
CN105025004B - A dual-stack IPSec VPN device - Google Patents

A dual-stack IPSec VPN device

Info

Publication number: CN105025004B
Authority: CN (China)
Prior art keywords: vpn, outgoing, message, ipsec, security
Legal status: Active
Application number: CN201510307310.2A
Other languages: Chinese (zh)
Other versions: CN105025004A
Inventors: 李冰, 郭安, 朱卫卫, 涂云晶, 刘勇, 陈帅, 董乾, 赵霞, 王刚
Current assignee: Southeast University
Original assignee: Southeast University
Application filed by Southeast University; priority to CN201510307310.2A; published as CN105025004A; application granted and published as CN105025004B; legal status Active.


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/164: Implementing security features at a particular protocol layer at the network layer
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dual-stack IPSec VPN device in the technical field of network communication security. The device comprises a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission mechanism part and a CPU part. Compared with the prior art, the device provides the network security services that VPN technology needs during the transition from IPv4 to IPv6. All packet-stream processing is performed by hardware circuits, and the CPU is used only to maintain the databases and data tables, which suits high-speed network information security applications.

Description

A dual-stack IPSec VPN device

Technical field

The invention relates to the technical field of network communication security, and in particular to a dual-stack IPSec VPN device.

Background

The openness of a network lets any user connect and benefit from it; by the same token, if communication is not protected, the data in transit is readable by any user who joins the network, and the communication has no security at all. With the development of network technology and the rapid rise of new network services, the security requirements for network communication in government, telecommunications, finance and data communication companies have reached an unprecedented level, and the kinds of information these organisations must keep confidential have multiplied. At the same time, the shortage of IPv4 addresses is a serious problem for today's IP networks. The industry agrees that migrating to IPv6 is the most effective way to resolve IPv4 address exhaustion, but the migration in turn disrupts VPN networks that are already deployed. Finally, high-speed networks have become widespread: 10G and 40G links are common, 100G is being deployed in more developed regions, and 400G is moving out of the laboratory and into applications. How to guarantee data security at these rates has become a pressing question.

To address network security, the Internet Engineering Task Force (IETF) proposed a suite of protocols for protecting data at the IP layer: the IPSec protocol. IPSec is a standard, robust and broadly inclusive mechanism. The protocol suite itself specifies a set of default, mandatory-to-implement algorithms so that different IPSec implementations can interoperate, and it protects IP-layer data in both IPv4 and IPv6. That protection includes data origin authentication, data integrity, data confidentiality and anti-replay protection.

Because the migration from IPv4 to IPv6 will remain in progress for a long time, existing transition techniques include dual stack, tunnelling and NAT-PT. With dual stack, the communicating node runs both protocol stacks: it uses the IPv4 stack to talk to IPv4 nodes and the IPv6 stack to talk to IPv6 nodes. Tunnelling lets two IPv6 sites communicate across an IPv4 network and includes a range of manual and automatic tunnel techniques. NAT-PT achieves interworking between IPv4 and IPv6 networks by translating between IPv4 and IPv6 addresses. At present the dual-stack approach is the most mature and the most widely applicable, and it is the mainstream choice of operators worldwide for deploying IPv6.

Combining dual-stack networking, IPSec and VPN technology gives a device a very wide range of application and meets the goals of protocol migration, network security protection and VPN construction at once.

There are three main ways to implement a dual-stack IPSec VPN today: a general-purpose processor running pure software; a general-purpose processor with hardware algorithm accelerators; and an integrated network processor. The first is the most flexible but the slowest and is unsuited to high-speed networks. The second is less flexible, and because the CPU still carries most of the data flow it is likewise unsuited to high-speed networks. The third is moderately flexible: the CPU does not touch the data flow and is used only for configuration and management; the bus architecture is split into three independent buses, one for the CPU and one each for the incoming and outgoing packet streams; and the IPSec protocol is implemented entirely in hardware, giving strong scalability and the highest throughput, which suits high-speed network scenarios.

Summary of the invention

The technical problem addressed by the invention is to overcome the shortcomings of the prior art by providing a dual-stack IPSec VPN device that can deliver security services for next-generation high-speed networks during the IPv4-to-IPv6 transition, with high data processing and transmission efficiency and strong scalability.

The invention adopts the following technical solution to solve the above problem:

A dual-stack IPSec VPN device comprising a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission mechanism part and a CPU part;

the dual-stack VPN processing part handles the two protocol stacks and the VPN header, and comprises an outgoing dual-stack VPN pre-processing module, an outgoing VPN management table and an incoming dual-stack VPN pre-processing module;

the security database construction and lookup part maintains and matches two types of security policy database (IPv4 and IPv6) and one type of security association database, and comprises an outgoing dual-stack security processing module, a packet cache module, an outgoing security database operation interface, an outgoing dual-stack security database module, an incoming dual-stack security processing module, an incoming security database operation interface and an incoming dual-stack security database module;

the security protocol processing part performs IPSec AH and ESP encapsulation and decapsulation and the encryption, decryption and authentication of packets, and comprises an IPSec protocol processing module and an algorithm processing module;

the data stream transmission mechanism part controls the order in which incoming and outgoing data streams pass through the modules and the network communication interfaces: packets leaving the internal network for the external network pass through the outgoing dual-stack security processing module and the outgoing dual-stack VPN pre-processing module, which respectively prepend the security parameters and the VPN parameters to the original packet header; packets entering the internal network from the external network have the VPN header information stripped by the incoming dual-stack VPN pre-processing module, and the stripped packet then passes through the incoming dual-stack security processing module, which prepends the security parameters to the packet header;

the CPU part comprises a CPU and a matching bus architecture, and is used to manage the security databases and the VPN data table and to analyse, where necessary, the transport-layer and higher protocols of the OSI model; it does not intervene in normal packet processing;

wherein the CPU, the incoming security database operation interface, the outgoing VPN management table and the outgoing security database operation interface are interconnected by an on-chip bus; the internal network communication interface is connected to the outgoing dual-stack security processing module through a dual-port buffer; the outgoing dual-stack security processing module is connected to the outgoing security database operation interface and to the packet cache module; the outgoing dual-stack security database module is connected to the outgoing security database operation interface; the outgoing dual-stack security processing module is connected to the outgoing dual-stack VPN pre-processing module through a dual-port buffer; the outgoing dual-stack VPN pre-processing module is connected to the outgoing VPN management table; the outgoing dual-stack VPN pre-processing module is connected to the IPSec protocol processing module through a dual-port buffer; the IPSec protocol processing module is connected to the algorithm processing module through a dual-port buffer; the IPSec protocol processing module is connected to the external network communication interface through a dual-port buffer; the external network communication interface is connected to the incoming dual-stack VPN pre-processing module through a dual-port buffer; the incoming dual-stack VPN pre-processing module is connected to the incoming dual-stack security processing module through a dual-port memory; the incoming dual-stack security processing module is connected to the incoming security database operation interface; the incoming dual-stack security processing module is connected to the IPSec protocol processing module through a dual-port buffer; and the IPSec protocol processing module is connected to the internal network communication interface through a dual-port buffer.

In one preferred embodiment, the outgoing dual-stack security database module comprises an outgoing security policy database storing security policy entries, an outgoing security association database storing outgoing security association entries, and a read/write logic conversion interface for the two databases;

the outgoing security policy database comprises two databases, one each for IPv4 and IPv6: the outgoing IPv4 policy database, used to match policies for IPv4 packet traffic, and the outgoing IPv6 policy database, used to match policies for IPv6 packet traffic;

the outgoing security association database is a storage unit holding security association entries; each entry contains a mode selection field (transport or tunnel mode), a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field indicating whether an encryption IV is required, an encryption key length field, an authentication key length field, a PMTU field, a security parameter index (SPI) field and a sequence number counter field.

In another preferred embodiment, the algorithm processing module comprises an encryption operator, a decryption operator, an authentication operator and an authentication verification operator. In the direction from the internal network to the external network, the input of the encryption operator is connected to the encryption output of the IPSec protocol processing module; the input of the authentication operator is connected to the output of a two-way selector whose two inputs are connected to the authentication output of the IPSec protocol processing module and to the output of the encryption operator respectively (so the integrity check is computed either over the packet as handed over by the IPSec protocol processing module or over the encryption operator's output, i.e. over the ciphertext); and the output of the authentication operator is connected to the authentication result input of the IPSec protocol processing module. In the direction from the external network to the internal network, the input of the authentication verification operator is connected to the verification output of the IPSec protocol processing module; the outputs of the authentication verification operator and of the decryption operator are connected to the two inputs of a two-way selector whose output is connected to the algorithm result input of the IPSec protocol processing module; and the output of the authentication verification operator is also connected to the input of the decryption operator.

Further, the encryption/decryption operators include at least two operators using different encryption/decryption algorithms, and the authentication/verification operators include at least two operators using different authentication algorithms.

In a further preferred embodiment, the IPSec protocol processing module comprises:

an IPSec encapsulation pre-processor, which analyses the security policy and security association information of an outgoing packet, decides whether the packet needs both encryption and authentication or authentication only, and sends the packet to the corresponding operator;

an IPSec encapsulation post-processor, which performs protocol encapsulation on a packet that has been processed by the encryption and/or authentication operators and writes the encapsulated packet into the dual-port buffer leading to the external network communication interface;

an anti-replay protector, which performs anti-replay detection on received incoming packets and applies anti-replay handling according to the result;

an IPSec decapsulation pre-processor, which analyses the security policy and security association information of an incoming packet, decides whether the packet needs both decryption and verification or verification only, and sends the packet to the corresponding operator;

an IPSec decapsulation post-processor, which performs protocol decapsulation on a packet that has been processed by the decryption and/or verification operators and then checks whether the packet's security policy and security association information are valid; if they are not, the packet is discarded, and if they are, the decapsulated packet is written into the dual-port buffer leading to the internal network communication interface;

the IPSec encapsulation pre-processor, IPSec encapsulation post-processor, IPSec decapsulation pre-processor and IPSec decapsulation post-processor work independently and in parallel, have no circuit connection to one another, and are each connected through an independent data path to the operators in the algorithm processing module.
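The anti-replay protector above and the sequence number overflow handling field of the SA are the parts of this pipeline most often implemented incorrectly. The following Python is an added example, not the patent's logic or code: a receiver-side sliding window that is checked before the ICV is verified and updated only after verification succeeds, and a sender-side counter that refuses to wrap when the SA is configured to rekey on overflow. The 64-entry window, the 32-bit sequence number, the truncated HMAC-SHA256 ICV, the key and the packets are assumptions and constructed inputs modelled on RFC 4301 and RFC 4303.

```python
"""Anti-replay window and sequence-number overflow handling for one SA.

Added example, not the patent's own logic. Window size, sequence number width,
the ICV construction and the overflow flag are assumptions based on RFC 4301
and RFC 4303; keys and packets are constructed for this example.
"""
import hashlib
import hmac

WINDOW = 64            # RFC 4303 requires at least 32; 64 is the common choice
SEQ_MAX = 2 ** 32 - 1  # 32-bit sequence number field


def compute_icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the sequence number and the payload (for ESP
    the payload is already encrypted), as the authentication operator would."""
    mac = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256)
    return mac.digest()[:16]


class InboundSa:
    """Receiver state: highest accepted sequence number plus a bitmap of the
    WINDOW most recent numbers (bit i set means top - i has been received)."""

    def __init__(self, key: bytes):
        self.key = key
        self.top = 0
        self.bitmap = 0

    def replay_check(self, seq: int) -> bool:
        """True if seq is new and inside the window. Runs before the ICV check
        so replayed packets cost no MAC computation."""
        if seq == 0:
            return False                  # 0 is never a valid on-the-wire value
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= WINDOW:
            return False                  # older than the window: treated as replay
        return not (self.bitmap >> diff) & 1

    def window_update(self, seq: int) -> None:
        """Record seq; called only after the ICV verified (RFC 4303 3.4.3)."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, payload: bytes, icv: bytes) -> bool:
        """Inbound path: replay check, then ICV verification, then window update."""
        if not self.replay_check(seq):
            return False
        if not hmac.compare_digest(compute_icv(self.key, seq, payload), icv):
            return False                  # forged or corrupted: window untouched
        self.window_update(seq)
        return True


class OutboundSa:
    """Sender state: sequence counter plus the SA's overflow handling choice."""

    def __init__(self, key: bytes, rekey_on_overflow: bool = True):
        self.key = key
        self.seq = 0
        self.rekey_on_overflow = rekey_on_overflow
        self.needs_rekey = False

    def next_seq(self) -> int:
        if self.seq >= SEQ_MAX:
            if self.rekey_on_overflow:
                # With anti-replay in use the counter must never wrap: stop
                # sending on this SA and ask the CPU to negotiate a new one.
                self.needs_rekey = True
                raise OverflowError("sequence counter exhausted; SA needs rekey")
            self.seq = 0                  # wrapping is only safe with replay protection off
        self.seq += 1
        return self.seq

    def protect(self, payload: bytes):
        """Return (seq, icv) for the next packet sent on this SA."""
        seq = self.next_seq()
        return seq, compute_icv(self.key, seq, payload)
```

The ordering in `receive` is the point: a packet outside the window or already marked in the bitmap is rejected before any MAC work, and a packet whose ICV fails leaves the window untouched, so an attacker cannot advance the receiver's window with forged sequence numbers.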

Compared with the prior art, the dual-stack IPSec VPN device proposed here introduces dual-stack VPN management, the maintenance and use of dual-stack security databases, CPU maintenance of the databases and data tables, and CPU handling of the necessary upper-layer IP protocols. The modules through which packets flow are connected by dual-port buffers, which reduces coupling between modules and speeds up development, and the multi-bus packet stream processing method gives the device very high processing efficiency and scalability. In this technical solution the packet data flow is handled entirely by hardware circuits, which yields high processing efficiency, reduces system complexity and makes the system design easier to realise.

Description of the drawings

Fig. 1 is a preferred structure of the dual-stack IPSec VPN device of the invention;

Fig. 2 is the basic processing flow of the dual-stack IPSec VPN device for data in the outgoing direction;

Fig. 3 is the basic processing flow of the dual-stack IPSec VPN device for data in the incoming direction;

Fig. 4 is the flow of maintenance and use of the dual-stack security database in the dual-stack IPSec VPN device;

Fig. 5 is the workflow of the dual-stack VPN processing part of the dual-stack IPSec VPN device;

Fig. 6 is a typical deployment of the dual-stack IPSec VPN device.

Detailed description

The technical solution of the invention is described in detail below with reference to the drawings:

Fig. 1 shows the basic structure of a preferred embodiment of the dual-stack IPSec VPN device. The device 100 comprises a dual-stack VPN processing part, a security database construction and lookup part, a security protocol processing part, a data stream transmission mechanism part and a CPU part. The dual-stack VPN processing part comprises the outgoing dual-stack VPN pre-processing module 112, the outgoing VPN management table 105 and the incoming dual-stack VPN pre-processing module 115. The security database construction and lookup part comprises the outgoing dual-stack security processing module 110, the packet cache module 111, the outgoing security database operation interface 103, the outgoing dual-stack security database module 104, the incoming dual-stack security processing module 114, the incoming security database operation interface 107 and the incoming dual-stack security database module 108. The security protocol processing part comprises the IPSec protocol processing module 113 and the algorithm processing module 106. The data stream transmission mechanism part makes the incoming and outgoing data streams flow in a fixed order through the modules and the network communication interfaces 109 and 116. The CPU part comprises an embeddable CPU 101 and its matching bus architecture 102.

Network communication interfaces 109 and 116 are the physical network interfaces; Ethernet or POS interfaces may be used, and both interfaces support encapsulating and decapsulating IPv4 and IPv6 packet frames. Interface 109 receives data-link-layer frames addressed to the device from the internal network side, decapsulates them into network-layer packets and writes them into the FIFO shared with the outgoing dual-stack security processing module; in the other direction it takes the network-layer packets stored in the FIFO shared with the IPSec protocol processing module, encapsulates them into frames and sends them to the data link layer on the internal network side. Interface 116 takes the network-layer packets stored in the FIFO shared with the IPSec protocol processing module, encapsulates them into frames and sends them to the data link layer on the external network side; in the other direction it receives frames addressed to the device from the external network side, decapsulates them into network-layer packets and writes them into the FIFO shared with the incoming dual-stack VPN pre-processing module 115.

CPU 101 and on-chip bus 102: the CPU may be an open-source or commercial embedded CPU, preferably a 32-bit or 64-bit general-purpose CPU, and on-chip bus 102 is a bus type that works with the chosen CPU. CPU 101 is the master on the bus and every other device attached to the bus is a slave, so CPU 101 reaches all devices on the bus through on-chip bus 102. This access consists of CPU 101 maintaining the incoming security database operation interface 107, the outgoing VPN management table 105 and the outgoing security database operation interface 103, where maintenance means add, delete and query operations. Concretely, CPU 101 places an instruction and its parameters on the bus; the bus decodes them and selects the slave device the CPU wants to access; that slave reads the instruction and parameters from the bus and responds.

The outgoing dual-stack security database module 104 and the incoming dual-stack security database module 108 store the security policy database (SPD) and the security association database (SAD), together with the read/write logic conversion interface for the two databases. The security policy database is a storage unit for security policy entries and consists of two databases, one for IPv4 and one for IPv6: the IPv4 policy database (SPD_V4) matches policies for IPv4 packet traffic and the IPv6 policy database (SPD_V6) matches policies for IPv6 packet traffic. The matching lookup of the security policy database is implemented with a CAM/TCAM structure; policy information and SA pointer information are held in on-chip RAM, and security association information is held in on-chip SRAM. The match address output by the CAM/TCAM corresponds to one policy entry and its SA pointer in the on-chip RAM. If the policy is to apply IPSec and the SA pointer is valid, the SA pointer is used as the address into the security association storage unit, and the SA information is read out and sent, together with the apply-IPSec policy information, to the corresponding security database operation interface 103 or 107. If the policy is to apply IPSec but the SA pointer is invalid, then in the outgoing direction the apply-IPSec policy information and the SA-pointer-invalid indication are sent to the outgoing security database operation interface 103, and in the incoming direction a discard indication is sent to the incoming security database operation interface 107. If the policy is to bypass IPSec, the bypass-IPSec policy information is sent to the corresponding interface 103 or 107. If the policy is to discard the packet, the discard policy information is sent to the corresponding interface 103 or 107.

The outgoing security database operation interface 103 and the incoming security database operation interface 107 first parse the instructions and parameters arriving from security processing module 110 or 114 and from bus 102, and then convert the parsed instructions and parameters into operation logic for the database storage units.

外出双栈安全处理模块110和进入双栈安全处理模块114,首先从各自FIFO接收缓冲器读IP报文,直到将所有选择符读出来送入安全数据库操作接口去匹配查询安全策略SP和安全联盟SA信息,收到安全策略SP和安全联盟SA的信息后,会有如下四种情况:Going out of the dual-stack security processing module 110 and entering the dual-stack security processing module 114, first read the IP message from the respective FIFO receiving buffers until all selectors are read out and sent to the security database operation interface to match the query security policy SP and security association SA information, after receiving the information of security policy SP and security association SA, there will be the following four situations:

a) If IPSec is to be applied and the SA exists, the dual-stack security processing module 110 or 114 encapsulates the SA information in the packet header: it first writes the SA information and the encapsulated IP packet header into the send FIFO of the dual-stack security processing module, then reads the remainder of the packet from the receive FIFO of the dual-stack security processing module and writes it into the send FIFO;

b) If IPSec is to be applied but the SA does not exist, the outgoing dual-stack security processing module 110 writes the invalid SA pointer together with the IP packet header into the data packet buffer module 111, then reads the remainder of the packet from its receive FIFO and writes it into the data packet buffer module 111; the incoming dual-stack security processing module 114 instead discards the IP packet header information, reads the remainder of the packet out of its receive FIFO and discards it.

c) If IPSec is to be bypassed, the dual-stack security processing module 110 or 114 encapsulates the bypass-IPSec control information in the packet header, writes the encapsulated packet header into its send FIFO, and then also writes the remainder of the packet from its receive FIFO into its send FIFO;

d) If the policy is discard, the dual-stack security processing module 110 or 114 reads out the entire IP packet and discards it;
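The following is an added software model of the SPD/SAD lookup and of the four outcomes (a) to (d), written for this page and not taken from the patent's hardware design. The entry layout, the two ordered tables standing in for SPD_V4/SPD_V6, the sample policies and the SAD records are all constructed; the selector fields follow step OS01 (source IP, destination IP, protocol, source port, destination port). Where the text does not say what happens when no policy matches, the model assumes discard, which is what RFC 4301 requires.

```python
"""Software model of the dual-stack SPD/SAD lookup and outcomes (a)-(d).
Added illustration: entry layout, sample policies and SAD records are
constructed and do not come from the patent."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

APPLY, BYPASS, DISCARD = "apply", "bypass", "discard"

# A selector is (src, dst, proto, sport, dport), as in step OS01.
Selector = Tuple[str, str, Optional[int], Optional[int], Optional[int]]


@dataclass(frozen=True)
class SpdEntry:
    """One TCAM row; None in a field is a don't-care (masked) match."""
    src: str                # CIDR prefix: the mask part of the TCAM row
    dst: str
    proto: Optional[int]
    sport: Optional[int]
    dport: Optional[int]
    action: str             # APPLY, BYPASS or DISCARD
    sa_ptr: Optional[int]   # address into the SAD; None models an invalid pointer

    def matches(self, sel: Selector) -> bool:
        src, dst, proto, sport, dport = sel
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return all(want is None or want == got for want, got in
                   ((self.proto, proto), (self.sport, sport), (self.dport, dport)))


class DualStackSpd:
    """SPD_V4 and SPD_V6 as two ordered tables.  The TCAM priority encoder
    returns the lowest-address hit, modelled here as first match."""

    def __init__(self) -> None:
        self.tables: Dict[int, list] = {4: [], 6: []}

    def add(self, entry: SpdEntry) -> None:
        self.tables[ipaddress.ip_network(entry.src).version].append(entry)

    def lookup(self, sel: Selector) -> Optional[SpdEntry]:
        version = ipaddress.ip_address(sel[0]).version   # selects SPD_V4 or SPD_V6
        return next((e for e in self.tables[version] if e.matches(sel)), None)


def classify(spd: DualStackSpd, sad: Dict[int, dict], sel: Selector,
             direction: str) -> Tuple[str, Optional[dict]]:
    """Map a lookup result to outcome (a)-(d); direction is 'out' or 'in'.
    Returns (outcome, SA record or None)."""
    entry = spd.lookup(sel)
    if entry is None:
        # No TCAM hit.  The patent does not state the default; RFC 4301
        # requires discard, so that is assumed here.
        return "d_discard", None
    if entry.action == DISCARD:
        return "d_discard", None
    if entry.action == BYPASS:
        return "c_bypass", None
    sa = sad.get(entry.sa_ptr) if entry.sa_ptr is not None else None
    if sa is not None:
        return "a_apply", sa                  # SA info travels in the packet header
    # apply-IPSec policy whose SA pointer is invalid: outgoing packets are
    # parked in the data packet buffer module, incoming packets are dropped.
    return ("b_buffer" if direction == "out" else "b_drop"), None


def build_sample() -> Tuple[DualStackSpd, Dict[int, dict]]:
    """Constructed policies and one SA, using documentation address ranges."""
    spd = DualStackSpd()
    spd.add(SpdEntry("10.1.0.0/16", "10.1.0.0/16", None, None, None, BYPASS, None))
    spd.add(SpdEntry("10.1.0.0/16", "10.2.0.0/16", 6, None, 443, APPLY, 1))
    spd.add(SpdEntry("2001:db8:1::/48", "2001:db8:2::/48", None, None, None, APPLY, 7))
    spd.add(SpdEntry("2001:db8:1::/48", "::/0", None, None, None, DISCARD, None))
    sad = {1: {"spi": 0x1001, "proto": "ESP", "enc": "AES", "auth": "HMAC-SHA-96"}}
    return spd, sad
```

The entry for `2001:db8:1::/48` carries SA pointer 7, which the constructed SAD does not contain, so the same selector yields `b_buffer` in the outgoing direction and `b_drop` in the incoming direction, exactly the asymmetry of case (b).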

The outgoing VPN management table is used, when a packet from the internal network flows to the external network, to look up the VPN header with which the packet is to be sent. The VPN table resides in an on-chip RAM storage unit and its lookup is implemented with a CAM/TCAM structure. When the table receives the source IP and destination IP, it uses them as the VPN selector and feeds them to the CAM/TCAM, which yields the address of a VPN entry in the RAM storage unit; that address is then applied to the VPN table RAM storage unit, and the VPN information is read out and sent to the outgoing dual-stack VPN preprocessing module. The outgoing dual-stack VPN preprocessing module 112 first reads the source and destination IP from its receive FIFO and sends them to the outgoing VPN management table; the outgoing VPN management table returns the source and destination IP of the VPN header to the outgoing VPN preprocessing module, which encapsulates the VPN information into the packet header, writes the encapsulated packet header into its send FIFO, and then reads the remainder of the packet from its receive FIFO and writes it into its send FIFO;

The incoming dual-stack VPN preprocessing module 115 reads the packet from its receive FIFO, strips the VPN header from the packet, and writes the packet with the header stripped into its send FIFO;

The algorithm processing module 106 implements four kinds of arithmetic units: encryption, decryption, authentication and de-authentication (authentication verification). The encryption algorithms are DES, 3DES and AES encryptors, the decryption algorithms are DES, 3DES and AES decryptors, and the authentication algorithms are HMAC-SHA-96 and HMAC-MD5-96. In the outgoing direction, after a packet that the IPSec protocol processing module 113 requires to be encrypted and authenticated is received, the packet is sent to the encryption unit or the authentication unit for encryption or authentication; an encrypted packet must additionally be sent to the authentication unit for authentication processing. The input to the authentication unit is chosen by an outgoing scheduler, which selects either the output of the encryption unit or a packet from the IPSec protocol processing module 113 that needs authentication only. When the outgoing algorithm processing is finished, the packet is returned to the IPSec protocol processing module. In the incoming direction, after a packet is received from the IPSec protocol encapsulation processing module, it is sent to the de-authentication unit for authentication verification; if verification fails, the packet is discarded; if it succeeds, the packet is sent either to the FIFO in front of the decryption unit or to the FIFO in front of the incoming scheduler. The decryption unit processes packets that need decryption and writes them into the FIFO in front of the incoming scheduler, and the incoming scheduler selects the packet from the output FIFO of either the de-authentication unit or the decryption unit and sends it to the IPSec protocol processing module 113.
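The ordering the paragraph above describes, encryption before authentication on the way out and authentication verification before decryption on the way in, is shown in the added example below; it is written for this page and is not the patent's design. The ESP header layout (SPI and sequence number), the sample SA record and the fixed keys are constructed. The DES/3DES/AES units need a cryptographic library that is not assumed here, so the cipher stage is a clearly labelled placeholder transform; the authentication stage is real HMAC-SHA-96 / HMAC-MD5-96, that is, HMAC output truncated to 96 bits as in RFC 2403 and RFC 2404.

```python
"""Ordering of the algorithm processing units for an ESP-style packet.
Added illustration: header layout, SA record and keys are constructed; the
cipher stage is a placeholder, not a cipher."""
import hashlib
import hmac
import struct
from typing import Optional

ESP_HDR = struct.Struct("!II")   # SPI, sequence number (RFC 4303 header)
ICV_LEN = 12                      # "-96": HMAC output truncated to 96 bits
AUTH_ALGS = {"HMAC-SHA-96": hashlib.sha1, "HMAC-MD5-96": hashlib.md5}


def icv(auth_alg: str, key: bytes, data: bytes) -> bytes:
    """Authentication unit: HMAC over header + (encrypted) payload, truncated."""
    return hmac.new(key, data, AUTH_ALGS[auth_alg]).digest()[:ICV_LEN]


def placeholder_transform(key: bytes, data: bytes) -> bytes:
    """PLACEHOLDER for the encryption/decryption units, NOT a cipher: an
    involutory XOR so the example runs without a crypto library.  A real
    device uses the AES/3DES/DES units named in the text."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def outgoing(sa: dict, sn: int, payload: bytes) -> bytes:
    """Outgoing path: encryption unit first (if the SA asks for it), then the
    outgoing scheduler hands the result to the authentication unit, so the
    ICV covers the ciphertext."""
    header = ESP_HDR.pack(sa["spi"], sn)
    body = sa["cipher"](sa["enc_key"], payload) if sa["cipher"] else payload
    return header + body + icv(sa["auth_alg"], sa["auth_key"], header + body)


def incoming(sa: dict, packet: bytes) -> Optional[bytes]:
    """Incoming path: de-authentication unit first; an ICV mismatch drops the
    packet before the decryption unit ever sees it."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return None
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa["auth_alg"], sa["auth_key"], body)):
        return None                        # de-authentication failed: discard
    spi, _sn = ESP_HDR.unpack_from(body)
    if spi != sa["spi"]:
        return None                        # packet does not belong to this SA
    ciphertext = body[ESP_HDR.size:]
    return sa["cipher"](sa["enc_key"], ciphertext) if sa["cipher"] else ciphertext


def sample_sa(with_cipher: bool) -> dict:
    """Constructed SA record; keys are fixed only so the example is reproducible."""
    return {"spi": 0x1001, "auth_alg": "HMAC-SHA-96", "auth_key": b"k" * 20,
            "enc_key": b"e" * 16,
            "cipher": placeholder_transform if with_cipher else None}


def demo() -> tuple:
    """Round trip, a tampered packet, and an authentication-only SA."""
    sa = sample_sa(True)
    pkt = outgoing(sa, 1, b"inner IP packet")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])          # flip one ICV bit
    sa_auth_only = sample_sa(False)
    pkt2 = outgoing(sa_auth_only, 1, b"plain")
    return (incoming(sa, pkt), incoming(sa, tampered),
            incoming(sa_auth_only, pkt2), pkt2[ESP_HDR.size:-ICV_LEN])
```

`hmac.compare_digest` is used for the ICV comparison so that the time taken by the de-authentication step does not depend on how many leading bytes of a forged tag happen to match.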

The IPSec protocol processing module 113 implements the ESP and AH protocols of IPSec for packets. In the outgoing direction it contains an IPSec protocol pre-encapsulation processor and an IPSec protocol post-encapsulation processor. The pre-encapsulation processor reads the packet from the data FIFO fed by the dual-stack VPN preprocessing module 112, analyses the packet's security policy and security association information, chooses whether the packet goes to the input FIFO of the encryption algorithm unit in the algorithm processing module 106 or to the input FIFO of the outgoing scheduler, and writes the packet into the selected input FIFO. The post-encapsulation processor reads the packet from the output FIFO of the authentication algorithm unit in the algorithm processing module 106, performs the IPSec protocol encapsulation, adds the IPSec header, and hands the packet, encapsulated as an IP layer packet, to the network communication interface 116. In the incoming direction it contains an anti-replay protector, an IPSec protocol pre-decapsulation processor and an IPSec protocol post-decapsulation processor. The anti-replay protector reads the packet from the output FIFO of the incoming dual-stack security processing module 114, reads the SN from the IPSec header and performs anti-replay protection: if the packet is found to be a replay it is discarded, otherwise it is handed to the IPSec protocol pre-decapsulation processor, which analyses the packet's security policy and security association information and writes the packet into the input FIFO of the de-authentication algorithm unit in the algorithm processing module 106. The IPSec protocol post-decapsulation processor reads the packet delivered by the algorithm scheduler of the algorithm processing module, checks the legality of the security policy corresponding to the packet's security association, discards the packet if it is not legal, and otherwise strips the IPSec header, processes the packet into an IP layer packet and hands it to the network communication interface 109. Both the outgoing scheduler and the incoming scheduler may be implemented with a two-to-one selector.

Fig. 2 shows the basic processing flow of the dual-stack IPSec VPN device of the present invention for data in the outgoing direction, comprising the following steps:

OS00: when the intranet-side network communication interface receives data link layer data from the internal network, it decapsulates it into an IP layer packet;

OS01: the outgoing security policy selector is extracted and sent to the security database for matching lookup, obtaining the security policy information and security association information; the outgoing security policy selector here preferably consists of source IP, destination IP, upper-layer protocol number, source port and destination port;

OS02: the security policy information and security association information are analysed to select how the packet stream is handled: if the policy is bypass IPSec, the bypass-IPSec policy information is sent to its send FIFO buffer; if the policy is discard, the packet stream is read out and discarded; if the policy is apply IPSec, it is further checked whether the SA is valid: if invalid, the packet is sent to the data packet buffer module, and if valid, it is sent to its send FIFO buffer;

OS03: the outgoing dual-stack VPN preprocessing module extracts the VPN selector of the packet and sends it to the outgoing VPN management table;

OS04: after the outgoing dual-stack VPN preprocessing module has encapsulated the VPN information, it writes the packet into the send FIFO between it and the next module;

OS05: when the IPSec protocol processing module finds that the FIFO between it and the outgoing dual-stack VPN preprocessing module holds a packet to be processed, it reads the packet out and performs IPSec protocol pre-encapsulation processing on it;

OS06: the algorithm processing module reads in the packet that requires algorithm processing and performs the corresponding algorithm operations on it;

OS07: the packet that has undergone algorithm processing is given IPSec protocol post-encapsulation processing;

OS08: the external-network communication interface re-encapsulates the encapsulated IP layer packet into a data link layer frame and sends it out.

Fig. 3 shows the basic processing flow of the dual-stack IPSec VPN device of the present invention for data in the incoming direction, comprising the following steps:

IS00: the external-network-side network communication interface receives a data link layer frame, decapsulates it into an IP layer packet and writes it into the FIFO buffer between it and the next module;

IS01: after the incoming dual-stack VPN preprocessing module has read the packet, it strips the VPN header from the packet and writes the packet into the FIFO buffer between it and the next module;

IS02: the incoming security policy selector and the incoming security association selector of the packet are extracted and sent to the security database to match and look up the security policy and security association information; the incoming security policy selector preferably consists of source IP, destination IP and upper-layer protocol number, and the incoming security association selector preferably consists of source IP, destination IP, upper-layer protocol number and SPI value;

IS03: the security policy and security association information are analysed. If the policy is bypass IPSec, the bypass-IPSec information is encapsulated into the packet header and the packet is written into the FIFO buffer between this module and the next. Analysing the security policy: if the policy is apply IPSec and the SA is valid, the security policy information and security association information are encapsulated in the packet header and written into the FIFO buffer between this module and the next; if the policy is apply IPSec but the SA is invalid, or the policy is discard, the packet is read out and discarded directly; if the policy is bypass IPSec, the packet bypasses IPSec processing;

IS04: when the IPSec protocol processing module finds that the FIFO buffer between it and the incoming dual-stack security processing module holds a packet to be processed, it first performs anti-replay protection based on the security sequence number (SN) of the packet and determines whether the packet is a replay; if it is a replay packet, it is discarded directly, otherwise processing continues with the next step;

IS05: the IPSec protocol processing module performs IPSec protocol pre-decapsulation processing on the packet and then passes the packet into the algorithm module;

IS06: when the algorithm module finds a packet to be processed, it sends the packet to the decryption or de-authentication unit for algorithm processing; after authentication verification is complete the result is analysed: if verification fails, the packet is discarded, and if it succeeds, the packet is passed to the next step;

IS07: the IPSec protocol post-decapsulation processor in the IPSec protocol processing module reads the packet and checks the legality of its security association and security policy; if the legality check fails, the packet is discarded, and if the result is legal, the packet is passed to the next step;

IS08: the IPSec protocol post-decapsulation processor in the IPSec protocol processing module performs post-decapsulation processing on the packet, strips the IPSec header, processes it into an IP layer packet and hands it to the intranet-side communication interface;

IS07: the intranet-side data communication interface encapsulates the IP layer packet into a data link layer frame and sends it out.
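For step IS04 the text only says that the SN is checked for replay. The added example below, written for this page and not part of the patent, realises that check with the 64-entry sliding bitmap window of RFC 4303 Appendix A; the window size and the `check`/`commit` split are assumptions. The split matters because IS04 runs before the authentication verification of IS06: RFC 4303 requires that the window only advances once the ICV has verified, otherwise a forged packet with a large SN could push legitimate in-flight packets out of the window. `replay_filter` models that by committing an SN only when the (simulated) verification succeeds.

```python
"""Sliding-window anti-replay check on the IPSec sequence number (SN).
Added illustration; the 64-bit bitmap window follows RFC 4303 Appendix A
and is an assumption about how IS04 could be realised."""
from typing import Callable, Iterable, List, Optional


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0          # highest SN accepted so far (SN 0 is never valid)
        self.bitmap = 0       # bit i set: SN (top - i) has already been accepted

    def check(self, sn: int) -> bool:
        """IS04: decide whether the SN is acceptable without changing state."""
        if sn == 0:
            return False
        if sn > self.top:
            return True                           # to the right of the window
        offset = self.top - sn
        if offset >= self.size:
            return False                          # too old: left of the window
        return not (self.bitmap >> offset) & 1    # already seen means replay

    def commit(self, sn: int) -> None:
        """Record an accepted SN.  Call only after the ICV verified (IS06) so a
        forged packet cannot slide the window forward."""
        if sn > self.top:
            shift = sn - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = sn
        else:
            self.bitmap |= 1 << (self.top - sn)


def replay_filter(sns: Iterable[int], icv_ok: Optional[Callable[[int], bool]] = None,
                  size: int = 64) -> List[bool]:
    """Run a sequence of SNs through one window.  icv_ok(sn) stands in for the
    later de-authentication result; packets that fail it are dropped and do
    not move the window.  Returns one accept/drop flag per packet."""
    window = AntiReplayWindow(size)
    results = []
    for sn in sns:
        accepted = window.check(sn) and (icv_ok is None or icv_ok(sn))
        if accepted:
            window.commit(sn)
        results.append(accepted)
    return results
```

In the second test case below, SN 100 fails verification; because it is not committed, the late but genuine SN 2 is still accepted, whereas committing unverified SNs would have pushed it out of the window.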

Fig. 4 shows the flow of the method for maintaining and using the dual-stack security database in the dual-stack IPSec VPN device of the present invention. Note that not every step requires a full clock cycle; those skilled in the art will understand that at least one step can be completed per clock cycle. When the outgoing database operation interface or the incoming security database operation interface (hereinafter security operation interface 103 or 111) receives an access request, it distinguishes whether it is a CPU access or a lookup access from the security processing module 113 or 106. The CPU access proceeds as follows: the CPU issues an instruction and parameters onto the on-chip bus 102; the security database operation interface receives and parses the command and parameters, then selects between the security association database and the security policy database; if the security policy database is selected, it further selects the IPv4 or IPv6 database, and converts the parsed command and parameters into read/write operations on that security policy database. The dual-stack security processing module access proceeds as follows: the dual-stack security processing module sends a matching lookup request command and parameters; the security operation interface 103 or 111 parses the received command and parameters and converts them into a read operation on the security policy database; it then determines whether the security association database SAD must be accessed; if so, it further converts the command and parameters into a read operation on the SAD and outputs the security information result; if not, it outputs the security information result directly, and the flow ends.

Fig. 5 shows a preferred dual-stack VPN processing method of the present invention, comprising outgoing dual-stack VPN preprocessing and incoming dual-stack VPN preprocessing. For outgoing VPN preprocessing, the VPN selector of the packet, which is the source and destination IP in the packet header, is read first; the VPN table module feeds the selector into its internal matching circuit to look up the VPN information, the matching circuit preferably being implemented as a CAM structure with the VPN table information stored in on-chip RAM, and then outputs the VPN header information. After the outgoing VPN preprocessing module has read the VPN header information, it encapsulates it in the packet header and writes the packet into the FIFO between it and the IPSec protocol processing module. For incoming dual-stack VPN preprocessing, the packet is read, its type (IPv4 or IPv6) is determined, the VPN header of that type is stripped, and the packet is then written into the FIFO between this module and the incoming dual-stack security processing module.

Fig. 6 shows a typical deployment of the dual-stack IPSec VPN device. As shown in Fig. 6, an organisation has a headquarters network and two branch networks, branch 1 and branch 2, located at different offices. The headquarters network is an IPv4/IPv6 dual-stack network, branch 1 is an IPv4 network and branch 2 is an IPv6 network. The hosts in the headquarters and branch networks are dual-stack nodes, among them IPv4 servers and IPv6 servers, and the switch in the headquarters network is a dual-stack switch. When a host in the headquarters network accesses IPv4 nodes of the headquarters network, branch 1 or branch 2 it uses IPv4 addresses, and when it accesses IPv6 nodes it uses IPv6 addresses. As shown in the figure, three dual-stack IPSec VPN devices of the present invention serve as the default VPN nodes of the headquarters network and the two branch networks. The external-network port of each dual-stack IPSec VPN device has both an IPv4 and an IPv6 address, each globally unique, and the internal-network side of each device has an IPv4 and an IPv6 address from the internal network segment. As an example of VPN communication, when host a at the headquarters uses an IPv4 address to access host a of branch 1, the packet flows through the switch, dual-stack IPSec VPN device 1, the Internet and dual-stack IPSec VPN device 2 to host a of the branch 1 network; during this process an IPSec VPN tunnel is established between dual-stack IPSec VPN device 1 and dual-stack IPSec VPN device 2 to protect the data communication, and since both communicating parties use IPv4 addresses, the dual-stack IPSec VPN devices process the packets with the IPv4 processing method. As another example, when host b of branch 2 uses an IPv6 address to access the IPv6 server in the headquarters network, the packet flows through dual-stack IPSec VPN device 3, the Internet, dual-stack IPSec VPN device 1, the switch and the IPv6 server; since the initiating and receiving parties use IPv6 addresses, dual-stack IPSec VPN device 1 and dual-stack IPSec VPN device 3 apply the IPv6 processing method, but dual-stack IPSec VPN device 3 adds an IPv4 VPN header during outgoing VPN preprocessing so that the IPv6 packet can traverse the IPv4 Internet.
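The branch 2 case above, an IPv6 packet carried across the IPv4 Internet in an IPv4 VPN header, is shown in the added example below as a software model of the outgoing VPN management table (selector: source and destination IP; result: the VPN header's source and destination IP) and of the two VPN preprocessing modules. It is written for this page and is not the patent's design; the addresses come from documentation ranges, the packet representation is a plain dict, and the checks that a table row uses one address family for both outer ends and that an incoming VPN header is addressed to one of this device's external addresses are assumptions, not statements from the text.

```python
"""Model of the outgoing VPN management table and the VPN preprocessing
modules for the branch-2 to headquarters case.  Added illustration with
constructed addresses."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.ip_network
Addr = ipaddress.ip_address


class VpnTable:
    """CAM-style table keyed by (inner src prefix, inner dst prefix) giving the
    outer (VPN header) source and destination; first match wins.  IPv4 and
    IPv6 selectors live in separate units, as in the device."""

    def __init__(self) -> None:
        self.rows: Dict[int, List[tuple]] = {4: [], 6: []}

    def add(self, inner_src: str, inner_dst: str, outer_src: str, outer_dst: str) -> None:
        osrc, odst = Addr(outer_src), Addr(outer_dst)
        if osrc.version != odst.version:
            raise ValueError("a VPN header needs one IP version for both ends")
        src_net, dst_net = Net(inner_src), Net(inner_dst)
        if src_net.version != dst_net.version:
            raise ValueError("inner selector mixes address families")
        self.rows[src_net.version].append((src_net, dst_net, osrc, odst))

    def lookup(self, src: str, dst: str) -> Optional[Tuple]:
        s, d = Addr(src), Addr(dst)
        for src_net, dst_net, osrc, odst in self.rows[s.version]:
            if s in src_net and d in dst_net:
                return osrc, odst
        return None


def outgoing_preprocess(table: VpnTable, pkt: dict) -> Optional[dict]:
    """Outgoing module: look up the VPN header and wrap the packet.  The outer
    IP version follows the outer addresses, not the inner packet.  No table
    entry: the text does not define this case; dropping is assumed."""
    hit = table.lookup(pkt["src"], pkt["dst"])
    if hit is None:
        return None
    osrc, odst = hit
    return {"ver": osrc.version, "src": str(osrc), "dst": str(odst), "inner": pkt}


def incoming_preprocess(my_addrs: Iterable[str], pkt: dict) -> Optional[dict]:
    """Incoming module: the device has one external address per family; accept
    the VPN header only if it is addressed to one of them, then strip it."""
    if Addr(pkt["dst"]) not in {Addr(a) for a in my_addrs}:
        return None
    return pkt.get("inner")


def branch2_to_hq_example() -> tuple:
    """Device 3 (branch 2, IPv6 site) sends to the HQ IPv6 server; the IPv4
    path across the Internet gets an IPv4 VPN header, which device 1 strips."""
    dev3 = VpnTable()
    dev3.add("2001:db8:2::/48", "2001:db8::/48", "203.0.113.3", "203.0.113.1")
    inner = {"ver": 6, "src": "2001:db8:2::b", "dst": "2001:db8::1"}
    outer = outgoing_preprocess(dev3, inner)
    delivered = incoming_preprocess(["203.0.113.1", "2001:db8:ffff::1"], outer)
    return outer["ver"], outer["src"], outer["dst"], delivered == inner
```

Keeping the outer version tied to the outer addresses rather than to the inner packet is what lets the same table carry IPv6 sites over IPv4 transit and vice versa; a row whose two outer ends disagree cannot form a header, so the model rejects it at insertion time rather than at lookup time.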

Claims (6)

1. A dual-stack IPSec VPN device, characterised in that it comprises a dual-stack VPN processing part, a security database structure and lookup part, a security protocol processing part, a data stream transmission processing part and a CPU part;
The dual-stack VPN processing part handles VPN headers for dual-stack processing and comprises an outgoing dual-stack VPN preprocessing module, an outgoing VPN management table and an incoming dual-stack VPN preprocessing module;
The security database structure and lookup part performs maintenance and matching lookup of the two security policy databases for IPv4 and IPv6 and maintenance and matching lookup of one security association database; it comprises an outgoing dual-stack security processing module, a data packet buffer module, an outgoing security database operation interface, an outgoing dual-stack security database module, an incoming dual-stack security processing module, an incoming security database operation interface and an incoming dual-stack security database module;
The security protocol processing part performs the encapsulation and decapsulation processing of the IPSec AH and ESP protocols and the encryption, decryption and authentication algorithm processing of packets; it comprises an IPSec protocol processing module and an algorithm processing module;
The data stream transmission processing part controls the order in which the incoming and outgoing data streams flow through the different modules and network communication interfaces; packet data going from the intranet to the external network is processed by the outgoing dual-stack security processing module and the outgoing dual-stack VPN preprocessing module, which encapsulate the security parameters and the VPN parameters respectively into the header of the original packet; packet data entering the intranet from the external network has its VPN header information stripped by the incoming dual-stack VPN preprocessing, and after this packet with the VPN information stripped has been processed by the incoming dual-stack security processing module, the security parameters are encapsulated into its header;
The CPU part comprises a CPU and the bus architecture that works with it, and is used to manage the security databases and the VPN table and to analyse the transport layer and upper-layer protocols of the OSI model, without intervening in normal packet flow processing;
Wherein the CPU, the incoming security database operation interface, the outgoing VPN management table and the outgoing security database operation interface are interconnected by the on-chip bus; the outbound communication interface and the outgoing dual-stack security processing module are connected by a dual-port buffer; the outgoing dual-stack security processing module is connected to the outgoing security database operation interface and to the data packet buffer module; the outgoing dual-stack security database module is connected to the outgoing database operation interface; the outgoing dual-stack security processing module and the outgoing dual-stack VPN preprocessing module are connected by a dual-port buffer; the outgoing dual-stack VPN preprocessing module is connected to the outgoing VPN management table; the outgoing dual-stack VPN preprocessing module and the IPSec protocol processing module are connected by a dual-port buffer; the IPSec protocol processing module and the algorithm processing module are connected by dual-port buffers; the IPSec protocol processing module and the outbound communication interface are connected by a dual-port buffer; the intranet communication interface and the incoming dual-stack VPN preprocessing module are connected by a dual-port buffer; the incoming dual-stack VPN preprocessing module and the incoming dual-stack security processing module are connected by a dual-port memory; the incoming dual-stack security processing module is connected to the incoming security database operation interface; the incoming dual-stack security processing module and the IPSec protocol processing module are connected by a dual-port buffer; and the IPSec protocol processing module and the intranet communication interface are connected by a dual-port buffer.
2. The dual-stack IPSec VPN device of claim 1, characterised in that the outgoing dual-stack security database module comprises: an outgoing security policy database for storing security policy entries, an outgoing security association database for storing outgoing security association entries, and a read/write logic conversion interface to the two databases;
The outgoing security policy database comprises two databases corresponding respectively to IPv4 and IPv6: an outgoing IPv4 policy database and an outgoing IPv6 policy database; the outgoing IPv4 policy database is used for matching lookup of policies for IPv4 packet flows, and the outgoing IPv6 policy database is used for matching lookup of policies for IPv6 packet flows;
The outgoing security association database is a storage unit for security association entry information; the information it stores comprises a transport mode selection field, a protocol type selection field, a sequence number overflow handling selection field, an encryption algorithm selection field, an authentication algorithm selection field, a field selecting whether an encryption IV is required, an encryption algorithm key length field, an authentication algorithm key length field, a PMTU field, a security parameter index field and a sequence number counter field.
3. The dual-stack IPSec VPN device of claim 1, characterised in that the outgoing VPN management table comprises two VPN table storage units, for IPv4 and for IPv6, and a control access logic controller, the control access logic controller comprising: the control logic circuit for the CPU's query, add and delete operations on VPN management table entries, and the control logic circuit for the outgoing dual-stack VPN preprocessing module's query operations on the VPN management table.
4. The dual-stack IPSec VPN device of claim 1, characterised in that the algorithm processing module comprises an encryption algorithm unit, a decryption algorithm unit, an authentication algorithm unit and a de-authentication algorithm unit; wherein, in the direction of intranet packets going out to the external network, the input interface of the encryption algorithm unit is connected to the encryption algorithm processing output interface of the IPSec protocol processing module, the input interface of the authentication algorithm unit is connected to the output interface of a two-to-one selector whose two input interfaces are connected respectively to the authentication algorithm processing output interface of the IPSec protocol processing module and to the output interface of the encryption algorithm unit, and the output interface of the authentication algorithm unit is connected to the authentication algorithm result input interface of the IPSec protocol processing module; in the direction of external-network packets entering the intranet, the input interface of the de-authentication algorithm unit is connected to the de-authentication algorithm result output interface of the IPSec protocol processing module, the output interface of the de-authentication algorithm unit and the output interface of the decryption algorithm unit are connected respectively to the two input interfaces of a two-to-one selector whose output interface is connected to the algorithm processing result input interface of the IPSec protocol processing module, and the output interface of the de-authentication algorithm unit is also connected to the input interface of the decryption algorithm unit.
5. The dual-stack IPSec VPN device of claim 3, characterised in that the encryption/decryption algorithm unit comprises at least two encryption/decryption algorithm units using different encryption/decryption algorithms, and the authentication/de-authentication algorithm unit comprises at least two authentication/de-authentication algorithm units using different authentication/de-authentication algorithms.
6. The dual-stack IPSec VPN device of claim 1, wherein the IPSec protocol processing module comprises:
an IPSec protocol encapsulation pre-processor, which analyses the security policy and security association information of an outbound packet, determines whether the packet needs both encryption and authentication processing or only authentication processing, and then sends the packet to the corresponding unit;
an IPSec protocol encapsulation post-processor, which performs protocol encapsulation on the packet after it has been processed by the encryption and/or authentication algorithm unit and writes the encapsulated packet into the dual-port buffer between itself and the extranet communication interface;
an anti-replay protection device, which performs anti-replay detection on received inbound packets and carries out anti-replay processing according to the detection result;
an IPSec protocol decapsulation pre-processor, which analyses the security policy and security association information of an inbound packet, determines whether the packet needs both decryption and authentication verification or only authentication verification, and then sends the packet to the corresponding unit;
an IPSec protocol decapsulation post-processor, which performs protocol decapsulation on the packet after it has been processed by the decryption and/or authentication verification unit, then checks whether the security policy and security association information of the packet are legal; if they are illegal the packet is dropped, and if they are legal the decapsulated packet is written into the dual-port buffer between itself and the intranet communication interface;
wherein the IPSec protocol encapsulation pre-processor, the IPSec protocol encapsulation post-processor, the IPSec protocol decapsulation pre-processor and the IPSec protocol decapsulation post-processor operate independently and concurrently, have no circuit connection between one another, and are each connected to the respective algorithm units in the algorithm processing module through their own independent data paths.
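A software model of the packet paths described in claims 4 and 6, added here as an illustration; it is not the patent's design, which implements these stages in hardware. It assumes a constructed 8-byte SPI/sequence header, a 12-byte truncated HMAC-SHA256 ICV, a SHA-256 counter keystream standing in for the device's cipher unit, and a 64-entry RFC 4303-style sliding window for the anti-replay device; all keys and SPIs are constructed sample values.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

@dataclass
class SecurityAssociation:
    spi: int
    auth_key: bytes
    enc_key: bytes = b""       # empty: authentication-only SA (no cipher unit in the chain)
    window_size: int = 64      # inbound anti-replay window
    seq: int = 0               # outbound sequence counter
    highest_seq: int = 0       # inbound: right edge of the window
    window: int = 0            # inbound bitmap; bit 0 marks highest_seq as seen

def _keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    # Stand-in SHA-256 counter keystream (stdlib only); the device uses a hardware cipher unit.
    ks = b"".join(hashlib.sha256(key + struct.pack(">II", seq, i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encapsulate(sa: SecurityAssociation, payload: bytes) -> bytes:
    sa.seq += 1
    hdr = struct.pack(">II", sa.spi, sa.seq)
    # 2-to-1 selector of claim 4: the authentication unit consumes the cipher
    # unit's output when the SA encrypts, otherwise the plaintext directly.
    body = _keystream_xor(sa.enc_key, sa.seq, payload) if sa.enc_key else payload
    icv = hmac.new(sa.auth_key, hdr + body, hashlib.sha256).digest()[:12]
    return hdr + body + icv

def _replay_check(sa: SecurityAssociation, seq: int) -> bool:
    diff = sa.highest_seq - seq              # negative: newer than anything seen
    return seq != 0 and (diff < 0 or diff < sa.window_size and not (sa.window >> diff) & 1)

def _replay_mark(sa: SecurityAssociation, seq: int) -> None:
    if seq > sa.highest_seq:                 # slide the window right to the new edge
        sa.window = ((sa.window << (seq - sa.highest_seq)) | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)

def decapsulate(sa: SecurityAssociation, packet: bytes) -> "bytes | None":
    # Inbound: SA/policy check, anti-replay detection, ICV verification, then decryption.
    spi, seq = struct.unpack(">II", packet[:8]) if len(packet) >= 20 else (None, 0)
    if spi != sa.spi or not _replay_check(sa, seq):
        return None                          # runt, no matching SA, or a replay: drop
    expected = hmac.new(sa.auth_key, packet[:-12], hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expected, packet[-12:]):
        return None                          # bad ICV: drop without touching replay state
    _replay_mark(sa, seq)                    # only verified packets advance the window
    return _keystream_xor(sa.enc_key, seq, packet[8:-12]) if sa.enc_key else packet[8:-12]
```

The window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push legitimate in-flight packets out of the window.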
CN201510307310.2A 2015-07-16 2015-07-16 A kind of double stack IPSec VPN devices Active CN105025004B (en)

Publications (2)

Publication Number Publication Date
CN105025004A CN105025004A (en) 2015-11-04
CN105025004B true CN105025004B (en) 2018-01-02

Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant