CN101262405B - High-speed secure virtual private network channel based on network processor and its realization method - Google Patents


Info

Publication number: CN101262405B
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CN2008100273501A
Other languages: Chinese (zh)
Other versions: CN101262405A (en)
Inventors: 刘震宇, 谢胜利, 赖粤
Current assignee: South China University of Technology SCUT
Original assignee: South China University of Technology SCUT


Abstract

The invention provides a high-speed secure VPN system based on a network processor. The VPN channel comprises micro engine clusters, a kernel, at least one SRAM with its memory controller, at least one DRAM with its memory controller, an MSF and a hash unit. The two micro engine clusters are connected in sequence and each consists of eight micro engines connected in sequence; the two micro engine clusters, the kernel, the MSF and the hash unit are each connected to a PCI bus; each SRAM and DRAM is connected to the PCI bus through its own memory controller, and the PCI bus is connected to an administrative system module of the host computer. The invention uses the network processor IXP2850 to realize the VPN functions and effectively shortens the cycle of encrypting, decrypting and verifying payloads by fully utilizing the fast-slow data system formed by the micro engines and the kernel together with a kernel dedicated to encryption and decryption; it is highly integrated with a router and a firewall, thereby effectively relieving the conflict between the security requirement and the data processing rate.

Description

High-speed secure virtual private network system based on a network processor and its implementation method
Technical field
The present invention relates to the field of network information security, and specifically to a high-speed secure virtual private network system based on a network processor and its implementation method.
Background technology
A Virtual Private Network (VPN) relies on an ISP or other network service provider and uses a public network (such as the Internet or frame relay) as the transmission medium; through security techniques such as encryption, authentication and access control it achieves, over an insecure public network, security comparable to that of a dedicated network, thus forming a logically private network. A VPN is a functional network, and users place many requirements on it: some stress the security of data transmission, while others may need a higher transmission rate, so the functional emphasis of different private networks also differs. At present there are two main technologies for realizing a VPN: VPN based on IPsec technology and VPN based on MPLS (Multiprotocol Label Switching) technology.
IPsec is a set of open network security protocols defined by the IPsec working group of the IETF. It operates at the IP layer and provides security protection for the IP layer and the layers above it. IPsec provides security services such as access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality and automatic key management, making communication secure and reliable. The IKE protocol can automatically generate the required SAs, and the lifetime of an SA is very short, which makes decoding more difficult. Defining a security policy is convenient and flexible: it only needs to be edited in a configuration file to take effect. However, the encryption technology used by IPsec causes conflicts between an IPsec VPN system and existing network security mechanisms (such as firewalls), and the encryption and decryption performed during communication introduces a certain delay, which affects the efficiency of network transmission.
The rapid development and application of the Internet makes people continually raise their demands for bandwidth and complex services. Future networks not only need greater bandwidth but must also be able to add new services continually. To adapt to this continuously developing network technology, a new kind of microprocessor, the network processor, has appeared. A network processor is a microprocessor dedicated to network systems; it allows a network system to have both high performance and flexibility. IXA (Internet Exchange Architecture) is the system architecture of the network processor product line developed by Intel for Internet data switching equipment. The IXP2850 is a new-generation IXA network processor and an enhanced version of the IXP2800; on the basis of the IXP2800 it adds two cryptographic function units and can realize various encryption and decryption functions.
Summary of the invention
The object of the invention is to solve the problems of the prior art described above by proposing a high-speed secure virtual private network system based on a network processor. It uses the network processor IXP2850 to realize the VPN function, fully utilizes the fast-slow data system formed by the micro engines (ME) and the kernel (XScale) together with a dedicated encryption and decryption kernel, effectively shortens the cycle of payload encryption, decryption and verification, and can be highly integrated with other modules such as routing and firewalls, thereby effectively relieving the contradiction between security requirements and data processing speed.
The invention also aims to provide an implementation method for the above high-speed secure virtual private network system based on a network processor.
The object of the invention is achieved through the following technical solution. The high-speed secure virtual private network system based on a network processor comprises micro engine clusters, an XScale (kernel), at least one SRAM memory unit (static random access memory) with an SRAM memory controller, at least one DRAM memory unit (dynamic random access memory) with a DRAM memory controller, an MSF (Media Switch Fabric) and a hash unit. The two micro engine clusters are connected in sequence, and each cluster is formed by 8 micro engines connected in sequence. The micro engine clusters, the kernel, the MSF and the hash unit are each connected to the PCI bus; each SRAM memory unit and each DRAM memory unit is connected to the PCI bus through its SRAM or DRAM memory controller, and the PCI bus is connected to the management system module of the host computer.
To better realize the invention, the network processor is an IXP2850.
The micro engines comprise interface micromodule I, a security association micromodule, an encryption and decryption micromodule, a protocol processing micromodule and an IKE micromodule; the kernel comprises an initialization micromodule, interface micromodule II, a supervisor micromodule and an abnormal condition handling micromodule.
The initialization micromodule is connected to each of interface micromodule I, the security association micromodule, the encryption and decryption micromodule, the protocol processing micromodule, the IKE micromodule, interface micromodule II, the supervisor micromodule and the abnormal condition handling micromodule. Interface micromodule I is connected to interface micromodule II, the security association micromodule, the protocol processing micromodule and the IKE micromodule. Interface micromodule II is connected to the supervisor micromodule and the abnormal condition handling micromodule.
The security association micromodule is connected to the protocol processing micromodule, the IKE micromodule, the supervisor micromodule, the encryption and decryption micromodule, the SRAM memory unit and the DRAM memory unit. The protocol processing micromodule is connected to the supervisor micromodule, the IKE micromodule, the encryption and decryption micromodule, the SRAM memory controller and the DRAM memory controller. The supervisor micromodule is connected to the IKE micromodule, the SRAM memory controller, the DRAM memory controller and the management system module of the host computer.
The encryption and decryption micromodule is tightly coupled to the system's encryption and decryption kernel; it supports the DES, 3DES, HMAC-MD5 and HMAC-SHA-1 algorithms and can realize all kinds of high-speed encryption and decryption of data.
The security association micromodule, through data operations on SRAM and DRAM, provides automatic establishment, update, deletion, lookup and filtering of service state and security association data: it performs fast rule matching on the security policy ID (SPID), the Security Policy Database (SPD) and the security association database (SADB), realizes the filtering and matching of the security associations (SA, hereinafter) corresponding to ESP tunnel mode and AH tunnel mode, and supplies the various protocol parameters. To improve processing speed effectively, the security association match filtering uses a hash lookup algorithm to perform the matching search.
The protocol processing micromodule realizes the parsing, removal and encapsulation of packet network protocols: it performs protocol parsing and encapsulation on inbound and outbound data packets, carries out forwarding, and resists replay attacks.
The IKE micromodule realizes the establishment, update and deletion of the associated security parameters between the system and a network peer. According to the service state list of the management system, the IKE micromodule completes the ISAKMP standard aggressive-mode IKE key exchange with a specific VPN server, thereby resisting certain man-in-the-middle attacks. The IKE micromodule runs as 8 parallel threads of the system to improve processing efficiency; the shared memory space is managed through read-write locks to prevent data corruption. The IKE micromodule creates an IKE negotiation state entry in the service state list, recording the exchange state, the various exchange parameters and the memory address pointers of the corresponding resources, and has a timer and a counter; this effectively solves coordinated multithreaded operation and provides a certain degree of anti-replay protection.
The supervisor micromodule realizes the management of the communication and data tables between the ME module, the XScale module and the management system. It uses a bidirectional communication mechanism: (1) it communicates with the management system to realize the service state list, the Security Policy Database, the security association database, manual key administration, log maintenance and function adjustment; (2) it communicates with the micro engine (ME) module to realize abnormal condition handling, time synchronization and the data transfer for preset IKE key exchanges.
The abnormal condition handling micromodule handles abnormal conditions and prevents process congestion.
The initialization micromodule realizes the initialization of each functional module and the establishment of the related data. In the IXP2850 the initialization micromodule (1) loads the code of each functional micromodule; (2) allocates memory resources and initializes the address pointers; (3) initializes each register inside the network processor; (4) places the security associations (SA) in the SRAM memory device.
The implementation method of the above high-speed secure virtual private network system based on a network processor comprises the following steps:
(1) set up the system and perform the initial configuration;
(2) when the network processor receives a legal VPN packet, it reassembles the packet and stores it in the DRAM, and generates a corresponding packet descriptor in the SRAM that records the packet's storage parameters in the DRAM; the storage parameters comprise 15 parameters such as the storage location, receiving port and protocol type; interface micromodule I identifies the receiving port and protocol type and hands the VPN packet to the protocol processing micromodule for processing;
(3) after the protocol processing micromodule receives the signal and packet descriptor passed by the interface routine, it reads the packet header according to the packet descriptor, parses the key fields, and divides packets into three types for processing: inbound packets, outbound packets and IKE packets; the processing of inbound packets comprises ESPi and AHi processing, and the processing of outbound packets comprises ESPo and AHo processing;
(4) interface micromodule II obtains the packet memory address pointer; on one hand, according to the demands of the host computer's management system, it forwards the different types of packets to the abnormal condition handling micromodule or forwards them directly into the network; on the other hand, according to requests from the micro engines, it forwards the different types of packets to the abnormal condition handling micromodule for processing or uploads them through the supervisor micromodule to the host computer management system; interface micromodule II then stores the memory address pointer in the designated memory space for later retrieval;
(5) the abnormal condition handling micromodule responds to requests from the micro engines and handles abnormal conditions: it reads the various packet headers, processes them by category, and delivers the packets for forwarding into the network;
(6) the supervisor micromodule responds to host computer system administration requests by generating IKE requests and sending them to the IKE micromodule of the micro engines; it receives the logs and the various processing signals uploaded by the micro engines and passes them on time to the management system module of the host computer through the protocol communication mechanism; it receives information from the management system, parses the system commands, and carries out active operations such as modifying the security policy and modifying the service state list.
To better realize the method, the initial configuration of step (1) means:
1.1 the programs of interface micromodule I, the security association micromodule, the encryption and decryption micromodule and the protocol processing micromodule are placed in the micro engines;
1.2 interface micromodule II, the supervisor micromodule and the abnormal condition handling micromodule are placed in the kernel;
1.3 each memory unit is initialized, memory space is allocated, and the constructed security association data and service state list are stored in the corresponding memory units, wherein:
1.3.1 a keyword hash computation is performed on the data of the ESP outbound SPD (E1) and a corresponding hash list is built; this list is stored in SRAM, and the address pointer of each SPD entry is either empty or points to an SA bundle in the security association database SADB (E2);
1.3.2 the hash table of the ESP inbound SAID is stored in SRAM and the corresponding SADB (E2) is stored in DRAM; each SAID address pointer points to an SA bundle in the SADB, and each SADB address pointer points to an SPD entry in the SPD (E1);
1.3.3 a keyword hash computation is performed on the data of the AH outbound SPD (A1) and a corresponding hash list is built; this list is stored in SRAM, and the address pointer of each SPD entry is either empty or points to an SA bundle in the SADB (A2);
1.3.4 the hash table of the AH inbound SAID is stored in SRAM and the corresponding SADB (A2) is stored in DRAM; each SAID address pointer points to an SA bundle in the SADB, and each SADB address pointer points to an SPD entry in the SPD (A1);
1.3.5 the service state list is stored in SRAM; the ISAKMP SA is stored in DRAM.
The service state list of step 1.3.5 comprises the source address, destination address and port number of the VPN service provided by this server, the type of service provided, the security policy and IKE negotiation state, and the address pointers of the E1, A1 and ISAKMP SA mentioned above.
The processing of inbound ESP packets in step (3) comprises the following steps:
3.a.1 determine from the packet's receiving port that it is an inbound packet and from the protocol number of the packet's tunnel IP header that it carries an ESP payload; go to step 3.a.2;
3.a.2 determine from the packet descriptor whether packet reassembly is complete; if so, go to step 3.a.3; otherwise discard the packet, record it in the log and go to step 3.a.1;
3.a.3 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the tunnel IP header destination address and protocol number and the ESP header SPI to form the SAID, compute the hash He(x2) and search for the matching security association in SRAM; if there is no match, discard the packet, record it in the log and go to step 3.a.1; if there is a match, read the corresponding security association into the DRAM transfer register and go to step 3.a.4;
3.a.4 read the ESP header sequence number and check whether it falls within the active window of this security association; if so, go to step 3.a.5; otherwise discard the packet, record it in the log and go to step 3.a.1;
3.a.5 read the ESP authentication data, reconstruct the ICV of the ESP and perform the integrity verification with the algorithm specified by the security association; if consistent, go to step 3.a.6; if inconsistent, discard the packet, record it in the log and go to step 3.a.1;
3.a.6 read the ESP header initial vector and decrypt the encrypted payload with the encryption algorithm and key provided by the security association; if decryption succeeds, go to step 3.a.7; if decryption fails, discard the packet, record it in the log and go to step 3.a.1;
3.a.7 remove the ESP trailer from the decrypted plaintext to obtain the original packet; read the original packet's destination address, source address, protocol number and port number and verify their legitimacy against the SPD (E1); if they comply, pass the packet to the routing module for forwarding and record it in the log; if not, discard the packet, send an interrupt request to interface micromodule II, hand the packet to the abnormal condition handling micromodule, record it in the log and go to step 3.a.1.
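As an added example (not code from the patent), the following Python sketches steps 3.a.3 to 3.a.5 for one inbound ESP packet: the SAID lookup keyed by tunnel destination, protocol and SPI, the active-window check of step 3.a.4 as a sliding bitmap, and the ICV check of step 3.a.5 with HMAC-SHA-1 truncated to 96 bits. The SA fields, the dictionary standing in for the SRAM hash table, and the sample keys and addresses are assumptions; decryption (step 3.a.6, DES/3DES on the IXP2850 crypto units) is left to the caller because the standard library has no DES.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_PROTO = 50          # tunnel IP header protocol number for ESP (step 3.a.1)
ESP_HDR_LEN = 8         # SPI (4 bytes) + sequence number (4 bytes)
ICV_LEN = 12            # HMAC-SHA-1-96: 160-bit HMAC-SHA-1 truncated to 96 bits


@dataclass
class SecurityAssociation:
    """Inbound ESP SA as held in the SADB (E2); assumed layout, only the fields used here."""
    spi: int
    auth_key: bytes
    window_size: int = 64   # active anti-replay window of step 3.a.4
    last_seq: int = 0       # highest sequence number accepted so far
    bitmap: int = 0         # bit i set <=> sequence number last_seq - i already accepted


def said(tunnel_dst: str, proto: int, spi: int) -> tuple:
    """SAID = (tunnel destination, protocol, SPI): the key of the SRAM hash table He(x2)."""
    return (tunnel_dst, proto, spi)


def compute_icv(auth_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1 over ESP header, IV and ciphertext, truncated to 96 bits."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def replay_check(sa: SecurityAssociation, seq: int) -> bool:
    """Step 3.a.4: is seq inside the active window and not yet seen? Leaves the window untouched."""
    if seq == 0:
        return False                        # sequence number 0 is never valid on the wire
    if seq > sa.last_seq:
        return True                         # right of the window: always new
    diff = sa.last_seq - seq
    if diff >= sa.window_size:
        return False                        # left of the window: too old
    return not (sa.bitmap >> diff) & 1      # already accepted => replay


def replay_update(sa: SecurityAssociation, seq: int) -> None:
    """Advance the window only after the ICV verified, so a forged packet carrying a
    high sequence number cannot push the window forward and starve legitimate traffic."""
    mask = (1 << sa.window_size) - 1
    if seq > sa.last_seq:
        sa.bitmap = ((sa.bitmap << (seq - sa.last_seq)) | 1) & mask
        sa.last_seq = seq
    else:
        sa.bitmap |= 1 << (sa.last_seq - seq)


def process_inbound_esp(sadb: dict, tunnel_dst: str, proto: int, esp_packet: bytes):
    """Steps 3.a.3 to 3.a.5. Returns (verdict, protected_part); protected_part is the IV plus
    ciphertext that step 3.a.6 would hand to the decryption unit."""
    if proto != ESP_PROTO or len(esp_packet) < ESP_HDR_LEN + ICV_LEN:
        return "drop: not an ESP payload", None
    spi, seq = struct.unpack("!II", esp_packet[:ESP_HDR_LEN])
    sa = sadb.get(said(tunnel_dst, proto, spi))          # 3.a.3 SAID lookup
    if sa is None:
        return "drop: no matching SA", None
    if not replay_check(sa, seq):                        # 3.a.4 active window
        return "drop: replay", None
    authenticated, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(sa.auth_key, authenticated), icv):  # 3.a.5
        return "drop: ICV mismatch", None
    replay_update(sa, seq)
    return "accept", authenticated[ESP_HDR_LEN:]


def make_esp_packet(sa: SecurityAssociation, seq: int, iv_and_ciphertext: bytes) -> bytes:
    """Sender side, used only to build constructed test packets: header + IV/ciphertext + ICV."""
    body = struct.pack("!II", sa.spi, seq) + iv_and_ciphertext
    return body + compute_icv(sa.auth_key, body)


def demo():
    """Constructed scenario: a fresh packet, its replay, a tampered copy, a later packet, non-ESP."""
    sa = SecurityAssociation(spi=0x1001, auth_key=b"\x0b" * 20)
    sadb = {said("192.0.2.1", ESP_PROTO, sa.spi): sa}
    pkt1 = make_esp_packet(sa, 1, b"\x00" * 8 + b"ciphertext-goes-here")
    pkt2 = make_esp_packet(sa, 2, b"\x00" * 8 + b"second-packet")
    tampered = pkt2[:-ICV_LEN - 1] + bytes([pkt2[-ICV_LEN - 1] ^ 0x01]) + pkt2[-ICV_LEN:]
    return [
        process_inbound_esp(sadb, "192.0.2.1", ESP_PROTO, pkt1)[0],      # accept
        process_inbound_esp(sadb, "192.0.2.1", ESP_PROTO, pkt1)[0],      # drop: replay
        process_inbound_esp(sadb, "192.0.2.1", ESP_PROTO, tampered)[0],  # drop: ICV mismatch
        process_inbound_esp(sadb, "192.0.2.1", ESP_PROTO, pkt2)[0],      # accept (window intact)
        process_inbound_esp(sadb, "192.0.2.1", 51, pkt1)[0],             # drop: not an ESP payload
    ]


if __name__ == "__main__":
    print(demo())
```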
The processing of inbound AH packets in step (3) comprises the following steps:
3.b.1 determine from the packet's receiving port that it is an inbound packet and from the protocol number of the packet's tunnel IP header that it carries an AH payload; go to step 3.b.2;
3.b.2 determine from the packet descriptor whether packet reassembly is complete; if so, go to step 3.b.3; otherwise discard the packet, record it in the log and go to step 3.b.1;
3.b.3 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the tunnel IP header destination address and protocol number and the AH header SPI to form the SAID, compute the hash Ha(x2) and search for the matching security association in SRAM; if there is no match, discard the packet, record it in the log and go to step 3.b.1; if there is a match, read the corresponding security association into the DRAM transfer register and go to step 3.b.4;
3.b.4 read the AH header sequence number and check whether it falls within the active window of this security association; if so, go to step 3.b.5; otherwise discard the packet, record it in the log and go to step 3.b.1;
3.b.5 extract and save the ICV field of the AH authentication data and zero the field; compute the hash with the authentication algorithm and key provided by the security association; if the result is consistent with the ICV, go to step 3.b.6; if inconsistent, discard the packet, record it in the log and go to step 3.b.1;
3.b.6 remove the tunnel IP header and the AH header; read the original packet's destination address, source address, protocol number and port number and verify their legitimacy against the SPD (A1); if they comply, pass the packet to the routing module for forwarding; if not, discard the packet, send an interrupt request to interface micromodule II, hand the packet to the abnormal condition handling micromodule, record it in the log and go to step 3.b.1.
The processing of outbound ESP packets in step (3) comprises the following steps:
3.c.1 determine from the packet's receiving port that it is an outbound packet and from the protocol number of the packet's tunnel IP header that it is an ESP payload; go to step 3.c.2;
3.c.2 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the IP header destination address, source address, protocol number and port number to form the SPD key, compute the hash He(x1) and search for the matching security association in SRAM; if there is no match, discard the packet, record it in the log and go to step 3.c.1; if there is a match, go to step 3.c.3;
3.c.3 check whether the address pointer of the corresponding SPD (E1) entry is zero; if so, send a security association establishment request to the IKE micromodule, discard the packet, record it in the log and go to step 3.c.1; otherwise go to step 3.c.4;
3.c.4 store the IP header of the outbound packet in a register; pad the tail of the outbound packet to reach a length of 32n-16 bits, add an 8-bit pad length field giving the length of the padding, and add an 8-bit next header field identifying the protocol of the content encapsulated by this ESP; decrement the TTL of the outbound IP header by 1; using the encryption algorithm, key and initial vector provided by the security association, encrypt the data of the padded outbound packet beginning after the initial vector and ending at the next header field, replace the original plaintext packet with the encrypted output, and go to step 3.c.5;
3.c.5 construct the ESP payload according to the security association: read the SPI and sequence number to construct the ESP header, append the initial vector after the ESP header, prepend the constructed ESP header to the packet encrypted in the previous step, and go to step 3.c.6;
3.c.6 determine from the security association whether the authentication function is enabled; if so, read the authentication algorithm and key, compute the hash over the whole ESP payload, insert the result in the ICV field of the ESP and go to step 3.c.7; if not, go to step 3.c.7;
3.c.7 construct the tunnel header of this outbound ESP packet according to the security association, where the total length is the length of the newly constructed packet, the protocol number is 50, and the source and destination addresses are specified by the SADB (E1); go to step 3.c.8;
3.c.8 pass the outbound ESP packet to the routing module for forwarding.
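The trailer rule of step 3.c.4 (pad to 32n-16 bits, then the 8-bit pad length and next header fields), the header and ICV steps 3.c.5 and 3.c.6, and the protocol-50 tunnel header of step 3.c.7, as an added Python example that is not the patent's code. The OutboundSA fields, the sample addresses and keys are assumptions, and the cipher is a stand-in that leaves the data unchanged so the framing can be inspected; the real system applies DES/3DES at that point. It also recomputes the inner header checksum after the TTL decrement, which the page does not mention but a forwarding device must do.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

ESP_PROTO = 50
ICV_LEN = 12            # HMAC-SHA-1-96
IV_LEN = 8              # DES / 3DES block size
NEXT_HDR_IPIP = 4       # tunnel mode: the encapsulated content is a whole IPv4 packet


@dataclass
class OutboundSA:
    """Outbound ESP SA reached from the SPD (E1) entry; assumed layout, only the fields used here."""
    spi: int
    seq: int
    enc_key: bytes
    auth_key: bytes          # empty => authentication not enabled (step 3.c.6)
    tunnel_src: str
    tunnel_dst: str


def esp_pad_len(length: int) -> int:
    """Step 3.c.4: pad to 32n-16 bits, i.e. to 2 bytes short of a 32-bit boundary, so that
    the 8-bit pad length and 8-bit next header fields complete the word."""
    return (2 - length) % 4


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement header checksum; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def decrement_ttl(packet: bytes) -> bytes:
    """Step 3.c.4 decrements the inner TTL; the checksum must then be recomputed
    (assumes a 20-byte header, as ipv4_header builds)."""
    if packet[8] <= 1:
        raise ValueError("TTL expired: packet must not be forwarded")
    hdr = packet[:8] + bytes([packet[8] - 1]) + packet[9:10] + b"\x00\x00" + packet[12:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def compute_icv(auth_key: bytes, data: bytes) -> bytes:
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def stand_in_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Placeholder, NOT a cipher: returns data unchanged so the framing can be inspected.
    The IXP2850 crypto units would apply DES/3DES-CBC under key and iv here."""
    return data


def esp_encapsulate(sa: OutboundSA, inner: bytes, iv: bytes, encrypt=stand_in_cipher) -> bytes:
    """Steps 3.c.4 to 3.c.7: trailer, encryption, ESP header + IV, optional ICV, tunnel header."""
    inner = decrement_ttl(inner)
    pad_len = esp_pad_len(len(inner))
    padding = bytes(range(1, pad_len + 1))                   # pad bytes 1, 2, 3, ...
    trailer = padding + bytes([pad_len, NEXT_HDR_IPIP])      # 3.c.4
    ciphertext = encrypt(sa.enc_key, iv, inner + trailer)    # encrypted region: after IV to next header
    esp = struct.pack("!II", sa.spi, sa.seq) + iv + ciphertext   # 3.c.5
    sa.seq += 1
    if sa.auth_key:                                          # 3.c.6
        esp += compute_icv(sa.auth_key, esp)
    return ipv4_header(sa.tunnel_src, sa.tunnel_dst, ESP_PROTO, 20 + len(esp)) + esp   # 3.c.7


def demo() -> bytes:
    """Constructed input: a 25-byte inner packet (20-byte UDP/IP header + 5-byte payload)."""
    sa = OutboundSA(spi=0x1001, seq=1, enc_key=b"\x01" * 24, auth_key=b"\x0b" * 20,
                    tunnel_src="192.0.2.1", tunnel_dst="198.51.100.7")
    inner = ipv4_header("10.0.0.5", "10.1.0.9", 17, 25) + b"hello"
    return esp_encapsulate(sa, inner, iv=b"\x00" * IV_LEN)


if __name__ == "__main__":
    print(demo().hex())
```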
The processing of outbound AH packets in step (3) comprises the following steps:
3.d.1 determine from the packet's receiving port that it is an outbound packet and from the protocol number of the packet's tunnel IP header that it is an AH payload; go to step 3.d.2;
3.d.2 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the IP header destination address, source address, protocol number and port number to form the SPD key, compute the hash Ha(x1) and search for the matching security association in SRAM; if there is no match, discard the packet, record it in the log and go to step 3.d.1; if there is a match, go to step 3.d.3;
3.d.3 check whether the address pointer of the corresponding SPD (A1) entry is zero; if so, send a security association establishment request to the IKE micromodule, discard the packet, record it in the log and go to step 3.d.1; otherwise go to step 3.d.4;
3.d.4 read the version number of the outbound packet; read the SPI and sequence number and compute the payload length according to the security association to construct the AH header; prepend the AH header to the outbound packet; read the authentication algorithm and key and compute the hash beginning at the AH header and ending at the tail of the packet to obtain the authentication data, and insert it in the AH header; go to step 3.d.5;
3.d.5 construct the tunnel header of this outbound AH packet according to the security association, where the total length is the length of the newly constructed packet, the protocol number is 51, and the source and destination addresses are specified by the SADB (A1); go to step 3.d.6;
3.d.6 pass the outbound AH packet to the routing module for forwarding.
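Step 3.d.4 (AH header construction and the ICV computed from the AH header to the packet tail) together with its inbound counterpart, step 3.b.5 (save the ICV, zero the field, recompute and compare), as an added Python example that is not the patent's code. The key, SPI and inner packet are constructed; the hash scope follows the page (starting at the AH header, whereas RFC 2402 also covers the immutable fields of the outer IP header), and the tunnel header of step 3.d.5 is an ordinary IPv4 header with protocol number 51 and is not built here.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12                      # HMAC-SHA-1-96
AH_FIXED_LEN = 12                 # next header, payload len, reserved, SPI, sequence number
AH_LEN = AH_FIXED_LEN + ICV_LEN   # 24 bytes with a 96-bit ICV
NEXT_HDR_IPIP = 4                 # tunnel mode: an IPv4 packet follows the AH header


def ah_payload_len() -> int:
    """AH 'payload length' field: length of the AH in 32-bit words minus 2."""
    return AH_LEN // 4 - 2        # (24 / 4) - 2 = 4


def ah_icv(auth_key: bytes, ah_and_packet: bytes) -> bytes:
    """Hash from the AH header to the packet tail with the ICV field zeroed (steps 3.d.4 and 3.b.5).
    Scope as the page states it; RFC 2402 additionally covers the outer IP header's immutable fields."""
    zeroed = ah_and_packet[:AH_FIXED_LEN] + bytes(ICV_LEN) + ah_and_packet[AH_LEN:]
    return hmac.new(auth_key, zeroed, hashlib.sha1).digest()[:ICV_LEN]


def ah_encapsulate(auth_key: bytes, spi: int, seq: int, packet: bytes) -> bytes:
    """Step 3.d.4: build the AH header, prepend it, compute the ICV and insert it."""
    header = struct.pack("!BBHII", NEXT_HDR_IPIP, ah_payload_len(), 0, spi, seq) + bytes(ICV_LEN)
    ah_packet = header + packet
    icv = ah_icv(auth_key, ah_packet)
    return ah_packet[:AH_FIXED_LEN] + icv + packet


def ah_verify(auth_key: bytes, ah_packet: bytes):
    """Step 3.b.5: save the received ICV, zero the field, recompute and compare in constant time.
    Returns (ok, spi, seq, inner_packet); inner_packet is None unless the ICV verified."""
    if len(ah_packet) < AH_LEN:
        return False, None, None, None
    next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", ah_packet[:AH_FIXED_LEN])
    if plen != ah_payload_len():
        return False, spi, seq, None      # ICV length does not match the SA's algorithm
    received = ah_packet[AH_FIXED_LEN:AH_LEN]
    ok = hmac.compare_digest(ah_icv(auth_key, ah_packet), received)
    return ok, spi, seq, (ah_packet[AH_LEN:] if ok else None)


def demo():
    """Constructed input: a packet protected with one key, then checked with the right key,
    with one payload byte flipped, and with a wrong key."""
    key = b"\x0b" * 20
    # constructed inner IPv4 packet: 20-byte header (checksum left 0 for brevity) + 5-byte payload
    inner = bytes.fromhex("45000019000040004011" "0000" "0a000005" "0a010009") + b"hello"
    ah = ah_encapsulate(key, 0x3003, 9, inner)
    flipped = ah[:-1] + bytes([ah[-1] ^ 0x01])
    return [ah_verify(key, ah)[0], ah_verify(key, flipped)[0], ah_verify(b"\x0c" * 20, ah)[0]]


if __name__ == "__main__":
    print(demo())
```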
The processing of IKE packets in step (3) comprises the following steps:
3.e.1 monitor the signals from within the system for an IKE request; if there is one, go to step 3.e.3, otherwise go to step 3.e.2;
3.e.2 monitor the UDP packets arriving on port 500 for an IKE request packet; if there is one, go to step 3.e.3, otherwise go to step 3.e.1;
3.e.3 read the source address, destination address and port number of this IKE packet and compare them with the service state list to determine whether another IKE negotiation on the same socket is currently in progress; if so, go to step 3.e.4, otherwise go to step 3.e.5;
3.e.4 read the service state list to obtain the corresponding authentication parameters and negotiation state parameters and verify the current IKE packet with them; if it complies, jump to the concrete step according to the negotiation state; otherwise refuse the request, send an interrupt request to interface micromodule II, hand the packet to the abnormal condition handling micromodule and go to step 3.e.1;
3.e.5 search the service state list with the destination address and port number to determine whether this request falls within the range of VPN services provided; if so, go to step 3.e.6; otherwise send an interrupt request to interface micromodule II, hand the packet to the abnormal condition handling micromodule and go to step 8.1;
3.e.6 create the IKE descriptor, create this server's cookie, form the IKE negotiation state entry of the current service state list together with parameters such as the counter and store it in SRAM, and send a permission signal for this request inward; go to step 3.e.7;
3.e.7 if this server is the IKE initiator, go to step 3.e.8; if this server is the IKE responder, go to step 3.e.21;
3.e.8 construct the initiator HDR, read the ISAKMP SA and construct the SA payload; add the UDP header and the outbound packet header, pass the packet to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; start the timer and go to step 3.e.9;
3.e.9 if the timer expires, the event thread is woken: it reads the negotiation state entry, checks the counter threshold, modifies the negotiation state entry and goes to step 3.e.8; otherwise go to step 3.e.10;
3.e.10 receive the response packet of the destination server, read the responder cookie and the SA payload, obtain the phase I negotiation parameters, establish the corresponding security association in DRAM and go to step 3.e.11;
3.e.11 generate the random key X and the nonce payload Ni and perform the Diffie-Hellman (hereinafter D-H) exchange: build the HDR, the initiator D-H public key Kx and the nonce payload Ni into a packet, add the UDP header and the outbound packet header, pass the packet to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; start the timer and go to step 3.e.12;
3.e.12 if the timer expires, the event thread is woken: it reads the negotiation state entry, checks the counter threshold, modifies the negotiation state entry and goes to step 3.e.11; otherwise go to step 3.e.13;
3.e.13 receive the response packet of the destination server, obtain the phase II negotiation parameters, read the responder D-H public key Ky and the nonce payload Nr, generate the shared key Kxy and perform the independent key derivation; go to step 3.e.14;
3.e.14 perform the phase III consistency check: use the negotiated algorithm and the private key to produce the digital signature SIGi; build the encrypted HDR*, this server's identity, the negotiation certificate and SIGi in order into a packet, add the UDP header and the outbound packet header, pass the packet to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; start the timer and go to step 3.e.15;
3.e.15 if the timer expires, the event thread is woken: it reads the negotiation state entry, checks the counter threshold, modifies the negotiation state entry and goes to step 3.e.14; otherwise go to step 3.e.16;
3.e.16 receive the response packet of the destination server, obtain the phase III negotiation parameters, verify the peer's identity and certificate, and verify the peer's digital signature with the negotiated algorithm and key; if there is no error, the negotiation succeeds and go to step 3.e.17; if there is an error, discard the packet, start the counter and go to step 3.e.14;
3.e.17 establish the IPsec SA: generate the nonce payload Ni and the digital signature HASH(1) according to RFC2049; according to the service state list, provide one or more SAs and decide whether to provide PFS (Perfect Forward Secrecy); build the initiator IPsec SA negotiation packet, add the UDP header and the outbound packet header, pass the packet to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; start the timer and go to step 3.e.18;
3.e.18 if the timer expires, the event thread is woken: it reads the negotiation state entry, checks the counter threshold, modifies the negotiation state entry and goes to step 3.e.17; otherwise go to step 3.e.19;
3.e.19 receive the response packet of the destination server and perform the state authentication and digital signature verification; if there is no error, go to step 3.e.20; if there is an error, discard the packet and go to step 3.e.17;
3.e.20 obtain the corresponding security association; the IPsec SA is established successfully; generate the digital signature HASH(3), build the final negotiation response, add the UDP header and the outbound packet header, pass the packet to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; send the IKE negotiation success signal inward and go to step 3.e.1;
3.e.21 receive the initiation packet of the IKE negotiation, read the initiator's HDR parameters and parse the SA payload of this packet; read the security decisions of the service list and match them against the security association proposals provided by the initiator; if there is a matching value, go to step 3.e.22; if there is no matching value, discard the packet and send an IKE request refusal signal inward;
3.e.22 construct the responder HDR; choose the relevant SA payload through the service state list and the ISAKMP SA, build the phase I response packet, add the UDP header and the outbound packet header, pass the packet to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; start the timer and go to step 3.e.23;
3.e.23 timer expired wake events thread reads the negotiation state list item, checks the counter threshold values, revises the negotiation state list item, execution in step 3.e.22, otherwise execution in step 3.e.24;
3.e.24 receive the initiation packet of destination server, obtain and consult the second stage parameter, read promoter D-H PKI Kx and transient load Ni; Produce random key Y, transient load Nr generates and shares key K xy; And carry out independently cipher key derivative, obtain and consult the phase III parameter.HDR and respondent D-H PKI Ky, transient load Nr are made up respond packet, add the UDP head, add the packet header of going out, pass to routing module and transmit and revise the negotiation state list item and be recorded in and deposit SRAM, execution in step 3.e.25;
3.e.25 timer expired wake events thread reads the negotiation state list item, checks the counter threshold values, revises the negotiation state list item, execution in step 3.e.24, otherwise execution in step 3.e.26;
3.e.26 receive the respond packet of destination server, promoter's HDR*, server identity, certificate and SIGi differentiated checking, if errorless then consult successfully; The HDR* that encrypted, book server identity, negotiation certificate and SIGr are docile and obedient preface set up into grouping, add the UDP head, add the packet header of going out; Pass to routing module and transmit,, revise ike negotiation state list item the security parameter record; Execution in step 3.e.27; If it is wrong then abandon this grouping, enabling counting device, execution in step 3.e.24;
3.e.27 set up IPSec SA, receive the initiation packet of destination server, carry out authentication, digital signature verification, if errorless then execution in step 3.e.28, wrong this grouping, the execution in step 3.e.24 of then abandoning;
3.e.28 obtain promoter HASH (1), transient load Ni, alternative security association, and other service entry parameter, relevant SA load chosen through service state tabulation and IPSec SA; Generate transient load Ni, digital signature HASH (2), make up respond packet, add the UDP head; Add the packet header of going out; Pass to routing module and transmit and revise the negotiation state list item and be recorded in and deposit SRAM, start timer, execution in step 3.e.29;
3.e.29 timer expired wake events thread reads the negotiation state list item, checks the counter threshold values, revises the negotiation state list item, execution in step 3.e.28, otherwise execution in step 3.e.29;
3.e.30 receive the respond packet of destination server, carry out authentication, digital signature verification, if errorless then ike negotiation success; Modification negotiation state list item is recorded in deposits SRAM; Inwardly authorize and send ike negotiation to become function signal, if execution in step 3.e.1 is wrong; Enabling counting device then, execution in step 3.e.28.
3.e.31 more than relate to service state tabulation read-write operation, overall general register is specified in preliminary examination, value is 1 and waits poll to wait for; Value is 0 further operation; Before the operation register value is put 1, after the operation register value is put 0.
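The D-H exchange and key derivation of steps 3.e.11, 3.e.13 and 3.e.24, together with the third-stage check of steps 3.e.14, 3.e.16 and 3.e.26, as an added example that is not the patent's IKE micromodule. It assumes the derivation of RFC 2409 (IKEv1 main mode with signature authentication) with HMAC-SHA1 as the prf; the D-H group is a constructed toy (prime 2^127-1, generator 5), not an IANA MODP group, and the signatures SIGi/SIGr are replaced by direct comparison of the HASH_I/HASH_R values they would sign.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

P = 2 ** 127 - 1   # toy prime modulus (constructed; NOT an IKE MODP group)
G = 5              # toy generator


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf; HMAC-SHA1 is assumed as the negotiated hash algorithm."""
    return hmac.new(key, data, hashlib.sha1).digest()


def be(n: int) -> bytes:
    """Big-endian encoding of a group element, as carried in the KE payload."""
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


@dataclass
class IkePeer:
    """Negotiation state entry of step 3.e.6: cookie, private value (X or Y), nonce."""
    cookie: bytes
    identity: bytes
    private: int = field(default_factory=lambda: secrets.randbelow(P - 2) + 1)
    nonce: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    keys: dict = field(default_factory=dict)

    def public(self) -> int:
        """Kx or Ky of steps 3.e.11 / 3.e.24: g^x mod p."""
        return pow(G, self.private, P)

    def derive(self, peer_public: int, cky_i: bytes, cky_r: bytes, ni: bytes, nr: bytes) -> None:
        """Kxy plus the independent key derivation of 3.e.13 / 3.e.24 (RFC 2409 section 5)."""
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value outside the group")   # rejects 0, 1, p-1
        gxy = be(pow(peer_public, self.private, P))                   # shared key Kxy
        skeyid = prf(ni + nr, gxy)                                    # signature authentication
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")         # feeds IPSec SA keys (3.e.17)
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # authenticates ISAKMP
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encrypts HDR* payloads
        self.keys = {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I, the value the initiator signs as SIGi (3.e.14)."""
    return prf(skeyid, be(gxi) + be(gxr) + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R, the value the responder signs as SIGr (3.e.26)."""
    return prf(skeyid, be(gxr) + be(gxi) + cky_r + cky_i + sai_b + idir_b)


def main_mode(initiator: IkePeer, responder: IkePeer, sa_payload: bytes):
    """In-memory run of the three stages (3.e.8-3.e.16 initiator, 3.e.21-3.e.26 responder).
    Returns (initiator accepts responder, responder accepts initiator)."""
    cky_i, cky_r = initiator.cookie, responder.cookie        # stage 1: cookies + SA payload
    kx, ni = initiator.public(), initiator.nonce             # stage 2: Kx, Ni -> responder
    ky, nr = responder.public(), responder.nonce             #          Ky, Nr -> initiator
    responder.derive(kx, cky_i, cky_r, ni, nr)               # 3.e.24
    initiator.derive(ky, cky_i, cky_r, ni, nr)               # 3.e.13
    # stage 3: each side authenticates the other under its own derived keys. The page
    # signs HASH_I / HASH_R with the private key; here the hashes themselves are compared,
    # which is what the signature protects (no public-key algorithm in the standard library).
    sent_i = hash_i(initiator.keys["skeyid"], kx, ky, cky_i, cky_r, sa_payload, initiator.identity)
    sent_r = hash_r(responder.keys["skeyid"], kx, ky, cky_i, cky_r, sa_payload, responder.identity)
    r_accepts = hmac.compare_digest(
        sent_i, hash_i(responder.keys["skeyid"], kx, ky, cky_i, cky_r, sa_payload, initiator.identity))
    i_accepts = hmac.compare_digest(
        sent_r, hash_r(initiator.keys["skeyid"], kx, ky, cky_i, cky_r, sa_payload, responder.identity))
    return i_accepts, r_accepts
```

Because SKEYID binds both nonces and both cookies, a peer that derived under a different Ni or Nr ends up with different keys and its HASH value is rejected in stage 3.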
The exception handling of step (5) comprises the following steps:
5.1 Parse the various interrupt requests forwarded by interface micromodule II and process them by category;
5.1.1 For a security association database address-chain error: identify the cause of the error, obtain the parameters of the faulty security association, and search the service state list; if there is a match, send an SPD construction request to the management system; if there is no match, delete the faulty security association and send deletion information to the management system;
5.1.2 For an IKE key-exchange conflict: obtain the parameters of the conflicting IKE, and start the conflict-source counter and timer; when a similar conflict occurs next time, compare the time and the number of occurrences, and if the result exceeds the threshold, send an alarm signal to the management system;
5.2 Monitor the storage space of each list; when the capacity exceeds the warning level, send an alarm signal to the management system.
The principle of the present invention is as follows: the network-processor-based high-speed secure virtual private network system is positioned between the trusted zone (white zone) and the public network (red zone); specific ports attach to the white zone and specific ports attach to the red zone; outbound and inbound packets are filtered, routed and VPN-processed at this point by the present invention.
The present invention is implemented on Intel's new-generation network processor IXP2850. It adopts the IPsec protocol to keep transmitted data confidential and builds the VPN module on top of gigabit routing. It uses the dedicated encryption/decryption core of the IXP2850 and uses a hash algorithm for matched lookup of the Security Parameter Index, realizing fast processing of the security policy, encryption algorithm, decryption algorithm, user authentication and digital signature functions. During key exchange it provides anti-replay and resistance to man-in-the-middle attacks, and it adopts bidirectional communication between the microengines (ME) and the core (XScale) to maintain database updates and logs.
The VPN microcode part and the core program part constitute the technical body of the present invention. Because the interface micromodules are designed on top of the portable framework, a server integrating routing and VPN functions can be realized together with the surrounding resources. The present invention supports VPN in IPsec tunnel mode; within the constructed VPN module, bidirectional communication between the microengines (ME) and the core (XScale) carries the control data. The constructed VPN module is divided into multiple micromodules by function, which avoids the influence of independent operating system processes, and it uses a multithreaded parallel processing mechanism for data operations, shortening the storage and lookup cycles of the VPN system and improving its overall performance; the VPN processing speed is effectively improved while the security requirements are guaranteed.
Compared with the prior art, the present invention has the following advantages: the network processor IXP2850 is used to realize the VPN function; the fast/slow data system formed by the microengines (ME) and the core (XScale) is fully exploited; the dedicated encryption/decryption core of this network processor is used, tightly coupled with the microengines (ME) and the core (XScale), to realize high-speed encryption and decryption processing and effectively shorten the cycle of payload encryption, decryption and verification; and the system can be highly integrated with other modules such as routing and firewalls to form a high-speed secure virtual private network system.
Description of drawings
Fig. 1 is a schematic structural diagram of the network-processor-based high-speed secure virtual private network system of the present invention.
Fig. 2 is a schematic diagram of the internal structure of the microengines and the core shown in Fig. 1.
Embodiment
The present invention is described in further detail below with reference to an embodiment and the accompanying drawings, but the implementation of the present invention is not limited thereto.
As shown in Fig. 1, the network-processor-based high-speed secure virtual private network system uses the IXP2850 as its network processor. The virtual private network system comprises microengine clusters, an XScale core, 3 SRAM memory units (static random access memory) with an SRAM memory controller, 1 DRAM memory unit (dynamic random access memory) with a DRAM memory controller, an MSF (Media Switch Fabric) and a hash unit. The 2 microengine clusters are connected in sequence, and each microengine cluster is formed by 8 microengines connected in sequence. The 2 microengine clusters, the core, the MSF and the hash unit are each connected to the PCI bus; the 3 SRAM memory units and the 1 DRAM memory unit are connected to the PCI bus through the SRAM memory controller and the DRAM memory controller respectively; and the PCI bus is connected to the management system module of the host computer.
As shown in Fig. 2, the microengines comprise interface micromodule I, a security association micromodule, an encryption/decryption micromodule, a protocol processing micromodule and an IKE micromodule; the core comprises an initialization micromodule, interface micromodule II, a management micromodule and an exception handling micromodule;
The initialization micromodule is connected to each of interface micromodule I, the security association micromodule, the encryption/decryption micromodule, the protocol processing micromodule, the IKE micromodule, interface micromodule II, the management micromodule and the exception handling micromodule; interface micromodule I is connected to each of interface micromodule II, the security association micromodule, the protocol processing micromodule and the IKE micromodule; interface micromodule II is connected to each of the management micromodule and the exception handling micromodule;
The security association micromodule is connected to the protocol processing micromodule, the IKE micromodule, the management micromodule, the encryption/decryption micromodule, the SRAM memory units and the DRAM memory unit; the protocol processing micromodule is connected to the management micromodule, the IKE micromodule, the encryption/decryption micromodule, the SRAM memory controller and the DRAM memory controller; the management micromodule is connected to the IKE micromodule, the SRAM memory controller, the DRAM memory controller and the management system module of the host computer.
The method for realizing the above network-processor-based high-speed secure virtual private network system comprises the following steps:
(1) Set up the system and perform the initial configuration;
(2) When the network processor receives a legitimate VPN packet, reassemble the packet and store it in the DRAM; generate a corresponding packet descriptor in the SRAM that records the packet's storage parameters in the DRAM, the storage parameters comprising a 15-element set such as the memory location, receiving port and protocol type; interface micromodule I identifies the receiving port and protocol type and hands the VPN packet to the protocol processing micromodule for processing;
(3) After the protocol processing micromodule receives the signal and packet descriptor passed from the interface routine, it reads the packet header according to the packet descriptor, parses the key fields, and classifies the packet as an inbound packet, an outbound packet or an IKE packet for processing; the processing of inbound packets comprises ESPi and AHi processing, and the processing of outbound packets comprises ESPo and AHo processing;
(4) Interface micromodule II obtains the packet memory address pointer; on the one hand, according to the demands of the host computer's management system, it forwards the different types of packets to the exception handling micromodule or forwards them directly into the network; on the other hand, according to the requests of the microengines, it forwards the different types of packets to the exception handling micromodule for processing or to the management micromodule for uploading to the host computer's management system; interface micromodule II then stores the memory address pointer in the designated memory space for retrieval when needed;
(5) The exception handling micromodule responds to the requests of the microengines and handles exceptions: it reads the various packet headers, performs classified processing, and delivers packets for forwarding into the network;
(6) The management micromodule responds to the management requests of the host computer system, generates IKE requests and sends them to the microengine IKE micromodule; it receives the logs uploaded by the microengines together with the various processing signals and passes them on schedule to the management system module of the host computer through the protocol communication mechanism; it receives information from the management system, parses the system commands, and carries out the active operations of modifying the security policy and modifying the service state list.
The initial configuration of step (1) means:
1.1 Place the programs of interface micromodule I, the security association micromodule, the encryption/decryption micromodule and the protocol processing micromodule on the microengines;
1.2 Place interface micromodule II, the management micromodule and the exception handling micromodule on the core;
1.3 Initialize each memory unit, allocate memory space, and store the constructed security association data and the service state list in the respective memory units, wherein:
1.3.1 Perform a keyed hash computation over the data of the ESP outbound packet SPD (E1) and build the corresponding hash table, which is stored in SRAM; each SPD entry's address pointer is either empty or points to an SA bundle in the security association database SADB (E2);
1.3.2 The hash table of ESP inbound packet SAIDs is stored in SRAM and the corresponding SADB (E2) is stored in DRAM; each SAID address pointer points to an SA bundle in the SADB, and each SADB address pointer points to an SPD entry in the SPD (E1);
1.3.3 Perform a keyed hash computation over the data of the AH outbound packet SPD (A1) and build the corresponding hash table, which is stored in SRAM; each SPD entry's address pointer is either empty or points to an SA bundle in the SADB (A2);
1.3.4 The hash table of AH inbound packet SAIDs is stored in SRAM and the corresponding SADB (A2) is stored in DRAM; each SAID address pointer points to an SA bundle in the SADB, and each SADB address pointer points to an SPD entry in the SPD (A1);
1.3.5 Store the service state list in SRAM; the ISAKMP SA is stored in DRAM.
The service state list of step 1.3.5 comprises the source address, destination address and port number of the VPN service provided by this server, the type of service provided, the security policy and the IKE negotiation state, and also comprises the E1, A1 and ISAKMP SA address pointers referred to above.
The processing of inbound ESP packets in step (3) comprises the following steps:
3.a.1 Identify the packet as inbound from its receiving port and as an ESP payload from the protocol number of the tunnel IP header; go to step 3.a.2;
3.a.2 Determine from the packet descriptor whether packet reassembly is complete; if so, go to step 3.a.3, otherwise discard the packet, write to the log, and go to step 3.a.1;
3.a.3 Read the packet header from the memory address in the packet descriptor and store it in the ME transfer register; read the tunnel IP header destination address and protocol number, read the ESP header SPI to form the SAID, and hash it to obtain He(x2); look up the corresponding security association in SRAM; if there is no match, discard the packet, write to the log, and go to step 3.a.1; if there is a match, read the corresponding security association into the DRAM transfer register and go to step 3.a.4;
3.a.4 Read the ESP header sequence number and check whether it falls within the active window of this security association; if so, go to step 3.a.5, otherwise discard the packet, write to the log, and go to step 3.a.1;
3.a.5 Read the ESP authentication data, reconstruct the ICV over the ESP, and perform integrity verification with the algorithm given by the security association; if consistent, go to step 3.a.6; if inconsistent, discard the packet, write to the log, and go to step 3.a.1;
3.a.6 Read the ESP header initialization vector and decrypt the encrypted payload with the encryption algorithm and key given by the security association; if decryption succeeds, go to step 3.a.7; if decryption fails, discard the packet, write to the log, and go to step 3.a.1;
3.a.7 Remove the ESP trailer from the decrypted plaintext to obtain the original packet; read the original packet's destination address, source address, protocol number and port number and verify their legitimacy against the SPD (E1); if they comply, pass the packet to the routing module for forwarding and write to the log; if they do not comply, discard the packet, send an interrupt request to interface micromodule II, hand over to the exception handling micromodule, write to the log, and go to step 3.a.1.
The processing of inbound AH packets in step (3) comprises the following steps:
3.b.1 Identify the packet as inbound from its receiving port and as an AH payload from the protocol number of the tunnel IP header; go to step 3.b.2;
3.b.2 Determine from the packet descriptor whether packet reassembly is complete; if so, go to step 3.b.3, otherwise discard the packet, write to the log, and go to step 3.b.1;
3.b.3 Read the packet header from the memory address in the packet descriptor and store it in the ME transfer register; read the tunnel IP header destination address and protocol number, read the AH header SPI to form the SAID, and hash it to obtain Ha(x2); look up the corresponding security association in SRAM; if there is no match, discard the packet, write to the log, and go to step 3.b.1; if there is a match, read the corresponding security association into the DRAM transfer register and go to step 3.b.4;
3.b.4 Read the AH header sequence number and check whether it falls within the active window of this security association; if so, go to step 3.b.5, otherwise discard the packet, write to the log, and go to step 3.b.1;
3.b.5 Extract and save the ICV field of the AH authentication data and zero the field; compute the authentication value with the authentication algorithm and key given by the security association; if the result is consistent with the ICV, go to step 3.b.6; if inconsistent, discard the packet, write to the log, and go to step 3.b.1;
3.b.6 Remove the tunnel IP header and the AH header; read the original packet's destination address, source address, protocol number and port number and verify their legitimacy against the SPD (A1); if they comply, pass the packet to the routing module for forwarding; if they do not comply, discard the packet, send an interrupt request to interface micromodule II, hand over to the exception handling micromodule, write to the log, and go to step 3.b.1.
The processing of outbound ESP packets in step (3) comprises the following steps:
3.c.1 Identify the packet as outbound from its receiving port and as an ESP payload from the protocol number of the tunnel IP header; go to step 3.c.2;
3.c.2 Read the packet header from the memory address in the packet descriptor and store it in the ME transfer register; read the packet IP header's destination address, source address, protocol number and port number to form the SPD selector, and hash it to obtain He(x1); look up the corresponding security association in SRAM; if there is no match, discard the packet, write to the log, and go to step 3.c.1; if there is a match, go to step 3.c.3;
3.c.3 Check whether the address pointer of the corresponding SPD (E1) entry is zero; if so, send a security association establishment request to the IKE micromodule, discard the packet, write to the log, and go to step 3.c.1; otherwise go to step 3.c.4;
3.c.4 Store the outbound packet's IP header in a register; pad the tail of the outbound packet to a length of 32n-16 bits; add an 8-bit pad length field giving the length of the padding and an 8-bit next payload field identifying the protocol of the content encapsulated by this ESP; decrement the TTL of the outbound packet's IP header by 1; using the encryption algorithm, key and initialization vector given by the security association, encrypt the data of the padded outbound packet from after the initialization vector up to and including the next payload field, and replace the original plaintext packet with the encrypted output; go to step 3.c.5;
3.c.5 Construct the ESP payload according to the security association: read the SPI and sequence number to construct the ESP header, append the initialization vector after the ESP header, and prepend the constructed ESP header to the packet portion encrypted in the previous step; go to step 3.c.6;
3.c.6 Determine from the security association whether the authentication function is enabled; if so, read the authentication algorithm and key, compute the hash over the whole ESP payload, insert the result into the ICV field of the ESP, and go to step 3.c.7; if not, go to step 3.c.7;
3.c.7 Construct the tunnel header of this outbound ESP packet according to the security association, where the total length is the length of the newly constructed packet, the protocol number is 50, and the source and destination addresses are specified by the SADB (E1); go to step 3.c.8;
3.c.8 Pass the outbound ESP packet to the routing module for forwarding.
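The inbound ESP steps 3.a.3 to 3.a.7 and the outbound steps 3.c.4 to 3.c.7 above, as an added example that is not the patent's microcode: a Python model of the hashed SAID lookup, the anti-replay window, ICV verification, trailer padding to 32n-16 bits, and the protocol-50 tunnel header. It assumes ESP-NULL (RFC 2410) as the SA's cipher and HMAC-SHA1-96 as its authentication algorithm so that it runs on the standard library alone; the 64-entry window width and all keys and addresses are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_PROTO = 50   # protocol number written into the tunnel header (step 3.c.7)
ICV_LEN = 12     # HMAC-SHA1-96 truncation (assumption: the SA's auth algorithm)
WINDOW = 64      # anti-replay window width (assumption; the page gives no size)


@dataclass
class SecurityAssociation:
    """One SADB entry; seq_high and bitmap form the active window of step 3.a.4."""
    spi: int
    auth_key: bytes
    seq_out: int = 0    # last outbound sequence number sent
    seq_high: int = 0   # highest inbound sequence number accepted so far
    bitmap: int = 0     # bit i set  <=>  sequence number seq_high - i accepted


def said_key(dst: bytes, proto: int, spi: int) -> bytes:
    """SAID = (tunnel destination, protocol, SPI), hashed for the SADB lookup of 3.a.3."""
    return hashlib.sha1(dst + bytes([proto]) + spi.to_bytes(4, "big")).digest()


def in_window(sa: SecurityAssociation, seq: int) -> bool:
    """Step 3.a.4: inside the active window and not yet accepted (no state change)."""
    if seq == 0:
        return False
    if seq > sa.seq_high:
        return True
    diff = sa.seq_high - seq
    return diff < WINDOW and not (sa.bitmap >> diff) & 1


def mark_seen(sa: SecurityAssociation, seq: int) -> None:
    """Advance the window only after the ICV verified, so forged packets cannot move it."""
    if seq > sa.seq_high:
        sa.bitmap = ((sa.bitmap << (seq - sa.seq_high)) | 1) & ((1 << WINDOW) - 1)
        sa.seq_high = seq
    else:
        sa.bitmap |= 1 << (sa.seq_high - seq)


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def decrement_ttl(pkt: bytes) -> bytes:
    """TTL-1 on a 20-byte inner IPv4 header (step 3.c.4), checksum recomputed."""
    hdr = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:10] + b"\x00\x00" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + pkt[20:]


def esp_encapsulate(sa: SecurityAssociation, inner: bytes, src: bytes, dst: bytes) -> bytes:
    """Steps 3.c.4-3.c.7: trailer padding, ESP header, ICV, then the tunnel IP header."""
    # 3.c.4: pad so that payload + pad-length byte + next-header byte is 32-bit aligned,
    # i.e. the padded payload ends 16 bits short of a 32-bit boundary (the page's 32n-16)
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])   # next header 4 = IPv4
    sa.seq_out += 1
    esp_hdr = struct.pack("!II", sa.spi, sa.seq_out)   # 3.c.5; ESP-NULL carries no IV
    body = esp_hdr + inner + trailer                   # with ESP-NULL, ciphertext == plaintext
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # 3.c.6
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN) + body + icv   # 3.c.7


def esp_decapsulate(sadb: dict, spd_in: set, packet: bytes):
    """Steps 3.a.3-3.a.7. Returns ('ok', inner packet) or (drop reason, None)."""
    ihl = (packet[0] & 0x0F) * 4
    proto, dst = packet[9], packet[16:20]
    if proto != ESP_PROTO:
        return "not-esp", None
    esp = packet[ihl:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sadb.get(said_key(dst, proto, spi))            # 3.a.3: hashed SAID lookup
    if sa is None:
        return "no-sa", None
    if not in_window(sa, seq):                          # 3.a.4: replay window
        return "replay", None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):          # 3.a.5: ICV reconstruction and check
        return "bad-icv", None
    mark_seen(sa, seq)
    payload = body[8:]                                  # 3.a.6: ESP-NULL, nothing to decrypt
    pad_len, next_hdr = payload[-2], payload[-1]
    inner = payload[: len(payload) - 2 - pad_len]       # 3.a.7: strip the ESP trailer
    if next_hdr != 4 or (inner[12:16], inner[16:20], inner[9]) not in spd_in:
        return "spd-reject", None                       # 3.a.7: SPD legitimacy check
    return "ok", inner


def demo():
    """Constructed round trip between two gateways: first delivery accepted, replay dropped."""
    key = b"constructed-auth-key-not-real"
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    host_a, host_b = bytes([10, 0, 0, 5]), bytes([10, 0, 1, 7])
    inner = ipv4_header(host_a, host_b, 17, 28) + bytes(8)      # 20-byte header + UDP stub
    sa_out = SecurityAssociation(spi=0x1234, auth_key=key)
    sadb = {said_key(gw_b, ESP_PROTO, 0x1234): SecurityAssociation(spi=0x1234, auth_key=key)}
    spd_in = {(host_a, host_b, 17)}
    pkt = esp_encapsulate(sa_out, decrement_ttl(inner), gw_a, gw_b)
    first = esp_decapsulate(sadb, spd_in, pkt)
    second = esp_decapsulate(sadb, spd_in, pkt)
    return first[0], second[0], first[1][8]   # ('ok', 'replay', 63)
```

The window check of 3.a.4 runs before the ICV check of 3.a.5, as on the page, but the window state is only advanced once the ICV has verified; otherwise a forged packet with a high sequence number could push legitimate traffic out of the window.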
The processing of outbound AH packets in step (3) comprises the following steps:
3.d.1 Identify the packet as outbound from its receiving port and as an AH payload from the protocol number of the tunnel IP header; go to step 3.d.2;
3.d.2 Read the packet header from the memory address in the packet descriptor and store it in the ME transfer register; read the packet IP header's destination address, source address, protocol number and port number to form the SPD selector, and hash it to obtain Ha(x1); look up the corresponding security association in SRAM; if there is no match, discard the packet, write to the log, and go to step 3.d.1; if there is a match, go to step 3.d.3;
3.d.3 Check whether the address pointer of the corresponding SPD (A1) entry is zero; if so, send a security association establishment request to the IKE micromodule, discard the packet, write to the log, and go to step 3.d.1; otherwise go to step 3.d.4;
3.d.4 Read the outbound packet's version number; construct the AH header from the SPI, sequence number and calculated payload length according to the security association; prepend the AH header to the outbound packet; read the authentication algorithm and key and hash from the AH header to the tail of the packet to obtain the authentication data, insert it into the AH header, and go to step 3.d.5;
3.d.5 Construct the tunnel header of this outbound AH packet according to the security association, where the total length is the length of the newly constructed packet, the protocol number is 51, and the source and destination addresses are specified by the SADB (A1); go to step 3.d.6;
3.d.6 Pass the outbound AH packet to the routing module for forwarding.
The processing of IKE packets in step (3) comprises the following steps:
3.e.1 Monitor the signals from within the system for an IKE request; if there is one, go to step 3.e.3, otherwise go to step 3.e.2;
3.e.2 Monitor the UDP packets arriving from port 500 for an IKE request packet; if there is one, go to step 3.e.3, otherwise go to step 3.e.1;
3.e.3 Read the source address, destination address and port number of this IKE packet and compare them with the service state list to determine whether another IKE negotiation for the same socket is currently in progress; if so, go to step 3.e.4, otherwise go to step 3.e.5;
3.e.4 Read the service state list, obtain the corresponding certificate parameters and negotiation state parameters, and verify the current IKE packet against them; if it complies, jump to the specific step according to the negotiation state; otherwise refuse the request, send an interrupt request to interface micromodule II, hand over to the exception handling micromodule, and go to step 3.e.1;
3.e.5 Match the destination address and port number against the service state list to determine whether this request falls within the VPN service range provided; if so, go to step 3.e.6; otherwise send an interrupt request to interface micromodule II, hand over to the exception handling micromodule, and go to step 8.1;
3.e.6 Create the IKE descriptor and this server's cookie; form the IKE negotiation state entry of the current service state list together with parameters such as the counter and store it in SRAM; internally signal permission for this request, and go to step 3.e.7;
3.e.7 If this server is the IKE initiator, go to step 3.e.8; if this server is the IKE responder, go to step 3.e.21;
3.e.8 Construct the initiator HDR, read the ISAKMP SA and construct the SA payload; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; start the timer, and go to step 3.e.9;
3.e.9 When the timer expires, the woken event thread reads the negotiation state entry and checks the retry counter against its threshold; if the threshold is not reached, update the negotiation state entry and go to step 3.e.8, otherwise go to step 3.e.10;
3.e.10 Receive the response packet from the destination server, read the responder cookie and SA payload, obtain the negotiated first-stage parameters, establish the corresponding security association in DRAM, and go to step 3.e.11;
3.e.11 Generate a random key X and nonce payload Ni for the Diffie-Hellman (hereafter D-H) exchange; build HDR, the initiator's D-H public value Kx and the nonce payload Ni into a packet; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; start the timer, and go to step 3.e.12;
3.e.12 When the timer expires, the woken event thread reads the negotiation state entry and checks the retry counter against its threshold; if the threshold is not reached, update the negotiation state entry and go to step 3.e.11, otherwise go to step 3.e.13;
3.e.13 Receive the response packet from the destination server, obtain the negotiated second-stage parameters, read the responder's D-H public value Ky and nonce payload Nr, generate the shared key Kxy, and perform independent key derivation; go to step 3.e.14;
3.e.14 Perform the third-stage consistency check of the negotiation: use the negotiated algorithm and the private key to produce the digital signature SIGi; build the encrypted HDR*, this server's identity, the negotiation certificate and SIGi in order into a packet; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; start the timer, and go to step 3.e.15;
3.e.15 When the timer expires, the woken event thread reads the negotiation state entry and checks the retry counter against its threshold; if the threshold is not reached, update the negotiation state entry and go to step 3.e.14, otherwise go to step 3.e.16;
3.e.16 Receive the response packet from the destination server, obtain the negotiated third-stage parameters, and verify the peer's identity and certificate; use the negotiated algorithm and key to verify the peer's digital signature; if correct, the negotiation succeeds and go to step 3.e.17; if wrong, discard the packet, start the counter, and go to step 3.e.14;
3.e.17 Establish the IPSec SA: generate the nonce payload Ni and the digital signature HASH(1) according to RFC2049; according to the service state list, offer one or more SAs and decide whether to provide PFS (Perfect Forward Service); build the initiator's IPSec SA negotiation packet; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; start the timer, and go to step 3.e.18;
3.e.18 When the timer expires, the woken event thread reads the negotiation state entry and checks the retry counter against its threshold; if the threshold is not reached, update the negotiation state entry and go to step 3.e.17, otherwise go to step 3.e.19;
3.e.19 Receive the response packet from the destination server and perform identity authentication and digital signature verification; if correct, go to step 3.e.20; if wrong, discard the packet and go to step 3.e.17;
3.e.20 Obtain the corresponding security association; the IPSec SA is established successfully; generate the digital signature HASH(3); build the final negotiation response; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; internally signal IKE negotiation success, and go to step 3.e.1;
3.e.21 Receive the IKE negotiation initiation packet, read the initiator's HDR parameters, and parse the SA payload of the packet; read the security policy of the service list and match it against the security association proposals offered by the initiator; if there is a match, go to step 3.e.22; if there is no match, discard the packet and internally signal refusal of the IKE request;
3.e.22 Construct the responder HDR; select the relevant SA payload via the service state list and the ISAKMP SA; build the first-stage response packet; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; start the timer, and go to step 3.e.23;
3.e.23 When the timer expires, the woken event thread reads the negotiation state entry and checks the retry counter against its threshold; if the threshold is not reached, update the negotiation state entry and go to step 3.e.22, otherwise go to step 3.e.24;
3.e.24 Receive the initiation packet from the destination server, obtain the negotiated second-stage parameters, and read the initiator's D-H public value Kx and nonce payload Ni; generate a random key Y and nonce payload Nr, generate the shared key Kxy, and perform independent key derivation to obtain the negotiated third-stage parameters; build HDR, the responder's D-H public value Ky and the nonce payload Nr into a response packet; add the UDP header and the outbound packet header; pass the packet to the routing module for forwarding; update the negotiation state entry and store it in SRAM; go to step 3.e.25;
3.e.25 When the timer expires, the woken event thread reads the negotiation state entry and checks the retry counter against its threshold; if the threshold is not reached, update the negotiation state entry and go to step 3.e.24, otherwise go to step 3.e.26;
3.e.26 receive the respond packet of destination server, promoter's HDR*, server identity, certificate and SIGi differentiated checking, if errorless then consult successfully; The HDR* that encrypted, book server identity, negotiation certificate and SIGr are docile and obedient preface set up into grouping, add the UDP head, add the packet header of going out; Pass to routing module and transmit,, revise ike negotiation state list item the security parameter record; Execution in step 3.e.27; If it is wrong then abandon this grouping, enabling counting device, execution in step 3.e.24;
3.e.27 set up IPSec SA, receive the initiation packet of destination server, carry out authentication, digital signature verification, if errorless then execution in step 3.e.28, wrong this grouping, the execution in step 3.e.24 of then abandoning;
3.e.28 obtain promoter HASH (1), transient load Ni, alternative security association, and other service entry parameter, relevant SA load chosen through service state tabulation and IPSec SA; Generate transient load Ni, digital signature HASH (2), make up respond packet, add the UDP head; Add the packet header of going out; Pass to routing module and transmit and revise the negotiation state list item and be recorded in and deposit SRAM, start timer, execution in step 3.e.29;
3.e.29 timer expired wake events thread reads the negotiation state list item, checks the counter threshold values, revises the negotiation state list item, execution in step 3.e.28, otherwise execution in step 3.e.29;
3.e.30 receive the respond packet of destination server, carry out authentication, digital signature verification, if errorless then ike negotiation success; Modification negotiation state list item is recorded in deposits SRAM; Inwardly authorize and send ike negotiation to become function signal, if execution in step 3.e.1 is wrong; Enabling counting device then, execution in step 3.e.28.
3.e.31 more than relate to service state tabulation read-write operation, overall general register is specified in preliminary examination, value is 1 and waits poll to wait for; Value is 0 further operation.Before the operation register value is put 1, after the operation register value is put 0.
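The D-H exchange and independent key derivation of steps 3.e.11 to 3.e.14 and 3.e.24, and the HASH(1)/HASH(2)/HASH(3) exchange of steps 3.e.17 to 3.e.30, follow the formulas of RFC 2409. The block below is an added example and is not code from the patent: it runs both sides of Main Mode (messages 3 to 6) and of Quick Mode without PFS in one process, with HMAC-SHA-1 as the PRF, the 1024-bit MODP group of RFC 2409 section 6.2, and signature-mode SKEYID. The class and function names, the cookie and nonce lengths, and the SA payload, message ID, protocol and SPI bytes used in the test are assumptions. Signing HASH_I and HASH_R with the certificate's private key (SIGi and SIGr) is not shown; only the hashes that are signed and verified are computed.

```python
import hmac
import hashlib
import os

# RFC 2409 section 6.2, second Oakley group (1024-bit MODP), generator 2
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()   # HMAC-SHA-1 is one of the page's PRFs


def i2b(n):
    return n.to_bytes(128, "big")   # fixed-length encoding so both sides hash identical bytes


class IkePeer:
    """One side of the exchange; holds what the patent keeps in its negotiation state entry (assumed layout)."""

    def __init__(self, identity):
        self.identity = identity
        self.cookie = os.urandom(8)                        # step 3.e.6
        self.x = int.from_bytes(os.urandom(32), "big")     # private D-H value (X in 3.e.11, Y in 3.e.24)
        self.pub = pow(G, self.x, P)                       # public D-H value (Kx / Ky)
        self.nonce = os.urandom(16)                        # Ni / Nr

    def phase1_keys(self, peer_pub, cky_i, cky_r, ni, nr):
        """Steps 3.e.13 / 3.e.24: shared key Kxy and the key derivation of RFC 2409 section 5."""
        if not 1 < peer_pub < P - 1:
            raise ValueError("degenerate D-H public value")   # caveat: reject 0, 1 and p-1 before exponentiating
        gxy = i2b(pow(peer_pub, self.x, P))
        self.skeyid = prf(ni + nr, gxy)                       # signature authentication: SKEYID = prf(Ni_b|Nr_b, g^xy)
        cky = cky_i + cky_r
        self.skeyid_d = prf(self.skeyid, gxy + cky + b"\x00")
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + gxy + cky + b"\x01")
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + gxy + cky + b"\x02")

    def hash_i(self, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
        return prf(self.skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

    def hash_r(self, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
        return prf(self.skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode(init, resp, sai_b):
    """Main Mode messages 3-6 run in-process; True when both sides agree on HASH_I and HASH_R."""
    gxi, gxr = i2b(init.pub), i2b(resp.pub)               # KE payloads of steps 3.e.11 / 3.e.24
    init.phase1_keys(resp.pub, init.cookie, resp.cookie, init.nonce, resp.nonce)
    resp.phase1_keys(init.pub, init.cookie, resp.cookie, init.nonce, resp.nonce)
    # messages 5/6 (steps 3.e.14 / 3.e.26): the initiator signs HASH_I, the responder signs HASH_R
    hi_sent = init.hash_i(gxi, gxr, init.cookie, resp.cookie, sai_b, init.identity)
    hi_check = resp.hash_i(gxi, gxr, init.cookie, resp.cookie, sai_b, init.identity)
    hr_sent = resp.hash_r(gxi, gxr, init.cookie, resp.cookie, sai_b, resp.identity)
    hr_check = init.hash_r(gxi, gxr, init.cookie, resp.cookie, sai_b, resp.identity)
    return hmac.compare_digest(hi_sent, hi_check) and hmac.compare_digest(hr_sent, hr_check)


def quick_mode(init, resp, sa_b, mid, proto, spi_i, spi_r):
    """Quick Mode without PFS (steps 3.e.17, 3.e.28, 3.e.20); returns the per-direction KEYMAT or None."""
    ni, nr = os.urandom(16), os.urandom(16)
    h1 = prf(init.skeyid_a, mid + sa_b + ni)                    # HASH(1), initiator -> responder
    if not hmac.compare_digest(h1, prf(resp.skeyid_a, mid + sa_b + ni)):
        return None
    h2 = prf(resp.skeyid_a, mid + ni + sa_b + nr)               # HASH(2), responder -> initiator
    if not hmac.compare_digest(h2, prf(init.skeyid_a, mid + ni + sa_b + nr)):
        return None
    h3 = prf(init.skeyid_a, b"\x00" + mid + ni + nr)            # HASH(3), initiator -> responder
    if not hmac.compare_digest(h3, prf(resp.skeyid_a, b"\x00" + mid + ni + nr)):
        return None
    # KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), one value per direction (RFC 2409 section 5.5)
    km_in = prf(init.skeyid_d, proto + spi_i + ni + nr)
    if km_in != prf(resp.skeyid_d, proto + spi_i + ni + nr):
        return None
    return km_in, prf(init.skeyid_d, proto + spi_r + ni + nr)
```

The public-value range check in phase1_keys is the caveat a practitioner wants here: a peer that sends 0, 1 or p-1 as its D-H value forces the shared key into a tiny set, so the check must run before pow() is called.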
The handling of abnormal conditions in step (5) comprises the following steps:
5.1 parse the interrupt requests of each kind passed by interface micromodule II and process them by category;
5.1.1 for a security association database address-chain error, identify the cause of the fault, obtain the parameters of the faulty security association data, and search the service state list; if there is a match, send an SPD construction request to the management system; if there is no match, delete the faulty security association and send deletion information to the management system;
5.1.2 for an IKE key exchange conflict, obtain the parameters of the conflicting IKE exchange and start a counter and timer for the conflict source; when a similar conflict next occurs, weight the elapsed time and the count, and when the computed result exceeds the threshold send an alarm signal to the management system;
5.2 monitor the storage space of each list, and when the capacity exceeds the guard limit send an alarm signal to the management system.
The present invention can be implemented well in the manner described above.
The above embodiment is a preferred embodiment of the present invention, but the embodiments of the present invention are not limited to the embodiment described above; any other change, modification, substitution, combination or simplification that does not depart from the spirit and principle of the present invention shall be an equivalent substitution and is included within the protection scope of the present invention.
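The negotiation state entry of step 3.e.6, the duplicate-socket check of step 3.e.3, the service-range check of step 3.e.5, the timer/counter pattern of steps 3.e.9, 3.e.15 and the like, and the conflict scoring of step 5.1.2 can be modelled as follows. This is an added example, not the patent's microcode: the socket-keyed dictionary stands in for the SRAM service state list, the retry threshold, timeout, state names and message placeholders are assumed values, the verified flag stands in for the cryptographic checks performed elsewhere, and the conflict score (conflicts per second within a window) is one reading of the patent's weighted time/count computation.

```python
import os
import time
from dataclasses import dataclass

MAX_RETRIES = 3            # counter threshold of steps 3.e.9, 3.e.15, ... (assumed value)
RETRANSMIT_TIMEOUT = 2.0   # seconds (assumed value)


@dataclass
class NegotiationEntry:
    """The IKE negotiation state entry of step 3.e.6: socket, cookies, exchange state, counter, timer."""
    socket: tuple              # (src, dst, sport, dport), compared in step 3.e.3
    cookie_i: bytes
    cookie_r: bytes = b""
    state: str = "SA_SENT"
    retries: int = 0
    last_msg: bytes = b""
    deadline: float = 0.0


class NegotiationTable:
    # initiator progression of steps 3.e.8 -> 3.e.11 -> 3.e.14 -> done, with the message sent on entry
    NEXT = {"SA_SENT": ("KE_SENT", b"HDR,KE,Ni"),
            "KE_SENT": ("AUTH_SENT", b"HDR*,ID,CERT,SIG"),
            "AUTH_SENT": ("ESTABLISHED", b"")}

    def __init__(self, service_range, now=time.monotonic):
        self.entries = {}                    # stands in for the SRAM service state list
        self.service_range = service_range   # set of (dst, port) this VPN serves (step 3.e.5)
        self.now = now
        self.sent = []                       # packets handed to the routing module

    def start(self, socket):
        """Steps 3.e.3, 3.e.5, 3.e.6 and 3.e.8 on the initiator side."""
        if socket in self.entries:           # a negotiation on this socket is already in progress
            return self.entries[socket]
        if (socket[1], socket[3]) not in self.service_range:
            raise PermissionError("outside the VPN service range")
        entry = NegotiationEntry(socket, cookie_i=os.urandom(8))
        self.entries[socket] = entry
        self.send(entry, b"HDR,SA")
        return entry

    def send(self, entry, msg):
        entry.last_msg = msg
        entry.deadline = self.now() + RETRANSMIT_TIMEOUT   # start the timer
        self.sent.append((entry.socket, msg))

    def on_timer(self):
        """Timer expiry (step 3.e.9 pattern): retransmit while under the threshold, otherwise abandon."""
        now, outcome = self.now(), {}
        for socket, entry in list(self.entries.items()):
            if now < entry.deadline:
                continue
            if entry.retries < MAX_RETRIES:
                entry.retries += 1
                self.send(entry, entry.last_msg)
                outcome[socket] = "retransmit"
            else:
                del self.entries[socket]        # bounded retries keep a silent peer from pinning state
                outcome[socket] = "abandoned"
        return outcome

    def on_packet(self, socket, cookie_i, cookie_r, verified):
        """Step 3.e.4: match the packet to the recorded state and advance; verified = crypto checks passed."""
        entry = self.entries.get(socket)
        if (entry is None or entry.state not in self.NEXT or cookie_i != entry.cookie_i
                or (entry.cookie_r and cookie_r != entry.cookie_r)):
            return "reject"                     # unknown socket, finished exchange or cookie mismatch
        if not verified:                        # e.g. step 3.e.16 failure: count it and resend
            entry.retries += 1
            self.send(entry, entry.last_msg)
            return "retry"
        entry.cookie_r = cookie_r
        entry.state, msg = self.NEXT[entry.state]
        entry.retries = 0
        if msg:
            self.send(entry, msg)
        else:
            entry.deadline = float("inf")       # established: nothing left to retransmit
        return entry.state


class ConflictMonitor:
    """Step 5.1.2: per-source counter and timer; alarm when the conflict rate exceeds a threshold."""

    def __init__(self, threshold, window, now=time.monotonic):
        self.threshold, self.window, self.now = threshold, window, now
        self.sources = {}                       # source -> (count, window start)

    def record(self, source):
        now = self.now()
        count, start = self.sources.get(source, (0, now))
        if now - start > self.window:           # window elapsed: restart the timer and the counter
            count, start = 0, now
        count += 1
        self.sources[source] = (count, start)
        return count / max(now - start, 1.0) > self.threshold   # True = alarm the management system
```

Rejecting a packet whose cookie pair does not match the stored entry is what gives the table its anti-replay property; the retry threshold is what bounds the memory a peer can pin by never answering.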

Claims (5)

1. A high-speed secure virtual private network system based on a network processor, comprising microengine clusters, a core, at least one SRAM memory unit with an SRAM memory controller, at least one DRAM memory unit with a DRAM memory controller, an MSF and a hash unit; two said microengine clusters are connected in series, and each microengine cluster is formed by 8 microengines connected in series; said two microengine clusters, the core, the MSF and the hash unit are each connected to a PCI bus; each SRAM memory unit and DRAM memory unit is connected to the PCI bus through the SRAM memory controller and the DRAM memory controller respectively, and said PCI bus is connected to the management system module of a host computer; said network processor is an IXP2850; characterized in that:
said microengines comprise an interface micromodule I, a security association micromodule, an encryption/decryption micromodule, a protocol processing micromodule and an IKE micromodule; said core comprises an initialization micromodule, an interface micromodule II, a supervisor micromodule and an abnormal-condition handling micromodule;
said initialization micromodule is connected respectively to said interface micromodule I, security association micromodule, encryption/decryption micromodule, protocol processing micromodule, IKE micromodule, interface micromodule II, supervisor micromodule and abnormal-condition handling micromodule; said interface micromodule I is connected respectively to interface micromodule II, the security association micromodule, the protocol processing micromodule and the IKE micromodule; said interface micromodule II is connected respectively to the supervisor micromodule and the abnormal-condition handling micromodule;
said security association micromodule is connected to the protocol processing micromodule, the IKE micromodule, the supervisor micromodule, the encryption/decryption micromodule, the SRAM memory unit and the DRAM memory unit; said protocol processing micromodule is connected to the supervisor micromodule, the IKE micromodule, the encryption/decryption micromodule, the SRAM memory controller and the DRAM memory controller; said supervisor micromodule is connected to the IKE micromodule, the SRAM memory controller, the DRAM memory controller and the management system module of the host computer;
said encryption/decryption micromodule is tightly coupled with the system's encryption/decryption core and supports the DES, 3DES, HMAC-MD5 and HMAC-SHA-1 algorithms, achieving high-speed data encryption and decryption;
said security association micromodule, through data operations on SRAM and DRAM, provides automatic creation, update, deletion and lookup/filtering of the service state and security association data, namely it performs fast rule matching on security policy IDs, the Security Policy Database and the Security Association Database, performs filter matching of the security associations corresponding to ESP tunnel mode and AH tunnel mode, and provides the protocol parameters; said security association match filtering uses a hash lookup algorithm for the matched search;
said protocol processing micromodule parses, strips and encapsulates the packet network protocols, namely it performs protocol parsing and encapsulation of inbound and outbound data packets, forwarding, and the anti-replay-attack function;
said IKE micromodule establishes, updates and deletes the associated security parameters with a network peer; said IKE micromodule, according to the service state list of the management system, completes the IKE key exchange in the aggressive mode of the ISAKMP standard with a specific VPN server, thereby resisting certain man-in-the-middle attacks; said IKE micromodule runs 8 threads in parallel to improve processing efficiency, the shared memory space being managed through read-write locks to prevent data corruption; said IKE micromodule creates an IKE negotiation state entry in the service state list that records the exchange state, the parameters of each exchange and the memory address pointers of the corresponding resources, and has a timer and a counter, which effectively resolves the coordination of multithreaded operation and provides a certain anti-replay capability;
said supervisor micromodule manages the communication and data table stacks between the ME modules, the XScale module and the management system; it uses a bidirectional communication mechanism: (1) it communicates with the management system to provide manual administration of the service state list, the Security Policy Database, the Security Association Database and keys, log maintenance and function adjustment; (2) it communicates with the microengine (ME) modules to provide abnormal-condition handling, time synchronization and data passing for preset IKE key exchanges;
said abnormal-condition handling micromodule handles abnormal conditions and prevents process congestion;
said initialization micromodule initializes each functional module and establishes the related data; said initialization micromodule places the code of each functional micromodule in said IXP2850, allocates memory resources, initializes the address pointers, initializes each internal register of the network processor, and places the security associations in the SRAM memory device.
2. An implementation method of the high-speed secure virtual private network system based on a network processor according to claim 1, characterized by comprising the steps:
(1) setting up the system and performing the initial configuration;
(2) when the network processor receives a legal VPN data packet, reassembling the packet and storing it in said DRAM, and generating the corresponding packet descriptor in said SRAM, which records the storage parameters of the packet in said DRAM, said storage parameters comprising the memory location, receiving port and protocol type; interface micromodule I, by identifying the receiving port and protocol type, hands the VPN data packet to the protocol processing micromodule for processing;
(3) after the protocol processing micromodule receives the signal and packet descriptor passed by the interface program, it reads the packet header according to the packet descriptor, parses the key fields, and divides packets into three types for processing: inbound packets, outbound packets and IKE packets; said processing of inbound packets comprises ESPi and AHi processing, and said processing of outbound packets comprises ESPo and AHo processing;
(4) said interface micromodule II obtains the packet memory address pointer; on the one hand, according to the requirements of the host computer's management system, it forwards packets of different types to the abnormal-condition handling micromodule or forwards them directly into the network; on the other hand, according to requests from the microengines, it forwards packets of different types to the abnormal-condition handling micromodule for processing or to the supervisor micromodule for uploading to the host computer management system, after which interface micromodule II deposits them in the designated memory space for extraction with the memory address pointer;
(5) the abnormal-condition handling micromodule responds to requests from the microengines and handles abnormal conditions: it reads the packet headers of each kind, processes them by category, and forwards the packets into the network;
(6) the supervisor micromodule responds to host computer system administration requests by generating IKE requests and sending them to the microengine IKE micromodule; it receives the uploaded logs and processing signals of each kind from the microengines and passes them on time to the management system module of the host computer through the protocol communication mechanism; it receives information from the management system, parses the system commands, and performs active operations such as security policy modification and service state list modification.
3. The implementation method of the high-speed secure virtual private network system based on a network processor according to claim 2, characterized in that said initial configuration of step (1) means:
1.1 placing the programs of interface micromodule I, the security association micromodule, the encryption/decryption micromodule and the protocol processing micromodule in the microengines;
1.2 placing interface micromodule II, the supervisor micromodule and the abnormal-condition handling micromodule in the core;
1.3 initializing each memory unit, allocating memory space, and storing the constructed security association data and the service state list in the respective memory units, wherein:
1.3.1 a keyword hash is computed over the data of the ESP outbound packet SPD (E1) to build the corresponding hash table, which is stored in SRAM; the address pointer of each SPD entry is either empty or points to an SA bundle in the security association database SADB (E2);
1.3.2 the hash table of ESP inbound packet SAIDs is stored in SRAM and the corresponding SADB (E2) is stored in DRAM; each SAID address pointer points to an SA bundle in the SADB, and each SADB address pointer points to an SPD entry in SPD (E1);
1.3.3 a keyword hash is computed over the data of the AH outbound packet SPD (A1) to build the corresponding hash table, which is stored in SRAM; the address pointer of each SPD entry is either empty or points to an SA bundle in SADB (A2);
1.3.4 the hash table of AH inbound packet SAIDs is stored in SRAM and the corresponding SADB (A2) is stored in DRAM; each SAID address pointer points to an SA bundle in the SADB, and each SADB address pointer points to an SPD entry in SPD (A1);
1.3.5 the service state list is stored in SRAM and the ISAKMP SA is stored in DRAM;
said processing of inbound ESP packets in step (3) comprises the following steps:
3.a.1 determine from the receiving port of the packet that it is an inbound packet, and from the protocol number of the tunnel IP header that it carries an ESP payload; go to step 3.a.2;
3.a.2 determine from the packet descriptor whether reassembly of the packet is complete; if so go to step 3.a.3, otherwise discard the packet, record it in the log, and go to step 3.a.1;
3.a.3 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the tunnel IP header destination address and protocol number and the ESP header SPI to form the SAID, hash it to obtain He(x2), and search SRAM for the matching security association; if there is no match, discard the packet, record it in the log, and go to step 3.a.1; if there is a match, read the corresponding security association into the DRAM transfer register and go to step 3.a.4;
3.a.4 read the ESP header sequence number and check whether it falls within the valid window of this security association; if so go to step 3.a.5, otherwise discard the packet, record it in the log, and go to step 3.a.1;
3.a.5 read the ESP authentication data, reconstruct the ICV of the ESP packet, and perform integrity verification with the algorithm given by the security association; if consistent go to step 3.a.6, if inconsistent discard the packet, record it in the log, and go to step 3.a.1;
3.a.6 read the initialization vector from the ESP header and decrypt the encrypted payload with the cipher algorithm and key given by the security association; if decryption succeeds go to step 3.a.7; if decryption fails, discard the packet, record it in the log, and go to step 3.a.1;
3.a.7 remove the ESP trailer from the decrypted plaintext to obtain the original packet; read the original packet's destination address, source address, protocol number and port numbers and verify their legitimacy against SPD (E1); if they conform, pass the packet to the routing module for forwarding and record it in the log; if they do not conform, discard the packet, send an interrupt request to interface micromodule II, hand it over to the abnormal-condition handling micromodule, record it in the log, and go to step 3.a.1;
said processing of inbound AH packets in step (3) comprises the following steps:
3.b.1 determine from the receiving port of the packet that it is an inbound packet, and from the protocol number of the tunnel IP header that it carries an AH payload; go to step 3.b.2;
3.b.2 determine from the packet descriptor whether reassembly of the packet is complete; if so go to step 3.b.3, otherwise discard the packet, record it in the log, and go to step 3.b.1;
3.b.3 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the tunnel IP header destination address and protocol number and the AH header SPI to form the SAID, hash it to obtain Ha(x2), and search SRAM for the matching security association; if there is no match, discard the packet, record it in the log, and go to step 3.b.1; if there is a match, read the corresponding security association into the DRAM transfer register and go to step 3.b.4;
3.b.4 read the AH header sequence number and check whether it falls within the valid window of this security association; if so go to step 3.b.5, otherwise discard the packet, record it in the log, and go to step 3.b.1;
3.b.5 extract the ICV field of the AH authentication data, save it and zero the field, then compute the authentication value with the authentication algorithm and key given by the security association; if the result is consistent with the saved ICV go to step 3.b.6; if inconsistent, discard the packet, record it in the log, and go to step 3.b.1;
3.b.6 remove the tunnel IP header and the AH header, read the original packet's destination address, source address, protocol number and port numbers and verify their legitimacy against SPD (A1); if they conform, pass the packet to the routing module for forwarding; if they do not conform, discard the packet, send an interrupt request to interface micromodule II, hand it over to the abnormal-condition handling micromodule, record it in the log, and go to step 3.b.1;
said processing of outbound ESP packets in step (3) comprises the following steps:
3.c.1 determine from the receiving port of the packet that it is an outbound packet, and from the protocol number of the tunnel IP header that it is an ESP packet; go to step 3.c.2;
3.c.2 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the IP header destination address, source address, protocol number and port numbers to form the SPD key, hash it to obtain He(x1), and search SRAM for the matching security association; if there is no match, discard the packet, record it in the log, and go to step 3.c.1; if there is a match, go to step 3.c.3;
3.c.3 check whether the address pointer of the corresponding SPD (E1) entry is zero; if so, send a security association establishment request to the IKE micromodule, discard the packet, record it in the log, and go to step 3.c.1; otherwise go to step 3.c.4;
3.c.4 store the outbound IP header in a register; pad the tail of the outbound packet to a length of 32n-16 bits, append an 8-bit pad length field giving the length of the padding and an 8-bit next header field identifying the protocol of the content encapsulated by this ESP, and decrement the TTL of the outbound IP header by 1; with the cipher algorithm, key and initialization vector given by the security association, encrypt the padded outbound packet from after the initialization vector up to and including the next header field, replace the original plaintext packet with the encrypted output, and go to step 3.c.5;
3.c.5 construct the ESP payload according to the security association: read the SPI and sequence number to construct the ESP header, append the initialization vector after the ESP header, prepend the constructed ESP header to the packet encrypted in the previous step, and go to step 3.c.6;
3.c.6 determine from the security association whether authentication is enabled; if so, read the authentication algorithm and key, compute the hash over the whole ESP payload, insert the result into the ICV field of the ESP packet, and go to step 3.c.7; if not, go to step 3.c.7;
3.c.7 construct the tunnel header of this outbound ESP packet according to the security association, where the total length is the length of the newly constructed packet, the protocol number is 50, and the source and destination addresses are specified by SADB (E1); go to step 3.c.8;
3.c.8 pass the outbound ESP packet to the routing module for forwarding;
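The inbound ESP steps 3.a.3 to 3.a.7 and the outbound steps 3.c.4 to 3.c.7 above are the two halves of one ESP tunnel-mode path. The block below is an added example and is not the patent's microcode: it implements both halves for IPv4 with the RFC 2410 NULL cipher (IV length 0, block size 1) in place of the DES/3DES of the claims, since the Python standard library has no DES, and with HMAC-SHA-1-96 as the ICV. The SAD is a dictionary keyed by the SAID of step 3.a.3 (tunnel destination, protocol, SPI), the 64-entry replay window and the single SPD selector per SA are assumptions, and the addresses and payload in the test are constructed.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

ESP_PROTO = 50
ICV_LEN = 12          # HMAC-SHA-1-96: the 160-bit HMAC truncated to 96 bits
WINDOW = 64           # anti-replay window width in sequence numbers (assumed)


@dataclass
class EspSA:
    spi: int
    tunnel_src: bytes           # 4-byte IPv4 addresses of the tunnel endpoints
    tunnel_dst: bytes
    auth_key: bytes
    selector: tuple             # (inner src, inner dst, inner protocol) from the SPD (E1) entry
    seq_out: int = 0
    seq_high: int = 0           # highest sequence number that passed ICV verification
    bitmap: int = 0             # bit k set <=> seq_high - k already received


def ipv4_header(src, dst, proto, total_len, ttl=64):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", (~s) & 0xFFFF) + h[12:]


def replay_check(sa, seq):
    """Step 3.a.4: is seq inside the window and not yet seen? Does not modify the window."""
    if seq == 0 or seq > sa.seq_high:
        return seq != 0
    diff = sa.seq_high - seq
    return diff < WINDOW and not (sa.bitmap >> diff) & 1


def replay_update(sa, seq):
    """Advance the window. Call only after the ICV verified: a forged sequence number must not move it."""
    if seq > sa.seq_high:
        sa.bitmap = ((sa.bitmap << (seq - sa.seq_high)) | 1) & ((1 << WINDOW) - 1)
        sa.seq_high = seq
    else:
        sa.bitmap |= 1 << (sa.seq_high - seq)


def icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(sa, inner):
    """Steps 3.c.4 to 3.c.7 with the NULL cipher; inner is the original IPv4 packet."""
    pad_len = (-(len(inner) + 2)) % 4                 # payload + trailer ends on a 32-bit boundary (32n-16 + 16)
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])   # pad bytes 1,2,..., pad length, next header 4 = IP-in-IP
    sa.seq_out += 1
    body = struct.pack("!II", sa.spi, sa.seq_out) + inner + trailer   # NULL encryption is the identity
    esp = body + icv(sa, body)                                         # 3.c.6: ICV over ESP header and ciphertext
    outer = ipv4_header(sa.tunnel_src, sa.tunnel_dst, ESP_PROTO, 20 + len(esp))   # 3.c.7
    return outer + esp


def esp_decapsulate(sad, packet):
    """Steps 3.a.3 to 3.a.7. Returns (inner packet, "ok") or (None, reason for the log)."""
    ihl = (packet[0] & 0x0F) * 4
    proto, dst = packet[9], packet[16:20]
    esp = packet[ihl:]
    if proto != ESP_PROTO or len(esp) < 8 + 2 + ICV_LEN:
        return None, "not ESP"
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get((dst, proto, spi))                   # 3.a.3: SAID lookup
    if sa is None:
        return None, "no SA"
    if not replay_check(sa, seq):                     # 3.a.4
        return None, "replay"
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa, body)):  # 3.a.5: constant-time comparison
        return None, "bad ICV"
    replay_update(sa, seq)
    plain = body[8:]                                  # 3.a.6: NULL decryption
    pad_len, next_hdr = plain[-2], plain[-1]          # 3.a.7: strip the trailer, check the pad bytes
    if pad_len + 2 > len(plain) or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None, "bad padding"
    inner = plain[:-2 - pad_len]
    if next_hdr != 4 or (inner[12:16], inner[16:20], inner[9]) != sa.selector:
        return None, "policy mismatch"                # SPD (E1) legitimacy check on the inner selectors
    return inner, "ok"
```

The order of the checks is the security-relevant point: the window is consulted before the ICV is verified (cheap rejection of replays) but advanced only after it, so an attacker cannot slide the window past legitimate traffic by spraying high sequence numbers with bad ICVs.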
said processing of outbound AH packets in step (3) comprises the following steps:
3.d.1 determine from the receiving port of the packet that it is an outbound packet, and from the protocol number of the tunnel IP header that it is an AH packet; go to step 3.d.2;
3.d.2 read the packet header according to the memory address in the packet descriptor and store it in the ME transfer register; read the IP header destination address, source address, protocol number and port numbers to form the SPD key, hash it to obtain Ha(x1), and search SRAM for the matching security association; if there is no match, discard the packet, record it in the log, and go to step 3.d.1; if there is a match, go to step 3.d.3;
3.d.3 check whether the address pointer of the corresponding SPD (A1) entry is zero; if so, send a security association establishment request to the IKE micromodule, discard the packet, record it in the log, and go to step 3.d.1; otherwise go to step 3.d.4;
3.d.4 read the version number of the outbound packet and construct the AH header according to the security association from the SPI, the sequence number and the computed payload length; prepend the AH header to the outbound packet, read the authentication algorithm and key, compute the hash from the AH header to the end of the packet to obtain the authentication data, insert it into the AH header, and go to step 3.d.5;
3.d.5 construct the tunnel header of this outbound AH packet according to the security association, where the total length is the length of the newly constructed packet, the protocol number is 51, and the source and destination addresses are specified by SADB (A1); go to step 3.d.6;
3.d.6 pass the outbound AH packet to the routing module for forwarding;
said processing of IKE packets in step (3) comprises the following steps:
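What distinguishes AH (steps 3.b.5 and 3.d.4 above) from ESP is that the ICV covers the outer IP header as well, with the fields that change in transit zeroed, and that the receiver verifies by saving the ICV, zeroing the field and recomputing. The block below is an added example, not the patent's code: tunnel-mode AH over IPv4 with HMAC-SHA-1-96, the mutable fields of RFC 2402 zeroed (TOS, flags/fragment offset, TTL, header checksum). The SAD dictionary keyed by (tunnel destination, protocol, SPI), the dataclass layout and the addresses in the test are assumptions; the sequence-number window of step 3.b.4 is the same as for ESP and is not repeated here.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

AH_PROTO = 51
ICV_LEN = 12          # HMAC-SHA-1-96
AH_FIXED = 12         # next header, payload length, reserved, SPI, sequence number


@dataclass
class AhSA:
    spi: int
    tunnel_src: bytes
    tunnel_dst: bytes
    auth_key: bytes
    seq_out: int = 0


def ipv4_header(src, dst, proto, total_len, ttl=64):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", (~s) & 0xFFFF) + h[12:]


def zero_mutable(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum may change en route, so the ICV sees them as zero."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_icv(sa, outer, ah_fixed, inner):
    covered = zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + inner   # the ICV field itself counts as zeros
    return hmac.new(sa.auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_encapsulate(sa, inner):
    """Steps 3.d.4 to 3.d.6: AH header, ICV from the outer header to the end of the packet, tunnel header."""
    sa.seq_out += 1
    ah_len = AH_FIXED + ICV_LEN
    outer = ipv4_header(sa.tunnel_src, sa.tunnel_dst, AH_PROTO, 20 + ah_len + len(inner))
    # payload length field = AH length in 32-bit words minus 2; next header 4 = IP-in-IP
    ah_fixed = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, sa.spi, sa.seq_out)
    return outer + ah_fixed + ah_icv(sa, outer, ah_fixed, inner) + inner


def ah_decapsulate(sad, packet):
    """Steps 3.b.3, 3.b.5 and 3.b.6. Returns (inner packet, next header) or (None, reason)."""
    ihl = (packet[0] & 0x0F) * 4
    outer, rest = packet[:ihl], packet[ihl:]
    if outer[9] != AH_PROTO or len(rest) < AH_FIXED:
        return None, "not AH"
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED])
    ah_len = (payload_len + 2) * 4
    sa = sad.get((outer[16:20], AH_PROTO, spi))       # 3.b.3: SAID lookup
    if sa is None:
        return None, "no SA"
    tag = rest[AH_FIXED:ah_len]                       # 3.b.5: save the received ICV ...
    inner = rest[ah_len:]
    expected = ah_icv(sa, outer, rest[:AH_FIXED], inner)   # ... and recompute with the field zeroed
    if not hmac.compare_digest(tag, expected):
        return None, "bad ICV"
    return inner, next_hdr                            # 3.b.6: tunnel header and AH header stripped
```

The test shows the consequence of the mutable-field rule: a router decrementing the outer TTL does not break the ICV, while any change to an immutable field such as the outer source address or the inner packet does.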
3.e.1 monitor signals from inside the system for an IKE request; if there is one go to step 3.e.3, otherwise go to step 3.e.2;
3.e.2 monitor UDP packets arriving on port 500 for an IKE request packet; if there is one go to step 3.e.3, otherwise go to step 3.e.1;
3.e.3 read the source address, destination address and port numbers of this IKE packet and compare them with the service state list to determine whether another IKE negotiation on the same socket is currently in progress; if so go to step 3.e.4, otherwise go to step 3.e.5;
3.e.4 read the service state list, obtain the corresponding authentication parameters and negotiation state parameters, and verify the current IKE packet; if it conforms, jump to the specific step according to the negotiation state; otherwise refuse the request, send an interrupt request to interface micromodule II, hand it over to the abnormal-condition handling micromodule, and go to step 3.e.1;
3.e.5 match the destination address and port numbers against the service state list to determine whether this request falls within the VPN service range provided; if so go to step 3.e.6; otherwise send an interrupt request to interface micromodule II, hand it over to the abnormal-condition handling micromodule, and go to step 8.1;
3.e.6 create the IKE descriptor, create the local server cookie, form the IKE negotiation state entry of the current service state list together with parameters such as the counter and store it in SRAM, send a permission signal for this request internally, and go to step 3.e.7;
3.e.7 if the local server is the IKE initiator go to step 3.e.8; if the local server is the IKE responder go to step 3.e.21;
3.e.8 construct the initiator HDR, read the ISAKMP SA and construct the SA payload; add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM, start the timer, and go to step 3.e.9;
3.e.9 when the timer expires the event thread is woken and reads the negotiation state entry and checks the counter against its threshold; if within the threshold, modify the negotiation state entry and go to step 3.e.8, otherwise go to step 3.e.10;
3.e.10 receive the response packet from the destination server, read the response cookie and SA payload, obtain the phase I negotiation parameters, establish the corresponding security association in DRAM, and go to step 3.e.11;
3.e.11 generate the random private value X and the nonce payload Ni and perform the Diffie-Hellman (hereinafter D-H) exchange: build a packet from HDR, the initiator's D-H public key Kx and the nonce payload Ni, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM, start the timer, and go to step 3.e.12;
3.e.12 when the timer expires the event thread is woken and reads the negotiation state entry and checks the counter against its threshold; if within the threshold, modify the negotiation state entry and go to step 3.e.11, otherwise go to step 3.e.13;
3.e.13 receive the response packet from the destination server, obtain the phase II negotiation parameters, read the responder's D-H public key Ky and nonce payload Nr, compute the shared key Kxy, perform the independent key derivation, and go to step 3.e.14;
3.e.14 perform the phase III consistency check of the negotiation: use the negotiation algorithm with the private key to produce the digital signature SIGi, assemble the encrypted HDR*, the local server identity, the negotiation certificate and SIGi in order into a packet, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM, start the timer, and go to step 3.e.15;
3.e.15 when the timer expires the event thread is woken and reads the negotiation state entry and checks the counter against its threshold; if within the threshold, modify the negotiation state entry and go to step 3.e.14, otherwise go to step 3.e.16;
3.e.16 receive the response packet from the destination server, obtain the phase III negotiation parameters, verify the peer's identity and certificate, and verify the peer's digital signature with the negotiation algorithm and key; if there is no error the negotiation succeeds and go to step 3.e.17; if there is an error, discard the packet, increment the counter, and go to step 3.e.14;
3.e.17 establish the IPSec SA: according to RFC 2409 generate the nonce payload Ni and the hash HASH(1); according to the service state list, offer one or more SAs and decide whether to provide PFS (Perfect Forward Secrecy); build the initiator IPSec SA negotiation packet, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM, start the timer, and go to step 3.e.18;
3.e.18 when the timer expires the event thread is woken and reads the negotiation state entry and checks the counter against its threshold; if within the threshold, modify the negotiation state entry and go to step 3.e.17, otherwise go to step 3.e.19;
3.e.19 receive the response packet from the destination server and perform state authentication and digital signature verification; if there is no error go to step 3.e.20; if there is an error, discard the packet and go to step 3.e.17;
3.e.20 obtain the corresponding security association, the IPSec SA having been established successfully; generate the hash HASH(3), build the final negotiation response, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM; send an IKE negotiation success signal internally and go to step 3.e.1;
3.e.21 receive the IKE negotiation initiation packet, read the initiator's HDR parameters and parse the SA payload of the packet; read the security policy from the service list and match it against the security association proposals offered by the initiator; if there is a match go to step 3.e.22; if there is no match, discard the packet and send an IKE request refusal signal internally;
3.e.22 construct the responder HDR, select the relevant SA payload from the service state list and the ISAKMP SA, build the phase I response packet, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM, start the timer, and go to step 3.e.23;
3.e.23 when the timer expires the event thread is woken and reads the negotiation state entry and checks the counter against its threshold; if within the threshold, modify the negotiation state entry and go to step 3.e.22, otherwise go to step 3.e.24;
3.e.24 receive the initiation packet from the destination server, obtain the phase II negotiation parameters, read the initiator's D-H public key Kx and nonce payload Ni; generate the random private value Y and the nonce payload Nr, compute the shared key Kxy, and perform the independent key derivation to obtain the phase III negotiation parameters; build the response packet from HDR, the responder's D-H public key Ky and the nonce payload Nr, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, modify the negotiation state entry and record it in SRAM, and go to step 3.e.25;
3.e.25 when the timer expires the event thread is woken and reads the negotiation state entry and checks the counter against its threshold; if within the threshold, modify the negotiation state entry and go to step 3.e.24, otherwise go to step 3.e.26;
3.e.26 receive the response packet from the destination server and verify the initiator's HDR*, server identity, certificate and SIGi; if there is no error the negotiation succeeds: assemble the encrypted HDR*, the local server identity, the negotiation certificate and SIGr in order into a packet, add the UDP header, add the outbound packet header, pass it to the routing module for forwarding, record the security parameters, modify the IKE negotiation state entry, and go to step 3.e.27; if there is an error, discard the packet, increment the counter, and go to step 3.e.24;
3.e.27 establish the IPSec SA: receive the initiation packet from the destination server and perform authentication and digital signature verification; if there is no error go to step 3.e.28; if there is an error, discard the packet and go to step 3.e.24;
3.e.28 obtain promoter HASH (1), transient load Ni, alternative security association, and other service entry parameter, relevant SA load chosen through service state tabulation and IPSec SA; Generate transient load Ni, digital signature HASH (2), make up respond packet, add the UDP head; Add the packet header of going out; Pass to routing module and transmit and revise the negotiation state list item and be recorded in and deposit SRAM, start timer, execution in step 3.e.29;
3.e.29 timer expired wake events thread reads the negotiation state list item, checks the counter threshold values, revises the negotiation state list item, execution in step 3.e.28, otherwise execution in step 3.E.29;
3.e.30 receive the respond packet of destination server, carry out authentication, digital signature verification, if errorless then ike negotiation success; Modification negotiation state list item is recorded in deposits SRAM; Inwardly authorize and send ike negotiation to become function signal, if execution in step 3.e.1 is wrong; Enabling counting device then, execution in step 3.e.28;
3.e.31 more than relate to service state tabulation read-write operation, overall general register is specified in preliminary examination, value is 1 and waits poll to wait for; Value is 0 further operation; Before the operation register value is put 1, after the operation register value is put 0.
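The steps above share one pattern: a proposal is sent, a timer is started, the timer-expiry event thread compares a per-negotiation counter with a threshold and either retransmits or gives up, and a response that fails verification is dropped and the proposal re-sent, while every access to the service state list is serialised through the global register of step 3.e.31. The following is an added Python model of that pattern; it is illustrative code, not the patent's network-processor microcode. The class and function names, the value of RETRY_THRESHOLD (the claims say only "the counter threshold"), the stage labels and the simulated peer addresses are all assumptions.

```python
"""Illustrative model of the IKE negotiation state entry and the timer/counter
retransmission pattern of steps 3.e.16 to 3.e.31 (added example, not the
patent's network-processor microcode).  RETRY_THRESHOLD, the class and
function names and the simulated peer are assumptions."""
from dataclasses import dataclass, field

RETRY_THRESHOLD = 3   # assumed; the claims only say "the counter threshold"


@dataclass
class NegotiationEntry:
    """One negotiation state list item; the claims keep these in SRAM."""
    peer: str
    stage: str               # e.g. "ipsec_sa_proposed", "ipsec_sa_established"
    retries: int = 0         # counter checked by the timer-expiry event thread
    timer_armed: bool = False
    log: list = field(default_factory=list)


class ServiceStateList:
    """Service state list guarded by the global register of step 3.e.31:
    1 means a thread is inside the list, 0 means it is free."""

    def __init__(self, entries):
        self.register = 0
        self.entries = entries   # (src, dst, port, service type, policy), per claim 4

    def with_lock(self, fn):
        polls = 0
        while self.register == 1:          # poll-wait while another user holds it
            polls += 1
            if polls > 1000:               # single-threaded demo: do not spin forever
                raise RuntimeError("service state list never released")
        self.register = 1                  # set to 1 before the operation
        try:
            return fn(self.entries)
        finally:
            self.register = 0              # reset to 0 after the operation


def send_proposal(entry, transmit):
    """Steps 3.e.17 / 3.e.22 / 3.e.28: hand the packet to the routing module
    (here a callback), update the state entry and arm the timer."""
    transmit(entry.peer, entry.stage)
    entry.timer_armed = True
    entry.log.append(f"sent {entry.stage} (attempt {entry.retries + 1})")


def retry_or_abandon(entry, transmit):
    """Shared tail of the timer-expiry and verification-failure paths: retransmit
    while the counter is below the threshold, otherwise abandon the negotiation."""
    if entry.retries >= RETRY_THRESHOLD:
        entry.stage = "failed"
        entry.timer_armed = False
        entry.log.append("retry threshold reached, negotiation abandoned")
        return "abandoned"
    entry.retries += 1                     # "enable the counter"
    send_proposal(entry, transmit)
    return "retransmitted"


def on_timer_expired(entry, transmit):
    """Steps 3.e.18 / 3.e.23 / 3.e.25 / 3.e.29: the event thread re-reads the
    entry and compares the counter with the threshold."""
    entry.timer_armed = False
    return retry_or_abandon(entry, transmit)


def on_response(entry, verified, transmit):
    """Steps 3.e.19 / 3.e.30: a verified response completes the negotiation and
    signals success; an unverifiable one is dropped and the proposal re-sent."""
    if verified:
        entry.stage = "ipsec_sa_established"
        entry.timer_armed = False
        entry.log.append("IKE negotiation success signalled to management")
        return "success"
    entry.log.append("response failed verification, packet dropped")
    return retry_or_abandon(entry, transmit)


def simulate():
    """Constructed scenario (not from the patent): the first response fails
    verification, then a timer expiry, then a valid response."""
    wire = []                                       # packets given to the routing module
    transmit = lambda peer, stage: wire.append((peer, stage))
    svc = ServiceStateList([("10.0.0.1", "10.0.0.2", 500, "ipsec", "require-esp")])
    entry = NegotiationEntry(peer="10.0.0.2", stage="ipsec_sa_proposed")
    # every read of the service state list goes through the register lock (3.e.31)
    policy = svc.with_lock(lambda rows: next(r[4] for r in rows if r[1] == entry.peer))
    send_proposal(entry, transmit)
    results = [on_response(entry, False, transmit),   # 3.e.19 failure path
               on_timer_expired(entry, transmit),     # 3.e.18 retransmission
               on_response(entry, True, transmit)]    # 3.e.20 success
    return policy, entry, results, len(wire), svc.register


if __name__ == "__main__":
    print(simulate())
```

The register lock is a plain spin lock with no ownership or timeout, exactly as the claim describes it; on a real microengine the poll loop would be a hardware wait, so the 1000-poll cap exists only to keep the single-threaded demo from hanging if a caller forgets to release.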
4. The implementation method of the high-speed secure virtual private network system based on a network processor according to claim 3, characterized in that the service state list described in step 1.3.5 comprises the source address, destination address and port number of the VPN service provided by this server, the type of service provided, the security policy and the IKE negotiation state, and also comprises the address pointers of the above-mentioned E1, A1 and ISAKMP SA.
5. The implementation method of the high-speed secure virtual private network system based on a network processor according to claim 2, characterized in that the handling of abnormal conditions in step (5) comprises the following steps:
5.1 Parse the interrupt requests passed on by interface micromodule II and process them by class;
5.1.1 For a security association database address-chain error, determine the cause of the fault, obtain the parameters of the erroneous security association and search the service state list: if there is a match, send an SPD build request to the management system; if there is no match, delete the erroneous security association and send deletion information to the management system;
5.1.2 For IKE key exchange conflict handling, obtain the parameters of the conflicting IKE exchange and start the conflict-source counter and timer; when a similar conflict occurs again, compare the time and the number of occurrences and perform a ranking operation; when the result exceeds the threshold, send an alarm signal to the management system;
5.2 Monitor the storage space of each list; when the capacity exceeds the warning level, send an alarm signal to the management system.
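Step (5) describes three independent checks: classifying interrupt requests from interface micromodule II, handling a security association address-chain fault by matching the failing SA against the service state list, counting IKE key-exchange conflicts per source and alarming past a threshold, and watching list capacity. The following Python model is an added example, not the patent's code; the interrupt field names, the SPI-keyed SA database, the alarm threshold, the time window (a simplification of the claim's "compare the time and the number of occurrences"), the warning ratio and the sample events are all assumptions.

```python
"""Illustrative model of the abnormal-condition handling in step (5): classifying
interrupt requests from interface micromodule II (5.1), the security association
address-chain fault path (5.1.1), the IKE key-exchange conflict counter (5.1.2)
and list capacity monitoring (5.2).  Added example, not the patent's code; the
field names, thresholds, time window and sample events are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

CONFLICT_ALARM_THRESHOLD = 3   # assumed: alarm once a source exceeds this many conflicts
CONFLICT_WINDOW = 60.0         # assumed: seconds within which repeats are counted together
CAPACITY_WARN_RATIO = 0.9      # assumed: warning level for list storage space


@dataclass
class ManagementSystem:
    """Collects the signals the claims send to the management system."""
    messages: list = field(default_factory=list)

    def signal(self, kind, detail):
        self.messages.append((kind, detail))


class AnomalyHandler:
    def __init__(self, service_state_list, mgmt):
        self.svc = service_state_list   # {(src, dst, port): policy}, per claim 4
        self.mgmt = mgmt
        self.sad = {}                   # security association database keyed by SPI
        self.conflicts = defaultdict(lambda: {"count": 0, "first": None})

    def handle_interrupt(self, irq):
        """5.1: dispatch an interrupt request by class (assumed 'type' field)."""
        if irq["type"] == "sa_chain_error":
            return self.sa_chain_error(irq)
        if irq["type"] == "ike_conflict":
            return self.ike_conflict(irq)
        return "ignored"

    def sa_chain_error(self, irq):
        """5.1.1: find the erroneous SA and look it up in the service state list;
        on a match ask management to rebuild the SPD entry, otherwise delete the
        SA and report the deletion."""
        sa = self.sad.get(irq["spi"])
        if sa is None:
            return "unknown_sa"
        key = (sa["src"], sa["dst"], sa["port"])
        if key in self.svc:
            self.mgmt.signal("spd_build_request", key)
            return "spd_rebuild"
        del self.sad[irq["spi"]]
        self.mgmt.signal("sa_deleted", key)
        return "sa_deleted"

    def ike_conflict(self, irq):
        """5.1.2: per conflict source, count repeats inside a time window (the
        claim's 'compare the time and the number of occurrences' reduced to a
        windowed count) and alarm once the threshold is exceeded."""
        rec = self.conflicts[irq["source"]]
        now = irq["time"]
        if rec["first"] is None or now - rec["first"] > CONFLICT_WINDOW:
            rec["first"], rec["count"] = now, 0       # start a new window / timer
        rec["count"] += 1
        if rec["count"] > CONFLICT_ALARM_THRESHOLD:
            self.mgmt.signal("ike_conflict_alarm", irq["source"])
            return "alarm"
        return "counted"

    def check_capacity(self, name, used, capacity):
        """5.2: monitor a list's storage space against the warning level."""
        if used >= capacity * CAPACITY_WARN_RATIO:
            self.mgmt.signal("capacity_alarm", (name, used, capacity))
            return True
        return False


def demo():
    """Constructed events (not from the patent) exercising each branch."""
    mgmt = ManagementSystem()
    svc = {("10.0.0.1", "10.0.0.2", 500): "require-esp"}
    handler = AnomalyHandler(svc, mgmt)
    handler.sad[0x1001] = {"src": "10.0.0.1", "dst": "10.0.0.2", "port": 500}  # matches
    handler.sad[0x1002] = {"src": "10.0.0.1", "dst": "10.0.0.9", "port": 500}  # no match
    events = [{"type": "sa_chain_error", "spi": 0x1001},
              {"type": "sa_chain_error", "spi": 0x1002}]
    events += [{"type": "ike_conflict", "source": "192.0.2.7", "time": 10.0 + i}
               for i in range(4)]                         # four conflicts in one window
    events.append({"type": "ike_conflict", "source": "192.0.2.7", "time": 500.0})  # new window
    outcomes = [handler.handle_interrupt(e) for e in events]
    capacity_alarm = handler.check_capacity("negotiation_state_list", 95, 100)
    return outcomes, capacity_alarm, mgmt.messages


if __name__ == "__main__":
    print(demo())
```

The windowed counter resets when a conflict from the same source arrives after the window has elapsed, so an isolated repeat does not accumulate toward the alarm; the threshold and window are the two knobs a deployment would tune against the volume of legitimate re-keying it expects.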

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008100273501A CN101262405B (en) 2008-04-11 2008-04-11 High-speed secure virtual private network channel based on network processor and its realization method

Publications (2)

Publication Number Publication Date
CN101262405A CN101262405A (en) 2008-09-10
CN101262405B true CN101262405B (en) 2012-10-31

Family

ID=39962624

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100273501A Expired - Fee Related CN101262405B (en) 2008-04-11 2008-04-11 High-speed secure virtual private network channel based on network processor and its realization method

Country Status (1)

Country Link
CN (1) CN101262405B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7239634B1 (en) * 2002-06-17 2007-07-03 Signafor, Inc. Encryption mechanism in advanced packet switching system
CN101102321A (en) * 2007-08-10 2008-01-09 中兴通讯股份有限公司 Implementation method of virtual route redundancy protocol based on layer 3 VLAN technology

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Feng Shaoshao et al. Firewall-integrated virtual private network module based on a network processor. ***工程与电子技术 30(2), 2008, 358-361. *

Also Published As

Publication number Publication date
CN101262405A (en) 2008-09-10

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121031

Termination date: 20150411

EXPY Termination of patent right or utility model