[go: up one dir, main page]

CN117955648B - A key negotiation system and method based on DPDK architecture - Google Patents

A key negotiation system and method based on DPDK architecture Download PDF

Info

Publication number
CN117955648B
CN117955648B CN202410338237.4A CN202410338237A CN117955648B CN 117955648 B CN117955648 B CN 117955648B CN 202410338237 A CN202410338237 A CN 202410338237A CN 117955648 B CN117955648 B CN 117955648B
Authority
CN
China
Prior art keywords
module
key
key negotiation
processing module
service processing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410338237.4A
Other languages
Chinese (zh)
Other versions
CN117955648A (en
Inventor
陈先进
郭林祥
苏云学
李岩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Huayi Microelectronic Material Co Ltd
Original Assignee
Shandong Aerospace Artificial Intelligence Security Chip Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Aerospace Artificial Intelligence Security Chip Research Institute filed Critical Shandong Aerospace Artificial Intelligence Security Chip Research Institute
Priority to CN202410338237.4A priority Critical patent/CN117955648B/en
Publication of CN117955648A publication Critical patent/CN117955648A/en
Application granted granted Critical
Publication of CN117955648B publication Critical patent/CN117955648B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08Randomization, e.g. dummy operations or using noise

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network security, in particular to a key negotiation system and method based on a DPDK architecture. The invention redesigns the functions of key management algorithm, SAD, SPD structure and stored design, IKE configuration, etc., the above functions are realized by a key negotiation module, the functions of network data receiving and transmitting, service data encrypting and decrypting, data packaging/decapsulating, negotiation flow triggering, etc. are processed by a service processing module, and the management configuration module issues the contents of system configuration, security policy, etc. to the service processing module and the key negotiation module. The invention solves the defect that the open source framework of the traditional key agreement is excessively dependent on CPU performance due to the fact that the open source framework cannot be used based on a DPDK framework, ensures the synchronism and stability interaction among all modules in the equipment, and ensures that the VPN equipment has higher reliability.

Description

一种基于DPDK架构的密钥协商系统及方法A key negotiation system and method based on DPDK architecture

技术领域Technical Field

本发明涉及网络安全技术领域,具体是一种基于DPDK架构的密钥协商方法及系统。The present invention relates to the field of network security technology, and in particular to a key negotiation method and system based on a DPDK architecture.

背景技术Background technique

随着计算机网络安全的发展,网络密钥交换技术应运而生,通过网络密钥交换技术可以在不同的VPN(Virtual Private Network,虚拟专用网络)网关之间进行加密通信。传统技术中,通过不同的VPN网关之间进行IKE(Internet Key Exchange,网络密钥交换)协商,以协商出双方的密钥,从而通过密钥实现两个网关之间的加解密通信。With the development of computer network security, network key exchange technology has emerged. Through network key exchange technology, encrypted communication can be carried out between different VPN (Virtual Private Network) gateways. In traditional technology, IKE (Internet Key Exchange) negotiation is carried out between different VPN gateways to negotiate the keys of both parties, so as to realize encryption and decryption communication between the two gateways through the keys.

在新的网络形势下,面对大量高吞吐、高并发的网络环境,基于传统操作系统内核的网络数据收集机制在丢包率以及吞吐量方面已经难以匹配现有的需求。在当前高速网络中,高性能系统需要在极其有限的时间内成功地收集和处理大量数据,因此如何高效、完整、快速捕获数据包,是准确分析网络数据的基础以及进行下一步管控的关键。In the new network situation, facing a large number of high-throughput and high-concurrency network environments, the network data collection mechanism based on the traditional operating system kernel has been unable to match the existing needs in terms of packet loss rate and throughput. In the current high-speed network, high-performance systems need to successfully collect and process a large amount of data in an extremely limited time. Therefore, how to efficiently, completely and quickly capture data packets is the basis for accurate analysis of network data and the key to the next step of management and control.

DPDK是专为网络报文快速处理而提供的一系列库和驱动的集合。DPDK通过环境抽象层数据平面功能以取代内核的系统调用,使用UIO机制使网卡驱动模块运行在用户态,绕开内核网络协议栈,采用轮询和零拷贝技术从网卡收取报文,并且使用大页和CPU亲和机制提高应用模块处理报文的性能,由此可以节约开销,达到提高数据包处理性能的要求。DPDK is a collection of libraries and drivers designed for fast processing of network packets. DPDK replaces the kernel system call through the data plane function of the environment abstraction layer, uses the UIO mechanism to make the network card driver module run in user mode, bypasses the kernel network protocol stack, uses polling and zero copy technology to collect packets from the network card, and uses large pages and CPU affinity mechanisms to improve the performance of application modules in processing packets, thereby saving overhead and achieving the requirements for improving data packet processing performance.

目前大部分传统的开源项目其协商流程及业务依赖于Linux内核及成熟硬件配置,性能极大的受制于硬件性能。设备吞吐量的大小主要由网络设备的硬件及模块算法的效率决定,尤其是模块算法,算法的低效会使通信量大打折扣。传统IKE协议需要多次(往返数目最多达9条)信息交互,每次交互都会进行大量的数据加密和解密操作,以及所有的密钥管理等复杂算法的性能都依赖和占用CPU。所以传统IKE协商的算法的交互次数及算法的性能对通信的整体性能下降会产生一定的影响。尤其是在大规模并发连接和高负载的情况下,可能会导致通信速度的降低和延迟的增加。At present, the negotiation process and services of most traditional open source projects rely on the Linux kernel and mature hardware configuration, and the performance is greatly restricted by the hardware performance. The size of the device throughput is mainly determined by the efficiency of the hardware and module algorithms of the network equipment, especially the module algorithm. The inefficiency of the algorithm will greatly reduce the communication volume. The traditional IKE protocol requires multiple (up to 9 round trips) information interactions, and each interaction will perform a large number of data encryption and decryption operations, and the performance of all complex algorithms such as key management depends on and occupies the CPU. Therefore, the number of interactions and the performance of the traditional IKE negotiation algorithm will have a certain impact on the overall performance of the communication. Especially in the case of large-scale concurrent connections and high loads, it may lead to a decrease in communication speed and an increase in latency.

由上述可知, 现有技术存在的缺陷是:目前的密钥协商方法不支架DPDK架构,过度依赖于CPU性能,性能极大的受制于硬件性能。As can be seen from the above, the defects of the prior art are: the current key negotiation method does not support the DPDK architecture, is overly dependent on CPU performance, and its performance is greatly restricted by hardware performance.

发明内容Summary of the invention

针对现有技术的缺陷,本发明提供一种基于DPDK架构的密钥协商系统及方法,解决了传统密钥协商的开源框架由于无法基于DPDK架构进行使用而导致的过度依赖于CPU性能的弊端,保证了设备内部各模块之间的同步性和稳定性交互,使得VPN设备更具有可靠性。In view of the defects of the prior art, the present invention provides a key negotiation system and method based on the DPDK architecture, which solves the disadvantage of excessive dependence on CPU performance caused by the open source framework of traditional key negotiation due to the inability to be used based on the DPDK architecture, ensures the synchronization and stable interaction between the modules inside the device, and makes the VPN device more reliable.

为了解决所述技术问题,本发明采用的技术方案是:一种基于DPDK架构的密钥协商系统,包括管理配置模块、业务处理模块、密钥协商模块、DPDK组件和DPDK驱动,管理配置模块分别与业务处理模块和密钥协商模块相连,用于向业务管理模块和密钥协商模块发送管理配置数据;业务处理模块用于网络数据收发、业务数据加密和解密、数据封装和解封装、协商流量触发,密钥协商模块用于实现密钥管理算法、SAD维护、SPD维护、IKE配置,业务处理模块与DPDK组件、DPDK驱动依次连接,用于实现网络数据包的交互。In order to solve the technical problem, the technical solution adopted by the present invention is: a key negotiation system based on DPDK architecture, including a management configuration module, a business processing module, a key negotiation module, a DPDK component and a DPDK driver. The management configuration module is respectively connected to the business processing module and the key negotiation module, and is used to send management configuration data to the business management module and the key negotiation module; the business processing module is used for network data transmission and reception, business data encryption and decryption, data encapsulation and decapsulation, and negotiation traffic triggering. The key negotiation module is used to implement key management algorithm, SAD maintenance, SPD maintenance, and IKE configuration. The business processing module is connected to the DPDK component and the DPDK driver in sequence to realize the interaction of network data packets.

进一步的,管理配置数据包括系统配置以及安全策略。Furthermore, the management configuration data includes system configuration and security policies.

本发明还公开一种基于DPDK架构的密钥协商方法,本方法基于上述密钥协商系统实现,包括以下步骤:The present invention also discloses a key negotiation method based on the DPDK architecture. The method is implemented based on the above key negotiation system and includes the following steps:

S01)、密钥协商发起,密钥协商模块支持自动触发与流量触发两种密钥协商发起方式,流量触发是必选项,自动触发是可配项;如果配置了自动触发,当策略加载成功并且整个设备开始工作后,对整个策略表按顺序发起协商,直至所有策略协商、安全联盟下发完成,如果未配置自动触发,由业务处理模块向密钥协商模块发送协商发起请求消息来触发策略协商;S01), key negotiation initiation, the key negotiation module supports two key negotiation initiation modes: automatic trigger and traffic trigger. Traffic trigger is a mandatory option, and automatic trigger is an optional option. If automatic triggering is configured, when the policy is loaded successfully and the entire device starts working, the entire policy table is negotiated in sequence until all policy negotiations and security alliances are issued. If automatic triggering is not configured, the business processing module sends a negotiation initiation request message to the key negotiation module to trigger policy negotiation;

S02)、协商网络数据包的交互,密钥协商模块将发起方的协商包转为私有格式并发送给业务处理模块,业务处理模块接收后对数据包进行解析,还原成标准的TCP/IP网络数据包并发送给响应方,响应方处理完成后将网络数据包发送给业务处理模块,业务处理模块将接收到的网络数据包按照TCP/IP网络报文格式,剥离掉该网络报文所有头部信息,仅保留原地址、目的地址、源端口、目的端口、IKE载荷信息,通过私有格式交由密钥协商模块进行处理;经过多次交互后,协商出最终SA和SA-SP关联关系,下发给业务处理模块,由业务处理模块进行业务数据加密和解密;其中SA表示安全联盟,SP表示安全策略;S02), negotiate the interaction of network data packets. The key negotiation module converts the negotiation packet of the initiator into a private format and sends it to the business processing module. After receiving the packet, the business processing module parses the packet, restores it to a standard TCP/IP network packet and sends it to the responder. After the responder completes the processing, it sends the network packet to the business processing module. The business processing module strips off all the header information of the received network packet according to the TCP/IP network message format, retains only the original address, destination address, source port, destination port, and IKE payload information, and hands it over to the key negotiation module for processing in a private format; after multiple interactions, the final SA and SA-SP association relationship are negotiated and sent to the business processing module, which encrypts and decrypts the business data; SA stands for security alliance and SP stands for security policy;

S03)、算法运算,密钥协商过程中使用到的加密算法,由密钥协商模块通过应用层接口调用,运算结果发送给密钥协商模块;S03), algorithm operation, the encryption algorithm used in the key negotiation process is called by the key negotiation module through the application layer interface, and the operation result is sent to the key negotiation module;

S04)、SAD、SPD维护,SAD表示安全联盟数据库,SPD表示安全策略数据库,密钥协商模块负责维护SAD表以及对SAD表的操作,初始SPD表由管理配置模块下发并由密钥协商模块进行后续维护;S04), SAD, SPD maintenance, SAD stands for security association database, SPD stands for security policy database, the key negotiation module is responsible for maintaining the SAD table and operating the SAD table, the initial SPD table is issued by the management configuration module and subsequently maintained by the key negotiation module;

S05)、密钥重协商,密钥重协商完成后,通知业务处理模块删除旧SA,装载新SA。S05), key re-negotiation, after key re-negotiation is completed, notify the service processing module to delete the old SA and load the new SA.

密钥协商过程中使用到的加密算法集成在硬件加密卡、FPGA或者软算法上,密钥协商模块通过应用层接口调用加密算法。The encryption algorithm used in the key negotiation process is integrated in the hardware encryption card, FPGA or soft algorithm, and the key negotiation module calls the encryption algorithm through the application layer interface.

进一步的,密钥协商模块调用FPGA中加密算法进行算法运算的过程为:Furthermore, the process of the key negotiation module calling the encryption algorithm in the FPGA to perform algorithm calculation is as follows:

S11)、密钥协商模块依据所需运算服务类型,使用自定义数据格式进行数据请求包的组建;S11), the key negotiation module uses a custom data format to construct a data request packet according to the required computing service type;

S12)、密钥协商模块通过应用层接口将所组建的数据请求包传递到FPGA算法空闲队列内部;S12), the key negotiation module transmits the formed data request packet to the FPGA algorithm idle queue through the application layer interface;

S13)、FPGA监测到空闲队列有数据请求包,对数据请求包进行解析并依据请求服务类型标识来进行密码运算并将结果返回;S13), FPGA detects that there is a data request packet in the idle queue, parses the data request packet, performs cryptographic operation according to the request service type identifier, and returns the result;

S14)、密钥协商模块接收响应数据包并进行解析,获取本次请求数据的结果。S14), the key negotiation module receives and parses the response data packet to obtain the result of the request data.

进一步的,单个SA属性包括策略属性、序号、生命周期和SPI,SPI是ipsec报文中的安全参数索引,用于唯一标记一个SA,SA序号、同方向的SA的SPI具有唯一性,由密钥协商模块生成并下发给业务处理模块;SAD的存储采用链表结构,占用的内存空间采用动态分配的方式。Furthermore, a single SA attribute includes a policy attribute, a sequence number, a life cycle and an SPI. The SPI is a security parameter index in an IPsec message and is used to uniquely mark an SA. The SA sequence number and the SPI of the SA in the same direction are unique and are generated by the key negotiation module and sent to the service processing module. The SAD is stored in a linked list structure and the memory space occupied is dynamically allocated.

进一步的,对SAD的操作包括增、删、查,由密钥协商模块完成;Furthermore, operations on SAD, including adding, deleting, and checking, are completed by the key negotiation module;

新增SA的具体流程为:The specific process of adding a new SA is as follows:

S21)、假设策略号为1,生成SA序号,生成规则为:本次生成的SA序号等于上一次生成的SA的序号加1;S21), assuming that the policy number is 1, generate an SA number, and the generation rule is: the SA number generated this time is equal to the SA number generated last time plus 1;

S22)、生成SPI并获得对方生成的SPI,每个设备负责生成其入站SPI,本端的入站SPI与对端出站SPI相同,本端的出站SPI与对端的入站SPI相同;S22), generate SPI and obtain the SPI generated by the other party, each device is responsible for generating its inbound SPI, the inbound SPI of the local end is the same as the outbound SPI of the other end, and the outbound SPI of the local end is the same as the inbound SPI of the other end;

S23)、计算密钥值,计算出站SA和入站SA两个密钥,密钥值的部分明文来自于SPI;S23), calculate the key value, calculate the outbound SA and inbound SA keys, and part of the plain text of the key value comes from the SPI;

S24)、查找SPD序号为1的出站SA,如果有,则删除,并在设定时间后通知业务处理模块删除,同时释放其序号;S24), search for the outbound SA with SPD number 1, if there is one, delete it, and notify the service processing module to delete it after the set time, and release its number at the same time;

S25)、配置出站SA属性,出站SA属性一部分来自于策略1,其他由密钥协商模块产生;S25), configure outbound SA attributes, part of which comes from policy 1, and the rest is generated by the key negotiation module;

S26)、下发出站SA给业务处理模块,并将出站SA插入链表;S26), send the outbound SA to the business processing module, and insert the outbound SA into the linked list;

S27)、查找SPD序号为1的入站SA,如果有,则删除,并在设定时间后通知业务处理模块删除,同时释放其序号;S27) Find the inbound SA with SPD number 1. If there is one, delete it and notify the service processing module to delete it after a set time, and release its number at the same time;

S28)、配置新入站SA属性,新入站SA属性一部分来自于策略1,其他由密钥协商模块产生;S28), configure new inbound SA attributes, part of which comes from strategy 1, and the rest is generated by the key negotiation module;

S29)、下发入站SA给业务处理模块,并将入站SA插入链表。S29) Send the inbound SA to the business processing module and insert the inbound SA into the linked list.

进一步的,步骤S21)、S22)中,采用bitmap方式保证SA序号和SPI的唯一性。Furthermore, in steps S21) and S22), a bitmap method is used to ensure the uniqueness of the SA sequence number and the SPI.

进一步的,密钥重协商的触发方式包括包个数触发和时间触发,包个数触发由业务处理模块实施,当包个数生命周期到达后,业务处理模块通过消息队列向密钥协商模块发出重协商命令,密钥协商模块依据其中的SPD序号进行重协商;Furthermore, the triggering methods of key renegotiation include packet number triggering and time triggering. The packet number triggering is implemented by the service processing module. When the packet number life cycle is reached, the service processing module sends a renegotiation command to the key negotiation module through the message queue, and the key negotiation module performs renegotiation according to the SPD sequence number therein;

进一步的,时间触发由密钥协商模块实施,当SA到达生命周期,密钥协商模块自动发起密钥重协商。Furthermore, the time trigger is implemented by the key negotiation module. When the SA reaches its life cycle, the key negotiation module automatically initiates key re-negotiation.

进一步的,时间触发方式下,发起密钥重协商的时间设定为其生命周期的80%,如果100%生命周期达到后还没有协商出新SA,则强制删除SA。Furthermore, in the time-triggered mode, the time for initiating key renegotiation is set to 80% of its life cycle. If a new SA is not negotiated after 100% of the life cycle is reached, the SA is forcibly deleted.

本发明的有益效果:本发明解决了传统密钥协商的开源框架由于无法基于DPDK架构进行使用而导致的过度依赖于CPU性能的弊端,保证了设备内部各模块之间的同步性和稳定性交互,使得VPN设备更具有可靠性。Beneficial effects of the present invention: The present invention solves the problem of over-reliance on CPU performance caused by the inability to use the traditional open source framework of key negotiation based on the DPDK architecture, ensures the synchronization and stable interaction between the modules inside the device, and makes the VPN device more reliable.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1为基于DPDK架构的密钥协商系统原理框图;FIG1 is a block diagram of a key agreement system based on the DPDK architecture;

图2为密钥协商算法服务调用模型示意图;FIG2 is a schematic diagram of a key agreement algorithm service call model;

图3为密钥协商数据包自定义协议示意图。FIG3 is a schematic diagram of a custom protocol for a key negotiation data packet.

具体实施方式Detailed ways

下面结合附图和具体实施例对本发明作进一步的说明。The present invention will be further described below in conjunction with the accompanying drawings and specific embodiments.

实施例1Example 1

本实施例公开一种基于DPDK架构的密钥协商系统,如图1所示,包括管理配置模块、业务处理模块、密钥协商模块、DPDK组件、DPDK驱动,本系统对密钥管理算法、SAD(Security Association Database,安全联盟数据库)、SPD(Security Policy Database,安全策略数据库)结构及存储的设计、IKE配置等功能进行了重设计,以上功能由密钥协商模块实现,将网络数据收发、业务数据解密和解密、数据封装/解封装、协商流量触发等功能交由业务处理模块处理,管理配置模块将系统配置、安全策略等内容下发给业务处理模块和密钥协商模块。业务办理模块与DPDK组件、DPDK驱动依次连接,实现网络数据包的交互。This embodiment discloses a key negotiation system based on the DPDK architecture, as shown in FIG1 , including a management configuration module, a business processing module, a key negotiation module, a DPDK component, and a DPDK driver. This system redesigns the key management algorithm, the SAD (Security Association Database), the SPD (Security Policy Database) structure and storage design, the IKE configuration and other functions. The above functions are implemented by the key negotiation module, and the functions of network data transmission and reception, business data decryption and decryption, data encapsulation/decapsulation, negotiation traffic triggering, etc. are handed over to the business processing module for processing. The management configuration module sends the system configuration, security policy and other contents to the business processing module and the key negotiation module. The business processing module is connected to the DPDK component and the DPDK driver in sequence to realize the interaction of network data packets.

实施例2Example 2

本实施例公开一种基于DPDK架构的密钥协商方法,本方法基于实施例1所述密钥协商系统,为了保证基于DPDK架构的密钥协商的总体安全性和性能,将所涉及的对称、非对称、杂凑等算法通过硬件加密卡/FPGA/软算法库提供密码服务,减少了单次协商算法运算的时间。使用DPDK套件提高了网络数据包转发的速度,提高了单次协商的速度。下面从密钥协商发起、协商网络数据包的交互、算法运算、SAD维护、密钥重协商等方面对本发明进行描述。This embodiment discloses a key negotiation method based on the DPDK architecture. This method is based on the key negotiation system described in Example 1. In order to ensure the overall security and performance of the key negotiation based on the DPDK architecture, the symmetric, asymmetric, and hash algorithms involved are provided with cryptographic services through hardware encryption cards/FPGAs/soft algorithm libraries, thereby reducing the time for single negotiation algorithm operations. The use of the DPDK suite increases the speed of network data packet forwarding and increases the speed of a single negotiation. The present invention is described below from the aspects of key negotiation initiation, negotiation of network data packet interaction, algorithm operation, SAD maintenance, and key renegotiation.

密钥协商发起。密钥协商模块支持自动触发与流量触发两种方式。其中,流量触发是必选项,自动触发是可配项。如果配置了自动触发,当策略加载成功并且整个系统(即实施例1所述的由管理配置模块、业务处理模块、密钥协商模块、DPDK组件和DPDK驱动组成的密钥协商系统)开始工作后,对整个策略表按顺序发起协商,直至所有策略协商、SA下发完成。如果未配置自动触发,则由业务处理模块向密钥协商模块发送协商发起请求消息来触发策略协商。自动触发适用于安全要求低、协商速度快、策略较少的场景,业务处理模块触发常用于大型网络环境中。在实际使用过程中,可根据策略条数灵活选择。本实施例中,流量触发的流程为:业务处理模块查询该流量是否已经协商过,如果未协商过,则向密钥协商模块发出“协商发起命令”,触发协商。因此,流量触发的发起点是业务处理模块,处理点是密钥协商模块。Key negotiation is initiated. The key negotiation module supports two modes: automatic triggering and traffic triggering. Among them, traffic triggering is a mandatory option, and automatic triggering is an optional option. If automatic triggering is configured, when the policy is loaded successfully and the entire system (i.e., the key negotiation system composed of the management configuration module, the business processing module, the key negotiation module, the DPDK component and the DPDK driver described in Example 1) starts working, the entire policy table is negotiated in sequence until all policy negotiations and SA issuance are completed. If automatic triggering is not configured, the business processing module sends a negotiation initiation request message to the key negotiation module to trigger policy negotiation. Automatic triggering is suitable for scenarios with low security requirements, fast negotiation speed and fewer policies. Business processing module triggering is often used in large network environments. In actual use, it can be flexibly selected according to the number of policies. In this embodiment, the process of traffic triggering is: the business processing module queries whether the traffic has been negotiated. If it has not been negotiated, it sends a "negotiation initiation command" to the key negotiation module to trigger the negotiation. Therefore, the initiation point of traffic triggering is the business processing module, and the processing point is the key negotiation module.

协商网络数据包的交互。本端网络密码设备(发起方)的协商包,密钥协商模块将其转为私有格式并通过消息队列发送业务处理模块,业务处理模块接收后对数据包进行解析,还原成标准的TCP/IP网络数据包并发送给对端网络密码设备(响应方)。对端设备处理完成后,将网络数据包发送给业务处理模块,业务处理模块将接收到的网络数据包按照TCP/IP网络报文格式,剥离掉该网络报文所有头部信息,仅保留原地址、目的地址、源端口、目的端口、IKE载荷信息,通过私有格式交由密钥协商模块进行处理。经过多次交互后,协商出最终SA和SA-SP关联关系,下发给业务处理模块,由其进行业务数据加密和解密。其中SA表示安全联盟,SP表示安全策略。Negotiate the interaction of network data packets. The negotiation packet of the local network cryptographic device (initiator) is converted by the key negotiation module into a private format and sent to the business processing module through the message queue. After receiving the packet, the business processing module parses the packet, restores it to a standard TCP/IP network packet and sends it to the peer network cryptographic device (responder). After the peer device completes the processing, it sends the network packet to the business processing module. The business processing module strips off all the header information of the received network packet according to the TCP/IP network message format, retains only the original address, destination address, source port, destination port, and IKE payload information, and hands it over to the key negotiation module for processing in a private format. After multiple interactions, the final SA and SA-SP association relationship are negotiated and sent to the business processing module, which encrypts and decrypts the business data. SA stands for security alliance and SP stands for security policy.

算法运算。协商过程中使用到的加密算法,由密钥协商模块通过硬件加密卡/FPGA/软算法应用层接口进行调用,硬件加密卡/FPGA/软算法将运算结果发送给密钥协商模块。网络数据包的加解密过程与密钥协商无关,此处不再赘述。Algorithm operation. The encryption algorithm used in the negotiation process is called by the key negotiation module through the hardware encryption card/FPGA/soft algorithm application layer interface, and the hardware encryption card/FPGA/soft algorithm sends the operation result to the key negotiation module. The encryption and decryption process of network data packets has nothing to do with key negotiation and will not be described here.

SAD/SPD维护。SAD的维护是整个网络密码设备的安全核心。密钥协商模块负责维护SAD表。单个SA属性既包括其策略的属性,例如传输、隧道、协议号等,也包括它的序号、生命周期、SPI(是ipsec报文中的安全参数索引,用于唯一标记一个SA)等特有属性。SA序号、同方向的SA的SPI都具有唯一性,他们都由密钥协商模块生成并下发给业务处理模块。对SAD的操作包括增、删、查,都由密钥协商模块完成。SPD维护。密钥协商模块会维护一个简单SPD表,用于建立SA和SP的关联,SPD表由管理配置模块下发。SAD/SPD maintenance. The maintenance of SAD is the security core of the entire network cryptographic device. The key negotiation module is responsible for maintaining the SAD table. The attributes of a single SA include not only the attributes of its policy, such as transmission, tunnel, protocol number, etc., but also its unique attributes such as serial number, life cycle, SPI (the security parameter index in the ipsec message, used to uniquely mark an SA). The SA serial number and the SPI of the SA in the same direction are unique. They are all generated by the key negotiation module and sent to the business processing module. Operations on SAD include adding, deleting, and checking, which are all completed by the key negotiation module. SPD maintenance. The key negotiation module will maintain a simple SPD table to establish the association between SA and SP. The SPD table is issued by the management configuration module.

本实施例中,SAD的存储采用链表结构,占用的内存空间采用动态分配的方式。以上方式使得SA能够更方便的进行增删查操作。In this embodiment, the storage of SAD adopts a linked list structure, and the occupied memory space adopts a dynamic allocation method. The above method enables SA to perform addition, deletion and query operations more conveniently.

以发起方为例,新增SA的具体流程为:Taking the initiator as an example, the specific process of adding a new SA is as follows:

1)假设策略号为1,生成两字节SA序号(sad_seq),SA序号(sad_seq)生成规则为:本次生成的SA序号等于上一次生成的SA的序号加1。采用bitmap的方式保证SA序号的唯一性。1) Assuming the policy number is 1, a two-byte SA sequence number (sad_seq) is generated. The SA sequence number (sad_seq) generation rule is: the SA sequence number generated this time is equal to the SA sequence number generated last time plus 1. The bitmap method is used to ensure the uniqueness of the SA sequence number.

本实施例中,SA序号从1开始,每生成一个SA,其序号值加1,一直到我们设定的最大值后,SA又从1开始。在这期间,肯定有若干SA被删除,回收他们的SA序号。如果1被占用,则使用2。如果SA的个数达到了最大数量,则意味着所有的序号均被使用,则标记本次协商失败。In this embodiment, the SA sequence number starts from 1. Each time an SA is generated, its sequence number value increases by 1 until the maximum value we set is reached, and then the SA starts from 1 again. During this period, some SAs must be deleted and their SA sequence numbers are recycled. If 1 is occupied, 2 is used. If the number of SAs reaches the maximum number, it means that all sequence numbers are used, and this negotiation is marked as failed.

2)生成SPI,并获得对端设备生成的SPI。每个设备生成其入站SPI,并保证唯一。本端设备的入站SPI与对端设备的出站SPI相同,本端设备的出站SPI与对端设备的入站SPI相同。可采用bitmap的方式保证SPI的唯一性。2) Generate SPI and obtain the SPI generated by the peer device. Each device generates its inbound SPI and ensures that it is unique. The inbound SPI of the local device is the same as the outbound SPI of the peer device, and the outbound SPI of the local device is the same as the inbound SPI of the peer device. The bitmap method can be used to ensure the uniqueness of the SPI.

3)计算密钥值。需要计算出站SA与入站SA两个密钥,密钥值的部分明文来自于SPI。3) Calculate the key value. It is necessary to calculate the outbound SA and inbound SA keys, and part of the plaintext of the key value comes from the SPI.

4)查找SPD序号为1的出站SA。如果有,则删除,并3秒后通知业务处理模块删除。延时通知业务处理模块的原因在于,同方向同策略下可同时存在新旧两个SA,避免丢包的情况产生。通知业务处理模块删除的同时,释放其序号,可以被后续占用。4) Search for the outbound SA with SPD number 1. If there is one, delete it and notify the service processing module to delete it after 3 seconds. The reason for delaying the notification of the service processing module is that the old and new SAs can exist at the same time in the same direction and with the same policy to avoid packet loss. When notifying the service processing module to delete it, its number is released so that it can be occupied later.

5)配置出站SA属性,出站SA属性一部分来自于策略1,其他由密钥协商模块产生。5) Configure outbound SA attributes. Some of the outbound SA attributes come from policy 1, and the rest are generated by the key negotiation module.

6)下发出站SA给业务处理模块,并将出站SA插入链表。6) Send the outbound SA to the business processing module and insert the outbound SA into the linked list.

7)查找SPD序号为1的入站SA。如果有,则删除,并3秒后通知业务处理模块删除。延时通知业务处理模块的原因在于,同方向同策略下可同时存在新旧两个SA,避免丢包的情况产生。通知业务处理模块删除的同时,释放其序号,可以被后续占用。7) Search for the inbound SA with SPD number 1. If there is one, delete it and notify the service processing module to delete it after 3 seconds. The reason for delaying the notification of the service processing module is that the old and new SAs can exist at the same time in the same direction and with the same policy to avoid packet loss. When notifying the service processing module to delete it, its sequence number is released so that it can be occupied later.

8)配置新入站SA属性,新入站SA属性一部分来自于策略1,其他由密钥协商模块产生。8) Configure new inbound SA attributes. Some of the new inbound SA attributes come from policy 1, and the rest are generated by the key negotiation module.

9)下发入站SA给业务处理模块,并将入站SA插入链表。9) Send the inbound SA to the business processing module and insert the inbound SA into the linked list.

密钥重协商。密钥重协商的触发有两种:包个数触发和时间触发。Key renegotiation. There are two types of triggers for key renegotiation: packet number trigger and time trigger.

包个数触发由业务处理模块进行管理,因为加解密的包个数由业务处理模块统计。当包个数生命周期到达后,业务处理模块通过消息队列向密钥协商模块发出重协商命令,密钥协商模块依据其中的SPD序号进行重协商。The packet number trigger is managed by the business processing module, because the number of encrypted and decrypted packets is counted by the business processing module. When the packet number life cycle is reached, the business processing module sends a renegotiation command to the key negotiation module through the message queue, and the key negotiation module performs renegotiation based on the SPD sequence number.

时间触发由密钥协商模块管控。当SA到达生命周期,密钥协商模块会自动发起重协商。发起重协商的时间一般设定为其生命周期的80%。如果100%生命周期达到后还没有协商出新SA,则强制删除SA。The time trigger is controlled by the key negotiation module. When the SA reaches its life cycle, the key negotiation module automatically initiates renegotiation. The time to initiate renegotiation is generally set to 80% of its life cycle. If no new SA is negotiated after 100% of the life cycle is reached, the SA is forcibly deleted.

重协商流程与首次协商基本一致。不同处在于,重协商完成后,会通知业务处理模块删除旧SA,装载新SA。The re-negotiation process is basically the same as the initial negotiation process. The difference is that after the re-negotiation is completed, the service processing module will be notified to delete the old SA and load the new SA.

实施例3Example 3

如图2所示,硬件加密卡/FPGA/软算法通过应用层接口为密钥协商模块提供对称算法服务、非对称算法服务、散列函数运算服务、随机数等服务。As shown in Figure 2, the hardware encryption card/FPGA/soft algorithm provides symmetric algorithm services, asymmetric algorithm services, hash function operation services, random number services and other services for the key negotiation module through the application layer interface.

以密钥协商使用FPGA算法服务为例,密钥协商模块通过应用层接口调用加密算法的过程为:Taking the key negotiation using FPGA algorithm service as an example, the process of the key negotiation module calling the encryption algorithm through the application layer interface is as follows:

S11)、密钥协商模块依据所需对应运算服务类型,使用自定义数据格式进行数据请求包的组建。S11), the key negotiation module uses a custom data format to construct a data request packet according to the required corresponding operation service type.

S12)、密钥协商模块通过应用层接口将所组建的请求包数据传递到FPGA算法空闲队列内部。S12), the key negotiation module transmits the assembled request packet data to the FPGA algorithm idle queue through the application layer interface.

S13)、FPGA监测到空闲队列有算法请求包,对请求包进行解析并依据请求服务类型标识来进行密码运算并将结果返回。S13), FPGA detects that there is an algorithm request packet in the idle queue, parses the request packet, performs cryptographic operation according to the request service type identifier, and returns the result.

S14)、密钥协商模块接收响应数据包并进行解析,获取本次请求数据的结果。S14), the key negotiation module receives and parses the response data packet to obtain the result of the request data.

实施例4Example 4

本实施例中,密钥协商模块与业务处理模块通过系统消息队列采用私有格式进行通信。In this embodiment, the key negotiation module and the service processing module communicate with each other through the system message queue in a private format.

如图3所示,协商交互网络数据包采用自定义私有格式,针对密钥协商模块发送的数据(包含原地址、目的地址、源端口、目的端口、IKE载荷信息),业务处理模块还原成标准的TCP/IP网络报文格式,通过网络发送出去。反方向,业务处理模块将接收到的协商数据包,按照TCP/IP网络报文格式,剥离掉该网络报文所有头部信息,仅保留原地址、目的地址、源端口、目的端口、IKE载荷信息,通过私有格式交由密钥协商模块进行处理。通过该方法,彻底切断TCP/IP协议通讯,从而满足密钥协商处理安全的需要。As shown in Figure 3, the negotiation interaction network data packet adopts a custom private format. For the data sent by the key negotiation module (including the original address, destination address, source port, destination port, and IKE payload information), the business processing module restores it to the standard TCP/IP network message format and sends it out through the network. In the opposite direction, the business processing module strips off all the header information of the received negotiation data packet according to the TCP/IP network message format, retaining only the original address, destination address, source port, destination port, and IKE payload information, and passes it to the key negotiation module for processing in a private format. Through this method, the TCP/IP protocol communication is completely cut off, thereby meeting the needs of key negotiation processing security.

密钥协商成员与业务处理模块交互其他数据包同样采用私有格式,包括SA下发、IKE请求数据包等。Other data packets exchanged between the key negotiation members and the service processing module also use a private format, including SA delivery, IKE request data packets, etc.

