
CN116980150A - Message transmission method and related equipment - Google Patents

Message transmission method and related equipment

Info

Publication number
CN116980150A
CN116980150A (application number CN202210434246.4A)
Authority
CN
China
Prior art keywords
message
target message
sender
thread
identification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210434246.4A
Other languages
Chinese (zh)
Inventor
史玉林
韩涛
任广涛
赵凤华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huawei Digital Technologies Co Ltd
Original Assignee
Beijing Huawei Digital Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huawei Digital Technologies Co Ltd
Priority to CN202210434246.4A
Publication of CN116980150A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L47/82 Miscellaneous aspects
    • H04L47/825 Involving tunnels, e.g. MPLS
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a message transmission method and related equipment. In the application, after the network device confirms that a received packet needs to be encrypted, it encrypts the packet to generate a target message. The target message includes a sender identifier, which indicates the identity information of the network device. Therefore, in many-to-one, many-to-many and one-to-many scenarios, the device receiving the target message can determine the source of the target message from the sender identifier, ordered transmission of service messages can be achieved without a complex deployment, and network overhead is reduced.

Description

Message transmission method and related equipment

Technical field

This application relates to the field of communications, and in particular to a message transmission method and related equipment.

Background

Internet Protocol Security (IPsec) is a suite of protocols that provides interoperable, high-quality, cryptography-based security services for Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The security services provided by IPsec are provided at the Internet Protocol (IP) layer. IPsec protects, in a standard way, the IP layer and all protocols carried over it. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPsec supports tunnel mode and transport mode. In tunnel mode, the entire IP packet to be protected is encapsulated in a new IP packet as the payload of that packet, and a new IP header is added on the outside. In transport mode, only the transport-layer data is used to compute the authentication option header (Authentication option header, AH) or the encapsulating security payload header; the AH or encapsulating security payload header and the encrypted transport-layer data are placed after the original IP header. AH in transport mode authenticates the IP header, whereas the encapsulating security payload in transport mode protects neither the IP header nor the extension headers that precede the encapsulating security payload header.

With the rapid development of IPv6+ services, new requirements for transport-plane encryption have emerged. IPsec, however, is a one-to-one (peer-to-peer, P2P) encrypted tunnel. In many-to-one, many-to-many and one-to-many scenarios, plane encryption can only be achieved by establishing a full mesh of IPsec tunnels (FULLMESH IPsec Tunnel), which is complex to deploy and incurs high network overhead.

Summary of the invention

This application provides a message transmission method and related equipment. In this application, the target message includes a sender identifier, which indicates the identity information of the network device. Therefore, in many-to-one, many-to-many and one-to-many scenarios, the device receiving the target message can determine the source of the target message from the sender identifier, ordered transmission of messages can be achieved without a complex deployment, and network overhead is reduced.

A first aspect of this application provides a message transmission method, in which: a network device receives a packet; the network device confirms that the packet needs to be encrypted; and the network device encrypts the packet to generate a target message, where the target message includes a sender identifier that indicates the identity information of the network device.

In this application, after the network device confirms that the received packet needs to be encrypted, it encrypts the packet to generate a target message. The target message includes a sender identifier, which indicates the identity information of the network device. Therefore, in many-to-one, many-to-many and one-to-many scenarios, the device receiving the target message can determine the source of the target message from the sender identifier, ordered transmission of service messages can be achieved without a complex deployment, and network overhead is reduced.

In a possible implementation of the first aspect, the target message further includes a thread identifier, which indicates the identifier of the thread that processes the target message in the device receiving the target message.

In this possible implementation, the target message may include a thread identifier (window id). The window id indicates the identifier of the thread that processes the target message in the receiving device, that is, the id of the heterogeneous processor core. If the packets sharing the same 5-tuple are called a flow, multiple target messages can be assigned to multiple processor cores via different window ids. This solves the problem of a single heterogeneous processor core having insufficient processing capacity for one high-bandwidth flow and improves the processing efficiency of target messages.

In a possible implementation of the first aspect, the target message includes an encapsulating security payload header (ESP), and the ESP includes the sender identifier and/or the thread identifier.

This possible implementation provides a specific way of carrying the sender identifier and/or the thread identifier. When the Encapsulating Security Payload (ESP) header includes the sender identifier and/or the thread identifier, they are carried within the standard encapsulation format, which makes it easier for the device receiving the target message to interoperate with the network device and improves the feasibility of the solution.

In a possible implementation of the first aspect, the target message includes a destination option header (DOH), and the DOH includes the sender identifier and/or the thread identifier.

This possible implementation provides a specific way of carrying the sender identifier and/or the thread identifier. The destination option header (DOH) is processed at the end node and does not require additional tunnel information to indicate the encryption endpoint; the node itself can serve as the end node of the encrypted tunnel, which improves the feasibility of the solution.

In a possible implementation of the first aspect, the DOH including the sender identifier and/or the thread identifier comprises: an option type-length-value (TLV) of the DOH includes the sender identifier and/or the thread identifier.

This possible implementation provides a specific way of carrying the sender identifier and/or the thread identifier, which improves the feasibility of the solution.

In a possible implementation of the first aspect, the target message includes a sequence number, and the sequence number, the sender identifier and/or the thread identifier together form an IV value, which is used to encrypt the packet.

In this possible implementation, assume that the target message includes a sequence number, a sender identifier (sender id) and a thread identifier (window id). For encryption algorithms that require an IV to be secure, the IV can be derived from the combination sender id||window id||sequence number. Thus the IV need not be carried in clear text in the message payload, which reduces the overhead of message encapsulation.

In a possible implementation of the first aspect, the target message includes an SPI and an AN, and the SPI and AN together indicate the security parameters.

In this possible implementation, optionally, the AN and the SPI together form the security parameter indication. Two bits, with values 00/01/10/11, are used for a lightweight SA update mechanism in which the key is updated while the other SA parameters remain unchanged. Only the key needs to be indicated via the AN, and the control plane does not need to create or tear down SAs, which reduces the control-plane load across the network and saves network overhead.

A second aspect of this application provides a message transmission method, which includes: a network device receives a target message, where the target message includes a sender identifier that indicates the identity information of the device sending the target message; and the network device decrypts the target message.

In this application, the network device receives a target message that includes a sender identifier, which indicates the identity information of the device that sent the target message. Therefore, in many-to-one, many-to-many and one-to-many scenarios, the network device receiving the target message can determine the source of the target message from the sender identifier, ordered transmission of service messages can be achieved without a complex deployment, and network overhead is reduced.

In a possible implementation of the second aspect, the target message further includes a thread identifier, which indicates the identifier of the thread that processes the target message in the device receiving the target message.

In this possible implementation, the target message may include a thread identifier (window id). The window id indicates the identifier of the thread that processes the target message in the receiving device, that is, the id of the heterogeneous processor core. If the packets sharing the same 5-tuple are called a flow, multiple target messages can be assigned to multiple processor cores via different window ids. This solves the problem of a single heterogeneous processor core having insufficient processing capacity for one high-bandwidth flow and improves the processing efficiency of target messages.

In a possible implementation of the second aspect, the target message includes an encapsulating security payload header (ESP), and the ESP includes the sender identifier and/or the thread identifier.

This possible implementation provides a specific way of carrying the sender identifier and/or the thread identifier, which improves the feasibility of the solution.

In a possible implementation of the second aspect, the target message includes a destination option header (DOH), and the DOH includes the sender identifier and/or the thread identifier.

This possible implementation provides a specific way of carrying the sender identifier and/or the thread identifier, which improves the feasibility of the solution.

In a possible implementation of the second aspect, the DOH including the sender identifier and/or the thread identifier comprises: an option TLV of the DOH includes the sender identifier and/or the thread identifier.

This possible implementation provides a specific way of carrying the sender identifier and/or the thread identifier, which improves the feasibility of the solution.
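As an added illustration of the DOH option TLV described in the first and second aspects (this is not the patent's own encoding: the patent fixes neither the option type nor the field widths), the following Python builds and parses an IPv6 Destination Options header (RFC 8200 section 4.6) whose single option carries the sender id followed by the window id. The option type 0x1E is the RFC 4727 experimental value, used here only as a placeholder; the 32-bit width of both ids and the use of "No Next Header" (59) as the following header are assumptions made for the example.

```python
import struct

NH_NO_NEXT = 59          # IPv6 "No Next Header" value (RFC 8200), sample next-header only
OPT_PAD1, OPT_PADN = 0x00, 0x01
# Placeholder option type (RFC 4727 experimental value 0x1E). Its two high bits are 00,
# so a node that does not recognise it skips it; the "may change en route" bit is 0.
OPT_SENDER_WINDOW = 0x1E


def build_doh(next_header: int, sender_id: int, window_id: int) -> bytes:
    """Destination Options header carrying sender id || window id in one option TLV."""
    # Option type at offset 2 satisfies the 4n+2 alignment so the 32-bit ids start at offset 4.
    body = bytes([OPT_SENDER_WINDOW, 8]) + struct.pack("!II", sender_id, window_id)
    # The whole extension header must be a multiple of 8 octets: pad with Pad1 or PadN.
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad > 1:
        body += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(body)) // 8 - 1   # in 8-octet units, not counting the first 8
    return bytes([next_header, hdr_ext_len]) + body


def parse_doh(buf: bytes) -> dict:
    """Walk the option TLVs of a Destination Options header at the start of buf."""
    next_header, hdr_ext_len = buf[0], buf[1]
    total = (hdr_ext_len + 1) * 8
    if len(buf) < total:
        raise ValueError("truncated Destination Options header")
    out = {"next_header": next_header, "sender_id": None, "window_id": None}
    i = 2
    while i < total:
        opt_type = buf[i]
        if opt_type == OPT_PAD1:           # Pad1 has no length byte
            i += 1
            continue
        opt_len = buf[i + 1]
        if i + 2 + opt_len > total:
            raise ValueError("option data runs past the header end")
        data = buf[i + 2:i + 2 + opt_len]
        if opt_type == OPT_SENDER_WINDOW:
            if opt_len != 8:
                raise ValueError("sender/window option must carry exactly 8 octets")
            out["sender_id"], out["window_id"] = struct.unpack("!II", data)
        elif opt_type != OPT_PADN and (opt_type >> 6) != 0:
            # High bits 01/10/11 on an unrecognised option mean the packet must be discarded.
            raise ValueError(f"unrecognised option 0x{opt_type:02x} requires discard")
        i += 2 + opt_len
    return out


if __name__ == "__main__":
    hdr = build_doh(NH_NO_NEXT, sender_id=1, window_id=7)
    print(hdr.hex(), parse_doh(hdr))
```

The parser deliberately honours the action bits of unknown option types: a receiver that silently skipped a discard-class option would accept headers that the standard says to drop, which is the kind of lenient parsing that later turns into a policy bypass.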

In a possible implementation of the second aspect, the target message includes a sequence number, and the sequence number, the sender identifier and/or the thread identifier together form an IV value, which is used to encrypt the packet.

In this possible implementation, assume that the target message includes a sequence number, a sender identifier (sender id) and a thread identifier (window id). For encryption algorithms that require an IV to be secure, the IV can be derived from the combination sender id||window id||sequence number. Thus the IV need not be carried in clear text in the message payload, which reduces the overhead of message encapsulation.

In a possible implementation of the second aspect, the target message includes an SPI and an AN, and the SPI and AN together indicate the security parameters.

In this possible implementation, optionally, the AN and the SPI together form the security parameter indication. Two bits, with values 00/01/10/11, are used for a lightweight SA update mechanism in which the key is updated while the other SA parameters remain unchanged. Only the key needs to be indicated via the AN, and the control plane does not need to create or tear down SAs, which reduces the control-plane load across the network and saves network overhead.
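The following Python is an added worked example, not the patent's code, modelling the mechanisms described in both the first (sending) and second (receiving) aspects: the IV derived as sender id || window id || sequence number rather than carried in clear, the AN selecting one of four key slots of the SA identified by the SPI so that a rekey does not create a new SA, and the window id selecting the processing core. All field widths (a 30-bit SPI sharing a word with the 2-bit AN, 32-bit sender and window ids, a 32-bit sequence number), the header layout, the four-slot SA, and the HMAC-SHA256 keystream that stands in for an IV-based cipher such as AES-GCM are assumptions made for this example; the senders PE1 and PE2, their keys and payloads are constructed.

```python
import hashlib
import hmac
import struct

# Assumed header (constructed for this example): SPI<<2 | AN, sender id, window id, seq.
HDR = struct.Struct("!IIII")
TAG_LEN = 16


def derive_iv(sender_id: int, window_id: int, seq: int) -> bytes:
    """IV = sender id || window id || sequence number (12 bytes); nothing extra is sent."""
    return struct.pack("!III", sender_id, window_id, seq)


def encode_header(spi: int, an: int, sender_id: int, window_id: int, seq: int) -> bytes:
    if not (0 <= an <= 3 and 0 <= spi < (1 << 30)):
        raise ValueError("AN is 2 bits, SPI is 30 bits in this layout")
    return HDR.pack((spi << 2) | an, sender_id, window_id, seq)


def decode_header(buf: bytes) -> dict:
    word, sender_id, window_id, seq = HDR.unpack_from(buf)
    return {"spi": word >> 2, "an": word & 0x3, "sender_id": sender_id,
            "window_id": window_id, "seq": seq}


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for an IV-driven cipher: HMAC-SHA256 in counter mode (NOT AES-GCM)."""
    stream = b"".join(hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Sender side: encrypt the payload under the derived IV, then MAC header + ciphertext."""
    h = decode_header(header)
    ct = keystream_xor(key, derive_iv(h["sender_id"], h["window_id"], h["seq"]), payload)
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


class SecurityAssociation:
    """One SA per SPI with four key slots; the AN value selects the slot."""
    def __init__(self, keys):
        self.keys = list(keys)          # index == AN value 0..3

    def rekey(self, an: int, new_key: bytes):
        self.keys[an] = new_key         # only the key changes; the SA itself stays


class Receiver:
    def __init__(self, sa_table: dict, n_cores: int):
        self.sa_table, self.n_cores = sa_table, n_cores
        self.last_seq = {}              # (spi, sender id, window id) -> highest seq accepted

    def receive(self, msg: bytes):
        header, body, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
        h = decode_header(header)
        key = self.sa_table[h["spi"]].keys[h["an"]]
        expect = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expect, tag):
            raise ValueError("authentication failed")
        stream = (h["spi"], h["sender_id"], h["window_id"])
        if h["seq"] <= self.last_seq.get(stream, -1):  # simplified replay / IV-reuse check
            raise ValueError("replayed sequence number (would also mean IV reuse)")
        self.last_seq[stream] = h["seq"]
        core = h["window_id"] % self.n_cores                # window id picks the core
        iv = derive_iv(h["sender_id"], h["window_id"], h["seq"])
        return core, keystream_xor(key, iv, body)


def demo() -> dict:
    """Many-to-one: PE1 (sender id 1) and PE2 (sender id 2) share SPI 0x1234 and key slot 0."""
    k0, k1 = b"k0" * 16, b"k1" * 16                        # constructed sample keys
    sa = SecurityAssociation([k0, b"unused1", b"unused2", b"unused3"])
    rx = Receiver({0x1234: sa}, n_cores=4)
    out = {}
    out["pe1"] = rx.receive(seal(k0, encode_header(0x1234, 0, 1, 7, 100), b"from PE1"))
    out["pe2"] = rx.receive(seal(k0, encode_header(0x1234, 0, 2, 7, 100), b"from PE2"))
    sa.rekey(1, k1)                                         # lightweight rekey: AN 0 -> 1
    out["pe1_rekeyed"] = rx.receive(seal(k1, encode_header(0x1234, 1, 1, 7, 101), b"after rekey"))
    try:                                                    # re-deliver PE1's first message
        rx.receive(seal(k0, encode_header(0x1234, 0, 1, 7, 100), b"from PE1"))
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Because the IV is a deterministic function of (sender id, window id, sequence number), every sender that shares an SPI and key must hold a distinct sender id and must never reuse a sequence number under the same key slot; PE1 and PE2 above both use sequence number 100 safely only because their sender ids differ. The receiver rejects a non-increasing sequence number per (SPI, sender id, window id) stream, which catches replays and accidental IV reuse alike; a production receiver would use a sliding anti-replay window rather than strict ordering so that reordered packets are not dropped.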

A third aspect of this application provides a network device that includes at least one processor, a memory and a communication interface. The processor is coupled to the memory and the communication interface. The memory stores instructions, the processor executes the instructions, and the communication interface communicates with other network devices under the control of the processor. When executed by the processor, the instructions cause the network device to perform the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect.

A fourth aspect of this application provides a computer-readable storage medium storing a program that causes a network device to perform the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect.

A fifth aspect of this application provides a computer program product storing one or more computer-executable instructions. When the computer-executable instructions are executed by a processor, the processor performs the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect.

A sixth aspect of this application provides a chip that includes a processor and a communication interface, where the processor is coupled to the communication interface and reads instructions to perform the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect.

A seventh aspect of this application provides a network system that includes a network device, on which the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect, may be performed.

Description of the drawings

Figure 1 is a schematic diagram of an application scenario of a message transmission method provided by this application;

Figure 2 is a schematic diagram of another application scenario of a message transmission method provided by this application;

Figure 3 is a schematic diagram of another application scenario of a message transmission method provided by this application;

Figure 4 is a schematic flow chart of a message transmission method provided by this application;

Figure 5 is a schematic diagram of a target message provided by this application;

Figure 6 is a schematic diagram of an ESP standard header provided by this application;

Figure 7 is a schematic diagram of an ESP extension header provided by this application;

Figure 8 is another schematic diagram of a target message provided by this application;

Figure 9 is a schematic diagram of a DOH header provided by this application;

Figure 10 is a flow chart of an encryption method provided by this application;

Figure 11 is another flow chart of an encryption method provided by this application;

Figure 12 is a flow chart of a decryption method provided by this application;

Figure 13 is another flow chart of another decryption method provided by this application;

Figure 14 is a schematic diagram of an anti-replay principle provided by this application;

Figure 15 is a schematic diagram of a network device provided by this application;

Figure 16 is another schematic diagram of a network device provided by this application;

Figure 17 is another schematic diagram of a network device provided by this application.

Detailed description of embodiments

The examples provided by this application are described below with reference to the drawings. Clearly, the described examples are only some of the examples of this application, not all of them. Persons of ordinary skill in the art will recognize that, as technology develops and new scenarios emerge, the technical solutions provided by this application apply equally to similar technical problems.

The terms "first", "second" and so on in the description, the claims and the drawings of this application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the examples described here can be carried out in an order other than that illustrated or described here. Furthermore, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.

"And/or" in this application merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B both exist, or that B exists alone, where A and B may be singular or plural. In the description of this application, unless otherwise stated, "multiple" means two or more. "At least one of the following items" or similar expressions refers to any combination of those items, including any combination of a single item or of multiple items. For example, at least one of a, b or c may mean a, b, c, a-b, a-c, b-c or a-b-c, where a, b and c may each be single or multiple.

Internet Protocol Security (IPsec) is a suite of protocols that provides interoperable, high-quality, cryptography-based security services for Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The security services provided by IPsec are provided at the Internet Protocol (IP) layer. IPsec protects, in a standard way, the IP layer and all protocols carried over it. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

IPsec supports tunnel mode and transport mode. In tunnel mode, the entire IP packet to be protected is encapsulated in a new IP packet as the payload of that packet, and a new IP header is added on the outside. In transport mode, only the transport-layer data is used to compute the authentication option header (Authentication option header, AH) or the encapsulating security payload header; the AH or encapsulating security payload header and the encrypted transport-layer data are placed after the original IP header. AH in transport mode authenticates the IP header, whereas the encapsulating security payload in transport mode protects neither the IP header nor the extension headers that precede the encapsulating security payload header.

With the rapid development of IPv6+ services, new requirements for transport-plane encryption have emerged. IPsec, however, is a one-to-one (peer-to-peer, P2P) encrypted tunnel. In many-to-one, many-to-many and one-to-many scenarios, plane encryption can only be achieved by establishing a full mesh of IPsec tunnels (FULLMESH IPsec Tunnel), which is complex to deploy and incurs high network overhead.

To solve the problems of the above approach, this application provides a message transmission method and related equipment. In this application, the target message includes a sender identifier, which indicates the identity information of the network device. Therefore, in many-to-one, many-to-many and one-to-many scenarios, the device receiving the target message can determine the source of the target message from the sender identifier, ordered transmission of messages can be achieved without a complex deployment, and network overhead is reduced.

The application scenarios of the message transmission method provided by this application are introduced first.

Figure 1 is a schematic diagram of an application scenario of a message transmission method provided by this application.

In this application, as shown in Figure 1, the network system that applies the message transmission method provided by this application consists mainly of customer network nodes and a LAN network. The LAN network carries the forwarding of the customer network nodes' IP packets mainly through PE devices. It should be understood that the destination of an IP packet is not fixed, and the specific destination is not limited here. As shown in Figure 1, assume that during one period the IP packets sent by customer network node A are destined for customer network node C, while during other periods the IP packets sent by customer network node A are destined for customer network node B; the specific destination is determined by the destination MAC or destination IP in the IP packet.

Figure 2 is a schematic diagram of another application scenario of a message transmission method provided by this application.

In this application, as shown in Figure 2, PE1, PE2 and PE3 each establish forwarding relationships with one another. Optionally, the forwarding relationship may be established by building an MPLS tunnel via the Multiprotocol Label Switching (MPLS)/Label Distribution Protocol (LDP) protocols, by forming a routing and forwarding relationship via Border Gateway Protocol (BGP)/Interior Gateway Protocol (IGP) routing, by a controller delivering a forwarding policy that forms a forwarding tunnel, such as an SRv6 policy, or via a forwarding relationship established by another protocol. How the forwarding relationship is established is not specifically limited in this application, as long as an MP2P forwarding relationship can be formed between PE1, PE2 and PE3.

Figure 3 is a schematic diagram of another application scenario of a message transmission method provided by this application.

In this application, as shown in Figure 3, PE1 establishes a multicast forwarding relationship with PE3 and PE4, and PE2 establishes a multicast forwarding relationship with PE3 and PE4. The forwarding relationship may be established via the PIM protocol, MPVPN and so on; how it is established is not limited in this application, as long as a multicast forwarding relationship can be formed between PE1, PE2 and PE3.

本申请中,如图3所示,PE1和PE2的组播源节点形成互为保护,保证组播业务的网络可靠性。PE1、PE2、PE3、PE4形成组播加密组,保证组播数据在网络传输安全。PE1和PE2对于相同的组播频道使用发送者标识以标识不同的组播源,若两个不同组播源互为保护,系统可以分配两个组播源为不同的sender id。下述表一便说明了Key、组播源和Multi-core之间的映射关系。In this application, as shown in Figure 3, the multicast source nodes of PE1 and PE2 form mutual protection to ensure network reliability of multicast services. PE1, PE2, PE3, and PE4 form a multicast encryption group to ensure the security of multicast data transmission on the network. PE1 and PE2 use sender IDs for the same multicast channel to identify different multicast sources. If two different multicast sources protect each other, the system can assign different sender IDs to the two multicast sources. The following Table 1 illustrates the mapping relationship between Key, multicast source and Multi-core.

Table 1

In this application, PE4 or PE3 can establish a multicast sequence number anti-replay check mechanism. The message encapsulation format and the encryption and decryption flows are described below.

Based on the application scenarios described in Figures 1 to 3, the message transmission method provided by this application is introduced.

Figure 4 is a schematic flowchart of a message transmission method provided by this application. One example of the method includes steps 101 to 105.

101. Network device A receives a packet.

102. Network device A confirms that the packet needs to be encrypted.

In this application, the network device can receive a packet and then confirm whether the packet needs to be encrypted. This process is illustrated below with reference to Figure 2.

In this application, as shown in Figure 2, PE1 and PE3 can establish an encryption security association (SA) relationship, and PE2 and PE3 can also establish an encryption SA relationship. The forwarding mechanism between PE2 and PE3 is similar to that between PE1 and PE3; the forwarding mechanism between PE1 and PE3 is described in detail below.

In this application, assume that customer network node A sends a packet whose destination is customer network node C. PE1 (the network device) receives the packet from customer network node A. Based on the SA relationship formed between PE1 and PE3, PE1 checks whether the packet from customer network node A matches the encryption flow selector rule. If it matches the encryption flow selector rule, the packet is encrypted; if it does not match, the packet is not encrypted.

103. Network device A encrypts the packet to generate a target message.

In this application, the target message includes a sender identifier (sender id), and the sender identifier indicates the identity information of the network device.

For example, as shown in Figure 2, if PE3 receives a target message forwarded by PE1, the sender identifier included in the target message indicates the identity information of PE1. If PE3 receives a target message forwarded by PE2, the sender identifier included in the target message indicates the identity information of PE2.

104. Network device B receives the target message;

105. Network device B decrypts the target message.

In this application, after the network device confirms that the received packet needs to be encrypted, the network device encrypts the packet to generate a target message. The target message includes a sender identifier, and the sender identifier indicates the identity information of the network device. Therefore, in many-to-one, many-to-many and one-to-many scenarios, the device receiving the target message can learn the source of the target message from the sender identifier, so ordered transmission of service messages is achieved without a complicated deployment, which reduces network overhead.

In this application, the target message mentioned in the above method example may also include a thread identifier, which identifies the thread that processes the target message in the device that receives the target message.

In this application, the network device can generate the target message through different encryption methods. With different encryption methods, the sender identifier and the thread identifier sit at different positions in the target message; the specific implementations are set out in the examples below.

Method 1: use an ESP header for encryption and integrity processing of the packet.

Figure 5 is a schematic diagram of a target message provided by this application.

Referring to Figure 5, Figure 5 shows the encapsulation format of an IPv6 packet encrypted with an ESP header, where the ESP header indicates the encryption and integrity functions. The ESP header may use the standard encapsulation format or the extended encapsulation header format.

In this application, the ESP header in Figure 5 may include the sender identifier and/or the thread identifier. Optionally, the sender identifier and/or thread identifier may be carried in any field of the ESP header; the specific position is not limited in this application.

Figure 6 is a schematic diagram of an ESP standard header provided by this application.

As shown in Figure 6, Figure 6 shows an ESP standard encapsulation format with Next Header=50, where the ESP header contains SPI, Sequence Number and other parameters. In order to identify, from the target message, the device that sent the target message, a sender identifier can optionally be added to the ESP header.

Figure 7 is a schematic diagram of an ESP extension header provided by this application.

As shown in Figure 7, Figure 7 shows another ESP encapsulation format, with Next Header=144; the definitive value of Next Header must be assigned by the Internet Assigned Numbers Authority (IANA). The ESP extension header can contain:

(1) SPI||S||AN.

In this application, the SPI||S||AN field is 4 octets long. SPI is the security parameter indicator and occupies 28 bits. Optionally, the ESP extension header can include a sender identifier (sender id) and/or a thread identifier (window id). Assuming the ESP extension header can include both sender id and window id, S is the sender id and window id enable indication, occupying 2 bits. For example, 00 can mean that neither sender id nor window id is enabled, 01 that only window id is enabled, 10 that only sender id is enabled, and 11 that both sender id and window id are enabled. Optionally, other enable encodings can be defined; this is not limited here.

In this application, optionally, AN together with SPI forms the security parameter indication; AN occupies 2 bits, and the values 00/01/10/11 serve a lightweight update mechanism for the case where the SA key is updated while its other parameters stay unchanged: the key only needs to be indicated through AN, and the control plane does not need to create and tear down SAs, which reduces the control-plane load of the whole network.

(2) Sender id||window id.

In this application, sender id occupies 2 bytes and window id occupies 2 bytes. The sender id distinguishes the multiple sender ids belonging to one receiver, and the window id indicates a heterogeneous processor core id. If packets with the same 5-tuple are called one flow, the window id solves the problem of a single heterogeneous processor core having insufficient capacity for one high-bandwidth flow. Optionally, the ESP extension header can include sender id and/or window id, that is, the ESP extension header can include only sender id, only window id, or both sender id and window id; this is not limited here.

(3) Sequence Number.

In this application, Sequence Number identifies the transmission sequence number of the message and is used for the anti-replay function; it occupies 4 bytes or 8 bytes. Optionally, for encryption algorithms that need an IV for security, such as AES-GCM, the IV is derived from the combination sender id||window id||sequence number and is not carried in clear text in the message payload, which reduces the extra encapsulation overhead of the message.

(4) Timestamp.

In this application, Timestamp can be used for the loose anti-replay mode, i.e. timestamp-based anti-replay, and occupies 4 bytes. Optionally, the encoding can follow the IEEE 1588v2 format and support an anti-replay capability of up to 4 s. Timestamp requires NTP time synchronization between the sender and the receiver group; the controller can act as the NTP server, or one member of the sender and receiver groups can be selected as the NTP server for synchronization.

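The ESP extension header fields listed above, as an added Python example (my own code, not the application's): it encodes and parses the 12-byte layout SPI||S||AN, sender id||window id, 4-byte Sequence Number (the optional Timestamp is assumed absent), checks the S enable bits against the carried ids, derives the AES-GCM IV as sender id||window id||sequence number, and builds the {SPI||S||AN||sender id||window id} lookup key. The field widths and S encodings are the page's; the dataclass and function names are assumptions.

```python
import struct
from dataclasses import dataclass

# S field (2 bits) enable encodings from the description above
S_NONE, S_WINDOW_ONLY, S_SENDER_ONLY, S_BOTH = 0b00, 0b01, 0b10, 0b11
EXT_HEADER_LEN = 12  # SPI||S||AN (4) + sender id||window id (4) + 4-byte Sequence Number


@dataclass(frozen=True)
class EspExtHeader:
    spi: int        # 28-bit security parameter indicator
    s: int          # 2-bit sender id / window id enable indication
    an: int         # 2-bit key indicator for the lightweight rekey
    sender_id: int  # 16-bit, must be 0 when S does not enable it
    window_id: int  # 16-bit, must be 0 when S does not enable it
    seq: int        # 32-bit Sequence Number (4-byte variant)

    def sender_enabled(self) -> bool:
        return bool(self.s & 0b10)

    def window_enabled(self) -> bool:
        return bool(self.s & 0b01)


def _check_enables(h: EspExtHeader) -> None:
    """A receiver must not act on an id the sender did not flag as enabled in S."""
    if not h.sender_enabled() and h.sender_id:
        raise ValueError("sender id carried but not enabled in S")
    if not h.window_enabled() and h.window_id:
        raise ValueError("window id carried but not enabled in S")


def encode_ext_header(h: EspExtHeader) -> bytes:
    """Serialize to the 12-byte big-endian wire form."""
    if not (0 <= h.spi < (1 << 28) and 0 <= h.s < 4 and 0 <= h.an < 4):
        raise ValueError("SPI/S/AN out of range")
    if not (0 <= h.sender_id < (1 << 16) and 0 <= h.window_id < (1 << 16)):
        raise ValueError("sender id / window id out of range")
    _check_enables(h)
    first_word = (h.spi << 4) | (h.s << 2) | h.an
    return struct.pack("!IHHI", first_word, h.sender_id, h.window_id, h.seq)


def decode_ext_header(buf: bytes) -> EspExtHeader:
    """Parse the first 12 bytes of an ESP extension header; raise on malformed input."""
    if len(buf) < EXT_HEADER_LEN:
        raise ValueError("short ESP extension header")
    first_word, sender_id, window_id, seq = struct.unpack("!IHHI", buf[:EXT_HEADER_LEN])
    h = EspExtHeader(spi=first_word >> 4, s=(first_word >> 2) & 0b11, an=first_word & 0b11,
                     sender_id=sender_id, window_id=window_id, seq=seq)
    _check_enables(h)
    return h


def derive_iv(h: EspExtHeader) -> bytes:
    """sender id || window id || sequence number (8 bytes), not carried in the payload.
    Two sources sharing one SA get distinct IVs for the same sequence number because
    their sender ids differ; for AES-GCM in ESP a per-SA salt would complete the nonce."""
    return struct.pack("!HHI", h.sender_id, h.window_id, h.seq)


def state_space_key(h: EspExtHeader) -> tuple:
    """{SPI||S||AN||sender id||window id}: selects the per-source Sequence Number state space."""
    return (h.spi, h.s, h.an, h.sender_id, h.window_id)
```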
In this application, the relationship between the key, the network element and the core id during actual data encryption is shown in Table 2 below.

Scenario       Key          (mapping)   Network element   (mapping)   Multi-Core
P2P unicast    SPI||S||AN   <-1:1->     Sender id         <-1:N->     Window id
MP2P LAN       SPI||S||AN   <-1:N->     Sender id         <-1:N->     Window id

Table 2

Method 2: use a DOH header for encryption and integrity processing of the packet.

Figure 8 is another schematic diagram of a target message provided by this application.

Referring to Figure 8, Figure 8 shows the encapsulation format of an IPv6 packet encrypted with a DOH header, where the DOH header indicates the encryption and integrity functions. Optionally, the sender identifier and/or the thread identifier can be carried in an optional TLV of the DOH.

Figure 9 is a schematic diagram of a DOH header provided by this application.

Referring to Figure 9, Figure 9 shows a DOH encapsulation format carrying an encrypted ESP standard or extension header; the format of the ESP standard or extension header is similar to those shown in Figures 6 and 7 above and is not repeated here. In addition, the optional TLV in the DOH is defined with compatibility with existing network devices in mind. The DOH extension header can contain the following parameters:

(1) Option Type.

In this application, Option Type occupies 8 bits, of which the high two bits are 00'b, meaning that a device that does not recognize this Option Type must ignore this option TLV and continue processing the remaining content of the message.

(2) Option Data Len.

In this application, Option Data Len occupies 8 bits and gives the length of the option DATA part of this option TLV.

(3) Opt.DATA.

In this application, Opt.DATA can carry the ESP standard or extension header information. The format of the ESP standard or extension header is similar to those shown in Figures 6 and 7 above and is not repeated here.

In this application, step 103 mentioned in the method example corresponding to Figure 4 has multiple specific implementations, which are set out in the examples below.

For example, as shown in Figure 2, when PE1 (the network device) encrypts an IPv6 packet, PE1 receives the original IPv6 packet and determines from the traffic selector whether the original IPv6 packet needs to be encrypted. If encryption is not required, the packet is forwarded according to the normal forwarding flow. If encryption is required, the encryption encapsulation method is selected according to the SA negotiation information.

Encryption method 1: use an ESP header for encryption and integrity processing of the packet.

In this application, optionally, the network device can use an ESP header for encryption and integrity processing of the packet; the process is illustrated below.

Figure 10 is a flowchart of an encryption method provided by this application.

Referring to Figure 10, in this application PE1 (the network device) generates the ESP header information according to the ESP standard encapsulation format (Figure 6) or the ESP extended encapsulation format (Figure 7). PE1 inserts the generated ESP header into the original IPv6 packet according to the format shown in Figure 5. According to the 8-byte alignment requirement of the IPv6 packet payload part, it defines the padding and padding length of the encapsulating security payload trailer and records the Next Header of the original IPv6 extension header. It encrypts the original IPv6 packet or computes its integrity according to the encryption algorithm, KEY and encryption length specified by the SA. If the message requires integrity protection, the integrity value is computed and the Integrity Check Value (ICV) is appended to the end of the message. The Next Header value of the original IPv6 packet is changed to the ESP header type value. The IPv6 payload length field of the IPv6 standard header is recalculated and updated. The message is sent.

Encryption method 2: use a DOH header for encryption and integrity processing of the packet.

In this application, optionally, the network device can use a DOH header for encryption and integrity processing of the packet; the process is illustrated below.

Figure 11 is a flowchart of an encryption method provided by this application.

Referring to Figure 11, in this application the ESP header information is generated according to the ESP standard encapsulation format (Figure 6) or the ESP extended encapsulation format (Figure 7). The DOH message format is generated according to Figure 9 and inserted into the original IPv6 packet according to the format in Figure 8. According to the 8-byte alignment requirement of the IPv6 packet payload part, the padding and padding length of the encapsulating security payload trailer are defined and the Next Header of the original IPv6 extension header is recorded. The original IPv6 packet is encrypted or its integrity computed according to the encryption algorithm, KEY and encryption length specified by the SA. If the message requires integrity protection, the integrity value is computed and the ICV is appended to the end of the message. The DOH next header value is changed to No next header (59). The IPv6 payload length field of the IPv6 standard header is recalculated and updated. The message is sent.

In this application, step 105 mentioned in the method example corresponding to Figure 4 has multiple specific implementations, which are set out in the examples below.

For example, as shown in Figure 2, when PE3 (the network device) decrypts a target message, it receives the target message and determines the ESP header boundary from the type value of the ESP header, Next Header=50/144. If this matches, the target message is decrypted by decryption method 1. If not, it proceeds to the next step: opt.Type in the DOH is parsed to determine whether Type equals the DOH optional encryption type value. If so, the target message is decrypted by decryption method 2. If not, the message is forwarded according to the normal forwarding flow. The two decryption methods are described in detail below.

Decryption method 1: decrypt the target message through the ESP header.

Figure 12 is a flowchart of a decryption method provided by this application.

Referring to Figure 12, in this application the relevant information is parsed according to the ESP standard encapsulation format (Figure 6) or the ESP extended encapsulation format (Figure 7). Anti-replay processing is performed using sender id||window id||sequence Number. The integrity of the message is computed using the KEY and the corresponding algorithm. The ICV attached to the message is compared with the computed integrity value; if they differ, the message is discarded. The message is decrypted using the KEY and the corresponding algorithm. According to the SA attributes, if the message carries the timestamp-based loose anti-replay capability, the Timestamp in the message payload and the local time are used for the replay decision. The relevant Next Header value of the original IPv6 packet is changed to the Next Header in the encapsulating security payload trailer. The ICV trailer, the encapsulating security payload trailer, the ESP header and the anti-replay Timestamp information are stripped from the message. The IPv6 payload length field of the IPv6 standard header is recalculated and updated. The decrypted message is sent.

Figure 13 is a flowchart of another decryption method provided by this application.

Referring to Figure 13, in this application the IPv6 packet is decrypted through the DOH optional extension header. The relevant information is parsed according to the ESP standard encapsulation format (Figure 6) or the ESP extended encapsulation format (Figure 7). Anti-replay processing is performed using sender id||window id||sequence Number. The integrity of the message is computed using the KEY and the corresponding algorithm. According to the SA attributes, if the message carries the timestamp-based loose anti-replay capability, the Timestamp in the message payload and the local time are used for the replay decision. The ICV attached to the message is compared with the computed integrity value; if they differ, the message is discarded. The message is decrypted using the KEY and the corresponding algorithm. The ICV trailer, the encapsulating security payload trailer, the ESP header and the anti-replay Timestamp information are stripped from the message. Whether the number of DOH option TLVs is 0 is determined; if it is 0, the DOH needs to be stripped. The Next Header of the corresponding extension header is set to the Next Header in the encapsulating security payload trailer. The IPv6 payload length field of the IPv6 standard header is recalculated and updated. The decrypted message is sent.

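The encapsulation and decapsulation flows above share one framing, shown here as an added Python example (not the application's code): the ESP header is inserted after the IPv6 fixed header, an 8-byte-aligned trailer carries Pad Length and the original Next Header, the ICV is appended on the way out and verified before anything else is touched on the way in, and Next Header and Payload Length are rewritten. The SA's cipher step is left out, HMAC-SHA256 stands in for the SA's integrity algorithm, and the sample packet, key and function names are constructed assumptions.

```python
import hashlib
import hmac
import struct

IPV6_HDR_LEN = 40
ESP_NEXT_HEADER = 50   # IPv6 Next Header value for a standard ESP header
ICV_LEN = 16           # truncated ICV appended to the message


def esp_trailer(payload_len: int, orig_next_header: int) -> bytes:
    """Padding, Pad Length and Next Header so the ESP payload part is 8-byte aligned."""
    pad_len = (-(payload_len + 2)) % 8
    padding = bytes(range(1, pad_len + 1))  # 1, 2, 3, ... as in ESP's default padding
    return padding + bytes([pad_len, orig_next_header])


def _icv(key: bytes, data: bytes) -> bytes:
    # Stand-in for the SA's integrity algorithm (constructed: HMAC-SHA256, truncated)
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def _rewrite_ipv6(hdr: bytes, payload_len: int, next_header: int) -> bytes:
    # IPv6 fixed header: bytes 4-5 are Payload Length, byte 6 is Next Header
    return hdr[:4] + struct.pack("!H", payload_len) + bytes([next_header]) + hdr[7:]


def sample_ipv6_packet(payload: bytes, next_header: int = 17) -> bytes:
    """Constructed IPv6 packet: version 6, given Next Header, hop limit 64, dummy ::1 -> ::2."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    hdr += bytes(15) + b"\x01" + bytes(15) + b"\x02"
    return hdr + payload


def encapsulate(ipv6_packet: bytes, esp_header: bytes, key: bytes) -> bytes:
    """Steps of Figure 10: insert ESP header, add trailer, append ICV, fix Next Header and length."""
    hdr, payload = ipv6_packet[:IPV6_HDR_LEN], ipv6_packet[IPV6_HDR_LEN:]
    orig_next = hdr[6]                     # recorded so the receiver can restore it
    body = payload + esp_trailer(len(payload), orig_next)
    # The SA's cipher would transform `body` here; confidentiality is outside this framing example.
    protected = esp_header + body          # ICV covers ESP header, payload and trailer
    new_payload = protected + _icv(key, protected)
    return _rewrite_ipv6(hdr, len(new_payload), ESP_NEXT_HEADER) + new_payload


def decapsulate(packet: bytes, esp_header_len: int, key: bytes):
    """Steps of Figure 12 minus anti-replay: return the original packet, or None to discard."""
    if len(packet) < IPV6_HDR_LEN:
        return None
    hdr, payload = packet[:IPV6_HDR_LEN], packet[IPV6_HDR_LEN:]
    if hdr[6] != ESP_NEXT_HEADER or len(payload) < esp_header_len + 2 + ICV_LEN:
        return None                        # not an ESP message or too short to be valid
    protected, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, protected)):
        return None                        # ICV mismatch: discard before using the payload
    body = protected[esp_header_len:]      # decryption of `body` would happen here
    pad_len, orig_next = body[-2], body[-1]
    if pad_len + 2 > len(body):
        return None                        # trailer claims more padding than exists
    inner = body[:len(body) - pad_len - 2]
    # strip ESP header, trailer and ICV; restore Next Header; recompute Payload Length
    return _rewrite_ipv6(hdr, len(inner), orig_next) + inner
```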
In this application, optionally, the target message may include a sequence number (sequence Number); the sequence number, the sender identifier and/or the thread identifier together can form an IV value, which can be used to encrypt the packet.

In this application, assume that the target message includes a sequence number, a sender identifier and a thread identifier. For encryption algorithms that need an IV for security, such as AES-GCM, the IV can be derived from the combination sender id||window id||sequence number and is not carried in clear text in the message payload, which reduces the overhead needed for message encapsulation. It is understood that other encryption algorithms can also be used to encrypt the packet; this is not limited here. The process is described below with an example.

Figure 14 is a schematic diagram of another anti-replay principle provided by this application.

Referring to Figure 14, in this application multiple sequence Number state spaces are established for the same SA based on {SPI||S||AN||sender id||window id}. For a received encrypted message, the {SPI||S||AN||sender id||window id} carried in the message is used to look up the corresponding sequence Number state space, and the anti-replay check is performed according to the configured anti-replay window size window_anti_replay. If the check passes, the message proceeds to the next processing step; if the check fails, the message is discarded directly.

The anti-replay check works as follows:

packet_Sequence_Number <= Current_Sequence_Number: the check fails;

packet_Sequence_Number > Current_Sequence_Number && packet_Sequence_Number <= Current_Sequence_Number + window_anti_replay: the check passes;

packet_Sequence_Number > Current_Sequence_Number && packet_Sequence_Number > Current_Sequence_Number + window_anti_replay: the check fails.

The counter of the corresponding sequence Number state space is updated.

The Sequence Number space is updated or deleted as the SA negotiation state changes.

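The three rules above, as an added worked example rather than code from the application: one Current_Sequence_Number counter per {SPI||S||AN||sender id||window id} state space, created when the SA is negotiated and removed when it is deleted, so that two senders on the same SA (PE1 and PE2 toward PE3) never replay-drop each other's messages. The SpaceKey and AntiReplay names are assumptions; the check is the page's strict rule, so a message arriving behind the counter is dropped even inside the window.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SpaceKey:
    """{SPI||S||AN||sender id||window id}: selects one Sequence Number state space of an SA."""
    spi: int
    s: int
    an: int
    sender_id: int
    window_id: int


class AntiReplay:
    """Per-state-space Current_Sequence_Number counters checked with the page's three rules."""

    def __init__(self, window_anti_replay: int):
        if window_anti_replay <= 0:
            raise ValueError("window_anti_replay must be positive")
        self.window = window_anti_replay
        self.current: Dict[SpaceKey, int] = {}

    def sa_negotiated(self, key: SpaceKey) -> None:
        """Create (or reset) the state space when the SA is negotiated; counter starts at 0."""
        self.current[key] = 0

    def sa_deleted(self, key: SpaceKey) -> None:
        """Delete the state space together with the SA."""
        self.current.pop(key, None)

    def current_sequence(self, key: SpaceKey) -> Optional[int]:
        return self.current.get(key)

    def check(self, key: SpaceKey, packet_seq: int) -> bool:
        """True if the message may be processed further, False if it must be discarded."""
        current = self.current.get(key)
        if current is None:
            return False   # no state space: unknown SPI/S/AN/sender id/window id
        if packet_seq <= current:
            return False   # rule 1: replayed or stale
        if packet_seq > current + self.window:
            return False   # rule 3: beyond the anti-replay window
        self.current[key] = packet_seq   # rule 2 passed: update the counter
        return True


def accept_count(checker: AntiReplay, arrivals) -> int:
    """Run a sequence of (SpaceKey, sequence number) arrivals; return how many pass."""
    return sum(1 for key, seq in arrivals if checker.check(key, seq))
```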

上述示例提供了一种报文传输方法的不同的实施方式,下面提供了一种失网络设备20,如图15所示,该网络设备20用于执行上述示例中涉及的报文传输方法,该执行步骤以及相应的有益效果具体请参照上述相应的示例进行理解,此处不再赘述,包括:The above examples provide different implementations of a message transmission method. The following provides a network device 20, as shown in Figure 15. The network device 20 is used to perform the message transmission method involved in the above examples. Please refer to the corresponding examples above to understand the execution steps and corresponding beneficial effects, which will not be repeated here, including:

接收单元201,用于接收分组报文;The receiving unit 201 is used to receive packet messages;

处理单元202用于:The processing unit 202 is used for:

确认所述分组报文需要加密;Confirm that the packet message needs to be encrypted;

对所述分组报文加密生成目标报文,所述目标报文中包括发送者标识,所述发送者标识用于指示所述网络设备的身份信息。The packet message is encrypted to generate a target message, where the target message includes a sender identification, and the sender identification is used to indicate the identity information of the network device.

一种可能的实现方式中,所述目标报文中还包括线程标识,所述线程标识用于指示接收所述目标报文的设备中处理所述目标报文的线程的标识。In a possible implementation manner, the target message further includes a thread identifier, and the thread identifier is used to indicate the identifier of a thread that processes the target message in the device that receives the target message.

一种可能的实现方式中,所述目标报文中包括安全负载封装头ESP,所述ESP中包括所述发送者标识和/或所述线程标识。In a possible implementation manner, the target message includes a security payload encapsulation header ESP, and the ESP includes the sender identification and/or the thread identification.

一种可能的实现方式中,所述目标报文中包括目的可选扩展头DOH,所述DOH中包括所述发送者标识和/或所述线程标识。In a possible implementation manner, the target message includes a destination optional extension header DOH, and the DOH includes the sender identification and/or the thread identification.

一种可能的实现方式中,所述DOH中包括所述发送者标识和/或所述线程标识,包括:In a possible implementation, the DOH includes the sender identification and/or the thread identification, including:

所述DOH的可选类型长度值TLV中包括所述发送者标识和/或所述线程标识。The optional type length value TLV of the DOH includes the sender identification and/or the thread identification.

一种可能的实现方式中,所述目标报文中包括序列号,所述序列号、所述发送者标识和/或所述线程标识共同用于构成IV值,所述IV值用于对所述分组报文加密。In a possible implementation, the target message includes a sequence number, the sequence number, the sender identification and/or the thread identification are jointly used to form an IV value, and the IV value is used to The packet message is encrypted.

一种可能的实现方式中,所述目标报文中包括SPI和AN,所述SPI和AN共同用于指示安全参数。In a possible implementation manner, the target message includes SPI and AN, and the SPI and AN are jointly used to indicate security parameters.

It should be noted that, because the information exchange and execution process between the modules of the network device 20 are based on the same concept as the method examples of this application, the execution steps are the same as the detailed steps of the method above; refer to the description in the method examples above.

The above examples provide different implementations of a network device 20. A network device 30 is provided below, as shown in Figure 16. The network device 30 is configured to perform the message transmission method involved in the above examples; for the execution steps and the corresponding beneficial effects, refer to the corresponding examples above, which are not repeated here. The network device 30 includes:

a receiving unit 301, configured to receive a target message, where the target message includes a sender identifier, and the sender identifier indicates the identity information of the device that sends the target message; and

a processing unit 302, configured to decrypt the target message.

In a possible implementation, the target message further includes a thread identifier, and the thread identifier indicates the identifier of the thread that processes the target message in the device that receives the target message.

In a possible implementation, the target message includes an encapsulating security payload (ESP) header, and the ESP includes the sender identifier and/or the thread identifier.

In a possible implementation, the target message includes a destination options extension header (DOH), and the DOH includes the sender identifier and/or the thread identifier.

In a possible implementation, that the DOH includes the sender identifier and/or the thread identifier includes:

the option TLV of the DOH includes the sender identifier and/or the thread identifier.

In a possible implementation, the target message includes a sequence number; the sequence number, the sender identifier and/or the thread identifier are used together to form an IV value, and the IV value is used to encrypt the packet message.

In a possible implementation, the target message includes an SPI and an AN, and the SPI and the AN are used together to indicate security parameters.
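The sender-side and receiver-side behaviour described above (an IV formed from the sequence number, sender identifier and thread identifier; SPI and AN selecting the security parameters; the receiver decrypting and handing the payload to the thread named in the message) as an added, self-contained example that is not code from the patent. The wire layout, field sizes and the HMAC-based counter-mode cipher used as a stand-in for ESP's AEAD cipher (such as AES-GCM) are all assumptions made for illustration.

```python
import hmac
import hashlib
import struct

# Constructed wire layout (an assumption; the patent fixes no field sizes):
#   SPI(4) | AN(1) | seq(4) | sender_id(4) | thread_id(4) | ciphertext | tag(16)
HEADER = struct.Struct("!IBIII")
TAG_LEN = 16


def build_iv(sender_id: int, thread_id: int, seq: int) -> bytes:
    """96-bit IV = sender_id || thread_id || seq.

    Because the sender identifier is part of the IV, two senders sharing one
    SA key never produce the same IV even when their sequence counters coincide.
    """
    return struct.pack("!III", sender_id, thread_id, seq)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the AEAD cipher: HMAC-SHA256 driven in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_packet(sa: dict, sender_id: int, thread_id: int, seq: int, plaintext: bytes) -> bytes:
    """Build the target message: header carrying the IDs, then ciphertext and tag."""
    header = HEADER.pack(sa["spi"], sa["an"], seq, sender_id, thread_id)
    iv = build_iv(sender_id, thread_id, seq)
    ks = _keystream(sa["enc_key"], iv, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(sa["mac_key"], header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


def decrypt_packet(sa: dict, packet: bytes):
    """Verify and decrypt; returns (sender_id, thread_id, seq, plaintext) or raises ValueError."""
    if len(packet) < HEADER.size + TAG_LEN:
        raise ValueError("truncated packet")
    header, body, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
    spi, an, seq, sender_id, thread_id = HEADER.unpack(header)
    if spi != sa["spi"] or an != sa["an"]:
        raise ValueError("SPI/AN do not match the security association")
    expected = hmac.new(sa["mac_key"], header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # authenticate before decrypting
        raise ValueError("authentication tag mismatch")
    iv = build_iv(sender_id, thread_id, seq)
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(sa["enc_key"], iv, len(body))))
    return sender_id, thread_id, seq, plaintext


class Receiver:
    """Receiving device: per-sender replay check, then dispatch by thread identifier."""

    def __init__(self, sa: dict):
        self.sa = sa
        self.last_seq = {}    # sender_id -> highest sequence number accepted so far
        self.delivered = {}   # thread_id -> payloads handed to that processing thread

    def receive(self, packet: bytes) -> bool:
        sender_id, thread_id, seq, plaintext = decrypt_packet(self.sa, packet)
        # Sequence numbers are tracked per sender; the sender identifier in the
        # message is what makes that possible when several senders share the SA.
        if seq <= self.last_seq.get(sender_id, 0):
            return False  # replayed or stale: drop
        self.last_seq[sender_id] = seq
        self.delivered.setdefault(thread_id, []).append(plaintext)
        return True


# Constructed sample security association shared by two senders (not real keys).
SA = {"spi": 0x1001, "an": 1, "enc_key": b"k" * 32, "mac_key": b"m" * 32}

if __name__ == "__main__":
    rx = Receiver(SA)
    pkt = encrypt_packet(SA, sender_id=10, thread_id=3, seq=1, plaintext=b"hello")
    print(rx.receive(pkt), rx.delivered)
```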

It should be noted that, because the information exchange and execution process between the modules of the network device 30 are based on the same concept as the method examples of this application, the execution steps are the same as the detailed steps of the method above; refer to the description in the method examples above.

It should also be noted that, because the information exchange and execution process between the modules of the device 30 provided in the above embodiments are based on the same concept as the method embodiments of this application, the technical effects they bring are the same as those of the method embodiments; for details, refer to the descriptions in the method embodiments shown above, which are not repeated here.

Referring to Figure 17, a schematic structural diagram of a network device provided by this application is shown. The network device 40 includes a processor 402, a communication interface 403 and a memory 401. Optionally, a bus 404 may be included. The communication interface 403, the processor 402 and the memory 401 may be connected to each other through the bus 404; the bus 404 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in Figure 17, but this does not mean that there is only one bus or only one type of bus. The network device 40 can implement the functions of any one of the network devices in the examples shown in Figure 15 or Figure 16. The processor 402 and the communication interface 403 can perform the corresponding operations of the network device in the method examples above.

Each component of the network device is described in detail below with reference to Figure 17:

The memory 401 may be a volatile memory, such as a random-access memory (RAM); or a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or a combination of the above types of memory. It is used to store program code, configuration files or other content that implements the method of this application.

The processor 402 is the control centre of the controller. It may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the examples provided in this application, for example one or more digital signal processors (DSP) or one or more field-programmable gate arrays (FPGA).

The communication interface 403 is used to communicate with other network devices.

The processor 402 can perform the operations performed by any one of the network devices in the examples shown in Figure 15 or Figure 16, which are not described again here.

It should be noted that, because the information exchange and execution process between the modules of the network device 40 are based on the same concept as the method examples of this application, the execution steps are the same as the detailed steps of the method above; refer to the description in the method examples above.

This application provides a chip. The chip includes a processor and a communication interface, the processor is coupled to the communication interface, and the processor is configured to read instructions and perform the operations performed by the network device in the embodiments described in Figures 15 to 17.

This application provides a network system. The system includes the network device described in the embodiments of Figures 15 to 17.

Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes in the foregoing examples and are not repeated here.

In the several examples provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device examples described above are only illustrative. The division into units is only a division by logical function, and there may be other ways of dividing them in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of this example.

In addition, the functional units in the examples of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the examples of this application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.

The specific implementations described above further explain the purpose, technical solutions and beneficial effects of the present invention in detail. It should be understood that different examples can be combined; the above are only specific implementations of the present invention and are not intended to limit its scope of protection. Any combination, modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within its scope of protection. The above examples are used only to illustrate the technical solution of this application, not to limit it. Although this application has been described in detail with reference to the foregoing examples, those of ordinary skill in the art should understand that they may still modify the technical solutions recorded in the foregoing examples or substitute equivalents for some of the technical features, and such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the examples of this application.

Claims (31)

1. A method for transmitting a message, comprising:
the network equipment receives the packet message;
the network equipment confirms that the packet message needs to be encrypted;
the network equipment encrypts the packet message to generate a target message, wherein the target message comprises a sender identifier, and the sender identifier is used for indicating the identity information of the network equipment.
2. The method according to claim 1, wherein the target message further includes a thread identifier, and the thread identifier is used to indicate an identifier of a thread that processes the target message in a device that receives the target message.
3. The message transmission method according to claim 2, wherein the target message includes an encapsulating security payload header ESP, and the ESP includes the sender identifier and/or the thread identifier.
4. The message transmission method according to claim 2, wherein the target message includes a destination options extension header DOH, and the DOH includes the sender identifier and/or the thread identifier.
5. The method according to claim 4, wherein the DOH includes the sender identifier and/or the thread identifier, and the method includes:
the optional type length value TLV of the DOH includes the sender identification and/or the thread identification.
6. The method according to any one of claims 1 to 5, wherein the target message includes a sequence number, and wherein the sequence number, the sender identifier and/or the thread identifier are used together to form an IV value, and wherein the IV value is used to encrypt the packet message.
7. The method according to any one of claims 1 to 6, wherein the target message includes an SPI and an AN, and the SPI and the AN are used together to indicate a security parameter.
8. A method for transmitting a message, comprising:
the network equipment receives a target message, wherein the target message comprises a sender identifier, and the sender identifier is used for indicating the identity information of equipment for sending the target message;
the network device decrypts the target message.
9. The method according to claim 8, wherein the target message further includes a thread identifier, and the thread identifier is used to indicate an identifier of a thread that processes the target message in a device that receives the target message.
10. The message transmission method according to claim 9, wherein the target message includes an encapsulating security payload header ESP, and the ESP includes the sender identifier and/or the thread identifier.
11. The method according to claim 9, wherein the target message includes a destination options extension header DOH, and the DOH includes the sender identifier and/or the thread identifier.
12. The method for transmitting a message according to claim 11, wherein the DOH includes the sender identifier and/or the thread identifier, including:
the optional TLV of the DOH includes the sender identification and/or the thread identification.
13. The method according to any of claims 8 to 12, wherein the target message comprises a sequence number, and wherein the sequence number, the sender identification and/or the thread identification are used together to form an IV value, and wherein the IV value is used to encrypt the packet message.
14. The method according to any one of claims 8 to 13, wherein the target message includes an SPI and an AN, and the SPI and the AN are used together to indicate security parameters.
15. A network device, comprising:
a receiving unit, configured to receive a packet;
the processing unit is used for:
confirming that the packet message needs to be encrypted;
and encrypting the packet message to generate a target message, wherein the target message comprises a sender identifier, and the sender identifier is used for indicating the identity information of the network equipment.
16. The network device of claim 15, wherein the target message further comprises a thread identification, the thread identification indicating an identification of a thread processing the target message in the device receiving the target message.
17. The network device according to claim 16, wherein the target message includes an encapsulating security payload header ESP, and the ESP includes the sender identification and/or the thread identification.
18. The network device according to claim 16, wherein the target message includes a destination options extension header DOH, and the DOH includes the sender identification and/or the thread identification.
19. The network device according to claim 18, wherein the DOH including the sender identification and/or the thread identification comprises:
the optional type length value TLV of the DOH includes the sender identification and/or the thread identification.
20. The network device according to any one of claims 15 to 19, wherein the target message comprises a sequence number, the sequence number, the sender identification and/or the thread identification being used together to form an IV value, the IV value being used to encrypt the packet message.
21. The network device according to any one of claims 15 to 20, wherein the target message includes an SPI and an AN, which are used together to indicate security parameters.
22. A network device, comprising:
the receiving unit is used for receiving a target message, wherein the target message comprises a sender identifier, and the sender identifier is used for indicating the identity information of equipment for sending the target message;
and the processing unit is used for decrypting the target message.
23. The network device of claim 22, wherein the target message further comprises a thread identification, the thread identification indicating an identification of a thread processing the target message in the device receiving the target message.
24. The network device according to claim 23, wherein the target message includes an encapsulating security payload header ESP, and the ESP includes the sender identification and/or the thread identification.
25. The network device according to claim 23, wherein the target message includes a destination options extension header DOH, and the DOH includes the sender identifier and/or the thread identifier.
26. The network device according to claim 25, wherein the DOH including the sender identification and/or the thread identification comprises:
the optional TLV of the DOH includes the sender identification and/or the thread identification.
27. The network device according to any one of claims 22 to 26, wherein the target message comprises a sequence number, the sequence number, the sender identification and/or the thread identification being used together to form an IV value, the IV value being used to encrypt the packet message.
28. The network device according to any one of claims 22 to 27, wherein the target message includes an SPI and an AN, which are used together to indicate security parameters.
29. A network device, comprising:
a processor and a memory;
the processor is configured to execute instructions stored in the memory such that the method of any one of claims 1 to 7 is performed or such that the method of any one of claims 8 to 14 is performed.
30. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed on a computer or processor, causes the method of any one of claims 1 to 7 to be performed or causes the method of any one of claims 8 to 14 to be performed.
31. A computer program product, characterized in that it when run on a computer or processor causes the method of any one of claims 1 to 7 to be performed or causes the method of any one of claims 8 to 14 to be performed.
CN202210434246.4A 2022-04-24 2022-04-24 Message transmission method and related equipment Pending CN116980150A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210434246.4A CN116980150A (en) 2022-04-24 2022-04-24 Message transmission method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210434246.4A CN116980150A (en) 2022-04-24 2022-04-24 Message transmission method and related equipment

Publications (1)

Publication Number Publication Date
CN116980150A true CN116980150A (en) 2023-10-31

Family

ID=88480201

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210434246.4A Pending CN116980150A (en) 2022-04-24 2022-04-24 Message transmission method and related equipment

Country Status (1)

Country Link
CN (1) CN116980150A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119652795A (en) * 2025-02-11 2025-03-18 辽宁交投艾特斯技术股份有限公司 Network performance testing method, device, electronic device and medium based on VPP
CN119652795B (en) * 2025-02-11 2025-04-18 辽宁交投艾特斯技术股份有限公司 Network performance testing method, device, electronic device and medium based on VPP

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination