IP Security (IPSec) is a layer-3 security protocol designed to provide high-quality, interoperable, cryptographically based protection for packets transmitted between two points.
The two points transmitting packets are referred to as IPSec peers. The connection between the IPSec peers is referred to as an IPSec tunnel.
In particular, the security protection of the packets transmitted between the IPSec peers is implemented according to a Security Association (SA). An SA is an agreement on parameters between two IPSec peers, e.g. which security protocol will be used between them, the encapsulation mode of that protocol, the encryption algorithm, the shared key used for protecting packets of a specific flow, and the lifetime of that key. An SA is unidirectional. Therefore, two associated SAs, one for each direction, are required on each endpoint to carry bidirectional traffic through one IPSec tunnel. In this description, the SA that the transmitting peer applies to packets entering the tunnel (encryption and integrity protection) is referred to as the ingress SA, and the SA that the receiving peer applies to packets leaving the tunnel (decryption and integrity check) is referred to as the egress SA; RFC 4301 calls these the outbound and inbound SA respectively.
In practice, an SA may be established in one of two ways: by manual configuration, or by negotiation through the Internet Key Exchange (IKE) protocol.
FIG. 1 is a schematic diagram illustrating a conventional IPSec tunnel networking model. As shown in FIG. 1, two gateways R1 and R2 are taken as exemplary IPSec peers, and R1 and R2 are respectively the start-point and the end-point of the IPSec tunnel. An SA is established between R1 and R2 through manual configuration or IKE negotiation. Host A transmits an ingress packet destined for host B to R1. R1, acting as the transmitter, first performs ingress IPSec processing such as encryption on the packet received from host A according to the SA information of the ingress SA (also referred to as ingress SA information), and then transmits the processed packet to R2 through the IPSec tunnel. R2, acting as the receiver, receives the encrypted packet from the IPSec tunnel and performs egress IPSec processing such as decryption and integrity check on the packet according to the SA information of the egress SA (also referred to as egress SA information). At the same time, other egress IPSec processing, such as authenticating the transmitter and anti-replay checking, may also be performed. Then R2 transmits the processed packet to host B. Thus R1 and R2, acting as apparatuses for ensuring packet transmission security, implement security protection for the packet transmission.
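The SA and the transmitter/receiver processing described in the two preceding paragraphs, as an added worked example in Go that is not part of this description or of any product it refers to. It assumes ESP-style processing with AES-GCM (RFC 4106), an ESP-like wire format of SPI, sequence number and explicit IV followed by ciphertext and tag, and the 64-packet sliding anti-replay window of RFC 4303; the `sa` type, its methods, and the SPI, salt, key and lifetime values are all constructed for the example. One `sa` instance plays R1's ingress SA and an identically parameterised instance plays R2's egress SA; a real bidirectional tunnel installs a second such pair for the R2 to R1 direction. The receiver checks the SPI, the sequence number and the integrity tag before it updates the replay window, so a forged or corrupted packet cannot consume a sequence number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// sa models one unidirectional Security Association: the negotiated parameters
// the text lists (cipher, key, lifetime) plus the per-packet ESP state (RFC 4303).
type sa struct {
	spi      uint32      // Security Parameter Index, carried in every packet
	aead     cipher.AEAD // AES-GCM (RFC 4106); nonce = salt || 8-byte explicit IV
	salt     [4]byte
	lifetime uint32 // packets the key may protect before a rekey (toy value)
	seq      uint32 // sender state: last sequence number sent
	highest  uint32 // receiver state: highest sequence number accepted
	window   uint64 // receiver state: bit i set => highest-i already received
}

func newSA(spi uint32, key []byte, salt [4]byte, lifetime uint32) (*sa, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // the AES block size is always valid for GCM
	return &sa{spi: spi, aead: aead, salt: salt, lifetime: lifetime}, nil
}

// protect is the transmitter side (R1 in the text). ESP-like wire format:
// SPI(4) | seq(4) | IV(8) | ciphertext | 16-byte tag. SPI and seq are sent in
// the clear but bound into the tag as additional authenticated data.
func (s *sa) protect(plaintext []byte) ([]byte, error) {
	if s.seq >= s.lifetime {
		return nil, errors.New("SA lifetime exhausted: rekey required")
	}
	s.seq++
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:4], s.spi)
	binary.BigEndian.PutUint32(hdr[4:8], s.seq)
	if _, err := rand.Read(hdr[8:16]); err != nil {
		return nil, err
	}
	nonce := append(s.salt[:], hdr[8:16]...)
	return s.aead.Seal(hdr, nonce, plaintext, append([]byte(nil), hdr[:8]...)), nil
}

// unprotect is the receiver side (R2 in the text): select the SA by SPI, reject
// replays, decrypt and verify integrity, and only then advance the window.
func (s *sa) unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < 16+s.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	if binary.BigEndian.Uint32(pkt[0:4]) != s.spi {
		return nil, errors.New("SPI does not select this SA")
	}
	seq := binary.BigEndian.Uint32(pkt[4:8])
	if seq == 0 || (seq <= s.highest && s.highest-seq >= 64) {
		return nil, errors.New("sequence number outside the anti-replay window")
	}
	if seq <= s.highest && s.window&(1<<(s.highest-seq)) != 0 {
		return nil, errors.New("replayed packet")
	}
	nonce := append(s.salt[:], pkt[8:16]...)
	plaintext, err := s.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return nil, errors.New("integrity check failed: packet discarded")
	}
	s.markSeen(seq)
	return plaintext, nil
}

// markSeen slides the 64-packet anti-replay window (RFC 4303 section 3.4.3).
func (s *sa) markSeen(seq uint32) {
	if seq <= s.highest {
		s.window |= 1 << (s.highest - seq)
		return
	}
	if shift := seq - s.highest; shift >= 64 {
		s.window = 0
	} else {
		s.window <<= shift
	}
	s.highest, s.window = seq, s.window|1
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	tx, _ := newSA(0x1001, key, [4]byte{1, 2, 3, 4}, 1000) // R1's ingress SA
	rx, _ := newSA(0x1001, key, [4]byte{1, 2, 3, 4}, 1000) // R2's egress SA, same parameters
	pkt, _ := tx.protect([]byte("packet from host A to host B"))
	pt, err := rx.unprotect(pkt)
	fmt.Printf("R2 accepted %q (err=%v)\n", pt, err)
	_, err = rx.unprotect(pkt)
	fmt.Println("R2 on a replayed copy:", err)
}
```

Run with `go run`. The order of checks in `unprotect` is the practical content of the integrity-check and anti-replay steps in the text: a packet whose tag fails verification is discarded before it touches the window, a packet re-injected later is rejected by its window bit, and a packet that arrives out of order but inside the window is still accepted.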
An existing apparatus for ensuring packet transmission security usually includes multiple interface units. The IPSec processing is performed by the processing board on which the interface units are located, generally referred to as an interface board; the interface board is equipped with a functional unit for implementing the IPSec processing. Different interface units correspond to different IPSec tunnels, so the IPSec processing of packets transmitted through different IPSec tunnels is performed on different interface boards, i.e. security protection is implemented in a distributed manner.