WO2022002098A1 - Information sending method, information receiving method and network - Google Patents


Info

Publication number
WO2022002098A1
Authority
WO
WIPO (PCT)
Prior art keywords
capability
network end
message
security protocol
sending
Prior art date
Application number
PCT/CN2021/103364
Other languages
French (fr)
Chinese (zh)
Inventor
周娜
李锐
吴华强
闫新成
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2022002098A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • The present disclosure relates to the technical field of communication security, and in particular to a method for sending information, a method for receiving information, and a network end.
  • Packets (e.g., IP packets) exchanged between network ends (e.g., gateways of different networks or different offices) through a third-party network (e.g., the Internet) may be intercepted, viewed, or tampered with by attackers, resulting in serious privacy and security concerns.
  • IPsec (Internet Protocol Security) can establish an Internet Security Protocol tunnel (IPSec tunnel) between two network ends, so that subsequent packets between the two network ends are transmitted inside the IPSec tunnel and data is transmitted securely across an untrusted network.
  • However, when packets of different priorities share one tunnel, the anti-replay window (or anti-replay queue) may incorrectly discard some legitimately delayed packets, which affects both the quality and the security of data transmission.
  • An embodiment of the present disclosure provides a method for sending information, used at a network end of an Internet security protocol tunnel. The method includes: sending service quality assurance capability information to the other network end of the Internet security protocol tunnel, wherein the service quality assurance capability information indicates whether the network end enables the multi-window capability and/or whether the network end enables the multi-numbering capability. The multi-numbering capability is the ability, when sending packets, to number at least some of the packets with different quality of service independently; the multi-window capability is the ability, when receiving packets, to process at least some of the packets with different quality of service with different preset anti-replay windows.
  • An embodiment of the present disclosure provides a method for receiving information, used at a network end of an Internet security protocol tunnel. The method includes: receiving service quality assurance capability information from the other network end of the Internet security protocol tunnel, wherein the service quality assurance capability information indicates whether the other network end enables the multi-window capability and/or whether the other network end enables the multi-numbering capability, with the two capabilities defined as above.
  • An embodiment of the present disclosure provides a network end of an Internet security protocol tunnel, which includes a sending module configured to send service quality assurance capability information to the other network end of the Internet security protocol tunnel, the information indicating whether the network end enables the multi-window capability and/or the multi-numbering capability as defined above.
  • An embodiment of the present disclosure provides a network end of an Internet security protocol tunnel, which includes a receiving module configured to receive service quality assurance capability information from the other network end of the Internet security protocol tunnel, the information indicating whether the other network end enables the multi-window capability and/or the multi-numbering capability as defined above.
  • FIG. 1 is a schematic diagram of two network ends connected through an IPSec tunnel.
  • FIG. 2 is a schematic diagram of a process of processing a message through an anti-replay window
  • FIG. 3 is a schematic diagram of a process of processing a message in an embodiment of the present disclosure
  • FIG. 4 is a flowchart of a method for sending information according to an embodiment of the present disclosure
  • FIG. 5 is a flowchart of another method for sending information according to an embodiment of the present disclosure.
  • FIG. 6 is a flowchart of another method for sending information provided by an embodiment of the present disclosure.
  • FIG. 7 is a flowchart of a method for receiving information according to an embodiment of the present disclosure.
  • FIG. 8 is a block diagram of the composition of a network end of an Internet security protocol tunnel provided by an embodiment of the present disclosure
  • FIG. 9 is a block diagram of the composition of a network end of an Internet security protocol tunnel provided by an embodiment of the present disclosure.
  • Embodiments of the present disclosure may be described with reference to plan views and/or cross-sectional views with the aid of idealized schematic illustrations of the present disclosure. Accordingly, example illustrations may be modified according to manufacturing techniques and/or tolerances.
  • Embodiments of the present disclosure are not limited to the embodiments shown in the drawings, but include modifications of configurations formed based on manufacturing processes.
  • the regions illustrated in the figures have schematic properties and the shapes of regions illustrated in the figures are illustrative of the specific shapes of regions of elements and are not intended to be limiting.
  • IPsec (Internet Protocol Security) is a protocol suite mainly composed of three parts: the AH protocol (Authentication Header), ESP (Encapsulating Security Payload), and IKE (Internet Key Exchange).
  • The AH protocol provides data origin authentication, integrity, and an anti-replay service (implemented through the anti-replay window).
  • ESP encapsulates and encrypts the payload to provide confidentiality; it can also provide data origin authentication, integrity, and the same anti-replay service, so the anti-replay window discussed below applies to ESP-protected packets as well.
  • The IKE protocol is used to establish an Internet Security Protocol tunnel (IPSec tunnel) between two different network ends through negotiation.
  • The IKE protocol negotiates a Security Association (SA) based on a five-tuple of source IP (Internet Protocol) address, destination IP address, protocol number, source port, and destination port, and the corresponding IPSec tunnel is established according to the SA.
  • Each SA records the encapsulation mode, encryption algorithm, encryption key, integrity (verification) algorithm and key, and other information used to protect packets; that is, the SA records the policy and policy parameters of each IPSec tunnel, which is equivalent to a special communication agreement established between the two parties of the tunnel (the initiator and the responder).
  • Because SAs are unidirectional, each IPSec tunnel usually includes two SAs (or, equivalently, each unidirectional IPSec tunnel includes one SA).
  • Each SA is identified by its Security Parameter Index (SPI). The SPI is carried in every subsequently transmitted packet (IPSec packet) so that the receiver can determine which SA (and therefore which IPSec tunnel) the packet belongs to.
  • An IPSec tunnel may also be established (or configured) manually, which is not described in detail here.
  • Thus a dedicated IPSec tunnel can be established between two different network ends using IPsec technology; subsequent packets between the two network ends are transmitted in the IPSec tunnel and are encrypted, encapsulated, authenticated, decrypted, etc. in a specified way, so that data is transmitted securely over untrusted networks, providing privacy and security guarantees for individual mobile users, enterprise mobile users, and operators.
  • Both sides of the IPSec tunnel (the initiator and the responder) need to use an anti-replay window (or anti-replay queue) to process (filter) the received packets.
  • Packets received by a network end are placed in the receive queue at the position given by their sequence number (SN) (if a packet has not arrived, the position for its sequence number still exists but is empty). The anti-replay window has a fixed size (its length, i.e. the number of sequence numbers it covers) and can "slide" along the receive queue.
  • When a received packet falls inside the anti-replay window and its sequence number has not been seen before, the packet is saved (if the same sequence number has already been received, the packet is discarded as a replay). When the received packet lies to the right of the window (its sequence number is larger than the largest sequence number in the window), the window is shifted right so that its maximum reaches the newly received packet; the packet then sits at the right-hand end of the window and is saved. When the received packet lies to the left of the window (its sequence number is smaller than the smallest sequence number in the window), the packet is discarded, so that a packet with a small sequence number cannot be accepted again.
  • The data transmitted in an IPSec tunnel may come from different network elements and therefore has different quality of service (QoS).
  • QoS is a specification of packet delay, packet loss rate, etc., i.e. the "quality requirement" for packet transmission. When packets pass through an intermediate transmission device (such as a router), the device processes packets with different QoS at different priorities.
  • Consequently the order in which packets with different QoS arrive may differ from the order in which they were sent (i.e. from their sequence-number order): a high-priority packet with a larger sequence number may be sent later but arrive earlier, while a low-priority packet with a smaller sequence number may be sent earlier but arrive later, resulting in "out of order" reception. A low-priority packet delayed by more than the width of the anti-replay window is then discarded as if it were a replay.
  • the network terminals of both sides of an IPSec tunnel are usually communication base stations, security gateways, etc.
  • The data transmitted between these network ends may come from many different network elements (such as the terminals of different users), so the volume of data transmitted between them is relatively large.
  • Moreover, the volume of network transmission continues to increase.
  • For example, the traffic of a typical single 5G base station far exceeds that of 4G (downlink traffic can reach 40 Gbps and uplink traffic 20 Gbps), but a 5G base station and the corresponding security gateway are usually connected through only one IPSec tunnel, i.e. all data is transmitted through a single IPSec tunnel.
  • The data throughput in such an IPSec tunnel is therefore large, and so is the number of packets.
  • an embodiment of the present disclosure provides a method for sending information.
  • The method of this embodiment applies to a network end of an Internet Security Protocol tunnel (IPSec tunnel), which may be the initiator or the responder of the IPSec tunnel; that is, either network end of the IPSec tunnel may perform the method.
  • the above network end may also be connected to other network devices through other means (means other than the IPSec tunnel).
  • The network end in this embodiment may be any network element that can establish a connection through an IPSec tunnel, such as a wireless communication base station (e.g., a 2G, 3G, 4G or 5G base station), a set-top box, a security gateway, a firewall device, or other network equipment running corresponding software.
  • the method for sending information includes:
  • Step S101: send quality of service (QoS) guarantee capability information to the other network end of the IPSec tunnel.
  • The QoS guarantee capability information indicates whether the network end enables the multi-window capability and/or whether the network end enables the multi-numbering capability.
  • The multi-numbering capability is the ability of the network end, when sending packets, to number at least some of the packets with different QoS independently.
  • The multi-window capability is the ability of the network end, when receiving packets, to process at least some of the packets with different QoS using different preset anti-replay windows.
  • The network end sends the QoS guarantee capability information to the other network end of the IPSec tunnel to "inform" it of the local QoS guarantee capability.
  • The QoS guarantee capability specifically refers to whether the network end itself enables the multi-window capability and/or the multi-numbering capability; through this "negotiation" with the other network end, the two sides decide whether to enable the corresponding QoS guarantee capability.
  • Enabling a certain guarantee capability means that the network end both has the capability and wishes to use it.
  • Not enabling a certain guarantee capability may mean that the network end does not have the capability at all, or that it has the capability but does not currently wish to use it.
  • The multi-window capability refers to the capability of processing received packets with different preset anti-replay windows according to their QoS.
  • There are at least two preset anti-replay windows, i.e. packets with at least two different QoS are processed in different preset anti-replay windows, and different preset anti-replay windows correspond to different QoS. A packet with a given QoS is therefore processed in exactly one preset anti-replay window and never enters the receive queues of two anti-replay windows at the same time.
  • The multi-numbering capability refers to the capability of numbering packets with different QoS independently, according to their QoS, when sending them.
  • The sequence number (SN) of each independent numbering starts from "1".
  • Sequence numbers of packets with different QoS may then be "duplicated" across classes, but because packets with different QoS are processed in different preset anti-replay windows, this duplication causes no problem.
  • For the receiver to use the multi-window capability, the sender must first number the packets with different QoS independently.
  • The QoS corresponding to each preset anti-replay window or independent numbering may be a single QoS value or a "group" of QoS values with similar properties, i.e. a QoS group.
  • Besides whether the multi-numbering capability and the multi-window capability are enabled, the QoS guarantee capability information may contain more detailed information about the QoS guarantee capability, for example whether packets (and the corresponding preset anti-replay windows and numberings) are divided into several groups according to QoS, and which QoS values each group contains.
  • Whether the QoS guarantee capability is enabled is negotiated by sending the QoS guarantee capability information.
  • When the QoS guarantee capability is enabled, at least some of the packets with different QoS are processed in different anti-replay windows (anti-replay filtering), so that each anti-replay window handles relatively few packets and the priorities (QoS) of the packets in one window are the same or close, which avoids the out-of-order discards described above.
  • In some embodiments the network end has (or enables) the multi-window capability, and the method for sending information further includes:
  • Step S1021: receive QoS guarantee capability information from the other network end of the IPSec tunnel.
  • The received QoS guarantee capability information indicates that the other network end of the IPSec tunnel has (or enables) the multi-numbering capability.
  • The method further includes:
  • Step S1031: receive a packet from the other network end of the IPSec tunnel, and process the packet with the preset anti-replay window corresponding to the QoS of the packet.
  • There are multiple preset anti-replay windows, and different preset anti-replay windows correspond to different QoS.
  • When the local network end supports the multi-window capability and also receives QoS guarantee capability information from the other network end of the IPSec tunnel indicating that the other network end has (or enables) the multi-numbering capability, the two parties have completed a "negotiation" of the QoS guarantee capability.
  • The local network end can then enable the multi-window capability: when it subsequently receives packets from the other network end of the IPSec tunnel (packets with different QoS having been numbered independently by the other network end), it parses the QoS from each packet, places the packet in the receive queue corresponding to that QoS, and processes it with the corresponding preset anti-replay window.
  • The QoS of a packet is determined by any one of the Differentiated Services Code Point (DSCP) value, the Type Of Service (TOS) value, the Traffic Class (TC) value, or the priority value carried in the packet.
  • The QoS information may be carried in a packet header (e.g., the IP header) or in the SPI. Note that the outer IP header of an ESP packet is not covered by the ESP integrity check while the SPI is, so a receiver that selects the anti-replay window from the outer header is trusting a field that routers or an on-path attacker can rewrite.
  • The local network end may first send its QoS guarantee capability information and the other network end then "replies" with its own QoS guarantee capability information according to what it received; or the other network end may first send its QoS guarantee capability information and the local network end "replies"; or both network ends may send their QoS guarantee capability information to each other independently.
  • In some embodiments the network end has (or enables) the multi-numbering capability, and
  • the method for sending the information further includes:
  • Step S1022 Receive QoS guarantee capability information from another network end of the IPSec tunnel.
  • the received QoS guarantee capability information indicates that the other network end of the IPSec tunnel has (or enables) the multi-window capability.
  • the method further includes:
  • Step S1032 Send a packet to another network end of the IPSec tunnel, and determine the sequence number of the packet according to the QoS of the packet.
  • When the local network end supports the multi-numbering capability and also receives QoS guarantee capability information from the other network end of the IPSec tunnel indicating that the other network end has (or enables) the multi-window capability, another kind of "negotiation" of the QoS guarantee capability has been completed.
  • When the local network end subsequently sends packets, it numbers packets with different QoS independently, so that the other network end can process them using its multi-window capability.
  • sending the QoS guarantee capability information to another network end of the IPSec tunnel includes:
  • Step S1011 Send QoS guarantee capability information to another network end of the IPSec tunnel through a negotiation request message or negotiation response message for establishing the IPSec tunnel.
  • the negotiation request message is any one of an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message, and an identity information sending message.
  • the negotiation response message is any one of the IKE_SA_INIT response message, the IKE security proposal confirmation message, the key material sending message, and the identity information sending message.
  • The above "negotiation" may be performed while the IPSec tunnel is being established: when negotiating the IPSec tunnel, in addition to the information required by the standard IPSec protocol, the QoS guarantee capability information may also be sent, so that it is carried in a negotiation request message or a negotiation response message for establishing the IPSec tunnel (depending on whether the initiator or the responder of the IPSec tunnel sends it).
  • The negotiation request message can be any one of an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message, and an identity information sending message; the negotiation response message can be any one of an IKE_SA_INIT response message, an IKE security proposal confirmation message, a key material sending message, and an identity information sending message.
  • The QoS guarantee capability information received by the local network end may likewise be carried in a negotiation request message or a negotiation response message.
  • an embodiment of the present disclosure provides a method for receiving information, which is used at a network end of an IPSec tunnel, including:
  • Step S201 Receive QoS guarantee capability information from another network end of the IPSec tunnel.
  • The QoS guarantee capability information indicates whether the other network end of the IPSec tunnel enables the multi-window capability and/or whether the other network end enables the multi-numbering capability.
  • The multi-numbering capability is the ability, when sending packets, to number at least some of the packets with different QoS independently; the multi-window capability is the ability, when receiving packets, to process at least some of the packets with different QoS using different preset anti-replay windows.
  • In some embodiments each network end performs both methods (sending and receiving) of the embodiments of the present disclosure.
  • the received QoS guarantee capability information indicates that another network end of the IPSec tunnel has (or enables) the multi-numbering capability
  • the method for receiving the information further includes:
  • Step S2021 Send QoS guarantee capability information to another network end of the IPSec tunnel.
  • the QoS guarantee capability information indicates that the network has (or enables) the multi-window capability.
  • After receiving the QoS guarantee capability information from the other network end of the IPSec tunnel and sending its own QoS guarantee capability information to the other network end, the method for receiving information further includes:
  • Step S2031: receive a packet from the other network end of the IPSec tunnel, and process the packet with the preset anti-replay window corresponding to the QoS of the packet.
  • There are multiple preset anti-replay windows, and different preset anti-replay windows correspond to different QoS.
  • the received QoS guarantee capability information indicates that another network end of the IPSec tunnel has (or enables) multi-window capability; and the method for receiving the information further includes:
  • Step S2022 Send QoS guarantee capability information to another network end of the IPSec tunnel.
  • the QoS guarantee capability information indicates that the network has (or enables) the multi-numbering capability.
  • the method for receiving the information further includes:
  • Step S2032 Send a packet to another network end of the IPSec tunnel, and determine the sequence number of the packet according to the QoS of the packet. Wherein, at least some of the packets with different QoS are numbered independently.
  • When the local network end determines from the received QoS guarantee capability information that the other network end has (or enables) the multi-numbering capability or the multi-window capability, the local network end can also send its own QoS guarantee capability information to the other network end, informing it of the local QoS guarantee capability.
  • A network end that itself has (or enables) the multi-window capability or the multi-numbering capability then starts using the multi-window capability to process received packets, or the multi-numbering capability to number sent packets.
  • The QoS guarantee capability information received and sent by the local network end may likewise be carried in a negotiation request message or a negotiation response message.
  • the QoS guarantee capability can be "negotiated" by the method of the embodiment of the present disclosure, which may specifically include the following steps:
  • the initiator sends a negotiation request message to the responder, which carries QoS guarantee capability information.
  • the initiator "notifies” the responder of its own QoS guarantee capability information through the negotiation request message.
  • the initiator may be a base station, a security gateway, a firewall, or any other network element or function with IPSec capability.
  • the responder may be a base station, a security gateway, a firewall, or any other network element or function with IPSec capability.
  • the negotiation request message may be an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message, or an identity information sending message.
  • the QoS guarantee capability information indicates the support situation of the initiator for the multi-window capability and the multi-numbering capability.
  • After receiving the request message from the initiator, the responder replies with a negotiation response message carrying its QoS guarantee capability information.
  • the responder "replies" its own QoS guarantee capability information to the initiator through the negotiation response message.
  • the negotiation response message may be an IKE_SA_INIT response message, an IKE security proposal confirmation message, a key material sending message, or an identity information sending message.
  • the QoS guarantee capability information indicates the support of the responder for the multi-window capability and the multi-numbering capability.
  • the content of the QoS guarantee capability information sent by the responder may be determined solely by the responder's own status, that is, it may be unrelated to the QoS guarantee capability information the responder received.
  • the content of the QoS guarantee capability information sent by the responder may also be determined according to the QoS guarantee capability information it received; for example, only "meaningful" QoS guarantee capability information may be returned.
  • if the QoS guarantee capability information sent by the initiator indicates that the initiator "does not support (or does not have)" the multi-window capability, then whether the responder supports the multi-numbering capability is meaningless (even if it is supported, it cannot be used), so the QoS guarantee capability information sent by the responder need not include its own multi-numbering capability.
  • steps A101 and A102 may be performed in sequence; or the order of steps A101 and A102 may be interchanged; or steps A101 and A102 may be performed independently by the two parties of the IPSec tunnel, with no necessary relationship between them.
  • both parties of the IPSec tunnel can know the QoS guarantee capability of the other party, and then decide how to activate the QoS guarantee capability.
  • the initiator and the responder complete IPSec tunnel negotiation, and the initiator learns that the responder has or decides to enable the QoS guarantee capability.
  • the initiator independently marks the serial numbers (ie, independent numbers) of the packets (IPSec packets) sent by the initiator according to the SPI and the QoS.
  • the QoS can be a DSCP value, a TOS value, a Traffic Class value, or a priority value.
  • the initiator sends a packet to the responder, carrying QoS.
  • the QoS can be carried through the SPI, that is, the QoS can be filled into the SPI.
  • the QoS can also be carried through the QoS field of the packet, that is, the IP header of the packet already has the QoS field.
  • the responder receives the packet, extracts the QoS, and places IPSec packets with different QoS in different receiving queues, and uses different anti-replay windows for processing.
  • the initiator has, or decides to enable, the QoS guarantee capability, so that the responder numbers packets of different QoS independently according to the QoS guarantee capability information of the initiator.
  • the initiator enables the multi-window capability and the multi-numbering capability; the responder enables the multi-window capability and the multi-numbering capability.
  • the subsequent packets sent by the initiator to the responder need to be numbered separately, and the packets sent by the responder to the initiator also need to be numbered separately.
  • the initiator needs to use the multi-window mode to process the received message
  • the responder also needs to use the multi-window mode to process the received message.
  • the initiator enables the multi-window capability, but does not enable (eg does not have, or does not want to use) the multi-numbering capability, and the responder enables the multi-numbering capability (the responder's multi-window capability is meaningless at this time).
  • the packets sent by the responder to the initiator need to be numbered separately, and the initiator needs to process the received packets in a multi-window manner.
  • the process of sending packets from the initiator to the responder can follow the existing IPSec rules.
  • the initiator enables the multi-numbering capability, but does not enable (eg does not have, or does not want to use) the multi-window capability, and the responder enables the multi-window capability (the multi-numbering capability of the responder is meaningless at this time).
  • the packets sent by the initiator to the responder need to be numbered separately, and the responder needs to process the received packets in a multi-window manner.
  • the process of sending packets from the responder to the initiator can follow the existing IPSec rules.
  • the initiator enables neither the multi-numbering capability nor the multi-window capability (e.g. it does not have them, or does not want to use them); at this time the responder's multi-window and multi-numbering capabilities are both meaningless.
  • the QoS guarantee capability information is not transmitted.
  • the initiator and the responder can carry QoS guarantee capability information in the packets (IPSec packets), and determine whether to enable the QoS guarantee capability subsequently according to the QoS guarantee capability information.
  • the QoS guarantee capability information may be carried through the SPI.
  • the transmission of the QoS guarantee capability information is not performed. Instead, in the message sending stage, the receiver of the message uses different preset anti-replay windows to process messages with different QoS according to the QoS in the SPI.
  • the QoS corresponding to each anti-replay window or number may not be "one QoS", but multiple similar QoSs, that is, a QoS group.
  • the IPSec tunnel can be established by manually configuring the IPSec tunnel or through IKE negotiation, but its QoS guarantee capability information is locally configured and does not need to be "negotiated”.
  • an embodiment of the present disclosure provides a network end of an IPSec tunnel, which includes: a sending module configured to send QoS guarantee capability information to another network end of the IPSec tunnel.
  • the QoS guarantee capability information is used to indicate whether the network end enables the multi-window capability, and/or whether the network end enables the multi-numbering capability.
  • the multi-numbering capability is the capability, when sending packets, of independently numbering at least some of the packets that have different QoS; the multi-window capability is the capability, when receiving packets, of using different preset anti-replay windows to process at least some of the packets that have different QoS.
  • the network end in the embodiment of the present disclosure may be any network element that can establish a connection through an IPSec tunnel, such as a wireless communication base station (a 2G, 3G, 4G, 5G or other base station), a set-top box, a security gateway, a firewall device, or other network equipment running suitable software.
  • the network end of the IPSec tunnel in the embodiment of the present disclosure is either end of the IPSec tunnel, so it can also receive QoS guarantee capability information from the other network end of the IPSec tunnel; it may therefore also have a receiving module.
  • an embodiment of the present disclosure provides a network end of an IPSec tunnel, which includes: a receiving module configured to receive QoS guarantee capability information from another network end of the IPSec tunnel.
  • the QoS guarantee capability information is used to indicate whether the other network end of the IPSec tunnel enables the multi-window capability, and/or whether the other network end enables the multi-numbering capability.
  • the multi-numbering capability is the capability, when sending packets, of independently numbering at least some of the packets that have different QoS; the multi-window capability is the capability, when receiving packets, of using different preset anti-replay windows to process at least some of the packets that have different QoS.
  • the network end in the embodiment of the present disclosure may be any network element that can establish a connection through an IPSec tunnel, such as a wireless communication base station (a 2G, 3G, 4G, 5G or other base station), a set-top box, a security gateway, a firewall device, or other network equipment running suitable software.
  • the network end of the IPSec tunnel in the embodiment of the present disclosure is either end of the IPSec tunnel, so it can also send QoS guarantee capability information to the other network end of the IPSec tunnel; it may therefore also have a sending module.
  • the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be executed cooperatively by several physical components.
  • some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit (CPU), digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit.
  • Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules or other data.
  • computer storage media include, but are not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory (FLASH) or other memory technology; compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage; magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage; or any other medium that can be used to store the desired information and can be accessed by a computer.
  • communication media typically embody computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and can include any information delivery media, as is well known to those of ordinary skill in the art.
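The capability exchange and the activation cases described in the bullets above (initiator notifies, responder replies with only the "meaningful" capabilities, and each direction of the tunnel is then numbered and checked per QoS only when the sender can number per QoS and the receiver can check per QoS), written out as an added example in Python. This is not code from the patent or from ZTE. The patent does not specify how the QoS guarantee capability information is encoded; the encoding below as an IKEv2 Notify payload body with a private-use status type (the value 40960 and the two flag bits) is an assumption made for this example.

```python
"""QoS guarantee capability negotiation for an IPSec tunnel (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical private-use IKEv2 Notify status type for this capability.
# RFC 7296 reserves 40960-65535 for private use; the patent does not fix a value.
NOTIFY_QOS_CAPABILITY = 40960
FLAG_MULTI_WINDOW = 0x01      # receiver side: separate anti-replay windows per QoS
FLAG_MULTI_NUMBERING = 0x02   # sender side: separate sequence numbering per QoS


@dataclass(frozen=True)
class QosCapability:
    multi_window: bool
    multi_numbering: bool


def encode_notify(cap: QosCapability) -> bytes:
    """Notify payload body (after the generic payload header, RFC 7296 3.10):
    Protocol ID = 0, SPI Size = 0, Notify Message Type, one flag byte of data."""
    flags = 0
    if cap.multi_window:
        flags |= FLAG_MULTI_WINDOW
    if cap.multi_numbering:
        flags |= FLAG_MULTI_NUMBERING
    return struct.pack("!BBH", 0, 0, NOTIFY_QOS_CAPABILITY) + bytes([flags])


def decode_notify(body: bytes) -> Optional[QosCapability]:
    """Return the capability, or None if this is not our notify. A peer that
    does not implement the capability simply ignores unknown status types,
    which is also why an absent notify must be treated as 'not supported'."""
    if len(body) < 4:
        return None
    _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
    if ntype != NOTIFY_QOS_CAPABILITY or len(body) < 4 + spi_size + 1:
        return None
    flags = body[4 + spi_size]
    return QosCapability(bool(flags & FLAG_MULTI_WINDOW),
                         bool(flags & FLAG_MULTI_NUMBERING))


def responder_reply(initiator: QosCapability, own: QosCapability) -> QosCapability:
    """Optional trimming to 'meaningful' capabilities: the responder's
    multi-numbering is useless if the initiator cannot receive with multiple
    windows, and its multi-window is useless if the initiator cannot number
    per QoS."""
    return QosCapability(
        multi_window=own.multi_window and initiator.multi_numbering,
        multi_numbering=own.multi_numbering and initiator.multi_window,
    )


def decide_modes(initiator: QosCapability, responder: QosCapability) -> Dict[str, bool]:
    """Per direction: independent numbering plus multi-window processing is
    active only when the sender can number per QoS AND the receiver can check
    per QoS; any other direction keeps existing IPSec behaviour."""
    return {
        "initiator->responder": initiator.multi_numbering and responder.multi_window,
        "responder->initiator": responder.multi_numbering and initiator.multi_window,
    }


def negotiate(initiator_cap: QosCapability, responder_cap: QosCapability) -> Dict[str, bool]:
    """Run the exchange: the initiator notifies, the responder replies with the
    trimmed capability, and both ends derive the same per-direction decision."""
    request = encode_notify(initiator_cap)
    seen_by_responder = decode_notify(request)
    assert seen_by_responder is not None
    response = encode_notify(responder_reply(seen_by_responder, responder_cap))
    seen_by_initiator = decode_notify(response)
    assert seen_by_initiator is not None
    at_initiator = decide_modes(initiator_cap, seen_by_initiator)
    at_responder = decide_modes(seen_by_responder, responder_cap)
    assert at_initiator == at_responder   # both ends must agree on the active modes
    return at_initiator


if __name__ == "__main__":
    full = QosCapability(multi_window=True, multi_numbering=True)
    for name, cap in [("both", full),
                      ("window only", QosCapability(True, False)),
                      ("numbering only", QosCapability(False, True)),
                      ("neither", QosCapability(False, False))]:
        print(f"initiator has {name:15} -> {negotiate(cap, full)}")
```

The trimmed reply and the untrimmed one lead to the same decision at both ends, which is what lets the responder omit capabilities it cannot use without any risk of the two sides activating different modes.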

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present disclosure provide an information sending method, comprising: sending to another network terminal of an Internet Protocol Security tunnel quality of service assurance capability information, wherein the quality of service assurance capability information is used for indicating whether the network terminal enables multi-window capability and/or whether the network terminal enables multi-number capability, wherein the multi-number capability is the ability to, when sending packets, separately number at least a part of the packets having different quality of service, and the multi-window capability is the ability to, when receiving packets, process at least a part of the packets having different quality of service using different preset anti-replay windows. The embodiments of the present disclosure also provide an information receiving method and a network terminal.

Description

Information sending method, information receiving method, and network end
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to Chinese patent application No. 202010613157.7, filed on June 30, 2020, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
The present disclosure relates to the technical field of communication security, and in particular to an information sending method, an information receiving method, and a network end.
BACKGROUND
In a network system, packets (e.g. IP packets) exchanged between different network ends (such as gateways of different networks, different sites, etc.) are often transmitted across a public third-party network (such as the Internet). Because the third-party network is open and transparent, and most packets are plaintext with no adequate security properties of their own, packets in transit over the third-party network may be intercepted, read, tampered with and so on by attackers, leading to serious privacy and security problems.
Therefore, the security of data transmission over untrusted networks is one of the important components of network security, and Internet Protocol Security (IPsec) is one of the key technologies for it. IPsec can establish an Internet Protocol Security tunnel (IPSec tunnel) between two network ends, so that all subsequent packets between them are transmitted inside the tunnel, achieving secure transmission of data over an untrusted network.
However, when the packets transmitted in the IPSec tunnel have different quality of service (QoS) and the data volume is large, the anti-replay window (also called the anti-replay queue) may wrongly discard some packets, affecting the quality and security of the data transmission.
SUMMARY
In a first aspect, an embodiment of the present disclosure provides an information sending method for a network end of an Internet Protocol Security tunnel. The method includes: sending QoS guarantee capability information to the other network end of the tunnel, where the QoS guarantee capability information indicates whether the network end enables the multi-window capability and/or whether the network end enables the multi-numbering capability; the multi-numbering capability is the capability, when sending packets, of independently numbering at least some of the packets that have different QoS, and the multi-window capability is the capability, when receiving packets, of using different preset anti-replay windows to process at least some of the packets that have different QoS.
In a second aspect, an embodiment of the present disclosure provides an information receiving method for a network end of an Internet Protocol Security tunnel. The method includes: receiving QoS guarantee capability information from the other network end of the tunnel, where the QoS guarantee capability information indicates whether the other network end enables the multi-window capability and/or whether the other network end enables the multi-numbering capability; the multi-numbering capability is the capability, when sending packets, of independently numbering at least some of the packets that have different QoS, and the multi-window capability is the capability, when receiving packets, of using different preset anti-replay windows to process at least some of the packets that have different QoS.
In a third aspect, an embodiment of the present disclosure provides a network end of an Internet Protocol Security tunnel, which includes a sending module configured to send QoS guarantee capability information to the other network end of the tunnel, where the QoS guarantee capability information indicates whether the network end enables the multi-window capability and/or whether the network end enables the multi-numbering capability; the multi-numbering capability is the capability, when sending packets, of independently numbering at least some of the packets that have different QoS, and the multi-window capability is the capability, when receiving packets, of using different preset anti-replay windows to process at least some of the packets that have different QoS.
In a fourth aspect, an embodiment of the present disclosure provides a network end of an Internet Protocol Security tunnel, which includes a receiving module configured to receive QoS guarantee capability information from the other network end of the tunnel, where the QoS guarantee capability information indicates whether the other network end enables the multi-window capability and/or whether the other network end enables the multi-numbering capability; the multi-numbering capability is the capability, when sending packets, of independently numbering at least some of the packets that have different QoS, and the multi-window capability is the capability, when receiving packets, of using different preset anti-replay windows to process at least some of the packets that have different QoS.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings of the embodiments of the present disclosure:
Figure 1 is a schematic diagram of two network ends connected through an IPSec tunnel;
Figure 2 is a schematic diagram of the process of handling packets with an anti-replay window;
Figure 3 is a schematic diagram of the process of handling packets in an embodiment of the present disclosure;
Figure 4 is a flowchart of an information sending method provided by an embodiment of the present disclosure;
Figure 5 is a flowchart of another information sending method provided by an embodiment of the present disclosure;
Figure 6 is a flowchart of another information sending method provided by an embodiment of the present disclosure;
Figure 7 is a flowchart of an information receiving method provided by an embodiment of the present disclosure;
Figure 8 is a block diagram of a network end of an Internet Protocol Security tunnel provided by an embodiment of the present disclosure;
Figure 9 is a block diagram of a network end of an Internet Protocol Security tunnel provided by an embodiment of the present disclosure.
DETAILED DESCRIPTION
To enable those skilled in the art to better understand the technical solutions of the embodiments of the present disclosure, the information sending method, information receiving method and network end provided by the embodiments are described in detail below with reference to the drawings.
Embodiments of the present disclosure are described more fully hereinafter with reference to the drawings, but the illustrated embodiments may be embodied in different forms and should not be construed as limited to those set forth here. Rather, these embodiments are provided so that the disclosure is thorough and complete and fully conveys its scope to those skilled in the art.
The drawings of the embodiments are provided for further understanding of the embodiments and form part of the specification; together with the embodiments they serve to explain the disclosure and do not limit it. The above and other features and advantages will become more apparent to those skilled in the art from the description of detailed example embodiments with reference to the drawings.
Embodiments of the present disclosure may be described with reference to plan and/or cross-sectional views by way of idealized schematic illustrations; the example illustrations may therefore be modified according to manufacturing techniques and/or tolerances.
The embodiments of the present disclosure, and the features within them, may be combined with one another where there is no conflict.
The terminology used in this disclosure is for describing particular embodiments only and is not intended to limit the disclosure. As used here, the term "and/or" includes any and all combinations of one or more of the associated listed items. The singular forms "a" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms "comprising" and "made of" specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used in this disclosure have the same meaning as commonly understood by one of ordinary skill in the art. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the related art and of this disclosure, and are not to be interpreted in an idealized or overly formal sense unless expressly so defined here.
Embodiments of the present disclosure are not limited to those shown in the drawings but include modifications of configurations formed on the basis of manufacturing processes. The regions illustrated in the drawings are therefore schematic, and the shapes shown illustrate the specific shapes of regions of elements without being limiting.
In some related technologies, the problem of secure data transmission over untrusted networks is addressed by Internet Protocol Security (IPsec).
IPsec is a protocol suite consisting mainly of three parts: the AH protocol (Authentication Header), the ESP protocol (Encapsulating Security Payload) and the IKE protocol (Internet Key Exchange).
The AH protocol provides data-origin authentication, integrity and an anti-replay service (implemented through the anti-replay window). Data encapsulation, including confidentiality, is based on the ESP protocol; note that ESP carries the same kind of sequence number and is subject to the same anti-replay window check, so the problem discussed below applies to ESP-protected tunnels as well. The IKE protocol is used to establish, by negotiation, an Internet Protocol Security tunnel (IPSec tunnel) between two different network ends.
Specifically, referring to Figure 1, the IKE protocol negotiates a Security Association (SA) based on the five-tuple of source IP, destination IP, protocol number, source port and destination port, and the corresponding IPSec tunnel is established according to the SA. Each SA records the encapsulation mode, encryption algorithm, encryption key, authentication algorithm, authentication key and other information used to protect packets; that is, the SA records the policy and policy parameters of each IPSec tunnel and amounts to a dedicated communication agreement between the two parties of the tunnel (the initiator and the responder). Because SAs are directional, each IPSec tunnel usually contains two SAs (equivalently, each unidirectional IPSec tunnel contains one SA). Each SA is uniquely identified by a Security Parameter Index (SPI), and the subsequently transmitted packets (IPSec packets) carry the SPI so that the receiver can determine which SA, and hence which IPSec tunnel, they belong to.
Of course, besides negotiation through the IKE protocol, an IPSec tunnel can also be established (configured) manually, which is not described in detail here.
Thus, IPsec establishes a dedicated IPSec tunnel between two different network ends; all subsequent packets between them are transmitted in that tunnel and are encrypted, encapsulated, authenticated, decrypted and so on in a specified way, achieving secure transmission of data over untrusted networks and providing privacy and security guarantees for individual mobile users, enterprise mobile users, operators and so on.
To avoid accepting the same packet twice, both parties of the IPSec tunnel (the initiator and the responder) need to process (filter) received packets with an anti-replay window (also called an anti-replay queue).
Specifically, referring to Figures 1 and 2, the packets received by a network end are placed in the receive queue at the position given by their sequence number (SN) (if a packet has not yet been received, the "position" for its sequence number still exists but is empty), and the anti-replay window has a fixed size (length, i.e. the number of packets it covers) and can "slide" along the receive queue.
When a received packet falls within the anti-replay window (its sequence number is within the window's range), the packet is kept; when it falls to the right of the window (its sequence number is larger than the largest sequence number in the window), the window is shifted right so that its upper edge reaches the new packet, which then lies at the right end of the window and is kept; and when it falls to the left of the window (its sequence number is smaller than the smallest sequence number in the window), the packet is discarded, so that a packet with a small sequence number cannot be accepted again. (A packet whose sequence number lies inside the window but has already been accepted is likewise discarded as a replay.)
In many cases the data transmitted in an IPSec tunnel comes from different network elements and therefore has different quality of service (QoS). QoS specifies the packet's delay, loss rate and so on, i.e. the "quality requirement" for transmitting the packet, so when packets pass through intermediate transmission devices (such as routers) the devices process them with different priorities according to their QoS.
Since different packets actually traverse many different intermediate transmission devices, packets with different QoS may arrive in an order that differs from the order in which they were sent (their sequence numbers): a high-priority packet with a large sequence number may be "sent later but arrive earlier", while a low-priority packet with a small sequence number may be "sent earlier but arrive later", producing reordering.
The network ends on the two sides of an IPSec tunnel are usually communication base stations, security gateways and the like; the data transmitted between them may come from many different network elements (such as the terminals of different users), so the volume of data transmitted between them is large.
In particular, with the rapid development of 5G and Internet of Things technology, network traffic keeps growing. For example, the traffic of a typical single 5G base station far exceeds that of 4G (up to 40 Gbps downlink and 20 Gbps uplink), yet a 5G base station and its security gateway are usually connected through only one IPSec tunnel, i.e. all data passes through a single tunnel, so the tunnel's data throughput and packet count are very large.
When the data volume is large and the QoS differs, many packets with large sequence numbers and high priority arrive through the same IPSec tunnel before packets with small sequence numbers and low priority. When the network end first receives a packet with a large sequence number (packet n+100 in Figure 2), the anti-replay window slides right to that packet, and a packet with a small sequence number received afterwards (packet n in Figure 2) then already lies to the left of the window (the window size in Figure 2 is 100) and is wrongly discarded.
That is, when the data volume is large and the IPSec tunnel carries packets with different QoS, some packets are very likely to be discarded in error, affecting the quality and security of the data transmission.
Moreover, simply enlarging the anti-replay window does not solve the problem: on the one hand, an overly large window amounts to giving up the anti-replay function; on the other hand, there is no way to determine how large a window would be needed to avoid the problem entirely.
In a first aspect, an embodiment of the present disclosure provides a method for sending information.
The method of the embodiment is performed by one network end of an Internet security protocol tunnel (IPSec tunnel), which may be the initiator (Initiator) or the responder (Responder) of the tunnel; that is, either network end of the IPSec tunnel may perform the method of the embodiment.
It should be understood that, besides exchanging information with the other network end through the IPSec tunnel, the above network end may also be connected to other network devices in other ways (not through an IPSec tunnel).
By way of example, the network end of the embodiment may be any network element able to establish a connection through an IPSec tunnel, such as a wireless communication base station (e.g. a 2G, 3G, 4G or 5G base station), a set-top box, a security gateway, a firewall device, or a network device loaded with other software.
Referring to FIG. 4, the method for sending information according to the embodiment includes:
Step S101: sending quality of service (QoS) guarantee capability information to the other network end of the IPSec tunnel.
The QoS guarantee capability information indicates whether the network end enables the multi-window capability and/or whether the network end enables the multi-numbering capability.
Here, the multi-numbering capability is the ability, when the network end sends packets, to number at least some packets with different QoS independently of one another; the multi-window capability is the ability, when the network end receives packets, to process at least some packets with different QoS using different preset anti-replay windows.
The network end sends the QoS guarantee capability information to the other network end of the IPSec tunnel to "inform" it of its own QoS guarantee capability, namely whether the network end itself enables the multi-window capability and/or the multi-numbering capability, so that through "negotiation" with the other network end it can be decided whether to enable the corresponding QoS guarantee capability.
"Enabling" a guarantee capability (multi-window or multi-numbering) means that the network end has that capability and wishes to use it.
"Not enabling" a guarantee capability (multi-window or multi-numbering) may mean that the network end does not have the capability at all, or that it has the capability but does not currently wish to use it.
Referring to FIG. 3, the "multi-window capability" is the ability to process received packets with different preset anti-replay windows according to their QoS.
There are at least two preset anti-replay windows, i.e. packets of at least two different QoS are processed in different preset anti-replay windows; and different preset anti-replay windows correspond to different QoS, so a packet of any given QoS is processed in only one preset anti-replay window and never enters the receive queues of two anti-replay windows at the same time.
The "multi-numbering capability" is the ability, when sending packets, to number packets with different QoS independently according to their QoS. Thus, in each numbering sequence, the sequence number (SN) of the packets starts from "1". Of course, the sequence numbers of packets with different QoS may then "repeat", but because packets with different QoS are processed in different preset anti-replay windows, this "repetition" causes no problem.
As noted above, if all packets were still numbered uniformly, adjacent packets of the same QoS could still have widely differing sequence numbers (since many packets of other QoS lie between them), so a single preset anti-replay window could still receive consecutive packets whose sequence numbers differ greatly, and the problem could still arise.
Therefore, when the receiver is to process packets with different QoS using multiple preset anti-replay windows, the sender should first number the packets with different QoS independently.
It should be understood that the multi-window capability and the multi-numbering capability should map QoS in the same way: the QoS corresponding to each preset anti-replay window should be numbered independently.
The QoS corresponding to each preset anti-replay window or independent numbering may be "one" specific QoS, or "a group" of QoS with similar properties, i.e. in fact a "QoS group".
Accordingly, besides indicating whether the multi-numbering capability and the multi-window capability are present, the QoS guarantee capability information may also include more detailed information about the QoS guarantee capability, for example how many groups the packets (or the corresponding preset anti-replay windows and numberings) are divided into according to QoS, and which QoS each group includes.
In the embodiment of the present disclosure, whether to enable the QoS guarantee capability is negotiated by sending QoS guarantee capability information. When the QoS guarantee capability is enabled, at least some packets with different QoS are processed (anti-replay filtered) in different anti-replay windows, so each anti-replay window handles relatively few packets, whose priorities (e.g. QoS) are the same or close. Hence within each anti-replay window the situation where "a packet with a large sequence number is sent later but arrives earlier, while a packet with a small sequence number is sent earlier but arrives later" (i.e. "out of order") is rare, and wrongly discarded packets can be eliminated or greatly reduced without enlarging the anti-replay window, improving the quality guarantee capability of the system.
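The effect described above, reproduced as an added example that is not part of the patent: a Python model of a sliding anti-replay window with the window size of 100 used in FIG. 2, fed constructed traffic in which alternating high- and low-priority packets share one tunnel and the low-priority packets are delayed by the network. The sender, the delivery order, the class names and the delay of 150 send slots are assumptions made for the example. It compares a single window with shared numbering (standard ESP behaviour) against per-QoS windows with per-QoS numbering, and also shows why the two capabilities must go together: independent numbering fed into a single window produces the "repeated" sequence numbers mentioned above, which the window rejects as replays.

```python
"""Single anti-replay window vs. per-QoS windows with per-QoS numbering."""


class AntiReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303: a bitmap over the
    `size` most recent sequence numbers, right edge at the highest one accepted."""

    def __init__(self, size: int = 100):
        self.size = size
        self.top = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) already received
        self.counts = {"accept": 0, "too_old": 0, "replay": 0}

    def check(self, seq: int) -> str:
        """Classify one sequence number and update the window."""
        if seq > self.top:                      # new right edge: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                 # everything older falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            result = "accept"
        else:
            offset = self.top - seq
            if offset >= self.size:             # left of the window: discarded
                result = "too_old"
            elif self.bitmap & (1 << offset):   # inside the window but already seen
                result = "replay"
            else:
                self.bitmap |= 1 << offset
                result = "accept"
        self.counts[result] += 1
        return result


def make_traffic(n_pairs: int, multi_numbering: bool):
    """Constructed sender: alternating 'high' and 'low' QoS packets. With
    multi_numbering each QoS class has its own counter starting at 1; otherwise
    all packets share one counter (standard ESP behaviour)."""
    packets, shared, per_class = [], 0, {"high": 0, "low": 0}
    for _ in range(n_pairs):
        for qos in ("high", "low"):
            shared += 1
            per_class[qos] += 1
            packets.append({"send_idx": len(packets), "qos": qos,
                            "seq": per_class[qos] if multi_numbering else shared})
    return packets


def deliver(packets, low_delay: int):
    """Constructed network: high-priority packets arrive immediately, low-priority
    packets arrive `low_delay` send slots later (stable sort keeps each class in order)."""
    return sorted(packets,
                  key=lambda p: p["send_idx"] + (low_delay if p["qos"] == "low" else 0))


def receive(arrivals, multi_window: bool, size: int = 100) -> dict:
    """Receiver: one window for all traffic, or one preset window per QoS class."""
    windows = {}
    for p in arrivals:
        key = p["qos"] if multi_window else "all"
        windows.setdefault(key, AntiReplayWindow(size)).check(p["seq"])
    totals = {"accept": 0, "too_old": 0, "replay": 0}
    for w in windows.values():
        for k, v in w.counts.items():
            totals[k] += v
    return totals


def simulate(multi_numbering: bool, multi_window: bool,
             n_pairs: int = 200, low_delay: int = 150, size: int = 100) -> dict:
    """Run one sender/network/receiver configuration and return the tally."""
    traffic = make_traffic(n_pairs, multi_numbering)
    return receive(deliver(traffic, low_delay), multi_window, size)


if __name__ == "__main__":
    print("single window, shared numbering    :", simulate(False, False))
    print("per-QoS windows, per-QoS numbering :", simulate(True, True))
    print("per-QoS numbering, single window   :", simulate(True, False))
```

With the constructed traffic the single window wrongly discards most low-priority packets as "too old" even though none of them is a replay, while per-QoS windows with per-QoS numbering accept every packet without enlarging the window; the third configuration shows the false "replay" verdicts that arise when only the sender side of the capability pair is enabled.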
In some optional embodiments, referring to FIG. 5, the network end has (or enables) the multi-window capability, and the method for sending information further includes:
Step S1021: receiving QoS guarantee capability information from the other network end of the IPSec tunnel.
The received QoS guarantee capability information indicates that the other network end of the IPSec tunnel has (or enables) the multi-numbering capability.
After sending QoS guarantee capability information to the other network end of the IPSec tunnel and receiving QoS guarantee capability information from it, the method further includes:
Step S1031: receiving a packet from the other network end of the IPSec tunnel and processing the packet with the preset anti-replay window corresponding to the packet's QoS.
There are multiple preset anti-replay windows, and any two different preset anti-replay windows correspond to different QoS.
When the local network end supports the multi-window capability and also receives QoS guarantee capability information from the other network end of the IPSec tunnel indicating that the other end has (or enables) the multi-numbering capability, the two sides have completed one form of "negotiation" of the QoS guarantee capability.
The local network end can therefore turn on the multi-window capability: when it subsequently receives packets from the other network end of the IPSec tunnel (in which packets of different QoS are, of course, numbered independently by that end), it can analyse the QoS in each packet, place the packet in the corresponding receive queue according to its QoS, and process it with the corresponding preset anti-replay window.
The QoS is determined from any one of the differentiated services code point (DSCP) value, the type of service (TOS) value, the traffic class (TC) value or the priority value carried in the packet.
The QoS information may be carried in the packet header (e.g. the IP header) or in the SPI.
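As an added example, not from the patent, the following Python reads the QoS marking from a packet header as just described: the 6-bit DSCP from the IPv4 DS/TOS byte or from the IPv6 Traffic Class, a constructed mapping of DSCP values into QoS groups (the "QoS group" idea above), and a hypothetical scheme in which the receiver, which chooses the SPI, reserves its low bits for the group index so the group can be read without parsing the inner header. The sample headers, the grouping and the SPI layout are assumptions made for this example.

```python
# Constructed sample headers (not from the patent); only the leading bytes matter here.
IPV4_EF = bytes([0x45, 46 << 2, 0x00, 0x3C]) + bytes(16)    # IPv4, DSCP 46 (EF)
IPV6_AF11 = bytes([0x62, 0x80, 0x00, 0x00]) + bytes(36)     # IPv6, Traffic Class 0x28 (DSCP 10, AF11)


def dscp_of(header: bytes) -> int:
    """Return the 6-bit DSCP of an IPv4 or IPv6 header (low two bits of the field are ECN)."""
    version = header[0] >> 4
    if version == 4:
        return header[1] >> 2                     # DS/TOS byte, upper six bits
    if version == 6:
        # The 8-bit Traffic Class straddles bytes 0 and 1 after the 4-bit version.
        traffic_class = ((header[0] & 0x0F) << 4) | (header[1] >> 4)
        return traffic_class >> 2
    raise ValueError("not an IPv4/IPv6 header")


def qos_group(dscp: int) -> str:
    """Constructed grouping of DSCP values into QoS groups; each group gets its own
    preset anti-replay window and its own numbering. Boundaries are a design choice."""
    if dscp >= 40:            # CS5, EF (46), CS6, CS7: latency-sensitive and control traffic
        return "realtime"
    if 8 <= dscp < 40:        # CS1..CS4 and the AF classes
        return "assured"
    return "best_effort"      # CS0 / default


def group_from_spi(spi: int, bits: int = 4) -> int:
    """Hypothetical SPI layout: the receiver assigns SPIs whose low `bits` carry the
    QoS group index, so a group can be selected from the ESP header alone."""
    return spi & ((1 << bits) - 1)


def window_key(header: bytes) -> str:
    """Key under which the receiver looks up the preset anti-replay window for a packet."""
    return qos_group(dscp_of(header))
```

A receiver keeps one window object per returned key; the test values below use the sample headers defined in the block.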
It should be understood that there is no necessary order between the steps "sending QoS guarantee capability information to the other network end of the IPSec tunnel" and "receiving QoS guarantee capability information from the other network end of the IPSec tunnel".
For example, the local network end may send its QoS guarantee capability information first, after which the other network end "replies" with its own QoS guarantee capability information according to that information; or the other network end may send its QoS guarantee capability information to the local network end first, and the local network end then "replies" with its own; or both sides may send their QoS guarantee capability information to each other independently.
It should be understood that when the other network end sends QoS guarantee capability information, that network end is likewise performing the method of the embodiment of the present disclosure.
In some optional embodiments, referring to FIG. 6, the network end has (or enables) the multi-numbering capability, and the method for sending information further includes:
Step S1022: receiving QoS guarantee capability information from the other network end of the IPSec tunnel.
The received QoS guarantee capability information indicates that the other network end of the IPSec tunnel has (or enables) the multi-window capability.
After sending QoS guarantee capability information to the other network end of the IPSec tunnel and receiving QoS guarantee capability information from it, the method further includes:
Step S1032: sending a packet to the other network end of the IPSec tunnel and determining the sequence number of the packet according to its QoS.
At least some packets with different QoS are numbered independently.
Similarly, when the local network end supports the multi-numbering capability and also receives QoS guarantee capability information from the other network end of the IPSec tunnel indicating that the other end has (or enables) the multi-window capability, the two sides have completed another form of "negotiation" of the QoS guarantee capability.
Subsequently, when the local network end sends packets to the other network end, it numbers packets with different QoS independently so that the other network end can process them with its multi-window capability.
As above, there is no necessary order between the steps "sending QoS guarantee capability information to the other network end of the IPSec tunnel" and "receiving QoS guarantee capability information from the other network end of the IPSec tunnel".
In some optional embodiments, sending QoS guarantee capability information to the other network end of the IPSec tunnel (step S101) includes:
Step S1011: sending the QoS guarantee capability information to the other network end of the IPSec tunnel through a negotiation request message or a negotiation response message used to establish the IPSec tunnel.
In some optional embodiments, the negotiation request message is any one of an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message and an identity information sending message.
The negotiation response message is any one of an IKE_SA_INIT response message, an IKE security proposal confirmation message, a key material sending message and an identity information sending message.
As an optional implementation of the present disclosure, the above "negotiation" may take place while the IPSec tunnel is being established: when negotiating the establishment of the tunnel, besides the information required by the standard IPSec protocol, the QoS guarantee capability information may also be sent, so that the QoS guarantee capability information forms part of the negotiation request message or negotiation response message used to establish the IPSec tunnel (depending on whether the sender of the QoS guarantee capability information is the initiator or the responder of the tunnel).
Specifically, the negotiation request message may be any one of an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message and an identity information sending message; and the negotiation response message is any one of an IKE_SA_INIT response message, an IKE security proposal confirmation message, a key material sending message and an identity information sending message.
Of course, it should be understood that the QoS guarantee capability information received by the local network end may also all be carried in negotiation request messages.
In a second aspect, referring to FIG. 7, an embodiment of the present disclosure provides a method for receiving information, performed by a network end of an IPSec tunnel, which includes:
Step S201: receiving QoS guarantee capability information from the other network end of the IPSec tunnel.
The QoS guarantee capability information indicates whether the other network end of the IPSec tunnel enables the multi-window capability and/or whether the other network end enables the multi-numbering capability, where the multi-numbering capability is the ability, when sending packets, to number at least some packets with different QoS independently, and the multi-window capability is the ability, when receiving packets, to process at least some packets with different QoS using different preset anti-replay windows.
When one network end of the IPSec tunnel sends QoS guarantee capability information, the other network end necessarily receives it, so for a single transmission of QoS guarantee capability information the two network ends of the tunnel respectively perform the two methods of the embodiments of the present disclosure.
When both network ends send QoS guarantee capability information to each other, each network end performs both methods of the embodiments of the present disclosure.
In some optional embodiments, the received QoS guarantee capability information indicates that the other network end of the IPSec tunnel has (or enables) the multi-numbering capability, and the method for receiving information further includes:
Step S2021: sending QoS guarantee capability information to the other network end of the IPSec tunnel, the QoS guarantee capability information indicating that the network end has (or enables) the multi-window capability.
After receiving QoS guarantee capability information from the other network end of the IPSec tunnel and sending QoS guarantee capability information to it, the method for receiving information further includes:
Step S2031: receiving a packet from the other network end of the IPSec tunnel and processing the packet with the preset anti-replay window corresponding to the packet's QoS.
There are multiple preset anti-replay windows, and any two different preset anti-replay windows correspond to different QoS.
In some embodiments, the received QoS guarantee capability information indicates that the other network end of the IPSec tunnel has (or enables) the multi-window capability, and the method for receiving information further includes:
Step S2022: sending QoS guarantee capability information to the other network end of the IPSec tunnel, the QoS guarantee capability information indicating that the network end has (or enables) the multi-numbering capability.
After receiving QoS guarantee capability information from the other network end of the IPSec tunnel and sending QoS guarantee capability information to it, the method for receiving information further includes:
Step S2032: sending a packet to the other network end of the IPSec tunnel and determining the sequence number of the packet according to its QoS, where at least some packets with different QoS are numbered independently.
As above, when the local network end determines from the received QoS guarantee capability information that the other network end has (or enables) the multi-numbering capability or the multi-window capability, the local network end may also send its own QoS guarantee capability information to the other network end, informing it that the local end has (or enables) the multi-window capability or the multi-numbering capability, and subsequently begin to process received packets with the multi-window capability or sent packets with the multi-numbering capability.
As above, there is no necessary order between the steps "sending QoS guarantee capability information to the other network end of the IPSec tunnel" and "receiving QoS guarantee capability information from the other network end of the IPSec tunnel".
As above, the QoS guarantee capability information received and sent by the local network end may in this case also all be carried in negotiation request messages or negotiation response messages.
Specific example 1:
The two sides of an IPSec tunnel (initiator and responder) may "negotiate" the QoS guarantee capability by the method of the embodiment of the present disclosure, which may specifically include the following steps:
A101. The initiator sends a negotiation request message carrying QoS guarantee capability information to the responder.
That is, the initiator "informs" the responder of its own QoS guarantee capability information through the negotiation request message.
The initiator may be a base station, a security gateway, a firewall, or any other network element or function with IPSec capability.
The responder may be a base station, a security gateway, a firewall, or any other network element or function with IPSec capability.
The negotiation request message may be an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message or an identity information sending message.
The QoS guarantee capability information indicates the initiator's support for the multi-window capability and the multi-numbering capability.
A102. After receiving the initiator's request message, the responder replies with a negotiation response message carrying QoS guarantee capability information.
That is, the responder "replies" to the initiator with its own QoS guarantee capability information through the negotiation response message.
The negotiation response message may be an IKE_SA_INIT response message, an IKE security proposal confirmation message, a key material sending message or an identity information sending message.
The QoS guarantee capability information indicates the responder's support for the multi-window capability and the multi-numbering capability.
The content of the QoS guarantee capability information sent by the responder may be determined solely by the responder's own situation, i.e. it need not depend on the QoS guarantee capability information the responder received.
Alternatively, the content of the QoS guarantee capability information sent by the responder may be determined according to the QoS guarantee capability information it received, for example replying only with "meaningful" QoS guarantee capability information. For instance, when the QoS guarantee capability information sent by the initiator indicates that the initiator "does not support (or does not have)" the multi-window capability, then whether the responder supports the multi-numbering capability is in fact irrelevant (even if supported, it cannot be used), so the QoS guarantee capability information sent by the responder need not cover its own multi-numbering capability.
As noted above, only one of steps A101 and A102 may be performed; or the order of steps A101 and A102 may be swapped; or steps A101 and A102 may be performed independently by the two sides of the IPSec tunnel, with no necessary relationship between them.
In short, through the above example both sides of the IPSec tunnel learn each other's QoS guarantee capability and can then decide how to enable the QoS guarantee capability.
Specific example 2:
A specific method of the embodiment of the present disclosure may include the following steps:
A201. The initiator and the responder complete IPSec tunnel negotiation, and the initiator learns that the responder has, or decides to enable, the QoS guarantee capability.
A202. The initiator marks the sequence numbers of the packets (IPSec packets) it sends independently according to SPI and QoS (i.e. independent numbering).
The QoS may be a DSCP value, a TOS value, a Traffic Class value or a priority value.
A203. The initiator sends packets carrying QoS to the responder.
The QoS may be carried in the SPI, i.e. the QoS is filled into the SPI.
Alternatively, the QoS may be carried in the packet's QoS field, i.e. the IP header of the packet already has a QoS field.
A204. The responder receives the packets, extracts the QoS, places IPSec packets with different QoS in different receive queues, and processes them with different anti-replay windows.
Specific example 3:
This example is similar to specific example 2; the difference from specific example 2 is:
The initiator has, or decides to enable, the QoS guarantee capability, so that the responder numbers packets with different QoS independently according to the initiator's QoS guarantee capability information.
Specific example 4:
This example differs from specific example 1 in that, depending on the QoS guarantee capabilities of the initiator and the responder, the following situations may follow specific example 1:
(1) The initiator enables the multi-window capability and the multi-numbering capability; the responder enables the multi-window capability and the multi-numbering capability.
Subsequently, packets sent by the initiator to the responder need to be numbered separately, and packets sent by the responder to the initiator also need to be numbered separately.
At the same time, the initiator needs to process received packets in the multi-window manner, and the responder also needs to process received packets in the multi-window manner.
(2) The initiator enables the multi-window capability but does not enable (e.g. does not have, or does not wish to use) the multi-numbering capability, and the responder enables the multi-numbering capability (the responder's multi-window capability is then irrelevant).
Subsequently, packets sent by the responder to the initiator need to be numbered separately, and the initiator needs to process received packets in the multi-window manner.
Packets sent from the initiator to the responder follow the existing IPSec rules.
(3) The initiator enables the multi-numbering capability but does not enable (e.g. does not have, or does not wish to use) the multi-window capability, and the responder enables the multi-window capability (the responder's multi-numbering capability is then irrelevant).
Subsequently, packets sent by the initiator to the responder need to be numbered separately, and the responder needs to process received packets in the multi-window manner.
Packets sent from the responder to the initiator follow the existing IPSec rules.
(4) The initiator enables neither the multi-window capability nor the multi-numbering capability (e.g. does not have them, or does not wish to use them); the responder's multi-window and multi-numbering capabilities are then irrelevant.
All packets are therefore sent and received according to the existing IPSec rules.
Specific example 5:
In this specific example, QoS guarantee capability information is not conveyed during the IPSec tunnel negotiation stage.
Instead, in the packet sending stage after the IPSec tunnel has been established, the initiator and the responder can carry QoS guarantee capability information in the packets (IPSec packets) and determine from that information whether to enable the QoS guarantee capabilities subsequently.
The QoS guarantee capability information may be carried in the SPI.
Specific example 6:
In this specific example, QoS guarantee capability information is not conveyed at all. Instead, in the packet sending stage, the receiver of a packet uses different preset anti-replay windows to process packets of different QoS, according to the QoS indicated in the SPI.
Specific example 7:
In this specific example, the QoS corresponding to each anti-replay window or numbering space need not be a single QoS; it may be several similar QoS values, that is, a QoS group.
Specific example 8:
In this specific example, the IPSec tunnel may be set up by manual configuration or by IKE negotiation, but its QoS guarantee capability information is configured locally and does not need to be "negotiated".
In a third aspect, with reference to FIG. 8, an embodiment of the present disclosure provides a network end of an IPSec tunnel, which includes a sending module configured to send QoS guarantee capability information to the other network end of the IPSec tunnel. The QoS guarantee capability information indicates whether the network end enables the multi-window capability and/or whether the network end enables the multi-numbering capability. The multi-numbering capability is the capability, when sending packets, to number at least some packets of different QoS independently of each other; the multi-window capability is the capability, when receiving packets, to use different preset anti-replay windows to process at least some packets of different QoS.
Specifically, the network end in the embodiment of the present disclosure may be any network element capable of establishing a connection through an IPSec tunnel, such as a wireless communication base station (e.g. a 2G, 3G, 4G or 5G base station), a set-top box, a security gateway, a firewall device, or a network device loaded with other software.
It should be understood that the network end of the IPSec tunnel in the embodiment of the present disclosure is in fact either party of the IPSec tunnel, so it may also receive QoS guarantee capability information from the other network end of the IPSec tunnel and may therefore also have a receiving module.
In a fourth aspect, with reference to FIG. 9, an embodiment of the present disclosure provides a network end of an IPSec tunnel, which includes a receiving module configured to receive QoS guarantee capability information from the other network end of the IPSec tunnel. The QoS guarantee capability information indicates whether the other network end of the IPSec tunnel enables the multi-window capability and/or whether the other network end enables the multi-numbering capability. The multi-numbering capability is the capability, when sending packets, to number at least some packets of different QoS independently of each other; the multi-window capability is the capability, when receiving packets, to use different preset anti-replay windows to process at least some packets of different QoS.
Specifically, the network end in the embodiment of the present disclosure may be any network element capable of establishing a connection through an IPSec tunnel, such as a wireless communication base station (e.g. a 2G, 3G, 4G or 5G base station), a set-top box, a security gateway, a firewall device, or a network device loaded with other software.
It should be understood that the network end of the IPSec tunnel in the embodiment of the present disclosure is in fact either party of the IPSec tunnel, so it may also send QoS guarantee capability information to the other network end of the IPSec tunnel and may therefore also have a sending module.
Those of ordinary skill in the art will understand that all or some of the steps, systems and functional modules/units in the apparatus disclosed above may be implemented as software, firmware, hardware or suitable combinations thereof.
In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed cooperatively by several physical components.
Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit (CPU), a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information, such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory (FLASH) or other disk storage; compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage; magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage; or any other medium that can be used to store the desired information and that can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
The present disclosure has disclosed example embodiments, and although specific terms are employed, they are used and are to be interpreted in a generic and descriptive sense only and not for purposes of limitation. In some instances, as will be apparent to those skilled in the art, features, characteristics and/or elements described in connection with a particular embodiment may be used alone or in combination with features, characteristics and/or elements described in connection with other embodiments, unless expressly indicated otherwise. Accordingly, it will be understood by those skilled in the art that various changes in form and detail may be made without departing from the scope of the present disclosure as set forth in the appended claims.

Claims (10)

  1. A method for sending information, used at a network end of an Internet security protocol tunnel, the method comprising:
    sending quality of service (QoS) guarantee capability information to the other network end of the Internet security protocol tunnel,
    wherein the QoS guarantee capability information is used to indicate whether the network end enables a multi-window capability and/or whether the network end enables a multi-numbering capability, wherein the multi-numbering capability is the capability, when sending packets, to number at least some packets of different QoS independently of each other, and the multi-window capability is the capability, when receiving packets, to use different preset anti-replay windows to process at least some packets of different QoS.
  2. The method according to claim 1, wherein the network end has the multi-window capability;
    the method further comprises: receiving QoS guarantee capability information from the other network end of the Internet security protocol tunnel, wherein the received QoS guarantee capability information indicates that the other network end of the Internet security protocol tunnel has the multi-numbering capability; and
    after the sending of QoS guarantee capability information to the other network end of the Internet security protocol tunnel and the receiving of QoS guarantee capability information from the other network end of the Internet security protocol tunnel, the method further comprises: receiving a packet from the other network end of the Internet security protocol tunnel, and processing the packet using the preset anti-replay window corresponding to the QoS of the packet, wherein there are a plurality of preset anti-replay windows, and any two different preset anti-replay windows correspond to different QoS.
  3. The method according to claim 1, wherein the network end has the multi-numbering capability;
    the method further comprises: receiving QoS guarantee capability information from the other network end of the Internet security protocol tunnel, wherein the received QoS guarantee capability information indicates that the other network end of the Internet security protocol tunnel has the multi-window capability;
    after the sending of QoS guarantee capability information to the other network end of the Internet security protocol tunnel and the receiving of QoS guarantee capability information from the other network end of the Internet security protocol tunnel, the method further comprises: sending a packet to the other network end of the Internet security protocol tunnel, and determining the sequence number of the packet according to the QoS of the packet, wherein at least some packets of different QoS are numbered independently of each other.
  4. The method according to claim 1, wherein the sending of QoS guarantee capability information to the other network end of the Internet security protocol tunnel comprises:
    sending the QoS guarantee capability information to the other network end of the Internet security protocol tunnel by means of a negotiation request message or a negotiation response message for establishing the Internet security protocol tunnel.
  5. The method according to claim 4, wherein
    the negotiation request message is any one of an IKE_SA_INIT request message, a local IKE security proposal sending message, a key material sending message and an identity information sending message;
    the negotiation response message is any one of an IKE_SA_INIT response message, an IKE security proposal confirmation message, a key material sending message and an identity information sending message.
  6. A method for receiving information, used at a network end of an Internet security protocol tunnel, the method comprising:
    receiving quality of service (QoS) guarantee capability information from the other network end of the Internet security protocol tunnel;
    wherein the QoS guarantee capability information is used to indicate whether the other network end of the Internet security protocol tunnel enables a multi-window capability and/or whether the other network end enables a multi-numbering capability, wherein the multi-numbering capability is the capability, when sending packets, to number at least some packets of different QoS independently of each other, and the multi-window capability is the capability, when receiving packets, to use different preset anti-replay windows to process at least some packets of different QoS.
  7. The method according to claim 6, wherein the received QoS guarantee capability information indicates that the other network end of the Internet security protocol tunnel has the multi-numbering capability;
    the method further comprises: sending QoS guarantee capability information to the other network end of the Internet security protocol tunnel, wherein the sent QoS guarantee capability information indicates that the network end has the multi-window capability;
    after the receiving of QoS guarantee capability information from the other network end of the Internet security protocol tunnel and the sending of QoS guarantee capability information to the other network end of the Internet security protocol tunnel, the method further comprises: receiving a packet from the other network end of the Internet security protocol tunnel, and processing the packet using the preset anti-replay window corresponding to the QoS of the packet, wherein there are a plurality of preset anti-replay windows, and any two different preset anti-replay windows correspond to different QoS.
  8. The method according to claim 6, wherein the received QoS guarantee capability information indicates that the other network end of the Internet security protocol tunnel has the multi-window capability;
    the method further comprises: sending QoS guarantee capability information to the other network end of the Internet security protocol tunnel, wherein the sent QoS guarantee capability information indicates that the network end has the multi-numbering capability;
    after the receiving of QoS guarantee capability information from the other network end of the Internet security protocol tunnel and the sending of QoS guarantee capability information to the other network end of the Internet security protocol tunnel, the method further comprises: sending a packet to the other network end of the Internet security protocol tunnel, and determining the sequence number of the packet according to the QoS of the packet, wherein at least some packets of different QoS are numbered independently of each other.
  9. A network end of an Internet security protocol tunnel, comprising:
    a sending module, which sends quality of service (QoS) guarantee capability information to the other network end of the Internet security protocol tunnel;
    wherein the QoS guarantee capability information is used to indicate whether the network end enables a multi-window capability and/or whether the network end enables a multi-numbering capability, wherein the multi-numbering capability is the capability, when sending packets, to number at least some packets of different QoS independently of each other, and the multi-window capability is the capability, when receiving packets, to use different preset anti-replay windows to process at least some packets of different QoS.
  10. A network end of an Internet security protocol tunnel, comprising:
    a receiving module, configured to receive quality of service (QoS) guarantee capability information from the other network end of the Internet security protocol tunnel;
    wherein the QoS guarantee capability information is used to indicate whether the other network end of the Internet security protocol tunnel enables a multi-window capability and/or whether the other network end enables a multi-numbering capability, wherein the multi-numbering capability is the capability, when sending packets, to number at least some packets of different QoS independently of each other, and the multi-window capability is the capability, when receiving packets, to use different preset anti-replay windows to process at least some packets of different QoS.
PCT/CN2021/103364 2020-06-30 2021-06-30 Information sending method, information receiving method and network WO2022002098A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010613157.7A CN113872915A (en) 2020-06-30 2020-06-30 Information sending method, information receiving method and network terminal
CN202010613157.7 2020-06-30

Publications (1)

Publication Number Publication Date
WO2022002098A1 true WO2022002098A1 (en) 2022-01-06

Family

ID=78981214

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/103364 WO2022002098A1 (en) 2020-06-30 2021-06-30 Information sending method, information receiving method and network

Country Status (2)

Country Link
CN (1) CN113872915A (en)
WO (1) WO2022002098A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102055733A (en) * 2009-10-30 2011-05-11 华为技术有限公司 Method, device and system for negotiating business bearing tunnels
CN102724713A (en) * 2011-03-30 2012-10-10 华为技术有限公司 Method and related device for data packet transmission
US20160337398A1 (en) * 2015-05-15 2016-11-17 Cisco Technology, Inc. Anti-Replay Checking with Multiple Sequence Number Spaces
US20190141019A1 (en) * 2017-07-31 2019-05-09 Cisco Technology, Inc. Ipsec anti-replay window with quality of service

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011109992A1 (en) * 2010-08-06 2011-09-15 华为技术有限公司 Method, device and system for obtaining information
CN103152343B (en) * 2013-03-04 2015-09-16 北京神州绿盟信息安全科技股份有限公司 Set up method and the network equipment in internet security Protocol virtual private network tunnel
US9843505B2 (en) * 2015-05-28 2017-12-12 Cisco Technology, Inc. Differentiated quality of service using tunnels with security as a service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MOTOROLA MOBILITY; LENOVO; BROADCOM; HUAWEI; HISILICON: "PDU Session Setup over Untrusted Non-3GPP Access with IKEv2", 3GPP DRAFT; S2-170081_PDU SESSION WITH IKEV2_V7, vol. SA WG2, 10 January 2017 (2017-01-10), Spokane, WA, USA, pages 1 - 6, XP051205522 *

Also Published As

Publication number Publication date
CN113872915A (en) 2021-12-31

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 22/05/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21834257

Country of ref document: EP

Kind code of ref document: A1