
CN115664773A - Message processing method, device, storage medium and program product - Google Patents


Info

Publication number: CN115664773A
Authority: CN (China)
Prior art keywords: data packet, encrypted, information, encrypted data, sent
Prior art date
Legal status: Pending
Application number: CN202211289296.4A
Other languages: Chinese (zh)
Inventor: 房若民
Current Assignee: Beijing Volcano Engine Technology Co Ltd
Original Assignee: Beijing Volcano Engine Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Volcano Engine Technology Co Ltd
Priority to CN202211289296.4A
Publication of CN115664773A
Current legal status: Pending

Landscapes: Data Exchanges In Wide-Area Networks

Abstract

An embodiment of the disclosure provides a message processing method, device, storage medium and program product. A virtual switch on a cloud compute node encrypts a data packet according to security association information sent to it in advance by a virtual private network gateway and forwards the encrypted packet to that gateway; the gateway fills in the message information, encapsulates the encrypted packet into a complete target message and sends the target message to the target customer gateway. The compute capacity of each compute node is thereby put to use, the VPN gateway no longer performs the encryption itself, the performance bottleneck of the VPN gateway when it serves many virtual switches is removed, and message delivery is preserved.

Description

Message processing method, device, storage medium and program product

Technical field

Embodiments of the present disclosure relate to the technical fields of computer and network communication and of cloud computing, and in particular to a message processing method, device, storage medium and program product.

Background

A virtual private network (VPN) establishes a private network over a public network for encrypted communication. It uses a VPN gateway to encrypt packets and translate their destination addresses, or uses tunnelling, to provide remote access. A VPN can be implemented with servers, hardware, software and other means. IPsec VPN is a VPN technology that uses IPsec (Internet Protocol Security) to provide remote access.

When IPsec VPN is implemented in the cloud, the compute nodes connect to the IPsec VPN gateway through a virtual switch. Packets sent outward by each virtual machine (VM) on a compute node are forwarded by the virtual switch to the IPsec VPN gateway, which encrypts them to produce the message and then sends it to the target gateway.

In the existing cloud scenario the VMs on the compute nodes are numerous, generate heavy traffic and are widely distributed, so the IPsec VPN gateway comes under growing pressure when it has to produce a large volume of encrypted messages, and its performance requirements are high.

Summary

Embodiments of the present disclosure provide a message processing method, device, storage medium and program product that reduce the load on the IPsec VPN gateway and avoid its performance bottleneck.

In a first aspect, an embodiment of the present disclosure provides a message processing method comprising:

receiving an encrypted data packet sent by a virtual switch of a cloud compute node, where the encrypted data packet was encrypted by the virtual switch according to Internet Protocol Security (IPsec) security association information, and the security association information was sent to the virtual switch in advance;

filling the encrypted data packet with message information and encapsulating it into a complete target message; and

sending the target message to a target customer gateway.

In a second aspect, an embodiment of the present disclosure provides a message processing method comprising:

receiving, from a virtual machine of a cloud compute node, a data packet to be sent;

determining, according to the encryption policy in the IPsec security association information, whether the data packet needs to be encrypted and, if it does, encrypting it with the key in the security association information to obtain an encrypted data packet, where the security association information was sent in advance by the cloud IPsec-based virtual private network gateway; and

sending the encrypted data packet to the virtual private network gateway, so that the gateway fills it with message information, encapsulates it into a complete target message and sends it to the target customer gateway.

In a third aspect, an embodiment of the present disclosure provides a message processing device comprising:

a receiving unit for receiving an encrypted data packet sent by a virtual switch of a cloud compute node, where the encrypted data packet was encrypted by the virtual switch according to IPsec security association information, and the security association information was sent to the virtual switch in advance;

a processing unit for filling the encrypted data packet with message information and encapsulating it into a complete target message; and

a sending unit for sending the target message to a target customer gateway.

In a fourth aspect, an embodiment of the present disclosure provides a message processing device comprising:

a receiving unit for receiving, from a virtual machine of a cloud compute node, a data packet to be sent;

a processing unit for determining, according to the encryption policy in the IPsec security association information, whether the data packet needs to be encrypted and, if it does, encrypting it with the key in the security association information to obtain an encrypted data packet, where the security association information was sent in advance by the cloud IPsec-based virtual private network gateway; and

a sending unit for sending the encrypted data packet to the virtual private network gateway, so that the gateway fills it with message information, encapsulates it into a complete target message and sends it to the target customer gateway.

In a fifth aspect, an embodiment of the present disclosure provides an electronic device comprising at least one processor and a memory;

the memory stores computer-executable instructions; and

the at least one processor executes the computer-executable instructions stored in the memory, causing it to perform the message processing method of the first aspect and its possible designs, or of the second aspect and its possible designs.

In a sixth aspect, an embodiment of the present disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the message processing method of the first aspect and its possible designs, or of the second aspect and its possible designs.

In a seventh aspect, an embodiment of the present disclosure provides a computer program product comprising computer-executable instructions which, when executed by a processor, implement the message processing method of the first aspect and its possible designs, or of the second aspect and its possible designs.

In the message processing method, device, storage medium and program product provided by these embodiments, the virtual switch of a cloud compute node encrypts data packets according to the security association information sent to it in advance by the virtual private network gateway and forwards them to the gateway; the gateway fills the encrypted packet with message information, encapsulates it into a complete target message and sends the target message to the target customer gateway. The compute capacity of every compute node is put to use, the VPN gateway no longer performs encryption itself, the performance bottleneck of the gateway in deployments with many virtual switches is removed, and message delivery is preserved.

Description of drawings

To explain the technical solutions of the embodiments of the present disclosure or of the prior art more clearly, the drawings needed for describing them are briefly introduced below. Clearly the drawings described below show only some embodiments of the present disclosure; a person of ordinary skill in the art can derive other drawings from them without creative effort.

Figure 1a is an example architecture for implementing IPsec VPN in the cloud in the prior art;

Figure 1b is a schematic diagram of data encryption and encapsulation by an IPsec VPN gateway in the prior art;

Figure 2 is a flow diagram of a message processing method provided by an embodiment of the present disclosure;

Figure 3 is a flow diagram of a message processing method provided by another embodiment of the present disclosure;

Figure 4 is a flow diagram of a message processing method provided by another embodiment of the present disclosure;

Figure 5 is a signalling diagram of a message processing method provided by an embodiment of the present disclosure;

Figure 6 is a structural block diagram of a message processing device provided by an embodiment of the present disclosure;

Figure 7 is a structural block diagram of a message processing device provided by another embodiment of the present disclosure;

Figure 8 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present disclosure.

Detailed description

To make the purpose, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Clearly the embodiments described are only some of the embodiments of the present disclosure, not all of them. All other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of the present disclosure.

A virtual private network (VPN) establishes a private network over a public network for encrypted communication. It uses a VPN gateway to encrypt packets and translate their destination addresses, or uses tunnelling, to provide remote access. A VPN can be implemented with servers, hardware, software and other means. IPsec VPN is a VPN technology that uses IPsec (Internet Protocol Security) to provide remote access, where IPsec is a protocol suite (a set of interrelated protocols) that protects IP traffic by encrypting and authenticating IP packets.

IPsec consists mainly of the following protocols:

1. Authentication Header (AH), which provides connectionless integrity, data-origin authentication and anti-replay protection for IP datagrams;

2. Encapsulating Security Payload (ESP), which provides confidentiality, data-origin authentication, connectionless integrity, anti-replay protection and limited traffic-flow confidentiality;

3. Internet Key Exchange (IKE, or IKEv2), which negotiates the algorithms, packet parameters and keying material of the security associations (SAs) that AH and ESP operate under.

When IPsec VPN is implemented in the cloud the architecture is as shown in Figure 1a: each compute node (e.g. compute node 1, compute node 2) contains a virtual switch and the virtual machines (VMs) of several VPCs (Virtual Private Clouds); the VPCs (e.g. VPC1, VPC2) are isolated from one another, the VMs of each VPC attach to the virtual switch, and the virtual switch connects to the IPsec VPN gateway in the cloud.

A packet sent outward by any VM on a compute node is forwarded by the virtual switch to the IPsec VPN gateway, which encrypts and encapsulates it into a message according to the IPsec SA negotiated with the target customer gateway and then sends the message to the target customer gateway (itself also an IPsec VPN gateway).

IPsec VPN in the cloud normally uses the ESP protocol in tunnel mode. Figure 1b shows how the IPsec VPN gateway encrypts and encapsulates a packet: the unencrypted packet is on the left and the ESP-encrypted message on the right; that is, the gateway encrypts the packet (grey area) and adds the ESP header (in particular the ESP Sequence Number) and the ESP trailer.

In the existing cloud scenario the VMs in the VPCs on the compute nodes are numerous, generate heavy traffic and are widely distributed, so the IPsec VPN gateway comes under growing pressure when it has to produce a large volume of encrypted messages, and its performance requirements are high.

To solve this technical problem the present disclosure provides a message processing method in which the virtual switch of a cloud compute node encrypts data packets according to the IPsec SA sent to it in advance by the IPsec VPN gateway and forwards them to the gateway; the gateway fills the encrypted packet with message information, encapsulates it into a complete target message and sends the target message to the target customer gateway. The compute capacity of every compute node is put to use, the IPsec VPN gateway no longer performs encryption itself, the performance bottleneck of the gateway in deployments with many virtual switches is removed, and message delivery is preserved.

The message processing method of the present disclosure is described in detail below with reference to specific embodiments.

Figure 2 is a flow diagram of a message processing method provided by an embodiment of the present disclosure. The method of this embodiment can be applied in an IPsec VPN gateway in the cloud (a virtual private network gateway based on Internet Protocol Security), and comprises:

S201. Receive an encrypted data packet sent by a virtual switch of a cloud compute node, where the encrypted data packet was encrypted by the virtual switch according to the IPsec SA, and the IPsec SA was sent to the virtual switch in advance by the IPsec VPN gateway.

In this embodiment the IPsec VPN gateway first negotiates with the target customer gateway (itself a VPN gateway) to establish the IPsec SA; specifically, the SA can be established through IPsec's Internet Key Exchange (IKE or IKEv2). The SA includes the encryption policy, the keys and so on. The encryption policy determines which traffic must be encrypted under the SA; for example, traffic from 192.168.1.0/24 to 172.16.1.0/24 must be encrypted with key K1. The IPsec VPN gateway then sends the IPsec SA to the virtual switches of the cloud compute nodes connected to it. Optionally, to protect this information, the gateway first establishes an encrypted connection with the virtual switch, for example an SSH (Secure Shell) connection, and sends the IPsec SA over that connection.

When the virtual switch needs to send a data packet to the target customer gateway, it checks the packet against the encryption policy in the IPsec SA to decide whether it needs to be encrypted. If it does, the virtual switch encrypts the packet with the key in the IPsec SA to obtain an encrypted data packet; specifically, it applies ESP encryption to the packet using that key. The virtual switch then sends the encrypted data packet to the IPsec VPN gateway. Having received a data packet that is already encrypted under the IPsec SA, the gateway does not need to run the IPsec SA encryption step and can skip encryption processing.

Optionally, since not every data packet matches the encryption policy in the IPsec SA, the data packet the IPsec VPN gateway receives may be one already encrypted under the IPsec SA or one that is still unencrypted. To tell them apart, the virtual switch can add an identifier to each data packet it has encrypted under the IPsec SA, indicating that the packet is already encrypted under that SA. When the IPsec VPN gateway receives a data packet and recognises the identifier, it can conclude that the packet is already encrypted under the IPsec SA and skip the encryption processing.

S202. Fill the encrypted data packet with message information and encapsulate it into a complete target message.

In this embodiment the IPsec VPN gateway can, starting from the data packet already encrypted under the IPsec SA, fill in the remaining message information, including but not limited to the message header and trailer, and so encapsulate the encrypted data packet into a complete target message.

Optionally, the encrypted data packet can be filled with the ESP header (in particular the ESP sequence number) and the ESP trailer, and tunnel encapsulation is done using the VPN gateway's public IP address.

S203. Send the target message to the target customer gateway.

In this embodiment, after the IPsec VPN gateway has encapsulated the complete target message it sends the target message to the target customer gateway, which completes the data transfer from the cloud compute node to the target customer gateway.

In the message processing method of this embodiment, the virtual switch of a cloud compute node encrypts data packets according to the IPsec SA sent to it in advance by the IPsec VPN gateway and forwards them to the gateway; the gateway fills the encrypted packet with message information, encapsulates it into a complete target message and sends the target message to the target customer gateway. The compute capacity of every compute node is put to use, the IPsec VPN gateway no longer performs encryption itself, the performance bottleneck of the gateway in deployments with many virtual switches is removed, and message delivery is preserved.
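The S201 to S203 flow above, with the vSwitch-side policy check and identifier and the fallback in which the gateway encrypts a packet itself, as an added Python example written for this page; it is not code from the patent or from Volcano Engine. Two points the description leaves implicit are built in, because a practitioner has to get them right for the split to interoperate with an ordinary IPsec peer. First, under RFC 4303 the ESP trailer (padding, pad length, next header) lies inside the ciphertext, so whoever encrypts must append it, while the ESP header (SPI and sequence number) is covered by the integrity check value (ICV); here the vSwitch therefore encrypts payload plus trailer, and the gateway assigns the sequence number, computes the ICV with the SA's integrity key and prepends the outer IP header, which also means the gateway keeps the SA keys and every vSwitch that receives the SA holds the tunnel's encryption key, so the SSH channel used to push it must authenticate both ends. Second, the sequence number is assigned in exactly one place, otherwise the peer's anti-replay check drops traffic. Assumptions: an HMAC-SHA256 counter-mode keystream stands in for AES (real stacks use AES-GCM or AES-CBC), HMAC-SHA256-128 is the integrity transform, the 7-byte vSwitch-to-gateway metadata header (flag, SA id, plaintext length) is a constructed stand-in for the VXLAN-carried identifier the page describes in a later embodiment, IP checksums are left at zero, and all addresses, keys and SA parameters are made up.

```python
"""Added example (not the patent's code): ESP output processing split between a
vSwitch (encryption) and the IPsec VPN gateway (header, ICV, outer IP), plus the
peer customer gateway's checks. Stand-ins: HMAC-SHA256 counter-mode keystream
instead of AES, HMAC-SHA256-128 as the integrity transform; all names, addresses,
keys and the vSwitch->gateway metadata header are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass

ESP_PROTO = 50                  # IP protocol number of ESP
ICV_LEN = 16                    # HMAC-SHA256-128 truncation, as in RFC 4868
META = struct.Struct("!BIH")    # constructed metadata: flag, SA id, plaintext length
FLAG_ENCRYPTED = 0x01           # the page's identifier: "already encrypted under SA sa_id"


@dataclass
class SecurityAssociation:
    sa_id: int
    spi: int
    src_sel: ipaddress.IPv4Network   # encryption policy: traffic selectors
    dst_sel: ipaddress.IPv4Network
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                     # ESP sequence number; only the gateway advances it
    last_seen: int = 0               # peer-side anti-replay state (window of 1, for brevity)


def make_sa(sa_id, spi, src_cidr, dst_cidr, enc_key, auth_key):
    return SecurityAssociation(sa_id, spi, ipaddress.ip_network(src_cidr),
                               ipaddress.ip_network(dst_cidr), enc_key, auth_key)


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def select_sa(sas, ip_packet):
    """Policy check: the first SA whose selectors cover the inner packet's addresses."""
    src, dst = ipaddress.IPv4Address(ip_packet[12:16]), ipaddress.IPv4Address(ip_packet[16:20])
    return next((sa for sa in sas if src in sa.src_sel and dst in sa.dst_sel), None)


def keystream(key, iv, n):
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def esp_encrypt(sa, inner, next_header=4, iv=None):
    """Encrypt inner packet plus RFC 4303 trailer (padding, pad length, next header=IPv4).
    The trailer sits inside the ciphertext, so the encrypting party must add it."""
    pad_len = (-(len(inner) + 2)) % 4
    pt = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = iv or os.urandom(8)
    return iv + bytes(a ^ b for a, b in zip(pt, keystream(sa.enc_key, iv, len(pt))))


def vswitch_egress(sas, inner):
    """vSwitch side: encrypt traffic that matches the policy and tag it; pass the rest through."""
    sa = select_sa(sas, inner)
    if sa is None:
        return META.pack(0, 0, len(inner)) + inner
    return META.pack(FLAG_ENCRYPTED, sa.sa_id, len(inner)) + esp_encrypt(sa, inner)


def gateway_egress(sas, frame, outer_src, outer_dst):
    """S201-S203: skip encryption when tagged; otherwise encrypt as in S301. Returns the
    complete tunnel-mode packet, or None if the traffic is not covered by any SA."""
    flag, sa_id, _ = META.unpack_from(frame)
    body = frame[META.size:]
    if flag & FLAG_ENCRYPTED:
        sa = next(s for s in sas if s.sa_id == sa_id)
    else:
        sa = select_sa(sas, body)
        if sa is None:
            return None
        body = esp_encrypt(sa, body)
    sa.seq += 1                                    # single point of sequence-number assignment
    esp_hdr = struct.pack("!II", sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4(outer_src, outer_dst, ESP_PROTO, esp_hdr + body + icv)


def customer_gateway_ingress(sas, packet):
    """Peer side: verify the ICV over header and payload, reject replays, decrypt, strip trailer."""
    esp = packet[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = next(s for s in sas if s.spi == spi)
    expected = hmac.new(sa.auth_key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(esp[-ICV_LEN:], expected):
        raise ValueError("bad ICV")
    if seq <= sa.last_seen:
        raise ValueError("replayed sequence number")
    sa.last_seen = seq
    iv, ct = esp[8:16], esp[16:-ICV_LEN]
    pt = bytes(a ^ b for a, b in zip(ct, keystream(sa.enc_key, iv, len(ct))))
    return pt[:len(pt) - pt[-2] - 2]               # drop padding, pad length and next header
```

Typical use: build an SA with `make_sa(1, 0x1000, "192.168.1.0/24", "172.16.1.0/24", enc_key, auth_key)`, pass an inner packet from `ipv4(...)` through `vswitch_egress`, then through `gateway_egress`, and feed the result to `customer_gateway_ingress` with the same SA list; a frame whose flag byte is zero makes the gateway run the policy check and encrypt the packet itself, which is the behaviour the later S301 embodiment relies on before it has pushed the SA to that vSwitch.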

Building on the above embodiment: when the IPsec VPN gateway establishes an encrypted connection with a virtual switch and sends the IPsec SA over it, several cloud compute nodes may be connected to the gateway, so there may be several virtual switches. In this embodiment the IPsec VPN gateway can send the IPsec SA to the virtual switches of all cloud compute nodes connected to it, or only to the virtual switches of those compute nodes that actually need to send data packets to the target customer gateway. Specifically, as shown in Figure 3, establishing the encrypted connection with the virtual switch and sending the IPsec SA over it may comprise:

S301. Receive a data packet to be encrypted from the virtual switch, encrypt it according to the IPsec SA, encapsulate it into a complete target message and send it to the target customer gateway.

In this embodiment, once the IPsec VPN gateway holds the IPsec SA it can distribute it to virtual switches on demand, which requires the gateway to first determine which virtual switches need to send data packets to the target customer gateway. When the gateway receives from any virtual switch a data packet, still to be encrypted, that is destined for the target customer gateway, it first checks the packet against the encryption policy in the IPsec SA. If the packet needs encryption, the gateway concludes that this virtual switch needs to send data packets to the target customer gateway. For now the gateway takes on the encryption itself: it encrypts the packet according to the IPsec SA, encapsulates it into a complete target message and sends it to the target customer gateway (see the above embodiment).

Optionally, the virtual switch can apply VXLAN (Virtual Extensible LAN) encapsulation to the data packet before sending it to the IPsec VPN gateway; the gateway then removes the VXLAN encapsulation first, and only then encrypts the packet according to the IPsec SA, encapsulates it into a complete target message and sends it to the target customer gateway.

S302. Based on the data packet to be encrypted, look up the virtual switch information.

In this embodiment the virtual switch information can include information about the compute node on which the virtual switch runs. The IPsec VPN gateway can query the VPC controller for the compute node hosting the virtual switch that sent the packet; the VPC controller stores the information about every compute node and the virtual switches it contains.

S303. Establish an encrypted connection with the virtual switch according to the virtual switch information, and send the IPsec SA to the virtual switch over that connection.

In this embodiment the IPsec VPN gateway can establish an encrypted connection with the virtual switch according to the virtual switch information and send the IPsec SA over it. From then on that virtual switch takes over encryption under the IPsec SA, and the IPsec VPN gateway only needs to fill in the message information and encapsulate the complete target message, which relieves the load on the gateway.

Building on any of the above embodiments, after encryption the virtual switch can encapsulate the encrypted data packet; optionally it applies VXLAN encapsulation, looks up the VPC routing table and sends the packet to the IPsec VPN gateway, which removes the VXLAN encapsulation before filling the encrypted packet with message information. In addition, when the virtual switch adds the identifier to an encrypted data packet as in the above embodiment, the identifier can be placed in the VXLAN encapsulation format.

On the basis of any of the above embodiments, according to one mechanism of the IPSec protocol, the IPSec SA information expires after it has been used to encrypt a certain amount of data (the preset encryption length threshold). Because the same IPSec SA information may be used by different virtual switches to encrypt data, and the IPSec VPN gateway, when it receives an encrypted data packet from a virtual switch, cannot tell directly from the packet how much data the virtual switch has encrypted with that IPSec SA information, in this embodiment the virtual switch, after encrypting the data packet to be sent with the IPSec SA information, may add to the encrypted data packet the length of the data packet to be sent (that is, the length of the encrypted data), and may also add identification information of the IPSec SA information (different IPSec SA information may have different preset encryption length thresholds; the identification information may be the number or name of the IPSec SA information, etc.). After the IPSec VPN gateway receives the encrypted data packet sent by the virtual switch, it can accumulate the lengths of the encrypted data carried in the encrypted data packets encrypted with that IPSec SA information to obtain the cumulative length of the encrypted data, and compare the cumulative length with the preset encryption length threshold corresponding to the IPSec SA information. If the cumulative length of the encrypted data exceeds the preset encryption length threshold, the IPSec SA information has expired, and the IPSec VPN gateway performs the negotiation process with the target customer gateway again to determine updated security association information.

Optionally, the length of the encrypted data and the identification information of the security association information carried in the encrypted data packet may also be added in the VXLAN encapsulation format.

On the basis of any of the above embodiments, according to another mechanism of the IPSec protocol, the IPSec SA information, and in particular the key in it, has a certain lifetime; once the lifetime is exceeded it expires, and the IPSec VPN gateway must negotiate with the target customer gateway again to update the IPSec SA information. If the IPSec VPN gateway determines that the IPSec SA information has been updated, it sends the updated IPSec SA information to the virtual switch through the encrypted connection. The IPSec SA information can also be destroyed, for example when the connection between the IPSec VPN gateway and the target customer gateway is torn down. If the IPSec VPN gateway determines that the IPSec SA information has been destroyed, it sends an instruction to delete the IPSec SA information to the virtual switch through the encrypted connection, so that the virtual switch deletes the stored IPSec SA information.

Referring to FIG. 4, FIG. 4 is a schematic flowchart of a message processing method provided by an embodiment of the present disclosure. The method of this embodiment can be applied in a virtual switch of a cloud computing node, and the message processing method includes:

S401. Receive a data packet to be sent from a virtual machine of the cloud computing node.

In this embodiment, when a virtual machine in a VPC of the cloud computing node needs to send a data packet to the target customer gateway, it sends the data packet to be sent to the virtual switch of that cloud computing node.

S402. According to the encryption policy in the IPSec SA information, determine whether the data packet to be sent needs to be encrypted; if it does, encrypt the data packet to be sent with the key in the IPSec SA information to obtain an encrypted data packet, where the IPSec SA information was sent to the virtual switch in advance by the IPSec VPN gateway.

In this embodiment, the IPSec VPN gateway negotiates with the target customer gateway in advance to determine the IPSec SA information, and sends the IPSec SA information to the virtual switch of the cloud computing node connected to the IPSec VPN gateway. Optionally, an encrypted connection can be established between the virtual switch and the IPSec VPN gateway, and the IPSec SA information sent by the VPN gateway is received through that encrypted connection.

When the virtual switch needs to send a data packet to the target customer gateway, it can check the packet against the encryption policy in the IPSec SA information to determine whether the data packet to be sent needs to be encrypted. If it does, the virtual switch encrypts the data packet to be sent with the key in the IPSec SA information to obtain an encrypted data packet; specifically, it performs ESP encryption on the data packet to be sent using the key in the IPSec SA information.

S403. Send the encrypted data packet to the IPSec VPN gateway, so that the IPSec VPN gateway fills the encrypted data packet with message information, encapsulates it into a complete target message, and sends it to the target customer gateway.

In this embodiment, the virtual switch sends the encrypted data packet to the IPSec VPN gateway, and the IPSec VPN gateway can execute the method embodiment on the IPSec VPN gateway side described above, which is not repeated here.

On the basis of the above embodiment, optionally, the virtual switch can add an identifier to an encrypted data packet that has been encrypted according to the IPSec SA information, indicating that the packet has been so encrypted. After the IPSec VPN gateway receives the packet, if it recognizes that the packet carries the identifier, it can determine that the packet has already been encrypted according to the IPSec SA information and skip the encryption process.

On the basis of any of the above embodiments, after the virtual switch encrypts the data packet to be sent with the IPSec SA information, it may add to the encrypted data packet the length of the data packet to be sent (that is, the length of the encrypted data), and may also add identification information of the IPSec SA information (which may be the number or name of the IPSec SA information, etc.). After receiving the encrypted data packet sent by the virtual switch, the IPSec VPN gateway can then accumulate the lengths of the encrypted data carried in the encrypted data packets encrypted with that IPSec SA information to obtain the cumulative length of the encrypted data, and compare it with the preset encryption length threshold corresponding to the IPSec SA information. If the cumulative length of the encrypted data exceeds the preset encryption length threshold, the IPSec SA information has expired, and the IPSec VPN gateway performs the negotiation process with the target customer gateway again to determine updated security association information.
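The byte-count expiry mechanism described here and in the gateway-side passage above, as an added Python simulation that is not part of the patent: the virtual switch attaches a flag, an SA identifier and the encrypted length to each packet (the byte layout is an assumption), and the gateway accumulates per-SA lengths, renegotiates once the preset threshold is exceeded, pushes the new SA to the switch, and refuses packets that name an unknown or already-expired SA (a defensive check this example adds). The cipher is a stand-in for ESP, not a real one.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Optional

# Constructed metadata record that the virtual switch attaches alongside the
# VXLAN encapsulation. The patent only says the flag, SA identifier and
# encrypted length "can be added in the VXLAN encapsulation format"; this
# byte layout is an assumption made for the example.
#   flags   : 1 byte, bit 0 set = already encrypted by the virtual switch
#   sa_id   : 4 bytes, identifier of the IPSec SA information used
#   enc_len : 4 bytes, length of the data that was encrypted
META_FMT = "!BII"
META_LEN = struct.calcsize(META_FMT)
FLAG_ENCRYPTED = 0x01


@dataclass
class SaInfo:
    sa_id: int
    key: bytes
    byte_limit: int           # preset encryption length threshold for this SA
    encrypted_bytes: int = 0  # cumulative length accumulated by the gateway
    seq: int = 0              # placeholder ESP sequence counter
    expired: bool = False


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP encryption (SHA-256 keystream XOR, self-inverse).
    Not a real cipher; it only lets the example run on the standard library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def vswitch_send(sa: SaInfo, payload: bytes) -> bytes:
    """Virtual switch side (S402/S403 and S509): encrypt under the pushed SA,
    then attach the flag, SA identifier and encrypted length for the gateway."""
    meta = struct.pack(META_FMT, FLAG_ENCRYPTED, sa.sa_id, len(payload))
    return meta + toy_encrypt(sa.key, payload)


def legacy_packet(sa_id: int, payload: bytes) -> bytes:
    """Virtual switch before it holds any SA (S503): the packet is forwarded
    unencrypted, so the flag is clear and the gateway must encrypt it."""
    return struct.pack(META_FMT, 0, sa_id, 0) + payload


@dataclass
class Gateway:
    """IPSec VPN gateway side: per-SA byte accounting and rekeying."""
    sas: dict
    next_sa_id: int
    pushed_to_vswitch: list = field(default_factory=list)

    def renegotiate(self, old: SaInfo) -> SaInfo:
        """Models S512/S515: agree a fresh SA with the customer gateway (key
        derivation here is a placeholder) and push it to the virtual switch."""
        old.expired = True
        new = SaInfo(self.next_sa_id,
                     hashlib.sha256(old.key + b"rekey").digest(), old.byte_limit)
        self.next_sa_id += 1
        self.sas[new.sa_id] = new
        self.pushed_to_vswitch.append(new)
        return new

    def process(self, packet: bytes) -> Optional[bytes]:
        """S504/S510: decapsulate, account, finish the message. Returns the
        target message, or None when the packet is refused."""
        if len(packet) < META_LEN:
            return None
        flags, sa_id, enc_len = struct.unpack(META_FMT, packet[:META_LEN])
        body = packet[META_LEN:]
        sa = self.sas.get(sa_id)
        # Defensive check (an assumption, not stated in the patent): a packet
        # naming an unknown or already-expired SA is dropped, since the gateway
        # cannot vouch for how, or under which key, it was encrypted.
        if sa is None or sa.expired:
            return None
        if not flags & FLAG_ENCRYPTED:
            # Legacy path (S504-S507): gateway encrypts itself, then pushes the
            # SA to the switch so later packets arrive already encrypted.
            body = toy_encrypt(sa.key, body)
            enc_len = len(body)  # assumption: gateway encryption also counts
            self.pushed_to_vswitch.append(sa)
        # Byte-count expiry: accumulate, compare with the threshold, rekey.
        sa.encrypted_bytes += enc_len
        if sa.encrypted_bytes > sa.byte_limit:
            self.renegotiate(sa)
        sa.seq += 1
        # Placeholder ESP header (SPI, sequence) and trailer around the body.
        return struct.pack("!II", sa.sa_id, sa.seq) + body + b"\x00"
```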

Optionally, the virtual switch can encapsulate the encrypted data packet after encryption; optionally, it performs VXLAN encapsulation and then sends the packet to the IPSec VPN gateway. After receiving the encrypted data packet, the IPSec VPN gateway first removes the VXLAN encapsulation and then fills the encrypted data packet with message information. In addition, in the above embodiment where the virtual switch adds an identifier to the encrypted data packet, the identifier can be added in the VXLAN encapsulation format.

Optionally, the virtual switch can also update or delete the IPSec SA information; the specific process is as follows:

receiving, through the encrypted connection, the updated IPSec SA information sent by the IPSec VPN gateway, and updating the current IPSec SA information to the updated IPSec SA information; or

receiving, through the encrypted connection, an instruction sent by the IPSec VPN gateway to delete the IPSec SA information, and deleting the current IPSec SA information.

In the message processing method of this embodiment, the virtual switch of the cloud computing node encrypts the data packet according to the IPSec SA information sent in advance by the IPSec VPN gateway and sends it to the IPSec VPN gateway; the IPSec VPN gateway fills the encrypted data packet with message information, encapsulates it into a complete target message, and sends the target message to the target customer gateway. The computing resources of each computing node are fully utilized, so the IPSec VPN gateway does not need to perform encryption processing, which resolves the performance bottleneck of the IPSec VPN gateway in scenarios with many virtual switches and ensures the transmission of messages.

Referring to FIG. 5, FIG. 5 is a signaling diagram of a message processing method provided by an embodiment of the present disclosure. On the basis of the above embodiments, the message processing method includes:

S501. The IPSec VPN gateway negotiates with the target customer gateway to determine the IPSec SA information;

S502. A virtual machine in the VPC of the cloud computing node sends a first data packet to be sent to the virtual switch of that cloud computing node;

S503. The virtual switch encapsulates the first data packet to be sent and sends it to the IPSec VPN gateway;

Optionally, the virtual switch performs VXLAN encapsulation on the first data packet to be sent (which is not encrypted), queries the VPC routing table and sends it to the IPSec VPN gateway;

S504. The IPSec VPN gateway encrypts the first data packet to be sent according to the IPSec SA information and encapsulates it into a complete first target message;

Optionally, if the virtual switch performed VXLAN encapsulation on the first data packet to be sent, the IPSec VPN gateway, after receiving it, first removes the VXLAN encapsulation and then encrypts the first data packet to be sent according to the IPSec SA information and encapsulates it into a complete target message;

S505. The IPSec VPN gateway queries the VPC controller for information about the computing node hosting the virtual switch that sent the data packet to be sent;

S506. The VPC controller sends the computing node information to the IPSec VPN gateway;

S507. The IPSec VPN gateway establishes an encrypted connection with the virtual switch and sends the IPSec SA information to the virtual switch through the encrypted connection;

S508. The virtual machine in the VPC of the cloud computing node sends a second data packet to be sent to the virtual switch;

Here, the second data packet to be sent is a data packet to be sent subsequent to the first data packet to be sent in step S502;

S509. The virtual switch encrypts the second data packet to be sent according to the IPSec SA information to obtain an encrypted data packet, and sends it to the IPSec VPN gateway;

Optionally, the virtual switch performs VXLAN encapsulation on the encrypted data packet before sending it to the IPSec VPN gateway;

S510. The IPSec VPN gateway fills the encrypted data packet with message information and encapsulates it into a complete target message;

S511. The IPSec VPN gateway sends the target message to the target customer gateway;

Optionally, S512. The IPSec SA information is updated or destroyed between the IPSec VPN gateway and the target customer gateway;

S513. The IPSec VPN gateway queries the VPC controller for information about the computing node hosting the virtual switch;

S514. The VPC controller sends the computing node information to the IPSec VPN gateway;

S515. The IPSec VPN gateway establishes an encrypted connection with the virtual switch and updates or destroys the IPSec SA information in the virtual switch.

Corresponding to the message processing method on the IPSec VPN gateway side of the above embodiment, FIG. 6 is a structural block diagram of a message processing device provided by an embodiment of the present disclosure, applied to a cloud IPSec VPN gateway. For ease of description, only the parts related to the embodiments of the present disclosure are shown. Referring to FIG. 6, the message processing device 600 includes a receiving unit 601, a processing unit 602 and a sending unit 603.

The receiving unit 601 is configured to receive an encrypted data packet sent by a virtual switch of a cloud computing node, where the encrypted data packet is encrypted by the virtual switch according to security association information of the Internet security protocol (IPSec), and the security association information was sent in advance by the virtual private network gateway;

the processing unit 602 is configured to fill the encrypted data packet with message information and encapsulate it into a complete target message;

the sending unit 603 is configured to send the target message to the target customer gateway.

In one or more embodiments of the present disclosure, before the encrypted data packet sent by the virtual switch of the cloud computing node is received, the processing unit 602 is further configured to perform a negotiation process with the target customer gateway to determine the security association information;

the sending unit 603 is further configured to establish an encrypted connection with the virtual switch and send the security association information to the virtual switch through the encrypted connection.

In one or more embodiments of the present disclosure, the sending unit 603 is further configured to receive the data packet to be encrypted sent by the virtual switch;

the processing unit 602 is further configured to encrypt the data packet to be encrypted according to the security association information and encapsulate it into a complete target message; the sending unit 603 is further configured to send that target message to the target customer gateway;

the processing unit 602 is further configured to query the virtual switch information based on the data packet to be encrypted;

the sending unit 603 is further configured to establish an encrypted connection with the virtual switch according to the virtual switch information and send the security association information to the virtual switch through the encrypted connection.

In one or more embodiments of the present disclosure, the encrypted data packet carries an identifier added by the virtual switch to indicate that the packet has been encrypted according to the security association information;

when filling the encrypted data packet with message information and encapsulating it into a complete target message, the processing unit 602 is configured to:

if it identifies that the encrypted data packet carries the identifier, skip the encryption process, add Encapsulating Security Payload (ESP) header information and trailer information to the encrypted data packet, and encapsulate it into a complete target message.

In one or more embodiments of the present disclosure, the encrypted data packet carries the length of the encrypted data and the identification information of the security association information;

before filling the encrypted data packet with message information and encapsulating it into a complete target message, the processing unit 602 is further configured to:

accumulate the lengths of the encrypted data carried in the encrypted data packets encrypted with the security association information to obtain a cumulative length of the encrypted data;

compare the cumulative length of the encrypted data with the preset encryption length threshold corresponding to the security association information;

if the cumulative length of the encrypted data exceeds the preset encryption length threshold corresponding to the security association information, perform the negotiation process with the target customer gateway again to determine updated security association information.

In one or more embodiments of the present disclosure, the encrypted data packet is encapsulated by the virtual switch after encryption;

before filling the encrypted data packet with message information, the processing unit 602 is further configured to:

decapsulate the encrypted data packet.

In one or more embodiments of the present disclosure, the sending unit 603 is further configured to:

if it is determined that the security association information has been updated, send the updated security association information to the virtual switch through the encrypted connection; or

if it is determined that the security association information has been destroyed, send an instruction to delete the security association information to the virtual switch through the encrypted connection.

The device provided in this embodiment can be used to execute the technical solution of the above embodiment of the message processing method on the IPSec VPN gateway side; its implementation principle and technical effect are similar and are not repeated here.

Corresponding to the message processing method on the virtual switch side of the cloud computing node in the above embodiment, FIG. 7 is a structural block diagram of a message processing device provided by an embodiment of the present disclosure, applied to the virtual switch of a cloud computing node. For ease of description, only the parts related to the embodiments of the present disclosure are shown. Referring to FIG. 7, the message processing device 700 includes a receiving unit 701, a processing unit 702 and a sending unit 703.

The receiving unit 701 is configured to receive a data packet to be sent from a virtual machine of the cloud computing node;

the processing unit 702 is configured to determine, according to the encryption policy in the security association information of the Internet security protocol, whether the data packet to be sent needs to be encrypted and, if it does, to encrypt the data packet to be sent with the key in the security association information to obtain an encrypted data packet, where the security association information was sent in advance by the cloud virtual private network gateway based on the Internet security protocol;

the sending unit 703 is configured to send the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills the encrypted data packet with message information, encapsulates it into a complete target message, and sends it to the target customer gateway.

In one or more embodiments of the present disclosure, the receiving unit 701 is further configured to:

establish an encrypted connection with the virtual private network gateway and receive the security association information sent by the virtual private network gateway through the encrypted connection.

In one or more embodiments of the present disclosure, after encrypting the data packet to be sent with the key in the security association information to obtain the encrypted data packet, the processing unit 702 is further configured to:

add an identifier to the encrypted data packet, the identifier indicating that the packet has been encrypted according to the security association information; and/or

add the length of the encrypted data and the identification information of the security association information to the encrypted data packet; and/or

encapsulate the encrypted data packet.

In one or more embodiments of the present disclosure, the receiving unit 701 is further configured to receive, through the encrypted connection, updated security association information sent by the virtual private network gateway;

the processing unit 702 is further configured to update the current security association information to the updated security association information; or

the receiving unit 701 is further configured to receive, through the encrypted connection, an instruction sent by the virtual private network gateway to delete the security association information;

the processing unit 702 is further configured to delete the current security association information.

The device provided in this embodiment can be used to execute the technical solution of the above embodiment of the message processing method on the virtual switch side; its implementation principle and technical effect are similar and are not repeated here.

Referring to FIG. 8, it shows a schematic structural diagram of an electronic device 800 suitable for implementing the embodiments of the present disclosure. The electronic device 800 may be a terminal device or a server. Terminal devices may include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, personal digital assistants (PDAs), tablet computers (Portable Android Devices, PADs), portable multimedia players (PMPs) and vehicle-mounted terminals (such as vehicle-mounted navigation terminals), and fixed terminals such as digital TVs and desktop computers. The electronic device shown in FIG. 8 is only an example and should not limit the functions and scope of use of the embodiments of the present disclosure.

As shown in FIG. 8, the electronic device 800 may include a processing device 801 (such as a central processing unit or a graphics processing unit), which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 802 or a program loaded from a storage device 808 into a random access memory (RAM) 803. The RAM 803 also stores various programs and data required for the operation of the electronic device 800. The processing device 801, the ROM 802 and the RAM 803 are connected to each other through a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.

Generally, the following devices can be connected to the I/O interface 805: an input device 806 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer or gyroscope; an output device 807 including, for example, a liquid crystal display (LCD), speaker or vibrator; a storage device 808 including, for example, a magnetic tape or hard disk; and a communication device 809. The communication device 809 may allow the electronic device 800 to communicate wirelessly or by wire with other devices to exchange data. Although FIG. 8 shows an electronic device 800 with various devices, it should be understood that it is not required to implement or have all of the devices shown; more or fewer devices may alternatively be implemented or provided.

In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, an embodiment of the present disclosure includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 809, installed from the storage device 808, or installed from the ROM 802. When the computer program is executed by the processing device 801, the above functions defined in the message processing method on the IPSec VPN gateway side or the virtual switch side of the embodiments of the present disclosure are performed.

It should be noted that the computer-readable medium of the present disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples of the computer-readable storage medium may include, but are not limited to, an electrical connection with one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device. Program code carried on a computer-readable medium may be transmitted by any appropriate medium, including but not limited to wires, optical cables, RF (radio frequency), or any suitable combination of the above.

The computer-readable medium described above may be included in the electronic device described above, or may exist separately without being assembled into that electronic device.

The computer-readable medium described above carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the methods shown in the above embodiments.

Computer program code for performing the operations of the present disclosure may be written in one or more programming languages or combinations thereof, including object-oriented programming languages such as Java, Smalltalk and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

The units involved in the embodiments of the present disclosure may be implemented in software or in hardware. In some cases the name of a unit does not limit the unit itself; for example, the first obtaining unit may also be described as "a unit for obtaining at least two Internet Protocol addresses".

The functions described herein may be performed at least in part by one or more hardware logic components. For example, and without limitation, exemplary types of hardware logic components that may be used include Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and so on.

In the context of the present disclosure, a machine-readable medium may be a tangible medium that may contain or store a program for use by or in connection with an instruction execution system, apparatus or device. A machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

In a first aspect, according to one or more embodiments of the present disclosure, a message processing method is provided, the method comprising:

receiving an encrypted data packet sent by a virtual switch of a cloud computing node, wherein the encrypted data packet is encrypted by the virtual switch according to security association information of the Internet security protocol (IPsec), the security association information having been sent to the virtual switch in advance;

filling the encrypted data packet with message information and encapsulating it into a complete target message;

sending the target message to a target customer gateway.

According to one or more embodiments of the present disclosure, before receiving the encrypted data packet sent by the virtual switch of the cloud computing node, the method further comprises:

performing a negotiation process with the target customer gateway to determine the security association information;

establishing an encrypted connection with the virtual switch, and sending the security association information to the virtual switch through the encrypted connection.

According to one or more embodiments of the present disclosure, establishing the encrypted connection with the virtual switch and sending the security association information to the virtual switch through the encrypted connection comprises:

receiving a data packet to be encrypted sent by the virtual switch, encrypting the data packet to be encrypted according to the security association information, encapsulating it into a complete target message, and sending it to the target customer gateway;

querying virtual switch information based on the data packet to be encrypted;

establishing an encrypted connection with the virtual switch according to the virtual switch information, and sending the security association information to the virtual switch through the encrypted connection.

According to one or more embodiments of the present disclosure, the encrypted data packet carries an identifier, added by the virtual switch, indicating that the data packet has already been encrypted according to the security association information;

filling the encrypted data packet with message information and encapsulating it into a complete target message comprises:

if the encrypted data packet is identified as carrying the identifier, skipping the encryption processing, adding Encapsulating Security Payload (ESP) header information and trailer information to the encrypted data packet, and encapsulating it into a complete target message.

According to one or more embodiments of the present disclosure, the encrypted data packet carries the length of the encrypted data and identification information of the security association information;

before filling the encrypted data packet with message information and encapsulating it into a complete target message, the method further comprises:

accumulating the lengths of the encrypted data carried in the encrypted data packets encrypted with the security association information, to obtain a cumulative length of encrypted data;

comparing the cumulative length of encrypted data with a preset encryption length threshold corresponding to the security association information;

if the cumulative length of encrypted data exceeds the preset encryption length threshold corresponding to the security association information, performing the negotiation process with the target customer gateway again to determine updated security association information.

According to one or more embodiments of the present disclosure, the encrypted data packet is encapsulated by the virtual switch after encryption;

before filling the encrypted data packet with message information, the method further comprises:

decapsulating the encrypted data packet.

According to one or more embodiments of the present disclosure, the method further comprises:

if it is determined that the security association information has been updated, sending the updated security association information to the virtual switch through the encrypted connection; or

if it is determined that the security association information has been destroyed, sending an instruction to delete the security association information to the virtual switch through the encrypted connection.

In a second aspect, according to one or more embodiments of the present disclosure, a message processing method is provided, the method comprising:

determining, according to an encryption policy in security association information of the Internet security protocol (IPsec), whether a data packet to be sent needs to be encrypted, and if it is determined that encryption is needed, encrypting the data packet to be sent according to a key in the security association information to obtain an encrypted data packet; wherein the security association information is sent in advance by a cloud-side virtual private network gateway based on the Internet security protocol;

sending the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills the encrypted data packet with message information, encapsulates it into a complete target message, and sends it to a target customer gateway.

According to one or more embodiments of the present disclosure, the method further comprises:

establishing an encrypted connection with the virtual private network gateway, and receiving, through the encrypted connection, the security association information sent by the virtual private network gateway.

According to one or more embodiments of the present disclosure, after encrypting the data packet to be sent according to the key in the security association information to obtain the encrypted data packet, the method further comprises:

adding an identifier to the encrypted data packet, the identifier indicating that the data packet has been encrypted according to the security association information; and/or

adding the length of the encrypted data and identification information of the security association information to the encrypted data packet; and/or

encapsulating the encrypted data packet.

According to one or more embodiments of the present disclosure, the method further comprises:

receiving, through the encrypted connection, updated security association information sent by the virtual private network gateway, and updating the current security association information to the updated security association information; or

receiving, through the encrypted connection, an instruction sent by the virtual private network gateway to delete the security association information, and deleting the current security association information.
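The split pipeline of the first and second aspects, as an added example that is not the patent's own code: the virtual switch encrypts per the SA policy and tags the packet with an "already encrypted" marker, the SA identifier (SPI) and the encrypted length; the gateway recognises the marker, skips encryption, accumulates the encrypted length per SA against the threshold, and adds the ESP header and trailer. The marker byte, the inner tag format and the HMAC-SHA256 counter-mode stand-in for the SA cipher are assumptions; the patent names none of them.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed constants (assumptions, not from the patent): a one-byte marker the
# vSwitch prepends to an already-encrypted packet, the ESP "next header" value for
# an IPv4 inner packet, and the truncated ICV length carried in the ESP trailer.
ENCRYPTED_MARKER = b"\xe5"
NEXT_HEADER_IPV4 = 4
ICV_LEN = 16


@dataclass
class SecurityAssociation:
    """SA information negotiated by the VPN gateway with the customer gateway and
    pushed to the vSwitch: identifier (SPI), keys, encryption policy and the
    preset encrypted-length threshold that triggers renegotiation."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    encrypt_prefixes: tuple   # destination prefixes whose traffic must be encrypted
    byte_threshold: int


def needs_encryption(sa, dst_ip):
    """Encryption policy check performed by the vSwitch (second aspect)."""
    return any(dst_ip.startswith(p) for p in sa.encrypt_prefixes)


def _keystream(sa, iv, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode keyed by the SA key (the
    patent names no algorithm; a real deployment uses the SA's ESP cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(sa.enc_key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_payload(sa, iv, plaintext, next_header=NEXT_HEADER_IPV4):
    """Encrypt plaintext || padding || pad_len || next_header, the portion ESP
    protects, padded so the encrypted block is a multiple of 4 bytes."""
    pad_len = (-(len(plaintext) + 2)) % 4
    block = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return bytes(a ^ b for a, b in zip(block, _keystream(sa, iv, len(block))))


def vswitch_encrypt(sa, dst_ip, plaintext, iv):
    """vSwitch side: encrypt per policy, then tag the packet with the marker, the
    SA identifier and the encrypted length (constructed inner format) so the
    gateway can skip its own encryption and account the bytes per SA.
    The caller supplies a fresh per-packet IV; never reuse one under the same key."""
    if not needs_encryption(sa, dst_ip):
        return plaintext                        # policy: this flow is sent in the clear
    ct = encrypt_payload(sa, iv, plaintext)
    return ENCRYPTED_MARKER + struct.pack("!II", sa.spi, len(ct)) + iv + ct


class VpnGateway:
    """Gateway side (first aspect): add the ESP header and trailer, accumulate
    encrypted bytes per SA and request renegotiation once past the threshold."""

    def __init__(self, sa):
        self.sa = sa
        self.seq = 0
        self.encrypted_bytes = {sa.spi: 0}
        self.rekey_requested = False

    def build_esp(self, packet, iv):
        if packet[:1] == ENCRYPTED_MARKER:
            # Marker present: skip encryption, just read the SA id and length tag.
            spi, enc_len = struct.unpack("!II", packet[1:9])
            iv, ct = packet[9:17], packet[17:]
            if spi != self.sa.spi or len(ct) != enc_len:
                raise ValueError("tag does not match the gateway's SA or ciphertext")
        else:
            # No marker (SA not yet pushed to this vSwitch): encrypt here instead.
            ct = encrypt_payload(self.sa, iv, packet)
        self.seq += 1
        header = struct.pack("!II", self.sa.spi, self.seq)   # ESP SPI + sequence number
        body = header + iv + ct
        icv = hmac.new(self.sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        # Accumulate the encrypted length for this SA and compare to the threshold.
        self.encrypted_bytes[self.sa.spi] += len(ct)
        if self.encrypted_bytes[self.sa.spi] > self.sa.byte_threshold:
            self.rekey_requested = True         # renegotiate with the customer gateway
        return body + icv


def customer_gateway_decrypt(sa, esp_packet):
    """Receiver-side check: verify the ICV, decrypt, strip the ESP trailer.
    Returns (sequence number, plaintext); raises if the packet was altered."""
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    _, seq = struct.unpack("!II", body[:8])
    iv, ct = body[8:16], body[16:]
    block = bytes(a ^ b for a, b in zip(ct, _keystream(sa, iv, len(ct))))
    pad_len = block[-2]
    return seq, block[:len(block) - 2 - pad_len]
```

The gateway's threshold check fires after the packet that crosses the limit is still sent under the old SA, which matches the page's "accumulate, compare, then renegotiate" ordering; a deployment would also stop using the SPI once the new SA is in place.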

In a third aspect, according to one or more embodiments of the present disclosure, a message processing device is provided, comprising:

a receiving unit, configured to receive an encrypted data packet sent by a virtual switch of a cloud computing node, wherein the encrypted data packet is encrypted by the virtual switch according to security association information of the Internet security protocol, the security association information having been sent to the virtual switch in advance;

a processing unit, configured to fill the encrypted data packet with message information and encapsulate it into a complete target message;

a sending unit, configured to send the target message to a target customer gateway.

According to one or more embodiments of the present disclosure, before the encrypted data packet sent by the virtual switch of the cloud computing node is received, the processing unit is further configured to perform a negotiation process with the target customer gateway to determine the security association information;

the sending unit is further configured to establish an encrypted connection with the virtual switch and send the security association information to the virtual switch through the encrypted connection.

According to one or more embodiments of the present disclosure, the sending unit is further configured to receive a data packet to be encrypted sent by the virtual switch;

the processing unit is further configured to encrypt the data packet to be encrypted according to the security association information and encapsulate it into a complete target message; the sending unit is further configured to send that target message to the target customer gateway;

the processing unit is further configured to query virtual switch information based on the data packet to be encrypted;

the sending unit is further configured to establish an encrypted connection with the virtual switch according to the virtual switch information, and send the security association information to the virtual switch through the encrypted connection.

According to one or more embodiments of the present disclosure, the encrypted data packet carries an identifier, added by the virtual switch, indicating that the data packet has already been encrypted according to the security association information;

when filling the encrypted data packet with message information and encapsulating it into a complete target message, the processing unit is configured to:

if the encrypted data packet is identified as carrying the identifier, skip the encryption processing, add Encapsulating Security Payload (ESP) header information and trailer information to the encrypted data packet, and encapsulate it into a complete target message.

According to one or more embodiments of the present disclosure, the encrypted data packet carries the length of the encrypted data and identification information of the security association information;

before filling the encrypted data packet with message information and encapsulating it into a complete target message, the processing unit is further configured to:

accumulate the lengths of the encrypted data carried in the encrypted data packets encrypted with the security association information, to obtain a cumulative length of encrypted data;

compare the cumulative length of encrypted data with a preset encryption length threshold corresponding to the security association information;

if the cumulative length of encrypted data exceeds the preset encryption length threshold corresponding to the security association information, perform the negotiation process with the target customer gateway again to determine updated security association information.

According to one or more embodiments of the present disclosure, the encrypted data packet is encapsulated by the virtual switch after encryption;

before filling the encrypted data packet with message information, the processing unit is further configured to:

decapsulate the encrypted data packet.

According to one or more embodiments of the present disclosure, the sending unit is further configured to:

if it is determined that the security association information has been updated, send the updated security association information to the virtual switch through the encrypted connection; or

if it is determined that the security association information has been destroyed, send an instruction to delete the security association information to the virtual switch through the encrypted connection.

In a fourth aspect, according to one or more embodiments of the present disclosure, a message processing device is provided, comprising:

a receiving unit, configured to receive a data packet to be sent, sent by a virtual machine of the cloud computing node;

a processing unit, configured to determine, according to an encryption policy in security association information of the Internet security protocol, whether the data packet to be sent needs to be encrypted, and if it is determined that encryption is needed, encrypt the data packet to be sent according to a key in the security association information to obtain an encrypted data packet; wherein the security association information is sent in advance by a cloud-side virtual private network gateway based on the Internet security protocol;

a sending unit, configured to send the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills the encrypted data packet with message information, encapsulates it into a complete target message, and sends it to a target customer gateway.

According to one or more embodiments of the present disclosure, the receiving unit is further configured to:

establish an encrypted connection with the virtual private network gateway, and receive, through the encrypted connection, the security association information sent by the virtual private network gateway.

According to one or more embodiments of the present disclosure, after encrypting the data packet to be sent according to the key in the security association information to obtain the encrypted data packet, the processing unit is further configured to:

add an identifier to the encrypted data packet, the identifier indicating that the data packet has been encrypted according to the security association information; and/or

add the length of the encrypted data and identification information of the security association information to the encrypted data packet; and/or

encapsulate the encrypted data packet.

According to one or more embodiments of the present disclosure, the receiving unit is further configured to receive, through the encrypted connection, updated security association information sent by the virtual private network gateway;

the processing unit is further configured to update the current security association information to the updated security association information; or

the receiving unit is further configured to receive, through the encrypted connection, an instruction sent by the virtual private network gateway to delete the security association information;

the processing unit is further configured to delete the current security association information.

In a fifth aspect, according to one or more embodiments of the present disclosure, an electronic device is provided, comprising at least one processor and a memory;

the memory stores computer-executable instructions;

the at least one processor executes the computer-executable instructions stored in the memory, causing the at least one processor to perform the message processing method according to the first aspect and its various possible designs, or the message processing method according to the second aspect and its various possible designs.

In a sixth aspect, according to one or more embodiments of the present disclosure, a computer-readable storage medium is provided, the computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the message processing method according to the first aspect and its various possible designs, or the message processing method according to the second aspect and its various possible designs.

In a seventh aspect, according to one or more embodiments of the present disclosure, a computer program product is provided, comprising computer-executable instructions which, when executed by a processor, implement the message processing method according to the first aspect and its various possible designs, or the message processing method according to the second aspect and its various possible designs.

The above description is merely of preferred embodiments of the present disclosure and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the disclosure involved herein is not limited to technical solutions formed by the specific combination of the above technical features, but should also cover other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the disclosed concept, for example technical solutions formed by replacing the above features with technical features having similar functions disclosed in (but not limited to) the present disclosure.

Furthermore, although the operations are depicted in a particular order, this should not be understood as requiring that these operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although several specific implementation details are contained in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.

Although the subject matter has been described in language specific to structural features and/or methodological acts, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are merely example forms of implementing the claims.

Claims (16)

1. A message processing method, characterized by comprising:
receiving an encrypted data packet sent by a virtual switch of a cloud computing node, wherein the encrypted data packet is encrypted by the virtual switch according to security association information of the Internet security protocol, the security association information having been sent to the virtual switch in advance;
filling the encrypted data packet with message information and encapsulating it into a complete target message;
sending the target message to a target customer gateway.

2. The method according to claim 1, characterized in that, before receiving the encrypted data packet sent by the virtual switch of the cloud computing node, the method further comprises:
performing a negotiation process with the target customer gateway to determine the security association information;
establishing an encrypted connection with the virtual switch, and sending the security association information to the virtual switch through the encrypted connection.

3. The method according to claim 2, characterized in that establishing the encrypted connection with the virtual switch and sending the security association information to the virtual switch through the encrypted connection comprises:
receiving a data packet to be encrypted sent by the virtual switch, encrypting the data packet to be encrypted according to the security association information, encapsulating it into a complete target message, and sending it to the target customer gateway;
querying virtual switch information based on the data packet to be encrypted;
establishing an encrypted connection with the virtual switch according to the virtual switch information, and sending the security association information to the virtual switch through the encrypted connection.

4. The method according to any one of claims 1 to 3, characterized in that the encrypted data packet carries an identifier, added by the virtual switch, indicating that the data packet has already been encrypted according to the security association information;
filling the encrypted data packet with message information and encapsulating it into a complete target message comprises:
if the encrypted data packet is identified as carrying the identifier, skipping the encryption processing, adding Encapsulating Security Payload header information and trailer information to the encrypted data packet, and encapsulating it into a complete target message.

5. The method according to claim 2 or 3, characterized in that the encrypted data packet carries the length of the encrypted data and identification information of the security association information;
before filling the encrypted data packet with message information and encapsulating it into a complete target message, the method further comprises:
accumulating the lengths of the encrypted data carried in the encrypted data packets encrypted with the security association information, to obtain a cumulative length of encrypted data;
comparing the cumulative length of encrypted data with a preset encryption length threshold corresponding to the security association information;
if the cumulative length of encrypted data exceeds the preset encryption length threshold corresponding to the security association information, performing the negotiation process with the target customer gateway again to determine updated security association information.

6. The method according to any one of claims 1 to 3, characterized in that the encrypted data packet is encapsulated by the virtual switch after encryption;
before filling the encrypted data packet with message information, the method further comprises:
decapsulating the encrypted data packet.

7. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
if it is determined that the security association information has been updated, sending the updated security association information to the virtual switch through the encrypted connection; or
if it is determined that the security association information has been destroyed, sending an instruction to delete the security association information to the virtual switch through the encrypted connection.

8. A message processing method, characterized by comprising:
receiving a data packet to be sent, sent by a virtual machine of a cloud computing node;
determining, according to an encryption policy in security association information of the Internet security protocol, whether the data packet to be sent needs to be encrypted, and if it is determined that encryption is needed, encrypting the data packet to be sent according to a key in the security association information to obtain an encrypted data packet; wherein the security association information is sent in advance by a cloud-side virtual private network gateway based on the Internet security protocol;
sending the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills the encrypted data packet with message information, encapsulates it into a complete target message, and sends it to a target customer gateway.

9. The method according to claim 8, characterized in that the method further comprises:
establishing an encrypted connection with the virtual private network gateway, and receiving, through the encrypted connection, the security association information sent by the virtual private network gateway.

10. The method according to claim 8 or 9, characterized in that, after encrypting the data packet to be sent according to the key in the security association information to obtain the encrypted data packet, the method further comprises:
adding an identifier to the encrypted data packet, the identifier indicating that the data packet has been encrypted according to the security association information; and/or
adding the length of the encrypted data and identification information of the security association information to the encrypted data packet; and/or
encapsulating the encrypted data packet.

11. The method according to claim 8 or 9, characterized in that the method further comprises:
receiving, through the encrypted connection, updated security association information sent by the virtual private network gateway, and updating the current security association information to the updated security association information; or
receiving, through the encrypted connection, an instruction sent by the virtual private network gateway to delete the security association information, and deleting the current security association information.

12.
A packet processing device, comprising: 接收单元,用于接收云端计算节点的虚拟交换机发送的加密数据包,其中,所述加密数据包由所述虚拟交换机根据互联网安全协议的安全关联信息进行加密;所述安全关联信息是预先发送给所述虚拟交换机的;The receiving unit is used to receive the encrypted data packet sent by the virtual switch of the cloud computing node, wherein the encrypted data packet is encrypted by the virtual switch according to the security association information of the Internet security protocol; the security association information is sent to of the virtual switch; 处理单元,用于对所述加密数据包填充报文信息,封装为完整的目标报文;A processing unit, configured to fill the encrypted data packet with message information and encapsulate it into a complete target message; 发送单元,用于将所述目标报文发送给目标客户网关。A sending unit, configured to send the target message to the target customer gateway. 13.一种报文处理设备,其特征在于,包括:13. A packet processing device, comprising: 接收单元,用于接收云端计算节点的虚拟机发送的待发送数据包;The receiving unit is used to receive the data packet to be sent sent by the virtual machine of the cloud computing node; 处理单元,用于根据互联网安全协议的安全关联信息中的加密策略,判断所述待发送数据包是否需要加密,若确定需要加密,则根据所述安全关联信息中的密钥对所述待发送数据包进行加密,得到加密数据包;其中,所述安全关联信息是由云端基于互联网安全协议的虚拟专用网络网关预先发送的;The processing unit is configured to judge whether the data packet to be sent needs to be encrypted according to the encryption strategy in the security-related information of the Internet security protocol, and if it is determined that encryption is required, then encrypt the data packet to be sent according to the key in the security-related information The data packet is encrypted to obtain an encrypted data packet; wherein, the security-associated information is sent in advance by the virtual private network gateway based on the Internet security protocol in the cloud; 发送单元,用于将加密数据包发送给所述虚拟专用网络网关,以使所述虚拟专用网络网关对所述加密数据包填充报文信息,封装为完整的目标报文,并发送给目标客户网关。A sending unit, configured to send the encrypted data packet to the virtual private network gateway, so that the virtual private network gateway fills the encrypted data packet with message information, encapsulates it into a complete 
target message, and sends it to the target customer gateway. 14.一种电子设备,其特征在于,包括:至少一个处理器和存储器;14. An electronic device, comprising: at least one processor and a memory; 所述存储器存储计算机执行指令;the memory stores computer-executable instructions; 所述至少一个处理器执行所述存储器存储的计算机执行指令,使得所述至少一个处理器执行如权利要求1-7或8-11任一项所述的方法。The at least one processor executes the computer-implemented instructions stored in the memory, so that the at least one processor performs the method according to any one of claims 1-7 or 8-11. 15.一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有计算机执行指令,当处理器执行所述计算机执行指令时,实现如权利要求1-7或8-11任一项所述的方法。15. A computer-readable storage medium, wherein computer-readable instructions are stored in the computer-readable storage medium, and when the processor executes the computer-executable instructions, claims 1-7 or 8-11 are realized any one of the methods described. 16.一种计算机程序产品,其特征在于,包括计算机执行指令,当处理器执行所述计算机执行指令时,实现如权利要求1-7或8-11任一项所述的方法。16. A computer program product, characterized by comprising computer-executable instructions, and when the processor executes the computer-executable instructions, the method according to any one of claims 1-7 or 8-11 is realized.
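The split ESP pipeline that claims 4, 5, 8 and 10 describe, as an added worked example; this is not code from the patent or from the applicant. The virtual switch consults the SA's traffic selector, encrypts under the SA key, and tags the result with an "already encrypted" flag, the SPI and the encrypted length; the gateway skips encryption when it sees the flag, adds the ESP header (SPI, sequence number) and an integrity check value, and accumulates encrypted bytes per SA so it can trigger a rekey when the threshold is crossed. Everything concrete here is an assumption: the 7-byte switch-to-gateway marker layout, the switch-id-prefixed IV, and the HMAC-SHA256 keystream that stands in for the AES cipher a real ESP SA would use.

```python
"""Added example of the split IPsec ESP pipeline from claims 4, 5, 8, 10.
Assumptions (not from the patent): the MARKER tag format, the IV layout,
and an HMAC-SHA256 keystream standing in for AES-GCM/AES-CBC."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ENCRYPTED_FLAG = 0x01               # marker bit: "already encrypted under this SPI"
MARKER = struct.Struct("!BIH")      # hypothetical switch->gateway tag: flag, SPI, length
ESP_HEADER = struct.Struct("!II")   # SPI, sequence number (RFC 4303)
ICV_LEN = 16                        # truncated HMAC-SHA256 integrity check value
NEXT_HEADER_IPV4 = 4                # tunnel mode: protected payload is an IPv4 packet


@dataclass
class SecurityAssociation:
    spi: int
    enc_key: bytes
    auth_key: bytes
    policy: str                     # traffic selector (CIDR): destinations to encrypt
    byte_limit: int                 # rekey once this many bytes were encrypted (claim 5)
    seq: int = 0
    encrypted_bytes: int = 0


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher (AES stand-in): XOR with HMAC(key, iv||ctr). Self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class VirtualSwitch:
    """Claims 8 and 10: policy check, encrypt with the SA key, tag with flag/SPI/length."""

    def __init__(self, switch_id: int, sa: SecurityAssociation):
        self.switch_id, self.sa, self.counter = switch_id, sa, 0

    def handle_vm_packet(self, dst_ip: str, inner_packet: bytes):
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.sa.policy):
            return None             # outside the selector: not tunnel traffic
        # RFC 4303 keeps padding, pad length and next header inside the encrypted
        # part, so the switch appends them before encrypting, not the gateway.
        plaintext = inner_packet + bytes([0, NEXT_HEADER_IPV4])
        self.counter += 1
        # The IV embeds the switch id so switches sharing one SA never reuse an IV.
        iv = struct.pack("!II", self.switch_id, self.counter)
        encrypted = iv + keystream_xor(self.sa.enc_key, iv, plaintext)
        return MARKER.pack(ENCRYPTED_FLAG, self.sa.spi, len(encrypted)) + encrypted


class VpnGateway:
    """Claims 4, 5 and 7: SA lifecycle, ESP framing, per-SA byte-count rekey trigger."""

    def __init__(self):
        self.sas, self.counter = {}, 0            # SPI -> SA

    def install_sa(self, sa: SecurityAssociation):
        self.sas[sa.spi] = sa                     # claim 7: install or update

    def delete_sa(self, spi: int):
        self.sas.pop(spi, None)                   # claim 7: destroy

    def build_esp(self, tagged: bytes):
        flag, spi, length = MARKER.unpack_from(tagged)
        body = tagged[MARKER.size:]
        if len(body) != length:
            raise ValueError("length field does not match payload")
        sa = self.sas.get(spi)
        if sa is None:
            raise KeyError(f"no SA for SPI {spi:#x}")
        if flag & ENCRYPTED_FLAG:
            encrypted = body                      # claim 4: already encrypted, skip it
        else:                                     # untagged: the gateway encrypts itself
            self.counter += 1
            iv = struct.pack("!II", 0, self.counter)   # switch id 0 reserved for gateway
            encrypted = iv + keystream_xor(sa.enc_key, iv, body + bytes([0, NEXT_HEADER_IPV4]))
        sa.seq += 1                               # single writer for the ESP sequence number
        header = ESP_HEADER.pack(spi, sa.seq)
        icv = hmac.new(sa.auth_key, header + encrypted, hashlib.sha256).digest()[:ICV_LEN]
        sa.encrypted_bytes += len(encrypted)      # claim 5: accumulate across all switches
        return header + encrypted + icv, sa.encrypted_bytes > sa.byte_limit


def customer_gateway_receive(sa: SecurityAssociation, esp: bytes) -> bytes:
    """Peer side: verify the ICV, decrypt, strip the trailer; closes the round trip."""
    header, body, icv = esp[:ESP_HEADER.size], esp[ESP_HEADER.size:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    plaintext = keystream_xor(sa.enc_key, body[:8], body[8:])
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("unexpected next header")
    return plaintext[:len(plaintext) - 2 - pad_len]


def demo():
    """Constructed sample traffic: one packet outside the selector, two inside."""
    sa = SecurityAssociation(0x1001, b"k" * 32, b"a" * 32, "10.20.0.0/16", byte_limit=64)
    vsw, gw = VirtualSwitch(switch_id=7, sa=sa), VpnGateway()
    gw.install_sa(sa)
    clear = vsw.handle_vm_packet("192.168.1.5", b"not tunnel traffic")
    esp, rekey_first = gw.build_esp(vsw.handle_vm_packet("10.20.3.4", b"inner IPv4 packet bytes"))
    recovered = customer_gateway_receive(sa, esp)
    _, rekey_second = gw.build_esp(vsw.handle_vm_packet("10.20.3.4", b"second packet, past the limit"))
    return clear, recovered, rekey_first, rekey_second


if __name__ == "__main__":
    print(demo())
```

Two design points matter once several switches share one SA: the ESP sequence number and the byte-count lifetime must have a single writer, which is why both live on the gateway, and per-packet IVs must stay unique across switches, which the switch-id prefix guarantees here. With a real AEAD such as AES-GCM an IV reuse under one key is catastrophic, so that prefix (or per-switch key derivation) is the first thing to verify in any implementation of this split.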
CN202211289296.4A 2022-10-20 2022-10-20 Message processing method, device, storage medium and program product Pending CN115664773A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211289296.4A CN115664773A (en) 2022-10-20 2022-10-20 Message processing method, device, storage medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211289296.4A CN115664773A (en) 2022-10-20 2022-10-20 Message processing method, device, storage medium and program product

Publications (1)

Publication Number Publication Date
CN115664773A true CN115664773A (en) 2023-01-31

Family

ID=84989229

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211289296.4A Pending CN115664773A (en) 2022-10-20 2022-10-20 Message processing method, device, storage medium and program product

Country Status (1)

Country Link
CN (1) CN115664773A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040205245A1 (en) * 2003-03-28 2004-10-14 Jean-Francois Le Pennec Data transmission system with a mechanism enabling any application to run transparently over a network address translation device
US20100217971A1 (en) * 2009-02-25 2010-08-26 Cisco Technology, Inc. Aggregation of cryptography engines
US20130133057A1 (en) * 2011-11-22 2013-05-23 Electronics And Telecommunications Research Institute System for managing virtual private network and method thereof
US20160315920A1 (en) * 2015-04-22 2016-10-27 Aruba Networks, Inc. Method and apparatus for avoiding double-encryption in site-to-site ipsec vpn connections
US20170331794A1 (en) * 2016-05-11 2017-11-16 Argela Yazilim Ve Bilisim Teknolojileri San. Ve Ti C. A.S. System and method for programmable network based encryption in software defined networks
CN110519259A (en) * 2019-08-23 2019-11-29 北京浪潮数据技术有限公司 Communication encryption configuration method, device and readable storage medium between cloud platform objects

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
MICHAEL PFEIFFER, MICHAEL ROSSBERG, FRANZ GIRLICH, GUENTER SCHAEFER: "Vector Packet Encapsulation: The Case for a Scalable IPsec Encryption Protocol", ACM Digital Library, 25 August 2020 (2020-08-25) *
孙为清, 赵轶群: "Design and Implementation of a Linux-based VPN Server (VS)", Computer Engineering and Applications, no. 01, 1 January 2002 (2002-01-01) *
汪海航, 师成江, 谭成翔: "Design and Implementation of the IKE Protocol in a Secure VPN Server", Application Research of Computers, no. 03, 28 March 2002 (2002-03-28), pages 51 - 55 *

Similar Documents

Publication Publication Date Title
EP3632057B1 (en) Distributed ipsec gateway
CN109150688B (en) IPSec VPN data transmission method and device
US10250578B2 (en) Internet key exchange (IKE) for secure association between devices
JP5746446B2 (en) Network node with network-attached stateless security offload device
US11729042B2 (en) IPSec acceleration method, apparatus, and system
US9992223B2 (en) Flow-based anti-replay checking
CN111756751B (en) Message transmission method and device and electronic equipment
CN116647425B (en) An IPSec-VPN implementation method, device, electronic device and storage medium of OVN architecture
CN115442063A (en) Charging data sending and receiving method and device, charging pile and vehicle terminal
US20180176230A1 (en) Data packet transmission method, apparatus, and system, and node device
CN113542431B (en) Information processing method, information processing device, electronic equipment and storage medium
WO2020140842A1 (en) Data transmission method, device and system
CN115664773A (en) Message processing method, device, storage medium and program product
CN113542156A (en) Message transmission method, device, terminal equipment and storage medium
CN115085949A (en) Data communication method and device based on national secret SSL transparent proxy
CN116738472B (en) Task data encryption method, device and equipment applied to task data interaction
CN117424739B (en) Message forwarding method and system based on DPU, user mode protocol stack and IP core
CN119583375A (en) Virtual private network communication method, device, equipment and readable storage medium
CN114553633B (en) Tunnel negotiation method and device
US20240106647A1 (en) Methods and systems of a packet orchestration to provide data encryption at the ip layer, utilizing a data link layer encryption scheme
CN116319165A (en) VPN flow forwarding method and device for distributed equipment
CN117675354A (en) Secure communication method, system, electronic equipment and computer storage medium
WO2024255483A1 (en) Data transmission method and related apparatus
CN116781248A (en) Encryption method, encryption device and key management system
CN119449438A (en) A transmission mode global quantum security encryption device and data processing method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination