CN109218308A - High-speed secure data exchange method based on an intelligent network adapter - Google Patents
High-speed secure data exchange method based on an intelligent network adapter
- Publication number
- CN109218308A
- Authority
- CN
- China
- Prior art keywords
- data
- intelligent network
- network adapter
- exchange method
- queue
- Prior art date
- 2018-09-14
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0823—Errors, e.g. transmission errors
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/50—Queue scheduling
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a high-speed secure data exchange method based on an intelligent network adapter. Two intelligent accelerator cards are installed in test servers, which serve as the servers physically isolating the inner and outer networks and are placed between the intranet and the extranet. The extranet here may be the low-security Internet, a network of lower classification within the same department, or a lower-level unit of a different security class. When extranet data needs to be transmitted, the TCP/IP data stream is intercepted, the TCP/IP protocol framing is filtered out and discarded, the upper-layer application data is restored, and after a series of security protection measures such as security processing, the data is exchanged securely and at high speed into the intranet by this method.
Description
Technical field
The present invention relates to the field of computer network security. It can be integrated into a security isolation and information exchange system and can support high-speed secure data exchange over multiple logical transmission channels.
Background technique
With the continuous application and improvement of network technology, the Internet has become an important channel for publishing information and plays an indispensable key role in information exchange; a series of network applications such as enterprise office automation, e-commerce, open government affairs and the informatization of organizations has flourished accordingly. However, network attacks by hackers and viruses, the spread of viruses, unauthorized access, information leakage and similar problems mean that the information networks and core business data of enterprises and government organs face security risks, or lose timeliness, when partial sharing with the outside world is implemented.
Summary of the invention
The technical problem to be solved by the present invention is to address the above-mentioned problems faced by existing high-speed secure data exchange between a high-sensitivity network and a low-sensitivity network.
To remedy the above technical problems, the technical solution adopted by the present invention is as follows: a high-speed secure data exchange method based on an intelligent network adapter, comprising the following steps:
Two intelligent network adapters are configured and installed respectively in two hosts serving as test servers, with the physical interfaces of the intelligent network adapters directly connected;
The sending program on the transmitting host writes data into the memory of a zero-copy send channel, limits the transmission rate, and monitors the transmission state, interrupting the data transmission in real time if either side's network is abnormal;
The sending program switches to kernel mode, converts the data already written into the zero-copy send channel into hardware instructions, and inserts them into the IQ (instruction input) hardware queue;
The sending program sends a doorbell signal to the intelligent network adapter over PCI-E;
The intelligent network adapter fetches the original data to be sent through the PKI (packet input unit) and performs a data encryption operation on the original data with the hardware encryption/decryption engine;
The intelligent network adapter inserts the encrypted data into the send backup queue and then sends it to the peer through the transmission unit (PKO);
The intelligent network adapter at the receiving end receives the data through its PKI and decrypts it with the crypto engine;
The decrypted data is inserted into the receive order-preserving queue, and the intelligent network adapter transfers the original data through the DMA engine over the PCI-E bus into the receive queue of the host;
The intelligent network adapter at the receiving end forwards packet-loss messages and back-pressure information to the peer intelligent network adapter through the transmission unit;
The receiving program on the receiving host obtains the original data through the zero-copy receive queue.
Further, when the intelligent network adapter at the receiving end is not configured correctly or the receive channel is blocked, the data transmission is interrupted.
Further, the kernel automatically generates sequence numbers for the data to implement the order-preserving function.
Further, the intelligent network adapter at the receiving end monitors packet loss and the receive queue of the receiving host in real time.
The invention has the following advantages: using the multi-core platform of an intelligent 10-gigabit network adapter, functions such as order preservation, retransmission, encryption/decryption and zero-copy transmission of the data in the logical transmission channels are handled by the multi-core platform of the intelligent network adapter; combined with the dedicated transmit/receive interface provided on the x86 side, this realizes isolated data exchange between the internal and external networks and ensures high performance, high reliability and high security.
Description of the drawings
Fig. 1 is a schematic diagram of the sending logic of the invention.
Fig. 2 is a schematic diagram of the receiving logic of the invention.
Specific embodiment
A specific embodiment of the invention is described below with reference to the drawings.
In the high-speed secure data exchange method based on an intelligent network adapter of the invention, two intelligent accelerator cards are installed in test servers, which serve as the servers physically isolating the inner and outer networks and are placed between the intranet (high-sensitivity network) and the extranet (low-sensitivity network). The extranet here may be the low-security Internet, a network of lower classification within the same department, or a lower-level unit of a different security class. When extranet data needs to be transmitted, the TCP/IP data stream is intercepted, the TCP/IP protocol framing is filtered out and discarded, the upper-layer application data is restored, and after a series of security protection measures such as security processing, the data is exchanged securely and at high speed into the intranet by this method, and vice versa.
Network deployment is carried out first:
A) Two test servers serve as the interconnection devices between the high-sensitivity network and the low-sensitivity network.
B) In each test server, one intelligent network adapter with multiple 10-gigabit network interfaces is installed, and all 10-gigabit interfaces are directly connected by optical fibre.
Configure the multi-core platform of the intelligent network adapter: this includes the configuration of the hardware co-processors, namely PKI (packet input unit), PKO (packet output unit), DMA and Crypto (encryption/decryption); the dual-card handshake protocol; TX (transmit) state monitoring; the TX backup queue; TX retransmission; RX (receive) congestion; the RX order-preserving queue; the 64 concurrent logical transmission channels; network-interface monitoring statistics; and so on.
Configure the x86 side: zero-copy memory for high-speed data transmit/receive, transmission rate limiting, transmit/receive state, interface configuration, statistics management, the driver associated with the intelligent network adapter, and so on.
As shown in Fig. 1, the sending logic of the invention comprises the following steps:
1) Overall transmission rate limiting (within what a 10-gigabit interface can bear; here the rate is controlled to 9 Gbps or below): this mainly keeps data transmission within a reasonable range so as to ensure reliable transmission.
2) Transmission state monitoring: if either side's network is abnormal, the data transmission is interrupted/prevented in real time; during data transmission, if a link goes down, the system automatically switches to another valid link and continues the transmission.
3) The sending program writes data into the memory of the zero-copy send channel.
4) The sending program switches to kernel mode and converts the data already written into the zero-copy send channel into hardware instructions.
5) The hardware instructions are inserted into the IQ hardware queue.
6) A doorbell signal is sent to the intelligent network adapter over PCI-E.
7) The intelligent network adapter fetches the original data to be sent through the PKI.
8) The intelligent network adapter encrypts the original data with the hardware encryption/decryption engine.
9) The intelligent network adapter inserts the encrypted data into the send backup queue.
10) The intelligent network adapter sends the encrypted data to the peer through the PKO.
In step 2), a network abnormality on either side includes all links being down, the peer intelligent network adapter not being configured correctly, and the receive channel being congested.
In step 4), the kernel automatically generates sequence numbers for the data to implement the order-preserving function.
In step 9), the send backup queue mainly serves to ensure order preservation/retransmission of the data transmission.
As shown in Fig. 2, the receiving logic of the invention comprises the following steps:
1) The intelligent network adapter receives data through the PKI.
2) The intelligent network adapter decrypts the data with the crypto engine.
3) The intelligent network adapter inserts the original data into the receive order-preserving queue.
4) The intelligent network adapter transfers the original data through the DMA engine over the PCI-E bus into the x86 receive queue.
5) The intelligent network adapter monitors packet loss and the x86 receive queue in real time.
6) The intelligent network adapter forwards the relevant messages to the peer through the PKO.
7) The x86 receiving program obtains the original data through the zero-copy receive queue.
In step 3), the receive order-preserving queue mainly serves to ensure order preservation/retransmission of the data transmission.
In step 5), the x86 receive queue is monitored in real time, and congestion management is realized by sending back-pressure.
In step 6), the forwarded messages include packet-loss messages and transmission back-pressure messages.
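The sending logic (steps 1 to 10 above) and the receiving logic (steps 1 to 7), which are the same procedure the Summary of the invention lists, are modelled below in software as an added example. It is not the patent's code or any network adapter's firmware: the two cards become a `Sender` and a `Receiver` object, the fibre link becomes a Python list, the hardware encryption/decryption engine is stood in for by a SHAKE256 keystream with an HMAC-SHA256 tag keyed by the packet sequence number, and the shared key `KEY`, the host queue limit and the control message names LOSS, PAUSE and RESUME are assumptions. The constructed scenario loses one frame, tampers with another in flight and fills the host receive queue, which shows what the step list does not: how the kernel-assigned sequence number ties together the send backup queue, the receive order-preserving queue, the packet-loss message that triggers a retransmission and the back-pressure message that holds the sender, and that a frame modified in flight fails the integrity check and never reaches the host receive queue.

```python
# Constructed model of the patent's send/receive path (not the patent's code); a SHAKE256
# keystream plus HMAC-SHA256 stands in for the card's hardware encryption/decryption engine.
import hashlib
import hmac
import struct
from collections import deque

KEY = b"demo-key-provisioned-out-of-band"  # assumption: both cards share this key

def _xor_stream(key, seq, data):
    # Keystream from SHAKE256(key || seq): seq acts as the nonce and must never repeat under one key.
    stream = hashlib.shake_256(key + struct.pack(">Q", seq)).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, seq, payload):
    """Encrypt-then-MAC one payload under its sequence number: [seq:8][ciphertext][tag:16]."""
    body = struct.pack(">Q", seq) + _xor_stream(key, seq, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]

def unseal(key, frame):
    """Return (seq, plaintext), or None if the frame is truncated or fails the MAC."""
    body, tag = frame[:-16], frame[-16:]
    want = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if len(body) < 8 or not hmac.compare_digest(tag, want):
        return None
    seq = struct.unpack(">Q", body[:8])[0]
    return seq, _xor_stream(key, seq, body[8:])

class Sender:  # sending card: sequence numbering, send backup queue, back-pressure
    def __init__(self, key):
        self.key, self.next_seq, self.paused = key, 0, False
        self.backup = {}  # seq -> sealed frame, retained for retransmission

    def send(self, payload, link):
        if self.paused:
            return False  # held by back-pressure; the sending program retries later
        frame = seal(self.key, self.next_seq, payload)
        self.backup[self.next_seq] = frame
        self.next_seq += 1
        link.append(frame)
        return True

    def on_control(self, kind, seq, link):
        if kind == "LOSS" and seq in self.backup:
            link.append(self.backup[seq])  # retransmit straight from the backup queue
        elif kind in ("PAUSE", "RESUME"):
            self.paused = kind == "PAUSE"

class Receiver:  # receiving card: verify/decrypt, order-preserving queue, host queue, loss/back-pressure
    def __init__(self, key, host_queue_limit, peer, link):
        self.key, self.limit, self.expected, self.paused_sender = key, host_queue_limit, 0, False
        self.reorder, self.host_queue, self.peer, self.link = {}, deque(), peer, link

    def receive(self, frame):
        r = unseal(self.key, frame)
        if r is None:
            return "dropped"  # a corrupt or forged frame never reaches the host
        seq, data = r
        if seq < self.expected or seq in self.reorder:
            return "duplicate"  # replayed or already-buffered frame
        self.reorder[seq] = data  # receive order-preserving queue
        for s in range(self.expected, seq):  # every gap below this frame is reported to the peer
            if s not in self.reorder:
                self.peer.on_control("LOSS", s, self.link)
        self._drain()
        return "accepted"

    def _drain(self):  # move in-order records to the host queue; signal PAUSE when it is full
        while self.expected in self.reorder:
            if len(self.host_queue) >= self.limit:
                if not self.paused_sender:
                    self.paused_sender = True
                    self.peer.on_control("PAUSE", self.expected, self.link)
                break
            self.host_queue.append(self.reorder.pop(self.expected))
            self.expected += 1

    def host_read(self):  # host receive program takes one record from the zero-copy receive queue
        data = self.host_queue.popleft()
        if self.paused_sender:
            self.paused_sender = False
            self.peer.on_control("RESUME", self.expected, self.link)
            self._drain()
        return data

def run_demo():
    """Constructed scenario: frame 1 lost, frame 2 tampered in flight, host queue holds 2 records."""
    tx, wire, link = Sender(KEY), [], []
    rx = Receiver(KEY, host_queue_limit=2, peer=tx, link=link)
    for rec in (b"rec0", b"rec1", b"rec2", b"rec3"):
        tx.send(rec, wire)
    f0, f1, f2, f3 = wire
    tampered = f2[:-1] + bytes([f2[-1] ^ 0x01])
    outcomes = [rx.receive(f0), rx.receive(tampered), rx.receive(f3)]  # f1 never arrives
    retransmitted = [unseal(KEY, f)[0] for f in link]  # LOSS 1 and LOSS 2 pulled these from the backup
    arrivals = [rx.receive(f) for f in link]
    blocked = not tx.send(b"rec4", link)  # host queue full -> PAUSE -> sender held
    delivered = [rx.host_read() for _ in range(tx.next_seq)]  # each read may RESUME the sender
    return dict(outcomes=outcomes, retransmitted=retransmitted, arrivals=arrivals,
                blocked=blocked, delivered=delivered, replayed=rx.receive(f0))
```

The point a reviewer would check in the real design is the nonce rule in `_xor_stream`: the sequence number is the only thing that separates the keystreams of two frames, so it must never wrap or restart under the same key, and the patent text does not say how the key is provisioned or rotated between the two cards. The model leaves out the 9 Gbps rate limit and the trimming of the backup queue once frames are known to have arrived, and it repeats a lost-frame report for every later out-of-order frame, which a production card would rate-limit.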
The present invention uses the multi-core platform of an intelligent 10-gigabit network adapter: functions such as order preservation, retransmission, encryption/decryption and zero-copy transmission of the data in the logical transmission channels are handled by the multi-core platform of the intelligent network adapter, and combined with the dedicated transmit/receive interface provided on the x86 side this realizes isolated data exchange between the internal and external networks, ensuring high performance, high reliability and high security.
Claims (4)
1. A high-speed secure data exchange method based on an intelligent network adapter, comprising the following steps:
two intelligent network adapters are configured and installed respectively in two hosts serving as test servers, with the physical interfaces of the intelligent network adapters directly connected;
the sending program on the transmitting host writes data into the memory of a zero-copy send channel, limits the transmission rate, and monitors the transmission state, interrupting the data transmission in real time if either side's network is abnormal;
the sending program switches to kernel mode, converts the data already written into the zero-copy send channel into hardware instructions, and inserts them into the hardware instruction input queue;
the sending program sends a doorbell signal to the intelligent network adapter over PCI-E;
the intelligent network adapter fetches the original data to be sent through the PKI and performs a data encryption operation on the original data with the hardware encryption/decryption engine;
the intelligent network adapter inserts the encrypted data into the send backup queue and then sends it to the peer through the transmission unit;
the intelligent network adapter at the receiving end receives the data through the PKI and decrypts it with the crypto engine;
the decrypted data is inserted into the receive order-preserving queue, and the intelligent network adapter transfers the original data through the DMA engine over the PCI-E bus into the receive queue of the host;
the intelligent network adapter at the receiving end forwards packet-loss messages and back-pressure information to the peer intelligent network adapter through the transmission unit;
the receiving program on the receiving host obtains the original data through the zero-copy receive queue.
2. The high-speed secure data exchange method based on an intelligent network adapter according to claim 1, characterized in that: when the intelligent network adapter at the receiving end is not configured correctly or the receive channel is blocked, the data transmission is interrupted.
3. The high-speed secure data exchange method based on an intelligent network adapter according to claim 1, characterized in that: the kernel automatically generates sequence numbers for the data to implement the order-preserving function.
4. The high-speed secure data exchange method based on an intelligent network adapter according to claim 1, characterized in that: the intelligent network adapter at the receiving end monitors packet loss and the receive queue of the receiving host in real time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811072394.6A CN109218308A (en) | 2018-09-14 | 2018-09-14 | A kind of data high-speed secure exchange method based on intelligent network adapter |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109218308A true CN109218308A (en) | 2019-01-15 |
Family
ID=64983969
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109218308A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102624726A (en) * | 2012-03-07 | 2012-08-01 | 上海盖奇信息科技有限公司 | Multi-core intelligent network card platform-based ultrahigh-bandwidth network security audit method |
WO2016086385A1 (en) * | 2014-12-04 | 2016-06-09 | 华为技术有限公司 | Congestion control method, device and system |
CN106506540A (en) * | 2016-12-15 | 2017-03-15 | 北京三未信安科技发展有限公司 | A kind of intranet data transmission method of attack resistance and system |
CN108243116A (en) * | 2016-12-23 | 2018-07-03 | 华为技术有限公司 | A kind of flow control methods and switching equipment |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109889506A (en) * | 2019-01-24 | 2019-06-14 | 黄洪廉 | Electric power big data network monitoring system |
CN113778320A (en) * | 2020-06-09 | 2021-12-10 | 华为技术有限公司 | Network card and method for processing data by network card |
US12014173B2 (en) | 2020-06-09 | 2024-06-18 | Huawei Technologies Co., Ltd. | Data processing method for network adapter and network adapter |
CN112637176A (en) * | 2020-12-17 | 2021-04-09 | 山东云天安全技术有限公司 | Industrial network data isolation method, device and storage medium |
CN112637176B (en) * | 2020-12-17 | 2021-08-20 | 山东云天安全技术有限公司 | Industrial network data isolation method, device and storage medium |
CN113595694A (en) * | 2021-09-28 | 2021-11-02 | 阿里巴巴(中国)有限公司 | Data transmission method, computing device and storage medium |
CN113595694B (en) * | 2021-09-28 | 2022-04-01 | 阿里巴巴(中国)有限公司 | Data transmission method, computing device and storage medium |
CN115118459A (en) * | 2022-06-02 | 2022-09-27 | 合肥卓讯云网科技有限公司 | Method and equipment for realizing secure data exchange based on security card and isolation card heterogeneous |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20190115 |