Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
A virtual private network (Virtual Private Network, VPN) is a private network established over a public network for encrypted communications; remote access is achieved by encrypting data packets and translating their destination addresses at VPN gateways, or by using tunneling techniques. A VPN may be implemented in a variety of ways, e.g., by a server, hardware, software, etc. An IPSec VPN is a VPN that uses IPSec (Internet Protocol Security) to implement remote access, where IPSec is a protocol suite (a collection of interrelated protocols) that protects IP traffic by encrypting and authenticating IP packets.
IPSec consists essentially of the following protocols:
1. Authentication Header (AH), providing connectionless data integrity, message authentication and replay-attack protection for IP datagrams;
2. Encapsulating Security Payload (ESP), providing confidentiality, data-origin authentication, connectionless integrity, anti-replay and limited traffic-flow confidentiality;
3. Internet Key Exchange (IKE, or IKEv2), which negotiates the algorithms, packet formats and key parameters of the Security Association (SA) required for AH and ESP operation.
When an IPSec VPN is implemented in the cloud, the architecture is as shown in fig. 1a: each computing node (for example, computing node 1 and computing node 2) may include a virtual switch and multiple virtual machines (VMs) belonging to VPCs (Virtual Private Clouds), where the VPCs (for example, VPC1 and VPC2) may be isolated from each other, the virtual machines of the VPCs are connected to the virtual switch, and the virtual switch is connected to the IPSec VPN gateway in the cloud.
A data packet transmitted outward by any virtual machine (VM) in a computing node is forwarded to the IPSec VPN gateway by the virtual switch; the IPSec VPN gateway encrypts and encapsulates the data packet according to the IPSec SA information negotiated with the target client gateway to generate a message, and then sends the message to the target client gateway (which is itself also an IPSec VPN gateway).
An IPSec VPN in the cloud generally uses the ESP protocol in tunnel mode. The IPSec VPN gateway encrypts and encapsulates data packets as shown in fig. 1b, where the left side is an unencrypted packet and the right side is an ESP-encrypted packet: the IPSec VPN gateway encrypts the data packet (grey part) and adds ESP header information (in particular the ESP Sequence Number) and trailer information.
In the prior art, in a cloud scenario, the virtual machines in the VPCs of the computing nodes are numerous, generate large traffic volumes and are widely distributed, so the IPSec VPN gateway comes under increasing pressure when it has to encrypt a large number of messages, and its performance requirements rise accordingly.
To solve this technical problem, the disclosure provides a message processing method in which a virtual switch of a cloud computing node encrypts a data packet according to IPSec SA information sent to it in advance by the IPSec VPN gateway and sends the encrypted data packet to the IPSec VPN gateway; the IPSec VPN gateway fills message information into the encrypted data packet, encapsulates it into a complete target message, and sends the target message to a target client gateway. The computing resources of all the computing nodes are thereby fully utilized, the IPSec VPN gateway no longer needs to perform encryption processing, the performance bottleneck of the IPSec VPN gateway in a scenario with a large number of virtual switches is resolved, and the transmission of messages is ensured.
The message processing method of the present disclosure will be described in detail with reference to specific embodiments.
Referring to fig. 2, fig. 2 is a flow chart of a message processing method according to an embodiment of the disclosure. The method of the embodiment can be applied to a virtual private network IPSec VPN gateway based on an internet security protocol in a cloud, and the message processing method comprises the following steps:
S201, receiving an encrypted data packet sent by a virtual switch of a cloud computing node, where the encrypted data packet has been encrypted by the virtual switch according to IPSec SA information that the IPSec VPN gateway sent to the virtual switch in advance.
In this embodiment, the IPSec VPN gateway negotiates with the target client gateway (which is itself also a VPN gateway) in advance to determine the IPSec SA information. Specifically, the IPSec SA information may be determined by the internet key exchange (IKE or IKEv2) of IPSec and includes an encryption policy, a key, etc., where the encryption policy determines which data needs to be encrypted according to the IPSec SA information; for example, 192.168.1.0/24 → 172.16.1.0/24 data needs to be encrypted using the key K1. Further, the IPSec VPN gateway may send the IPSec SA information to a virtual switch of a cloud computing node connected to the IPSec VPN gateway; optionally, to protect the information, an encrypted connection, for example an SSH (Secure Shell) connection, may first be established with the virtual switch, and the IPSec SA information is sent to the virtual switch through the encrypted connection.
When the virtual switch needs to send a data packet to the target client gateway, it checks the packet against the encryption policy in the IPSec SA information to determine whether the data packet to be sent needs to be encrypted; if so, the virtual switch encrypts the data packet with the key in the IPSec SA information to obtain an encrypted data packet and sends the encrypted data packet to the IPSec VPN gateway. Because the packet it receives has already been encrypted according to the IPSec SA information, the IPSec VPN gateway does not need to perform encryption itself and can skip the encryption processing step.
Optionally, since not every data packet matches the encryption policy in the IPSec SA information, the IPSec VPN gateway may receive data packets that have been encrypted according to the IPSec SA information as well as data packets that have not. To distinguish them, the virtual switch may add an identifier to each encrypted data packet, indicating that the packet has been encrypted according to the IPSec SA information; when the IPSec VPN gateway receives a data packet and recognizes that it carries the identifier, it determines that the packet has already been encrypted according to the IPSec SA information and may skip the encryption process.
S202, filling message information into the encrypted data packet, and packaging the encrypted data packet into a complete target message.
In this embodiment, the IPSec VPN gateway fills in the remaining message information, including but not limited to header information and trailer information, on the basis of the data packet already encrypted according to the IPSec SA information, and encapsulates the encrypted data packet into a complete target message.
Optionally, the encrypted data packet may be filled with ESP header information (in particular the ESP sequence number) and trailer information, and the public network IP of the VPN may be used for tunnel encapsulation.
S203, the target message is sent to a target client gateway.
In this embodiment, after the IPSec VPN gateway encapsulates the complete target packet, the target packet is sent to the target client gateway, so that data transmission from the cloud computing node to the target client gateway is completed.
According to the message processing method, the virtual switch of the cloud computing node encrypts the data packet according to IPSec SA information sent to it in advance by the IPSec VPN gateway and sends the encrypted data packet to the IPSec VPN gateway, and the IPSec VPN gateway fills the encrypted data packet with message information, encapsulates it into a complete target message and sends the target message to the target client gateway. The computing resources of all the computing nodes are thereby fully utilized, the IPSec VPN gateway no longer needs to perform encryption processing, the performance bottleneck of the IPSec VPN gateway in a scenario with a large number of virtual switches is resolved, and the transmission of messages is ensured.
On the basis of the above embodiment, when the IPSec VPN gateway establishes an encrypted connection with the virtual switch and sends the IPSec SA information through it, several cloud computing nodes may be connected to the IPSec VPN gateway, so the IPSec VPN gateway may send the IPSec SA information to the virtual switches of all connected cloud computing nodes, or only to the virtual switch of a cloud computing node that actually needs to transmit packets to the target client gateway. Specifically, as shown in fig. 3, establishing the encrypted connection with the virtual switch and sending the IPSec SA information through it may include:
S301, receiving a data packet to be encrypted sent by the virtual switch, encrypting and encapsulating it into a complete target message according to the IPSec SA information, and sending the complete target message to the target client gateway.
In this embodiment, after the IPSec VPN gateway obtains the IPSec SA information, it may send the IPSec SA information to virtual switches according to their transmission requirements, so it first has to determine which virtual switches need to transmit data packets to the target client gateway. When the IPSec VPN gateway receives, from any virtual switch, a data packet to be encrypted that is destined for the target client gateway, it first determines according to the encryption policy in the IPSec SA information whether the packet needs to be encrypted; if so, that virtual switch is known to need to transmit data packets to the target client gateway. At this point the IPSec VPN gateway itself still takes responsibility for the encryption processing: it encrypts the data packet according to the IPSec SA information, encapsulates it into a complete target message, and sends it to the target client gateway (see the above embodiment).
Optionally, the virtual switch may encapsulate the data packet to be encrypted by VXLAN (Virtual Extensible Local Area Network) and then send the encapsulated packet to the IPSec VPN gateway; after receiving it, the IPSec VPN gateway first removes the VXLAN encapsulation, then encrypts the data packet according to the IPSec SA information, encapsulates it into a complete target message, and sends the target message to the target client gateway.
S302, querying the virtual switch information based on the data packet to be encrypted.
In this embodiment, the virtual switch information may include computing node information of the virtual switch, and the IPSec VPN gateway may query the VPC controller for computing node information of the virtual switch that sends the data packet to be encrypted, where the VPC controller stores information of each computing node and the virtual switch included therein.
S303, establishing an encrypted connection with the virtual switch according to the virtual switch information, and sending the IPSec SA information to the virtual switch through the encrypted connection.
In this embodiment, the IPSec VPN gateway may establish an encrypted connection with the virtual switch according to the virtual switch information and send the IPSec SA information through it; thereafter the virtual switch takes over the encryption processing according to the IPSec SA information, and the IPSec VPN gateway only needs to fill in the message information and encapsulate the packet into a complete target message, which reduces the load on the IPSec VPN gateway.
On the basis of any of the above embodiments, the virtual switch may encapsulate the encrypted data packet after encryption, optionally with VXLAN, look up the VPC routing table and send the encrypted data packet to the IPSec VPN gateway; after receiving the encrypted data packet, the IPSec VPN gateway first removes the VXLAN encapsulation and then fills the encrypted data packet with the message information. Further, where the virtual switch adds an identifier to the encrypted data packet as in the above embodiment, the identifier may be carried in the VXLAN encapsulation format.
On the basis of any of the above embodiments, according to one mechanism of the IPSec protocol, IPSec SA information expires once it has been used to encrypt a certain amount of data (i.e., a preset encryption length threshold). Because the same IPSec SA information may be used by different virtual switches to encrypt data, the IPSec VPN gateway cannot tell directly from an encrypted data packet how much data the virtual switches have already encrypted with the IPSec SA information. Therefore, in this embodiment, after encrypting a data packet to be sent with the IPSec SA information, the virtual switch may add to the encrypted data packet the length of the data packet to be sent (i.e., the length of the encrypted data), and may also add identification information of the IPSec SA information (different IPSec SA information may have different preset encryption length thresholds). After receiving the encrypted data packet sent by the virtual switch, the IPSec VPN gateway can then directly identify the IPSec SA information used, accumulate the carried length of the encrypted data into the total length of data encrypted with that IPSec SA information, and compare the accumulated length with the preset encryption length threshold corresponding to the IPSec SA information; if the accumulated length exceeds the preset encryption length threshold, the IPSec SA information has expired, and the IPSec VPN gateway renegotiates with the target client gateway to determine updated IPSec SA information.
Optionally, the length of the encrypted data carried in the encrypted data packet and the identification information of the IPSec SA information may also be carried in the VXLAN encapsulation format.
Based on any of the above embodiments, according to another mechanism of the IPSec protocol, the IPSec SA information, and in particular the key in it, has a certain lifetime; after the lifetime is exceeded, the IPSec SA information expires and the IPSec VPN gateway needs to renegotiate with the target client gateway to update it. If the IPSec VPN gateway determines that the IPSec SA information has been updated, it sends the updated IPSec SA information to the virtual switch through the encrypted connection. In addition, the IPSec SA information may also be destroyed, for example when the IPSec VPN gateway and the target client gateway disconnect; if the IPSec VPN gateway determines that the IPSec SA information has been destroyed, it sends an instruction to delete the IPSec SA information to the virtual switch through the encrypted connection, so that the virtual switch deletes the stored IPSec SA information.
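As an added illustration that is not part of the disclosure, the following Go program models the split described in S201 to S203, the identifier of the optional embodiment, the gateway-side fallback of S301 and the accumulated-length check above. It assumes an ESP cipher suite of AES-CBC with a separate HMAC integrity key kept by the gateway (so the switch can encrypt without knowing the sequence number and the gateway can still compute the ICV after inserting it), and a constructed switch-to-gateway tag in place of the VXLAN fields; all keys and payloads are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA is the IPSec SA information negotiated with the target client gateway and pushed to the switches.
type SA struct {
	SPI       uint32 // also used as the SA identification that the switch reports
	EncKey    []byte // ESP encryption key handed to the virtual switch
	AuthKey   []byte // ESP integrity key; assumed (not stated on the page) to stay on the gateway
	ByteLimit uint64 // preset encryption length threshold for this SA
	seq       uint32 // gateway-side: last ESP sequence number issued
	used      uint64 // gateway-side: encrypted bytes accumulated from the lengths switches report
}

// Constructed switch-to-gateway tag, standing in for the VXLAN option fields (in deployment the tag
// lives in the encapsulation header, not in the payload): flag (1) | SA id (4) | length (4) | IV+ciphertext.
const flagEncrypted byte = 0x01

// cbcEncrypt is AES-CBC with a random IV and PKCS#7 padding, the part of ESP that needs no sequence number.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// SwitchEncrypt is the virtual switch side (S402/S403): encrypt under the SA key, then tag the
// packet with the identifier, the SA id and the encrypted length.
func SwitchEncrypt(sa *SA, plaintext []byte) ([]byte, error) {
	ct, err := cbcEncrypt(sa.EncKey, plaintext)
	if err != nil {
		return nil, err
	}
	hdr := binary.BigEndian.AppendUint32([]byte{flagEncrypted}, sa.SPI)
	hdr = binary.BigEndian.AppendUint32(hdr, uint32(len(ct)))
	return append(hdr, ct...), nil
}

// Gateway maps SPI to the installed SA record, which carries the per-SA counters.
type Gateway map[uint32]*SA

// Process is the gateway side (S201-S203, S301): skip encryption when the identifier is present,
// otherwise encrypt under policySPI (the SA the gateway's own policy check selected); then add SPI,
// sequence number and ICV. renegotiate is true once the SA's accumulated length exceeds its threshold.
func (g Gateway) Process(pkt []byte, policySPI uint32) (esp []byte, renegotiate bool, err error) {
	tagged := len(pkt) >= 9 && pkt[0] == flagEncrypted
	spi, body := policySPI, pkt
	if tagged {
		spi, body = binary.BigEndian.Uint32(pkt[1:5]), pkt[9:]
		if uint32(len(body)) != binary.BigEndian.Uint32(pkt[5:9]) {
			return nil, false, errors.New("reported encrypted length mismatch")
		}
	}
	sa, ok := g[spi]
	if !ok {
		return nil, false, errors.New("unknown SA")
	}
	if !tagged { // no identifier: the gateway encrypts itself, as for the first packet (S301)
		if body, err = cbcEncrypt(sa.EncKey, pkt); err != nil {
			return nil, false, err
		}
	}
	sa.used += uint64(len(body))
	sa.seq++
	esp = binary.BigEndian.AppendUint32(nil, spi)    // ESP header: SPI
	esp = binary.BigEndian.AppendUint32(esp, sa.seq) // ESP header: sequence number
	esp = append(esp, body...)
	mac := hmac.New(sha256.New, sa.AuthKey)
	mac.Write(esp)
	esp = append(esp, mac.Sum(nil)[:16]...) // trailer: HMAC-SHA-256-128 ICV over header and body
	return esp, sa.used > sa.ByteLimit, nil
}

func main() {
	sa := &SA{SPI: 0x1001, EncKey: bytes.Repeat([]byte{0x11}, 16), AuthKey: bytes.Repeat([]byte{0x22}, 32), ByteLimit: 64}
	pkt, _ := SwitchEncrypt(sa, []byte("constructed VM payload"))
	esp, reneg, err := Gateway{sa.SPI: sa}.Process(pkt, sa.SPI)
	fmt.Println(len(esp), reneg, err)
}
```

Process rejects a tag whose reported length disagrees with the ciphertext it carries, so a switch cannot under-report the bytes charged against the SA threshold.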
Referring to fig. 4, fig. 4 is a flow chart illustrating a message processing method according to an embodiment of the disclosure. The method of the embodiment can be applied to a virtual switch of a cloud computing node, and the message processing method comprises the following steps:
S401, receiving a data packet to be sent, transmitted by a virtual machine of the cloud computing node.
In this embodiment, when a virtual machine of a certain VPC of a cloud computing node needs to send a data packet to a target client gateway, the data packet to be sent is sent to a virtual switch of the cloud computing node.
S402, judging according to the encryption policy in the IPSec SA information whether the data packet to be sent needs encryption, and if so, encrypting the data packet to be sent according to the key in the IPSec SA information to obtain an encrypted data packet, where the IPSec SA information was sent to the virtual switch in advance by the IPSec VPN gateway.
In this embodiment, the IPSec VPN gateway performs negotiation with the target client gateway in advance, determines IPSec SA information, and sends the IPSec SA information to a virtual switch of a cloud computing node connected to the IPSec VPN gateway. Optionally, an encrypted connection may be established between the virtual switch and the IPSec VPN gateway, and IPSec SA information sent by the VPN gateway may be received through the encrypted connection.
When the virtual switch needs to send a data packet to a target client gateway, it checks the packet against the encryption policy in the IPSec SA information to judge whether the data packet needs to be encrypted; if so, the data packet is encrypted according to the key in the IPSec SA information to obtain an encrypted data packet, specifically by ESP-encrypting the data packet with the key in the IPSec SA information.
S403, sending the encrypted data packet to the IPSec VPN gateway, so that the IPSec VPN gateway fills message information into the encrypted data packet, encapsulates it into a complete target message and sends the complete target message to a target client gateway.
In this embodiment, the virtual switch sends the encrypted data packet to the IPSec VPN gateway, and the IPSec VPN gateway may execute the method embodiment on the IPSec VPN gateway side described above, which is not described herein again.
On the basis of the above embodiment, optionally, the virtual switch may add an identifier to an encrypted data packet encrypted according to the IPSec SA information, indicating that the data packet has been encrypted according to the IPSec SA information; after receiving the data packet, the IPSec VPN gateway determines that the data packet has been encrypted according to the IPSec SA information if it recognizes that the packet carries the identifier, and may skip the encryption process.
On the basis of any of the above embodiments, after the virtual switch encrypts the data packet to be sent with the IPSec SA information, it may add the length of the data packet to be sent (i.e., the length of the encrypted data) to the encrypted data packet, and may also add the identification information of the IPSec SA information (for example the number or the name of the IPSec SA information). After receiving the encrypted data packet sent by the virtual switch, the IPSec VPN gateway can then accumulate the length of the encrypted data carried in each encrypted data packet encrypted with the IPSec SA information to obtain the accumulated length of the encrypted data, and compare the accumulated length with the preset encryption length threshold corresponding to the IPSec SA information; if the accumulated length exceeds the preset encryption length threshold, the IPSec SA information has expired, and the IPSec VPN gateway performs the negotiation process with the target client gateway again to determine updated IPSec SA information.
Optionally, the virtual switch may encapsulate the encrypted data packet after encryption, optionally with VXLAN, and then send it to the IPSec VPN gateway; the IPSec VPN gateway first removes the VXLAN encapsulation after receiving the encrypted data packet and then fills it with the message information. Further, where the virtual switch adds an identifier to the encrypted data packet as in the above embodiment, the identifier may be carried in the VXLAN encapsulation format.
Optionally, the virtual switch may also update or delete IPSec SA information, which specifically includes the following steps:
receiving updated IPSec SA information sent by the IPSec VPN gateway through the encrypted connection, and replacing the current IPSec SA information with the updated IPSec SA information; or
receiving an instruction to delete the IPSec SA information sent by the IPSec VPN gateway through the encrypted connection, and deleting the current IPSec SA information.
According to the message processing method, the virtual switch of the cloud computing node encrypts the data packet according to IPSec SA information sent to it in advance by the IPSec VPN gateway and sends the encrypted data packet to the IPSec VPN gateway, and the IPSec VPN gateway fills the encrypted data packet with message information, encapsulates it into a complete target message and sends the target message to the target client gateway. The computing resources of all the computing nodes are thereby fully utilized, the IPSec VPN gateway no longer needs to perform encryption processing, the performance bottleneck of the IPSec VPN gateway in a scenario with a large number of virtual switches is resolved, and the transmission of messages is ensured.
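The switch-side handling of the encryption policy (S402), the update push and the delete instruction, as an added Go example that is not part of the disclosure. It uses the page's example policy (192.168.1.0/24 → 172.16.1.0/24 encrypted under key K1); the SA id, the key bytes and the packet addresses are constructed samples, and a switch without installed SA information forwards every packet unencrypted so that the gateway encrypts it itself.

```go
package main

import (
	"fmt"
	"net/netip"
	"sync"
)

// Policy is one line of the encryption policy in the SA information: traffic from
// Src to Dst is to be encrypted under the SA identified by SAID.
type Policy struct {
	Src, Dst netip.Prefix
	SAID     uint32
}

// SAInfo is what the gateway pushes over the encrypted connection: the policy
// lines plus the key for each SA id (key material used here is constructed).
type SAInfo struct {
	Policies []Policy
	Keys     map[uint32][]byte
}

// SwitchSAStore is the virtual switch's copy of the SA information. A nil
// info means no SA is installed (never received, or deleted on instruction).
type SwitchSAStore struct {
	mu   sync.RWMutex
	info *SAInfo
}

// Install handles the initial push and later updates from the gateway.
func (s *SwitchSAStore) Install(info *SAInfo) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.info = info
}

// Delete handles the gateway's delete instruction; afterwards every packet is
// forwarded to the gateway unencrypted and the gateway encrypts it itself.
func (s *SwitchSAStore) Delete() { s.Install(nil) }

// Lookup applies the encryption policy to a packet's addresses: it returns the
// SA id and key to encrypt with, or ok=false when the packet is to be sent to
// the gateway as-is. A policy line whose key is missing also yields ok=false.
func (s *SwitchSAStore) Lookup(src, dst netip.Addr) (said uint32, key []byte, ok bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.info == nil {
		return 0, nil, false
	}
	for _, p := range s.info.Policies {
		if p.Src.Contains(src) && p.Dst.Contains(dst) {
			key, ok = s.info.Keys[p.SAID]
			return p.SAID, key, ok
		}
	}
	return 0, nil, false
}

func main() {
	store := &SwitchSAStore{}
	store.Install(&SAInfo{ // the page's example policy: 192.168.1.0/24 -> 172.16.1.0/24 uses key K1
		Policies: []Policy{{Src: netip.MustParsePrefix("192.168.1.0/24"), Dst: netip.MustParsePrefix("172.16.1.0/24"), SAID: 1}},
		Keys:     map[uint32][]byte{1: []byte("K1 (constructed placeholder)")},
	})
	said, _, ok := store.Lookup(netip.MustParseAddr("192.168.1.10"), netip.MustParseAddr("172.16.1.20"))
	fmt.Println("encrypt:", ok, "SA:", said)
}
```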
Referring to fig. 5, fig. 5 is a signaling diagram of a message processing method according to an embodiment of the disclosure. Based on the above embodiment, the method for processing a message includes:
S501, the IPSec VPN gateway negotiates with a target client gateway to determine IPSec SA information;
S502, a virtual machine of a VPC of a cloud computing node sends a first data packet to be sent to a virtual switch of the cloud computing node;
S503, the virtual switch encapsulates the first data packet to be sent and then sends it to the IPSec VPN gateway;
Optionally, the virtual switch performs VXLAN encapsulation on the first data packet to be sent (not encrypted), queries the VPC routing table, and sends the data packet to the IPSec VPN gateway;
S504, the IPSec VPN gateway encrypts the first data packet to be sent according to the IPSec SA information and encapsulates it into a complete first target message;
Optionally, if the virtual switch performed VXLAN encapsulation on the first data packet to be sent, the IPSec VPN gateway first removes the VXLAN encapsulation after receiving the packet, and then encrypts and encapsulates the first data packet to be sent into a complete target message according to the IPSec SA information;
S505, the IPSec VPN gateway queries the VPC controller for the information of the computing node where the virtual switch that sent the data packet to be sent is located;
S506, the VPC controller sends the computing node information to the IPSec VPN gateway;
S507, an encrypted connection is established between the IPSec VPN gateway and the virtual switch, and the IPSec SA information is sent to the virtual switch through the encrypted connection;
S508, the virtual machine of the VPC of the cloud computing node sends a second data packet to be sent to the virtual switch;
The second data packet to be sent here is a data packet sent after the first data packet to be sent of step S502;
S509, the virtual switch encrypts the second data packet to be sent according to the IPSec SA information to obtain an encrypted data packet, and sends the encrypted data packet to the IPSec VPN gateway;
Optionally, the virtual switch encapsulates the encrypted data packet by VXLAN and sends the encapsulated encrypted data packet to the IPSec VPN gateway;
S510, the IPSec VPN gateway fills message information into the encrypted data packet and encapsulates it into a complete target message;
S511, the IPSec VPN gateway sends the target message to the target client gateway;
Optionally, S512, the IPSec SA information between the IPSec VPN gateway and the target client gateway is updated or destroyed;
S513, the IPSec VPN gateway queries the VPC controller for the computing node information of the virtual switch;
S514, the VPC controller sends the computing node information to the IPSec VPN gateway;
S515, the IPSec VPN gateway establishes an encrypted connection with the virtual switch and updates or destroys the IPSec SA information in the virtual switch.
Corresponding to the message processing method of the IPSec VPN gateway side in the above embodiment, fig. 6 is a block diagram of a message processing apparatus provided in the embodiment of the present disclosure, which is applied to a cloud IPSec VPN gateway. For ease of illustration, only portions relevant to embodiments of the present disclosure are shown. Referring to fig. 6, the message processing apparatus 600 includes a receiving unit 601, a processing unit 602, and a transmitting unit 603.
The receiving unit 601 is configured to receive an encrypted data packet sent by a virtual switch of a cloud computing node, where the encrypted data packet has been encrypted by the virtual switch according to security association information of the internet security protocol that the virtual private network gateway sent to the virtual switch in advance;
A processing unit 602, configured to populate the encrypted data packet with message information, and encapsulate the encrypted data packet into a complete target message;
The sending unit 603 is configured to send the target message to a target client gateway.
In one or more embodiments of the present disclosure, before receiving the encrypted data packet sent by the virtual switch of the cloud computing node, the processing unit 602 is further configured to perform a negotiation procedure with the target client gateway to determine the security association information;
the sending unit 603 is further configured to establish an encrypted connection with the virtual switch, and send the security association information to the virtual switch through the encrypted connection.
In one or more embodiments of the present disclosure, the sending unit 603 is further configured to receive a data packet to be encrypted sent by the virtual switch;
the processing unit 602 is further configured to encrypt and encapsulate the data packet to be encrypted according to the security association information into a complete target packet;
The processing unit 602 is further configured to query the virtual switch information based on the data packet to be encrypted;
The sending unit 603 is further configured to establish an encrypted connection with the virtual switch according to the virtual switch information, and send the security association information to the virtual switch through the encrypted connection.
In one or more embodiments of the present disclosure, the encrypted data packet carries an identifier, where the identifier is added by the virtual switch, and is used to indicate that the data packet is encrypted according to the security association information;
the processing unit 602 is configured to, when filling the encrypted data packet with the packet information and encapsulating the encrypted data packet into a complete target packet:
if the encrypted data packet is identified as carrying the identifier, skipping encryption processing, adding ESP (Encapsulating Security Payload) header information and trailer information to the encrypted data packet, and encapsulating it into a complete target message.
In one or more embodiments of the present disclosure, the encrypted data packet carries a length of encrypted data and identification information of the security association information;
The processing unit 602 is further configured to, before filling the encrypted data packet with the packet information and encapsulating the encrypted data packet into the complete target packet:
accumulating the length of the encrypted data carried in each encrypted data packet encrypted with the security association information to obtain the accumulated length of the encrypted data;
comparing the accumulated length of the encrypted data with a preset encryption length threshold corresponding to the security association information;
if the accumulated length of the encrypted data exceeds the preset encryption length threshold corresponding to the security association information, carrying out the negotiation process with the target client gateway again and determining updated security association information.
In one or more embodiments of the present disclosure, the encrypted data packet is encapsulated by the virtual switch after encryption;
the processing unit 602 is further configured to, before filling the encrypted data packet with the message information:
decapsulating the encrypted data packet.
In one or more embodiments of the present disclosure, the sending unit 603 is further configured to:
if the security association information is determined to be updated, sending the updated security association information to the virtual switch through the encrypted connection; or
if the security association information is determined to be destroyed, sending an instruction to delete the security association information to the virtual switch through the encrypted connection.
The device provided in this embodiment may be used to execute the technical solution of the foregoing embodiment of the packet processing method on the IPSec VPN gateway side, and its implementation principle and technical effects are similar, which is not described herein again.
Fig. 7 is a block diagram of a message processing device provided by an embodiment of the present disclosure, which is applied to a virtual switch of a cloud computing node. For ease of illustration, only portions relevant to embodiments of the present disclosure are shown. Referring to fig. 7, the message processing apparatus 700 includes a receiving unit 701, a processing unit 702, and a transmitting unit 703.
The receiving unit 701 is configured to receive a data packet to be sent, which is sent by a virtual machine of a cloud computing node;
The processing unit 702 is configured to determine, according to an encryption policy in security association information of the internet security protocol, whether the data packet to be sent needs to be encrypted, and if so, to encrypt the data packet to be sent according to a key in the security association information to obtain an encrypted data packet, where the security association information was sent in advance by the cloud's virtual private network gateway based on the internet security protocol;
The sending unit 703 is configured to send the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills message information into the encrypted data packet, encapsulates it into a complete target message, and sends the target message to a target client gateway.
In one or more embodiments of the present disclosure, the receiving unit 701 is further configured to:
establish an encrypted connection with the virtual private network gateway, and receive the security association information sent by the virtual private network gateway through the encrypted connection.
In one or more embodiments of the present disclosure, the processing unit 702 is further configured to, after encrypting the data packet to be sent according to the key in the security association information to obtain the encrypted data packet:
add an identifier to the encrypted data packet, the identifier indicating that the data packet has been encrypted according to the security association information; and/or
add the length of the encrypted data and the identification information of the security association information to the encrypted data packet; and/or
encapsulate the encrypted data packet.
In one or more embodiments of the present disclosure, the receiving unit 701 is further configured to receive updated security association information sent by the virtual private network gateway through the encrypted connection,
and the processing unit 702 is further configured to update the current security association information to the updated security association information; or
the receiving unit 701 is further configured to receive, through the encrypted connection, an instruction to delete the security association information sent by the virtual private network gateway,
and the processing unit 702 is further configured to delete the current security association information.
The apparatus provided in this embodiment may be used to execute the technical solution of the embodiment of the message processing method on the virtual switch side; its implementation principle and technical effects are similar and are not repeated here.
Referring to Fig. 8, there is shown a schematic structural diagram of an electronic device 800 suitable for implementing embodiments of the present disclosure; the electronic device 800 may be a terminal device or a server. The terminal device may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a Personal Digital Assistant (PDA), a tablet computer (PAD), a Portable Multimedia Player (PMP) or a vehicle-mounted terminal (e.g., a car navigation terminal), and a fixed terminal such as a digital TV or a desktop computer. The electronic device shown in Fig. 8 is merely an example and should not be construed as limiting the functionality and scope of use of the disclosed embodiments.
As shown in Fig. 8, the electronic device 800 may include a processing device (e.g., a central processor, a graphics processor, etc.) 801 that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage device 808 into a Random Access Memory (RAM) 803. The RAM 803 also stores various programs and data required for the operation of the electronic device 800. The processing device 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
In general, the following devices may be connected to the I/O interface 805: an input device 806 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer or gyroscope; an output device 807 including, for example, a Liquid Crystal Display (LCD), speaker or vibrator; a storage device 808 including, for example, magnetic tape or a hard disk; and a communication device 809. The communication device 809 may allow the electronic device 800 to communicate wirelessly or by wire with other devices to exchange data. While Fig. 8 shows an electronic device 800 having various devices, it is to be understood that not all of the illustrated devices are required to be implemented or provided; more or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 809, or installed from the storage device 808, or installed from the ROM 802. When the computer program is executed by the processing device 801, the above-described functions defined in the message processing method on the IPSec VPN gateway side or the virtual switch side of the embodiments of the present disclosure are performed.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to electrical wiring, fiber optic cable, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be included in the electronic device or may exist alone without being incorporated into the electronic device.
The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the methods shown in the above-described embodiments.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (e.g., through the internet using an internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The name of the unit does not in any way constitute a limitation of the unit itself, for example the first acquisition unit may also be described as "unit acquiring at least two internet protocol addresses".
The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems-on-a-Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In a first aspect, according to one or more embodiments of the present disclosure, there is provided a message processing method, the method including:
receiving an encrypted data packet sent by a virtual switch of a cloud computing node, wherein the encrypted data packet is encrypted by the virtual switch according to security association information of an internet security protocol;
filling message information into the encrypted data packet, and encapsulating the encrypted data packet into a complete target message;
and sending the target message to a target client gateway.
According to one or more embodiments of the present disclosure, before receiving the encrypted data packet sent by the virtual switch of the cloud computing node, the method further includes:
carrying out a negotiation process with the target client gateway to determine the security association information;
establishing an encrypted connection with the virtual switch, and sending the security association information to the virtual switch through the encrypted connection.
According to one or more embodiments of the present disclosure, establishing the encrypted connection with the virtual switch and sending the security association information to the virtual switch through the encrypted connection includes:
receiving a data packet to be encrypted sent by the virtual switch, encrypting the data packet to be encrypted and encapsulating it into a complete target message according to the security association information, and sending the target message to the target client gateway;
querying virtual switch information based on the data packet to be encrypted;
and establishing the encrypted connection with the virtual switch according to the virtual switch information, and sending the security association information to the virtual switch through the encrypted connection.
According to one or more embodiments of the present disclosure, the encrypted data packet carries an identifier, where the identifier is added by the virtual switch and is used to indicate that the data packet has been encrypted according to the security association information;
filling the message information into the encrypted data packet and encapsulating it into the complete target message includes:
if the encrypted data packet is identified as carrying the identifier, skipping the encryption processing, adding the header information and trailer information of the Encapsulating Security Payload to the encrypted data packet, and encapsulating it into the complete target message.
According to one or more embodiments of the present disclosure, the encrypted data packet carries the length of the encrypted data and the identification information of the security association information;
and before the message information is filled into the encrypted data packet and the encrypted data packet is encapsulated into the complete target message, the method further includes:
accumulating the lengths of the encrypted data carried in the encrypted data packets encrypted according to the security association information to obtain an accumulated length of the encrypted data;
comparing the accumulated length of the encrypted data with a preset encryption length threshold corresponding to the security association information;
if the accumulated length of the encrypted data exceeds the preset encryption length threshold corresponding to the security association information, carrying out the negotiation process with the target client gateway again to determine updated security association information.
According to one or more embodiments of the present disclosure, the encrypted data packet is encapsulated by the virtual switch after encryption;
and before the message information is filled into the encrypted data packet, the method further includes:
decapsulating the encrypted data packet.
According to one or more embodiments of the present disclosure, the method further includes:
if it is determined that the security association information has been updated, sending the updated security association information to the virtual switch through the encrypted connection; or
if the security association information has been destroyed, sending an instruction to delete the security association information to the virtual switch through the encrypted connection.
In a second aspect, according to one or more embodiments of the present disclosure, there is provided a message processing method, the method including:
determining, according to an encryption policy in security association information of an internet security protocol, whether a data packet to be sent needs to be encrypted, and, if the data packet to be sent needs to be encrypted, encrypting the data packet to be sent according to a key in the security association information to obtain an encrypted data packet, wherein the security association information is sent in advance by a cloud virtual private network gateway based on the internet security protocol;
and sending the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills message information into the encrypted data packet, encapsulates the encrypted data packet into a complete target message, and sends the complete target message to a target client gateway.
According to one or more embodiments of the present disclosure, the method further includes:
establishing an encrypted connection with the virtual private network gateway, and receiving the security association information sent by the virtual private network gateway through the encrypted connection.
According to one or more embodiments of the present disclosure, after encrypting the data packet to be sent according to the key in the security association information to obtain the encrypted data packet, the method further includes:
adding an identifier to the encrypted data packet, the identifier indicating that the data packet has been encrypted according to the security association information; and/or
adding the length of the encrypted data and the identification information of the security association information to the encrypted data packet; and/or
encapsulating the encrypted data packet.
According to one or more embodiments of the present disclosure, the method further includes:
receiving updated security association information sent by the virtual private network gateway through the encrypted connection, and updating the current security association information to the updated security association information; or
receiving an instruction to delete the security association information sent by the virtual private network gateway through the encrypted connection, and deleting the current security association information.
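The first and second aspects above (and the apparatus of Figs. 6 and 7) split ESP processing between the virtual switch, which encrypts under the SA key and tags the packet, and the cloud IPSec VPN gateway, which recognises the tag, skips encryption, accounts encrypted bytes per SA against the rekey threshold, and adds the ESP header and trailer. The following Python model is an added example, not code from the disclosure: the identifier layout, the SA fields, the destination-set policy form, the SHA-256 toy cipher and the ESP field sizes are assumptions for illustration, and the IKE negotiation itself is not modelled.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed 2-byte identifier the virtual switch prepends to mean "already
# encrypted under this SA"; the disclosure leaves the identifier format open.
ENCRYPTED_TAG = b"\xab\xcd"
TAG_HDR = struct.Struct(">2sIH8s")  # identifier | SPI | encrypted length | nonce
ESP_HDR = struct.Struct(">II8s")    # SPI | sequence number | IV
ICV_LEN = 16
NEXT_HEADER_IPV4 = 4


@dataclass
class SecurityAssociation:
    spi: int                  # identification information of the SA
    enc_key: bytes
    auth_key: bytes
    byte_threshold: int       # preset encryption length threshold (assumed in bytes)
    protected_dst: set        # assumed policy form: destinations requiring encryption
    encrypted_bytes: int = 0  # accumulated length of encrypted data under this SA
    seq: int = 0              # outbound ESP sequence number


def toy_stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR keystream derived from SHA-256: a stand-in for the SA's
    ESP cipher so the example runs offline, not a real ESP transform."""
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def vswitch_send(sa: SecurityAssociation, dst: str, payload: bytes, nonce: bytes) -> bytes:
    """Second aspect (virtual switch): apply the SA's encryption policy; when the
    packet needs encryption, encrypt it with the SA key and prepend the
    identifier, the SA identification and the encrypted length."""
    if dst not in sa.protected_dst:
        return payload  # not covered by the policy: passed to the gateway in clear
    ciphertext = toy_stream_xor(sa.enc_key, nonce, payload)
    return TAG_HDR.pack(ENCRYPTED_TAG, sa.spi, len(ciphertext), nonce) + ciphertext


def build_esp(sa: SecurityAssociation, iv: bytes, ciphertext: bytes) -> bytes:
    """Add the ESP header (SPI, sequence number, IV), the ESP trailer (padding,
    pad length, next header) and an HMAC-SHA256 ICV truncated to 16 bytes.
    The trailer is appended after encryption here, so unlike RFC 4303 it is not
    inside the encrypted portion; the ICV still covers it."""
    sa.seq += 1
    pad_len = (-(len(ciphertext) + 2)) % 4
    body = (ESP_HDR.pack(sa.spi, sa.seq, iv) + ciphertext
            + bytes(pad_len) + bytes([pad_len, NEXT_HEADER_IPV4]))
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def gateway_process(sa: SecurityAssociation, inbound: bytes, fallback_nonce: bytes):
    """First aspect (cloud IPSec VPN gateway): with the identifier present, check
    it against the current SA and skip encryption; otherwise encrypt here. Then
    accumulate the encrypted length and compare it with the SA's threshold.
    Returns (esp_packet, rekey_needed)."""
    if inbound[:2] == ENCRYPTED_TAG and len(inbound) >= TAG_HDR.size:
        _, spi, enc_len, nonce = TAG_HDR.unpack_from(inbound)
        ciphertext = inbound[TAG_HDR.size:]
        if spi != sa.spi or enc_len != len(ciphertext):
            raise ValueError("identifier does not match the current SA")
    else:
        nonce = fallback_nonce
        ciphertext = toy_stream_xor(sa.enc_key, nonce, inbound)
    sa.encrypted_bytes += len(ciphertext)
    rekey_needed = sa.encrypted_bytes > sa.byte_threshold
    return build_esp(sa, nonce, ciphertext), rekey_needed


def renegotiate(old: SecurityAssociation, spi: int, enc_key: bytes, auth_key: bytes):
    """Outcome of re-running the negotiation with the client gateway (IKE itself
    is not modelled): a fresh SA with the accumulated length reset, which the
    gateway then sends to the virtual switch over the encrypted connection."""
    return SecurityAssociation(spi, enc_key, auth_key, old.byte_threshold, old.protected_dst)


def client_gateway_receive(sa: SecurityAssociation, esp_packet: bytes) -> bytes:
    """Target client gateway: verify the ICV, strip header and trailer, decrypt."""
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    spi, _seq, iv = ESP_HDR.unpack_from(body)
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    pad_len = body[-2]
    ciphertext = body[ESP_HDR.size:len(body) - 2 - pad_len]
    return toy_stream_xor(sa.enc_key, iv, ciphertext)
```

Feeding the same SA three 13-byte packets with a 30-byte threshold shows the third one returning `rekey_needed=True`, after which `renegotiate` yields the SA the gateway would push to the virtual switch as the "updated security association information".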
In a third aspect, according to one or more embodiments of the present disclosure, there is provided a message processing apparatus, including:
a receiving unit, configured to receive an encrypted data packet sent by a virtual switch of a cloud computing node, wherein the encrypted data packet is encrypted by the virtual switch according to security association information of an internet security protocol;
a processing unit, configured to fill message information into the encrypted data packet and encapsulate the encrypted data packet into a complete target message;
and a sending unit, configured to send the target message to a target client gateway.
According to one or more embodiments of the present disclosure, before the encrypted data packet sent by the virtual switch of the cloud computing node is received, the processing unit is further configured to carry out a negotiation process with the target client gateway to determine the security association information;
and the sending unit is further configured to establish an encrypted connection with the virtual switch, and send the security association information to the virtual switch through the encrypted connection.
According to one or more embodiments of the present disclosure, the sending unit is further configured to receive a data packet to be encrypted sent by the virtual switch;
the processing unit is further configured to encrypt the data packet to be encrypted and encapsulate it into a complete target message according to the security association information;
the processing unit is further configured to query virtual switch information based on the data packet to be encrypted;
and the sending unit is further configured to establish the encrypted connection with the virtual switch according to the virtual switch information, and send the security association information to the virtual switch through the encrypted connection.
According to one or more embodiments of the present disclosure, the encrypted data packet carries an identifier, where the identifier is added by the virtual switch and is used to indicate that the data packet has been encrypted according to the security association information;
when filling the message information into the encrypted data packet and encapsulating it into the complete target message, the processing unit is configured to:
if the encrypted data packet is identified as carrying the identifier, skip the encryption processing, add the header information and trailer information of the Encapsulating Security Payload to the encrypted data packet, and encapsulate it into the complete target message.
According to one or more embodiments of the present disclosure, the encrypted data packet carries the length of the encrypted data and the identification information of the security association information;
and the processing unit is further configured to, before filling the message information into the encrypted data packet and encapsulating the encrypted data packet into the complete target message:
accumulate the lengths of the encrypted data carried in the encrypted data packets encrypted according to the security association information to obtain an accumulated length of the encrypted data;
compare the accumulated length of the encrypted data with a preset encryption length threshold corresponding to the security association information;
and, if the accumulated length of the encrypted data exceeds the preset encryption length threshold corresponding to the security association information, carry out the negotiation process with the target client gateway again to determine updated security association information.
According to one or more embodiments of the present disclosure, the encrypted data packet is encapsulated by the virtual switch after encryption;
and the processing unit is further configured to, before filling the message information into the encrypted data packet:
decapsulate the encrypted data packet.
According to one or more embodiments of the present disclosure, the sending unit is further configured to:
if it is determined that the security association information has been updated, send the updated security association information to the virtual switch through the encrypted connection; or
if the security association information has been destroyed, send an instruction to delete the security association information to the virtual switch through the encrypted connection.
In a fourth aspect, according to one or more embodiments of the present disclosure, there is provided a message processing apparatus, including:
a receiving unit, configured to receive a data packet to be sent, which is sent by a virtual machine of a cloud computing node;
a processing unit, configured to determine, according to an encryption policy in security association information of an internet security protocol, whether the data packet to be sent needs to be encrypted, and, if the data packet to be sent needs to be encrypted, to encrypt the data packet to be sent according to a key in the security association information to obtain an encrypted data packet, wherein the security association information is sent in advance by a cloud virtual private network gateway based on the internet security protocol;
and a sending unit, configured to send the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills message information into the encrypted data packet, encapsulates the encrypted data packet into a complete target message, and sends the complete target message to a target client gateway.
According to one or more embodiments of the present disclosure, the receiving unit is further configured to:
establish an encrypted connection with the virtual private network gateway, and receive the security association information sent by the virtual private network gateway through the encrypted connection.
According to one or more embodiments of the present disclosure, the processing unit is further configured to, after encrypting the data packet to be sent according to the key in the security association information to obtain the encrypted data packet:
add an identifier to the encrypted data packet, the identifier indicating that the data packet has been encrypted according to the security association information; and/or
add the length of the encrypted data and the identification information of the security association information to the encrypted data packet; and/or
encapsulate the encrypted data packet.
According to one or more embodiments of the present disclosure, the receiving unit is further configured to receive updated security association information sent by the virtual private network gateway through the encrypted connection,
and the processing unit is further configured to update the current security association information to the updated security association information; or
the receiving unit is further configured to receive an instruction to delete the security association information sent by the virtual private network gateway through the encrypted connection,
and the processing unit is further configured to delete the current security association information.
In a fifth aspect, according to one or more embodiments of the present disclosure, there is provided an electronic device comprising at least one processor and a memory;
The memory stores computer-executable instructions;
The at least one processor executes the computer-executable instructions stored by the memory such that the at least one processor performs the message processing method as described above for the first aspect and the various possible designs of the first aspect, or the message processing method as described above for the second aspect and the various possible designs of the second aspect.
In a sixth aspect, according to one or more embodiments of the present disclosure, there is provided a computer readable storage medium having stored therein computer executable instructions which, when executed by a processor, implement the message processing method according to the above first aspect and the various possible designs of the first aspect, or the message processing method according to the second aspect and the various possible designs of the second aspect.
In a seventh aspect, according to one or more embodiments of the present disclosure, there is provided a computer program product comprising computer-executable instructions which, when executed by a processor, implement the message processing method according to the first aspect and the various possible designs of the first aspect, or the message processing method according to the second aspect and the various possible designs of the second aspect.
The foregoing description is only of the preferred embodiments of the present disclosure and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure is not limited to the specific combinations of the features described above, but also covers other embodiments formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure, for example embodiments in which the features described above are replaced with (but not limited to) technical features having similar functions disclosed in the present disclosure.
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.