CN109639513A - IPSec scheme debugging apparatus, method and system - Google Patents

Publication number
CN109639513A
Authority
CN
China
Legal status
Pending
Application number
CN201910085481.3A
Other languages
Chinese (zh)
Inventor
陈贝
Current Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201910085481.3A
Publication of CN109639513A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention discloses an IPSec scheme debugging apparatus suitable for the FPGA side. A transparent transmission module is connected to the IPSec module and sends the data packet to be processed, received from the host side, to the IPSec module, so that the IPSec module processes the packet according to the IPSec protocol and feeds the processing result back to the host side. An extraction module is connected to the IPSec module and to the transparent transmission module respectively; it monitors the network data packets in the IPSec module and the transparent transmission module and transfers the captured network data packets to the host side. With the transparent transmission module and the extraction module in place, the FPGA side has a loopback connection with the host side, and the host side can use the network data packets to observe and compare the hardware implementation and the software scheme in step, so that problems can be located quickly when the system misbehaves. The IPSec scheme debugging method and system have the same effect.

Description

IPSec scheme debugging apparatus, method and system
Technical field
The present invention relates to the technical field of digital circuit design, and in particular to an IPSec scheme debugging apparatus, method and system.
Background
Internet Protocol Security (IPSec) is an open-standard framework that uses cryptographic security services to ensure confidential and secure communication over Internet Protocol networks. At present most IPSec implementations are in software. Software implementations are flexible and low-cost, but their processing speed is low and cannot meet the demands of high-speed network systems, so hardware implementations have come under consideration.
A typical hardware implementation uses a field-programmable gate array (FPGA). This approach exploits the parallel computation of the FPGA to accelerate IPSec protocol processing as far as possible, raising the processing rate so that high-speed systems are supported. Fig. 1 shows a schematic of an FPGA implementing IPSec: the FPGA connects to the host side through a PCIE interface, and debugging mainly targets the FPGA hardware circuit. Because the IPSec protocol involves high-speed network communication and complex operations such as encryption/decryption computation and handshaking, debugging the FPGA is correspondingly complex.
In the traditional approach, either an FPGA online debugging tool is used, with the signals to be observed transferred over a JTAG interface to dedicated debugging software on a PC for observation; or reserved FPGA pins are used, with the signals to be observed connected to the pins and then observed with equipment such as an oscilloscope. With these debugging schemes the debugging results are usually observed separately at the FPGA side and at the host side. The debugging data of the FPGA and of the host side are not linked directly or closely enough, and fast joint debugging is not possible.
How to achieve synchronized comparative observation and analysis of the hardware implementation and the software scheme is therefore a problem that those skilled in the art urgently need to solve.
Summary of the invention
The purpose of the embodiments of the present invention is to provide an IPSec scheme debugging apparatus, method and system that enable synchronized comparative observation and analysis of the hardware implementation and the software scheme, so that problems can be located quickly when the system misbehaves.
To solve the above technical problem, an embodiment of the present invention provides an IPSec scheme debugging apparatus, suitable for the FPGA side, which comprises an IPSec module and further comprises an extraction module and a transparent transmission module;
The transparent transmission module is connected to the IPSec module and is used to send the data packet to be processed, received from the host side, to the IPSec module, so that the IPSec module processes the data packet to be processed according to the IPSec protocol and feeds the processing result back to the host side;
The extraction module is connected to the IPSec module and to the transparent transmission module respectively, and is used to monitor the network data packets in the IPSec module and the transparent transmission module and to transfer the captured network data packets to the host side, so that the host side verifies the IPSec scheme at the FPGA side according to the network data packets.
Optionally, the extraction module is specifically used to store the captured network data packets in a preset cache module, and to transfer the network data packets in the cache module to the host side in sequence.
Optionally, the extraction module is further used to set data markers on the captured network data packets before storing them in the preset cache module.
Optionally, the cache module is an SDRAM located off the FPGA chip.
Optionally, the transparent transmission module is connected to the IPSec module through an Ethernet interface.
An embodiment of the present invention also provides an IPSec scheme debugging method, suitable for the host side, the method comprising:
Transmitting a data packet to be processed to the FPGA side;
Receiving the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side;
Judging whether the processing result and the network data packets satisfy the corresponding preset conditions; if not, issuing a warning prompt.
Optionally, judging whether the processing result and the network data packets satisfy the corresponding preset conditions comprises:
Judging whether the processing result is consistent with a pre-stored initial data packet;
If not, judging whether the encryption/decryption key contained in the network data packets is consistent with a preset key;
If not, determining that the encryption/decryption function of the FPGA side is abnormal, and performing the step of issuing a warning prompt.
Optionally, the method further comprises:
Judging whether the data packet to be processed contained in the network data packets is consistent with the data packet to be processed stored at the host side;
If not, retransmitting the data packet to be processed stored at the host side to the FPGA side.
An embodiment of the present invention also provides an IPSec scheme debugging apparatus, suitable for the host side, the apparatus comprising a transmission module, a receiving module, a processing module and a cue module;
The transmission module is used to transmit a data packet to be processed to the FPGA side;
The receiving module is used to receive the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side;
The processing module is used to judge whether the processing result and the network data packets satisfy the corresponding preset conditions and, if not, to trigger the cue module;
The cue module is used to issue a warning prompt.
Optionally, the processing module is specifically used to judge whether the processing result is consistent with a pre-stored initial data packet; if not, to judge whether the encryption/decryption key contained in the network data packets is consistent with a preset key; and if not, to determine that the encryption/decryption function of the FPGA side is abnormal and trigger the cue module.
Optionally, the processing module is further used to judge whether the data packet to be processed contained in the network data packets is consistent with the data packet to be processed stored at the host side and, if not, to retransmit the data packet to be processed stored at the host side to the FPGA side.
An embodiment of the present invention also provides an IPSec scheme debugging system, comprising a host side and an FPGA side;
The host side is used to transmit a data packet to be processed to the FPGA side; to receive the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side; to judge whether the processing result and the network data packets satisfy the corresponding preset conditions; and, if not, to issue a warning prompt;
The FPGA side is used to receive the data to be processed transmitted by the host side; to process the data packet to be processed according to the IPSec protocol and feed the processing result back to the host side; and to transfer the captured network data packets to the host side.
As can be seen from the above technical solution, the IPSec scheme debugging apparatus suitable for the FPGA side comprises an IPSec module and further comprises an extraction module and a transparent transmission module. The transparent transmission module is connected to the IPSec module and is used to send the data packet to be processed, received from the host side, to the IPSec module, so that the IPSec module processes the data packet to be processed according to the IPSec protocol and feeds the processing result back to the host side. Providing the transparent transmission module gives the host side a loopback connection with the FPGA side; the host side is used to send and receive IPSec protocol data packets, so that minimum-system verification is carried out on the IPSec scheme at the FPGA side. The extraction module is connected to the IPSec module and to the transparent transmission module respectively, and is used to monitor the network data packets in the IPSec module and the transparent transmission module and to transfer the captured network data packets to the host side, so that the host side verifies the IPSec scheme at the FPGA side according to the network data packets. In this technical solution, the FPGA side transfers the captured network data packets to the host side for analysis, so that the host side can observe and compare, in step, the data generated in the processing of its own software scheme and in the hardware-scheme processing at the FPGA side; when the system has a problem, the problem can be located quickly.
Brief description of the drawings
To illustrate the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. The drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the connection between a host side and an FPGA side provided by the prior art;
Fig. 2 is a structural schematic diagram of an IPSec scheme debugging apparatus suitable for the FPGA side provided by an embodiment of the present invention;
Fig. 3 is an overall architecture diagram of an IPSec scheme debugging system provided by an embodiment of the present invention;
Fig. 4 is a flow chart of an IPSec scheme debugging method provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of an IPSec scheme debugging apparatus suitable for the host side provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of an IPSec scheme debugging system provided by an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
To enable those skilled in the art to better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Next, an IPSec scheme debugging apparatus provided by an embodiment of the present invention is described in detail. Fig. 2 is a structural schematic diagram of an IPSec scheme debugging apparatus provided by an embodiment of the present invention. The apparatus is suitable for the FPGA side and comprises an IPSec module 10, and further comprises an extraction module 11 and a transparent transmission module 12.
The transparent transmission module 12 is connected to the IPSec module 10 and is used to send the data packet to be processed, received from the host side, to the IPSec module 10, so that the IPSec module 10 processes the data packet to be processed according to the IPSec protocol and feeds the processing result back to the host side.
In embodiments of the present invention, the transparent transmission module 12 can be connected to the IPSec module 10 through an Ethernet interface. In a specific implementation, one Ethernet interface can be provided for the transparent transmission module 12 and one for the IPSec module 10; connecting the two Ethernet interfaces with a network cable establishes the communication link between the transparent transmission module 12 and the IPSec module 10.
Because the external interface of the IPSec module 10 is an Ethernet interface, verifying the function of the IPSec module requires verifying network data communication over the complete IPSec interface, that is, verifying against the real interface. For this reason, in embodiments of the present invention the transparent transmission module 12 is provided at the FPGA side, so that data are sent through an Ethernet interface to the Ethernet interface to which the IPSec module 10 is connected.
The extraction module 11 is connected to the IPSec module 10 and to the transparent transmission module 12 respectively, and is used to monitor the network data packets in the IPSec module 10 and the transparent transmission module 12 and to transfer the captured network data packets to the host side, so that the host side verifies the IPSec scheme at the FPGA side according to the network data packets.
The extraction module 11 can capture information such as the data packets sent by the host side as received by the transparent transmission module 12, the data packets generated while the IPSec module 10 encrypts or decrypts data packets, and the keys generated by the IPSec module 10 during IPSec protocol processing. The extraction module 11 records this information and passes it to the host side.
In practical applications the volume of communication data on a high-speed network interface can be very large. Therefore, when the extraction module 11 captures network data packets, it can store them in a preset cache module and then transfer the network data packets in the cache module to the host side in sequence.
In a specific implementation, an off-chip synchronous dynamic random access memory (Synchronous Dynamic Random Access Memory, SDRAM) can be chosen as the cache module to cache the network data packets.
To guarantee the order in which network data packets are stored and retrieved, the extraction module 11 can first set data markers on the captured network data packets before storing them in the preset cache module.
The data markers can record the specific location where a network data packet was generated and its serial number, which makes the packets easier to sort and analyze in later processing.
In embodiments of the present invention, the FPGA side interacts with the host side in real time through the extraction module 11 and the transparent transmission module 12. Referring to the overall architecture diagram of the IPSec scheme debugging system shown in Fig. 3, software IPSec is set up at the host side to analyze and process the network data packets from the FPGA side. The FPGA side is provided with the transparent transmission module 12, which is connected to the IPSec module 10 through an Ethernet interface. Following the black arrows in Fig. 3, it can be seen that the host side and the FPGA side form a loopback connection.
Taking the overall architecture shown in Fig. 3 as an example, the software IPSec at the host side is the software IPSec protocol, and the IPSec module at the FPGA side is the hardware IPSec. The test environment docks the software IPSec protocol with the hardware IPSec: data packets encrypted by the software IPSec protocol are sent to the hardware IPSec for decryption, and data packets encrypted by the hardware IPSec are sent to the software IPSec for decryption. This verifies whether the hardware IPSec fully implements the encryption processing and the decryption processing of the IPSec protocol, that is, whether the hardware IPSec scheme is correct.
With the help of the transparent transmission module 12, the encryption and decryption results of the hardware IPSec scheme can be verified. In embodiments of the present invention, in order to analyze in more detail whether the processing flow of the IPSec module at the FPGA side is correct, the FPGA side is also provided with an extraction module 11, which monitors the network data packets in the IPSec module 10 and the transparent transmission module 12 at the FPGA side and passes the data that need to be captured during IPSec operation, such as network data packets and encryption/decryption key calculation results, back to the host side over PCIe for further analysis. In this way the IKE negotiation between the IPSec module 10 in the FPGA and the software IPSec, and the transmission of AH and ESP data packets, can be monitored, to check whether the IPSec module at the FPGA side generates keys correctly and whether it generates AH/ESP data packets correctly.
Because the host side can monitor the data packets of the two mutually communicating ports at the same time, when the IPSec module at the FPGA side and the software IPSec carry out processes such as IKE negotiation, the data packets all pass through these two communication ports. By recording these communication data packets and then comparing and analyzing them one by one against the IPSec protocol, the host side can reconstruct the whole IKE negotiation process and the AH and ESP data packet transmission process, and then analyze whether these processes conform to the IPSec protocol.
As can be seen from the above technical solution, the IPSec scheme debugging apparatus suitable for the FPGA side comprises an IPSec module and further comprises an extraction module and a transparent transmission module. The transparent transmission module is connected to the IPSec module and is used to send the data packet to be processed, received from the host side, to the IPSec module, so that the IPSec module processes the data packet to be processed according to the IPSec protocol and feeds the processing result back to the host side. Providing the transparent transmission module gives the host side a loopback connection with the FPGA side; the host side is used to send and receive IPSec protocol data packets, so that minimum-system verification is carried out on the IPSec scheme at the FPGA side. The extraction module is connected to the IPSec module and to the transparent transmission module respectively, and is used to monitor the network data packets in the IPSec module and the transparent transmission module and to transfer the captured network data packets to the host side, so that the host side verifies the IPSec scheme at the FPGA side according to the network data packets. In this technical solution, the FPGA side transfers the captured network data packets to the host side for analysis, so that the host side can observe and compare, in step, the data generated in the processing of its own software scheme and in the hardware-scheme processing at the FPGA side; when the system has a problem, the problem can be located quickly.
Fig. 4 is a flow chart of an IPSec scheme debugging method provided by an embodiment of the present invention. The method is suitable for the host side and comprises:
S401: Transmit a data packet to be processed to the FPGA side.
In embodiments of the present invention, the data to be analyzed at the FPGA side are transferred to the host side for analysis, which can improve the efficiency of data processing.
The data packet to be processed can be an encrypted data packet or an original network data packet.
S402: Receive the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side.
When the data packet to be processed is an encrypted data packet, the FPGA side, on receiving it, can decrypt it using its internal IPSec module and feed the decryption result back to the host side; the processing result received by the host side is then the decrypted data packet. Similarly, when the data packet to be processed is an original data packet, the processing result received by the host side is the encrypted data packet.
Besides verifying the encryption and decryption results, in embodiments of the present invention the FPGA side can also pass to the host side, for analysis, the captured data packets sent by the host side, the data packets generated while the IPSec module encrypts or decrypts data packets, and information such as the keys generated by the IPSec module during IPSec protocol processing.
S403: Judge whether the processing result and the network data packets satisfy the corresponding preset conditions.
The processing result and the network data packets each have their own preset condition.
When either the processing result or the network data packets fail to satisfy the corresponding preset condition, the IPSec scheme at the FPGA side is abnormal, and S404 can then be executed.
Taking the processing result as an example, the host side stores in advance the initial data packet corresponding to the processing result; specifically, it can judge whether the processing result is consistent with the pre-stored initial data packet.
When the processing result is inconsistent with the pre-stored initial data packet, the IPSec module at the FPGA side has processed the data packet to be processed incorrectly. Because the network data packets record the processing at the FPGA side in more detail, the host side can then further judge whether the encryption/decryption key contained in the network data packets is consistent with the preset key.
When the encryption/decryption key contained in the network data packets is inconsistent with the preset key, it can be determined that the encryption/decryption function of the FPGA side is abnormal, and the step of issuing a warning prompt is performed.
S404: Issue a warning prompt.
The warning prompt can take many forms, such as an audio alarm or a light alarm, and is not limited here.
As can be seen from the above scheme, the host side transmits a data packet to be processed to the FPGA side, receives the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side, and judges whether the processing result and the network data packets satisfy the corresponding preset conditions. When the processing result or the network data packets fail to satisfy the corresponding preset condition, the IPSec scheme at the FPGA side is abnormal, and a warning prompt can remind administrators to deal with it in time. In this technical solution, by transferring the data of the FPGA side to the host side for analysis, the host side achieves synchronized comparative observation and analysis of the hardware implementation and the software scheme, so that problems can be located quickly when the system misbehaves.
In practical applications, the data packet to be processed that the host side transmits to the FPGA side may suffer data loss or be incomplete, which causes the processing result of the FPGA side to be wrong. To reduce such cases, when the host side receives the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side, it can first judge whether the data packet to be processed contained in the network data packets is consistent with the data packet to be processed stored at the host side.
When the data packet to be processed contained in the network data packets is inconsistent with the data packet to be processed stored at the host side, the data received by the FPGA side were wrong, and the processing result that the FPGA side generated from those data is not worth judging. The host side can then retransmit the data packet to be processed stored at the host side to the FPGA side.
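The host-side checks described above (the input pre-check, then S403 and S404), run over marked capture records, as an added Python example that is not code from the patent. The record layout, the `Tap` names and the `Verdict` values are assumptions: the patent says only that data markers record the capture location and serial number, and it does not name an outcome for a wrong result with a matching key, which this sketch reports separately.

```python
from __future__ import annotations

import enum
import hmac
import struct
from dataclasses import dataclass

# Assumed record layout (the patent does not define one): the "data marker"
# is a tap id (1 byte) plus a serial number (4 bytes), followed by a 2-byte
# payload length and the payload itself, all big-endian.
HEADER = struct.Struct(">BIH")


class Tap(enum.IntEnum):      # hypothetical capture locations
    PASSTHROUGH_RX = 1        # packet as received by the transparent transmission module
    IPSEC_OUT = 2             # packet produced by the IPSec module
    IPSEC_KEY = 3             # key generated during IPSec processing


class Verdict(enum.Enum):
    OK = "result matches"
    RETRANSMIT = "input differs from the stored packet, resend it"
    CRYPTO_FAULT = "key mismatch: encryption/decryption function abnormal"
    RESULT_FAULT = "key matches but result is wrong"


@dataclass(frozen=True)
class Record:
    tap: Tap
    seq: int
    payload: bytes


def frame(tap: Tap, seq: int, payload: bytes) -> bytes:
    """Build one marked record (used here only to construct sample captures)."""
    return HEADER.pack(tap, seq, len(payload)) + payload


def parse_capture(buf: bytes) -> list[Record]:
    """Split a capture buffer into records, ordered by serial number."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError(f"truncated marker at offset {off}")
        tap, seq, length = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if len(buf) - off < length:
            raise ValueError(f"truncated payload in record {seq}")
        records.append(Record(Tap(tap), seq, buf[off:off + length]))
        off += length
    return sorted(records, key=lambda r: r.seq)


def payload_at(records: list[Record], tap: Tap) -> bytes | None:
    """Payload of the first record captured at the given tap, if any."""
    return next((r.payload for r in records if r.tap == tap), None)


def triage(sent: bytes, expected: bytes, preset_key: bytes,
           result: bytes, records: list[Record]) -> Verdict:
    # Pre-check: did the FPGA side receive the packet the host stored?
    # A missing capture is treated as a mismatch (assumption).
    if payload_at(records, Tap.PASSTHROUGH_RX) != sent:
        return Verdict.RETRANSMIT
    # S403, first condition: processing result vs pre-stored initial packet.
    if result == expected:
        return Verdict.OK
    # S403, second condition: captured key vs preset key.
    key = payload_at(records, Tap.IPSEC_KEY)
    if key is None or not hmac.compare_digest(key, preset_key):
        return Verdict.CRYPTO_FAULT
    return Verdict.RESULT_FAULT


def needs_warning(verdict: Verdict) -> bool:
    """S404 applies to anomalies; a damaged input is resent instead."""
    return verdict in (Verdict.CRYPTO_FAULT, Verdict.RESULT_FAULT)


# Constructed sample values, not real traffic or key material.
SENT = b"original-packet-0001"
EXPECTED = b"expected-processed-0001"
PRESET_KEY = bytes(range(16))
CAPTURE = (frame(Tap.IPSEC_KEY, 2, PRESET_KEY)
           + frame(Tap.PASSTHROUGH_RX, 1, SENT)
           + frame(Tap.IPSEC_OUT, 3, EXPECTED))

if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    print(triage(SENT, EXPECTED, PRESET_KEY, EXPECTED, recs))
    print(triage(SENT, EXPECTED, PRESET_KEY, b"wrong", recs))
```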
Fig. 5 is a structural schematic diagram of an IPSec scheme debugging apparatus provided by an embodiment of the present invention. The apparatus is suitable for the host side and comprises a transmission module 51, a receiving module 52, a processing module 53 and a cue module 54;
The transmission module 51 is used to transmit a data packet to be processed to the FPGA side;
The receiving module 52 is used to receive the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side;
The processing module 53 is used to judge whether the processing result and the network data packets satisfy the corresponding preset conditions and, if not, to trigger the cue module;
The cue module 54 is used to issue a warning prompt.
Optionally, the processing module is specifically used to judge whether the processing result is consistent with a pre-stored initial data packet; if not, to judge whether the encryption/decryption key contained in the network data packets is consistent with a preset key; and if not, to determine that the encryption/decryption function of the FPGA side is abnormal and trigger the cue module.
Optionally, the processing module is further used to judge whether the data packet to be processed contained in the network data packets is consistent with the data packet to be processed stored at the host side and, if not, to retransmit the data packet to be processed stored at the host side to the FPGA side.
For the features of the embodiment corresponding to Fig. 5, refer to the related description of the embodiment corresponding to Fig. 4; they are not repeated here.
Fig. 6 is a structural schematic diagram of an IPSec scheme debugging system 60 provided by an embodiment of the present invention, comprising a host side 61 and an FPGA side 62;
The host side 61 is used to transmit a data packet to be processed to the FPGA side; to receive the processing result fed back by the FPGA side and the network data packets transmitted by the FPGA side; to judge whether the processing result and the network data packets satisfy the corresponding preset conditions; and, if not, to issue a warning prompt;
The FPGA side 62 is used to receive the data to be processed transmitted by the host side; to process the data packet to be processed according to the IPSec protocol and feed the processing result back to the host side; and to transfer the captured network data packets to the host side.
The IPSec scheme debugging apparatus, method and system provided by the embodiments of the present invention have been described in detail above. The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be cross-referenced. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principle, and these improvements and modifications also fall within the scope of protection of the claims of the present invention.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in general terms according to function. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

Claims (10)

1. An IPSec scheme debugging apparatus comprising an IPSec module, characterized in that the apparatus is applied to an FPGA side and further comprises an extraction module and a transparent transmission module;
The transparent transmission module is connected to the IPSec module and is configured to send the received pending data packet transmitted by the host side to the IPSec module, so that the IPSec module processes the pending data packet according to the IPSec protocol and feeds the processing result back to the host side;
The extraction module is connected to the IPSec module and to the transparent transmission module respectively, and is configured to monitor the network packets in the IPSec module and the transparent transmission module and to transfer the captured network packets to the host side, so that the host side verifies the IPSec scheme of the FPGA side according to the network packets.
2. The apparatus according to claim 1, characterized in that the extraction module is specifically configured to store the captured network packets in a preset cache module and to transfer the network packets in the cache module to the host side in sequence.
3. The apparatus according to claim 2, characterized in that the extraction module is further configured to set a data mark on the captured network packets before storing them in the preset cache module.
4. The apparatus according to claim 2, characterized in that the cache module is an SDRAM located off the FPGA chip.
5. The apparatus according to any one of claims 1-4, characterized in that the transparent transmission module and the IPSec module are connected through an Ethernet interface.
6. An IPSec scheme debugging method, characterized in that it is applied to a host side, the method comprising:
Transmitting a pending data packet to an FPGA side;
Receiving the processing result fed back by the FPGA side and the network packets transferred by the FPGA side;
Judging whether the processing result and the network packets meet the corresponding preset conditions; if not, issuing an alarm prompt.
7. The method according to claim 6, characterized in that judging whether the processing result and the network packets meet the corresponding preset conditions comprises:
Judging whether the processing result is consistent with the pre-stored initial data packet;
If not, judging whether the encryption/decryption key contained in the network packet is consistent with a preset key;
If not, determining that the encryption/decryption function of the FPGA side is abnormal, and performing the step of issuing an alarm prompt.
8. The method according to claim 6, characterized by further comprising:
Judging whether the pending data packet contained in the network packet is consistent with the pending data packet stored at the host side;
If not, transmitting the pending data packet stored at the host side to the FPGA side again.
9. An IPSec scheme debugging apparatus, characterized in that it is applied to a host side, the apparatus comprising a transmission module, a receiving module, a processing module and a prompt module;
The transmission module is configured to transmit a pending data packet to an FPGA side;
The receiving module is configured to receive the processing result fed back by the FPGA side and the network packets transferred by the FPGA side;
The processing module is configured to judge whether the processing result and the network packets meet the corresponding preset conditions and, if not, to trigger the prompt module;
The prompt module is configured to issue an alarm prompt.
10. An IPSec scheme debugging system, characterized by comprising a host side and an FPGA side;
The host side is configured to transmit a pending data packet to the FPGA side; to receive the processing result fed back by the FPGA side and the network packets transferred by the FPGA side; to judge whether the processing result and the network packets meet the corresponding preset conditions; and, if not, to issue an alarm prompt;
The FPGA side is configured to receive the pending data packet transmitted by the host side; to process the pending data packet according to the IPSec protocol and feed the processing result back to the host side; and to transfer the captured network packets to the host side.
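The host-side judgement of claims 6 to 8, as an added Python sketch that is not part of the patent text. The Capture record, the function names, the order in which the claim 8 check runs before the claim 7 checks, and the handling of the case claim 7 leaves open (result differs but key matches) are assumptions; the sample packets and keys are constructed.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    OK = "processing result matches the stored initial packet"
    RESEND = "FPGA saw a different pending packet; retransmit (claim 8)"
    CRYPTO_FAULT = "FPGA encryption/decryption abnormal; alarm (claim 7)"
    UNRESOLVED = "result differs but key matches; alarm (claim 6 only)"


@dataclass(frozen=True)
class Capture:
    """Hypothetical view of one packet grabbed by the extraction module."""
    pending_packet: bytes  # pending data packet as observed on the FPGA side
    key: bytes             # encryption/decryption key observed on the FPGA side


def verify(stored_pending: bytes, stored_initial: bytes, preset_key: bytes,
           result: bytes, cap: Capture) -> Verdict:
    # Claim 8: the packet the FPGA received must equal the one the host stored.
    if cap.pending_packet != stored_pending:
        return Verdict.RESEND
    # Claim 7, first judgement: processing result vs. pre-stored initial packet.
    if result == stored_initial:
        return Verdict.OK
    # Claim 7, second judgement: captured key vs. preset key.
    if not hmac.compare_digest(cap.key, preset_key):
        return Verdict.CRYPTO_FAULT
    # Not covered by claim 7 (assumption): still alarm under claim 6.
    return Verdict.UNRESOLVED


def needs_alarm(v: Verdict) -> bool:
    return v in (Verdict.CRYPTO_FAULT, Verdict.UNRESOLVED)


# Constructed sample values, not taken from the patent.
PKT, KEY = b"\x45\x00\x00\x1cping", bytes(range(16))
CASES = {
    "clean":      (PKT, Capture(PKT, KEY)),
    "corrupt_in": (PKT, Capture(PKT[:-1] + b"?", KEY)),
    "bad_key":    (b"\x00" * len(PKT), Capture(PKT, bytes(16))),
    "bad_result": (b"\x00" * len(PKT), Capture(PKT, KEY)),
}

if __name__ == "__main__":
    for name, (result, cap) in CASES.items():
        v = verify(PKT, PKT, KEY, result, cap)
        print(f"{name:11s} alarm={needs_alarm(v)!s:5s} {v.name}")
```

The sample cases treat the processing result as a round trip that should reproduce the stored initial packet, which is why the same constructed packet is passed as both stored values.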
CN201910085481.3A 2019-01-29 2019-01-29 A kind of IPSec scheme debugging apparatus, method and system Pending CN109639513A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910085481.3A CN109639513A (en) 2019-01-29 2019-01-29 A kind of IPSec scheme debugging apparatus, method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910085481.3A CN109639513A (en) 2019-01-29 2019-01-29 A kind of IPSec scheme debugging apparatus, method and system

Publications (1)

Publication Number Publication Date
CN109639513A true CN109639513A (en) 2019-04-16

Family

ID=66062494

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910085481.3A Pending CN109639513A (en) 2019-01-29 2019-01-29 A kind of IPSec scheme debugging apparatus, method and system

Country Status (1)

Country Link
CN (1) CN109639513A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116319093A (en) * 2023-05-18 2023-06-23 湖北微源卓越科技有限公司 IPsec anti-replay method based on FPGA

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103186756A (en) * 2011-12-31 2013-07-03 国民技术股份有限公司 Testing device and testing method for card reader
US8646090B1 (en) * 2007-10-03 2014-02-04 Juniper Networks, Inc. Heuristic IPSec anti-replay check
CN105610790A (en) * 2015-12-17 2016-05-25 武汉邮电科学研究院 IPSec encryption card and CPU coordinative user plane data processing method
CN107491317A (en) * 2017-10-10 2017-12-19 郑州云海信息技术有限公司 A kind of symmetrical encryption and decryption method and systems of AES for accelerating platform based on isomery
CN107528690A (en) * 2017-10-10 2017-12-29 郑州云海信息技术有限公司 A kind of symmetrical encryption and decryption method and systems of SM4 for accelerating platform based on isomery

Similar Documents

Publication Publication Date Title
US10728229B2 (en) Method and device for communicating securely between T-box device and ECU device in internet of vehicles system
EP1986069A1 (en) A storage system executing encryption and decryption processing
CN106487749A (en) Key generation method and device
EP3644548A1 (en) Key exchange system and key exchange method
CN103973715B (en) Cloud computing security system and method
CN106453314B (en) The method and device of data encrypting and deciphering
CN107124385B (en) Mirror flow-based SSL/TLS protocol plaintext data acquisition method
CN112270020B (en) Terminal equipment safety encryption device based on safety chip
CN107819650A (en) Data safety method of testing and device
CN109639513A (en) A kind of IPSec scheme debugging apparatus, method and system
CN107911567A (en) A kind of system and method for resisting printer physical attacks
CN108848084B (en) A kind of safety monitoring network communication method based on safety
CN114500064A (en) Communication security verification method and device, storage medium and electronic equipment
CN104732614A (en) Access device for encrypting wiegand protocol signal and encryption and decryption method thereof
CN109246148A (en) Message processing method, device, system, equipment and computer readable storage medium
CN104821879A (en) Encryption method in data transfer of electric power system
CN110391898A (en) A kind of data managing method and system based on biological secret key
CN108600173B (en) Distributed traveling wave ranging system and method with encryption security
CN110139163A (en) A kind of method and relevant apparatus obtaining barrage
CN108900555A (en) A kind of data processing method and device
CN111343421B (en) Video sharing method and system based on white-box encryption
CN114827529A (en) Monitoring video encryption gateway
CN205961167U (en) Safe data transmission device
CN114422200A (en) Domain name interception method and device and electronic equipment
CN110381505A (en) Access the method and device of network hard disk video recorder

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20190416)