
CN116599661A - Message forwarding method, apparatus, device, and computer-readable storage medium - Google Patents

Message forwarding method, apparatus, device, and computer-readable storage medium

Info

Publication number
CN116599661A
CN116599661A (application CN202310651775.4A)
Authority
CN
China
Prior art keywords
message
ipsec
processed
library
dpu
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202310651775.4A
Other languages
Chinese (zh)
Inventor
陈建虎
赵鲲鹏
Current Assignee (as listed by Google Patents; may be inaccurate)
Yusur Technology Co ltd
Original Assignee
Yusur Technology Co ltd
Application filed by Yusur Technology Co ltd
Priority to CN202310651775.4A
Publication of CN116599661A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
            • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes
            • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
        • H04L 9/40 Network security protocols
      • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
        • H04L 41/08 Configuration management of networks or network elements
          • H04L 41/0803 Configuration setting
      • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          • H04L 63/0272 Virtual private networks
        • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a message forwarding method, apparatus, device, and computer-readable storage medium. The method, executed on a DPU, includes: in response to a configuration instruction from the local host, completing the configuration operation corresponding to that instruction, the local host being communicatively connected to the DPU; negotiating with a target host, which is also communicatively connected to the DPU, to obtain an IPSec SA library; receiving a message to be processed; processing the message based on an IPSec SA in the IPSec SA library to obtain a processed message; and forwarding the processed message to the target host. By offloading the IPSec processing function to a dedicated DPU, whose cores carry out the IPSec service processing, the disclosure raises the efficiency of IPSec service processing, frees the system resources of the local host, and reduces the performance cost borne by the local host system.

Description

Message forwarding method, apparatus, device and computer-readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a computer readable storage medium for forwarding a message.
Background
IPSec VPN (Virtual Private Network) is a tunneling technique that uses IPSec (Internet Protocol Security) to transmit data securely over public network infrastructure. IPSec is not a single protocol but a suite of security protocols defined by the Internet Engineering Task Force (IETF) as a network-layer tunneling protocol; it provides high-quality, interoperable, cryptography-based security for IP data. Its architecture comprises security associations, security protocols, key management, modes of operation, authentication algorithms, encryption algorithms, security policies, and the like.
The prior art mainly implements IPSec in the xfrm layer of the system kernel, which maintains the security association (SA) database and the security policy (SP) database. After application-layer software has completed IPSec authentication and negotiation, network data enters the kernel through the network card and reaches the xfrm IPSec code module via the driver, the kernel protocol stack and interrupt handling; if the packet matches an SA that calls for decryption, the cryptographic algorithm module is invoked to verify the integrity check value and decrypt the data. The processed packet is then sent out of the network port through the kernel protocol stack, interrupt handling and the driver.
However, this approach consumes a large amount of kernel resources while processing data, so the processing capacity of the system kernel becomes a performance bottleneck. This not only degrades host performance but also leaves IPSec service processing inefficient.
Disclosure of Invention
In order to solve the above technical problems, the present disclosure provides a method, an apparatus, a device, and a computer readable storage medium for forwarding a message, so as to reduce the influence of IPSec service on the performance of a host and improve the processing efficiency of the IPSec service.
In a first aspect, an embodiment of the present disclosure provides a method for forwarding a packet, which is applied to a DPU, including:
responding to a configuration instruction of a local host, completing configuration operation corresponding to the configuration instruction, wherein the local host is in communication connection with the DPU;
negotiating with a target host to obtain an IPSec SA library, wherein the target host is in communication connection with the DPU;
receiving a message to be processed;
processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message;
and forwarding the processed message to a target host.
In some embodiments, negotiating with the target host to obtain the IPSec SA includes:
performing IKE negotiation with the target host to obtain an IKE SA;
and negotiating with the target host based on the IKE SA to obtain the IPSec SA.
In some embodiments, the processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message includes:
when the message to be processed is an encrypted message, determining, from the SPI (security parameter index; the claims write SPID) of the message to be processed, whether an IPSec SA matching the message exists in the IPSec SA library;
if so, carrying out decryption operation on the message to be processed based on the IPSec SA matched with the message to be processed in the IPSec SA library, and obtaining the processed message.
In some embodiments, the responding to the configuration instruction of the local end host completes the configuration operation corresponding to the configuration instruction, including:
responding to an IPSec SP configuration instruction from the local host, and completing the configuration of the IPSec SP library.
In some embodiments, the processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message further includes:
when the message to be processed is a plaintext message, determining whether an IPSec SP matched with the message to be processed exists in the IPSec SP library according to five-tuple information of the message to be processed;
and if so, carrying out encryption operation on the message to be processed based on the IPSec SA matched with the message to be processed in the IPSec SA library, so as to obtain the processed message.
In a second aspect, an embodiment of the present disclosure provides a packet forwarding device, including:
the configuration module is used for responding to a configuration instruction of a local host, completing configuration operation corresponding to the configuration instruction, and the local host is in communication connection with the DPU;
the negotiation module is used for negotiating with a target host to obtain an IPSec SA library, and the target host is in communication connection with the DPU;
the receiving module is used for receiving the message to be processed;
the processing module is used for processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message;
and the sending module is used for forwarding the processed message to a target host.
In some embodiments, the configuration module is also used to respond to an IPSec SP configuration instruction from the local host and complete the configuration of the IPSec SP library.
In some embodiments, the processing module is specifically configured to determine, when the message to be processed is a plaintext message, whether an IPSec SP matching the message exists in the IPSec SP library according to the five-tuple of the message; and if so, to encrypt the message based on the IPSec SA matching it in the IPSec SA library, so as to obtain the processed message.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including:
a memory;
a processor; and
a computer program;
wherein the computer program is stored in the memory and configured to be executed by the processor to implement the method according to the first aspect.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium having stored thereon a computer program for execution by a processor to implement the method of the first aspect.
In a fifth aspect, the disclosed embodiments also provide a computer program product comprising a computer program or instructions which, when executed by a processor, implement a message forwarding method as described above.
According to the message forwarding method, apparatus, device and computer-readable storage medium provided by the embodiments of the disclosure, offloading the IPSec processing function to a dedicated DPU, whose cores complete the IPSec service processing, improves the efficiency of IPSec service processing, frees the system resources of the local host and reduces the performance cost of the local host system.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flowchart of a message forwarding method provided in an embodiment of the present disclosure;
fig. 2 is a schematic diagram of an application scenario provided in an embodiment of the present disclosure;
fig. 3 is a flowchart of a message forwarding method according to another embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a message forwarding device according to an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
Currently there are two main architectures for implementing IPSec. The first implements IPSec in the xfrm layer of the system kernel, but this consumes relatively more kernel resources during processing. The second implements IPSec with DPDK. The Data Plane Development Kit (DPDK) is a set of libraries and drivers that run in user space to provide high-performance packet reception, transmission and processing for the data plane. In a DPDK environment the network card is driven from user space, the kernel processing path is bypassed and packets are delivered directly to the user-space application; after the application has encrypted or decrypted, encapsulated or decapsulated the packet and computed or verified its check value, the packet is sent out of the network port by DPDK.
Demand for data security is growing across society, and for small and medium-sized enterprises developing and maintaining a security product in-house is costly and slow. The IPSec implementation in the kernel of standard operating systems such as Linux is mature, and most systems use it. However, a packet consumes relatively more kernel resources as it passes through the driver, the kernel protocol stack and interrupt handling, so when there is a large volume of traffic to be processed by IPSec the processing capacity of the system kernel becomes a performance bottleneck.
Compared with the kernel implementation, the DPDK implementation improves performance greatly, but the DPDK framework makes high demands on the host's CPU and other resources and consumes a lot of them; when a large volume of data is encrypted and decrypted with IPSec, CPU consumption is high and host performance suffers severely.
In view of this problem, the embodiments of the present disclosure provide a method for forwarding a message, which is described below with reference to specific embodiments.
Fig. 1 is a flowchart of a message forwarding method provided in an embodiment of the present disclosure. The method can be applied in the scenario shown in fig. 2, which includes a data processing unit (DPU) 21, a remote host 22 and a local host 23. The local host 23 is communicatively connected to the DPU 21, and the DPU 21 is communicatively connected to the remote host 22. Specifically, the DPU 21 connects to the remote host 22 through a network port 217 (the number of network ports is not limited) and to the local host 23 through a PCIe bus 24. The DPU 21 includes a system on chip (SOC) 211 on which an IPsec negotiation process 212 and a user-mode protocol stack 213 run to handle IPsec services. The DPU 21 also includes an IPsec policy store 214, a data processing engine 215 and a cryptographic module 216. A configuration management process 231, through which the user configures and manages the DPU 21, runs on the local host 23. The message forwarding method provided by the embodiments of the disclosure may of course be applied in other scenarios as well.
The message forwarding method shown in fig. 1 is described below in conjunction with the application scenario shown in fig. 2, and the method includes the following specific steps:
S101, responding to a configuration instruction of a local host, and completing configuration operation corresponding to the configuration instruction.
The local host is in communication connection with the DPU, and the DPU can acquire configuration instructions input by a user at the local host side. The configuration instruction is used for configuring relevant information for processing the IPsec service in the DPU card. After the DPU receives the configuration instruction, the corresponding configuration operation is completed according to the configuration instruction.
In some embodiments the local host communicates with the DPU over PCI Express (PCIe). PCIe is a high-speed serial, point-to-point, high-bandwidth interconnect with separate transmit and receive pairs per lane; each connected device is allocated its own link bandwidth rather than sharing a bus, and the standard supports active power management, error reporting, end-to-end reliable transmission, hot plug and quality of service (QoS).
S102, negotiating with the target host to obtain an IPSec SA library.
Specifically, the target host is either the remote host or the local host, depending on the direction of the message.
The remote host is communicatively connected to the DPU.
In some embodiments the DPU communicates with the target host through its network port and completes the negotiation with the target host itself, so that the IPSec management plane is offloaded onto the DPU.
The security association (Security Association, SA) is an agreement between communicating peers on certain elements that describes how the peers communicate securely using security services (e.g., encryption). These elements include what security protocol is used between peers, the characteristics of the data stream that needs to be protected, the encapsulation mode of the data transmitted between peers, the encryption and authentication algorithms employed by the protocol, and the lifetime of the keys and SA used for data security conversion, transmission, etc.
Each SA is uniquely identified by a triplet (SPI, IP destination address, IPSec protocol). The IPSec protocol is generally AH or ESP; the SPI (Security Parameter Index) is a 32-bit value that distinguishes different SAs sharing the same destination address and security protocol, and it is carried in the AH or ESP header; the IP destination address is the address of the SA's target host.
All IPSec SAs in the DPU are stored in the IPSec SA library. In the scenario shown in fig. 2, the IPSec SA library is included in the IPSec policy library.
In some embodiments the user may also configure and manage the negotiation process in the DPU, and start or stop the IPSec function, by calling the SDK provided by the DPU from the local host.
S103, receiving a message to be processed.
The DPU receives the message to be processed through the network port.
S104, processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message.
The DPU processes the message to be processed based on the IPSec SA in the IPSec policy repository (specifically, the IPSec SA repository), including but not limited to: encrypting the message to be processed, decrypting the message to be processed, encapsulating the message to be processed, decapsulating the message to be processed, and the like.
After the DPU processes the message to be processed, the processed message is obtained.
S105, forwarding the processed message to a target host.
The message to be processed comprises the identification information of the target host, and the target host of the processed message corresponding to the message to be processed can be determined according to the identification information of the target host. After the message to be processed is correspondingly processed, the DPU can forward the processed message to the target host according to the identification information of the target host, and the current message transmission is completed.
It should be noted that, in the embodiment of the present disclosure, the DPU directly communicates with the target host to complete the negotiation in step S102, and a dedicated core (SOC) in the DPU completes each operation in steps S103 to S105, and the local host communicatively connected to the DPU is used for the user to perform each configuration on the DPU through the SDK interface.
According to the embodiments of the disclosure, the DPU responds to a configuration instruction from the local host, to which it is communicatively connected, and completes the corresponding configuration operation; negotiates with a target host, also communicatively connected to the DPU, to obtain an IPSec SA library; receives a message to be processed; processes it based on an IPSec SA in the IPSec SA library to obtain a processed message; and forwards the processed message to the target host. The IPSec management layer and processing function are thus offloaded to a dedicated DPU, whose cores complete the IPSec service processing, which improves IPSec processing efficiency, frees system resources of the local host and reduces the performance cost of the local host system.
On the basis of the foregoing embodiment, the negotiating with the target host to obtain the IPSec SA includes: performing IKE negotiation with the target host to obtain an IKE SA; and negotiating with the target host based on the IKE SA to obtain the IPSec SA.
The Internet Key Exchange (IKE) protocol is the signaling protocol of IPSec: it negotiates keys and establishes security associations automatically, which simplifies the use of IPSec and greatly reduces its configuration and maintenance work. Through a series of exchanges IKE computes a key shared by both parties. In IKE mode the encryption and authentication keys needed to establish the IPSec SA are derived by a Diffie-Hellman (DH) exchange and can be refreshed dynamically, so key management is cheap and security is higher than with manually keyed SAs. IKE first negotiates an IKE SA and then, under the encryption and authentication of that IKE SA, negotiates the IPSec SA. IKE is a composite protocol built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP); it is an application-layer protocol carried over UDP on port 500 (and on port 4500 when NAT traversal is in use).
In the scenario shown in fig. 2, an IPSec negotiation process is run in the SOC on the DPU, and the process first performs IKE negotiation with the target host to obtain an IKE SA, further performs IPSec negotiation based on the IKE SA to obtain an IPSec SA, and stores the IPSec SA in an IPSec policy repository in the DPU, specifically, stores the IPSec SA in an IPSec SA repository in the IPSec policy repository.
According to the embodiments of the disclosure, the DPU first negotiates an IKE SA with the target host and then, based on that IKE SA, negotiates the IPSec SA with the target host, which keeps the key management cost low and raises the security of message forwarding. Because the DPU negotiates directly with the target host, the negotiation is offloaded to hardware, the local host's computing resources are not consumed, and the efficiency of the message forwarding method is further improved.
In some embodiments, processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message includes: when the message to be processed is an encrypted message, determining from its SPI whether an IPSec SA matching the message exists in the IPSec SA library; and if so, decrypting the message based on that matching IPSec SA to obtain the processed message.
When the DPU receives a message to be processed it first determines whether the message is encrypted. If it is, the DPU looks up the IPSec SA library by the SPI of the message (together with the destination address and protocol, per the triplet above). If a matching IPSec SA exists, the data processing engine calls the cryptographic module to decrypt the message with that SA and decapsulates it, obtaining the processed message, which is sent to the corresponding target host; for an encrypted (inbound) message the processed, decrypted message is sent to the local host. A practical implementation performs the anti-replay check and verifies the integrity check value (ICV) before any of the plaintext is used and, as RFC 4301 requires, checks that the decrypted inner packet matches the selectors of the policy the SA was negotiated for before forwarding it.
If no IPSec SA in the IPSec SA library matches the message, the subsequent handling of the message, for example discarding it, is decided by the configured rules; the embodiments of the disclosure do not limit this.
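The inbound path just described (find the SA by SPI, then decrypt and decapsulate) with the receive-side checks spelled out, as an added example that is not part of the patent or of any Yusur product. It uses ESP with the NULL cipher (RFC 2410) and an HMAC-SHA-256-128 ICV so that it runs on the Python standard library and the framing stays visible; the names IpsecSa, esp_encapsulate and esp_decapsulate, the SPI 0x1001, the key and the packet contents are assumptions made for this illustration.

```python
"""ESP framing (RFC 4303) for the inbound decrypt path of steps S305/S306.

Added example; this is not the patent's code. A real SA would use AES-GCM or
AES-CBC plus HMAC, but the order of checks on receive is the same: sequence
number (anti-replay) check, ICV verification, and only then parsing of the
ESP trailer. SPI, key and packet contents are constructed.
"""
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number (RFC 4303 section 2)
ICV_LEN = 16                     # HMAC-SHA-256-128: MAC truncated to 128 bits
IPPROTO_IPIP = 4                 # tunnel mode: the payload is a whole IPv4 datagram


class IpsecSa:
    """One entry of the IPSec SA library (assumed layout for this example)."""

    def __init__(self, spi, auth_key, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.seq_out = 0          # last sequence number sent on this SA
        self.window = window      # anti-replay window size (RFC 4303 section 3.4.3)
        self.seq_high = 0         # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: seq_high - i has been accepted

    def icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

    def replay_check(self, seq):
        """True if seq has not been accepted yet and lies inside the window."""
        if seq == 0:                      # 0 is never a valid ESP sequence number
            return False
        if seq > self.seq_high:           # ahead of the window: always fresh
            return True
        diff = self.seq_high - seq
        if diff >= self.window:           # too old: has left the window
            return False
        return not (self.bitmap >> diff) & 1

    def replay_update(self, seq):
        """Mark seq as accepted. Call only after the ICV has verified."""
        if seq > self.seq_high:
            shift = seq - self.seq_high
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.seq_high = seq
        else:
            self.bitmap |= 1 << (self.seq_high - seq)


def esp_encapsulate(sa, inner_packet, next_header=IPPROTO_IPIP):
    """Outbound: ESP header || payload || padding || pad length || next header || ICV."""
    sa.seq_out += 1
    # With the NULL cipher the payload plus trailer must be 4-byte aligned.
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default pad bytes 1, 2, 3, ...
    body = inner_packet + padding + bytes([pad_len, next_header])
    hdr = ESP_HDR.pack(sa.spi, sa.seq_out)
    return hdr + body + sa.icv(hdr + body)          # ICV covers header and body


def esp_decapsulate(sa, packet):
    """Inbound, after the SA was found by SPI (S305).

    Returns ("accept", next_header, inner_packet) or ("drop", reason, None).
    """
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        return "drop", "runt ESP packet", None
    spi, seq = ESP_HDR.unpack_from(packet)
    if spi != sa.spi:
        return "drop", "SPI does not belong to this SA", None
    if not sa.replay_check(seq):
        return "drop", "replayed or stale sequence number", None
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, sa.icv(authed)):
        return "drop", "ICV mismatch", None           # nothing below is trusted yet
    sa.replay_update(seq)                             # advance the window only now
    pad_len, next_header = authed[-2], authed[-1]
    body = authed[ESP_HDR.size:-2]
    if pad_len > len(body):
        return "drop", "bad pad length", None
    return "accept", next_header, body[:len(body) - pad_len]


if __name__ == "__main__":
    key = bytes(range(32))                             # constructed 256-bit key
    sender, receiver = IpsecSa(0x1001, key), IpsecSa(0x1001, key)
    inner = bytes.fromhex("4500") + b"\x00" * 30       # constructed 32-byte inner packet
    wire = esp_encapsulate(sender, inner)
    print(esp_decapsulate(receiver, wire))             # accepted
    print(esp_decapsulate(receiver, wire))             # dropped as a replay
```

The window is advanced only after the ICV verifies; a forged packet with a high sequence number must not be able to slide the window forward and make the peer's genuine packets look stale.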
In some embodiments, responding to the configuration instruction of the local host and completing the corresponding configuration operation includes: responding to an IPSec SP configuration instruction from the local host and completing the configuration of the IPSec SP library.
An IPSec SP is an IPSec security policy that specifies the operation to be performed on a message crossing an IPSec boundary (such as protect, bypass or discard).
Specifically, the user configures IPSec SPs in the DPU by calling the SDK interface on the local host; the DPU derives the IPSec SPs from the local host's configuration instruction and stores all of them in the IPSec SP library.
In some embodiments, the processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message further includes: when the message to be processed is a plaintext message, determining whether an IPSec SP matched with the message to be processed exists in the IPSec SP library according to five-tuple information of the message to be processed; and if so, carrying out encryption operation on the message to be processed based on the IPSec SA matched with the message to be processed in the IPSec SA library, so as to obtain the processed message.
The five-tuple consists of the source IP address, source port, destination IP address, destination port and transport-layer protocol of the message to be processed. When the DPU receives a message it first determines whether it is encrypted. If the message is plaintext, the DPU must determine whether a security policy (IPSec SP) for it exists; if none does, because the message is not allowed through the device or has no route, the message is discarded.
If one does, the corresponding IPSec SP is executed: the IPSec SA matching the message is looked up in the IPSec SA library, the data processing engine calls the cryptographic module to encrypt the message with that SA and encapsulate it, and the processed message is sent to the corresponding target host; for a plaintext message the processed (encrypted) message is sent to the remote host according to the destination IP address.
According to the embodiments of the disclosure, the DPU processes the message by checking whether it holds the IPSec SA and IPSec SP corresponding to the message, processing the message with the corresponding IPSec SA if it does, and sending the processed message to the corresponding target host. Offloading IPSec encryption and decryption, encapsulation and decapsulation, and checksum calculation and verification to the DPU, where dedicated cores carry them out, improves IPSec processing performance and reduces the performance cost of the host system, yielding an IPSec system with very high throughput and very low network latency. The DPU's dedicated cores also have greater data-processing capacity, which greatly raises IPSec encryption and decryption throughput and lowers latency.
Fig. 3 is a flowchart of a message forwarding method according to another embodiment of the present disclosure, as shown in fig. 3, where the method includes the following steps:
S301, in response to a configuration instruction of a local host, completing the configuration operation corresponding to the configuration instruction, where the local host is in communication connection with the DPU.
In some embodiments, the step comprises: in response to an IPSec SP configuration instruction of the local host, completing the configuration operation of the IPSec SP library.
S302, negotiating with a target host to obtain an IPSec SA library, wherein the target host is in communication connection with the DPU.
In some embodiments, the step comprises: performing IKE negotiation with the target host to obtain an IKE SA; and negotiating with the target host based on the IKE SA to obtain the IPSec SA.
S303, receiving a message to be processed.
S304, judging whether the message to be processed is an encrypted message. If yes, S305 is executed; if not, S307 is executed.
S305, determining the IPSec SA matched with the message to be processed in the IPSec SA library according to the SPID of the message to be processed.
S306, based on the IPSec SA matched with the message to be processed in the IPSec SA library, performing decryption operation on the message to be processed to obtain the processed message.
S307, determining whether the IPSec SP matched with the message to be processed exists in the IPSec SP library according to the five-tuple information of the message to be processed.
S308, if it exists, performing an encryption operation on the message to be processed based on the IPSec SA matching the message to be processed in the IPSec SA library, to obtain the processed message.
S309, forwarding the processed message to a target host.
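The per-message decision flow of steps S303 to S309, together with the plaintext branch described earlier (SP lookup by five-tuple, discard on a miss, SA lookup by SPI on the encrypted path), modelled as an added Python example. This is not code from the patent or from its assignee: the names (`DPUDataPath`, `IPSecSA`, `IPSecSP`, `demo`) are hypothetical, the key and addresses are constructed, and the HMAC-based stream cipher plus integrity check stand in for the DPU cryptographic module, which the patent does not specify. The integrity check before decryption is an assumption of this example, not a step the patent spells out.

```python
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_ESP = 50   # IP protocol number of ESP: a message carrying it is treated as encrypted (S304)
ICV_LEN = 16
FiveTuple = Tuple[str, int, str, int, int]  # (src_ip, src_port, dst_ip, dst_port, protocol)

@dataclass
class Message:
    five_tuple: FiveTuple
    payload: bytes

@dataclass
class IPSecSA:
    spi: int
    key: bytes      # constructed sample key; a real SA key comes out of the IKE negotiation (S302)
    peer_ip: str    # tunnel endpoint the encrypted message is forwarded to (S309)
    seq: int = 0    # outbound ESP sequence number

@dataclass
class IPSecSP:
    selector: FiveTuple  # "*" matches any address, 0 matches any port or protocol
    spi: int             # SA applied when the policy matches

def selector_matches(selector: FiveTuple, ft: FiveTuple) -> bool:
    """Five-tuple policy match with wildcards (S307)."""
    return all(s in ("*", 0) or s == v for s, v in zip(selector, ft))

def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in for the DPU cryptographic module: HMAC-SHA256 as a PRF in counter mode.
    Illustration only; the patent names no cipher and this is not an IPsec transform."""
    blocks = (hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _icv(key: bytes, data: bytes) -> bytes:
    auth_key = hmac.new(key, b"auth", hashlib.sha256).digest()   # separate integrity key
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class DPUDataPath:
    """SP library (S301), SA library (S302) and the per-message decision flow (S303-S309)."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.sp_library: List[IPSecSP] = []
        self.sa_library: Dict[int, IPSecSA] = {}

    def configure_sp(self, sp: IPSecSP) -> None:
        self.sp_library.append(sp)

    def install_sa(self, sa: IPSecSA) -> None:
        self.sa_library[sa.spi] = sa

    def process(self, msg: Message) -> Tuple[str, Optional[Message]]:
        """Returns ("forward", processed_message) or ("drop", None)."""
        if msg.five_tuple[4] == PROTO_ESP:
            return self._decrypt(msg)          # S305-S306
        return self._encrypt(msg)              # S307-S308

    def _encrypt(self, msg: Message):
        sp = next((p for p in self.sp_library if selector_matches(p.selector, msg.five_tuple)), None)
        if sp is None or sp.spi not in self.sa_library:
            return "drop", None                # no policy, or a policy without a negotiated SA
        sa = self.sa_library[sp.spi]
        sa.seq += 1
        header = struct.pack(">II", sa.spi, sa.seq)
        inner = json.dumps([msg.five_tuple, msg.payload.hex()]).encode()  # tunnel-mode inner packet
        ct = _xor(inner, _keystream(sa.key, sa.spi, sa.seq, len(inner)))
        tunnel = (self.local_ip, 0, sa.peer_ip, 0, PROTO_ESP)
        return "forward", Message(tunnel, header + ct + _icv(sa.key, header + ct))

    def _decrypt(self, msg: Message):
        if len(msg.payload) < 8 + ICV_LEN:
            return "drop", None
        spi, seq = struct.unpack(">II", msg.payload[:8])
        sa = self.sa_library.get(spi)          # SA lookup by SPI (the patent's "SPID")
        if sa is None:
            return "drop", None
        body, icv = msg.payload[:-ICV_LEN], msg.payload[-ICV_LEN:]
        if not hmac.compare_digest(_icv(sa.key, body), icv):
            return "drop", None                # integrity failure: never forward (assumed check)
        ft, hx = json.loads(_xor(body[8:], _keystream(sa.key, spi, seq, len(body) - 8)))
        return "forward", Message(tuple(ft), bytes.fromhex(hx))

def demo() -> dict:
    """Constructed scenario with two DPUs sharing one SA; returns the action taken per case."""
    key = hashlib.sha256(b"constructed sample key").digest()
    local, remote = DPUDataPath("10.0.0.1"), DPUDataPath("10.0.1.1")
    local.install_sa(IPSecSA(spi=0x1001, key=key, peer_ip="10.0.1.1"))
    remote.install_sa(IPSecSA(spi=0x1001, key=key, peer_ip="10.0.0.1"))
    local.configure_sp(IPSecSP(("10.0.0.5", 0, "10.0.1.7", 0, 6), spi=0x1001))
    plain = Message(("10.0.0.5", 40000, "10.0.1.7", 443, 6), b"GET / HTTP/1.1")
    out_act, enc = local.process(plain)
    in_act, dec = remote.process(enc)
    tampered = enc.payload[:10] + bytes([enc.payload[10] ^ 1]) + enc.payload[11:]
    unknown = struct.pack(">II", 0x2002, 1) + enc.payload[8:]
    return {
        "outbound": out_act, "outbound_proto": enc.five_tuple[4],
        "inbound": in_act, "roundtrip_ok": dec == plain,
        "no_policy": local.process(Message(("10.0.0.5", 1, "192.0.2.9", 80, 6), b"x"))[0],
        "tampered": remote.process(Message(enc.five_tuple, tampered))[0],
        "unknown_spi": remote.process(Message(enc.five_tuple, unknown))[0],
    }
```

Running `demo()` exercises the four outcomes the flowchart implies: a plaintext message that matches an SP is encrypted and forwarded as ESP, the peer DPU finds the SA by SPI and recovers the original message, a plaintext message with no matching SP is discarded, and an encrypted message whose SPI is unknown, or whose integrity check fails, is discarded rather than forwarded.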
According to the embodiment of the disclosure, the IPSec processing function is offloaded to the dedicated DPU, whose core completes the IPSec service processing; this improves the efficiency of IPSec service processing, frees the system resources of the local host, and reduces the performance consumption of the local host system.
Fig. 4 is a schematic structural diagram of a message forwarding device according to an embodiment of the present disclosure. The message forwarding device may be a DPU as described in the above embodiments, or it may be a part or component of the DPU. The message forwarding device provided in the embodiments of the present disclosure may execute the processing flow provided in the embodiment of the message forwarding method. As shown in fig. 4, the message forwarding device 40 includes: configuration module 41, negotiation module 42, receiving module 43, processing module 44, and sending module 45. The configuration module 41 is configured to respond to a configuration instruction of a local host and complete the configuration operation corresponding to the configuration instruction, where the local host is in communication connection with the DPU; the negotiation module 42 is configured to negotiate with a target host to obtain an IPSec SA library, where the target host is in communication connection with the DPU; the receiving module 43 is configured to receive a message to be processed; the processing module 44 is configured to process the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message; the sending module 45 is configured to forward the processed message to the target host.
Optionally, the negotiation module 42 is specifically configured to perform IKE negotiation with the target host to obtain an IKE SA; and negotiating with the target host based on the IKE SA to obtain the IPSec SA.
Optionally, the processing module 44 is specifically configured to determine, when the message to be processed is an encrypted message, whether an IPSec SA matched with the message to be processed exists in the IPSec SA library according to the SPID of the message to be processed; if so, carrying out decryption operation on the message to be processed based on the IPSec SA matched with the message to be processed in the IPSec SA library, and obtaining the processed message.
Optionally, the configuration module 41 is further configured to complete the configuration operation for the IPSec SP library in response to an IPSec SP configuration instruction of the local host.
Optionally, the processing module 44 is specifically configured to determine, when the message to be processed is a plaintext message, whether an IPSec SP matching the message to be processed exists in the IPSec SP library according to five-tuple information of the message to be processed; and if so, carrying out encryption operation on the message to be processed based on the IPSec SA matched with the message to be processed in the IPSec SA library, so as to obtain the processed message.
The message forwarding apparatus of the embodiment shown in fig. 4 may be used to implement the technical solution of the above method embodiment, and its implementation principle and technical effects are similar, and are not described herein again.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. The electronic device may be a DPU as described in the above embodiments. The electronic device provided in the embodiment of the present disclosure may execute the processing flow provided in the embodiment of the method for forwarding a message, as shown in fig. 5, where the electronic device 50 includes: memory 51, processor 52, computer programs and communication interface 53; wherein the computer program is stored in the memory 51 and configured to be executed by the processor 52 for the message forwarding method as described above.
In addition, the embodiment of the present disclosure further provides a computer readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to implement the method for forwarding a packet according to the foregoing embodiment.
Furthermore, the embodiments of the present disclosure also provide a computer program product comprising a computer program or instructions which, when executed by a processor, implement a message forwarding method as described above.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A message forwarding method, characterized in that the method is applied to a DPU and comprises: in response to a configuration instruction of a local host, completing the configuration operation corresponding to the configuration instruction, the local host being in communication connection with the DPU; negotiating with a target host to obtain an IPSec SA library, the target host being in communication connection with the DPU; receiving a message to be processed; processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message; and forwarding the processed message to the target host.
2. The method according to claim 1, characterized in that said negotiating with the target host to obtain the IPSec SA comprises: performing IKE negotiation with the target host to obtain an IKE SA; and negotiating with the target host based on the IKE SA to obtain the IPSec SA.
3. The method according to claim 1, characterized in that said processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message comprises: when the message to be processed is an encrypted message, determining, according to the SPID of the message to be processed, whether an IPSec SA matching the message to be processed exists in the IPSec SA library; and if so, performing a decryption operation on the message to be processed based on the IPSec SA in the IPSec SA library that matches the message to be processed, to obtain the processed message.
4. The method according to claim 1, characterized in that said responding to the configuration instruction of the local host and completing the configuration operation corresponding to the configuration instruction comprises: in response to an IPSec SP configuration instruction of the local host, completing the configuration operation of the IPSec SP library.
5. The method according to claim 4, characterized in that said processing the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message further comprises: when the message to be processed is a plaintext message, determining, according to the five-tuple information of the message to be processed, whether an IPSec SP matching the message to be processed exists in the IPSec SP library; and if so, performing an encryption operation on the message to be processed based on the IPSec SA in the IPSec SA library that matches the message to be processed, to obtain the processed message.
6. A message forwarding device, characterized in that the device comprises: a configuration module, configured to respond to a configuration instruction of a local host and complete the configuration operation corresponding to the configuration instruction, the local host being in communication connection with the DPU; a negotiation module, configured to negotiate with a target host to obtain an IPSec SA library, the target host being in communication connection with the DPU; a receiving module, configured to receive a message to be processed; a processing module, configured to process the message to be processed based on the IPSec SA in the IPSec SA library to obtain a processed message; and a sending module, configured to forward the processed message to the target host.
7. The device according to claim 6, characterized in that the configuration module is further configured to complete the configuration operation of the IPSec SP library in response to an IPSec SP configuration instruction of the local host.
8. The device according to claim 7, characterized in that the processing module is specifically configured to, when the message to be processed is a plaintext message, determine, according to the five-tuple information of the message to be processed, whether an IPSec SP matching the message to be processed exists in the IPSec SP library; and if so, perform an encryption operation on the message to be processed based on the IPSec SA in the IPSec SA library that matches the message to be processed, to obtain the processed message.
9. An electronic device, characterized in that it comprises: a memory; a processor; and a computer program; wherein the computer program is stored in the memory and is configured to be executed by the processor to implement the method according to any one of claims 1-5.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1-5 is implemented.
CN202310651775.4A 2023-06-02 2023-06-02 Message forwarding method, device, device, and computer-readable storage medium Pending CN116599661A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310651775.4A CN116599661A (en) 2023-06-02 2023-06-02 Message forwarding method, device, device, and computer-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310651775.4A CN116599661A (en) 2023-06-02 2023-06-02 Message forwarding method, device, device, and computer-readable storage medium

Publications (1)

Publication Number Publication Date
CN116599661A true CN116599661A (en) 2023-08-15

Family

ID=87606236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310651775.4A Pending CN116599661A (en) 2023-06-02 2023-06-02 Message forwarding method, device, device, and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN116599661A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117424739A (en) * 2023-10-31 2024-01-19 中科驭数(北京)科技有限公司 Message forwarding method and system based on DPU, user mode protocol stack and IP core
CN117811787A (en) * 2023-12-26 2024-04-02 中科驭数(北京)科技有限公司 Information configuration method, device, equipment and storage medium
CN118713911A (en) * 2024-07-22 2024-09-27 中移(苏州)软件技术有限公司 Message processing method, device, DPU and SDN controller
CN119484123A (en) * 2024-11-20 2025-02-18 山石网科通信技术股份有限公司 Message processing method, system and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1964251A (en) * 2000-12-22 2007-05-16 睦塞德技术公司 Packet encrypton system and method
US20100223458A1 (en) * 2009-02-27 2010-09-02 Mcgrew David Pair-wise keying for tunneled virtual private networks
CN115766172A (en) * 2022-11-09 2023-03-07 中科驭数(北京)科技有限公司 Message forwarding method, device, equipment and medium based on DPU and national password

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Liang (陈亮): "Research on Security Policy Retrieval for an IPSec VPN System Based on Multi-core Processors" (基于多核处理器的IPSec_VPN系统安全策略检索研究), Computer Engineering and Applications (《计算机工程与应用》), vol. 53, no. 23, 31 December 2017 (2017-12-31), pages 67 - 71 *

Similar Documents

Publication Publication Date Title
US11038846B2 (en) Internet protocol security tunnel maintenance method, apparatus, and system
CN116599661A (en) Message forwarding method, device, device, and computer-readable storage medium
EP3605976B1 (en) Message sending method and network device
CN109150688B (en) IPSec VPN data transmission method and device
US10250571B2 (en) Systems and methods for offloading IPSEC processing to an embedded networking device
US11153289B2 (en) Secure communication acceleration using a System-on-Chip (SoC) architecture
CN102882789B (en) A kind of data message processing method, system and equipment
CN110719248A (en) Method and device for forwarding user datagram protocol message
JP6617984B2 (en) IPSec acceleration method, apparatus and system
CN113055269B (en) Virtual private network data transmission method and device
CN116647425B (en) IPSec-VPN implementation method and device of OVN architecture, electronic equipment and storage medium
CN110266725B (en) Password security isolation module and mobile office security system
CN111355695B (en) A security proxy method and device
CN101222512A (en) Encryption and decryption card, encryption method and decryption method
CN115174482A (en) Message distribution method and device of network equipment
CN117811787A (en) Information configuration method, device, equipment and storage medium
WO2012126432A2 (en) Method, device and system for data transmission
CN109905310B (en) Data transmission method and device and electronic equipment
US11652910B2 (en) Data transmission method, device, and system
CN117254976B (en) National standard IPsec VPN implementation method, device, system and electronic equipment based on VPP
CN115529180B (en) IPSec encryption and decryption unloading method
CN115134806B (en) IPSec security reinforcement transmission method, CPE and network transmission system
US7437548B1 (en) Network level protocol negotiation and operation
CN114070606B (en) Network security terminal device based on domestic operating system and working method
US20240106647A1 (en) Methods and systems of a packet orchestration to provide data encryption at the ip layer, utilizing a data link layer encryption scheme

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination