
CN107454116A - Optimization method and device for the IPsec ESP protocol in single tunnel mode

Info

Publication number
CN107454116A
Authority
CN
China
Prior art keywords
encryption
grouped data
data
destination address
mapping relations
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710936409.8A
Other languages
Chinese (zh)
Inventor
李光辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhengzhou Yunhai Information Technology Co Ltd filed Critical Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201710936409.8A priority Critical patent/CN107454116A/en
Publication of CN107454116A publication Critical patent/CN107454116A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an optimization method for the IPsec ESP protocol in single tunnel mode, applied to the encryption end. The method determines the mapping relation between each piece of packet data in the original data and the destination address, encrypts the packet data to obtain encrypted packet data, inserts the mapping relation into the encrypted packet data to obtain transmission data, and finally sends the transmission data to the decryption end. The decryption end assigns the encrypted packet data to the execution devices according to the mapping relation, and the execution devices then decrypt the encrypted packet data. With this method, the decryption end assigns the encrypted packet data to multiple execution devices for decryption, and the multiple execution devices decrypt the encrypted packet data, which greatly improves decryption efficiency in single tunnel mode. The invention also provides an optimization method for the IPsec ESP protocol in single tunnel mode applied to the decryption end, and two devices corresponding to the two methods, whose effects correspond to those of the methods.

Description

Optimization method and device for the IPsec ESP protocol in single tunnel mode
Technical field
The present invention relates to the computer field, and in particular to an optimization method and device for the IPsec ESP protocol in single tunnel mode.
Background
With the development of the Internet, its coverage has become wider and wider. However, the Internet has a large number of untrustworthy users, and many of the routes between networks are managed by people of unknown identity. Data must pass through these routes during transmission, so the security of data transmitted over the Internet cannot be guaranteed.
To secure Internet data transmission, IPsec (Internet Protocol Security) was designed by the IETF as a mechanism for securing end-to-end communication at the IP layer. It is not a single protocol but a set of protocols and services that provide complete security for IP networks. The Encapsulating Security Payload protocol, IPsec ESP, is one of the main protocols in the IPsec architecture. IPsec ESP encrypts the data to be protected and places the encrypted information in the data portion of the IPsec ESP packet to provide confidentiality and integrity.
IPsec provides two security modes, tunnel and transport, for different network structure requirements. Tunnel mode is a way of transmitting data between networks by using the infrastructure of the Internet. The tunnel protocol re-encapsulates the data frames or packets of other protocols and then sends them through the tunnel; a new header provides the routing information so that the encapsulated payload data can be transmitted over the Internet.
However, for the IPsec ESP protocol in single tunnel mode, the encrypted data in the single tunnel has one unique tuple, so the network interface card places every received packet of this flow in the same queue. To ensure data-processing reliability and cache hit rate, the packets of each flow are processed by the same CPU. As a result, after encrypted data transmitted in this way reaches the decryption end, all of the decryption work can only be done by one CPU, and decryption efficiency is very low.
Summary of the invention
The object of the invention is to provide an optimization method and device for the IPsec ESP protocol in single tunnel mode, to solve the problem of low decryption efficiency in single tunnel mode.
To solve the above technical problem, the present invention provides an optimization method for the IPsec ESP protocol in single tunnel mode, applied to the encryption end, including:
Determining the mapping relation between each piece of packet data in the original data of the encryption end and the destination address;
Encrypting each piece of packet data to obtain encrypted packet data;
Inserting the mapping relation into each piece of encrypted packet data to obtain transmission data;
Sending the transmission data to the decryption end, so that the decryption end, according to the mapping relation in the transmission data, assigns the encrypted packet data to the execution devices in the decryption end that correspond to the destination address, and the execution devices then decrypt the encrypted packet data.
Wherein, determining the mapping relation between each piece of packet data in the original data of the encryption end and the destination address includes:
Using a hash algorithm to calculate the hash value between each piece of packet data in the original data of the encryption end and the destination address, the hash value reflecting the mapping relation between the packet data and the destination address.
Wherein, the packet data is tuple data.
Wherein, the execution device is a CPU.
Wherein, before determining the mapping relation between each piece of packet data in the original data of the encryption end and the destination address, the method further includes:
Establishing a tunnel between the encryption end and the decryption end.
The present invention also provides an optimization method for the IPsec ESP protocol in single tunnel mode, applied to the decryption end, including:
Receiving the transmission data sent by the encryption end, the transmission data including encrypted packet data and the mapping relation between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data;
Assigning the encrypted packet data, according to the mapping relation, to the execution devices corresponding to the destination address;
Decrypting the encrypted packet data by means of the execution devices.
Wherein, receiving the transmission data sent by the encryption end, the transmission data including encrypted packet data and the mapping relation between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data, includes:
Receiving the transmission data sent by the encryption end, the transmission data including encrypted packet data and the corresponding hash value between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data, and the hash value being obtained by the encryption end using a hash algorithm to determine the mapping relation between each piece of packet data in the original data and the destination address;
Assigning the encrypted packet data, according to the mapping relation, to the execution devices corresponding to the destination address includes:
Assigning the encrypted packet data, according to the hash value, to the execution devices corresponding to the destination address.
In addition, the present invention also provides an optimization device for the IPsec ESP protocol in single tunnel mode, applied to the encryption end, including:
Determining module: for determining the mapping relation between each piece of packet data in the original data of the encryption end and the destination address;
Encrypting module: for encrypting each piece of packet data to obtain encrypted packet data;
Inserting module: for inserting the mapping relation into each piece of encrypted packet data to obtain transmission data;
Sending module: for sending the transmission data to the decryption end, so that the decryption end, according to the mapping relation in the transmission data, assigns the encrypted packet data to the execution devices in the decryption end that correspond to the destination address, and the execution devices then decrypt the encrypted packet data.
Wherein, the device also includes:
Establishing module: for establishing a tunnel between the encryption end and the decryption end.
Finally, the present invention also provides an optimization device for the IPsec ESP protocol in single tunnel mode, applied to the decryption end, including:
Receiving module: for receiving the transmission data sent by the encryption end, the transmission data including encrypted packet data and the mapping relation between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data;
Distributing module: for assigning the encrypted packet data, according to the mapping relation, to the execution devices corresponding to the destination address;
Decrypting module: for decrypting the encrypted packet data by means of the execution devices.
In the optimization method for the IPsec ESP protocol in single tunnel mode provided by the invention, applied to the encryption end, before sending data the encryption end first determines the mapping relation between each piece of packet data in the original data and the destination address, then encrypts the packet data to obtain encrypted packet data, then inserts the mapping relation into the encrypted packet data to obtain transmission data, and finally sends the transmission data to the decryption end. The decryption end, according to the mapping relation in the transmission data, assigns the encrypted packet data to the execution devices in the decryption end that correspond to the destination address, and the execution devices then decrypt the encrypted packet data.
It can be seen that, in the optimization method provided by the invention, before transmitting data the encryption end inserts the mapping relation into the encrypted packet data to obtain transmission data and then sends the transmission data to the decryption end. The decryption end then assigns the encrypted packet data to the execution devices according to the mapping relation, so that the execution devices decrypt the encrypted packet data. With this method, the decryption end can assign the encrypted packet data to multiple execution devices for decryption according to the mapping relation, and the multiple execution devices decrypt the encrypted packet data at the same time, which greatly improves decryption efficiency in single tunnel mode.
The present invention also provides an optimization method for the IPsec ESP protocol in single tunnel mode applied to the decryption end, and two optimization devices for the IPsec ESP protocol in single tunnel mode corresponding to the two methods. Their effects correspond to those of the methods and are not repeated here.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of an optimization method for the IPsec ESP protocol in single tunnel mode provided by the invention;
Fig. 2 is a flow chart of an embodiment of another optimization method for the IPsec ESP protocol in single tunnel mode provided by the invention;
Fig. 3 is a structural and functional diagram of an optimization device for the IPsec ESP protocol in single tunnel mode provided by the invention;
Fig. 4 is a structural and functional diagram of another optimization device for the IPsec ESP protocol in single tunnel mode provided by the invention.
Detailed description of the embodiments
The core of the invention is to provide an optimization method and device for the IPsec ESP protocol in single tunnel mode.
To help those skilled in the art better understand the solution of the invention, the invention is described in further detail below with reference to the drawings and specific embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Embodiment one of the optimization method for the IPsec ESP protocol in single tunnel mode provided by the invention is described in detail below. Referring to Fig. 1, embodiment one specifically includes:
Step S11: Determine the mapping relation between each piece of packet data in the original data of the encryption end and the destination address.
The encryption end is the end that encrypts the original data, and the destination address is the address to which the original data is finally transmitted.
Specifically, the mapping relation between each piece of packet data in the original data of the encryption end and the target data can be determined by using a hash algorithm to calculate the hash value between each piece of packet data in the original data of the transmitting end and the destination address; the hash value reflects the mapping relation between the packet data and the destination address. The packet data can be tuple data.
Before the mapping relation between each piece of packet data in the original data of the encryption end and the target data is determined, two unidirectional security associations (SAs) can be established between the encryption end and the decryption end to form the tunnel between them.
It should be noted that the tunnel can connect a gateway to a gateway, a server to a server, or a gateway to a server. Therefore, for Router A and Router B at the two ends of the tunnel, there may be multiple hosts downstream of each. Notably, the traffic between each host downstream of Router A and each host downstream of Router B is a separate data flow, and each data flow is directed to one execution device of the decryption end.
Step S12: Encrypt each piece of packet data to obtain encrypted packet data.
After the encrypted packet data is obtained, it needs to be encapsulated so that it can be transmitted in the tunnel. In this embodiment, the IPsec ESP protocol can be used to encrypt the packet data.
Step S13: Insert the mapping relation into each piece of encrypted packet data to obtain transmission data.
Specifically, the hash value can be inserted into the encrypted packet data to obtain the transmission data.
Step S14: Send the transmission data to the decryption end, so that the decryption end, according to the mapping relation in the transmission data, assigns the encrypted packet data to the execution devices in the decryption end that correspond to the destination address, and the execution devices then decrypt the encrypted packet data.
The execution devices are used to decrypt the encrypted packet data, and an execution device can be a CPU. Specifically, after the transmission data reaches CPU1 of the decryption end, CPU1 can split the transmission data into multiple data flows according to the mapping relation. Each data flow is directed, according to its own mapping relation, to the execution device of the decryption end that corresponds to the destination address. Finally, each execution device decrypts the encrypted packet data.
In the optimization method for the IPsec ESP protocol in single tunnel mode provided by this embodiment, before transmitting data the encryption end inserts the mapping relation into the encrypted packet data to obtain transmission data and then sends the transmission data to the decryption end. The decryption end then assigns the encrypted packet data to the execution devices according to the mapping relation, so that the execution devices decrypt the encrypted packet data. With this method, the decryption end can assign the encrypted packet data to multiple execution devices for decryption according to the mapping relation, and the multiple execution devices decrypt the encrypted packet data at the same time, which greatly improves decryption efficiency in single tunnel mode.
The optimization method provided by embodiment one is applied to the encryption end. The invention also provides embodiment two of an optimization method for the IPsec ESP protocol in single tunnel mode, that is, the optimization method applied to the decryption end.
Embodiment two is introduced below. Referring to Fig. 2, embodiment two specifically includes:
Step S21: Receive the transmission data sent by the encryption end. The transmission data includes encrypted packet data and the mapping relation between the packet data and the destination address; the encrypted packet data is obtained by encrypting the packet data.
Specifically, the decryption end receives the transmission data sent by the encryption end. The transmission data can include encrypted packet data and the corresponding hash value between the packet data and the destination address. The encrypted packet data is obtained by encrypting the packet data, and the hash value can be obtained by the encryption end using a hash algorithm to determine the mapping relation between each piece of packet data in the original data and the destination address.
Step S22: Assign the encrypted packet data, according to the mapping relation, to the execution devices corresponding to the destination address.
Specifically, the encrypted packet data can be assigned, according to the hash value, to the execution devices corresponding to the destination address, where an execution device can be a CPU.
Step S23: Decrypt the encrypted packet data by means of the execution devices.
In the optimization method for the IPsec ESP protocol in single tunnel mode provided by this embodiment, applied to the decryption end, the decryption end first receives the transmission data sent by the encryption end, which includes encrypted packet data and the correspondence between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data. It then assigns the encrypted packet data, according to the mapping relation, to the execution devices corresponding to the destination address. Finally, the execution devices decrypt the encrypted packet data. With this method, the decryption end can assign the encrypted packet data to multiple execution devices for decryption according to the mapping relation, and the multiple execution devices decrypt the encrypted packet data at the same time, which greatly improves decryption efficiency in single tunnel mode.
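Steps S11 to S14 of embodiment one and S21 to S23 of embodiment two, run end to end next to the single-queue baseline from the background section, as an added example that is not code from the patent or its applicant. Assumptions: SHA-256 truncated to 32 bits stands in for the unspecified hash algorithm, the hash travels in a cleartext field after the SPI and sequence number and is covered by the integrity value, a keystream built from SHA-256 stands in for a real ESP transform, and all keys, addresses and function names are constructed for the demo.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

NUM_CPUS = 4                               # execution devices at the decryption end
ENC_KEY = b"constructed-demo-enc-key"      # constructed sample keys, not real SA keys
AUTH_KEY = b"constructed-demo-auth-key"
HDR = struct.Struct("!III")                # SPI, sequence number, flow hash (assumed layout)
ICV_LEN = 16


def flow_hash(tuple_fields):
    """32-bit hash over a tuple; over the inner tuple it is the 'mapping relation'."""
    digest = hashlib.sha256("|".join(map(str, tuple_fields)).encode()).digest()
    return struct.unpack("!I", digest[:4])[0]


def outer_queue(outer_src, outer_dst, spi):
    """Baseline: the NIC sees only the tunnel's outer tuple, identical for every packet."""
    return flow_hash((outer_src, outer_dst, spi)) % NUM_CPUS


def _keystream_xor(data, seq):
    """Stand-in cipher (SHA-256 in counter mode) so the demo runs offline."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(ENC_KEY + struct.pack("!II", seq, counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(spi, seq, inner_tuple, payload):
    """Encryption end, S11-S13: hash the inner tuple, encrypt, insert the hash."""
    header = HDR.pack(spi, seq, flow_hash(inner_tuple))
    ciphertext = _keystream_xor(payload, seq)
    # The integrity value covers the header, so the inserted hash cannot be
    # changed in transit without the packet being rejected (assumed design).
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def dispatch(packet):
    """Decryption end, S22: choose a CPU from the cleartext hash, without decrypting."""
    _spi, _seq, tag = HDR.unpack_from(packet)
    return tag % NUM_CPUS


def open_packet(packet):
    """Decryption end, S23: runs on the chosen CPU; verify first, then decrypt."""
    header = packet[:HDR.size]
    ciphertext, icv = packet[HDR.size:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("integrity check failed")
    _spi, seq, _tag = HDR.unpack(header)
    return _keystream_xor(ciphertext, seq)


def run_demo(flows=32, packets_per_flow=3):
    """Send constructed flows through one tunnel; return baseline and per-CPU results."""
    spi, seq = 0x1001, 0
    baseline = set()                  # queues chosen from the outer tuple only
    per_cpu = defaultdict(list)       # cpu -> decrypted payloads
    flow_to_cpus = defaultdict(set)   # inner tuple -> CPUs that saw it
    for f in range(flows):
        # Hosts behind Router A talking to hosts behind Router B (constructed).
        inner = ("10.1.0.%d" % (f % 8 + 1), "10.2.0.%d" % (f % 4 + 1), 40000 + f, 443, "tcp")
        for _ in range(packets_per_flow):
            seq += 1
            packet = seal(spi, seq, inner, b"payload of flow %d" % f)
            baseline.add(outer_queue("198.51.100.1", "203.0.113.1", spi))
            cpu = dispatch(packet)
            per_cpu[cpu].append(open_packet(packet))
            flow_to_cpus[inner].add(cpu)
    return baseline, per_cpu, flow_to_cpus


if __name__ == "__main__":
    baseline, per_cpu, _ = run_demo()
    print("baseline queues used:", sorted(baseline))
    print("packets per CPU with inserted hash:", {c: len(p) for c, p in sorted(per_cpu.items())})
```

Because the CPU is chosen from the hash of the inner tuple, all packets of one inner flow stay on one CPU, which keeps the per-flow ordering and cache locality that the background section gives as the reason for single-CPU processing.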
The optimization device for the IPsec ESP protocol in single tunnel mode provided by an embodiment of the present invention is introduced below. The optimization device described below and embodiment one of the optimization method described above can be referred to in correspondence with each other.
Fig. 3 is a structural block diagram of the optimization device for the IPsec ESP protocol in single tunnel mode provided by an embodiment of the present invention. Referring to Fig. 3, the device can include:
Determining module 31: for determining the mapping relation between each piece of packet data in the original data of the encryption end and the destination address.
Encrypting module 32: for encrypting each piece of packet data to obtain encrypted packet data.
Inserting module 33: for inserting the mapping relation into each piece of encrypted packet data to obtain transmission data.
Sending module 34: for sending the transmission data to the decryption end, so that the decryption end, according to the mapping relation in the transmission data, assigns the encrypted packet data to the execution devices in the decryption end that correspond to the destination address, and the execution devices then decrypt the encrypted packet data.
Wherein, the device also includes:
Establishing module: for establishing a tunnel between the encryption end and the decryption end.
Wherein, the encrypting module can also be used to calculate, using a hash algorithm, the hash value between each piece of packet data in the original data of the encryption end and the destination address, the hash value reflecting the mapping relation between the packet data and the destination address.
The optimization device of this embodiment is used to implement the optimization method for the IPsec ESP protocol in single tunnel mode described above, so the specific implementation of the device can be found in the method embodiments above. For example, determining module 31, encrypting module 32, inserting module 33 and sending module 34 are used to implement steps S11, S12, S13 and S14 of the optimization method respectively. Their implementation can therefore refer to the description of the corresponding embodiments and is not repeated here.
Because this embodiment is used to implement the optimization method for the IPsec ESP protocol in single tunnel mode described above, its effect corresponds to that of the method and is not repeated here.
Finally, the present invention also provides an optimization device for the IPsec ESP protocol in single tunnel mode, applied to the decryption end. The optimization device described below and embodiment two of the optimization method described above can be referred to in correspondence with each other.
Fig. 4 is a structural block diagram of the optimization device for the IPsec ESP protocol in single tunnel mode provided by an embodiment of the present invention. Referring to Fig. 4, the device can include:
Receiving module 41: for receiving the transmission data sent by the encryption end, the transmission data including encrypted packet data and the mapping relation between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data;
Distributing module 42: for assigning the encrypted packet data, according to the mapping relation, to the execution devices corresponding to the destination address;
Decrypting module 43: for decrypting the encrypted packet data by means of the execution devices.
Wherein, the receiving module can also be used to receive the transmission data sent by the encryption end, the transmission data including encrypted packet data and the corresponding hash value between the packet data and the destination address, the encrypted packet data being obtained by encrypting the packet data, and the hash value being obtained by the encryption end using a hash algorithm to determine the mapping relation between each piece of packet data in the original data and the destination address. The distributing module can also be used to assign the encrypted packet data, according to the hash value, to the execution devices corresponding to the destination address.
Wherein, the device can also include:
Establishing module: for establishing a tunnel between the encryption end and the decryption end.
The optimization device of this embodiment is used to implement the optimization method for the IPsec ESP protocol in single tunnel mode described above, so the specific implementation of the device can be found in the method embodiments above. For example, receiving module 41, distributing module 42 and decrypting module 43 are used to implement steps S21, S22 and S23 of the optimization method respectively. Their implementation can therefore refer to the description of the corresponding embodiments and is not repeated here.
Because this embodiment is used to implement the optimization method for the IPsec ESP protocol in single tunnel mode described above, its effect corresponds to that of the method and is not repeated here.
The embodiments in this specification are described progressively. Each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to each other. Because the devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively brief; for the relevant parts, see the description of the methods.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the invention.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can be placed in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
The optimization method and device for the IPsec ESP protocol in single tunnel mode provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and embodiments of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. It should be pointed out that a person of ordinary skill in the art can make improvements and modifications to the invention without departing from its principle, and these improvements and modifications also fall within the scope of protection of the claims of the invention.

Claims (10)

  1. An optimization method for the IPsec ESP protocol in single-tunnel mode, applied to an encryption end, characterized by comprising:
    determining the mapping relations between each item of grouped data and a destination address in the initial data at the encryption end;
    encrypting each item of grouped data to obtain encrypted grouped data;
    inserting the mapping relations into each item of encrypted grouped data to obtain transmission data;
    sending the transmission data to a decrypting end, so that the decrypting end, according to the mapping relations in the transmission data, assigns the encrypted grouped data to each execution device in the decrypting end corresponding to the destination address, and the execution device decrypts the encrypted grouped data.
  2. The method as claimed in claim 1, characterized in that determining the mapping relations between each item of grouped data and the destination address in the initial data at the encryption end comprises:
    calculating, using a hash algorithm, the hash values between each item of grouped data and the destination address in the initial data at the encryption end, the hash values reflecting the mapping relations between the grouped data and the destination address.
  3. The method as claimed in claim 2, characterized in that the grouped data is tuple data.
  4. The method as claimed in claim 3, characterized in that the execution device is a CPU.
  5. The method as claimed in claim 1, characterized in that, before determining the mapping relations between each item of grouped data and the destination address in the initial data at the encryption end, the method further comprises:
    establishing a tunnel between the encryption end and the decrypting end.
  6. An optimization method for the IPsec ESP protocol in single-tunnel mode, applied to a decrypting end, characterized by comprising:
    receiving transmission data sent by an encryption end, the transmission data including encrypted grouped data and the mapping relations between grouped data and a destination address, the encrypted grouped data being obtained by encrypting the grouped data;
    assigning the encrypted grouped data, according to the mapping relations, to each execution device corresponding to the destination address;
    decrypting the encrypted grouped data by means of the execution device.
  7. The method as claimed in claim 6, characterized in that receiving the transmission data sent by the encryption end, the transmission data including encrypted grouped data and the mapping relations between grouped data and destination address, comprises:
    receiving the transmission data sent by the encryption end, the transmission data including encrypted grouped data and the hash values corresponding to the grouped data and the destination address, the encrypted grouped data being obtained by encrypting the grouped data, and the hash values being obtained by the encryption end determining, by a hash algorithm, the mapping relations between each item of grouped data and the destination address in the initial data;
    and in that assigning the encrypted grouped data, according to the mapping relations, to each execution device corresponding to the destination address comprises:
    assigning the encrypted grouped data, according to the hash values, to each execution device corresponding to the destination address.
  8. An optimization device for the IPsec ESP protocol in single-tunnel mode, applied to an encryption end, characterized by comprising:
    a determining module, for determining the mapping relations between each item of grouped data and a destination address in the initial data at the encryption end;
    an encrypting module, for encrypting each item of grouped data to obtain encrypted grouped data;
    an inserting module, for inserting the mapping relations into each item of encrypted grouped data to obtain transmission data;
    a sending module, for sending the transmission data to a decrypting end, so that the decrypting end, according to the mapping relations in the transmission data, assigns the encrypted grouped data to each execution device in the decrypting end corresponding to the destination address, and the execution device decrypts the encrypted grouped data.
  9. The device as claimed in claim 8, characterized in that the device further comprises:
    an establishing module, for establishing a tunnel between the encryption end and the decrypting end.
  10. An optimization device for the IPsec ESP protocol in single-tunnel mode, applied to a decrypting end, characterized by comprising:
    a receiving module, for receiving transmission data sent by an encryption end, the transmission data including encrypted grouped data and the mapping relations between grouped data and a destination address, the encrypted grouped data being obtained by encrypting the grouped data;
    a distributing module, for assigning the encrypted grouped data, according to the mapping relations, to each execution device corresponding to the destination address;
    a deciphering module, for decrypting the encrypted grouped data by means of the execution device.
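
The flow in claims 1, 2, 6 and 7 can be sketched as follows. This is an added example, not code from the patent: the 8-byte header layout, the choice of CRC32 as the hash algorithm, the key and all function names are assumptions, and `toy_transform` is only a stand-in for the ESP cipher.

```python
import hashlib
import struct
import zlib

NUM_CPUS = 4                    # assumed number of execution devices (CPUs)
KEY = b"constructed-demo-key"   # constructed value, not a real SA key


def flow_hash(five_tuple):
    """Hash value over the tuple data (claims 2-3); CRC32 is an assumed choice."""
    return zlib.crc32("|".join(map(str, five_tuple)).encode())


def toy_transform(seq, data):
    """Stand-in for the ESP cipher (XOR with a SHA-256 keystream); NOT real ESP."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(KEY + struct.pack("!II", seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_side(seq, five_tuple, payload):
    """Encryption end: hash the tuple, encrypt, insert the hash (assumed layout)."""
    tag = flow_hash(five_tuple)
    return struct.pack("!II", tag, seq) + toy_transform(seq, payload)


def decrypt_side(wire, queues):
    """Decrypting end: read the hash and pick a CPU queue before any decryption."""
    if len(wire) < 8:
        raise ValueError("truncated transmission data")
    tag, seq = struct.unpack("!II", wire[:8])
    cpu = tag % len(queues)
    queues[cpu].append((seq, wire[8:]))
    return cpu


def worker_decrypt(queue):
    """Execution device: decrypt only the grouped data assigned to it."""
    return [toy_transform(seq, ct) for seq, ct in queue]


if __name__ == "__main__":
    queues = [[] for _ in range(NUM_CPUS)]
    flow = ("10.0.0.1", "10.0.1.9", 40000, 443, 6)  # constructed sample tuple
    for i in range(3):
        print("cpu", decrypt_side(encrypt_side(i, flow, b"pkt%d" % i), queues))
```

In this sketch the hash travels in cleartext and outside any integrity check, so an on-path observer can group packets by flow and a modified tag would steer a packet to a different CPU; whether the tag is covered by the ESP integrity check is a design decision the sketch leaves open.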
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710936409.8A CN107454116A (en) 2017-10-10 2017-10-10 The optimization method and device of IPsec ESP agreements under single tunnel mode

Publications (1)

Publication Number Publication Date
CN107454116A true CN107454116A (en) 2017-12-08

Family

ID=60498761

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710936409.8A Pending CN107454116A (en) 2017-10-10 2017-10-10 The optimization method and device of IPsec ESP agreements under single tunnel mode

Country Status (1)

Country Link
CN (1) CN107454116A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030169877A1 (en) * 2002-03-05 2003-09-11 Liu Fang-Cheng Pipelined engine for encryption/authentication in IPSEC
CN102549998A (en) * 2009-02-25 2012-07-04 思科技术公司 Aggregation of cryptography engines
CN102932141A (en) * 2012-09-27 2013-02-13 汉柏科技有限公司 Order-preserving method and system for encrypting and decrypting messages by multiple encryption and decryption chips in parallel
CN103139222A (en) * 2013-03-19 2013-06-05 成都卫士通信息产业股份有限公司 Internet protocol security (IPSEC) tunnel data transmission method and device thereof

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109145620A (en) * 2018-08-13 2019-01-04 北京奇安信科技有限公司 Data flow diversion processing method and device
CN111385259A (en) * 2018-12-28 2020-07-07 中兴通讯股份有限公司 Data transmission method, data transmission device, related equipment and storage medium
CN111385259B (en) * 2018-12-28 2023-09-01 中兴通讯股份有限公司 Data transmission method, device, related equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20171208)