WO2021027035A1 - Network security ipsec acceleration processing method and system - Google Patents
- Publication number: WO2021027035A1
- Application number: PCT/CN2019/108933 (CN2019108933W)
- Authority: WO (WIPO, PCT)
- Prior art keywords: hardware, data, sender, packet, receiver
Classifications
- H: ELECTRICITY; H04: ELECTRIC COMMUNICATION TECHNIQUE; H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/32: Traffic control in data switching networks; flow control or congestion control by discarding or delaying data units, e.g. packets or frames (H04L47/00, H04L47/10)
- H04L63/0428: Network architectures or network communication protocols for network security, providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload (H04L63/00, H04L63/04)
- H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/061: Network architectures or network communication protocols for network security, supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks (H04L63/06)
Definitions
- The invention relates to the field of server networks, in particular to a method and system for accelerating network-security IPsec processing.
- IPsec: Internet Protocol Security.
- The purpose of the present invention is to provide a method and system for accelerating network-security IPsec processing, in which software runs the key exchange protocol and hardware runs the network security service protocol in parallel, thereby increasing IPsec processing speed and reducing software resource usage.
- The present invention provides a network-security IPsec acceleration processing method, including:
- using the first sender's software to generate a key exchange IP packet, and transparently transmitting the key exchange IP packet through the first sender's hardware to the first receiver's hardware; wherein the key exchange IP packet includes the key data and the first IP addresses of both parties to the key exchange;
- using the second sender's software to perform IP packaging on the transmission data to obtain a data IP packet, and sending the data IP packet to the second sender's hardware; wherein the data IP packet includes the transmission data and the second IP addresses of both parties to the data transmission;
- determining whether the second IP addresses are present among the first IP addresses;
- if so, encrypting the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender's hardware, and sending the encrypted data IP packet to the second receiver's hardware, so that it is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver's hardware;
- if not, transparently transmitting the data IP packet directly through the second sender's hardware to the second receiver's hardware.
- Optionally, after the data IP packet is transparently transmitted directly through the second sender's hardware to the second receiver's hardware, the method further includes: detecting the format of the data IP packet received by the second receiver's hardware; when the format of the data IP packet is the network security service protocol format, discarding the data IP packet.
- Optionally, the method further includes: reserving, for the sender's hardware in the system, a first storage space for storing the state of each pipeline of the sender's hardware; and, while the system operates, storing the state of each pipeline of the sender's hardware in the first storage space in real time. Correspondingly, encrypting the data IP packet with the corresponding target key data on any idle pipeline of the second sender's hardware includes: determining an idle pipeline of the second sender's hardware from the pipeline states currently stored in the first storage space, and encrypting the data IP packet with the corresponding target key data on that idle pipeline.
- Optionally, reserving the first storage space and storing the pipeline states in it in real time includes: presetting one status flag bit per pipeline of the sender's hardware and storing the flags in the first storage space reserved for that hardware; while the system operates, when any pipeline of the sender's hardware is working, its status flag bit is set to 1, and when any pipeline is idle, its status flag bit is set to 0.
- Optionally, the method further includes: reserving, for the receiver's hardware in the system, a second storage space for storing the state of each pipeline of the receiver's hardware; and, while the system operates, storing the state of each pipeline of the receiver's hardware in the second storage space in real time. Correspondingly, decrypting the data IP packet with the target key data on any idle pipeline of the second receiver's hardware includes: determining an idle pipeline of the second receiver's hardware from the pipeline states currently stored in the second storage space, and decrypting the data IP packet with the target key data on that idle pipeline.
- Optionally, reserving the second storage space and storing the pipeline states in it in real time includes: presetting one status flag bit per pipeline of the receiver's hardware and storing the flags in the second storage space reserved for that hardware; while the system operates, when any pipeline of the receiver's hardware is working, its status flag bit is set to 1, and when any pipeline is idle, its status flag bit is set to 0.
- Optionally, the method further includes: presetting a key expiration time for the system, and, starting from when the system begins operating, re-executing the key exchange step (generating the key exchange IP packet with the first sender's software and transparently transmitting it through the first sender's hardware to the first receiver's hardware) each time the key expiration time elapses.
- Optionally, data transmission between the sender's software and the sender's hardware is performed through a PCIe interface.
- The present invention also provides a network-security IPsec acceleration processing system, including:
- a key exchange module, configured to use the first sender's software to generate a key exchange IP packet and transparently transmit it through the first sender's hardware to the first receiver's hardware; wherein the key exchange IP packet includes the key data and the first IP addresses of both parties to the key exchange;
- a data transmission module, configured to use the second sender's software to perform IP packaging on the transmission data to obtain a data IP packet and send it to the second sender's hardware; wherein the data IP packet includes the transmission data and the second IP addresses of both parties to the data transmission;
- a judging module, configured to determine whether the second IP addresses are present among the first IP addresses; if so, the data encryption and decryption module is executed; if not, the transparent transmission module is executed;
- a data encryption and decryption module, configured to encrypt the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender's hardware, and to send the encrypted data IP packet to the second receiver's hardware, so that it is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver's hardware;
- a transparent transmission module, configured to transparently transmit the data IP packet directly through the second sender's hardware to the second receiver's hardware.
- Optionally, the system further includes: a time setting module, configured to preset the key expiration time of the system; and a key exchange trigger module, configured to re-execute the key exchange module each time the key expiration time elapses, counted from when the system begins operating.
- The present invention provides an acceleration processing method for network-security IPsec. Because the key exchange process between sender and receiver has low real-time requirements, this application runs the key exchange protocol in software; because the data transmission process between sender and receiver has high real-time requirements, this application completes it with hardware that has multiple pipelines, and in this process the multiple pipelines can encrypt and decrypt different data IP packets in parallel (that is, the hardware runs the network security service protocol in parallel), thereby improving IPsec processing speed, reducing the utilization of software resources and increasing network bandwidth.
- The present invention also provides a network-security IPsec acceleration processing system, which has the same beneficial effects as the above method.
- FIG. 1 is a flowchart of a network-security IPsec acceleration processing method according to an embodiment of the present invention.
- FIG. 2 is a schematic structural diagram of a network-security IPsec acceleration processing system according to an embodiment of the present invention.
- The core of the present invention is to provide an acceleration processing method and system for network-security IPsec, in which software runs the key exchange protocol and hardware runs the network security service protocol in parallel, thereby improving IPsec processing speed and reducing software resource usage.
- FIG. 1 is a flowchart of a network security IPsec acceleration processing method according to an embodiment of the present invention.
- The network-security IPsec acceleration processing method includes:
- Step S1: Use the first sender's software to generate a key exchange IP packet, and transparently transmit the key exchange IP packet through the first sender's hardware to the first receiver's hardware; wherein the key exchange IP packet includes the key data and the first IP addresses of both parties to the key exchange.
- Different senders and receivers in the system have different security requirements for data transmission. Between a sender and receiver with high data transmission security requirements, the transmitted data must be encrypted and decrypted; between a sender and receiver with low requirements, there is no need to encrypt and decrypt the transmitted data.
- A sender and receiver that require high data transmission security (called the first sender and the first receiver) must exchange keys before data transmission, laying the foundation for the encryption and decryption of subsequently transmitted data.
- This application uses the first sender's software to generate a key exchange IP packet that includes the key data and the first IP (Internet Protocol) addresses of both parties to the key exchange (that is, the software runs the key exchange protocol).
- The key data is used for subsequent encryption and decryption of the data transmitted between the first sender and the first receiver; the first IP addresses of both parties to the key exchange are the IP address of the first sender and the IP address of the first receiver.
- After the key exchange IP packet is generated by the first sender's software, it is sent to the first sender's hardware, which transparently transmits it to the first receiver's hardware to complete the key exchange.
- Step S2: Use the second sender's software to perform IP packaging on the transmission data to obtain a data IP packet, and send the data IP packet to the second sender's hardware; wherein the data IP packet includes the transmission data and the second IP addresses of both parties to the data transmission.
- When data is transmitted between a sender and receiver in the system (referred to as the second sender and the second receiver), the second sender's software first performs IP packaging on the transmission data to obtain a data IP packet that includes the transmission data and the second IP addresses of both parties to the data transmission; the data IP packet is then sent to the second sender's hardware.
- The second IP addresses of both parties to the data transmission are the IP address of the second sender and the IP address of the second receiver, which are the basis for the subsequent determination of whether the transmitted data needs to be encrypted and decrypted.
- Step S3: Determine whether the second IP addresses are present among the first IP addresses; if so, execute step S4; if not, execute step S5.
- If the second sender and the second receiver are the first sender and the first receiver of step S1, the transmission data needs to be encrypted and decrypted subsequently; if they are not, no encryption or decryption is needed.
- This application therefore determines, based on IP addresses, whether the second sender and the second receiver are the first sender and the first receiver of step S1. If a pair of first IP addresses matches the second IP addresses of both parties to the data transmission, the second sender and the second receiver are the first sender and the first receiver of step S1; otherwise they are not.
- Step S4: On any idle pipeline among the multiple pipelines of the second sender's hardware, encrypt the data IP packet with the corresponding target key data, and send the encrypted data IP packet to the second receiver's hardware, so that it is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver's hardware.
- In this application both the sender's hardware and the receiver's hardware are hardware with multiple pipelines, which can transmit multiple channels of data in parallel and can encrypt and decrypt multiple channels of data in parallel (that is, the hardware runs the network security service protocol in parallel).
- When the second sender and the second receiver are the first sender and the first receiver of step S1, the transmission data must be encrypted and decrypted, and the target key data is obtained from the key exchange IP packet corresponding to the second sender and the second receiver.
- When the second sender transmits data to the second receiver, an idle pipeline is selected from the multiple pipelines of the second sender's hardware, the data IP packet is encrypted with the obtained target key data on that idle pipeline, and the encrypted data IP packet is sent to the second receiver's hardware.
- When the second receiver's hardware receives the encrypted data IP packet, it selects an idle pipeline from its multiple pipelines and decrypts the data IP packet with the obtained target key data on that idle pipeline, thereby obtaining the transmission data.
- Step S5: Transparently transmit the data IP packet directly through the second sender's hardware to the second receiver's hardware.
- When the second sender and the second receiver are not the first sender and the first receiver of step S1, there is no need to encrypt and decrypt the transmission data, and the data IP packet is transparently transmitted directly through the second sender's hardware to the second receiver's hardware.
- In this application, the second sender's hardware determines whether to encrypt the transmission data, and the second receiver's hardware determines whether to decrypt it.
- In the second sender's hardware: if the first IP addresses of the two parties to the key exchange match the second IP addresses of the two parties to the data transmission, the transmitted data is encrypted; otherwise it is transmitted directly.
- The second receiver's hardware receives both encrypted and unencrypted data IP packets, so it first unpacks the data IP packet to obtain the second IP addresses of both parties to the data transmission; if the first IP addresses of the two parties to the key exchange match these second IP addresses, the transmitted data is decrypted; otherwise no decryption is performed.
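The dispatch of steps S1 to S5, as an added example that is not code from the patent or its applicant: a Python model of the software key exchange table, the sender-side and receiver-side IP-pair lookup, the status flag bits of the reserved storage space, and the receiver's discard of a secured-format packet that has no matching key pair. All names (`SaTable`, `PipelinePool`, `sender_hw`, `receiver_hw`, the packet dict fields) are assumed. The packet protection is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for the real ESP transform, which the patent does not specify; IP protocol number 50 (ESP) stands for the "network security service protocol format". The model goes one step beyond the page in one place: an unencrypted packet arriving on a pair that does have key data is dropped, which the patent does not state but which an IPsec "protect" policy requires.

```python
# Added example: software model of the patent's sender/receiver dispatch.
# Not the applicant's code; names, packet layout and the stand-in cipher are assumed.
import hashlib, hmac, os, struct

PROTO_PLAIN = 6     # constructed: "normal format" payload (TCP's IP protocol number)
PROTO_SECURE = 50   # ESP's IP protocol number, standing in for the "network security service protocol format"

class SaTable:
    """Step S1: key data exchanged in software, keyed by the pair of first IP addresses."""
    def __init__(self):
        self._keys = {}

    def exchange(self, ip_a, ip_b):
        self._keys[frozenset((ip_a, ip_b))] = os.urandom(32)   # key data from the software exchange

    def lookup(self, src, dst):
        # Step S3: are the second IP addresses present among the first IP addresses?
        return self._keys.get(frozenset((src, dst)))

class PipelinePool:
    """Status flag bits of the reserved storage space: 1 = working, 0 = idle."""
    def __init__(self, n_pipelines):
        self.flags = [0] * n_pipelines

    def acquire(self):
        i = self.flags.index(0)      # first idle pipeline; ValueError when all are working
        self.flags[i] = 1
        return i

    def release(self, i):
        self.flags[i] = 0

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the real cipher).
    blocks = (hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def protect(key, payload):
    """Encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unprotect(key, blob):
    """Plaintext, or None when the blob is malformed or the tag does not verify."""
    if len(blob) < 28:
        return None
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def sender_hw(sa, pool, pkt):
    """Steps S3/S4/S5 on the second sender's hardware."""
    key = sa.lookup(pkt["src"], pkt["dst"])
    if key is None:
        return pkt                              # S5: pass through unchanged
    lane = pool.acquire()                       # idle pipeline chosen, its flag -> 1
    try:
        body = protect(key, pkt["payload"])     # S4: encrypt with the target key data
    finally:
        pool.release(lane)                      # flag -> 0
    return dict(pkt, proto=PROTO_SECURE, payload=body)

def receiver_hw(sa, pool, pkt):
    """Returns (verdict, packet); verdict is 'decrypted', 'passthrough' or 'discarded'."""
    key = sa.lookup(pkt["src"], pkt["dst"])
    if key is None:
        if pkt["proto"] == PROTO_SECURE:
            return "discarded", None            # secured format, no key pair: claim 2 discard
        return "passthrough", pkt
    if pkt["proto"] != PROTO_SECURE:
        return "discarded", None                # assumption beyond the page: a keyed pair must be protected
    lane = pool.acquire()
    try:
        plain = unprotect(key, pkt["payload"])
    finally:
        pool.release(lane)
    if plain is None:
        return "discarded", None                # tag failure: tampered, truncated or wrong key
    return "decrypted", dict(pkt, proto=PROTO_PLAIN, payload=plain)

def run_demo():
    """Constructed traffic: a keyed pair, an unkeyed pair, a forged packet and a tampered packet."""
    sa = SaTable()
    sa.exchange("10.0.0.1", "10.0.0.2")         # the first sender / first receiver pair
    tx, rx = PipelinePool(4), PipelinePool(4)
    keyed = {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": PROTO_PLAIN, "payload": b"constructed record A"}
    unkeyed = {"src": "10.0.0.1", "dst": "10.0.0.9", "proto": PROTO_PLAIN, "payload": b"constructed record B"}
    forged = {"src": "10.0.0.9", "dst": "10.0.0.2", "proto": PROTO_SECURE, "payload": os.urandom(40)}
    wire = sender_hw(sa, tx, keyed)
    tampered = dict(wire, payload=wire["payload"][:-1] + bytes([wire["payload"][-1] ^ 1]))
    return {
        "wire_proto": wire["proto"],
        "keyed": receiver_hw(sa, rx, wire),
        "unkeyed": receiver_hw(sa, rx, sender_hw(sa, tx, unkeyed)),
        "forged": receiver_hw(sa, rx, forged),
        "tampered": receiver_hw(sa, rx, tampered),
        "flags": (tx.flags, rx.flags),
    }
```

`run_demo()` walks one packet down each path: the keyed pair leaves the sender's hardware with protocol 50 and is decrypted at the receiver, the unkeyed pair is passed through untouched, the forged secured-format packet with no key pair is discarded as in claim 2, and the tampered ciphertext is discarded by the tag check. The `try`/`finally` around each pipeline use is what keeps the status flags consistent: a pipeline's flag returns to 0 even when the transform raises, so a single bad packet cannot leave a pipeline marked as working forever.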
- Optionally, after the data IP packet is transparently transmitted directly through the second sender's hardware to the second receiver's hardware, the method further includes: detecting the format of the data IP packet received by the second receiver's hardware; when the format is the network security service protocol format, discarding the data IP packet.
- If the format of the data IP packet is the normal format, the data IP packet is not encrypted, which means there was no error in transmitting it directly through the second sender's hardware to the second receiver's hardware. If the format of the data IP packet is the network security service protocol format, the data IP packet is encrypted, which means an error occurred on the direct transmission path through the second sender's hardware to the second receiver's hardware, and the data IP packet can be discarded.
- Optionally, the method further includes: reserving, for the sender's hardware in the system, a first storage space for storing the state of each pipeline of the sender's hardware; and, while the system operates, storing the state of each pipeline of the sender's hardware in the first storage space in real time. Correspondingly, encrypting the data IP packet with the corresponding target key data on any idle pipeline of the second sender's hardware includes: determining an idle pipeline of the second sender's hardware from the pipeline states currently stored in the first storage space, and encrypting the data IP packet with the corresponding target key data on that idle pipeline.
- This application may reserve a first storage space for each sender's hardware in the system to store the state of that hardware's multiple pipelines. While the system operates, the state of each sender's pipelines is updated to the first storage space in real time, so that the first storage space always holds the latest state of those pipelines.
- The idle pipelines of the second sender's hardware can then be determined from the pipeline states of the second sender's hardware currently stored in the first storage space, which is the basis for selecting an idle pipeline on which to encrypt the data IP packet.
- Optionally, reserving the first storage space and storing the pipeline states in it in real time includes: presetting one status flag bit per pipeline of the sender's hardware in the system and storing the flags in the first storage space reserved for that hardware; while the system operates, when any pipeline of the sender's hardware is working, the status flag bit for that pipeline is set to 1, and when any pipeline is idle, the status flag bit for that pipeline is set to 0.
- That is, this application sets one status flag bit per pipeline for each sender's hardware in the system and stores the flags in the first storage space reserved for that hardware. While the system operates, a working pipeline has its flag set to "1" and an idle pipeline has its flag set to "0", so the state of each pipeline of each sender's hardware is read directly from the value of its status flag bit in the first storage space.
- Optionally, the method further includes: reserving, for the receiver's hardware in the system, a second storage space for storing the state of each pipeline of the receiver's hardware; and, while the system operates, storing the state of each pipeline of the receiver's hardware in the second storage space in real time. Correspondingly, decrypting the data IP packet with the target key data on any idle pipeline of the second receiver's hardware includes: determining an idle pipeline of the second receiver's hardware from the pipeline states currently stored in the second storage space, and decrypting the data IP packet with the target key data on that idle pipeline.
- This application may reserve a second storage space for each receiver's hardware in the system to store the state of that hardware's multiple pipelines. While the system operates, the state of each receiver's pipelines is updated to the second storage space in real time, so that the second storage space always holds the latest state of those pipelines.
- The idle pipelines of the second receiver's hardware can then be determined from the pipeline states of the second receiver's hardware currently stored in the second storage space, which is the basis for selecting an idle pipeline on which to decrypt the data IP packet.
- Optionally, reserving the second storage space and storing the pipeline states in it in real time includes: presetting one status flag bit per pipeline of the receiver's hardware in the system and storing the flags in the second storage space reserved for that hardware; while the system operates, when any pipeline of the receiver's hardware is working, the status flag bit for that pipeline is set to 1, and when any pipeline is idle, the status flag bit for that pipeline is set to 0.
- That is, this application sets one status flag bit per pipeline for each receiver's hardware in the system and stores the flags in the second storage space reserved for that hardware. While the system operates, a working pipeline has its flag set to "1" and an idle pipeline has its flag set to "0", so the state of each pipeline of each receiver's hardware is read directly from the value of its status flag bit in the second storage space.
- Optionally, the method further includes: presetting a key expiration time for the system, and, starting from when the system begins operating, re-executing the step of generating the key exchange IP packet with the first sender's software and transparently transmitting it through the first sender's hardware to the first receiver's hardware each time the key expiration time elapses.
- This application presets a key expiration time; starting from when the system begins operating, every time the key expiration time elapses, the step of generating the key exchange IP packet with the first sender's software and transparently transmitting it through the first sender's hardware to the first receiver's hardware is re-executed, that is, the software re-runs the key exchange protocol, thereby improving system security.
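The key expiration rule above, as an added example that is not code from the patent or its applicant: the expiration time is modelled as fixed-length epochs counted from system start, and the software key exchange is re-run for every registered pair whenever a new epoch begins. Names (`RekeyingSaTable`, `outbound_key`, `inbound_key`) and the per-packet epoch tag, which plays the role an SPI plays in real IPsec, are assumptions. The example also goes one step beyond the page: the page's scheme cuts over to the new key at the instant of expiry, so a packet protected just before the boundary cannot be decrypted after it; the optional `grace_seconds` keeps the previous epoch's key available for inbound traffic for a short window, which is how IPsec implementations normally handle a rekey, and defaults to 0 so that the page's behaviour is reproduced.

```python
# Added example: fixed-interval rekeying as described for the key expiration time.
# Not the applicant's code; class and method names and the epoch tag are assumed.
import os

class RekeyingSaTable:
    """Key data per (first sender, first receiver) pair, regenerated every expiry interval."""
    def __init__(self, expiry_seconds, start_time, grace_seconds=0.0):
        self.expiry = float(expiry_seconds)       # the preset key expiration time
        self.start = float(start_time)            # when the system began operating
        self.grace = float(grace_seconds)         # 0 reproduces the page's hard cutover
        self.pairs = set()
        self.epoch = None                         # index of the current expiry interval
        self.prev_epoch = None
        self.keys, self.prev_keys = {}, {}
        self.rekey_count = 0

    def register(self, ip_a, ip_b):
        self.pairs.add(frozenset((ip_a, ip_b)))

    def epoch_of(self, now):
        return int((now - self.start) // self.expiry)

    def tick(self, now):
        """Re-run the software key exchange (step S1) when a new expiry interval has started."""
        e = self.epoch_of(now)
        if e != self.epoch:
            self.prev_epoch, self.prev_keys = self.epoch, self.keys
            self.epoch = e
            self.keys = {pair: os.urandom(32) for pair in self.pairs}   # fresh key data per pair
            self.rekey_count += 1
        return e

    def outbound_key(self, src, dst, now):
        """Current epoch and key for protecting an outbound packet (key is None for an unkeyed pair)."""
        e = self.tick(now)
        return e, self.keys.get(frozenset((src, dst)))

    def inbound_key(self, src, dst, pkt_epoch, now):
        """Key for an inbound packet tagged with the epoch it was protected under, or None."""
        e = self.tick(now)
        pair = frozenset((src, dst))
        if pkt_epoch == e:
            return self.keys.get(pair)
        since_boundary = (now - self.start) - e * self.expiry
        if pkt_epoch == self.prev_epoch and since_boundary < self.grace:
            return self.prev_keys.get(pair)       # addition beyond the page: overlap window
        return None

def simulate(grace_seconds=0.0):
    """Constructed timeline: expiry 3600 s, system start at t=1000, traffic on both sides of one boundary."""
    table = RekeyingSaTable(expiry_seconds=3600, start_time=1000.0, grace_seconds=grace_seconds)
    table.register("10.0.0.1", "10.0.0.2")
    e0, k0 = table.outbound_key("10.0.0.1", "10.0.0.2", now=4599.0)   # 1 s before expiry
    e1, k1 = table.outbound_key("10.0.0.1", "10.0.0.2", now=4601.0)   # 1 s after expiry
    late_early = table.inbound_key("10.0.0.2", "10.0.0.1", pkt_epoch=e0, now=4601.0)   # 1 s into the new epoch
    late_late = table.inbound_key("10.0.0.2", "10.0.0.1", pkt_epoch=e0, now=4700.0)    # 100 s into it
    return {
        "epochs": (e0, e1),
        "key_changed": k0 != k1,
        "rekeys": table.rekey_count,
        "old_key_accepted_at_1s": late_early == k0,
        "old_key_accepted_at_100s": late_late == k0,
        "unkeyed_pair": table.outbound_key("10.0.0.1", "10.0.0.9", now=4700.0)[1],
    }
```

With the default `grace_seconds=0`, `simulate()` shows the page's behaviour: the key changes at the 3600 s boundary and a packet protected one second before it is undecryptable one second after it. With `simulate(grace_seconds=60)` that packet is still accepted one second into the new epoch and rejected 100 s into it, which is the overlap a deployment would want so that in-flight traffic is not lost at every expiry.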
- Optionally, data transmission between the sender's software and the sender's hardware is performed through a PCIe interface.
- The sender's software and the sender's hardware can transmit data through, but not limited to, a PCIe (Peripheral Component Interconnect Express, a high-speed serial computer expansion bus standard) interface; this application imposes no particular restriction on the interface.
- FIG. 2 is a schematic structural diagram of a network security IPsec acceleration processing system provided by an embodiment of the present invention.
- The network-security IPsec acceleration processing system includes:
- a key exchange module 1, configured to use the first sender's software to generate a key exchange IP packet and transparently transmit it through the first sender's hardware to the first receiver's hardware; wherein the key exchange IP packet includes the key data and the first IP addresses of both parties to the key exchange;
- a data transmission module 2, configured to use the second sender's software to perform IP packaging on the transmission data to obtain a data IP packet and send it to the second sender's hardware; wherein the data IP packet includes the transmission data and the second IP addresses of both parties to the data transmission;
- a judging module 3, configured to determine whether the second IP addresses are present among the first IP addresses; if so, the data encryption and decryption module 4 is executed; if not, the transparent transmission module 5 is executed;
- a data encryption and decryption module 4, configured to encrypt the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender's hardware, and to send the encrypted data IP packet to the second receiver's hardware, so that it is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver's hardware;
- a transparent transmission module 5, configured to transparently transmit the data IP packet directly through the second sender's hardware to the second receiver's hardware.
- Optionally, the system further includes: a time setting module, configured to preset the key expiration time of the system; and a key exchange trigger module, configured to re-execute the key exchange module each time the key expiration time elapses, counted from when the system begins operating.
Claims (10)
- 一种网络安全IPsec的加速处理方法,其特征在于,包括:An accelerated processing method for network security IPsec, which is characterized in that it comprises:利用第一发送方软件生成密钥交换IP包,并将所述密钥交换IP包经第一发送方硬件透传至第一接收方硬件;其中,所述密钥交换IP包包括密钥数据及密钥交换双方的第一IP地址;Use the first sender software to generate a key exchange IP packet, and transparently transmit the key exchange IP packet to the first receiver's hardware through the first sender's hardware; wherein, the key exchange IP packet includes key data And the first IP address of both parties in the key exchange;利用第二发送方软件对传输数据进行IP打包处理得到数据IP包,并将所述数据IP包发送至第二发送方硬件;其中,所述数据IP包包括传输数据及数据传输双方的第二IP地址;Use the second sender software to perform IP packet processing on the transmission data to obtain a data IP packet, and send the data IP packet to the second sender hardware; wherein, the data IP packet includes the second data transmission and the second data transmission parties. IP address;判断所述第一IP地址中是否存在所述第二IP地址;Determine whether the second IP address exists in the first IP address;若是,则在所述第二发送方硬件的多条流水线中任一条空闲流水线上,利用所对应的目标密钥数据加密所述数据IP包,并将加密后的数据IP包发送至第二接收方硬件,以在所述第二接收方硬件的多条流水线中任一条空闲流水线上,利用所述目标密钥数据解密所述数据IP包;If yes, then use the corresponding target key data to encrypt the data IP packet on any idle pipeline among the multiple pipelines of the second sender hardware, and send the encrypted data IP packet to the second receiver Third party hardware, to use the target key data to decrypt the data IP packet on any one of the idle pipelines among the multiple pipelines of the second receiver hardware;若否,则将所述数据IP包直接经所述第二发送方硬件透传至所述第二接收方硬件。If not, the data IP packet is directly transparently transmitted to the second receiver hardware through the second sender hardware.
- 如权利要求1所述的网络安全IPsec的加速处理方法,其特征在于,在将所述数据IP包直接经所述第二发送方硬件透传至所述第二接收方硬件之后,所述网络安全IPsec的加速处理方法还包括:The network security IPsec acceleration processing method of claim 1, wherein after the data IP packet is directly transparently transmitted to the second receiver hardware through the second sender hardware, the network The accelerated processing method of secure IPsec also includes:检测所述第二接收方硬件接收的数据IP包的格式;Detecting the format of the data IP packet received by the second receiver hardware;当所述数据IP包的格式为网络安全服务协议格式时,对所述数据IP包进行丢弃处理。When the format of the data IP packet is a network security service protocol format, the data IP packet is discarded.
- 如权利要求1所述的网络安全IPsec的加速处理方法,其特征在于,所述网络安全IPsec的加速处理方法还包括:8. The accelerated processing method of network security IPsec according to claim 1, wherein the accelerated processing method of network security IPsec further comprises:为系统中发送方硬件预留用于存储所述发送方硬件的各流水线状态的第一存储空间;Reserve a first storage space for the sender hardware in the system for storing the state of each pipeline of the sender hardware;在所述系统运作时,实时将所述发送方硬件的各流水线状态存储至所述第一存储空间;When the system is operating, storing each pipeline state of the sender's hardware in the first storage space in real time;相应的,所述在所述第二发送方硬件的多条流水线中任一条空闲流水线上,利用所对应的目标密钥数据加密所述数据IP包的过程,包括:Correspondingly, the process of using the corresponding target key data to encrypt the data IP packet on any one of the idle pipelines of the multiple pipelines of the second sender hardware includes:根据所述第一存储空间当前存储的所述第二发送方硬件的各流水线状态,确定所述第二发送方硬件的空闲流水线;Determine the idle pipeline of the second sender hardware according to the pipeline states of the second sender hardware currently stored in the first storage space;在所述第二发送方硬件的任一条空闲流水线上,利用所对应的目标密钥数据加密所述数据IP包。On any idle pipeline of the second sender hardware, encrypt the data IP packet with the corresponding target key data.
- 如权利要求3所述的网络安全IPsec的加速处理方法,其特征在于,所述为系统中发送方硬件预留用于存储所述发送方硬件的各流水线状态的第一存储空间;在所述系统运作时,实时将所述发送方硬件的各流水线状态存储至所述第一存储空间的过程,包括:The network security IPsec acceleration processing method of claim 3, wherein the first storage space reserved for the sender hardware in the system for storing the pipeline states of the sender hardware; When the system is operating, the process of storing each pipeline state of the sender's hardware in the first storage space in real time includes:预先为系统中发送方硬件的各流水线一一设置状态标志位,并将其存储至为所述发送方硬件预留的第一存储空间;Pre-set status flag bits for each pipeline of the sender hardware in the system one by one, and store them in the first storage space reserved for the sender hardware;在所述系统运作时,当所述发送方硬件的任一流水线处于工作状态时,将此流水线对应的状态标志位置1;当所述发送方硬件的任一流水线处于空闲状态时,将此流水线对应的状态标志位置0。When the system is operating, when any pipeline of the sender's hardware is in the working state, the status flag corresponding to this pipeline is set to 1. When any pipeline of the sender's hardware is in an idle state, the pipeline The corresponding status flag position is 0.
- 如权利要求1所述的网络安全IPsec的加速处理方法,其特征在于,所述网络安全IPsec的加速处理方法还包括:8. The accelerated processing method of network security IPsec according to claim 1, wherein the accelerated processing method of network security IPsec further comprises:为系统中接收方硬件预留用于存储所述接收方硬件的各流水线状态的第二存储空间;Reserve a second storage space for the receiver's hardware in the system for storing each pipeline state of the receiver's hardware;在所述系统运作时,实时将所述接收方硬件的各流水线状态存储至所述第二存储空间;When the system is operating, storing each pipeline state of the receiver's hardware in the second storage space in real time;相应的,所述在所述第二接收方硬件的多条流水线中任一条空闲流水线上,利用所述目标密钥数据解密所述数据IP包的过程,包括:Correspondingly, the process of using the target key data to decrypt the data IP packet on any one of the idle pipelines among the multiple pipelines of the second receiver hardware includes:根据所述第二存储空间当前存储的所述第二接收方硬件的各流水线状态,确定所述第二接收方硬件的空闲流水线;Determine the idle pipeline of the second receiver's hardware according to each pipeline state of the second receiver's hardware currently stored in the second storage space;在所述第二接收方硬件的任一条空闲流水线上,利用所述目标密钥数据解密所述数据IP包。Use the target key data to decrypt the data IP packet on any idle pipeline of the second receiver hardware.
- 如权利要求5所述的网络安全IPsec的加速处理方法,其特征在于,所述为系统中接收方硬件预留用于存储所述接收方硬件的各流水线状态的第二存储空间;在所述系统运作时,实时将所述接收方硬件的各流水线状态存储至所述第二存储空间的过程,包括:The method for accelerating network security IPsec processing according to claim 5, wherein the second storage space reserved for the receiver hardware in the system for storing the pipeline states of the receiver hardware; When the system is operating, the process of storing each pipeline state of the receiver's hardware in the second storage space in real time includes:预先为系统中接收方硬件的各流水线一一设置状态标志位,并将其存储至为所述接收方硬件预留的第二存储空间;Pre-set status flag bits for each pipeline of the receiver hardware in the system one by one, and store them in the second storage space reserved for the receiver hardware;在所述系统运作时,当所述接收方硬件的任一流水线处于工作状态时,将此流水线对应的状态标志位置1;当所述接收方硬件的任一流水线处于空闲状态时,将此流水线对应的状态标志位置0。When the system is operating, when any pipeline of the receiver's hardware is in the working state, the status flag corresponding to this pipeline is set to 1; when any pipeline of the receiver's hardware is in an idle state, the pipeline The corresponding status flag position is 0.
- The accelerated processing method for network security IPsec according to any one of claims 1 to 6, wherein the method further comprises: setting a key expiration time of the system in advance; and, starting from the time the system begins operating, re-executing at every interval of the key expiration time the step of generating a key exchange IP packet with the first sender software and transparently transmitting the key exchange IP packet via the first sender hardware to the first receiver hardware.
- The accelerated processing method for network security IPsec according to claim 7, wherein data is transferred between the sender software and the sender hardware through a PCIE interface.
- An accelerated processing system for network security IPsec, characterized in that it comprises: a key exchange module, configured to generate a key exchange IP packet with the first sender software and transparently transmit the key exchange IP packet via the first sender hardware to the first receiver hardware, wherein the key exchange IP packet includes key data and the first IP addresses of both parties to the key exchange; a data transmission module, configured to perform IP packaging of the transmission data with the second sender software to obtain a data IP packet and send the data IP packet to the second sender hardware, wherein the data IP packet includes the transmission data and the second IP addresses of both parties to the data transmission; a judging module, configured to judge whether the second IP addresses are present among the first IP addresses and, if so, to invoke the data encryption and decryption module, otherwise to invoke the transparent transmission module; the data encryption and decryption module, configured to encrypt the data IP packet with the corresponding target key data on any idle pipeline among the multiple pipelines of the second sender hardware and send the encrypted data IP packet to the second receiver hardware, so that the data IP packet is decrypted with the target key data on any idle pipeline among the multiple pipelines of the second receiver hardware; and the transparent transmission module, configured to transparently transmit the data IP packet directly via the second sender hardware to the second receiver hardware.
- The accelerated processing system for network security IPsec according to claim 9, wherein the system further comprises: a time setting module, configured to set the key expiration time of the system in advance; and a key exchange trigger module, configured to re-execute the key exchange module at every interval of the key expiration time, starting from the time the system begins operating.
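The decision path the claims describe (address pair learned from a key exchange packet decides encrypt-vs-passthrough, per-pipeline status flags choose an idle pipeline, a pre-set key lifetime forces a fresh exchange) as a constructed software model; this is an added example, not code from the patent, and the XOR transform is only a placeholder for whatever cipher the hardware pipeline runs.

```python
from itertools import cycle

BUSY, IDLE = 1, 0  # status flag bit values given in claim 6


class IPsecDispatcher:
    """Constructed model of the sender-side decision path in the claims."""

    def __init__(self, n_pipelines, key_lifetime):
        self.keys = {}      # (src, dst) -> key data learned from a key exchange packet
        self.issued = {}    # (src, dst) -> time of the last key exchange
        self.flags = [IDLE] * n_pipelines  # reserved storage: one status flag per pipeline
        self.key_lifetime = key_lifetime   # pre-set key expiration time (claims 7, 10)

    def key_exchange(self, src, dst, key, now):
        """Key exchange IP packet: record key data plus the 'first' address pair."""
        self.keys[(src, dst)] = key
        self.issued[(src, dst)] = now

    def rekey_due(self, src, dst, now):
        """True once the key expiration time has elapsed since the last exchange."""
        return now - self.issued[(src, dst)] >= self.key_lifetime

    def idle_pipeline(self):
        """Index of any pipeline whose status flag is 0, or None if all are busy."""
        return next((i for i, f in enumerate(self.flags) if f == IDLE), None)

    def handle(self, src, dst, payload, now):
        """Returns (action, pipeline, data); a claimed pipeline stays BUSY until complete()."""
        pair = (src, dst)
        if pair not in self.keys:                  # 'second' addresses not among the 'first'
            return ("passthrough", None, payload)  # transparent transmission, no crypto
        if self.rekey_due(src, dst, now):
            return ("rekey_required", None, None)  # a new key exchange must run first
        idx = self.idle_pipeline()
        if idx is None:
            return ("no_idle_pipeline", None, None)
        self.flags[idx] = BUSY
        # Placeholder transform standing in for the pipeline's cipher (not a real cipher).
        ct = bytes(b ^ k for b, k in zip(payload, cycle(self.keys[pair])))
        return ("encrypted", idx, ct)

    def complete(self, idx):
        """Pipeline finished its packet: clear the flag so it can be selected again."""
        self.flags[idx] = IDLE
```

Packets whose address pair never appeared in a key exchange bypass the cipher entirely, which is exactly the property a deployment must verify against its policy before relying on the passthrough branch.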
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910736381.2 | 2019-08-09 | ||
CN201910736381.2A CN110535834B (en) | 2019-08-09 | 2019-08-09 | Accelerated processing method and system for network security IPsec |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021027035A1 true WO2021027035A1 (en) | 2021-02-18 |
Family
ID=68662396
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/108933 WO2021027035A1 (en) | 2019-08-09 | 2019-09-29 | Network security ipsec acceleration processing method and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN110535834B (en) |
WO (1) | WO2021027035A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110535834B (en) * | 2019-08-09 | 2021-11-09 | 苏州浪潮智能科技有限公司 | Accelerated processing method and system for network security IPsec |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040153643A1 (en) * | 2002-11-25 | 2004-08-05 | Siemens Aktiengesellschaft | Method and system for encrypting transmissions of communication data streams via a packet-oriented communication network |
CN105704122A (en) * | 2016-01-08 | 2016-06-22 | 北京北方烽火科技有限公司 | Route encryption system |
CN106169952A (en) * | 2016-09-06 | 2016-11-30 | 杭州迪普科技有限公司 | Authentication method that a kind of internet IKMP is heavily consulted and device |
CN107172072A (en) * | 2017-06-09 | 2017-09-15 | 中国电子科技集团公司第四十研究所 | A kind of IPSec data flow high speeds processing system and method based on FPGA |
CN108173652A (en) * | 2018-02-12 | 2018-06-15 | 武汉三江航天网络通信有限公司 | IPSec VPN cipher machines based on quantum key distribution |
CN110535834A (en) * | 2019-08-09 | 2019-12-03 | 苏州浪潮智能科技有限公司 | A kind of accelerated processing method and system of network security IPsec |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102724173A (en) * | 2011-07-28 | 2012-10-10 | 北京天地互连信息技术有限公司 | System and method for realizing IKEv2 protocol in MIPv6 environment |
CN102263794B (en) * | 2011-08-25 | 2013-10-23 | 北京星网锐捷网络技术有限公司 | Security processing method, device, processing chip and network equipment |
2019
- 2019-08-09 CN CN201910736381.2A patent/CN110535834B/en active Active
- 2019-09-29 WO PCT/CN2019/108933 patent/WO2021027035A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN110535834B (en) | 2021-11-09 |
CN110535834A (en) | 2019-12-03 |
Similar Documents
Publication | Title |
---|---|
KR101593864B1 (en) | Content-centric networking |
WO2021022794A1 (en) | Rdma-based data transmission method, network card, server and medium |
US8464053B2 (en) | Systems, methods, and media for retransmitting data using the secure real-time transport protocol |
US20200177631A1 (en) | Secure communication session resumption in a service function chain |
US10911581B2 (en) | Packet parsing method and device |
EP2951946B1 (en) | Method and system for protecting data using data passports |
US11558361B2 (en) | Communication method between mesh network and cloud server, mesh network system and node device thereof |
WO2024001035A1 (en) | Message transmission method and apparatus based on blockchain relay communication network system |
WO2024022096A1 (en) | Message encryption method and decryption method, apparatus, and storage medium |
CN113542428A (en) | Vehicle data uploading method and device, vehicle, system and storage medium |
WO2021027035A1 (en) | Network security ipsec acceleration processing method and system |
WO2024037366A1 (en) | Forwarding rule issuing method, and intelligent network interface card and storage medium |
CN109391650B (en) | Method and device for establishing session |
CN111756698B (en) | Message transmission method, device, equipment and computer readable storage medium |
WO2024001037A1 (en) | Message transmission method and apparatus, electronic device and storage medium |
CN113595964A (en) | Connection tracking synchronization method, device, medium and equipment |
US20220407689A1 (en) | Key sharing for media frames using blockchain |
EP4138356A1 (en) | Inter-node privacy communication method and network node |
CN109587163B (en) | Protection method and device in DR mode |
WO2010124549A1 (en) | Method, apparatus and system for obtaining public key |
CN107770018B (en) | Communication method and device for serial communication system |
CN113364816B (en) | Data transmission system based on multi-channel exchange protocol |
CN114142998B (en) | Data encryption processing method and device, electronic equipment and storage medium |
US20240048369A1 (en) | Quantum resistant ledger for secure communications |
CN116232944B (en) | Method, equipment and medium for transport layer security protocol message service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19941662; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19941662; Country of ref document: EP; Kind code of ref document: A1 |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19941662; Country of ref document: EP; Kind code of ref document: A1 |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 26/10/2022) |