Method for negotiating about security alliance
A security association technology, applied in the field of IP security, that solves problems such as wasted network resources, failed SA negotiation between the communicating parties and disruption of normal business operation, so as to ensure normal operation and successful negotiation.
Inactive Publication Date: 2007-02-21
NEW H3C TECH CO LTD
Problems solved by technology
In this way, the final SA reserved by the communication parties is not a matching SA, so that the communication parties negotiate to generate two IKE SAs or two IPsec SAs to protect the same IP traffi...
Abstract
The invention comprises: setting a selection rule; when it is determined that two SA (security association) negotiation processes conflict, acquiring the characteristics of the two conflicting SA negotiation processes according to the selection rule; and, according to the acquired characteristics and the selection rule, selecting one of the two SAs corresponding to the conflicting negotiation processes. With the invention, when the two communicating parties generate two different SAs to protect the same IP traffic, or run two SA negotiation processes for the same IP traffic, both parties end up holding a matching SA.
Example Embodiment
[0051] The core idea of the present invention is to set selection rules and, when it is determined that two SA negotiation processes conflict, to obtain the characteristics of the conflicting SA negotiation processes according to the selection rules and to select, according to the acquired characteristics and the selection rules, one of the two SAs corresponding to the conflicting negotiation processes.
[0052] There are two ways to determine that two SA negotiation processes conflict. The first: when a communicating party has generated two SAs to protect the same IP traffic, the SA negotiation processes corresponding to those two SAs are determined to conflict. The second: when a communicating party receives an SA negotiation request message, it determines whether the SA negotiation process corresponding to that request conflicts with an existing one; if the party already has another SA negotiation process in progress for the same IP traffic, the two SA negotiation processes are determined to conflict.
[0053] Here, "the same IP traffic" means, for IKE SA negotiation, that the SAs generated by the communicating parties protect the same IPsec SA negotiation process, and, for IPsec SA negotiation, that the SAs generated by the communicating parties protect the same IP data flow.
[0054] To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and two preferred embodiments.
[0055] The first preferred embodiment mainly addresses the case where the conflict in the security association negotiation process is determined because the communicating party has generated two SAs, one after the other, to protect the same IP traffic. The second preferred embodiment mainly addresses the case where the conflict is determined when the communicating party receives a security association negotiation request message and finds that the negotiation process corresponding to that request conflicts with one already in progress.
[0056] The first preferred embodiment
[0057] This embodiment takes the situation described in Figure 2 as an example. Before the process of this embodiment is executed, a selection rule must be set in advance. The selection rule is used, when SAs conflict, to select and retain the same SA on both sides. The selection rule adopted in this embodiment is: retain the SA with the larger Cookie value; the selection parameter corresponding to this rule is the Cookie value. That is, when the SAs generated by the communicating parties conflict, each party retains the SA with the larger Cookie value. A Cookie is a random number used in the SA negotiation process.
[0058] Only the specific process of communicating party B is described here; the process of communicating party A is the same. The process is as shown in Figure 3:
[0059] Step 301: After communicating party B receives the final message of SA negotiation process A sent by communicating party A, it generates SA-B and finds that the previously generated SA-A and the new SA-B both protect the same IP traffic. It therefore determines that the newly generated SA-B conflicts.
[0060] Step 302: Communicating party B obtains the Cookies used in the SA negotiation processes corresponding to SA-B and SA-A. The Cookies from the negotiation that produced SA-B are called Cookies-B; those from the negotiation that produced SA-A are called Cookies-A.
[0061] Since both communicating parties generate a Cookie during an SA negotiation process, each SA negotiation process involves two Cookies, one from each party. Therefore, the Cookie value used in an SA negotiation process, as referred to in the present invention, is the sum of the Cookie values generated by both parties. Because a communicating party retains certain parameters used during SA negotiation, such as the Cookies, the initiator of the negotiation and the private-network information of the parties, it can find the corresponding Cookies from the SA alone and obtain the sum of the Cookies used in that negotiation.
[0062] Step 303: Compare Cookies-B with Cookies-A. If Cookies-B is larger than Cookies-A, communicating party B retains SA-B, which corresponds to Cookies-B; if Cookies-B is smaller than Cookies-A, communicating party B retains SA-A.
[0063] In this embodiment, a waiting threshold may further be set to distinguish SA conflicts caused by a soft timeout point being reached and an SA negotiation being initiated from SA conflicts caused by both communicating parties initiating SA negotiation almost simultaneously. When the conflict is caused by a negotiation initiated at the soft timeout point, the two conflicting SAs were generated far apart in time, so deleting the earlier SA causes no error. Hence the waiting threshold: when the difference between the generation times of the two conflicting SAs is greater than or equal to the waiting threshold, the conflict is attributed to the soft timeout point, and in that case the prior-art method is enough to keep matching SAs on both sides; when the difference is less than the waiting threshold, the conflict is attributed to the two parties initiating negotiation almost simultaneously, and the method of the present invention must be followed to ensure that both parties retain the matching SA.
[0064] The waiting threshold can be set according to the actual network environment and experience, and may be a period of several milliseconds. Accordingly, after it is determined in step 301 that the newly generated SA-B conflicts, the difference between the generation times of SA-B and SA-A is calculated and compared with the preset waiting threshold. If it is greater than or equal to the threshold, the conflict is attributed to the arrival of the soft timeout point; this case need not be handled specially, and the prior-art process is executed. Otherwise, go to step 302.
[0065] Different selection rules may also be used in this embodiment depending on where the two communicating parties are located. For example, when neither party is inside a private network, the selection can be made by the IP address corresponding to the SA: either the SA with the smaller source or destination IP address or the SA with the larger one may be chosen. When one of the two parties is inside a private network and the other is not, the SA generated by the negotiation initiated by the party inside the private network may be chosen.
[0066] Selection by IP address is applicable only when neither party is inside a private network, and retaining the SA initiated by the party inside the private network is applicable only when exactly one party is inside a private network. Therefore, when SAs conflict, the selection rule can first be determined from the current locations of the communicating parties, and the retained SA is then determined by that rule.
[0067] In addition, during SA negotiation the communicating parties perform NAT detection on each other and thereby learn where each party is located: whether both are inside a private network, one is, or neither is. Therefore, when SAs conflict, the selection rule can be determined from the locations established during SA negotiation.
[0068] Of course, because Cookie-based selection applies to any network location, the present invention may omit determining a selection rule by location and select directly by Cookies. When Cookies are used as the selection parameter, the selection rule is likewise to retain the SA with the larger Cookie value.
[0069] The method of this embodiment also applies whether the conflicting SAs are IKE SAs or IPsec SAs.
[0070] The second preferred embodiment
[0071] This embodiment first introduces the IPsec SA negotiation process. Assume communicating parties A and B, and that B sends A an IPsec SA negotiation request message for the IP traffic X to be protected. Here X serves as the name of the IP traffic: it uniquely identifies the traffic that A and B are currently protecting, and the IPsec SA negotiation process is uniquely determined by the SA classification information. The process executed by A is as shown in Figure 4 and includes the following steps:
[0072] Steps 401 to 402: A receives the IPsec SA negotiation request message sent by B for IP traffic X and, based on the received message, judges whether the IPsec SA negotiation process for IP traffic X conflicts. If so, go to step 403; otherwise, go to step 404.
[0073] Judging whether the IPsec SA negotiation for IP traffic X conflicts means that A judges whether it has itself initiated an IPsec SA negotiation process for IP traffic X toward B. Specifically, A takes the SA classification information carried in the IPsec SA negotiation request message B sent by B and checks whether any IPsec SA negotiation in progress has the same SA classification information. If one exists, A has already initiated another IPsec SA negotiation process for IP traffic X toward B, so the current negotiation for X conflicts: between A and B there are both IPsec SA negotiation process A, initiated by A, and IPsec SA negotiation process B, initiated by B. Otherwise there is no conflict, and the only IPsec SA negotiation for X between A and B is the one currently initiated by B.
[0074] Step 403: A retains one IPsec SA negotiation process for IP traffic X with B; or A suspends all IPsec SA negotiation processes for IP traffic X with B, and an IPsec SA negotiation process for IP traffic X is re-established between A and B. The processing flow ends.
[0075] Which IPsec SA negotiation process both parties retain, or which party re-initiates the IPsec SA negotiation for IP traffic X, can be determined according to a preset selection rule, so that both parties keep the same process or agree on the re-initiator.
[0076] The communicating parties may determine the retained IPsec SA negotiation process, or the initiator that re-initiates it, either immediately after the conflict in the IPsec SA negotiation for IP traffic X is determined, or after both conflicting IPsec SA negotiation processes have completed.
[0077] If the determination is made as soon as the conflict is found, the selection rule for retaining the same IPsec SA negotiation process can be: retain the IPsec SA negotiation process with the larger Cookie value, with the Cookies as the selection parameter. For choosing the party that restarts the negotiation, the rule can be: the party corresponding to the IPsec SA negotiation process with the larger Cookie value re-initiates the IPsec SA negotiation. The usage is the same as in the first preferred embodiment: the Cookie values of the two conflicting IPsec SA negotiation processes are obtained and then compared. The details are not repeated here.
[0078] If the determination is made after the two conflicting IPsec SA negotiation processes have completed, the selection rule can be chosen according to the locations of the communicating parties established during IPsec SA negotiation; the corresponding selection parameter is then obtained according to that rule, and the retained IPsec SA negotiation process, or the party that re-initiates the negotiation, is determined from the obtained parameter and the rule. Here too the determination can be made using only the Cookie value.
[0079] Step 404: The communicating party A negotiates the IPsec SA according to the normal process.
[0080] The process described above also applies to IKE SA negotiation.
[0081] In addition, because of the nature of the IKE SA, it exists to protect the second-phase IPsec SA negotiation; that is, the SA produced by IKE SA negotiation protects the multiple IPsec SA negotiation processes of the second phase. There can be only one IKE SA negotiation process between two communicating parties; if there are two, the parties' IKE SA negotiation processes conflict. Therefore, in the judgment of step 402 it is not necessary, as for an IPsec SA, to judge the conflict by all the parameters in the SA classification information; it suffices to judge by some of those parameters, chosen according to the specific network environment.
[0082] Since there is only one IKE SA negotiation process between two communicating parties, that process can be uniquely determined by the communicating party's IP address. In some environments, however, a communicating party inside a private network must communicate with the outside through the private network's NAT. When it sends or receives a message through the NAT, the source address of the message is translated to an IP address of the NAT, so in such environments the IKE SA negotiation process cannot be uniquely determined by the communicating party's IP address. The network environments of the two parties can accordingly be divided into three categories: neither party is inside a private network, one party is inside a private network, and both parties are inside a private network.
[0083] Conflict detection in IKE SA negotiation is described in detail below for these three situations.
[0084] When neither communicating party is inside a private network, or both are inside the same private network, a party performing IKE SA negotiation can judge whether the current IKE SA negotiation conflicts by the source IP address or the destination IP address in the SA classification information carried in the received IKE SA negotiation request message.
[0085] For example, if the SA identification information used by communicating party A is the source IP address, A obtains the source IP address of the SA negotiation request message sent by B, that is, B's IP address, and then searches its IKE SAs being negotiated for an IKE SA negotiation process whose destination IP address equals that source IP address. If one exists, the current IKE SA negotiation process conflicts; otherwise it does not.
[0086] When one or both of the communicating parties are inside a private network, the party's IP address can no longer uniquely identify an IKE SA negotiation process; where ports are statically allocated on the private network, the IP address together with the port can be used to uniquely identify an IKE SA negotiation process. Accordingly, the conflict can be judged by the source IP address and source port, or the destination IP address and destination port, in the SA classification information carried in the IKE SA negotiation request message. The judgment is similar to that using the source IP address and is not described in detail here.
[0087] In the invention, the SA classification information, the source IP address, the destination IP address, the source IP address with source port, or the destination IP address with destination port used to detect whether two SA negotiation processes conflict are collectively called SA identification information. SA identification information is used to identify whether two SA negotiation processes conflict.
[0088] In addition, since the prior art does not require the lifetimes of the SAs negotiated by the two communicating parties to be strictly equal, one party's SA may reach the end of its lifetime, so that the negotiated SA can no longer be used, while the other party's SA has not, and that party continues to send data to the peer with the same SA. This interrupts data communication between the two parties and wastes network resources.
[0089] The lifetime includes two timeout points, a hard timeout point and a soft timeout point. The hard timeout point is the end of the SA's lifetime: when an SA reaches its hard timeout point it becomes invalid, the communicating party can no longer use it to encrypt data, and it will not accept data encrypted with the expired SA. The soft timeout point is the time at which a standby SA is negotiated in advance: when the communicating party reaches the soft timeout point, it initiates SA negotiation so that, when the originally negotiated SA passes its hard timeout point, the standby SA can be used and data communication continues normally. The difference in SA lifetimes between the two parties mentioned above means that their hard timeout points and/or soft timeout points differ. In the prior art, the initiator of the SA negotiation usually initiates negotiation of the standby SA when its soft timeout point is reached; but if the responder's hard timeout point is earlier than the initiator's soft timeout point, the responder's SA has passed its lifetime while the initiator is still using it, which interrupts data communication between the parties.
[0090] To solve the interruption of communication caused by the differing lifetimes of the parties' SAs, both communicating parties can be set to initiate a standby SA negotiation toward the peer when their own soft timeout point is reached. In this case both parties initiate SA negotiation toward each other at almost the same time, and the SA negotiation method proposed by the present invention is all that is needed during negotiation to ensure that the parties negotiate the same SA.
[0091] Since the IKE protocol's negotiation includes both IKE SA and IPsec SA negotiation, and both types of SA have their own lifetimes, SA negotiation can be initiated when either the IKE SA or the IPsec SA reaches its soft timeout point.
[0092] The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection.
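The second embodiment's conflict check at request receipt (steps 401 to 404), together with the SA identification information of [0081]-[0087], as an added example that is not code from the patent or its assignee. The `Classification` record, the `NegotiationTable` class and the sample addresses and cookies are constructed; the example assumes the peer's cookie for our own pending negotiation is already known from its reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Classification:
    """SA classification information carried in a negotiation request (constructed fields)."""
    kind: str           # "ipsec" or "ike"
    src_ip: str
    dst_ip: str
    src_port: int = 500
    dst_port: int = 500
    traffic: str = ""   # name X of the protected IP traffic (IPsec only)


def sa_identity(c: Classification, remote_is_src: bool, nat_involved: bool) -> tuple:
    """Reduce classification info to the SA identification information of [0087].

    IPsec: the traffic selector X identifies the negotiation ([0073]).
    IKE:   the remote address does, since only one IKE SA exists per peer pair
           ([0081]-[0085]); when a peer sits behind NAT several hosts share the
           NAT's address, so the port is added as well ([0086]).
    """
    if c.kind == "ipsec":
        return ("ipsec", c.traffic)
    ip, port = (c.src_ip, c.src_port) if remote_is_src else (c.dst_ip, c.dst_port)
    return ("ike", ip, port) if nat_involved else ("ike", ip)


class NegotiationTable:
    """Negotiations this peer initiated and has not yet completed."""

    def __init__(self):
        self.pending = {}   # SA identity -> cookie sum of our own negotiation

    def initiate(self, c, my_cookie, peer_cookie, nat_involved=False):
        # We are the initiator, so the remote end is the destination in c.
        key = sa_identity(c, remote_is_src=False, nat_involved=nat_involved)
        self.pending[key] = my_cookie + peer_cookie

    def on_request(self, c, peer_cookie_i, peer_cookie_r, nat_involved=False) -> str:
        """Steps 401-404 for an incoming request whose source is the remote peer."""
        key = sa_identity(c, remote_is_src=True, nat_involved=nat_involved)
        if key not in self.pending:
            return "negotiate"        # step 404: no collision, run the normal exchange
        ours, theirs = self.pending[key], peer_cookie_i + peer_cookie_r
        if ours == theirs:
            raise ValueError("cookie sums tie; cannot decide symmetrically")
        # step 403 with the cookie rule of [0077]: keep the negotiation with the larger sum
        if ours > theirs:
            return "keep-mine"        # ignore the peer's request; ours continues
        del self.pending[key]
        return "keep-peer"            # drop our negotiation; answer the peer's request


# Constructed sample: A (public, 203.0.113.5) already started IPsec negotiation
# for traffic X with B, and an IKE negotiation toward a host behind NAT 203.0.113.7.
def demo() -> dict:
    a = NegotiationTable()
    a.initiate(Classification("ipsec", "203.0.113.5", "198.51.100.9", traffic="X"),
               my_cookie=0x0F00, peer_cookie=0x0100)
    a.initiate(Classification("ike", "203.0.113.5", "203.0.113.7", 500, 4500), 0x10, 0x20,
               nat_involved=True)
    return {
        # B's colliding request for X carries cookies summing to 0x12DF > 0x1000
        "ipsec_x": a.on_request(Classification("ipsec", "198.51.100.9", "203.0.113.5",
                                               traffic="X"), 0x1234, 0x00AB),
        "ipsec_y": a.on_request(Classification("ipsec", "198.51.100.9", "203.0.113.5",
                                               traffic="Y"), 0x1234, 0x00AB),
        # another host behind the same NAT: distinct only because the port is in the identity
        "ike_other_port": a.on_request(Classification("ike", "203.0.113.7", "203.0.113.5",
                                                      4501, 500), 0x01, 0x02, nat_involved=True),
        "ike_same_port": a.on_request(Classification("ike", "203.0.113.7", "203.0.113.5",
                                                     4500, 500), 0x01, 0x02, nat_involved=True),
    }
```

The `nat_involved` flag stands for the result of the NAT detection described in [0067] and must be the same on both sides, otherwise the two peers key their tables differently and the check is inconsistent.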