CN115037563B - Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode - Google Patents
Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode Download PDFInfo
- Publication number
- CN115037563B CN115037563B CN202210959295.XA CN202210959295A CN115037563B CN 115037563 B CN115037563 B CN 115037563B CN 202210959295 A CN202210959295 A CN 202210959295A CN 115037563 B CN115037563 B CN 115037563B
- Authority
- CN
- China
- Prior art keywords
- datagram
- fragment
- ipsec
- header
- fragmentation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode, comprising the following steps: if the length of the IP datagram is larger than the path MTU, the IP datagram is processed in a fragmentation mode; adopting IPSec encryption transmission mode protection enhancement protocol to encrypt the IP datagram fragments obtained by fragmentation; and decrypting the encrypted IP datagram fragments to recover the original IP datagram. The invention fragments the IP datagram in advance before encrypting, ensures that the IP datagram fragment does not have the condition that the length exceeds the maximum length of the path MTU even after being encrypted, and solves the problems of discontinuous service, service interruption and the like caused by the over-limit of the IP datagram length in the network encryption transmission process.
Description
Technical Field
The invention relates to the technical field of computer network communication, in particular to a pre-fragmentation processing method of IP datagrams in an IPSec encryption transmission mode.
Background
Data expansion may occur in IP packets protected by IPSec encapsulation. If the expanded message is larger than the path MTU, the data message needs to be sliced. In the tunnel mode, IPSec protects the IP header and payload portion of the original packet, so there is no problem that the IPSec receiving end cannot identify whether the fragment is before or after IPSec processing. In transport mode, the IP header is not IPSec protected. In an extreme case, the IP fragment packet is larger than the path MTU after being processed by the IPSec sender, and needs to be fragmented. The reassembly process on the IPSec receiving end will not be able to distinguish between the fragmentation performed before IPSec processing and the fragmentation performed after IPSec processing. RFC4301 therefore specifies that IPSec transmission mode does not support protection of IP packet packets. However, in an actual application environment, the IP fragment packet is greater than the MTU length after being processed by the IPSec sender, which results in abnormal encrypted service transmission.
Disclosure of Invention
Aiming at the problems that the length of an IP datagram fragment is over-limit after the IP datagram fragment is encrypted by IPSec, the fragment field of the IP datagram fragment is easy to attack and the like, the invention improves and enhances the design of an IPSec encryption transmission mode protocol by utilizing the mode of carrying out fragment pretreatment on the IP datagram before encryption, and provides a pre-fragment processing method of the IP datagram in an IPSec encryption transmission mode.
The invention discloses a pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode, comprising the following steps:
step 1: if the length of the IP datagram is larger than the path MTU, the IP datagram is subjected to fragmentation processing;
step 2: adopting an IPSec encryption transmission mode protection enhancement protocol to encrypt the IP datagram fragments obtained by fragmentation;
and 3, step 3: and decrypting the encrypted IP datagram fragments to recover the original IP datagram.
Further, the fragmentation processing of the IP datagram includes:
step 11: the IPSec sending end carries out IPSec processing on the IP datagram, determines all IP datagrams needing to be fragmented, extracts quintuple information of the first IP datagram in the IP datagrams to carry out SPD matching, and determines a processing mode;
step 12: and (4) carrying out fragmentation processing on all IP datagrams needing fragmentation.
Further, the step 12 includes:
and respectively fragmenting all the IP datagrams needing fragmentation to obtain a plurality of IP datagram fragments corresponding to each IP datagram.
Further, the IP datagram includes an IP header and a payload; the IP datagram fragment comprises an IP1 header and a load fragment; and the fragment field of the IP1 header is determined by the fragment field of the IP header and the fragment pointer of the load together, and the length of the IP datagram is revised again.
Further, the encrypted IP datagram fragment comprises an IP2 header, an ESP header and an encryption protection area; the encryption protection area consists of a fragment field, a load fragment and an ESP tail; the fragmentation field is located after the ESP header and before the payload fragment; the Esp tail is located after the load patch.
Furthermore, the fragment field of the encrypted IP datagram fragment is cleared, then the fragment field information of the IP1 header is reserved, the header check is calculated, and the IP2 header after the package is finished is generated.
Further, the length of the encrypted IP datagram fragment does not exceed the maximum length of the path MTU.
Further, after the step 2 and before the step 3, the method further includes:
the IPSec receiving terminal extracts the load of each IP datagram fragment and judges whether the IP datagram fragment is IPSec protection or not;
if the payload of the IP datagram fragment is protected by IPSec, then the SPI of the ESP header is used for SA matching.
Further, if the SA matching fails, performing SPD matching, and performing discarding or transparent transmission processing according to SPD configuration; and if the SA is successfully matched, decrypting the encrypted IP datagram fragment.
Further, the step 3 comprises:
the receiving end respectively extracts the effective loads of all the encrypted IP datagram fragments for decryption; each encrypted IP datagram fragment can be independently decrypted without waiting for all the encrypted IP datagram fragments to be completely collected;
after decryption, all the decrypted IP datagram fragments are recombined according to the fragment field information of the IP1 header, and the original IP datagram information is recovered.
Due to the adoption of the technical scheme, the invention has the following advantages:
(1) The invention innovatively provides a pre-fragmentation processing method in an IPSec transmission mode, which is used for pre-fragmenting an IP datagram before encryption, so that the condition that the length of an IP fragmentation packet exceeds the maximum length 1518 bytes of a path MTU (maximum transmission unit) can be avoided even after the IP fragmentation packet is encrypted. The method solves a series of troublesome problems of discontinuous service, service interruption (for example, in video service application) and the like caused by the fact that the length of the IP datagram is over limit in the encryption transmission process of the network.
(2) In addition, the invention designs field encryption for the reserved important fragment information, thereby achieving the purpose of protecting the important information; meanwhile, the mode of clearing the IP head fragment field of the IPSec encrypted fragment transmitted on the network is adopted, so that the intermediate router is ensured not to fragment and recombine the IPSec encrypted fragment. For the receiving end, each fragment can be independently decrypted without waiting for all the fragments to be collected, so that the receiving flow is greatly simplified. The whole protocol design has no exposed fragmentation information, and the possibility of fragmentation attack is avoided.
(3) In the protocol specification of RFC4301, although the ESP tunnel mode performs overall encryption protection on the original IPv4 header, and the security is guaranteed, in some application scenarios, for example, for a network that needs to provide QOS service, plaintext address information in the IP header needs to be provided, that is, the ESP tunnel mode cannot meet the application requirement, and needs to use an ESP transmission mode; however, in the RFC4301 protocol specification, ESP transmission mode does not carry fragments. As described above, the ESP transmission mode protocol in the RFC4301 protocol specification cannot meet the practical application requirement of fragment length overrun after encryption, but the front-sheet processing method provided by the present invention is a beneficial addition to the RFC4301 protocol specification.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments described in the embodiments of the present invention, and it is obvious for those skilled in the art that other drawings may be obtained according to the drawings.
Fig. 1 is a schematic diagram of processing performed by a pre-fragmentation sending end before IPSec encryption according to an embodiment of the present invention;
fig. 2 is a schematic diagram of processing at a receiving end of a pre-fragmentation before IPSec encryption according to an embodiment of the present invention.
Detailed Description
The invention will be further described with reference to the drawings and examples, it being understood that the examples described are only some of the examples and are not intended to be exhaustive. All other embodiments available to those of ordinary skill in the art are intended to be within the scope of the embodiments of the present invention.
The invention improves the original IPSec encryption transmission protection protocol by providing an IPSec encryption transmission mode protection enhancement protocol design, carries out encryption protection on the fragment field of the original IP datagram, and simultaneously clears the fragment information of the original IP header to zero, thereby achieving the purpose of preventing a network attacker from carrying out IP datagram fragment attack by utilizing the fragment information. According to the RFC4301, in the IPSec protocol transmission mode, all information of the IP header is exposed and is not protected by encryption, which is required in some network services, such as services requiring QOS provision, address information of the IP header is required to be used, and the IP header information without encryption will help to implement such network services. However, the fragment field information of the IP header is easily utilized by a network attacker, and the attacker usually uses the characteristics of IP reassembly to forge an IP datagram to attack the IPSec receiving end, thereby consuming the reassembly channel resources of the receiving end. Denial of service will occur once the re-assembly channel resources are exhausted. If there is a vulnerability in the reorganization robustness design, it may also lead to more serious denial of service consequences. Therefore, the IPSec encryption transmission mode protection enhanced protocol provided by the invention is very necessary to protect the network from the forgery and the attack of the IP datagram fragment.
The scheme is designed by taking an IPSec protocol architecture as a frame, aiming at the problems that the length of an IP datagram after IPSec encryption is over-limited, a fragment field of the IP datagram is easy to attack and the like, the IPSec encryption transmission mode protocol is improved and enhanced by utilizing a mode of carrying out fragment pretreatment on the IP datagram before encryption.
1. Pre-fragmentation processing method before IPSec encryption
As shown in fig. 1: after the IPSec is encrypted and 3 fields of the Esp header, the Esp trailer and the fragment field of the original IP datagram are added, the length of the IP fragment may exceed the maximum length of the path MTU of 1518 bytes, which may result in the case that the network cannot transmit normally. The scheme provides that the IP datagram before encryption is fragmented, the fragmentation process is shown in figure 1, the fragmentation field of a new IP1 header is determined by the fragmentation field of an original IP header and a load fragmentation pointer together, and the IP1 header check is recalculated. After the load is fragmented, the IP datagram fragments are ensured not to exceed the path MTU even if being encrypted by IPSec. Meanwhile, in order to ensure that the fragments are not recombined by the intermediate router again, the fragments are cleared to the fragment field of the new IP2 header after being encrypted by IPSec. Referring to fig. 2, each fragment can be decrypted independently at the receiving end, and decryption can be performed without the process of fragment reassembly. The processing method greatly reduces the processing difficulty of the receiving end and improves the system operation efficiency.
2. IPSec transmission mode security enhanced design
Referring to fig. 2, after the original IP datagram is fragmented, the original payload needs to be encrypted; the receiving end extracts the effective load for decryption and restores the original information. And after decryption, carrying out fragment recombination according to the fragment field (the new IP1 head fragment field) information. Therefore, the new IP1 header fragment field information is very important for recovering the original information without errors. In network countermeasure, a network attacker usually uses fragment field information to forge an IP fragment, consume a large amount of channel recombination resources, and make fragment protection and attack. Therefore, the invention mainly considers the encryption protection of the fragment information in the protocol design, specially designs the fragment field to be positioned behind the ESP head and in front of the load data, stores the fragment field information of the IP1 head, and places the fragment field in the encryption protection area to carry out encryption protection together with the data load, thereby achieving the purpose of protecting the fragment important information.
The embodiment of the invention provides a pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode, the method flow comprises:
the first step is as follows: and the IPSec sending end carries out IPSec processing, extracts quintuple information of the first IP datagram for SPD matching after all the IP datagrams are confirmed to be collected, and determines a processing mode.
The second step is that: the IP datagram before encryption is fragmented, the fragmentation process of the IP datagram is shown in figure 1, the fragmentation field of a new IP1 header is determined by the fragmentation field of an original IP header and a load fragmentation pointer together, the IP length is modified again, and a new IP1 header after packaging is generated.
The third step: after the IP fragment is encrypted, 3 fields of an Esp head, an Esp tail field and a fragment field are added. Wherein the fragmentation field retains fragmentation field information of the new IP1 header. The encryption protection area comprises a fragment field, a load and an ESP tail. And meanwhile, clearing 0 for the fragment field of the new IP1 head, calculating head verification, and generating a new IP2 head after packaging and packaging are completed.
The fourth step: and the IPSec receiving terminal extracts the load piece of each fragment and judges whether the load piece is IPSec protection or not. If protected, SA matching is performed using the SPI of the ESP header. And if the matching fails, carrying out SPD matching, and carrying out discarding or transparent transmission processing according to SPD configuration. If the matching is successful, the next step is needed.
The fifth step: and finishing the fragment decryption of the IP datagram according to the encryption strategy.
And a sixth step: the original data recovery is completed (original fragmentation field + data payload).
Finally, it should be noted that: although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.
Claims (6)
1. A pre-slicing processing method for IP datagram under IPSec encryption transmission mode is characterized in that it includes following steps:
step 1: if the length of the IP datagram is larger than the path MTU, the IP datagram is subjected to fragmentation processing;
step 2: adopting IPSec encryption transmission mode protection enhancement protocol to encrypt the IP datagram fragments obtained by fragmentation;
the IPSec receiving terminal extracts the load of each IP datagram fragment and judges whether the IP datagram fragment is IPSec protection or not;
if the load of the IP datagram fragment is protected by IPSec, the SPI of the ESP head is used for SA matching;
and 3, step 3: decrypting the encrypted IP datagram fragments to recover the original IP datagram;
the IP datagram comprises an IP header and a payload; the IP datagram fragment comprises an IP1 header and a load fragment; the fragment field of the IP1 header is determined by the fragment field of the IP header and the fragment pointer of the load together, and the length of the IP datagram is revised again;
the encrypted IP datagram fragment comprises an IP2 header, an ESP header and an encryption protection area; the encryption protection area consists of a fragment field, a load fragment and an ESP tail; the fragmentation field is located after the ESP header and before the payload fragment; the Esp tail is positioned behind the load sheet;
and clearing the fragment field of the encrypted IP datagram fragment, then reserving fragment field information of an IP1 head, calculating head verification, and generating an IP2 head after packaging.
2. The method of claim 1, wherein the fragmenting the IP datagram comprises:
step 11: the IPSec sending end carries out IPSec processing on the IP datagram, determines all IP datagrams needing to be fragmented, extracts quintuple information of the first IP datagram in the IP datagrams to carry out SPD matching, and determines a processing mode;
step 12: and (4) carrying out fragmentation processing on all IP datagrams needing fragmentation.
3. The method of claim 2, wherein step 12 comprises:
and respectively fragmenting all the IP datagrams needing fragmentation to obtain a plurality of IP datagram fragments corresponding to each IP datagram.
4. The method of claim 1 wherein the length of the encrypted fragments of IP datagrams does not exceed the maximum length of the path MTU.
5. The method of claim 1, wherein if the SA matching fails, performing SPD matching, and performing discard or transparent transmission processing according to SPD configuration; and if the SA is successfully matched, decrypting the encrypted IP datagram fragment.
