CN1301612C - IPSEC nesting strategy match correcting method - Google Patents
Publication number: CN1301612C (application CNB2003101019685A)
Authority: CN (China)
Prior art keywords: security, strategy, ipsec, security strategy, packet
Legal status (Google's estimate, not a legal conclusion): Expired - Fee Related
Classification area: Data Exchanges In Wide-Area Networks
Abstract
The present invention discloses a matching and verification method for nested IPSEC policies. For the case of multi-level tunnel nesting, the security associations are linked to each other, as a doubly linked list or an array, in the order in which the encapsulations are stripped; the policy is searched according to the content of the data packet, and each security policy corresponds to one security association, so the policies can be matched and verified. The method solves the policy matching and verification problems that arise with multi-level IPSEC tunnel nesting: for any nesting depth the security policy database has to be looked up only once, and the association relation between the policies is then used to complete all remaining policy matching. The method increases the efficiency of security policy verification and improves system performance.
Description
Technical field
The invention belongs to the field of information security within information technology and relates to IPSEC (IP Security) systems; specifically, it relates to a method for matching and verifying, against the security policies, the multi-level security protection applied to nested packets.
Background technology
With advancing technology and falling costs, the Internet has become increasingly popular. Since the 1990s the network has expanded continuously. Many telecommunications companies provide customers with high-speed lines for Internet access, and local Internet service providers (ISPs) offer cheap local access, attracting more and more users online. Today the Internet carries all kinds of communication, and a user need only pay the local access fee to reach resources worldwide. People have accepted e-commerce and try to carry out transactions online; enterprise users increasingly use the Internet to transmit important information; governments have begun to move workflows online. As awareness of security and confidentiality grows, people pay more and more attention to the security of Internet communication.
The IP protocol is the main bearer protocol of the Internet, and because of its openness, IP packets themselves carry no security features. It is easy to forge the source address of an IP packet, modify its content, replay previously captured packets, or intercept and inspect packet contents in transit. We therefore cannot guarantee that a received packet comes from the sender we expect, cannot guarantee that it contains the original data the sender provided, and cannot know whether its content has been read by an eavesdropper.
For the security of IP packets, IPSEC is a strong and extensible mechanism. IPSEC provides comprehensive protection: data confidentiality, data integrity, data origin authentication, resistance to traffic analysis and anti-replay protection. Because IPSEC works at the IP layer, every upper-layer application can use the protection it provides without each application implementing its own. Since what IPSEC protects is the IP packet itself, it can apply several protections to one packet, and IPSEC can be applied successively or recursively.
IPSEC distinguishes between inbound and outbound packets. When IPSEC sends a packet outward, it first checks the local security policy, that is, the IPSEC policy database SPD, and the SPD decides whether the packet may be sent from this host. In general a packet has one of three handling policies: pass directly (BYPASS), discard (DROP), or apply IPSEC protection (IPSEC). If IPSEC protection is required, the policy must also specify how the packet is to be protected. In that case the security policy usually comprises one or more security associations (SAs), and these SAs describe the protection in detail: which security protocol (AH, the authentication header, or ESP, the encapsulating security payload) protects the packet, which cryptographic algorithm that protocol uses, the keys of the algorithm, and so on. The protocol protects the entire IP packet according to these parameters and then sends it. A packet may be protected several times as required, strengthening its security.
For a received IPSEC packet, the parameters carried in the IP packet are first used to find the corresponding SA in the security association database SADB, and the parameters in that SA are used to remove the secure encapsulation from the IP packet. During decapsulation the integrity of the packet may also be verified, to prevent spoofing and tampering. After the original packet has been recovered, the protocol must additionally verify that the protection actually applied to this packet is the protection the security policy requires. If this verification fails, the host is under attack or being deceived: the packet must be dropped and the audit event recorded. If it passes, the packet is delivered to the upper-layer protocol or forwarded as required.
For a mobile-office user, protecting company secrets transmitted over the public network requires a secure tunnel for the data transfer between the two sites, against the threats that may exist on the public network. A company is usually divided into several departments whose information-protection requirements differ, and some internal data must also be protected from eavesdropping and attack by the company's own employees. This calls for an additional internal tunnel for communication with key departments. If internal tunnels must be established with several departments, the relationship between the security policies becomes more complicated. For example, let the security policy between an external host and the company's security gateway be PA, the security policy to department D's server be PB, and the security policy to department E's server be PC. The communication policy to department D can then be described as PB->PA, and that to department E as PC->PA. If a department is itself subdivided, with different protection requirements, still more security policies are needed. The outer policy and the inner policies stand in a one-to-many relationship, which reflects real network structures and the regulatory requirements of enterprises that deploy security applications.
Because the IPSEC input and output processing involve considerable work, and encryption and decryption in particular are time-consuming, IPSEC communication is likely to become the performance bottleneck of a system that uses IPSEC. Reducing and simplifying operations as far as possible without compromising security, so as to improve IPSEC processing efficiency, is therefore an important part of IPSEC system design and implementation.
A security policy lookup matches many fields, generally including the source IP address, destination IP address, source port number, destination port number and upper-layer protocol. Every packet processed requires one or more security policy lookups. In a large network with many security policies, these lookups have a considerable effect on system performance.
At present only a few vendors support such multi-level tunnel nesting. From the published material, their basic approach is that every packet requires several security policy lookups.
Summary of the invention
The present invention proposes a method for efficiently matching security policies in the case of multi-level tunnel nesting: for any nesting depth, the security policy database is searched once and the matching verification of the security policies is completed.
The security policy matching and verification method of the invention proceeds as follows:
One, in the security policy database, for security policies that have a nesting relationship, link each inner policy to its outer policy according to the relationship between the data channels the policies correspond to;
Two, for a received packet, record the security association used each time an IPSEC encapsulation is stripped, and associate these security associations in stripping order as a doubly linked list or an array;
Three, after all IPSEC encapsulations that should be stripped have been stripped, search the security policy database by the packet's addresses to obtain the innermost security policy; point the security policy pointer at this policy, note the security association used for the last decapsulation, and point the security association pointer at that security association;
Four, in the security policy database each security policy corresponds to one security association. Check whether the security policy corresponding to the security association currently pointed to equals the security policy currently pointed to; if they are equal, this policy matches; if not, the security policy verification fails and processing jumps to step seven;
Five, check whether the security association list or array is exhausted; if so, jump to step six; otherwise, following the doubly linked list or array, move the security association pointer back to the security association used by the next outer layer of IPSEC processing, move the security policy pointer to the next outer IPSEC security policy, and jump to step four;
Six, all security policies have been verified and the policy check is complete;
Seven, the policy check has found a mismatch and the security check returns failure.
For step one, the inner/outer relationship between policies must be defined when the security policies are configured; a pointer or an array can describe this relationship.
For step two, a simple approach is to use a doubly linked list. After a security association has correctly decapsulated the packet, that security association is appended to the end of the list. When all security associations have been processed, the whole security association list is complete.
For step four, the matching criterion is: the security policy found in the security policy database by the packet's encapsulation address must be identical to the policy the security association points to. If so, the IPSEC protection applied to the packet agrees with what the security policy requires and the policy check passes; otherwise the security policy verification fails. For the policy found by the search, the outer policy it points to is treated as the policy that would be found by searching the security policy database with the address of the packet's next outer encapsulation.
The invention takes several application scenarios into account and, without reducing security, solves the policy matching check problem for multi-level nested IPSEC tunnels: for multi-level nesting the security policy database is searched only once, and the association relation between the policies is then used to complete the matching of all policies, improving the efficiency of security policy verification and the performance of the system.
Description of drawings
Fig. 1 is a flowchart of the multi-level tunnel security policy check method of the invention.
Fig. 2 is a schematic diagram of an embodiment with nested multi-level security tunnels.
Embodiment
The IPSEC nested policy matching and verification method of the invention is described below with reference to an embodiment. First, the data structures of the security association SA and the security policy SP are defined:
The security association SA contains the following fields: destination IP address (dest_ipaddr), security protocol (proto), Security Parameter Index (spi), cryptographic algorithm parameters (crypto), and the owning security policy (sp).
The security policy SP contains the following fields: source IP address (source_ipaddr), destination IP address (dest_ipaddr), tunnel source IP address (tunnel_source_ipaddr), tunnel destination IP address (tunnel_dest_ipaddr), upper-layer protocol (proto), the corresponding security association (sa), and the outer security policy (out_sp).
A security association array SAG[] stores the SAs applied to one packet.
N is the number of SAs recorded. SP is the security policy obtained from the policy database search.
The flow shown in Fig. 1 can be implemented as follows:
1) When the security policy is not NULL (i.e. not empty) and N is not 0, execute step 2), otherwise execute step 3);
2) If the security policy of SAG[N-1] is not SP, the security policy verification has found a policy that does not match and fails; otherwise update the parameters: the security policy becomes the next outer policy pointed to by the current security policy, the number of security associations is decreased by 1, and the flow returns to step 1);
3) If the security policy is not NULL, or N is not 0, the security policy verification has found a policy that does not match and fails; otherwise all security policies have been verified and the security check succeeds.
Taking the multi-level security tunnels shown in Fig. 2 as an example, the complete security policy verification performed after a packet arrives at host C is described in detail for the communication between host C and the internal departmental server D, which is protected by double ESP.
Host C's first secure tunnel passes through the external network and router A and terminates at router B, protected by the ESP security protocol; host C's second secure tunnel passes through the external network and terminates at router A, also protected by ESP. Host C has IP address 192.168.1.1; security router A has 192.168.2.1; security router B has 192.168.3.1; departmental server D has 192.168.4.1. The inner layer is the ESP tunnel from 192.168.1.1 to 192.168.3.1, with Security Parameter Index (used to find the security association) 100; the outer layer is the ESP tunnel from 192.168.1.1 to 192.168.2.1, with Security Parameter Index 200.
On host C there are two security policies for communication with server D, with the following meaning: hosts behind security router B are reached with protection Sain; machines behind security router A are reached with protection Saout. Accessing server D from host C therefore requires double protection.
In the inner policy Spin: source_ipaddr=192.168.1.1, dest_ipaddr=192.168.4.1, tunnel_source_ipaddr=192.168.1.1, tunnel_dest_ipaddr=192.168.3.1, proto=any (any protocol), SA=Sain, Out_sp=Spout.
In the outer policy Spout: source_ipaddr=192.168.1.1, dest_ipaddr=192.168.3.1, tunnel_source_ipaddr=192.168.1.1, tunnel_dest_ipaddr=192.168.2.1, proto=any (any protocol), SA=Saout, Out_sp=NULL (there is no further outer security policy).
Correspondingly there are two security associations:
Inner SA: dest_ipaddr=192.168.1.1, spi=100, proto=esp, crypto=aes+md5, sp=Spin.
Outer SA: dest_ipaddr=192.168.1.1, spi=200, proto=esp, crypto=des+md5, sp=Spout.
When host C receives a packet sent from server D, the outermost IP encapsulation is: source IP 192.168.2.1, destination IP 192.168.1.1, upper-layer protocol ESP. Checking the ESP header gives Security Parameter Index 200, and the three parameters 192.168.1.1, esp, 200 find Saout; using this SA to remove the IPSEC encapsulation yields the inner IP packet. Record SAG[0]=Saout and the number of SAs used, N=1. The inner IP packet is: source IP 192.168.3.1, destination IP 192.168.1.1, upper-layer protocol ESP. Checking the ESP header again gives Security Parameter Index 100, and the three parameters 192.168.1.1, ESP, 100 find Sain; using this SA to remove the IPSEC encapsulation yields the next inner IP packet. Record SAG[1]=Sain and N=2. Checking the packet obtained after this decapsulation: source IP address 192.168.4.1, destination IP address 192.168.1.1, and the upper-layer protocol is not a security protocol (AH or ESP), so the security policy verification must now be carried out on this packet to decide whether the protection applied satisfies the security policy.
First, the IP packet obtained last is used to search the policy in the security policy database. The search parameters are: source IP address 192.168.4.1, destination IP address 192.168.1.1, upper-layer protocol assumed to be TCP (the policy says ANY, so the protocol does not constrain the search). The search yields the policy Spin. The loop is then entered. From the recorded SAs, SAG[N-1]=SAG[1]=Sain and Sain->sp=Spin, so the policy found by the search is consistent with the policy corresponding to the SA. From the current SP, the outer policy is Sp=Spin->out_sp=Spout, and N=N-1=1. Now SAG[N-1]=SAG[0]=Saout and Saout->sp=Spout; comparing Sp with the SA's policy again finds them consistent. Adjusting the parameters: N=N-1=0, and from the current SP the outer policy is Sp=Spout->out_sp=NULL. This satisfies the loop termination condition.
After the loop ends, Sp=NULL and N=0, so the policy check succeeds.
The above is an example of a successful policy check. An example of a failed security policy verification follows; when this event occurs, the system may be under attack. Suppose there is a computer E inside the company that has blocked the communication between host C and server D, impersonates server D between security routers A and B, and deceives host C in an attempt to obtain confidential data.
When host C receives a packet that appears to come from server D, the outermost IP encapsulation is: source IP 192.168.2.1, destination IP 192.168.1.1, upper-layer protocol ESP. Checking the ESP header gives Security Parameter Index 200, and the three parameters 192.168.1.1, esp, 200 find Saout; using this SA to remove the IPSEC encapsulation yields the inner IP packet. Record SAG[0]=Saout and the number of SAs used, N=1. Checking the packet obtained after this decapsulation: source IP address 192.168.4.1, destination IP address 192.168.1.1, and the upper-layer protocol is not a security protocol (AH or ESP), so the security policy verification must now be carried out on this packet to decide whether the protection applied satisfies the security policy.
First, the IP packet obtained last is used to search the policy in the security policy database. The search parameters are: source IP address 192.168.4.1, destination IP address 192.168.1.1, upper-layer protocol assumed to be TCP (the policy says ANY, so the protocol does not constrain the search). The search yields the policy Spin. The loop is then entered. From the recorded SAs, SAG[N-1]=SAG[0]=Saout and Saout->sp=Spout, so the policy found by the search is inconsistent with the policy corresponding to the SA. The policy check fails.
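The procedure of steps one to seven, the Fig. 1 flow and the two worked examples above can be put together in one program. The following is an added example written for this page; it is not the patent's code and not taken from any implementation. It models the SA and SP structures with the fields the embodiment names, uses the addresses, SPIs and policy names of the embodiment (Spin, Spout, Sain, Saout, SAG[], N), and represents a received packet as a constructed list of IP headers, outermost first. No ESP decryption or integrity check is performed: "stripping" a layer here means looking up its SA and consuming the next header, which is enough to show how the single SPD lookup plus the SA->sp and SP->out_sp links verify every nesting level. The bound MAX_NEST and the helper names are assumptions.

```c
/* Added example, not the patent's own code: nested IPSEC policy check run on
 * the two worked examples. Headers are constructed; no crypto is performed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_ESP 50
#define MAX_NEST  8               /* assumed bound on nesting depth */

struct sp;
struct sa {                       /* security association, fields as in the embodiment */
    const char *dest_ipaddr;      /* SADB key: tunnel destination address */
    int         proto;            /* security protocol (ESP here) */
    unsigned    spi;              /* Security Parameter Index, SADB key */
    const char *crypto;           /* algorithm parameters, informational here */
    struct sp  *sp;               /* owning security policy */
};
struct sp {                       /* security policy, fields as in the embodiment */
    const char *source_ipaddr, *dest_ipaddr;                /* inner selectors */
    const char *tunnel_source_ipaddr, *tunnel_dest_ipaddr;
    int         proto;            /* 0 = any */
    struct sa  *sa;               /* corresponding SA (not needed by the check) */
    struct sp  *out_sp;           /* next outer policy; NULL at the outermost */
};
struct ip_hdr {                   /* one encapsulation layer of a constructed packet */
    const char *src, *dst;
    int         proto;            /* PROTO_ESP: an ESP header carrying 'spi' follows */
    unsigned    spi;
};

/* Constructed SPD and SADB of the embodiment: C=192.168.1.1, A=192.168.2.1,
 * B=192.168.3.1, D=192.168.4.1. Tentative definitions let SA and SP refer to each other. */
static struct sp spin, spout;
static struct sa sain  = { "192.168.1.1", PROTO_ESP, 100, "aes+md5", &spin  };
static struct sa saout = { "192.168.1.1", PROTO_ESP, 200, "des+md5", &spout };
static struct sp spin  = { "192.168.1.1", "192.168.4.1", "192.168.1.1", "192.168.3.1", 0, &sain,  &spout };
static struct sp spout = { "192.168.1.1", "192.168.3.1", "192.168.1.1", "192.168.2.1", 0, &saout, NULL   };
static struct sa *sadb[] = { &sain, &saout };
static struct sp *spd[]  = { &spin, &spout };

/* Inbound SA lookup by (destination address, protocol, SPI), as in the description. */
static struct sa *sadb_lookup(const char *dst, int proto, unsigned spi)
{
    for (size_t i = 0; i < sizeof sadb / sizeof sadb[0]; i++)
        if (sadb[i]->proto == proto && sadb[i]->spi == spi &&
            strcmp(sadb[i]->dest_ipaddr, dst) == 0)
            return sadb[i];
    return NULL;
}

/* The single SPD search (step three), keyed by the fully decapsulated packet. The
 * embodiment matches the inbound packet against the policy's address pair, so both
 * orientations are accepted; proto 0 in the policy means any protocol. */
static struct sp *spd_lookup(const char *src, const char *dst, int proto)
{
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++) {
        struct sp *p = spd[i];
        int fwd = strcmp(src, p->source_ipaddr) == 0 && strcmp(dst, p->dest_ipaddr) == 0;
        int rev = strcmp(src, p->dest_ipaddr) == 0 && strcmp(dst, p->source_ipaddr) == 0;
        if ((fwd || rev) && (p->proto == 0 || p->proto == proto))
            return p;
    }
    return NULL;
}

/* Step two: strip every IPSEC layer, recording the SA used in SAG[] in stripping
 * order (SAG[0] = outermost). Returns the index of the inner packet's header,
 * or -1 if a layer has no SA or nothing but IPSEC layers is present. */
static int strip_layers(const struct ip_hdr *h, int nh, struct sa *sag[], int *n)
{
    int i = 0;
    *n = 0;
    while (i < nh && h[i].proto == PROTO_ESP) {
        struct sa *sa = sadb_lookup(h[i].dst, PROTO_ESP, h[i].spi);
        if (sa == NULL || *n >= MAX_NEST)
            return -1;
        sag[(*n)++] = sa;
        i++;
    }
    return i < nh ? i : -1;
}

/* Steps 1)-3) of the Fig. 1 flow: walk SAG[] from the innermost SA outwards while
 * following sp->out_sp; both must be exhausted together. Returns 1 = pass, 0 = fail. */
static int verify_policy(struct sp *sp, struct sa *sag[], int n)
{
    while (sp != NULL && n != 0) {
        if (sag[n - 1]->sp != sp)   /* protection used is not what the policy demands */
            return 0;
        sp = sp->out_sp;
        n--;
    }
    return sp == NULL && n == 0;
}

/* Complete inbound check of a constructed packet: strip, one SPD lookup, verify. */
static int check_packet(const struct ip_hdr *h, int nh)
{
    struct sa *sag[MAX_NEST];
    int n;
    int inner = strip_layers(h, nh, sag, &n);
    if (inner < 0)
        return 0;
    return verify_policy(spd_lookup(h[inner].src, h[inner].dst, h[inner].proto), sag, n);
}

/* Constructed packets: D->C through both tunnels, and the spoofed packet that
 * carries only the outer tunnel (the second worked example). */
static const struct ip_hdr good_pkt[] = {
    { "192.168.2.1", "192.168.1.1", PROTO_ESP, 200 },   /* outer: A -> C, SPI 200 */
    { "192.168.3.1", "192.168.1.1", PROTO_ESP, 100 },   /* inner: B -> C, SPI 100 */
    { "192.168.4.1", "192.168.1.1", PROTO_TCP, 0   },   /* original packet D -> C */
};
static const struct ip_hdr spoofed_pkt[] = {
    { "192.168.2.1", "192.168.1.1", PROTO_ESP, 200 },
    { "192.168.4.1", "192.168.1.1", PROTO_TCP, 0   },   /* inner ESP layer missing */
};
int check_good(void)    { return check_packet(good_pkt, 3); }     /* 1: Spin/Sain, then Spout/Saout */
int check_spoofed(void) { return check_packet(spoofed_pkt, 2); }  /* 0: SAG[0]=Saout but policy is Spin */

int main(void)
{
    printf("double ESP from D: %s\n", check_good() ? "policy check passed" : "policy check FAILED");
    printf("spoofed packet:    %s\n", check_spoofed() ? "policy check passed" : "policy check FAILED");
    return 0;
}
```

The verification loop is the part that matters: it never searches the SPD again, and a mismatch is detected either because `SAG[N-1]->sp` differs from the current policy (the spoofed case, where the inner tunnel was skipped) or because the SA array and the `out_sp` chain do not run out at the same time (a packet with more or fewer layers than the policy chain).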
Claims (3)
1. An IPSEC nested policy matching and verification method, characterized in that the method comprises the following steps:
1) in the security policy database, for security policies that have a nesting relationship, link each inner policy to its outer policy according to the relationship between the data channels the policies correspond to;
2) for a received packet, record the security association used each time an IPSEC encapsulation is stripped, and associate these security associations in stripping order as a doubly linked list or an array;
3) after all IPSEC encapsulations that should be stripped have been stripped, search the security policy database by the packet's addresses to obtain the innermost security policy; point the security policy pointer at this policy, note the security association used for the last decapsulation, and point the security association pointer at that security association;
4) each security policy corresponds to one security association; check whether the security policy corresponding to the security association currently pointed to equals the security policy currently pointed to; if they are equal, this policy matches; if not, the security policy verification fails and processing jumps to step 7);
5) check whether the security association list or array is exhausted; if so, jump to step 6); otherwise, following the doubly linked list or array, move the security association pointer back to the security association used by the next outer layer of IPSEC processing, move the security policy pointer to the next outer IPSEC security policy, and jump to step 4);
6) all security policies have been verified and the policy check is complete;
7) the policy check has found a mismatch and the security check returns failure.
2. The IPSEC nested policy matching and verification method according to claim 1, characterized in that in step 1) the inner/outer relationship between policies is defined when the security policies are configured, and a pointer or an array is used to describe this relationship.
3. The IPSEC nested policy matching and verification method according to claim 1 or 2, characterized in that, for the security policy obtained by the search, the outer policy it points to is treated as the policy that would be obtained by searching the security policy database with the address of the packet's next outer encapsulation.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2003101019685A CN1301612C (en) | 2003-10-20 | 2003-10-20 | IPSEC nesting strategy match correcting method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1529485A CN1529485A (en) | 2004-09-15 |
| CN1301612C true CN1301612C (en) | 2007-02-21 |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101605136B (en) * | 2009-07-28 | 2012-09-26 | 杭州华三通信技术有限公司 | A method and an apparatus for Internet protocol security IPSec processing to packets |
| CN102932377B (en) * | 2012-11-28 | 2015-05-06 | 成都卫士通信息产业股份有限公司 | Method and device for filtering IP (Internet Protocol) message |
| CN106850672B (en) * | 2017-03-08 | 2019-09-03 | 迈普通信技术股份有限公司 | The Security Association lookup method and device of ipsec tunnel |
| CN112217769B (en) * | 2019-07-11 | 2023-01-24 | 奇安信科技集团股份有限公司 | Tunnel-based data decryption method, encryption method, device, equipment and medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6253321B1 (en) * | 1998-06-19 | 2001-06-26 | Ssh Communications Security Ltd. | Method and arrangement for implementing IPSEC policy management using filter code |
Legal Events
| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C14 | Grant of patent or utility model |
| GR01 | Patent grant |
| C17 | Cessation of patent right |
| CF01 | Termination of patent right due to non-payment of annual fee (granted publication date: 20070221; termination date: 20131020) |