
WO2020134711A1 - Apparatus and method for message forwarding - Google Patents

Apparatus and method for message forwarding

Info

Publication number
WO2020134711A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
message
value
forwarding
parameters
Legal status
Ceased (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number
PCT/CN2019/119295
Other languages
English (en)
Chinese (zh)
Inventor
杨庆昌
余庆华
Current Assignee
Huawei Technologies Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/40: Network security protocols

Definitions

  • This application relates to the field of communications, and in particular to a message forwarding method and apparatus.
  • Information transfer in a data network depends on forwarding: a message travels from its source through one or more forwarding devices to its destination, which is how both communication networks and computer networks move information.
  • Mainstream forwarding devices, whether routers, switches or software forwarders, separate the control plane from the forwarding plane: the control plane generates and delivers forwarding entries, and the forwarding plane sends packets hop by hop according to those entries.
  • The security of message transmission affects the performance of the whole network, so an authentication step during forwarding is essential. The control plane of a forwarding device already has mature authentication methods, and the forwarding plane has end-to-end encryption and authentication methods, for example Internet Protocol Security (IPsec).
  • During forwarding, an illegal node may disguise itself as a legitimate forwarding device: it learns the addresses and message format used between legitimate nodes by packet capture or similar means, then sends messages of the same format (illegal messages) to the legitimate nodes and other forwarding devices in order to attack the data network.
  • With end-to-end authentication, a legitimate forwarding node cannot recognize such illegal packets; only the final service node can, by way of the service itself.
  • When the attack traffic is large, it consumes a great deal of bandwidth and raises the load on the service node. Segment-by-segment (hop-by-hop) path authentication is therefore urgently needed in data networks to improve their security.
  • Embodiments of this application provide a message forwarding method, apparatus and system that implement high-security, segment-by-segment path authentication while messages are forwarded through a data network.
  • A first aspect of this application provides a message forwarding method applied to a forwarding device.
  • The method may include: receiving a first authentication parameter and an authentication algorithm through a secure channel; receiving a first message that carries a first authentication value for each of one or more authentication positions; applying the authentication algorithm to the first authentication parameter and the authentication reference information of each authentication position to obtain a second authentication value for that position; and, if the second authentication value at every authentication position is the same as the respective first authentication value, forwarding the first message.
  • The authentication parameters and authentication algorithm are configured centrally through the secure channel.
  • Each forwarding device authenticates packets with the parameters and algorithm it received, so path authentication takes place segment by segment as packets are forwarded. Because the parameters and algorithm are delivered over a secure channel, an illegal device cannot obtain them by capturing packets, which improves the security of the authentication.
  • Centralized configuration also allows the authentication parameters to be updated continually, which further improves security, and the update process is simple. Even when routing nodes are added or changed, the centralized control architecture can be reconfigured quickly.
  • An authentication position denotes one of the authentications carried out in the message authentication process, not a particular position within the message.
  • Every authentication position is known to all nodes and has its own authentication reference information; the reference information of different positions differs in content. One or more authentication positions can be configured as needed: configuring more positions makes the authentication stronger but the implementation more complex.
  • "The second authentication value of each authentication position is the same as the respective first authentication value" means that, for each authentication position, the second value computed for that position equals the first value carried for that position.
  • Wherever values are compared below, the comparison is between the second and first authentication values of the same authentication position; this is not restated each time.
  • Authentication parameters that satisfy a preset condition may be saved as an authentication parameter set used for authentication.
  • The message forwarding method may then further include: if the second authentication value at one or more authentication positions differs from the respective first authentication value, determining whether a second authentication parameter exists in the authentication parameter set. The set contains one or more authentication parameters that satisfy the preset condition and were received before the first authentication parameter; the second authentication parameter is one for which applying the authentication algorithm to it and the authentication reference information of each position yields a third authentication value equal to the respective first authentication value.
  • If such a second authentication parameter exists, the first authentication value of each authentication position in the first packet is replaced with the value computed under the current (first) authentication parameter, and the packet is forwarded; if no such parameter exists, the first packet is discarded.
  • The authentication parameter set thus holds one or more centrally configured parameters, so that when the parameters are updated while packets are in transit, both the old and the new parameter can still authenticate successfully.
  • If the second authentication parameter is in the set, the first packet was authenticated with an old parameter; the packet passes, and its authentication values are updated so that subsequent nodes authenticate it with the current parameter.
  • If the second authentication parameter is not in the set, the authentication of the first packet has definitively failed; it is treated as an illegal packet and discarded.
  • The preset condition may be: the parameter is one of the N authentication parameters received before the first authentication parameter, with N greater than or equal to 1. These are the N parameters counted backwards, in order of receipt, starting from the parameter received immediately before the first authentication parameter.
  • Alternatively, the preset condition may be: the parameter was received within a preset duration before the first authentication parameter was received. Either condition retains one or more old authentication parameters, so packets sent across the change from old to new parameters are still authenticated correctly.
  • A special scenario is one in which the authentication parameter was issued after a fault: the forwarding device requested it after recovering from a fault, or the security control device issued it on its own initiative after recovering from a fault.
  • When the second authentication value at one or more positions differs from the respective first value, the device may first determine whether it is in this special scenario. If so, the authentication failure is final and the first packet is discarded as illegal. If not, it checks whether a second authentication parameter exists in the authentication parameter set. This speeds the takeover of the new authentication parameter, makes it harder for an illegal device to obtain a valid authentication value by collision, and further improves the security of the authentication.
  • The packet forwarding method may further include: when the forwarding device recovers from a fault, it requests the latest authentication parameters so that it can authenticate correctly; the request is made by sending a request message.
  • If the control plane and the forwarding plane of the forwarding device are separated:
  • when the control plane recovers from a fault, it requests the current latest authentication parameters from the security control device;
  • when the forwarding plane recovers from a fault, it requests the current latest authentication parameters from the control plane.
  • If the control plane and the forwarding plane are not separated:
  • a logic module inside the forwarding device communicates with the security control device;
  • when the forwarding device recovers from a fault, it obtains the current latest authentication parameters from the security control device through that logic module.
  • If a new authentication parameter is to take effect as soon as it is issued, with no transition period between old and new parameters, the message forwarding method may instead include: if the second authentication value at one or more authentication positions differs from the respective first authentication value, discard the first message.
  • The authentication parameter may be a key, a random number or a salt value.
  • It is a reference value used for authentication; its actual content is not limited by the embodiments of this application.
  • The authentication parameters may be generated by the security control device or entered into the security control device by an administrator.
  • The authentication algorithm may be a cryptographic hash algorithm or a non-cryptographic hash algorithm.
  • The authentication algorithm may likewise be generated by the security control device or entered into it by an administrator.
  • During forwarding, the authentication algorithm may be kept unchanged while the authentication parameter is updated continually, or both may be updated continually; this application does not limit the choice.
  • The authentication reference information may include one or more of the following: the source address of the first packet, its destination address, an incrementing sequence number, part or all of the data in the first packet, and the second authentication value of one or more other authentication positions.
  • The reference information of different authentication positions may cover different parts of the data in the first message.
  • Alternatively, the reference information of different positions may cover the same part of the data in the first packet together with the second authentication value of one or more other authentication positions.
  • The incrementing sequence number is simply an increasing field carried in the message; its content is not limited by this application.
  • The forwarding device that executes the packet forwarding method may be the first forwarding device on the packet's forwarding path.
  • In that case the method may further include: receiving a second message from the source device; for each authentication position, applying the authentication algorithm to the first authentication parameter and that position's authentication reference information and filling the resulting authentication value into the second message; and forwarding the second message with the authentication values filled in.
  • Subsequent forwarding nodes can then perform segment-by-segment path authentication on the second message according to the method described above.
  • Forwarding the first packet may include stripping the authentication header from the first packet and passing it to the service module for data processing.
  • The secure channel may be an IPsec channel, a Transport Layer Security (TLS) channel, or another secure channel; this application does not limit the choice.
  • Forwarding a message, as used in this application, means looking up the next hop according to the routing table entry.
  • The content of the routing table entry, how it is obtained, and the lookup-and-forward process are not repeated here.
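The following added example (not code from the patent) makes the data-plane steps of the first aspect concrete: the first hop stamps the authentication values, an intermediate hop recomputes and compares them, falls back to the authentication parameter set on a mismatch unless it is in the post-fault special scenario, rewrites the values under the current parameter when an old one matched, and the hop that delivers to the service module strips the header. The header layout, the two authentication positions and their reference information, the 16-byte truncation, and the choice of HMAC-SHA256 and CRC-32 as the cryptographic and non-cryptographic hash are assumptions, since the page does not reproduce FIG. 5 or name specific algorithms.

```python
"""Data-plane side of segment-by-segment path authentication (added illustration).

Assumptions not on the page: header layout, two authentication positions, 16-byte
truncated values, HMAC-SHA256 as the cryptographic hash, CRC-32 as the
non-cryptographic one.
"""
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass

TAG_LEN = 16  # length of each authentication value carried in the header (assumption)


@dataclass(frozen=True)
class Packet:
    src: bytes           # 4-byte IPv4 source address
    dst: bytes           # 4-byte IPv4 destination address
    seq: int             # incrementing sequence number carried in the message
    payload: bytes
    tags: tuple = ()     # first authentication values, one per authentication position


def digest(algorithm: str, param: bytes, ref: bytes) -> bytes:
    """Apply the configured authentication algorithm to (parameter, reference info)."""
    if algorithm == "hmac-sha256":       # cryptographic hash keyed with the parameter
        return hmac.new(param, ref, hashlib.sha256).digest()[:TAG_LEN]
    if algorithm == "crc32":             # non-cryptographic hash: cheaper, but colliding
        return struct.pack("!I", zlib.crc32(param + ref))  # values are easy to find
    raise ValueError(f"unknown authentication algorithm {algorithm!r}")


def auth_values(pkt: Packet, param: bytes, algorithm: str) -> tuple:
    """Authentication value of each position. Position 1 covers src, dst and the
    sequence number; position 2 covers the payload chained with the value of
    position 1, so the two positions have different reference information."""
    v1 = digest(algorithm, param, pkt.src + pkt.dst + struct.pack("!Q", pkt.seq))
    v2 = digest(algorithm, param, pkt.payload + v1)
    return (v1, v2)


def stamp(pkt: Packet, param: bytes, algorithm: str) -> Packet:
    """First forwarding device on the path: fill the authentication values in."""
    return Packet(pkt.src, pkt.dst, pkt.seq, pkt.payload, auth_values(pkt, param, algorithm))


def matches(pkt: Packet, param: bytes, algorithm: str) -> bool:
    """True if every carried (first) value equals the recomputed (second) value."""
    expected = auth_values(pkt, param, algorithm)
    return len(pkt.tags) == len(expected) and all(
        hmac.compare_digest(got, want) for got, want in zip(pkt.tags, expected))


def verify_and_forward(pkt: Packet, current: bytes, algorithm: str,
                       param_set: tuple = (), after_fault: bool = False):
    """Intermediate forwarding device. Returns the packet to forward, or None to discard.

    param_set:   authentication parameter set (older parameters satisfying the preset
                 condition), tried only when the current parameter fails.
    after_fault: the 'special scenario' in which `current` was issued after a fault;
                 a mismatch is then final and no old parameter is tried.
    """
    if matches(pkt, current, algorithm):
        return pkt
    if after_fault:
        return None
    for old in param_set:
        if matches(pkt, old, algorithm):
            # Authenticated with an old parameter: rewrite the values under the
            # current parameter so the next hop can verify with it.
            return stamp(pkt, current, algorithm)
    return None


def strip(pkt: Packet) -> Packet:
    """Hop that hands the packet to the service module: remove the authentication header."""
    return Packet(pkt.src, pkt.dst, pkt.seq, pkt.payload, ())
```

The non-cryptographic option saves cycles, as the page says, but lets an illegal device find a colliding value far more easily; since the page itself counts collision as an attack to resist, the keyed hash is the safer default. The sequence number is covered by position 1 here but, as on the page, nothing says how a hop should track it; a replay check would need per-flow state that this example does not keep.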
  • A second aspect of this application provides another message forwarding method, applied to a security control device.
  • The method may include: obtaining the authentication parameter of the current cycle, where the authentication parameters of different cycles differ; obtaining the authentication algorithm of the current cycle; and sending the current cycle's authentication parameter and algorithm through a secure channel to each forwarding device under its control, for use when those devices forward messages.
  • The security control device configures the authentication parameters and algorithm centrally through the secure channel, and each forwarding device authenticates with them when forwarding, which achieves segment-by-segment path authentication. As in the first aspect, delivery over a secure channel keeps the parameters and algorithm out of reach of packet capture, the parameters can be updated continually with a simple update process, and the centralized architecture can be reconfigured quickly when routing nodes are added or changed.
  • The security control device may execute the method every cycle, or after it has recovered and restarted from a fault.
  • The conditions under which the method is applied are not limited by this application.
  • The length of a cycle can be configured as needed and is not limited by this application.
  • The authentication parameter may be a key, a random number or a salt value.
  • The authentication algorithm may be a cryptographic hash algorithm or a non-cryptographic hash algorithm.
  • Using a non-cryptographic hash algorithm reduces the performance cost of authentication.
  • Obtaining the authentication parameter of the current cycle may mean generating it, or receiving, through a secure channel, the parameter of the current cycle entered by the administrator.
  • The method may further include: receiving a request message from a first forwarding device, which may be any forwarding device controlled by the security control device, asking for the latest authentication parameters; and sending the latest authentication parameters to that device through the secure channel.
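The control-plane side of the second aspect, as an added example that is not the patent's own code: a security control device that issues a fresh parameter each cycle over a per-device channel and answers a post-fault request, and the parameter bookkeeping on a forwarding device that retains old parameters under either preset condition (last N received, or received within a time window). The SecureChannel class stands in for the IPsec or TLS channel and only records messages; the class and method names, the 32-byte parameter, and the fields of the configuration message are assumptions.

```python
"""Control-plane side of segment-by-segment path authentication (added illustration).

The security control device issues the parameter of each cycle; the forwarding
device keeps the authentication parameter set. Names and message fields are assumed.
"""
import secrets
from collections import deque


class SecureChannel:
    """Stands in for the IPsec or TLS channel from the controller to one forwarding
    device (assumption: transport security is out of scope; the class only delivers
    the configuration message and keeps a log for inspection)."""

    def __init__(self, device):
        self.device = device
        self.log = []

    def send(self, msg: dict):
        self.log.append(dict(msg))
        self.device.on_config(**msg)


class SecurityController:
    """Obtains the authentication parameter and algorithm of the current cycle and
    pushes them to every controlled forwarding device over its secure channel."""

    def __init__(self, algorithm: str = "hmac-sha256", param_len: int = 32):
        self.algorithm = algorithm
        self.param_len = param_len
        self.cycle_no = -1
        self.current = None        # parameter of the current cycle
        self.issued_at = None
        self.channels = {}         # device name -> SecureChannel

    def register(self, device) -> None:
        self.channels[device.name] = SecureChannel(device)

    def _config(self, after_fault: bool) -> dict:
        return {"cycle": self.cycle_no, "param": self.current, "algorithm": self.algorithm,
                "issued_at": self.issued_at, "after_fault": after_fault}

    def new_cycle(self, now: float, param: bytes = None) -> bytes:
        """Start a cycle. The parameter is normally generated here; a value entered
        by the administrator (received over its own secure channel) may be passed in."""
        if param is None:
            param = secrets.token_bytes(self.param_len)
            while param == self.current:            # different cycles, different parameters
                param = secrets.token_bytes(self.param_len)
        elif param == self.current:
            raise ValueError("the parameter of a new cycle must differ from the previous one")
        self.cycle_no += 1
        self.current, self.issued_at = param, now
        for channel in self.channels.values():
            channel.send(self._config(after_fault=False))
        return param

    def handle_request(self, device_name: str) -> None:
        """A forwarding device that recovered from a fault asks for the latest parameter.
        The reply is flagged so the device treats it as the 'special scenario'."""
        if self.current is not None:
            self.channels[device_name].send(self._config(after_fault=True))


class ForwardingDeviceControlPlane:
    """Parameter bookkeeping on a forwarding device (the per-packet check is done
    elsewhere). Old parameters are retained under the preset condition: the last
    `keep` parameters received and, if `max_age` is set, only those received
    within `max_age` seconds."""

    def __init__(self, name: str, keep: int = 2, max_age: float = None):
        self.name = name
        self.max_age = max_age
        self.current = self.algorithm = self.current_issued_at = None
        self.old = deque(maxlen=keep)   # authentication parameter set, newest first
        self.after_fault = False        # special scenario: no fallback to old parameters

    def on_config(self, cycle, param, algorithm, issued_at, after_fault):
        if self.current is not None and param != self.current:
            self.old.appendleft((self.current, self.current_issued_at))
        self.current, self.algorithm, self.current_issued_at = param, algorithm, issued_at
        self.after_fault = after_fault

    def recover(self, controller: SecurityController) -> None:
        """After a fault the stored parameters are gone; request the latest one."""
        self.current = None
        self.old.clear()
        controller.handle_request(self.name)

    def params_for_auth(self, now: float):
        """(current parameter, algorithm, usable old parameters) for the data plane."""
        if self.after_fault:
            return self.current, self.algorithm, []
        old = [p for p, t in self.old if self.max_age is None or now - t <= self.max_age]
        return self.current, self.algorithm, old
```

The after_fault flag is cleared by the next regular cycle, so a device that came back from a fault rejects mismatches outright only until the controller's next push; that matches the page's reasoning that the special scenario speeds the takeover of the new parameter.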
  • A third aspect of this application provides a message forwarding apparatus comprising a receiving unit, a processing unit and a sending unit.
  • The receiving unit receives the first authentication parameter and the authentication algorithm through the secure channel.
  • The receiving unit also receives the first packet, which carries a first authentication value for each of one or more authentication positions.
  • The processing unit applies the authentication algorithm to the first authentication parameter received by the receiving unit and the authentication reference information of each authentication position, obtaining a second authentication value for each position.
  • The processing unit also judges whether the second authentication value of each authentication position is the same as the respective first authentication value.
  • The sending unit forwards the first message if the processing unit judges that the second authentication value of every authentication position is the same as the respective first authentication value.
  • The authentication parameters and algorithm are configured centrally through the secure channel, and each forwarding device authenticates packets with them as it forwards, giving segment-by-segment path authentication with the advantages described for the first aspect: an illegal device cannot obtain the parameters or algorithm by packet capture, the parameters can be updated continually and simply, and the centralized control architecture can be reconfigured quickly when routing nodes are added or changed.
  • The message forwarding apparatus of the third aspect implements the message forwarding method of the first aspect and any of its possible implementations; for the specific implementation of the apparatus, refer to the implementation of that method, which is not repeated here.
  • A fourth aspect of this application provides another message forwarding apparatus comprising an acquiring unit and a sending unit. The acquiring unit obtains the authentication parameter of the current cycle, the parameters of different cycles being different, and also obtains the authentication algorithm; the sending unit sends the current cycle's authentication parameter and algorithm obtained by the acquiring unit, through a secure channel, to each forwarding device under control, for use when those devices forward messages.
  • The security control device configures the authentication parameters and algorithm centrally through the secure channel.
  • Each forwarding device authenticates with the configured parameters and algorithm when forwarding, achieving segment-by-segment path authentication; because the parameters and algorithm travel over a secure channel, an illegal device cannot obtain them by capturing packets, which improves the security of the authentication.
  • Centralized configuration also allows the parameters to be updated continually and simply, and the centralized control architecture can be reconfigured quickly even when routing nodes are added or changed.
  • The message forwarding apparatus of the fourth aspect implements the message forwarding method of the second aspect and any of its possible implementations; for its specific implementation, refer to the implementation of that method, which is not repeated here.
  • A fifth aspect of this application provides a packet forwarding apparatus that implements the functions of the forwarding device in the method examples above. The functions may be implemented by hardware, or by hardware executing the corresponding software.
  • The hardware or software includes one or more modules corresponding to the functions above.
  • The message forwarding apparatus may exist in the form of a chip product.
  • Its structure includes a processor and a transceiver; the processor is configured to support the apparatus in performing the corresponding functions of the method above.
  • The transceiver supports communication between the message forwarding apparatus and other equipment.
  • The apparatus may further include a memory coupled to the processor, which stores the program instructions and data the apparatus needs.
  • A sixth aspect of this application provides a message forwarding apparatus that implements the functions of the security control device in the method examples above. The functions may be implemented by hardware, or by hardware executing the corresponding software.
  • The hardware or software includes one or more modules corresponding to the functions above.
  • The message forwarding apparatus may exist in the form of a chip product.
  • Its structure includes a processor and a transceiver; the processor is configured to support the apparatus in performing the corresponding functions of the method above.
  • The transceiver supports communication between the message forwarding apparatus and other equipment.
  • The apparatus may further include a memory coupled to the processor, which stores the program instructions and data the apparatus needs.
  • A seventh aspect of this application provides a forwarding device that includes a message forwarding apparatus executing the message forwarding method of the first aspect or any of its possible implementations.
  • An eighth aspect of this application provides a security control device that includes a message forwarding apparatus executing the message forwarding method of the second aspect or any of its possible implementations.
  • A ninth aspect of this application provides a message forwarding system including a security control device and one or more forwarding devices.
  • A tenth aspect of this application provides a computer-readable storage medium containing instructions which, when run on a computer, cause the computer to perform the message forwarding method of any of the aspects above or any of their possible implementations.
  • An eleventh aspect of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the message forwarding method of any of the aspects above or any of their possible implementations.
  • FIG. 1 is a schematic diagram of a data network architecture in the prior art.
  • FIG. 1a is a schematic structural diagram of a data network according to an embodiment of this application.
  • FIG. 2 is a schematic structural diagram of a forwarding device provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a security control device provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a packet forwarding method provided by an embodiment of the present application.
  • FIG. 5 is a schematic diagram of a message format provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a packet forwarding device according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of another message forwarding device according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of yet another message forwarding device provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of yet another message forwarding device provided by an embodiment of the present application.
  • words such as “exemplary” or “for example” are used as examples, illustrations or explanations. Any embodiments or design solutions described as “exemplary” or “for example” in the embodiments of the present application should not be interpreted as being more preferred or more advantageous than other embodiments or design solutions. Rather, the use of words such as “exemplary” or “for example” is intended to present related concepts in a specific manner.
  • "A, B and/or C" in the embodiments of the present application represents any of the following: A; or B; or C; or A and B; or A and C; or B and C; or A, B and C.
  • This application proposes a message forwarding method and apparatus that implement high-security, segment-by-segment path authentication while messages are forwarded through a data network.
  • The basic principle is to deploy a security control device that configures the authentication parameters and authentication algorithm on the forwarding (switching) equipment and updates the parameters continually, so that an illegal host cannot obtain, by packet capture or collision, the information it would need to disguise itself as a legitimate node; this improves the security of packet forwarding.
  • The message forwarding method of this application applies to the data network 10 shown in FIG. 1.
  • The data network 10 may be a communication network or a computer network; its type is not limited by this application.
  • The data network 10 includes a sending device 101, one or more forwarding devices 102, a receiving device 103 and a forwarding control device 104.
  • The forwarding control device 104 configures a routing table (also called forwarding entries) according to actual needs.
  • The routing table holds the specific instruction for each hop of the transmission path and is used by the forwarding devices 102 to forward messages.
  • The sending device 101 sends a message to the receiving device 103 along the transmission path, which includes one or more forwarding devices 102 and is reflected in the routing table.
  • Each forwarding device 102 looks up the next hop in the routing table and forwards the message to it.
  • A forwarding device in this application may be a router, a switch or another device; its actual form is not limited.
  • A security control device 105 is deployed to configure the authentication parameters and authentication algorithm on the switching devices.
  • The security control device 105 is connected through a secure channel to at least one forwarding device 102 under its control, and configures that forwarding device 102 with the authentication parameters and authentication algorithm.
  • The security control device 105 also communicates with the network administrator over a secure channel.
  • The security control device 105 may be deployed separately from the forwarding control device 104 (as shown in FIG. 1a), or inside the forwarding control device 104 as a functional unit (not shown).
  • The deployment mode of the security control device 105 is not limited.
  • FIG. 2 shows a forwarding device 20 related to various embodiments of the present application.
  • the forwarding device 20 may include a processor 201, a memory 202 and a transceiver 203.
  • the memory 202 may be a volatile memory, such as random-access memory (RAM); or a non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or a combination of the above types of memory, and stores the program code, configuration files and routing table that implement the method of this application.
  • the processor 201 is the control center of the forwarding device 20, and may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, for example one or more digital signal processors (DSP) or one or more field programmable gate arrays (FPGA).
  • the transceiver 203 is used for communication with other devices and data transmission.
  • the forwarding device 20 may be configured with the control plane and the forwarding plane separated (not shown in FIG. 2): the control plane generates the routing table and receives the authentication parameters and authentication algorithm used for authentication, and sends the routing table, authentication parameters and authentication algorithm to the forwarding plane; the forwarding plane performs authentication and message forwarding.
  • the forwarding device 20 may also have the control plane and the forwarding plane not separated; in that case the forwarding device 20 may be configured with a logic module for receiving the authentication parameters and authentication algorithm used for authentication.
  • the processor 201 executes the following functions by running or executing the software programs and/or modules stored in the memory 202 and calling the data stored in the memory 202:
  • an embodiment of the present application provides a security control device 30.
  • the security control device 30 may be deployed in the forwarding control device 104 in the data network 10 illustrated in FIG. 1 as a functional module of the forwarding control device 104 or, the security control device 30 may also be independently deployed.
  • the deployment position of the device 30 is not specifically limited.
  • the security control device 30 is used to control the forwarding device and centrally configure authentication parameters and authentication algorithms to the forwarding device; the security control device 30 is also used to continuously update the authentication parameters to the controlled forwarding device.
  • FIG. 3 shows a security control device 30 related to various embodiments of the present application.
  • the security control device 30 may include a processor 301, a memory 302, and a transceiver 303.
  • the memory 302 may be a volatile memory, such as RAM; or a non-volatile memory, such as read-only memory (ROM), flash memory, HDD or SSD; or a combination of the above.
  • the processor 301 is the control center of the security control device 30, and may be a CPU, an ASIC, or one or more integrated circuits configured to implement the embodiments of the present application, for example, one or more DSPs, or, One or more FPGAs.
  • the processor 301 can execute various functions of the security control device 30 by running or executing software programs and/or modules stored in the memory 302 and calling data stored in the memory 302.
  • the transceiver 303 is used for the security control device 30 to interact with other units.
  • the transceiver 303 may be a transceiver port of the security control device 30.
  • the processor 301 performs the following functions by running or executing software programs and/or modules stored in the memory 302 and calling data stored in the memory 302: obtain the authentication parameters of the current cycle, where the authentication parameters of different cycles are different; obtain the authentication algorithm of the current cycle; and send the authentication parameters and authentication algorithm of the current cycle through the transceiver 303, over the secure channel, to each controlled forwarding device, for use by the forwarding device when forwarding packets.
  • an embodiment of the present application provides a packet forwarding method. As shown in FIG. 4, the method may include:
  • the security control device obtains the authentication parameters of the current cycle, and the authentication parameters of different cycles are different.
  • the security control device may periodically execute S401; the period may be a time period, a message transmission stage, or other.
  • the embodiment of the present application does not specifically limit the length of the period.
  • the security control device may also execute S401 after recovering from a failure.
  • the security control device may also execute S401 at other timings.
  • the embodiment of the present application does not specifically limit the triggering condition for the security control device to execute S401.
  • the authentication parameters of the current cycle are the latest authentication parameters. If the authentication parameters remain unchanged, those of the current cycle are the fixed authentication parameters; if the authentication parameters are continuously updated, those of the current cycle are the ones most recently updated when S401 is executed. The term "current cycle" therefore does not require S401 to be executed periodically.
  • the authentication parameters are used for authentication by the forwarding device, and any parameters that can be used for authentication can be used as the authentication parameters described herein.
  • the embodiment of the present application does not specifically limit the types of authentication parameters.
  • the authentication parameter may include: a key, or a random number, or a salt value.
  • the authentication parameters may also be other types of parameters, which are not repeated here one by one, and the above examples do not constitute a specific limitation.
  • the security control device obtains the authentication parameters of the current cycle, which may be implemented as: generating the authentication parameters of the current cycle.
  • the embodiment of the present application does not limit the specific scheme for the security control device to generate the authentication parameter.
  • the security control device may randomly generate the authentication parameters (in practice from a cryptographically secure random source, since a predictable parameter defeats the purpose of rotating it).
  • the security control device obtains the authentication parameters of the current cycle, which may be implemented as: receiving the authentication parameters of the current cycle input by the administrator through the secure channel.
  • the security control device provides an interactive interface to the network administrator. The administrator can enter the authentication parameters in the interactive interface, or the administrator can also periodically enter the authentication parameters on the interactive interface, so that the security control device obtains the authentication parameters.
  • the security control device obtains an authentication algorithm.
  • the authentication algorithm may include a cryptographic hash algorithm or a non-cryptographic hash algorithm (the original text calls these the encrypted and non-encrypted HASH algorithms).
  • a cryptographic hash algorithm offers high security but a high performance cost; a non-cryptographic hash algorithm offers lower security but saves performance.
  • the type of authentication algorithm can be flexibly selected according to the actual scenario, which is not specifically limited in the embodiments of the present application. Further, continuously updating the authentication parameters compensates for the weaker security of a non-cryptographic hash algorithm.
  • the cryptographic hash algorithms may include MD5, SHA-512, SHA-1 and the like. Note that MD5 and SHA-1 are no longer collision resistant, so where the algorithm is selectable a SHA-2 family member such as SHA-512 is the safer choice.
  • the non-cryptographic hash algorithms may include murmurHASH3, cyclic redundancy check (CRC) 32 and so on. A CRC is linear: from one captured message and its authentication value an attacker can compute the value for a modified message of the same length without knowing the parameter; parameter rotation limits how long such a forgery stays valid but does not prevent it within a period.
  • a fixed authentication algorithm may be used for a data network, then the security control device may execute S402 only once.
  • the authentication algorithm in a data network, can be continuously replaced, then the security control device needs to execute S402 multiple times to obtain the latest authentication algorithm.
  • S401 and S402 can be performed simultaneously or separately; what matters is that in S403 the latest authentication parameters and authentication algorithm currently obtained are sent to the forwarding device.
  • the security control device automatically selects an authentication algorithm in S402.
  • the embodiment of the present application does not specifically limit the selection method, and the type and number of the optional authentication algorithms.
  • an authentication algorithm library may be pre-configured, and the security control device selects it in S402.
  • the security control device obtains the authentication algorithm, which may be implemented as: receiving the authentication algorithm input by the administrator through the secure channel.
  • the security control device provides an interactive interface to the network administrator.
  • the administrator can enter the authentication algorithm in the interactive interface, or the administrator can also periodically input the authentication algorithm on the interactive interface, so that the security control device obtains the authentication algorithm.
  • the security control device uses a secure channel to send the current cycle authentication parameters and authentication algorithm to each forwarding device under control.
  • in S403 the security control device sends the authentication parameters obtained in S401 and the authentication algorithm obtained in S402 to each forwarding device it controls, so that each forwarding device, when forwarding a message, authenticates it according to the latest authentication parameters and authentication algorithm.
  • the secure channel is a channel over which an illegal node cannot obtain the information carried, that is, one that provides confidentiality and integrity between the security control device and the forwarding device.
  • the type of the secure channel is not limited in this application.
  • the secure channel may be an IPsec tunnel or a TLS connection or other.
  • the forwarding device receives the first authentication parameter and the authentication algorithm through the secure channel.
  • the first authentication parameter is the current cycle authentication parameter sent by the security control device in S403.
  • the forwarding device is any forwarding device controlled by the security control device.
  • the forwarding device may be an intermediate forwarding device in the packet forwarding path, or may be the first forwarding device in the forwarding path, or may be the last forwarding device, which is not specifically limited in the embodiment of the present application.
  • after receiving the first authentication parameter and the authentication algorithm in S404, the forwarding device sends a response message to the central controller.
  • the central controller then notifies the forwarding device that the first authentication parameter and the authentication algorithm are enabled. From then on, when a message arrives, the forwarding device authenticates it according to the first authentication parameter and the authentication algorithm.
  • the forwarding device may be an intermediate node in the forwarding path of the message, and the forwarding node performs S405 to S411 to authenticate the message.
  • the forwarding device may be the first forwarding device in the forwarding path of the message, and the forwarding device performs S412 to S414 to authenticate the message.
  • the forwarding device receives the first message, where the first message includes the first authentication value of one or more authentication locations.
  • the first packet is any one of the many packets received by the forwarding device. Since the forwarding device processes the same for each packet, the first packet is only used as an example for description here, and is not specifically limited. .
  • the authentication position refers to one of the several authentications performed in the message authentication process, and does not indicate a physical position.
  • each authentication position is known throughout the network and has its own authentication reference information; the content of the reference information differs between positions. One or more authentication positions can be configured according to actual needs: the more positions configured, the higher the security of authentication, but the more complex the implementation.
  • that the first packet includes the first authentication value of one or more authentication positions indicates that the forwarding device is an intermediate node of the forwarding path; the first authentication value of each authentication position is a field written by a forwarding device that precedes this device in the forwarding path of the first packet.
  • the forwarding device performs S406 to authenticate the first message.
  • the first authentication value of each authentication position may be included in the authentication packet header in the first packet, and the position of the authentication packet header in the first packet may be configured according to actual needs. This embodiment of the present application does not specifically limit this.
  • the authentication header follows the transport-layer header in the first packet, so that an intermediate device that does not support authentication does not discard the packet.
  • as shown in FIG. 5, the message includes an internet protocol (IP) header and a user datagram protocol (UDP) header, followed by the authentication header and then the data part.
  • the authentication header includes authentication-related information (authentication version number, reserved field, authentication header length, authentication data length and next protocol) and the authentication value for each authentication position.
  • FIG. 5 only illustrates the internal structure of the message by way of example, and does not specifically limit the structure of the message.
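As an added illustration of the header layout described above (written for this page, not code from the patent), the following Python packs and parses an authentication header of the kind FIG. 5 describes. The field widths (1-byte version, 1-byte reserved, 2-byte header length, 2-byte data length, 1-byte next protocol) and a fixed tag size per authentication position are this example's assumptions; the patent does not specify them. The parser rejects any header whose declared lengths do not fit the buffer, which is the check a forwarding device must make before trusting the carried authentication values.

```python
import struct

# Assumed wire layout of the authentication header (field widths are not given
# in the patent; these are this example's choices), carried after the UDP header:
#   version(1) reserved(1) hdr_len(2) data_len(2) next_proto(1) | tag_1 .. tag_n | data
AUTH_HDR_FMT = "!BBHHB"
AUTH_HDR_FIXED = struct.calcsize(AUTH_HDR_FMT)  # 7 bytes


def pack_auth_header(tags, payload, next_proto, version=1):
    """Build authentication header + data part, as the first forwarding device would.

    `tags` holds one authentication value per authentication position; all tags
    must have the same length so the receiver can split them without a length table.
    """
    if len({len(t) for t in tags}) > 1:
        raise ValueError("all authentication values must have the same length")
    tag_bytes = b"".join(tags)
    hdr_len = AUTH_HDR_FIXED + len(tag_bytes)
    fixed = struct.pack(AUTH_HDR_FMT, version, 0, hdr_len, len(payload), next_proto)
    return fixed + tag_bytes + payload


def unpack_auth_header(buf, tag_len):
    """Parse the authentication header that follows the UDP header.

    Returns (version, next_proto, tags, payload). Raises ValueError on any length
    inconsistency so a malformed header is discarded rather than partially trusted.
    """
    if len(buf) < AUTH_HDR_FIXED:
        raise ValueError("buffer shorter than the fixed authentication header")
    version, _reserved, hdr_len, data_len, next_proto = struct.unpack_from(AUTH_HDR_FMT, buf, 0)
    if hdr_len < AUTH_HDR_FIXED or hdr_len > len(buf):
        raise ValueError("authentication header length out of range")
    tag_bytes = buf[AUTH_HDR_FIXED:hdr_len]
    if tag_len <= 0 or len(tag_bytes) % tag_len:
        raise ValueError("authentication values do not divide into whole tags")
    tags = [tag_bytes[i:i + tag_len] for i in range(0, len(tag_bytes), tag_len)]
    payload = buf[hdr_len:hdr_len + data_len]
    if len(payload) != data_len:
        raise ValueError("payload truncated")
    return version, next_proto, tags, payload


def accepts(buf, tag_len):
    """True if the header parses, False if a forwarding device would discard the packet."""
    try:
        unpack_auth_header(buf, tag_len)
        return True
    except ValueError:
        return False


def roundtrip_example():
    """Constructed sample: three 4-byte tags and a short payload, packed then parsed."""
    tags = [b"\x01" * 4, b"\x02" * 4, b"\x03" * 4]
    payload = b"constructed payload"
    wire = pack_auth_header(tags, payload, next_proto=17)
    return unpack_auth_header(wire, tag_len=4), len(wire)
```

The tag length is supplied by the receiver rather than read from the wire because it is implied by the authentication algorithm the security control device configured (for example 4 bytes for CRC32, 32 bytes for SHA-256); a header whose tag area does not divide evenly by that length cannot have been produced by a device using the same configuration.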
  • the forwarding device performs an authentication algorithm on the first authentication parameter and the authentication reference information of each authentication location to obtain a second authentication value for each authentication location.
  • the authentication reference information is a configured reference quantity for authentication, and the content of the authentication reference information can be configured according to actual needs, which is not specifically limited in the embodiments of the present application.
  • the authentication reference information includes one or more of the following: the source address of the first message, the destination address of the first message, the increasing sequence number, part or all of the data in the first message, and the second authentication value of one or more other authentication positions.
  • the authentication reference information may also include other content.
  • different authentication reference information can be configured for different authentication positions, which is not specifically limited in the embodiment of the present application.
  • the authentication reference information at different authentication positions may include different parts of the data in the first message.
  • the authentication reference information of different authentication positions may include the same part of the data in the first packet, and the second authentication value of one or more other authentication positions.
  • the increasing sequence number is a simple increasing field carried in the message, and the content of the increasing sequence number is not specifically limited in this application.
  • Example 1: assume three authentication positions are configured, recorded as authentication positions 1, 2 and 3, with authentication reference information A, B and C respectively.
  • the forwarding device holds the first authentication parameter and receives the first message, which carries the first authentication value X at position 1, Y at position 2 and Z at position 3.
  • the forwarding device performs the authentication algorithm on the first authentication parameter and A to obtain the second authentication value R of position 1, on the first authentication parameter and B to obtain the second authentication value S of position 2, and on the first authentication parameter and C to obtain the second authentication value T of position 3.
  • Example 2: assume three authentication positions are configured, recorded as authentication positions 4, 5 and 6. The authentication reference information of position 4 is J; that of position 5 is the second authentication value of position 4; and that of position 6 is the second authentication values of positions 4 and 5.
  • the forwarding device holds the first authentication parameter and receives the first message, which carries the first authentication value 7 at position 4, 8 at position 5 and 9 at position 6.
  • the forwarding device performs the authentication algorithm on the first authentication parameter and J to obtain the second authentication value U of position 4, on the first authentication parameter and U to obtain the second authentication value V of position 5, and on the first authentication parameter, U and V to obtain the second authentication value W of position 6.
  • the forwarding device determines whether the second authentication value of each authentication location is the same as the respective first authentication value.
  • the second authentication value of each authentication location is the same as the respective first authentication value, which means that the second authentication value of each authentication location is the same as the first authentication value of the authentication location .
  • the content before and after it belongs to the same authentication position that is, the second authentication value of an authentication position is compared with the first authentication value of the authentication position. The follow-up content will not explain them one by one.
  • for Example 1, judging whether the second authentication value of each authentication position is the same as the respective first authentication value means judging whether X and R are the same, Y and S are the same, and Z and T are the same.
  • the second authentication value of each authentication position being the same as the respective first authentication value means that X equals R, Y equals S, and Z equals T.
  • for Example 2, the judgement is whether 7 and U are the same, 8 and V are the same, and 9 and W are the same; similarly, the second authentication value of each authentication position being the same as the respective first authentication value means that 7 equals U, 8 equals V, and 9 equals W.
  • if it is determined in S407 that the second authentication value of one or more authentication positions differs from the respective first authentication value, the subsequent handling can be configured or selected according to the actual situation; this embodiment of the present application does not specifically limit it.
  • if the update period of the authentication parameter is long, or the forwarding path of the message is short and the data network is not busy, so that after evaluation the authentication parameter will not be updated while a message is in transit, it can be configured that a mismatch in S407 leads directly to S409 and the first message is discarded.
  • if the authentication parameters may be updated while a message is in transit, then on a mismatch in S407, S410 to S411 are executed to determine whether the message authenticates successfully under an old authentication parameter.
  • if that also fails, the authentication fails and the first message is judged to be an illegal message.
  • a special scenario is one in which the first authentication parameter was issued after a fault recovery, either because the forwarding device requested it after recovering or because the security control device actively issued it after the recovery; in that scenario the fallback to an older parameter does not apply. Therefore, when a mismatch is found in S407, it can first be judged whether this special scenario applies: if so, the authentication failure is final, the first message is judged illegal and S409 is executed to discard it; if not, S410 to S411 are executed to determine whether a second authentication parameter exists in the authentication parameter set.
  • the forwarding device forwards the first message.
  • the forwarding device queries the next hop information in the routing table, and forwards the first packet to the next hop device according to the information.
  • the application will not repeat the forwarding process.
  • the forwarding device discards the first message.
  • the forwarding device determines whether the second authentication parameter exists in the authentication parameter set.
  • the authentication parameter set includes one or more authentication parameters that meet the preset condition and are received before the first authentication parameter.
  • the second authentication parameter is an authentication parameter in the set for which the third authentication value, obtained by performing the authentication algorithm on that parameter and the authentication reference information of each authentication position, is the same as the respective first authentication value at every position.
  • the preset condition may include: being among the previous N authentication parameters before the first authentication parameter, where N is greater than or equal to 1.
  • the previous N authentication parameters before the first authentication parameter are the N parameters counted backwards in receiving order, starting from the parameter received immediately before the first authentication parameter.
  • the authentication parameter set includes the previous authentication parameter of the first authentication parameter, that is, N equals 1.
  • the forwarding device saves the latest authentication parameters and the previous authentication parameters.
  • the preset condition may include: the receiving time is within a preset duration before receiving the first authentication parameter.
  • the value of the preset duration can be configured according to actual needs, which is not specifically limited in the embodiments of the present application.
  • the method provided in this embodiment of the present application may further include: the forwarding device deletes the authentication parameter in the authentication parameter set that does not satisfy the preset condition.
  • determining whether the second authentication parameter exists in the authentication parameter set in S410 can be implemented as follows: for each authentication parameter in the set, the forwarding device performs the authentication algorithm on that parameter and the authentication reference information of each authentication position to obtain the third authentication value of that parameter at each position, and determines whether for some parameter the third authentication value at every position is the same as the respective first authentication value. If so, a second authentication parameter exists; otherwise, it does not.
  • S411: if it is determined in S410 that a second authentication parameter exists in the authentication parameter set, this indicates that the authentication parameter was updated while the first packet was being forwarded, and S411 is executed to forward the first packet. If it is determined in S410 that no second authentication parameter exists, the authentication of the first packet fails, it is judged to be an illegal packet, and S409 is executed to discard it.
  • the forwarding device queries the next hop information in the routing table, and forwards the first packet to the next hop device according to the information.
  • the application will not repeat the forwarding process.
  • the message forwarding method provided in the embodiment of the present application may further include S412 and S414.
  • the forwarding device receives the second message.
  • the second message is an original message sent by the source device to the forwarding device.
  • the forwarding device writes into the second packet the authentication value obtained by performing the authentication algorithm on the first authentication parameter and the authentication reference information of each authentication position.
  • the forwarding device fills the authentication value in the authentication packet header of the second packet.
  • the forwarding device forwards the second message filled with the authentication value.
  • the forwarding device queries the next hop information in the routing table, and forwards the second packet to the next hop device according to the information.
  • the application will not repeat the forwarding process.
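The following Python pulls S406 to S414 together as an added example written for this page; it is not the patent's own code. It generalises Examples 1 and 2: each authentication position has a reference-information function that may consume packet fields and the second authentication values already computed for earlier positions, so chained positions such as positions 5 and 6 fall out naturally (the three-position layout used here is an assumption). The authentication algorithm is pluggable: HMAC-SHA256 stands in for the page's cryptographic class and CRC32 for its non-cryptographic class, and using HMAC rather than a bare hash over parameter and reference information is this example's own choice. The forwarding device keeps the previous N authentication parameters as the authentication parameter set (S410, N = 1 by default) and, after a mismatch against the current parameter, retries them before discarding (S409).

```python
import hashlib
import hmac
import zlib
from dataclasses import dataclass, field


# --- authentication algorithms: callable(parameter, reference) -> authentication value ---
def hmac_sha256(parameter, reference):
    """Cryptographic option (page: MD5/SHA-1/SHA-512 class); HMAC is this example's choice."""
    return hmac.new(parameter, reference, hashlib.sha256).digest()


def crc32_tag(parameter, reference):
    """Non-cryptographic option (page: murmurHASH3/CRC32 class)."""
    return zlib.crc32(parameter + reference).to_bytes(4, "big")


@dataclass
class Packet:
    src: str
    dst: str
    seq: int                      # increasing sequence number carried in the message
    data: bytes
    auth_values: dict = field(default_factory=dict)   # position -> first authentication value


# Reference information per authentication position (assumed layout). Each entry
# receives the packet and the values already computed for earlier positions, so a
# position can chain on previous ones as in Example 2.
REFERENCE_INFO = {
    1: lambda p, v: p.src.encode() + p.dst.encode() + p.seq.to_bytes(4, "big"),
    2: lambda p, v: p.data + v[1],        # data plus position 1's value
    3: lambda p, v: v[1] + v[2],          # values of positions 1 and 2 only
}


def compute_auth_values(parameter, pkt, algorithm, reference=REFERENCE_INFO):
    """S406: second authentication values, computed in position order so chains resolve."""
    values = {}
    for pos in sorted(reference):
        values[pos] = algorithm(parameter, reference[pos](pkt, values))
    return values


def first_hop_fill(parameter, pkt, algorithm=hmac_sha256):
    """S412-S414: the first forwarding device writes the authentication values."""
    pkt.auth_values = compute_auth_values(parameter, pkt, algorithm)
    return pkt


class Forwarder:
    """Intermediate forwarding device: S405-S411."""

    def __init__(self, algorithm=hmac_sha256, keep_previous=1):
        self.algorithm = algorithm
        self.keep_previous = keep_previous   # N in the preset condition
        self.current = None                  # first authentication parameter
        self.previous = []                   # authentication parameter set, oldest first

    def install_parameter(self, parameter):
        """S404 / S417: a new parameter arrives from the security control device."""
        if self.current is not None:
            self.previous.append(self.current)
            # drop parameters that no longer satisfy the preset condition
            self.previous = self.previous[-self.keep_previous:] if self.keep_previous else []
        self.current = parameter

    def _matches(self, parameter, pkt):
        expected = compute_auth_values(parameter, pkt, self.algorithm)
        if expected.keys() != pkt.auth_values.keys():
            return False          # missing or extra positions never authenticate
        return all(hmac.compare_digest(expected[k], pkt.auth_values[k]) for k in expected)

    def authenticate(self, pkt):
        """S407: returns the action taken for the first message."""
        if self.current is not None and self._matches(self.current, pkt):
            return "forward"                              # S408
        for old in reversed(self.previous):               # S410: newest old parameter first
            if self._matches(old, pkt):
                return "forward-with-previous-parameter"  # S411
        return "drop"                                     # S409


def rotation_scenario(algorithm=hmac_sha256):
    """Constructed walk-through: a message sealed under k1 survives one rotation, not two."""
    fwd = Forwarder(algorithm)
    fwd.install_parameter(b"k1")
    pkt = first_hop_fill(b"k1", Packet("10.0.0.1", "10.0.0.2", 1, b"hello"), algorithm)
    outcomes = [fwd.authenticate(pkt)]
    fwd.install_parameter(b"k2")
    outcomes.append(fwd.authenticate(pkt))
    fwd.install_parameter(b"k3")
    outcomes.append(fwd.authenticate(pkt))
    return outcomes
```

Because position 2 and position 3 chain on earlier values, any change to the source address, destination address or sequence number invalidates all three authentication values at once, which is what the page means by higher security with more positions. The time-based variant of the preset condition (parameters received within a preset duration) would replace the list slice in `install_parameter` with an age check; the verification loop is unchanged.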
  • the packet forwarding method provided in the embodiment of the present application may also include S415 to S417.
  • S415: after recovering from a fault, the forwarding device sends a request message to the security control device to request the latest authentication parameters.
  • if the forwarding device has an architecture in which the control plane and the forwarding plane are separated, the control plane of the forwarding device sends the request message to the security control device after the fault is recovered.
  • if, in such a separated architecture, it is the forwarding plane that recovers from a fault, it requests the latest authentication parameters from the control plane; this is an interaction internal to the device and is not described further here.
  • if the forwarding device has an architecture in which the control plane and the forwarding plane are not separated, the forwarding device sends the request message to the security control device, after the fault is recovered, through the logic module that communicates with the security control device.
  • the security control apparatus receives the request message sent by the forwarding device.
  • the security control device sends the latest authentication parameters to the forwarding device through the security channel.
  • since the security control device holds the latest authentication parameters, it can send them directly through the secure channel to the forwarding device that sent the request message.
  • the authentication parameters and authentication algorithms are centrally configured through the secure channel.
  • each forwarding device authenticates packets according to the received authentication parameters and authentication algorithm, achieving segment-by-segment (hop-by-hop) path authentication as packets are forwarded. Because the authentication parameters and algorithm are centrally configured over secure channels, an illegal device cannot obtain them by capturing packets, which improves the security of authentication.
  • the centralized configuration method can continuously update the authentication parameters to improve the security of the authentication, and the update process is simple and easy. Even if the routing node is added or changed, the centralized control architecture can be quickly configured.
  • the method can also be applied to packet forwarding paths that include forwarding devices that do not support segment-by-segment path authentication, that is, forwarding devices that do not support the packet forwarding method provided by this application; because the authentication header follows the transport-layer header, such devices forward the message normally without authenticating it.
  • the forwarding device and the security control device include a hardware structure and/or a software module corresponding to each function.
  • the functional unit in the forwarding device and the security control device that implements the above message forwarding method is called a message forwarding device.
  • the embodiment of the present application may divide the function module of the message forwarding device according to the above method example.
  • each function module may be divided corresponding to each function, or two or more functions may be integrated into one processing module.
  • the above integrated modules can be implemented in the form of hardware or software function modules. It should be noted that the division of the modules in the embodiments of the present application is schematic, and is only a division of logical functions. In actual implementation, there may be another division manner.
  • FIG. 6 shows a possible structural schematic diagram of a message forwarding apparatus 60 deployed in the forwarding device involved in the foregoing embodiment.
  • the message forwarding device 60 may be the forwarding device itself, or a functional module or chip in the forwarding device.
  • the message forwarding device 60 may include a receiving unit 601, a processing unit 602, and a sending unit 603.
  • the receiving unit 601 is used to execute the processes S404 and S405 in FIG. 4;
  • the processing unit 602 is used to execute the processes S406, S407, S409, S410 and S411 in FIG. 4;
  • the sending unit 603 is used to execute the processes S408, S411 and S415 in FIG. 4.
  • all relevant content of each step involved in the above method embodiments can be referred to the function description of the corresponding function module, which will not be repeated here.
  • FIG. 7 shows a possible structural schematic diagram of the message forwarding device 70 involved in the foregoing embodiment.
  • the message forwarding device 70 may include a processing module 701 and a communication module 702.
  • the processing module 701 is used to control and manage the operation of the message forwarding device 70.
  • the processing module 701 is used to execute the processes S406, S407, S409, S410, and S411 in FIG. 4;
  • the communication module 702 is used to execute the processes S404, S405, S408, S411, and S415 in FIG. 4.
  • the message forwarding device 70 may further include a storage module 703 for storing the program code and data of the message forwarding device 70.
  • the processing module 701 may be the processor 201 in the physical structure of the forwarding device 20 shown in FIG. 2, and may be a processor or a controller. For example, it may be a CPU, general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It can implement or execute various exemplary logical blocks, modules, and circuits described in conjunction with the disclosure of the present application.
  • the processing module 701 may also be a combination that realizes a computing function, for example, a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the communication module 702 may be the transceiver 203 in the physical structure of the forwarding device 20 shown in FIG. 2.
  • the communication module 702 may be a communication port, or may be a transceiver, a transceiver circuit, or a communication interface. Alternatively, the above communication interface may implement communication with other devices through the above-mentioned elements having a transceiver function. The above-mentioned elements with a transceiver function can be realized by an antenna and/or a radio frequency device.
  • the storage module 703 may be the memory 202 in the physical structure of the forwarding device 20 shown in FIG. 2.
  • When the processing module 701 is a processor, the communication module 702 is a transceiver, and the storage module 703 is a memory, the message forwarding apparatus 70 in FIG. 7 of the embodiment of the present application may be the forwarding device 20 shown in FIG. 2.
  • the message forwarding device 60 or the message forwarding device 70 provided by the embodiments of the present application may be used to implement the functions of the forwarding device in the methods implemented by the embodiments of the present application.
  • For parts whose specific technical details are not disclosed here, please refer to the method embodiments of the present application.
  • FIG. 8 shows a possible structural schematic diagram of a message forwarding device 80 deployed in the security control device involved in the foregoing embodiment.
  • the message forwarding device 80 may be the security control device itself, or a functional module or chip in the security control device.
  • the message forwarding device 80 may include: an obtaining unit 801 and a sending unit 802.
  • the obtaining unit 801 is used to execute the processes S401 and S402 in FIG. 4; the sending unit 802 is used to execute the processes S403 and S417 in FIG. 4.
  • all relevant content of each step involved in the above method embodiment can be referred to the function description of the corresponding function module, which will not be repeated here.
  • the message forwarding device 80 may further include a receiving unit 803 for performing the process S416 in FIG. 4.
  • FIG. 9 shows a possible structural schematic diagram of a message forwarding device 90 deployed in the security control device involved in the foregoing embodiment.
  • the message forwarding device 90 may be the security control device itself, or a functional module or chip in the security control device.
  • the message forwarding device 90 may include a processing module 901 and a communication module 902.
  • the processing module 901 is used to control and manage the operation of the message forwarding device 90.
  • the processing module 901 is used to execute the processes S401 and S402 in FIG. 4;
  • the communication module 902 is used to execute the processes S403, S416 and S417 in FIG. 4.
  • the message forwarding device 90 may further include a storage module 903 for storing the program code and data of the message forwarding device 90.
  • the processing module 901 may be the processor 301 in the physical structure of the security control device 30 shown in FIG. 3, and may be a processor or a controller. For example, it may be a CPU, general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, transistor logic device, hardware component, or any combination thereof. It can implement or execute various exemplary logical blocks, modules, and circuits described in conjunction with the disclosure of the present application.
  • the processing module 901 may also be a combination that realizes a computing function, for example, a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and so on.
  • the communication module 902 may be the transceiver 303 in the physical structure of the security control device 30 shown in FIG. 3.
  • the communication module 902 may be a communication port, or may be a transceiver, a transceiver circuit, or a communication interface. Alternatively, the above communication interface may implement communication with other devices through the above-mentioned elements having a transceiver function. The above-mentioned elements with a transceiver function can be realized by an antenna and/or a radio frequency device.
  • the storage module 903 may be the memory 302 in the physical structure of the security control device 30 shown in FIG. 3.
  • When the processing module 901 is a processor, the communication module 902 is a transceiver, and the storage module 903 is a memory, the message forwarding device 90 in FIG. 9 of the embodiment of the present application may be the security control device 30 shown in FIG. 3.
  • the message forwarding device 80 or the message forwarding device 90 provided by the embodiments of the present application may be used to implement the functions of the security control device in the method implemented by the embodiments of the present application.
  • For parts related to the embodiments of the application whose specific technical details are not disclosed here, please refer to the method embodiments of the present application.
  • a computer-readable storage medium on which instructions are stored, and when the instructions are executed, the message forwarding method in the foregoing method embodiment is executed.
  • a computer program product containing instructions is provided, and when the instructions are executed, the message forwarding method in the foregoing method embodiment is performed.
  • Computer-readable media includes computer storage media and communication media, where communication media includes any medium that facilitates transfer of a computer program from one place to another.
  • the storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are only schematic.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may be physically included separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware, or in the form of hardware plus software functional units.
  • the above integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium.
  • the above software functional unit is stored in a storage medium, and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device, etc.) to perform some steps of the methods described in the embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or optical disk and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention relate to the field of communications and concern a message forwarding method and apparatus, whereby high-security segment-by-segment path authentication is obtained when messages are transmitted in a data network; the method specifically comprises: receiving, through a secure channel, first authentication parameters and an authentication algorithm; receiving a first message, the first message comprising a first authentication value of each authentication position; running the first authentication parameters and the authentication reference information of each authentication position through the described authentication algorithm to obtain a second authentication value of each authentication position; if the second authentication value of each authentication position is identical to the respective first authentication value, forwarding the first message. The present invention is used for forwarding messages.
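The verification step that the abstract and the first description bullet describe, as an added example in Python that is not part of the patent: a forwarding device holds the authentication parameters and algorithm received from the security control device, recomputes the second authentication value of every authentication position in a packet, and forwards only if each equals the carried first value. The simulated secure channel, the packet layout, HMAC-SHA256 as the authentication algorithm, and the reference information (position identifier plus payload) are assumptions of this example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample of what the security control device distributes over the
# secure channel (assumption: the channel is simulated by these constants).
AUTH_PARAMETERS = {"key": b"constructed-demo-key"}
AUTH_ALGORITHM = "sha256"   # assumption: HMAC with this digest is the algorithm

@dataclass
class Packet:
    payload: bytes
    # authentication position -> first authentication value carried in the packet
    auth_values: dict = field(default_factory=dict)

def reference_info(position: str, payload: bytes) -> bytes:
    """Authentication reference information of one authentication position.
    Assumption: the position identifier followed by the packet payload."""
    return position.encode() + b"|" + payload

def compute_auth_value(params: dict, algorithm: str, position: str, payload: bytes) -> str:
    return hmac.new(params["key"], reference_info(position, payload), algorithm).hexdigest()

def stamp_packet(params: dict, algorithm: str, positions: list, payload: bytes) -> Packet:
    """Ingress side: fill in the first authentication value of every position."""
    return Packet(payload, {p: compute_auth_value(params, algorithm, p, payload) for p in positions})

def should_forward(params: dict, algorithm: str, expected_positions: list, packet: Packet) -> bool:
    """Forwarding device: recompute the second authentication value of each
    position and forward only if all of them equal the carried first values."""
    # A packet that lacks (or adds) an authentication position is dropped; without
    # this check an empty auth_values dict would pass the loop below trivially.
    if set(packet.auth_values) != set(expected_positions):
        return False
    for position, first_value in packet.auth_values.items():
        second_value = compute_auth_value(params, algorithm, position, packet.payload)
        if not hmac.compare_digest(first_value, second_value):   # constant-time compare
            return False
    return True

def demo() -> tuple:
    positions = ["R1", "R2", "R3"]
    good = stamp_packet(AUTH_PARAMETERS, AUTH_ALGORITHM, positions, b"constructed payload")
    # Payload modified in transit: every recomputed value differs from the carried one.
    tampered = Packet(good.payload + b"x", dict(good.auth_values))
    # Value at one position replaced by a device that never received the key.
    forged = Packet(good.payload, dict(good.auth_values, R2="00" * 32))
    # Parameters rotated by the security control device: a stale key no longer verifies.
    rotated = {"key": b"constructed-rotated-key"}
    return (should_forward(AUTH_PARAMETERS, AUTH_ALGORITHM, positions, good),
            should_forward(AUTH_PARAMETERS, AUTH_ALGORITHM, positions, tampered),
            should_forward(AUTH_PARAMETERS, AUTH_ALGORITHM, positions, forged),
            should_forward(rotated, AUTH_ALGORITHM, positions, good))
```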
PCT/CN2019/119295 2018-12-29 2019-11-18 Appareil et procédé de transfert de message Ceased WO2020134711A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811652773.2A CN111385278B (zh) 2018-12-29 2018-12-29 一种报文转发方法及装置
CN201811652773.2 2018-12-29

Publications (1)

Publication Number Publication Date
WO2020134711A1 true WO2020134711A1 (fr) 2020-07-02

Family

ID=71129668

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/119295 Ceased WO2020134711A1 (fr) 2018-12-29 2019-11-18 Appareil et procédé de transfert de message

Country Status (2)

Country Link
CN (1) CN111385278B (fr)
WO (1) WO2020134711A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111770118B (zh) * 2020-09-01 2020-11-24 华芯生物科技(武汉)有限公司 一种检测设备的数据传输方法
CN117424712A (zh) * 2022-07-11 2024-01-19 中兴通讯股份有限公司 访问控制方法、电子设备及存储介质

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014034119A1 (fr) * 2012-08-30 2014-03-06 Nec Corporation Système de commande d'accès, procédé de commande d'accès et programme
CN106209835A (zh) * 2016-07-08 2016-12-07 北京众享比特科技有限公司 对等网络通讯系统和方法
CN108200078A (zh) * 2018-01-18 2018-06-22 中国建设银行股份有限公司 签名认证工具的下载安装方法及终端设备

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101808097B (zh) * 2010-03-25 2013-07-10 杭州华三通信技术有限公司 一种防arp攻击方法和设备
CN103237020B (zh) * 2013-04-07 2016-08-17 杭州华三通信技术有限公司 避免状态机被攻击的方法及服务器、交换机
US9130887B2 (en) * 2013-10-31 2015-09-08 Palo Alto Research Center Incorporated Hash-based forwarding of packets with hierarchically structured variable-length identifiers over ethernet
CN103746770A (zh) * 2013-12-20 2014-04-23 浙江工业大学 基于消息认证码和概率密钥分发的防污染网络编码方法
CN108632197B (zh) * 2017-03-15 2021-03-05 华为技术有限公司 一种内容验证方法及设备

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014034119A1 (fr) * 2012-08-30 2014-03-06 Nec Corporation Système de commande d'accès, procédé de commande d'accès et programme
CN106209835A (zh) * 2016-07-08 2016-12-07 北京众享比特科技有限公司 对等网络通讯系统和方法
CN108200078A (zh) * 2018-01-18 2018-06-22 中国建设银行股份有限公司 签名认证工具的下载安装方法及终端设备

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LEE, M.: "Protocols for IP Network Security to Support Itf-N", HTTP://WWW.3GPP.ORG, 21 May 2004 (2004-05-21), DOI: 20200214184119A *

Also Published As

Publication number Publication date
CN111385278A (zh) 2020-07-07
CN111385278B (zh) 2021-11-30

Similar Documents

Publication Publication Date Title
JP6928143B2 (ja) 暗号化されたクライアントデバイスコンテキストを用いたネットワークアーキテクチャおよびセキュリティ
US11792046B2 (en) Method for generating forwarding information, controller, and service forwarding entity
CN110650076B (zh) Vxlan的实现方法,网络设备和通信系统
JP6882255B2 (ja) ネットワークセキュリティアーキテクチャ
US20230007022A1 (en) Method and Device for Preventing Replay Attack on Srv6 HMAC Verification
CN103812770B (zh) 云业务报文重定向的方法、系统和云网关
US20180139191A1 (en) Method, Device, and System for Processing VXLAN Packet
US9516061B2 (en) Smart virtual private network
CN103023778B (zh) 路由选路方法及装置
JP7124206B2 (ja) パケット処理方法およびゲートウェイ・デバイス
CN112152923B (zh) 用户面重路由方法及装置
US10911581B2 (en) Packet parsing method and device
CN104852891B (zh) 一种密钥生成的方法、设备及系统
WO2022237693A1 (fr) Procédé d'authentification de service nswo, et dispositif et support de stockage
CN107204924B (zh) 链路发现方法及装置
CN111245740A (zh) 配置业务的服务质量策略方法、装置和计算设备
US20210195418A1 (en) A technique for authenticating data transmitted over a cellular network
US20250007833A1 (en) Secure data routing with channel resiliency
US20200028777A1 (en) Sdn, method for forwarding packet by sdn, and apparatus
WO2020134711A1 (fr) Appareil et procédé de transfert de message
WO2012041168A1 (fr) Procédé de traitement pour une connexion à distance destinée à un réseau ipv6 et dispositif associé
CN113615249B (zh) 基于时延的对漫游事件的动态优先级排序
CN105610599B (zh) 用户数据管理方法及装置
CN104871497B (zh) 流表处理方法和装置
US11902087B2 (en) Forwarding fault location determining method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19905243

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19905243

Country of ref document: EP

Kind code of ref document: A1