
CN115766290A - Message forwarding method, device and network equipment - Google Patents

Message forwarding method, device and network equipment

Info

Publication number
CN115766290A
CN115766290A
Authority
CN
China
Prior art keywords
message
target
encryption
module
decryption
Prior art date
Legal status
Pending
Application number
CN202211672743.4A
Other languages
Chinese (zh)
Inventor
龚海东
米特特
姚飞
杨八双
成伟
Current Assignee
Suzhou Centec Communications Co Ltd
Original Assignee
Suzhou Centec Communications Co Ltd
Priority date
Filing date
Publication date
Application filed by Suzhou Centec Communications Co Ltd
Priority to CN202211672743.4A
Publication of CN115766290A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of communication and provides a message forwarding method, a message forwarding device and a network device. The device comprises a transceiver module, a parsing module, an encryption/decryption module and a DMA (direct memory access) connected by a bus. The transceiver module identifies each received packet; if the packet is identified as plaintext, it is marked with a to-be-encrypted flag to obtain a to-be-encrypted packet, which is sent through the parsing module to the DMA and stored in the storage module, so that the CPU encapsulates the to-be-encrypted packet to obtain an encapsulated packet, obtains a target encryption index value from the encapsulated packet, and passes the target encryption index value through the DMA to the encryption/decryption module. The encryption/decryption module obtains the target encryption parameters from the target encryption index value, encrypts and authenticates the encapsulated packet to obtain an encrypted packet, and forwards the encrypted packet through the transceiver module. Placing the encryption/decryption module between the transceiver module and the DMA reduces the interaction with the CPU to a single exchange, gives in-path processing, saves resources, and lowers latency through hardware encryption.

Description

Message forwarding method, device and network equipment

Technical field

The present invention relates to the technical field of communication, and specifically to a message forwarding method, device and network equipment.

Background

With the arrival of the big data era, security requirements on the transmission of communication data are rising. At present, communication data is generally encrypted and decrypted purely in software, which introduces considerable latency. Hardware encryption and decryption schemes also exist, but because they require multiple interactions with the CPU they tend to occupy too many resources and place a heavy load on the CPU.

Summary of the invention

In view of this, the object of the present invention is to provide a message forwarding method, device and network equipment.

To achieve the above object, the present invention adopts the following technical solution. In a first aspect, the present invention provides a message forwarding method applied to a message forwarding device of a network device. The device comprises a transceiver module, a parsing module, an encryption/decryption module and a DMA connected by a bus; the DMA is communicatively connected to the CPU and the storage module of the network device, and the CPU is communicatively connected to the storage module. The method comprises:

the transceiver module identifies the received packet and, if the packet is identified as plaintext, marks it with a to-be-encrypted flag to obtain a to-be-encrypted packet and sends it to the parsing module;

the parsing module sends the to-be-encrypted packet to the DMA;

the DMA stores the to-be-encrypted packet in the storage module, so that the CPU fetches it from the storage module, performs an encapsulation operation on it to obtain an encapsulated packet, obtains a target encryption index value from the encapsulated packet, stores the encapsulated packet in the storage module and sends the target encryption index value to the DMA;

the DMA sends the target encryption index value and the encapsulated packet fetched from the storage module to the encryption/decryption module;

the encryption/decryption module obtains target encryption parameters from the target encryption index value, performs an encryption operation and an authentication operation on the encapsulated packet using those parameters to obtain an encrypted packet, and sends the encrypted packet to the transceiver module;

the transceiver module forwards the encrypted packet.

In an optional embodiment, the CPU stores a plaintext feature table and a plaintext index table. The plaintext feature table contains a plurality of plaintext feature values and their corresponding plaintext index values; the plaintext index table contains, for each plaintext index value, the corresponding encryption index value and encapsulation rule.

The CPU performing the encapsulation operation on the to-be-encrypted packet to obtain the encapsulated packet and obtaining the target encryption index value from the encapsulated packet comprises:

extracting the plaintext feature value of the to-be-encrypted packet and looking up, in the plaintext feature table, the initial plaintext index value corresponding to that feature value;

looking up, in the plaintext index table, the target encapsulation rule corresponding to the initial plaintext index value;

encapsulating the to-be-encrypted packet according to the target encapsulation rule to obtain the encapsulated packet;

extracting the plaintext feature value of the encapsulated packet and looking up, in the plaintext feature table, the target plaintext index value corresponding to that feature value;

looking up, in the plaintext index table, the target encryption index value corresponding to the target plaintext index value.

In an optional embodiment, the encryption/decryption module comprises a plurality of encryption storage blocks holding encryption parameters, the address of each encryption storage block corresponding to one encryption index value.

The encryption/decryption module obtaining the target encryption parameters from the target encryption index value comprises:

determining, among all encryption storage blocks, the target encryption storage block whose address corresponds to the target encryption index value;

reading the encryption parameters in the target encryption storage block to obtain the target encryption parameters.

In an optional embodiment, after the transceiver module identifies the received packet, the method further comprises:

if the packet is identified as ciphertext, marking it with a to-be-decrypted flag to obtain a to-be-decrypted packet, extracting the ciphertext feature value of the to-be-decrypted packet, obtaining target decryption index information from that ciphertext feature value, and sending the target decryption index information and the to-be-decrypted packet to the parsing module;

the parsing module parses the target decryption index information to obtain a target decryption index value and sends the target decryption index value and the to-be-decrypted packet to the encryption/decryption module;

the encryption/decryption module obtains target decryption parameters from the target decryption index value, performs an authentication operation and a decryption operation on the to-be-decrypted packet using those parameters to obtain a decrypted packet, and sends the decrypted packet to the DMA;

the DMA stores the decrypted packet in the storage module, so that the CPU fetches it from the storage module, performs an editing operation on it to obtain an edited packet, and stores the edited packet in the storage module;

the DMA sends the edited packet fetched from the storage module to the transceiver module;

the transceiver module forwards the edited packet.

In an optional embodiment, the transceiver module stores a ciphertext feature table containing a plurality of ciphertext feature values and their corresponding ciphertext index values, and the transceiver module comprises a plurality of storage blocks holding decryption index information, the address of each storage block corresponding to one ciphertext index value.

The transceiver module obtaining the target decryption index information from the ciphertext feature value of the to-be-decrypted packet comprises:

looking up, in the ciphertext feature table, the target ciphertext index value corresponding to the ciphertext feature value of the to-be-decrypted packet;

determining, among all storage blocks, the target storage block whose address corresponds to the target ciphertext index value;

reading the decryption index information in the target storage block to obtain the target decryption index information.

In an optional embodiment, the encryption/decryption module comprises a plurality of decryption storage blocks holding decryption parameters, the address of each decryption storage block corresponding to one decryption index value.

The step of the encryption/decryption module obtaining the target decryption parameters from the target decryption index value comprises:

determining, among all decryption storage blocks, the target decryption storage block whose address corresponds to the target decryption index value;

reading the decryption parameters in the target decryption storage block to obtain the target decryption parameters.

In an optional embodiment, the transceiver module identifying the received packet comprises:

identifying the received packet;

if the packet is found to carry a preset plaintext feature, identifying it as plaintext, the plaintext feature comprising the network protocol type, source IP address, destination IP address, source port number and destination port number;

if the packet is found to carry a preset ciphertext feature, identifying it as ciphertext, the ciphertext feature comprising the network protocol type, destination port number and encryption protocol type.
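The encryption path, the indexed parameter blocks, the decryption path and the feature-based recognition described above, as one added example in Go that is not part of the patent or of Centec's implementation. The patent fixes the tables and the index chain but names no cipher, no encapsulation format and no wire layout, so those are assumptions here: AES-GCM stands in for the "encryption and authentication operations", the encapsulation rule is an outer 5-tuple rewrite, the packet carries nonce || ciphertext || tag, and the cleartext outer header is bound into the tag as associated data. The names (Forwarder, EncryptPath, DecryptPath, NewDemoForwarder) and the table contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// plainFeat is the plaintext feature the description lists (protocol, source
// and destination IP, source and destination port); cipherFeat the ciphertext
// feature (protocol, destination port, encryption protocol type).
type plainFeat struct {
	Proto            uint8
	SrcIP, DstIP     [4]byte
	SrcPort, DstPort uint16
}
type cipherFeat struct{ Proto uint8; DstPort uint16; EncProto uint8 }

// Packet is what the transceiver module sees; EncProto is zero on plaintext.
type Packet struct {
	plainFeat
	EncProto uint8
	Payload  []byte
}

// encapRule rewrites a packet to an outer tuple (assumed form; the description
// leaves the encapsulation open). plainEntry is a row of the plaintext index
// table. paramBlock is one crypto-module storage block: a keyed AEAD plus an
// IV counter that must never repeat under that key (AES-GCM is assumed here).
type encapRule struct{ Outer plainFeat; EncProto uint8 }
type plainEntry struct{ Enc uint32; Rule encapRule }
type paramBlock struct{ aead cipher.AEAD; ivCtr uint64 }

type Forwarder struct {
	cipherIdx  map[cipherFeat]uint32  // transceiver: ciphertext feature -> ciphertext index
	decIdxInfo map[uint32]uint32      // transceiver storage blocks: ciphertext index -> decryption index
	plainIdx   map[plainFeat]uint32   // CPU: plaintext feature -> plaintext index
	plainTbl   map[uint32]plainEntry  // CPU: plaintext index -> encryption index + rule
	encBlocks  map[uint32]*paramBlock // crypto module: encryption index -> parameters
	decBlocks  map[uint32]*paramBlock // crypto module: decryption index -> parameters
}

// header travels in the clear but is bound into the tag as associated data,
// so an altered outer tuple fails authentication at the receiver.
func header(p Packet) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, p.plainFeat) // fixed-size struct, cannot fail
	return append(b.Bytes(), p.EncProto)
}

// EncryptPath: the CPU's two-stage lookup (rule from the inner packet, target
// encryption index from the encapsulated packet), then the crypto module seals
// with the indexed block. Packets with no entry are dropped, not passed through.
func (f *Forwarder) EncryptPath(p Packet) (Packet, error) {
	initIdx, ok := f.plainIdx[p.plainFeat]
	if !ok { return Packet{}, errors.New("inner packet has no plaintext index: drop") }
	r := f.plainTbl[initIdx].Rule
	enc := Packet{r.Outer, r.EncProto, nil}
	tgtIdx, ok := f.plainIdx[enc.plainFeat]
	if !ok { return Packet{}, errors.New("encapsulated packet has no plaintext index: drop") }
	blk := f.encBlocks[f.plainTbl[tgtIdx].Enc]
	if blk == nil { return Packet{}, errors.New("no encryption storage block at that index: drop") }
	if blk.ivCtr == ^uint64(0) { return Packet{}, errors.New("IV counter exhausted: rekey") }
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], blk.ivCtr)
	blk.ivCtr++
	// Assumed wire format: nonce || ciphertext || tag, outer header as AAD.
	enc.Payload = append(nonce, blk.aead.Seal(nil, nonce, p.Payload, header(enc))...)
	return enc, nil
}

// DecryptPath resolves the block through the transceiver's tables and
// authenticates before any plaintext is released; a bad tag drops the packet.
func (f *Forwarder) DecryptPath(p Packet) ([]byte, error) {
	ci, ok := f.cipherIdx[cipherFeat{p.Proto, p.DstPort, p.EncProto}]
	if !ok { return nil, errors.New("no ciphertext index: drop") }
	blk := f.decBlocks[f.decIdxInfo[ci]]
	if blk == nil || len(p.Payload) < 12 { return nil, errors.New("no decryption storage block or truncated packet: drop") }
	pt, err := blk.aead.Open(nil, p.Payload[:12], p.Payload[12:], header(p))
	if err != nil { return nil, errors.New("authentication failed: drop") }
	return pt, nil
}

// NewDemoForwarder loads constructed tables: inner flow 10.0.0.1:40000 ->
// 10.0.0.2:443 is rewritten to 192.0.2.1:40000 -> 192.0.2.2:4500 and sealed
// with encryption block 5; decryption block 7 holds the same demo key so the
// round trip can be checked on one box.
func NewDemoForwarder() *Forwarder {
	newBlock := func(key []byte) *paramBlock {
		c, _ := aes.NewCipher(key) // 16-byte demo key, cannot fail
		g, _ := cipher.NewGCM(c)
		return &paramBlock{aead: g}
	}
	key := []byte("0123456789abcdef") // demo key only
	inner := plainFeat{6, [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 40000, 443}
	outer := plainFeat{6, [4]byte{192, 0, 2, 1}, [4]byte{192, 0, 2, 2}, 40000, 4500}
	r := encapRule{outer, 0x32}
	return &Forwarder{
		cipherIdx:  map[cipherFeat]uint32{{6, 4500, 0x32}: 3},
		decIdxInfo: map[uint32]uint32{3: 7},
		plainIdx:   map[plainFeat]uint32{inner: 1, outer: 2},
		plainTbl:   map[uint32]plainEntry{1: {0, r}, 2: {5, r}}, // row 1's Enc is unused: the index comes from row 2
		encBlocks:  map[uint32]*paramBlock{5: newBlock(key)},
		decBlocks:  map[uint32]*paramBlock{7: newBlock(key)},
	}
}
```

Three things a reviewer of such a datapath checks are visible in the code: the target encryption index is taken from the feature of the encapsulated packet rather than the inner one (the patent's two-stage lookup, so row 1's encryption index never matters), the decryption side verifies the tag before any plaintext leaves the crypto module, and a miss in any table is a drop, because forwarding an unmatched packet unchanged would leak plaintext. The per-block IV counter is what bounds a key's lifetime; a real device must rekey before it wraps, and the counter must live with the key in the storage block, not with the CPU, or two CPUs sharing a block could reuse a nonce.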

In a second aspect, the present invention provides a message forwarding device comprising a transceiver module, a parsing module, an encryption/decryption module and a DMA connected by a bus; the DMA is communicatively connected to the CPU and the storage module of a network device, and the CPU is communicatively connected to the storage module;

the transceiver module is configured to identify the received packet and, if the packet is identified as plaintext, mark it with a to-be-encrypted flag to obtain a to-be-encrypted packet and send it to the parsing module;

the parsing module is configured to send the to-be-encrypted packet to the DMA;

the DMA is configured to store the to-be-encrypted packet in the storage module, so that the CPU fetches it from the storage module, obtains a target encryption index value from it and performs an encapsulation operation on it to obtain an encapsulated packet, then stores the encapsulated packet in the storage module and sends the target encryption index value to the DMA;

the DMA is configured to send the target encryption index value and the encapsulated packet fetched from the storage module to the encryption/decryption module;

the encryption/decryption module is configured to obtain target encryption parameters from the target encryption index value, perform an encryption operation and an authentication operation on the encapsulated packet using those parameters to obtain an encrypted packet, and send the encrypted packet to the transceiver module;

the transceiver module is configured to forward the encrypted packet.

In an optional embodiment, the transceiver module is further configured to:

identify the received packet;

if the packet is found to carry a preset plaintext feature, identify it as plaintext, the plaintext feature comprising the network protocol type, source IP address, destination IP address, source port number and destination port number;

if the packet is found to carry a preset ciphertext feature, identify it as ciphertext, the ciphertext feature comprising the network protocol type, destination port number and encryption protocol type.

In a third aspect, the present invention provides a network device comprising a CPU and a storage module that are communicatively connected, and the message forwarding device of any of the preceding embodiments, the CPU and the storage module both being communicatively connected to the DMA of the message forwarding device.

In the message forwarding method, device and network equipment provided by the present invention, the forwarding device comprises a transceiver module, a parsing module, an encryption/decryption module and a DMA connected by a bus; the DMA is communicatively connected to the CPU and the storage module of the network device, and the CPU to the storage module. The transceiver module identifies the received packet and, if it is plaintext, marks it with a to-be-encrypted flag to obtain a to-be-encrypted packet and sends it through the parsing module to the DMA. The DMA stores the to-be-encrypted packet in the storage module so that the CPU fetches it, encapsulates it to obtain an encapsulated packet, obtains the target encryption index value from the encapsulated packet and stores the encapsulated packet back in the storage module, whereupon the DMA sends the target encryption index value and the encapsulated packet to the encryption/decryption module. The encryption/decryption module obtains the target encryption parameters from the target encryption index value, performs the encryption and authentication operations on the encapsulated packet with those parameters to obtain an encrypted packet, and sends the encrypted packet to the transceiver module for forwarding. Connecting the transceiver module, the encryption/decryption module and the DMA over the bus places the encryption/decryption module between the transceiver module and the DMA, and routing the communication between the CPU and the encryption/decryption module through the DMA reduces the number of CPU interactions to one, giving in-path processing and saving CPU resources. Performing the encryption in hardware in the encryption/decryption module at the same time lowers latency and raises processing efficiency.

To make the above objects, features and advantages of the present invention clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.

Description of the drawings

To explain the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and are therefore not to be regarded as limiting its scope; a person of ordinary skill in the art can derive other related drawings from them without inventive effort.

Figure 1 shows an example of a message forwarding method in the prior art;

Figure 2 shows an example of another message forwarding method in the prior art;

Figure 3 shows a schematic block diagram of a network device provided by an embodiment of the present invention;

Figure 4 shows a schematic flowchart of a message forwarding method provided by an embodiment of the present invention;

Figure 5 shows an example of a message forwarding method provided by an embodiment of the present invention;

Figure 6 shows another schematic flowchart of a message forwarding method provided by an embodiment of the present invention;

Figure 7 shows another example of a message forwarding method provided by an embodiment of the present invention.

Reference numerals: 10 - message forwarding device; 20 - CPU; 30 - storage module; 110 - bus; 120 - transceiver module; 130 - parsing module; 150 - encryption/decryption module; 170 - DMA.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some of the embodiments of the present invention, not all of them. The components of the embodiments described and shown in the drawings may generally be arranged and designed in a variety of different configurations.

Accordingly, the following detailed description of the embodiments shown in the drawings is not intended to limit the scope of the claimed invention but merely represents selected embodiments of it. All other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of protection of the present invention.

It should be noted that relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between them. Moreover, the terms "comprise", "include" and their variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that comprises it.

With the arrival of the big data era, security requirements on the transmission of communication data are rising. Figure 1 shows an example of the current purely software-based encryption during packet forwarding: the transceiver module sends the received plaintext packet to the DMA (direct memory access module), the DMA sends the plaintext packet to the CPU, the CPU encrypts the plaintext packet in software to obtain a ciphertext packet and sends the ciphertext packet through the DMA to the transceiver module, which forwards it. Encrypting and decrypting purely in software in this way introduces considerable latency, and because both encryption and decryption are executed by the CPU it consumes too many CPU resources.

Figure 2 shows an example of the current hardware-based encryption during packet forwarding: the transceiver module sends the received plaintext packet to a first DMA, the first DMA sends the plaintext packet to the CPU, the CPU sends the plaintext packet through a second DMA to the encryption/decryption module, the encryption/decryption module encrypts the plaintext packet with its hardware elements to obtain a ciphertext packet and sends the ciphertext packet through the second DMA back to the CPU, and the CPU sends the ciphertext packet through the first DMA to the transceiver module for forwarding. As can be seen, this approach interacts with the CPU twice, which occupies too many resources and places a heavy load on the CPU. In other words, the current ways of encrypting and decrypting during packet forwarding suffer from high latency and excessive CPU usage; the embodiments of the present invention provide a message forwarding method to solve these problems.

Referring to Figure 3, a schematic block diagram of a network device provided by an embodiment of the present invention. The network device comprises a message forwarding device 10, a CPU 20 and a storage module 30. The message forwarding device 10 comprises a transceiver module 120, a parsing module 130, an encryption/decryption module 150 and a DMA 170 connected by a bus 110.

The transceiver module 120 receives and forwards packets. The parsing module 130 can parse out part of the information in a packet. The encryption/decryption module 150 encrypts and decrypts packets. The DMA 170 is communicatively connected to the CPU 20 and the storage module 30 and implements data transfer between the message forwarding device 10 and the CPU 20.

The CPU 20 is an integrated circuit chip with signal processing capability that can encapsulate, edit and otherwise operate on packets. The storage module 30 may be DDR (double data rate synchronous dynamic random-access memory) or SRAM (static random-access memory).

It will be understood that the structure shown in Figure 3 is only a schematic structure of the network device; the network device may include more or fewer components than shown in Figure 3, or have a different configuration. Each component shown in Figure 3 may be implemented in hardware, software or a combination of the two.

The network device provided by the embodiments of the present invention is a dedicated hardware device used to build an information communication network, such as a router or a switch; the embodiments do not limit this.

In the following, the message forwarding device 10 described above is taken as the executing entity that performs the steps of each method provided by the embodiments and achieves the corresponding technical effects.

Referring to Figure 4, a schematic flowchart of a message forwarding method provided by an embodiment of the present invention.

Step S202: the transceiver module identifies the received packet and, if the packet is identified as plaintext, marks it with a to-be-encrypted flag to obtain a to-be-encrypted packet and sends it to the parsing module.

Step S204: the parsing module sends the to-be-encrypted packet to the DMA.

In this embodiment, the to-be-encrypted flag is a label indicating that the packet needs to be encrypted. Its form can be chosen according to the application and is not limited by the embodiments of the present invention.

The network device receives packets sent by other devices through the transceiver module 120, which identifies each received packet to determine whether it is plaintext or ciphertext. If the transceiver module 120 identifies the received packet as plaintext, it marks the packet with the to-be-encrypted flag to indicate that it needs to be encrypted, thereby obtaining the to-be-encrypted packet, and sends it to the parsing module 130.

The parsing module 130 receives the to-be-encrypted packet and parses some of its key information to obtain the receive timestamp, receive port information, packet type (i.e. flow id) and similar information, then sends the to-be-encrypted packet together with this key information to the DMA 170.

Step S206: the DMA stores the message to be encrypted in the storage module, so that the CPU obtains it from the storage module, performs an encapsulation operation on it to obtain an encapsulated message, obtains the target encryption index value from the encapsulated message, and then stores the encapsulated message in the storage module and sends the target encryption index value to the DMA;

Step S208: the DMA sends the target encryption index value and the encapsulated message obtained from the storage module 30 to the encryption and decryption module;

In this embodiment, the DMA 170 includes a receive channel RX and a transmit channel TX, each with its own ring buffer: the receive channel's ring buffer is denoted RX Ring and the transmit channel's TX Ring. Each pointer in the RX Ring points to an RX-direction descriptor, and each pointer in the TX Ring points to a TX-direction descriptor. A packet descriptor expresses the state of a message and is a hardware-dependent data structure.

The storage module 30 includes a buffer unit for caching messages, such as a Packet Buffer. The DMA 170 stores the received message to be encrypted in the Packet Buffer of the storage module 30 and uses one RX-direction descriptor to record its state. For example, the RX-direction descriptor records the receive timestamp, receive port information, message type, and the address of the message to be encrypted in the storage space.

Then the CPU 20 obtains the message to be encrypted from the storage module 30 via the address in the RX-direction descriptor, performs an encapsulation operation on it to obtain an encapsulated message, obtains the target encryption index value from the encapsulated message, stores the encapsulated message in the storage module 30, and updates the TX-direction descriptor with the address of the encapsulated message in the storage module 30 and the target encryption index value.

The DMA 170 obtains the target encryption index value from the TX-direction descriptor, obtains the encapsulated message from the storage module 30 at the address given in the TX-direction descriptor, and then sends the encapsulated message and the target encryption index value to the encryption and decryption module 150.

Step S210: the encryption and decryption module obtains the target encryption parameters from the target encryption index value, performs encryption and authentication operations on the encapsulated message according to the target encryption parameters to obtain an encrypted message, and sends the encrypted message to the transceiver module;

Step S212: the transceiver module forwards the encrypted message;

In this embodiment, the encryption and decryption module 150 obtains the target encryption parameters from the received target encryption index value, performs encryption and authentication operations on the encapsulated message according to those parameters to obtain the encrypted message, and sends the encrypted message to the transceiver module 120, which forwards it to other devices.

It should be understood that the encryption and decryption module 150 may perform only encryption on a message, only authentication, encryption followed by authentication, authentication followed by encryption, or no operation at all. That is, the operations performed by the encryption and decryption module 150 can be set according to the actual application and are not limited in this embodiment of the invention.

It can be seen that connecting the transceiver module, the encryption and decryption module and the DMA via the bus places the encryption and decryption module between the transceiver module and the DMA, and routing the communication between the CPU and the encryption and decryption module through the DMA means that encrypting a message requires only one interaction with the CPU, which reduces the number of interactions, saves CPU resources, and achieves in-path (channel-following) encryption. At the same time, because the encryption and decryption module encrypts in hardware, latency is reduced and processing efficiency improved.

It can be seen from the above steps that the message forwarding device includes a transceiver module, a parsing module, an encryption and decryption module and a DMA connected via the bus; the DMA is communicatively connected to the CPU and the storage module of the network device, and the CPU is communicatively connected to the storage module. The transceiver module identifies each received message; if the message is identified as plaintext, it marks the message with the to-be-encrypted identifier to obtain the message to be encrypted and sends it via the parsing module to the DMA. The DMA stores the message to be encrypted in the storage module so that the CPU can obtain it, encapsulate it to obtain an encapsulated message, and obtain the target encryption index value from the encapsulated message; the CPU then stores the encapsulated message in the storage module so that the DMA can send the target encryption index value and the encapsulated message to the encryption and decryption module. The encryption and decryption module obtains the target encryption parameters from the target encryption index value, performs encryption and authentication operations on the encapsulated message according to those parameters to obtain the encrypted message, and sends it to the transceiver module for forwarding. Connecting the transceiver module, the encryption and decryption module and the DMA via the bus places the encryption and decryption module between the transceiver module and the DMA, and routing the communication between the CPU and the encryption and decryption module through the DMA reduces the number of interactions with the CPU to one, achieving in-path processing and saving CPU resources. At the same time, using the encryption and decryption module to encrypt messages in hardware reduces latency and improves processing efficiency.

Optionally, for the process in step S202 above in which the transceiver module identifies a received message, this embodiment of the invention provides one possible implementation, namely:

Identify the received message; if the message is found to have preset plaintext features, identify it as plaintext, where the plaintext features include the network protocol type, source IP address, destination IP address, source port number and destination port number; if the message is found to have preset ciphertext features, identify it as ciphertext, where the ciphertext features include the network protocol type, destination port number and encryption protocol type.

In this embodiment, both the plaintext features and the ciphertext features are preset. The plaintext features may be the network protocol type, source IP address, destination IP address, source port number and destination port number, that is, the message's 5-tuple.

The ciphertext features may be the network protocol type, denoted for example ipProtocol[7:0], the destination port number, denoted for example 14DestPort[15:0], and the encryption protocol type, denoted for example spi[31:0]. It should be understood that both the plaintext features and the ciphertext features can be set according to the actual application and are not limited in this embodiment of the invention.

The transceiver module 120 parses the received message in hardware and then identifies it. If the message is found to have the plaintext features, i.e. network protocol type, source IP address, destination IP address, source port number and destination port number, it is identified as plaintext so that it can subsequently be encrypted according to the encryption flow. If the message is found to have the ciphertext features, i.e. network protocol type, destination port number and encryption protocol type, it is identified as ciphertext so that it can subsequently be decrypted according to the decryption flow.

Optionally, for the process described above in which the CPU encapsulates the message to be encrypted to obtain the encapsulated message and obtains the target encryption index value from the encapsulated message, this embodiment provides one possible implementation, namely:

Extract the plaintext feature value of the message to be encrypted and look up, in the plaintext feature table, the initial plaintext index value corresponding to it; look up, in the plaintext index table, the target encapsulation rule corresponding to the initial plaintext index value; encapsulate the message to be encrypted according to the target encapsulation rule to obtain the encapsulated message; extract the plaintext feature value of the encapsulated message and look up, in the plaintext feature table, the target plaintext index value corresponding to it; look up, in the plaintext index table, the target encryption index value corresponding to the target plaintext index value.

In this embodiment, the CPU 20 stores a plaintext feature table and a plaintext index table. The plaintext feature table contains multiple plaintext feature values and their corresponding plaintext index values; the plaintext index table contains, for each plaintext index value, the corresponding encryption index value and encapsulation rule. A plaintext feature value is the value of the plaintext features, and an encapsulation rule includes a security policy, an encapsulation policy and so on. It should be understood that the plaintext feature values, plaintext index values, encryption index values and encapsulation rules can be set according to the actual application and are not limited in this embodiment of the invention.

After the CPU 20 obtains the message to be encrypted from the storage module 30, it parses the message to extract its plaintext feature value, i.e. the 5-tuple value, and looks up in the plaintext feature table the plaintext index value corresponding to that value, obtaining the initial plaintext index value, e.g. adindex1; it then looks up in the plaintext index table the encapsulation rule corresponding to adindex1, obtaining the target encapsulation rule, e.g. rule1; it then encapsulates the message to be encrypted according to rule1, for example by encapsulating the inner route, adding a Tunnel header and appending an all-zero check value icv, which yields the encapsulated message.

Next it extracts the plaintext feature value of the encapsulated message, i.e. its 5-tuple value, and looks up in the plaintext feature table the plaintext index value corresponding to it, obtaining the target plaintext index value, e.g. adindex1'; finally it looks up in the plaintext index table the encryption index value corresponding to adindex1', obtaining the target encryption index value, e.g. saindex1.

Optionally, for the process in step S210 above in which the encryption and decryption module obtains the target encryption parameters from the target encryption index value, this embodiment provides one possible implementation, namely:

Determine, among all encryption storage blocks, the target encryption storage block, whose address corresponds to the target encryption index value; obtain the encryption parameters in the target encryption storage block as the target encryption parameters.

In this embodiment, the encryption and decryption module 150 includes a storage unit such as an SRAM, which contains multiple encryption storage blocks holding encryption parameters. The address of each encryption storage block corresponds to one encryption index value, and a first address table, e.g. the SRAM1 table, can record the mapping between the address of each encryption storage block and each encryption index value.

After receiving the encapsulated message and the target encryption index value, the encryption and decryption module 150 determines from the SRAM1 table the first target address corresponding to the target encryption index value, and uses this first target address to determine, among all encryption storage blocks, the block it points to, i.e. the target encryption storage block.

Then it obtains the encryption parameters in the target encryption storage block, i.e. the target encryption parameters, and performs encryption and authentication operations on the encapsulated message based on them: for example, from the target encryption parameters and the message length it derives the length of the content to be encrypted and the length of the content to be authenticated, encrypts and authenticates according to the preset encryption algorithm and authentication algorithm, and then replaces the all-zero check value generated by the CPU 20 with the check value produced by the authentication operation, yielding the encrypted message.

For ease of understanding, this embodiment provides an example diagram; please refer to FIG. 5, with which the process of encrypting a message is described below.

The transceiver module 120 identifies the received message; finding that it has the plaintext features, i.e. 5-tuple information, it identifies the message as plaintext, marks it with the to-be-encrypted identifier to obtain the message to be encrypted, and sends it to the parsing module 130.

The parsing module 130 sends the key information obtained by parsing, together with the message to be encrypted, to the DMA 170.

The DMA 170 stores the received message to be encrypted in the buffer unit of the storage module 30 and uses an RX-direction descriptor to record its state, including the address of the message to be encrypted in the storage module 30.

The CPU 20 obtains the message to be encrypted from the storage module 30 via the address in the RX-direction descriptor and extracts its plaintext feature value; it then obtains the target encapsulation rule from the plaintext feature table and the plaintext index table, encapsulates the message according to that rule to obtain the encapsulated message, obtains the target encryption index value from the encapsulated message, and stores the encapsulated message in the buffer unit of the storage module 30; it then updates the TX-direction descriptor with the target encryption index value, the address of the encapsulated message in the storage module 30, the length of the encapsulated message, its forwarding egress information, its start and end flags, and similar information.

The DMA 170 decodes and parses the information in the TX-direction descriptor to obtain the target encryption index value and the address of the encapsulated message in the storage module 30, obtains the encapsulated message from the storage module 30 at that address, and then sends the target encryption index value and the encapsulated message to the encryption and decryption module 150.

The encryption and decryption module 150 obtains the target encryption parameters from the corresponding target encryption storage block according to the target encryption index value and the first address table, performs encryption and authentication operations on the encapsulated message according to those parameters to obtain the encrypted message, and sends it to the transceiver module 120, which forwards the encrypted message.

Optionally, in the case where the transceiver module identifies the received message as ciphertext, this embodiment provides an implementation for decrypting the message; please refer to FIG. 6.

Step S214: if the message is identified as ciphertext, mark it with the to-be-decrypted identifier to obtain the message to be decrypted, extract the ciphertext feature value of the message to be decrypted, obtain the target decryption index information from that ciphertext feature value, and then send the target decryption index information and the message to be decrypted to the parsing module;

Step S216: the parsing module parses the target decryption index information to obtain the target decryption index value, and sends the target decryption index value and the message to be decrypted to the encryption and decryption module;

In this embodiment, the to-be-decrypted identifier can be understood as a label indicating that the message needs to be decrypted. It can be set according to the actual application and is not limited in this embodiment of the invention.

If the transceiver module 120 identifies the received message as ciphertext, it marks the message with the to-be-decrypted identifier to indicate that it needs decryption, thereby obtaining the message to be decrypted, extracts the ciphertext feature value of that message, obtains the target decryption index information based on that ciphertext feature value, and then sends the target decryption index information and the message to be decrypted to the parsing module 130.

After receiving the target decryption index information and the message to be decrypted, the parsing module 130 parses the target decryption index information to obtain the target decryption index value, and parses part of the key information of the message to be decrypted to obtain the receive timestamp, receive port information, message type, message length and similar fields; it then sends the target decryption index value, the message to be decrypted and this key information to the encryption and decryption module 150.

Step S218: the encryption and decryption module obtains the target decryption parameters from the target decryption index value, performs authentication and decryption operations on the message to be decrypted according to the target decryption parameters to obtain a decrypted message, and sends the decrypted message to the DMA;

In this embodiment, the encryption and decryption module 150 obtains the target decryption parameters from the received target decryption index value, performs authentication and decryption operations on the message to be decrypted according to those parameters to obtain the decrypted message, and then sends it to the DMA 170.

It should be understood that the encryption and decryption module 150 may perform only decryption on a message, only authentication, decryption followed by authentication, authentication followed by decryption, or no operation at all. That is, the operations performed by the encryption and decryption module 150 can be set according to the actual application and are not limited in this embodiment of the invention.

Step S220: the DMA stores the decrypted message in the storage module, so that the CPU obtains the decrypted message from the storage module, performs an editing operation on it to obtain an edited message, and stores the edited message in the storage module;

Step S222: the DMA sends the edited message obtained from the storage module to the transceiver module;

Step S224: the transceiver module forwards the edited message;

In this embodiment, the DMA 170 stores the received decrypted message in the buffer unit of the storage module 30 and uses one RX-direction descriptor to record its state. For example, the descriptor records the receive timestamp, receive port information, message type, the address of the decrypted message in the storage module 30, whether decryption succeeded, whether the check passed, and similar information.

Then the CPU 20 obtains the decrypted message from the storage module 30 via the address in the RX-direction descriptor, parses it, edits it according to the preset editing policy to obtain the edited message, stores the edited message in the storage module, and updates the TX-direction descriptor with the address of the edited message in the storage module 30. The DMA 170 obtains the edited message from the storage module 30 via the address in the TX-direction descriptor and sends it to the transceiver module 120, which forwards the edited message to other devices.

Optionally, for the process in step S214 above in which the transceiver module obtains the target decryption index information from the ciphertext feature value of the message to be decrypted, this embodiment provides one possible implementation, namely:

Look up, in the ciphertext feature table, the target ciphertext index value corresponding to the ciphertext feature value of the message to be decrypted; determine, among all storage blocks, the target storage block, whose address corresponds to the target ciphertext index value; obtain the decryption index information in the target storage block as the target decryption index information.

In this embodiment, the transceiver module 120 stores a ciphertext feature table containing multiple ciphertext feature values and their corresponding ciphertext index values, and includes multiple storage blocks holding decryption index information. The address of each storage block corresponds to one ciphertext index value, and an address table, e.g. the AD table, can record the mapping between the address of each storage block and each ciphertext index value. It should be understood that the ciphertext feature values and ciphertext index values can be set according to the actual application and are not limited in this embodiment of the invention.

After extracting the ciphertext feature value of the message to be decrypted, i.e. the values of the network protocol type, destination port number and encryption protocol type, the transceiver module 120 looks up in the ciphertext feature table the ciphertext index value corresponding to it, obtaining the target ciphertext index value, e.g. adindex2; it determines from the AD table the target address corresponding to adindex2 and uses that address to determine, among all storage blocks, the block it points to, i.e. the target storage block; it then obtains the decryption index information in the target storage block, i.e. the target decryption index information.

Optionally, for the process in step S218 above in which the encryption and decryption module obtains the target decryption parameters from the received target decryption index value, this embodiment provides one possible implementation, namely:

Determine, among all decryption storage blocks, the target decryption storage block, whose address corresponds to the target decryption index value; obtain the decryption parameters in the target decryption storage block as the target decryption parameters.

In this embodiment, the encryption and decryption module 150 includes a storage unit such as an SRAM, which contains multiple decryption storage blocks holding decryption parameters. The address of each decryption storage block corresponds to one decryption index value, and a second address table, e.g. the SRAM2 table, can record the mapping between the address of each decryption storage block and each decryption index value.

After receiving the message to be decrypted and the target decryption index value, the encryption and decryption module 150 determines from the SRAM2 table the second target address corresponding to the target decryption index value, and uses this second target address to determine, among all decryption storage blocks, the block it points to, i.e. the target decryption storage block.

Then it obtains the decryption parameters in the target decryption storage block, i.e. the target decryption parameters, and performs authentication and decryption operations on the message to be decrypted based on them: for example, from the target decryption parameters and the length of the message to be decrypted it derives the length of the content to be authenticated and the length of the content to be decrypted, determines the length of the check value, and then authenticates and decrypts according to the preset authentication algorithm and decryption algorithm, yielding the decrypted message.

For ease of understanding, an embodiment of the present invention provides an example diagram; refer to FIG. 7. The process of decrypting a message is described below with reference to FIG. 7.

The transceiver module 120 identifies the received message. If it recognizes that the message has the ciphertext features, namely a network protocol type, a destination port number and an encryption protocol type, it identifies the message as ciphertext, marks the message with the to-be-decrypted identifier to obtain the message to be decrypted, and extracts the ciphertext feature value of the message to be decrypted. Then, based on the ciphertext feature value of the message to be decrypted and the ciphertext feature table, it obtains the target decryption index information from the corresponding target storage block, and sends the target decryption index information together with the message to be decrypted to the parsing module 130.

The parsing module 130 parses the target decryption index information to obtain the target decryption index value, and sends the target decryption index value, the message to be decrypted and some key information to the encryption and decryption module 150. The encryption and decryption module 150 obtains the target decryption parameters from the corresponding target decryption storage block according to the target decryption index value and the second address table, performs the authentication operation and the decryption operation on the message to be decrypted according to the target decryption parameters to obtain the decrypted message, and then sends the decrypted message to the DMA 170.

The DMA 170 stores the received decrypted message in the cache unit of the storage module 30 and records the state of the decrypted message in an RX-direction descriptor, which includes the address of the decrypted message in the storage module 30.

Using the address in the RX-direction descriptor, the CPU 20 obtains the decrypted message from the storage module 30 and performs the editing operation to obtain the edited message; it then stores the edited message in the cache unit of the storage module 30 and updates the TX-direction descriptor with the address of the edited message in the storage module 30.

The DMA 170 obtains the edited message from the storage module 30 according to the address in the TX-direction descriptor and sends it to the transceiver module 120, so that the transceiver module 120 forwards the edited message.
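The decryption path just walked through (ciphertext feature table, storage block holding decryption index information, parsing module, SRAM2 table, decryption storage block, then authenticate-then-decrypt with lengths derived from the parameters and the message length), as an added Python simulation that is not part of the patent or of the applicant's hardware. The table contents, addresses, keys, the 16-byte check value, the HMAC-SHA256 check and the HMAC-based keystream standing in for the module's preset authentication and decryption algorithms are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

TAG_LEN = 16  # constructed check-value (ICV) length, in bytes

# Tables held by the transceiver module (constructed sample contents).
# A ciphertext feature is (network protocol type, destination port, encryption protocol type).
CIPHERTEXT_FEATURE_TABLE = {("udp", 4500, "esp"): 0, ("udp", 500, "ike"): 1}
# Storage blocks addressed by ciphertext index value; each holds decryption index information.
TRANSCEIVER_STORAGE_BLOCKS = {0: b"\x00\x07", 1: b"\x00\x03"}

# Tables held by the encryption and decryption module (constructed sample contents).
# Second address table (SRAM2 table): decryption index value -> decryption storage block address.
SRAM2_TABLE = {7: 0x40, 3: 0x80}
# Decryption storage blocks: address -> decryption parameters.
DECRYPTION_STORAGE_BLOCKS = {
    0x40: {"auth_key": b"A" * 32, "enc_key": b"E" * 32, "header_len": 8},
    0x80: {"auth_key": b"B" * 32, "enc_key": b"F" * 32, "header_len": 12},
}


@dataclass
class Packet:
    protocol: str
    dst_port: int
    enc_protocol: Optional[str]  # None when no encryption protocol header is present
    payload: bytes


def transceiver_identify(pkt):
    """Return the ciphertext feature if the packet carries a preset ciphertext feature, else None."""
    if pkt.enc_protocol is None:
        return None
    feature = (pkt.protocol, pkt.dst_port, pkt.enc_protocol)
    return feature if feature in CIPHERTEXT_FEATURE_TABLE else None


def transceiver_decrypt_index_info(feature):
    """Ciphertext feature -> ciphertext index value -> content of the target storage block."""
    return TRANSCEIVER_STORAGE_BLOCKS[CIPHERTEXT_FEATURE_TABLE[feature]]


def parser_decrypt_index_value(info):
    """Parsing module: decode the decryption index information into the index value."""
    return int.from_bytes(info, "big")


def encdec_target_params(index_value):
    """Index value -> second target address (SRAM2 table) -> target decryption storage block."""
    return DECRYPTION_STORAGE_BLOCKS[SRAM2_TABLE[index_value]]


def _keystream(key, length):
    """Constructed stand-in for the hardware cipher: HMAC-SHA256 run in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encdec_authenticate_and_decrypt(params, msg):
    """Derive the three lengths from the parameters and the message length, verify, then decrypt."""
    if len(msg) < params["header_len"] + TAG_LEN:
        raise ValueError("message shorter than header plus check value")
    auth_len = len(msg) - TAG_LEN                 # length of the authenticated content
    check_value = msg[auth_len:]                  # the check value is the trailing TAG_LEN bytes
    expected = hmac.new(params["auth_key"], msg[:auth_len], hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(check_value, expected):
        raise ValueError("authentication failed")   # nothing is decrypted on failure
    header = msg[:params["header_len"]]
    body = msg[params["header_len"]:auth_len]     # the content to decrypt
    plain = bytes(b ^ k for b, k in zip(body, _keystream(params["enc_key"], len(body))))
    return header + plain


def decrypt_path(pkt):
    """Transceiver -> parsing module -> encryption and decryption module, as in FIG. 7."""
    feature = transceiver_identify(pkt)
    if feature is None:
        return None   # not ciphertext: this packet does not take the decryption path
    info = transceiver_decrypt_index_info(feature)
    params = encdec_target_params(parser_decrypt_index_value(info))
    return encdec_authenticate_and_decrypt(params, pkt.payload)


def build_sample_ciphertext(params, header, plaintext):
    """Constructed mirror of the encryption side, used only to produce sample input."""
    body = bytes(b ^ k for b, k in zip(plaintext, _keystream(params["enc_key"], len(plaintext))))
    authenticated = header + body
    return authenticated + hmac.new(params["auth_key"], authenticated, hashlib.sha256).digest()[:TAG_LEN]


if __name__ == "__main__":
    p = DECRYPTION_STORAGE_BLOCKS[0x40]
    sample = build_sample_ciphertext(p, b"HDR00000", b"hello world")
    print(decrypt_path(Packet("udp", 4500, "esp", sample)))
```

The check value is verified over the whole authenticated content before any byte is decrypted, and a failed check rejects the message; keeping that order in the hardware path is what prevents a forged packet from reaching the CPU's editing step. A miss in either lookup table raises a `KeyError` here, which corresponds to a packet whose features are not provisioned and therefore must not be handed to the decryption module at all.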

In order to carry out the corresponding steps of the above embodiment and each of its possible variants, an implementation of the message forwarding device 10 is given below. It should be noted that the basic principles and resulting technical effects of the message forwarding device 10 provided by the embodiment of the present invention are the same as those of the above embodiment; for brevity, anything not mentioned in this embodiment can be found in the corresponding content of the above embodiment. The message forwarding device 10 includes:

the transceiver module 120, configured to identify the received message and, if the message is identified as plaintext, mark the message with the to-be-encrypted identifier to obtain the message to be encrypted and send it to the parsing module 130;

the parsing module 130, configured to send the message to be encrypted to the DMA 170;

the DMA 170, configured to store the message to be encrypted in the storage module 30, so that the CPU 20 obtains the message to be encrypted from the storage module 30, performs the encapsulation operation on the message to be encrypted to obtain the encapsulated message, obtains the target encryption index value according to the encapsulated message, and then stores the encapsulated message in the storage module 30 and sends the target encryption index value to the DMA 170;

the DMA 170, configured to send the target encryption index value and the encapsulated message obtained from the storage module 30 to the encryption and decryption module 150;

the encryption and decryption module 150, configured to obtain the target encryption parameters according to the target encryption index value, perform the encryption operation and the authentication operation on the encapsulated message according to the target encryption parameters to obtain the encrypted message, and then send the encrypted message to the transceiver module 120;

the transceiver module 120, configured to forward the encrypted message.

Optionally, the CPU 20 performs the encapsulation operation on the message to be encrypted to obtain the encapsulated message and obtains the target encryption index value according to the encapsulated message in the following way: extract the plaintext feature value of the message to be encrypted and obtain, from the plaintext feature table, the initial plaintext index value corresponding to that plaintext feature value; obtain, from the plaintext index table, the target encapsulation rule corresponding to the initial plaintext index value; perform the encapsulation operation on the message to be encrypted according to the target encapsulation rule to obtain the encapsulated message; extract the plaintext feature value of the encapsulated message and obtain, from the plaintext feature table, the target plaintext index value corresponding to that plaintext feature value; and obtain, from the plaintext index table, the target encryption index value corresponding to the target plaintext index value.

Optionally, the encryption and decryption module 150 is further configured to determine the target encryption storage block among all encryption storage blocks, where the address of the target encryption storage block corresponds to the target encryption index value, and to obtain the encryption parameters in the target encryption storage block, yielding the target encryption parameters.

Optionally, the transceiver module 120 is further configured, if the message is identified as ciphertext, to mark the message with the to-be-decrypted identifier to obtain the message to be decrypted, to extract the ciphertext feature value of the message to be decrypted and obtain the target decryption index information according to that ciphertext feature value, and then to send the target decryption index information and the message to be decrypted to the parsing module 130;

the parsing module 130 is further configured to parse the target decryption index information to obtain the target decryption index value, and to send the target decryption index value and the message to be decrypted to the encryption and decryption module 150;

the encryption and decryption module 150 is further configured to obtain the target decryption parameters according to the target decryption index value, to perform the authentication operation and the decryption operation on the message to be decrypted according to the target decryption parameters to obtain the decrypted message, and then to send the decrypted message to the DMA 170;

the DMA 170 is further configured to store the decrypted message in the storage module 30, so that the CPU 20 obtains the decrypted message from the storage module 30, performs the editing operation on the decrypted message to obtain the edited message, and then stores the edited message in the storage module 30;

the DMA 170 is further configured to send the edited message obtained from the storage module 30 to the transceiver module 120;

the transceiver module 120 is further configured to forward the edited message.

Optionally, the transceiver module 120 is further configured to obtain, from the ciphertext feature table, the target ciphertext index value corresponding to the ciphertext feature value of the message to be decrypted; to determine the target storage block among all storage blocks, where the address of the target storage block corresponds to the target ciphertext index value; and to obtain the decryption index information in the target storage block, yielding the target decryption index information.

Optionally, the encryption and decryption module 150 is further configured to determine the target decryption storage block among all decryption storage blocks, where the address of the target decryption storage block corresponds to the target decryption index value, and to obtain the decryption parameters in the target decryption storage block, yielding the target decryption parameters.

Optionally, the transceiver module 120 is further configured to identify the received message: if the message is found to have the preset plaintext features, it is identified as plaintext, where the plaintext features include the network protocol type, source IP address, destination IP address, source port number and destination port number; if the message is found to have the preset ciphertext features, it is identified as ciphertext, where the ciphertext features include the network protocol type, destination port number and encryption protocol type.
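The identification rule just given for the transceiver module 120 (five-tuple for plaintext; protocol type, destination port and encryption protocol type for ciphertext), the five CPU 20 steps for encapsulation and target encryption index lookup described earlier in this section, and the encryption storage block lookup of the encryption and decryption module 150, as an added Python model that is not the patent's or the applicant's code. The table contents, block addresses, the UDP/4500 ESP-style sample rule, the `sa-7` key identifier and the decision to run the ciphertext check before the plaintext check are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample tables; the patent specifies only their structure, not their contents.
# Plaintext feature = (network protocol type, source IP, destination IP, source port, destination port).
PLAINTEXT_FEATURE_TABLE = {
    ("tcp", "10.0.0.2", "10.0.1.9", 40000, 443): 1,        # inner flow -> initial plaintext index
    ("udp", "192.0.2.1", "198.51.100.7", 4500, 4500): 2,  # outer header after encapsulation -> target index
}
# Plaintext index table: plaintext index value -> encryption index value and encapsulation rule.
PLAINTEXT_INDEX_TABLE = {
    1: {"enc_index": None,
        "encap_rule": {"protocol": "udp", "src_ip": "192.0.2.1", "dst_ip": "198.51.100.7",
                       "src_port": 4500, "dst_port": 4500, "enc_protocol": "esp"}},
    2: {"enc_index": 7, "encap_rule": None},
}
# Ciphertext feature = (network protocol type, destination port, encryption protocol type).
CIPHERTEXT_FEATURE_TABLE = {("udp", 4500, "esp"): 0}
# Encryption and decryption module: encryption index value -> storage block address -> parameters.
ENCRYPTION_ADDRESS_TABLE = {7: 0x20}
ENCRYPTION_STORAGE_BLOCKS = {0x20: {"key_id": "sa-7", "enc_key": b"E" * 32, "auth_key": b"A" * 32}}


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    enc_protocol: Optional[str] = None   # encryption protocol header type, if one is present
    inner: Optional["Packet"] = None     # encapsulated inner packet, if any
    payload: bytes = b""


def plaintext_feature(pkt):
    return (pkt.protocol, pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port)


def ciphertext_feature(pkt):
    return (pkt.protocol, pkt.dst_port, pkt.enc_protocol)


def transceiver_identify(pkt):
    """Classify as 'plaintext', 'ciphertext' or None using the preset feature sets.

    The ciphertext check runs first (assumption): an encapsulated packet also carries a
    five-tuple, so the presence of a known encryption protocol header must decide."""
    if pkt.enc_protocol is not None and ciphertext_feature(pkt) in CIPHERTEXT_FEATURE_TABLE:
        return "ciphertext"
    if plaintext_feature(pkt) in PLAINTEXT_FEATURE_TABLE:
        return "plaintext"
    return None


def cpu_encapsulate_and_index(pkt):
    """The CPU steps: feature -> initial index -> rule -> encapsulate -> feature -> target index -> encryption index."""
    initial_index = PLAINTEXT_FEATURE_TABLE[plaintext_feature(pkt)]
    rule = PLAINTEXT_INDEX_TABLE[initial_index]["encap_rule"]
    if rule is None:
        raise LookupError("no encapsulation rule for plaintext index %d" % initial_index)
    encapsulated = Packet(rule["protocol"], rule["src_ip"], rule["dst_ip"], rule["src_port"],
                          rule["dst_port"], enc_protocol=rule["enc_protocol"], inner=pkt)
    target_index = PLAINTEXT_FEATURE_TABLE[plaintext_feature(encapsulated)]
    enc_index = PLAINTEXT_INDEX_TABLE[target_index]["enc_index"]
    if enc_index is None:
        raise LookupError("no encryption index for plaintext index %d" % target_index)
    return encapsulated, enc_index


def encdec_target_encrypt_params(enc_index):
    """Encryption index value -> target encryption storage block -> target encryption parameters."""
    return ENCRYPTION_STORAGE_BLOCKS[ENCRYPTION_ADDRESS_TABLE[enc_index]]


if __name__ == "__main__":
    inner = Packet("tcp", "10.0.0.2", "10.0.1.9", 40000, 443, payload=b"GET / HTTP/1.1")
    encapsulated, enc_index = cpu_encapsulate_and_index(inner)
    print(transceiver_identify(inner), enc_index, encdec_target_encrypt_params(enc_index)["key_id"])
```

A flow whose five-tuple is not in the plaintext feature table raises `KeyError` in `cpu_encapsulate_and_index`; in a real device that case needs an explicit drop-or-bypass decision, since a plaintext packet with no provisioned rule must not be forwarded in the clear by default.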

An embodiment of the present invention further provides a network device, which includes a CPU and a storage module that are communicatively connected, together with the message forwarding device provided by the embodiment of the present invention; the CPU and the storage module are both communicatively connected to the DMA in the message forwarding device.

In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings show the architecture, functions and operation of possible implementations of devices, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.

In addition, the functional modules in the various embodiments of the present invention may be integrated together to form an independent part, each module may exist separately, or two or more modules may be integrated to form an independent part.

If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

The above are only preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A message forwarding method is characterized in that the message forwarding device is applied to network equipment and comprises a transceiving module, an analysis module, an encryption and decryption module and a DMA (direct memory access) which are connected through a bus, wherein the DMA is in communication connection with a CPU (central processing unit) and a storage module in the network equipment, and the CPU is in communication connection with the storage module; the method comprises the following steps:
the receiving and sending module identifies the received message, if the message is identified as a plaintext, the message is marked with an identifier to be encrypted to obtain a message to be encrypted, and the message to be encrypted is sent to the analysis module;
the analysis module sends the message to be encrypted to the DMA;
the DMA stores the message to be encrypted to the storage module so that the CPU obtains the message to be encrypted from the storage module, packages the message to be encrypted to obtain a packaged message, obtains a target encryption index value according to the packaged message, stores the packaged message to the storage module and sends the target encryption index value to the DMA;
the DMA sends the target encryption index value and the packaged message acquired from the storage module to the encryption and decryption module;
the encryption and decryption module obtains a target encryption parameter according to the target encryption index value, and sends the encrypted message to the transceiver module after carrying out encryption operation and authentication operation on the packaged message according to the target encryption parameter to obtain the encrypted message;
and the transceiver module forwards the encrypted message.
2. The method according to claim 1, wherein the CPU stores a plaintext feature table and a plaintext index table, the plaintext feature table comprising a plurality of plaintext feature values and corresponding plaintext index values; the plaintext index table comprises an encryption index value and an encapsulation rule corresponding to each plaintext index value;
the CPU carries out encapsulation operation on the message to be encrypted to obtain an encapsulated message and obtains a target encryption index value according to the encapsulated message, and the method comprises the following steps:
extracting a plaintext characteristic value of the message to be encrypted, and acquiring an initial plaintext index value corresponding to the plaintext characteristic value of the message to be encrypted according to the plaintext characteristic table;
acquiring a target encapsulation rule corresponding to the initial plaintext index value according to the plaintext index table;
performing encapsulation operation on the message to be encrypted according to the target encapsulation rule to obtain the encapsulated message;
extracting a plaintext feature value of the packaged message, and acquiring a target plaintext index value corresponding to the plaintext feature value of the packaged message according to the plaintext feature table;
and acquiring a target encryption index value corresponding to the target plaintext index value according to the plaintext index table.
3. The method according to claim 2, wherein the encryption/decryption module comprises a plurality of encrypted memory blocks storing encryption parameters, and an address of one of the encrypted memory blocks corresponds to one of the encryption index values;
the encryption and decryption module obtains the target encryption parameter according to the target encryption index value, and the method comprises the following steps:
determining a target encryption storage block in all encryption storage blocks, wherein the address of the target encryption storage block corresponds to the target encryption index value;
and acquiring the encryption parameters in the target encryption storage block to obtain the target encryption parameters.
4. The method of claim 1, wherein after the transceiver module identifies the received message, the method further comprises:
if the message is identified to be a ciphertext, marking a to-be-decrypted identifier on the message to obtain a to-be-decrypted message, extracting a ciphertext characteristic value of the to-be-decrypted message and target decryption index information according to the ciphertext characteristic value of the to-be-decrypted message, and then sending the target decryption index information and the to-be-decrypted message to the analysis module;
the analysis module analyzes the target decryption index information to obtain a target decryption index value, and sends the target decryption index value and the message to be decrypted to the encryption and decryption module;
the encryption and decryption module obtains a target decryption parameter according to the target decryption index value, performs authentication operation and decryption operation on the message to be decrypted according to the target decryption parameter to obtain a decrypted message, and then sends the decrypted message to the DMA;
the DMA stores the decrypted message into the storage module so that a CPU obtains the decrypted message from the storage module, edits the decrypted message to obtain an edited message, and then stores the edited message into the storage module;
the DMA sends the edited message acquired from the storage module to the transceiving module;
and the transceiver module forwards the edited message.
5. The method of claim 4, wherein the transceiver module stores a ciphertext feature table, the ciphertext feature table comprising a plurality of ciphertext feature values and corresponding ciphertext index values, the transceiver module comprises a plurality of storage blocks storing decryption index information, and an address of one of the storage blocks corresponds to one of the ciphertext index values;
the receiving and sending module obtains target decryption index information according to the ciphertext characteristic value of the message to be decrypted, and the method comprises the following steps:
acquiring a target ciphertext index value corresponding to the ciphertext characteristic value of the message to be decrypted according to the ciphertext characteristic table;
determining a target storage block in all storage blocks, wherein the address of the target storage block corresponds to the target ciphertext index value;
and acquiring decryption index information in the target storage block to obtain the target decryption index information.
6. The method according to claim 5, wherein the encryption/decryption module comprises a plurality of decryption memory blocks storing decryption parameters, an address of one of the decryption memory blocks corresponding to one of the decryption index values;
the step that the encryption and decryption module obtains the target decryption parameters according to the target decryption index value comprises the following steps:
determining a target decryption storage block in all decryption storage blocks, wherein the address of the target decryption storage block corresponds to the target decryption index value;
and acquiring the decryption parameter in the target decryption storage block to obtain the target decryption parameter.
7. The method of claim 1, wherein the transceiver module identifies the received message, comprising:
identifying the received message;
if the message is identified to have the preset plaintext characteristics, identifying the message as a plaintext; wherein the plaintext characteristics comprise a network protocol type, a source IP address, a destination IP address, a source port number, and a destination port number;
if the message is identified to have the preset ciphertext characteristic, identifying the message as a ciphertext; wherein the ciphertext feature comprises a network protocol type, a destination port number, and an encryption protocol type.
8. A message forwarding device is characterized by comprising a transceiving module, an analysis module, an encryption and decryption module and a DMA (direct memory access) which are connected through a bus, wherein the DMA is in communication connection with a CPU (central processing unit) and a storage module in network equipment, and the CPU is in communication connection with the storage module;
the receiving and sending module is used for identifying the received message, if the message is identified as a plaintext, marking an identifier to be encrypted on the message to obtain a message to be encrypted, and sending the message to the analysis module;
the analysis module is used for sending the message to be encrypted to the DMA;
the DMA is used for storing the message to be encrypted to the storage module so that the CPU obtains the message to be encrypted from the storage module, obtains a target encryption index value according to the message to be encrypted, performs packaging operation on the message to be encrypted to obtain a packaged message, stores the packaged message to the storage module and sends the target encryption index value to the DMA;
the DMA is used for sending the target encryption index value and the packaged message acquired from the storage module to the encryption and decryption module;
the encryption and decryption module is used for obtaining a target encryption parameter according to the target encryption index value, carrying out encryption operation and authentication operation on the packaged message according to the target encryption parameter to obtain an encrypted message, and then sending the encrypted message to the transceiver module;
the transceiver module is used for forwarding the encrypted message.
9. The apparatus of claim 8, wherein the transceiver module is further configured to:
identifying the received message;
if the message is identified to have the preset plaintext characteristics, identifying the message as a plaintext; wherein the plaintext characteristics comprise a network protocol type, a source IP address, a destination IP address, a source port number, and a destination port number;
if the message is identified to have the preset ciphertext characteristics, identifying the message as a ciphertext; wherein the ciphertext feature comprises a network protocol type, a destination port number, and an encryption protocol type.
10. A network device comprising a CPU and a memory module communicatively coupled, and a message forwarding apparatus as claimed in any one of claims 8 and 9, the CPU and the memory module both communicatively coupled to a DMA in the message forwarding apparatus.
CN202211672743.4A 2022-12-26 2022-12-26 Message forwarding method, device and network equipment Pending CN115766290A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211672743.4A CN115766290A (en) 2022-12-26 2022-12-26 Message forwarding method, device and network equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211672743.4A CN115766290A (en) 2022-12-26 2022-12-26 Message forwarding method, device and network equipment

Publications (1)

Publication Number Publication Date
CN115766290A true CN115766290A (en) 2023-03-07

Family

ID=85347520

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211672743.4A Pending CN115766290A (en) 2022-12-26 2022-12-26 Message forwarding method, device and network equipment

Country Status (1)

Country Link
CN (1) CN115766290A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6701432B1 (en) * 1999-04-01 2004-03-02 Netscreen Technologies, Inc. Firewall including local bus
EP3051476A1 (en) * 2015-01-30 2016-08-03 NCR Corporation Authority trusted secure system component
US20190132120A1 (en) * 2017-10-27 2019-05-02 EMC IP Holding Company LLC Data Encrypting System with Encryption Service Module and Supporting Infrastructure for Transparently Providing Encryption Services to Encryption Service Consumer Processes Across Encryption Service State Changes
WO2020034118A1 (en) * 2018-08-15 2020-02-20 华为技术有限公司 Secure data transfer apparatus, system and method
US20200186330A1 (en) * 2018-12-06 2020-06-11 Nuvoton Technology Corporation Encryption and decryption system, encryption device, decryption device and encryption and decryption method
CN112199712A (en) * 2020-11-03 2021-01-08 湖南国科微电子股份有限公司 Data encryption and decryption method, system, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination