WO2016165277A1 - Method and apparatus for implementing IPsec offloading - Google Patents


Info

Publication number
WO2016165277A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
module
ipsec
spd
message
Prior art date
Application number
PCT/CN2015/089869
Other languages
English (en)
Chinese (zh)
Inventor
邢业平
Original Assignee
中兴通讯股份有限公司
Priority date
2015-04-16
Filing date
2015-09-17
Publication date
2016-10-20
Application filed by 中兴通讯股份有限公司
Publication of WO2016165277A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Definitions

  • The embodiments of the present invention relate to the field of communications, and in particular to a method and apparatus for implementing IP-layer Internet Protocol Security (IPsec) offloading.
  • IPsec: IP-layer Internet Protocol Security.
  • IPsec is a set of Internet Protocol (IP) security protocols established by the IPsec working group of the Internet Engineering Task Force (IETF). IPsec defines the security services used at the Internet layer; its functions include data encryption, access control to network elements, data source address verification, data integrity checking, and anti-replay protection.
  • IP: Internet Protocol.
  • Because IPsec involves encryption and decryption, packets that match the IPsec filtering rules are encrypted and decrypted, which consumes considerable CPU resources. To reduce this consumption, some large devices currently process IPsec services on distributed, multiple dedicated IPsec service boards.
  • IPsec services are usually embedded in the system protocol stack.
  • The related technologies for implementing IPsec offloading are generally as follows.
  • Related-art IPsec outbound processing (FIG. 1): the security policy database (SPD) selection module selects a policy based on the source IP address and destination IP address of the packet. If the packet does not require IPsec, the processing module forwards it directly; if the packet must be discarded, the processing module discards it; if the packet must be IPsec-encapsulated, the processing module encrypts it, encapsulates the IPsec header onto the encrypted packet, and then forwards it.
  • SPD: security policy database.
  • Related-art IPsec inbound processing (FIG. 2): the demultiplexer determines from the protocol number in the packet whether it is an IPsec-encapsulated packet. If it is, the packet is IPsec-decapsulated and decrypted, and then policy-filtered: packets that do not match the policy are discarded, and packets that match the policy are forwarded to the service instance module. If it is not IPsec-encapsulated, the policy is applied to the packet directly: packets that do not match the policy are discarded, and packets that match the policy are forwarded to the service instance module.
  • In the related art, the policy filtering and the encryption and decryption processing reduce the ability of the protocol stack to process packets.
  • The embodiment of the invention provides a method and a device for implementing IPsec offloading, which can improve the capability of the protocol stack to process packets.
  • An embodiment of the present invention provides a method for implementing IPsec offloading, in which different service instance modules are associated in advance with corresponding security policy database (SPD) modules.
  • The service instance module generates a packet and sends it to the SPD module associated with itself.
  • The SPD module determines that the packet needs IPsec processing, and sends the packet, together with information indicating that the packet needs IPsec processing, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module.
  • The AH/ESP module encrypts the packet, encapsulates the IPsec header onto the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet.
  • There are two or more service instance modules and two or more SPD modules.
  • Optionally, the method further includes: when the SPD module determines that the packet does not need IPsec processing, the SPD module sends the packet, together with information indicating that it does not need IPsec processing, to the AH/ESP module; the AH/ESP module forwards the packet and saves the first correspondence between the SPD module and the packet, and the process ends.
  • Optionally, the method further includes: when the SPD module determines that the packet needs to be discarded, the SPD module directly discards the packet, and the process ends.
  • The AH/ESP module encrypting the packet includes: the AH/ESP module searches a preset second correspondence between SP information and SA indexes for the SA index corresponding to the SP information in the packet, and encrypts the packet according to the SA index found.
  • Optionally, the method further includes: when the AH/ESP module receives a packet and determines that it is an IPsec-encapsulated packet, it decapsulates the received packet, decrypts the decapsulated packet according to the SA index in the received packet, and sends the decrypted packet, together with information indicating that the packet was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
  • The SPD module corresponding to the decrypted packet determines that the decrypted packet needs IPsec processing, and sends the decrypted packet to the service instance module corresponding to it.
  • Optionally, the method further includes: when the SPD module corresponding to the decrypted packet determines that the decrypted packet does not need IPsec processing, it discards the decrypted packet, and the process ends.
  • Sending the decrypted packet and the information indicating that it was IPsec-encapsulated to the SPD module corresponding to the decrypted packet includes: searching the first correspondence for the SPD module corresponding to the packet, and sending the decrypted packet and the information indicating that it was IPsec-encapsulated to the SPD module found.
  • Optionally, the method further includes: when the AH/ESP module receives a packet and determines that it is not an IPsec-encapsulated packet, it sends the received packet, together with information indicating that the packet is not IPsec-encapsulated, to the SPD module corresponding to the received packet; when the SPD module corresponding to the received packet determines that the received packet needs IPsec processing, the received packet is discarded.
  • Optionally, the method further includes: when the SPD module corresponding to the received packet determines that the received packet does not need IPsec processing, it sends the received packet to the service instance module corresponding to the received packet.
  • The embodiment of the invention further provides a device for implementing IPsec offloading, including at least a service instance module, an SPD module and an AH/ESP module.
  • The service instance module is configured to generate a packet and send it to the SPD module associated with itself.
  • The SPD module is configured to determine that the packet needs IPsec processing, and to send the packet, together with information indicating that the packet needs IPsec processing, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module.
  • The AH/ESP module is configured to encrypt the packet, encapsulate the IPsec header onto the encrypted packet, forward it, and save the first correspondence between the SPD module and the packet.
  • There are two or more service instance modules and two or more SPD modules.
  • The SPD module is further configured to: when it determines that the packet does not need IPsec processing, send the packet and information indicating that it does not need IPsec processing to the AH/ESP module. The AH/ESP module is further configured to: forward such a packet, save the first correspondence between the SPD module and the packet, and end.
  • The SPD module is further configured to: when it determines that the packet needs to be discarded, directly discard the packet, and end.
  • The AH/ESP module is specifically configured to: search the preset second correspondence between SP information and SA indexes for the SA index corresponding to the SP information in the packet, encrypt the packet according to the SA index found, encapsulate the IPsec header onto the encrypted packet, forward it, and save the first correspondence between the SPD module and the packet.
  • The AH/ESP module is further configured to: when receiving a packet, determine that the received packet is IPsec-encapsulated, decapsulate it, decrypt the decapsulated packet according to the SA index in the received packet, and send the decrypted packet, together with information indicating that it was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
  • The SPD module is further configured to: when it determines that the decrypted packet needs IPsec processing, send the decrypted packet to the service instance module corresponding to it; when it determines that the decrypted packet does not need IPsec processing, discard the decrypted packet, and end.
  • The AH/ESP module is further configured to: when receiving a packet, determine that the received packet is not IPsec-encapsulated, and send the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet.
  • The SPD module is further configured to: when it determines that the received packet needs IPsec processing, discard the received packet; when it determines that the received packet does not need IPsec processing, send the received packet to the service instance module corresponding to it.
  • The technical solution provided by the present invention includes: associating different service instance modules in advance with corresponding security policy database (SPD) modules, where there are two or more service instance modules and two or more SPD modules; the service instance module generates a packet and sends it to the SPD module associated with itself; the SPD module determines that the packet needs IPsec processing, and sends the packet and information indicating that it needs IPsec processing to the AH/ESP module; the AH/ESP module encrypts the packet, encapsulates the IPsec header onto the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet.
  • FIG. 1 is a schematic diagram of IPsec outbound processing in the related art;
  • FIG. 2 is a schematic diagram of IPsec inbound processing in the related art;
  • FIG. 3 is a flowchart of a method for implementing IPsec offloading according to an embodiment of the present invention;
  • FIG. 4 is a schematic structural diagram of an apparatus for implementing IPsec offloading according to an embodiment of the present invention.
  • An embodiment of the present invention provides a method for implementing IPsec offloading. First, different service instance modules are associated in advance with corresponding SPD modules.
  • For example, a socket can be associated with a service instance module and with an SPD module, thereby associating that service instance module with that SPD module.
  • How to associate a service instance module with an SPD module is common knowledge to those skilled in the art, is not intended to limit the scope of protection of the present invention, and is not described further here.
  • The method of the invention (the flowchart of FIG. 3) comprises the following steps.
  • Step 300: The service instance module generates a packet and sends it to the SPD module associated with itself.
  • There are two or more service instance modules and two or more SPD modules.
  • For example, each service instance module may separately generate a remote login protocol (telnet) packet carried over the Transmission Control Protocol (TCP), a File Transfer Protocol (FTP) packet carried over TCP, an Internet Control Message Protocol (ICMP) packet, and so on.
  • telnet: remote login protocol; TCP: Transmission Control Protocol; FTP: File Transfer Protocol; ICMP: Internet Control Message Protocol.
  • Step 301: The SPD module determines that the packet needs IPsec processing, and sends the packet, together with information indicating that it needs IPsec processing, to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module.
  • AH: Authentication Header; ESP: Encapsulating Security Payload.
  • The AH/ESP module implements the part of the existing SPD selection module that encapsulates and encrypts packets, and the part of the existing demultiplexer that decapsulates and decrypts packets.
  • If the SPD module determines that the packet does not need IPsec processing, the SPD module sends the packet, together with information indicating that it does not need IPsec processing, to the AH/ESP module; the AH/ESP module forwards the packet directly, saves the first correspondence between the SPD module and the packet, and the process ends.
  • If the SPD module determines that the packet needs to be discarded, the SPD module discards the packet directly, and the process ends.
  • In this way, the packet policy-filtering function and the packet encryption and decryption function of existing IPsec service processing are separated: only the SPD module is multi-instantiated, and only one instance of the AH/ESP module is needed. Each SPD module instance filters packets, sends only the packets that need IPsec encryption or decryption to the AH/ESP module, and handles the packets to be discarded or passed directly by itself.
  • Step 302: The AH/ESP module encrypts the packet, encapsulates the IPsec header onto the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet.
  • The AH/ESP module encrypting the packet includes: the AH/ESP module searches a preset second correspondence between SP information and SA indexes for the SA index corresponding to the SP information in the packet, and encrypts the packet according to the SA index found.
  • The SP information includes a source IP address, a destination IP address and a protocol number; it may also include a source port and a destination port.
  • The SA index includes a key, an encryption algorithm, and the like. The SA index found is carried in the IPsec header.
  • Step 303: When receiving a packet, the AH/ESP module determines that the received packet is IPsec-encapsulated, decapsulates it, decrypts the decapsulated packet according to the SA index in the received packet, and sends the decrypted packet, together with information indicating that it was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
  • Sending the decrypted packet and this information to the SPD module corresponding to the decrypted packet includes: searching the first correspondence for the SPD module corresponding to the packet, and sending the decrypted packet and the information indicating that it was IPsec-encapsulated to the SPD module found.
  • Step 304: The SPD module corresponding to the decrypted packet determines that the decrypted packet needs IPsec processing, and sends the decrypted packet to the service instance module corresponding to it.
  • If the SPD module corresponding to the decrypted packet determines that the decrypted packet does not need IPsec processing, the decrypted packet is discarded and the process ends.
  • Optionally, the method further includes: when the AH/ESP module determines that a received packet is not IPsec-encapsulated, it sends the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet; if that SPD module determines that the received packet needs IPsec processing, the received packet is discarded.
  • If the SPD module corresponding to the received packet determines that the received packet does not need IPsec processing, it sends the received packet to the service instance module corresponding to the received packet.
  • The present invention further provides an apparatus for implementing IPsec offloading (FIG. 4), including at least a service instance module, an SPD module and an AH/ESP module.
  • The service instance module is configured to generate a packet and, when sending it, send it to the SPD module associated with itself.
  • The SPD module is configured to determine that the packet needs IPsec processing, and to send the packet, together with information indicating that it needs IPsec processing, to the AH/ESP module.
  • The AH/ESP module is configured to encrypt the packet, encapsulate the IPsec header onto the encrypted packet, forward it, and save the first correspondence between the SPD module and the packet.
  • There are two or more service instance modules and two or more SPD modules.
  • The SPD module is further configured to: when it determines that the packet does not need IPsec processing, send the packet and information indicating that it does not need IPsec processing to the AH/ESP module. The AH/ESP module is further configured to: forward such a packet and save the first correspondence between the SPD module and the packet.
  • The SPD module is further configured to: when it determines that the packet needs to be discarded, discard the packet.
  • The AH/ESP module is specifically configured to: search the preset second correspondence between SP information and SA indexes for the SA index corresponding to the SP information in the packet, encrypt the packet according to the SA index found, encapsulate the IPsec header onto the encrypted packet, forward it, and save the first correspondence between the SPD module and the packet.
  • The AH/ESP module is further configured to: when receiving a packet, determine that the received packet is IPsec-encapsulated, decapsulate it, decrypt the decapsulated packet according to the SA index in the received packet, and send the decrypted packet, together with information indicating that it was IPsec-encapsulated, to the SPD module corresponding to the decrypted packet.
  • The SPD module is further configured to: when it determines that the decrypted packet needs IPsec processing, send the decrypted packet to the service instance module corresponding to it; when it determines that the decrypted packet does not need IPsec processing, discard the decrypted packet.
  • The AH/ESP module is further configured to: when receiving a packet, determine that the received packet is not IPsec-encapsulated, and send the received packet, together with information indicating that it is not IPsec-encapsulated, to the SPD module corresponding to the received packet.
  • The SPD module is further configured to: when it determines that the received packet needs IPsec processing, discard the received packet; when it determines that the received packet does not need IPsec processing, send the received packet to the service instance module corresponding to it.
  • The method and device for implementing IP-layer protocol security (IPsec) offloading of the present invention include: associating different service instance modules in advance with corresponding security policy database (SPD) modules, where there are two or more service instance modules and two or more SPD modules; the service instance module generates a packet and sends it to the SPD module associated with itself; the SPD module determines that the packet needs IPsec processing, and sends the packet and information indicating that it needs IPsec processing to the Authentication Header (AH)/Encapsulating Security Payload (ESP) module; the AH/ESP module encrypts the packet, encapsulates the IPsec header onto the encrypted packet, forwards it, and saves the first correspondence between the SPD module and the packet.
  • With the solution of the present invention, when there are a large number of packets, different SPD modules can process different packets simultaneously, thereby improving the capability of the protocol stack to process packets.
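The offload architecture described above, modelled in Python as an added example that is not code from the patent or its assignee: several SPD module instances (one per service instance) do the policy filtering, while a single AH/ESP module keeps the first correspondence (flow to SPD module) and the second correspondence (SP information to SA index) and performs the only encryption and decryption. Assumed for the demonstration, since the patent does not specify them: the (local, remote, protocol) flow key, a placeholder keystream cipher in place of the SA's real algorithm, one SA shared by both directions, dropping inbound packets for flows with no first-correspondence entry, and all addresses, keys and SPIs as constructed sample data.

```python
import hashlib
from dataclasses import dataclass

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"
ESP_PROTO = 50  # IP protocol number marking an ESP-encapsulated packet

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes
    spi: int = 0         # SA index carried in the IPsec header once encapsulated
    next_proto: int = 0  # inner protocol number, restored on decapsulation

def flow_key(pkt, inbound=False):
    # Selector for policy lookup and the first correspondence; (local, remote, protocol) is assumed.
    return (pkt.dst, pkt.src, pkt.proto) if inbound else (pkt.src, pkt.dst, pkt.proto)

def xor_transform(key, spi, data):
    # Placeholder cipher (SHA-256 keystream XOR) so the example runs offline; not the SA's real algorithm.
    def ks(i):
        return hashlib.sha256(key + spi.to_bytes(4, "big") + (i // 32).to_bytes(4, "big")).digest()[i % 32]
    return bytes(b ^ ks(i) for i, b in enumerate(data))

class SpdModule:  # one policy-filtering instance per service instance; it never touches crypto
    def __init__(self, policy):
        self.policy = policy  # {flow_key: PROTECT | BYPASS | DISCARD}
        self.delivered = []   # packets handed to the associated service instance module
        self.dropped = []
    def outbound(self, pkt, ahesp):  # Step 301: filter first; only PROTECT/BYPASS traffic reaches AH/ESP
        action = self.policy.get(flow_key(pkt), DISCARD)  # no matching policy: drop (assumed default)
        if action == DISCARD:
            self.dropped.append(pkt)
        else:
            ahesp.outbound(pkt, action == PROTECT, self)
    def inbound(self, pkt, was_ipsec):  # Step 304: check the policy against how the packet arrived
        action = self.policy.get(flow_key(pkt, inbound=True), DISCARD)
        if (was_ipsec and action == PROTECT) or (not was_ipsec and action == BYPASS):
            self.delivered.append(pkt)
        else:  # cleartext where IPsec is required, IPsec where bypass is expected, or no policy at all
            self.dropped.append(pkt)

class AhEspModule:  # the single shared encapsulation/decapsulation instance
    def __init__(self, sa_by_flow):
        self.sa_by_flow = sa_by_flow  # second correspondence: SP information -> SA index
        self.sa_by_spi = {sa["spi"]: sa for sa in sa_by_flow.values()}
        self.spd_by_flow = {}         # first correspondence: flow -> SPD module
        self.wire, self.unmatched = [], []
    def outbound(self, pkt, needs_ipsec, spd):  # Step 302
        self.spd_by_flow[flow_key(pkt)] = spd   # saved for protected and bypassed packets alike
        if needs_ipsec:
            sa = self.sa_by_flow[flow_key(pkt)]
            pkt = Packet(pkt.src, pkt.dst, ESP_PROTO, xor_transform(sa["key"], sa["spi"], pkt.payload),
                         spi=sa["spi"], next_proto=pkt.proto)
        self.wire.append(pkt)
    def inbound(self, pkt):  # Step 303, plus the branch for packets that are not IPsec-encapsulated
        was_ipsec = pkt.proto == ESP_PROTO
        if was_ipsec:  # SA index comes from the received header; one SA for both directions is a simplification
            sa = self.sa_by_spi[pkt.spi]
            pkt = Packet(pkt.src, pkt.dst, pkt.next_proto, xor_transform(sa["key"], sa["spi"], pkt.payload))
        spd = self.spd_by_flow.get(flow_key(pkt, inbound=True))
        if spd is None:  # flow never seen outbound: not covered by the patent, dropped here
            self.unmatched.append(pkt)
        else:
            spd.inbound(pkt, was_ipsec)

def run_scenario():
    # Two service instances (telnet and FTP, as on the page) with their own SPD modules share one AH/ESP module.
    telnet_spd = SpdModule({("10.0.0.1", "10.0.0.2", 6): PROTECT})  # constructed sample policies, addresses, SA
    ftp_spd = SpdModule({("10.0.0.1", "10.0.0.3", 6): BYPASS})
    ahesp = AhEspModule({("10.0.0.1", "10.0.0.2", 6): {"spi": 0x1001, "key": b"demo-key"}})
    telnet_spd.outbound(Packet("10.0.0.1", "10.0.0.2", 6, b"login"), ahesp)  # Step 300, telnet instance
    ftp_spd.outbound(Packet("10.0.0.1", "10.0.0.3", 6, b"LIST"), ahesp)      # Step 300, FTP instance
    telnet_spd.outbound(Packet("10.0.0.1", "10.0.0.9", 6, b"stray"), ahesp)  # no policy: the SPD drops it
    esp_out, clear_out = ahesp.wire
    ahesp.inbound(Packet("10.0.0.2", "10.0.0.1", ESP_PROTO, esp_out.payload, spi=0x1001, next_proto=6))
    ahesp.inbound(Packet("10.0.0.2", "10.0.0.1", 6, b"cleartext where IPsec is required"))
    ahesp.inbound(Packet("10.0.0.3", "10.0.0.1", 6, b"150 Opening data connection"))
    return {"wire_ok": esp_out.proto == ESP_PROTO and esp_out.payload != b"login" and clear_out.payload == b"LIST",
            "telnet_got": [p.payload for p in telnet_spd.delivered],
            "ftp_got": [p.payload for p in ftp_spd.delivered],
            "dropped": (len(telnet_spd.dropped), len(ftp_spd.dropped), len(ahesp.unmatched))}
```

The check in SpdModule.inbound is the part worth keeping in view: a cleartext packet arriving on a flow whose policy requires IPsec is dropped after decapsulation rather than delivered, so splitting filtering from the AH/ESP module does not open a bypass.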


Abstract

The invention relates to a method and apparatus for implementing Internet Protocol Security (IPsec) offloading. The method comprises pre-associating different service instance modules with corresponding security policy database (SPD) modules, where there are at least two service instance modules and at least two SPD modules. The method further comprises the following steps: a service instance module generates a packet and sends the packet to the SPD module associated with it; the SPD module determines that IPsec processing needs to be performed on the packet, and sends the packet, together with information indicating that IPsec processing needs to be performed on the packet, to an Authentication Header (AH)/Encapsulating Security Payload (ESP) module; and the AH/ESP module encrypts the packet, encapsulates the encrypted packet with an IPsec header, forwards the packet, and then saves a first correspondence between the SPD module and the packet. By means of the solution of the present invention, when there are a large number of packets, different SPD modules can be used to process different packets simultaneously, thereby improving the packet-processing capability of a protocol stack.
PCT/CN2015/089869 2015-04-16 2015-09-17 Method and apparatus for implementing IPsec offloading WO2016165277A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510180550.0 2015-04-16
CN201510180550.0A CN106161386B (zh) 2015-04-16 2015-04-16 Method and apparatus for implementing IPsec offloading

Publications (1)

Publication Number Publication Date
WO2016165277A1 true WO2016165277A1 (fr) 2016-10-20

Family

ID=57126334

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/089869 WO2016165277A1 (fr) 2015-04-16 2015-09-17 Method and apparatus for implementing IPsec offloading

Country Status (2)

Country Link
CN (1) CN106161386B (fr)
WO (1) WO2016165277A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639721A (zh) * 2019-01-08 2019-04-16 郑州云海信息技术有限公司 IPsec packet format processing method, apparatus, device and storage medium
CN113691490A (zh) * 2020-05-19 2021-11-23 华为技术有限公司 Method and apparatus for verifying SRv6 packets

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107172072B (zh) * 2017-06-09 2020-11-06 中国电子科技集团公司第四十一研究所 FPGA-based high-speed IPSec data stream processing system and method
CN113992343B (zh) * 2021-09-10 2022-11-18 深圳开源互联网安全技术有限公司 Apparatus, method, electronic device and storage medium for implementing the IPsec network security protocol
CN113872865A (zh) * 2021-10-11 2021-12-31 南方电网数字电网研究院有限公司 Packet data offloading method, apparatus, computer device and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2005220270A1 (en) * 2005-10-10 2007-04-26 Canon Kabushiki Kaisha A method of efficiently identifying security association information for IPsec processing
CN101605136A (zh) * 2009-07-28 2009-12-16 杭州华三通信技术有限公司 Method and apparatus for performing Internet Protocol Security (IPSec) processing on packets
CN103188264A (zh) * 2013-03-25 2013-07-03 清华大学深圳研究生院 Inline network security processor and processing method
CN103198105A (zh) * 2013-03-25 2013-07-10 清华大学深圳研究生院 Ethernet IPSec security database lookup apparatus and method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100499649C (zh) * 2004-09-15 2009-06-10 华为技术有限公司 Method for implementing security association backup and switchover
US8250229B2 (en) * 2005-09-29 2012-08-21 International Business Machines Corporation Internet protocol security (IPSEC) packet processing for multiple clients sharing a single network address
CN1984130A (zh) * 2005-12-14 2007-06-20 北京三星通信技术研究有限公司 IPSec forwarding method
US8010990B2 (en) * 2006-10-26 2011-08-30 Intel Corporation Acceleration of packet flow classification in a virtualized system
KR20120035392A (ko) * 2010-10-05 2012-04-16 주식회사 인스프리트 Redundant encryption server system in an IPSec environment and control method thereof
CN102420769A (zh) * 2011-12-27 2012-04-18 汉柏科技有限公司 IPsec forwarding method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109639721A (zh) * 2019-01-08 2019-04-16 郑州云海信息技术有限公司 IPsec packet format processing method, apparatus, device and storage medium
CN109639721B (zh) * 2019-01-08 2022-02-22 郑州云海信息技术有限公司 IPsec packet format processing method, apparatus, device and storage medium
CN113691490A (zh) * 2020-05-19 2021-11-23 华为技术有限公司 Method and apparatus for verifying SRv6 packets

Also Published As

Publication number Publication date
CN106161386B (zh) 2020-05-05
CN106161386A (zh) 2016-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15888976; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15888976; Country of ref document: EP; Kind code of ref document: A1)