WO2016165277A1 - IPsec diversion implementing method and apparatus - Google Patents

IPsec diversion implementing method and apparatus

Info

Publication number
WO2016165277A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
module
ipsec
spd
message
Prior art date
Application number
PCT/CN2015/089869
Other languages
French (fr)
Chinese (zh)
Inventor
邢业平 (Xing Yeping)
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2016165277A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • In summary, the technical solution of the embodiments includes: pre-associating different service instance modules with corresponding security policy database (SPD) modules, where there are two or more service instance modules and two or more SPD modules; a service instance module generates a packet and sends it to the SPD module associated with it; the SPD module determines that the packet requires IPsec processing and sends the packet, together with information indicating this, to the AH/ESP module; the AH/ESP module encrypts the packet, encapsulates an IPsec header on the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet.
  • FIG. 1 is a schematic diagram of IPsec outbound processing in the related art;
  • FIG. 2 is a schematic diagram of IPsec inbound processing in the related art;
  • FIG. 3 is a flowchart of a method for implementing IPsec offloading according to an embodiment of the present invention;
  • FIG. 4 is a schematic structural diagram of a device for implementing IPsec offloading according to an embodiment of the present invention.
  • An embodiment of the present invention provides a method for implementing IPsec offloading. First, different service instance modules are associated in advance with corresponding SPD modules; for example, a socket can be associated with one service instance module and one SPD module. How a service instance module and an SPD module are associated is common knowledge to those skilled in the art, is not intended to limit the scope of protection of the invention, and is not described further here.
  • The method includes the following steps.
  • Step 300: A service instance module generates a packet and sends it to the SPD module associated with it. There are two or more service instance modules and two or more SPD modules.
  • For example, each service instance module may generate its own kind of packet: a remote login protocol (telnet) packet carried over the Transmission Control Protocol (TCP), a File Transfer Protocol (FTP) packet carried over TCP, or an Internet Control Message Protocol (ICMP) packet.
  • Step 301: The SPD module determines that the packet requires IPsec processing and sends the packet, together with information indicating that it requires IPsec processing, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module.
  • The AH/ESP module here takes over the encapsulation-and-encryption part of the existing SPD selection module and the decapsulation-and-decryption part of the existing demultiplexer.
  • If the SPD module determines that the packet does not require IPsec processing, it sends the packet, together with information indicating that it does not require IPsec processing, to the AH/ESP module; the AH/ESP module forwards the packet directly and saves the first correspondence between the SPD module and the packet, and the process ends.
  • If the SPD module determines that the packet must be discarded, it discards the packet directly and the process ends.
  • In this way the policy-filtering function and the encryption/decryption function of existing IPsec processing are separated: only the SPD module is instantiated multiple times, while a single instance of the AH/ESP module is enough. Each SPD instance filters its own packets, and only packets that actually need IPsec encryption or decryption are handed to the AH/ESP module for cryptographic work; the decision to discard a packet or to pass it through unchanged is made by the SPD module itself.
  • Step 302: The AH/ESP module encrypts the packet, encapsulates an IPsec header on the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet.
  • Encrypting the packet includes: the AH/ESP module looks up, in the preset second correspondence between security policy (SP) information and security association (SA) indexes, the SA index corresponding to the SP information of the packet, and encrypts the packet according to the SA index found.
  • The SP information includes the source IP address, the destination IP address, and the protocol number; it may also include the source port and the destination port.
  • The SA referenced by the SA index holds the key, the encryption algorithm, and so on.
  • The SA index found is carried in the IPsec header so that the receiving side can locate the same SA; in the standard AH and ESP headers this is the role of the Security Parameters Index (SPI).
  • Step 303: When a packet is received, the AH/ESP module determines that the received packet is IPsec-encapsulated, decapsulates it, decrypts the decapsulated packet according to the SA index carried in the received packet, and sends the decrypted packet, together with information indicating that it was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
  • Sending the decrypted packet and that information to the corresponding SPD module includes: looking up the SPD module corresponding to the packet in the first correspondence, and sending the decrypted packet and the information indicating that it was IPsec-encapsulated to the SPD module found.
  • Step 304: The SPD module corresponding to the decrypted packet determines that the decrypted packet requires IPsec processing and sends it to the service instance module corresponding to the decrypted packet. If it determines instead that the decrypted packet does not require IPsec processing, the decrypted packet is discarded and the process ends.
  • When the AH/ESP module determines that a received packet is not IPsec-encapsulated, the method further includes: the AH/ESP module sends the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet; if that SPD module determines that the received packet requires IPsec processing, the received packet is discarded. This is the check that keeps an unprotected packet from being delivered on a flow whose policy requires IPsec protection.
  • If the SPD module corresponding to the received packet determines that the received packet does not require IPsec processing, it sends the received packet to the service instance module corresponding to the received packet.
  • An embodiment of the present invention further provides a device for implementing IPsec offloading, including at least:
  • a service instance module, configured to generate a packet and, when sending it, send it to the SPD module associated with it;
  • an SPD module, configured to determine that the packet requires IPsec processing and to send the packet, together with information indicating that it requires IPsec processing, to the AH/ESP module;
  • an AH/ESP module, configured to encrypt the packet, encapsulate an IPsec header on the encrypted packet, forward it, and save the first correspondence between the SPD module and the packet;
  • where there are two or more service instance modules and two or more SPD modules.
  • The SPD module is further configured to determine that the packet does not require IPsec processing and to send the packet, together with information indicating this, to the AH/ESP module; the AH/ESP module is further configured to forward the packet and save the first correspondence between the SPD module and the packet.
  • The SPD module is further configured to determine that the packet must be discarded and to discard it directly.
  • The AH/ESP module is specifically configured to look up, in the preset second correspondence between SP information and SA indexes, the SA index corresponding to the SP information of the packet, encrypt the packet according to the SA index found, encapsulate an IPsec header on the encrypted packet, forward it, and save the first correspondence between the SPD module and the packet.
  • The AH/ESP module is further configured to: when a packet is received, determine that the received packet is IPsec-encapsulated, decapsulate it, decrypt the decapsulated packet according to the SA index carried in the received packet, and send the decrypted packet, together with information indicating that it was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
  • The SPD module is further configured to determine that the decrypted packet requires IPsec processing and send it to the service instance module corresponding to the decrypted packet, and to determine that the decrypted packet does not require IPsec processing and discard it.
  • The AH/ESP module is further configured to: when a packet is received, determine that the received packet is not IPsec-encapsulated, and send the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet.
  • The SPD module is further configured to discard the received packet when it determines that the received packet requires IPsec processing, and to send the received packet to the service instance module corresponding to it when it determines that the received packet does not require IPsec processing.
  • In summary, the method and device for implementing IP-layer protocol security (IPsec) offloading include: pre-associating different service instance modules with corresponding security policy database (SPD) modules, where there are two or more service instance modules and two or more SPD modules; a service instance module generates a packet and sends it to the SPD module associated with it; the SPD module determines that the packet requires IPsec processing and sends the packet, together with information indicating this, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module; the AH/ESP module encrypts the packet, encapsulates an IPsec header on the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet. With this solution, when there is a large volume of packets, different SPD modules can process different packets simultaneously, which improves the protocol stack's capacity to process packets.
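The inbound demultiplexing of Step 303 in code, as an added example that is not part of the patent: the AH/ESP module decides from the IP protocol number whether a packet is IPsec-encapsulated at all, reads the SA index (the SPI of the AH or ESP header) and the sequence number from the fixed header, and consults the per-SA anti-replay window before any decryption work is spent. Header layouts follow RFC 4302 (AH) and RFC 4303 (ESP); the SPIs, the window size of 64 and the sample packets are constructed for the example, and the split into `check` and `update` assumes the packet's integrity check value (ICV) is verified between the two calls, as RFC 4303 requires.

```python
import struct

AH, ESP = 51, 50                  # IP protocol numbers (RFC 4302 / RFC 4303)


class ReplayWindow:
    """Sliding anti-replay window of the kind RFC 4303 Appendix A describes."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """True if seq is new and inside the window, or beyond its right edge."""
        if seq == 0 or seq <= self.top - self.size:
            return False                      # zero is never valid; too old
        if seq > self.top:
            return True
        return not self.bitmap & (1 << (self.top - seq))

    def update(self, seq):
        """Mark seq as seen; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def parse_header(proto, pkt):
    """Return (spi, seq, rest) for an AH or ESP packet, None if truncated."""
    if proto == ESP and len(pkt) >= 8:
        spi, seq = struct.unpack(">II", pkt[:8])
        return spi, seq, pkt[8:]
    if proto == AH and len(pkt) >= 12:
        _next, plen, _res, spi, seq = struct.unpack(">BBHII", pkt[:12])
        return spi, seq, pkt[12:(plen + 2) * 4]   # ICV follows the fixed header
    return None


def demux(proto, pkt, sad):
    """('plain', None) for non-IPsec packets; ('ipsec', (proto, spi, seq)) when
    the SA exists and seq passes the window; ('drop', reason) otherwise.
    sad maps (proto, spi) -> SA, since SPIs are only unique per protocol."""
    if proto not in (AH, ESP):
        return "plain", None
    parsed = parse_header(proto, pkt)
    if parsed is None:
        return "drop", "truncated header"
    spi, seq, _rest = parsed
    sa = sad.get((proto, spi))
    if sa is None:
        return "drop", "unknown SPI"          # nothing to decrypt with, no CPU spent
    if not sa["window"].check(seq):
        return "drop", "replayed or stale sequence number"
    return "ipsec", (proto, spi, seq)


def commit(sad, key):
    """Second phase, after the ICV verified: advance the window."""
    proto, spi, seq = key
    sad[(proto, spi)]["window"].update(seq)


def esp_packet(spi, seq, body=b"\x00" * 16):
    return struct.pack(">II", spi, seq) + body          # constructed sample


def ah_packet(spi, seq, icv=b"\x00" * 12):
    plen = (12 + len(icv)) // 4 - 2                      # RFC 4302 payload length
    return struct.pack(">BBHII", 6, plen, 0, spi, seq) + icv


def demo():
    sad = {(ESP, 0x1001): {"window": ReplayWindow()},
           (AH, 0x2002): {"window": ReplayWindow()}}
    verdicts = []
    for proto, pkt in [
        (ESP, esp_packet(0x1001, 1)), (ESP, esp_packet(0x1001, 2)),
        (ESP, esp_packet(0x1001, 2)),         # replay of seq 2
        (ESP, esp_packet(0x1001, 100)),       # jump forward, window slides
        (ESP, esp_packet(0x1001, 30)),        # 70 behind the top: outside the window
        (ESP, esp_packet(0x1001, 40)),        # 60 behind: inside, seen for the first time
        (ESP, esp_packet(0x9999, 1)),         # no such SA
        (AH, ah_packet(0x2002, 1)),
        (6, b"\x00" * 20),                    # plain TCP, never touches the crypto path
    ]:
        kind, detail = demux(proto, pkt, sad)
        if kind == "ipsec":
            commit(sad, detail)               # ICV verification would sit just before this
        verdicts.append(kind if kind != "drop" else f"drop: {detail}")
    return verdicts
```

The "unknown SPI" and replay cases are dropped before any key is touched, which is what makes the single AH/ESP instance cheap to protect against floods of garbage ESP; the window is only advanced in `commit`, because advancing it on an unauthenticated sequence number would let an attacker push legitimate packets out of the window.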

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An internet protocol security (IPsec) diversion implementing method and apparatus. The method comprises: pre-associating different service instance modules and corresponding security policy database (SPD) modules, wherein there are two or more service instance modules, and there are two or more SPD modules. The method further comprises: a service instance module generates a message and sends the message to an SPD module associated therewith; the SPD module judges that it is necessary to perform IPsec processing on the message, and sends the message and information, indicative of necessity to perform IPsec processing on the message, to an authentication header (AH)/encapsulating security payload (ESP) module; and the AH/ESP module encrypts the message, encapsulates the encrypted message with an IPsec header, forwards the message, and then saves a first corresponding relationship between the SPD module and the message. By means of the solution of the present invention, when there are a great number of messages, different SPD modules can be used to process different messages simultaneously, thereby improving the message processing capacity of a protocol stack.

Description

Method and device for implementing IPsec offloading (the "IPsec diversion" of the page title)
Technical field
The embodiments of the present invention relate to the field of communications, and in particular to a method and device for implementing IP-layer protocol security (IPsec, Internet Protocol Security) offloading.
Background
IPsec is a set of Internet Protocol (IP) security protocols established by the IPsec working group of the Internet Engineering Task Force (IETF). IPsec defines the security services used at the Internet layer; its functions include data encryption, access control for network elements, data-origin authentication, data integrity checking, and protection against replay attacks.
Because IPsec involves encryption and decryption, packets that match the IPsec filtering rules are encrypted and decrypted, which consumes considerable CPU resources. To reduce this consumption, some large devices currently handle IPsec traffic with distributed, dedicated IPsec service boards.
On some small devices, however, or on devices without a dedicated IPsec service board, IPsec processing is usually embedded in the system protocol stack. For that case, the related-art method of implementing IPsec offloading is roughly as follows.
Outbound processing, shown in FIG. 1: when a packet is sent, the service instance module generates the packet, and the security policy database (SPD, Security Policy Database) selection module filters it against the security policy according to the packet's source and destination IP addresses. If the packet does not require IPsec processing, the processing module forwards it directly; if the packet must be discarded, the processing module discards it directly; if the packet requires IPsec encapsulation, the processing module encrypts it, encapsulates an IPsec header on the encrypted packet, and then forwards it.
Inbound processing, shown in FIG. 2: when a packet is received, the demultiplexer determines from the protocol number in the packet whether it is IPsec-encapsulated. If it is, the packet is IPsec-decapsulated, the decapsulated packet is decrypted, and the decrypted packet is then policy-filtered: packets that do not match the policy are discarded and packets that match it are forwarded to the service instance module. If the packet is not IPsec-encapsulated, it is policy-filtered directly: packets that do not match the policy are discarded and packets that match it are forwarded to the service instance module.
In the related-art method, when there is a large volume of packets, the policy filtering and the encryption and decryption reduce the protocol stack's capacity to process packets.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This summary is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide a method and device for implementing IPsec offloading that can improve the protocol stack's capacity to process packets.
To this end, an embodiment of the present invention provides a method for implementing IP-layer protocol security (IPsec) offloading, in which different service instance modules are associated in advance with corresponding security policy database (SPD) modules; the method further includes:
a service instance module generates a packet and sends it to the SPD module associated with it;
the SPD module determines that the packet requires IPsec processing, and sends the packet, together with information indicating that it requires IPsec processing, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module;
the AH/ESP module encrypts the packet, encapsulates an IPsec header on the encrypted packet, forwards it, and saves a first correspondence between the SPD module and the packet;
where there are two or more service instance modules and two or more SPD modules.
Optionally, when the SPD module determines that the packet does not require IPsec processing, the method further includes: the SPD module sends the packet, together with information indicating that it does not require IPsec processing, to the AH/ESP module; the AH/ESP module forwards the packet and saves the first correspondence between the SPD module and the packet; end.
Optionally, when the SPD module determines that the packet must be discarded, the method further includes: the SPD module discards the packet directly; end.
Optionally, the AH/ESP module encrypting the packet includes: the AH/ESP module looks up, in a preset second correspondence between security policy (SP) information and security association (SA) indexes, the SA index corresponding to the SP information of the packet, and encrypts the packet according to the SA index found.
Optionally, the method further includes: when a packet is received, the AH/ESP module determines that the received packet is IPsec-encapsulated, decapsulates it, decrypts the decapsulated packet according to the SA index carried in the received packet, and sends the decrypted packet, together with information indicating that it was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet; the SPD module corresponding to the decrypted packet determines that the decrypted packet requires IPsec processing and sends the decrypted packet to the service instance module corresponding to it.
Optionally, when the SPD module corresponding to the packet determines that the decrypted packet does not require IPsec processing, the method further includes: the SPD module corresponding to the packet discards the decrypted packet; end.
Optionally, sending the decrypted packet and the information indicating that it was IPsec-encapsulated to the SPD module corresponding to the decrypted packet includes: looking up the SPD module corresponding to the packet in the first correspondence, and sending the decrypted packet and that information to the SPD module found.
Optionally, the method further includes: when a packet is received, the AH/ESP module determines that the received packet is not IPsec-encapsulated, and sends the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet; when the SPD module corresponding to the received packet determines that the received packet requires IPsec processing, it discards the received packet.
Optionally, when the SPD module corresponding to the received packet determines that the received packet does not require IPsec processing, the method further includes: the SPD module corresponding to the received packet sends the received packet to the service instance module corresponding to the received packet.
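The outbound and inbound paths of the method above, as an added example in Python that is not the patent's code: each service instance has its own SPD module holding an ordered policy (discard, bypass, protect) over selectors, and one AH/ESP module holds the second correspondence (selector to SA index and key) and the first correspondence (which SPD module owns which flow). The patent does not say how the first correspondence is keyed; the example assumes the packet's 5-tuple, looked up in reverse for inbound packets. The cipher is a hash-counter keystream with an HMAC tag standing in for a real ESP transform, the addresses and keys are constructed, and the peer is modelled with the same classes and the same SA in both directions for brevity (real IPsec negotiates a separate SA per direction).

```python
import hashlib
import hmac
import struct
from collections import namedtuple

ESP, TAG_LEN = 50, 16                            # IP protocol number of ESP; truncated HMAC length
DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"
Packet = namedtuple("Packet", "src dst proto sport dport payload")
# SP information: addresses and protocol, ports optional (None = any port).
Selector = namedtuple("Selector", "src dst proto sport dport", defaults=(None, None))

def matches(sel, p):
    return ((p.src, p.dst, p.proto) == (sel.src, sel.dst, sel.proto)
            and sel.sport in (None, p.sport) and sel.dport in (None, p.dport))

def keystream_xor(key, spi, seq, data):
    # Stand-in for the SA's cipher (hash in counter mode); not AES, example only.
    ks = b"".join(hashlib.sha256(key + struct.pack(">IIQ", spi, seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

class AHESPModule:
    def __init__(self, sp_to_sa):
        self.sp_to_sa = sp_to_sa                 # second correspondence: Selector -> (spi, key)
        self.sad = dict(sp_to_sa.values())       # SA index (SPI) -> key
        self.seq = dict.fromkeys(self.sad, 0)
        self.flow_owner = {}                     # first correspondence, keyed by 5-tuple (assumption)

    def outbound(self, spd, p, needs_ipsec):
        self.flow_owner[(p.src, p.dst, p.proto, p.sport, p.dport)] = spd
        if not needs_ipsec:
            return p                             # bypass: forwarded unchanged
        sa = next((sa for sel, sa in self.sp_to_sa.items() if matches(sel, p)), None)
        if sa is None:
            return None                          # PROTECT policy but no SA: drop
        spi, key = sa
        self.seq[spi] += 1
        hdr = struct.pack(">II", spi, self.seq[spi])   # SPI and sequence number, as in ESP
        inner = struct.pack(">BHH", p.proto, p.sport, p.dport) + p.payload
        ct = keystream_xor(key, spi, self.seq[spi], inner)
        tag = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        return Packet(p.src, p.dst, ESP, 0, 0, hdr + ct + tag)

    def inbound(self, p):
        was_ipsec = p.proto == ESP
        if was_ipsec:
            if len(p.payload) < 8 + 5 + TAG_LEN:
                return None                      # too short for header, inner header and tag
            spi, seq = struct.unpack(">II", p.payload[:8])
            key = self.sad.get(spi)
            if key is None:
                return None                      # unknown SA index
            body, tag = p.payload[8:-TAG_LEN], p.payload[-TAG_LEN:]
            want = hmac.new(key, p.payload[:8] + body, hashlib.sha256).digest()[:TAG_LEN]
            if not hmac.compare_digest(tag, want):
                return None                      # integrity failure: drop before decrypting
            inner = keystream_xor(key, spi, seq, body)
            proto, sport, dport = struct.unpack(">BHH", inner[:5])
            p = Packet(p.src, p.dst, proto, sport, dport, inner[5:])
        owner = self.flow_owner.get((p.dst, p.src, p.proto, p.dport, p.sport))  # reversed 5-tuple
        return None if owner is None else owner.inbound(p, was_ipsec)

class SPDModule:
    def __init__(self, policy):
        self.policy = policy                     # ordered (Selector, action), local side's view

    def lookup(self, p):
        return next((act for sel, act in self.policy if matches(sel, p)), DISCARD)

    def outbound(self, p, ahesp):
        act = self.lookup(p)
        if act == DISCARD:
            return None                          # dropped here; the AH/ESP module never sees it
        return ahesp.outbound(self, p, act == PROTECT)

    def inbound(self, p, was_ipsec):
        act = self.lookup(Packet(p.dst, p.src, p.proto, p.dport, p.sport, p.payload))
        if act == DISCARD or (act == PROTECT) != was_ipsec:
            return None                          # e.g. cleartext where the policy demands IPsec
        return p                                 # delivered to the service instance

def demo():
    local, remote, key = "192.0.2.10", "198.51.100.7", b"\x11" * 32
    tel = Selector(local, remote, 6, dport=23)   # telnet over TCP, the patent's own example
    host = AHESPModule({tel: (0x1001, key)})
    spd_telnet, spd_icmp = SPDModule([(tel, PROTECT)]), SPDModule([(Selector(local, remote, 1), BYPASS)])
    peer_sel = Selector(remote, local, 6, sport=23)   # the peer: same classes, same SA for brevity
    peer, peer_spd = AHESPModule({peer_sel: (0x1001, key)}), SPDModule([(peer_sel, PROTECT)])
    wire = spd_telnet.outbound(Packet(local, remote, 6, 40000, 23, b"login"), host)
    reply = peer_spd.outbound(Packet(remote, local, 6, 23, 40000, b"Password:"), peer)
    bad = reply.payload[:10] + bytes([reply.payload[10] ^ 1]) + reply.payload[11:]
    return {
        "wire_proto": wire.proto,
        "telnet_reply": host.inbound(reply),
        "tampered": host.inbound(reply._replace(payload=bad)),
        "cleartext_reply": host.inbound(Packet(remote, local, 6, 23, 40000, b"Password:")),
        "icmp_out": spd_icmp.outbound(Packet(local, remote, 1, 0, 0, b"ping"), host),
        "icmp_reply": host.inbound(Packet(remote, local, 1, 0, 0, b"pong")),
    }
```

The `cleartext_reply` case is the point of the inbound policy check: a packet that arrives unprotected on a flow whose policy says protect is dropped by its SPD module even though the AH/ESP module never touched it, while `tampered` is dropped by the AH/ESP module on the integrity check before any decryption. Only the two protected packets cost the AH/ESP instance any cryptographic work; the ICMP flow and the discards stay entirely inside the SPD modules.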
本发明实施例还提出了一种实现IP层协议安全IPsec分流的装置,至少 包括:The embodiment of the invention further provides a device for implementing IP IP protocol protocol security IPsec offloading, at least include:
业务实例模块,设置为生成报文并发送给与自身关联的SPD模块;The service instance module is configured to generate a message and send it to the SPD module associated with itself;
SPD模块,设置为判断出报文需要进行IPsec处理,将报文和表示报文需要进行IPsec处理的信息发送给认证头协议AH/封装安全载荷协议ESP模块;The SPD module is configured to determine that the packet needs to be subjected to IPsec processing, and send the packet and the information indicating that the packet needs to be IPsec processed to the authentication header protocol AH/encapsulated secure payload protocol ESP module;
AH/ESP模块,设置为对报文进行加密,对加密后的报文封装IPsec头后进行转发,并保存SPD模块和报文之间的第一对应关系;The AH/ESP module is configured to encrypt the packet, encapsulate the IPsec header in the encrypted packet, and forward the first correspondence between the SPD module and the packet.
其中,业务实例模块为两个或两个以上;SPD模块为两个或两个以上。The service instance module is two or more; the SPD module is two or more.
Optionally, the SPD module is further configured to:
determine that the packet does not require IPsec processing and send the packet, together with information indicating that it does not require IPsec processing, to the AH/ESP module;
and the AH/ESP module is further configured to: forward the packet, save the first correspondence between the SPD module and the packet, and end.
Optionally, the SPD module is further configured to: determine that the packet is to be discarded, discard the packet directly, and end.
Optionally, the AH/ESP module is specifically configured to:
look up, in a preset second correspondence between SP information and SA indexes, the SA index corresponding to the SP information of the packet; encrypt the packet according to the SA index found; encapsulate the encrypted packet with an IPsec header; forward it; and save the first correspondence between the SPD module and the packet.
Optionally, the AH/ESP module is further configured to:
on receiving a packet, determine that the received packet is an IPsec-encapsulated packet, decapsulate it, decrypt the decapsulated packet according to the SA index carried in the received packet, and send the decrypted packet, together with information indicating that the packet was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet;
and the SPD module is further configured to:
determine that the decrypted packet requires IPsec processing and send the decrypted packet to the service instance module corresponding to the decrypted packet.
Optionally, the SPD module is further configured to:
determine that the decrypted packet does not require IPsec processing, discard the decrypted packet, and end.
Optionally, the AH/ESP module is further configured to:
on receiving a packet, determine that the received packet is not an IPsec-encapsulated packet and send the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet;
and the SPD module is further configured to: discard the received packet when it determines that the received packet requires IPsec processing.
Optionally, the SPD module is further configured to:
determine that the received packet does not require IPsec processing and send the received packet to the service instance module corresponding to the received packet.
Compared with the prior art, the technical solution provided by the invention includes: associating in advance different service instance modules with corresponding security policy database (SPD) modules, there being two or more service instance modules and two or more SPD modules; a service instance module generating a packet and sending it to the SPD module associated with it; the SPD module determining that the packet requires IPsec processing and sending the packet, together with information indicating that it requires IPsec processing, to the AH/ESP module; and the AH/ESP module encrypting the packet, encapsulating the encrypted packet with an IPsec header, forwarding it, and saving the first correspondence between the SPD module and the packet. With this solution, when there is a large volume of packets, different SPD modules can process different packets concurrently, which improves the protocol stack's packet-processing capacity.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
The drawings of the embodiments are provided to aid understanding of the invention and, together with the description, serve to explain it; they do not limit the scope of protection.
FIG. 1 is a schematic diagram of IPsec outbound processing in the related art;
FIG. 2 is a schematic diagram of IPsec inbound processing in the related art;
FIG. 3 is a flowchart of a method for implementing IPsec offloading according to an embodiment of the invention;
FIG. 4 is a schematic structural diagram of an apparatus for implementing IPsec offloading according to an embodiment of the invention.
Preferred embodiments of the invention
To facilitate understanding by those skilled in the art, the invention is further described below with reference to the drawings; the description does not limit the scope of protection. The embodiments of this application, and the various manners within them, may be combined with one another where they do not conflict.
Referring to FIG. 3, an embodiment of the invention provides a method for implementing IPsec offloading, that is, distributing IPsec policy processing across several SPD instances. First, different service instance modules are associated in advance with corresponding SPD modules.
For example, a socket can be used to associate a service instance module with an SPD module. How exactly a service instance module is associated with an SPD module is common knowledge to those skilled in the art, does not limit the scope of protection, and is not described further here.
The method of the invention includes:
Step 300: A service instance module generates a packet and sends it to the SPD module associated with it.
There are two or more service instance modules and two or more SPD modules.
Different packets can be configured in advance to be generated by different service instance modules, so that when there is a large volume of packets, different SPD modules can process different packets concurrently in the subsequent steps, improving the protocol stack's packet-processing capacity.
This step emphasizes that multiple service instance modules are used to generate packets, and that different service instance modules can generate different packets at the same time. For example, the service instance modules may respectively generate Telnet packets carried over the Transmission Control Protocol (TCP), File Transfer Protocol (FTP) packets carried over TCP, Internet Control Message Protocol (ICMP) packets, and so on.
Step 301: The SPD module determines that the packet requires IPsec processing and sends the packet to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module.
In this step, the AH/ESP module is the module that implements the part of the existing SPD selection module (FIG. 1) responsible for encapsulating and encrypting packets, and the part of the existing demultiplexer (FIG. 2) responsible for decapsulating and decrypting packets.
In this step, when the SPD module determines that the packet does not require IPsec processing, the SPD module sends the packet, together with information indicating that it does not require IPsec processing, to the AH/ESP module; the AH/ESP module forwards the packet directly, saves the first correspondence between the SPD module and the packet, and ends.
In this step, when the SPD module determines that the packet is to be discarded, the SPD module discards the packet directly and ends.
How the SPD module determines whether a packet requires IPsec processing or must be discarded (in RFC 4301 terms, whether the matching SPD entry's action is PROTECT, BYPASS or DISCARD) is a known technique, does not limit the scope of protection, and is not described further here.
That is, the technical solution separates the packet policy-filtering function from the packet encryption/decryption function of existing IPsec processing. Because IPsec provides anti-replay protection, which is per-SA sequence-number state that has to be updated in one place, only the SPD module is multi-instantiated, while a single AH/ESP instance suffices: each SPD instance performs policy filtering on its own packets and hands only packets that need IPsec encryption or decryption to the AH/ESP module, whereas packets to be discarded or passed through unprotected are handled by the SPD module itself.
Step 302: The AH/ESP module encrypts the packet, encapsulates the encrypted packet with an IPsec header, forwards it, and saves the first correspondence between the SPD module and the packet.
In this step, the AH/ESP module encrypting the packet includes:
the AH/ESP module looking up, in a preset second correspondence between SP information and SA indexes, the SA index corresponding to the SP information of the packet, and encrypting the packet according to the SA index found.
The SP information includes the source IP address, destination IP address and protocol number, and may further include the source port and destination port. The SA index selects the security association, which holds the key, the encryption algorithm, and so on (in RFC 4301/4303 terms, the index carried in the header is the SPI).
In this step, when the IPsec header is encapsulated, the SA index found is placed in the IPsec header.
The embodiment of the invention further includes:
Step 303: On receiving a packet, the AH/ESP module determines that the received packet is an IPsec-encapsulated packet, decapsulates it, decrypts the decapsulated packet according to the SA index carried in the received packet, and sends the decrypted packet, together with information indicating that the packet was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
In this step, sending the decrypted packet and the information indicating that the packet was IPsec-encapsulated to the SPD module corresponding to the packet includes:
looking up the SPD module corresponding to the packet in the first correspondence, and sending the decrypted packet and the information indicating that the packet was IPsec-encapsulated to the SPD module found.
Step 304: The SPD module corresponding to the decrypted packet determines that the decrypted packet requires IPsec processing and sends the decrypted packet to the service instance module corresponding to the decrypted packet.
In this step, when the SPD module corresponding to the packet determines that the decrypted packet does not require IPsec processing, it discards the decrypted packet and ends.
When the AH/ESP module determines that the received packet is not an IPsec-encapsulated packet, the method further includes:
the AH/ESP module sending the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet; and the SPD module corresponding to the received packet discarding the received packet when it determines that the received packet requires IPsec processing (an unprotected packet arriving on a flow whose policy requires protection).
When the SPD module corresponding to the received packet determines that the received packet does not require IPsec processing, it sends the received packet to the service instance module corresponding to the received packet.
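The outbound path (steps 300 to 302), the inbound path (steps 303 and 304, including the branch for non-IPsec packets) and the reason given above for keeping a single AH/ESP instance, as an added executable model. This is example code written for this page, not code from the patent or from ZTE; the module and function names, the HMAC-based stand-in for ESP encryption, the direction-independent flow key, the single SA used for both directions and the constructed Telnet and ICMP traffic are all assumptions of the model rather than anything the page specifies.

```python
# Added example, not the patent's code: a runnable model of steps 300-304 with several SPD
# instances and ONE AH/ESP instance.  The ESP-like framing (HMAC-SHA256 keystream, 16-byte HMAC
# ICV), the direction-independent flow key and one SA used for both directions are simplifications.
import hmac, hashlib, struct
from dataclasses import dataclass

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"   # SPD actions (RFC 4301 names)
WINDOW, ICV = 64, 16                                         # replay window width, ICV bytes

@dataclass(frozen=True)
class Selector:                  # the page's "SP information"
    src: str; dst: str; proto: int; sport: int = 0; dport: int = 0
@dataclass
class Packet:                    # ipsec=True: data = spi(4) | seq(4) | ciphertext | icv(16)
    sel: Selector; data: bytes; ipsec: bool = False
@dataclass
class SA:                        # entry reached through the "SA index" (the SPI in the header)
    spi: int; key: bytes; seq_out: int = 0; high: int = 0; bits: int = 0

def flow_key(sel):               # same key for both directions (model assumption)
    return (sel.proto, frozenset({(sel.src, sel.sport), (sel.dst, sel.dport)}))
def reverse(sel):
    return Selector(sel.dst, sel.src, sel.proto, sel.dport, sel.sport)
def keystream(key, seq, n):      # toy stream cipher, not a substitute for AES
    blocks = (hmac.new(key, b"ks" + struct.pack(">II", seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]
def encapsulate(pkt, sa, seq):
    ct = bytes(a ^ b for a, b in zip(pkt.data, keystream(sa.key, seq, len(pkt.data))))
    hdr = struct.pack(">II", sa.spi, seq)             # SA index goes into the IPsec header
    return Packet(pkt.sel, hdr + ct + hmac.new(sa.key, hdr + ct, hashlib.sha256).digest()[:ICV], True)
def decapsulate(pkt, sa):        # returns None on integrity failure: never decrypt unverified data
    hdr, ct, icv = pkt.data[:8], pkt.data[8:-ICV], pkt.data[-ICV:]
    if not hmac.compare_digest(icv, hmac.new(sa.key, hdr + ct, hashlib.sha256).digest()[:ICV]): return None
    seq = struct.unpack(">II", hdr)[1]
    return Packet(pkt.sel, bytes(a ^ b for a, b in zip(ct, keystream(sa.key, seq, len(ct)))))
def replay_check(sa, seq):       # RFC 4303-style window: reject 0, duplicates and too-old numbers
    if seq == 0 or sa.high - seq >= WINDOW: return False
    return seq > sa.high or not (sa.bits >> (sa.high - seq)) & 1
def replay_update(sa, seq):      # only after the ICV verified, so forgeries cannot burn numbers
    if seq > sa.high: sa.bits, sa.high = ((sa.bits << (seq - sa.high)) | 1) & ((1 << WINDOW) - 1), seq
    else: sa.bits |= 1 << (sa.high - seq)

class SPDModule:                 # one per service instance; policy filtering only (steps 301, 304)
    def __init__(self, service, policy, ahesp):
        self.service, self.policy, self.ahesp, self.inbox = service, policy, ahesp, []
    def send(self, sel, data):   # steps 300-301: service instance -> SPD -> AH/ESP
        act = self.policy.get(flow_key(sel), DISCARD)
        if act == DISCARD: return "dropped:policy"   # discards never reach AH/ESP
        return self.ahesp.outbound(Packet(sel, data), self, act == PROTECT)
    def inbound(self, pkt, was_protected):            # step 304 and the non-IPsec branch
        act = self.policy.get(flow_key(pkt.sel), DISCARD)
        if act == DISCARD or (act == PROTECT) != was_protected:
            return "dropped:policy"                   # e.g. cleartext arriving on a PROTECT flow
        self.inbox.append(pkt.data)
        return "delivered:" + self.service

class AHESPModule:               # single instance: owns every SA, so replay state lives in one place
    def __init__(self, sa_by_flow):
        self.sa_by_flow = sa_by_flow                  # "second correspondence": SP info -> SA
        self.sa_by_spi = {sa.spi: sa for sa in sa_by_flow.values()}
        self.owner, self.wire = {}, []                # "first correspondence": flow -> SPD module
    def outbound(self, pkt, spd, protect):            # step 302
        self.owner[flow_key(pkt.sel)] = spd
        if protect:
            sa = self.sa_by_flow[flow_key(pkt.sel)]
            sa.seq_out += 1
            pkt = encapsulate(pkt, sa, sa.seq_out)
        self.wire.append(pkt)
        return "forwarded"
    def inbound(self, pkt):                           # step 303
        protected = pkt.ipsec
        if protected:
            spi, seq = struct.unpack(">II", pkt.data[:8]) if len(pkt.data) >= 8 + ICV else (0, 0)
            sa = self.sa_by_spi.get(spi)
            if sa is None or not replay_check(sa, seq): return "dropped:unknown SPI or replay"
            if (pkt := decapsulate(pkt, sa)) is None: return "dropped:bad ICV"
            replay_update(sa, seq)
        spd = self.owner.get(flow_key(pkt.sel))       # assumption: flows with no owner are dropped
        return spd.inbound(pkt, protected) if spd else "dropped:no SPD for flow"

def run_demo():                  # constructed traffic: a PROTECT telnet flow and a BYPASS ICMP flow
    telnet, icmp = Selector("10.0.0.1", "10.0.0.2", 6, 40000, 23), Selector("10.0.0.1", "10.0.0.2", 1)
    ahesp = AHESPModule({flow_key(telnet): SA(spi=0x1001, key=b"k" * 32)})
    spd_a = SPDModule("telnet", {flow_key(telnet): PROTECT}, ahesp)
    spd_b = SPDModule("icmp", {flow_key(icmp): BYPASS}, ahesp)
    r = {"out1": spd_a.send(telnet, b"login: root"), "out2": spd_b.send(icmp, b"echo request"),
         "out3": spd_a.send(telnet, b"password: hunter2")}
    esp1, _, esp2 = ahesp.wire
    r["wire"] = (esp1.ipsec, len(esp1.data))          # (True, 8 + 11 + 16)
    back = lambda p: Packet(reverse(p.sel), p.data, p.ipsec)   # the peer echoes a packet back
    r["in_esp"] = ahesp.inbound(back(esp1))
    r["in_replay"] = ahesp.inbound(back(esp1))        # same seq again: rejected by the one window
    bad = Packet(reverse(esp2.sel), esp2.data[:-1] + bytes([esp2.data[-1] ^ 1]), True)
    r["in_tampered"] = ahesp.inbound(bad)             # ICV fails and the window is not advanced,
    r["in_esp2"] = ahesp.inbound(back(esp2))          # so the genuine seq 2 is still accepted
    r["in_clear_on_protect"] = ahesp.inbound(Packet(reverse(telnet), b"login: root"))
    r["in_clear_on_bypass"] = ahesp.inbound(Packet(reverse(icmp), b"echo reply"))
    r["inbox_a"] = spd_a.inbox
    return r
if __name__ == "__main__": print(run_demo())
```

Running `run_demo()` shows the properties the text relies on: the replayed ESP packet is rejected even though two SPD instances exist, because the one AH/ESP module owns the replay window; a tampered packet fails the ICV without consuming its sequence number, so the genuine packet with that number is still accepted afterwards; cleartext arriving on the flow whose SPD entry is PROTECT is dropped by the SPD module (the page's rule for non-IPsec packets), while cleartext on the BYPASS flow is delivered to its service instance.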
Referring to FIG. 4, the invention further provides an apparatus for implementing IPsec offloading, including at least:
a service instance module, configured to generate a packet, when a packet is to be sent, and send it to the SPD module associated with the service instance module;
an SPD module, configured to determine that the packet requires IPsec processing and send the packet, together with information indicating that it requires IPsec processing, to the AH/ESP module;
an AH/ESP module, configured to encrypt the packet, encapsulate the encrypted packet with an IPsec header, forward it, and save the first correspondence between the SPD module and the packet.
There are two or more service instance modules and two or more SPD modules.
In the apparatus provided by the embodiment, the SPD module is further configured to:
determine that the packet does not require IPsec processing and send the packet, together with information indicating that it does not require IPsec processing, to the AH/ESP module;
and the AH/ESP module is further configured to:
forward the packet, save the first correspondence between the SPD module and the packet, and end.
In the apparatus provided by the embodiment, the SPD module is further configured to:
determine that the packet is to be discarded, discard it directly, and end.
In the apparatus provided by the embodiment, the AH/ESP module is specifically configured to:
look up, in the preset second correspondence between SP information and SA indexes, the SA index corresponding to the SP information of the packet; encrypt the packet according to the SA index found; encapsulate the encrypted packet with an IPsec header; forward it; and save the first correspondence between the SPD module and the packet.
In the apparatus provided by the embodiment, the AH/ESP module is further configured to:
on receiving a packet, determine that the received packet is an IPsec-encapsulated packet, decapsulate it, decrypt the decapsulated packet according to the SA index carried in the received packet, and send the decrypted packet, together with information indicating that the packet was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet;
and the SPD module is further configured to:
determine that the decrypted packet requires IPsec processing and send the decrypted packet to the service instance module corresponding to the decrypted packet.
In the apparatus provided by the embodiment, the SPD module is further configured to:
determine that the decrypted packet does not require IPsec processing and discard the decrypted packet.
In the apparatus provided by the embodiment, the AH/ESP module is further configured to:
on receiving a packet, determine that the received packet is not an IPsec-encapsulated packet and send the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet;
and the SPD module is further configured to:
discard the received packet when it determines that the received packet requires IPsec processing.
In the apparatus provided by the embodiment, the SPD module is further configured to:
determine that the received packet does not require IPsec processing and send the received packet to the service instance module corresponding to the received packet.
It should be noted that the embodiments described above are provided only to facilitate understanding by those skilled in the art and do not limit the scope of protection; any obvious substitutions and improvements made by those skilled in the art without departing from the inventive concept fall within the scope of protection of the invention.
Industrial applicability
The method and apparatus for implementing IP layer protocol security (IPsec) offloading proposed by the embodiments of the invention include: associating in advance different service instance modules with corresponding security policy database (SPD) modules, there being two or more service instance modules and two or more SPD modules; the service instance module generating a packet and sending it to the SPD module associated with it; the SPD module determining that the packet requires IPsec processing and sending the packet, together with information indicating that it requires IPsec processing, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module; and the AH/ESP module encrypting the packet, encapsulating the encrypted packet with an IPsec header, forwarding it, and saving the first correspondence between the SPD module and the packet. With this solution, when there is a large volume of packets, different SPD modules can process different packets concurrently, which improves the protocol stack's packet-processing capacity.

Claims (17)

  1. A method for implementing IP layer protocol security (IPsec) offloading, in which different service instance modules are associated in advance with corresponding security policy database (SPD) modules, the method further comprising:
    a service instance module generating a packet and sending it to the SPD module associated with it;
    the SPD module determining that the packet requires IPsec processing and sending the packet, together with information indicating that the packet requires IPsec processing, to an Authentication Header (AH)/Encapsulating Security Payload (ESP) module;
    the AH/ESP module encrypting the packet, encapsulating the encrypted packet with an IPsec header, forwarding it, and saving a first correspondence between the SPD module and the packet;
    wherein there are two or more service instance modules and two or more SPD modules.
  2. The method according to claim 1, wherein, when the SPD module determines that the packet does not require IPsec processing, the method further comprises:
    the SPD module sending the packet, together with information indicating that the packet does not require IPsec processing, to the AH/ESP module; and the AH/ESP module forwarding the packet, saving the first correspondence between the SPD module and the packet, and ending.
  3. The method according to claim 1, wherein, when the SPD module determines that the packet is to be discarded, the method further comprises: the SPD module discarding the packet directly, and ending.
  4. The method according to claim 1, wherein the AH/ESP module encrypting the packet comprises:
    the AH/ESP module looking up, in a preset second correspondence between SP information and SA indexes, the SA index corresponding to the SP information of the packet, and encrypting the packet according to the SA index found.
  5. The method according to claim 1, 2 or 3, further comprising:
    on receiving a packet, the AH/ESP module determining that the received packet is an IPsec-encapsulated packet, decapsulating the received packet, decrypting the decapsulated packet according to the SA index carried in the received packet, and sending the decrypted packet, together with information indicating that the packet was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet;
    the SPD module corresponding to the decrypted packet determining that the decrypted packet requires IPsec processing and sending the decrypted packet to the service instance module corresponding to the decrypted packet.
  6. The method according to claim 5, wherein, when the SPD module corresponding to the packet determines that the decrypted packet does not require IPsec processing, the method further comprises: the SPD module corresponding to the packet discarding the decrypted packet, and ending.
  7. The method according to claim 5, wherein sending the decrypted packet and the information indicating that the packet was IPsec-encapsulated to the SPD module corresponding to the decrypted packet comprises:
    looking up the SPD module corresponding to the packet in the first correspondence, and sending the decrypted packet and the information indicating that the packet was IPsec-encapsulated to the SPD module found.
  8. The method according to claim 1, 2 or 3, further comprising:
    on receiving a packet, the AH/ESP module determining that the received packet is not an IPsec-encapsulated packet, and sending the received packet, together with information indicating that the packet is not IPsec-encapsulated, to the SPD module corresponding to the received packet;
    the SPD module corresponding to the received packet discarding the received packet when it determines that the received packet requires IPsec processing.
  9. The method according to claim 8, characterized in that, when the SPD module corresponding to the received packet determines that the received packet does not require IPsec processing, the method further comprises:
    the SPD module corresponding to the received packet sending the received packet to the service instance module corresponding to the received packet.
  10. An apparatus for implementing IP layer protocol security (IPsec) offloading, characterized in that it comprises at least:
    a service instance module, configured to generate a packet and send it to the SPD module associated with the service instance module;
    an SPD module, configured to determine that the packet requires IPsec processing and send the packet, together with information indicating that the packet requires IPsec processing, to an Authentication Header (AH)/Encapsulating Security Payload (ESP) module;
    an AH/ESP module, configured to encrypt the packet, encapsulate the encrypted packet with an IPsec header, forward it, and save a first correspondence between the SPD module and the packet;
    wherein there are two or more service instance modules and two or more SPD modules.
  11. The apparatus according to claim 10, wherein the SPD module is further configured to:
    determine that the packet does not require IPsec processing and send the packet, together with information indicating that the packet does not require IPsec processing, to the AH/ESP module;
    and the AH/ESP module is further configured to: forward the packet, save the first correspondence between the SPD module and the packet, and end.
  12. The apparatus according to claim 10, wherein the SPD module is further configured to: determine that the packet is to be discarded, discard the packet directly, and end.
  13. The apparatus according to claim 10, characterized in that the AH/ESP module is specifically configured to:
    look up, in a preset second correspondence between SP information and SA indexes, the SA index corresponding to the SP information of the packet; encrypt the packet according to the SA index found; encapsulate the encrypted packet with an IPsec header; forward it; and save the first correspondence between the SPD module and the packet.
  14. The apparatus according to claim 10, 11 or 12, wherein the AH/ESP module is further configured to:
    on receiving a packet, determine that the received packet is an IPsec-encapsulated packet, decapsulate the received packet, decrypt the decapsulated packet according to the SA index carried in the received packet, and send the decrypted packet, together with information indicating that the packet was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet;
    and the SPD module is further configured to:
    determine that the decrypted packet requires IPsec processing and send the decrypted packet to the service instance module corresponding to the decrypted packet.
  15. The apparatus according to claim 14, wherein the SPD module is further configured to:
    determine that the decrypted packet does not require IPsec processing, discard the decrypted packet, and end.
  16. The apparatus according to claim 10, 11 or 12, wherein the AH/ESP module is further configured to:
    on receiving a packet, determine that the received packet is not an IPsec-encapsulated packet and send the received packet, together with information indicating that the packet is not IPsec-encapsulated, to the SPD module corresponding to the received packet;
    and the SPD module is further configured to:
    discard the received packet when it determines that the received packet requires IPsec processing.
  17. The apparatus according to claim 16, wherein the SPD module is further configured to:
    determine that the received packet does not require IPsec processing and send the received packet to the service instance module corresponding to the received packet.
PCT/CN2015/089869 2015-04-16 2015-09-17 Ipsec diversion implementing method and apparatus WO2016165277A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510180550.0A CN106161386B (en) 2015-04-16 2015-04-16 Method and device for realizing IPsec (Internet protocol Security) shunt
CN201510180550.0 2015-04-16

Publications (1)

Publication Number Publication Date
WO2016165277A1 true WO2016165277A1 (en) 2016-10-20

Family

ID=57126334

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/089869 WO2016165277A1 (en) 2015-04-16 2015-09-17 Ipsec diversion implementing method and apparatus

Country Status (2)

Country Link
CN (1) CN106161386B (en)
WO (1) WO2016165277A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639721A (en) * 2019-01-08 2019-04-16 郑州云海信息技术有限公司 IPsec message format processing method, device, equipment and storage medium
CN113691490A (en) * 2020-05-19 2021-11-23 华为技术有限公司 Method and device for checking SRv6 message

Families Citing this family (3)

Publication number Priority date Publication date Assignee Title
CN107172072B (en) * 2017-06-09 2020-11-06 中国电子科技集团公司第四十一研究所 IPSec data flow high-speed processing system and method based on FPGA
CN113992343B (en) * 2021-09-10 2022-11-18 深圳开源互联网安全技术有限公司 Device, method, electronic equipment and storage medium for realizing IPsec network security protocol
CN113872865A (en) * 2021-10-11 2021-12-31 南方电网数字电网研究院有限公司 Message data distribution method and device, computer equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2005220270A1 (en) * 2005-10-10 2007-04-26 Canon Kabushiki Kaisha A method of efficiently identifying security association information for IPsec processing
CN101605136A (en) * 2009-07-28 2009-12-16 杭州华三通信技术有限公司 A kind of method and apparatus that message is carried out the internet protocol security IPSec processing
CN103188264A (en) * 2013-03-25 2013-07-03 清华大学深圳研究生院 On-line network security processor and on-line network security processing method
CN103198105A (en) * 2013-03-25 2013-07-10 清华大学深圳研究生院 Searching device and method for Ethernet internet protocol security (IPSec) database

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100499649C (en) * 2004-09-15 2009-06-10 华为技术有限公司 Method for realizing safety coalition backup and switching
US8250229B2 (en) * 2005-09-29 2012-08-21 International Business Machines Corporation Internet protocol security (IPSEC) packet processing for multiple clients sharing a single network address
CN1984130A (en) * 2005-12-14 2007-06-20 北京三星通信技术研究有限公司 Method for converting IPSec
US8010990B2 (en) * 2006-10-26 2011-08-30 Intel Corporation Acceleration of packet flow classification in a virtualized system
KR20120035392A (en) * 2010-10-05 2012-04-16 주식회사 인스프리트 Dual security server system in the ipsec environment and controlling method therefor
CN102420769A (en) * 2011-12-27 2012-04-18 汉柏科技有限公司 Method for forwarding internet protocol security (IPSec)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2005220270A1 (en) * 2005-10-10 2007-04-26 Canon Kabushiki Kaisha A method of efficiently identifying security association information for IPsec processing
CN101605136A (en) * 2009-07-28 2009-12-16 杭州华三通信技术有限公司 A kind of method and apparatus that message is carried out the internet protocol security IPSec processing
CN103188264A (en) * 2013-03-25 2013-07-03 清华大学深圳研究生院 On-line network security processor and on-line network security processing method
CN103198105A (en) * 2013-03-25 2013-07-10 清华大学深圳研究生院 Searching device and method for Ethernet internet protocol security (IPSec) database

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639721A (en) * 2019-01-08 2019-04-16 郑州云海信息技术有限公司 IPsec message format processing method, device, equipment and storage medium
CN109639721B (en) * 2019-01-08 2022-02-22 郑州云海信息技术有限公司 IPsec message format processing method, device, equipment and storage medium
CN113691490A (en) * 2020-05-19 2021-11-23 华为技术有限公司 Method and device for checking SRv6 message

Also Published As

Publication number Publication date
CN106161386B (en) 2020-05-05
CN106161386A (en) 2016-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15888976; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15888976; Country of ref document: EP; Kind code of ref document: A1)