
Method and device for IKE (internet key exchange) coordinated congestion control

A congestion control technology for key exchange protocols, applied in the field of network security. It addresses the problem that limiting the number of concurrent EXCHs cannot control congestion effectively and accurately, because that number does not truly reflect how busy the system is, and thereby achieves congestion control.

Active Publication Date: 2013-01-09
NEW H3C TECH CO LTD

AI Technical Summary

Problems solved by technology

[0016] In view of this, the present invention provides a congestion control method and device for IKE negotiation, to at least solve the following problem in the prior-art congestion control method: the number of concurrent EXCHs in the system cannot truly reflect how busy the system currently is, so limiting the number of concurrent EXCHs cannot effectively and accurately prevent congestion.

Examples


Embodiment 1

[0034] The processing flow of the congestion control method for IKE negotiation in Embodiment 1 of the present invention is shown in Figure 1 and includes the following steps:

[0035] Step S102: after receiving a first message from the peer, obtain the peer's operation time from the first message, where the operation time is either the time consumed to parse a received second message and construct the first message in reply to it, or the time consumed to construct the first message;

[0036] For example, during IKE negotiation, when the initiator or the responder sends a message (called the third message) to the peer, whether actively or as a reply, it carries its own calculation time in the third message sent to the peer. When the third message is the first message sent by the initiator, the calculation time is the time consumed to construct the third message, and...

Embodiment 2

[0046] In Embodiment 1, introducing a delayed-reply mechanism can effectively prevent the system from entering a congested state. However, this mechanism relies on the peer to control congestion at the local end by delaying its reply messages; it cannot control the number of negotiations in progress in the system (i.e., the total number of concurrent EXCHs), so it is a passive defense mechanism.

[0047] In Embodiment 2 of the present invention, the local end calculates its own busy index and can thereby identify whether it has entered the busy state. If it is busy, it can stop initiating or accepting new IKE negotiations; that is, new IKE negotiations are rejected whether they are triggered by the local end or by the peer. This is an active defense mechanism implemented at the local end, and in essence it controls the total number of EXCHs in the system.

[0048] As shown in Figure 2, the processing flow of the ...

Embodiment 3

[0059] An EXCH (one EXCH corresponds to one IKE negotiation) exists to negotiate an IKE SA (generated in the first phase of negotiation) or an IPSec SA (generated in the second phase of negotiation). Normally, the local system creates an EXCH and starts exchanging messages with the peer. After all message exchanges are completed, the corresponding SA is generated. At this point the EXCH has served its purpose and is deleted by the system. This period is the survival time of the EXCH, recorded as EXCH_DURATION.

[0060] Therefore, the EXCH_DURATION of each EXCH in the system (that is, of each ongoing IKE negotiation in the system) should be kept within a reasonable time (called the survival time threshold), and the survival time threshold should meet the following requirements:

[0061] (1) The threshold should be long enough to allow a complete IKE negotiation to finish. If it is too short, the EXCH will be released before the negotiation is completed, and the...


Abstract

The invention discloses a method and a device for IKE (internet key exchange) coordinated congestion control. The method includes: after receiving a first message sent by the peer, obtaining the peer's operation time from the first message, where the operation time is either the time consumed to parse a received second message and build the first message in reply to it, or the time consumed to build the first message; judging whether the obtained operation time exceeds a preset operation time threshold; and if so, determining a delay time from the obtained operation time and replying to the peer once that delay time has elapsed, where the delay time is positively correlated with the obtained operation time. With this method and device, congestion at the peer can be controlled effectively and accurately.
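The delayed-reply rule from the abstract, as an added example (not code from the patent or from any IKE implementation). The page states only that the delay is positively correlated with the operation time, so the threshold value, the linear delay function, the cap, and the names `PacingPolicy`, `reply_delay_ms` and `schedule_replies` are assumptions; the sample messages are constructed.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class PacingPolicy:
    threshold_ms: float = 50.0     # assumed preset operation-time threshold
    gain: float = 2.0              # assumed: ms of delay per ms above threshold
    max_delay_ms: float = 2000.0   # assumed cap; the reported value is peer-controlled


def reply_delay_ms(op_time_ms, policy=PacingPolicy()):
    """Delay before replying, in ms; 0.0 means reply immediately."""
    # The operation time arrives inside a message from the peer, so treat it
    # as untrusted input: ignore non-numeric, NaN or negative values.
    if not isinstance(op_time_ms, (int, float)):
        return 0.0
    if op_time_ms != op_time_ms or op_time_ms < 0:
        return 0.0
    if op_time_ms <= policy.threshold_ms:
        return 0.0
    # Linear in the excess, so the delay grows with the reported operation time.
    return min(policy.gain * (op_time_ms - policy.threshold_ms),
               policy.max_delay_ms)


def schedule_replies(received, policy=PacingPolicy()):
    """received: iterable of (arrival_ms, peer, op_time_ms).
    Returns [(send_ms, peer)] in the order the replies leave."""
    queue = []
    for seq, (arrival_ms, peer, op_time_ms) in enumerate(received):
        send_ms = arrival_ms + reply_delay_ms(op_time_ms, policy)
        heapq.heappush(queue, (send_ms, seq, peer))
    out = []
    while queue:
        send_ms, _, peer = heapq.heappop(queue)
        out.append((send_ms, peer))
    return out


# Constructed sample: (arrival time ms, peer label, reported operation time ms)
SAMPLE = [
    (0.0, "peer-a", 300.0),   # busy peer: reply held for 2 * (300 - 50) ms
    (10.0, "peer-b", 20.0),   # under the threshold: immediate reply
    (20.0, "peer-c", 1e9),    # implausible value: delay clamped to the cap
    (30.0, "peer-d", -5.0),   # malformed value: ignored, immediate reply
]
```

Without the cap, a single message carrying an inflated operation time would hold local negotiation state for as long as the peer chose.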

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a congestion control method and device for IKE negotiation.

Background

[0002] IPSec (IP Security) is a framework protocol developed by the IETF (Internet Engineering Task Force) to ensure the security and encryption performance of data transmitted on the Internet. IPSec is a Layer 3 tunnel encryption protocol that provides high-quality, interoperable, cryptography-based security guarantees for data transmitted on the Internet. It is a traditional security technology for implementing Layer 3 VPNs (Virtual Private Networks). Specific communicating parties establish IPSec tunnels to transmit users' private data, and provide data confidentiality, data integrity, data source authentication and anti-replay security services at the IP laye...


Application Information

IPC(8): H04L12/801, H04L9/08
Inventor 王海生
Owner NEW H3C TECH CO LTD