WO2012079462A1 - Method and device for Internet Key Exchange (IKE) message negotiation - Google Patents

Method and device for Internet Key Exchange (IKE) message negotiation

Info

Publication number
WO2012079462A1
Authority
WO
WIPO (PCT)
Prior art keywords
negotiation
message
received
packet
last
Prior art date
Application number
PCT/CN2011/083230
Other languages
French (fr)
Chinese (zh)
Inventor
谭龙远
Original Assignee
成都市华为赛门铁克科技有限公司
Priority date
Filing date
Publication date
Application filed by 成都市华为赛门铁克科技有限公司
Publication of WO2012079462A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • IKE: Internet Key Exchange
  • SA: Security Association
  • ISAKMP: Internet Security Association and Key Management Protocol
  • IKE also implements part of the functionality of two key-management technologies, Oakley and SKEME. IKE builds on the ISAKMP foundation, the Oakley modes, and the SKEME sharing and key-update techniques, and from these defines how authenticated keying material is generated and how sharing policies are negotiated. Oakley defines the modes; ISAKMP defines the negotiation phases.
  • IKE negotiation has two phases. In the first phase, IKE negotiation creates an IKE SA and authenticates it, so that the IKE SA provides confidentiality, data integrity, and data-origin authentication services for further IKE communication between the two parties.
  • In the second phase, an IPsec SA is created by negotiating over the established IKE SA.
  • The negotiation of each phase can be carried out in different modes. For example, the first phase can be negotiated in main mode or aggressive mode, and the second phase in quick mode.
  • FIG. 1 is a schematic diagram of the first-phase negotiation in main mode: the first four negotiation messages are exchanged in plaintext, and the last two are exchanged encrypted.
  • The first phase can also be negotiated in aggressive mode; FIG. 2 shows that process. As shown in FIG. 2, the negotiation initiator and the negotiation responder complete the first phase by exchanging three negotiation messages.
  • After the first phase completes, the second phase begins. FIG. 3 is a schematic diagram of the second-phase negotiation in quick mode. As shown in FIG. 3, the negotiation initiator and the negotiation responder complete the second phase by exchanging three negotiation messages.
  • VPN: Virtual Private Network.
  • In the second phase, if the negotiation responder fails to complete the negotiation, it discards every message it receives from the negotiation initiator, because it cannot decrypt them.
  • At the same time, the negotiation initiator keeps sending packets to the responder's invalid SA (security association), so bandwidth is wasted and those packets fall into a black hole.
  • An embodiment of the present invention provides a method and a device for negotiating IKE messages, so that the first-phase and second-phase negotiations succeed and the quality of IKE negotiation improves.
  • The embodiment of the present invention discloses the following technical solution. A method for negotiating IKE messages includes: sending the last negotiation message that the party itself needs to send; determining whether a peer response message is received; establishing a security association (SA) when the peer response message is received; and otherwise resending the last negotiation message.
  • A device for implementing IKE message negotiation includes: a sending unit, configured to send the last negotiation message that the device itself needs to send; a determining unit, configured to determine whether a peer response message is received; a negotiating unit, configured to establish an SA when the peer response message is received; and a resending unit, configured to resend the last negotiation message when the peer response message is not received. It can be seen from this embodiment that, after the last negotiation message that needs to be sent has been sent, it is determined whether a peer response message is received. If the peer response message is received, the negotiation has succeeded and the security association is established. If the peer response message is not received, the negotiation has not succeeded and the last negotiation message is resent, which improves the quality of the IKE negotiation. At the same time, this prevents the situation in which one party's negotiation succeeds while the other party's fails and the successful party keeps sending encrypted messages to the failed party, wasting bandwidth because those messages fall into a black hole.
  • FIG. 1 is a schematic diagram of the first-phase negotiation in main mode
  • FIG. 2 is a schematic diagram of the first-phase negotiation in aggressive mode
  • FIG. 3 is a schematic diagram of the second-phase negotiation in quick mode
  • FIG. 4 is a flowchart of an embodiment of a method for negotiating IKE messages
  • FIG. 5 is a flowchart of another embodiment of a method for negotiating IKE messages
  • FIG. 6 is a flowchart of another embodiment of a method for negotiating IKE messages
  • FIG. 7 is a schematic diagram of the first-phase IKE negotiation in aggressive mode under a network failure
  • FIG. 8 is a flowchart of another embodiment of a method for negotiating IKE messages
  • FIG. 9 is a flowchart of a method for sending the last negotiation message of a negotiation process
  • FIG. 10 is a structural diagram of an embodiment of a device for implementing IKE message negotiation

Detailed description
  • FIG. 4 is a flowchart of an embodiment of a method for negotiating IKE messages. It includes the following steps:
  • Step 401: Send the last negotiation message that the party itself needs to send.
  • Step 402: Determine whether the peer response message is received; if yes, go to step 403, otherwise go to step 404.
  • Determining whether the peer response message is received is specifically one of the following. Determine whether the peer response message is received within a preset time; if yes, the peer response message is determined to have been received, otherwise it is determined not to have been received. Or, in aggressive mode, determine whether the first negotiation message of the next phase arrives before the peer response message; if yes, the peer response message is determined not to have been received, otherwise it is determined to have been received.
  • Or, in aggressive mode, determine whether the preset time expires or the first negotiation message of the next phase arrives before the peer response message; if either happens, the peer response message is determined not to have been received, otherwise it is determined to have been received.
  • The preset time may be times x 2 + 5 s, where times is the number of times the last negotiation message has already been retransmitted.
  • The preset time is not limited to this value; it may be set arbitrarily according to the user's application requirements.
  • Step 403: When the peer response message is received, establish an SA.
  • Step 404: When the peer response message is not received, resend the last negotiation message.
  • Resending the last negotiation message is specifically: retrieving the last negotiation message and sending the retrieved message; or re-initiating the negotiation process and sending the last negotiation message in the re-initiated negotiation process.
  • The life cycle of the message may also be set. When the message's life cycle expires, each executing entity no longer sends the message. For example, once the life cycle of main-mode negotiation message (6) has expired, the negotiation responder will not send message (6) to the negotiation initiator again even if it receives main-mode negotiation message (5) again.
  • The message life cycle may be 60 s in the first phase and 50 s in the second phase. It should be noted that in the embodiment of the present application the life cycle is not limited to these values; it may be set arbitrarily according to the user's application requirements.
  • The following describes the negotiation method by taking as an example determining whether the peer response message is received within the preset time.
  • FIG. 5 is a flowchart of another embodiment of a method for negotiating IKE messages. It includes the following steps:
  • Step 501: When the negotiating party does not receive the negotiation response message from the negotiation peer within the preset time after sending the last negotiation message that it needs to send, the negotiating party resends that last negotiation message to the negotiation peer.
  • When the first phase is negotiated in main mode, the negotiation initiator sends the last negotiation message it should send to the negotiation responder, namely main-mode negotiation message (5), and the negotiation responder then sends a response negotiation message to the negotiation initiator, namely main-mode negotiation message (6).
  • When the first phase is negotiated in aggressive mode, the negotiation responder sends the last negotiation message it should send to the negotiation initiator, namely aggressive-mode negotiation message (2), and the negotiation initiator then sends a response negotiation message to the negotiation responder, namely aggressive-mode negotiation message (3).
  • When the second phase is negotiated in quick mode, the negotiation responder sends the last negotiation message it should send to the negotiation initiator, namely quick-mode negotiation message (2), and the negotiation initiator then sends a response negotiation message to the negotiation responder, namely quick-mode negotiation message (3).
  • If the negotiation initiator does not receive main-mode negotiation message (6) within the preset time after sending main-mode negotiation message (5), it resends main-mode negotiation message (5) to the negotiation responder.
  • When the first phase is negotiated in aggressive mode, if the negotiation responder does not receive aggressive-mode negotiation message (3) within the preset time after sending aggressive-mode negotiation message (2), it resends aggressive-mode negotiation message (2) to the negotiation initiator.
  • If the negotiation responder does not receive quick-mode negotiation message (3) within the preset time after sending quick-mode negotiation message (2), it resends quick-mode negotiation message (2) to the negotiation initiator.
  • The preset time may be times x 2 + 5 s, where times is the number of times the last negotiation message has already been retransmitted.
  • The preset time is not limited to this value; it may be set arbitrarily according to the user's application requirements.
  • When the message's life cycle expires, each executing entity no longer sends the message. For example, once the life cycle of main-mode negotiation message (6) has expired, the negotiation responder will not resend message (6) to the negotiation initiator even if it receives main-mode negotiation message (5) again.
  • The message life cycle may be 60 s in the first phase and 50 s in the second phase. It should be noted that in the embodiment of the present application the life cycle is not limited to these values; it may be set arbitrarily according to the user's application requirements.
  • When the negotiation initiator does not receive the negotiation response message from the responder within the preset time, then in addition to resending the last negotiation message it needs to send, it may also re-initiate the negotiation and, in the re-initiated negotiation process, send the last negotiation message to the negotiation responder again.
  • Step 502: After the negotiating party sends the last negotiation message it needs to send, the security association is established when the negotiation response message from the negotiation peer is received within the preset time.
  • FIG. 6 is a flowchart of another embodiment of a method for negotiating IKE messages. The method includes the following steps:
  • Step 601: In aggressive mode, after the negotiation responder sends the last negotiation message it needs to send, if the first negotiation message of the second phase is received before the negotiation response message from the negotiation initiator, the responder resends the last negotiation message it needs to send.
  • FIG. 7 is a schematic diagram of the first-phase IKE negotiation in aggressive mode under a network failure. As shown in FIG. 7, since the negotiation initiator has completed the first phase and entered the second phase, it continues by sending the first negotiation message of the second phase to the negotiation responder. At that point the negotiation responder still has not received the initiator's last negotiation message, so for the responder the first phase is not established. The negotiation responder therefore resends the last negotiation message it needs to send to the negotiation initiator.
  • Step 602: After the negotiation responder sends the last negotiation message it needs to send, if the negotiation response message from the negotiation initiator is received before the first negotiation message of the second phase, the security association is established.
  • When the message's life cycle expires, each executing entity no longer sends the message.
  • The message life cycle may be 60 s in the first phase and 50 s in the second phase. It should be noted that in the embodiment of the present application the life cycle is not limited to these values; it may be set arbitrarily according to the user's application requirements.
  • This embodiment provides another method for negotiating IKE messages.
  • The IKE message negotiation method of this embodiment applies to aggressive mode. If the preset time expires before the peer response message is received, the negotiation responder resends the last negotiation message it needs to send once the preset time has expired. If the first negotiation message of the second phase arrives before the peer response message, the negotiation responder resends the last negotiation message it needs to send after receiving that first second-phase message.
  • FIG. 8 is a flowchart of another embodiment of a method for negotiating IKE messages.
  • Step 801: In aggressive mode, after the negotiation responder sends the last negotiation message it needs to send, if the preset time expires before the peer response message is received, or the first negotiation message of the next phase arrives before the peer response message, the responder resends the last negotiation message it needs to send.
  • Step 802: After the negotiation responder sends the last negotiation message it needs to send, if the negotiation response message from the negotiation initiator is received before the preset time expires and before the first negotiation message of the next phase arrives, the security association is established.
  • When the message's life cycle expires, each executing entity no longer sends the message. For example, once the life cycle of aggressive-mode negotiation message (3) has expired, the negotiation initiator will not send message (3) to the negotiation responder again even if it receives aggressive-mode negotiation message (2) again.
  • The message life cycle may be 60 s in the first phase and 50 s in the second phase. It should be noted that in the embodiment of the present application the life cycle is not limited to these values; it may be set arbitrarily according to the user's application requirements.
  • It can be seen from this embodiment that the negotiation responder checks whether the negotiation response message from the negotiation initiator arrives before the preset time expires and before the first negotiation message of the next phase. If it does, the negotiation has succeeded and the security association is established.
  • If instead the preset time expires, or the first negotiation message of the next phase arrives, before the negotiation response message is received, the negotiation has not succeeded and the last negotiation message is resent, which improves the quality of the IKE negotiation.
  • At the same time, this prevents the party whose negotiation succeeded from sending encrypted messages to the party whose negotiation failed and wasting bandwidth because those messages fall into a black hole.
  • The following describes how the negotiating party that sends the final message of the negotiation process (the negotiation responder in main mode, or the negotiation initiator in aggressive mode) sends that last negotiation message.
  • The implementation process is shown in FIG. 9, a flowchart of a method for sending the last negotiation message of a negotiation process. The steps are as follows:
  • Step 901: Determine, according to a logical condition, whether the negotiation message to be sent is the last negotiation message of the negotiation process. If the logical condition is true, go to step 902; if it is false, end the process.
  • In the logical condition, initiator identifies the sender of the negotiation message about to be sent: initiator is 1 if the sender is the negotiation initiator and 0 if it is the negotiation responder. step indicates the negotiation step and is counted from 0, so step 0 denotes negotiation step 1, and so on. status indicates the serial number of the negotiation message to be sent and is counted from 1, so status 1 denotes message (1); when the message to be sent is the last negotiation message of the negotiation process, status is Ready.
  • From the logical condition it is not difficult to see that the condition is true when the negotiation message to be sent is the last negotiation message of the negotiation process.
  • Step 902: According to the logical condition (last_sent && (flag & MSG_LAST)), determine whether the last negotiation message to be sent must be saved. If the condition is false, go to step 903; if it is true, go to step 904.
  • Step 903: Set the type of the last negotiation message to be sent to MSG_LAST, record that message in the variable last_sent, send it, and end the process.
  • Step 904: Send the last negotiation message and end the process.
  • In main mode, the negotiation responder uses the logical condition (last_sent && (flags & MSG_LAST)) to decide whether to save the message. If the condition is false, the last negotiation message, message (6), is being sent for the first time: the flag is set to MSG_LAST, and message (6) is stored in the variable last_sent and sent. If the condition is true, the last negotiation message is being retransmitted; it was already saved when it was first sent, so it need not be saved again and is simply retransmitted.
  • In aggressive mode, the negotiation initiator decides in the same way according to (last_sent && (flag & MSG_LAST)). If the condition is false, the last negotiation message, message (3), is being sent for the first time: the flag is set to MSG_LAST, and message (3) is saved in the variable last_sent and sent. If the condition is true, the last negotiation message is being retransmitted; it was saved when it was first sent, so it is retransmitted directly without being saved again.
  • The embodiment of the present invention further provides a retransmission system for negotiation messages.
  • FIG. 10 is a structural diagram of an embodiment of a device for implementing IKE message negotiation according to the present application. It includes a sending unit 1001, a determining unit 1002, a negotiating unit 1003, and a resending unit 1004, where:
  • the sending unit 1001 is configured to send the last negotiation message that the device itself needs to send;
  • the determining unit 1002 is configured to determine whether the peer response message is received;
  • the negotiating unit 1003 is configured to establish a security association (SA) when the peer response message is received; and the resending unit 1004 is configured to resend the last negotiation message when the peer response message is not received.
  • The determining unit 1002 includes: a first determining subunit, configured to determine whether the peer response message is received within the preset time, and if yes, determine that the peer response message is received, otherwise determine that it is not received;
  • a second determining subunit, configured to determine, in aggressive mode, whether the first negotiation message of the next phase arrives before the peer response message, and if yes, determine that the peer response message is not received, otherwise determine that it is received; and
  • a third determining subunit, configured to determine, in aggressive mode, whether the preset time expires or the first negotiation message of the next phase arrives before the peer response message, and if yes, determine that the peer response message is not received, otherwise determine that it is received.
  • The resending unit 1004 includes: a first resending subunit, configured to retrieve the last negotiation message and send the retrieved message; and
  • a second resending subunit, configured to re-initiate the negotiation process in main mode and send the last negotiation message in the re-initiated negotiation process.
  • The retransmission method and system for negotiation messages in this application apply to negotiation between host and host, between host and gateway, and between gateway and gateway.
  • An IPsec tunnel is established across the public network to encrypt traffic; firewalls A and B can act as the negotiation initiator and the negotiation responder of the negotiation process.
  • The retransmission method and system for negotiation messages in this application also apply to travelling users: the firewall is configured as a template, client software is installed on each PC connected to the public network, and when accessing data at headquarters each PC establishes its own tunnel to protect the data transmitted over the public network.
  • The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
  • The program may be stored in a computer-readable storage medium, which may include read-only memory, random access memory, a magnetic disk, an optical disk, and so on.
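The retransmission rules of FIG. 4 to FIG. 9 (preset time of times x 2 + 5 s, the 60 s / 50 s message life cycle, the aggressive-mode trigger when the first message of the next phase arrives, and the last_sent / MSG_LAST bookkeeping of steps 901-904) are small enough to run as a simulation. The following Python block is an added example, not code from the patent: the Msg and Party classes, the simulate_* drivers and the message numbers used for the scenarios are assumptions made for illustration, and the three scenarios (a lost main-mode message (6), an initiator that never hears (6), and an aggressive-mode responder that sees a phase-2 message before message (3)) are constructed inputs.

```python
"""Simulation of the last-message retransmission of FIG. 4 to FIG. 9: preset time,
message life cycle, aggressive-mode trigger and the last_sent/MSG_LAST bookkeeping.
Added illustration, not the patent's code; Msg, Party and simulate_* are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

MSG_LAST = 0x1                  # flag bit named on the page (step 903)
LIFETIME = {1: 60.0, 2: 50.0}   # message life cycle per phase, page's example values

def preset_time(times: int) -> float:
    """Seconds to wait before the next retransmission: times x 2 + 5 s (page's formula)."""
    return times * 2 + 5

@dataclass(frozen=True)
class Msg:
    phase: int     # 1 (main/aggressive mode) or 2 (quick mode)
    number: int    # position in the exchange, counted from 1
    final: bool    # closing message of the exchange, which expects no reply

@dataclass
class Party:
    aggressive: bool = False
    awaiting: Optional[Msg] = None   # our last message that still expects a peer response
    sent_at: float = 0.0
    times: int = 0                   # retransmissions of `awaiting` so far
    await_deadline: float = 0.0      # life cycle expiry of `awaiting`
    last_sent: Optional[Msg] = None  # page: last_sent (saved closing message)
    flags: int = 0                   # page: flags (MSG_LAST bit)
    last_deadline: float = 0.0       # life cycle expiry of `last_sent`
    sa_established: bool = False
    wire: List[Msg] = field(default_factory=list)   # everything this party put on the wire

    def send(self, msg: Msg, now: float) -> Msg:
        if msg.final:                                   # FIG. 9, steps 901-904
            if self.last_sent is not None and (self.flags & MSG_LAST):
                msg = self.last_sent                    # step 904: retransmit the saved copy
            else:
                self.flags |= MSG_LAST                  # step 903: first send, save it
                self.last_sent = msg
                self.last_deadline = now + LIFETIME[msg.phase]
        else:                                           # step 401: our last message, reply expected
            self.awaiting, self.sent_at, self.times = msg, now, 0
            self.await_deadline = now + LIFETIME[msg.phase]
        self.wire.append(msg)
        return msg

    def _resend_awaiting(self, now: float) -> Optional[Msg]:
        if now >= self.await_deadline:                  # life cycle reached: stop resending
            return None
        self.times, self.sent_at = self.times + 1, now
        self.wire.append(self.awaiting)
        return self.awaiting

    def tick(self, now: float) -> Optional[Msg]:
        """Timer check (steps 402/404): resend once the preset time has elapsed."""
        if self.awaiting is None or now - self.sent_at < preset_time(self.times):
            return None
        return self._resend_awaiting(now)

    def receive(self, msg: Msg, now: float) -> Optional[Msg]:
        """Process an incoming message; returns whatever is sent back, if anything."""
        a, ls = self.awaiting, self.last_sent
        if a is not None and msg.phase == a.phase and msg.number == a.number + 1:
            self.sa_established, self.awaiting = True, None   # step 403: response arrived
            return None
        if a is not None and self.aggressive and msg.phase > a.phase:
            return self._resend_awaiting(now)           # FIG. 6/8: next phase began before our reply
        if ls is not None and now < self.last_deadline and (msg.phase, msg.number) == (ls.phase, ls.number - 1):
            return self.send(ls, now)                   # peer repeated the message our saved reply answers
        return None

def simulate_main_mode_loss() -> dict:
    """Main mode: (6) is lost once; initiator resends (5) after 5 s, responder replays the saved (6)."""
    init, resp = Party(), Party()
    m5, m6 = Msg(1, 5, final=False), Msg(1, 6, final=True)
    init.send(m5, now=0.0)
    resp.receive(m5, now=0.0)
    resp.send(m6, now=0.0)                      # saved with MSG_LAST, then lost on the wire
    resent = init.tick(now=5.0)                 # preset_time(0) = 5 s elapsed
    replay = resp.receive(resent, now=5.0)      # duplicate (5): replay (6) without re-saving
    init.receive(replay, now=5.0)
    return {"resent": resent, "replay": replay, "sa": init.sa_established, "responder_sends": len(resp.wire)}

def simulate_lifetime_expiry() -> List[int]:
    """Initiator never hears (6): returns the seconds at which (5) was retransmitted."""
    init = Party()
    init.send(Msg(1, 5, final=False), now=0.0)
    return [t for t in range(80) if init.tick(now=float(t)) is not None]

def simulate_aggressive_next_phase() -> dict:
    """Aggressive mode: (3) is lost; the first phase-2 message triggers a resend of (2)."""
    resp = Party(aggressive=True)
    m2 = Msg(1, 2, final=False)
    resp.send(m2, now=0.0)
    resent = resp.receive(Msg(2, 1, final=False), now=1.0)
    return {"resent": resent, "times": resp.times, "sa": resp.sa_established}

if __name__ == "__main__":
    print(simulate_main_mode_loss(), simulate_lifetime_expiry(), simulate_aggressive_next_phase(), sep="\n")
```

Two details are worth checking against the text. In the lost-(6) scenario the responder's wire log holds message (6) twice but last_sent was written only once, which is the step 902 to 904 distinction: the second send finds last_sent && (flags & MSG_LAST) true and retransmits the saved copy. In the never-answered scenario the preset time grows 5, 7, 9, 11, 13 s, so retransmissions land at 5, 12, 21, 32 and 45 s, and the sixth attempt, due at 60 s, is suppressed because the first-phase life cycle of 60 s has been reached.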

Abstract

The embodiment of the invention discloses a method and device for Internet Key Exchange (IKE) message negotiation. The method includes: transmitting the last negotiation message to be transmitted; determining whether a response message has been received from the opposite end; if the response message has been received, establishing a security association (SA); if not, retransmitting the last negotiation message. According to the embodiment of the invention, the quality of the phase 1 and phase 2 IKE negotiation can be improved.

Description

Method and device for negotiating IKE messages
This application claims priority to Chinese Patent Application No. 201010592414.X, filed with the Chinese Patent Office on December 16, 2010 and entitled "Method and device for negotiating IKE messages", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications technologies, and in particular to a method and device for negotiating IKE messages.
Background
Before IPsec (IP Security, the IP communication security protocol) sends a packet, an SA (Security Association) must first be established. IKE (Internet Key Exchange) is a hybrid protocol used to establish SAs dynamically. IKE is a key exchange and management protocol that provides keying services for IPsec; it is built on a framework defined by SA and ISAKMP (Internet Security Association and Key Management Protocol). At the same time, IKE implements part of the functionality of two key-management technologies, Oakley and SKEME. IKE retains the ISAKMP foundation, the Oakley modes, and the SKEME sharing and key-update techniques, and from these defines how authenticated keying material is generated and how sharing policies are negotiated. Oakley defines the modes; ISAKMP defines the negotiation phases.
IKE negotiation has two phases. In the first phase, IKE negotiation creates an IKE SA and authenticates it, so that the IKE SA provides confidentiality, data integrity, and data-origin authentication services for further IKE communication between the two parties. In the second phase, the established IKE SA is used to negotiate and create an IPsec SA. The negotiation of each phase can be implemented in different modes: for example, the first phase can be negotiated in main mode or aggressive mode, and the second phase in quick mode.
Refer to FIG. 1, a schematic diagram of the first-phase negotiation in main mode. The negotiation is as shown in FIG. 1. The first four negotiation messages are exchanged in plaintext, and the last two are exchanged encrypted. Besides main mode, the first phase can also be negotiated in aggressive mode. Refer to FIG. 2, a schematic diagram of the first-phase negotiation in aggressive mode. As shown in FIG. 2, the negotiation initiator and the negotiation responder complete the first phase by exchanging three negotiation messages. After the first phase completes, the second phase begins. Refer to FIG. 3, a schematic diagram of the second-phase negotiation in quick mode. As shown in FIG. 3, the negotiation initiator and the negotiation responder complete the second phase by exchanging three negotiation messages.
However, the inventors found in their research that, during each negotiation process, network instability such as a failure or congestion makes the last negotiation message of the process easy to lose in transit, so that one of the two negotiating parties completes the negotiation while the other does not. In the first phase, when one of the two parties fails the negotiation, the VPN (Virtual Private Network) is unavailable until the IKE timeout ages out. In the second phase, when the negotiation responder fails the negotiation, it discards every message it receives from the negotiation initiator because it cannot decrypt them. At the same time, because the negotiation initiator keeps sending packets to the responder's invalid SA (Security Association), bandwidth is wasted and those packets fall into a black hole.
SUMMARY OF THE INVENTION
To solve the above technical problem, embodiments of the present invention provide an IKE message negotiation method and device that ensure the first-phase and second-phase negotiations succeed, improving the quality of IKE negotiation. The embodiments disclose the following technical solution:
An IKE message negotiation method, comprising: sending the last negotiation message that the party itself needs to send; determining whether a peer response message is received; and, when the peer response message is received, establishing a security association (SA), otherwise resending the last negotiation message.
A device for implementing IKE message negotiation, comprising: a sending unit, configured to send the last negotiation message that the device itself needs to send; a determining unit, configured to determine whether a peer response message is received; a negotiating unit, configured to establish a security association (SA) when the peer response message is received; and a retransmission unit, configured to resend the last negotiation message when the peer response message is not received.
As can be seen from the above embodiments, after sending the last negotiation message it needs to send, a party determines whether a peer response message is received. If it is, the negotiation has succeeded and the security association is established; if not, the negotiation has not succeeded and the last negotiation message is resent. This improves the quality of IKE negotiation and, when one party has succeeded while the other has failed, prevents the successful party from wasting bandwidth by sending encrypted packets to the failed party, where they would fall into a black hole.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of the first-phase negotiation implemented in main mode;
Figure 2 is a schematic diagram of the first-phase negotiation implemented in aggressive mode;
Figure 3 is a schematic diagram of the second-phase negotiation implemented in quick mode;
Figure 4 is a flowchart of one embodiment of an IKE message negotiation method;
Figure 5 is a flowchart of another embodiment of an IKE message negotiation method;
Figure 6 is a flowchart of another embodiment of an IKE message negotiation method;
Figure 7 is a schematic diagram of the first-phase IKE message negotiation in aggressive mode under a network failure;
Figure 8 is a flowchart of another embodiment of an IKE message negotiation method;
Figure 9 is a flowchart of a method for sending the last negotiation message of a negotiation process;
Figure 10 is a structural diagram of one embodiment of a device for implementing IKE message negotiation.
DETAILED DESCRIPTION
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
Embodiment 1
Refer to Figure 4, a flowchart of one embodiment of the IKE message negotiation method of this application. It comprises the following steps:
Step 401: send the last negotiation message that the party itself needs to send;
Step 402: determine whether a peer response message is received; if yes, go to step 403, otherwise go to step 404;
Here, determining whether the peer response message is received specifically means: determining whether the peer response message is received within a preset time; if yes, it is determined that the peer response message is received, otherwise it is determined that it is not received. Or, in aggressive mode, determining whether the first negotiation message of the next phase arrives before the peer response message; if yes, it is determined that the peer response message is not received, otherwise it is determined that it is received.
Or,
in aggressive mode, determining whether the preset time expires, or the first negotiation message of the next phase arrives, before the peer response message; if either does, it is determined that the peer response message is not received, otherwise it is determined that it is received.
The preset time may be times × 2 + 5 s, where times is the number of times the last negotiation message has already been retransmitted.
It should be noted that the embodiments of this application do not limit the preset time; besides the value above, it can be set freely according to the user's application requirements.
Step 403: when the peer response message is received, establish the security association (SA);
Step 404: when the peer response message is not received, resend the last negotiation message.
Here, resending the last negotiation message specifically means: retrieving the stored last negotiation message and sending the retrieved copy;
or,
in main mode, re-initiating the negotiation process and sending the last negotiation message within the re-initiated negotiation.
In the embodiments of this application, a lifetime may also be set for a message. Once a message's lifetime has expired, the executing entity no longer sends it. For example, in main mode, once the lifetime of main mode message (6) has expired, the negotiation responder will not send message (6) to the negotiation initiator again even if it receives main mode message (5) again.
The message lifetime may be 60 s in the first phase and 50 s in the second phase. It should be noted that the embodiments of this application do not limit the lifetime; besides the values above, it can be set freely according to the user's application requirements.
As can be seen from the above embodiment, after sending the last negotiation message it needs to send, a party determines whether a peer response message is received. If it is, the negotiation has succeeded and the security association is established; if not, the negotiation has not succeeded and the last negotiation message is resent. This improves the quality of IKE negotiation and, when one party has succeeded while the other has failed, prevents the successful party from wasting bandwidth by sending encrypted packets to the failed party, where they would fall into a black hole.
Embodiment 2
In this embodiment, the negotiation method is described by taking as an example the determination of whether the peer response message is received within a preset time. Refer to Figure 5, a flowchart of another embodiment of the IKE message negotiation method of this application. It comprises the following steps:
Step 501: when a negotiating party does not receive the negotiation response message from the negotiation peer within the preset time after sending the last negotiation message it needs to send, it resends that last negotiation message to the peer;
For example, in the first phase, when the first phase is implemented in main mode, the negotiation initiator sends the negotiation responder the last negotiation message it should send, namely main mode message (5), and the negotiation responder then sends the initiator a reply, namely main mode message (6). When the first phase is implemented in aggressive mode, the negotiation responder sends the negotiation initiator the last negotiation message it should send, namely aggressive mode message (2), and the negotiation initiator then replies with aggressive mode message (3).
In the second phase, when the second phase is implemented in quick mode, the negotiation responder sends the negotiation initiator the last negotiation message it should send, namely quick mode message (2), and the negotiation initiator then replies with quick mode message (3).
When the first phase is implemented in main mode, if the negotiation initiator does not receive main mode message (6) within the preset time after sending main mode message (5), it resends main mode message (5) to the negotiation responder.
When the first phase is implemented in aggressive mode, if the negotiation responder does not receive aggressive mode message (3) within the preset time after sending aggressive mode message (2), it resends aggressive mode message (2) to the negotiation initiator.
When the second phase is implemented in quick mode, if the negotiation responder does not receive quick mode message (3) within the preset time after sending quick mode message (2), it resends quick mode message (2) to the negotiation initiator.
The preset time may be times × 2 + 5 s, where times is the number of times the last negotiation message has already been retransmitted.
It should be noted that the embodiments of this application do not limit the preset time; besides the value above, it can be set freely according to the user's application requirements.
In addition, in the embodiments of this application, once a message's lifetime has expired, the executing entity no longer sends it. For example, in main mode, once the lifetime of main mode message (6) has expired, the negotiation responder will not send message (6) to the negotiation initiator again even if it receives main mode message (5) again. The message lifetime may be 60 s in the first phase and 50 s in the second phase. It should be noted that the embodiments of this application do not limit the lifetime; besides the values above, it can be set freely according to the user's application requirements.
It should also be noted that in main mode, when the negotiation initiator has not received the negotiation response message from the negotiation responder within the preset time, it may, instead of resending the last negotiation message it needs to send, re-initiate the negotiation and send that last negotiation message to the responder again within the re-initiated negotiation process.
Step 502: when a negotiating party receives the negotiation response message from the negotiation peer within the preset time after sending the last negotiation message it needs to send, it establishes the security association.
As can be seen from the above embodiment, after sending the last negotiation message it needs to send, a party determines whether the peer response message is received within the preset time. If it is, the negotiation has succeeded and the security association is established; if it is not received within the preset time, the negotiation has not succeeded and the last negotiation message is resent. This improves the quality of IKE negotiation and, when one party has succeeded while the other has failed, prevents the successful party from wasting bandwidth by sending encrypted packets to the failed party, where they would fall into a black hole.
Embodiment 3
This embodiment provides another IKE message negotiation method, which applies only to aggressive mode. Refer to Figure 6, a flowchart of another embodiment of an IKE message negotiation method. The method comprises the following steps:
Step 601: in aggressive mode, after the negotiation responder has sent the last negotiation message it needs to send, if it receives the first negotiation message of the second phase before it receives the negotiation response message from the negotiation initiator, it resends the last negotiation message it needs to send;
For example, refer to Figure 7, a schematic diagram of the first-phase IKE message negotiation in aggressive mode under a network failure. As shown in Figure 7, the negotiation initiator has already completed the first-phase negotiation and entered the second phase, so it proceeds to send the first negotiation message of the second phase to the negotiation responder. At that point the negotiation responder has still not received the last negotiation message of the first phase; from its point of view the first phase has not been established, so it resends the last negotiation message it needs to send to the negotiation initiator.
Step 602: after the negotiation responder has sent the last negotiation message it needs to send, if it receives the negotiation response message from the negotiation initiator before it receives the first negotiation message of the second phase, it establishes the security association.
It should also be noted that in the embodiments of this application, once a message's lifetime has expired, the executing entity no longer sends it. For example, in aggressive mode, once the lifetime of aggressive mode message (3) has expired, the negotiation initiator will not send message (3) to the negotiation responder again even if it receives aggressive mode message (2) again. The message lifetime may be 60 s in the first phase and 50 s in the second phase. It should be noted that the embodiments of this application do not limit the lifetime; besides the values above, it can be set freely according to the user's application requirements.
As can be seen from the above embodiment, after sending the last negotiation message it needs to send, the negotiation responder determines whether the first negotiation message of the second phase arrives before the negotiation response message from the negotiation initiator. If it does, the negotiation has not succeeded and the last negotiation message is resent; if the negotiation response message arrives first, the negotiation has succeeded and the security association is established. This improves the quality of IKE negotiation and, when one party has succeeded while the other has failed, prevents the successful party from wasting bandwidth by sending encrypted packets to the failed party, where they would fall into a black hole.
Embodiment 4
This embodiment provides another IKE message negotiation method, which applies only to aggressive mode. For the negotiation responder: if the preset time expires before the peer response message is received, the responder resends the last negotiation message it needs to send to the negotiation initiator once the preset time has expired; if the first negotiation message of the second phase arrives before the peer response message is received, the responder resends the last negotiation message it needs to send to the negotiation initiator upon receiving that second-phase message. Refer to Figure 8, a flowchart of another embodiment of the IKE message negotiation method of this application. The method comprises the following steps:
Step 801: in aggressive mode, after the negotiation responder has sent the last negotiation message it needs to send, if the preset time expires, or the first negotiation message of the next phase arrives, before the peer response message is received, it resends the last negotiation message it needs to send;
Step 802: after the negotiation responder has sent the last negotiation message it needs to send, if it receives the negotiation response message from the negotiation initiator before the preset time expires and before the first negotiation message of the next phase arrives, it establishes the security association.
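The following simulation is an added example (not code from the patent or its applicant) that exercises the behaviour of Embodiments 1 to 4 on the party waiting for the peer's response: the preset time of times × 2 + 5 s, the 60 s/50 s lifetime after which the message is no longer sent, and the aggressive-mode trigger in which the first message of the next phase arrives before the response. The class and function names, the event-driven driver, the constructed timings, and two details the text leaves open (the lifetime is counted from the first transmission, and a next-phase-triggered resend restarts the preset timer) are assumptions made for this example.

```python
"""Simulation of last-message retransmission (Embodiments 1 to 4)."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Lifetimes quoted in the text: 60 s in phase 1, 50 s in phase 2.
PHASE1_LIFETIME = 60.0
PHASE2_LIFETIME = 50.0


def preset_time(times: int) -> float:
    """Wait before the next retransmission: times x 2 + 5 s, where times is the
    number of retransmissions of the last negotiation message so far."""
    return times * 2 + 5.0


@dataclass
class LastMessageSender:
    """A party that has just sent the last message it needs to send (main mode
    (5) as initiator, aggressive mode (2) or quick mode (2) as responder) and
    is waiting for the peer's response message."""
    lifetime: float
    aggressive_responder: bool = False  # Embodiments 3/4: next-phase trigger
    first_sent: float = 0.0
    state: str = "WAIT_RESPONSE"
    times: int = 0                      # retransmissions so far
    deadline: float = field(init=False)
    sends: List[float] = field(default_factory=list)  # times the message went out

    def __post_init__(self) -> None:
        self.sends.append(self.first_sent)
        self.deadline = self.first_sent + preset_time(self.times)

    def _resend(self, now: float) -> None:
        # Assumption: the lifetime counts from the first transmission; once it
        # is reached the message is never sent again (60 s / 50 s in the text).
        if now - self.first_sent >= self.lifetime:
            self.state = "TIMED_OUT"
            return
        self.times += 1
        self.sends.append(now)
        self.deadline = now + preset_time(self.times)

    def on_tick(self, now: float) -> None:
        """Preset time expired without a response (Embodiment 2)."""
        if self.state == "WAIT_RESPONSE" and now >= self.deadline:
            self._resend(now)

    def on_peer_response(self, now: float) -> None:
        """Main mode (6), aggressive mode (3) or quick mode (3) arrived."""
        if self.state == "WAIT_RESPONSE":
            self.state = "SA_ESTABLISHED"

    def on_next_phase_message(self, now: float) -> None:
        """Phase-2 message (1) arrived before aggressive mode (3): the initiator
        finished phase 1 but we did not, so resend at once (Embodiment 3)."""
        if self.state == "WAIT_RESPONSE" and self.aggressive_responder:
            self._resend(now)


def run(sender: LastMessageSender, events: List[Tuple[float, str]],
        end_time: float, tick: float = 0.5) -> Tuple[str, List[float]]:
    """Drive the sender with a constructed list of (time, event) pairs."""
    pending = sorted(events)
    now = sender.first_sent
    while now <= end_time and sender.state == "WAIT_RESPONSE":
        while pending and pending[0][0] <= now:
            _, kind = pending.pop(0)
            if kind == "response":
                sender.on_peer_response(now)
            elif kind == "next_phase":
                sender.on_next_phase_message(now)
        sender.on_tick(now)
        now += tick
    return sender.state, sender.sends


def scenario_late_response() -> Tuple[str, List[float]]:
    """Main mode (5) sent at t=0, (6) lost once, the retransmission is answered."""
    return run(LastMessageSender(PHASE1_LIFETIME), [(6.0, "response")], 70.0)


def scenario_no_response() -> Tuple[str, List[float]]:
    """Peer never answers: retransmit at 5, 12, 21, 32, 45 s, then stop at 60 s."""
    return run(LastMessageSender(PHASE1_LIFETIME), [], 70.0)


def scenario_aggressive_next_phase() -> Tuple[str, List[float]]:
    """Aggressive-mode responder sees quick mode (1) before aggressive mode (3)."""
    sender = LastMessageSender(PHASE1_LIFETIME, aggressive_responder=True)
    return run(sender, [(1.0, "next_phase"), (1.5, "response")], 70.0)


if __name__ == "__main__":
    for scenario in (scenario_late_response, scenario_no_response,
                     scenario_aggressive_next_phase):
        print(scenario.__name__, *scenario())
```

With the text's values the back-off is 5, 7, 9, 11, 13 and 15 s, so a phase-1 message goes out six times in total before the 60 s lifetime stops further retransmission; the next-phase trigger in the third scenario makes the responder resend after 1 s instead of waiting out the 5 s preset time.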
It should also be noted that in the embodiments of this application, once a message's lifetime has expired, the executing entity no longer sends it. For example, in aggressive mode, once the lifetime of aggressive mode message (3) has expired, the negotiation initiator will not send message (3) to the negotiation responder again even if it receives aggressive mode message (2) again.
The message lifetime may be 60 s in the first phase and 50 s in the second phase. It should be noted that the embodiments of this application do not limit the lifetime; besides the values above, it can be set freely according to the user's application requirements.
As can be seen from the above embodiment, after sending the last negotiation message it needs to send, the negotiation responder checks whether the preset time expires, or the first negotiation message of the next phase arrives, before the negotiation response message from the negotiation initiator. If either happens first, the negotiation has not succeeded and the last negotiation message is resent; if the negotiation response message arrives before both, the negotiation has succeeded and the security association is established. This improves the quality of IKE negotiation and, when one party has succeeded while the other has failed, prevents the successful party from wasting bandwidth by sending encrypted packets to the failed party, where they would fall into a black hole.
Embodiment 5
The following describes in detail, for the different modes of the two IKE phases, how the negotiating party that sends the final negotiation message of the negotiation process (the negotiation responder in main mode, the negotiation initiator in aggressive mode and in quick mode) does so. Refer to Figure 9, a flowchart of a method for sending the last negotiation message of a negotiation process; the steps are as follows:
Step 901: determine, based on a logical condition over the variables initiator, step and status defined below, whether the negotiation message about to be sent is the last negotiation message of the negotiation process; if the condition is true, go to step 902; if it is false, end the procedure;
Here initiator identifies the sender of the negotiation message about to be sent: 1 if the sender is the negotiation initiator, 0 if it is the negotiation responder. step is the negotiation step, counted from 0, so step 0 denotes negotiation step 1 and so on. status is the sequence number of the negotiation message about to be sent, counted from 1, so status 1 denotes message (1); for the last negotiation message of the negotiation process, status is ready.
It is easy to see from this condition that if the negotiation message about to be sent is the last negotiation message of the negotiation process, the condition is true.
Step 902: determine, according to the logical condition (last_sent && (flags & MSG_LAST)), whether the last negotiation message to be sent has already been saved; if the condition is false, go to step 903; if it is true, go to step 904;
Step 903: set the type flags of the last negotiation message to be sent to MSG_LAST, record the message in the variable last_sent, send the last negotiation message, and end the procedure;
Step 904: send the last negotiation message and end the procedure.
Here, (1) in main mode, initiator is 0 and the negotiation responder determines, according to the logical condition (last_sent && (flags & MSG_LAST)), whether the message has to be saved. If the condition is false, this is the first transmission of the last negotiation message: flags is set to MSG_LAST, the main mode message (6) being sent for the first time is recorded in the variable last_sent, and the message is sent. If the condition is true, the last negotiation message is being sent again; it was already saved on its first transmission, so it need not be saved again and is simply retransmitted.
(2) In aggressive mode, initiator is 1 and the negotiation initiator determines, according to the logical condition (last_sent && (flags & MSG_LAST)), whether the message has to be saved. If the condition is false, this is the first transmission of the last negotiation message: flags is set to MSG_LAST, the aggressive mode message (3) being sent for the first time is recorded in the variable last_sent, and the message is sent. If the condition is true, the last negotiation message is being sent again; it was already saved on its first transmission, so it need not be saved again and is simply retransmitted.
(3) In quick mode, initiator is likewise 1 and the negotiation initiator determines, according to the logical condition (last_sent && (flags & MSG_LAST)), whether the message has to be saved. If the condition is false, this is the first transmission of the last message: flags is set to MSG_LAST, the quick mode message (3) being sent for the first time is recorded in the variable last_sent, and the message is sent. If the condition is true, the last negotiation message is already being sent again; it was saved on its first transmission, so it need not be saved again and is simply retransmitted.
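The following is an added example (not code from the patent or its applicant) of the last_sent / MSG_LAST bookkeeping of steps 902 to 904 on the party that sends the final message of an exchange, combined with the lifetime rule stated earlier: a peer's retransmission of its own last message (main mode (5)) is answered from the stored copy, and not at all once the stored message's lifetime has expired. The class and function names, the numeric value of MSG_LAST, the constructed payload and timeline, and the assumption that the lifetime is counted from the first transmission are all mine, not the patent's.

```python
"""last_sent / MSG_LAST bookkeeping for the final message of an exchange."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MSG_LAST = 0x01   # flag bit named in the text; the numeric value is assumed


@dataclass
class FinalMessageSender:
    """Main mode responder (message (6)) or aggressive/quick mode initiator
    (message (3)): the party whose message closes the exchange."""
    lifetime: float                 # 60 s in phase 1, 50 s in phase 2
    flags: int = 0
    last_sent: Optional[bytes] = None
    last_sent_at: float = 0.0
    wire: List[Tuple[float, bytes]] = field(default_factory=list)  # what went out

    def send_last_message(self, build: Callable[[], bytes], now: float) -> bool:
        """Steps 902 to 904. 'build' constructs the message; it runs only on the
        first transmission, after which the stored copy is reused unchanged."""
        if self.last_sent is not None and (self.flags & MSG_LAST):
            return self.retransmit_last(now)          # step 904: already saved
        self.flags |= MSG_LAST                        # step 903: first send
        self.last_sent = build()
        self.last_sent_at = now
        self.wire.append((now, self.last_sent))
        return True

    def retransmit_last(self, now: float) -> bool:
        """Resend the stored message unless its lifetime has expired
        (assumption: the lifetime is counted from the first transmission)."""
        if self.last_sent is None or now - self.last_sent_at >= self.lifetime:
            return False
        self.wire.append((now, self.last_sent))
        return True

    def on_peer_retransmission(self, now: float) -> bool:
        """The peer sent its last message again (e.g. main mode (5)) because our
        reply was lost: answer from the cache, or stay silent if expired."""
        return self.retransmit_last(now)


def main_mode_responder_scenario() -> dict:
    """Constructed timeline: (6) sent at t=0 and lost; (5) arrives again at
    t=5 and at t=61, the latter after the 60 s phase-1 lifetime."""
    builds = 0

    def build_message_6() -> bytes:
        nonlocal builds
        builds += 1
        return b"MM(6):" + bytes(range(8))      # constructed placeholder payload

    responder = FinalMessageSender(lifetime=60.0)
    answered = [
        responder.send_last_message(build_message_6, now=0.0),
        responder.on_peer_retransmission(now=5.0),
        responder.on_peer_retransmission(now=61.0),
    ]
    return {
        "answered": answered,
        "builds": builds,
        "wire": responder.wire,
        "flags_last": bool(responder.flags & MSG_LAST),
    }


if __name__ == "__main__":
    print(main_mode_responder_scenario())
```

The point of the cache is that the retransmitted message (6) is byte-for-byte the copy sent the first time: the builder is invoked once, and the second (5) at t=61 is left unanswered because message (6) has passed its lifetime.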
As can be seen from the above embodiment, after sending the last negotiation message it needs to send, a party determines whether a peer response message is received. If it is, the negotiation has succeeded and the security association is established; if not, the negotiation has not succeeded and the last negotiation message is resent. This improves the quality of IKE negotiation and, when one party has succeeded while the other has failed, prevents the successful party from wasting bandwidth by sending encrypted packets to the failed party, where they would fall into a black hole.
Embodiment 6
Corresponding to the above method for retransmitting negotiation messages, an embodiment of the present invention further provides a system for retransmitting negotiation messages. Referring to FIG. 10, which is a structural diagram of an embodiment of a device for implementing IKE message negotiation according to the present application, the device includes a sending unit 1001, a judging unit 1002, a negotiating unit 1003 and a resending unit 1004, where:
the sending unit 1001 is configured to send the last negotiation message that the device itself needs to send;
the judging unit 1002 is configured to judge whether a peer response message is received;
the negotiating unit 1003 is configured to establish a security association SA when the peer response message is received; and the resending unit 1004 is configured to resend the last negotiation message when the peer response message is not received.
The judging unit 1002 includes: a first judging subunit, configured to judge whether a peer response message is received within a preset time, and if so, determine that the peer response message is received; otherwise, determine that the peer response message is not received;
or,
a second judging subunit, configured to judge, in aggressive mode, whether the first negotiation message of the next phase arrives before the peer response message, and if so, determine that the peer response message is not received; otherwise, determine that the peer response message is received;
or,
a third judging subunit, configured to judge, in aggressive mode, whether the preset time expires or the first negotiation message of the next phase arrives before the peer response message, and if so, determine that the peer response message is not received; otherwise, determine that the peer response message is received.
The resending unit 1004 includes: a first resending subunit, configured to retrieve the last negotiation message and send the retrieved last negotiation message;
or,
a second resending subunit, configured to re-initiate the negotiation process in main mode and send the last negotiation message in the re-initiated negotiation process.
It can be seen from the above embodiment that, after sending the last negotiation message it needs to send, a party judges whether a peer response message is received; if a peer response message is received, the negotiation has succeeded and a security association is established; if no peer response message is received, the negotiation has not succeeded and the last negotiation message is resent. This improves the quality of IKE negotiation. At the same time, it prevents the situation where one side's negotiation succeeds while the other's fails and the side whose negotiation succeeded sends encrypted messages to the side whose negotiation failed, wasting bandwidth because those messages fall into a black hole.
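The save-on-first-send bookkeeping (last_sent / MSG_LAST), the three judging rules and the two resending options, as an added Python model that is not the patent's own code; the state dict, the event tuples and the simulate() helper are assumptions of this example, and the timeout times × 2 + 5 s is the value given in claim 6.

```python
# Added example, not the patent's own code: a Python model of the retransmission
# logic for the last IKE negotiation message. The state dict, the event tuples
# and simulate() are assumptions; the timeout times * 2 + 5 s comes from claim 6.

MSG_LAST = 0x01  # flag bit: the last negotiation message has been sent once

def preset_time(times):
    """Seconds to wait for the peer response; times = retransmissions so far."""
    return times * 2 + 5

def send_last_message(state, msg):
    """Bookkeeping from the (last_sent && (flags & MSG_LAST)) test: on the first
    send set MSG_LAST and save msg in last_sent; on a repeat send reuse the
    saved copy unchanged (msg is ignored)."""
    if not (state["last_sent"] is not None and state["flags"] & MSG_LAST):
        state["flags"] |= MSG_LAST
        state["last_sent"] = msg
    return state["last_sent"]

def response_received(mode, events, times):
    """Judge whether the peer response counts as received.
    events: constructed (arrival_seconds, kind) pairs, kind "response" or
    "next_phase_first". A response after the preset time is treated as lost
    (first judging subunit); in aggressive mode the next phase's first message
    arriving before the response is also treated as lost (second/third)."""
    deadline = preset_time(times)
    for arrival, kind in sorted(events):
        if arrival > deadline:
            break
        if kind == "next_phase_first" and mode == "aggressive":
            return False
        if kind == "response":
            return True
    return False

def simulate(mode, rounds, msg="LAST(3)"):
    """rounds: one constructed event list per wait period.
    Returns (actions taken, messages put on the wire)."""
    state = {"flags": 0, "last_sent": None, "times": 0}
    wire = [send_last_message(state, msg)]
    actions = []
    for events in rounds:
        if response_received(mode, events, state["times"]):
            actions.append("establish_sa")
            return actions, wire
        state["times"] += 1
        if mode == "main":
            # main mode: re-initiate the negotiation; the saved copy is dropped
            state["flags"], state["last_sent"] = 0, None
            actions.append("reinitiate")
        else:
            # aggressive/quick mode: retransmit the saved copy directly
            actions.append("retransmit_saved")
        wire.append(send_last_message(state, msg))
    return actions, wire
```

Each retransmission lengthens the next wait by 2 s, so a response that arrives at 6 s is lost in the first round (deadline 5 s) but accepted in the second (deadline 7 s).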
The method and system for retransmitting negotiation messages in the present application are applicable to establishing IPsec tunnels between hosts, between a host and a gateway, and between gateways. An IPsec tunnel is established across the public network to encrypt the traffic. Firewalls A and B can act as the negotiation initiator and negotiation responder of the negotiation process. In addition, the method and system for retransmitting negotiation messages in the present application are also applicable to personnel travelling on business; in that case the firewall can be configured as a template and client software is installed on the PCs connected to the public network. When data at the headquarters needs to be accessed, each PC separately establishes its own tunnel to protect the data it transmits over the public network.
It should be noted that a person of ordinary skill in the art can understand that all or part of the procedures of the methods in the above embodiments can be implemented by a computer program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
A person of ordinary skill in the art can understand that all or part of the steps of the various methods in the above embodiments can be implemented by a program instructing related hardware; the program may be stored in a computer-readable storage medium, and the storage medium may include a read-only memory, a random access memory, a magnetic disk, an optical disc, or the like.
The cloud system distributed denial-of-service attack protection method and […] provided by the embodiments of the present invention have been described above; the description of the above embodiments is only intended to help understand the method and core idea of the present invention. Meanwhile, a person of ordinary skill in the art may, in accordance with the idea of the present invention, make changes in the specific implementation and scope of application. In summary, the content of this specification should not be understood as limiting the present invention.

Claims

1. A method for negotiating IKE messages, characterized in that it comprises:
sending the last negotiation message that needs to be sent by the party itself;
judging whether a peer response message is received;
when the peer response message is received, establishing a security association SA; otherwise, resending the last negotiation message.
2. The method according to claim 1, characterized in that the judging whether a peer response message is received is specifically:
judging whether a peer response message is received within a preset time, and if so, determining that the peer response message is received; otherwise, determining that the peer response message is not received.
3. The method according to claim 1, characterized in that the judging whether a peer response message is received is specifically:
in aggressive mode, judging whether the first negotiation message of the next phase arrives before the peer response message, and if so, determining that the peer response message is not received; otherwise, determining that the peer response message is received.
4. The method according to claim 1, characterized in that the judging whether a peer response message is received is specifically:
in aggressive mode, judging whether a message is received within the preset time, or judging whether the first negotiation message of the next phase arrives before the peer response message,
and if so, determining that the peer response message is not received; otherwise, determining that the peer response message is received.
5. The method according to any one of claims 1 to 4, characterized in that the resending the last negotiation message is specifically:
retrieving the last negotiation message and sending the retrieved last negotiation message; or,
in main mode, re-initiating the negotiation process and sending the last negotiation message in the re-initiated negotiation process.
6. The method according to claim 2, characterized in that the preset time is times × 2 + 5 s, where times is the number of times the last negotiation message has been retransmitted.
7. A device for implementing IKE message negotiation, characterized in that it comprises:
a sending unit, configured to send the last negotiation message that needs to be sent by the device itself;
a judging unit, configured to judge whether a peer response message is received;
a negotiating unit, configured to establish a security association SA when the peer response message is received;
a resending unit, configured to resend the last negotiation message when the peer response message is not received.
8. The device according to claim 7, characterized in that the judging unit comprises: a first judging subunit, configured to judge whether a peer response message is received within a preset time, and if so, determine that the peer response message is received; otherwise, determine that the peer response message is not received.
9. The device according to claim 7, characterized in that the judging unit comprises: a second judging subunit, configured to judge, in aggressive mode, whether the first negotiation message of the next phase arrives before the peer response message, and if so, determine that the peer response message is not received; otherwise, determine that the peer response message is received.
10. The device according to any one of claims 7 to 9, characterized in that the resending unit comprises: a first resending subunit, configured to retrieve the last negotiation message and send the retrieved last negotiation message;
or,
a second resending subunit, configured to re-initiate the negotiation process in main mode and send the last negotiation message in the re-initiated negotiation process.
PCT/CN2011/083230 2010-12-16 2011-11-30 Method and device for internet key exchange (ike) message negotiation WO2012079462A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010592414.X 2010-12-16
CN201010592414XA CN102025742A (en) 2010-12-16 2010-12-16 Negotiation method and device of internet key exchange (IKE) message

Publications (1)

Publication Number Publication Date
WO2012079462A1 true WO2012079462A1 (en) 2012-06-21

Family

ID=43866596

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/083230 WO2012079462A1 (en) 2010-12-16 2011-11-30 Method and device for internet key exchange (ike) message negotiation

Country Status (2)

Country Link
CN (1) CN102025742A (en)
WO (1) WO2012079462A1 (en)

Also Published As

Publication number Publication date
CN102025742A (en) 2011-04-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11849796

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11849796

Country of ref document: EP

Kind code of ref document: A1