6. The method of claim 1, wherein step 3 comprises:
the receiving end respectively extracts the effective loads of all the encrypted IP datagram fragments for decryption; each encrypted IP datagram fragment can be independently decrypted without waiting for all the encrypted IP datagram fragments to be completely collected;
after decryption, all the decrypted IP datagram fragments are recombined according to the fragment field information of the IP1 header, and the original IP datagram information is recovered.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210959295.XA CN115037563B (en) | 2022-08-11 | 2022-08-11 | Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210959295.XA CN115037563B (en) | 2022-08-11 | 2022-08-11 | Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115037563A CN115037563A (en) | 2022-09-09 |
CN115037563B true CN115037563B (en) | 2022-12-09 |
Family
ID=83130614
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210959295.XA Active CN115037563B (en) | 2022-08-11 | 2022-08-11 | Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115037563B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115242561B (en) * | 2022-09-23 | 2023-01-31 | 中国电子科技集团公司第三十研究所 | Method, device and medium for fragment processing after IPSec transmission mode overrun packet |
CN115720214B (en) * | 2022-11-15 | 2024-04-16 | 北京安盟信息技术股份有限公司 | Method, system, medium and equipment for recombining IP data message in IPSec transmission mode |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1777174A (en) * | 2004-11-15 | 2006-05-24 | 中兴通讯股份有限公司 | Internet safety protocol high-speed processing IP burst method |
WO2009018510A1 (en) * | 2007-08-02 | 2009-02-05 | Imagineer Software, Inc. | Systems and methods for implementing a mutating internet protocol security |
CN114050920A (en) * | 2021-10-29 | 2022-02-15 | 山东多次方半导体有限公司 | Transparent network encryption system implementation method based on FPGA |
-
2022
- 2022-08-11 CN CN202210959295.XA patent/CN115037563B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1777174A (en) * | 2004-11-15 | 2006-05-24 | 中兴通讯股份有限公司 | Internet safety protocol high-speed processing IP burst method |
WO2009018510A1 (en) * | 2007-08-02 | 2009-02-05 | Imagineer Software, Inc. | Systems and methods for implementing a mutating internet protocol security |
CN114050920A (en) * | 2021-10-29 | 2022-02-15 | 山东多次方半导体有限公司 | Transparent network encryption system implementation method based on FPGA |
Non-Patent Citations (2)
Title |
---|
3GPP."5G System ; Public Land Mobile Network (PLMN)Interconnection".《3GPP TS 29.573 V15.2.0》.2019, * |
Windows平台中IPSec VPN的设计与实现;刘伟等;《微计算机信息》;20061230(第36期);全文 * |
Also Published As
Publication number | Publication date |
---|---|
CN115037563A (en) | 2022-09-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7818564B2 (en) | Deciphering of fragmented enciphered data packets | |
US8468337B2 (en) | Secure data transfer over a network | |
US8379638B2 (en) | Security encapsulation of ethernet frames | |
CN115037563B (en) | Pre-fragmentation processing method of IP datagram under IPSec encryption transmission mode | |
US8867745B2 (en) | Efficient transmission of cryptographic information in secure real time protocol | |
KR101357026B1 (en) | Air-interface application layer security for wireless networks | |
EP2777217B1 (en) | Protocol for layer two multiple network links tunnelling | |
US20220174051A1 (en) | Packet transmission method and apparatus and computer storage medium | |
US20080162922A1 (en) | Fragmenting security encapsulated ethernet frames | |
US7290281B1 (en) | Method and apparatus for cryptographically blocking network denial of service attacks based on payload size | |
US20050198498A1 (en) | System and method for performing cryptographic operations on network data | |
US9185130B2 (en) | Transmission apparatus, reception apparatus, communication system, transmission method, and reception method | |
CN106161386B (en) | Method and device for realizing IPsec (Internet protocol Security) shunt | |
CN112600802B (en) | SRv6 encrypted message and SRv6 message encryption and decryption methods and devices | |
CN115242561B (en) | Method, device and medium for fragment processing after IPSec transmission mode overrun packet | |
Chakraborty et al. | 6LoWPAN security: classification, analysis and open research issues | |
CN116260579A (en) | Message encryption and decryption method for IP packet | |
US20120163383A1 (en) | Method and device for transmitting data between two secured ethernet-type networks through a routed network | |
US7564976B2 (en) | System and method for performing security operations on network data | |
CN114244577A (en) | Message processing method based on ESP | |
KR100522090B1 (en) | METHOD FOR SECURING PAEKETS IN IPv6 LAYER | |
Noisternig | Cryptographic transforms for a lightweight and efficient DVB link-layer security extension | |
KR20050064093A (en) | Next generation internet system having a function of packet protection and method of the same | |
Doomun et al. | Modified Temporal Key Integrity Protocol for Efficient Wireless Network Security | |
CN118842599A (en) | Communication chip, communication device, computer storage medium, and method of operating communication chip |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |