WO2022257643A1 - Network transport layer data processing method, device and storage medium - Google Patents
Network transport layer data processing method, device and storage medium
- Publication number: WO2022257643A1 (PCT/CN2022/090383)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- transport layer
- network transport
- layer data
- ebpf
- kernel
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/321—Interlayer communication protocols or service data unit [SDU] definitions; Interfaces between layers
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/30—Definitions, standards or architectural aspects of layered protocol stacks
- H04L69/32—Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/322—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
- H04L69/326—Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the transport layer [OSI layer 4]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Definitions
- the embodiments of the present application relate to the communication field, and in particular to a data processing method, device, and storage medium of a network transport layer.
- IPSec Internet Protocol Security
- TLS Transport Layer Security
- OSI model Open System Interconnection Reference Model
- IPSec protects all IP-based communication, while TLS works at the fourth layer of the OSI model, the transport layer, generally on top of a reliable transport layer protocol such as the connection-oriented Transmission Control Protocol (TCP), or on the connectionless User Datagram Protocol (UDP), and provides data security and integrity protection for upper-layer applications. Specifically, it uses a client-server model to create a secure transmission connection/tunnel between two applications, preventing eavesdropping on or tampering with the exchanged data.
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- the above-mentioned encryption processing method or mechanism can realize the encryption or decryption processing of data in the kernel
- However, in practical applications the IPSec-based method requires the system administrator to modify the network configuration or connection topology of the system, for example by creating a new virtual network device or modifying the global routing table; that is, it places an intrusive configuration requirement on the system operating environment. With the TLS-based method, the application program must actively initiate and participate in establishing the transmission connection/tunnel, and the related configuration parameters and sensitive data, such as digital certificates, generally also have to be maintained by the application itself; that is, it places an intrusive configuration requirement on the application program itself.
- the embodiment of the present application provides a network transport layer data processing method, which is applied to the extended Berkeley packet filter eBPF program running in the kernel.
- The network transport layer data processing method includes: obtaining the network transport layer data packets that need to be distributed; analyzing the network transport layer data packet and determining the network transport layer data processing method that needs to be performed on it; and processing the network transport layer data packet according to that network transport layer data processing method.
- The embodiment of the present application also provides a network transport layer data processing method applied to a management program running on the user plane, which includes: after the management program is started, monitoring whether operation instructions for the eBPF program running in the kernel and/or statistical data collected by the eBPF program while processing network transport layer data packets are received; if an operation instruction for the eBPF program is received, processing the eBPF program according to the operation instruction; and if statistical data collected by the eBPF program while processing network transport layer data packets is received, processing the statistical data.
- The embodiment of the present application also provides a network transport layer data processing device, including: a management program running on the user plane, an eBPF program running in the kernel, at least one processor, and a memory communicatively connected to the at least one processor. The management program is used to load the eBPF program into the kernel of the environment so that the eBPF program runs in the kernel; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that it can execute any one of the above-mentioned network transport layer data processing methods.
- the embodiment of the present application also provides a computer-readable storage medium storing a computer program.
- When the computer program is executed by a processor, any one of the above-mentioned network transport layer data processing methods is realized.
- Fig. 1 is a schematic diagram of the corresponding relationship between the traditional IPSec protocol, the TLS protocol and the OSI model;
- FIG. 2 is a schematic flow diagram of a network transport layer data processing method applied to a management program provided by an embodiment of the present application
- Fig. 3 is another schematic flow chart of the network transport layer data processing method applied to the management program provided by the embodiment of the present application;
- FIG. 4 is a schematic diagram of the interaction between the management program and the eBPF program involved in the network transport layer data processing method shown in FIG. 2 or FIG. 3;
- Fig. 5 is a schematic flow chart of a method for processing network transport layer data applied to an eBPF program provided by an embodiment of the present application
- Fig. 6 is another schematic flowchart of the network transport layer data processing method applied to the eBPF program provided by the embodiment of the present application;
- Fig. 7 is a schematic diagram of realizing fully transparent transmission encryption between node A and node B based on the network transport layer data processing method provided by the embodiment of the present application;
- Fig. 8 is a schematic diagram of realizing joint encryption with an upper-layer application program between node A and node B based on the data processing method of the network transport layer provided by the embodiment of the present application;
- FIG. 9 is a schematic structural diagram of a network transport layer data processing device provided by an embodiment of the present application.
- The network transport layer data processing method, device, and storage medium proposed in the embodiments of the present application load and run, on the user plane, a management program capable of managing eBPF programs, and then use the management program to pre-register the eBPF program in the kernel. The eBPF program intercepts in the kernel the network transport layer data packets that the kernel needs to distribute, such as outgoing and incoming network transport layer data packets, determines the network transport layer data processing method for those packets, and finally processes the currently intercepted network transport layer data packets according to the determined method.
- In this way, the entire network transport layer data processing process is completed by the eBPF program pre-loaded in the kernel, without the system environment or upper-layer applications having to change their own state or take part in the actual processing. This transparency to the system environment and upper-layer applications eliminates additional deployment, configuration, operation and maintenance, and development costs, and also ensures good compatibility with the system environment and upper-layer applications.
- In addition to simply encrypting or decrypting network transport layer data packets with the eBPF program loaded in the kernel, the network transport layer data processing solution provided by this embodiment can also have the eBPF program cooperate with an upper-layer application, such as an application program running on the user plane, to realize joint encryption or decryption processing. In this way the encryption/decryption method of the upper-layer application is combined in, according to actual business needs and with minimal modification of the upper-layer application, to further improve the security of network transport layer data packets during transmission.
- FIG. 2 is a flow chart of a method for processing network transport layer data provided by an embodiment of the present application.
- the method is mainly applied to a management program running on a user plane.
- the network transport layer data processing method provided by this embodiment includes the following steps:
- Step 201 after the management program is started, monitor whether operation instructions for the eBPF program running in the kernel and/or statistical data collected by the eBPF program during the processing of network transport layer data packets are received.
- eBPF programs are essentially special code that runs in the kernel. Users can write functional code within the limits the kernel specifies; after this code is compiled into bytecode, it is loaded into a special virtual machine in the kernel for execution. Therefore, in order to manage the eBPF program according to actual business requirements, this embodiment provides a management program running on the user plane, so that the user can manage the eBPF program running in the kernel through the management program.
- the management program is not only responsible for loading or registering eBPF programs into the kernel, but also provides user interaction interfaces.
- Loading the eBPF program into the kernel by the above-mentioned management program means loading the bytecode of the eBPF program that realizes the corresponding function to the specified location in the kernel, so that when a network transport layer data packet needs to be distributed by the kernel, for example when it is sent out or received, the network transport layer data packet arriving at the kernel can be intercepted by the eBPF program loaded in the kernel, and the eBPF program then processes the network transport layer data packet according to the corresponding functional interface/function.
- The user interaction interface provided by the management program is specifically used to receive the user's operation instructions for the eBPF program running in the kernel.
- The management program is also used to feed back to the user, through the user interaction interface, the statistical data generated by the eBPF program while processing network transport layer data packets, such as the number of successful encryptions/decryptions, and/or information such as the running status and current configuration parameters of the eBPF program, so that the user can perform follow-up operations according to the current running state of the eBPF program.
- If it is monitored that an operation instruction for the eBPF program running in the kernel has been received, go to step 202; if it is monitored that statistical data output by the eBPF program running in the kernel has been received, go to step 203.
- The management program can store and/or display the above received information according to the pre-configured business requirements, or feed it back to the user through the user interaction interface.
- Step 202 process the eBPF program according to the operation instruction.
- The operation instructions for the eBPF program running in the kernel that the management program receives through the user interaction interface are divided into the following three types: a configuration information update instruction, an eBPF program replacement instruction, or an eBPF program uninstallation instruction.
- The management program processes the eBPF program already running in the kernel differently for each type, as follows:
- If the operation instruction is a configuration information update instruction, the configuration information to be updated is extracted from it.
- configuration information mentioned in this embodiment includes any one or more of encryption and decryption conditions, encryption rules, and decryption rules.
- The encryption and decryption conditions are used to judge whether a network transport layer data packet needs to be encrypted or decrypted.
- the encryption rules mentioned above at least include the specific encryption algorithm used to encrypt the network transport layer data packets that need to be encrypted.
- the encryption rule also needs to include the required key for encryption using the specified encryption algorithm.
- the above-mentioned decryption rule at least includes a specific decryption algorithm used for decrypting the network transport layer data packets that need to be decrypted.
- the decryption rule also needs to include the key required for decryption using the specified decryption algorithm.
- Encryption processing and decryption processing usually occur in pairs, so the configuration information about encryption processing of the eBPF program running in the kernel of the sender of the network transport layer data packet, for example node A, needs to be coordinated with the configuration information about decryption processing of the eBPF program running in the kernel of the receiver, for example node B.
- the configuration information mapping table mentioned in this embodiment is the BPF MAP involved in the eBPF technology.
- a corresponding BPF MAP can be designed for different eBPF programs that can run in the kernel, or a global BPF MAP can be designed, and all eBPF programs that can run in the kernel share a BPF MAP.
- The parameters required by the eBPF program for encryption and decryption need to be defined in the BPF MAP.
- When the management program manages the eBPF program running in the kernel, for example to modify the configuration information, it only needs to update the configuration information that needs to be modified into the BPF MAP; after the eBPF program is activated in the kernel, it actively looks up the configuration information it needs in the BPF MAP and then acts according to the configuration information found.
- The BPF MAP is essentially an exchange mechanism/communication mechanism provided by the kernel. Based on the BPF MAP, the management program running on the user plane and the eBPF program running in the kernel can interact.
- If the operation instruction is an eBPF program replacement instruction, the replacement eBPF program is extracted from it.
- Step 203 process the statistical data.
- When the management program receives statistical data provided by the eBPF program while encrypting/decrypting network transport layer data packets, such as the number of successful encryptions or the number of successful decryptions, the processing the management program performs on the statistical data may be storing it in a preset storage area and/or displaying it in a preset format.
- Only when the received operation instruction is an eBPF program uninstallation instruction and the eBPF program has been uninstalled does the management program exit the current message processing operation and stop executing the network transport layer data processing method provided by this embodiment. In other cases, such as a configuration parameter modification instruction or an eBPF program replacement instruction, after the eBPF program already running in the kernel has been processed, or after the statistical data has been processed, it automatically proceeds to the next message processing.
- In the network transport layer data processing method provided by this embodiment, the management program is deployed on the user plane and started; it loads the eBPF program capable of encryption and decryption processing into the kernel, monitors the feedback from the eBPF program running in the kernel and the operation instructions issued by the user, and then, according to the monitored results, either responds directly on the user plane or manages the eBPF program running in the kernel, thereby realizing dynamic management of the eBPF program.
- Because the management program directly manages the eBPF program running in the kernel, it can activate and deactivate the eBPF program for encryption and decryption, change configuration information, and perform other operations without the system environment or upper-layer applications being aware of it, so as to dynamically adjust the encryption and decryption of the data to be transmitted, that is, of the network transport layer data packets, and make the network transport layer data processing better meet changing business needs.
- The network transport layer data processing method provided in this embodiment thus truly achieves transparency to the system environment and upper-layer applications, eliminating additional deployment, configuration, operation and maintenance, and development costs, while also ensuring good compatibility between the system environment and upper-layer applications.
- the eBPF program can also cooperate with upper-layer applications to complete data encryption or protection.
- For example, an upper-layer application can intentionally send an illegal data packet. If the corresponding eBPF program is deployed in the receiver's environment (and its parameters are configured correctly), the eBPF program can process the illegal data packet before the receiver's kernel sees the data.
- For the sending node, such as node A, no management program needs to be deployed on the user plane and no eBPF program needs to be loaded in the kernel.
- For node B, which receives node A's encrypted network transport layer data packets through the upper-layer application, it is necessary to deploy a management program on the user plane and register the eBPF program in the kernel, so that they cooperate to process the network transport layer data packets.
- FIG. 3 is another flow chart of a method for processing network transport layer data provided by an embodiment of the present application.
- the method is mainly applied to a management program running on a user plane.
- the network transport layer data processing method includes the following steps:
- Step 301 read configuration information from a preset address.
- In order to ensure that the network transport layer data packets the kernel needs to distribute, whether inbound, that is, network transport layer data packets the kernel receives from other nodes, or outbound, that is, network transport layer data packets the kernel needs to send to other nodes, can be intercepted by the eBPF program running in the kernel when they reach the kernel, and that the eBPF program performs the corresponding network transport layer data processing on the intercepted packets, such as encryption or decryption, it must be guaranteed that the eBPF program is already running in the kernel. Therefore, when the network transport layer data processing method provided by this embodiment is executed for the first time, that is, when the management program is deployed to the user plane and started, the management program needs to read configuration information from a preset address, for example from one of the configuration information files.
- the configuration information read by the management program from the preset address also includes any one or more of encryption and decryption conditions, encryption rules, and decryption rules.
- Step 302 checking the integrity of eBPF programs and configuration information that need to be registered in the kernel.
- Before the management program registers the pre-designed eBPF program into the kernel and configures the read configuration information into the configuration information mapping table corresponding to the eBPF program, it needs to check the integrity of the eBPF program and of the configuration information.
- Step 303 if the eBPF program and configuration information are complete, register the eBPF program into the kernel, so that the eBPF program runs on the kernel.
- The management program loads the bytecode of the eBPF program into the kernel of the environment in which it is located, so that the eBPF program is loaded into the kernel, and then exchanges data with the eBPF program through system call functions/interfaces (syscalls).
- system call function/interface (syscall)
- The management program also provides external management and query interfaces, such as user interaction interfaces, so that the eBPF program running in the kernel can be processed accordingly according to operation instructions input from outside.
- external management and query interfaces, such as user interaction interfaces
- Step 304 configure the configuration information into the configuration information mapping table corresponding to the eBPF program.
- the configuration information mapping table mentioned in this embodiment is the BPF MAP involved in the eBPF technology.
- The eBPF program provided in this embodiment and the management program may exchange configuration data or runtime statistical data through one or more BPF MAPs.
- Step 305 enter message processing cycle operation.
- Entering the message processing loop operation mentioned above refers to constructing the message queue in advance and, each time a message that needs to be processed is detected, such as an operation instruction for the eBPF program and/or data written by the eBPF program into the BPF MAP, processing that message according to its type.
- Step 306 if a configuration information update instruction for the eBPF program is received, extract the configuration information to be updated from the configuration information update instruction, and update the configuration information mapping table corresponding to the eBPF program according to the extracted configuration information to be updated.
- Step 307 if an eBPF program replacement instruction for the eBPF program is received, extract the replacement eBPF program from the eBPF program replacement instruction, register the replacement eBPF program into the kernel, and after the replacement eBPF program has been registered into the kernel, uninstall the original eBPF program.
- Step 308 if an eBPF program uninstallation instruction for the eBPF program is received, uninstall the eBPF program running in the kernel.
- Step 309 if the eBPF program counts statistical data during the processing of network transport layer data packets, the statistical data will be stored in a preset storage area and/or displayed in a preset format.
- steps 306 to 307 in this embodiment are roughly the same as several specific processing methods given in steps 202 and 203 in the embodiment shown in FIG. 2 , so details will not be repeated here.
- The network transport layer data processing method uses the management program running on the user plane to load the eBPF program into the kernel before the network transport layer data processing is performed, and to configure and manage the eBPF program.
- The configuration information used by the eBPF program in encryption and decryption processing is configured in the configuration information mapping table, so that when there is a network transport layer data packet that needs to be distributed by the kernel, the eBPF program can perform the corresponding encryption or decryption processing.
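As an added example that is not part of the patent's text, the following user-space C program simulates the management program side of Fig. 2 and Fig. 3: taking the read configuration, checking the integrity of the bytecode and of the configuration (the patent does not say how this is checked; a CRC32 over the bytecode compared with a reference value, plus a completeness check of the rule, is this example's choice), registering the program, and then draining a message queue of configuration-update, replace, uninstall and statistics messages (steps 305 to 309). The BPF MAP is stood in for by a plain struct, the bytecode by two constructed eight-byte instruction sequences, and every struct, field and function name is an assumption; a real management program would load the object through the bpf() syscall, typically via libbpf, rather than copying bytes into a struct.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Configuration the eBPF program reads from the BPF MAP, simulated as a plain
 * struct; every field, function and constant name here is this example's assumption. */
struct crypto_config {
    uint16_t port;           /* encryption/decryption condition: peer port */
    char     algorithm[16];  /* encryption/decryption rule: algorithm name */
    uint8_t  key[16];        /* encryption/decryption rule: key material */
};
enum msg_type { MSG_CONFIG_UPDATE, MSG_PROGRAM_REPLACE, MSG_PROGRAM_UNINSTALL, MSG_STATS };
struct message {                          /* one entry of the message queue (step 305) */
    enum msg_type        type;
    struct crypto_config cfg;             /* MSG_CONFIG_UPDATE */
    const uint8_t       *prog;            /* MSG_PROGRAM_REPLACE: new bytecode ... */
    size_t               prog_len;
    uint32_t             prog_crc;        /* ... and the CRC32 it is expected to have */
    unsigned             enc_ok, dec_ok;  /* MSG_STATS: counters reported by the kernel */
};
struct manager {
    int                  running;     /* cleared once the program is uninstalled */
    uint32_t             loaded_crc;  /* identity of the bytecode in the kernel, 0 = none */
    unsigned             loads;       /* how many programs passed the check and were registered */
    struct crypto_config map;         /* stands in for the BPF MAP */
    unsigned             total_enc, total_dec;
};

/* Constructed stand-ins for eBPF bytecode (one 'mov r0, imm' instruction each). */
const uint8_t PROG_V1[8] = { 0xb7, 0, 0, 0, 1, 0, 0, 0 };
const uint8_t PROG_V2[8] = { 0xb7, 0, 0, 0, 2, 0, 0, 0 };

/* Bitwise CRC32 (IEEE). The patent only says integrity is checked; comparing a CRC
 * with a reference value shipped alongside the program is this example's choice. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Configuration integrity: a usable rule names an algorithm and has a non-zero key. */
int config_is_complete(const struct crypto_config *c)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof c->key; i++) acc |= c->key[i];
    return c->algorithm[0] != '\0' && acc != 0;
}

/* Steps 302/303: verify, then "register". Only a verified program ever replaces
 * loaded_crc, so a failed check leaves whatever was already running in place. */
int register_program(struct manager *m, const uint8_t *prog, size_t len, uint32_t crc)
{
    if (len == 0 || crc32_bytes(prog, len) != crc) return -1;
    m->loaded_crc = crc;
    m->loads++;
    return 0;
}

/* Steps 306-309, one message each: 306 updates the BPF MAP in place, 307 registers
 * the new program (the old one is gone once that succeeds), 308 unloads and ends the
 * loop, 309 accumulates statistics for later storage/display. Returns 1 to continue. */
int handle_message(struct manager *m, const struct message *msg)
{
    switch (msg->type) {
    case MSG_CONFIG_UPDATE:     if (config_is_complete(&msg->cfg)) m->map = msg->cfg; return 1;
    case MSG_PROGRAM_REPLACE:   register_program(m, msg->prog, msg->prog_len, msg->prog_crc); return 1;
    case MSG_PROGRAM_UNINSTALL: m->loaded_crc = 0; m->running = 0; return 0;
    case MSG_STATS:             m->total_enc += msg->enc_ok; m->total_dec += msg->dec_ok; return 1;
    }
    return 1;
}

/* Step 305: drain the queue until it is empty or the program has been uninstalled. */
size_t run_loop(struct manager *m, const struct message *q, size_t n)
{
    size_t handled = 0;
    while (handled < n && m->running) handle_message(m, &q[handled++]);
    return handled;
}

/* Constructed walk-through: steps 301-304 with PROG_V1, then a queue in which a
 * tampered replacement is rejected, a good one accepted, and an uninstall ends the loop. */
struct manager demo_state;
size_t demo(void)
{
    struct crypto_config cfg = { 8443, "aes-128-gcm", { 0x11 } }, cfg2 = cfg;
    uint32_t crc1 = crc32_bytes(PROG_V1, 8), crc2 = crc32_bytes(PROG_V2, 8);
    cfg2.port = 9443;
    struct message q[7] = {
        { MSG_CONFIG_UPDATE,     cfg2, NULL,    0, 0,        0,  0 },
        { MSG_STATS,             cfg,  NULL,    0, 0,       10,  4 },
        { MSG_PROGRAM_REPLACE,   cfg,  PROG_V2, 8, crc2 ^ 1, 0,  0 },  /* CRC mismatch: rejected */
        { MSG_PROGRAM_REPLACE,   cfg,  PROG_V2, 8, crc2,     0,  0 },  /* accepted */
        { MSG_STATS,             cfg,  NULL,    0, 0,        5,  6 },
        { MSG_PROGRAM_UNINSTALL, cfg,  NULL,    0, 0,        0,  0 },
        { MSG_STATS,             cfg,  NULL,    0, 0,       99, 99 },  /* never reached */
    };
    memset(&demo_state, 0, sizeof demo_state);
    if (!config_is_complete(&cfg) || register_program(&demo_state, PROG_V1, 8, crc1) != 0) return 0;
    demo_state.map = cfg;
    demo_state.running = 1;
    return run_loop(&demo_state, q, 7);
}
```

The ordering inside `register_program` is the point of step 307: the replacement is checked and registered before anything about the old program changes, so a replacement that fails its integrity check leaves the original program running and the kernel is never left without an active program. The final statistics message is never handled because the uninstall message ends the loop, which is the exit behaviour the description gives for that instruction.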
- FIG. 5 is a flowchart of a method for processing network transport layer data provided by an embodiment of the present application.
- the method is mainly applied to an eBPF program running on a kernel.
- the network transport layer data processing method mentioned in this embodiment specifically refers to the encryption or decryption of the network transport layer data packets to be distributed by the kernel by the eBPF program running in the kernel.
- the network transport layer data processing method provided in this embodiment includes the following steps:
- Step 501 acquiring network transport layer data packets to be distributed.
- The network transport layer data packets that need to be distributed in this embodiment specifically refer to received network transport layer data packets that the kernel needs to distribute to the node's upper-layer applications, such as applications running on the user plane; that is, the network transport layer data packets that need to be distributed come from other nodes.
- the network transport layer data packets that need to be distributed may also be distributed by the kernel to other nodes, that is, the network transport layer data packets that need to be distributed need to be sent by the kernel to other nodes.
- The eBPF program loaded into the kernel is not always running, or activated; it is triggered by the kernel, and then executes the network transport layer data processing method provided in this embodiment.
- The network transport layer data packets to be distributed that are obtained are essentially passed to the eBPF program after the kernel triggers it.
- Step 502 analyzing the network transport layer data packet, and determining the network transport layer data processing method that needs to be performed on the network transport layer data packet.
- the protocol header of the network transport layer data packet carries information such as the protocol used to transmit the packet and the four-tuple, so the processing that the packet needs can be determined from this information.
- the protocol header of the network transport layer data packet is extracted by parsing the packet, and then, according to the protocol header and the pre-configured encryption and decryption conditions, it is judged whether the packet needs to be encrypted or decrypted.
- if it is determined that the network transport layer data packet needs to be encrypted, the network transport layer data processing method to be performed on it is the encryption processing method; if it is determined that the packet needs to be decrypted, the network transport layer data processing method to be performed on it is the decryption processing method.
- the encryption and decryption conditions mentioned in this embodiment are specifically provided by the management program running on the user plane.
- the encryption and decryption conditions may be predetermined protocols for encrypting or decrypting network transport layer data packets transmitted.
- encryption and decryption conditions may also be specified for a specific port number (source port number and/or destination port number) or a specific IP address (source IP address and/or destination IP address).
- the network transport layer data processing methods for the network transport layer data packets that need to be distributed are roughly divided into encryption processing and decryption processing.
- the network transport layer data packets that need to be sent to other nodes are usually encrypted, and the network transport layer data packets received from other nodes are decrypted. Based on this, when determining the network transport layer data processing method that needs to be performed on the network transport layer data packets, it can be specifically determined whether the current network data needs to be sent out or received.
- Step 503 process the network transport layer data packet according to the network transport layer data processing mode.
- the processing of the network transport layer data packets is specifically:
- the aforementioned pre-configured encryption rules are also provided by the management program running on the user plane. Specifically, the management program reads the configuration information including encryption rules from the preset address, and then configures the read configuration information into the configuration information mapping table corresponding to the eBPF program. Therefore, the above-mentioned operation of selecting the target encryption rule specifically selects an encryption rule from the configuration information mapping table that is suitable for the current network transport layer data packets that need to be encrypted.
- the encryption rule needs to include at least a specific encryption algorithm.
- the encryption rule also needs to include the encryption key, which can be understood as an encryption parameter.
- how to select a target encryption rule suitable for the current network transport layer data packets that need to be encrypted can be determined according to the content of the protocol header of the current network transport layer data packets that need to be encrypted.
- the specific encryption method and key corresponding to a certain protocol, a specific port number, or a certain IP address are specified in advance; then, when selecting the target encryption rule, the protocol header of the network transport layer data packet to be encrypted can be used to quickly and accurately select an encryption rule suitable for that packet.
- all network transport layer data packets that need to be encrypted may adopt the same encryption rule.
- the payload part of the network transport layer data packet is encrypted.
- the protocol header is updated to obtain the encrypted network transport layer data packet.
- the length of the encrypted payload part is usually different from the length of the payload part before encryption. If the length information recorded in the protocol header were inconsistent with the length of the payload part actually received, the encrypted network transport layer data packet transmitted to the other node could be mistaken for illegal data. Therefore, after encrypting the payload part of the network transport layer data packet according to the target encryption rule, the protocol header must be updated according to the encrypted payload part, so that the information recorded in the protocol header of the resulting encrypted network transport layer data packet is consistent with the length of the encrypted payload.
- the encrypted network transport layer data packets are handed over to the kernel, and the encrypted network transport layer data packets are distributed by the kernel.
- the specific processing mode for the network transport layer data packet is as follows: first, select the target decryption rule from the pre-configured decryption rules; then, decrypt the payload part of the network transport layer data packet according to the target decryption rule; then, update the protocol header according to the decrypted payload part to obtain the decrypted network transport layer data packet; finally, hand the decrypted network transport layer data packet over to the kernel, and the kernel distributes it.
- the decryption rules need to correspond to the encryption rules, to ensure that the encrypted network transport layer data packets can be decrypted and the original network transport layer data packets restored.
- the network transport layer data processing method loads and runs, on the user plane, a management program capable of managing eBPF programs, and then uses the management program to pre-register the eBPF program in the kernel; the eBPF program intercepts the network transport layer data packets that the kernel needs to distribute, such as packets being sent out and packets being received, determines the network transport layer data processing method for the packets that need to be distributed, and finally processes the currently intercepted network transport layer data packets according to the determined processing method.
- the entire network transport layer data processing process can be completed by the rewritten eBPF program in the kernel, without the system environment or upper-layer applications changing their own state or participating in the actual processing. This transparency to the system environment and upper-layer applications eliminates the need for additional deployment, configuration, operation and maintenance, and development costs, and also ensures good compatibility between the system environment and upper-layer applications.
- the eBPF program can also cooperate with upper-layer applications to complete data encryption or protection.
- an upper-layer application can intentionally send an illegal data packet. If the corresponding eBPF program is deployed in the receiver's environment (and its parameters are configured correctly), then the eBPF program can handle that illegal data before the receiver's kernel sees it.
- for a node such as node A, no management program need be deployed on the user plane and no eBPF program need be loaded in the kernel.
- for node B, which receives node A's encrypted network transport layer data packets through its upper-layer application, a management program must be deployed on the user plane and an eBPF program registered in the kernel, so that the two cooperate to process the network transport layer data packets.
- the eBPF program is loaded into the kernel by the management program running on the user plane, and the management program can manage the eBPF program. Therefore, in practical applications, if the eBPF program running in the kernel receives a configuration information update instruction issued by the management program on the user plane, it updates the pre-configured configuration information according to that instruction, that is, the configuration information in the configuration information mapping table, which may be any one or more of the encryption and decryption conditions, the encryption rules, and the decryption rules.
- the dynamic update of the eBPF program running in the kernel is realized, so that the eBPF program running in the kernel can better adapt to the actual data processing requirements of the network transport layer.
- FIG. 6 is a flow chart of a method for processing network transport layer data provided by an embodiment of the present application.
- the method is mainly applied to an eBPF program running on a kernel.
- the network transport layer data processing method provided in this embodiment includes the following steps:
- Step 601 acquiring network transport layer data packets to be distributed.
- step 601 in this embodiment is substantially the same as step 501 in the embodiment shown in FIG. 5, and will not be repeated here.
- Step 602 analyzing the network transport layer data packet to determine whether the network transport layer data packet needs to be processed.
- whether the current network transport layer data packet that needs to be distributed requires encryption or decryption can be determined according to the identification information carried in the protocol header of the parsed packet.
- if the network transport layer data packet needs to be processed, go to step 603 to determine the specific network transport layer data processing method to be performed on it.
- if the network transport layer data packet does not need to be processed, go directly to step 610, that is, hand the intercepted network transport layer data packet over to the kernel, and the kernel distributes it.
- Step 603 determine whether the network transport layer data packet is a network transport layer data packet to be sent or a received network transport layer data packet.
- if the network transport layer data packet is one that needs to be sent out to another node, the network transport layer data processing to be performed is encryption processing.
- if the network transport layer data packet needs to be fed back by the kernel to the upper-layer application, that is, the application program located on the user plane, or in other words the packet is one received by the kernel from another node, the network transport layer data processing to be performed is decryption processing.
- if it is determined that the network transport layer data packet is one that needs to be sent, go to step 603.
- it is determined that the network transport layer data packet is the received network transport layer data packet go to step 607 .
- Step 604 encrypt the payload part of the network transport layer data packet.
- Step 605 updating the protocol header of the network transport layer data packet.
- Step 606 hand over the encrypted network transport layer data packet to the kernel, and the kernel distributes the encrypted network transport layer data packet.
- Step 607 decrypt the payload part of the network transport layer data packet.
- Step 608 updating the protocol header of the network transport layer data packet.
- Step 609 hand over the decrypted network transport layer data packet to the kernel, and the kernel distributes the decrypted network transport layer data packet.
- Step 610 hand over the network transport layer data packets to the kernel, and the kernel distributes the network transport layer data packets.
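The following is an added example, not code from the patent, that models steps 602 to 610 above (and the FIG. 7 encrypt/decrypt functions described later) in portable user-space C so the decision and header-update logic can be exercised without a kernel. It assumes a one-entry rule (`struct rule`, standing in for a BPF MAP entry: TCP port 1080 from the page, a constructed key), a constructed IPv4/TCP packet between 10.0.0.1 and 10.0.0.2, and RC4 as the cipher because the page names it; RC4 keeps the payload length, so here the header update only changes the checksums, but `update_headers` takes the new payload length and would equally handle a cipher that adds padding or a tag. All function names are the example's own.

```c
/* Added example (not the patent's code): user-space model of the TC eBPF
 * encrypt/decrypt path. Parses IPv4/TCP, matches a port rule standing in for a
 * BPF MAP entry, runs RC4 (weak, used only because the page names it) over the
 * TCP payload, then rewrites the IP total length and both checksums. */
#include <stdint.h>
#include <string.h>

#define IP_HLEN 20   /* IPv4 header, no options */
#define TCP_HLEN 20  /* TCP header, no options */
enum action { PASS = 0, ENCRYPT = 1, DECRYPT = 2 };
struct rule { uint16_t tcp_port; uint8_t key[16]; size_t keylen; }; /* constructed MAP entry */

/* RC4 keystream XOR: one call both encrypts and decrypts. */
static void rc4(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len) {
    uint8_t S[256], t; int i, j; size_t n;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0, j = 0; i < 256; i++) {                 /* key scheduling */
        j = (j + S[i] + key[i % keylen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = j = 0, n = 0; n < len; n++) {             /* keystream generation */
        i = (i + 1) & 0xff; j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        buf[n] ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* RFC 1071 one's-complement sum and fold. */
static uint32_t csum_add(uint32_t s, const uint8_t *p, size_t len) {
    for (; len > 1; len -= 2, p += 2) s += (uint32_t)((p[0] << 8) | p[1]);
    return len ? s + (uint32_t)(p[0] << 8) : s;
}
static uint16_t csum_fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* TCP pseudo-header (src, dst, zero, protocol, TCP length) plus segment. */
static uint32_t tcp_sum(const uint8_t *ip, uint16_t tcplen) {
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8); ph[8] = 0; ph[9] = ip[9];
    ph[10] = tcplen >> 8; ph[11] = tcplen & 0xff;
    return csum_add(csum_add(0, ph, 12), ip + IP_HLEN, tcplen);
}
/* Steps 605/608: IP total length, IP checksum and TCP checksum for the new payload. */
static void update_headers(uint8_t *pkt, size_t plen) {
    uint16_t tot = (uint16_t)(IP_HLEN + TCP_HLEN + plen), c;
    pkt[2] = tot >> 8; pkt[3] = tot & 0xff;
    pkt[10] = pkt[11] = 0;
    c = csum_fold(csum_add(0, pkt, IP_HLEN));
    pkt[10] = c >> 8; pkt[11] = c & 0xff;
    pkt[IP_HLEN + 16] = pkt[IP_HLEN + 17] = 0;
    c = csum_fold(tcp_sum(pkt, (uint16_t)(TCP_HLEN + plen)));
    pkt[IP_HLEN + 16] = c >> 8; pkt[IP_HLEN + 17] = c & 0xff;
}
/* Receiver-side check: a valid TCP checksum folds to zero. */
static int tcp_checksum_ok(const uint8_t *pkt) {
    uint16_t tot = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return csum_fold(tcp_sum(pkt, (uint16_t)(tot - IP_HLEN))) == 0;
}

/* Steps 602/603: PASS, ENCRYPT on egress or DECRYPT on ingress. */
static enum action decide(const uint8_t *pkt, size_t len, int egress, const struct rule *r) {
    if (len < IP_HLEN + TCP_HLEN || pkt[0] != 0x45) return PASS;    /* IPv4, no options */
    if (pkt[9] != 6 || (pkt[IP_HLEN + 12] >> 4) != 5) return PASS;  /* TCP, no options */
    uint16_t sport = (uint16_t)((pkt[IP_HLEN] << 8) | pkt[IP_HLEN + 1]);
    uint16_t dport = (uint16_t)((pkt[IP_HLEN + 2] << 8) | pkt[IP_HLEN + 3]);
    if (sport != r->tcp_port && dport != r->tcp_port) return PASS;   /* step 610 */
    return egress ? ENCRYPT : DECRYPT;
}
/* Steps 604-609: transform the payload in place, then repair the headers. */
static enum action process_packet(uint8_t *pkt, size_t len, int egress, const struct rule *r) {
    enum action a = decide(pkt, len, egress, r);
    if (a != PASS) {
        size_t plen = len - IP_HLEN - TCP_HLEN;
        rc4(r->key, r->keylen, pkt + IP_HLEN + TCP_HLEN, plen);
        update_headers(pkt, plen);
    }
    return a;
}

/* Constructed sample 10.0.0.1:40000 -> 10.0.0.2:1080 (PSH/ACK), as the kernel would hand it over. */
static size_t build_packet(uint8_t *out, const char *payload) {
    static const uint8_t ip[IP_HLEN] = {0x45,0,0,0, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2};
    static const uint8_t tcp[TCP_HLEN] = {0x9c,0x40, 0x04,0x38, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0xff,0xff, 0,0, 0,0};
    size_t plen = strlen(payload);
    memcpy(out, ip, IP_HLEN); memcpy(out + IP_HLEN, tcp, TCP_HLEN);
    memcpy(out + IP_HLEN + TCP_HLEN, payload, plen);
    update_headers(out, plen);
    return IP_HLEN + TCP_HLEN + plen;
}
/* Round trip: egress on node A, ingress on node B. Returns 0 on success, else the failing step. */
static int selftest(void) {
    struct rule r = { 1080, "example-key-001", 15 };   /* constructed key, not from the page */
    uint8_t pkt[128], orig[128];
    size_t n = build_packet(pkt, "hello from node A");
    memcpy(orig, pkt, n);
    if (!tcp_checksum_ok(pkt)) return 1;
    if (process_packet(pkt, n, 1, &r) != ENCRYPT) return 2;
    if (!tcp_checksum_ok(pkt) || memcmp(pkt + 40, orig + 40, n - 40) == 0) return 3;
    if (process_packet(pkt, n, 0, &r) != DECRYPT || memcmp(pkt, orig, n) != 0) return 4;
    r.tcp_port = 2222;                                  /* no matching rule: step 610 */
    if (process_packet(pkt, n, 1, &r) != PASS || memcmp(pkt, orig, n) != 0) return 5;
    return 0;
}
```

`selftest` walks the FIG. 6 flow once in each direction: the egress call must leave a packet whose TCP checksum still validates (otherwise the peer's kernel would discard it as corrupt, which is exactly the failure L249 warns about), and the ingress call must restore the original bytes. In a real TC program the same `decide`/`update_headers` logic would operate on the skb data pointers and the rule would be looked up in a BPF MAP populated by the management program.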
- the network transport layer data processing method provided by this embodiment, by using the eBPF program, avoids the intrusive impact that traditional network transport layer encryption protocols have on the system environment and upper-layer applications, provides more flexible and powerful data transmission encryption and protection functions, and offers better isolation and assurance in terms of security.
- eBPF technology supports a variety of program types, and different types of programs are suitable for different purposes.
- the type that is more suitable for implementing the transmission encryption function is traffic control (Traffic Control, TC). Therefore, the eBPF program for encrypting or decrypting network transport layer data packets mentioned in this embodiment is specifically a TC-type eBPF program.
- a TC-type program can directly intercept the processing entry and exit of network transport layer data packets in the Linux kernel.
- the TC program can directly access the memory buffer area that caches the original network transport layer data packet; according to the memory buffer address corresponding to the original packet, it obtains the packet to be processed from the buffer, performs the corresponding network transport layer data processing operations on it, and, after completing them, hands the packet over to the kernel for distribution.
- the specific implementation and configuration logic of data encryption and decryption can be integrated into a software and hardware unit, so that network transport layer data encryption and decryption can be completed without the system environment or upper-layer applications knowing any of the details.
- since an eBPF program can be dynamically loaded into and unloaded from the kernel at runtime, the network transport layer data processing method provided in this embodiment can activate or deactivate the encryption and decryption function at runtime, or dynamically replace the encryption algorithm and configuration data, while the operating system and upper-layer applications remain unaware of these changes in behaviour.
- the TC-type eBPF program used in this embodiment is chosen based on the current state of eBPF technology. If other suitable types appear as eBPF technology continues to evolve rapidly, the method of this embodiment can still be implemented with them. That is, the use of TC-type eBPF programs to implement network transmission data processing in this embodiment is only a specific implementation manner and does not limit the technical solution provided by this embodiment itself.
- FIG. 7 and FIG. 8 illustrate network transport layer data processing based on the cooperation of the management program and the eBPF program, specifically the encryption and decryption process.
- the receiver of the network transport layer data packet (hereinafter referred to as the data receiver) and the sender of the network transport layer data packet (hereinafter referred to as the data sender) must both use a Linux system, the kernel version must be greater than 4.3, and eBPF-related functions must be enabled.
- the two parties of data communication that is, the data sender and the data receiver need to use a standard network transport layer protocol stack, such as IP, TCP/UDP communication.
- the management program running on the user plane and the eBPF program running in the kernel can be packaged in a software package (SDK) for distribution and deployment in software form, or can be packaged into portable hardware for distribution and deployment in the form of a hardware unit.
- the network cards of some mainstream manufacturers currently on the market already support the direct loading and running of eBPF programs.
- Figure 7 is a schematic diagram of fully transparent transmission encryption between node A and node B, that is, the application program (upper-layer application) on the user plane does not participate in encryption and decryption, and the entire transmission encryption process is not perceived by the system environment or the upper-layer applications of node A and node B.
- the upper-layer application communicates with another remote application using the TCP protocol on port 1080, such as node A and node B in Figure 7; the network devices of node A and node B are both eth0; the file name of the eBPF program is eBPF.elf;
- the function responsible for encryption in the eBPF program is named encrypt; the function responsible for decryption in the eBPF program is named decrypt.
- the management program needs to run on node A and node B, and loads the eBPF program (specifically, the encryption function and the decryption function in the eBPF program) through the following command:
- both the kernel of node A and the kernel of node B will call the encrypt function in the previously mounted eBPF program when sending network transport layer packets (egress) to eth0, and pass the raw kernel data buffer (struct sk_buff, skb for short) pointer to the function.
- IP protocol analysis (parsing and stripping the IP header) is performed on the payload part; if the payload protocol indicated by the IP header is not TCP, processing ends directly, that is, go to step (10).
- when the kernel of node A or the kernel of node B receives a network transport layer data packet (ingress) from eth0, it calls the decrypt function in the previously mounted eBPF program, and passes the raw data buffer (sk_buff, skb for short) pointer to the function.
- TCP protocol analysis (parsing and stripping the TCP header) is performed on the payload part; if its format is correct, the data is not encrypted, processing ends directly, and step (9) is entered.
- the BPF MAP is the configuration information mapping table.
- the management program is also responsible for the following work: passing necessary parameters to the encrypt function and decrypt function through the BPF MAP, such as RC4 encryption algorithm parameters and the TCP port number; reading and summarizing, through the BPF MAP, the statistical data recorded by the encrypt function and decrypt function at runtime, such as the total number of encrypted/decrypted packets and the number of successes/failures; and, through a command-line interface (or other forms, such as RESTful), letting the user manage and query the operating parameters of the eBPF program, such as four-tuple information (port number, address, etc.), and its operating status, such as the number of successful encryptions/decryptions and how much illegal or legal data has been detected.
- the upper-layer application does not participate in the encryption and decryption process of the network transmission layer, so it is completely unaware of the algorithm, parameters, timing and other details adopted by the underlying transmission encryption system. Encryption and decryption are not considered when receiving network data, and all are processed in plain text format. In this way, the upper-layer application can realize the encryption and decryption of network transport layer data without any operation or configuration modification, and the upper-layer application knows nothing about the details of the encryption process. Even if it is compromised by an attacker, it cannot understand the actual details of the encryption and decryption process.
- Figure 8 is a schematic diagram of implementing joint encryption with upper-layer applications between node A and node B, that is, the application program located on the user plane participates, together with the eBPF program running in the kernel, in the encryption or decryption of the network transport layer data packets that need to be distributed.
- the upper-layer applications will cooperate with the encryption system to complete the encryption and decryption process of the transmitted data.
- there are many ways to cooperate with the encryption system, such as:
- Method 1: The application program is responsible for encrypting the sent data, and the peer eBPF program is responsible for decrypting the received data.
- Method 2: The application program is responsible for decrypting the received data, and the peer eBPF program is responsible for encrypting the sent data.
- Method 3: The application program is responsible for encrypting and decrypting the sent and received data, and the eBPF program is responsible for scrambling and descrambling the encrypted data when it is sent and received; that is, the eBPF program performs a secondary encryption and decryption on data already encrypted or decrypted by the upper-layer application.
- both node A and node B need to deploy a management program and an eBPF program, and both eBPF programs support the call of the encrypt function and the decrypt function.
- its general implementation is similar to the description of FIG. 7, except that encryption and decryption operations are added to the application program on the user plane.
- on the sending side, the application program uses a preset encryption algorithm, such as an asymmetric encryption algorithm, to encrypt the data to be sent; on the receiving side, a management program is deployed on the user plane, and an eBPF program for decryption is loaded into the kernel.
- This method is especially suitable for scenarios with the following characteristics or requirements: the application at the data sending end is completely controlled (code and configuration can be modified); the data transmission channel is untrusted and uncontrolled; the application at the data receiving end is not controlled (code or configuration cannot be modified); the network configuration of the environments where the sending end and the receiving end are located cannot or cannot conveniently be modified; only the sent data is required to be encrypted, and the response data sent back by the remote end is not required to be encrypted.
- the upper-layer application communicates with another remote application using the TCP protocol on port 1080, such as node A and node B in Figure 8; the network devices of node A and node B are both eth0; the user plane of node B runs a management program, the kernel of node B runs an eBPF program, the file name of the eBPF program is eBPF.elf, the eBPF program is only responsible for decryption, and the function responsible for decryption is named decrypt.
- the upper-layer application uses an asymmetric encryption algorithm (such as the X25519 elliptic curve algorithm or other similar algorithms), encrypts the TCP payload data to be sent with the public key, and then sends it.
- no management program needs to reside on node A, and node A does not need to load any eBPF program.
- on node B, the management program needs to reside on the user plane and the eBPF program needs to reside in the kernel; the management program on node B loads the eBPF program (specifically, the decryption function in the eBPF program) through the following command: `tc filter add dev eth0 ingress bpf da obj eBPF.elf sec decrypt`.
- after the above loading command has been executed, if the kernel of node B receives from eth0 a network transport layer data packet (ingress) sent by node A, it calls the decrypt function in the previously mounted eBPF program and passes the skb pointer to the function.
- the decryption method used by the eBPF program for decryption needs to correspond to the encryption method adopted by the application program in node A.
- the eBPF program in the kernel is used to complete the decryption of the network transport layer data packet.
- the decrypt function also needs to perform the following operations: obtain the necessary parameters passed by the management program from the specified BPF MAP, such as X25519 encryption algorithm parameters, the private key, and the TCP port number; and record runtime statistics into the specified BPF MAP, such as the total number of encrypted/decrypted packets and the number of successes/failures.
- the management program running on the user plane of node B is also responsible for the following tasks: passing the necessary parameters to the decrypt function through the BPF MAP, such as X25519 encryption algorithm parameters, the private key, and the TCP port number; reading and summarizing, through the BPF MAP, the statistical data recorded by the decrypt function at runtime, such as the total number of decrypted packets and the number of successes/failures; and, through a command-line (or other form, such as RESTful) interface, allowing users to manage and query the running parameters and running status of the eBPF program.
- the network transport layer data processing method provided by this embodiment can realize network transport layer communication encryption without the system environment configuration or upper-layer applications being aware of it, so it has a lower deployment cost and good compatibility with the environment and applications.
- the encryption algorithm, parameters, and activation switch can be changed at any time during operation, and the upper-layer application can also choose to cooperate with the system to realize a custom joint encryption protection mechanism, so it has good flexibility and scalability.
- the method is also guaranteed in terms of security and performance.
- FIG. 9 is a schematic structural diagram of a network transport layer data processing device provided by an embodiment of the present application.
- the network transport layer data processing device includes: at least one processor 901 ; and a memory 902 communicatively connected to the at least one processor.
- the network transport layer data processing device also includes a management program running on the user plane and an eBPF program running in the kernel.
- the management program is used to load, or register, the eBPF program into the kernel of the environment in which it resides, so that the eBPF program can run in the kernel.
- the memory 902 stores instructions executable by the at least one processor 901, and the instructions are executed by the at least one processor 901 so that the at least one processor 901 can execute the network transport layer data processing method described in the method embodiment applied to the management program, or the network transport layer data processing method described in the method embodiment applied to the eBPF program.
- the memory 902 and the processor 901 are connected by a bus, and the bus may include any number of interconnected buses and bridges, and the bus connects one or more processors 901 and various circuits of the memory 902 together.
- the bus may also connect together various other circuits such as peripherals, voltage regulators, and power management circuits, all of which are well known in the art and therefore will not be further described herein.
- the bus interface provides an interface between the bus and the transceivers.
- a transceiver may be a single element or multiple elements, such as multiple receivers and transmitters, providing means for communicating with various other devices over a transmission medium.
- the data processed by the processor 901 is transmitted on the wireless medium through the antenna, and further, the antenna also receives the data and transmits the data to the processor 901 .
- Processor 901 is responsible for managing the bus and general processing, and may also provide various functions, including timing, peripheral interface, voltage regulation, power management, and other control functions. And the memory 902 may be used to store data used by the processor 901 when performing operations.
- the embodiment of the present application also relates to a computer-readable storage medium storing a computer program.
- the computer program is executed by the processor, the network transport layer data processing method described in the above method embodiments is implemented.
- a storage medium includes several instructions to make a device (which may be a single-chip microcomputer, a chip, etc.) or a processor execute all or part of the steps of the methods described in the various embodiments of the present application.
- the aforementioned storage media include: a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk, an optical disc, or any other medium that can store program code.
Claims (11)
- 1. A network transport layer data processing method, applied to an extended Berkeley Packet Filter (eBPF) program running in the kernel, the network transport layer data processing method comprising: acquiring a network transport layer data packet that needs to be distributed; parsing the network transport layer data packet and determining the network transport layer data processing mode that needs to be applied to it; and processing the network transport layer data packet according to that network transport layer data processing mode.
- 2. The network transport layer data processing method according to claim 1, wherein parsing the network transport layer data packet and determining the network transport layer data processing mode that needs to be applied to it comprises: parsing the network transport layer data packet and extracting its protocol header; judging, from the protocol header and a pre-configured encryption/decryption condition, whether the network transport layer data packet needs to be encrypted or decrypted, the encryption/decryption condition being provided by a management program running in the user plane; if the network transport layer data packet needs to be encrypted, determining that the network transport layer data processing mode to be applied to the network data is an encryption processing mode; and if the network transport layer data packet needs to be decrypted, determining that the network transport layer data processing mode to be applied to the network data is a decryption processing mode.
- 3. The network transport layer data processing method according to claim 2, wherein the network transport layer data processing mode is the encryption processing mode, and processing the network transport layer data packet according to the network transport layer data processing mode comprises: selecting a target encryption rule from pre-configured encryption rules, the encryption rules being provided by the management program; encrypting the payload portion of the network transport layer data packet according to the target encryption rule; updating the protocol header according to the encrypted payload portion to obtain the encrypted network transport layer data packet; and handing the encrypted network transport layer data packet over to the kernel, which distributes the encrypted network transport layer data packet.
- 4. The network transport layer data processing method according to claim 2, wherein the network transport layer data processing mode is the decryption processing mode, and processing the network transport layer data packet according to the network transport layer data processing mode comprises: selecting a target decryption rule from pre-configured decryption rules, the decryption rules being provided by the management program; decrypting the payload portion of the network transport layer data packet according to the target decryption rule; updating the protocol header according to the decrypted payload portion to obtain the decrypted network transport layer data packet; and handing the decrypted network transport layer data packet over to the kernel, which distributes the decrypted network transport layer data packet.
- 5. The network transport layer data processing method according to any one of claims 1 to 4, further comprising: receiving a configuration information update instruction issued by the management program running in the user plane; and updating the pre-configured configuration information according to the configuration information update instruction, the configuration information comprising any one or more of the encryption/decryption condition, the encryption rules and the decryption rules.
- 6. A network transport layer data processing method, applied to a management program running in the user plane, the network transport layer data processing method comprising: after the management program has started, monitoring whether an operation instruction directed at an eBPF program running in the kernel and/or statistical data gathered by the eBPF program on the processing of network transport layer data packets has been received; if an operation instruction directed at the eBPF program is received, handling the eBPF program according to the operation instruction; and if statistical data gathered by the eBPF program on the processing of network transport layer data packets is received, processing the statistical data.
- 7. The network transport layer data processing method according to claim 6, wherein the operation instruction is a configuration information update instruction, an eBPF program replacement instruction or an eBPF program unload instruction, and handling the eBPF program according to the operation instruction comprises: when the operation instruction is the configuration information update instruction, extracting the configuration information to be updated from the configuration information update instruction and updating the configuration information mapping table corresponding to the eBPF program according to the extracted configuration information; when the operation instruction is the eBPF program replacement instruction, extracting the replacement eBPF program from the eBPF program replacement instruction, registering the replacement eBPF program in the kernel and, after the replacement eBPF program has been registered in the kernel, unloading the eBPF program running in the kernel; and when the operation instruction is the eBPF program unload instruction, unloading the eBPF program running in the kernel.
- 8. The network transport layer data processing method according to claim 6 or 7, wherein processing the statistical data, if statistical data gathered by the eBPF program on the processing of network transport layer data packets is received, comprises: storing the statistical data in a preset storage area and/or displaying it in a preset form.
- 9. The network transport layer data processing method according to any one of claims 6 to 8, wherein, after the management program has started and before monitoring whether an operation instruction directed at the eBPF program running in the kernel and/or statistical data gathered by the eBPF program on the processing of network transport layer data packets has been received, the method further comprises: reading configuration information from a preset address, the configuration information comprising any one or more of an encryption/decryption condition, encryption rules and decryption rules; checking the integrity of the eBPF program to be registered in the kernel and of the configuration information; if both the eBPF program and the configuration information are intact, registering the eBPF program in the kernel so that the eBPF program runs in the kernel; and configuring the configuration information into the configuration information mapping table corresponding to the eBPF program.
- 10. A network transport layer data processing device, comprising: a management program running in the user plane and an eBPF program running in the kernel; at least one processor; and a memory communicatively connected to the at least one processor; wherein the management program is configured to load the eBPF program into the kernel of the environment in which it resides so that the eBPF program runs in the kernel, and the memory stores instructions executable by the at least one processor which, when executed by the at least one processor, enable the at least one processor to perform the network transport layer data processing method according to any one of claims 1 to 5 or the network transport layer data processing method according to any one of claims 6 to 9.
- 11. A computer-readable storage medium storing a computer program which, when executed by a processor, implements the network transport layer data processing method according to any one of claims 1 to 5 or the network transport layer data processing method according to any one of claims 6 to 9.
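The per-packet path of claims 1 to 5, as an added worked example that is not part of this application or of any implementation behind it: a user-space C model in which `decide` plays the role of claim 2 (extract the transport header, compare it with the condition the manager configured, choose encrypt, decrypt or pass), `process_udp` plays the role of claims 3 and 4 (transform the payload under the selected rule, then update the header before the kernel distributes the datagram), and the `rule` array stands in for the configuration mapping table of claims 5, 7 and 9. Everything the claims do not specify is an assumption made here: IPv4 UDP only, a destination/source port match as the encryption/decryption condition, ChaCha20 from RFC 8439 as the cipher a rule selects, a constructed key with a zero nonce, and constructed traffic between 10.0.0.1 and 10.0.0.2. It is ordinary C compiled for user space, not an eBPF program, and the statistics reporting and the manager's load, replace and unload handling of claims 6 to 9 are not modelled.

```c
/* Added example, not the patent's code: a user-space C model of the per-packet path of claims 1 to 5.
 * Assumed here: IPv4 UDP only, a port match as the encryption/decryption condition, a rule table
 * standing in for the eBPF map the manager fills, and ChaCha20 (RFC 8439) as the rule's cipher. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum action { ACT_PASS = 0, ACT_ENCRYPT = 1, ACT_DECRYPT = 2 };

struct rule {                /* one map entry as the user-plane manager would configure it (claims 2, 3, 5) */
    uint16_t match_dport;    /* datagrams sent to this port take the encrypt path (assumed condition) */
    uint16_t match_sport;    /* datagrams arriving from this port take the decrypt path (assumed) */
    uint8_t  key[32], nonce[12];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

#define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))          /* ChaCha20, RFC 8439 section 2.3 */
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
                        a += b, d ^= a, d = ROTL(d, 8),  c += d, b ^= c, b = ROTL(b, 7))
static void chacha20_block(const uint8_t key[32], const uint8_t nonce[12], uint32_t ctr, uint8_t out[64]) {
    uint32_t s[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }, x[16];
    for (int i = 0; i < 8; i++) s[4 + i] = le32(key + 4 * i);
    s[12] = ctr; for (int i = 0; i < 3; i++) s[13 + i] = le32(nonce + 4 * i);
    memcpy(x, s, sizeof x);
    for (int i = 0; i < 10; i++) {                       /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);  QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]); QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 16; i++) {
        uint32_t v = x[i] + s[i];
        out[4 * i] = v; out[4 * i + 1] = v >> 8; out[4 * i + 2] = v >> 16; out[4 * i + 3] = v >> 24;
    }
}
/* XOR buf with the keystream; one routine serves the encrypt (claim 3) and the decrypt (claim 4) path. */
static void chacha20_xor(const struct rule *r, uint8_t *buf, size_t n) {
    uint8_t ks[64];
    for (size_t off = 0, ctr = 1; off < n; off += 64, ctr++) {
        chacha20_block(r->key, r->nonce, (uint32_t)ctr, ks);
        for (size_t i = 0; i < 64 && off + i < n; i++) buf[off + i] ^= ks[i];
    }
}
/* IPv4 UDP checksum over pseudo-header plus datagram, skipping the checksum field itself. */
static uint16_t udp_checksum(const uint8_t saddr[4], const uint8_t daddr[4], const uint8_t *udp, size_t len) {
    uint32_t sum = 17 + (uint32_t)len;                   /* protocol number and UDP length */
    for (int i = 0; i < 4; i += 2) sum += be16(saddr + i) + be16(daddr + i);
    for (size_t i = 0; i + 1 < len; i += 2) if (i != 6) sum += be16(udp + i);
    if (len & 1) sum += (uint32_t)udp[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    uint16_t c = (uint16_t)~sum; return c ? c : 0xffff;  /* an all-zero field would mean "no checksum" */
}
/* Claim 2: extract the header and decide, from it and the configured condition, what to do. */
static enum action decide(const uint8_t *pkt, size_t len, const struct rule *rules, size_t n, size_t *idx) {
    if (len < 8 || (size_t)be16(pkt + 4) != len) return ACT_PASS;  /* truncated or inconsistent: hands off */
    uint16_t sport = be16(pkt), dport = be16(pkt + 2);
    for (size_t i = 0; i < n; i++) {
        if (dport == rules[i].match_dport) { *idx = i; return ACT_ENCRYPT; }
        if (sport == rules[i].match_sport) { *idx = i; return ACT_DECRYPT; }
    }
    return ACT_PASS;
}
/* Claims 3 and 4: transform the payload under the selected rule, then refresh the header (UDP checksum). */
static enum action process_udp(const uint8_t saddr[4], const uint8_t daddr[4], uint8_t *pkt, size_t len,
                               const struct rule *rules, size_t n) {
    size_t idx = 0;
    enum action a = decide(pkt, len, rules, n, &idx);
    if (a == ACT_PASS) return a;
    chacha20_xor(&rules[idx], pkt + 8, len - 8);
    uint16_t c = udp_checksum(saddr, daddr, pkt, len);
    pkt[6] = (uint8_t)(c >> 8); pkt[7] = (uint8_t)c;
    return a;
}
/* RFC 8439 section 2.3.2 vector: key 00..1f, nonce 00000009 0000004a 00000000, counter 1. */
static int chacha20_selftest(void) {
    uint8_t key[32], nonce[12] = { 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0 }, out[64];
    const uint8_t want[8] = { 0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15 };
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, nonce, 1, out); return memcmp(out, want, sizeof want) == 0;
}
/* Constructed traffic: a rule for port 9000, a datagram sent to it (encrypt path), then the same datagram
 * as the peer sees it with the ports swapped (decrypt path). Returns 1 if both paths behave. */
static int demo_roundtrip(void) {
    struct rule rules[1] = { { .match_dport = 9000, .match_sport = 9000 } };   /* zero nonce: demo only */
    for (int i = 0; i < 32; i++) rules[0].key[i] = (uint8_t)(0xa0 + i);        /* constructed key */
    const uint8_t a[4] = { 10, 0, 0, 1 }, b[4] = { 10, 0, 0, 2 };
    const char *msg = "constructed payload"; size_t len = 8 + strlen(msg);
    uint8_t pkt[64] = { 40000 >> 8, 40000 & 0xff, 9000 >> 8, 9000 & 0xff };
    pkt[4] = (uint8_t)(len >> 8); pkt[5] = (uint8_t)len; memcpy(pkt + 8, msg, strlen(msg));
    int ok = process_udp(a, b, pkt, len, rules, 1) == ACT_ENCRYPT;
    ok &= memcmp(pkt + 8, msg, strlen(msg)) != 0;                          /* no longer plaintext */
    ok &= be16(pkt + 6) == udp_checksum(a, b, pkt, len);                    /* header refreshed */
    pkt[0] = 9000 >> 8; pkt[1] = 9000 & 0xff; pkt[2] = 40000 >> 8; pkt[3] = 40000 & 0xff;
    ok &= process_udp(b, a, pkt, len, rules, 1) == ACT_DECRYPT;
    ok &= memcmp(pkt + 8, msg, strlen(msg)) == 0;                          /* plaintext restored */
    return ok;
}

int main(void) {
    int ok = chacha20_selftest() && demo_roundtrip();
    printf("chacha20 self-test and encrypt/decrypt round trip: %s\n", ok ? "ok" : "FAIL");
    return !ok;
}
```

Two points a practitioner would check before carrying this into a real eBPF program. First, the claims speak only of encryption and decryption; a stream cipher applied to the payload gives no integrity, so an attacker who flips ciphertext bits flips plaintext bits undetected, and a deployed rule would select an AEAD (or add a MAC), with the header update then having to account for the tag length as well as the checksum. Second, the "update the protocol header" step is where in-kernel implementations go wrong: a TC program rewrites through helpers such as bpf_skb_store_bytes and bpf_l4_csum_replace, an XDP program writes directly but only after bounds checks the verifier can see, so the length guard in `decide` is the kind of check the verifier insists on, not just defensive style. The zero nonce is acceptable only because the demo handles one datagram; under a given key every datagram needs a distinct nonce, since repeating one leaks the XOR of two payloads.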
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP22819245.6A EP4354285A1 (en) | 2021-06-11 | 2022-04-29 | Network transport layer data processing method, and device and storage medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110655627.0A CN115473660A (zh) | 2021-06-11 | 2021-06-11 | Network transport layer data processing method, device and storage medium |
CN202110655627.0 | 2021-06-11 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022257643A1 (zh) | 2022-12-15 |
Family
ID=84365362
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/090383 WO2022257643A1 (zh) | 2021-06-11 | 2022-04-29 | Network transport layer data processing method, device and storage medium |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP4354285A1 (zh) |
CN (1) | CN115473660A (zh) |
WO (1) | WO2022257643A1 (zh) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190173841A1 (en) * | 2017-12-06 | 2019-06-06 | Nicira, Inc. | Load balancing ipsec tunnel processing with extended berkeley packet filer (ebpf) |
CN110352400A (zh) * | 2017-03-08 | 2019-10-18 | 华为技术有限公司 | Method and apparatus for processing packets |
CN111580931A (zh) * | 2020-05-10 | 2020-08-25 | 江苏省互联网行业管理服务中心 | Matching rule engine supporting combined expressions over multiple protocol variables |
CN112817597A (zh) * | 2021-01-12 | 2021-05-18 | 山东兆物网络技术股份有限公司 | Method for implementing an eBPF-based software container running in user space |
CN112860484A (zh) * | 2021-01-29 | 2021-05-28 | 深信服科技股份有限公司 | Container runtime anomalous behaviour detection, model training method and related apparatus |
- 2021
  - 2021-06-11 CN CN202110655627.0A patent/CN115473660A/zh active Pending
- 2022
  - 2022-04-29 WO PCT/CN2022/090383 patent/WO2022257643A1/zh active Application Filing
  - 2022-04-29 EP EP22819245.6A patent/EP4354285A1/en active Pending
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116016702A (zh) * | 2022-12-26 | 2023-04-25 | 浪潮云信息技术股份公司 | Application observability data collection and processing method, apparatus and medium |
CN117544506A (zh) * | 2023-11-09 | 2024-02-09 | 北京中电汇通科技有限公司 | Container cloud DNS performance optimization method based on eBPF technology |
CN117544506B (zh) * | 2023-11-09 | 2024-05-24 | 北京中电汇通科技有限公司 | Container cloud DNS performance optimization method based on eBPF technology |
CN117857646A (zh) * | 2024-02-28 | 2024-04-09 | 荣耀终端有限公司 | Data network sharing method, electronic device and storage medium |
Also Published As
Publication number | Publication date |
---|---|
EP4354285A1 (en) | 2024-04-17 |
CN115473660A (zh) | 2022-12-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2022257643A1 (zh) | Network transport layer data processing method, device and storage medium | |
US10250571B2 (en) | Systems and methods for offloading IPSEC processing to an embedded networking device | |
CN111480328B (zh) | Offloading communication security operations to a network interface controller | |
EP1427164B1 (en) | Tagging mechanism for data path security processing | |
US7587587B2 (en) | Data path security processing | |
CN1926839B (zh) | Two parallel engines for high-speed transmit IPsec processing | |
US8826003B2 (en) | Network node with network-attached stateless security offload device employing out-of-band processing | |
US8418244B2 (en) | Instant communication with TLS VPN tunnel management | |
CN104935593A (zh) | Data packet transmission method and apparatus | |
WO2021207231A1 (en) | Application aware tcp performance tuning on hardware accelerated tcp proxy services | |
US11251972B2 (en) | Remote control of a computing device | |
CN113055269B (zh) | Method and apparatus for transmitting virtual private network data | |
US20170359214A1 (en) | IPSEC Acceleration Method, Apparatus, and System | |
US20130219171A1 (en) | Network node with network-attached stateless security offload device employing in-band processing | |
US20200322158A1 (en) | Method and apparatus for determining trust status of tpm, and storage medium | |
US20080199012A1 (en) | Method for identifying a server device in a network | |
WO2023061158A1 (zh) | Encryption and decryption method, apparatus and computer-readable storage medium | |
US11677727B2 (en) | Low-latency MACsec authentication | |
EP4181431A1 (en) | Service transmission method and apparatus, network device, and storage medium | |
JP2004328359A (ja) | Packet processing device | |
JP2003198530A (ja) | Packet communication device and encryption algorithm setting method | |
US20230403136A1 (en) | Computer and Network Interface Controller Securely Offloading Encryption Keys and Encryption Processing to the Network Interface Controller | |
US11722525B2 (en) | IPsec processing of packets in SoCs | |
WO2024027419A1 (zh) | Packet sending method, apparatus and system | |
US20230308424A1 (en) | Secure Session Resumption using Post-Quantum Cryptography |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22819245; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2023575990; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 18568817; Country of ref document: US |
| WWE | Wipo information: entry into national phase | Ref document number: 2022819245; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2022819245; Country of ref document: EP; Effective date: 20240111 |