WO2020078164A1 - Method and device for creating tunnel, and storage medium - Google Patents


Info

Publication number
WO2020078164A1
Authority
WO
WIPO (PCT)
Prior art keywords
extended
vpn tunnel
information
message
tunnel
Prior art date
Application number
PCT/CN2019/107043
Other languages
French (fr)
Chinese (zh)
Inventor
吴水华
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2020078164A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 76/00 Connection management
    • H04W 76/10 Connection setup
    • H04W 76/12 Setup of transport tunnels

Definitions

  • This application relates to network communication technology, and in particular to a method, device and storage medium for creating an Internet Protocol Security (IPSec) tunnel.
  • IPSec Internet Protocol Security
  • VPN refers to the technology of establishing a private network on a public network.
  • VPN supports the establishment of a VPN tunnel between the two parties in order to encrypt the transmission process and improve transmission security.
  • In IPSec, the VMs on both sides of the communication determine the common VPN tunnel parameters of the two parties through multiple rounds of negotiation based on their respective configured parameters, keys, and certificates.
  • The VPN tunnel common parameters include encryption and decryption algorithms, authentication algorithms, keys, certificates, and so on.
  • After determining the common parameters of the VPN tunnel, both parties generate a tunnel descriptor (Security Association, SA) containing those common parameters, completing the establishment of the tunnel between them.
  • SA Security Association
  • TS Traffic Selector, traffic filter
  • the embodiments of the present application are expected to provide a tunnel creation method, device, and storage medium, which can dynamically create multiple extended VPN tunnels to offload data service flows when the amount of data is large.
  • A method for creating a tunnel includes: in an initial negotiation phase for a key, determining, according to the interaction information of the initial negotiation phase, that the message receiver has the ability to create an extended virtual private network (VPN) tunnel; when the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel, extracting from the current user packet the characteristic information used to create the extended VPN tunnel; generating an extension code for creating the extended VPN tunnel according to the characteristic information; and creating the extended VPN tunnel according to the extension code.
  • The method further includes: detecting the data traffic carried in the extended VPN tunnel to obtain a detection result; when the detection result indicates that the data traffic reaches the first preset traffic threshold, determining that the data carried in the extended VPN tunnel satisfies the conditions of the extended VPN tunnel.
  • Determining that the message receiver has the ability to create an extended VPN tunnel includes: extracting the capability negotiation information from the interaction information of the initial negotiation stage to obtain an extraction result; when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage, determining that the message receiver has the capability to create the extended VPN tunnel.
  • The feature information includes information for creating the extended VPN tunnel other than the quintuple (5-tuple) information, where the quintuple information includes: source IP address, source port, destination IP address, destination port, and transport layer protocol number.
  • Creating the extended VPN tunnel according to the extension code includes: in the second negotiation phase for the key, loading the extension code in the extension field of the traffic selector (TS) payload; sending second interaction information carrying the extension code to the message receiver; receiving the first response information of the message receiver for the second interaction information; and, when it is determined that the extension code is included in the first response information, determining that the extended VPN tunnel has been created.
  • In another embodiment, creating the extended VPN tunnel according to the extension code includes: during the second negotiation phase for the key, sending second interaction information carrying notification payload information to the message receiver; receiving a second response message sent by the message receiver for the second interaction information; and, when it is determined that the second response message carries the notification payload information, creating the extended VPN tunnel according to the notification payload information.
  • The method further includes: detecting the traffic data of the extended VPN tunnel to obtain a detection result; when the detection result indicates that the traffic data of the extended VPN tunnel is less than the second preset traffic threshold, recovering the extended VPN tunnel.
  • The second preset threshold may be the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel.
  • An apparatus for creating a tunnel includes: a determining unit configured to determine, in an initial negotiation stage for a key and according to the interaction information of that stage, that the message receiver has the ability to create an extended VPN tunnel; an extraction unit configured to extract, from the current user packet, the characteristic information of the extended VPN tunnel when the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel; a generating unit configured to generate an extension code for creating the extended VPN tunnel according to the characteristic information; and a creating unit configured to create the extended VPN tunnel based on the extension code.
  • An apparatus for creating a tunnel includes a memory and a processor, where the memory is used to store a computer program that can run on the processor, and the processor is configured to execute the steps of any one of the above tunnel creation methods when running the computer program.
  • A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of any one of the above tunnel creation methods.
  • Embodiments of the present application provide a tunnel creation method, device, and storage medium.
  • In an initial negotiation phase for a key, it is determined according to the interaction information of the initial negotiation phase that the message receiver is capable of creating an extended virtual private network (VPN, Virtual Private Network) tunnel; when the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel, the feature information used to create the extended VPN tunnel is extracted from the current user packet; an extension code for creating the extended VPN tunnel is generated according to the feature information; and the extended VPN tunnel is created according to the extension code.
  • VPN Virtual Private Network
  • Dynamically creating an extended VPN tunnel based on the amount of data traffic breaks through the limitation of the existing technology that only a single IPSec tunnel can be created from the 5-tuple information, and also solves the IPSec encrypted channel problem for high-traffic services in fifth generation mobile communication technology (5G, 5th Generation).
  • 5G, 5th Generation fifth generation mobile communication technology
  • FIG. 1 is a schematic flowchart of a tunnel creation method according to an embodiment of this application
  • FIG. 2 is a schematic diagram of message interaction between two communication parties during the initial negotiation stage in the IKEv2 protocol process in the prior art
  • FIG. 3 is a schematic diagram of the message interaction between the two parties in the initial negotiation phase of the IKEv2 protocol process of this application;
  • FIG. 5 is a schematic diagram of the TS payload structure in this application;
  • FIG. 6 is a schematic diagram of message interaction using the TS payload structure shown in FIG. 5 to establish a sub-security connection;
  • FIG. 7 is a schematic diagram of message interaction for establishing a sub-security connection in this application;
  • FIG. 8 is a first schematic diagram of the structural composition of the tunnel creation device in the present application;
  • FIG. 9 is a second schematic diagram of the structural composition of the tunnel creation device in the embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a tunnel creation method according to an embodiment of the present application.
  • Step 101: In the initial negotiation phase for the key, according to the interaction information of the initial negotiation phase, it is determined that the message receiver has the ability to create an extended virtual private network (VPN) tunnel.
  • The method is mainly applied to a device that can support protocol programming processing; for example, the device may be a base station.
  • The device can use Internet Key Exchange (IKE, Internet Key Exchange) during the IPSec process between the two parties to authenticate the identities of the two parties, negotiate security policies, and handle session key exchange.
  • IKE Internet Key Exchange
  • the communication parties may be a base station and a base station, or a base station and a virtual private network gateway (VPN, Virtual Private Network Gateway), or a VPN and a VPN.
  • VPN Virtual Private Network Gateway
  • the second version of IKE is used as an example to describe in detail how the application determines whether the receiver has the ability to create an extended VPN tunnel based on the interactive information at the initial negotiation stage.
  • The IKEv2 process between the two communicating parties is usually divided into two negotiation stages: the first negotiation stage and the second negotiation stage.
  • The first negotiation stage is also called the initial negotiation stage, and is mainly used to negotiate the IKE_SA.
  • The second negotiation stage is also called the sub-SA negotiation exchange stage, and is mainly used to negotiate the CHILD_SA.
  • FIG. 2 is a schematic diagram of message interaction between two communication parties during the initial negotiation stage in the IKEv2 protocol process in the prior art, as shown in FIG. 2.
  • In the initial negotiation stage, the two parties mainly perform two message exchanges, each consisting of two messages.
  • The first message 201 of the first exchange is sent by the message sender 20 to the message receiver 30; the second message 301 of the first exchange is the response sent by the message receiver 30 to the message sender 20 after receiving the first message 201.
  • In the response message, after the message receiver 30 receives the first message 201 sent by the message sender 20, it selects one proposal from SAi1 to form SAr1, and sends KEr and Nr to the message sender 20 as the Diffie-Hellman public value and the Nonce value of the message receiver 30, respectively.
  • The message receiver 30 may also include an optional certificate in the response message 301 sent to the message sender 20.
  • After the first exchange, the two parties can compute the seed key SKEYSEED and derive seven further secrets from it: SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, SK_pr.
  • In the second exchange, the two parties use the encryption and authentication algorithms and the keys contained in the IKE_SA obtained in the first exchange for security protection, use the authentication payload to authenticate the exchange that ended in the initial negotiation phase (IKE_SA_INIT), and finally negotiate the first CHILD_SA, which is the IPSec SA.
  • The first message 202 and the second message 302 each consist of the IKEv2 header HDR and an encrypted payload.
  • The encrypted payload includes an identity payload (ID), an optional certificate payload (CERT) and certificate request payload (CERTREQ), an authentication payload (AUTH), a security association payload (SA), a traffic selector payload (TS), and so on.
  • ID identity payload
  • CERT certificate payload (optional)
  • CERTREQ certificate request payload
  • AUTH authentication payload
  • SA security association payload
  • TS traffic selector payload
  • SK{...} means that the enclosed payload is encrypted and authenticated with SK_e and SK_a of the corresponding direction.
  • Figure 3 is a schematic diagram of the message interaction between the two parties in the initial negotiation phase of the IKEv2 protocol process of this application.
  • the negotiation process of Figure 3 is basically similar to that of Figure 2, and the similarities are not repeated here.
  • The difference is that the message sender 20 and the message receiver 30 in FIG. 3 add a capability negotiation field for the dynamic creation of a VPN tunnel to the interaction information of the initial negotiation stage; for example, the capability negotiation field is the notification payload [Nx].
  • The capability negotiation field may be carried in the first interaction message of the initial negotiation stage, or in the second interaction message.
  • When the message sender 20 sends a message carrying the capability negotiation field to the message receiver 30 in the initial negotiation phase for the key, the message receiver 30, after receiving the message, sends a response message for it to the message sender 20.
  • After receiving the response message sent by the message receiver 30, the message sender 20 extracts the information of the capability negotiation field from the response message and obtains an extraction result.
  • When the extraction result indicates that the information of the capability negotiation field was successfully extracted from the response message, it is determined that the message receiver 30 has the capability to create the extended VPN tunnel. Conversely, if the extraction result indicates that extraction of the capability negotiation information from the response message failed, it is determined that the message receiver 30 does not have the ability to create an extended VPN tunnel.
  • Step 102 When the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel, extract the feature information used to create the extended VPN tunnel in the current user packet.
  • After the message sender determines that the message receiver has the ability to dynamically create an extended VPN tunnel, it detects the data traffic carried in the extended VPN tunnel to obtain a detection result, and compares the data traffic in the detection result with a first preset traffic threshold characterizing the creation of an extended VPN tunnel to obtain a comparison result.
  • When the comparison result indicates that the detected data traffic is greater than or equal to the first preset traffic threshold, it is determined that the data carried in the extended VPN tunnel meets the conditions for creating an extended VPN tunnel, and the characteristic information used to create the extended VPN tunnel is then extracted from the current user packet.
  • The user packet refers to the packet generated by the message sender and the user during the negotiation process.
  • The packet includes a Tunnel Endpoint Identifier (TEID), a Differentiated Services Code Point (DSCP), and so on.
  • TEID Tunnel Endpoint Identifier
  • DSCP Differentiated Services Code Point
  • The characteristic information includes information for creating the extended VPN tunnel other than the quintuple information, for example TEID, DSCP and other information.
  • The quintuple information includes: source IP address, source port, destination IP address, destination port and transport layer protocol number.
  • Step 103 Generate an extension code for creating the extended VPN tunnel according to the feature information.
  • The characteristic parameters in the characteristic information may be processed by a HASH algorithm to obtain a calculation result, and the extension code is then generated from the calculation result.
  • The HASH algorithm is a set of algorithms.
  • Alternatively, the extension code may be generated directly by combining the sub-feature information in the feature information.
  • Step 104 Create the extended VPN tunnel according to the extended code.
  • The message sender may load the extension code in the extension field of the traffic selector (TS) payload during the second negotiation phase for the key (see FIG. 5).
  • The TS payload includes the TS type, IP protocol ID, selector length, start port, end port, start address and end address.
  • FIG. 5 is a schematic diagram of the TS payload structure in this application.
  • FIG. 5 is substantially the same as FIG. 4, and the similarities are not repeated here. The difference is that in FIG. 5 an extension code (Extended) is loaded in the extension field after the end address of the TS payload.
  • After the message sender loads the extension code in the extension field of the TS payload in the second negotiation stage, the interaction information carrying the extension code is also sent to the message receiver in the second negotiation stage; when the message receiver receives the interaction message sent by the message sender in the second negotiation phase, it sends a response message for that interaction message to the message sender (see FIG. 6).
  • FIG. 6 is a schematic diagram of message interaction using the TS payload structure shown in FIG. 5 to establish a sub-security connection.
  • the packets in the interactive message between the message sender 20 and the message receiver 30 carry TSi and TSr; among them, TSi and TSr represent the extension codes.
  • After receiving the response information sent by the message receiver for the interaction information of the second negotiation stage, the message sender extracts the extension code from the response message. When the message sender successfully extracts the extension code from the response message, it indicates that the extended VPN tunnel has been created.
  • The message sender can also send interaction information carrying notification payload information to the message receiver in the second negotiation phase for the key; upon receiving the interaction message carrying the notification payload information, the message receiver sends a response message for it to the message sender (see FIG. 7).
  • FIG. 7 is a schematic diagram of message interaction for establishing a sub-security link in this application.
  • The interaction message between the message sender 20 and the message receiver 30 carries notification payload information (N-EXC).
  • N-EXC means a Notify payload carrying an Extended Code (Extended).
  • the message sender sends a message carrying notification load information to the message receiver.
  • the message receiver receives the message carrying the notification load information sent by the message sender, it sends a response message to the message sender for the message.
  • the notification payload information is extracted from the response message.
  • the extended VPN tunnel is created according to the extension code carried in the notification payload information.
  • a new extension code is generated according to the characteristic information of the current service flow, and the new extension code is used to negotiate a new extension VPN tunnel.
  • The first preset traffic threshold is 60% of the data traffic handled by a single VPN tunnel.
  • This application can also repeatedly generate new extension codes and create new extension VPN tunnels according to business needs.
  • the message sender can also recover the created extended VPN tunnel according to the current service traffic.
  • The message sender may also detect the traffic data of the extended VPN tunnel to obtain a detection result, and compare the traffic data in the detection result with a second preset traffic threshold characterizing the recovery of the created extended VPN tunnel to obtain a comparison result.
  • When the comparison result indicates that the traffic data of the extended VPN tunnel is less than the second preset traffic threshold, the extended VPN tunnel is recovered in order to release more service resources.
  • The second preset traffic threshold characterizing the recovery of the created extended VPN tunnel and the first preset traffic threshold characterizing the creation of the extended VPN tunnel may be the same or different; specifically, they can be set or adjusted according to current service resources.
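The creation and recovery procedure of Steps 101 to 104, modelled as an added example that is not the patent's own code or any IKE implementation. It assumes SHA-256 over TEID and DSCP as the hash that yields the extension code, an IPv4 traffic selector laid out as in RFC 7296 with the extension field appended after the end address, a placeholder name for the capability notify, and a constructed responder that echoes the selector.

```python
"""Model of the extended-tunnel negotiation described above (added example,
not the patent's code). Assumptions not taken from the page: the extension
code is the first 8 bytes of SHA-256 over TEID||DSCP, the traffic selector
uses the IPv4 address-range layout of RFC 7296 with the extension field
appended after the end address, and the responder below is constructed."""
import hashlib
import ipaddress
import struct

CAPABILITY_NOTIFY = "N_EXT_VPN_CAPABLE"  # placeholder name for the [Nx] notify
TS_IPV4_ADDR_RANGE = 7                    # TS Type value for IPv4 ranges (RFC 7296)
EXT_CODE_LEN = 8                          # assumed size of the extension field


def peer_supports_extended_tunnel(response_notifies):
    """Step 101: the responder is capable only if the capability notify can be
    extracted from its IKE_SA_INIT response; absence means 'not capable'."""
    return CAPABILITY_NOTIFY in response_notifies


def needs_extended_tunnel(traffic, capacity, first_threshold=0.60):
    """Step 102 trigger: traffic reached the first preset threshold
    (the page gives 60% of what a single tunnel handles)."""
    return traffic >= first_threshold * capacity


def should_recover_tunnel(traffic, capacity, second_threshold=0.60):
    """Recovery trigger: traffic fell below the second preset threshold,
    which may equal or differ from the first."""
    return traffic < second_threshold * capacity


def extension_code(teid, dscp):
    """Step 103: hash the non-5-tuple feature info (TEID, DSCP) into a code.
    Two flows sharing a 5-tuple but differing in TEID or DSCP get distinct codes."""
    feature = struct.pack("!IB", teid, dscp)  # 32-bit TEID, 6-bit DSCP in one byte
    return hashlib.sha256(feature).digest()[:EXT_CODE_LEN]


def build_ts(proto, start_port, end_port, start_addr, end_addr, ext_code=b""):
    """Encode one IPv4 traffic selector: TS Type, IP Protocol ID, Selector
    Length, Start Port, End Port, Start Address, End Address, then the
    extension field (empty for a legacy selector)."""
    tail = (struct.pack("!HH", start_port, end_port)
            + ipaddress.IPv4Address(start_addr).packed
            + ipaddress.IPv4Address(end_addr).packed
            + ext_code)
    return struct.pack("!BBH", TS_IPV4_ADDR_RANGE, proto, 4 + len(tail)) + tail


def parse_ts(data):
    """Decode a selector, rejecting length mismatches so a truncated or padded
    extension field cannot be mistaken for a valid code."""
    if len(data) < 16:
        raise ValueError("traffic selector too short")
    ts_type, proto, length = struct.unpack("!BBH", data[:4])
    if ts_type != TS_IPV4_ADDR_RANGE or length != len(data):
        raise ValueError("malformed traffic selector")
    start_port, end_port = struct.unpack("!HH", data[4:8])
    ext = data[16:]
    if ext and len(ext) != EXT_CODE_LEN:
        raise ValueError("bad extension field length")
    return {"proto": proto, "start_port": start_port, "end_port": end_port,
            "start_addr": str(ipaddress.IPv4Address(data[8:12])),
            "end_addr": str(ipaddress.IPv4Address(data[12:16])),
            "ext_code": ext}


def responder_reply(request_ts, supports_extended):
    """Constructed responder for the CHILD_SA exchange: it echoes the selector
    and keeps the extension field only when it supports extended tunnels."""
    ts = parse_ts(request_ts)
    code = ts["ext_code"] if supports_extended else b""
    return build_ts(ts["proto"], ts["start_port"], ts["end_port"],
                    ts["start_addr"], ts["end_addr"], code)


def extended_tunnel_created(reply_ts, expected_code):
    """Step 104 check: the page treats successful extraction of the code from
    the reply as 'created'; comparing it with the code that was sent also
    catches a reply that refers to a different flow."""
    return parse_ts(reply_ts)["ext_code"] == expected_code


def negotiate(teid, dscp, traffic, capacity, init_response_notifies):
    """Run Steps 101-104 for one user flow; returns the created code or None."""
    capable = peer_supports_extended_tunnel(init_response_notifies)   # Step 101
    if not capable or not needs_extended_tunnel(traffic, capacity):   # Step 102
        return None
    code = extension_code(teid, dscp)                                 # Step 103
    request = build_ts(17, 5000, 5000, "10.0.0.1", "10.0.0.2", code)  # constructed 5-tuple
    reply = responder_reply(request, capable)                          # Step 104
    return code if extended_tunnel_created(reply, code) else None
```

A responder without the capability echoes a plain selector, so the initiator falls back to the single 5-tuple tunnel instead of assuming the extended one exists.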
  • FIG. 8 is a schematic structural composition diagram of a tunnel creation device in the present application.
  • The device includes a determination unit 801, an extraction unit 802, a generation unit 803, and a creation unit 804. The determination unit 801 is used, in the initial negotiation phase for the key, to determine according to the interaction information of the initial negotiation phase that the message receiver has the ability to create an extended VPN tunnel; the extraction unit 802 is used to extract from the current user packet the feature information used to create the extended VPN tunnel when the data carried in the extended VPN tunnel satisfies the conditions of the extended VPN tunnel; the generation unit 803 is used to generate the extension code for creating the extended VPN tunnel according to the feature information; and the creation unit 804 is used to create the extended VPN tunnel according to the extension code.
  • The device further includes a detection unit 805, which is used to detect the data traffic carried in the extended VPN tunnel to obtain a detection result; the determination unit 801 is further used to determine that the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel when the detection result indicates that the data traffic has reached the first preset traffic threshold.
  • The extraction unit 802 is also used to extract capability negotiation information from the interaction information of the initial negotiation stage to obtain an extraction result; the determination unit 801 is specifically used to determine that the message receiver has the capability to create the extended VPN tunnel when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation stage.
  • The feature information includes information for creating the extended VPN tunnel other than the quintuple information, where the quintuple information includes: source IP address, source port, destination IP address, destination port and transport layer protocol number.
  • The apparatus further includes a loading unit 806, a sending unit 807, and a receiving unit 808. The loading unit 806 is used to load the extension code in the extension field of the traffic selector (TS) payload in the second negotiation phase for the key; the sending unit 807 is used to send the second interaction information carrying the extension code to the message receiver; the receiving unit 808 is used to receive the first response information of the message receiver for the second interaction information; and the determination unit 801 is further specifically configured to determine that the creation of the extended VPN tunnel is complete when the first response information includes the extension code.
  • The sending unit 807 is further configured to send the second interaction information, carrying notification payload information, to the message receiver in the second negotiation phase for the key; the receiving unit 808 is also used to receive a second response message sent by the message receiver for the second interaction information; and the determination unit 801 is also specifically used to create the extended VPN tunnel according to the extension code carried in the notification payload information when it is determined that the second response message carries the notification payload information.
  • The device further includes a recovery unit 809, which is configured to recover the extended VPN tunnel when it is detected that the traffic data of the extended VPN tunnel is less than the second preset traffic threshold.
  • The second preset traffic threshold and the first preset traffic threshold may be the same or different, and may specifically be set according to current service resources.
  • When the tunnel creation device provided in the above embodiment creates an extended VPN tunnel, the above division into program modules is only an example; in practical applications, the above processing may be allocated to different program modules as needed, that is, the internal structure of the tunnel creation device may be divided into different program modules to complete all or part of the processing described above.
  • the tunnel creation device and the tunnel creation method embodiment provided in the above embodiments belong to the same concept. For the specific implementation process, see the method embodiments, and details are not described here.
  • the apparatus 900 for creating a tunnel may be a mobile phone, a computer, a digital broadcasting terminal, an information receiving and sending device, a game console, Tablet devices, personal digital assistants, information push servers, content servers, identity authentication servers, etc.
  • the tunnel creation device 900 shown in FIG. 9 includes: at least one processor 901, a memory 902, at least one network interface 904, and a user interface 903.
  • the various components in the tunnel creation device 900 are coupled together through the bus system 905. It can be understood that the bus system 905 is used to implement connection and communication between these components.
  • the bus system 905 also includes a power bus, a control bus, and a status signal bus. However, for clarity, various buses are marked as the bus system 905 in FIG. 9.
  • The user interface 903 may include a display, a keyboard, a mouse, a trackball, a click wheel, keys, buttons, a touch panel, or a touch screen.
  • the memory 902 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory.
  • The non-volatile memory can be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, Ferromagnetic Random Access Memory), flash memory (Flash Memory), magnetic surface memory, compact disc, or read-only compact disc (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory can be a disk storage or a tape storage.
  • the volatile memory may be a random access memory (RAM, Random Access Memory), which is used as an external cache.
  • RAM Random Access Memory
  • SRAM Static Random Access Memory
  • SSRAM Synchronous Static Random Access Memory
  • DRAM Dynamic Random Access Memory
  • SDRAM Synchronous Dynamic Random Access Memory
  • DDRSDRAM Double Data Rate Synchronous Dynamic Random Access Memory
  • ESDRAM Enhanced Synchronous Dynamic Random Access Memory
  • SLDRAM SyncLink Dynamic Random Access Memory
  • DRRAM Direct Rambus Random Access Memory
  • the memory 902 described in the embodiments of the present application is intended to include, but not limited to, these and any other suitable types of memories.
  • the memory 902 in the embodiment of the present application is used to store various types of data to support the operation of the apparatus 900 for creating a tunnel.
  • Examples of these data include any computer program for operating on the tunnel creation device 900, such as an operating system 9021 and an application program 9022; the operating system 9021 contains various system programs, such as a framework layer, a core library layer and a driver layer, which are used to implement various basic services and handle hardware-based tasks.
  • the application program 9022 may include various application programs, such as a media player (Media Player), a browser (Browser), etc., for implementing various application services.
  • the program for implementing the method of the embodiment of the present application may be included in the application program 9022.
  • the method disclosed in the above embodiments of the present application may be applied to the processor 901, or implemented by the processor 901.
  • the processor 901 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 901 or an instruction in the form of software.
  • the foregoing processor 901 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the processor 901 may implement or execute the methods, steps, and logical block diagrams disclosed in the embodiments of the present application.
  • the general-purpose processor may be a microprocessor or any conventional processor.
  • the steps of the method disclosed in the embodiments of the present application may be directly implemented and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the memory 902.
  • the processor 901 reads the information in the memory 902 and completes the steps of the foregoing method in combination with its hardware.
  • the tunnel creation device 900 may be implemented by one or more application specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field programmable gate arrays (FPGA, Field-Programmable Gate Array), general-purpose processors, controllers, microcontrollers (MCU, Micro Controller Unit), microprocessors, or other electronic components, to perform the aforementioned method.
  • ASIC Application Specific Integrated Circuit
  • DSP Digital Signal Processor
  • PLD Programmable Logic Device
  • CPLD Complex Programmable Logic Device
  • FPGA Field Programmable Gate Array
  • MCU Micro Controller Unit
  • when the processor 901 runs the computer program, it executes: in the initial negotiation phase for the key, determining, according to the interaction information in the initial negotiation phase, that the message receiver has the ability to create an extended virtual private network (VPN) tunnel; when the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel, extracting, from the current user packet, the feature information used to create the extended VPN tunnel; generating, according to the feature information, an extension code for creating the extended VPN tunnel; and creating the extended VPN tunnel according to the extension code.
  • when the processor 901 runs the computer program, it further executes: detecting the data traffic carried in the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the data traffic has reached the first preset traffic threshold, determining that the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel.
  • when the processor 901 runs the computer program, it further executes: extracting capability negotiation information from the interaction information in the initial negotiation phase to obtain an extraction result; and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information in the initial negotiation phase, determining that the message receiver has the ability to create the extended VPN tunnel.
  • when the processor 901 runs the computer program, it further executes: in the second negotiation phase for the key, loading the extension code into the extension field of the traffic selector (TS) payload; sending second interaction information carrying the extension code to the message receiver; receiving first response information from the message receiver for the second interaction information; and when it is determined that the first response information contains the extension code, determining that creation of the extended VPN tunnel is complete.
  • when the processor 901 runs the computer program, it further executes: in the second negotiation phase for the key, sending second interaction information to the message receiver, the second interaction information carrying notify payload information; receiving a second response message sent by the message receiver for the second interaction information; and when it is determined that the second response message carries the notify payload information, creating the extended VPN tunnel according to the extension code carried in the notify payload information.
  • when the processor 901 runs the computer program, it further executes: when the detection result indicates that the traffic data of the extended VPN tunnel is less than the second preset traffic threshold, reclaiming the extended VPN tunnel.
  • the second preset threshold is the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel.
  • an embodiment of the present application further provides a computer-readable storage medium, for example a memory 902 containing a computer program, which can be executed by the processor 901 of the tunnel creation device 900 to complete the steps of the foregoing method.
  • the computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM; it may also be any device that includes one or any combination of the above memories, such as a mobile phone, a computer, a tablet device, or a personal digital assistant.
  • a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program executes: in the initial negotiation phase for the key, determining, according to the interaction information in the initial negotiation phase, that the message receiver has the ability to create an extended virtual private network (VPN) tunnel; when the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel, extracting, from the current user packet, the feature information used to create the extended VPN tunnel; generating, according to the feature information, an extension code for creating the extended VPN tunnel; and creating the extended VPN tunnel according to the extension code.
  • when the computer program is run by the processor, it further executes: detecting the data traffic carried in the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the data traffic has reached the first preset traffic threshold, determining that the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel.
  • when the computer program is run by the processor, it further executes: extracting capability negotiation information from the interaction information in the initial negotiation phase to obtain an extraction result; and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information in the initial negotiation phase, determining that the message receiver has the ability to create the extended VPN tunnel.
  • when the computer program is run by the processor, it further executes: in the second negotiation phase for the key, loading the extension code into the extension field of the traffic selector (TS) payload; sending second interaction information carrying the extension code to the message receiver; receiving first response information from the message receiver for the second interaction information; and when it is determined that the first response information contains the extension code, determining that creation of the extended VPN tunnel is complete.
  • when the computer program is run by the processor, it further executes: in the second negotiation phase for the key, sending second interaction information to the message receiver, the second interaction information carrying notify payload information; receiving a second response message sent by the message receiver for the second interaction information; and when it is determined that the second response message carries the notify payload information, creating the extended VPN tunnel according to the extension code carried in the notify payload information.
  • when the computer program is run by the processor, it further executes: detecting the traffic data of the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the traffic data of the extended VPN tunnel is less than the second preset traffic threshold, reclaiming the extended VPN tunnel.
  • the second preset threshold is the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present application discloses a method for creating a tunnel. The method comprises: in the initial negotiation phase for a secret key, determining that a message receiver has the ability to create an extended virtual private network (VPN) tunnel according to the interaction information in the initial negotiation phase (101); when the data carried in the extended VPN tunnel satisfy the conditions for the creation thereof, extracting feature information for creating the extended VPN tunnel from the current user message (102); generating, according to the feature information, an extended code for creating the extended VPN tunnel (103); and creating the extended VPN tunnel according to the extended code (104). The present application further discloses a device for creating a tunnel and a storage medium.

Description

Method and device for creating tunnel, and storage medium
Cross reference
This application refers to Chinese patent application No. 201811223937.x, filed on October 19, 2018 and titled "Method and device for creating tunnel, and storage medium", which is incorporated herein by reference in its entirety.
Technical field
This application relates to network communication technology, and in particular to a method and device for creating an Internet Protocol Security (IPSec) tunnel, and a storage medium.
Background
VPN refers to the technology of establishing a private network over a public network. A VPN supports the establishment of a VPN tunnel between two communicating parties so that the transmission can be encrypted and its security improved. In the process of establishing a VPN tunnel, the VMs of the two communicating parties determine, through several rounds of negotiation based on their respectively configured parameters, keys and certificates, the common VPN tunnel parameters of the two parties, where the common VPN tunnel parameters include the encryption and decryption algorithms, authentication algorithm, keys, certificates and so on. After the common VPN tunnel parameters are determined, each party generates a tunnel descriptor (Security Association, SA) containing the common VPN tunnel parameters, thereby completing the establishment of the tunnel between the two parties.
In some cases, a TS (Traffic Selector) payload is generated from the 5-tuple of source IP address, destination IP address, transport-layer protocol number, source port and destination port, so as to create a single, distinct virtual private network (VPN, Virtual Private Network) tunnel.
However, in 5G (fifth-generation communication system) base station communication, the data throughput of the user plane is large, so the processing capacity of the single VPN tunnel that many devices create from 5-tuple information is limited.
Summary of the invention
To solve the existing technical problems, embodiments of the present application are expected to provide a method and device for creating a tunnel, and a storage medium, which can dynamically create multiple extended VPN tunnels to offload data service flows when the amount of data is large.
The technical solution of the embodiments of the present application is implemented as follows. According to one aspect of the embodiments of the present application, a method for creating a tunnel is provided. The method includes: in an initial negotiation phase for a key, determining, according to the interaction information in the initial negotiation phase, that a message receiver has the ability to create an extended virtual private network (VPN) tunnel; when the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel, extracting, from the current user packet, feature information used to create the extended VPN tunnel; generating, according to the feature information, an extension code for creating the extended VPN tunnel; and creating the extended VPN tunnel according to the extension code.
In the above solution, the method further includes: detecting the data traffic carried in the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the data traffic has reached a first preset traffic threshold, determining that the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel.
In the above solution, determining, in the initial negotiation phase for the key and according to the interaction information in the initial negotiation phase, that the message receiver has the ability to create an extended VPN tunnel includes: extracting capability negotiation information from the interaction information in the initial negotiation phase to obtain an extraction result; and when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information in the initial negotiation phase, determining that the message receiver has the ability to create the extended VPN tunnel.
In the above solution, the feature information includes information used to create the extended VPN tunnel other than the 5-tuple information, where the 5-tuple information includes the source IP address, source port, destination IP address, destination port and transport-layer protocol number.
In the above solution, creating the extended VPN tunnel according to the extension code includes: in a second negotiation phase for the key, loading the extension code into an extension field of the traffic selector (TS) payload; sending second interaction information carrying the extension code to the message receiver; receiving first response information from the message receiver for the second interaction information; and when it is determined that the first response information contains the extension code, determining that creation of the extended VPN tunnel is complete.
In the above solution, creating the extended VPN tunnel according to the extension code includes: in the second negotiation phase for the key, sending second interaction information to the message receiver, the second interaction information carrying notify payload information; receiving a second response message sent by the message receiver for the second interaction information; and when it is determined that the second response message carries the notify payload information, creating the extended VPN tunnel according to the extension code carried in the notify payload information.
In the above solution, after the extended VPN tunnel is created according to the extension code, the method further includes: detecting the traffic data of the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the traffic data of the extended VPN tunnel is less than a second preset traffic threshold, reclaiming the extended VPN tunnel.
In the above solution, the second preset threshold is the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel.
According to another aspect of the embodiments of the present application, a device for creating a tunnel is provided. The device includes: a determining unit, configured to determine, in an initial negotiation phase for a key and according to the interaction information in the initial negotiation phase, that a message receiver has the ability to create an extended VPN tunnel; an extracting unit, configured to extract, from the current user packet, feature information used to create the extended VPN tunnel when the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel; a generating unit, configured to generate, according to the feature information, an extension code for creating the extended VPN tunnel; and a creating unit, configured to create the extended VPN tunnel according to the extension code.
According to a third aspect of the embodiments of the present application, a device for creating a tunnel is provided. The device includes a memory and a processor, where the memory is configured to store a computer program that can run on the processor, and the processor is configured to execute the steps of any one of the above methods for creating a tunnel when running the computer program.
According to a fourth aspect of the embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed by a processor, the steps of any one of the above methods for creating a tunnel are implemented.
Embodiments of the present application provide a method and device for creating a tunnel, and a storage medium. In an initial negotiation phase for a key, it is determined, according to the interaction information in the initial negotiation phase, that a message receiver has the ability to create an extended virtual private network (VPN, Virtual Private Network) tunnel; when the data carried in the extended VPN tunnel satisfies the condition for the extended VPN tunnel, feature information used to create the extended VPN tunnel is extracted from the current user packet; an extension code for creating the extended VPN tunnel is generated according to the feature information; and the extended VPN tunnel is created according to the extension code. In this way, by dynamically creating extended VPN tunnels according to the amount of data traffic, the limitation of the prior art, in which only a single IPSec tunnel can be created from 5-tuple information, is overcome, and the problem of IPSec encrypted channels in high-traffic services such as those of fifth-generation mobile communication technology (5G, 5th-Generation) is also solved.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a method for creating a tunnel according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the message interaction between the two communicating parties in the initial negotiation phase of the IKEv2 protocol in the prior art;
FIG. 3 is a schematic diagram of the message interaction between the two communicating parties in the initial negotiation phase of the IKEv2 protocol in the present application;
FIG. 4 is a schematic diagram of the TS payload structure in the prior art;
FIG. 5 is a schematic diagram of the TS payload structure in the present application;
FIG. 6 is a schematic diagram of the message interaction for establishing a child security association using the TS payload structure shown in FIG. 5;
FIG. 7 is a schematic diagram of the message interaction for establishing a child security association in the present application;
FIG. 8 is a first schematic diagram of the structural composition of the device for creating a tunnel in the present application;
FIG. 9 is a second schematic diagram of the structural composition of the device for creating a tunnel in an embodiment of the present application.
Specific embodiments
The specific embodiments of the present application are described in detail below with reference to the drawings. It should be understood that the specific embodiments described herein are only used to illustrate and explain the present application and are not intended to limit it.
FIG. 1 is a schematic flowchart of a method for creating a tunnel according to an embodiment of the present application.
Step 101: in an initial negotiation phase for a key, determine, according to the interaction information in the initial negotiation phase, that the message receiver has the ability to create an extended virtual private network (VPN) tunnel.
In the present application, the method is mainly applied to a device that supports protocol programming; for example, the device may be a base station.
In the present application, the device may use the Internet Key Exchange (IKE) protocol to authenticate the identities of the two communicating parties during IPSec processing between them, and may also negotiate security policies and handle the exchange of session keys.
Here, the two communicating parties may be a base station and a base station, a base station and a virtual private network gateway (VPN, Virtual Private Network Gateway), or a VPN gateway and a VPN gateway.
The second version of IKE, the IKEv2 protocol, is taken as an example below to describe in detail how the present application determines, according to the interaction information in the initial negotiation phase, whether the receiver has the ability to create an extended VPN tunnel.
First, the negotiation process of the IKEv2 protocol between the two communicating parties is usually divided into two negotiation phases: the first negotiation phase and the second negotiation phase.
The first negotiation phase, also called the initial negotiation phase, is mainly used to negotiate the IKE_SA. The second negotiation phase, also called the child SA negotiation exchange phase, is mainly used to negotiate the CHILD_SA. In addition, there may be an informational exchange phase, which is mainly used to notify error, configuration, deletion and other information between the two parties of the IKEv2 protocol.
FIG. 2 is a schematic diagram of the message interaction between the two communicating parties in the initial negotiation phase of the IKEv2 protocol in the prior art, as shown in FIG. 2.
In the initial negotiation phase, the two communicating parties mainly perform two message exchanges, each consisting of two messages.
The first message 201 of the first message exchange is a message sent by the message sender 20 to the message receiver 30, and the second message 301 of the first message exchange is the response message that the message receiver 30 sends to the message sender 20 after receiving the first message 201 from the message sender 20.
Specifically, the response message may be formed as follows: after receiving the first message 201 from the message sender 20, the message receiver 30 selects a proposal from SAi1 to form SAr1, and sends KEr and Nr to the message sender 20 as the Diffie-Hellman public value and the nonce value of the message receiver 30, respectively. In addition, the response message 301 that the message receiver 30 sends to the message sender 20 may also contain an optional certificate.
Generally, after the first message exchange (IKE_SA_INIT) is complete, the two parties (message sender 20 and message receiver 30) can compute the seed key SKEYSEED, from which seven other secrets are derived: SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi and SK_pr.
The second message exchange, the IKE_AUTH exchange, is then performed.
As shown in FIG. 2, in the second message negotiation phase (IKE_AUTH), the two communicating parties use the encryption algorithm, authentication algorithm and keys contained in the IKE_SA obtained in the first message exchange for security protection, and use the authentication payload to authenticate the initial negotiation phase (IKE_SA_INIT) exchange that has just been completed, finally negotiating the first CHILD_SA, that is, the IPSec SA.
As shown in FIG. 2, in the second message exchange, the first message 202 and the second message 302 each consist of an IKEv2 header HDR and an encrypted payload, and the encrypted payload contains an identity payload (ID), an optional certificate payload (CERT) and certificate request payload (CERTREQ), an authentication payload (AUTH), a security association payload (SA), a traffic selector payload (TS), and so on. Here, SK{} indicates that the enclosed payloads are encrypted and integrity-protected with SK_e and SK_a of the corresponding direction.
FIG. 3 is a schematic diagram of the message interaction between the two communicating parties in the initial negotiation phase of the IKEv2 protocol in the present application. The negotiation process of FIG. 3 is basically similar to that of FIG. 2, and the common parts are not repeated here. The difference is that, in FIG. 3, the message sender 20 and the message receiver 30 add to the interaction information of the initial negotiation phase a capability negotiation field for dynamically creating VPN tunnels; for example, the capability negotiation field is a notify payload [Nx]. The capability negotiation field may be loaded in the first exchange of the initial negotiation phase, or in the second exchange.
In the present application, when the message sender 20 sends, in the initial negotiation phase for the key, a message carrying the capability negotiation field to the message receiver, the message receiver 30, after receiving that message, sends a response message for it to the message sender 20.
After receiving the response message sent by the message receiver, the message sender 20 extracts the information of the capability negotiation field from the response message and obtains an extraction result.
When the extraction result indicates that the information of the capability negotiation field was successfully extracted from the response message, it is determined that the message receiver has the ability to create the extended VPN tunnel. Conversely, when the extraction result indicates that extraction of the capability negotiation information from the response message failed, it is determined that the message receiver 30 does not have the ability to create an extended VPN tunnel.
In the present application, when the capability negotiation between the message sender 20 and the message receiver 30 fails, dynamic creation of a VPN tunnel is not performed subsequently.
Step 102: when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extract from the current user packet the feature information used to create the extended VPN tunnel.
In this application, once the message sender has determined that the message receiver has the capability to dynamically create an extended VPN tunnel, it monitors the data traffic carried in the extended VPN tunnel to obtain a detection result, and compares the data traffic in the detection result with a first preset threshold that represents the condition for creating an extended VPN tunnel, obtaining a comparison result. When the comparison result indicates that the detected data traffic is greater than or equal to the first preset traffic threshold, it determines that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, and then extracts from the current user packet the feature information used to create the extended VPN tunnel.
Here, a user packet refers to a message packet generated between the message sender and the message receiver during the negotiation process. For example, the message packet includes a tunnel endpoint identifier (TEID, Tunnel Endpoint Identifier), a differentiated services code point (DSCP, Differentiated Services Code Point), and so on.
In this application, the feature information includes information used to create the extended VPN tunnel other than the five-tuple information, for example TEID, DSCP and similar information.
The five-tuple information includes the source IP address, source port, destination IP address, destination port and transport-layer protocol number. In this way, based on information other than the five-tuple, an extended VPN tunnel can be created dynamically when service traffic is high, so that the created extended VPN tunnel carries additional service traffic.
Step 103: generate, according to the feature information, an extension code used to create the extended VPN tunnel.
In this application, specifically, the feature parameters in the feature information may be computed with a hash (HASH) algorithm to obtain a computation result, and the extension code is then generated from the computation result.
Here, the HASH algorithm is a set of algorithms rather than one specific algorithm.
In this application, the extension code may also be generated directly from the feature information by combining each item of sub-feature information contained in it.
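Steps 102 and 103 worked through in code, as an added illustration that is not part of the patent: the non-five-tuple feature information (TEID and DSCP) is pulled out of a user packet, and an extension code is derived from it either by hashing (the HASH variant) or by concatenating the sub-features (the combination variant). The packet is a constructed IPv4/UDP/GTP-U sample; the choice of SHA-256, the 4-octet truncation and the canonical field order are assumptions, since the page does not fix them.

```python
"""Feature extraction (step 102) and extension code generation (step 103).

Added illustration, not code from the patent. The sample packet is
constructed here; hash algorithm, output length and field order are assumed.
"""
import hashlib
import struct

GTPU_PORT = 2152  # UDP port of GTP-U (3GPP TS 29.281)


def build_sample_packet(dscp: int, teid: int) -> bytes:
    """Constructed sample: IPv4 header + UDP header + 8-byte GTP-U header."""
    tos = (dscp << 2) & 0xFF  # DSCP occupies the top 6 bits of the ToS byte
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 20 + 8 + 8, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + 8, 0)
    # GTP-U: flags (version 1, PT=1), message type G-PDU, length, TEID
    gtp_hdr = struct.pack("!BBHI", 0x30, 0xFF, 0, teid)
    return ip_hdr + udp_hdr + gtp_hdr


def extract_features(pkt: bytes) -> dict:
    """Feature information other than the five-tuple: DSCP and TEID."""
    ihl = (pkt[0] & 0x0F) * 4
    dscp = pkt[1] >> 2
    if pkt[9] != 17:
        raise ValueError("expected UDP-encapsulated GTP-U")
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dport != GTPU_PORT:
        raise ValueError("not a GTP-U packet")
    teid = struct.unpack("!I", pkt[ihl + 8 + 4:ihl + 8 + 8])[0]
    return {"teid": teid, "dscp": dscp}


def _canonical(features: dict) -> bytes:
    # Fixed order and width so both peers derive the same code from the same flow.
    return struct.pack("!IB", features["teid"], features["dscp"])


def extension_code_hash(features: dict, length: int = 4) -> bytes:
    """HASH variant: hash the feature parameters and truncate to the code width."""
    return hashlib.sha256(_canonical(features)).digest()[:length]


def extension_code_concat(features: dict) -> bytes:
    """Combination variant: the sub-feature fields concatenated directly."""
    return _canonical(features)


if __name__ == "__main__":
    feats = extract_features(build_sample_packet(dscp=46, teid=0x1A2B3C4D))
    print(feats, extension_code_hash(feats).hex(), extension_code_concat(feats).hex())
```

The canonical packing matters: if initiator and responder serialise the feature fields in different orders or widths, the hash variant yields different codes for the same flow and the tunnel never matches. Truncating the hash to a few octets also means distinct flows can collide and be mapped onto the same extended tunnel, which is harmless for capacity but should be kept in mind when the code is used as a lookup key.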
Step 104: create the extended VPN tunnel according to the extension code.
In this application, specifically, the message sender may load the extension code into an extension field of the traffic selector (TS) payload in the second negotiation phase for the key (see Figure 5).
Figure 4 is a schematic diagram of the TS payload structure in the prior art. As shown in Figure 4, the TS payload includes the TS type, IP protocol ID, selector length, start port, end port, starting address and ending address.
Figure 5 is a schematic diagram of the TS payload structure in this application. Figure 5 is largely the same as Figure 4, and the common parts are not repeated here; the difference is that in Figure 5 an extension code (Extended Code) is loaded into an extension field that follows the ending address of the TS payload.
In this application, after the message sender has loaded the extension code into the extension field of the TS payload in the second negotiation phase, it also sends the exchange information carrying the extension code to the message receiver in the second negotiation phase; when the message receiver receives the exchange message sent by the message sender in the second negotiation phase, it sends to the message sender a response message for that exchange message of the second negotiation phase (see Figure 6).
Figure 6 is a schematic diagram of the message exchange that establishes a child security association using the TS payload structure shown in Figure 5.
As shown in Figure 6, the exchange messages between the message sender 20 and the message receiver 30 all carry TSi and TSr, where TSi and TSr represent the extension code.
After receiving the response information sent by the message receiver for the exchange information of the second negotiation phase, the message sender extracts the extension code from the response message. When the message sender successfully extracts the extension code from the response message, this indicates that the extended VPN tunnel has been created.
Conversely, when the message sender fails to extract the extension code from the response message, this indicates that the creation of the extended VPN tunnel has failed.
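The TS payload variant of Figures 4 to 6 as an added illustration, not the patent's code: one traffic selector substructure is encoded with the Figure 4 fields (the layout of the IKEv2 traffic selector substructure in RFC 7296 section 3.13.1), optionally followed by the extension field of Figure 5, and the initiator-side check of step 104 extracts the code from the responder's TS and treats its absence as a failed creation. The 4-octet width of the extension field and the way it is counted into the selector length are assumptions.

```python
"""Traffic selector substructure with the Figure 5 extension field.

Added illustration, not code from the patent. Extension field width and its
inclusion in Selector Length are assumptions.
"""
import ipaddress
import struct
from typing import Optional

TS_IPV4_ADDR_RANGE = 7   # RFC 7296 TS Type for an IPv4 address range
EXT_CODE_LEN = 4         # assumed width of the Extended Code field
BASE_IPV4_TS_LEN = 16    # header (4) + ports (4) + two IPv4 addresses (8)


def encode_ts(proto: int, start_port: int, end_port: int,
              start_addr: str, end_addr: str,
              ext_code: Optional[bytes] = None) -> bytes:
    """TS Type | IP Protocol ID | Selector Length | ports | addresses | [Extended Code]."""
    sa = ipaddress.IPv4Address(start_addr).packed
    ea = ipaddress.IPv4Address(end_addr).packed
    body = struct.pack("!HH", start_port, end_port) + sa + ea
    if ext_code is not None:
        if len(ext_code) != EXT_CODE_LEN:
            raise ValueError("extension code must be %d octets" % EXT_CODE_LEN)
        body += ext_code
    selector_len = 4 + len(body)  # Selector Length covers the whole substructure
    return struct.pack("!BBH", TS_IPV4_ADDR_RANGE, proto, selector_len) + body


def decode_ts(buf: bytes) -> dict:
    """Parse one IPv4 TS substructure; a trailing 4-octet field is the extension code."""
    if len(buf) < BASE_IPV4_TS_LEN:
        raise ValueError("truncated traffic selector")
    ts_type, proto, selector_len = struct.unpack("!BBH", buf[:4])
    if ts_type != TS_IPV4_ADDR_RANGE or selector_len < BASE_IPV4_TS_LEN or selector_len > len(buf):
        raise ValueError("malformed traffic selector")
    start_port, end_port = struct.unpack("!HH", buf[4:8])
    ext = buf[BASE_IPV4_TS_LEN:selector_len]
    return {
        "proto": proto,
        "start_port": start_port,
        "end_port": end_port,
        "start_addr": str(ipaddress.IPv4Address(buf[8:12])),
        "end_addr": str(ipaddress.IPv4Address(buf[12:16])),
        "ext_code": ext if len(ext) == EXT_CODE_LEN else None,
    }


def extract_extension_code(response_ts: bytes) -> Optional[bytes]:
    """Step 104 on the initiator: the code extracted from the responder's TS, or None."""
    return decode_ts(response_ts)["ext_code"]


def tunnel_created(sent_ext_code: bytes, response_ts: bytes) -> bool:
    """Creation succeeded only if the responder echoed exactly the code that was loaded."""
    return extract_extension_code(response_ts) == sent_ext_code


if __name__ == "__main__":
    code = bytes.fromhex("1a2b3c4d")
    ts = encode_ts(17, 2152, 2152, "10.0.0.1", "10.0.0.1", code)
    print(ts.hex(), tunnel_created(code, ts))
```

Because the extension enlarges a selector that standard IKEv2 peers expect to be exactly 16 octets for an IPv4 range, it must only be sent to a peer that confirmed the capability in the initial negotiation phase; the comparison in tunnel_created also rejects a response in which the responder narrowed or rewrote the selector without carrying the code back.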
In another embodiment, the message sender may also send, in the second negotiation phase for the key, exchange information carrying Notify payload information to the message receiver; when the message receiver receives the exchange message carrying the Notify payload information sent by the message sender, it sends a response message for that exchange message to the message sender (see Figure 7).
Figure 7 is a schematic diagram of the message exchange that establishes a child security association in this application. As shown in Figure 7, the exchange messages between the message sender 20 and the message receiver 30 carry Notify payload information (N-EXC), where N-EXC denotes a Notify payload carrying the extension code (Extended Code).
Specifically, the message sender sends a message carrying the Notify payload information to the message receiver; when the message receiver receives the message carrying the Notify payload information sent by the message sender, it sends a response message for that message to the message sender.
When the message sender receives the response message sent by the message receiver for the exchange information of the second negotiation phase, it extracts the Notify payload information from the response message.
When the message sender extracts the Notify payload information from the response message, it creates the extended VPN tunnel according to the extension code carried in the Notify payload information.
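Both Notify-based exchanges of the scheme in one added example (not the patent's code): the capability negotiation field [Nx] of Figure 3 in the initial negotiation phase, and the N-EXC payload of Figure 7 carrying the extension code in the second negotiation phase, with the receiver echoing each payload only when it supports it and the sender deriving "capable / not capable" and "created / failed" from whether the payload comes back. The Notify body layout follows RFC 7296 section 3.10; the two message type numbers are assumed private-use values, and only the Notify payloads of each message are modelled.

```python
"""Notify-payload carriers: [Nx] capability negotiation and N-EXC extension code.

Added illustration, not code from the patent. Both notify type values are
hypothetical private-use numbers.
"""
import struct
from typing import List, Optional, Tuple

# Assumed private-use status notify types (RFC 7296 reserves 40960-65535 for private use).
N_EXT_TUNNEL_CAP = 0xC000   # hypothetical [Nx]: "can create extended VPN tunnels"
N_EXC = 0xC001              # hypothetical N-EXC: carries the Extended Code


def encode_notify(msg_type: int, data: bytes = b"", proto: int = 0, spi: bytes = b"") -> bytes:
    """Protocol ID | SPI Size | Notify Message Type | SPI | Notification Data."""
    return struct.pack("!BBH", proto, len(spi), msg_type) + spi + data


def decode_notify(body: bytes) -> Tuple[int, bytes]:
    """Return (message type, notification data)."""
    if len(body) < 4:
        raise ValueError("truncated Notify payload")
    _proto, spi_size, msg_type = struct.unpack("!BBH", body[:4])
    return msg_type, body[4 + spi_size:]


def find_notify(notifies: List[bytes], msg_type: int) -> Optional[bytes]:
    """Data of the first Notify of the given type, or None if the message has none."""
    for body in notifies:
        t, data = decode_notify(body)
        if t == msg_type:
            return data
    return None


# --- initial negotiation phase: capability negotiation with [Nx] ---------------

def responder_sa_init(req_notifies: List[bytes], supports_ext: bool) -> List[bytes]:
    """Receiver echoes [Nx] only if it saw it and implements the extension.
    A peer that does not know the type ignores it (RFC 7296 section 3.10.1),
    so an absent echo is read as "no capability"."""
    if supports_ext and find_notify(req_notifies, N_EXT_TUNNEL_CAP) is not None:
        return [encode_notify(N_EXT_TUNNEL_CAP)]
    return []


def negotiate_capability(peer_capable: bool) -> bool:
    req = [encode_notify(N_EXT_TUNNEL_CAP)]
    resp = responder_sa_init(req, peer_capable)
    return find_notify(resp, N_EXT_TUNNEL_CAP) is not None


# --- second negotiation phase: extension code in N-EXC -------------------------

def responder_auth(req_notifies: List[bytes], accepts: bool) -> List[bytes]:
    """Receiver echoes N-EXC with the same code only when it accepted the tunnel."""
    code = find_notify(req_notifies, N_EXC)
    if code and accepts:
        return [encode_notify(N_EXC, code)]
    return []


def create_extended_tunnel(ext_code: bytes, peer_capable: bool, peer_accepts: bool) -> Optional[dict]:
    """Full flow: if capability negotiation fails, no dynamic creation is attempted."""
    if not negotiate_capability(peer_capable):
        return None
    resp = responder_auth([encode_notify(N_EXC, ext_code)], peer_accepts)
    echoed = find_notify(resp, N_EXC)
    if echoed != ext_code:
        return None  # extraction failed: creation failed
    return {"ext_code": echoed.hex(), "state": "created"}


if __name__ == "__main__":
    print(create_extended_tunnel(bytes.fromhex("1a2b3c4d"), True, True))
```

Both payloads travel inside the SK{} envelope of the respective message, so an on-path party cannot strip N-EXC without breaking integrity protection; the capability field in IKE_SA_INIT, however, is sent before any keys exist, which is why the scheme treats its absence only as "do not scale" rather than as an error.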
In this application, when the data traffic of the first extended VPN tunnel reaches the first preset traffic threshold, a new extension code is generated according to the feature information of the current service traffic, and the new extension code is used to negotiate a new extended VPN tunnel.
Here, for example, the first preset traffic threshold is 60% of the data traffic handled by a single VPN tunnel.
In this application, new extension codes may also be generated and new extended VPN tunnels created repeatedly according to service needs.
In this application, after the message sender has successfully created the extended VPN tunnel according to the extension code, it may also reclaim the created extended VPN tunnel according to the current service traffic.
Specifically, after successfully creating the extended VPN tunnel according to the extension code, the message sender may also monitor the traffic data of the extended VPN tunnel to obtain a detection result, and compare the traffic data in the detection result with a second preset traffic threshold that represents the condition for reclaiming a created extended VPN tunnel, obtaining a comparison result. When the comparison result indicates that the traffic data of the extended VPN tunnel is less than the second preset traffic threshold, the extended VPN tunnel is reclaimed so as to release more service resources.
Of course, in this application, when service resources are plentiful, the created extended VPN tunnel need not be reclaimed.
Here, the second preset traffic threshold representing reclamation of a created extended VPN tunnel and the first preset traffic threshold representing creation of an extended VPN tunnel may be the same or different; specifically, they may be set or adjusted according to the current service resources.
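The two-threshold scaling loop described above as an added illustration (not the patent's code): a new extended tunnel is negotiated when the newest tunnel's traffic reaches the first threshold (the page's 60% example), and an extended tunnel is reclaimed when its traffic falls below the second threshold. The capacity figure, the second threshold value and the hold-down period are constructed assumptions; the hold-down is added because a freshly created tunnel starts empty and would otherwise be reclaimed on the very next measurement.

```python
"""Threshold-driven creation and reclamation of extended VPN tunnels.

Added illustration, not code from the patent. Capacity, second threshold and
hold-down are assumed values; the extension code here is a placeholder for
the hash of the current traffic's feature information (step 103).
"""
from dataclasses import dataclass, field
from typing import List

SINGLE_TUNNEL_CAPACITY = 1000.0                       # constructed: Mbit/s per tunnel
FIRST_THRESHOLD = 0.60 * SINGLE_TUNNEL_CAPACITY       # page's example: create at >= 60%
SECOND_THRESHOLD = 0.20 * SINGLE_TUNNEL_CAPACITY      # assumed: reclaim below 20%
HOLD_DOWN_ROUNDS = 3                                  # assumed: min age before reclaim


@dataclass
class Tunnel:
    ext_code: str            # "" for the base tunnel negotiated from the five-tuple
    traffic: float = 0.0
    age: int = 0             # measurement rounds since creation


@dataclass
class TunnelPool:
    peer_capable: bool = True          # result of the initial-phase capability negotiation
    tunnels: List[Tunnel] = field(default_factory=list)
    next_code: int = 1

    def __post_init__(self):
        self.tunnels.append(Tunnel(ext_code=""))      # the single base IPsec tunnel

    def _new_ext_code(self) -> str:
        code = "ext%04x" % self.next_code             # placeholder for the feature hash
        self.next_code += 1
        return code

    def observe(self, traffic_per_tunnel: List[float]) -> str:
        """Apply one round of traffic measurements and return the action taken."""
        if len(traffic_per_tunnel) != len(self.tunnels):
            raise ValueError("one traffic sample per tunnel required")
        for t, load in zip(self.tunnels, traffic_per_tunnel):
            t.traffic = load
            t.age += 1
        if not self.peer_capable:
            return "static"            # negotiation failed: never scale dynamically
        newest = self.tunnels[-1]
        if newest.traffic >= FIRST_THRESHOLD:
            self.tunnels.append(Tunnel(ext_code=self._new_ext_code()))
            return "created"
        # Reclaim only extended tunnels (never the base one), and only after the hold-down.
        if len(self.tunnels) > 1 and newest.age >= HOLD_DOWN_ROUNDS \
                and newest.traffic < SECOND_THRESHOLD:
            self.tunnels.pop()
            return "reclaimed"
        return "steady"

    def ext_codes(self) -> List[str]:
        return [t.ext_code for t in self.tunnels[1:]]


if __name__ == "__main__":
    pool = TunnelPool()
    for sample in ([300], [650], [650, 50], [650, 650], [600, 600, 100]):
        print(sample, pool.observe(sample), pool.ext_codes())
```

Keeping the second threshold well below the first and adding a hold-down gives the loop hysteresis; with both thresholds equal (which the page allows) and no hold-down, traffic hovering around the threshold would trigger a CHILD_SA negotiation on every round, which is itself a load on the IKE daemon.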
Compared with the prior art, the method for dynamically creating extended VPN tunnels described in this application breaks through the limitation that five-tuple information can create only a single IPsec tunnel, solves the problem of high-throughput IPsec encrypted channels for 5G communications, and achieves the effect of dynamically creating IPsec tunnels according to service traffic.
Figure 8 is a schematic diagram of the structural composition of the tunnel creation device in this application. As shown in Figure 8, the device includes a determination unit 801, an extraction unit 802, a generation unit 803 and a creation unit 804. The determination unit 801 is configured to determine, in the initial negotiation phase for the key and according to the exchange information of the initial negotiation phase, that the message receiver has the capability to create an extended VPN tunnel; the extraction unit 802 is configured to extract from the current user packet the feature information used to create the extended VPN tunnel when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel; the generation unit 803 is configured to generate, according to the feature information, the extension code used to create the extended VPN tunnel; and the creation unit 804 is configured to create the extended VPN tunnel according to the extension code.
In this application, the device further includes a detection unit 805, configured to monitor the data traffic carried in the extended VPN tunnel to obtain a detection result; the determination unit 801 is further configured to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel when the detection result indicates that the detected data traffic has reached the first preset traffic threshold.
In this application, the extraction unit 802 is further configured to extract capability negotiation information from the exchange information of the initial negotiation phase to obtain an extraction result; the determination unit 801 is specifically configured to determine that the message receiver has the capability to create the extended VPN tunnel when the extraction result indicates that the capability negotiation information was successfully extracted from the exchange information of the initial negotiation phase.
In this application, the feature information includes information used to create the extended VPN tunnel other than the five-tuple information, where the five-tuple information includes the source IP address, source port, destination IP address, destination port and transport-layer protocol number.
In this application, the device further includes a loading unit 806, a sending unit 807 and a receiving unit 808. The loading unit 806 is configured to load the extension code into the extension field of the traffic selector (TS) payload in the second negotiation phase for the key; the sending unit 807 is configured to send second exchange information carrying the extension code to the message receiver; the receiving unit 808 is configured to receive first response information from the message receiver for the second exchange information; and the determination unit 801 is further specifically configured to determine that creation of the extended VPN tunnel is complete when it determines that the first response information contains the extension code.
In another embodiment of this application, the sending unit 807 is further configured to send second exchange information carrying Notify payload information to the message receiver in the second negotiation phase for the key; the receiving unit 808 is further configured to receive a second response message sent by the message receiver for the second exchange information; and the determination unit 801 is further specifically configured to create the extended VPN tunnel according to the extension code carried in the Notify payload information when it determines that the second response message carries the Notify payload information.
In this application, the device further includes a reclamation unit 809, configured to reclaim the extended VPN tunnel when it detects that the traffic data of the extended VPN tunnel is less than a second preset traffic threshold.
The second preset traffic threshold and the first preset traffic threshold may be the same or different, and may specifically be set according to the current service resources.
It should be noted that when the tunnel creation device provided in the above embodiment creates an extended VPN tunnel, the division into the above program modules is only an example; in practical applications the above processing may be assigned to different program modules as needed, that is, the internal structure of the tunnel creation device may be divided into different program modules to complete all or part of the processing described above. In addition, the tunnel creation device provided in the above embodiment and the embodiment of the tunnel creation method belong to the same concept; for the specific implementation process see the method embodiment, which is not repeated here.
Figure 9 is a second schematic diagram of the structural composition of the tunnel creation device in an embodiment of this application. As shown in Figure 9, the tunnel creation device 900 may be a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a personal digital assistant, a push server, a content server, an identity authentication server, and so on. The tunnel creation device 900 shown in Figure 9 includes at least one processor 901, a memory 902, at least one network interface 904 and a user interface 903. The components of the tunnel creation device 900 are coupled together by a bus system 905. It will be understood that the bus system 905 is used to implement connection and communication among these components. Besides a data bus, the bus system 905 also includes a power bus, a control bus and a status signal bus. For clarity, however, all of these buses are labelled as the bus system 905 in Figure 9.
The user interface 903 may include a display, keyboard, mouse, trackball, click wheel, keys, buttons, touch pad or touch screen.
It will be understood that the memory 902 may be volatile memory or non-volatile memory, and may also include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), ferromagnetic random access memory (FRAM, ferromagnetic random access memory), flash memory (Flash Memory), magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be random access memory (RAM, Random Access Memory), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), SyncLink dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory) and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory 902 described in the embodiments of this application is intended to include, without being limited to, these and any other suitable types of memory.
The memory 902 in the embodiment of this application is used to store various types of data to support the operation of the tunnel creation device 900. Examples of such data include any computer program for operation on the tunnel creation device 900, such as an operating system 9021 and application programs 9022. The operating system 9021 contains various system programs, such as a framework layer, a core library layer and a driver layer, used to implement various basic services and to handle hardware-based tasks. The application programs 9022 may include various applications, such as a media player (Media Player) and a browser (Browser), used to implement various application services. The program implementing the method of the embodiment of this application may be contained in the application programs 9022.
The method disclosed in the above embodiments of this application may be applied in, or implemented by, the processor 901. The processor 901 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 901 or by instructions in the form of software. The processor 901 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, and so on. The processor 901 may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of this application may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the memory 902; the processor 901 reads the information in the memory 902 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the tunnel creation device 900 may be implemented by one or more application-specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field-programmable gate arrays (FPGA, Field-Programmable Gate Array), general-purpose processors, controllers, microcontrollers (MCU, Micro Controller Unit), microprocessors (Microprocessor) or other electronic components, for performing the foregoing method.
Specifically, when the processor 901 runs the computer program, it performs: in the initial negotiation phase for the key, determining, according to the exchange information of the initial negotiation phase, that the message receiver has the capability to create an extended virtual private network (VPN) tunnel; when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting from the current user packet the feature information used to create the extended VPN tunnel; generating, according to the feature information, the extension code used to create the extended VPN tunnel; and creating the extended VPN tunnel according to the extension code.
When the processor 901 runs the computer program, it further performs: monitoring the data traffic carried in the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the detected data traffic has reached the first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
When the processor 901 runs the computer program, it further performs: extracting capability negotiation information from the exchange information of the initial negotiation phase to obtain an extraction result; and when the extraction result indicates that the capability negotiation information was successfully extracted from the exchange information of the initial negotiation phase, determining that the message receiver has the capability to create the extended VPN tunnel.
When the processor 901 runs the computer program, it further performs: in the second negotiation phase for the key, loading the extension code into the extension field of the traffic selector (TS) payload; sending second exchange information carrying the extension code to the message receiver; receiving first response information from the message receiver for the second exchange information; and when it determines that the first response information contains the extension code, determining that creation of the extended VPN tunnel is complete.
When the processor 901 runs the computer program, it further performs: in the second negotiation phase for the key, sending second exchange information carrying Notify payload information to the message receiver; receiving a second response message sent by the message receiver for the second exchange information; and when it determines that the second response message carries the Notify payload information, creating the extended VPN tunnel according to the extension code carried in the Notify payload information.
When the processor 901 runs the computer program, it further performs: when the detection result indicates that the traffic data of the extended VPN tunnel is less than a second preset traffic threshold, reclaiming the extended VPN tunnel.
The second preset threshold is the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
In an exemplary embodiment, an embodiment of this application further provides a computer-readable storage medium, for example a memory 902 containing a computer program, which can be executed by the processor 901 of the tunnel creation device 900 to complete the steps of the foregoing method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc or CD-ROM; it may also be any of various devices including one or any combination of the above memories, such as a mobile phone, computer, tablet device, personal digital assistant, and so on.
A computer-readable storage medium has a computer program stored on it which, when run by a processor, performs: in the initial negotiation phase for the key, determining, according to the exchange information of the initial negotiation phase, that the message receiver has the capability to create an extended virtual private network (VPN) tunnel; when the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel, extracting from the current user packet the feature information used to create the extended VPN tunnel; generating, according to the feature information, the extension code used to create the extended VPN tunnel; and creating the extended VPN tunnel according to the extension code.
When the computer program is run by the processor, it further performs: monitoring the data traffic carried in the extended VPN tunnel to obtain a detection result; and when the detection result indicates that the detected data traffic has reached the first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
When the computer program is run by the processor, it further performs: extracting capability negotiation information from the exchange information of the initial negotiation phase to obtain an extraction result; and when the extraction result indicates that the capability negotiation information was successfully extracted from the exchange information of the initial negotiation phase, determining that the message receiver has the capability to create the extended VPN tunnel.
When the computer program is run by the processor, it further performs: in the second negotiation phase for the key, loading the extension code into the extension field of the traffic selector (TS) payload; sending second exchange information carrying the extension code to the message receiver; receiving first response information from the message receiver for the second exchange information; and when it determines that the first response information contains the extension code, determining that creation of the extended VPN tunnel is complete.
When the computer program is run by the processor, it further performs: in the second negotiation phase for the key, sending second exchange information carrying Notify payload information to the message receiver; receiving a second response message sent by the message receiver for the second exchange information; and when it determines that the second response message carries the Notify payload information, creating the extended VPN tunnel according to the extension code carried in the Notify payload information.
该计算机程序被处理器运行时,还执行:检测所述扩展VPN隧道的流量数据,得到检测结果;当所述检测结果表征所述扩展VPN隧道的流量数据小于第二预设流量阈值时,回收所述扩展VPN隧道。When the computer program is executed by the processor, it also executes: detecting the flow data of the extended VPN tunnel to obtain a detection result; when the detection result indicates that the flow data of the extended VPN tunnel is less than the second preset flow threshold, recovering The extended VPN tunnel.
所述第二预设阈值与确定所述扩展VPN隧道内所承载的数据满足扩展VPN隧道的条件的第一预设阈值相同或不同。The second preset threshold is the same as or different from the first preset threshold that determines that the data carried in the extended VPN tunnel meets the conditions of the extended VPN tunnel.
以上所述,仅为本申请的具体实施例,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above are only specific examples of this application, but the scope of protection of this application is not limited to this, any person skilled in the art can easily think of changes or replacements within the technical scope disclosed in this application. It should be covered by the scope of protection of this application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

  1. A method for creating a tunnel, the method comprising:
    in an initial negotiation phase for a key, determining, according to interaction information of the initial negotiation phase, that a message receiver has the capability to create an extended virtual private network (VPN) tunnel;
    when data carried in the extended VPN tunnel meets a condition for an extended VPN tunnel, extracting from a current user packet feature information used to create the extended VPN tunnel;
    generating, according to the feature information, an extension code used to create the extended VPN tunnel; and
    creating the extended VPN tunnel according to the extension code.
  2. The method according to claim 1, further comprising:
    detecting the data traffic carried in the extended VPN tunnel to obtain a detection result; and
    when the detection result indicates that the data traffic has reached a first preset traffic threshold, determining that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
  3. The method according to claim 1, wherein, in the initial negotiation phase for the key, determining according to the interaction information of the initial negotiation phase that the message receiver has the capability to create the extended VPN tunnel comprises:
    extracting capability negotiation information from the interaction information of the initial negotiation phase to obtain an extraction result; and
    when the extraction result indicates that the capability negotiation information was successfully extracted from the interaction information of the initial negotiation phase, determining that the message receiver has the capability to create the extended VPN tunnel.
  4. The method according to claim 1, wherein the feature information comprises: information other than 5-tuple information that is used to create the extended VPN tunnel;
    wherein the 5-tuple information comprises: a source IP address, a source port, a destination IP address, a destination port, and a transport-layer protocol number.
  5. The method according to claim 1, wherein creating the extended VPN tunnel according to the extension code comprises:
    in a second negotiation phase for the key, loading the extension code into an extension field of a traffic selector (TS) payload;
    sending interaction information carrying the extension code to the message receiver;
    receiving response information from the message receiver for the interaction information of the second negotiation phase; and
    when it is determined that the response information contains the extension code, determining that creation of the extended VPN tunnel is complete.
  6. The method according to claim 1, wherein creating the extended VPN tunnel according to the extension code comprises:
    in a second negotiation phase for the key, sending interaction information carrying notification payload information to the message receiver;
    receiving a response message sent by the message receiver for the interaction information carrying the notification payload information; and
    when it is determined that the response message carries the notification payload information, creating the extended VPN tunnel according to the extension code carried in the notification payload information.
  7. The method according to claim 1, wherein after creating the extended VPN tunnel according to the extension code, the method further comprises:
    detecting traffic data of the extended VPN tunnel to obtain a detection result; and
    when the detection result indicates that the traffic data of the extended VPN tunnel is less than a second preset traffic threshold, reclaiming the extended VPN tunnel.
  8. The method according to claim 7, wherein the second preset threshold is the same as or different from the first preset threshold used to determine that the data carried in the extended VPN tunnel meets the condition for an extended VPN tunnel.
  9. A device for creating a tunnel, the device comprising:
    a determining unit, configured to determine, in an initial negotiation phase for a key and according to interaction information of the initial negotiation phase, that a message receiver has the capability to create an extended VPN tunnel;
    an extracting unit, configured to extract, from a current user packet, feature information used to create the extended VPN tunnel when data carried in the extended VPN tunnel meets a condition for an extended VPN tunnel;
    a generating unit, configured to generate, according to the feature information, an extension code used to create the extended VPN tunnel; and
    a creating unit, configured to create the extended VPN tunnel according to the extension code.
  10. A device for creating a tunnel, the device comprising: a memory and a processor;
    wherein the memory is configured to store a computer program that can run on the processor; and
    the processor is configured to execute, when running the computer program, the steps of the method according to any one of claims 1 to 8.
  11. A computer-readable storage medium on which a computer program is stored, wherein, when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 8 are implemented.
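The negotiation that claims 1 to 8 (and the storage-medium embodiment above) describe, as an added Python simulation that is not the patent's implementation: the capability marker, both threshold values, the layout of the TS payload's extension field, the sample packet and the SHA-256-based extension-code derivation are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed values for the simulation; the patent does not fix any of them.
CAPABILITY_MARKER = "EXT_VPN_TUNNEL_CAP"  # capability negotiation info, phase 1
FIRST_THRESHOLD = 1_000_000   # bytes: create the extended tunnel at/above this
SECOND_THRESHOLD = 100_000    # bytes: reclaim the extended tunnel below this
FIVE_TUPLE = {"src_ip", "src_port", "dst_ip", "dst_port", "proto"}

# Constructed sample user packet; the non-5-tuple fields are the feature info.
SAMPLE_PACKET = {"src_ip": "10.0.0.1", "src_port": 40000, "dst_ip": "10.0.0.2",
                 "dst_port": 443, "proto": 6, "dscp": 46, "app_id": "voip"}


@dataclass
class TunnelState:
    peer_capable: bool = False
    extended: bool = False
    ext_code: Optional[str] = None


def peer_supports_extended_tunnel(init_exchange: dict) -> bool:
    """Phase 1 (claim 3): capability info extracted -> receiver is capable."""
    return CAPABILITY_MARKER in init_exchange.get("capabilities", [])


def extract_feature_info(packet: dict) -> dict:
    """Feature info is everything in the user packet except the 5-tuple (claim 4)."""
    return {k: v for k, v in packet.items() if k not in FIVE_TUPLE}


def make_extension_code(features: dict) -> str:
    """Assumed derivation: truncated SHA-256 over canonicalised feature info."""
    canonical = json.dumps(features, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def capable_responder(msg: dict) -> dict:
    """Receiver that understands the extension field: echoes the code (claim 5)."""
    ext = msg["TS"].get("ext")
    return {"TS": {"ext": ext}} if ext else {"TS": {}}


def phase_two(state: TunnelState, packet: dict, traffic_bytes: int,
              responder: Callable[[dict], dict]) -> TunnelState:
    """Claims 1, 2 and 5: once traffic reaches the first threshold, load the
    extension code into the TS payload's extension field and wait for the echo."""
    if not state.peer_capable or state.extended or traffic_bytes < FIRST_THRESHOLD:
        return state
    code = make_extension_code(extract_feature_info(packet))
    request = {"TS": {"selectors": [packet["src_ip"], packet["dst_ip"]], "ext": code}}
    response = responder(request)
    if response.get("TS", {}).get("ext") == code:   # creation confirmed
        state.extended, state.ext_code = True, code
    return state


def maybe_reclaim(state: TunnelState, traffic_bytes: int) -> TunnelState:
    """Claims 7 and 8: reclaim the tunnel when traffic drops below the second threshold."""
    if state.extended and traffic_bytes < SECOND_THRESHOLD:
        state.extended, state.ext_code = False, None
    return state
```

A receiver that ignores the extension field (pass a responder returning `{"TS": {}}`) never confirms creation, so the initiator keeps the ordinary tunnel, which is the fallback the capability check in phase 1 is meant to make unnecessary.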
PCT/CN2019/107043 2018-10-19 2019-09-20 Method and device for creating tunnel, and storage medium WO2020078164A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811223937.X 2018-10-19
CN201811223937.XA CN111083091B (en) 2018-10-19 2018-10-19 Tunnel creation method, device and storage medium

Publications (1)

Publication Number Publication Date
WO2020078164A1 true WO2020078164A1 (en) 2020-04-23

Family

ID=70284469

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/107043 WO2020078164A1 (en) 2018-10-19 2019-09-20 Method and device for creating tunnel, and storage medium

Country Status (2)

Country Link
CN (1) CN111083091B (en)
WO (1) WO2020078164A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114039798A (en) * 2021-11-30 2022-02-11 绿盟科技集团股份有限公司 Data transmission method and device and electronic equipment
CN114513435A (en) * 2022-01-14 2022-05-17 深信服科技股份有限公司 Method for detecting VPN tunnel, electronic device and storage medium
CN115834529A (en) * 2022-11-23 2023-03-21 浪潮智慧科技有限公司 Remote monitoring method and system for edge equipment

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109104435B (en) * 2018-10-12 2021-04-06 中国科学院上海高等研究院 Method for realizing data in-sequence transmission
CN111884796B (en) * 2020-06-17 2022-03-18 中国电子科技集团公司第三十研究所 Method and system for carrying information based on random number field

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101026516A (en) * 2006-02-22 2007-08-29 迈世亚(北京)科技有限公司 Method for establishing virtual personal network connection
CN101079787A (en) * 2007-07-26 2007-11-28 杭州华三通信技术有限公司 Selection method and device for carrying LSP of VPN
CN101151849A (en) * 2005-03-28 2008-03-26 客得富移动通信股份有限公司 Method for mobile node's connection to virtual private network using mobile IP
US20080183504A1 (en) * 2006-09-14 2008-07-31 Robert D. Highley Point-of-care information entry
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7117530B1 (en) * 1999-12-07 2006-10-03 Watchguard Technologies, Inc. Tunnel designation system for virtual private networks
CN1319336C (en) * 2003-05-26 2007-05-30 华为技术有限公司 Method for building special analog network
CN103067290B (en) * 2012-11-30 2016-06-01 成都卫士通信息产业股份有限公司 The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card
CN103152343B (en) * 2013-03-04 2015-09-16 北京神州绿盟信息安全科技股份有限公司 Set up method and the network equipment in internet security Protocol virtual private network tunnel
CN104104569B (en) * 2013-04-01 2017-08-29 华为技术有限公司 Set up the method and server of vpn tunneling
CN104426735B (en) * 2013-08-30 2018-06-26 中国移动通信集团公司 A kind of method and device for establishing Virtual Private Network connection
CN107786445A (en) * 2016-08-31 2018-03-09 南京中兴软件有限责任公司 The by-pass method and device of a kind of tunnel traffic

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MURESAN, NICOLAE ET AL.: "Remote Monitoring of the Intelligent Buildings Parameters", ACTA TECHNICA NAPOCENSIS, vol. 52, no. 2, 20 February 2011 (2011-02-20) *

Also Published As

Publication number Publication date
CN111083091A (en) 2020-04-28
CN111083091B (en) 2022-08-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19873750

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19873750

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 31/08/2021)