WO2020063528A1 - Method, apparatus and system for communication between virtual machines in data center - Google Patents
- Publication number: WO2020063528A1 (PCT/CN2019/107266)
- Authority: WO, WIPO (PCT)
- Prior art keywords: data packet, ipsec, vxlan, virtual machine, vni
Classifications
All under H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
- H04L12/00—Data switching networks > H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46—Interconnection of networks > H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/00 > H04L12/28 > H04L12/46 > H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] > H04L69/164—Adaptation or special uses of UDP protocol
- H04L2212/00—Encapsulation of packets
Definitions
- In addition to carrying the original VxLAN packet and adding the IPsec header, the encapsulated packet of the first aspect of the present invention includes a third part.
- The third part carries tenant information or routing indication information; for example, the VNI is used as the tenant information or routing indication.
- One specific implementation of the newly added third part in the IPsec packet is shown in FIG. 4 or FIG. 5, where the third part is placed between the outer IP field and the ESP header.
- The third part may also be added directly into the ESP header or the AH header, for example the sequence number and payload data fields in the ESP header.
- The second communication device 72 includes a transceiver unit 721 for receiving an IPsec packet from the first host, where the IPsec packet includes a first part, a second part and a third part, the first part carrying a VxLAN packet, the second part including an IPsec header, and the third part carrying the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN packet being obtained by encapsulating the source data packet of the first virtual machine and the VxLAN header of the VxLAN packet including the VNI; and a first decapsulating unit 722 configured according to the VNI and the IPsec header carried in the IPsec packet.
Abstract
Disclosed are a method, apparatus and system for communication between virtual machines in a data center. In the present application, the IPsec security protocol is used to encapsulate data packets, and security measures such as encryption or authentication are applied to communication packets between virtual machines in the same tenant or the same VxLAN, thereby ensuring the security of the communication packets. Moreover, to prevent encapsulated IPsec packets from being unroutable or from failing to be associated with the correct security association, the indexes of the IPsec packets and of the IPsec security association are extended.
Description
The present invention relates generally to communication technology, and in particular to a method and system for communication between virtual machines in a data center.
Virtual Extensible Local Area Network (VxLAN) is a technology for extending network virtualization so as to obtain a sufficient number of virtual networks for users. According to the VxLAN protocol, a VxLAN packet generally includes a payload and a header. The header generally carries information such as the 24-bit VxLAN Network Identifier (VNI), the IP address of the source and the IP address of the destination, which is used to forward the VxLAN packet; the payload generally carries the communication traffic exchanged between virtual machines (VMs), for example data packets and the MAC addresses of the source VM and the destination VM.
In the prior art, if virtual machines communicate using VxLAN packets, the data is at risk of being intercepted, tampered with and replayed while being forwarded, particularly in cross-data-center scenarios.
Summary of the Invention
Embodiments of the present application provide a method, apparatus and system for communication between virtual machines in a data center, so that communication between virtual machines belonging to the same tenant or the same VxLAN is protected with the IPsec protocol.
In a first aspect, the present application provides a method for communication between virtual machines, where a first virtual machine and a second virtual machine run on a first host and a second host respectively, and the first virtual machine and the second virtual machine belong to the same Virtual Extensible LAN (VxLAN). The method for communication between the first virtual machine and the second virtual machine includes: obtaining a source data packet to be sent by the first virtual machine; encapsulating the source data packet in VxLAN format to obtain a VxLAN packet, where the VxLAN header of the VxLAN packet contains the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong; then encapsulating the VxLAN packet in Internet Protocol Security (IPsec) format to obtain an IPsec packet, where the IPsec packet includes a first part, a second part and a third part, the first part carrying the VxLAN packet, the second part including the IPsec header, and the third part carrying the VNI; and finally sending the IPsec packet.
In the first aspect, for communication between virtual machines of the same tenant or the same VxLAN, the sender applies IPsec encapsulation to the VxLAN packet to be sent, and the resulting IPsec packet avoids a range of security risks while it is forwarded. In addition, to address the fact that the existing IPsec protocol does not suit multi-tenant scenarios, the encapsulated packet of the first aspect of the present invention not only carries the original VxLAN packet and adds an IPsec header but also adds a third part, which carries tenant information or routing indication information, for example the VNI. The added third part solves the problem that, after receiving an IPsec packet, the receiver cannot match the correct IPsec security association (SA) and therefore cannot decapsulate the packet; at the same time, the third part allows the IPsec packet to be recognised and correctly routed by intermediate routing devices such as gateways.
According to a first possible implementation of the first aspect, the IPsec encapsulation uses the Encapsulating Security Payload (ESP) protocol; the VNI carried in the VxLAN packet in the first part is encrypted, and the VNI carried in the third part is unencrypted.
According to a second possible implementation of the first aspect, the IPsec encapsulation uses both the ESP protocol and the Authentication Header (AH) protocol; the VNI carried in the VxLAN packet in the first part is encrypted, and the VNI carried in the third part is unencrypted.
According to a third possible implementation of the first aspect, the IPsec encapsulation uses the AH protocol; the VNI carried in the VxLAN packet in the first part is unencrypted, and the VNI in the third part is unencrypted.
According to the first aspect and the three possible implementations above, in a fourth possible implementation the VxLAN packet contains an outer IP field, and the third part is placed between the outer IP field and the IPsec header and is encapsulated in User Datagram Protocol (UDP) format.
According to the second or third possible implementation of the first aspect, in a fifth possible implementation the IPsec header includes an ESP header, and the third part is placed in the ESP header.
According to the third or fourth possible implementation of the first aspect, in a sixth possible implementation the IPsec header includes an AH header, and the third part is placed in the AH header.
The six possible implementations above set out the specific implementation details of the IPsec encapsulation.
According to the six possible implementations of the first aspect above, in a seventh implementation, before the IPsec encapsulation is performed, the method further includes: the first host and the second host negotiate, using the Internet Key Exchange (IKE) protocol, the IPsec security association (SA) between the first virtual machine and the second virtual machine, where the IPsec SA includes a four-tuple index and security elements, the four-tuple index including the security protocol type, the security parameter index (SPI), the peer IP address, and the VNI to which the first virtual machine and the second virtual machine belong; the IKE packet sent by the first host to the second host includes the VNI.
Further, performing the IPsec encapsulation includes: looking up the IPsec SA by the four-tuple index to obtain the security elements, and encapsulating in IPsec format according to the security elements to obtain the IPsec packet.
In a second aspect, the present application provides a method for communication between virtual machines, where a first virtual machine and a second virtual machine run on a first host and a second host respectively, and the first virtual machine and the second virtual machine belong to the same VxLAN. The method for communication between the first virtual machine and the second virtual machine includes: receiving an IPsec packet from the first host, where the IPsec packet includes a first part, a second part and a third part, the first part carrying a VxLAN packet, the second part including an IPsec header, and the third part carrying the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN packet having been obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN packet containing the VNI; decapsulating the IPsec packet according to the VNI and the IPsec header carried in it to obtain the VxLAN packet; and decapsulating the VxLAN packet to obtain the source data packet and forwarding the source data packet to the second virtual machine.
The second aspect, and any implementation of it, is the apparatus implementation corresponding to the first aspect and any implementation of it; the description of the first aspect and its implementations applies to the second aspect and its implementations and is not repeated here.
In a third aspect, the present application provides a method for forwarding data packets of virtual machines, where a first virtual machine and a second virtual machine run on a first host and a second host respectively, and the first virtual machine and the second virtual machine belong to the same VxLAN. The method is applied at a gateway between the first host and the second host and includes: receiving an IPsec packet from the first host, where the IPsec packet includes a first part, a second part and a third part, the first part carrying a VxLAN packet, the second part including an IPsec header, and the third part carrying the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN packet having been obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN packet containing the VNI; obtaining the VNI carried in the IPsec packet and determining from the VNI that the intended receiver of the IPsec packet is the second host; and sending the IPsec packet to the second host according to the information of the second host.
Since a gateway is connected to more than one host, the gateway needs to obtain the VNI information to identify the destination host. However, if the sender produced the IPsec packet by ESP encapsulation, the VNI information is encrypted, and in that case the gateway cannot obtain it. In the third aspect, because the sender extends the IPsec encapsulation and the newly added third part carries the VNI in unencrypted form, the problem that the gateway cannot route the packet is solved.
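As an added worked example (not code from the application), the following Python models the three roles described in the first, second and third aspects above: the sender encapsulating a VxLAN packet with a cleartext VNI third part ahead of the ESP header, the gateway routing on that third part alone, and the receiver selecting the SA by the four-tuple (protocol, SPI, peer IP, VNI) before verifying and decapsulating. The third-part layout (24-bit VNI plus 8 reserved bits), the addresses, keys and SPIs, and the HMAC-based stand-in cipher are all assumptions for the demo; a real implementation would use a standard ESP transform and the outer IP/UDP headers of the host stack.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP = 50      # IP protocol number of ESP, used here as the "security protocol type"
ICV_LEN = 16  # 128-bit truncated HMAC-SHA256 (HMAC-SHA-256-128 style)

@dataclass(frozen=True)
class SecurityElements:
    enc_key: bytes
    auth_key: bytes

# Constructed SA database indexed by the application's 4-tuple
# (security protocol type, SPI, peer IP, VNI). Tenants A (VNI 100) and
# B (VNI 200) deliberately share SPI and peer IP, so only the VNI tells
# their SAs apart. Keys and addresses are made up for the demo.
SADB = {
    (ESP, 0x1001, "192.0.2.20", 100): SecurityElements(b"tenant-A-enc", b"tenant-A-auth"),
    (ESP, 0x1001, "192.0.2.20", 200): SecurityElements(b"tenant-B-enc", b"tenant-B-auth"),
}
LAST_SEQ = {}  # per-SA highest accepted sequence number (minimal anti-replay)
VNI_TO_HOST = {100: "192.0.2.20", 200: "192.0.2.20", 300: "192.0.2.30"}  # constructed gateway table

def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in for a real ESP cipher such as AES-GCM: HMAC-SHA256 in counter
    mode with (SPI, seq) as the nonce. Demo only, not an IPsec transform."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return bytes(out[:n])

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def vxlan_encap(vni: int, frame: bytes) -> bytes:
    """8-byte VxLAN header (RFC 7348): flags 0x08, 3 reserved, 24-bit VNI, 1 reserved."""
    return struct.pack("!B3xI", 0x08, vni << 8) + frame

def vxlan_decap(pkt: bytes) -> tuple[int, bytes]:
    flags, vni_field = struct.unpack("!B3xI", pkt[:8])
    if not flags & 0x08:
        raise ValueError("VxLAN I flag not set")
    return vni_field >> 8, pkt[8:]

def ipsec_encap(peer_ip: str, vni: int, spi: int, seq: int, vxlan_pkt: bytes) -> bytes:
    """Sender (first aspect): [third part: cleartext VNI][ESP header]
    [encrypted VxLAN packet][ICV]. Outer IP/UDP headers are left to the host
    stack; the third-part layout (24-bit VNI + 8 reserved bits) is assumed."""
    se = SADB[(ESP, spi, peer_ip, vni)]  # security elements looked up by 4-tuple
    third = struct.pack("!I", vni << 8)
    esp_hdr = struct.pack("!II", spi, seq)
    ct = xor(vxlan_pkt, keystream(se.enc_key, spi, seq, len(vxlan_pkt)))
    # The ICV covers ESP header + payload only; the third part sits outside it.
    icv = hmac.new(se.auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return third + esp_hdr + ct + icv

def gateway_route(ipsec_pkt: bytes) -> str:
    """Gateway (third aspect): reads only the cleartext third part; it holds
    no SA keys and cannot see the encrypted inner VNI."""
    return VNI_TO_HOST[struct.unpack("!I", ipsec_pkt[:4])[0] >> 8]

def ipsec_decap(peer_ip: str, ipsec_pkt: bytes) -> tuple[int, bytes]:
    """Receiver (second aspect): select the SA by 4-tuple, check replay and
    ICV, decrypt, then decapsulate VxLAN."""
    vni = struct.unpack("!I", ipsec_pkt[:4])[0] >> 8
    spi, seq = struct.unpack("!II", ipsec_pkt[4:12])
    key = (ESP, spi, peer_ip, vni)
    se = SADB.get(key)
    if se is None:
        raise ValueError("no SA for (ESP, SPI, peer IP, VNI)")
    if seq <= LAST_SEQ.get(key, 0):
        raise ValueError("replayed sequence number")
    ct, icv = ipsec_pkt[12:-ICV_LEN], ipsec_pkt[-ICV_LEN:]
    expect = hmac.new(se.auth_key, ipsec_pkt[4:12] + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV mismatch")
    LAST_SEQ[key] = seq
    inner_vni, frame = vxlan_decap(xor(ct, keystream(se.enc_key, spi, seq, len(ct))))
    # Defence in depth: the third part is not ICV-protected, so bind it to
    # the VNI that was authenticated inside the ESP payload.
    if inner_vni != vni:
        raise ValueError("cleartext VNI does not match authenticated inner VNI")
    return inner_vni, frame

def decap_status(peer_ip: str, ipsec_pkt: bytes) -> str:
    """'ok' or the rejection reason, so failure modes can be checked."""
    try:
        ipsec_decap(peer_ip, ipsec_pkt)
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    frame = bytes.fromhex("ffffffffffff0a0b0c0d0e0f0800") + b"ping"  # constructed inner frame
    pkt = ipsec_encap("192.0.2.20", 100, 0x1001, 1, vxlan_encap(100, frame))
    print("gateway forwards to", gateway_route(pkt))
    print("receiver recovers", ipsec_decap("192.0.2.20", pkt))
```

Because the cleartext third part lies outside what the ESP integrity check covers, the receiver cross-checks it against the VNI recovered from the authenticated inner VxLAN header; rewriting the third part to another tenant's VNI therefore selects that tenant's SA and fails its ICV.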
In a fourth aspect, the present application provides a communication apparatus for communication between a first virtual machine and a second virtual machine belonging to the same VxLAN, the apparatus including: a transceiver unit, configured to obtain a source data packet to be sent by the first virtual machine; a first encapsulating unit, configured to encapsulate the source data packet in VxLAN format to obtain a VxLAN packet, where the VxLAN header of the VxLAN packet contains the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong; and a second encapsulating unit, configured to encapsulate the VxLAN packet in IPsec format to obtain an IPsec packet, where the IPsec packet includes a first part, a second part and a third part, the first part carrying the VxLAN packet, the second part including an IPsec header, and the third part carrying the VNI; the transceiver unit is further configured to send the IPsec packet.
The fourth aspect, and any implementation of it, is the apparatus implementation corresponding to the first aspect and any implementation of it; the description of the first aspect and its implementations applies to the fourth aspect and its implementations and is not repeated here.
In a fifth aspect, the present application provides a communication apparatus for communication between a first virtual machine and a second virtual machine belonging to the same VxLAN, the apparatus including: a transceiver unit, configured to receive an IPsec packet from the first host, where the IPsec packet includes a first part, a second part and a third part, the first part carrying a VxLAN packet, the second part including an IPsec header, and the third part carrying the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN packet having been obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN packet containing the VNI; a first decapsulating unit, configured to decapsulate the IPsec packet according to the VNI and the IPsec header carried in it to obtain the VxLAN packet; and a second decapsulating unit, configured to decapsulate the VxLAN packet to obtain the source data packet; the transceiver unit is further configured to forward the source data packet to the second virtual machine.
The fifth aspect, and any implementation of it, is the apparatus implementation corresponding to the second aspect and any implementation of it; the description of the second aspect and its implementations applies to the fifth aspect and its implementations and is not repeated here.
In a sixth aspect, the present application provides a communication gateway for communication between a first virtual machine and a second virtual machine belonging to the same VxLAN, including: a receiving unit, configured to receive an IPsec packet from the first host, where the IPsec packet includes a first part, a second part and a third part, the first part carrying a VxLAN packet, the second part including an IPsec header, and the third part carrying the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN packet having been obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN packet containing the VNI; and a routing unit, configured to obtain the VNI carried in the IPsec packet, determine from the VNI that the intended receiver of the IPsec packet is the second host, and send the IPsec packet to the second host according to the information of the second host.
In a seventh aspect, the present application provides a communication apparatus including a processor, a memory and a bus;
the memory stores execution instructions, the processor is connected to the memory through the bus, and when the communication apparatus runs, the processor executes the execution instructions stored in the memory so that the computing device performs the method of the first, second or third aspect.
In an eighth aspect, the present application provides a communication system including a first host and a second host, where the first host runs a first virtual machine, the second host runs a second virtual machine, and the first virtual machine and the second virtual machine belong to the same VxLAN. The first host is configured to obtain a source data packet to be sent by the first virtual machine, encapsulate the source data packet in VxLAN format to obtain a VxLAN packet whose VxLAN header contains the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, encapsulate the VxLAN packet in IPsec format to obtain an IPsec packet that includes a first part, a second part and a third part, the first part carrying the VxLAN packet, the second part including an IPsec header and the third part carrying the VNI, and send the IPsec packet. The second host is configured to receive the IPsec packet from the first host, decapsulate the IPsec packet according to the VNI and the IPsec header carried in it to obtain the VxLAN packet, decapsulate the VxLAN packet to obtain the source data packet, and forward the source data packet to the second virtual machine.
Optionally, the communication system further includes a communication gateway configured to receive the IPsec packet from the first host, obtain the VNI carried in the IPsec packet, determine from the VNI that the intended receiver of the IPsec packet is the second host, and send the IPsec packet to the second host according to the information of the second host.
In a ninth aspect, the present application provides a computer-readable storage medium or computer program product. The computer-readable storage medium stores instructions which, when run by a processor, implement the virtual machine configuration method provided in any implementation of the first, second or third aspect. The computer-readable storage medium includes, but is not limited to, read-only memory, random access memory, flash memory, HDD or SSD.
To explain the technical solutions in the embodiments of the present application or in the background art more clearly, the drawings needed for the embodiments or the background art are described below.
FIG. 1A is a system architecture diagram provided by an embodiment of the present invention;
FIG. 1B is another system architecture diagram provided by an embodiment of the present invention;
FIG. 2 is a flowchart of a method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a VxLAN packet structure according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an IPsec packet structure according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an IPsec packet structure according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an IPsec packet structure according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the composition of a communication system according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the composition of a device according to an embodiment of the present invention.
The embodiments of the present application are described below with reference to the drawings in the embodiments of the present application.
FIG. 1A and FIG. 1B are schematic diagrams of the system architecture for virtual machine communication in the present application. As shown in FIG. 1A, a single data center contains at least two hosts (two are shown), and each host runs multiple virtual machines (two are shown): the first host 10 runs the first virtual machine VM1 and the third virtual machine VM3, the second host 20 runs the second virtual machine VM2 and the fourth virtual machine VM4, VM1 and VM2 belong to the same VxLAN (VxLAN1, drawn with a dashed line), and VM3 and VM4 belong to the same VxLAN (VxLAN2, drawn with a dashed line). The same tenant generally means the same VxLAN: within one tenant network every virtual machine is assigned a different ID or address, but across different tenants, different virtual machines may be assigned the same ID or address; for example, VM1 and VM4 may have the same address. In the data center shown in FIG. 1A, virtual machines can communicate with one another using VxLAN packets; each VxLAN packet encapsulates the VxLAN network identifier VNI to which the virtual machine belongs, and the VNI is used to route and forward the packet. The system in FIG. 1B differs from FIG. 1A in that it shows communication between virtual machines belonging to the same VxLAN in different data centers; each data center is also called an availability zone (AZ). Host 10 and host 20 are located in different data centers, and each data center has its own gateway. Data center 2 contains at least two hosts (two are shown): host 20 and host 30 both belong to data center 2, and VM5 and VM6 on host 30 belong to VxLAN2. A packet sent by host 10 passes through gateway 102, is forwarded over the network to gateway 202, and is forwarded by gateway 202 to host 20; during forwarding, the gateways rely on the VNI in the VxLAN packet for routing.
The existing communication process between virtual machines of the same tenant is as follows. In FIG. 1A, traffic from the sender VM1 passes through virtual switch 101, which applies VxLAN encapsulation to the source data packet before it leaves host 10; when the physical interface of the receiving host 20 receives the packet, it passes it to the local virtual switch 201, which performs VxLAN decapsulation and finally forwards the packet to the destination virtual machine VM2. In FIG. 1B, traffic from the sender VM1 passes through virtual switch 101, which applies VxLAN encapsulation to the source data packet before it leaves host 10; the packet is forwarded by gateways 102 and 202 in turn, and when the physical interface of the receiving host 20 receives it, it passes it to the local virtual switch 201, which performs VxLAN decapsulation and finally forwards the packet to the destination virtual machine VM2.
现有技术中相同租户的虚拟机之间的通信数据包并未经过安全处理,因此数据在转发过程尤其是跨数据中心场景存在可能被窃取、被篡改和被重放的安全风险。In the prior art, communication data packets between virtual machines of the same tenant have not been processed securely. Therefore, there is a security risk that data may be stolen, tampered with, and replayed during the forwarding process, especially across data center scenarios.
因特网协议安全性(Internet Protocol Security,IPSec)是网络通信中广泛应用的一种安全协议。通信双方之间在IP层通过加密与数据源认证等方式,能够提供了以下的安全服务:数据机密性(Confidentiality):IPsec发送方在通过网络传输包前对包进行加密;数据完整性(Data Integrity):IPsec接收方对发送方发送来的包进行认证,以确保数据在传输过程中没有被篡改;数据来源认证(Data Authentication):IPsec在接收端可以认证发送IPsec报文的发送端是否合法;防重放(Anti-Replay):IPsec接收方可检测并拒绝接收过时或重复的报文。Internet Protocol Security (Internet Protocol Security, IPSec) is a security protocol widely used in network communications. The two communication parties can provide the following security services at the IP layer through encryption and data source authentication: Data confidentiality (Confidentiality): The IPsec sender encrypts the packet before transmitting it through the network; Data integrity (Data Integrity) Integrity): The IPsec receiver authenticates the packets sent by the sender to ensure that the data has not been tampered with during the transmission process. Data Source Authentication: IPsec at the receiver can authenticate whether the sender sending the IPsec message is legitimate ; Anti-Replay: IPsec receiver can detect and refuse to receive outdated or duplicate messages.
IPsec提供了两种安全机制:认证和加密。认证机制使IP通信的数据接收方能够确认数据发送方的真实身份以及数据在传输过程中是否遭篡改。加密机制通过对数据进行加密运算来保证数据的机密性,以防数据在传输过程中被窃听。IPsec协议中的认证头(Authentication Header,AH)协议定义了认证的应用方法,提供数据源认证和完整性保证;封装安全载荷(Encapsulating Security Payload,ESP)协议定义了加密和可选认证的应用方法,提供数据可靠性保证;因特网密钥交换(Internet Key Exchange,IKE)用于密钥交换。IPsec provides two security mechanisms: authentication and encryption. The authentication mechanism enables the data receiver of IP communication to confirm the true identity of the data sender and whether the data has been tampered with during transmission. The encryption mechanism guarantees the confidentiality of the data by encrypting the data to prevent the data from being intercepted during transmission. The Authentication Header (AH) protocol in the IPsec protocol defines the application method of authentication, providing data source authentication and integrity guarantee; the Encapsulating Security Payload (ESP) protocol defines the application method of encryption and optional authentication Provides data reliability guarantee; Internet Key Exchange (IKE) is used for key exchange.
在IPSec协议的应用中,两个通信端点之间进行信息传递需要建立IPSec安全联盟(Security Association,SA)用于信息的加密解密过程,以确保信息的安全传递。IPsec SA在两个端点之间提供安全通信,端点被称为IPsec对等体。IPSec SA是通信对等体之间对安全要素的约定,例如,使用哪种协议(AH还是ESP还是两者结合使用)、协议的封装模式、加密算法、特定流中保护数据的共享密钥以及密钥的生存周期等。按照现有IPSec协议定义,一个IPSec SA由一个三元组来唯一标识,这个三元组包括安全参数索引(Security Parameter Index,SPI)、对端/远端IP地址(也称为destination address)、安全协议类型(AH或ESP)。In the application of the IPSec protocol, information transmission between two communication endpoints requires the establishment of an IPSec Security Association (SA) for the encryption and decryption of information to ensure the secure transmission of information. IPsec SA provides secure communication between two endpoints, which are called IPsec peers. IPSec SA is the agreement on the security elements between communication peers, for example, which protocol is used (AH or ESP or a combination of the two), the protocol's encapsulation mode, the encryption algorithm, the shared key to protect data in a specific stream, and Key lifetime, etc. According to the definition of the existing IPSec protocol, an IPSec SA is uniquely identified by a triplet including a security parameter index (SPI), a peer / remote IP address (also called destination address), Security protocol type (AH or ESP).
Based on the IPsec protocol, applying IPsec encapsulation to the VxLAN data packets exchanged between virtual machines of the same tenant can protect the data, but the existing IPsec protocol was not designed for the multi-tenant scenario: the SA established between the two communicating parties (two virtual machines) cannot be mapped to a single SA using the existing triplet. For example, consider an SA established between VM1 and VM2 and an SA established between VM3 and VM4, where VM1 and VM3 have the same address (virtual machines in different VxLANs are allowed to have the same address). When an IPsec data packet sent by VM1 arrives at host machine 20, the host machine, indexing by the triplet (SPI, address of VM1, protocol type ESP or AH), may find two or more SAs, because the other two index values (SPI and protocol type) have a fairly high probability of being identical, and the address of VM1 is the same as the address of VM3, so the triplet index may correspond to two SAs. Host machine 20 may therefore be unable to locate the correct SA, and thus unable to apply security measures such as decryption or authentication to the received IPsec data packet, which ultimately means the packet cannot be forwarded to the corresponding receiving virtual machine.
In addition, if the ESP protocol is used to encrypt the VxLAN data packet, the VNI in the original VxLAN data packet is encrypted; the receiving host machine cannot obtain the VNI and therefore cannot determine the receiving virtual machine of the packet. Likewise, in the scenario of FIG. 1B, if the ESP protocol is used to encrypt the VxLAN data packet into an IPsec data packet, the VxLAN identifier VNI carried in the VxLAN header is encrypted; a gateway receiving the IPsec data packet cannot obtain the VNI from it and therefore cannot determine the subsequent routing from the VNI, so the data packet sent by VM1 cannot be routed to the host machine on which VM2 resides.
This application provides a method for communication between virtual machines of the same tenant. The method both guarantees the security of the data packets exchanged between the two communicating parties and solves the two problems that arise when the IPsec protocol is applied to a virtualized multi-tenant scenario, namely that the SA cannot be uniquely determined and that the VNI cannot be obtained for routing, so that virtual machines of the same tenant in a multi-tenant scenario can communicate securely over IPsec.
This application extends the index information of the IPsec SA from the existing triplet to a quadruple by adding one index item, the VNI, to distinguish the SAs of virtual machines in different tenants. The quadruple index comprises: the security protocol type (ESP, AH or both), the security parameter index SPI, the destination IP address, and the tenant information (the VNI to which the virtual machines on both sides of the communication belong).
FIG. 2 is a flowchart of a method embodiment provided by this application, illustrated with the scenario of FIG. 1B. In step 201, when VM1 wants to send a data packet to VM2, VM1 sends the source data packet to virtual switch 101 on host machine 10. After receiving the source data packet, virtual switch 101 encapsulates it in VxLAN format to obtain a VxLAN data packet whose VxLAN header contains the identifier VNI of the VxLAN to which VM1 and VM2 belong. FIG. 3 shows an exemplary format of the VxLAN data packet: the source data packet is wrapped in an outer media access control (MAC) address and IP address, which are generally the MAC or IP address of the VxLAN tunnel end point (VTEP) corresponding to VM1 or of the host machine; in the outer UDP header the destination port number (VXLAN Port) is fixed at 4789 and the source port number (UDP Source Port) is a value computed from the original Ethernet frame by a hash algorithm; and the VxLAN header carries the VNI.
In step 202, virtual switch 101 further applies secure encapsulation to the VxLAN data packet. The secure encapsulation may use the IPsec protocol, yielding an IPsec data packet that comprises a first part, a second part and a third part: the first part carries the VxLAN data packet, the second part comprises the IPsec header, and the third part carries the VNI. In this embodiment the format of the IPsec data packet is extended; the third part is newly added and carries the VNI a second time in the packet, that is, in addition to the VNI carried in the VxLAN header, VNI information is added again. This added VNI directly indicates the identifier of the VxLAN network to which the virtual machines of both parties belong, so that a receiver of the IPsec data packet can perform the relevant identification or security operations based on it.
Specifically, step 202A may be performed before step 202. In step 202A, host machine 10 and host machine 20 may first negotiate, using the IKE protocol, the IPsec security association SA between VM1 and VM2. After the negotiation succeeds, host machine 10 and host machine 20 each record the negotiated SA. The recorded SA comprises a quadruple index and security elements: the quadruple index comprises the security protocol type, the security parameter index, the peer IP address (destination IP) and the VNI to which VM1 and VM2 belong, and it corresponds to the security elements, which include the encapsulation mode of the protocol, the encryption algorithm, the shared key that protects the data of a specific flow, the key lifetime and so on. In this step the SA may be established by negotiation or by manual configuration. If it is established by negotiation, the IKE protocol may be used; in the prior art the IKE protocol does not support carrying a VNI, so in this embodiment the IKE data packet may be extended to carry the VNI, for example by inserting the VNI information between the UDP header and the Initiator Cookie of the IKE data packet.
Specifically, in step 202, virtual switch 101 may obtain the SA determined in step 202A and perform IPsec encapsulation according to the security elements in that SA. The IPsec encapsulation may use the ESP protocol, the AH protocol, or both ESP and AH.
An IPsec data packet encapsulated with the ESP protocol is shown in FIG. 4. The IPsec data packet comprises at least three parts: the first part carries the original VxLAN data packet, and the second part comprises the ESP header, which carries the encapsulation information; the encapsulation information may include the SPI and the protocol type (ESP) from the quadruple index. Because ESP encrypts the data packet, in general the portion from the ESP header through the source data packet is encrypted, which means the VNI in the VxLAN data packet is encrypted. Since that VNI is encrypted, the VNI in the newly added third part is left unencrypted so that every receiver along the routing path can obtain the VNI information. Note that not all of the ESP header needs to be encrypted; the SPI and protocol type information in it are generally not encrypted.
An IPsec data packet encapsulated with both the ESP protocol and the AH protocol is shown in FIG. 5. Such a packet is both encrypted and authenticated by the peer, so it must additionally carry an authentication information part; in FIG. 5 the second part comprises an AH header in addition to the ESP header.
The format of an IPsec data packet encapsulated with the AH protocol is similar to FIG. 4, except that the ESP header is replaced by an AH header and the packet has no encrypted part.
One specific way to place the newly added third part in the IPsec data packet is shown in FIG. 4 or FIG. 5, where the third part is located between the outer IP field and the ESP header. In another implementation, the third part may be added directly inside the ESP header or the AH header, for example between the sequence number and the payload data of the ESP header.
The third part may be encapsulated in the format of the User Datagram Protocol (UDP). As shown in FIG. 6, the third part in UDP format comprises a new UDP field, a VNI field and a reserved field; the destination port of the new UDP header may be set to 6001 to indicate that the third part encapsulates tenant information or VNI information.
Note that in step 202 above the IPsec encapsulation is performed by the virtual switch; in practice it may also be performed by other components in host machine 10.
Step 203: the first host machine 10 sends the encapsulated IPsec data packet. After leaving host machine 10, the IPsec data packet reaches gateway 202, to which host machine 20 is connected, through the network.
Step 204: after receiving the IPsec data packet, gateway 202 obtains the VNI information in it, determines from that VNI information that host machine 20 is the receiver of the IPsec data packet, and forwards the IPsec data packet to virtual switch 201 of host machine 20.
Because gateway 202 is connected to more than one host machine, it should obtain the VNI information in the packet to identify the destination host machine. However, if the sender produced the IPsec data packet by ESP encapsulation, the VNI information is encrypted and gateway 202 may be unable to obtain it. In this embodiment of the application, because the sender extends the IPsec encapsulation and the newly added third part carries the VNI unencrypted, the problem of the gateway being unable to route is solved.
Step 205: virtual switch 201 obtains the quadruple index from the VNI and the IPsec header carried in the IPsec data packet, queries the IPsec SA by the quadruple index to obtain the security elements, and decapsulates the IPsec data packet according to the security elements to obtain the VxLAN data packet; virtual switch 201 then decapsulates the VxLAN data packet to obtain the source data packet.
Step 206: virtual switch 201 forwards the source data packet to the second virtual machine according to the VNI information.
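As an added example (not code from the application), the following Python models the extended ESP packet of steps 202 to 205 and FIGs. 4 and 6: the third part (new UDP header with destination port 6001, a 24-bit VNI and an 8-bit reserved field) sits between the outer IP header and the ESP header, a gateway reads the cleartext VNI from it, and the receiver forms the quadruple index to select one SA where the conventional triplet matches two tenants. The addresses, SPI, VNIs, keys and inner frame are constructed sample values; the SHA-256 keystream is a stand-in for the ESP cipher, the outer IP protocol number is assumed to be UDP, and the ESP trailer and ICV are omitted.

```python
import hashlib
import socket
import struct
from typing import Dict, List, Tuple

VXLAN_PORT = 4789    # VxLAN UDP destination port, fixed (from the application)
VNI_PORT = 6001      # UDP destination port marking the third part (from the application)
ESP_PROTO = 50       # IP protocol number of ESP
OUTER_PROTO = 17     # assumed: the outer IP header points at the third part's UDP header

Quad = Tuple[int, int, str, int]   # (security protocol, SPI, destination IP, VNI)


def _keystream(key: bytes, n: int) -> bytes:
    """Constructed stand-in for the ESP cipher: SHA-256 in counter mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_port: int) -> bytes:
    """Step 201: UDP header (dst 4789) + 8-byte VxLAN header, VNI in its upper 24 bits."""
    vxlan_hdr = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_PORT, 16 + len(inner_frame), 0)
    return udp_hdr + vxlan_hdr + inner_frame


def third_part(vni: int) -> bytes:
    """FIG. 6: new UDP header (dst 6001) + VNI (24 bits) + reserved field (8 bits)."""
    udp_hdr = struct.pack("!HHHH", VNI_PORT, VNI_PORT, 12, 0)
    return udp_hdr + struct.pack("!I", vni << 8)


def build_ipsec_packet(src_ip: str, dst_ip: str, vni: int, spi: int, seq: int,
                       key: bytes, inner_frame: bytes) -> bytes:
    """Step 202 / FIG. 4: outer IP | third part (cleartext VNI) | ESP header | encrypted VxLAN."""
    first_part = _xor(vxlan_encapsulate(inner_frame, vni, 0xC000), key)
    second_part = struct.pack("!II", spi, seq)   # SPI and sequence number stay in cleartext
    payload = third_part(vni) + second_part + first_part
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                           OUTER_PROTO, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return outer_ip + payload


def gateway_vni(packet: bytes) -> int:
    """Step 204: the gateway reads the VNI from the third part; no key is needed."""
    _sport, dport, _length, _csum = struct.unpack_from("!HHHH", packet, 20)
    if dport != VNI_PORT:
        raise ValueError("no third part: the VNI inside the ESP payload is encrypted")
    return struct.unpack_from("!I", packet, 28)[0] >> 8


def receiver_index(packet: bytes) -> Quad:
    """Step 205: form the quadruple index from outer IP header, ESP header and third part."""
    dst_ip = socket.inet_ntoa(packet[16:20])
    spi, _seq = struct.unpack_from("!II", packet, 32)
    return (ESP_PROTO, spi, dst_ip, gateway_vni(packet))


def triplet_candidates(sadb: Dict[Quad, bytes], index: Quad) -> List[Quad]:
    """The conventional lookup: every SA that agrees on protocol, SPI and address only."""
    return [q for q in sadb if q[:3] == index[:3]]


def receiver_decapsulate(packet: bytes, sadb: Dict[Quad, bytes]) -> Tuple[int, bytes]:
    """Step 205: select the SA by quadruple, decrypt the first part, cross-check both VNI copies."""
    index = receiver_index(packet)
    if index not in sadb:
        raise KeyError(f"no SA for {index}")
    vxlan_pkt = _xor(packet[40:], sadb[index])
    _sport, dport, _length, _csum = struct.unpack_from("!HHHH", vxlan_pkt, 0)
    inner_vni = struct.unpack_from("!I", vxlan_pkt, 12)[0] >> 8
    if dport != VXLAN_PORT or inner_vni != index[3]:
        raise ValueError("selected SA did not yield a VxLAN packet with the advertised VNI")
    return inner_vni, vxlan_pkt[16:]   # step 206 forwards this frame within the VNI


def demo() -> Tuple[int, int, int, bytes]:
    """Two tenants (VNI 100 and 200) whose VMs reuse the same address and SPI."""
    sadb: Dict[Quad, bytes] = {
        (ESP_PROTO, 0x1000, "192.0.2.20", 100): b"constructed-key-tenant-100",
        (ESP_PROTO, 0x1000, "192.0.2.20", 200): b"constructed-key-tenant-200",
    }
    frame = bytes.fromhex("001122334455") * 2 + b"\x08\x00" + b"constructed inner payload"
    pkt = build_ipsec_packet("192.0.2.10", "192.0.2.20", 200, 0x1000, 1,
                             b"constructed-key-tenant-200", frame)
    candidates = triplet_candidates(sadb, receiver_index(pkt))   # 2: the triplet is ambiguous
    vni, inner = receiver_decapsulate(pkt, sadb)                  # the quadruple selects one SA
    return len(candidates), gateway_vni(pkt), vni, inner


def wrong_sa_rejected() -> bool:
    """Decrypting with the other tenant's key does not yield a VxLAN packet with VNI 200."""
    pkt = build_ipsec_packet("192.0.2.10", "192.0.2.20", 200, 0x1000, 1,
                             b"right-key", b"constructed inner payload")
    try:
        receiver_decapsulate(pkt, {receiver_index(pkt): b"wrong-key"})
    except ValueError:
        return True
    return False
```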
The above embodiment is described for the scenario of FIG. 1B. In actual production the scenario of FIG. 1A also exists; it differs from the flow above only in that data packets need not be forwarded through a gateway.
By extending the message format of the IPsec data packet, the above embodiment adds a third part to the IPsec data packet that carries tenant information, specifically the identifier of the VxLAN network to which both communicating parties belong. This VNI can be used to route the IPsec data packet and also as index information to associate the packet with the SA of the correct communicating parties, so that the IPsec data packet can be decapsulated at the receiver and other security operations such as authentication can be performed. Communication between virtual machines of the same tenant thus becomes more secure, avoiding the possible security risks of theft, tampering and replay.
FIG. 7 shows a communication system embodiment provided by an embodiment of the present invention. The communication system comprises a first communication apparatus 71, a second communication apparatus 72 and a communication gateway 73; for the communication system, the communication gateway 73 is optional. The first communication apparatus in this embodiment may be used to implement the method performed by the first host machine in FIG. 2, specifically the method performed by virtual switch 101; the second communication apparatus may be used to implement the method performed by the second host machine in FIG. 2, specifically the method performed by virtual switch 201; and the communication gateway may be used to implement the method performed by the gateway in FIG. 2.
As shown in FIG. 7, the first communication apparatus 71 comprises a transceiver unit 711 for obtaining the source data packet to be sent by the first virtual machine; a first encapsulation unit 712 for encapsulating the source data packet in VxLAN format to obtain a VxLAN data packet whose VxLAN header contains the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong; and a second encapsulation unit 713 for encapsulating the VxLAN data packet in Internet Protocol Security (IPsec) format to obtain an IPsec data packet comprising a first part, a second part and a third part, where the first part carries the VxLAN data packet, the second part comprises the IPsec header and the third part carries the VNI; the transceiver unit 711 is further used to send the IPsec data packet. Further, the first communication apparatus 71 also comprises a negotiation unit 715 for determining, by Internet Key Exchange (IKE) protocol negotiation, the IPsec security association SA between the first virtual machine and the second virtual machine, where the IPsec SA comprises a quadruple index and security elements, the quadruple index comprises the security protocol type, the security parameter index, the peer IP address and the VNI to which the first virtual machine and the second virtual machine belong, and the IKE data packet sent by the first host machine to the second host machine includes the VNI.
The second communication apparatus 72 comprises a transceiver unit 721 for receiving an IPsec data packet from the first host machine, where the IPsec data packet comprises a first part, a second part and a third part, the first part carries a VxLAN data packet, the second part comprises an IPsec header, the third part carries the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet is obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet contains the VNI; a first decapsulation unit 722 for decapsulating the IPsec data packet according to the VNI and the IPsec header carried in it to obtain the VxLAN data packet; and a second decapsulation unit 723 for decapsulating the VxLAN data packet to obtain the source data packet; the transceiver unit 721 is further used to forward the source data packet to the second virtual machine. Further, the second communication apparatus 72 also comprises a negotiation unit 725 for determining, by IKE protocol negotiation, the IPsec security association SA between the first virtual machine and the second virtual machine, where the IPsec SA comprises a quadruple index and security elements, the quadruple index comprises the security protocol type, the security parameter index, the peer IP address and the VNI to which the first virtual machine and the second virtual machine belong, and the IKE data packet sent by the first host machine to the second host machine includes the VNI.
The communication gateway 73 comprises a receiving unit 731 for receiving an IPsec data packet from the first host machine, where the IPsec data packet comprises a first part, a second part and a third part, the first part carries a VxLAN data packet, the second part comprises an IPsec header, the third part carries the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet is obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet contains the VNI; and a routing unit 732 for obtaining the VNI carried in the IPsec data packet, determining from the VNI that the intended receiver of the IPsec data packet is the second host machine, and sending the IPsec data packet to the second host machine according to the information of the second host machine.
FIG. 8 is a schematic diagram of a device 800 provided by an embodiment of the present invention. As shown, the device 800 comprises a processor 801, a memory 802, a communication interface 803 and a bus 804. The processor 801, memory 802 and communication interface 803 communicate over the bus 804, or may communicate by other means such as wireless transmission. The memory 802 stores program code 8021, and the processor 801 calls the program code 8021 stored in the memory 802 to perform the operations of the methods of this application.
The processor 801 may perform the following operations: obtaining the source data packet to be sent by the first virtual machine; encapsulating the source data packet in VxLAN format to obtain a VxLAN data packet whose VxLAN header contains the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong; encapsulating the VxLAN data packet in Internet Protocol Security (IPsec) format to obtain an IPsec data packet comprising a first part, a second part and a third part, where the first part carries the VxLAN data packet, the second part comprises the IPsec header and the third part carries the VNI; and sending the IPsec data packet.
The processor 801 may also perform the following operations: receiving an IPsec data packet from the first host machine, where the IPsec data packet comprises a first part, a second part and a third part, the first part carries a VxLAN data packet, the second part comprises an IPsec header, the third part carries the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet is obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet contains the VNI; decapsulating the IPsec data packet according to the VNI and the IPsec header carried in it to obtain the VxLAN data packet; and decapsulating the VxLAN data packet to obtain the source data packet and forwarding the source data packet to the second virtual machine.
The processor 801 may further perform the following operations: receiving an IPsec data packet from the first host machine, where the IPsec data packet comprises a first part, a second part and a third part, the first part carries a VxLAN data packet, the second part comprises an IPsec header, the third part carries the identifier VNI of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet is obtained by encapsulating the source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet contains the VNI; obtaining the VNI carried in the IPsec data packet and determining from the VNI that the intended receiver of the IPsec data packet is the second host machine; and sending the IPsec data packet to the second host machine according to the information of the second host machine.
应理解,设备800可以是上述图1A中的宿主机10或者宿主机20或者网关202,也可能是宿主机10或者宿主机20或者网关202中的任意一部分,设备800中的处理器801可以执 行宿主机10或者宿主机20或者网关202所执行的方法。It should be understood that the device 800 may be the host machine 10 or the host machine 20 or the gateway 202 in FIG. 1A described above, or may be any part of the host machine 10 or the host machine 20 or the gateway 202. The processor 801 in the device 800 may execute The method executed by the host machine 10 or the host machine 20 or the gateway 202.
应理解,在本发明实施例中,处理器801可以是CPU,该处理器801还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现场可编程门阵列(FPGA)、GPU或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者是任何常规的处理器等。It should be understood that, in the embodiment of the present invention, the processor 801 may be a CPU, and the processor 801 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array ( FPGA), GPU or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor.
存储器802可以是易失性存储器或非易失性存储器,或可包括易失性和非易失性存储器两者。其中,非易失性存储器可以是只读存储器(read-only memory,ROM)、可编程只读存储器(programmable ROM,PROM)、可擦除可编程只读存储器(erasable PROM,EPROM)、电可擦除可编程只读存储器(electrically EPROM,EEPROM)或闪存。易失性存储器可以是随机存取存储器(random access memory,RAM),其用作外部高速缓存。通过示例性但不是限制性说明,许多形式的RAM可用,例如静态随机存取存储器(static RAM,SRAM)、动态随机存取存储器(DRAM)、同步动态随机存取存储器(synchronous DRAM,SDRAM)、双倍数据速率同步动态随机存取存储器(double data date SDRAM,DDR SDRAM)、增强型同步动态随机存取存储器(enhanced SDRAM,ESDRAM)、同步连接动态随机存取存储器(synchlink DRAM,SLDRAM)和直接内存总线随机存取存储器(direct rambus RAM,DR RAM)。The memory 802 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. Among them, the non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrical memory Erase programmable read-only memory (EPROM, EEPROM) or flash memory. The volatile memory may be a random access memory (RAM), which is used as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), Double data rate synchronous dynamic random access memory (double SDRAM, DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM, ESDRAM), synchronous connection dynamic random access memory (synchlink DRAM, SLDRAM) and direct Memory bus random access memory (direct RAMbus RAM, DR RAM).
In addition to a data bus, the bus 804 may also include a power bus, a control bus, a status signal bus, and the like. For clarity, however, the various buses are all labelled as the bus 804 in the figure.
Finally, it should be understood that the above embodiments are merely illustrative, and the technical solution of the present application is not limited to them. Although the present application has been described in detail with reference to the above preferred embodiments, it should be understood that a person skilled in the art can make various modifications, changes, or substitutions without departing from the scope of the claims appended to this application.
Claims (29)
- A method for communication between virtual machines, wherein a first virtual machine and a second virtual machine run on a first host and a second host respectively, and the first virtual machine and the second virtual machine belong to the same Virtual eXtensible Local Area Network (VxLAN), the method for communication between the first virtual machine and the second virtual machine comprising: obtaining a source data packet to be sent by the first virtual machine; encapsulating the source data packet in VxLAN format to obtain a VxLAN data packet, wherein the VxLAN header of the VxLAN data packet contains the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong; encapsulating the VxLAN data packet in Internet Protocol Security (IPsec) format to obtain an IPsec data packet, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying the VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the VNI; and sending the IPsec data packet.
- The method according to claim 1, wherein the IPsec-format encapsulation uses the Encapsulating Security Payload (ESP) protocol, the VNI carried in the VxLAN data packet in the first part is in an encrypted state, and the VNI carried in the third part is in an unencrypted state.
- The method according to claim 1, wherein the IPsec-format encapsulation uses the Encapsulating Security Payload (ESP) protocol and the Authentication Header (AH) protocol, the VNI carried in the VxLAN data packet in the first part is in an encrypted state, and the VNI carried in the third part is in an unencrypted state.
- The method according to claim 1, wherein the IPsec-format encapsulation uses the Authentication Header (AH) protocol, the VNI carried in the VxLAN data packet in the first part is in an unencrypted state, and the VNI in the third part is in an unencrypted state.
- The method according to any one of claims 1 to 4, wherein the VxLAN data packet contains an outer IP field, and the third part is placed between the outer IP field and the IPsec header and is encapsulated in User Datagram Protocol (UDP) format.
- The method according to claim 2 or 3, wherein the IPsec header comprises an ESP header, and the third part is placed in the ESP header.
- The method according to claim 3 or 4, wherein the IPsec header comprises an AH header, and the third part is placed in the AH header.
- The method according to any one of claims 1 to 7, wherein before the IPsec encapsulation the method further comprises: the first host and the second host negotiating, through the Internet Key Exchange (IKE) protocol, an IPsec security association (SA) between the first virtual machine and the second virtual machine, wherein the IPsec SA comprises a quadruple index and a security element, the quadruple index comprises a security protocol type, a security parameter index, a peer IP address, and the VNI to which the first virtual machine and the second virtual machine belong, and the IKE data packet sent by the first host to the second host includes the VNI.
- The method according to claim 8, wherein performing the IPsec encapsulation comprises: querying the IPsec SA according to the quadruple index to obtain the security element, and performing the IPsec-format encapsulation according to the security element to obtain the IPsec data packet.
- A method for communication between virtual machines, wherein a first virtual machine and a second virtual machine run on a first host and a second host respectively, and the first virtual machine and the second virtual machine belong to the same Virtual eXtensible Local Area Network (VxLAN), the method for communication between the first virtual machine and the second virtual machine comprising: receiving an IPsec data packet from the first host, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying a VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet being obtained by encapsulating a source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet containing the VNI; decapsulating the IPsec data packet according to the VNI and the IPsec header carried in the IPsec data packet to obtain the VxLAN data packet; and decapsulating the VxLAN data packet to obtain the source data packet, and forwarding the source data packet to the second virtual machine.
- The method according to claim 10, wherein the IPsec-format encapsulation uses the Encapsulating Security Payload (ESP) protocol, the VNI carried in the VxLAN data packet in the first part is in an encrypted state, and the VNI carried in the third part is in an unencrypted state.
- The method according to claim 10, wherein the IPsec-format encapsulation uses the Encapsulating Security Payload (ESP) protocol and the Authentication Header (AH) protocol, the VNI carried in the VxLAN data packet in the first part is in an encrypted state, and the VNI in the third part is in an unencrypted state.
- The method according to claim 10, wherein the IPsec-format encapsulation uses the Authentication Header (AH) protocol, the VNI carried in the VxLAN data packet in the first part is in an unencrypted state, and the VNI in the third part is in an unencrypted state.
- The method according to any one of claims 10 to 13, wherein the VxLAN data packet contains an outer IP field, and the third part is placed between the outer IP field and the IPsec header and is encapsulated in User Datagram Protocol (UDP) format.
- The method according to claim 11 or 12, wherein the IPsec header comprises an ESP header, and the third part is placed in the ESP header.
- The method according to claim 12 or 13, wherein the IPsec header comprises an AH header, and the third part is placed in the AH header.
- The method according to any one of claims 10 to 16, further comprising: the second host and the first host negotiating, through the Internet Key Exchange (IKE) protocol, an IPsec security association (SA) between the first virtual machine and the second virtual machine, wherein the IPsec SA comprises a quadruple index and a security element, the quadruple index comprises an encapsulation protocol type, a security parameter index, a peer IP address, and the VNI to which the first virtual machine and the second virtual machine belong, and the IKE data packet sent by the first host to the second host includes the VNI.
- The method according to claim 17, wherein the second host decapsulating the IPsec data packet according to the VNI and the IPsec header carried in the IPsec data packet to obtain the VxLAN data packet comprises: the second host obtaining a quadruple index according to the VNI and the IPsec header carried in the IPsec data packet, querying the IPsec SA according to the quadruple index to obtain the security element, and decapsulating the IPsec data packet according to the security element to obtain the VxLAN data packet.
- A method for forwarding data packets of a virtual machine, wherein a first virtual machine and a second virtual machine run on a first host and a second host respectively, and the first virtual machine and the second virtual machine belong to the same Virtual eXtensible Local Area Network (VxLAN), the method being applied to a gateway between the first host and the second host and comprising: receiving an IPsec data packet from the first host, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying a VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet being obtained by encapsulating a source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet containing the VNI; obtaining the VNI carried in the IPsec data packet, and determining according to the VNI that the intended receiver of the IPsec data packet is the second host; and sending the IPsec data packet to the second host according to the information of the second host.
- A communication apparatus for communication between a first virtual machine and a second virtual machine belonging to the same Virtual eXtensible Local Area Network (VxLAN), the apparatus comprising: a transceiver unit, configured to obtain a source data packet to be sent by the first virtual machine; a first encapsulation unit, configured to encapsulate the source data packet in VxLAN format to obtain a VxLAN data packet, wherein the VxLAN header of the VxLAN data packet contains the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong; and a second encapsulation unit, configured to encapsulate the VxLAN data packet in Internet Protocol Security (IPsec) format to obtain an IPsec data packet, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying the VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the VNI; wherein the transceiver unit is further configured to send the IPsec data packet.
- The apparatus according to claim 20, wherein the VNI carried in the VxLAN data packet in the first part is in an encrypted state and the VNI carried in the third part is in an unencrypted state; or the VNI carried in the VxLAN data packet in the first part is in an unencrypted state and the VNI carried in the third part is in an unencrypted state.
- The apparatus according to claim 20 or 21, further comprising: a negotiation unit, configured to determine, through Internet Key Exchange (IKE) protocol negotiation, an IPsec security association (SA) between the first virtual machine and the second virtual machine, wherein the IPsec SA comprises a quadruple index and a security element, the quadruple index comprises a security protocol type, a security parameter index, a peer IP address, and the VNI to which the first virtual machine and the second virtual machine belong, and the IKE data packet sent by the first host to the second host includes the VNI.
- A communication apparatus for communication between a first virtual machine and a second virtual machine belonging to the same Virtual eXtensible Local Area Network (VxLAN), the apparatus comprising: a transceiver unit, configured to receive an IPsec data packet from the first host, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying a VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet being obtained by encapsulating a source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet containing the VNI; a first decapsulation unit, configured to decapsulate the IPsec data packet according to the VNI and the IPsec header carried in the IPsec data packet to obtain the VxLAN data packet; and a second decapsulation unit, configured to decapsulate the VxLAN data packet to obtain the source data packet; wherein the transceiver unit is further configured to forward the source data packet to the second virtual machine.
- The apparatus according to claim 23, wherein the VNI carried in the VxLAN data packet in the first part is in an encrypted state and the VNI carried in the third part is in an unencrypted state; or the VNI carried in the VxLAN data packet in the first part is in an unencrypted state and the VNI carried in the third part is in an unencrypted state.
- The apparatus according to claim 23 or 24, further comprising: a negotiation unit, configured to determine, through Internet Key Exchange (IKE) protocol negotiation, an IPsec security association (SA) between the first virtual machine and the second virtual machine, wherein the IPsec SA comprises a quadruple index and a security element, the quadruple index comprises a security protocol type, a security parameter index, a peer IP address, and the VNI to which the first virtual machine and the second virtual machine belong, and the IKE data packet sent by the first host to the second host includes the VNI.
- A communication gateway for communication between a first virtual machine and a second virtual machine belonging to the same Virtual eXtensible Local Area Network (VxLAN), comprising: a receiving unit, configured to receive an IPsec data packet from the first host, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying a VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong, the VxLAN data packet being obtained by encapsulating a source data packet of the first virtual machine, and the VxLAN header of the VxLAN data packet containing the VNI; and a routing unit, configured to obtain the VNI carried in the IPsec data packet, determine according to the VNI that the intended receiver of the IPsec data packet is the second host, and send the IPsec data packet to the second host according to the information of the second host.
- A communication apparatus, comprising a processor, a memory, and a bus, wherein the memory is configured to store execution instructions, the processor is connected to the memory through the bus, and when the communication apparatus runs, the processor executes the execution instructions stored in the memory so that the computing device performs the method according to any one of claims 1 to 19.
- A communication system, comprising a first host and a second host, wherein a first virtual machine runs on the first host, a second virtual machine runs on the second host, and the first virtual machine and the second virtual machine belong to the same Virtual eXtensible Local Area Network (VxLAN); the first host is configured to obtain a source data packet to be sent by the first virtual machine, encapsulate the source data packet in VxLAN format to obtain a VxLAN data packet whose VxLAN header contains the identifier (VNI) of the VxLAN to which the first virtual machine and the second virtual machine belong, encapsulate the VxLAN data packet in Internet Protocol Security (IPsec) format to obtain an IPsec data packet, wherein the IPsec data packet comprises a first part, a second part, and a third part, the first part carrying the VxLAN data packet, the second part comprising an IPsec header, and the third part carrying the VNI, and send the IPsec data packet; and the second host is configured to receive the IPsec data packet from the first host, decapsulate the IPsec data packet according to the VNI and the IPsec header carried in the IPsec data packet to obtain the VxLAN data packet, decapsulate the VxLAN data packet to obtain the source data packet, and forward the source data packet to the second virtual machine.
- The communication system according to claim 28, further comprising: a communication gateway, configured to receive the IPsec data packet from the first host, obtain the VNI carried in the IPsec data packet, determine according to the VNI that the intended receiver of the IPsec data packet is the second host, and send the IPsec data packet to the second host according to the information of the second host.
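The following Python model is an added worked example and is not code from the patent or its applicant. It exercises the framing that claims 1, 5, 10, 18 and 19 describe: the VxLAN packet is encrypted as the ESP payload, the VNI is also carried in clear in a UDP-encapsulated "third part" between the outer IP field and the ESP header, the receiving host keys its SA table by the claim-8 quadruple (protocol type, SPI, peer IP, VNI), and a gateway picks the next hop from the cleartext VNI without holding any keys. Assumptions that are mine rather than the page's: the outer IP and UDP fields are minimal stubs, port 4500 is a constructed choice, keys and the inner frame are constructed, and the cipher and ICV are a toy HMAC-SHA256 construction standing in for the real ESP cipher suites so that the block runs on the standard library alone. Because a VNI placed before the ESP header lies outside the ESP ICV, the receiver cross-checks it against the VNI inside the authenticated VxLAN header and drops the packet on mismatch; that check is an added defensive step, not a claim of the patent.

```python
"""Model of VxLAN-in-IPsec framing with a cleartext VNI (added example)."""
import hashlib
import hmac
import struct

ICV_LEN = 16          # truncated HMAC-SHA256 tag, playing the role of an ESP ICV
UDP_PORT_VNI = 4500   # constructed: UDP port of the cleartext-VNI "third part"


def _keystream(key, nonce, n):
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES, not for real use)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data, key_stream):
    return bytes(a ^ b for a, b in zip(data, key_stream))


# VxLAN header per RFC 7348: flags(1) reserved(3) VNI(3) reserved(1)
def vxlan_encap(source_packet, vni):
    return struct.pack("!B3sI", 0x08, b"\0\0\0", vni << 8) + source_packet


def vxlan_decap(pkt):
    flags, _, vni_field = struct.unpack("!B3sI", pkt[:8])
    if flags != 0x08:
        raise ValueError("not a VxLAN packet")
    return vni_field >> 8, pkt[8:]


class Host:
    """A VxLAN/IPsec endpoint whose SA table is keyed by the claim-8 quadruple."""

    def __init__(self, ip):
        self.ip = ip          # 4-byte packed IPv4 address (constructed)
        self.sa_table = {}    # (proto, spi, peer_ip, vni) -> security element

    def install_sa(self, proto, spi, peer_ip, vni, enc_key, auth_key):
        self.sa_table[(proto, spi, peer_ip, vni)] = {"enc": enc_key, "auth": auth_key}

    def send(self, source_packet, vni, spi, seq, dst_ip):
        """Claim 1: source -> VxLAN -> ESP, with the VNI also placed in clear before ESP."""
        sa = self.sa_table[("ESP", spi, dst_ip, vni)]
        vxlan_pkt = vxlan_encap(source_packet, vni)
        outer_ip = struct.pack("!4s4s", self.ip, dst_ip)                  # outer IP (stub)
        third = struct.pack("!HHI", UDP_PORT_VNI, UDP_PORT_VNI, vni << 8)  # third part: UDP + VNI
        esp_hdr = struct.pack("!II", spi, seq)                            # second part: ESP header
        nonce = struct.pack("!I", seq)   # seq doubles as IV: never reuse a seq under one SA
        body = _xor(vxlan_pkt, _keystream(sa["enc"], nonce, len(vxlan_pkt)))  # first part
        icv = hmac.new(sa["auth"], esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
        return outer_ip + third + esp_hdr + body + icv

    def receive(self, pkt):
        """Claims 10/18: cleartext VNI + ESP header -> quadruple -> SA -> verify, decrypt, decap."""
        peer_ip, _ = struct.unpack("!4s4s", pkt[:8])
        _, _, vni_field = struct.unpack("!HHI", pkt[8:16])
        outer_vni = vni_field >> 8
        spi, seq = struct.unpack("!II", pkt[16:24])
        sa = self.sa_table.get(("ESP", spi, peer_ip, outer_vni))
        if sa is None:
            raise ValueError("no SA for quadruple")
        esp_hdr, body, icv = pkt[16:24], pkt[24:-ICV_LEN], pkt[-ICV_LEN:]
        expect = hmac.new(sa["auth"], esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):
            raise ValueError("ICV mismatch")
        vxlan_pkt = _xor(body, _keystream(sa["enc"], struct.pack("!I", seq), len(body)))
        inner_vni, source_packet = vxlan_decap(vxlan_pkt)
        # The cleartext VNI is outside the ICV; bind it to the authenticated inner VNI.
        if inner_vni != outer_vni:
            raise ValueError("cleartext VNI does not match authenticated VNI")
        return inner_vni, source_packet


def gateway_next_hop(pkt, vni_to_host):
    """Claim 19: a gateway reads only the cleartext VNI to choose the destination host."""
    _, _, vni_field = struct.unpack("!HHI", pkt[8:16])
    return vni_to_host[vni_field >> 8]


def demo():
    """End-to-end run on constructed addresses, keys and frame; returns (received, hidden)."""
    host_a, host_b = Host(b"\x0a\x00\x00\x01"), Host(b"\x0a\x00\x00\x02")
    enc_key, auth_key = b"k" * 32, b"a" * 32
    vni, spi = 0x1234, 0x100
    host_a.install_sa("ESP", spi, host_b.ip, vni, enc_key, auth_key)
    host_b.install_sa("ESP", spi, host_a.ip, vni, enc_key, auth_key)
    frame = b"inner ethernet frame from VM1 to VM2"
    pkt = host_a.send(frame, vni, spi, seq=1, dst_ip=host_b.ip)
    next_hop = gateway_next_hop(pkt, {vni: host_b})   # gateway routes on the VNI alone
    return next_hop.receive(pkt), frame not in pkt    # inner frame is not visible on the wire


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields the VNI and the original frame at the second host, and confirms the frame never appears in clear in the wire packet. The gateway function is the point of the design: it resolves the destination from eight bytes of cleartext without an SA, which is exactly why the receiver must not trust that cleartext for anything beyond SA selection and must reconcile it with the VNI recovered from the authenticated payload.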
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811161473.4 | 2018-09-30 | ||
CN201811161473.4A CN109525477A (en) | 2018-09-30 | 2018-09-30 | Communication means, device and system in data center between virtual machine |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020063528A1 true WO2020063528A1 (en) | 2020-04-02 |
Family
ID=65771626
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/107266 WO2020063528A1 (en) | 2018-09-30 | 2019-09-23 | Method, apparatus and system for communication between virtual machines in data center |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109525477A (en) |
WO (1) | WO2020063528A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220360566A1 (en) * | 2015-07-31 | 2022-11-10 | Nicira, Inc. | Distributed tunneling for vpn |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109525477A (en) * | 2018-09-30 | 2019-03-26 | 华为技术有限公司 | Communication means, device and system in data center between virtual machine |
CN111431789A (en) * | 2020-04-13 | 2020-07-17 | 北京星网锐捷网络技术有限公司 | Multi-data center interconnection communication method and DCI equipment |
CN111698245A (en) * | 2020-06-10 | 2020-09-22 | 成都国泰网信科技有限公司 | VxLAN security gateway and two-layer security network construction method based on state cryptographic algorithm |
CN116418537A (en) * | 2021-12-31 | 2023-07-11 | 苏州盛科通信股份有限公司 | Tunnel encryption, forwarding and decryption method and device |
CN114826672A (en) * | 2022-03-25 | 2022-07-29 | 阿里云计算有限公司 | Encryption and decryption methods and devices of cloud network, computing node and system |
CN115766063B (en) * | 2022-09-26 | 2024-09-27 | 中国电子科技集团公司第三十研究所 | Data transmission method, device, equipment and medium |
CN116800486B (en) * | 2023-06-13 | 2024-06-07 | 中科驭数(北京)科技有限公司 | Cloud network communication method and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103560948A (en) * | 2013-11-01 | 2014-02-05 | 中国联合网络通信集团有限公司 | Communication method, device and system between virtual machines |
CN103618596A (en) * | 2013-05-15 | 2014-03-05 | 盛科网络(苏州)有限公司 | Encryption method for inner layer information in VXLAN (Virtual Extensible Local Area Net) tunnel |
CN106161225A (en) * | 2015-03-23 | 2016-11-23 | 华为技术有限公司 | For processing method, the Apparatus and system of VXLAN message |
CN107770064A (en) * | 2016-08-19 | 2018-03-06 | 华为技术有限公司 | A kind of method of internetwork communication, equipment |
WO2018109536A1 (en) * | 2016-12-17 | 2018-06-21 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for monitoring virtual extensible local area network (vxlan) tunnel with border gateway protocol (bgp)-ethernet virtual private network (evpn) infrastructure |
CN109525477A (en) * | 2018-09-30 | 2019-03-26 | 华为技术有限公司 | Communication means, device and system in data center between virtual machine |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10747888B2 (en) * | 2014-06-30 | 2020-08-18 | Nicira, Inc. | Method and apparatus for differently encrypting data messages for different logical networks |
CN106209401B (en) * | 2015-04-30 | 2019-08-06 | 新华三技术有限公司 | A kind of transmission method and device |
WO2017143611A1 (en) * | 2016-02-27 | 2017-08-31 | 华为技术有限公司 | Method, device and system for processing vxlan packet |
- 2018-09-30: CN CN201811161473.4A patent/CN109525477A/en, active, Pending
- 2019-09-23: WO PCT/CN2019/107266 patent/WO2020063528A1/en, active, Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN109525477A (en) | 2019-03-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2020063528A1 (en) | Method, apparatus and system for communication between virtual machines in data center | |
US10708245B2 (en) | MACsec for encrypting tunnel data packets | |
US10958627B2 (en) | Offloading communication security operations to a network interface controller | |
US10757138B2 (en) | Systems and methods for storing a security parameter index in an options field of an encapsulation header | |
CN109150688B (en) | IPSec VPN data transmission method and device | |
US20170099266A1 (en) | Method and system for sending a message through a secure connection | |
US20110113236A1 (en) | Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism | |
US8918634B2 (en) | Network node with network-attached stateless security offload device employing out-of-band processing | |
US9369550B2 (en) | Protocol for layer two multiple network links tunnelling | |
US11316837B2 (en) | Supporting unknown unicast traffic using policy-based encryption virtualized networks | |
CN108769292B (en) | Message data processing method and device | |
US10044841B2 (en) | Methods and systems for creating protocol header for embedded layer two packets | |
US9473466B2 (en) | System and method for internet protocol security processing | |
WO2020134413A1 (en) | Data transmission method and apparatus, related device, and storage medium | |
WO2013124758A1 (en) | Network node with network-attached stateless security offload device | |
WO2022166979A1 (en) | Packet processing method, client end device, server end device, and computer-readable medium | |
US20240205205A1 (en) | Packet sending method, network device, storage medium, and program product | |
US20130219167A1 (en) | Network node with network-attached stateless security offload device employing in-band processing | |
US20180176230A1 (en) | Data packet transmission method, apparatus, and system, and node device | |
CN117254976B (en) | National standard IPsec VPN realization method, device and system based on VPP and electronic equipment | |
US11095619B2 (en) | Information exchange for secure communication | |
CN114039812B (en) | Data transmission channel establishment method, device, computer equipment and storage medium | |
CN114338116A (en) | Encryption transmission method and device and SD-WAN (secure digital-Wide area network) network system | |
US11610011B2 (en) | Secure transfer of data between programs executing on the same end-user device | |
WO2023272498A1 (en) | Packet forwarding method and apparatus, network node and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19866575 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase |
Ref country code: DE |
122 | Ep: pct application non-entry in european phase |
Ref document number: 19866575 Country of ref document: EP Kind code of ref document: A1 |