CN101197662A - Method, network appliance and network system for generating safety associated key SAK - Google Patents
Method, network appliance and network system for generating safety associated key SAK Download PDFInfo
- Publication number
- CN101197662A CN101197662A CNA2006101621461A CN200610162146A CN101197662A CN 101197662 A CN101197662 A CN 101197662A CN A2006101621461 A CNA2006101621461 A CN A2006101621461A CN 200610162146 A CN200610162146 A CN 200610162146A CN 101197662 A CN101197662 A CN 101197662A
- Authority
- CN
- China
- Prior art keywords
- message
- maintenance
- maintenance association
- mkpdu
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Small-Scale Networks (AREA)
Abstract
The invention relates to the communication field and discloses a SAK generating method, network equipment and a network system. The method of the invention comprises the following steps that: a maintenance alliance node on a sending terminal sends a message with an MAC MKPDU to a maintenance alliance node inside the maintenance alliance; an MAC KaY corresponding to a maintenance node on a receiving terminal generates an SAK according to the KaY corresponding to the MKPDU and the maintenance node on the sending terminal. The invention realizes the flexible application of the MKP in the network.
Description
Technical field
The present invention relates to the communications field, relate to a kind of method, the network equipment, the network system that generates safety associated key SAK in the field of communication security especially.
Background technology
The safe practice of network link layer is the great research topic of network service; IEEE 802.1.ae task groups is studied this problem; propose to use MAC safety (Media Access Control Security is called for short MACsec) to protect the safety of double layered communication, take precautions against two layer attacks.This MACsec method is exactly MACsec entity (MAC Security Entity specifically, be called for short SecY) associated key safe in utilization (Secure Association Key, be called for short SAK), the data that will send are encrypted, receive SecY after receiving data, use identical key to decipher, thereby obtain data, guaranteed the confidentiality of data like this.Simultaneously, receive SecY by the checked for integrity check value, judge the data that receive and send the data consistent that SecY sends, guarantee the integrality of data, and correctness.
The MACsec that stipulates in agreement at present in IEEE 802.1.ae task groups is based on LAN's.Each SecY will carry out communication, just must belong to a safety and connect related (Secure ConnectivityAssociation, be called for short CA), each SecY among the same CA has identical security association master key (Secure Connectivity Association Key is called for short CAK).CAK can be a manual configuration, also can obtain from certificate server by after authenticating.Each SecY uses CAK to consult to produce a SAK, and SAK constantly changes to upgrade, and CAK then is changeless, even equipment is restarted, CAK also will remain unchanged.The continuous variation of SAK is upgraded, and has greatly improved safety of data.
Fig. 1 is media interviews control (the Media Access Control that is among the same shared medium LAN, abbreviation MAC) communication scheme of equipment, as shown, MAC device A, B, C, D are in together sharing among the medium LAN, accessing communication mutually between each equipment.Suppose that MAC device A, B, C belong to a CA, have identical SAK, MAC equipment D then forecloses, so as shown in Figure 2, obviously, the SecY on MAC device A, B, the C can carry out the MACsec secure communication, and MAC equipment D is because this SAK not, even caught the MACsec frame that A, B or C send, can not decipher.
SAK specifically is to use MAC safe key agreement protocol (MAC Key AgreementProtocol, be called for short MKP), interactive communication by key voting protocol data cell (MAC Key AgreementProtocol Data Units, be called for short MKPDU) produces.Be illustrated in figure 3 as the frame format schematic diagram of MKPDU, stipulate in agreement IEEE902.1af, the target MAC (Media Access Control) address of MKPDU frame (Destination Address) uses multicast address, makes that all the MAC equipment in the same LAN can both receive MKPDU.Bridge is not transmitted MKPDU, but filters out MKPDU, so just MKPDU is confined in the same LAN.Realized the MACsec safe key negotiation in the LAN.
Yet because existing MACsec technology is all at LAN, MKPDU is during through any bridge, to be filtered out by bridge, so MKPDU is limited in the LAN, key agreement also can only carry out at adjacent LA Management Room, so the range of application of MKP is subjected to great restriction.
Development along with the MAC safety communication technology, a kind of SAK negotiation method had been proposed afterwards, this method specifically is to have redefined a kind of EAPOL type of message (being designated as EAPOL-MKP message) in agreement IEEE.802.1af, thereby, place Extensible Authentication Protocol between local area network (LAN) (EAPOver LAN is called for short EAPOL) frame to carry realization MKPDU.But, the transmission scope of MKPDU just is decided by the transmission scope of EAPOL-MKP message like this, and port authentication entity (the Port Access Entity of the default employing of EAPOL 802.X, be called for short PAE) multicast address: 01-80-C2-00-03, this multicast address can only be by the MAC bridge, the VLAN bridge filters and delivers MAC safe key negotiation entities (MAC Security Key Agreement Entity, abbreviation KAY) carries out key agreement and generate SAK, so the corresponding meeting of MKPDU is by the MAC bridge, the VLAN bridge terminates, and is only limited between the MAC bridge MKP application or the network between the VLAN bridge.
In order further to enlarge the application of MKP, increased operator bridge address (Provider Bridge Address): 01-80-C2-00-08 in agreement 802.1af-D0.9, this address can be filtered and deliver corresponding KAY and carry out key agreement generation SAK by MAC bridge, VLAN bridge, operator's bridge (Provider Bridge) and provider backbone bridging (ProviderBackbone Bridge); In addition, in agreement 802.1af-D0.9, further increase link discovery multicast address (Link Layer DiscoveryProtocol multicast address), this address can be filtered and deliver corresponding KAY and carry out key agreement generation SAK by MAC bridge, VLAN bridge, operator's bridge, provider backbone bridging and dual-port relaying (Two-Port Media Access Control (MAC) Relay is called for short TPMR).Revised that agreement 802.1af-D0.9 can make that MKP can be applied between two operator's bridges, carried out between customer bridge and the operation Access Network and between the TPMR equipment adjacent with it.Expansion to a certain degree the range of application of MKP.
