Disclosure of Invention
Therefore, to solve the above problems of conventional approaches to improving encryption performance, it is necessary to provide a DPDK data encryption processing method, a DPDK data encryption processing apparatus, a network device, and a computer-readable storage medium that can effectively reduce the cost of improving encryption performance.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
In one aspect, an embodiment of the present invention provides a DPDK data encryption processing method, including:
acquiring a message to be encrypted on a DPDK port;
classifying the messages according to the length of the messages to be encrypted, and enqueuing the messages to be encrypted to DPDK port queues with corresponding priorities according to classification results; the classification result comprises small packet data or big packet data, and the priority of the DPDK port queue corresponding to the small packet data is higher than the priority of the DPDK port queue corresponding to the big packet data;
performing SP scheduling on each DPDK port queue, and scheduling the messages to be encrypted in each DPDK port queue to each encryption queue; the encryption queue comprises at least two encryption queues, and the encryption threshold of the encryption queue for processing the small packet data is greater than the encryption threshold of the encryption queue for processing the large packet data;
and respectively carrying out unified encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue.
In one embodiment, when the classification result is small packet data, the step of classifying the messages according to the length of the messages to be encrypted and enqueuing the messages to be encrypted to the DPDK port queues of the corresponding priorities according to the classification result includes:
determining the small packet type of the message to be encrypted according to the length of the message to be encrypted; the small packet type comprises a first small packet and a second small packet, and the length of the first small packet is smaller than that of the second small packet;
and if the message to be encrypted is the first small packet, putting the message to be encrypted into the SP queue with the highest priority in the DPDK port queue.
In one embodiment, the steps of classifying the packet according to the length of the packet to be encrypted, and enqueuing the packet to be encrypted to the DPDK port queue of the corresponding priority according to the classification result further include:
and if the message to be encrypted is the second small packet, putting the message to be encrypted into the SP queue with the second-highest priority in the DPDK port queue.
In one embodiment, when the classification result is small packet data, the step of classifying the messages according to the length of the messages to be encrypted and enqueuing the messages to be encrypted to the DPDK port queues of the corresponding priorities according to the classification result includes:
determining the small packet type of the message to be encrypted according to the length of the message to be encrypted; the small packet types comprise a first small packet, a second small packet and a third small packet, and the lengths of the first small packet, the second small packet and the third small packet increase in that order;
and if the message to be encrypted is the first small packet, putting the message to be encrypted into the SP queue with the highest priority in the DPDK port queue.
In one embodiment, the steps of classifying the packet according to the length of the packet to be encrypted, and enqueuing the packet to be encrypted to the DPDK port queue of the corresponding priority according to the classification result further include:
and if the message to be encrypted is the second small packet, putting the message to be encrypted into the SP queue with the second-highest priority in the DPDK port queue.
In one embodiment, the steps of classifying the packet according to the length of the packet to be encrypted, and enqueuing the packet to be encrypted to the DPDK port queue of the corresponding priority according to the classification result further include:
and if the message to be encrypted is the third small packet, putting the message to be encrypted into the SP queue with the lowest priority in the DPDK port queue.
In one embodiment, the encryption queue comprises four encryption queues respectively corresponding to a first small packet, a second small packet, a third small packet and big packet data, the encryption threshold of each encryption queue is sequentially reduced, and the encryption threshold of the encryption queue corresponding to the big packet data is 1;
respectively carrying out unified encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue, wherein the step comprises the following steps:
and respectively combining the messages to be encrypted in each encryption queue according to the corresponding encryption threshold, and carrying out unified encryption processing by taking the corresponding encryption threshold as a unit.
In one embodiment, the step of performing unified encryption processing on the to-be-encrypted messages in each encryption queue according to the encryption threshold of each encryption queue includes:
if, when the set waiting time is over, the number of messages to be encrypted in an encryption queue for processing small packet data has not reached the corresponding encryption threshold, carrying out the encryption processing directly.
On the other hand, a DPDK data encryption processing apparatus is also provided, which includes:
the message acquisition module is used for acquiring a message to be encrypted on a DPDK port;
the message classification module is used for classifying messages according to the length of the messages to be encrypted and enqueuing the messages to be encrypted to DPDK port queues with corresponding priorities according to classification results; the classification result comprises small packet data or big packet data, and the priority of the DPDK port queue corresponding to the small packet data is higher than the priority of the DPDK port queue corresponding to the big packet data;
the message scheduling module is used for performing SP scheduling on each DPDK port queue and scheduling the messages to be encrypted in each DPDK port queue to each encryption queue; the encryption queue comprises at least two encryption queues, and the encryption threshold of the encryption queue for processing the small packet data is greater than the encryption threshold of the encryption queue for processing the large packet data;
and the encryption processing module is used for uniformly encrypting the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue.
In another aspect, a network device is further provided, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the DPDK data encryption processing method when executing the computer program.
In still another aspect, a computer-readable storage medium is provided, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the DPDK data encryption processing method described above.
One of the above technical solutions has the following advantages and beneficial effects:
According to the DPDK data encryption processing method, the DPDK data encryption processing apparatus and the network device, SP queues (also called SP-type scheduling queues) dedicated to small packet data are configured among the 8 port queues of the DPDK port, and big packet data is processed through the other, ordinary DPDK port queues. When the DPDK port receives a message to be encrypted, the message is classified according to its length: if it is determined to be small packet data, it is put into a high-priority SP queue, and if it is determined to be big packet data, it is put into one of the ordinary DPDK port queues, whose priority is lower than that of the SP queues. SP scheduling is performed on the DPDK port queues so that small packet data is scheduled first, and unified encryption is performed according to the set encryption thresholds. This reduces the delay of encrypting small packets after they are combined and reduces the CPU clock cycles consumed when encrypting small packet data, so the encryption performance of DPDK data is greatly improved while the service delay of small packet data is still guaranteed, and the line-speed performance requirement is met. The encryption processing capability and throughput for DPDK small packet data are thus effectively improved without adding device hardware, which effectively reduces the cost of improving encryption performance.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
It is to be noted that, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
In a wired communication network, line speed is an important measure of network data forwarding capability: a network device operates at line speed when it has sufficient capability to forward the smallest data packets at full speed. Taking Ethernet as an example, the minimum MAC frame is 64 bytes, and if the network device has a wire-speed forwarding capability of 1G, about 148.8 ten thousand packets must be forwarded per second. If the message is 1518 bytes, only about 8.1 million messages need to be processed. That is, the wire-speed requirement for small packet data (e.g. 64-byte messages) is much higher than that for big packet data (e.g. 1518-byte messages).
According to official Intel data, a single 3.6G CPU core can process 64-byte packet data at 90 mbps, that is, about 9 million packets are forwarded every second, with each packet consuming 80 cycles; this figure covers forwarding only and involves no other logic processing. On the surface, DPDK can therefore meet the line-speed requirement for network data forwarding. In practice, however, network devices using DPDK need to implement various communication protocols and network functions. After a data packet enters the network device, various logic processing, such as packet parsing and classification, packet filtering, route lookup, packet compression, and packet encryption and decryption, must be performed according to the type of network service, and all of this processing consumes a large number of CPU clock cycles. In application scenarios where network data security matters, data encryption and decryption are necessary, core network functions; common encryption algorithms such as AES, DES, RSA and DSA all require complex logic operations, so CPU clock cycle consumption rises sharply, up to thousands of CPU clock cycles. Therefore, if 64-byte small packet network data (also called packet data) is encrypted in a DPDK-based network device, the line-speed performance requirement cannot be met at all, and additional device hardware, for example multiple cores or an encryption accelerator card (such as a multiple network card), is required to share the computational burden of encryption with the CPU. However, improving encryption performance by adding device hardware may greatly increase the cost of the network device.
Aiming at the defects of the encryption performance improving mode in the network equipment based on the DPDK technology, the application provides the following technical scheme:
Referring to FIG. 1, in an embodiment, a DPDK data encryption processing method is provided, which is described below taking a network device based on the DPDK technology as an example. The DPDK data encryption processing method includes the following steps S12 to S18:
S12, acquiring the message to be encrypted on the DPDK port.
It can be understood that the packet to be encrypted is network data received by a port of a DPDK module (i.e., the aforementioned DPDK port) in the network device. In practical application, the DPDK port is correspondingly provided with 8 queues for storing packets to be encrypted of different service types in the data stream received by the DPDK port. The network device may receive an external network data stream through a port of the DPDK module to obtain each input packet to be encrypted.
S14, classifying the messages according to the length of the messages to be encrypted, and enqueuing the messages to be encrypted to DPDK port queues with corresponding priorities according to the classification result. The classification result comprises small packet data or big packet data, and the priority of the DPDK port queue corresponding to the small packet data is higher than the priority of the DPDK port queue corresponding to the big packet data.
It can be understood that the messages to be encrypted of different service types can be divided into two message types, i.e., small packet data or large packet data, according to the size of the byte length of the messages to be encrypted, for example, the messages to be encrypted having a byte length in the interval of 64 bytes to 512 bytes are uniformly classified into small packet data, and the messages to be encrypted having a byte length greater than 512 bytes are uniformly classified into large packet data, that is, two types in total. For packet data, classification with finer granularity can be performed according to the performance improvement degree required in practical application, for example, but not limited to, each message to be encrypted with a byte length in a range from 64 bytes to 512 bytes is divided into two, three or four types of packet data.
If each message to be encrypted with the byte length in the interval of 64 bytes to 255 bytes is classified into one type of packet data, and each message to be encrypted with the byte length in the interval of 256 bytes to 512 bytes is classified into another type of packet data, each message to be encrypted in the network data flow can be totally classified into three types by adding large packet data, and the granularity of the message classification is finer than that of the classification modes of the two types. Correspondingly, each message to be encrypted with the byte length of 64-127 bytes can be divided into one type of packet data, each message to be encrypted with the byte length of 128-255 bytes can be divided into another type of packet data, and each message to be encrypted with the byte length of 256-512 bytes can be divided into the last type of packet data; thus, by adding the large packet data, each message to be encrypted in the network data stream can be totally divided into four types, and the granularity of the message classification is finer than that of the three types of classification modes. The division of the four types of packet data can be understood in the same way. The finer the granularity of packet classification is, the higher the degree of enhancement of the encryption performance achieved by the subsequent processing steps is, and the minimum classification granularity that can be achieved specifically can be determined by the processing capability that can be supported by the hardware of the network device itself.
In each DPDK port queue, a part of the DPDK port queues may be configured as a queue (i.e., SP queue) of an SP (Strict Priority) scheduling type in advance, and the queue is used as a dedicated queue for small packet data, and large packet data is put into other common DPDK port queues as usual. It can be understood that in practical application, if the packet data is only classified into one type, the configured SP queue may be one; if the packet data is divided into two types, the number of the configured SP queues can be two; if the packet data is divided into three types, the number of the configured SP queues can be three, and the shorter the byte length of the packet data is, the higher the priority of the SP queue for storing the packet data is, so as to preferentially ensure the scheduling of the packet data and ensure the control of the bandwidth and delay of the packet data. For the classification mode with finer granularity, the configuration number and the priority setting mode of the SP queues can be understood in the same way.
Specifically, for any message to be encrypted in the network data stream, the classification result of the message to be encrypted may be determined according to the byte length of the message to be encrypted, that is, the byte length of the message to be encrypted is compared and determined with the set byte interval, so as to determine the byte interval in which the length of the message to be encrypted is located, and thus the message to be encrypted is classified into the category corresponding to the located byte interval. And if the classification result of the message to be encrypted is large packet data, enqueuing the message to be encrypted to a common DPDK port queue (the priority of the queue is lower than that of the SP queue). And if the classification result of the message to be encrypted is packet data, enqueuing the message to be encrypted into a dedicated DPDK port queue, namely, an SP queue.
S16, SP scheduling is carried out on each DPDK port queue, and the messages to be encrypted in each DPDK port queue are respectively scheduled to each encryption queue. The encryption queue comprises at least two encryption queues, and the encryption threshold of the encryption queue for processing the small packet data is larger than the encryption threshold of the encryption queue for processing the large packet data.
It can be understood that the number of encryption queues configured by the encryption module in the network device can be determined according to the number of packet classifications, so as to meet the requirement of respectively and uniformly encrypting different types of packets to be encrypted. If messages to be encrypted of different service types are divided into two types, namely big packet data and small packet data according to the size of the byte length of the messages, the number of encryption queues configured by the encryption module is two, one encryption queue is used for processing the encryption of the small packet data, and the other encryption queue is used for processing the encryption of the big packet data. For another example, when the packet data is divided into two or more types, the number of the encryption queues configured by the encryption module may be three or more, so as to respectively meet the encryption processing requirements of different types of messages to be encrypted. Each encryption queue has its own encryption threshold for determining a trigger node for the encryption queue to perform unified encryption processing each time, that is, when the number of messages to be encrypted scheduled from the DPDK port queue to the encryption queue reaches the encryption threshold, performing encryption processing once to uniformly encrypt the same number of messages to be encrypted at the encryption threshold.
The encryption threshold may be determined from the upper limit of the byte-length interval used in the message classification: the encryption threshold is the ratio of 1518 bytes to the upper limit of the byte-length interval, taken as an integer. The encryption threshold of an encryption queue for processing small packet data is therefore larger than that of the encryption queue for processing big packet data, which is usually 1. That is, each big packet is encrypted individually, while small packets are combined according to the encryption threshold and each group of that many small packets is encrypted in one unified operation. The effect is equivalent to encrypting big packet data, which greatly reduces the CPU (Central Processing Unit) clock cycles consumed by small packet data, so the encryption performance of DPDK small packet data is improved while the service delay of small packet data is still guaranteed, and the required line-speed capability is achieved.
Specifically, according to the SP scheduling principle, when each type of packet to be encrypted in each DPDK port queue is scheduled to each corresponding encryption queue for encryption processing, the packet data in the SP queue is scheduled first, that is, the scheduling is started from the DPDK port queue with the highest priority. And when the DPDK port queue with the highest priority is empty, sending the message to be encrypted in the DPDK port queue with the next highest priority, and scheduling in this order. And the SP scheduling strategy is adopted to schedule the packet data, so that the bandwidth of the packet data can be preferentially ensured, the time delay is reduced to the maximum extent, and the delay caused by combined encryption of the next-stage encryption threshold is offset.
And S18, respectively carrying out uniform encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue.
It can be understood that the encryption thresholds of different encryption queues are different, and in each encryption queue, the messages to be encrypted in the queue are combined and then are subjected to unified encryption processing according to the encryption threshold of each encryption queue. The encryption algorithm used in the encryption processing process is any one of encryption algorithms commonly used in the art, and may be specifically determined according to a specific encryption algorithm configuration of the network device.
Specifically, the network device may perform uniform encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue. Taking the example that the message types are divided into small packet data and large packet data, the encryption threshold of an encryption queue 1 for processing the small packet data is 2, the encryption threshold of an encryption queue 2 for processing the large packet data is 1, every two messages to be encrypted are uniformly encrypted in the encryption queue 1, and each message to be encrypted is independently encrypted in the encryption queue 2. Taking three types of messages which are divided into big packet data and two types of small packet data as an example, the encryption threshold of an encryption queue 1 for processing the small packet data with the minimum byte length is 5, the encryption threshold of an encryption queue 2 for processing the other type of small packet data with the large byte length is 2, the encryption threshold of an encryption queue 3 for processing the big packet data is 1, every five messages to be encrypted are uniformly encrypted in the encryption queue 1, every two messages to be encrypted are uniformly encrypted in the encryption queue 2, and each message to be encrypted is independently encrypted in the encryption queue 3.
The unified encryption processing under other classification modes can be understood in the same way. In the process of uniformly encrypting the message to be encrypted in each encryption queue, the network device may schedule each encryption queue by using a common average scheduling algorithm and a polling method.
In the above DPDK data encryption processing method, SP queues (also called SP-type scheduling queues) dedicated to small packet data are configured among the 8 port queues of the DPDK port, and big packet data is processed through the other, ordinary DPDK port queues. When the DPDK port receives a message to be encrypted, the message is classified according to its length: if it is determined to be small packet data, it is put into a high-priority SP queue, and if it is determined to be big packet data, it is put into one of the ordinary DPDK port queues, whose priority is lower than that of the SP queues. SP scheduling is performed on the DPDK port queues so that small packet data is scheduled first, and unified encryption is performed according to the set encryption thresholds. This reduces the delay of encrypting small packets after they are combined and reduces the CPU clock cycles consumed when encrypting small packet data, so the encryption performance of DPDK data is greatly improved while the service delay of small packet data is still guaranteed, and the line-speed performance requirement is met. The encryption processing capability and throughput for DPDK small packet data are thus effectively improved without adding device hardware, which effectively reduces the cost of improving encryption performance.
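Steps S12 to S18 and the waiting-time rule can be traced in a small plain-C model. This is an added example, not code from the patent and not DPDK API calls; it uses the four-class intervals given above. The names, the queue depth, the tick unit and the truncating division for the threshold are assumptions, and the cipher itself is not modelled (only the number of cipher calls and the batch sizes are recorded).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAME 1518u  /* frame size the page divides by to get thresholds */
#define NCLASS    4      /* first/second/third small packet + big packet data */
#define QCAP      64     /* assumed queue depth for this model */

/* Interval upper bounds from the four-class embodiment: 64-127, 128-255,
 * 256-512 bytes, then big packet data. Index 0 = highest SP priority. */
static const unsigned upper[NCLASS] = {127, 255, 512, MAX_FRAME};

struct fifo { unsigned len[QCAP]; size_t head, count; };
struct encq { unsigned pending, bytes; uint64_t first_tick; };
struct model {
    struct fifo port[NCLASS];   /* DPDK port queues, one per class */
    struct encq enc[NCLASS];    /* encryption queues, one per class */
    unsigned crypto_calls, packets_done, timeout_flushes, max_batch_bytes;
    int first_class_served;     /* class that SP scheduling dequeued first */
    uint64_t max_wait;          /* set waiting time in ticks (assumed unit) */
};

/* S14: map a frame length to its class by comparing against the intervals. */
static int classify(unsigned len) {
    for (int c = 0; c < NCLASS - 1; c++)
        if (len <= upper[c]) return c;
    return NCLASS - 1;
}

/* Threshold = integer part of 1518 / upper bound (truncation is assumed). */
static unsigned threshold(int cls) { return MAX_FRAME / upper[cls]; }

/* S12 + S14: receive one frame and enqueue it on the port queue of its class. */
static int rx(struct model *m, unsigned len) {
    struct fifo *q = &m->port[classify(len)];
    if (q->count == QCAP) return -1;           /* full: caller must drop */
    q->len[(q->head + q->count++) % QCAP] = len;
    return 0;
}

/* S18: one cipher call per batch; the cipher itself is not modelled. */
static void flush(struct model *m, int cls, int timed_out) {
    struct encq *e = &m->enc[cls];
    if (e->pending == 0) return;
    m->crypto_calls++;
    m->packets_done += e->pending;
    if (timed_out) m->timeout_flushes++;
    if (e->bytes > m->max_batch_bytes) m->max_batch_bytes = e->bytes;
    e->pending = e->bytes = 0;
}

/* S16: strict priority. Each iteration restarts at class 0, so a queue is
 * served only while every higher-priority port queue is empty. */
static void schedule(struct model *m, uint64_t now) {
    for (;;) {
        int cls = 0;
        while (cls < NCLASS && m->port[cls].count == 0) cls++;
        if (cls == NCLASS) return;             /* all port queues drained */
        struct fifo *q = &m->port[cls];
        struct encq *e = &m->enc[cls];
        if (m->first_class_served < 0) m->first_class_served = cls;
        if (e->pending++ == 0) e->first_tick = now;   /* batch starts waiting */
        e->bytes += q->len[q->head];
        q->head = (q->head + 1) % QCAP;
        q->count--;
        if (e->pending >= threshold(cls)) flush(m, cls, 0);
    }
}

/* Timeout path: encrypt a partial batch once the set waiting time is over. */
static void expire(struct model *m, uint64_t now) {
    for (int c = 0; c < NCLASS; c++)
        if (m->enc[c].pending && now - m->enc[c].first_tick >= m->max_wait)
            flush(m, c, 1);
}

/* Constructed traffic: big packets arrive first, then mixed small packets. */
static struct model run_demo(void) {
    struct model m;
    memset(&m, 0, sizeof m);
    m.first_class_served = -1;
    m.max_wait = 10;
    for (int i = 0; i < 3; i++)  rx(&m, 1500);
    for (int i = 0; i < 2; i++)  rx(&m, 400);
    for (int i = 0; i < 5; i++)  rx(&m, 200);
    for (int i = 0; i < 14; i++) rx(&m, 64);
    schedule(&m, 0);   /* 14 x 64 B = one full batch of 11, 3 left pending */
    expire(&m, 5);     /* waiting time not over: nothing flushed */
    expire(&m, 10);    /* waiting time over: the partial batch is encrypted */
    return m;
}

int main(void) {
    struct model m = run_demo();
    printf("packets=%u calls=%u timeout_flushes=%u max_batch=%uB\n", m.packets_done,
           m.crypto_calls, m.timeout_flushes, m.max_batch_bytes);
    return 0;
}
```

With thresholds derived this way, a full batch of small packets never exceeds 1518 bytes, which is why the combined small packets cost roughly one big-packet cipher call.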
Referring to FIG. 2, in an embodiment, when the classification result is small packet data, the step S14 may specifically include the following processing steps S142 and S144:
S142, determining the small packet type of the message to be encrypted according to the length of the message to be encrypted; the small packet type includes a first small packet and a second small packet, and the length of the first small packet is smaller than the length of the second small packet.
It can be understood that, in this embodiment, the packet data may be specifically divided into two types, and therefore, together with the large packet data, the obtained message to be encrypted may be divided into three message types in total: a first small packet, a second small packet, and a large packet of data. The dividing manner of the first small packet and the second small packet may be determined according to the byte length of the packet data that needs to be preferentially guaranteed in practical application, for example, but not limited to, dividing each message to be encrypted, whose byte length is in a range of 64 bytes to 255 bytes, into the first small packet, and dividing each message to be encrypted, whose byte length is in a range of 256 bytes to 512 bytes, into the second small packet. Or dividing each message to be encrypted with the byte length of 64 bytes to 127 bytes into first small packets, and dividing each message to be encrypted with the byte length of 128 bytes to 512 bytes into second small packets.
Specifically, when the network device performs packet classification, it may determine whether the packet to be encrypted is the first packet or the second packet according to comparison between the byte length of the packet to be encrypted and the set byte length interval.
S144, if the message to be encrypted is the first small packet, putting the message to be encrypted into the SP queue with the highest priority in the DPDK port queue.
It can be understood that two of the DPDK port queues may be configured as SP queues, where the SP queue with the highest priority stores the messages to be encrypted that belong to the first small packet type, and the SP queue with the second highest priority stores the messages to be encrypted that belong to the second small packet type. The bandwidth of messages of the first small packet type is thus guaranteed first, then the bandwidth of messages of the second small packet type, and finally the bandwidth of the big packet data, which reduces the delay of the queues holding small packet data.
Specifically, when the network device determines that the packet type of the currently acquired packet to be encrypted is the first packet, the packet to be encrypted is placed in the SP queue with the highest priority. Therefore, in the subsequent SP scheduling process, the first small packet with the shortest byte length is scheduled preferentially, the second small packet is scheduled, and the data of the large packet is scheduled finally, so that the bandwidth of the first small packet and the bandwidth of the second small packet can be guaranteed preferentially, and the time delay is reduced.
By the processing steps, the packet data is divided into the first packet and the second packet, so that the granularity of packet classification can be further refined, the encryption processing capability of the DPDK packet data can be effectively improved, and the throughput of the packet data can be improved.
In an embodiment, as shown in FIG. 2, the step S14 may specifically include the following processing step S146:
S146, if the message to be encrypted is the second small packet, the message to be encrypted is placed into the SP queue with the next highest priority in the DPDK port queue.
Specifically, when the network device determines that the packet type of the currently acquired packet to be encrypted is the second packet, the packet to be encrypted is placed in the SP queue with the next highest priority, and the enqueue processing of the second packet is completed. Therefore, in the subsequent SP scheduling process, the first small packet with the shortest byte length is scheduled preferentially, the second small packet is scheduled, and the data of the large packet is scheduled finally, so that the bandwidth of the first small packet and the bandwidth of the second small packet can be guaranteed preferentially, and the time delay is reduced.
By the processing steps, the packet data is divided into the first packet and the second packet, so that the granularity of packet classification can be further refined, the encryption processing capability of the DPDK packet data can be effectively improved, and the throughput of the packet data can be improved.
Referring to FIG. 3, in an embodiment, when the classification result is small packet data, the step S14 may specifically include the following processing steps S141 and S143:
S141, determining the small packet type of the message to be encrypted according to the length of the message to be encrypted. The small packet type includes a first small packet, a second small packet, and a third small packet, and the lengths of the first small packet, the second small packet, and the third small packet increase in that order.
It can be understood that, in this embodiment, the above-mentioned small packet data may be specifically divided into three types, and therefore, together with the above-mentioned large packet data, the obtained message to be encrypted may be divided into four message types in total: a first small packet, a second small packet, a third small packet and a big packet. The dividing manner of the first small packet, the second small packet and the third small packet may be determined according to the byte length of the packet data that needs to be preferentially guaranteed in practical application, for example, each message to be encrypted, the byte length of which is in an interval of 64 bytes to 127 bytes, is divided into the first small packet, each message to be encrypted, the byte length of which is in an interval of 128 bytes to 255 bytes, is divided into the second small packet, and each message to be encrypted, the byte length of which is in an interval of 256 bytes to 512 bytes, is divided into the third small packet.
Specifically, when performing packet classification, the network device may determine whether the packet to be encrypted is the first packet, the second packet, or the third packet according to a comparison between the byte length of the packet to be encrypted and the set byte length interval.
S143, if the message to be encrypted is the first packet, the message to be encrypted is placed into the SP queue with the highest priority in the DPDK port queue.
It can be understood that three of the DPDK port queues may be configured as SP queues: the SP queue with the highest priority stores the messages to be encrypted that belong to the first small packet type, the SP queue with the second-highest priority stores those that belong to the second small packet type, and the SP queue with the lowest priority stores those that belong to the third small packet type. In this way, bandwidth is guaranteed preferentially in the order of the first small packet type, the second small packet type, the third small packet type, and finally the large packet data, which further reduces the delay of the queues holding small packet data.
Specifically, when the network device determines that the packet type of the currently acquired packet to be encrypted is the first packet, the packet to be encrypted is placed in the SP queue with the highest priority. Therefore, in the subsequent SP scheduling process, the first small packet with the shortest byte length is scheduled preferentially, then the second small packet is scheduled, then the third small packet is scheduled, and finally the data of the big packet is scheduled, so that the bandwidths of the first small packet, the second small packet and the third small packet can be guaranteed preferentially, and the time delay is reduced more finely.
Through the above processing steps, data of the first small packet can be scheduled in preference to data of the second small packet and of the third small packet. Dividing the small packet data into three specific types (the first, second and third small packets) further refines the granularity of message classification, effectively improves the encryption processing capability for DPDK small packet data, and further improves the throughput of small packet data.
In an embodiment, as shown in fig. 3, step S14 may specifically further include the following processing step S145:
S145, if the message to be encrypted is the second small packet, placing the message to be encrypted into the SP queue with the second-highest priority in the DPDK port queue.
Specifically, when the network device determines that the packet type of the currently acquired packet to be encrypted is the second packet, the packet to be encrypted is placed in the SP queue with the next highest priority, and the enqueue processing of the second packet is completed. Therefore, in the subsequent SP scheduling process, the first small packet with the shortest byte length is scheduled preferentially, then the second small packet is scheduled, then the third small packet is scheduled, and finally the data of the big packet is scheduled, so that the bandwidths of the first small packet, the second small packet and the third small packet can be guaranteed preferentially, and the time delay is reduced.
Through the above processing steps, data of the second small packet can be scheduled in preference to data of the third small packet and of the large packet. Dividing the small packet data into three specific types (the first, second and third small packets) further refines the granularity of message classification, effectively improves the encryption processing capability for DPDK small packet data, and further improves the throughput of small packet data.
In an embodiment, as shown in fig. 3, step S14 may specifically further include the following processing step S147:
S147, if the message to be encrypted is the third small packet, placing the message to be encrypted into the SP queue with the lowest priority in the DPDK port queue.
Specifically, when the network device determines that the packet type of the currently acquired packet to be encrypted is the third packet, the packet to be encrypted is placed in the SP queue with the lowest priority, and the enqueue processing of the third packet is completed. Therefore, in the subsequent SP scheduling process, the first small packet with the shortest byte length is scheduled preferentially, then the second small packet is scheduled, then the third small packet is scheduled, and finally the data of the big packet is scheduled, so that the bandwidths of the first small packet, the second small packet and the third small packet can be guaranteed preferentially, and the time delay is reduced.
Through the processing steps, data of a third small packet can be scheduled in preference to data of a large packet, granularity of message classification is further refined, data encryption processing capacity of the DPDK small packet can be effectively improved, and throughput of the small packet data is further improved.
To illustrate the enqueue processing more intuitively, fig. 4 is a schematic diagram of the message classification process under four packet types, and fig. 5 is a schematic diagram of the SP scheduling process under four packet types. Specifically, after receiving a message to be encrypted, a DPDK port first classifies and enqueues it according to its length. If the length is within the interval of 64 bytes to 127 bytes, the message is determined to be a first small packet and is placed into the port queue with priority 7 (i.e. the SP queue with priority 7). If the length is within the interval of 128 bytes to 255 bytes, the message is determined to be a second small packet and is placed into the port queue with priority 6 (i.e. the SP queue with priority 6). If the length is within the interval of 256 bytes to 512 bytes, the message is determined to be a third small packet and is placed into the port queue with priority 5 (i.e. the SP queue with priority 5). If the length is greater than 512 bytes, the message is determined to be large packet data and is placed into one of the other ordinary DPDK port queues.
In the SP scheduling process, the SP scheduling strategy schedules the data in the queues strictly in order of priority from high to low, and data in a lower-priority queue is sent only when the higher-priority queues are empty. According to this principle, the first small packet data with a length of 64 bytes to 127 bytes in the SP queue with priority 7 is scheduled first, and then the second small packet data with a length of 128 bytes to 255 bytes in the SP queue with priority 6 is scheduled; after the SP queue with priority 6 is empty, the third small packet data with a length between 256 bytes and 512 bytes in the SP queue with priority 5 is scheduled. Scheduling the small packet data with the SP strategy guarantees the bandwidth of the small packet data preferentially, reduces the time delay to the greatest extent, and addresses the delay introduced by the combined encryption of small packet data at the next stage.
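The length-based classification and SP scheduling described above can be modelled in a short C program. This is an added example, not code from the patent: it uses plain arrays rather than DPDK APIs, and the queue capacity, priority 0 for the ordinary large-packet queue, and the treatment of frames shorter than 64 bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Port-queue priorities from the example in the text (7, 6, 5). The priority
 * of the ordinary queue for large packets is not given; 0 is an assumption. */
enum { PRIO_SMALL1 = 7, PRIO_SMALL2 = 6, PRIO_SMALL3 = 5, PRIO_LARGE = 0 };
enum { NUM_PRIO = 8, QCAP = 64 };   /* QCAP is an assumed queue capacity */

struct pkt { uint32_t id; uint16_t len; };

/* One fixed-size FIFO ring per priority level (a model, not a DPDK ring). */
struct port {
    struct pkt q[NUM_PRIO][QCAP];
    size_t head[NUM_PRIO], count[NUM_PRIO];
};

/* Map a frame length to a port-queue priority using the intervals in the text.
 * Frames shorter than 64 bytes are not covered by the text; treating them as
 * first small packets is an assumption. */
int classify_len(uint16_t len)
{
    if (len <= 127) return PRIO_SMALL1;   /* 64..127 bytes  */
    if (len <= 255) return PRIO_SMALL2;   /* 128..255 bytes */
    if (len <= 512) return PRIO_SMALL3;   /* 256..512 bytes */
    return PRIO_LARGE;                    /* > 512 bytes    */
}

/* Classify and enqueue; returns the chosen priority, or -1 if that queue is full. */
int port_enqueue(struct port *p, struct pkt k)
{
    int prio = classify_len(k.len);
    if (p->count[prio] == QCAP) return -1;
    size_t tail = (p->head[prio] + p->count[prio]) % QCAP;
    p->q[prio][tail] = k;
    p->count[prio]++;
    return prio;
}

/* Strict-priority dequeue: always serve the highest non-empty priority.
 * Returns 1 and fills *out, or 0 when every queue is empty. */
int sp_dequeue(struct port *p, struct pkt *out)
{
    for (int prio = NUM_PRIO - 1; prio >= 0; prio--) {
        if (p->count[prio] == 0) continue;
        *out = p->q[prio][p->head[prio]];
        p->head[prio] = (p->head[prio] + 1) % QCAP;
        p->count[prio]--;
        return 1;
    }
    return 0;
}

/* Enqueue the lengths in lens[], then drain with SP scheduling. Writes the
 * arrival index of each packet, in service order, to order[]. */
size_t sp_service_order(const uint16_t *lens, size_t n, uint32_t *order)
{
    struct port p = {0};
    struct pkt k;
    size_t served = 0;
    for (size_t i = 0; i < n; i++) {
        k.id = (uint32_t)i;
        k.len = lens[i];
        port_enqueue(&p, k);
    }
    while (sp_dequeue(&p, &k))
        order[served++] = k.id;
    return served;
}

int main(void)
{
    /* Constructed arrival sequence of frame lengths in bytes. */
    const uint16_t lens[] = { 1500, 300, 64, 200, 100, 512, 513 };
    uint32_t order[7];
    size_t n = sp_service_order(lens, 7, order);
    for (size_t i = 0; i < n; i++)
        printf("served #%u (%u bytes, priority %d)\n", (unsigned)order[i],
               (unsigned)lens[order[i]], classify_len(lens[order[i]]));
    return 0;
}
```

With strict priority, large packets are served only once all three SP queues are empty, so their latency depends on the small-packet load.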
Referring to fig. 6, in one embodiment, the encryption queue includes four encryption queues respectively corresponding to the first small packet, the second small packet, the third small packet and the large packet data. The encryption thresholds of the encryption queues decrease in sequence and the encryption threshold of the encryption queue corresponding to the large packet data is 1. As for the above step S18, the following processing step S182 may be included:
S182, combining the messages to be encrypted in each encryption queue according to the corresponding encryption threshold, and carrying out unified encryption processing with the corresponding encryption threshold as a unit.
Specifically, the network device combines respective messages to be encrypted in the encryption queues according to respective encryption thresholds of the encryption queues, so as to form respective combined messages with the respective encryption thresholds as unit lengths, and performs uniform encryption processing on the respective combined messages. For example: fig. 7 is a schematic diagram of an encryption queue under four encryption queues. The encryption module sets four encryption queues, and each queue sets a different encryption number threshold value (namely, encryption threshold). The encryption threshold value of the encryption queue 0 is 10, the encryption threshold value of the encryption queue 1 is 5, the encryption threshold value of the encryption queue 2 is 2, and the encryption threshold value of the encryption queue 3 is 1. Thus, in the encryption queue 0, every 10 small packets of data are uniformly encrypted; in the encryption queue 1, uniformly encrypting every 5 small packet data; in the encryption queue 2, uniformly encrypting every 2 small packet data; in the encryption queue 3, each large packet data is individually encrypted.
Through the above message combination and unified encryption, small packet data can be combined and then encrypted, that is, the small packet data is converted into large packet data for encryption. This reduces the consumption of CPU resources, improves the encryption performance for DPDK small packet data, meets the required line-rate capability, and improves the throughput of a small-packet network.
Referring to fig. 8, in an embodiment, step S18 may include the following processing step S183:
S183, if the set waiting time has elapsed and the number of messages to be encrypted in an encryption queue that processes small packet data has not reached the corresponding encryption threshold, directly performing encryption processing.
It can be understood that the set waiting time is a merge-time threshold (also referred to as drain time) configured for an encryption queue that processes small packet data, and it can be implemented with a timer already present in the network device. When there are multiple encryption queues, for example the two, three, or four encryption queues described above, one, two, or three set waiting times are configured correspondingly. The set waiting time may differ between the encryption queues that process small packet data, and its specific value may be determined according to the small packet traffic (i.e., the number of small packets) in each encryption queue, as long as it effectively avoids large network delay when small packet traffic is low.
Specifically, in practical applications, the network device may configure a set waiting time for each encryption queue that processes small packet data. For any such encryption queue, if the number of small packets (i.e. messages to be encrypted) in the queue does not reach the corresponding encryption threshold within the set waiting time, the network device may perform encryption directly and uniformly encrypt all currently scheduled small packet data as a whole, which prevents large network delay when small packet traffic is extremely low.
Through the processing steps, the occurrence of large network delay of data can be effectively avoided in the unified encryption processing process of the packet data, so that the encryption performance of the DPDK packet data is further improved.
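The threshold-based merging of step S182 and the set waiting time of step S183 can be modelled as follows. This is an added example, not code from the patent: the cipher call is left outside the model, and the tick unit, the drain value of 100 ticks, and starting the timer at the first packet of a batch are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

enum { NUM_ENCQ = 4 };

/* Encryption thresholds from the text: encryption queues 0..3 -> 10, 5, 2, 1. */
static const unsigned ENC_THRESHOLD[NUM_ENCQ] = { 10, 5, 2, 1 };

struct enc_queue {
    unsigned threshold;     /* packets merged into one encryption operation  */
    uint64_t drain_ticks;   /* set waiting time (unit and value are assumed) */
    unsigned pending;       /* packets waiting to be merged                  */
    uint64_t first_tick;    /* arrival tick of the oldest pending packet     */
    unsigned full_batches;  /* batches released because the threshold hit    */
    unsigned timed_batches; /* partial batches released by the timer         */
};

void encq_init(struct enc_queue q[NUM_ENCQ], uint64_t drain_ticks)
{
    for (int i = 0; i < NUM_ENCQ; i++) {
        q[i] = (struct enc_queue){ .threshold = ENC_THRESHOLD[i],
                                   .drain_ticks = drain_ticks };
    }
}

/* Release everything pending as one batch. The cipher call itself is outside
 * this model; the return value is the number of packets it would cover. */
static unsigned encq_release(struct enc_queue *q, int timed)
{
    unsigned n = q->pending;
    if (timed) q->timed_batches++; else q->full_batches++;
    q->pending = 0;
    return n;
}

/* A packet arrives at tick `now` (ticks must be monotonic). Returns the batch
 * size if the threshold was reached and the batch released, otherwise 0. */
unsigned encq_add(struct enc_queue *q, uint64_t now)
{
    if (q->pending == 0) q->first_tick = now;  /* assumed: timer starts here */
    q->pending++;
    return q->pending >= q->threshold ? encq_release(q, 0) : 0;
}

/* Timer check at tick `now`. Releases a partial batch once the oldest packet
 * has waited drain_ticks; returns its size, or 0 if nothing was released. */
unsigned encq_poll(struct enc_queue *q, uint64_t now)
{
    if (q->pending == 0 || now - q->first_tick < q->drain_ticks) return 0;
    return encq_release(q, 1);
}

int main(void)
{
    struct enc_queue q[NUM_ENCQ];
    encq_init(q, 100);                  /* constructed drain time of 100 ticks */
    for (uint64_t t = 0; t < 3; t++)
        encq_add(&q[1], t);             /* only 3 of the 5 packets arrive */
    printf("poll at tick 50  releases %u packets\n", encq_poll(&q[1], 50));
    printf("poll at tick 100 releases %u packets\n", encq_poll(&q[1], 100));
    return 0;
}
```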
It should be understood that, although the steps in the flowcharts of fig. 1 to 3, fig. 6 and fig. 8 are shown in sequence as indicated by the arrows, the steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least some of the steps in fig. 1 to 3, fig. 6 and fig. 8 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Referring to fig. 9, in an embodiment, a DPDK data encryption processing apparatus 100 is further provided, which includes a packet obtaining module 11, a packet classifying module 13, a packet scheduling module 15, and an encryption processing module 17. The message obtaining module 11 is configured to obtain a message to be encrypted on a DPDK port. The message classification module 13 is configured to classify messages according to the lengths of the messages to be encrypted, and enqueue the messages to be encrypted to DPDK port queues of corresponding priorities according to classification results; the classification result comprises small packet data or big packet data, and the priority of the DPDK port queue corresponding to the small packet data is higher than the priority of the DPDK port queue corresponding to the big packet data. The message scheduling module 15 is configured to perform SP scheduling on each DPDK port queue, and schedule the to-be-encrypted messages in each DPDK port queue to each encryption queue; the encryption queue comprises at least two encryption queues, and the encryption threshold of the encryption queue for processing the small packet data is larger than the encryption threshold of the encryption queue for processing the large packet data. The encryption processing module 17 is configured to perform unified encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue.
Through the cooperation of its modules, the DPDK data encryption processing apparatus 100 classifies each message to be encrypted received on a DPDK port according to the message length, places the message into a high-priority SP queue when it is determined to be small packet data, and places it into another ordinary DPDK port queue with a lower priority than the SP queues when it is determined to be large packet data. SP scheduling is performed on the DPDK port queues so that the small packet data is scheduled preferentially, and unified encryption is performed according to the set encryption thresholds. This reduces the delay of encryption after small packets are combined and reduces the CPU clock cycles consumed when encrypting small packet data, so that the encryption performance for DPDK data is greatly improved while the service delay of small packet data is guaranteed, and the line-rate performance requirement is met. The encryption processing capability for DPDK small packet data is therefore effectively improved and the throughput of small packet data is increased without adding device hardware, which effectively reduces the cost of improving encryption performance.
In an embodiment, when the classification result is small packet data, the message classification module 13 may be specifically configured to determine the small packet type of the message to be encrypted according to the length of the message to be encrypted, where the small packet type includes a first small packet and a second small packet and the length of the first small packet is smaller than that of the second small packet; and to place the message to be encrypted into the SP queue with the highest priority in the DPDK port queue when the message to be encrypted is the first small packet.
In an embodiment, when the classification result is small packet data, the message classification module 13 may be further configured to, when the message to be encrypted is the second small packet, place the message to be encrypted into the SP queue with the second-highest priority in the DPDK port queue.
In an embodiment, when the classification result is small packet data, the message classification module 13 may be further configured to determine the small packet type of the message to be encrypted according to the length of the message to be encrypted, where the small packet types include a first small packet, a second small packet and a third small packet whose lengths increase in sequence; and to place the message to be encrypted into the SP queue with the highest priority in the DPDK port queue when the message to be encrypted is the first small packet.
In an embodiment, when the classification result is small packet data, the message classification module 13 may be further configured to, when the message to be encrypted is the second small packet, place the message to be encrypted into the SP queue with the second-highest priority in the DPDK port queue.
In an embodiment, when the classification result is small packet data, the message classification module 13 may be further configured to, when the message to be encrypted is the third small packet, place the message to be encrypted into the SP queue with the lowest priority in the DPDK port queue.
In one embodiment, the encryption queue includes four encryption queues respectively corresponding to the first small packet, the second small packet, the third small packet and the big packet data, the encryption threshold of each encryption queue decreases sequentially and the encryption threshold of the encryption queue corresponding to the big packet data is 1. The encryption processing module 17 may be specifically configured to combine the messages to be encrypted in each encryption queue according to the corresponding encryption threshold, and perform unified encryption processing with the corresponding encryption threshold as a unit.
In an embodiment, the encryption processing module 17 may be further configured to directly perform encryption processing when the set waiting time has elapsed and the number of messages to be encrypted in an encryption queue that processes small packet data has not reached the corresponding encryption threshold.
For specific limitations of the DPDK data encryption processing apparatus 100, reference may be made to the corresponding limitations of the DPDK data encryption processing method in the above description, and details are not described here again. The modules in the DPDK data encryption processing apparatus 100 may be implemented in whole or in part by software, hardware, or a combination thereof. The modules can be embedded in a hardware form or independent of a processor in the network device, or can be stored in a memory in the network device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a network device is also provided, such as but not limited to a microwave station device or a network element device in an ethernet for point-to-point communication. The network device comprises a memory and a processor, the memory stores a computer program, and the processor realizes the following steps when executing the computer program: acquiring a message to be encrypted on a DPDK port; classifying the messages according to the length of the messages to be encrypted, and enqueuing the messages to be encrypted to DPDK port queues with corresponding priorities according to classification results; the classification result comprises small packet data or big packet data, and the priority of the DPDK port queue corresponding to the small packet data is higher than the priority of the DPDK port queue corresponding to the big packet data; performing SP scheduling on each DPDK port queue, and scheduling the messages to be encrypted in each DPDK port queue to each encryption queue; the encryption queue comprises at least two encryption queues, and the encryption threshold of the encryption queue for processing the small packet data is greater than the encryption threshold of the encryption queue for processing the large packet data; and respectively carrying out unified encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue.
Those skilled in the art can understand that the network device in this embodiment may include other components besides the memory and the processor, which may be determined according to the structural components of the network device and the functions implemented in the network device in practical application, and the description in this specification is not repeated.
In an embodiment, the processor, when executing the computer program, may further implement the additional steps or sub-steps in the above-mentioned embodiments of the DPDK data encryption processing method.
In one embodiment, there is also provided a computer readable storage medium having a computer program stored thereon, the computer program when executed by a processor implementing the steps of: acquiring a message to be encrypted on a DPDK port; classifying the messages according to the length of the messages to be encrypted, and enqueuing the messages to be encrypted to DPDK port queues with corresponding priorities according to classification results; the classification result comprises small packet data or big packet data, and the priority of the DPDK port queue corresponding to the small packet data is higher than the priority of the DPDK port queue corresponding to the big packet data; performing SP scheduling on each DPDK port queue, and scheduling the messages to be encrypted in each DPDK port queue to each encryption queue; the encryption queue comprises at least two encryption queues, and the encryption threshold of the encryption queue for processing the small packet data is greater than the encryption threshold of the encryption queue for processing the large packet data; and respectively carrying out unified encryption processing on the messages to be encrypted in each encryption queue according to the encryption threshold of each encryption queue.
In an embodiment, the computer program, when executed by the processor, may further implement the additional steps or sub-steps of the above-mentioned DPDK data encryption processing method in various embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of these technical features are described, but any combination should be considered within the scope of this specification as long as the combined features do not contradict one another. The above examples show only some embodiments of the present invention, and although their description is specific and detailed, they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.