以上描述的仅是本发明的基本原理和优选实施例,本领域技术人员根据本发明做出的改进和替换,属于本发明的保护范围。The above description is only the basic principle and preferred embodiments of the present invention. Improvements and substitutions made by those skilled in the art based on the present invention belong to the protection scope of the present invention.

Claims (8)

1. A key negotiation method based on DPDK architecture is characterized in that: the method is realized based on a key negotiation system, wherein the key negotiation system comprises a management configuration module, a service processing module, a key negotiation module, a DPDK component and a DPDK driver, wherein the management configuration module is respectively connected with the service processing module and the key negotiation module and is used for sending management configuration data to the service management module and the key negotiation module, and the management configuration data comprises system configuration and a security policy; the service processing module is used for network data receiving and transmitting, service data encrypting and decrypting, data packaging and decapsulating and negotiating flow triggering, the key negotiation module is used for realizing key management algorithm, SAD maintenance, SPD maintenance and IKE configuration, and the service processing module is connected with the DPDK component and the DPDK drive in sequence and used for realizing interaction of network data packets;
The method comprises the following steps:
s01), initiating key agreement, wherein the key agreement module supports two key agreement initiating modes of automatic triggering and flow triggering, the flow triggering is a necessary option, and the automatic triggering is a configuration item; if automatic triggering is configured, after the strategy is loaded successfully and the whole key negotiation system starts working, sequentially initiating negotiation on the whole strategy table until all strategy negotiation and security alliance issuing are completed, and if automatic triggering is not configured, sending a negotiation initiation request message to the key negotiation module by the service processing module to trigger the strategy negotiation;
S02), negotiating interaction of network data packets, converting the data packets of an initiator into a private format by a key negotiation module and sending the private format to a service processing module, analyzing the data packets after the service processing module receives the data packets, restoring the data packets into standard TCP/IP network data packets and sending the standard TCP/IP network data packets to a responder, sending the network data packets to the service processing module after the responder finishes processing, stripping all header information of the received network data packets according to a TCP/IP network message format by the service processing module, and only reserving original addresses, destination addresses, source ports, destination ports and IKE load information and processing the network data packets by the key negotiation module through the private format; after multiple interactions, negotiating a final SA and SA-SP association relationship, and sending the final SA and SA-SP association relationship to a service processing module, wherein the service processing module encrypts and decrypts service data; wherein SA represents a security association and SP represents a security policy;
s03), algorithm operation, wherein an encryption algorithm used in the key negotiation process is called by the key negotiation module through an application layer interface, and an operation result is sent to the key negotiation module;
S04), SAD and SPD maintenance, wherein SAD represents a security alliance database, SPD represents a security policy database, a key negotiation module is responsible for maintaining SAD tables and operating the SAD tables, and an initial SPD table is issued by a management configuration module and is subsequently maintained by the key negotiation module;
S05), key renegotiation, and after the key renegotiation is completed, notifying a service processing module to delete the old SA and load the new SA.
2. The DPDK architecture based key agreement method according to claim 1, wherein: the encryption algorithm used in the key negotiation process is integrated on a hardware encryption card, an FPGA or a soft algorithm, and the key negotiation module calls the encryption algorithm through an application layer interface.
3. The DPDK architecture based key agreement method according to claim 2, wherein: the key negotiation module calls an encryption algorithm in the FPGA to carry out algorithm operation, and the process comprises the following steps:
S11), the key negotiation module builds a data request packet by using a custom data format according to the required operation service type;
s12), the key negotiation module transmits the built data request packet to the inside of an FPGA algorithm idle queue through an application layer interface;
S13), the FPGA monitors that the idle queue has a data request packet, analyzes the data request packet, carries out password operation according to the request service type identifier and returns a result;
S14), the key negotiation module receives and analyzes the response data packet to obtain the result of the request data.
4. The DPDK architecture based key agreement method according to claim 1, wherein: the single SA attribute comprises a strategy attribute, a serial number, a life cycle and an SPI, wherein the SPI is a security parameter index in an ipsec message and is used for uniquely marking one SA, the SA serial number and the SPI of the SA in the same direction are unique, and the SPI is generated by a key negotiation module and issued to a service processing module; the SAD is stored in a linked list structure, and the occupied memory space is dynamically allocated.
5. The DPDK architecture based key agreement method according to claim 4, wherein: the SAD operation comprises adding, deleting and checking, which are completed by a key negotiation module;
the specific flow of the newly added SA is as follows:
S21), assuming that the policy number is 1, generating an SA number, and the generation rule is: the SA serial number generated at this time is equal to the serial number of the SA generated last time plus 1;
S22), generating SPIs and obtaining SPIs generated by opposite terminal equipment, wherein each opposite terminal equipment generates an inbound SPI thereof, the inbound SPI of the local terminal equipment is identical to the outbound SPI of the opposite terminal equipment, and the outbound SPI of the local terminal equipment is identical to the inbound SPI of the opposite terminal equipment;
S23), calculating a key value, and calculating two keys of the outbound SA and the inbound SA, wherein partial plaintext of the key value is from the SPI;
s24), searching an outbound SA with SPD serial number of 1, deleting if the outbound SA is found, informing a service processing module of deleting after the set time, and releasing the serial number;
s25), configuring an outbound SA attribute, wherein part of the outbound SA attribute is from the strategy 1, and the other part of the outbound SA attribute is generated by a key negotiation module;
S26), issuing an outbound SA to a service processing module, and inserting the outbound SA into a linked list;
s27), searching an inbound SA with SPD sequence number of 1, deleting if the inbound SA is available, notifying a service processing module of deleting after a set time, and releasing the sequence number;
s28), configuring new inbound SA attributes, wherein part of the new inbound SA attributes come from the strategy 1, and the other new inbound SA attributes are generated by a key negotiation module;
S29), issuing the inbound SA to the service processing module, and inserting the inbound SA into the linked list.
6. The DPDK architecture based key agreement method according to claim 5, wherein: steps S21) and S22), uniqueness of the SA sequence number and the SPI is ensured by adopting a bitmap method.
7. The DPDK architecture based key agreement method according to claim 1, wherein: the triggering mode of key renegotiation comprises packet number triggering and time triggering, wherein the packet number triggering is implemented by a service processing module, and when the life cycle of the packet number arrives, the service processing module sends a renegotiation command to a key negotiation module through a message queue, and the key negotiation module renegotiates according to the SPD sequence number in the key negotiation module;
The time triggering is implemented by a key agreement module which automatically initiates a key renegotiation when the SA arrives at the lifecycle.
8. The DPDK architecture based key agreement method according to claim 7, wherein: in the time triggered mode, the time for initiating the key renegotiation is set to 80% of its life cycle, and if no new SA has been negotiated after 100% of the life cycle is reached, the SA is forcedly deleted.
CN202410338237.4A 2024-03-25 2024-03-25 A key negotiation system and method based on DPDK architecture Active CN117955648B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410338237.4A CN117955648B (en) 2024-03-25 2024-03-25 A key negotiation system and method based on DPDK architecture

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410338237.4A CN117955648B (en) 2024-03-25 2024-03-25 A key negotiation system and method based on DPDK architecture

Publications (2)

Publication Number Publication Date
CN117955648A CN117955648A (en) 2024-04-30
CN117955648B true CN117955648B (en) 2024-06-04

Family

ID=90793097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410338237.4A Active CN117955648B (en) 2024-03-25 2024-03-25 A key negotiation system and method based on DPDK architecture

Country Status (1)

Country Link
CN (1) CN117955648B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131245A (en) * 2019-12-24 2020-05-08 杭州赛客睿特技术有限公司 Data transmission method and device, electronic equipment and storage medium
CN113364811A (en) * 2021-07-05 2021-09-07 北京慧橙信息科技有限公司 Network layer safety protection system and method based on IKE protocol
CN114285594A (en) * 2021-11-12 2022-04-05 贵州电网有限责任公司 Key negotiation method for software implementation design
CN115277036A (en) * 2021-04-30 2022-11-01 中创为(成都)量子通信技术有限公司 Communication method, network device, and computer-readable storage medium
CN115314195A (en) * 2022-08-08 2022-11-08 北京国领科技有限公司 A method for implementing high-speed IPSec using a network card with a password function
CN115941171A (en) * 2022-11-28 2023-04-07 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Network key exchange negotiation method, device and network equipment
CN116132025A (en) * 2022-11-22 2023-05-16 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Key negotiation method, device and communication system based on preset key group

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7536719B2 (en) * 2003-01-07 2009-05-19 Microsoft Corporation Method and apparatus for preventing a denial of service attack during key negotiation
US11102186B2 (en) * 2018-04-26 2021-08-24 Vmware, Inc. Packet capture in software-defined networking (SDN) environments

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111131245A (en) * 2019-12-24 2020-05-08 杭州赛客睿特技术有限公司 Data transmission method and device, electronic equipment and storage medium
CN115277036A (en) * 2021-04-30 2022-11-01 中创为(成都)量子通信技术有限公司 Communication method, network device, and computer-readable storage medium
CN113364811A (en) * 2021-07-05 2021-09-07 北京慧橙信息科技有限公司 Network layer safety protection system and method based on IKE protocol
CN114285594A (en) * 2021-11-12 2022-04-05 贵州电网有限责任公司 Key negotiation method for software implementation design
CN115314195A (en) * 2022-08-08 2022-11-08 北京国领科技有限公司 A method for implementing high-speed IPSec using a network card with a password function
CN116132025A (en) * 2022-11-22 2023-05-16 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Key negotiation method, device and communication system based on preset key group
CN115941171A (en) * 2022-11-28 2023-04-07 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) Network key exchange negotiation method, device and network equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
配电安全交互网关报文处理机制;郭江涛;沈佳;刘昆;邹岳林;;计算机与现代化;20180715(07);全文 *

Also Published As

Publication number Publication date
CN117955648A (en) 2024-04-30

Similar Documents

Publication Publication Date Title
CN100576849C (en) Method and apparatus for managing address translation for secure connections
US7162630B2 (en) Systems and methods for implementing host-based security in a computer network
US20060002388A1 (en) System and method for supporting secured communication by an aliased cluster
WO2019024880A1 (en) Message sending method and network device
US20020184487A1 (en) System and method for distributing security processing functions for network applications
US7783035B2 (en) Systems and methods for implementing host-based security in a computer network
WO2019114703A1 (en) Secure communication method, apparatus and device
CN106411767A (en) Transporting operations of arbitrary size over remote direct memory access
WO2020258302A1 (en) Method, switch, and sites for data transmission
WO2009082889A1 (en) A method for internet key exchange negotiation and device, system thereof
CN115567205A (en) Method and system for implementing encryption and decryption of network session data streams by using quantum key distribution
CN100499451C (en) Network communication safe processor and its data processing method
CN113810397B (en) Protocol data processing method and device
CN106161340B (en) Service distribution method and system
US20250158953A1 (en) In-line transmission control protocol processing engine using a systolic array
CN113765885B (en) Firewall rule synchronization method and device, electronic equipment and storage medium
WO2023061158A1 (en) Encryption and decryption method and apparatus, and computer-readable storage medium
CN110768870A (en) Quality monitoring method and device for intelligent special line
CN100539537C (en) A kind of IPSec of utilization expands to the network route in the method and the device of telecommunication network
CN117955648B (en) A key negotiation system and method based on DPDK architecture
CN114641014A (en) User plane entity, configuration method, system and equipment
WO2024037366A1 (en) Forwarding rule issuing method, and intelligent network interface card and storage medium
CN1984131A (en) Method for processing distributed IPSec
US11025728B2 (en) Methods for facilitating secure connections for an operating system kernel and devices thereof
CN109905213A (en) Data security transmission method and node device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20250425

Address after: 250101 room 1901, No. 933, Shuntai North Road, high tech Zone, Jinan City, Shandong Province

Patentee after: SHANDONG HUAYI MICRO-ELECTRONICS Co.,Ltd.

Country or region after: China

Address before: No. 933 Shuntai North Road, High tech Zone, Jinan City, Shandong Province, 250101

Patentee before: Shandong Aerospace Artificial Intelligence Security Chip Research Institute

Country or region before: China

TR01 Transfer of patent right