Therefore, the corresponding respectively spread scope of determining of three multicast address of above agreement regulation, can only select one of them destination address for use the multicast address from these three regulations (being respectively: PAE multicast address, operator bridge address, link discovery multicast address) of machinery in conjunction with the MKP range of application in actual applications as MKPDU.Therefore, corresponding M KP range of application can only be arbitrary among following three kinds of scopes: the first, when selecting the PAE multicast address for use, the MKP range of application is: between network in LAN or the MAC bridge or the network between the VLAN bridge; The second, when selecting operator bridge address for use, the MKP range of application is: between two operator's bridges, between customer bridge and the operation Access Network; The 3rd, when using the link discovery multicast address, the MKP range of application is: the network between the TPMR equipment adjacent with it.Though as seen this method can enlarge the range of application of MKP relatively,, can not satisfy the flexible deployment needs that MKP uses for the too mechanization of scope dictates that MKP uses.
Summary of the invention
The technical problem to be solved in the present invention provides a kind of method that generates safety associated key SAK, is implemented in and uses MKP in the network flexibly.
The technical problem to be solved in the present invention is that a kind of network equipment also is provided, and is implemented in and uses MKP in the network flexibly.
The technical problem to be solved in the present invention is that a kind of network system also is provided, and is implemented in and uses MKP in the network flexibly.
The method of the generation safety associated key SAK that invention provides comprises:
The Maintenance Association node of the Maintenance Association node of transmitting terminal in this Maintenance Association sends the message of carrying MAC safe key agreement protocol data cell MKPDU;
The MAC safe key negotiation entities KaY of the Maintenance Association node correspondence of receiving terminal consults to generate SAK according to the described MKPDU KaY corresponding with the Maintenance Association node of described transmitting terminal.
The network equipment that invention provides is the Maintenance Association node in the Maintenance Association of determining, comprising:
Transmitting element, the Maintenance Association node that is used in this Maintenance Association sends the message of carrying MAC safe key agreement protocol data cell MKPDU;
Receiving element is used to receive the message of carrying MKPDU that sends on the present networks equipment;
MAC safe key negotiation entities is used for the MKPDU that carries according to the message that described receiving element receives, and the MAC safe key negotiation entities corresponding with the Maintenance Association node of described message sending end consults to generate SAK.
The network system that invention provides comprises at least one Maintenance Association node, and described each Maintenance Association node respectively belongs to definite Maintenance Association,
Described each Maintenance Association node, the message of MAC safe key agreement protocol data cell MKPDU is carried in the Maintenance Association node transmission that is used in this Maintenance Association, and receives the message of carrying MKPDU that other Maintenance Association nodes in this Maintenance Association are sent;
Described network system also comprises:
Distinguish MAC safe key negotiation entities one to one with described each Maintenance Association node, be used for consulting to generate SAK according to the message of carrying MKPDU of the described Maintenance Association node KaY corresponding with the Maintenance Association node of described message sending end.
Therefore, because the embodiment of the invention is arranged to Maintenance Association node (Maintenance Association Point in the same MA with the MKP participant among the CA, be called for short MP), the MP of the MP of transmitting terminal in this MA sends the message of carrying MKPDU, make the transmission scope of MKPDU in the transmission scope of MA, in MA, carry out the mutual of MKPDU, generate CA and corresponding SAK.Thereby can utilize the characteristic that MA can dispose as required in the network, dispose CA flexibly, accordingly can be in network flexible Application MKP, realize that SAK consults flexibly.
Description of drawings
Fig. 1 is the communication scheme that is in the MAC equipment among the same LAN;
Fig. 2 is a MAC secure communication schematic diagram;
Fig. 3 is the frame format schematic diagram of MKPDU;
Fig. 4 is the schematic flow sheet of the method for the generation SAK in the embodiment of the invention 1;
Fig. 5 is the MD structural representation in the embodiment of the invention 1;
Fig. 6 is the MA structural representation in the embodiment of the invention 1;
The MA structural representation of Fig. 7 for seeing from user's angle in the embodiment of the invention 1;
Fig. 8 is that MD Level divides schematic diagram in the embodiment of the invention 1;
When Fig. 9 carried the message of MKPDU for the multicast address that uses CCM in the embodiment of the invention 1 sends, the network equipment was to the handling process schematic diagram of this message;
A kind of network equipment structural representation of Figure 10 for providing in the embodiment of the invention 2;
The another kind of network equipment structural representation of Figure 11 for providing in the embodiment of the invention 2;
The network architecture schematic diagram of Figure 12 for providing in the embodiment of the invention 3.
Embodiment
Maintenance Association (the Maintenance Association of the embodiment of the invention by utilizing Ethernet, abbreviation MA) characteristic, MKP participant among the CA is arranged to MP in the same MA, the MP of the MP of transmitting terminal in this MA sends the message of carrying MKPDU, make the transmission scope of MKPDU in the transmission scope of MA, in MA, carry out the mutual of MKPDU, generate CA and corresponding SAK.
In order to make those skilled in the art better understand the content of technical solution of the present invention, technical solution of the present invention is described in detail below in conjunction with accompanying drawing and embodiment.
Embodiment 1:
Fig. 4 is the schematic flow sheet of method of the generation SAK of present embodiment, and as shown, the present embodiment method may further comprise the steps:
Step 401: the MP of the MP of transmitting terminal in this MA sends the message of carrying MKPDU.
In Ethernet, operation and maintenance management (the Operation and Maintenance of Ethernet, abbreviation OAM) pith of function is a fault management, fault management be by regularly or the mode of manually setting out send the connectivity that continuity detect-message (Continuity Check Message is called for short CCM) is come detection network; Also provide simultaneously loopback message (Loopback Message is called for short LBM) and corresponding loopback response message (Loopback Reply is called for short LBR) to test connection fault between point-to-point; And follow the tracks of response message (Linktrace Reply is called for short LTR) by link trace message (Linktrace Message is called for short LTM) and corresponding link Ethernet is carried out fault location.
Network or certain part in the network that agreement 802.1ag regulation is involved with OAM(Operation Administration Maintenance) are called maintenance field (Maintenance Domain, be called for short MD), MD distinguishes by the MD title, the MD scope is by a series of territory Service Access Point (Domain Service Access Point, be called for short DSAP) define, the DSAP easily that wherein is positioned at MD provides connectivity services to the outside in territory, be specifically as follows certain port of bridge, simultaneously also may have an intermediary service access point (IntermediateService Access Point in MD inside, be called for short IPAP), IPAP is the intermediate node from a DSAP to another DSAP.Fig. 5 is the structural representation of a MD, shows as Fig. 5, and there are 5 bridge devices in this MD, and wherein the scope of zone 5 coverings of DSAP51, DSAP52, DSAP53, DSAP54, DSAP55, DSAP56 formation is the scope of MD, also has a plurality of ISAP in MD inside.
In MD, the alliance that sets up between the DSAP by the specified services example concerns, this alliance's relation is commonly referred to as Maintenance Association (Maitenance Association, be called for short MA), the corresponding MA of every Service Instance, each Service Instance identifies by ID, and a Service Instance is made up of a plurality of DSAP, and each MA identifies by unique MA name.Each DSAP and the ISAP that belong to MA are called as alliance's node (Maintenance Association Point, be called for short MP), the MP that is in the MA border is called Maintenance Association end points (Maintenance Association End Point, be called for short MEP), the MP of this MA inside is called Maintenance Association intermediate node (Maintenance Association IntermediatePoint, be called for short MIP), MEP is positioned at corresponding D SAP place, and MIP is positioned at corresponding ISAP place.
Fig. 6 is the MA structural representation, as shown in Figure 6, for MD as shown in Figure 5, DSAP51, DSAP53, DSAP55, DSAP56, ISAP57, ISAP58, ISAP559, ISAP510, ISAP512, ISAP513 are configured to the DSAP that certain user can use, thereby set up this user-dependent Service Instance and corresponding M A, and owing to DSAP52, DSAP54 are not used, so do not belong to this Service Instance and MA.See the MA that can obtain as shown in Figure 7 from user's angle, this MA60 is made of four MEP and 6 MIP of belonging to a Service Instance.
Another characteristics of the OAM of Ethernet are stratification, network layer according to the OAM place is divided into 8 grades with OAM, be called maintenance field grade (MD Level), and from application, according to more excellent scheme these 8 grades are distributed to respectively: user class connection management (Customer), service level connection management (Service), Virtual network operator level tube connector reason (Operator) and physical level connection management (Physical) wait the MA of each level.Promptly in Ethernet, each MA belongs to different MD Level.Table one is a kind of MD Level allocative decision of present embodiment suggestion.
Table one: MD Level allocation table
Distribution with reference to MD Level, when application MKP carries out the SAK negotiation in Ethernet, MKP participant among each CA is arranged to MP (MEP or MIP) among the MA, simultaneously, because MA belongs to specific MD Level in Ethernet, thereby make MA also corresponding with corresponding M D Level, the feasible corresponding high more CA of MD Level, the span that its MKPDU penetrates network is big more.Such as:
When if current MKP application need provides SAK to consult for each terminal use, make that SAK consults only to carry out in terminal use's side, be current CA need provide the service of a kind of CBN of penetrating, PBN, PBBN for the MKPDU that the terminal use consults in order to SAK the time, then each the MKP participant among the CA can be arranged to the user class connection management in each MEP point.
When if current MKP application need provides the SAK negotiation for being in user same service network (S-VLAN) in, making SAK only consult the network equipment side in same S-VLAN carries out, be the service that MKPDU that current CA need consult in order to SAK for the terminal use of same service network provides a kind of PBN of penetrating, PBBN, then the MKP participant among the CA can be arranged to each MEP among the MD Level of service level connection management.
When if current MKP application need provides SAK to consult respectively for each link between the terminal use in each LAN in the communication network and adjacent bridge and bridge that each is adjacent, be that SAK consults only to carry out between the neighbouring device in same LAN, SAK between each link consults separate, except by the MKP participant among the CA being arranged to each MEP mode in the physical link level tube connector reason realizes; Can also realize by the MKP participant among the CA being arranged to MP (MEP or MIP) among the MA (can belong to each MDLevel) and adjacent with it MP (MIP or MEP) mode.
The CA of She Zhiing according to actual needs belongs in the MA of each MP under this MP in the CA and belongs to other MP of current C A, sends the message of carrying MKPDU.Concrete which destination address that adopts CFM message (as: CCM, LTM, LBM etc.) can be determined according to actual needs, such as:
When if current MKP application need provides SAK to consult for each terminal use, be used to detect the multicast destination address of the CCM that connects fault in then can MA with reference to the MD Level that belongs to the user class connection management, the multicast address of this CCM is carried the destination address of the message of MKPDU as this, this message of carrying MKPDU is sent to each MEP in this MA, and making user's cascade take over each MEP among the MA of reason becomes MKP participant among this CA.
When if current MKP application need provides SAK to consult for being in user in the same S-VLAN, the purpose multicast address that then in like manner can corresponding reference belongs to the CCM in the MA of MD Level of service level connection management, with the multicast address of this CCM destination address as the message of carrying MKPDU, this message is sent to each MEP in this MA, is about to MD Level and is each MEP among the MA of service level connection management as the MKP participant among this CA.
When if current MKP application need provides SAK to consult respectively for each link between the terminal in each LAN in the communication network and adjacent bridge and bridge that each is adjacent, then both can be with reference to the purpose multicast address of the CCM in the MA of the MD Level that belongs to the physical level connection management, with the multicast address of this CCM destination address as the message of carrying MKPDU, this message is sent to each MEP in this MA, and the MEP that with MD Level is the two ends among the MA of physical level connection management is as the MKP participant among this CA; In addition, can also path topology be found and the multicast destination address of the LTM of fault location with reference to being used in any MD Level of the network layer at this CA place, with the destination address of this LTM multicast destination address as the message of carrying MKPDU, this message is sent on the MP adjacent with transmitting terminal MP that belongs in the same MA, with the adjacent MP among the MA in each MD Level as the MKP participant among this CA.
