WO2018130079A1 - Method for encrypting internet protocol security (ipsec) protocol and network device - Google Patents


Publication number
WO2018130079A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
encrypted
network device
hard
address
Application number
PCT/CN2017/119487
Other languages
French (fr)
Chinese (zh)
Inventor
邹远鹏
刘家晓
刘福元
Original Assignee
京信通信系统(中国)有限公司
京信通信系统(广州)有限公司
京信通信技术(广州)有限公司
天津京信通信系统有限公司
Application filed by 京信通信系统(中国)有限公司, 京信通信系统(广州)有限公司, 京信通信技术(广州)有限公司, 天津京信通信系统有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • The embodiments relate to the field of communications technologies, and in particular to an Internet Protocol Security (IPSec) encryption method and a network device.
  • As networks become ever more widespread, the security problems that come with them are of great concern.
  • One of them is the replay attack suffered by a client: a sender transmits an Internet Protocol (IP) packet to a receiver, and the same packet is later delivered to the receiver again.
  • IP: Internet Protocol
  • The Internet Protocol Security (IPSec) protocol has been used to solve this problem.
  • IPSec defines a sequence number (SN) field that records the serial number of each IP packet.
  • For the packets a sender transmits under one group of security association (SA) information, the SN is unique. For example, once the receiver has received an IP packet with sequence number 5, it rejects any later packet that again carries sequence number 5, and so refuses the repeated packet.
  • DSP: Digital Signal Processor
  • ARM: Advanced RISC (Reduced Instruction Set Computer) Machine
  • POWERPC: Performance Optimization With Enhanced RISC Performance Computing
  • CPU: Central Processing Unit
  • Multi-core heterogeneous integrated chips combine processor cores of different types, such as DSP, ARM and POWERPC cores.
  • When a multi-core heterogeneous network device processes data, multiple threads process packets in parallel.
  • Outgoing IP packets are then encrypted in different cryptographic modules, which easily leaves the sequence numbers of the IPSec-encapsulated IP packets arriving at the receiver out of order.
  • Such an out-of-order sequence is likely to cause an IP packet to be recognised as a replay packet and wrongly discarded.
  • The embodiments provide an IPSec encryption method and a network device that effectively solve the prior-art problem that the sequence numbers of IP packets sent by a multi-core heterogeneous network device cannot be guaranteed.
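The receiver-side check that turns a duplicated or badly reordered sequence number into a dropped packet is the ESP anti-replay window of RFC 4303. The following C program is an added illustration, not code from the patent: it implements that window and runs three constructed sequences through it, namely two encryption modules that each keep their own counter for one SA (the prior-art situation described above), a single counter with mild reordering, and a single counter with one packet delayed past the window. The window size, the interleaving and the packet sequences are assumptions made for the example.

```c
/* Added example, not the patent's code: RFC 4303 style anti-replay window and
 * the effect of sequence numbers assigned by two independent encryption
 * modules for one SA. Window size and traffic below are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define REPLAY_WINDOW 64  /* assumed window size; RFC 4303 requires at least 32 */

/* Receiver state for one SA: highest SN accepted and a bitmap covering the
 * REPLAY_WINDOW sequence numbers ending at that SN (bit i = last_seq - i).
 * 32-bit SNs only; extended sequence numbers are not modelled here. */
typedef struct {
    uint32_t last_seq;
    uint64_t bitmap;
} replay_state;

/* Returns true and records the SN if the packet is accepted, false if it is a
 * replay or has fallen below the window. A real ESP receiver only marks the
 * SN after the integrity check succeeds; that step is omitted here. */
bool replay_check(replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                                   /* SN 0 is never valid */
    if (seq > st->last_seq) {                           /* new highest SN: slide the window */
        uint32_t shift = seq - st->last_seq;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1;
        st->last_seq = seq;
        return true;
    }
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;                                   /* too old, outside the window */
    if (st->bitmap & ((uint64_t)1 << diff))
        return false;                                   /* already seen: replay */
    st->bitmap |= (uint64_t)1 << diff;
    return true;
}

/* Feed `n` sequence numbers in wire order and count how many are accepted. */
size_t accepted_count(const uint32_t *seqs, size_t n)
{
    replay_state st = {0, 0};
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += replay_check(&st, seqs[i]);
    return ok;
}

/* Prior art: a soft-encryption path on the control plane core and the
 * hardware module each keep their own SN counter for the same SA. The wire
 * order is an assumed alternation of the two streams: 1,1,2,2,3,3,4,4. */
size_t two_counters_accepted(void)
{
    uint32_t seqs[8];
    uint32_t soft = 0, hard = 0;
    for (size_t i = 0; i < 8; i++)
        seqs[i] = (i % 2 == 0) ? ++hard : ++soft;
    return accepted_count(seqs, 8);
}

/* Single allocator, as with the patent's hardware encryption module: one
 * counter for every packet of the SA, even if packets leave slightly out of order. */
size_t one_counter_accepted(void)
{
    uint32_t seqs[8] = {1, 2, 4, 3, 5, 7, 6, 8};
    return accepted_count(seqs, 8);
}

/* One counter, but a packet delayed by more than the window is still lost. */
size_t late_packet_accepted(void)
{
    uint32_t seqs[3] = {1, 100, 2};   /* SN 2 arrives after the window slid to 100 */
    return accepted_count(seqs, 3);
}

int main(void)
{
    printf("two counters: %zu/8 accepted\n", two_counters_accepted());
    printf("one counter:  %zu/8 accepted\n", one_counter_accepted());
    printf("late packet:  %zu/3 accepted\n", late_packet_accepted());
    return 0;
}
```

With two independent counters every second packet is rejected as a replay, because the receiver cannot tell a colliding SN from a retransmission. A single SN allocator removes collisions and keeps reordering small enough for the window, but it does not replace the window: the third case shows that a packet held back beyond the window is still dropped, so the allocator must also sit close to the transmit path.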
  • In a first aspect, an embodiment provides an IPSec encryption method applicable to a multi-core heterogeneous network device that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data.
  • The method includes: the network device obtains a first IP packet through the control plane processor core; the network device determines, through the control plane processor core, that the first IP packet is a packet to be encrypted and, according to the information of the first IP packet, that it needs to be hard-encrypted;
  • in that case the network device assigns a sequence number to the first IP packet through the hardware encryption module and hard-encrypts it to obtain the encrypted first IP packet; the network device then sends the encrypted first IP packet through the network card.
  • In a second aspect, an embodiment provides a network device for IPSec encryption that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data.
  • The network device includes: the control plane processor core, configured to obtain a first IP packet; a hardware encryption module, configured to assign a sequence number to the first IP packet and hard-encrypt it to obtain the encrypted first IP packet when the control plane processor core has determined that the first IP packet is to be encrypted and that it needs to be hard-encrypted; and a network card, configured to send the encrypted first IP packet.
  • In a third aspect, an embodiment provides a network device including:
  • at least one processor, and
  • a memory storing instructions executable by the at least one processor, the instructions being executed by the at least one processor so that it can perform the IPSec encryption method of any embodiment of the first aspect.
  • In a fourth aspect, an embodiment provides a non-transitory computer-readable storage medium that stores computer instructions which cause a computer to perform the method of the first aspect or of any of its possible embodiments.
  • In a fifth aspect, an embodiment provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the program including program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect or of any of its possible embodiments.
  • In these embodiments the network device obtains the first IP packet through the control plane processor core and determines, through that core, that the packet is to be encrypted and, from the information of the packet, that it needs hard encryption; the hardware encryption module then assigns the sequence number and hard-encrypts the packet, and the network card sends it. Packets to be encrypted are thus examined a second time, and every packet that needs hard encryption is encrypted by the hardware encryption module, so that only one encryption module ever encrypts packets. The sequence numbers of the packets are therefore guaranteed, and the prior-art problem of unguaranteed sequence numbers caused by encrypting packets with two encryption modules is avoided.
  • FIG. 1 is a schematic structural diagram of an Internet protocol security IPSec protocol encryption system according to an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of a method for encrypting an Internet protocol security IPSec protocol according to an embodiment of the present application
  • FIG. 3 is a schematic flowchart of another method for encrypting an Internet protocol security IPSec protocol according to an embodiment of the present application
  • FIG. 4 is a schematic structural diagram of a network device for encrypting an Internet protocol security IPSec protocol according to an embodiment of the present application
  • FIG. 5 is a schematic structural diagram of a network device according to an embodiment of the present disclosure.
  • FIG. 1 shows the architecture of an IPSec encryption system to which the embodiments apply. The architecture applies to a multi-core heterogeneous network device that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data. As shown in FIG. 1, the system architecture 100 includes a control plane processor core 110, a user plane processor core 120, a hardware encryption module 130 and a network card 140.
  • The control plane processor core 110 includes a network protocol stack 111 and a network card driver 112.
  • The network protocol stack 111 is connected to the network card driver 112.
  • The control plane processor core 110 can be connected to the user plane processor core 120 or to the network card 140.
  • Optionally, the control plane processor core 110 is connected to the user plane processor core 120 through the network card driver 112, or to the network card 140 through the network card driver 112; optionally, the user plane processor core 120 is connected to the hardware encryption module 130.
  • The user plane processor core 120 can also be connected to the network card 140; the hardware encryption module 130 is connected to the network card 140. The control plane processor core 110 is configured to process control plane data, and the user plane processor core 120 to process user plane data.
  • Optionally, the control plane processor core 110 is a POWERPC core or an ARM core, and the user plane processor core 120 is a DSP core.
  • The network protocol stack 111 in the control plane processor core 110 processes the first IP packet obtained from the control plane data and determines whether it needs to be encrypted; whether it also needs hard encryption is determined through the network card driver 112.
  • If it does, the first IP packet to be encrypted is sent to the user plane processor core 120 by inter-processor communication, forwarded by the user plane processor core 120 to the hardware encryption module 130, which assigns a sequence number and encrypts it, and the encrypted first IP packet is then sent out through the network card 140.
  • On the other hand, the second IP packet obtained from the user plane data processed by the user plane processor core 120 is sent to the hardware encryption module 130, which assigns a sequence number and encrypts it, and the encrypted second IP packet is then sent out through the network card 140.
  • FIG. 2 is a schematic flowchart of an IPSec encryption method provided by an embodiment.
  • The method applies to a multi-core heterogeneous network device including at least one control plane processor core that processes control plane data and at least one user plane processor core that processes user plane data, and comprises the following steps:
  • Step S201: the network device acquires the first IP packet through the control plane processor core.
  • Step S202: if the network device determines, through the control plane processor core, that the first IP packet is a packet to be encrypted and, according to the information of the first IP packet, that it needs to be hard-encrypted,
  • the network device assigns a sequence number to the first IP packet through the hardware encryption module and hard-encrypts it to obtain the encrypted first IP packet.
  • Step S203: the network device sends the encrypted first IP packet through the network card.
  • The first IP packet may be an IP packet encapsulating control plane data processed by the control plane processor core.
  • The information of the first IP packet includes the source IP address and the destination IP address in the packet. Optionally, the control plane processor core is a core running a Linux operating system. Whether the first IP packet needs to be encrypted can be determined in several ways; one option is for the network protocol stack in the control plane processor core to decide. If the packet needs to be encrypted, it is sent to the network card driver, and the network card driver determines whether the packet to be encrypted also needs hard encryption.
  • A first IP packet that needs hard encryption is sent to the user plane processor core by inter-processor communication (IPC), and the hardware encryption module then assigns it a sequence number and hard-encrypts it.
  • IPC: Inter-Processor Communication
  • In step S203 the hardware encryption module sends the encrypted first IP packet through the network card.
  • The network device determines from the information of the first IP packet that it needs hard encryption when either of the following two conditions holds. First, the network device determines that the first IP packet is in tunnel mode and that its source IP address is an IP address negotiated under the IPSec protocol; then the first IP packet needs to be hard-encrypted. Second, the network device determines that the first IP packet is in transport mode, obtains the set of IP addresses in the protected state, and finds that the destination IP address of the first IP packet is one of that set; then the first IP packet needs to be hard-encrypted.
  • The information of the first IP packet includes the source IP address and the destination IP address in the packet.
  • As an example, the two network devices are a client and a cloud server, where the IP address of the client is IP 11 and the IP address of the cloud server is IP 21.
  • An IPSec link is set up between them to send and receive packets.
  • Take the client sending the first IP packet to the cloud server as an example:
  • In the first case, an IPSec tunnel is established between the client and the cloud server and the IP addresses of the packets are negotiated under the IPSec protocol: the address the client negotiates is IP 12,
  • and the address the cloud server negotiates is IP 22.
  • The source IP address of the first packet is set to IP 12; after determining that the source IP address of the first packet is IP 12, the network device determines that the first IP packet needs to be hard-encrypted.
  • In the second case, an IPSec link is established between the client and the cloud server, and the set of IP addresses in the protected state is preset in the cloud server: IP 31, IP 32, IP 33, IP 34, IP 35, IP 36, where each IP address in the set corresponds to one network device. When the client communicates with one of the network devices in the set, it first obtains the IP address set, and the client sends the first IP packet to be encrypted to the cloud server.
  • The network protocol stack of the client sets the destination IP address of the first IP packet to IP 34, and the network card driver in the client determines that the destination IP address IP 34 is in the IP address set {IP 31, IP 32, IP 33, IP 34, IP 35, IP 36}, so the first IP packet needs to be hard-encrypted.
  • Correspondingly, the network device determines that the first IP packet does not need hard encryption in two cases: in the first case, the network device determines that the first IP packet is in tunnel mode and that its source IP address is not an IP address negotiated under the IPSec protocol, so the first IP packet need not be hard-encrypted;
  • in the second case, the network device determines that the first IP packet is in transport mode, obtains the IP address set preset in the cloud server, and finds that the destination IP address of the first IP packet is not in the set, so the first IP packet need not be hard-encrypted.
  • The network card driver thus determines from the information of the first IP packet whether it needs hard encryption, so the IP packets that need hard encryption can be identified reliably and sent to the hardware encryption module for encryption, which avoids the problem of unpreserved sequence numbers in transmitted packets that arises when the first IP packet is soft-encrypted directly on the control plane processor core.
  • Optionally, the method further includes: when the network device determines, through the control plane processor core, that the first IP packet is not a packet to be encrypted, the network device sends the first IP packet through the network card.
  • When the control plane processor core determines that the first IP packet is not to be encrypted, the packet is handed to the network card driver through the ordinary IP packet sending interface and sent out directly through the network card, which avoids wasting resources by passing a first IP packet that does not need encryption into the encryption path of the network card driver.
  • Optionally, the method further includes: when the network device determines from the information of the first IP packet that it does not need hard encryption, the network device sends the first IP packet through the network card.
  • The network card driver can thus determine whether the first IP packet needs hard encryption and send a first IP packet that does not directly to the network card, avoiding the waste of resources that would result from sending a first IP packet that does not need hard encryption to the user plane processor core.
  • Optionally, the IPSec encryption method further includes: the network device acquires a second IP packet through the user plane processor core, and determines from the information of the second IP packet that it needs to be hard-encrypted;
  • the network device assigns a sequence number to the second IP packet through the hardware encryption module and hard-encrypts it to obtain the encrypted second IP packet, and sends the encrypted second IP packet through the network card.
  • The user plane data processed by the user plane processor core yields the second IP packet. If the second IP packet needs hard encryption, it is sent to the hardware encryption module to be hard-encrypted; if it does not, it is sent through the network card. The first IP packets of the control plane processor core that need hard encryption and the second IP packets that the user plane processor core needs to encrypt and send are therefore all sent to the hardware encryption module for encryption.
  • Every encrypted IP packet sent by the multi-core heterogeneous network device is assigned its sequence number through the hardware encryption module.
  • Hard encryption on the one hand avoids the problem that sequence numbers are not preserved when IP packets are encrypted by multiple threads in parallel in a multi-core heterogeneous network device; on the other hand, no shared memory or other mutual-exclusion or synchronisation operations are needed between the cores of the multi-core heterogeneous network device, which avoids resource contention problems.
  • Optionally, the control plane processor core determines that the first IP packet is a packet to be encrypted as follows: the network device determines a preset security policy route that includes at least one IP address, and if the destination IP address of the first IP packet belongs to one of those IP addresses, the network device determines that the first IP packet is a packet to be encrypted.
  • Optionally, the control plane processor core includes the network protocol stack of a Linux operating system, and the packets to be encrypted are identified by modifying that network protocol stack; optionally, the security policy route is preset in the network protocol stack,
  • and the security policy route includes at least one IP address.
  • For example, the IP addresses 192.168.10.15 to 192.168.10.30 correspond to a secure route. If the destination IP address of the first IP packet is 192.168.10.25, the network protocol stack finds the secure route corresponding to 192.168.10.25 in the security policy route and determines that the first IP packet is a packet to be encrypted.
  • The network device can thus determine through the control plane processor core whether the first IP packet needs to be encrypted and then hand the packet to be encrypted to the network card driver, which avoids soft-encrypting the first IP packet on the control plane processor core;
  • that prevents the CPU from spending too many resources on soft encryption and improves system performance.
  • Taking an ARM core as the control plane processor core and a DSP core as the user plane processor core, the application provides an optional way to hard-encrypt the first IP packet of the control plane processor core.
  • The xfrm_lookup function is set in the network protocol stack of the ARM core. It identifies the sending interface that the IPSec protocol must use, performs the encapsulation processing and returns the first IP packet. (In the mainline Linux kernel, xfrm_lookup() is the routine that matches an outgoing flow against the security policy database and returns the transformed route; the embodiment modifies the stack around it.) For example, in the network protocol stack
  • the security policy corresponding to the IP address of the first IP packet is determined through the xfrm_lookup function, and the first IP packet to be encrypted
  • is sent through that sending interface to the network card driver. The network card driver determines whether the first IP packet needs hard encryption; if it does, the first IP packet is sent to the DSP core by IPC, and the DSP core sends it to the hardware encryption module, which assigns the sequence number and hard-encrypts it. Meanwhile, a second IP packet processed on the DSP core that needs hard encryption
  • is also sent by the DSP core to the hardware encryption module, which assigns the sequence number and hard-encrypts it. All IP packets sent by the multi-core heterogeneous network device are thus assigned their sequence numbers and hard-encrypted by the hardware encryption module,
  • which achieves the effect of single-threaded encryption of IP packets in a multi-core heterogeneous network device: the sequence numbers of the hard-encrypted IP packets increase in order, and the packets are not discarded by the peer's anti-replay mechanism.
  • FIG. 3 is a schematic flowchart of another IPSec encryption method provided by an embodiment,
  • based on the system architecture shown in FIG. 1.
  • This method applies to a multi-core heterogeneous network device including at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data, and includes the following steps:
  • Step S301: the network device acquires the first IP packet through the control plane processor core.
  • Step S302: the network device determines, through the control plane processor core, whether the destination IP address of the first IP packet belongs to one of the at least one IP address of the preset security policy route; if yes, step S303 is performed; if not, step S313 is performed.
  • Step S303: the network device determines, through the network protocol stack, that the first IP packet is a packet to be encrypted.
  • Step S304: the network device determines, through the network card driver, whether the first IP packet is in tunnel mode or transport mode; if tunnel mode, step S305 is performed; if transport mode, step S306 is performed.
  • Step S305: the network device determines, through the network card driver, whether the source IP address of the first IP packet is an IP address negotiated under the IPSec protocol; if yes, step S307 is performed; if not, step S313 is performed.
  • Step S306: the network device obtains the set of IP addresses in the protected state preset in the cloud server and determines whether the destination IP address of the first IP packet is one of that set; if yes, step S307 is performed; if not, step S313 is performed.
  • Step S307: the network device determines that the first IP packet needs to be hard-encrypted.
  • Step S308: the network card driver in the control plane processor core sends the first IP packet to the user plane processor core.
  • Step S309: the network device acquires the second IP packet through the user plane processor core.
  • Step S310: the network device determines from the information of the second IP packet whether it needs to be hard-encrypted; if yes, step S311 is performed; if not, step S314 is performed.
  • Step S311: the network device sends the first IP packet and the second IP packet to the hardware encryption module through the user plane processor core.
  • Step S312: the network device assigns sequence numbers to the first IP packet and the second IP packet through the hardware encryption module and hard-encrypts each to obtain the encrypted first IP packet and the encrypted second IP packet.
  • Step S313: the network card driver sends the first IP packet to the network card.
  • Step S314: the network device sends the first IP packet and the encrypted second IP packet through the network card.
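The decision procedure of steps S302 to S313, together with the two hard-encryption conditions and the security-policy-route example given earlier, as an added C program that is not the patent's code and not the Linux xfrm code. The addresses are constructed: the policy route 192.168.10.15 to 192.168.10.30 is the one quoted in the text, while 10.0.0.12 stands in for the negotiated address IP 12 and 192.168.10.21 to 192.168.10.26 stand in for the protected set IP 31 to IP 36; the enum names and the -1 result for a malformed address are this example's own conventions.

```c
/* Added example, not the patent's code and not the Linux xfrm code: the
 * transmit-side classification of Fig. 3 (steps S302 to S313). The policy
 * route, negotiated tunnel address and protected set are constructed to
 * mirror the examples in the text. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { MODE_TUNNEL, MODE_TRANSPORT } ipsec_mode;

/* Where the control plane core hands the packet next. */
typedef enum {
    PATH_NIC_PLAIN,     /* S302 no: not to be encrypted, ordinary send path to the network card */
    PATH_NIC_NOT_HARD,  /* S305/S306 no: to be encrypted but not hard; driver hands it to the network card */
    PATH_HARD_IPC       /* S307/S308: IPC to the user plane core, then the hardware encryption module */
} tx_path;

typedef struct { uint32_t src, dst; ipsec_mode mode; } ip_packet_info;  /* IPv4, host byte order */
typedef struct { uint32_t lo, hi; } policy_route;                       /* inclusive destination range */
typedef struct {
    const uint32_t *negotiated_src; size_t n_negotiated;  /* tunnel mode: check the source */
    const uint32_t *protected_dst;  size_t n_protected;   /* transport mode: check the destination */
} hard_policy;

/* Strict dotted-quad parser: rejects empty octets, values above 255 and trailing text. */
bool parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t acc = 0;
    for (int octet = 0; octet < 4; octet++) {
        uint32_t v = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9' && digits < 4) { v = v * 10 + (uint32_t)(*s++ - '0'); digits++; }
        if (digits == 0 || v > 255) return false;
        acc = (acc << 8) | v;
        if (octet < 3 && *s++ != '.') return false;
    }
    if (*s != '\0') return false;
    *out = acc;
    return true;
}

static bool in_set(const uint32_t *set, size_t n, uint32_t a)
{
    for (size_t i = 0; i < n; i++) if (set[i] == a) return true;
    return false;
}

/* S302: a destination inside a preset security policy route means the packet is to be encrypted. */
bool policy_route_match(const policy_route *routes, size_t n, uint32_t dst)
{
    for (size_t i = 0; i < n; i++) if (dst >= routes[i].lo && dst <= routes[i].hi) return true;
    return false;
}

/* S304 to S307: the network card driver's hard-encryption decision. */
bool needs_hard_encryption(const hard_policy *hp, const ip_packet_info *pkt)
{
    if (pkt->mode == MODE_TUNNEL) return in_set(hp->negotiated_src, hp->n_negotiated, pkt->src);
    return in_set(hp->protected_dst, hp->n_protected, pkt->dst);
}

tx_path classify(const policy_route *routes, size_t n_routes, const hard_policy *hp, const ip_packet_info *pkt)
{
    if (!policy_route_match(routes, n_routes, pkt->dst)) return PATH_NIC_PLAIN;
    if (needs_hard_encryption(hp, pkt)) return PATH_HARD_IPC;
    return PATH_NIC_NOT_HARD;
}

/* Constructed scenario (assumptions, not from the patent): policy route
 * 192.168.10.15 to 192.168.10.30 as quoted in the text, negotiated tunnel
 * source 10.0.0.12 standing in for "IP 12", protected set 192.168.10.21 to
 * 192.168.10.26 standing in for "IP 31" to "IP 36".
 * Returns a tx_path value, or -1 if either address is malformed. */
int classify_example(const char *src, const char *dst, ipsec_mode mode)
{
    static const char *prot_str[6] = { "192.168.10.21", "192.168.10.22", "192.168.10.23",
                                       "192.168.10.24", "192.168.10.25", "192.168.10.26" };
    policy_route routes[1];
    uint32_t negotiated[1], prot_set[6];
    ip_packet_info pkt;
    parse_ipv4("192.168.10.15", &routes[0].lo);
    parse_ipv4("192.168.10.30", &routes[0].hi);
    parse_ipv4("10.0.0.12", &negotiated[0]);
    for (size_t i = 0; i < 6; i++) parse_ipv4(prot_str[i], &prot_set[i]);
    hard_policy hp = { negotiated, 1, prot_set, 6 };
    if (!parse_ipv4(src, &pkt.src) || !parse_ipv4(dst, &pkt.dst)) return -1;
    pkt.mode = mode;
    return (int)classify(routes, 1, &hp, &pkt);
}

const char *path_name(int p)
{
    static const char *names[] = { "network card (plain)", "network card (not hard)",
                                   "IPC to user plane core, hardware module" };
    return (p >= 0 && p <= PATH_HARD_IPC) ? names[p] : "malformed address";
}

int main(void)
{
    printf("tunnel, negotiated source:  %s\n", path_name(classify_example("10.0.0.12", "192.168.10.25", MODE_TUNNEL)));
    printf("tunnel, other source:       %s\n", path_name(classify_example("10.0.0.11", "192.168.10.25", MODE_TUNNEL)));
    printf("transport, protected dest:  %s\n", path_name(classify_example("10.0.0.11", "192.168.10.24", MODE_TRANSPORT)));
    printf("outside policy route:       %s\n", path_name(classify_example("10.0.0.11", "192.168.10.40", MODE_TUNNEL)));
    printf("bad address:                %s\n", path_name(classify_example("10.0.0.11", "192.168.10.256", MODE_TUNNEL)));
    return 0;
}
```

The order of the checks matters: the policy route is consulted first, so a transport-mode packet whose destination is in the protected set but outside the policy route never reaches the hardware module, and in tunnel mode only the source address is examined, so a destination in the protected set does not by itself select hard encryption. The parser rejects anything that is not a well-formed dotted quad instead of silently routing it to the plain path.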
  • In this embodiment the network device obtains the first IP packet through the control plane processor core and determines, through that core, that the first IP packet is to be encrypted; if it further determines from the information of the first IP packet that the packet needs hard encryption, the network device assigns a sequence number to the first IP packet through the hardware encryption module and hard-encrypts it to obtain the encrypted first IP packet.
  • The packets to be encrypted are thus examined a second time, and those that need hard encryption are encrypted by the hardware encryption module, that is, only one encryption module encrypts packets in this embodiment. The sequence numbers of the packets are therefore guaranteed, the unpreserved sequence numbers that result from encrypting packets with two encryption modules as in the prior art are avoided, and IP packets are no longer discarded during anti-replay detection, which increases the security of the data.
  • In addition, the method of this embodiment avoids the degradation of system performance caused by soft-encrypting the first IP packet on the control plane processor core, and needs no shared memory or other mutual-exclusion and synchronisation operations between the cores of the multi-core heterogeneous network device, which avoids resource contention and greatly simplifies programming.
  • FIG. 4 is a schematic structural diagram of a network device for IPSec encryption provided by an embodiment.
  • The network device for IPSec encryption provided by the embodiment is used to perform the foregoing method; as shown in FIG. 4,
  • the network device 400 includes a control plane processor core 401, a user plane processor core 402, a hardware encryption module 403 and a network card 404, where:
  • the control plane processor core 401 is configured to acquire a first IP packet;
  • the hardware encryption module 403 is configured to assign a sequence number to the first IP packet and hard-encrypt it to obtain the encrypted first IP packet when the control plane processor core 401 has determined that the first IP packet is a packet to be encrypted and that it needs to be hard-encrypted;
  • the network card 404 is configured to send the encrypted first IP packet.
  • Optionally, the control plane processor core 401 is configured to determine that the first IP packet needs hard encryption when it determines that the first IP packet is in tunnel mode and that its source IP address is an IP address negotiated under the IPSec protocol, and, when it determines that the first IP packet is in transport mode, to obtain the IP address set preset in the cloud server and determine that the first IP packet needs hard encryption if its destination IP address is one of that set.
  • Optionally, the network card 404 is further configured to send the first IP packet when the control plane processor core 401 determines that it does not need hard encryption.
  • Optionally, the network card 404 is further configured to send the first IP packet when the control plane processor core 401 determines that it is not a packet to be encrypted.
  • Optionally, the network device further includes a user plane processor core 402, configured to acquire a second IP packet;
  • the hardware encryption module 403 is further configured to assign a sequence number to the second IP packet and hard-encrypt it to obtain the encrypted second IP packet when the user plane processor core 402 determines that the second IP packet needs hard encryption; and the network card 404 is further configured to send the encrypted second IP packet.
  • Optionally, the control plane processor core 401 is configured to determine a preset security policy route that includes at least one IP address, and to determine that the first IP packet is a packet to be encrypted if its destination IP address belongs to one of the at least one IP address.
  • the network device acquires the first IP packet through the control plane processor core; when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet to be encrypted, and determines, according to the information of the first IP packet, that the first IP packet needs to be hard-encrypted, the network device assigns a sequence number to the first IP packet through the hardware encryption module and performs hard encryption to obtain the encrypted first IP packet.
  • the packets to be encrypted are thus further processed: a packet that needs encryption and needs hard encryption is encrypted by the hardware encryption module, that is, in the embodiment of the present application only one encryption module encrypts the packets.
  • in this way the embodiment of the present application keeps the sequence numbers of the packets in order and avoids the prior-art problem of sequence numbers not being kept in order when packets are encrypted by two encryption modules; it also avoids IP packets being discarded by the anti-replay detection process, which increases data security.
  • the method in the embodiment of the present application avoids the system performance degradation caused by soft-encrypting the first IP packet on the control plane processor core, and the multi-core heterogeneous network device does not need shared memory between its cores or the accompanying mutual-exclusion and synchronization operations, which avoids resource contention and greatly simplifies the programming.
  • the present application provides a network device including at least one processor and a memory communicatively connected to the at least one processor, the memory storing instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform the IPSec protocol encryption method of the above embodiments.
  • FIG. 5 is a schematic structural diagram of a network device provided by the present application.
  • the network device includes a transceiver 501, a processor 502, a memory 503, and a communication interface 504; wherein the transceiver 501, the processor 502, the memory 503, and the communication interface 504 are connected to one another via a bus 505.
  • the memory 503 is used to store programs.
  • the program can include program code, the program code including computer operating instructions.
  • the memory 503 may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD).
  • the memory 503 stores the following elements, executable modules or data structures, or a subset thereof, or an extended set thereof:
  • Operation instructions: include various operation instructions for implementing various operations.
  • Operating system: includes a variety of system programs for implementing various basic services and handling hardware-based tasks.
  • the bus 505 can be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus.
  • the bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in Figure 5, but it does not mean that there is only one bus or one type of bus.
  • the communication interface 504 can be a wired communication access port, a wireless communication interface, or a combination thereof, wherein the wired communication interface can be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface, or a combination thereof.
  • the wireless communication interface can be a WLAN interface.
  • the processor 502 can be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. It can also be a hardware chip.
  • the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the transceiver 501 is configured to obtain a first IP packet, and send the encrypted first IP packet.
  • the processor 502 is configured to read the program in the memory 503 and perform the following method:
  • when the first IP packet is determined to be a first IP packet to be encrypted and the first IP packet needs to be hard-encrypted, assign a sequence number to the first IP packet and perform hard encryption to obtain the encrypted first IP packet;
  • the memory 503 is configured to store one or more executable programs, and may store data used by the processor 502 when performing operations.
  • the processor 502 is configured to: when it determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is an IP address negotiated under the IPSec protocol, determine that the first IP packet needs to be hard-encrypted; and when it determines that the first IP packet is in transport mode, acquire the preset set of protected IP addresses in the cloud server, and when the destination IP address in the first IP packet is one of that IP address set, determine that the first IP packet needs to be hard-encrypted.
  • the transceiver 501 is further configured to: when the processor 502 determines that the first IP packet does not need to be hard-encrypted, send the first IP packet.
  • the transceiver 501 is further configured to: when the processor 502 determines that the first IP packet is a first IP packet that does not need to be encrypted, send the first IP packet.
  • the transceiver 501 is further configured to obtain a second IP packet, and send the encrypted second IP packet.
  • the processor 502 is further configured to: when it determines that the second IP packet needs to be hard-encrypted, assign a sequence number to the second IP packet and perform hard encryption to obtain the encrypted second IP packet.
  • the processor 502 is configured to: determine a preset security policy route, where the security policy route includes at least one IP address; and when the destination IP address in the first IP packet is one of the at least one IP address, determine that the first IP packet is a first IP packet to be encrypted.
  • embodiments of the present application can be provided as a method, system, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the present application also provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the IPSec protocol encryption method described in any of the above embodiments.
  • the present application also provides a computer program product including a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to perform the IPSec protocol encryption method described in any of the above embodiments.
  • Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

Embodiments of the present application relate to the technical field of communications, and in particular to a method for encrypting an Internet protocol security (IPSec) protocol and a network device, for effectively resolving the prior-art problem of being unable to preserve the order of the sequence numbers of IP packets sent by a multi-core heterogeneous network device. The method comprises: a network device acquires a first IP packet by means of a control-plane processor core; when the network device determines, by means of the control-plane processor core, that the first IP packet is a first IP packet to be encrypted, and determines, according to information of the first IP packet, that the first IP packet needs to be hard encrypted, the network device assigns a sequence number to the first IP packet by means of a hardware encryption module and hard encrypts the first IP packet to obtain an encrypted first IP packet; the network device sends the encrypted first IP packet by means of a network interface card. Thus, the present invention effectively resolves the prior-art problem of being unable to preserve the order of the sequence numbers of IP packets sent by a multi-core heterogeneous network device.

Description

Internet protocol security IPSec protocol encryption method and network device
This application claims priority to Chinese patent application No. 201710021178.8, filed with the State Intellectual Property Office of the People's Republic of China on January 11, 2017 and entitled "Internet protocol security IPSec protocol encryption method and network device", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present application relate to the field of communications technologies, and in particular to an Internet protocol security IPSec protocol encryption method and a network device.
Background
Networks are becoming more and more common, and the network security problems that come with them receive much attention; one example is the replay attack suffered by a client: the sender sends an Internet Protocol (IP) packet to the receiver, and if that IP packet is captured by a malicious user, the malicious user repeatedly resends it to the receiver, so that the network application is bombarded with continuously replayed packets. The appearance of the Internet Protocol Security (IPSec) protocol solved this problem. The IPSec protocol defines a Sequence Number (SN) field that records the sequence number of the IP packet, and any sender must guarantee that, under the same set of SA information, the SN of every packet it sends is unique. For example, once the receiver has accepted an IP packet with sequence number 5, when it receives another IP packet with sequence number 5 it refuses the repeated packet.
In the prior art, when a single-core device uses a single forwarding thread, packets are encapsulated and sent serially in sequence, and the sequence numbers of the IPSec-encapsulated packets received by the receiver do not arrive out of order. In multi-core heterogeneous network devices, for example multi-core heterogeneous integrated chips such as Digital Signal Processing (DSP) + Advanced Reduced Instruction Set Computer Machine (ARM), or DSP + a reduced-instruction-set central processor (Performance Optimization With Enhanced RISC-Performance Computing, POWERPC), the DSP is usually used for service processing while a POWERPC or ARM core running the Linux operating system handles the control services; control plane data processed by the POWERPC or ARM core is usually encrypted by a software encryption program running on the central processing unit (CPU) core of the integrated chip, whereas user plane data processed by the DSP core is usually encrypted by a hardware encryption module. Because a multi-core heterogeneous network device processes packets with multiple threads in parallel, and outgoing IP packets are encrypted in different encryption modules, the sequence numbers of the IPSec-encapsulated IP packets received by the receiver easily arrive out of order, so that such an IP packet is easily judged to be a replayed packet and wrongly discarded.
In the prior art, in order to solve the problem that the sequence numbers of IP packets in a multi-core heterogeneous network device are not kept in order, memory shared between the multiple cores of the device is used; however, the extra processing for synchronization and mutual exclusion between the heterogeneous CPUs is very cumbersome and increases the complexity of the program design. Therefore, an IPSec encryption method is urgently needed to effectively solve the prior-art problem that the sequence numbers of IP packets sent by a multi-core heterogeneous network device are not kept in order.
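As an added illustration (not part of the patent), the following Python simulates the receiver-side anti-replay check the background describes and feeds it packets from two sender models: the prior-art device, where the software and hardware encryption paths each keep their own sequence-number counter for the same SA, and the single-counter device the application proposes. The window size, the counters and the transmission order are constructed for the example.

```python
"""Added example, not from the patent: a receiver anti-replay window fed by
two sender models, to show why one sequence-number assigner per SA matters."""


class AntiReplayWindow:
    """Receiver state for one SA: the highest SN accepted plus a bitmap of the
    'size' most recent sequence numbers (the usual sliding-window check)."""

    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => SN (top - i) has already been seen

    def accept(self, sn):
        """Return True if sn is fresh and inside the window; False means the
        packet is treated as a replay (or is too old) and is discarded."""
        if sn <= 0:
            return False
        if sn > self.top:
            # New highest SN: slide the window forward and mark sn as seen.
            shift = sn - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = sn
            return True
        diff = self.top - sn
        if diff >= self.size:
            return False          # older than the window: discard
        if self.bitmap & (1 << diff):
            return False          # duplicate SN: discard as a replay
        self.bitmap |= 1 << diff  # late but fresh: accept and mark
        return True


def two_counter_sender():
    """Prior-art model: control plane packets are soft-encrypted on the CPU
    core and user plane packets hard-encrypted by the hardware module, and
    each path numbers its own packets independently for the same SA."""
    counters = {"control": 0, "user": 0}

    def assign_sn(plane):
        counters[plane] += 1
        return counters[plane]
    return assign_sn


def single_counter_sender():
    """Proposed model: every packet to be encrypted passes through the one
    hardware encryption module, which owns the SA's only SN counter."""
    counter = [0]

    def assign_sn(plane):
        counter[0] += 1
        return counter[0]
    return assign_sn


def simulate(send_order, assign_sn, window_size=64):
    """Send packets in transmission order ('control' or 'user' per entry)
    and return (accepted, discarded) as counted by the receiver."""
    window = AntiReplayWindow(window_size)
    accepted = discarded = 0
    for plane in send_order:
        if window.accept(assign_sn(plane)):
            accepted += 1
        else:
            discarded += 1
    return accepted, discarded


# Constructed transmission order: control plane and user plane packets
# interleaved, as the two cores of the heterogeneous device would emit them.
SEND_ORDER = ["control", "user", "user", "control", "user", "control"]

if __name__ == "__main__":
    print("two counters:", simulate(SEND_ORDER, two_counter_sender()))
    print("one counter :", simulate(SEND_ORDER, single_counter_sender()))
```

With two counters the second path's packets reuse sequence numbers the receiver has already seen, so half of the constructed stream is dropped as replays; with the single hardware counter every packet is accepted.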
Summary of the invention
The embodiments of the present application provide an Internet protocol security IPSec protocol encryption method and a network device, for effectively solving the prior-art problem that the sequence numbers of IP packets sent by a multi-core heterogeneous network device cannot be kept in order.
In a first aspect, an embodiment of the present application provides an Internet protocol security IPSec protocol encryption method, applicable to a multi-core heterogeneous network device that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data. The method includes: the network device acquires a first IP packet through the control plane processor core; when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet that needs to be encrypted, and the network device determines, according to the information of the first IP packet, that the first IP packet needs to be hard-encrypted, the network device assigns a sequence number to the first IP packet through a hardware encryption module and performs hard encryption to obtain an encrypted first IP packet; and the network device sends the encrypted first IP packet through a network card.
In a second aspect, an embodiment of the present application provides a network device for Internet protocol security IPSec protocol encryption, including at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data. The network device includes: a control plane processor core, configured to acquire a first IP packet; a hardware encryption module, configured to, when the control plane processor core determines that the first IP packet is a first IP packet that needs to be encrypted and the control plane processor core determines that the first IP packet needs to be hard-encrypted, assign a sequence number to the first IP packet and perform hard encryption to obtain an encrypted first IP packet; and a network card, configured to send the encrypted first IP packet.
In a third aspect, an embodiment of the present application provides a network device, including:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to perform any of the IPSec protocol encryption methods of the first aspect.
In a fourth aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium storing computer instructions, the computer instructions being used to cause a computer to perform the method of the first aspect or of any possible implementation of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product, including a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect or of any possible implementation of the first aspect.
In the embodiments of the present application, the network device acquires the first IP packet through the control plane processor core; when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet that needs to be encrypted, and determines, according to the information of the first IP packet, that the first IP packet needs to be hard-encrypted, the network device assigns a sequence number to the first IP packet through the hardware encryption module, performs hard encryption to obtain the encrypted first IP packet, and sends the encrypted first IP packet through the network card. It can be seen that the embodiments of the present application further process the packets that need encryption: a packet that needs encryption and needs hard encryption is encrypted by the hardware encryption module, that is, packets are encrypted by only one encryption module. In this way the embodiments of the present application keep the sequence numbers of the packets in order and avoid the prior-art problem of sequence numbers not being kept in order when packets are encrypted by two encryption modules.
Brief description of the drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below.
FIG. 1 is a schematic architectural diagram of an Internet protocol security IPSec protocol encryption system provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of an Internet protocol security IPSec protocol encryption method provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of another Internet protocol security IPSec protocol encryption method provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a network device for Internet protocol security IPSec protocol encryption provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a network device provided by an embodiment of the present application.
Detailed description
In order to make the objectives, technical solutions and beneficial effects of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
FIG. 1 exemplarily shows a schematic architectural diagram of an Internet protocol security IPSec protocol encryption system to which the embodiments of the present application apply. The system architecture is applicable to a multi-core heterogeneous network device that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data. As shown in FIG. 1, the system architecture 100 includes a control plane processor core 110, a user plane processor core 120, a hardware encryption module 130 and a network card 140. The control plane processor core 110 includes a network protocol stack 111 and a network card driver 112, and the network protocol stack 111 is connected to the network card driver 112. Optionally, the control plane processor core 110 may be connected to the user plane processor core 120 and may also be connected to the network card 140; further, the control plane processor core 110 may be connected to the user plane processor core 120 through the network card driver 112 and may also be connected to the network card 140 through the network card driver 112. Optionally, the user plane processor core 120 is connected to the hardware encryption module 130 and may also be connected to the network card 140; the hardware encryption module 130 is connected to the network card 140. The control plane processor core 110 is used to process control plane data, and the user plane processor core 120 is used to process user plane data. Optionally, the control plane processor core 110 may be a POWERPC core or an ARM core; optionally, the user plane processor core 120 may be a DSP core.
In the embodiments of the present application, on the one hand, the network protocol stack 111 in the control plane processor core 110 processes control plane data to obtain a first IP packet, the network card driver 112 determines whether the first IP packet needs to be encrypted, a first IP packet that needs encryption is sent to the user plane processor core 120 through inter-core communication technology and then sent by the user plane processor core 120 to the hardware encryption module 130 for encryption and sequence number assignment, and the encrypted first IP packet is then sent out through the network card 140. On the other hand, a second IP packet obtained by the user plane processor core 120 from processing user plane data is sent to the hardware encryption module 130 for encryption and sequence number assignment, and the encrypted packet is then sent out through the network card 140.
FIG. 2 exemplarily shows a schematic flowchart of an Internet protocol security IPSec protocol encryption method provided by an embodiment of the present application.
Based on the system architecture shown in FIG. 1, as shown in FIG. 2, the Internet protocol security IPSec protocol encryption method provided by an embodiment of the present application is applicable to a multi-core heterogeneous network device that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data, and includes the following steps:
Step S201: the network device acquires a first IP packet through the control plane processor core;
Step S202: when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet that needs to be encrypted, and the network device determines, according to the information of the first IP packet, that the first IP packet needs to be hard-encrypted, the network device assigns a sequence number to the first IP packet through the hardware encryption module and performs hard encryption to obtain an encrypted first IP packet;
Step S203: the network device sends the encrypted first IP packet through the network card.
Based on the above embodiment, in step S201, optionally, the first IP packet may be an IP packet obtained by encapsulating the control plane data processed by the control plane processor core.
Based on the above embodiment, in step S202, optionally, the information of the first IP packet includes the source IP address and the destination IP address in the packet. Optionally, the control plane processor core may be a core running the Linux operating system. There are many ways to determine whether the first IP packet needs to be encrypted; one optional way is for the network protocol stack in the control plane processor core to determine whether the first IP packet needs to be encrypted. After determining whether the first IP packet needs to be encrypted, the first IP packet is sent to the network card driver, and the network card driver judges whether the IP packet that needs encryption also needs hard encryption. When the first IP packet needs hard encryption, the first IP packet that needs hard encryption is sent to the user plane processor core through inter-processor communication (IPC) technology, and the hardware encryption module then assigns a sequence number to the first IP packet and performs hard encryption.
Based on the above embodiment, in step S203, the hardware encryption module sends the encrypted first IP packet out through the network card.
In the embodiments of the present application, the network device acquires the first IP packet through the control plane processor core; when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet that needs to be encrypted, and determines, according to the information of the first IP packet, that the first IP packet needs to be hard-encrypted, the network device assigns a sequence number to the first IP packet through the hardware encryption module, performs hard encryption to obtain the encrypted first IP packet, and sends the encrypted first IP packet through the network card. It can be seen that the embodiments of the present application further process the packets that need encryption: a packet that needs encryption and needs hard encryption is encrypted by the hardware encryption module, that is, packets are encrypted by only one encryption module. In this way the embodiments of the present application keep the sequence numbers of the packets in order and avoid the prior-art problem of sequence numbers not being kept in order when packets are encrypted by two encryption modules.
可选地,网络设备根据第一IP报文的信息确定第一IP报文需进行硬加密,需要满足以下两种情况中的任一种:第一种,网络设备在确定第一IP报文为隧道模式的情况下,且确定第一IP报文中的源IP地址为基于IPSec协议进行协商的IP地址,则确定第一IP报文需进行硬加密;第二种,网络设备在确定第一IP报文为传输模式的情况下,获取云端服务器中预设的处于保护状态的 IP地址集合,在确定第一IP报文中的目的IP地址为IP地址集合中的一个的情况下,确定第一IP报文需进行硬加密。Optionally, the network device determines that the first IP packet needs to be hard-encrypted according to the information of the first IP packet, and needs to meet any one of the following two conditions: First, the network device determines the first IP packet. In the case of the tunnel mode, and determining that the source IP address in the first IP packet is an IP address negotiated based on the IPSec protocol, the first IP packet needs to be hard-encrypted; If the IP packet is in the transmission mode, the IP address set in the protected state is obtained, and the destination IP address in the first IP packet is determined to be one of the IP address sets. The first IP packet needs to be hard encrypted.
本申请实施例中,可选地,第一IP报文的信息包括:报文中的源IP地址和目的IP地址;举个例子,两个网络设备分别为客户端和云端服务器,其中,客户端的IP地址为IP 11,云端服务器的IP地址为IP 21,客户端和云端服务器开始通信之前,先建立IPSec链路进行收发报文,以客户端向云端服务器发送第一IP报文为例: In the embodiment of the present application, the information of the first IP packet includes: a source IP address and a destination IP address in the packet. For example, the two network devices are respectively a client and a cloud server, where the client The IP address of the IP address is IP 11 and the IP address of the cloud server is IP 21. Before the client and the cloud server start to communicate, the IPSec link is set up to send and receive packets. The client sends the first IP packet to the cloud server as an example:
针对上述实施例中的第一种情况:在隧道模式的情况下,客户端和云端服务器之间建立IPSec隧道,并基于IPSec协议协商发送报文的IP地址,客户端基于IPSec协议的协商IP地址为IP 12,云端服务器基于IPSec协议的协商IP地址为IP 22,在客户端向云端服务器发送需要加密的第一IP报文时,将第一报文中源IP地址设为IP 12;客户端在确定第一报文中的源IP地址为IP 12,则确定第一IP报文需进行硬加密。 For the first case in the foregoing embodiment, in the case of the tunnel mode, an IPSec tunnel is established between the client and the cloud server, and the IP address of the packet is negotiated based on the IPSec protocol, and the client negotiates the IP address based on the IPSec protocol. For the IP 12 , the IP address of the cloud server based on the IPSec protocol is IP 22. When the client sends the first IP packet to be encrypted to the cloud server, the source IP address of the first packet is set to IP 12 ; After determining that the source IP address in the first packet is IP 12 , it is determined that the first IP packet needs to be hard encrypted.
针对上述实施例中的第二种情况:在传输模式的情况下,客户端和云端服务器之间建立IPSec链路,云端服务器中预设了处于保护状态的IP地址集合:IP 31、IP 32、IP 33、IP 34、IP 35、IP 36,IP地址集合中每个IP地址对应一个网络设备;客户端和IP地址集合中的一个网络设备进行通信,首先获取IP地址集合,在客户端向云端服务器发送需要加密的第一IP报文时,例如,将客户端的网络协议栈将第一IP报文中的目的IP地址设为IP 34,则客户端中的网卡驱动确定第一IP报文中的目的IP地址IP 34在IP地址集合:IP 31、IP 32、IP 33、IP 34、IP 35、IP 36中,则确定第一IP报文需进行硬加密。 For the second case in the foregoing embodiment, in the case of the transmission mode, an IPSec link is established between the client and the cloud server, and the set of IP addresses in the protected state is preset in the cloud server: IP 31 , IP 32 , IP 33 , IP 34 , IP 35 , IP 36 , each IP address in the IP address set corresponds to one network device; the client and one network device in the IP address set communicate, first obtain the IP address set, and the client is in the cloud When the server sends the first IP packet to be encrypted, for example, the network protocol stack of the client sets the destination IP address in the first IP packet to IP 34 , and the network card driver in the client determines the first IP packet. The destination IP address IP 34 in the IP address set: IP 31 , IP 32 , IP 33 , IP 34 , IP 35 , IP 36 , determines that the first IP packet needs to be hard encrypted.
可选地,网络设备在确定第一IP报文不需进行硬加密包括两种情况:第一种情况,网络设备在确定第一IP报文为隧道模式的情况下,且确定第一IP报文中的源IP地址不为基于IPSec协议进行协商的IP地址,确定第一IP报文不需要进行硬加密;第二种情况,网络设备在确定第一IP报文为传输模式的情况下,获取云端服务器中预设的处于保护状态的IP地址集合,在确定第一IP报文中的目的IP地址不为IP地址集合中的任一个的情况下,确定第一 IP报文不需要进行硬加密。Optionally, the determining, by the network device, that the first IP packet does not need to be hard-encrypted includes two cases: in the first case, the network device determines that the first IP packet is in the tunnel mode, and determines the first IP packet. The source IP address in the text is not the IP address negotiated based on the IPSec protocol, and the first IP packet is not required to be hard-encrypted. In the second case, the network device determines that the first IP packet is in the transmission mode. Obtaining the preset IP address set in the cloud server. If the destination IP address in the first IP packet is not in the IP address set, the first IP packet does not need to be hard. encryption.
本申请实施例中,可选地,可通过网卡驱动对第一IP报文的信息进行确定,进而确定第一IP报文是否需要硬加密,如此,可以有效确定出需要硬加密的IP报文,并发送至硬件加密模块进行加密,进而避免了第一IP报文直接在控制面处理器核上进行软加密带来的发送报文序列号不保序的问题。In the embodiment of the present application, optionally, the information about the first IP packet is determined by the network card driver, and then the first IP packet needs to be hard-encrypted. Therefore, the IP packet that needs to be hard-encrypted can be effectively determined. And sent to the hardware encryption module for encryption, thereby avoiding the problem that the serial number of the transmitted message caused by the soft encryption of the first IP packet directly on the control plane processor core is not preserved.
可选地,网络设备通过控制面处理器核获取第一IP报文之后,还包括:网络设备在通过控制面处理器核确定第一IP报文为不需进行加密的第一IP报文的情况下:网络设备通过网卡发送第一IP报文。可选地,控制面处理器核确定第一IP报文为不需进行加密的第一IP报文时,通过普通IP报文的发送接口将第一IP报文发送至网卡驱动;如此,不需要进行加密的IP报文直接通过网卡发送出去,避免了将不需要加密的第一IP报文发送至网卡驱动造成的资源浪费。Optionally, after the network device obtains the first IP packet by using the control plane processor core, the method further includes: the network device determining, by the control plane processor core, that the first IP packet is the first IP packet that is not required to be encrypted. In case: the network device sends the first IP packet through the network card. Optionally, when the control plane processor determines that the first IP packet is the first IP packet that is not to be encrypted, the first IP packet is sent to the network card driver through the sending interface of the common IP packet; The IP packets that need to be encrypted are directly sent out through the network card, which avoids wasting resources caused by sending the first IP packet that does not need to be encrypted to the network card driver.
可选地,网络设备在确定第一IP报文为需进行加密的第一IP报文的情况之后,还包括:网络设备在根据第一IP报文的信息确定第一IP报文不需进行硬加密的情况下:网络设备通过网卡发送第一IP报文。可选地,可通过网卡驱动确定第一IP报文是否需要进行硬加密,将不需要进行硬加密的第一IP报文直接发送至网卡,如此,避免了将不需要进行硬加密的第一IP报文发送至用户面处理器核而造成的资源浪费。Optionally, after determining that the first IP packet is the first IP packet to be encrypted, the network device further includes: determining, by the network device, that the first IP packet is not required according to the information of the first IP packet In the case of hard encryption: the network device sends the first IP packet through the network card. Optionally, the network card driver can determine whether the first IP packet needs to be hard-encrypted, and the first IP packet that does not need to be hard-encrypted is directly sent to the network card, thus avoiding the first step that does not require hard encryption. The waste of resources caused by the sending of IP packets to the user plane processor core.
可选地,英特网协议安全IPSec协议加密方法还包括:网络设备通过用户面处理器核获取第二IP报文;网络设备在根据第二IP报文的信息确定第二IP报文需进行硬加密的情况下:网络设备通过硬件加密模块为第二IP报文分配序列号,并进行硬加密,得到加密后第二IP报文;网络设备通过网卡发送加密后第二IP报文。Optionally, the method for encrypting the Internet protocol security IPSec protocol further includes: the network device acquiring the second IP packet by using the user plane processor core; and determining, by the network device, the second IP packet according to the information of the second IP packet In the case of hard encryption, the network device assigns a serial number to the second IP packet through the hardware encryption module, and performs hard encryption to obtain the encrypted second IP packet; the network device sends the encrypted second IP packet through the network card.
本申请实施例中,可选地,用户面处理器核处理的用户面数据得到第二IP报文;在第二IP报文需要硬加密的情况下,将需要硬加密的第二IP报文发送至硬件加密模块进行硬加密;在第二IP报文不需要硬加密的情况下,将第二IP报文通过网卡发送出去;因此,控制面处理器核的需要硬加密的第一 IP报文和用户面处理器核的需要加密的第二IP报文都发送至硬件加密模块进行加密,如此,多核异构网络设备向外发送的加密IP报文都通过硬件加密模块分配序列号并进行硬加密,一方面,避免了多核异构网络设备中多线程并行加密IP报文导致的序列号不保序的问题;另一方面,多核异构网络设备中多核之间不需要做任何共享内存或其他互斥、同步操作,避免了资源互斥问题。In the embodiment of the present application, optionally, the user plane data processed by the user plane processor core obtains the second IP packet; if the second IP packet needs to be hard encrypted, the second IP packet to be hard encrypted is required. Sending to the hardware encryption module for hard encryption; if the second IP packet does not require hard encryption, sending the second IP packet through the network card; therefore, the first IP packet of the control plane processor core that needs to be hard encrypted The second IP packet to be encrypted and sent by the user plane processor core is sent to the hardware encryption module for encryption. Thus, the encrypted IP packet sent by the multi-core heterogeneous network device is assigned a serial number through the hardware encryption module. Hard encryption, on the one hand, avoids the problem that the serial number is not preserved due to multi-thread parallel encryption IP packets in multi-core heterogeneous network devices; on the other hand, there is no need to do any shared memory between multiple cores in a multi-core heterogeneous network device. Or other mutually exclusive, synchronous operations, to avoid resource mutual exclusion issues.
可选地,通过控制面处理器核确定第一IP报文为需进行加密的第一IP报文,包括:网络设备确定出预设的安全策略路由;其中,安全策略路由中包括至少一个IP地址;网络设备在确定第一IP报文中的目的IP地址属于至少一个IP地址中的一个的情况下,确定第一IP报文为需进行加密的第一IP报文。Optionally, the first IP packet is determined by the control plane processor to be the first IP packet to be encrypted, and the network device determines a preset security policy route, where the security policy route includes at least one IP address. And determining, by the network device, that the first IP packet is the first IP packet to be encrypted, if the destination IP address in the first IP packet belongs to one of the at least one IP address.
可选地,控制面处理器核包括Linux操作系统的网络协议栈;本申请通过对网络协议栈进行修改,确定需要加密的第一IP报文;可选地,网络协议栈预设安全策略路由包括至少一个IP地址对应的安全策略路由;例如,预设安全策略路由中,IP地址为192.168.10.15到192.168.10.30对应一个安全路由,若第一IP报文中的目的IP地址为192.168.10.25,则网络协议栈根据安全策略路由找到IP地址为192.168.10.25对应的安全路由,则确定该第一IP报文为需进行加密的第一IP报文。如此,网络设备通过控制面处理器可以确定第一IP报文是否需要加密,进而将需要加密的报文发送至网卡驱动,进而避免了将需要加密的第一IP报文在控制面处理器核进行软加密,进而避免CPU消耗过多资源进行软加密,达到了提升了系统性能的效果。Optionally, the control plane processor core includes a network protocol stack of a Linux operating system; the application determines the first IP packet to be encrypted by modifying the network protocol stack; optionally, the network protocol stack preset security policy routing The security policy route includes at least one IP address. For example, in the preset security policy route, the IP address is 192.168.10.15 to 192.168.10.30 corresponding to a secure route. If the destination IP address in the first IP packet is 192.168.10.25 Then, the network protocol stack finds the secure route corresponding to the IP address of 192.168.10.25 according to the security policy route, and determines that the first IP packet is the first IP packet to be encrypted. In this way, the network device can determine whether the first IP packet needs to be encrypted through the control plane processor, and then send the packet to be encrypted to the network card driver, thereby avoiding the first IP packet to be encrypted on the control plane processor core. Soft encryption is performed to prevent the CPU from consuming too many resources for soft encryption, which improves the performance of the system.
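As an added example (not code from the patent), the security policy route lookup of the protocol stack and the two hard-encryption conditions checked by the network card driver, modelled in Python. The concrete addresses standing in for IP 12 and IP 31 to IP 36, the second policy route range and all function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

IPv4 = ipaddress.IPv4Address

# Preset security policy routes of the control-plane protocol stack, as
# (first, last) inclusive address ranges.  The first range is the one the
# patent text uses; the second is constructed so that the transport-mode
# example below also matches a policy route.
SECURITY_POLICY_ROUTES: List[Tuple[IPv4, IPv4]] = [
    (IPv4("192.168.10.15"), IPv4("192.168.10.30")),
    (IPv4("192.168.10.31"), IPv4("192.168.10.40")),   # constructed
]

# Client address negotiated under IPSec for tunnel mode ("IP 12" in the
# text); constructed value.
NEGOTIATED_TUNNEL_SOURCE: IPv4 = IPv4("10.0.0.12")

# Set of protected addresses preset in the cloud server ("IP 31" .. "IP 36");
# constructed values.
PROTECTED_ADDRESSES: Set[IPv4] = {IPv4(f"192.168.10.{n}") for n in range(31, 37)}


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    mode: str          # "tunnel" or "transport"


def needs_encryption(pkt: IPPacket) -> bool:
    """Protocol-stack check (the xfrm_lookup step of the text): does the
    destination address fall inside any preset security policy route?"""
    dst = IPv4(pkt.dst)
    return any(first <= dst <= last for first, last in SECURITY_POLICY_ROUTES)


def needs_hard_encryption(pkt: IPPacket) -> bool:
    """Network-card-driver check: tunnel mode requires the negotiated source
    address; transport mode requires a destination in the protected set."""
    if pkt.mode == "tunnel":
        return IPv4(pkt.src) == NEGOTIATED_TUNNEL_SOURCE
    if pkt.mode == "transport":
        return IPv4(pkt.dst) in PROTECTED_ADDRESSES
    raise ValueError(f"unknown IPSec mode: {pkt.mode!r}")


def dispatch(pkt: IPPacket) -> str:
    """Where the control-plane core hands the packet next.

    "network_card": the packet goes out through the network card driver
    (no encryption needed, or encryption needed but not hard encryption).
    "hardware": the packet is passed to the user-plane core and the
    hardware encryption module for sequence numbering and hard encryption.
    """
    if needs_encryption(pkt) and needs_hard_encryption(pkt):
        return "hardware"
    return "network_card"


if __name__ == "__main__":
    samples = [                                           # constructed packets
        IPPacket("10.0.0.12", "192.168.10.25", "tunnel"),
        IPPacket("10.0.0.11", "192.168.10.25", "tunnel"),
        IPPacket("10.0.0.11", "192.168.10.34", "transport"),
        IPPacket("10.0.0.11", "192.168.10.50", "transport"),
    ]
    for pkt in samples:
        print(pkt, "->", dispatch(pkt))
```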
Optionally, the present application provides an optional method for hard-encrypting the first IP packet on the control plane processor core, taking an ARM core as the control plane processor core and a DSP core as the user plane processor core by way of example. An xfrm_lookup function is set up in the network protocol stack of the ARM core; this xfrm_lookup function identifies packets that need IPSec encryption and encapsulation and returns the sending interface that the first IP packet should use. For example, when the network protocol stack sends the first IP packet and the xfrm_lookup function finds a security policy corresponding to the IP address in the first IP packet, the first IP packet is determined to need encryption and is sent to the network card driver through the ordinary IP packet sending interface. The network card driver determines whether the first IP packet needs hard encryption; if so, the first IP packet is sent to the DSP core by IPC. The DSP core sends the first IP packet to the hardware encryption module, which assigns a sequence number and hard-encrypts it. At the same time, for second IP packets processed on the DSP core that need hard encryption, the DSP core also sends them to the hardware encryption module to be assigned sequence numbers and hard-encrypted. This guarantees that every IP packet sent out by the multi-core heterogeneous network device has its sequence number assigned, and is hard-encrypted, by the hardware encryption module, achieving the effect of single-threaded encryption of IP packets on a multi-core heterogeneous network device, so that the sequence numbers of hard-encrypted IP packets increase in order and packets are not discarded by the peer's anti-replay mechanism.
To describe the above method flow more clearly, the embodiments of the present application provide the following example.
FIG. 3 is a schematic flowchart of another Internet Protocol Security (IPSec) protocol encryption method provided by an embodiment of the present application, based on the system architecture shown in FIG. 1. As shown in FIG. 3, this further IPSec protocol encryption method applies to a multi-core heterogeneous network device that includes at least one control plane processor core for processing control plane data and at least one user plane processor core for processing user plane data, and includes the following steps:
Step S301: the network device obtains a first IP packet through the control plane processor core;
Step S302: the network device determines on the control plane processor core whether the destination IP address in the first IP packet belongs to one of the at least one IP address in the preset security policy route; if yes, step S303 is performed; if not, step S313 is performed;
Step S303: the network device determines through the network protocol stack that the first IP packet is a first IP packet that needs encryption;
Step S304: the network device determines through the network card driver whether the first IP packet is in tunnel mode or transport mode; for tunnel mode, step S305 is performed; for transport mode, step S306 is performed;
Step S305: the network device determines through the network card driver whether the source IP address in the first IP packet is an IP address negotiated under the IPSec protocol; if yes, step S307 is performed; if not, step S313 is performed;
Step S306: the network device obtains the set of protected IP addresses preset in the cloud server and determines whether the destination IP address in the first IP packet is one of the set; if yes, step S307 is performed; if not, step S313 is performed;
Step S307: the network device determines that the first IP packet needs hard encryption;
Step S308: the first IP packet is sent to the user plane processor core through the network card driver in the control plane processor core;
Step S309: the network device obtains a second IP packet through the user plane processor core;
Step S310: the network device determines from the information of the second IP packet whether it needs hard encryption; if yes, step S311 is performed; if not, step S314 is performed;
Step S311: the network device sends the first IP packet and the second IP packet to the hardware encryption module through the user plane processor core;
Step S312: the network device assigns sequence numbers to the first IP packet and the second IP packet through the hardware encryption module and hard-encrypts each, obtaining the encrypted first IP packet and the encrypted second IP packet;
Step S313: the first IP packet is sent to the network card through the network card driver;
Step S314: the network device sends the first IP packet and the encrypted second IP packet out through the network card.
It can be seen from the above that the network device obtains the first IP packet through the control plane processor core; when the network device determines through the control plane processor core that the first IP packet is a first IP packet that needs encryption, and determines from the information of the first IP packet that it needs hard encryption, the network device assigns a sequence number to the first IP packet through the hardware encryption module and hard-encrypts it to obtain the encrypted first IP packet, and sends the encrypted first IP packet through the network card; moreover, second IP packets processed by the user plane processor core are also passed to the hardware encryption module for sequence number assignment and are hard-encrypted in the same way. Thus in this embodiment packets that need encryption are processed further, and packets that need encryption and need hard encryption are encrypted by the hardware encryption module; that is, packets are encrypted by only one encryption module. This keeps packet sequence numbers in order, avoiding the out-of-order sequence numbers that result in the prior art from encrypting packets with two encryption modules, and it avoids IP packets being discarded during anti-replay checking, increasing data security. Further, the method of this embodiment avoids the degradation of system performance caused by soft-encrypting the first IP packet on the control plane processor core, and the cores of the multi-core heterogeneous network device need no shared memory or other mutual-exclusion or synchronization operations between them, avoiding resource contention and greatly simplifying the program design.
FIG. 4 is a schematic structural diagram of a network device for Internet Protocol Security (IPSec) protocol encryption provided by an embodiment of the present application.
Based on the same concept, an embodiment of the present application provides a network device for IPSec protocol encryption that performs the above method flow. As shown in FIG. 4, the network device 400 for IPSec protocol encryption includes a control plane processor core 401, a hardware encryption module 403 and a network card 404, and further includes a user plane processor core 402, where:
the control plane processor core 401 is configured to obtain a first IP packet;
the hardware encryption module 403 is configured to, when the control plane processor core 401 determines that the first IP packet is a first IP packet that needs encryption and determines that the first IP packet needs hard encryption, assign a sequence number to the first IP packet and hard-encrypt it to obtain the encrypted first IP packet;
the network card 404 is configured to send the encrypted first IP packet.
Optionally, the control plane processor core 401 is configured to: when it determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is an IP address negotiated under the IPSec protocol, determine that the first IP packet needs hard encryption; when it determines that the first IP packet is in transport mode, obtain the set of protected IP addresses preset in the cloud server and, on determining that the destination IP address in the first IP packet is one of the set, determine that the first IP packet needs hard encryption.
Optionally, the network card 404 is further configured to send the first IP packet when the control plane processor core 401 determines that the first IP packet does not need hard encryption.
Optionally, the network card 404 is further configured so that, when the control plane processor core 401 determines that the first IP packet is a first IP packet that does not need encryption, the network device sends the first IP packet through the network card 404.
Optionally, the network device further includes a user plane processor core 402 configured to obtain a second IP packet;
the hardware encryption module 403 is further configured to, when the user plane processor core 402 determines that the second IP packet needs hard encryption, assign a sequence number to the second IP packet and hard-encrypt it to obtain the encrypted second IP packet; the network card 404 is further configured to send the encrypted second IP packet.
Optionally, the control plane processor core 401 is configured to determine a preset security policy route, where the security policy route includes at least one IP address, and, on determining that the destination IP address in the first IP packet belongs to one of the at least one IP address, to determine that the first IP packet is a first IP packet that needs encryption.
It can be seen from the above that the network device obtains the first IP packet through the control plane processor core; when the network device determines through the control plane processor core that the first IP packet is a first IP packet that needs encryption, and determines from the information of the first IP packet that it needs hard encryption, the network device assigns a sequence number to the first IP packet through the hardware encryption module and hard-encrypts it to obtain the encrypted first IP packet, and sends the encrypted first IP packet through the network card; moreover, second IP packets processed by the user plane processor core are also passed to the hardware encryption module for sequence number assignment and are hard-encrypted in the same way. Thus in this embodiment packets that need encryption are processed further, and packets that need encryption and need hard encryption are encrypted by the hardware encryption module; that is, packets are encrypted by only one encryption module. This keeps packet sequence numbers in order, avoiding the out-of-order sequence numbers that result in the prior art from encrypting packets with two encryption modules, and it avoids IP packets being discarded during anti-replay checking, increasing data security. Further, the method of this embodiment avoids the degradation of system performance caused by soft-encrypting the first IP packet on the control plane processor core, and the cores of the multi-core heterogeneous network device need no shared memory or other mutual-exclusion or synchronization operations between them, avoiding resource contention and greatly simplifying the program design.
It should be understood that the above division into units is merely a division of logical functions; in an actual implementation they may be integrated, wholly or in part, into one physical entity, or may be physically separate.
Based on the same concept, the present application provides a network device that includes at least one processor and a memory communicatively connected to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the IPSec protocol encryption method of the above embodiments.
Taking one processor as an example, FIG. 5 is a schematic structural diagram of a network device provided by the present application.
The network device includes a transceiver 501, a processor 502, a memory 503 and a communication interface 504, which are connected to one another through a bus 505.
The memory 503 is used to store programs. Specifically, a program may include program code, and the program code includes computer operating instructions. The memory 503 may be a volatile memory, for example a random-access memory (RAM); it may also be a non-volatile memory, for example a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); it may also be a combination of any one or more of the above volatile and non-volatile memories.
The memory 503 stores the following elements, executable modules or data structures, or a subset or an extended set of them:
Operating instructions: including various operating instructions used to implement various operations.
Operating system: including various system programs used to implement various basic services and to handle hardware-based tasks.
The bus 505 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation only one thick line is drawn in FIG. 5, but this does not mean that there is only one bus or one type of bus.
The communication interface 504 may be a wired communication interface, a wireless communication interface or a combination of the two, where the wired communication interface may for example be an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface or a combination of the two. The wireless communication interface may be a WLAN interface.
The processor 502 may be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP. It may also be a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of these. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination of these.
The transceiver 501 is configured to obtain a first IP packet and to send the encrypted first IP packet;
the processor 502 is configured to read the program in the memory 503 and perform the following method:
when the first IP packet is determined to be a first IP packet that needs encryption, and the first IP packet is determined to need hard encryption, assign a sequence number to the first IP packet and hard-encrypt it to obtain the encrypted first IP packet;
the memory 503 is configured to store one or more executable programs and may store data used by the processor 502 when performing operations.
Optionally, the processor 502 is configured to: when it determines that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is an IP address negotiated under the IPSec protocol, determine that the first IP packet needs hard encryption; when it determines that the first IP packet is in transport mode, obtain the set of protected IP addresses preset in the cloud server and, on determining that the destination IP address in the first IP packet is one of the set, determine that the first IP packet needs hard encryption.
Optionally, the transceiver 501 is further configured to send the first IP packet when the processor 502 determines that the first IP packet does not need hard encryption.
Optionally, the transceiver 501 is further configured to send the first IP packet when the processor 502 determines that the first IP packet is a first IP packet that does not need encryption.
Optionally, the transceiver 501 is further configured to obtain a second IP packet and to send the encrypted second IP packet; the processor 502 is further configured to, when it determines that the second IP packet needs hard encryption, assign a sequence number to the second IP packet and hard-encrypt it to obtain the encrypted second IP packet.
可选的,所述处理器502,用于:确定出预设的安全策略路由;其中,所述安全策略路由中包括至少一个IP地址;在确定所述第一IP报文中的目的IP地址属于所述至少一个IP地址中的一个的情况下,确定所述第一IP报文为需进行加密的第一IP报文。Optionally, the processor 502 is configured to: determine a preset security policy route, where the security policy route includes at least one IP address; and determine a destination IP address in the first IP packet. In the case of one of the at least one IP address, the first IP packet is determined to be the first IP packet to be encrypted.
本领域内的技术人员应明白,本申请实施例可提供为方法、系统、或计算机程序产品。因此,本申请实施例可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请实施例可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art will appreciate that embodiments of the present application can be provided as a method, system, or computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, embodiments of the present application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
另外,本申请还提供一种非暂态计算机可读存储介质,所述非暂态计算机可读存储介质存储计算机指令,所述计算机指令用于使所述计算机执行上述任一项所述的IPSec协议加密方法。In addition, the present application also provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the IPSec described in any of the above Protocol encryption method.
另外,本申请还提供一种计算机程序产品,所述计算机程序产品包括存储在非暂态计算机可读存储介质上的计算程序,所述计算机程序包括程序指令,当所述程序指令被计算机执行时,使所述计算机执行上述任一项所述的IPSec协议加密方法。In addition, the present application also provides a computer program product comprising a computing program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions, when the program instructions are executed by a computer And causing the computer to perform the IPSec protocol encryption method described in any of the above.
本申请实施例是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用 计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG. These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine for the execution of instructions for execution by a processor of a computer or other programmable data processing device. Means for implementing the functions specified in one or more of the flow or in a block or blocks of the flow chart.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device. The apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on a computer or other programmable device to produce computer-implemented processing for execution on a computer or other programmable device. The instructions provide steps for implementing the functions specified in one or more of the flow or in a block or blocks of a flow diagram.
显然,本领域的技术人员可以对本申请实施例进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请实施例的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。It is apparent that those skilled in the art can make various modifications and variations to the embodiments of the present application without departing from the spirit and scope of the application. Thus, it is intended that the present invention cover the modifications and variations of the embodiments of the present invention.

Claims (15)

  1. An Internet Protocol Security (IPSec) protocol encryption method, characterized in that it is applicable to a multi-core heterogeneous network device including at least one control plane processor core that processes control plane data and at least one user plane processor core that processes user plane data, the method comprising:
    the network device obtaining a first IP packet through the control plane processor core;
    when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet that needs to be encrypted:
    when the network device determines, according to information of the first IP packet, that the first IP packet needs to be hard-encrypted:
    the network device allocating, through the hardware encryption module, a sequence number to the first IP packet and performing hard encryption to obtain the encrypted first IP packet;
    the network device sending the encrypted first IP packet through a network card.
  2. The method according to claim 1, characterized in that the network device determining, according to the information of the first IP packet, that the first IP packet needs to be hard-encrypted comprises:
    when the network device determines that the first IP packet is in tunnel mode and determines that the source IP address in the first IP packet is an IP address negotiated based on the IPSec protocol, determining that the first IP packet needs to be hard-encrypted;
    when the network device determines that the first IP packet is in transport mode, obtaining the preset set of protected IP addresses from the cloud server, and when it determines that the destination IP address in the first IP packet is one of the addresses in that set, determining that the first IP packet needs to be hard-encrypted.
  3. The method according to claim 1, characterized in that, after the network device determines that the first IP packet is a first IP packet that needs to be encrypted, the method further comprises:
    when the network device determines, according to the information of the first IP packet, that the first IP packet does not need to be hard-encrypted:
    the network device sending the first IP packet through the network card.
  4. The method according to claim 1, characterized in that, after the network device obtains the first IP packet through the control plane processor core, the method further comprises:
    when the network device determines, through the control plane processor core, that the first IP packet is a first IP packet that does not need to be encrypted:
    the network device sending the first IP packet through the network card.
  5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
    the network device obtaining a second IP packet through the user plane processor core;
    when the network device determines, according to information of the second IP packet, that the second IP packet needs to be hard-encrypted:
    the network device allocating, through the hardware encryption module, a sequence number to the second IP packet and performing hard encryption to obtain the encrypted second IP packet;
    the network device sending the encrypted second IP packet through the network card.
  6. The method according to any one of claims 1 to 4, characterized in that determining, through the control plane processor core, that the first IP packet is a first IP packet that needs to be encrypted comprises:
    the network device determining a preset security policy route, where the security policy route includes at least one IP address;
    when the network device determines that the destination IP address in the first IP packet belongs to one of the at least one IP address, determining that the first IP packet is a first IP packet that needs to be encrypted.
  7. A network device for Internet Protocol Security (IPSec) protocol encryption, characterized in that it includes at least one control plane processor core that processes control plane data and at least one user plane processor core that processes user plane data; the network device further includes a hardware encryption module and a network card;
    the control plane processor core is configured to obtain a first IP packet;
    the hardware encryption module is configured to: when it is determined through the control plane processor core that the first IP packet is a first IP packet that needs to be encrypted, and it is determined through the control plane processor core that the first IP packet needs to be hard-encrypted, allocate a sequence number to the first IP packet and perform hard encryption to obtain the encrypted first IP packet;
    the network card is configured to send the encrypted first IP packet.
  8. The network device according to claim 7, characterized in that the control plane processor core is configured to:
    when it is determined that the first IP packet is in tunnel mode and that the source IP address in the first IP packet is an IP address negotiated based on the IPSec protocol, determine that the first IP packet needs to be hard-encrypted;
    when it is determined that the first IP packet is in transport mode, obtain the preset set of protected IP addresses from the cloud server, and when it is determined that the destination IP address in the first IP packet is one of the addresses in that set, determine that the first IP packet needs to be hard-encrypted.
  9. The network device according to claim 7, characterized in that the network card is further configured to:
    when it is determined through the control plane processor core that the first IP packet does not need to be hard-encrypted, send the first IP packet.
  10. The network device according to claim 7, characterized in that the network card is further configured to:
    when it is determined through the control plane processor core that the first IP packet is a first IP packet that does not need to be encrypted: the network device sends the first IP packet through the network card.
  11. The network device according to any one of claims 7 to 10, characterized in that the user plane processor core is configured to obtain a second IP packet;
    the hardware encryption module is further configured to: when it is determined through the user plane processor core that the second IP packet needs to be hard-encrypted, allocate a sequence number to the second IP packet and perform hard encryption to obtain the encrypted second IP packet;
    the network card is further configured to send the encrypted second IP packet.
  12. The network device according to any one of claims 7 to 10, characterized in that the control plane processor core is configured to:
    determine a preset security policy route, where the security policy route includes at least one IP address;
    when it is determined that the destination IP address in the first IP packet belongs to one of the at least one IP address, determine that the first IP packet is a first IP packet that needs to be encrypted.
  13. A network device, characterized in that it comprises:
    at least one processor; and
    a memory communicatively connected to the at least one processor; wherein
    the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor so as to enable the at least one processor to perform the IPSec protocol encryption method according to any one of claims 1 to 6.
  14. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, the computer instructions being used to cause a computer to perform the method according to any one of claims 1 to 6.
  15. A computer program product, characterized in that the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, cause the computer to perform the method according to any one of claims 1 to 6.
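The classification described for processor 502 above and in claims 1, 2 and 6, as an added Python example that is not part of the patent or the applicant's code: the security policy route lookup (encrypt at all?), the tunnel/transport test (hard encryption?), and a single hardware-module sequence allocator that both the control plane core and the user plane core share, so sequence numbers for one SA stay monotonic and never collide across planes. The addresses, the key, keying SAs by destination address, and the toy keystream standing in for the hardware cipher are all assumptions.

```python
import hashlib
import ipaddress
import threading
from dataclasses import dataclass

@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    mode: str        # "tunnel" or "transport"
    payload: bytes

class HardwareEncryptionModule:
    """Stand-in for the hardware encryption module of the patent: both processor cores
    hand packets to this one object, so one allocator owns the ESP sequence space and
    numbers cannot collide or repeat across planes. SAs are keyed by destination
    address here (an assumption; a real module would key by SPI/SA)."""
    MAX_SEQ = 0xFFFFFFFF   # 32-bit ESP sequence number without ESN

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = {}               # dst -> last sequence number issued
        self._lock = threading.Lock()     # the two cores may call concurrently

    def allocate_seq(self, dst: str) -> int:
        with self._lock:
            nxt = self._last_seq.get(dst, 0) + 1
            if nxt > self.MAX_SEQ:
                # RFC 4303: the counter must not wrap; the SA has to be rekeyed first.
                raise RuntimeError(f"sequence space exhausted for SA to {dst}; rekey required")
            self._last_seq[dst] = nxt
            return nxt

    def xor_stream(self, seq: int, data: bytes) -> bytes:
        # Toy keystream from (key, seq, block counter) standing in for the hardware
        # cipher so the example runs offline; it is not a real ESP transform.
        out = bytearray()
        for block, start in enumerate(range(0, len(data), 32)):
            ks = hashlib.sha256(self._key + seq.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
            out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
        return bytes(out)

    def hard_encrypt(self, pkt: IPPacket):
        """Allocate the sequence number, then encrypt; returns (seq, bytes for the NIC)."""
        seq = self.allocate_seq(pkt.dst)
        return seq, seq.to_bytes(4, "big") + self.xor_stream(seq, pkt.payload)

class IPsecClassifier:
    """The two decisions of claims 6 (encrypt at all?) and 2 (hard encryption?)."""

    def __init__(self, policy_route, negotiated_sources, cloud_protected, hw):
        self.policy_route = {ipaddress.ip_address(a) for a in policy_route}
        self.negotiated_sources = {ipaddress.ip_address(a) for a in negotiated_sources}
        self.cloud_protected = {ipaddress.ip_address(a) for a in cloud_protected}
        self.hw = hw

    def needs_encryption(self, pkt: IPPacket) -> bool:
        # Claim 6: destination address is one of the security policy route's addresses.
        return ipaddress.ip_address(pkt.dst) in self.policy_route

    def needs_hard_encryption(self, pkt: IPPacket) -> bool:
        # Claim 2: tunnel mode -> source must be an IPsec-negotiated address;
        # transport mode -> destination must be in the cloud server's protected set.
        if pkt.mode == "tunnel":
            return ipaddress.ip_address(pkt.src) in self.negotiated_sources
        if pkt.mode == "transport":
            return ipaddress.ip_address(pkt.dst) in self.cloud_protected
        raise ValueError(f"unknown IPsec mode {pkt.mode!r}")

    def process(self, pkt: IPPacket):
        """Returns (action, sequence number or None, bytes handed to the NIC)."""
        if not self.needs_encryption(pkt):
            return "forward_unencrypted", None, pkt.payload              # claim 4
        if not self.needs_hard_encryption(pkt):
            return "forward_without_hard_encryption", None, pkt.payload  # claim 3
        seq, enc = self.hw.hard_encrypt(pkt)                             # claim 1
        return "send_hard_encrypted", seq, enc
```

Because both cores go through the same allocator, a control plane packet and a user plane packet to the same destination receive consecutive sequence numbers, which is what keeps the peer's anti-replay window from rejecting one plane's traffic.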
PCT/CN2017/119487 2017-01-11 2017-12-28 Method for encrypting internet protocol security (ipsec) protocol and network device WO2018130079A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710021178.8A CN106790221B (en) 2017-01-11 2017-01-11 Internet protocol security IPSec protocol encryption method and network equipment
CN201710021178.8 2017-01-11

Publications (1)

Publication Number Publication Date
WO2018130079A1 true WO2018130079A1 (en) 2018-07-19

Family

ID=58949241

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/119487 WO2018130079A1 (en) 2017-01-11 2017-12-28 Method for encrypting internet protocol security (ipsec) protocol and network device

Country Status (2)

Country Link
CN (1) CN106790221B (en)
WO (1) WO2018130079A1 (en)


Also Published As

Publication number Publication date
CN106790221B (en) 2020-11-03
CN106790221A (en) 2017-05-31


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17890962; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 28/10/2019))
122 Ep: pct application non-entry in european phase (Ref document number: 17890962; Country of ref document: EP; Kind code of ref document: A1)