CN105704122B - A kind of routing encryption system - Google Patents

Info

Publication number: CN105704122B
Authority: CN (China)
Prior art keywords: message, sent, information, routing, encryption
Legal status: Active
Application number: CN201610011849.8A
Other languages: Chinese (zh)
Other versions: CN105704122A (en)
Inventors: 王建新, 朱宇霞
Current Assignee: CICT Mobile Communication Technology Co Ltd
Original Assignee: Beijing Northern Fiberhome Technologies Co Ltd
Application filed by Beijing Northern Fiberhome Technologies Co Ltd
Priority to CN201610011849.8A
Publication of CN105704122A
Application granted
Publication of CN105704122B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/74: Address processing for routing
    • H04L45/745: Address table lookup; Address filtering

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a routing encryption system comprising at least one routing encryption subsystem integrated in a programmable logic device. Each routing encryption subsystem comprises a routing forwarding engine module, a lookup routing table engine module and an IPSEC protocol engine module that are each connected to the routing forwarding engine module, and an IPSEC crypto engine module connected to the IPSEC protocol engine module. Each routing encryption subsystem integrated in the programmable logic device uses these engine modules to perform the routing encryption function on a message to be sent, so that the routing encryption function is implemented entirely in hardware. This avoids the low communication efficiency between base station and core network that results in the prior art from implementing the routing encryption function in software.

Description

A kind of routing encryption system
Technical field
This application relates to the field of communication technology, and more specifically to a routing encryption system.
Background art
Routing is the activity of transferring a message from a source address to a destination address through an interconnected network. IPSec (Internet Protocol Security) is the long-term development direction of secure networking; it provides active protection through end-to-end security to prevent attacks from private networks and the Internet.
In the prior art, communication between a base station and the core network implements the routing forwarding and IPSEC encryption of messages (that is, the routing encryption function) in software. It is well known, however, that although the routing encryption function can be implemented in software, the software approach is often limited by CPU performance, which lowers message transmission efficiency and in turn the communication efficiency between the base station and the core network.
Therefore, providing a routing encryption system that addresses the low communication efficiency between base station and core network caused in the prior art by implementing the routing encryption function in software is a problem that urgently needs to be solved.
Summary of the invention
In view of this, the application provides a routing encryption system that implements the routing encryption function for messages entirely in hardware, avoiding the low communication efficiency between base station and core network that results in the prior art from implementing the routing encryption function in software.
To achieve the above object, the proposed technical solution is as follows:
A routing encryption system comprises at least one routing encryption subsystem integrated in a programmable logic device. The routing encryption subsystem comprises a routing forwarding engine module, a lookup routing table engine module and a protocol security (IPSEC) protocol engine module that are each connected to the routing forwarding engine module, and an IPSEC crypto engine module connected to the IPSEC protocol engine module, wherein:
The routing forwarding engine module is configured to receive a message to be sent and send the header information of the message to be sent to the lookup routing table engine module; and to receive the routing forwarding information returned by the lookup routing table engine module, update the header information of the message to be sent using the routing forwarding information so that the message to be sent becomes a first message to be sent, and send the first message to be sent to the IPSEC protocol engine module;
The lookup routing table engine module is configured to receive the header information of the message to be sent and generate routing forwarding information according to the header information;
The IPSEC protocol engine module is configured to receive the first message to be sent and judge, according to preset encryption information, whether the first message to be sent needs to be encrypted; when it does, to send the encryption information and the data information of the first message to be sent to the IPSEC crypto engine module, and update the header information of the first message to be sent according to the encryption information so that the first message to be sent becomes a second message to be sent; and to receive the target data information returned by the IPSEC crypto engine module, update the data information of the second message to be sent using the target data information so that the second message to be sent becomes a third message to be sent, and send the third message to be sent to the destination address indicated by the header information of the third message to be sent;
The IPSEC crypto engine module is configured to receive the encryption information and the data information of the first message to be sent, and to encrypt the data information according to the encryption information to obtain the target data information.
Preferably, the IPSEC protocol engine module, which receives the first message to be sent and judges according to the preset encryption information whether the first message to be sent needs to be encrypted, is configured to:
when it judges according to the preset encryption information that the first message to be sent does not need to be encrypted, send the first message to be sent to the destination address indicated by the header information of the first message to be sent.
Preferably, the lookup routing table engine module, which generates the routing forwarding information according to the header information, is configured to:
obtain, according to the original destination address information in the header information of the message to be sent and a preset routing forwarding algorithm, the destination address corresponding to the original destination address indicated by the original destination address information in the header information;
generate the routing forwarding information according to the original destination address information in the header information and the destination address corresponding to the original destination address indicated by the original destination address information.
Preferably, when the routing forwarding information at least indicates the correspondence between the original destination address and the destination address,
the routing forwarding engine module, which updates the header information of the message to be sent using the routing forwarding information so that the message to be sent becomes the first message to be sent, is configured to:
update the original destination address information in the header information of the message to be sent to address information indicating the destination address that corresponds to the original destination address in the routing forwarding information, so that the message to be sent becomes the first message to be sent.
Preferably, the IPSEC protocol engine module, which judges according to the preset encryption information whether the first message to be sent needs to be encrypted, is configured to:
judge whether the preset encryption information is identical to preset base encryption information;
when they are identical, determine that the first message to be sent does not need to be encrypted;
when they are not identical, determine that the first message to be sent needs to be encrypted.
Preferably, the IPSEC protocol engine module, which updates the header information of the first message to be sent according to the encryption information so that the first message to be sent becomes the second message to be sent, is configured to:
add, to the header information of the first message to be sent, header sub-information indicating the encryption mode corresponding to the encryption information, so that the first message to be sent becomes the second message to be sent.
Preferably, the IPSEC crypto engine module, which encrypts the data information according to the encryption information to obtain the target data information, is configured to:
encrypt the data information using the encryption method indicated by the encryption information to obtain the target data information.
Preferably, the IPSEC protocol engine module, which updates the data information of the second message to be sent using the target data information so that the second message to be sent becomes the third message to be sent, is configured to:
update the data information of the second message to be sent to the target data information, so that the second message to be sent becomes the third message to be sent.
Preferably, the system further comprises an air-interface encryption engine module connected to the routing forwarding engine module,
the air-interface encryption engine module being configured to perform air-interface encryption on the message to be sent.
Preferably, the message to be sent includes a user-plane message to be sent and a control-plane message to be sent.
The application provides a routing encryption system comprising at least one routing encryption subsystem integrated in a programmable logic device, wherein each routing encryption subsystem comprises a routing forwarding engine module, a lookup routing table engine module and an IPSEC protocol engine module that are each connected to the routing forwarding engine module, and an IPSEC crypto engine module connected to the IPSEC protocol engine module. Each routing encryption subsystem integrated in the programmable logic device uses these engine modules to perform the routing encryption function on a message to be sent, so that the routing encryption function is implemented entirely in hardware, avoiding the low communication efficiency between base station and core network that results in the prior art from implementing the routing encryption function in software.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a structural schematic diagram of a routing encryption system provided by an embodiment of the present application;
Fig. 2 is a detailed structural schematic diagram of a routing encryption subsystem provided by an embodiment of the present application;
Fig. 3 is a detailed structural schematic diagram of another routing encryption subsystem provided by an embodiment of the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiment:
For the routing encryption system provided by the embodiment of the present application, refer to Fig. 1 and Fig. 2. Fig. 1 is a structural schematic diagram of the routing encryption system provided by the embodiment of the present application, and Fig. 2 is a detailed structural schematic diagram of a routing encryption subsystem provided by the embodiment of the present application.
As Fig. 1 and Fig. 2 show, the routing encryption system 1 provided by the embodiment of the present application comprises at least one routing encryption subsystem 2 integrated in a programmable logic device.
Specifically, in the embodiment of the present application, the number of routing encryption subsystems integrated in the programmable logic device can preferably be set arbitrarily according to the inventor's needs and is not limited here.
As Fig. 1 and Fig. 2 also show, a routing encryption subsystem provided by the embodiment of the present application comprises: a routing forwarding engine module 21; a lookup routing table engine module 22 and an IPSEC protocol engine module 23, each connected to the routing forwarding engine module 21; and an IPSEC crypto engine module 24 connected to the IPSEC protocol engine module 23.
In the embodiment of the present application, each routing encryption subsystem in the routing encryption system can preferably complete the routing encryption function for a message. Specifically, each routing encryption subsystem completes the routing encryption function for a message as follows:
The routing forwarding engine module 21 is configured to receive a message to be sent and send the header information of the message to be sent to the lookup routing table engine module; and to receive the routing forwarding information returned by the lookup routing table engine module, update the header information of the message to be sent using the routing forwarding information so that the message to be sent becomes a first message to be sent, and send the first message to be sent to the IPSEC protocol engine module;
The lookup routing table engine module 22 is configured to receive the header information of the message to be sent and generate routing forwarding information according to the header information;
The IPSEC protocol engine module 23 is configured to receive the first message to be sent and judge, according to preset encryption information, whether the first message to be sent needs to be encrypted; when it does, to send the encryption information and the data information of the first message to be sent to the IPSEC crypto engine module, and update the header information of the first message to be sent according to the encryption information so that the first message to be sent becomes a second message to be sent; and to receive the target data information returned by the IPSEC crypto engine module, update the data information of the second message to be sent using the target data information so that the second message to be sent becomes a third message to be sent, and send the third message to be sent to the destination address indicated by the header information of the third message to be sent;
The IPSEC crypto engine module 24 is configured to receive the encryption information and the data information of the first message to be sent, and to encrypt the data information according to the encryption information to obtain the target data information.
In the embodiment of the present application, during communication between the base station and the core network, the routing encryption system provided by the embodiment of the present application can preferably be applied, for each message sent, at whichever end acts as the sending end. For example, when the base station sends a message to the core network, the base station is the sending end and the core network is the receiving end; the routing encryption system provided by the embodiment of the present application can then be applied at the base station, so that the message is routed and encrypted while the base station sends it to the core network.
In the embodiment of the present application, the message to be sent that is received by the routing forwarding engine module of the routing encryption system is preferably the message issued by the sending end when the sending end needs to send a message to the receiving end.
To help those skilled in the art understand how the engine modules of each routing encryption subsystem in the routing encryption system perform routing encryption on a message, the routing encryption subsystem provided by the embodiment of the present application is now described through the process of performing routing encryption on a message, as follows:
In the embodiment of the present application, after the routing forwarding engine module receives a message to be sent, it preferably sends the header information of the message to be sent to the lookup routing table engine module.
After the lookup routing table engine module receives the header information of the message to be sent from the routing forwarding engine module, it generates routing forwarding information according to the header information and returns the generated routing forwarding information to the routing forwarding engine module.
After the routing forwarding engine module receives the routing forwarding information returned by the lookup routing table engine module, it updates the header information of the message to be sent using the routing forwarding information so that the message to be sent becomes the first message to be sent, and sends the first message to be sent to the IPSEC protocol engine module.
After the IPSEC protocol engine module receives the first message to be sent from the routing forwarding engine module, it judges according to the preset encryption information whether the first message to be sent needs to be encrypted. When it does, the IPSEC protocol engine module sends the encryption information and the data information of the first message to be sent to the IPSEC crypto engine module, and updates the header information of the first message to be sent according to the encryption information so that the first message to be sent becomes the second message to be sent.
After the IPSEC crypto engine module receives the encryption information and the data information of the first message to be sent from the IPSEC protocol engine module, it encrypts the data information according to the encryption information to obtain the target data information, and returns the target data information to the IPSEC protocol engine module.
After the IPSEC protocol engine module receives the target data information returned by the IPSEC crypto engine module, it updates the data information of the second message to be sent using the target data information so that the second message to be sent becomes the third message to be sent, and sends the third message to be sent to the destination address indicated at that point by the header information of the third message to be sent.
By describing the process of performing routing encryption on a message, the application makes the interaction workflow between the engine modules of the routing encryption subsystem provided by the embodiment of the present application clearer.
Further, in the routing encryption subsystem provided by the embodiment of the present application, the IPSEC protocol engine module, which receives the first message to be sent and judges according to the preset encryption information whether the first message to be sent needs to be encrypted, is configured to: when it judges according to the preset encryption information that the first message to be sent does not need to be encrypted, send the first message to be sent to the destination address indicated by the header information of the first message to be sent.
In the embodiment of the present application, when the IPSEC protocol engine module judges according to the preset encryption information that the first message to be sent does not need to be encrypted, it preferably does not send the encryption information and the data information of the first message to be sent to the IPSEC crypto engine module, and does not perform the process of updating the header information of the first message to be sent according to the encryption information to turn it into the second message to be sent. It only needs to send the first message to be sent directly to the destination address indicated at that point by the header information of the first message to be sent.
In the embodiment of the present application, the lookup routing table engine module, which generates the routing forwarding information according to the header information, is preferably configured to: obtain, according to the original destination address information in the header information of the message to be sent and a preset routing forwarding algorithm, the destination address corresponding to the original destination address indicated by the original destination address information in the header information; and generate the routing forwarding information according to the original destination address information in the header information and the destination address corresponding to the original destination address indicated by the original destination address information.
Specifically, the preset routing forwarding algorithm can be set according to a routing forwarding algorithm input by the user in advance, where the user can input a routing forwarding algorithm as follows: the routing forwarding algorithm that the user selects from a list containing multiple routing forwarding algorithms is taken as the routing forwarding algorithm input by the user.
The above is only a preferred mode of the embodiment of the present application. The inventor can set, according to their own needs, the time at which the routing forwarding algorithm is preset, for example while the routing encryption system provided by the embodiment of the present application is performing routing encryption on a message; this is not limited here.
Likewise, the way in which the user presets the routing forwarding algorithm described in the embodiment of the present application is only a preferred mode of the embodiment. The inventor can set the way in which the user presets the routing forwarding algorithm according to their own needs; this is not limited here.
In the embodiment of the present application, the routing forwarding algorithm is preferably used to calculate the destination address corresponding to the original destination address indicated by the original destination address information in the header information of the message to be sent. The routing forwarding information can then be generated from the original destination address information in the header information and the destination address corresponding to the original destination address indicated by the original destination address information.
In the embodiment of the present application, when the routing forwarding information at least indicates the correspondence between the original destination address and the destination address, the routing forwarding engine module, which updates the header information of the message to be sent using the routing forwarding information so that the message to be sent becomes the first message to be sent, is preferably configured to: update the original destination address information in the header information of the message to be sent to address information indicating the destination address that corresponds to the original destination address in the routing forwarding information, so that the message to be sent becomes the first message to be sent.
In the embodiment of the present application, the routing forwarding information preferably at least indicates the correspondence between the original destination address and the destination address.
Specifically, the inventor can set the information included in the routing forwarding information according to their own needs. In the embodiment of the present application, it is only necessary to ensure that the information included in the routing forwarding information can indicate the correspondence between the original destination address and the destination address.
In the embodiment of the present application, when the routing forwarding information at least indicates the correspondence between the original destination address and the destination address, the routing forwarding engine module preferably first determines, according to the routing forwarding information, the destination address corresponding to the original destination address, and then updates the original destination address information in the header information of the message to be sent to address information indicating that destination address, so that the message to be sent becomes the first message to be sent.
In the embodiment of the present application, the IPSEC protocol engine module, which judges according to the preset encryption information whether the first message to be sent needs to be encrypted, is preferably configured to: judge whether the preset encryption information is identical to preset base encryption information; when they are identical, determine that the first message to be sent does not need to be encrypted; and when they are not identical, determine that the first message to be sent needs to be encrypted.
In the embodiment of the present application, base encryption information and encryption information are preferably both set in advance.
In the embodiment of the present application, the base encryption information preferably indicates that the first message to be sent currently received by the IPSEC protocol engine module does not need to be encrypted. Specifically, the preset base encryption information can be represented by the number 0.
Specifically, taking base encryption information represented by the number 0 as an example: when the IPSEC protocol engine module judges that the encryption information is also represented by the number 0, the first message to be sent received by the IPSEC protocol engine module at that point does not need to be encrypted. When the IPSEC protocol engine module judges that the encryption information is not represented by the number 0 (for example, the encryption information is represented by the number 1), the first message to be sent received by the IPSEC protocol engine module at that point needs to be encrypted, and it is encrypted in the specific encryption mode indicated by the encryption information.
In the embodiment of the present application, the encryption information preferably includes: encryption algorithm information, authentication algorithm information and/or encapsulation mode information.
In the embodiment of the present application, the encapsulation mode information preferably includes transport mode/tunnel mode.
In the embodiment of the present application, the encryption algorithm indicated by the encryption algorithm information can preferably exist only in the ESP protocol.
Specifically, the main encryption algorithms are NULL_ENC, DES_CBC, 3DES_CBC, AES128_CBC, AES192_CBC, AES256_CBC, etc.
In the embodiment of the present application, the authentication algorithm indicated by the authentication algorithm information can preferably be used by both the AH protocol and the ESP protocol.
Specifically, the main authentication algorithms are NON_AUTH; HMAC_MD5; HMAC_SHA1; HMAC_SHA2_256; HMAC_SHA2_384; HMAC_SHA2_512.
The above is only a preferred mode of the embodiment of the present application. The inventor can set the specific content of the encryption algorithm information, the authentication algorithm information and/or the encapsulation mode information according to their own needs; this is not limited here.
In the embodiment of the present application, preferably, the IPSEC protocol engine module that updates the header information of the first message to be sent according to the encryption information, so as to update the first message to be sent to the second message to be sent, is configured to add, to the header information of the first message to be sent, header sub-information indicating the encryption mode corresponding to the encryption information, thereby updating the first message to be sent to the second message to be sent.
In the embodiment of the present application, preferably, the process in which the IPSEC protocol engine module updates the header information of the first message to be sent according to the encryption information, so as to update the first message to be sent to the second message to be sent, includes: the IPSEC protocol engine module adds, to the header information of the first message to be sent, information indicating the encryption mode corresponding to the encryption information. This added information is called the header sub-information. By adding the header sub-information to the header information of the first message to be sent, the embodiment of the present application updates the first message to be sent to the second message to be sent.
The above is only a preferred implementation of the embodiment of the present application; the inventor may set, as needed, the specific way in which the IPSEC protocol engine module updates the header information of the first message to be sent according to the encryption information so as to update the first message to be sent to the second message to be sent. For example: when the encapsulation mode information included in the encryption information is transport mode, the first message to be sent is updated to the second message to be sent by the above process alone; however, when the encapsulation mode information included in the encryption information is transport mode, in addition to updating the first message to be sent to the second message to be sent by the above process, the header information of the first message to be sent also needs to be processed. For a detailed description of how the header information of the first message to be sent is processed, refer to the prior art; it is not described here.
In the embodiment of the present application, preferably, the IPSEC crypto engine module that encrypts the data information according to the encryption information to obtain the target data information is configured to encrypt the data information using the encryption method indicated by the encryption information, obtaining the target data information.
In the embodiment of the present application, preferably, the routing encryption subsystem provided by the embodiment of the present application includes at least one IPSEC crypto engine module, and each IPSEC crypto engine module is connected to the IPSEC protocol engine module, so that the data information of multiple first messages to be sent can be encrypted in parallel, improving the efficiency of message encryption.
For example, when two first messages to be sent and two IPSEC crypto engine modules exist at the same time, the data information of each first message to be sent is sent to its own IPSEC crypto engine module, and the encryption information is sent to both IPSEC crypto engine modules. Each IPSEC crypto engine module then processes the encryption information and data information it has received and obtains the corresponding target data information.
The above is only a preferred implementation of the embodiment of the present application; the inventor may set, as needed, the number of IPSEC crypto engine modules in the routing encryption subsystem provided by the embodiment of the present application, and the way in which the IPSEC crypto engine modules in the routing encryption subsystem process the data information of the first messages to be sent (e.g., parallel processing or non-parallel processing), which is not limited here.
In the embodiment of the present application, preferably, the routing forwarding engine module is an IPV4 routing forwarding engine module or an IPV6 routing forwarding engine module.
Specifically, the IPV4 routing forwarding engine module is a routing forwarding engine module based on the IPV4 protocol; the IPV6 routing forwarding engine module is a routing forwarding engine module based on the IPV6 protocol.
The above is only a preferred implementation of the embodiment of the present application; the inventor may set, as needed, the protocol on which the routing forwarding engine module is based, which is not limited here.
In the embodiment of the present application, preferably, the IPSEC protocol engine module that updates the data information of the second message to be sent using the target data information, so as to update the second message to be sent to the third message to be sent, is configured to update the data information of the second message to be sent to the target data information, thereby updating the second message to be sent to the third message to be sent.
In the embodiment of the present application, preferably, the IPSEC protocol engine module updates the second message to be sent to the third message to be sent by updating the data information of the second message to be sent to the target data information.
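The decision and update steps described above, modelled in software as an added example (not code from the patent, which describes a hardware implementation). The class and field names, the `ipsec` header key and the sample values are assumptions; the model implements only NULL_ENC with HMAC-SHA2-256 from the lists above, and its tag covers the data information only, not a full ESP packet.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, replace

BASE_ENCRYPTION_INFO = 0  # the page's example: 0 means "no encryption needed"
ICV_LEN = 16              # HMAC-SHA-256 tag truncated to 128 bits, as in RFC 4868


@dataclass(frozen=True)
class EncryptionInfo:
    """Pre-set encryption information (field names are assumptions)."""
    enc_alg: str    # encryption algorithm information, e.g. "NULL_ENC"
    auth_alg: str   # authentication algorithm information, e.g. "HMAC-SHA2-256"
    mode: str       # encapsulation mode information: "transport" or "tunnel"


@dataclass(frozen=True)
class Message:
    header: dict    # header information
    data: bytes     # data information


def crypto_engine(info, key, data):
    """IPSEC crypto engine module: data information -> target data information."""
    if (info.enc_alg, info.auth_alg) != ("NULL_ENC", "HMAC-SHA2-256"):
        raise NotImplementedError("this model implements one algorithm pair only")
    icv = hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]
    return data + icv  # NULL_ENC leaves the data readable; the tag authenticates it


def needs_encryption(info):
    """Compare the pre-set encryption information with the base value."""
    return info != BASE_ENCRYPTION_INFO


def protocol_engine(first_messages, info, key, engines=2):
    """IPSEC protocol engine module: first messages in, messages to send out."""
    if not needs_encryption(info):
        return list(first_messages)  # sent on unchanged
    # Second message: header sub-information records the encryption mode used.
    sub_info = {"enc_alg": info.enc_alg, "auth_alg": info.auth_alg, "mode": info.mode}
    second = [replace(m, header={**m.header, "ipsec": dict(sub_info)})
              for m in first_messages]
    # Each message's data goes to one crypto engine; the engines run in parallel.
    with ThreadPoolExecutor(max_workers=engines) as pool:
        targets = list(pool.map(lambda m: crypto_engine(info, key, m.data),
                                first_messages))
    # Third message: the data is replaced by the target data information.
    return [replace(m, data=t) for m, t in zip(second, targets)]


def verify(message, key):
    """Receiver-side check of the tag appended by crypto_engine."""
    data, icv = message.data[:-ICV_LEN], message.data[-ICV_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


# Constructed sample input: two first messages whose destination was already rewritten.
SAMPLE_KEY = bytes(range(32))
SAMPLE_MESSAGES = [
    Message({"dst": "192.0.2.10"}, b"user-plane payload"),
    Message({"dst": "192.0.2.10"}, b"control-plane payload"),
]
SAMPLE_INFO = EncryptionInfo("NULL_ENC", "HMAC-SHA2-256", "transport")

if __name__ == "__main__":
    for m in protocol_engine(SAMPLE_MESSAGES, SAMPLE_INFO, SAMPLE_KEY):
        print(m.header, len(m.data), verify(m, SAMPLE_KEY))
```

Because the header sub-information is the only record of which mode was applied, a receiver or monitoring point should treat a message that lacks it, or whose tag fails `verify`, as unprotected.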
Fig. 3 is a detailed structural diagram of another routing encryption subsystem provided by an embodiment of the present application.
As shown in Fig. 3, the routing encryption subsystem includes: a routing forwarding engine module 21; a lookup routing table engine module 22, an IPSEC protocol engine module 23 and an air-interface crypto engine module 25, each connected to the routing forwarding engine module 21; and an IPSEC crypto engine module 24 connected to the IPSEC protocol engine module 23.
In the routing encryption subsystem provided by this embodiment of the present application, an air-interface crypto engine module connected to the routing forwarding engine module is further provided on the basis of the routing encryption subsystem of the above embodiment. The routing forwarding engine module can therefore receive the message to be sent through the air-interface crypto engine module, and the message to be sent can be encrypted by the air-interface crypto engine module as it is transmitted to the routing forwarding engine module, which further improves the transmission efficiency and security with which the routing encryption system provided by the embodiment of the present application transmits messages to be sent.
In the embodiment of the present application, preferably, an air-interface encryption algorithm is preset in the air-interface crypto engine module, so that received messages to be sent are encrypted using the preset air-interface encryption algorithm.
In the embodiment of the present application, preferably, the air-interface encryption algorithm includes the ZUC encryption algorithm, the SNOW 3G encryption algorithm and/or the AES encryption algorithm.
The above is only a preferred implementation of the embodiment of the present application; the inventor may set, as needed, the specific air-interface encryption algorithm configured in the air-interface crypto engine module, which is not limited here.
In the embodiment of the present application, preferably, the message to be sent includes a user-plane message to be sent and a control-plane message to be sent.
In the embodiment of the present application, preferably, the message to be sent received by the routing forwarding engine module includes a user-plane message to be sent and a control-plane message to be sent.
Specifically, the user-plane message to be sent and the control-plane message to be sent included in the message to be sent received by the routing forwarding engine module are each treated as one message to be sent. That is, the routing forwarding engine module treats the user-plane message to be sent as one message to be sent as described in the above embodiments of the present application, treats the control-plane message to be sent as another such message to be sent, and performs routing encryption separately for the user-plane message to be sent and the control-plane message to be sent.
In the embodiment of the present application, preferably, when the message to be sent received by the routing forwarding engine module includes a user-plane message to be sent and a control-plane message to be sent, the header information of only one of them needs to be sent to the lookup routing table engine module, in order to receive the routing forwarding information that the lookup routing table engine module generates from the header information of that message and returns. When the message whose header information is sent to the lookup routing table engine module is the user-plane message, the control-plane message received at the same time as the user-plane message only needs to use the routing forwarding information corresponding to the user-plane message as its own routing forwarding information. For example, the target destination address corresponding to the original destination address of the control-plane message is determined directly from the correspondence, indicated in the routing forwarding information of the user-plane message, between the original destination address of the user-plane message and the target address (where the target destination address is the target address, indicated by the routing forwarding information of the user-plane message, that corresponds to the original destination address of the user-plane message). The routing forwarding information corresponding to the control-plane message is then determined to indicate the correspondence between the original destination address of the control-plane message and the target destination address.
The above is only a preferred implementation of the embodiment of the present application; the inventor may set, as needed, the way in which the routing forwarding information corresponding to the user-plane message and the routing forwarding information corresponding to the control-plane message are obtained when the message to be sent received by the routing forwarding engine module includes a user-plane message to be sent and a control-plane message to be sent, which is not limited here.
The present application provides a routing encryption system that includes at least one routing encryption subsystem integrated in a programmable logic device, where each routing encryption subsystem includes a routing forwarding engine module, a lookup routing table engine module and an IPSEC protocol engine module each connected to the routing forwarding engine module, and an IPSEC crypto engine module connected to the IPSEC protocol engine module. With the routing encryption subsystems integrated in the programmable logic device, the engine modules provided in each subsystem can perform the routing encryption function on messages to be sent. The routing encryption function is thereby implemented entirely in hardware, which avoids the low efficiency of communication between the base station and the core network that results when the prior art implements the routing encryption function for messages in software.
Finally, it should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The embodiments in this specification are described in a progressive manner. Each embodiment focuses on its differences from the other embodiments, and for the parts that are the same or similar the embodiments may be referred to one another.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. A routing encryption system, characterized by comprising at least one routing encryption subsystem integrated in a programmable logic device, the routing encryption subsystem comprising a routing forwarding engine module, a lookup routing table engine module and a protocol security (IPSEC) protocol engine module each connected to the routing forwarding engine module, and an IPSEC crypto engine module connected to the IPSEC protocol engine module, wherein
the routing forwarding engine module is configured to receive a message to be sent and send the header information of the message to be sent to the lookup routing table engine module; and to receive the routing forwarding information returned by the lookup routing table engine module, update the header information of the message to be sent using the routing forwarding information so as to update the message to be sent to a first message to be sent, and send the first message to be sent to the IPSEC protocol engine module;
the lookup routing table engine module is configured to receive the header information of the message to be sent and generate routing forwarding information according to the header information;
the IPSEC protocol engine module is configured to receive the first message to be sent and judge, according to pre-set encryption information, whether the first message to be sent needs to be encrypted; when it does, to send the encryption information and the data information of the first message to be sent to the IPSEC crypto engine module, and update the header information of the first message to be sent according to the encryption information so as to update the first message to be sent to a second message to be sent; and to receive the target data information returned by the IPSEC crypto engine module, update the data information of the second message to be sent using the target data information so as to update the second message to be sent to a third message to be sent, and send the third message to be sent to the destination address indicated by the header information of the third message to be sent;
the IPSEC crypto engine module is configured to receive the encryption information and the data information of the first message to be sent, and encrypt the data information according to the encryption information to obtain the target data information;
the lookup routing table engine module that generates routing forwarding information according to the header information is configured to obtain, according to the original destination address information in the header information of the message to be sent and a pre-set routing forwarding algorithm, the target address corresponding to the original destination address indicated by the original destination address information in the header information; and to generate the routing forwarding information according to the original destination address information in the header information and the target address corresponding to the original destination address indicated by the original destination address information;
when the routing forwarding information indicates at least the correspondence between the original destination address and the target address, the routing forwarding engine module that updates the header information of the message to be sent using the routing forwarding information, so as to update the message to be sent to the first message to be sent, is configured to update the original destination address information in the header information of the message to be sent to address information indicating the target address that corresponds to the original destination address in the routing forwarding information, thereby updating the message to be sent to the first message to be sent.
2. The system according to claim 1, characterized in that the IPSEC protocol engine module that receives the first message to be sent and judges, according to the pre-set encryption information, whether the first message to be sent needs to be encrypted is configured to:
when it is judged according to the pre-set encryption information that the first message to be sent does not need to be encrypted, send the first message to be sent to the destination address indicated by the header information of the first message to be sent.
3. The system according to claim 2, characterized in that the IPSEC protocol engine module that judges, according to the pre-set encryption information, whether the first message to be sent needs to be encrypted is configured to:
judge whether the pre-set encryption information is identical to pre-set base encryption information;
when they are identical, determine that the first message to be sent does not need to be encrypted;
when they are not identical, determine that the first message to be sent needs to be encrypted.
4. The system according to claim 3, characterized in that the IPSEC protocol engine module that updates the header information of the first message to be sent according to the encryption information, so as to update the first message to be sent to the second message to be sent, is configured to:
add, to the header information of the first message to be sent, header sub-information indicating the encryption mode corresponding to the encryption information, thereby updating the first message to be sent to the second message to be sent.
5. The system according to claim 4, characterized in that the IPSEC crypto engine module that encrypts the data information according to the encryption information to obtain the target data information is configured to:
encrypt the data information using the encryption method indicated by the encryption information, obtaining the target data information.
6. The system according to claim 5, characterized in that the IPSEC protocol engine module that updates the data information of the second message to be sent using the target data information, so as to update the second message to be sent to the third message to be sent, is configured to:
update the data information of the second message to be sent to the target data information, thereby updating the second message to be sent to the third message to be sent.
7. The system according to any one of claims 1-6, characterized by further comprising an air-interface crypto engine module connected to the routing forwarding engine module,
the air-interface crypto engine module being configured to perform air-interface encryption on the message to be sent.
8. The system according to claim 7, characterized in that the message to be sent includes a user-plane message to be sent and a control-plane message to be sent.
CN201610011849.8A 2016-01-08 2016-01-08 A kind of routing encryption system Active CN105704122B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610011849.8A CN105704122B (en) 2016-01-08 2016-01-08 A kind of routing encryption system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610011849.8A CN105704122B (en) 2016-01-08 2016-01-08 A kind of routing encryption system

Publications (2)

Publication Number Publication Date
CN105704122A CN105704122A (en) 2016-06-22
CN105704122B true CN105704122B (en) 2018-12-18

Family

ID=56226989

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610011849.8A Active CN105704122B (en) 2016-01-08 2016-01-08 A kind of routing encryption system

Country Status (1)

Country Link
CN (1) CN105704122B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535834B (en) * 2019-08-09 2021-11-09 苏州浪潮智能科技有限公司 Accelerated processing method and system for network security IPsec

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1492317A (en) * 2003-08-27 2004-04-28 武汉理工大学 Enciphering/ciphering DSP system for treating IPSec safety protocol
CN101150572A (en) * 2006-09-22 2008-03-26 华为技术有限公司 Binding and update method and device for mobile node and communication end
CN101510889A (en) * 2009-04-03 2009-08-19 杭州华三通信技术有限公司 Method and equipment for obtaining dynamic route
CN102970228A (en) * 2012-11-22 2013-03-13 杭州华三通信技术有限公司 Message transmission method and equipment based on IPsec (Internet Protocol Security)
CN103457952A (en) * 2013-09-05 2013-12-18 杭州华三通信技术有限公司 IPSec processing method and device based on encrypting engine
US8763108B2 (en) * 2007-11-29 2014-06-24 Qualcomm Incorporated Flow classification for encrypted and tunneled packet streams


Also Published As

Publication number Publication date
CN105704122A (en) 2016-06-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190917

Address after: 430073 Hubei province Wuhan Dongxin East Lake high tech Development Zone, Road No. 5

Patentee after: Wuhan Hongxin Communication Technology Co., ltd.

Address before: 100085, building 1, tower 5, East Road, Haidian District, Beijing

Patentee before: Beifang Fenghuo Tech Co., Ltd., Beijing

CP03 Change of name, title or address

Address after: 430205 Hubei city of Wuhan province Jiangxia Hidden Dragon Island Tan lake two Road No. 1

Patentee after: CITIC Mobile Communication Technology Co., Ltd

Address before: 430073 Hubei province Wuhan Dongxin East Lake high tech Development Zone, Road No. 5

Patentee before: Wuhan Hongxin Telecommunication Technologies Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 430205 No.1 tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province

Patentee after: CITIC Mobile Communication Technology Co.,Ltd.

Address before: 430205 No.1 tanhu 2nd Road, Canglong Island, Jiangxia District, Wuhan City, Hubei Province

Patentee before: CITIC Mobile Communication Technology Co., Ltd