Certainly, if current MACsec need provide MACsec service for the communication between point-to-point, then corresponding, each transmitting terminal can be with reference to the mode of unicast of LBM, the address of opposite end is sent the destination address that this carries the message of MKPDU as destination address, adopt point-to-point communication mode to send to other interior MP of this MA.Make this transmission that this message is sent on the MP of opposite end.Promptly this two MP becomes the MKP participant among this CA.
Therefore, in each MA, use the multicast destination address of CCM, can satisfy most MKP application need.Therefore, present embodiment recommends to use the multicast address of CCM as carrying the destination address of the message of MKPDU.
General, in order to make SAK regularly to change, this carries the message of MKPDU our general periodic transmission.
Simultaneously, for can be so that present embodiment method and existing C FM compatibility mutually, present embodiment can adopt following method:
Use the basic structure of used connectivity fault management data cell (CFMPDU) to construct the message of carrying MKPDU.The frame format of CFMPDU is as shown in Table 2:
The frame format of table two: CFMPDU
Wherein, MD Level uses 3 bits to identify, be the version number of 5 bits afterwards, the message type information of a byte, the value of this type of message is specially CCM, LTR etc. (span of this type of message is distributed as shown in Table 3) in order to represent current CFMPDU, flag bit and concrete type of message are used in combination, and First TLV Offset represents the byte number that exists between first TLV among the CFMPDU and the First TLVOffset territory, and CFMPDU ends up with End TLV (0).
Table three: the span of type of message is distributed
| The CFMPDU type of message | The span of type of message |
| For agreement IEEE802.2.1 keeps | 0 |
| Continuity detect- |
1 |
| Loopback response message LBR | 2 |
| |
3 |
| Link trace response message LTR | 4 |
| Link |
5 |
| For agreement IEEE802.2.1 keeps | 6 to 31 |
| Define by agreement ITU-TY.1732 | 32 to 63 |
| For agreement IEEE802.2.1 keeps | 64 to 255 |
In order to make present embodiment method and existing C PM compatibility, adopt the frame structure of connectivity fault management message to make up the message that this carries MKPDU.Concrete mode is: type of message of redetermination, the type of message that carries the message of MKPDU is designated as: CFM-MKP, for this type of message distributes a value of message types separately, such as value of message types: 0x10 being used for identifying this information for having carried MKPDU, so that receiving terminal is according to this message, the MKP that this message is carried delivers to corresponding KaY, is handled through consultation accordingly to generate SAK by this KaY.A kind of frame format of carrying the message of MKPDU of recommending as shown in Table 4 for present embodiment.
Table four: the frame format of carrying the message of MKPDU
Wherein, X can be the parameter to be expanded of message, n is the byte number of MKPDU, the particular content of MKPDU can be with reference to the information content relevant with MKP that does not comprise destination address and source address in the MKPDU frame of the prior art shown in Figure 3, below specifically introduces each parameter information and effect in the MKPDU:
As shown in Figure 3, MKP protocol type (MKP Ether Type) is to be used for identifying the MKP agreement; Version is the version number of MKP; Ensuing one group of up-to-date pass chain store effectively identifies is, up-to-date pass chain store LAN, send and use sign tx, receive and use sign rx to be used for representing up-to-date key information, is represents whether up-to-date key information is arranged in the MKPDU, if be true, the LAN of back (Latest AssociationNumber then, up-to-date pass chain store), LKI (Latest Key Identifier, up-to-date key identification), LLPNLLPN (Latest Lowest acceptable Packet Number, up-to-date minimum receives Bale No.) meaningful, LAN is the pass chain store AN of up-to-date key SAK correspondence, tx is that true respresentation uses up-to-date SAK to encrypt the transmission data, for vacation is not then used, rx deciphers the transmission data for very then using up-to-date SAK, for vacation is not then used; Ensuing up-to-date pass chain store effectively identifies is, up-to-date pass chain store OAN (the old pass of Old AssociationNumber chain store), sends and use sign tx, reception to use sign rx to represent the information of old key, if is is true, then the OAN of back, OKI (the old key identification of Old Key Identifier), OLPN (the old minimum of OldLowest acceptable Packet Number receives Bale No.) are meaningful, and OAN is the associated characters AN of old key SAK correspondence.Because in a SC, SAK requires constantly to change, so a SC need safeguard Geju City SAK, when a new SAK has installed when bringing into use, old SAK also must keep, and also is present at present among the reception buffering buffer, perhaps also on network because may use old SAK to encrypt the encrypted frame of sending, keep old SAK, just can use it to decipher these frames.CKI is the safety connection incident master key as well sign, and it is used for distinguishing a CA.SCI is the safe lane sign.It is a random number that the member identifies MI, is used for identifying a MKP participant, and it is unique in a CA, if MKP participant's MI itself and others' conflict then can regenerate one.MN is a message number, and it is since 1, and MKPDU of every transmission just adds up 1, and when MI changed, it reset to 1, and when MN overflowed, MI can change.Each MKP participant has the MI/MN of oneself, except the MI/MN of oneself, it also will safeguard the MI/MN of opposite end, if finding MKP participant has and own identical CAK, then the MI/MN of opposite end is put into Live peer list, do not have and own identical CAK if also prove opposite end MKP participant, then the MI/MN of opposite end is put into potential peerlist.When MKP participant sent MKPDU, the MI/MN of oneself, and all MI/MN put into MKPDU and send among Live peer list, the potential peer list, and use the CMAC pattern of Advanced Encryption Standard AES to calculate ICV:
ICV=AES-CMAC(K,M,128);
Wherein M begins all bytes till the ICV from target MAC (Media Access Control) address; K generates by the code book pattern ECB of AES, and K=AES-ECB (CAK, 0X1).
As seen, the ICV value is to use CAK to generate, and reception MKP participant must have identical CAK and just can carry out verification.
Accordingly, receive MKP participant and can take same algorithm, all bytes that begin from target MAC (Media Access Control) address till the ICV are carried out identical calculating, think if the ICV value is identical that MKPDU is not held to change; If send the different CAK that MKP participant uses, if MKPDU completeness check success, then receive MKP participant and in the local Live peer list, the local potential peer list that oneself safeguard, search the MI that sends MKP participant among the MKPDU, if do not find, then the MI/MN that sends MKP participant is put into local potential peer list; If find, then whether the MN that compares in the MKPDU is bigger than the MN of local record, if greatly then upgrade local record, if MN is less than or equal to the MN of local record in the MKPDU, show that then this MKPDU is the frame of incorrect order or Replay Attack, directly abandon that verification simultaneously also can be failed, the failure of MKPDU completeness check then directly abandons, and is not for further processing.
Among the MKPDU except carrying the MI/MN that sends MKP participant oneself, also carry and send the Live peer list that MKP participant safeguards, all MI/MN among the potential peer list, receive the MI that searches oneself in MKP participant's these two tabulations in MKPDU, if find, then prove and oneself once sent MKPDU to the opposite end, and correct verification can be carried out in the opposite end, illustrate that the opposite end has and own identical CAK, so receiving MKP participant just puts into MKP participant's MI/MN among the local Live peer list of oneself, if sending MKP participant's MI exists in local Livepeer list, then only upgrade MN, if sending MKP participant's MI exists in local potential peer list, then this record is moved on among the local Live peer list, upgrade MN simultaneously, delete the record of local potential peer list.
Key material KC is a more important territory in the MKPDU, and it produces a random number as KC when a MKP participant generates.
When using MKPDU to consult with generation SAK, no matter adopt computing method or distribution method, be divided in the same MA in the current C A each MP all the MP in other get this CA send the message of carrying MKPDU, receive the MKPDU that other MKP participants send simultaneously, obtain other all MKP participants the most at last and send over ground MKPDU so be in MKP participant in the same CA.
What deserves to be explained is, except using the present embodiment method, adopt outside above-mentioned directly the method for a value of message types of the special definition of the message of carrying MKPDU, also can adopt existing message, carry MKPDU such as CCM message, adopt a kind of method in back, message of the common use of the information of two kinds of communication protocols is transmitted, help reducing accordingly the message transmission quantity of network.
Step 402: the KaY of the MP correspondence of receiving terminal consults to generate SAK according to the MKPDU KaY corresponding with the MP of transmitting terminal.
After this message of carrying MKPDU is sent from the MP of transmitting terminal, arrive the receiving terminal MP of the destination address correspondence of this message, if this carries the frame format shown in the message employing table four of MKPDU, then the MP of receiving terminal reads the value of type of message, comprise MKPDU if the value of this type of message identifies this message, then read the MKPDU in this message, and this MKPDU is delivered corresponding KaY, by computing method or the distribution method of this KaY with reference to prior art, the KaY corresponding with transmitting terminal MP consults to generate SAK; Otherwise, carry out other corresponding processing according to the value of type of message.
If current negotiation generates SAK and adopts computing method, the KaY that respectively receives this message extracts KC from received MKPDU, and all KC are conspired to create a big random number M according to the size order of sender's MI, use the CMAC pattern of Advanced Encryption Standard AES to calculate SAK:
SAK=AES-CMAC(K,M,128)。
The big random number of M wherein for all KC are conspired to create according to the size order of sender's MI, K generates by the code book pattern of AES, K=AES-ECB (CAK, 0X2).
When each MKP participant has identical CAK, M, so the SAK that each MKP participant calculates is identical, when certain MKP participant wants to apply for new SAK, it only needs to change the KC of oneself, all MKP participants will recomputate SAK, a SAK uses a key identification KI to identify, and KI is the XOR value of all KC.
If current negotiation generates SAK and adopts the distribution method, also need in this CA, choose a MP as key server.Each MP (MKP participant) is after receiving the message of carrying MKPDU that other MP (MKP participant) sends over, this MKPDU is delivered corresponding KaY, extract this MKPDU by this KaY, the KC of the MP of the transmitting terminal among MI of oneself and the MKPDU is carried out XOR or other calculate the back as KI, and select a random number as SAK, use KEK that SAK is encrypted, wherein KEK can use the code book pattern ECB of AES to calculate:
KEK=AES-ECB(CAK,0X0);
SAK and KI after this KaY (corresponding MP) that is chosen for key server will encrypt put into the message of carrying MKPDU, send to each MP in this CA, the message of carrying MKPDU that each MP sends according to the MP that is chosen for key server, extract MKPDU, and use KEK to be decrypted and obtain SAK.
From easy to use, applied widely, present embodiment recommends to use the multicast destination address of CCM as carrying the destination address of the message of MKPDU, below be example with the multicast address that uses CCM as the message of carrying MKPDU, labor is carried out in the concrete processing in this message transmitting procedure:
Shown in Figure 9, be the Message Processing schematic flow sheet, as shown, flow process comprises:
Step 901: the MEP of transmitting terminal adopts the multicast address of CCM, and the MEP in this MA sends the message of carrying MKPDU.
This step is described with the appropriate section in the step 401.
Step 902: whether the node that this message arrives is MEP, if execution in step 903, otherwise execution in step 906 are transmitted this message.
Step 903: the MEP that receives this message judges the relation of the affiliated MD LEVEL of MEP of the transmitting terminal that MD LEVEL and the message under this MEP is comprised, if the MDLEVEL under this MEP is higher than the affiliated MD LEVEL of the MEP of transmitting terminal, then execution in step 905, abandon this message; Otherwise, execution in step 904.
Step 904: if the MD LEVEL under this MEP is lower than the affiliated MDLEVEL of the MEP of transmitting terminal, then execution in step 906; Otherwise the MD LEVEL under this MEP equals the affiliated MD LEVEL of MEP of transmitting terminal, execution in step 907.
Step 905: abandon this message.
According to the division of MD Level shown in Figure 8 as seen, the MA span that MD Level is high more is big more, if the MD LEVEL under the MP that this message arrives is higher than the affiliated MD LEVEL of the MP of transmitting terminal, the MEP of the corresponding MD Level that obvious this message will reach can not be in follow-up network, so abandon this message, and stop continuing to transmit this message, avoid causing redundancy message too much in the network.In Fig. 8, bridge device 802, bridge device 803, bridge device 805, bridge device 805 respectively have two MP, and terminal 801, terminal 806 respectively have a MEP.
Step 906: transmit this message.
If receive the node of this message and be non-MP point or be the MIP in certain MA, node is not handled this message, and transmits according to the destination address of message.
Step 907: the KaY of the MEP correspondence of receiving terminal consults to generate SAK according to the MKPDU KaY corresponding with transmitting terminal MEP.
If the receiving node of this message is MEP, and, MD Level under the MEP of the transmitting terminal that comprises in the MD Level under this MEP and the message is consistent, and then this MEP delivers this MKPDU to corresponding KaY, by this KaY KaY negotiation generation SAK corresponding with transmitting terminal MEP according to MKPDU.Concrete and step 402 in like manner.
Embodiment 2:
Figure 10 is the network equipment structural representation of present embodiment, shows as Figure 10, and this network equipment is the Maintenance Association node of the MA that belongs to definite, and this Maintenance Association node is designated as Maintenance Association node 101, and this Maintenance Association node both can be MEP, also can be MIP.
General, store the attribute information of present networks equipment on the network equipment, such as: the information such as maintenance field level that the Maintenance Association that Maintenance Association node 101 belongs to, this Maintenance Association belong to, we are designated as the memory module of the attribute information of this storage networking device at this: network equipment property store unit 108.
Transmitting element 102 is used for according to network equipment property store unit 108 canned datas, and the MP of (to call this MA in the following text) sends the message of carrying MKPDU in Maintenance Association node 101 same MA.
When setting up CA between need be in this MA adjacent each MP (comprising alliance's node 101) with alliance's node 101, transmitting element 102 can also use the multicast address of unicast address or LTM, and other Maintenance Association nodes adjacent with Maintenance Association node 101 send described this and carry the message of MKPDU in this MA.
In addition, when Maintenance Association node 101 when being MEP, and need use between to the MEP in this MA that MKP consults to generate SAK and when setting up CA, transmitting element 102 can adopt the multicast address of CCM, other MEP in this MA send the message that this carries MKPDU.
Concrete multicast address or the unicast address that adopts CCM, LTM determines that according to actual needs selection scheme is referring to the specific descriptions in the step 401 among the embodiment in detail.
Receiving element 103 is used to receive the message of carrying MKPDU that sends on the present networks equipment.
MAC safe key negotiation entities 104 is used for the MKPDU that carries according to the message that described receiving element receives, and the KaY corresponding with the Maintenance Association node of described message sending end consults to generate SAK.
When the transmitting terminal of this information of MA message identification that comprises when the message that receives belonged to a MA together with Maintenance Association node 101, the MKPDU that the message that receives according to receiving element 103 is carried consulted generation SAK with the corresponding KaYMP of described transmitting terminal.The concrete negotiation of MAC safe key negotiation entities 104 generates the corresponding description of the method for SAK referring to embodiment 1.
For the ability of the support MACsec of the network equipment that further improves present embodiment, as shown in figure 11, the network equipment can also comprise:
Message coding unit 107 is used to generate the message of the described MKPDU of carrying for transmitting element 102 transmissions.This message coding unit 107 both can be used to adopt the frame structure of connectivity fault management message, encapsulated described message of carrying MKPDU; Simultaneously, message coding unit 107 can also make value identify described message and whether comprise MKPDU by the value that the message type information territory of described connectivity fault management message is carried out; Message coding unit 107 conveniently sets out based on using, and also is used for the address of the connectivity fault management message destination address as the message of the described MKPDU of carrying.Certain, also can adopt other mode in CFM message, to identify this CFM message and carry MKPDU, perhaps adopt other mode to generate the message that this carries MKPDU.Message coding unit simultaneously 107 adopts the multicast destination address of CCM, LTM or unicast address specifically to determine according to reality as the destination address that this carries the message of MKPDU.
Maintenance field level judging unit 105 is used for the maintenance field hierarchical information according to network equipment property store unit 108 storage, determines the relation of the MD Level that maintenance field level that message that receiving element 103 receives comprises and Maintenance Association node 101 are affiliated.
Retransmission unit 106 is used for the definite result according to maintenance field level judging unit 105, transmits the message that receiving element 103 receives.
When Maintenance Association node 101 is MIP, when MD Level under the MP of the transmitting terminal that the message that retransmission unit 106 receives when maintenance field level judging unit 105 definite receiving elements 103 comprises and the MD Level under the Maintenance Association node 101 are inconsistent, transmit the message of receiving element 103 receptions.
When the Maintenance Association node is MEP, when the MD Level of retransmission unit 106 under maintenance field level judging unit is determined the MP of the transmitting terminal that message that receiving element 103 receives comprises is higher than MD Level under the Maintenance Association node 101, transmit the message that receiving element 103 receives.
Embodiment 3:
Figure 12 is a present embodiment network architecture schematic diagram, as shown, native system comprises at least one Maintenance Association node, see Maintenance Association node 121 among the figure, Maintenance Association node 122, Maintenance Association node 123, wherein, each Maintenance Association node respectively belongs to definite Maintenance Association, suppose that Maintenance Association node 121 Maintenance Association nodes 122, Maintenance Association node 123 all belong to Maintenance Association 1.
Each Maintenance Association node, have Maintenance Association node in this Maintenance Association and send and to carry the message of MAC safe key agreement protocol data cell MKPDU, and the function that receives the message of carrying MKPDU that other Maintenance Association nodes in this Maintenance Association are sent.Can either send this to the Maintenance Association node 122 in the Maintenance Association 1, Maintenance Association node 123 such as Maintenance Association node 121 and carry the message of MKPDU, can receive the message of carrying MKPDU that sends from the Maintenance Association node 122 in the Maintenance Association 1, Maintenance Association node 123 again.Concrete transmission and method of reseptance are referring to describing among the embodiment 1,2.
Distinguish a corresponding one by one MAC safe key negotiation entities (as shown with described each Maintenance Association node, the corresponding MAC safe key of Maintenance Association node negotiation entities 1211,121 Maintenance Association nodes 122 corresponding MAC safe key negotiation entities 1221, Maintenance Association node 123 corresponding MAC safe key negotiation entities 1231)
Each MAC safe key negotiation entities is used for consulting to generate SAK according to the message of carrying MKPDU that receives between the corresponding Maintenance Association node KaY corresponding with the Maintenance Association node of described message sending end.Receive the message of carrying MKPDU of Maintenance Association node 122,123 transmissions of Maintenance Association node according to Maintenance Association node 121 such as MAC safe key negotiation entities 1211, carry out MKP with MAC safe key negotiation entities 1212, MAC safe key negotiation entities 1213 and consult, to generate SAK.Concrete SAK machinery of consultation is referring to the associated description among the embodiment 1.
In the practical application, the communication system of present embodiment can be made up of the network equipment among the embodiment 2.
More than a kind of method, the network equipment, network system that generates safety associated key SAK that the embodiment of the invention is provided be described in detail, used specific case herein the principle and the execution mode of the embodiment of the invention are set forth, the explanation of above embodiment just is used to help to understand the method and the core concept thereof of the embodiment of the invention; Simultaneously, for one of ordinary skill in the art, according to the thought of the embodiment of the invention, the part that all can change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.
Claims (15)
1. a method that generates safety associated key SAK is characterized in that, comprising:
The Maintenance Association node of the Maintenance Association node of transmitting terminal in this Maintenance Association sends the message of carrying MAC safe key agreement protocol data cell MKPDU;
The MAC safe key negotiation entities KaY of the Maintenance Association node correspondence of receiving terminal consults to generate SAK according to the described MKPDU KaY corresponding with the Maintenance Association node of described transmitting terminal.
2. method according to claim 1 is characterized in that, described message of carrying MKPDU adopts the frame structure of connectivity fault management message.
3. method according to claim 2 is characterized in that, described connectivity fault management message comprises message type information, and the value by described message type information identifies described message and comprises described MKPDU.
4. according to claim 1,2 or 3 described methods, it is characterized in that, the Maintenance Association node of described transmitting terminal with the address of connectivity fault management message as the described destination address that carries the message of MKPDU.
5. according to claim 1,2 or 3 described methods, it is characterized in that the Maintenance Association node of described transmitting terminal is the Maintenance Association end points, described Maintenance Association end points is the Maintenance Association of other in this Maintenance Association end points specifically, sends described message of carrying MKPDU.
6. method according to claim 5 is characterized in that, the message of the described MKPDU of carrying further comprises the affiliated maintenance field hierarchical information of Maintenance Association end points of described transmitting terminal,
After the Maintenance Association end points of described transmitting terminal sent described message of carrying MKPDU, the KaY of described receiving terminal and the KaY of described transmitting terminal generated before the described SAK, further comprise:
The Maintenance Association end points that described message arrives judges whether the maintenance field level under this Maintenance Association end points is higher than the affiliated maintenance field level of Maintenance Association end points of described transmitting terminal, if then abandon described message;
The Maintenance Association end points that described message arrives judges whether the maintenance field level under this Maintenance Association end points is lower than the affiliated maintenance field level of Maintenance Association end points of described transmitting terminal, if then abandon described message.
7. according to claim 1,2 or 3 described methods, it is characterized in that the Maintenance Association node of described transmitting terminal specifically is to the Maintenance Association node adjacent with this Maintenance Association node, sends described message of carrying MKPDU.
8. network equipment, the described network equipment is characterized in that for the Maintenance Association node in the Maintenance Association of determining, comprising:
Transmitting element, the Maintenance Association node that is used in this Maintenance Association sends the message of carrying MAC safe key agreement protocol data cell MKPDU;
Receiving element is used to receive the message of carrying MKPDU that sends on the present networks equipment;
MAC safe key negotiation entities is used for the MKPDU that carries according to the message that described receiving element receives, and the MAC safe key negotiation entities corresponding with the Maintenance Association node of described message sending end consults to generate SAK.
9. method according to claim 8 is characterized in that, the described network equipment further comprises:
The message coding unit is used to adopt the frame structure of connectivity fault management message, encapsulates described message of carrying MKPDU;
Described transmitting element specifically is used to send the message of described message coding unit package.
10. method according to claim 9 is characterized in that, described message coding unit also is used for value that the message type information territory of described connectivity fault management message is carried out, whether comprises MKPDU to identify described message.
11. according to Claim 8,9 or 10 described methods, it is characterized in that described message coding unit also is used for the address of the connectivity fault management message destination address as the message of the described MKPDU of carrying.
12. according to Claim 8, the 9 or 10 described network equipments, it is characterized in that,
Described Maintenance Association node is the Maintenance Association end points;
Described transmitting element specifically is used for the message of the described MKPDU of carrying of Maintenance Association end points transmission in this Maintenance Association.
13. according to Claim 8, the 9 or 10 described network equipments, it is characterized in that the described Maintenance Association of safeguarding belongs to definite maintenance field level, described Maintenance Association node is the Maintenance Association intermediate node, and described Maintenance Association node also comprises:
Maintenance field level judging unit is used for determining that message that described receiving element receives comprises the relation of the affiliated maintenance field level of maintenance field level and this Maintenance Association node under the Maintenance Association node of transmitting terminal;
Retransmission unit when being used for maintenance field level under maintenance field level judging unit is determined the Maintenance Association node of the transmitting terminal that described message comprises for the maintenance field level under this Maintenance Association node, is transmitted described message.
14. according to Claim 8, the 9 or 10 described network equipments, it is characterized in that described Maintenance Association belongs to definite maintenance field level, described Maintenance Association node is the Maintenance Association end points, and described Maintenance Association node also comprises:
Maintenance field level judging unit is used for determining the relation of the maintenance field level that maintenance field level and this Maintenance Association node under the Maintenance Association node of the transmitting terminal that message that described receiving element receives comprises is affiliated;
Retransmission unit when being used for maintenance field level under maintenance field level judging unit is determined the Maintenance Association node of the transmitting terminal that described message comprises and being lower than maintenance field level under this Maintenance Association node, is transmitted described message.
15. a network system, described network system comprise at least one Maintenance Association node, described each Maintenance Association node respectively belongs to definite Maintenance Association, it is characterized in that,
Described each Maintenance Association node, the message of MAC safe key agreement protocol data cell MKPDU is carried in the Maintenance Association node transmission that is used in this Maintenance Association, and receives the message of carrying MKPDU that other Maintenance Association nodes in this Maintenance Association are sent;
Described network system also comprises:
Distinguish MAC safe key negotiation entities one to one with described each Maintenance Association node, the message of the carrying MKPDU KaY corresponding with the Maintenance Association node of described message sending end that is used for receiving according to described Maintenance Association node consults to generate SAK.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006101621461A CN101197662B (en) | 2006-12-06 | 2006-12-06 | Method, network appliance and network system for generating safety associated key SAK |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006101621461A CN101197662B (en) | 2006-12-06 | 2006-12-06 | Method, network appliance and network system for generating safety associated key SAK |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101197662A true CN101197662A (en) | 2008-06-11 |
| CN101197662B CN101197662B (en) | 2010-08-18 |
Family
ID=39547832
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2006101621461A Expired - Fee Related CN101197662B (en) | 2006-12-06 | 2006-12-06 | Method, network appliance and network system for generating safety associated key SAK |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101197662B (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
| CN103475465B (en) * | 2013-09-10 | 2017-02-08 | 杭州华三通信技术有限公司 | MACsec key update method and device in ISSU process |
| CN107769914A (en) * | 2016-08-17 | 2018-03-06 | 华为技术有限公司 | Protect the method and the network equipment of data transmission security |
| CN109587030A (en) * | 2018-12-03 | 2019-04-05 | 盛科网络(苏州)有限公司 | Safeguard the lookup method and device, storage medium of endpoint MEP |
| CN114760093A (en) * | 2022-03-07 | 2022-07-15 | 新华三技术有限公司合肥分公司 | Communication method and device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100382501C (en) * | 2005-04-15 | 2008-04-16 | 华为技术有限公司 | Three-layer VPN operation maintenance system and method in communication network |
-
2006
- 2006-12-06 CN CN2006101621461A patent/CN101197662B/en not_active Expired - Fee Related
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
| CN103209072B (en) * | 2013-04-27 | 2017-08-22 | 新华三技术有限公司 | A kind of MACsec key updating methods and equipment |
| CN103475465B (en) * | 2013-09-10 | 2017-02-08 | 杭州华三通信技术有限公司 | MACsec key update method and device in ISSU process |
| CN107769914A (en) * | 2016-08-17 | 2018-03-06 | 华为技术有限公司 | Protect the method and the network equipment of data transmission security |
| CN107769914B (en) * | 2016-08-17 | 2021-02-12 | 华为技术有限公司 | Method and network device for protecting data transmission security |
| US11146952B2 (en) | 2016-08-17 | 2021-10-12 | Huawei Technologies Co., Ltd. | Data transmission security protection method and network device |
| CN109587030A (en) * | 2018-12-03 | 2019-04-05 | 盛科网络(苏州)有限公司 | Safeguard the lookup method and device, storage medium of endpoint MEP |
| WO2020114230A1 (en) * | 2018-12-03 | 2020-06-11 | 盛科网络(苏州)有限公司 | Method and apparatus for searching for maintenance end point (mep), and storage medium |
| US11695639B2 (en) | 2018-12-03 | 2023-07-04 | Suzhou Centec Communications Co., Ltd. | Method and apparatus for searching for maintenance end point (MEP), and storage medium |
| CN114760093A (en) * | 2022-03-07 | 2022-07-15 | 新华三技术有限公司合肥分公司 | Communication method and device |
| CN114760093B (en) * | 2022-03-07 | 2024-02-09 | 新华三技术有限公司合肥分公司 | Communication method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101197662B (en) | 2010-08-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101141241B (en) | Method and network appliance for implementing MAC safety | |
| CN103236941B (en) | A kind of link discovery method and device | |
| CN102137173B (en) | Routing information distributing method, equipment, virtual special network system | |
| US9154330B2 (en) | Method and device of link aggregation and method and system for transceiving MAC frames | |
| KR100594153B1 (en) | Formation of Logical Link and Its Secure Communication Method in Network of Point-to-Manage Topology | |
| US20120066764A1 (en) | Method and apparatus for enhancing security in a zigbee wireless communication protocol | |
| CN112367163B (en) | Quantum network virtualization method and device | |
| CN105554907A (en) | General method for configuring WiFi device to make same to connect WiFi router | |
| CN101197662B (en) | Method, network appliance and network system for generating safety associated key SAK | |
| CN110690962B (en) | Application method and device of service node | |
| CN110048986B (en) | Method and device for ensuring ring network protocol operation safety | |
| US9647876B2 (en) | Linked identifiers for multiple domains | |
| CN110690960A (en) | Routing service method and device of relay node | |
| CN100563148C (en) | The MAC secure network communication method and the network equipment | |
| CN112291072B (en) | Secure video communication method, device, equipment and medium based on management plane protocol | |
| Geng et al. | A software defined networking-oriented security scheme for vehicle networks | |
| US8200970B2 (en) | Method and apparatus for preventing replay attack in wireless network environment | |
| CN115277200B (en) | Multi-node key auto-negotiation management method for link layer transparent encryption system | |
| CN115473729A (en) | Data transmission method, gateway, SDN controller and storage medium | |
| Walid et al. | Trust security mechanism for maritime wireless sensor networks | |
| CN102487386B (en) | The blocking-up method of identity position separation network and system | |
| Parmar et al. | Secure data aggregation protocol using AES in wireless sensor network | |
| CN112839009B (en) | Method, device and system for processing message | |
| Beyah et al. | Security in Ad-hoc and Sensor Networks | |
| Paek et al. | Energy-Efficient Key-Management (EEKM) Protocol for Large-Scale Distributed Sensor Networks. |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20100818 Termination date: 20181206 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |