
EP-4136816-B1 - METHOD AND APPARATUS FOR SECURITY COMMUNICATION

Inventors

  • LIU, Renwang
  • WANG, JUN
  • LIU, Daiying

Dates

Publication Date
20260506
Application Date
20200417

Claims (13)

  1. A method (300) performed by a first communication device, comprising the steps of determining (304) whether a length of an Internet protocol, IP, datagram is larger than at least one threshold, wherein the threshold comprises two or more different thresholds; when the length of the IP datagram is larger than the at least one threshold, fragmenting (306) the IP datagram into two or more IP packets, wherein the length of each of the two or more IP packets is not larger than the at least one threshold and an IP header of each of the two or more IP packets is filled with fragmentation information, the fragmentation information comprising a flag in a first IP packet of the two or more IP packets, the flag indicating that the IP datagram has been fragmented into at least one other IP packet; processing (308) the two or more IP packets to generate two or more corresponding IP security, IPsec, packets, wherein the two or more corresponding IPsec packets are encapsulating security payload, ESP, packets; and sending (310) the two or more corresponding IPsec packets to a second communication device, wherein the two or more different thresholds comprise: a value of a path maximum transmission unit, PMTU, minus an IPsec packet encapsulation overhead; and a maximum data length value supported by hardware of the first communication device, wherein the hardware is used for packet encryption and decryption when processing the two or more IP packets to generate the two or more corresponding IPsec packets.
  2. The method according to claim 1, wherein the IPsec packet encapsulation overhead includes at least one of an encapsulate security payload, ESP, header length, a tunnel IP header length, an ESP trailer length and an algorithm integrity check value, ICV, length.
  3. The method according to any of claims 1-2, wherein a minimum of the two or more different thresholds is selected as the threshold.
  4. The method according to any one of claims 1-3, further comprising the steps of: when the length of the IP datagram is not larger than the at least one threshold, processing (606) the IP datagram to generate the two or more corresponding IPsec packets; and sending (608) the two or more corresponding IPsec packets to the second communication device.
  5. The method according to any one of claims 1-4, further comprising a step of obtaining (302) the at least one threshold.
  6. A method (700) performed by a second communication device, comprising the steps of receiving (702) two or more Internet protocol, IP, security, IPsec, packets from a first communication device, wherein the two or more IPsec packets are encapsulating security payload, ESP, packets; and processing (704) the two or more IPsec packets to obtain two or more corresponding IP packets, wherein the two or more corresponding IP packets are fragments of an IP datagram and are generated by fragmenting the IP datagram into the two or more corresponding IP packets when a length of the IP datagram is larger than at least one threshold, wherein the length of each of the two or more corresponding IP packets is not larger than the at least one threshold and an IP header of each of the two or more corresponding IP packets is filled with fragmentation information, the fragmentation information comprising a flag in a first IP packet of the two or more IP packets, the flag indicating that the IP datagram has been fragmented into at least one other IP packet, wherein the threshold comprises two or more different thresholds, wherein the two or more thresholds comprise: a value of a path maximum transmission unit, PMTU, minus an IPsec packet encapsulation overhead; and a maximum data length value supported by hardware of the first communication device, wherein the hardware is used for packet encryption and decryption when processing the two or more corresponding IP packets to generate the two or more IPsec packets.
  7. The method according to claim 6, wherein the IPsec packet encapsulation overhead includes at least one of an encapsulate security payload, ESP, header length, a tunnel IP header length, an ESP trailer length and an algorithm integrity check value, ICV, length.
  8. The method according to any of claims 6-7, wherein a minimum of the two or more different thresholds is selected as the threshold.
  9. The method according to any one of claims 6-8, wherein the second communication device is an end point of an IPsec tunnel.
  10. A first communication device (1000), comprising: a processor (1021); and a memory (1022) coupled to the processor (1021), said memory (1022) containing instructions executable by said processor (1021), which instructions, when executed by said processor (1021), cause said first communication device (1000) to: determine whether a length of an Internet protocol, IP, datagram is larger than at least one threshold, wherein the threshold comprises two or more different thresholds; when the length of the IP datagram is larger than the at least one threshold, fragment the IP datagram into two or more IP packets, wherein the length of each of the two or more IP packets is not larger than the at least one threshold and an IP header of each of the two or more IP packets is filled with fragmentation information, the fragmentation information comprising a flag in a first IP packet of the two or more IP packets, the flag indicating that the IP datagram has been fragmented into at least one other IP packet; process the two or more IP packets to generate two or more corresponding IP security, IPsec, packets, wherein the two or more corresponding IPsec packets are encapsulating security payload, ESP, packets; and send the two or more corresponding IPsec packets to a second communication device, wherein the two or more different thresholds comprise: a value of a path maximum transmission unit, PMTU, minus an IPsec packet encapsulation overhead; and a maximum data length value supported by hardware of the first communication device, wherein the hardware is used for packet encryption and decryption when processing the two or more IP packets to generate the two or more corresponding IPsec packets.
  11. The first communication device according to claim 10, wherein said processor (1021), when executing said instructions, causes said first communication device (1000) to perform all the steps of a method of any one of claims 2 to 5.
  12. A second communication device (1000), comprising: a processor (1021); and a memory (1022) coupled to the processor (1021), said memory (1022) containing instructions executable by said processor (1021), which instructions, when executed by said processor (1021), cause said second communication device (1000) to: receive two or more Internet protocol, IP, security, IPsec, packets from a first communication device; and process the two or more IPsec packets to obtain two or more corresponding IP packets, wherein the two or more corresponding IPsec packets are encapsulating security payload, ESP, packets, wherein the two or more corresponding IP packets are fragments of an IP datagram and are generated by fragmenting the IP datagram into the two or more corresponding IP packets when a length of the IP datagram is larger than at least one threshold, wherein the length of each of the two or more corresponding IP packets is not larger than the threshold and an IP header of each of the two or more corresponding IP packets is filled with fragmentation information, the fragmentation information comprising a flag in a first IP packet of the two or more IP packets, the flag indicating that the IP datagram has been fragmented into at least one other IP packet, wherein the threshold comprises two or more different thresholds; wherein the two or more different thresholds comprise: a value of a path maximum transmission unit, PMTU, minus an IPsec packet encapsulation overhead; and a maximum data length value supported by hardware of the first communication device, wherein the hardware is used for packet encryption and decryption when processing the two or more IP packets to generate the two or more corresponding IPsec packets.
  13. The second communication device according to claim 12, wherein said processor (1021), when executing said instructions, causes said second communication device (1000) to perform all the steps of a method of any one of claims 7 to 9.
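The procedure the independent claims describe, worked through as an added example (this is not code from the patent or from any implementation it cites): the sender computes the threshold as the minimum of (PMTU minus the ESP encapsulation overhead) and the crypto hardware's maximum data length, pre-fragments an IPv4 datagram that exceeds it so that every fragment header carries the identification, offset and more-fragments flag, and then accounts for the bytes each ESP tunnel-mode packet would occupy on the wire. Header sizes are the standard IPv4 (RFC 791) and ESP (RFC 4303) values; the PMTU of 1500, the hardware limit of 1400, the AES-GCM-style ESP parameters and the sample datagram are constructed values, and the encryption step itself is omitted since only the added length matters here. The receiver-side reassembly of claim 6 is included so the round trip can be checked.

```python
"""Pre-fragmentation before ESP encapsulation (the procedure of claims 1-6).

Added example; not code from the patent. Header sizes are the standard IPv4
(RFC 791) and ESP (RFC 4303) values; the PMTU, hardware limit and sample
datagram in demo() are constructed. Encryption is left out: the ESP step
only accounts for the bytes the encapsulation adds.
"""
import struct
from dataclasses import dataclass

IPV4_HEADER_LEN = 20  # outer tunnel header and inner header, no options
ESP_HEADER_LEN = 8    # SPI (4) + sequence number (4)
ESP_TRAILER_LEN = 2   # pad length (1) + next header (1), excluding padding
FRAG_UNIT = 8         # IPv4 fragment offsets count 8-octet units
FLAG_DF, FLAG_MF = 0x4000, 0x2000


@dataclass(frozen=True)
class EspParams:
    iv_len: int     # explicit IV carried in the ESP payload (8 for AES-GCM)
    block_len: int  # pad so plaintext + trailer is a multiple of this (4 for AES-GCM)
    icv_len: int    # integrity check value length (16 for AES-GCM-128)


def esp_overhead(p):
    """Worst-case tunnel-mode ESP overhead (claim 2: tunnel IP header, ESP
    header, ESP trailer and ICV, plus the IV and the maximum padding)."""
    return (IPV4_HEADER_LEN + ESP_HEADER_LEN + p.iv_len + (p.block_len - 1)
            + ESP_TRAILER_LEN + p.icv_len)


def esp_packet_len(inner_len, p):
    """Exact on-the-wire length once an inner IP packet of inner_len bytes is encapsulated."""
    padding = (-(inner_len + ESP_TRAILER_LEN)) % p.block_len
    return (IPV4_HEADER_LEN + ESP_HEADER_LEN + p.iv_len + inner_len + padding
            + ESP_TRAILER_LEN + p.icv_len)


def fragmentation_threshold(pmtu, hw_max_data_len, p):
    """Claims 1 and 3: the smaller of (PMTU - overhead) and the hardware limit."""
    return min(pmtu - esp_overhead(p), hw_max_data_len)


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words; 0 when run over a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(ident, flags_offset, payload_len, proto, src, dst):
    """Minimal 20-byte IPv4 header (TTL 64) with a valid checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len,
                              ident, flags_offset, 64, proto, 0, src, dst))
    struct.pack_into("!H", h, 10, ipv4_checksum(h))
    return bytes(h)


def fragment_datagram(datagram, threshold):
    """Claim 1, step 306: if the datagram exceeds the threshold, split it into
    fragments no longer than the threshold; each fragment header keeps the original
    identification and carries its 8-octet offset and MF on every fragment but the last."""
    if len(datagram) <= threshold:
        return [datagram]
    header, payload = datagram[:IPV4_HEADER_LEN], datagram[IPV4_HEADER_LEN:]
    ident, flags_offset = struct.unpack("!HH", header[4:8])
    if flags_offset & FLAG_DF:
        raise ValueError("DF set: the sender forbade fragmentation")
    chunk = (threshold - IPV4_HEADER_LEN) // FRAG_UNIT * FRAG_UNIT
    if chunk <= 0:
        raise ValueError("threshold leaves no room for payload")
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = FLAG_MF if off + chunk < len(payload) else 0
        fh = build_ipv4_header(ident, more | off // FRAG_UNIT, len(piece), header[9],
                               header[12:16], header[16:20])
        frags.append(fh + piece)
    return frags


def reassemble(fragments):
    """Receiver side (claim 6): order fragments by offset and rebuild the datagram."""
    frags = sorted(fragments, key=lambda f: struct.unpack("!H", f[6:8])[0] & 0x1FFF)
    if struct.unpack("!H", frags[-1][6:8])[0] & FLAG_MF:
        raise ValueError("last fragment missing")
    payload = b"".join(f[IPV4_HEADER_LEN:] for f in frags)
    first = frags[0]
    return build_ipv4_header(struct.unpack("!H", first[4:6])[0], 0, len(payload),
                             first[9], first[12:16], first[16:20]) + payload


def demo():
    p = EspParams(iv_len=8, block_len=4, icv_len=16)        # AES-GCM-128 style ESP
    threshold = fragmentation_threshold(pmtu=1500, hw_max_data_len=1400, p=p)
    payload = bytes(i % 256 for i in range(3000))             # constructed sample payload
    datagram = build_ipv4_header(0x1234, 0, len(payload), 17,
                                 b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload
    frags = fragment_datagram(datagram, threshold)
    wire = [esp_packet_len(len(f), p) for f in frags]         # ESP packet sizes on the wire
    return threshold, frags, wire, reassemble(frags) == datagram


if __name__ == "__main__":
    threshold, frags, wire, ok = demo()
    print("threshold", threshold, "fragments", [len(f) for f in frags], "esp", wire, "ok", ok)
```

With these constructed values the hardware limit (1400) is the binding threshold rather than PMTU minus overhead (1443), a 3020-byte datagram becomes three fragments of 1396, 1396 and 268 bytes, and every resulting ESP packet stays under the 1500-byte PMTU, so no router on the untrusted path has to fragment the ESP packets.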

Description

TECHNICAL FIELD

The present disclosure generally relates to the technical field of communications, and specifically to methods and apparatuses for security communication.

BACKGROUND

This section introduces aspects that may facilitate a better understanding of the disclosure. Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is in the prior art or what is not in the prior art.

In a communication network, security communication between two communication devices may be provided according to various communication protocols. For example, the Internet protocol (IP) security (IPsec) protocol can provide security services for IP packets such as encrypting sensitive data, authentication, protection against replay and data confidentiality. Encapsulating Security Payload (ESP) and Authentication Header (AH) are the two IPsec security protocols used to provide these security services.

IPsec can be configured to operate in two different modes: tunnel mode and transport mode. Use of each mode may depend on the requirements and implementation of IPsec. IPsec tunnel mode may be the default mode. In tunnel mode, the entire original IP packet is protected by IPsec. This means IPsec wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN (Virtual Private Network) tunnel (e.g., the IPsec peer). Tunnel mode may be used between gateways, or from an end-station to a gateway, the gateway acting as a proxy for the hosts behind it. Tunnel mode is used to encrypt traffic between secure IPsec gateways.

IPsec transport mode may be used for end-to-end communications, for example for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host). Transport mode protects the IP payload, which may include the TCP/UDP (Transmission Control Protocol/User Datagram Protocol) header plus data, through an AH or ESP header. The payload is encapsulated by the IPsec headers and trailers. The original IP headers remain intact, except that the IP protocol field is changed to ESP (50) or AH (51), and the original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted.

Request for Comments (RFC) 4303 (December 2005) defines the IP Encapsulating Security Payload (ESP). RFC 4303 (December 2005) describes how to handle large data packets. For example, if necessary, fragmentation is performed after ESP processing within an IPsec implementation. Thus, transport mode ESP is applied only to whole IP datagrams (not to IP fragments). An IP packet to which ESP has been applied may itself be fragmented by routers en route, and such fragments must be reassembled prior to ESP processing at a receiver. In tunnel mode, ESP is applied to an IP packet, which may be a fragment of an IP datagram. An ESP implementation may choose not to support fragmentation and may mark transmitted packets with the Don't Fragment (DF) bit, to facilitate PMTU (Path MTU (maximum transmission unit)) discovery.

Piriyath et al: "Path Maximum Transmission Unit Discovery (PMTUD) For IPsec Tunnels Using The Internet Key Exchange Protocol (IKE) Version 2", January 17, 2018, discloses a PMTUD procedure that leverages IKE version 2. US 2009/249059 discloses a packet encryption method for encrypting an IP packet communicated based on an internet protocol. US 2008/075073 discloses security encapsulation of Ethernet frames. Kent S et al: "IP Encapsulating Security Payload (ESP)", November 1998, discloses IP ESP. Kent S et al: "Security Architecture for the Internet Protocol", November 1998, discloses a security architecture for IP. Ericsson: "IP Fragmentation", 3GPP, TSG RAN, Working Group 3 (WG3) #55, vol. R3-070616, 27 March 2007, discloses IP fragmentation. US 2002/188871 discloses a system and method for managing security packet processing. CN 104 283 854 discloses an IPsec-based method for transmitting large data volumes in a VPN.

SUMMARY

The present invention is defined in the appended independent claims, to which reference should be made. Advantageous features are set out in the appended dependent claims. This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

However, RFC 4303 (December 2005) does not define what to do, or how, for large packets in order to adapt to some scenarios. For example, in IPsec tunnel mode, the ESP packets may be fragmented by a communication device such as a router on the way to an IPsec peer in an untrusted network. Moreover, it is hard to know the MTU of every communication device such as a router in the untrusted network, especially when those communication devices do not support the PMTU protocol. In additio