WO2021027035A1 - Network security IPsec acceleration processing method and system - Google Patents

Info

Publication number: WO2021027035A1
Application number: PCT/CN2019/108933
Authority: WO (WIPO (PCT))
Prior art keywords: hardware, data, sender, packet, receiver
Other languages: French (fr), Chinese (zh)
Inventor: 刘刚
Original assignee: 苏州浪潮智能科技有限公司
Priority date: 2019-08-09 (filing date of Chinese application 201910736381.2, cited in the priority claim in the description below)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 47/00 Traffic control in data switching networks
            • H04L 47/10 Flow control; Congestion control
              • H04L 47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
              • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
            • H04L 63/06 ... for supporting key management in a packet data network
              • H04L 63/061 ... for key exchange, e.g. in peer-to-peer networks

Definitions

  • The invention relates to the field of server networks, in particular to a method and system for accelerating network security IPsec (Internet Protocol Security) processing.
  • Purpose of the invention: run the key exchange protocol in software and run the network security service protocol (the per-packet encryption and decryption) in hardware, in parallel, so that the processing speed of network security IPsec rises while the usage of software resources falls and the network bandwidth is used more fully.
  • The network security IPsec acceleration processing method comprises the following steps.
  • Step S1: the first sender's software generates a key exchange IP packet and passes it unmodified (transparent transmission) through the first sender's hardware to the first receiver's hardware. The key exchange IP packet contains the key data and the first IP addresses of both key exchange parties, i.e. the IP address of the first sender and the IP address of the first receiver.
  • Step S2: the second sender's software packages the transmission data into a data IP packet and sends it to the second sender's hardware. The data IP packet contains the transmission data and the second IP addresses of both data transmission parties, i.e. the IP address of the second sender and the IP address of the second receiver; these addresses are the basis for the later decision on whether the data must be encrypted and decrypted.
  • Step S3: determine whether the second IP addresses are present among the first IP addresses, i.e. whether the second sender and second receiver are one of the pairs that performed a key exchange in step S1. If so, go to step S4; otherwise go to step S5.
  • Step S4: on any idle pipeline among the multiple pipelines of the second sender's hardware, encrypt the data IP packet with the target key data that corresponds to this address pair, and send the encrypted data IP packet to the second receiver's hardware, which decrypts it with the same target key data on any idle pipeline among its own multiple pipelines.
  • Step S5: pass the data IP packet unmodified through the second sender's hardware to the second receiver's hardware.
  • Preferably, after step S5 the second receiver's hardware detects the format of the data IP packet it received. A packet in normal IP format is unencrypted, so the pass-through from the second sender's hardware to the second receiver's hardware completed without error. A packet in the network security service protocol format is encrypted, which means an error occurred on the pass-through path, and the packet is discarded.
  • Preferably, a first storage space is reserved for each sender's hardware in the system to hold the state of each of its pipelines, and the pipeline states are written there in real time while the system operates, so the first storage space always holds the latest state of every pipeline. In step S4 the idle pipelines of the second sender's hardware are determined from the states currently stored in the first storage space, and the data IP packet is encrypted on any one of them.
  • Preferably, the first storage space holds one status flag bit per pipeline of the sender's hardware, set up in advance one by one. While the system operates, a pipeline's flag is set to 1 when the pipeline is working and to 0 when it is idle, so the state of every pipeline of each sender's hardware can be read from the flag values stored in the first storage space.
  • Preferably, a second storage space is reserved for each receiver's hardware in the same way, with one status flag bit per pipeline (1 = working, 0 = idle) updated in real time while the system operates; the idle pipeline on which the second receiver's hardware decrypts in step S4 is chosen from the states currently stored in the second storage space.
  • Preferably, a key expiration time is set in advance. Counting from the moment the system starts operating, step S1 (generating the key exchange IP packet in the first sender's software and passing it through the first sender's hardware to the first receiver's hardware) is re-executed every time the key expires; the software re-runs the key exchange protocol, which improves system security.
  • Preferably, the sender's software and the sender's hardware exchange data through a PCIe (Peripheral Component Interconnect Express, a high-speed serial computer expansion bus standard) interface; the application places no particular restriction on the interface used.
  • The invention also provides a network security IPsec acceleration processing system comprising: a key exchange module (1) that performs step S1; a data transmission module (2) that performs step S2; a judgment module (3) that performs step S3 and invokes the data encryption and decryption module (4) if the second IP addresses are found among the first IP addresses, and the transparent transmission module (5) otherwise; a data encryption and decryption module (4) that performs step S4; and a transparent transmission module (5) that performs step S5.
  • Preferably, the system further comprises a time setting module that sets the key expiration time of the system in advance, and a key exchange trigger module that re-executes the key exchange module every time the key expires, counting from the moment the system starts operating.
  • Beneficial effects: the key exchange between a sender and a receiver has low real-time requirements, so this application runs it in software; data transmission between them has high real-time requirements, so this application uses hardware with multiple pipelines for the data transmission, and the pipelines encrypt and decrypt different data IP packets in parallel (the hardware runs the network security service protocol in parallel). This raises the processing speed of network security IPsec, lowers the usage of software resources and increases the usable network bandwidth. The system has the same beneficial effects as the method.
  • FIG. 1 is a flowchart of the network security IPsec acceleration processing method according to an embodiment of the invention; FIG. 2 is a schematic structural diagram of the network security IPsec acceleration processing system according to an embodiment of the invention.
  • On step S1: senders and receivers in the system have different data transmission security requirements. A sender and receiver with low requirements exchange data without any encryption or decryption. A sender and receiver with high requirements (called the first sender and the first receiver) must exchange keys before transmitting data, as the basis for the later encryption and decryption. The first sender's software therefore generates the key exchange IP packet (the software runs the key exchange protocol), hands it to the first sender's hardware, and the hardware passes it through to the first receiver's hardware, which completes the exchange. The key data it carries is used for the subsequent encryption and decryption of data transmitted between these two parties.
  • On step S3: whether the second sender and second receiver are one of the first sender/first receiver pairs of step S1 is decided from the IP addresses. If the first IP addresses of a key exchange pair match the second IP addresses of the data transmission parties, the pair belongs to the key exchange parties and the transmission data must be encrypted and decrypted; otherwise no encryption or decryption is performed.
  • On steps S4 and S5: the sender's hardware and the receiver's hardware are both built with multiple pipelines, so several channels of data can be transmitted, encrypted and decrypted in parallel. When the pair matches, the target key data from the corresponding key exchange IP packet is obtained; the second sender's hardware selects an idle pipeline among its pipelines, encrypts the data IP packet on it with the target key data and sends the result to the second receiver's hardware; the receiver's hardware selects an idle pipeline among its own pipelines and decrypts the packet there with the target key data to recover the transmission data. When the pair does not match, the second sender's hardware passes the packet through unmodified to the second receiver's hardware.
  • Concretely, the second sender's hardware decides whether to encrypt (if the first IP addresses of a key exchange pair match the second IP addresses of the data transmission parties the data is encrypted, otherwise it is passed through) and the second receiver's hardware decides whether to decrypt. Because the receiver's hardware receives both encrypted and unencrypted data IP packets, it first unpacks the packet to obtain the second IP addresses of both data transmission parties, then decrypts if they match the first IP addresses of a key exchange pair and otherwise does not.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network security IPsec acceleration processing method. The key exchange process between a sender and a receiver has low real-time requirements; therefore software is used in the present application to run the key exchange protocol. The data transmission process between the sender and the receiver has high real-time requirements; therefore hardware having a plurality of pipelines is used to complete the data transmission process, and in this process the plurality of pipelines can complete the encryption and decryption of different data IP packets in parallel (i.e., the hardware runs the network security service protocol in parallel), thereby improving the processing speed of network security IPsec, reducing the utilization of software resources and improving the network bandwidth. Also disclosed is a network security IPsec acceleration processing system, which has the same beneficial effects as the acceleration processing method.

Description

A method and system for accelerating network security IPsec processing

This application claims the priority of Chinese patent application No. 201910736381.2, filed with the Chinese Patent Office on August 9, 2019 and entitled "A method and system for accelerating network security IPsec processing", the entire content of which is incorporated herein by reference.

Technical field

The invention relates to the field of server networks, in particular to a method and system for accelerating network security IPsec processing.

Background

In the field of server networks, network security is becoming more and more important. At present IPsec (Internet Protocol Security) is usually run at the software level to provide network security, i.e. the key exchange between sender and receiver and the encryption and decryption of the transmitted data are all performed in software. Because software executes serially, the processing speed of network security IPsec is slow; it also occupies a large amount of software resources and cannot make effective use of the network bandwidth.

Therefore, how to provide a solution to the above technical problem is a problem that those skilled in the art currently need to solve.

Summary of the invention

The purpose of the present invention is to provide a method and system for accelerating network security IPsec processing, which run the key exchange protocol in software and run the network security service protocol in hardware in parallel, thereby increasing the processing speed of network security IPsec, reducing the usage of software resources and increasing the network bandwidth.

To solve the above technical problem, the present invention provides a network security IPsec acceleration processing method, comprising:

using first sender software to generate a key exchange IP packet, and transparently transmitting the key exchange IP packet through first sender hardware to first receiver hardware; wherein the key exchange IP packet includes key data and the first IP addresses of both key exchange parties;

using second sender software to perform IP packaging on transmission data to obtain a data IP packet, and sending the data IP packet to second sender hardware; wherein the data IP packet includes the transmission data and the second IP addresses of both data transmission parties;

determining whether the second IP addresses are present among the first IP addresses;

if so, encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware, and sending the encrypted data IP packet to second receiver hardware, so as to decrypt the data IP packet with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware;

if not, transparently transmitting the data IP packet directly through the second sender hardware to the second receiver hardware.

Preferably, after the data IP packet is transparently transmitted directly through the second sender hardware to the second receiver hardware, the network security IPsec acceleration processing method further comprises:

detecting the format of the data IP packet received by the second receiver hardware;

when the format of the data IP packet is the network security service protocol format, discarding the data IP packet.

Preferably, the network security IPsec acceleration processing method further comprises:

reserving, for the sender hardware in the system, a first storage space for storing the state of each pipeline of the sender hardware;

while the system is operating, storing the state of each pipeline of the sender hardware in the first storage space in real time;

correspondingly, the process of encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware comprises:

determining the idle pipelines of the second sender hardware according to the states of the pipelines of the second sender hardware currently stored in the first storage space;

encrypting the data IP packet with the corresponding target key data on any idle pipeline of the second sender hardware.

Preferably, the process of reserving, for the sender hardware in the system, a first storage space for storing the state of each pipeline of the sender hardware and, while the system is operating, storing the state of each pipeline of the sender hardware in the first storage space in real time comprises:

setting a status flag bit in advance for each pipeline of the sender hardware in the system, one per pipeline, and storing the flag bits in the first storage space reserved for the sender hardware;

while the system is operating, setting the status flag bit of a pipeline of the sender hardware to 1 when that pipeline is in the working state, and to 0 when that pipeline is in the idle state.

Preferably, the network security IPsec acceleration processing method further comprises:

reserving, for the receiver hardware in the system, a second storage space for storing the state of each pipeline of the receiver hardware;

while the system is operating, storing the state of each pipeline of the receiver hardware in the second storage space in real time;
相应的,所述在所述第二接收方硬件的多条流水线中任一条空闲流水线上,利用所述目标密钥数据解密所述数据IP包的过程,包括:Correspondingly, the process of using the target key data to decrypt the data IP packet on any one of the idle pipelines among the multiple pipelines of the second receiver hardware includes:
根据所述第二存储空间当前存储的所述第二接收方硬件的各流水线状态,确定所述第二接收方硬件的空闲流水线;Determine the idle pipeline of the second receiver's hardware according to each pipeline state of the second receiver's hardware currently stored in the second storage space;
在所述第二接收方硬件的任一条空闲流水线上,利用所述目标密钥数据解密所述数据IP包。Use the target key data to decrypt the data IP packet on any idle pipeline of the second receiver hardware.
优选地,所述为系统中接收方硬件预留用于存储所述接收方硬件的各流水线状态的第二存储空间;在所述系统运作时,实时将所述接收方硬件的各流水线状态存储至所述第二存储空间的过程,包括:Preferably, the second storage space reserved for the receiver hardware in the system for storing the pipeline states of the receiver hardware; while the system is operating, the pipeline states of the receiver hardware are stored in real time The process to the second storage space includes:
预先为系统中接收方硬件的各流水线一一设置状态标志位,并将其存储至为所述接收方硬件预留的第二存储空间;Pre-set status flag bits for each pipeline of the receiver hardware in the system one by one, and store them in the second storage space reserved for the receiver hardware;
在所述系统运作时,当所述接收方硬件的任一流水线处于工作状态时,将此流水线对应的状态标志位置1;当所述接收方硬件的任一流水线处于空闲状态时,将此流水线对应的状态标志位置0。When the system is operating, when any pipeline of the receiver's hardware is in the working state, the status flag corresponding to this pipeline is set to 1; when any pipeline of the receiver's hardware is in an idle state, the pipeline The corresponding status flag position is 0.
优选地,所述网络安全IPsec的加速处理方法还包括:Preferably, the accelerated processing method of network security IPsec further includes:
预先设置系统的密钥到期时间;Pre-set the key expiration time of the system;
从所述系统运作时开始,每隔所述密钥到期时间,均重新执行所述利用第一发送方软件生成密钥交换IP包,并将所述密钥交换IP包经第一发送方硬件透传至第一接收方硬件的步骤。Starting from the operation of the system, at intervals of the expiration time of the key, re-execute the use of the first sender software to generate a key exchange IP packet, and pass the key exchange IP packet to the first sender The step of transparently transmitting the hardware to the hardware of the first receiver.
优选地,发送方软件与发送方硬件之间通过PCIE接口进行数据传输。Preferably, data transmission is performed between the sender's software and the sender's hardware through a PCIE interface.
为解决上述技术问题,本发明还提供了一种网络安全IPsec的加速处理系统,包括:In order to solve the above technical problems, the present invention also provides a network security IPsec accelerated processing system, including:
密钥交换模块,用于利用第一发送方软件生成密钥交换IP包,并将所述密钥交换IP包经第一发送方硬件透传至第一接收方硬件;其中,所述密钥交换IP包包括密钥数据及密钥交换双方的第一IP地址;The key exchange module is used to generate a key exchange IP packet by using the software of the first sender, and transparently transmit the key exchange IP packet to the hardware of the first receiver through the hardware of the first sender; wherein, the key The exchanged IP packet includes key data and the first IP addresses of both parties in the key exchange;
数据传输模块,用于利用第二发送方软件对传输数据进行IP打包处理得到数据IP包,并将所述数据IP包发送至第二发送方硬件;其中,所述数据IP包包括传输数据及数据传输双方的第二IP地址;The data transmission module is configured to use the second sender software to perform IP packet processing on the transmission data to obtain a data IP packet, and send the data IP packet to the second sender hardware; wherein, the data IP packet includes transmission data and The second IP address of the data transmission parties;
判断模块,用于判断所述第一IP地址中是否存在所述第二IP地址;若是,则执行数据加解密模块;若否,则执行透传模块;The judging module is used to judge whether the second IP address exists in the first IP address; if so, execute the data encryption and decryption module; if not, execute the transparent transmission module;
所述数据加解密模块,用于在所述第二发送方硬件的多条流水线中任一条空闲流水线上,利用所对应的目标密钥数据加密所述数据IP包,并将加密后的数据IP包发送至第二接收方硬件,以在所述第二接收方硬件的多条流水线中任一条空闲流水线上,利用所述目标密钥数据解密所述数据IP包;The data encryption and decryption module is configured to use the corresponding target key data to encrypt the data IP packet on any idle pipeline among the multiple pipelines of the second sender hardware, and to encrypt the encrypted data IP The packet is sent to the second receiver's hardware to decrypt the data IP packet using the target key data on any idle pipeline among the multiple pipelines of the second receiver's hardware;
所述透传模块,用于将所述数据IP包直接经所述第二发送方硬件透传至所述第二接收方硬件。The transparent transmission module is configured to transparently transmit the data IP packet directly to the second receiver hardware through the second sender hardware.
优选地,所述网络安全IPsec的加速处理系统还包括:Preferably, the network security IPsec accelerated processing system further includes:
时间设置模块,用于预先设置系统的密钥到期时间;Time setting module, used to set the key expiration time of the system in advance;
密钥交换触发模块,用于从所述系统运作时开始,每隔所述密钥到期时间,均重新执行所述密钥交换模块。The key exchange trigger module is configured to re-execute the key exchange module every time the key expires from the time the system is operating.
本发明提供了一种网络安全IPsec的加速处理方法,由于发送方与接收方的密钥交换过程对实时性要求低,所以本申请采用软件运行密钥交换协议;由于发送方与接收方的数据传输过程对实时性要求高,所以本申请采用具有多条流水线的硬件完成数据传输过程,并在此过程中可以多条流水线的方式并行完成不同数据IP包的加解密过程(即采用硬件并行运行网络安全服务协议),从而提高了网络安全IPsec的处理速度,同时减少了软件资源的使用率,且提高了网络带宽。The present invention provides an accelerated processing method for network security IPsec. Because the key exchange process between the sender and the receiver has low real-time requirements, this application uses software to run the key exchange protocol; because the data between the sender and the receiver The transmission process requires high real-time performance, so this application uses hardware with multiple pipelines to complete the data transmission process, and in this process, multiple pipelines can be used to complete the encryption and decryption process of different data IP packets in parallel (that is, hardware parallel operation is used Network Security Service Protocol), thereby improving the processing speed of network security IPsec, reducing the utilization rate of software resources, and increasing network bandwidth.
本发明还提供了一种网络安全IPsec的加速处理系统,与上述加速处 理方法具有相同的有益效果。The present invention also provides a network security IPsec accelerated processing system, which has the same beneficial effects as the aforementioned accelerated processing method.
Description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the prior art and the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
FIG. 1 is a flowchart of a network security IPsec acceleration processing method provided by an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a network security IPsec acceleration processing system provided by an embodiment of the present invention.
Detailed description
The core of the present invention is to provide a network security IPsec acceleration processing method and system that run the key exchange protocol in software and run the network security service protocol in parallel in hardware, thereby raising the processing speed of network security IPsec, reducing the utilization of software resources, and increasing network bandwidth.
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Please refer to FIG. 1, which is a flowchart of a network security IPsec acceleration processing method provided by an embodiment of the present invention.
The network security IPsec acceleration processing method includes:
Step S1: generating a key exchange IP packet with first sender software and passing the key exchange IP packet straight through first sender hardware to first receiver hardware; wherein the key exchange IP packet includes key data and the first IP addresses of both parties to the key exchange.
Specifically, different senders and receivers in the system have different requirements for data transmission security. For a sender and receiver with higher data transmission security requirements, the transmitted data must be encrypted and decrypted between them; for a sender and receiver with lower requirements, no encryption or decryption of the transmitted data is needed. It will be understood that a sender and receiver with higher data transmission security requirements (called the first sender and the first receiver) must exchange keys before transmitting data, laying the foundation for the subsequent encryption and decryption of the transmitted data.
Considering that the key exchange process between the first sender (first sender software + first sender hardware) and the first receiver (first receiver software + first receiver hardware) in the system has low real-time requirements, this application uses the first sender software to generate a key exchange IP packet that includes the key data and the first IP (Internet Protocol) addresses of both parties to the key exchange (that is, the key exchange protocol is run by software). Here, the key data is used for the subsequent encryption and decryption of data transmitted between the first sender and the first receiver; the first IP addresses of both parties to the key exchange comprise the IP address of the first sender and the IP address of the first receiver.
After the key exchange IP packet has been generated by the first sender software, it is sent to the first sender hardware and passed straight through the first sender hardware to the first receiver hardware, completing the key exchange.
Step S2: IP-packetizing transmission data with second sender software to obtain a data IP packet, and sending the data IP packet to second sender hardware; wherein the data IP packet includes the transmission data and the second IP addresses of both parties to the data transmission.
Specifically, when data is transmitted between a sender and a receiver in the system (called the second sender and the second receiver), the second sender software first IP-packetizes the transmission data to obtain a data IP packet that includes the transmission data and the second IP addresses of both parties to the data transmission, and then sends the data IP packet to the second sender hardware. The second IP addresses of both parties comprise the second IP address of the second sender and the second IP address of the second receiver, laying the foundation for the subsequent determination of whether the transmitted data needs encryption and decryption.
Step S3: judging whether the second IP addresses are present among the first IP addresses; if so, executing step S4; if not, executing step S5.
Specifically, it will be understood that if the second sender and the second receiver are the first sender and the first receiver mentioned in step S1, the transmitted data subsequently needs to be encrypted and decrypted; if the second sender and the second receiver are not the first sender and the first receiver mentioned in step S1, no subsequent encryption or decryption of the transmitted data is needed.
On this basis, this application determines whether the second sender and the second receiver are the first sender and the first receiver mentioned in step S1, specifically by IP address: if the second IP addresses of both parties to the data transmission can be matched among the first IP addresses of both parties to the key exchange, the second sender and the second receiver are the first sender and the first receiver mentioned in step S1; otherwise, they are not.
Step S4: encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware, and sending the encrypted data IP packet to the second receiver hardware, so that the data IP packet is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware.
Specifically, considering that the same sender may transmit data to different receivers, that the same receiver may receive data from different senders, and that the data transmission process between sender and receiver has high real-time requirements, both the sender hardware and the receiver hardware of this application are hardware with multiple pipelines, which can carry multiple data streams in parallel and encrypt and decrypt those streams in parallel (that is, the network security service protocol is run in parallel by hardware).
It will be understood that when the second sender and the second receiver are the first sender and the first receiver mentioned in step S1, the transmitted data needs to be encrypted and decrypted. Specifically, because the second sender and the second receiver have exchanged keys, the target key data in the key exchange IP packet corresponding to the second sender and the second receiver can be obtained. When the second sender transmits data to the second receiver, an idle pipeline is selected from the multiple pipelines of the second sender hardware, the data IP packet is encrypted with the obtained target key data on that idle pipeline, and the encrypted data IP packet is then sent to the second receiver hardware.
When the second receiver hardware receives the encrypted data IP packet, it selects an idle pipeline from its multiple pipelines and decrypts the data IP packet with the obtained target key data on that idle pipeline, thereby recovering the transmitted data.
Step S5: passing the data IP packet straight through the second sender hardware to the second receiver hardware.
Specifically, when the second sender and the second receiver are not the first sender and the first receiver mentioned in step S1, no encryption or decryption of the transmitted data is needed, and the data IP packet is simply passed straight through the second sender hardware to the second receiver hardware.
In addition, this application may use the second sender hardware to judge whether the transmitted data is to be encrypted, and the second receiver hardware to judge whether the transmitted data is to be decrypted. For the second sender hardware, if the second IP addresses of both parties to the data transmission can be matched among the first IP addresses of both parties to the key exchange, the transmitted data is encrypted; otherwise it is passed straight through. The second receiver hardware receives both encrypted and unencrypted data IP packets, so it first unpacks the data IP packet to obtain the second IP addresses of both parties to the data transmission; if these can be matched among the first IP addresses of both parties to the key exchange, the transmitted data is decrypted; otherwise no decryption is performed.
The present invention provides a network security IPsec acceleration processing method. Because the key exchange process between sender and receiver has low real-time requirements, this application runs the key exchange protocol in software; because the data transmission process between sender and receiver has high real-time requirements, this application completes the data transmission process with hardware having multiple pipelines, and during that process the encryption and decryption of different data IP packets can be completed in parallel across the multiple pipelines (that is, the network security service protocol is run in parallel in hardware). This raises the processing speed of network security IPsec, reduces the utilization of software resources, and increases network bandwidth.
On the basis of the above embodiment:
As an optional embodiment, after the data IP packet has been passed straight through the second sender hardware to the second receiver hardware, the network security IPsec acceleration processing method further includes:
detecting the format of the data IP packet received by the second receiver hardware;
when the format of the data IP packet is the network security service protocol format, discarding the data IP packet.
Further, considering that an error may occur while the data IP packet is being passed straight through the second sender hardware to the second receiver hardware, causing the second sender hardware to encrypt the data IP packet by mistake and send it to the second receiver hardware, which then cannot decrypt the received data IP packet, this application detects the format of the data IP packet received by the second receiver hardware after the pass-through. If the data IP packet is in the ordinary format, it has not been encrypted, meaning no error occurred during the pass-through; if the data IP packet is in the network security service protocol format, it has been encrypted, meaning an error occurred during the pass-through, and the data IP packet is simply discarded.
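The following is an added example, not code from the patent, showing how the decision of steps S3 to S5 and the optional format check on the pass-through path could be implemented: a lookup of the data packet's (source, destination) pair among the IP-address pairs recorded from the software key exchange, the sender-side choice between encrypt and pass-through, and the receiver-side choice between decrypt, pass-through and drop. The struct layouts, function names and the sample key-exchange table are constructed for this example; the protocol numbers 50 (ESP) and 51 (AH) are the standard IPsec values the receiver can use to recognise the "network security service protocol format".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPPROTO_ESP_NUM 50   /* IP protocol number of IPsec ESP (RFC 4303) */
#define IPPROTO_AH_NUM  51   /* IP protocol number of IPsec AH (RFC 4302) */
#define KEY_LEN 16
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One record kept from a key exchange IP packet (step S1): the first IP
 * addresses of both parties plus the negotiated key data. */
struct kx_entry {
    uint32_t ip_a, ip_b;       /* the two peers; direction does not matter */
    uint8_t  key[KEY_LEN];     /* target key data (constructed sample bytes) */
};

/* Fields of a data IP packet (step S2) that the hardware inspects. */
struct ip_pkt {
    uint32_t src, dst;         /* the second IP addresses of both parties */
    uint8_t  proto;            /* IP protocol field: 50/51 means IPsec format */
};

enum action { ACT_ENCRYPT, ACT_DECRYPT, ACT_PASSTHROUGH, ACT_DROP };

/* Constructed sample: only the pair 10.0.0.1 <-> 10.0.0.2 exchanged keys. */
const struct kx_entry sample_kx[] = {
    { IP4(10, 0, 0, 1), IP4(10, 0, 0, 2), { 0x11, 0x22, 0x33, 0x44 } },
};
const size_t SAMPLE_N = sizeof sample_kx / sizeof sample_kx[0];

/* Step S3: look the (src, dst) pair up among the key-exchange pairs. The
 * match is unordered because one key protects both directions. */
const struct kx_entry *kx_lookup(const struct kx_entry *tbl, size_t n,
                                 uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < n; i++) {
        if ((tbl[i].ip_a == src && tbl[i].ip_b == dst) ||
            (tbl[i].ip_a == dst && tbl[i].ip_b == src))
            return &tbl[i];
    }
    return NULL;
}

/* Second sender hardware: step S4 (encrypt with the entry's key) when a
 * key exists for the pair, otherwise step S5 (pass straight through). */
enum action sender_classify(const struct kx_entry *tbl, size_t n,
                            const struct ip_pkt *p)
{
    return kx_lookup(tbl, n, p->src, p->dst) ? ACT_ENCRYPT : ACT_PASSTHROUGH;
}

/* Second receiver hardware: decrypt when a key exists for the pair. A
 * packet with no key arrived over the pass-through path; if it is in
 * IPsec format it cannot be decrypted here and is discarded. */
enum action receiver_classify(const struct kx_entry *tbl, size_t n,
                              const struct ip_pkt *p)
{
    if (kx_lookup(tbl, n, p->src, p->dst))
        return ACT_DECRYPT;
    if (p->proto == IPPROTO_ESP_NUM || p->proto == IPPROTO_AH_NUM)
        return ACT_DROP;
    return ACT_PASSTHROUGH;
}

int main(void)
{
    static const char *names[] = { "encrypt", "decrypt", "pass-through", "drop" };
    struct ip_pkt keyed = { IP4(10, 0, 0, 1), IP4(10, 0, 0, 2), 6 };
    struct ip_pkt stray = { IP4(10, 0, 0, 9), IP4(10, 0, 0, 2), IPPROTO_ESP_NUM };
    printf("keyed pair at sender: %s\n",
           names[sender_classify(sample_kx, SAMPLE_N, &keyed)]);
    printf("unkeyed IPsec packet at receiver: %s\n",
           names[receiver_classify(sample_kx, SAMPLE_N, &stray)]);
    return 0;
}
```

The drop branch is the defensive half of this design: a packet that carries the IPsec format but has no matching key can only be the mis-encrypted case the text describes, and forwarding it further would hand undecryptable ciphertext to the receiver software. A stricter policy than the page states would also reject a plaintext packet for a pair that does have a key, since such a packet should never appear on a protected path.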
As an optional embodiment, the network security IPsec acceleration processing method further includes:
reserving, for the sender hardware in the system, a first storage space for storing the state of each pipeline of the sender hardware;
while the system is operating, storing the state of each pipeline of the sender hardware in the first storage space in real time;
correspondingly, the process of encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware includes:
determining the idle pipeline of the second sender hardware according to the pipeline states of the second sender hardware currently stored in the first storage space;
encrypting the data IP packet with the corresponding target key data on any idle pipeline of the second sender hardware.
Further, this application may reserve a first storage space for each sender hardware in the system to store the states of the multiple pipelines of that sender hardware. While the system is operating, the states of the multiple pipelines of each sender hardware are updated in the first storage space in real time, so that the first storage space holds the latest states of the multiple pipelines of each sender hardware.
When searching for an idle pipeline among the multiple pipelines of the second sender hardware, the idle pipeline of the second sender hardware can be determined from the states of its multiple pipelines currently stored in the first storage space, laying the foundation for the subsequent selection of an idle pipeline to encrypt the data IP packet.
As an optional embodiment, the process of reserving, for the sender hardware in the system, a first storage space for storing the state of each pipeline of the sender hardware and, while the system is operating, storing the state of each pipeline of the sender hardware in the first storage space in real time, includes:
setting in advance one status flag bit for each pipeline of the sender hardware in the system, and storing the flag bits in the first storage space reserved for the sender hardware;
while the system is operating, when any pipeline of the sender hardware is in the working state, setting the status flag bit corresponding to that pipeline to 1; when any pipeline of the sender hardware is in the idle state, setting the status flag bit corresponding to that pipeline to 0.
Specifically, this application may set one status flag bit for each of the multiple pipelines of each sender hardware in the system and store these status flag bits in the first storage space reserved for that sender hardware. While the system is operating, when any pipeline of a sender hardware is in the working state, the status flag bit corresponding to that pipeline is set to "1"; when any pipeline of a sender hardware is in the idle state, the status flag bit corresponding to that pipeline is set to "0". The states of the multiple pipelines of each sender hardware can thus be determined from the values of the status flag bits stored in the first storage space.
As an optional embodiment, the network security IPsec acceleration processing method further includes:
reserving, for the receiver hardware in the system, a second storage space for storing the state of each pipeline of the receiver hardware;
while the system is operating, storing the state of each pipeline of the receiver hardware in the second storage space in real time;
correspondingly, the process of decrypting the data IP packet with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware includes:
determining the idle pipeline of the second receiver hardware according to the pipeline states of the second receiver hardware currently stored in the second storage space;
decrypting the data IP packet with the target key data on any idle pipeline of the second receiver hardware.
Further, this application may reserve a second storage space for each receiver hardware in the system to store the states of the multiple pipelines of that receiver hardware. While the system is operating, the states of the multiple pipelines of each receiver hardware are updated in the second storage space in real time, so that the second storage space holds the latest states of the multiple pipelines of each receiver hardware.
When searching for an idle pipeline among the multiple pipelines of the second receiver hardware, the idle pipeline of the second receiver hardware can be determined from the states of its multiple pipelines currently stored in the second storage space, laying the foundation for the subsequent selection of an idle pipeline to decrypt the data IP packet.
As an optional embodiment, the process of reserving, for the receiver hardware in the system, a second storage space for storing the state of each pipeline of the receiver hardware and, while the system is operating, storing the state of each pipeline of the receiver hardware in the second storage space in real time, includes:
setting in advance one status flag bit for each pipeline of the receiver hardware in the system, and storing the flag bits in the second storage space reserved for the receiver hardware;
while the system is operating, when any pipeline of the receiver hardware is in the working state, setting the status flag bit corresponding to that pipeline to 1; when any pipeline of the receiver hardware is in the idle state, setting the status flag bit corresponding to that pipeline to 0.
Specifically, this application may set one status flag bit for each of the multiple pipelines of each receiver hardware in the system and store these status flag bits in the second storage space reserved for that receiver hardware. While the system is operating, when any pipeline of a receiver hardware is in the working state, the status flag bit corresponding to that pipeline is set to "1"; when any pipeline of a receiver hardware is in the idle state, the status flag bit corresponding to that pipeline is set to "0". The states of the multiple pipelines of each receiver hardware can thus be determined from the values of the status flag bits stored in the second storage space.
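The following added example, written for this page and not taken from the patent, models the reserved storage space with one status flag bit per pipeline and the idle-pipeline selection it enables. The same code serves the sender-side (first storage space) and receiver-side (second storage space) embodiments above, since both keep identical per-pipeline flags; only which unit owns the word differs. It also covers the case the text leaves implicit: what to return when every pipeline is working. Struct and function names, the 32-pipeline limit and the sample unit are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_PIPELINES 32
#define NO_IDLE_PIPELINE (-1)

/* The reserved storage space for one hardware unit: bit i of `flags` is
 * the status flag bit of pipeline i (1 = working, 0 = idle). A sender
 * unit's word is its "first storage space", a receiver's its "second". */
struct pipeline_status {
    uint32_t flags;
    unsigned n_pipelines;
};

void status_init(struct pipeline_status *s, unsigned n)
{
    s->n_pipelines = n > MAX_PIPELINES ? MAX_PIPELINES : n;
    s->flags = 0;                      /* every pipeline starts idle */
}

/* Hardware reports that pipeline i has entered the working state. */
void pipeline_set_busy(struct pipeline_status *s, unsigned i)
{
    if (i < s->n_pipelines) s->flags |= (uint32_t)1 << i;
}

/* Hardware reports that pipeline i has finished and is idle again. */
void pipeline_set_idle(struct pipeline_status *s, unsigned i)
{
    if (i < s->n_pipelines) s->flags &= ~((uint32_t)1 << i);
}

bool pipeline_is_idle(const struct pipeline_status *s, unsigned i)
{
    return i < s->n_pipelines && ((s->flags >> i) & 1u) == 0;
}

/* Number of pipelines currently working, useful for spotting saturation. */
unsigned pipelines_busy(const struct pipeline_status *s)
{
    unsigned n = 0;
    for (unsigned i = 0; i < s->n_pipelines; i++) n += (s->flags >> i) & 1u;
    return n;
}

/* Pick any idle pipeline from the current flags; lowest index first. */
int find_idle_pipeline(const struct pipeline_status *s)
{
    for (unsigned i = 0; i < s->n_pipelines; i++)
        if (pipeline_is_idle(s, i)) return (int)i;
    return NO_IDLE_PIPELINE;
}

/* Claim an idle pipeline for one packet's encrypt or decrypt operation and
 * mark it working. Returns the pipeline index, or NO_IDLE_PIPELINE when
 * every pipeline is busy, in which case the packet must be queued rather
 * than forced onto a pipeline still processing another packet. */
int pipeline_claim(struct pipeline_status *s)
{
    int i = find_idle_pipeline(s);
    if (i != NO_IDLE_PIPELINE) pipeline_set_busy(s, (unsigned)i);
    return i;
}

int main(void)
{
    struct pipeline_status tx;         /* a sender unit with four pipelines */
    status_init(&tx, 4);
    for (int k = 0; k < 5; k++)
        printf("claim %d -> pipeline %d\n", k, pipeline_claim(&tx));
    pipeline_set_idle(&tx, 2);
    printf("after releasing 2 -> pipeline %d (busy=%u)\n",
           pipeline_claim(&tx), pipelines_busy(&tx));
    return 0;
}
```

In a real device the read-then-set in `pipeline_claim` has to be atomic with respect to the hardware that clears flags, otherwise two dispatchers can select the same pipeline between the read and the write; a single read-modify-write on the status word, or letting the hardware itself perform the claim, closes that window.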
As an optional embodiment, the network security IPsec acceleration processing method further includes:
presetting a key expiration time for the system;
starting from when the system begins operating, at every key expiration time, re-executing the step of generating a key exchange IP packet with the first sender software and passing the key exchange IP packet straight through the first sender hardware to the first receiver hardware.
Further, considering that the security of data transmission between sender and receiver decreases once a certain time has passed since the key exchange, this application sets a key expiration time in advance; starting from when the system begins operating, at every key expiration time, the step of generating a key exchange IP packet with the first sender software and passing it straight through the first sender hardware to the first receiver hardware is re-executed, that is, the software re-runs the key exchange protocol, thereby improving system security.
As an optional embodiment, data is transferred between the sender software and the sender hardware through a PCIe interface.
Specifically, in each sender of the system, the sender software and the sender hardware may transfer data through, but not limited to, a PCIe (Peripheral Component Interconnect Express, a high-speed serial computer expansion bus standard) interface; this application does not specifically limit the interface.
Please refer to FIG. 2, which is a schematic structural diagram of an accelerated processing system for network security IPsec provided by an embodiment of the present invention.
The accelerated processing system for network security IPsec comprises:
a key exchange module 1, configured to generate a key exchange IP packet with the first sender software and transparently transmit the key exchange IP packet to the first receiver hardware via the first sender hardware, where the key exchange IP packet includes key data and the first IP addresses of the two parties to the key exchange;
a data transmission module 2, configured to IP-packetize the transmission data with the second sender software to obtain a data IP packet and send the data IP packet to the second sender hardware, where the data IP packet includes the transmission data and the second IP addresses of the two parties to the data transmission;
a judgment module 3, configured to judge whether the second IP addresses are present among the first IP addresses; if so, the data encryption/decryption module 4 is executed; if not, the transparent transmission module 5 is executed;
a data encryption/decryption module 4, configured to encrypt the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware and send the encrypted data IP packet to the second receiver hardware, so that the data IP packet is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware;
a transparent transmission module 5, configured to transparently transmit the data IP packet directly to the second receiver hardware via the second sender hardware.
As an optional embodiment, the accelerated processing system for network security IPsec further comprises:
a time setting module, configured to preset the key expiration time of the system;
a key exchange trigger module, configured to re-execute the key exchange module at every key expiration time, starting from the time the system begins operating.
For an introduction to the accelerated processing system provided by the present invention, please refer to the embodiments of the accelerated processing method above; the present invention does not repeat them here.
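Modules 1 to 5 above, the key-expiration trigger, and the claim 2 rule that an ESP-format packet arriving on a pass-through path is discarded together describe one dispatch path: key-exchange packets populate a table keyed by the first IP-address pair, a data packet is encrypted only when its second IP-address pair is found in that table, and everything else passes through untouched. The following is an added example in Python, not code from the patent or its assignee, that models that path end to end with both the sender and the receiver hardware. The packet layout, the use of IP protocol number 50 (ESP) as the "network security service protocol format", carrying the key exchange over UDP as IKE does, installing each key for both directions of the pair, and the keystream construction (HMAC-SHA256 in counter mode standing in for the hardware cipher, with no integrity tag, so not a real IPsec transform) are all assumptions. Idle-pipeline selection is a separate mechanism and is left out here.

```python
"""Software model of the patent's dispatch path: key exchange table, encrypt-or-pass-through,
receiver-side drop of ESP-format packets that have no key, and periodic rekeying.

Added example, not code from the patent or its assignee.  Packet layout, protocol
markers, bidirectional key installation and the toy keystream are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number of ESP; assumed "network security service protocol format"
IKE_PROTO = 17  # key exchange carried over UDP, as IKE is (assumption for the model)
KEY_LEN = 32
NONCE_LEN = 8


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks.  Stand-in for the
    hardware cipher only; it provides no integrity protection."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Accelerator:
    """Hardware side: (src, dst) -> key data, filled from key exchange IP packets."""

    def __init__(self) -> None:
        self.keys: dict[tuple[str, str], bytes] = {}
        self.dropped = 0

    def install(self, kx: Packet) -> None:
        # key exchange IP packet = key data + the first IP addresses; stored for both directions (assumption)
        self.keys[(kx.src, kx.dst)] = kx.payload
        self.keys[(kx.dst, kx.src)] = kx.payload

    def egress(self, pkt: Packet) -> Packet:
        """Modules 3, 4, 5 on the sender: encrypt if the second IP addresses are among the
        first IP addresses, otherwise transmit the packet transparently (same object)."""
        key = self.keys.get((pkt.src, pkt.dst))
        if key is None:
            return pkt
        nonce = os.urandom(NONCE_LEN)
        ct = xor(pkt.payload, keystream(key, nonce, len(pkt.payload)))
        # inner protocol number travels with the ciphertext, as the ESP next-header field does
        return Packet(pkt.src, pkt.dst, ESP_PROTO, nonce + bytes([pkt.proto]) + ct)

    def ingress(self, pkt: Packet) -> Packet | None:
        """Receiver: decrypt with the target key; an ESP-format packet for a pair that was
        never key-exchanged is discarded (claim 2); anything else is delivered as-is."""
        key = self.keys.get((pkt.src, pkt.dst))
        if pkt.proto == ESP_PROTO and key is not None:
            nonce, inner, ct = pkt.payload[:NONCE_LEN], pkt.payload[NONCE_LEN], pkt.payload[NONCE_LEN + 1:]
            return Packet(pkt.src, pkt.dst, inner, xor(ct, keystream(key, nonce, len(ct))))
        if pkt.proto == ESP_PROTO:
            self.dropped += 1
            return None
        return pkt


class System:
    """Sender software + hardware and receiver hardware, with the key-expiration trigger."""

    def __init__(self, pairs: list[tuple[str, str]], key_lifetime: float, now: float = 0.0) -> None:
        self.pairs, self.key_lifetime = pairs, key_lifetime
        self.sender_hw, self.receiver_hw = Accelerator(), Accelerator()
        self.next_rekey, self.rekeys = now, 0
        self.tick(now)  # first key exchange when the system starts operating

    def key_exchange(self) -> None:
        """Module 1: software generates the key exchange packet; sender hardware installs it and
        passes it through unchanged; receiver hardware installs it on arrival (assumption)."""
        for src, dst in self.pairs:
            kx = Packet(src, dst, IKE_PROTO, os.urandom(KEY_LEN))
            self.sender_hw.install(kx)
            self.receiver_hw.install(kx)
        self.rekeys += 1

    def tick(self, now: float) -> None:
        """Key exchange trigger: re-run the exchange every key_lifetime seconds since start."""
        while now >= self.next_rekey:
            self.key_exchange()
            self.next_rekey += self.key_lifetime

    def send(self, pkt: Packet, now: float) -> Packet | None:
        self.tick(now)
        return self.receiver_hw.ingress(self.sender_hw.egress(pkt))


if __name__ == "__main__":
    # constructed sample traffic: one key-exchanged pair and one unrelated destination
    sys_ = System([("10.0.0.1", "10.0.0.2")], key_lifetime=60.0)
    print(sys_.send(Packet("10.0.0.1", "10.0.0.2", 6, b"hello"), now=1.0))
    print(sys_.send(Packet("10.0.0.1", "10.0.0.9", 6, b"plain"), now=2.0))
    print(sys_.send(Packet("10.0.0.1", "10.0.0.9", ESP_PROTO, bytes(16)), now=3.0), sys_.receiver_hw.dropped)
```

The claim 2 check in ingress() is the one a practitioner should care about: without it, an attacker could inject ESP-looking packets for an address pair that never negotiated keys and have them delivered as if they had been protected. Note also what the model does not do: a plaintext packet for a pair that does have a key is delivered unchanged, because the patent does not specify that case; a production accelerator should reject it.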
It should also be noted that, in this specification, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises that element.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

  1. An accelerated processing method for network security IPsec, characterized by comprising:
    generating a key exchange IP packet with first sender software and transparently transmitting the key exchange IP packet to first receiver hardware via first sender hardware, where the key exchange IP packet includes key data and the first IP addresses of the two parties to the key exchange;
    IP-packetizing transmission data with second sender software to obtain a data IP packet and sending the data IP packet to second sender hardware, where the data IP packet includes the transmission data and the second IP addresses of the two parties to the data transmission;
    judging whether the second IP addresses are present among the first IP addresses;
    if so, encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware and sending the encrypted data IP packet to second receiver hardware, so that the data IP packet is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware;
    if not, transparently transmitting the data IP packet directly to the second receiver hardware via the second sender hardware.
  2. The accelerated processing method for network security IPsec according to claim 1, characterized in that, after the data IP packet is transparently transmitted directly to the second receiver hardware via the second sender hardware, the method further comprises:
    detecting the format of the data IP packet received by the second receiver hardware;
    when the format of the data IP packet is a network security service protocol format, discarding the data IP packet.
  3. The accelerated processing method for network security IPsec according to claim 1, characterized in that the method further comprises:
    reserving, for sender hardware in the system, a first storage space for storing the state of each pipeline of the sender hardware;
    while the system is operating, storing the state of each pipeline of the sender hardware to the first storage space in real time;
    correspondingly, the process of encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware comprises:
    determining an idle pipeline of the second sender hardware according to the state of each pipeline of the second sender hardware currently stored in the first storage space;
    encrypting the data IP packet with the corresponding target key data on any idle pipeline of the second sender hardware.
  4. The accelerated processing method for network security IPsec according to claim 3, characterized in that the process of reserving, for sender hardware in the system, the first storage space for storing the state of each pipeline of the sender hardware, and of storing the state of each pipeline of the sender hardware to the first storage space in real time while the system is operating, comprises:
    setting a status flag bit in advance for each pipeline of the sender hardware in the system, one flag per pipeline, and storing the flags in the first storage space reserved for the sender hardware;
    while the system is operating, setting the status flag bit of any pipeline of the sender hardware to 1 when that pipeline is working, and to 0 when that pipeline is idle.
  5. The accelerated processing method for network security IPsec according to claim 1, characterized in that the method further comprises:
    reserving, for receiver hardware in the system, a second storage space for storing the state of each pipeline of the receiver hardware;
    while the system is operating, storing the state of each pipeline of the receiver hardware to the second storage space in real time;
    correspondingly, the process of decrypting the data IP packet with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware comprises:
    determining an idle pipeline of the second receiver hardware according to the state of each pipeline of the second receiver hardware currently stored in the second storage space;
    decrypting the data IP packet with the target key data on any idle pipeline of the second receiver hardware.
  6. The accelerated processing method for network security IPsec according to claim 5, characterized in that the process of reserving, for receiver hardware in the system, the second storage space for storing the state of each pipeline of the receiver hardware, and of storing the state of each pipeline of the receiver hardware to the second storage space in real time while the system is operating, comprises:
    setting a status flag bit in advance for each pipeline of the receiver hardware in the system, one flag per pipeline, and storing the flags in the second storage space reserved for the receiver hardware;
    while the system is operating, setting the status flag bit of any pipeline of the receiver hardware to 1 when that pipeline is working, and to 0 when that pipeline is idle.
  7. The accelerated processing method for network security IPsec according to any one of claims 1 to 6, characterized in that the method further comprises:
    presetting a key expiration time for the system;
    starting from the time the system begins operating, re-executing, at every key expiration time, the step of generating the key exchange IP packet with the first sender software and transparently transmitting the key exchange IP packet to the first receiver hardware via the first sender hardware.
  8. The accelerated processing method for network security IPsec according to claim 7, characterized in that data is transferred between the sender software and the sender hardware through a PCIe interface.
  9. An accelerated processing system for network security IPsec, characterized by comprising:
    a key exchange module, configured to generate a key exchange IP packet with first sender software and transparently transmit the key exchange IP packet to first receiver hardware via first sender hardware, where the key exchange IP packet includes key data and the first IP addresses of the two parties to the key exchange;
    a data transmission module, configured to IP-packetize transmission data with second sender software to obtain a data IP packet and send the data IP packet to second sender hardware, where the data IP packet includes the transmission data and the second IP addresses of the two parties to the data transmission;
    a judgment module, configured to judge whether the second IP addresses are present among the first IP addresses; if so, the data encryption/decryption module is executed; if not, the transparent transmission module is executed;
    the data encryption/decryption module, configured to encrypt the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware and send the encrypted data IP packet to second receiver hardware, so that the data IP packet is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware;
    the transparent transmission module, configured to transparently transmit the data IP packet directly to the second receiver hardware via the second sender hardware.
  10. The accelerated processing system for network security IPsec according to claim 9, characterized in that the system further comprises:
    a time setting module, configured to preset the key expiration time of the system;
    a key exchange trigger module, configured to re-execute the key exchange module at every key expiration time, starting from the time the system begins operating.
PCT/CN2019/108933 2019-08-09 2019-09-29 Network security ipsec acceleration processing method and system WO2021027035A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910736381.2 2019-08-09
CN201910736381.2A CN110535834B (en) 2019-08-09 2019-08-09 Accelerated processing method and system for network security IPsec

Publications (1)

Publication Number Publication Date
WO2021027035A1 true WO2021027035A1 (en) 2021-02-18

Family

ID=68662396

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/108933 WO2021027035A1 (en) 2019-08-09 2019-09-29 Network security ipsec acceleration processing method and system

Country Status (2)

Country Link
CN (1) CN110535834B (en)
WO (1) WO2021027035A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535834B (en) * 2019-08-09 2021-11-09 苏州浪潮智能科技有限公司 Accelerated processing method and system for network security IPsec

Citations (6)

Publication number Priority date Publication date Assignee Title
US20040153643A1 (en) * 2002-11-25 2004-08-05 Siemens Aktiengesellschaft Method and system for encrypting transmissions of communication data streams via a packet-oriented communication network
CN105704122A (en) * 2016-01-08 2016-06-22 北京北方烽火科技有限公司 Route encryption system
CN106169952A (en) * 2016-09-06 2016-11-30 杭州迪普科技有限公司 Authentication method that a kind of internet IKMP is heavily consulted and device
CN107172072A (en) * 2017-06-09 2017-09-15 中国电子科技集团公司第四十研究所 A kind of IPSec data flow high speeds processing system and method based on FPGA
CN108173652A (en) * 2018-02-12 2018-06-15 武汉三江航天网络通信有限公司 IPSec VPN cipher machines based on quantum key distribution
CN110535834A (en) * 2019-08-09 2019-12-03 苏州浪潮智能科技有限公司 A kind of accelerated processing method and system of network security IPsec

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN102724173A (en) * 2011-07-28 2012-10-10 北京天地互连信息技术有限公司 System and method for realizing IKEv2 protocol in MIPv6 environment
CN102263794B (en) * 2011-08-25 2013-10-23 北京星网锐捷网络技术有限公司 Security processing method, device, processing chip and network equipment

Also Published As

Publication number Publication date
CN110535834B (en) 2021-11-09
CN110535834A (en) 2019-12-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19941662; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19941662; Country of ref document: EP; Kind code of ref document: A1)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 26/10/2022)