CN102469063A - Routing protocol security alliance management method, device and system - Google Patents


Info

Publication number: CN102469063A
Authority: CN (China)
Prior art keywords: security association, routing protocol, protocol security, proxy module, network element
Legal status: Granted (expired, fee related)
Application number: CN201010531229XA
Other languages: Chinese (zh)
Other versions: CN102469063B (en)
Inventors: 梁小萍, 王鸿彦, 韦银星
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Classification: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a routing protocol security association management method comprising the following steps: a proxy module for negotiating routing protocol security associations is provided in a network element; the network element provided with the proxy module and the negotiation initiator of the routing protocol security association establish a security association; under the protection of the established security association, the network element provided with the proxy module and the negotiation initiator negotiate the routing protocol security association; and the network element provided with the proxy module sends the negotiated routing protocol security association over a preset or established secure channel. The invention also discloses a routing protocol security association management device and a routing protocol security association management system. With the invention, routing protocol unicast and multicast security associations can be negotiated, updated and managed, which solves the problems that routing protocol security associations can only be configured manually and carry large potential security risks, so that routing information is transmitted more safely and reliably.

Description

Routing protocol security association management method, apparatus and system
Technical field
The present invention relates to routing protocol security association management technology, and in particular to a routing protocol security association management method, apparatus and system.
Background art
With the continuous expansion of computer networks and the rapid development of large-scale internetworks such as the Internet, routing has gradually become a key technology in networking, and the router has become the most important network device. Users' demand for high-speed transfer of network data keeps driving the development of routing technology: people are no longer content to share information only within a local network, and hope to make the fullest use of every kind of network resource in every region of the world. In today's network technology, any computer network of a certain scale (an enterprise network, campus network, intelligent building network, etc.) cannot do without routers. A router works at layer 3 of the Open System Interconnection (OSI) model, the network layer. Routers use the IP addresses defined at the network layer to distinguish between networks, implement the interconnection and isolation of networks, and maintain the independence of each network. A router does not forward broadcast packets; it confines broadcasts within each network. Data sent to another network is first sent to the router and then forwarded by the router.
For a router to be able to forward IP packets, routers usually need to exchange routing information with one another. A router builds the network topology from the routing information it receives, so that it can forward IP packets correctly. The protocol by which routers exchange routing information is called a routing protocol. Routing protocols are fundamental protocols of the Internet, and whether the routing information exchanged between routers is correct directly determines whether routing succeeds. However, the Internet is an open network, and there are always many attackers in it. These attackers may attempt to modify the routing information exchanged by a routing protocol, or to issue stale routing information to routers, so that a router that receives wrong routing information cannot forward IP packets normally.
To guarantee the correctness of the exchanged routing information, integrity protection must be provided for routing protocols. Nearly all existing routing protocols provide a security mechanism of this kind; for example, RIPv2 (Routing Information Protocol version 2), OSPFv2 (Open Shortest Path First version 2), IS-IS (Intermediate System-to-Intermediate System), BFD (Bidirectional Forwarding Detection) and BGP (Border Gateway Protocol) use a message authentication code to protect the integrity of routing protocol messages. The secret material from which the message authentication code is generated is defined by a security association, and the security association is usually configured manually. A security association is a set of keying material used to provide security services. A routing protocol security association comprises: a Key ID identifying the security association; an Authentication Algorithm identifying the keyed algorithm that generates the message authentication code; an Authentication Key holding the key used to generate the message authentication code; a Sequence Number used to prevent replay attacks; a Life Time identifying the lifetime; and so on.
Manually configured security associations have many problems; in particular, when the network is very large, updating security associations by hand is not only slow but also error-prone. In general, a security association needs to be updated in the following situations: when the staff administering the routers change, security considerations usually require the security association to be updated; every key has a life cycle, and when it expires the key needs to be updated; and multiple keys cannot be used well, so when a user wishes to use a new cryptographic algorithm the security association likewise needs to be updated.
IKEv2 is the security association negotiation protocol provided for the IP-layer data security transmission mechanism (IPsec) of Internet Protocol version 6 (IPv6); it also supports Internet Protocol version 4 (IPv4). The IKEv2 security association negotiation process can involve four types of exchange in all: the IKE_SA_INIT exchange, the IKE_AUTH exchange, the CREATE_CHILD_SA exchange and the INFORMATIONAL exchange.
An exchange in IKEv2 consists of a request and a response and takes place between two network peers; the peer that initiates the request is called the Initiator (usually denoted i) and the peer that responds is called the Responder (usually denoted r). The IKE_SA_INIT exchange negotiates cryptographic algorithms, performs a Diffie-Hellman (D-H) exchange, exchanges nonces, and so on; that is, the two peers negotiate the security parameters that generate the IKE_SA, which provides a secure channel for the exchanges that follow. The IKE_AUTH exchange authenticates the identities of the peers and negotiates the first CHILD_SA, which provides a security association for the IPsec Encapsulating Security Payload (ESP) and/or Authentication Header (AH). The CREATE_CHILD_SA exchange is used to generate further CHILD_SAs, to update the security associations generated by the exchanges above, or for use by ESP and/or AH. The INFORMATIONAL exchange carries control information, including error reports and event notifications.
However, IKEv2 does not provide negotiation and generation of security associations for routing protocols: because the content of a routing protocol security association differs from that of an ESP or AH security association, IKEv2 cannot be used directly to negotiate security associations for a routing protocol. In addition, IKEv2 provides only an end-to-end (also called point-to-point, or unicast) security association negotiation mechanism, and cannot provide security associations for the multicast mechanism that routing protocols use. Therefore IKEv2 can provide neither unicast nor multicast security associations for routing protocols.
Summary of the invention
In view of this, the main object of the present invention is to provide a routing protocol security association management method, apparatus and system, so that network elements in a network can automatically determine routing protocol security associations between network elements, or between multicast network elements, in unicast or multicast scenarios.
To achieve the above object, the technical solution of the present invention is implemented as follows.
A routing protocol security association management method, in which a proxy module for negotiating routing protocol security associations is provided in a network element; the method further comprises:
the network element provided with the proxy module and the negotiation initiator of the routing protocol security association establish a security association;
under the protection of the established security association, the network element provided with the proxy module and the negotiation initiator of the routing protocol security association negotiate the routing protocol security association;
the network element provided with the proxy module sends the negotiated routing protocol security association over a preset or established secure channel.
Preferably, the method further comprises:
after the network element provided with the proxy module and the negotiation initiator of the routing protocol security association have established the security association, performing authentication.
Preferably, the method further comprises:
the network element provided with the proxy module notifies the negotiation initiator of the routing protocol security association of all routing protocol security associations it supports; the network element provided with the proxy module receives the routing protocol security association selected by the negotiation initiator.
Preferably, the method further comprises:
when the network element provided with the proxy module and the negotiation initiator of the routing protocol security association are negotiating for the first time and the proxy module has a preset secure channel, the network element provided with the proxy module sends the negotiated routing protocol security association over that secure channel.
Preferably, the method further comprises:
when the network element provided with the proxy module and the negotiation initiator of the routing protocol security association are not negotiating for the first time, the proxy module establishes a secure channel using the routing protocol security association previously negotiated with this negotiation initiator, and sends the newly negotiated routing protocol security association over that secure channel.
Preferably, the method further comprises:
providing a dedicated payload for carrying the routing protocol security association, an exchange type for negotiating the routing protocol security association, and an exchange type for distributing the routing protocol security association.
Preferably, the network element provided with the proxy module carries the routing protocol security associations it supports in the dedicated payload and notifies the negotiation initiator of them through the exchange type for negotiating the routing protocol security association.
Preferably, the dedicated payload carries at least one of the following elements of the routing protocol security association: routing protocol identifier, security association key identifier length, security association lifetime length, security association initial sequence number length, security association key identifier, security association lifetime, security association initial sequence number, authentication algorithm identifier, authentication key length, authentication key.
A routing protocol security association management system comprises a network element provided with a proxy module and a negotiation initiator of the routing protocol security association;
the network element provided with the proxy module is used to establish a security association with the negotiation initiator of the routing protocol security association; to negotiate the routing protocol security association with the negotiation initiator under the protection of the established security association; and to send the negotiated routing protocol security association over a preset or established secure channel;
the negotiation initiator of the routing protocol security association is used to establish a security association with the network element provided with the proxy module, and to negotiate the routing protocol security association with that network element under the protection of the established security association.
A routing protocol security association management apparatus is provided with a proxy module, and the proxy module comprises:
a security association establishment module, a routing protocol security association negotiation module and a sending module;
the security association establishment module is used for the network element provided with the proxy module to establish a security association with the negotiation initiator of the routing protocol security association;
the routing protocol security association negotiation module is used for the network element provided with the proxy module to negotiate the routing protocol security association with the negotiation initiator under the protection of the established security association;
the sending module is used for the network element provided with the proxy module to send the negotiated routing protocol security association over a preset or established secure channel.
In the present invention, by providing a new payload that carries the routing protocol security association, routing protocol security associations can be negotiated through the new payload in both unicast and multicast scenarios; by providing an exchange type for negotiating the routing protocol security association and an exchange type for distributing it, the invention negotiates and distributes routing protocol security associations. Because the invention realizes the negotiation and transmission of routing protocol security associations by adding the associated payload and exchange types to IKEv2, it changes the existing infrastructure and protocols little and has good generality. In addition, by providing a proxy module in the relevant network elements, the invention supports negotiation of routing protocol security associations in both multicast and unicast cases. The technical solution of the invention, routing protocol security association management based on IKEv2 and a proxy mechanism, can negotiate, update and manage routing protocol unicast and multicast security associations, thereby solving the problems that routing protocol security associations can only be configured manually and carry large potential security risks, and making the transmission of routing information safer and more reliable.
Brief description of the drawings
Fig. 1 is an application scenario diagram of the present invention;
Fig. 2 is a schematic diagram of the proposal substructure of the newly added routing protocol security association payload RPInfo of the present invention;
Fig. 3 is a flow chart of the routing protocol security association management method of the present invention;
Fig. 4 is a schematic diagram of the functional composition of the proxy module of the present invention;
Fig. 5 is a schematic diagram of the composition of the routing protocol security association management apparatus of the present invention.
Detailed description
The basic idea of the present invention is as follows. The invention mainly provides an implementation of routing protocol security association management based on IKEv2 and a proxy mechanism. The invention carries the routing protocol security association by adding a new payload, labelled RPInfo (Routing Protocol Information). The structure of the RPInfo payload mainly comprises a Proposal Substructure, which comprises Proposal Length, Proposal#, Routing Protocol ID, Length of Key ID, Length of Life Time, Length of Sequence Number, Key ID, Life Time, Sequence Number, Authentication Algorithm ID, Length of Authentication Key, Authentication Key, etc. To unify the negotiation of routing protocol security associations for unicast and multicast applications in one system, a proxy mechanism is introduced: a proxy module is configured on every router. In a unicast network, the proxy module negotiates the routing protocol security association with the KMP initiator on behalf of the KMP responder; the proxy module and the KMP responder (the network element is a router in the unicast case, and a gateway, server or router with multicast control function in the multicast case) are located in the same router. In a multicast network, the proxy module likewise negotiates the routing protocol security association with the KMP initiator on behalf of the KMP responder, but the proxy module works only on specifically configured routers (the router acting as gateway or server, or the router with multicast control function); the proxy modules of the other routers in the multicast network do not operate. The proxy module presets a multicast secure channel, or establishes a secure channel, for the multicast network; this channel is mainly the algorithm and key used for encryption and/or integrity authentication. Under the protection of the IKE_SA negotiated and generated by IKEv2, the proxy module uses the new payload and the new exchange type to negotiate the routing protocol security association with the KMP initiator on behalf of the KMP responder (the router that receives the unicast or multicast routing protocol security association negotiation request); likewise using the new payload and the new exchange type, the proxy module sends the negotiated routing protocol security association to the KMP responder. In a unicast network, the proxy module can deliver the negotiated unicast security association directly to the KMP responder without the protection of a secure channel; in a multicast network, the proxy module sends the negotiated multicast security association to all multicast members (multicast network elements) under the protection of the multicast secure channel that the proxy module preset (when negotiating for the first time) or established (when not negotiating for the first time).
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further explained below through embodiments with reference to the accompanying drawings.
Fig. 1 is an application scenario diagram of the present invention. As shown in Fig. 1, in the present invention the newly added payload is used to carry the routing protocol security association and is labelled RPInfo; its Next Payload Type value is taken from the IANA reserved range (49-127) of the Next Payload Type field in the IKEv2 protocol framework and is 51. The general structure of RPInfo is as shown in Fig. 1 and mainly comprises the Proposals substructure of RPInfo, the payload length, etc. In Fig. 1, the other structures of the newly added RPInfo payload are identical to the payload structure in the existing protocol framework.
Fig. 2 is a schematic diagram of the proposal substructure of the newly added routing protocol security association payload RPInfo of the present invention. As shown in Fig. 2, the proposal substructure of the RPInfo payload comprises, but is not limited to, the following content:
Routing protocol identifier (Routing Protocol ID): the specific routing protocol; for example, the Routing Protocol ID values of RIPv2, OSPFv2, IS-IS, BFD and BGP are 1, 2, 3, 4 and 5 respectively;
Security association key identifier length (Length of Key ID): the length of the Key ID, expressed in bytes; for example, the values for RIPv2, OSPFv2, IS-IS, BFD and BGPv4 are 1, 1, 2, 2 and 1 respectively;
Security association lifetime length (Length of Life Time): the length of the Life Time, which depends on the representation format and the number of lifetime parameters; it may also be 0, as for the IS-IS and BFD routing protocols, according to how these two protocols define lifetime in the security association;
Security association initial sequence number length (Length of Sequence Number): the length of the Sequence Number, expressed in bytes, generally 32 bits, i.e. 4 bytes;
Security association key identifier (Key ID): the Key ID value, which can be determined by the KMP;
Security association lifetime (Life Time): the lifetime parameters differ from one routing protocol to another; for example, the RIPv2 lifetime comprises Start Time and Stop Time, and the OSPFv2 lifetime parameters comprise Key Start Accept, Key Start Generate, Key Stop Generate and Key Stop Accept;
Security association initial sequence number (Sequence Number): can be determined by the KMP, and is used to resist replay attacks;
Authentication algorithm identifier (Authentication Algorithm ID): identifies the authentication algorithm that the routing protocol uses or supports; for example, the values of KEYED-MD5, Keyed SHA-1, HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 and AES-128-CMAC-96 are 1, 2, 3, 4, 5, 6, 7 and 8 respectively;
Authentication key length (Length of Authentication Key): the length of the Authentication Key, expressed in bits, which depends mainly on the authentication algorithm adopted;
Authentication key (Authentication Key): the key value generated by the pseudo-random function adopted by the KMP.
All IANA-assigned values mentioned above are illustrative only; the final values are subject to the result of IANA's allocation of the reserved range.
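As an added illustration (not code from the patent), the following Python encoder and length-checking parser for the RPInfo proposal substructure uses the field order and the example values the page gives (Routing Protocol IDs, Key ID lengths, algorithm IDs, Next Payload Type 51); the byte widths of the fixed fields and the generic payload header are assumptions, since the page does not state them.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Values stated on the page (illustrative until IANA allocates them).
RPINFO_NEXT_PAYLOAD_TYPE = 51  # from the IANA reserved range 49-127
ROUTING_PROTOCOL_ID = {"RIPv2": 1, "OSPFv2": 2, "IS-IS": 3, "BFD": 4, "BGP": 5}
KEY_ID_LENGTH = {"RIPv2": 1, "OSPFv2": 1, "IS-IS": 2, "BFD": 2, "BGP": 1}  # bytes
AUTH_ALGORITHM_ID = {"KEYED-MD5": 1, "Keyed SHA-1": 2, "HMAC-SHA-1": 3,
                     "HMAC-SHA-224": 4, "HMAC-SHA-256": 5, "HMAC-SHA-384": 6,
                     "HMAC-SHA-512": 7, "AES-128-CMAC-96": 8}
SEQUENCE_NUMBER_LENGTH = 4  # page: generally 32 bits
# Assumed field widths (the page gives the order of the fields, not their widths):
#   Proposal Length u16 | Proposal# u8 | Routing Protocol ID u8 | Length of Key ID u8 |
#   Length of Life Time u8 | Length of Sequence Number u8 | Key ID | Life Time | Sequence
#   Number | Authentication Algorithm ID u8 | Length of Authentication Key u16 (bits) | Key
FIXED_HEAD = struct.Struct("!HBBBBB")
FIXED_TAIL = struct.Struct("!BH")


@dataclass
class RPProposal:
    proposal_num: int
    routing_protocol_id: int
    key_id: bytes
    life_time: bytes
    sequence_number: bytes
    auth_algorithm_id: int
    auth_key: bytes

    def validate(self) -> None:
        """Reject combinations that the page's field definitions do not allow."""
        names = {v: k for k, v in ROUTING_PROTOCOL_ID.items()}
        if self.routing_protocol_id not in names:
            raise ValueError("unknown Routing Protocol ID")
        if len(self.key_id) != KEY_ID_LENGTH[names[self.routing_protocol_id]]:
            raise ValueError("Key ID length does not match the routing protocol")
        if len(self.sequence_number) != SEQUENCE_NUMBER_LENGTH:
            raise ValueError("Sequence Number must be 4 bytes")
        if self.auth_algorithm_id not in AUTH_ALGORITHM_ID.values():
            raise ValueError("unknown Authentication Algorithm ID")
        if not self.auth_key:
            raise ValueError("empty Authentication Key")

    def encode(self) -> bytes:
        self.validate()
        body = (self.key_id + self.life_time + self.sequence_number
                + FIXED_TAIL.pack(self.auth_algorithm_id, len(self.auth_key) * 8)
                + self.auth_key)
        return FIXED_HEAD.pack(FIXED_HEAD.size + len(body), self.proposal_num,
                               self.routing_protocol_id, len(self.key_id),
                               len(self.life_time), len(self.sequence_number)) + body

    @classmethod
    def decode(cls, data: bytes) -> tuple[RPProposal, bytes]:
        """Parse one proposal, checking every declared length against the buffer."""
        if len(data) < FIXED_HEAD.size:
            raise ValueError("truncated proposal header")
        length, num, rp_id, kid_len, lt_len, sn_len = FIXED_HEAD.unpack_from(data)
        if length < FIXED_HEAD.size + FIXED_TAIL.size or length > len(data):
            raise ValueError("Proposal Length inconsistent with buffer")
        prop, off = data[:length], FIXED_HEAD.size
        if off + kid_len + lt_len + sn_len + FIXED_TAIL.size > length:
            raise ValueError("variable-length fields exceed Proposal Length")
        key_id, off = prop[off:off + kid_len], off + kid_len
        life_time, off = prop[off:off + lt_len], off + lt_len
        seq, off = prop[off:off + sn_len], off + sn_len
        alg_id, key_bits = FIXED_TAIL.unpack_from(prop, off)
        off += FIXED_TAIL.size
        if key_bits % 8 or off + key_bits // 8 != length:
            raise ValueError("Authentication Key length inconsistent with Proposal Length")
        proposal = cls(num, rp_id, key_id, life_time, seq, alg_id, prop[off:])
        proposal.validate()
        return proposal, data[length:]


def encode_rpinfo(proposals: list[RPProposal], next_payload: int = 0) -> bytes:
    """RPInfo behind the IKEv2 generic payload header (Next Payload, C/reserved, Length)."""
    body = b"".join(p.encode() for p in proposals)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_rpinfo(data: bytes) -> list[RPProposal]:
    if len(data) < 4:
        raise ValueError("truncated payload header")
    _next, _flags, length = struct.unpack_from("!BBH", data)
    if length < 4 or length > len(data):
        raise ValueError("Payload Length inconsistent with buffer")
    rest, proposals = data[4:length], []
    while rest:
        proposal, rest = RPProposal.decode(rest)
        proposals.append(proposal)
    return proposals


# Constructed sample: an OSPFv2 proposal with HMAC-SHA-256 and a 16-byte Life Time
# holding Key Start Accept / Key Start Generate / Key Stop Generate / Key Stop Accept.
SAMPLE = RPProposal(1, ROUTING_PROTOCOL_ID["OSPFv2"], b"\x07",
                    struct.pack("!IIII", 1000, 1100, 2000, 2100), b"\x00\x00\x00\x01",
                    AUTH_ALGORITHM_ID["HMAC-SHA-256"], bytes(range(32)))
```

The parser refuses any proposal whose declared Proposal Length, variable-field lengths or key length disagree with the bytes actually present, which is the check a receiver of an untrusted RP_SA_PULL or RP_SA_PUSH message needs before it trusts the carried key material.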
Below, based on the routing protocol security association payload described above, it is explained how automatic management of routing protocol security associations between routers is realized.
Fig. 3 is a flow chart of the routing protocol security association management method of the present invention. As shown in Fig. 3, the negotiation flow of the routing protocol security association between the KMP initiator (the routing protocol security association negotiation initiator), the proxy module and the KMP responder (the routing protocol security association negotiation responder) comprises the following steps:
Step 100: the KMP initiator sends an IKE_SA_INIT request to the proxy module carrying HDR, SAi1, KEi, Ni; that is, it initiates the negotiation of the routing protocol security association. Here the negotiation of the routing protocol security association applies both to the unicast case and to the multicast case. Specifically, in the unicast case the negotiation is carried out between two routers, i.e. between the two network elements that exchange information, and the proxy module is located in the KMP responder; in the multicast case the negotiation is carried out between the KMP initiator and the multicast control node (the gateway or server mentioned above), and the proxy module is located in the multicast control node.
Step 102: the proxy module replies to the KMP initiator with an IKE_SA_INIT response carrying HDR, SAr1, KEr, Nr, [CERTREQ].
Steps 100 and 102 mainly negotiate the IKE_SA; the IKE_SA obtained is used to protect the authentication between the proxy module and the KMP initiator.
Step 104: the KMP initiator sends an IKE_AUTH request to the proxy module; the IKE_AUTH request message is encrypted with the IKE_SA and comprises HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}.
Step 106: the proxy module replies to the KMP initiator with an IKE_AUTH response carrying HDR, SK{IDr, [CERT,] AUTH, SAr2, TSi, TSr}.
Steps 104 and 106 mainly perform authentication under the protection of the negotiated IKE_SA.
Step 108: the proxy module sends an RP_SA_PULL request to the KMP initiator (here RP_SA_PULL is the newly added exchange type for negotiating the routing protocol security association) carrying HDR, SK{RPInfo}; that is, the routing protocol security association is negotiated under the protection of the IKE_SA by negotiating the content of RPInfo, which determines the routing protocol security association.
Step 110: the KMP initiator replies to the proxy module with an RP_SA_PULL response carrying HDR, SK{RPInfo}.
Step 112a: the proxy module sends an RP_SA_PUSH message (RP_SA_PUSH is the newly added one-way exchange type for distributing the routing protocol security association) to the KMP responder, the network element it represents, carrying HDR, RPInfo; that is, in the unicast case RPInfo is delivered directly to the KMP responder. Even in the multicast case, the proxy module still needs to deliver RPInfo directly to the KMP responder it represents.
Step 112b: in the multicast case, the proxy module sends an RP_SA_PUSH message to the KMP responders carrying HDR, SKp{RPInfo}. In the present invention, if the proxy module in the multicast network is negotiating the routing protocol security association with the KMP initiator for the first time (this case includes a newly joined KMP initiator, i.e. a newly joined network element), then when it sends the RP_SA_PUSH message the other network elements have not yet received the routing protocol security association, so RPInfo is distributed to the network elements in the multicast network that did not take part in the routing protocol negotiation under the protection of the preset multicast secure channel. If the proxy module in the multicast network is not negotiating with the KMP initiator for the first time (this case includes updating the routing protocol security association used for multicast), then the RP_SA_PUSH message it sends carries HDR, SK1{RPInfo}; that is, in this case the distribution uses the previously negotiated RPInfo to establish a secure channel, and the newly negotiated RPInfo is distributed under the protection of that secure channel. In the multicast case, a network element running a routing protocol such as OSPF or IS-IS has a dual identity: first, as a multicast message sender in the multicast network, it needs to notify all group members of the routing protocol multicast security association; second, as a multicast message receiver in the multicast network, it needs to learn the routing protocol multicast security association from the multicast message sender.
In the present invention, the information carried in the routing protocol security association payload is all defined by IKEv2: HDR is the IKE header; SAi1 is the first SA payload sent by the KMP initiator and SAr1 the first SA payload returned by the responder, used for negotiating the IKE_SA; KEi is the initiator's key exchange (i.e. D-H exchange) payload and KEr the responder's key exchange payload; Ni is the nonce payload generated by the initiator and Nr the nonce payload generated by the responder; IDi and IDr denote the identification payloads of the initiator and responder respectively, and TSi and TSr their traffic selector payloads; AUTH denotes the authentication payload, computed by the method specified in IKEv2; CERTREQ denotes the certificate request payload; square brackets [] indicate that the enclosed payload is optional; SK{} indicates that the payloads in the braces are encrypted and integrity-protected with the SA of that direction (indicated by the arrows in Fig. 3). SKp denotes the multicast secure channel preset by the proxy module, i.e. the content in {} is encrypted and/or authenticated, for example with a preset multicast pre-shared key; SK1 denotes a secure channel generated from the previously negotiated and successfully distributed RPInfo, for example using the authentication key of that RPInfo as the encryption key to encrypt the newly negotiated RPInfo being sent. The preset secure channel information and at least the content of the previous negotiation need to be stored and updated.
In the present invention, the KMP initiator first establishes an IKE_SA with the KMP responder's proxy module; under the protection of the IKE_SA the KMP initiator first authenticates with the KMP responder's proxy module, and then, still under the protection of the IKE_SA, the KMP responder's proxy module negotiates the routing protocol security association with the KMP initiator on behalf of the KMP responder. The KMP responder's proxy module enumerates the security association schemes the KMP responder can provide in an RPInfo payload and sends that payload to the KMP initiator in an RP_SA_PULL request; the KMP initiator selects one supported security association scheme from the list, loads the selected scheme into an RPInfo payload, and sends that RPInfo in the RP_SA_PULL response to confirm acceptance.
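As an added Python model of steps 108 to 112b (not the patent's own code): the proxy module offers the schemes its KMP responder supports in the RP_SA_PULL request, the KMP initiator selects one in the response, and the proxy distributes it under SKp (the preset multicast key) on a first negotiation or under SK1 (derived from the previously distributed RPInfo's authentication key) on an update. Channel protection is modelled as an HMAC-SHA-256 tag rather than encryption, the IKE_SA_INIT and IKE_AUTH steps are assumed complete, and all keys, names and schemes are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the SKp key material a deployment would provision.
PRESET_MULTICAST_PSK = b"constructed-preset-multicast-psk"


def _tag(key: bytes, body: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def protect(channel_key: bytes, rpinfo: dict) -> dict:
    """Model SKp{RPInfo} / SK1{RPInfo} as an integrity tag under the channel key
    (the page allows encryption and/or authentication; only authentication is modelled)."""
    body = json.dumps(rpinfo, sort_keys=True).encode()
    return {"body": body, "tag": _tag(channel_key, body)}


def unprotect(channel_key: bytes, msg: dict) -> dict:
    if not hmac.compare_digest(_tag(channel_key, msg["body"]), msg["tag"]):
        raise ValueError("RP_SA_PUSH rejected: channel integrity check failed")
    return json.loads(msg["body"])


def sk1_key(last_rpinfo: dict) -> bytes:
    """SK1: channel key taken from the Authentication Key of the last distributed RPInfo."""
    return bytes.fromhex(last_rpinfo["auth_key"])


class KMPInitiator:
    """Selects one scheme from the proxy's RP_SA_PULL request (steps 108 and 110)."""

    def __init__(self, supported_algorithms):
        self.supported = set(supported_algorithms)

    def rp_sa_pull_response(self, offered: list) -> dict:
        for proposal in offered:
            if proposal["auth_algorithm"] in self.supported:
                return proposal
        raise ValueError("no offered scheme is supported by the initiator")


class MulticastMember:
    """A KMP responder in the group; its channel key depends on what it already holds."""

    def __init__(self):
        self.rpinfo = None

    def on_rp_sa_push(self, msg: dict) -> None:
        key = PRESET_MULTICAST_PSK if self.rpinfo is None else sk1_key(self.rpinfo)
        self.rpinfo = unprotect(key, msg)


class ProxyModule:
    def __init__(self, offered: list, multicast: bool):
        self.offered = offered        # schemes the represented KMP responder supports
        self.multicast = multicast
        self.last_rpinfo = None       # must persist across rounds: SK1 is derived from it
        self.last_message = None

    def negotiate(self, initiator: KMPInitiator) -> dict:
        # Steps 100 to 106 (IKE_SA_INIT, IKE_AUTH) are assumed complete; SK{} is not modelled.
        return initiator.rp_sa_pull_response(self.offered)

    def push(self, rpinfo: dict, members: list) -> str:
        """Step 112a/112b. Returns the channel that protected the distribution."""
        if not self.multicast:
            for m in members:         # unicast: delivered directly, no secure channel needed
                m.rpinfo = rpinfo
            channel = "direct"
        else:
            first = self.last_rpinfo is None
            key = PRESET_MULTICAST_PSK if first else sk1_key(self.last_rpinfo)
            self.last_message = protect(key, rpinfo)
            for m in members:
                m.on_rp_sa_push(self.last_message)
            channel = "SKp" if first else "SK1"
        self.last_rpinfo = rpinfo
        return channel


def make_rpinfo(key_id: int, alg: str, label: str) -> dict:
    """Constructed OSPFv2 scheme; the key is a deterministic stand-in for a PRF output."""
    return {"routing_protocol": "OSPFv2", "key_id": key_id, "sequence_number": 1,
            "auth_algorithm": alg, "auth_key": hashlib.sha256(label.encode()).hexdigest()}


def run_scenario() -> dict:
    """First negotiation (SKp), then a key update (SK1), then a member that missed round one."""
    proxy = ProxyModule([make_rpinfo(1, "HMAC-SHA-512", "k1"),
                         make_rpinfo(2, "HMAC-SHA-256", "k2")], multicast=True)
    initiator = KMPInitiator({"HMAC-SHA-256"})
    members = [MulticastMember(), MulticastMember()]
    chosen1 = proxy.negotiate(initiator)
    first_channel = proxy.push(chosen1, members)
    proxy.offered = [make_rpinfo(3, "HMAC-SHA-256", "k3")]   # update round
    chosen2 = proxy.negotiate(initiator)
    update_channel = proxy.push(chosen2, members)
    late = MulticastMember()                                  # still holds only SKp
    try:
        late.on_rp_sa_push(proxy.last_message)
        late_accepted = True
    except ValueError:
        late_accepted = False
    return {"first_channel": first_channel, "update_channel": update_channel,
            "chosen_first": chosen1["auth_algorithm"],
            "members_updated": all(m.rpinfo == chosen2 for m in members),
            "late_joiner_accepted": late_accepted}
```

The late member's rejected update shows why the page requires the preset channel information and at least the last negotiated content to be stored: a member that missed the SKp round cannot verify an SK1-protected push and needs a fresh first-time negotiation instead.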
Technical scheme of the present invention makes the Routing Protocol Security Association under clean culture and multicast network situation, to realize management such as negotiation, renewal based on IKEv2 and proxy module; Satisfy the needs of automatic key management of routing safety and renewal, thereby satisfied the needs of route messages safe transmission.
Fig. 4 forms sketch map for the function of proxy module of the present invention; As shown in Figure 4; Proxy module of the present invention is mainly realized setting up Security Association, consults the Routing Protocol Security Association, sets up escape way and is sent Routing Protocol Security Association four partial functions; Concrete, said proxy module was set up Security Association with the negotiation initiator of Routing Protocol Security Association before carrying out the negotiation of Routing Protocol Security Association; Under the protection of the Security Association of being set up; The negotiation initiator of said proxy module and said Routing Protocol Security Association is consulted the Routing Protocol Security Association, and said proxy module adopts the escape way that presets or set up, and the Routing Protocol Security Association that consults is sent to other network elements in said network element and/or the multicast group.
Fig. 5 is a schematic diagram of the composition of the routing protocol security association management device of the present invention. As shown in Fig. 5, the device is provided with a proxy module, and the proxy module comprises:
a security association establishing module, a routing protocol security association negotiating module, and a sending module;
the security association establishing module is used for establishing a security association between the network element provided with the proxy module and the negotiation initiator of the routing protocol security association;
the routing protocol security association negotiating module is used for negotiating the routing protocol security association between the network element provided with the proxy module and the negotiation initiator, under the protection of the established security association;
the sending module is used for sending the negotiated routing protocol security association from the network element provided with the proxy module over the preset or established secure channel.
After receiving a negotiation request for a routing protocol security association, the proxy module notifies the negotiation initiator of all the routing protocol security association schemes that the network element it belongs to can provide; and, after receiving the routing protocol security association scheme selected by the negotiation initiator, it notifies its network element and/or the other network elements in the multicast group.
The proxy module carries the routing protocol security association schemes that its network element can provide in the dedicated payload and so notifies the negotiation initiator of the routing protocol security association;
the negotiation initiator of the routing protocol security association carries the selected routing protocol security association scheme in the dedicated payload and sends it to the proxy module.
The dedicated payload is used to carry at least one of the following items of the routing protocol security association: routing protocol identifier, security association key identifier length, security association lifetime length, security association initial sequence number length, security association key identifier, security association lifetime, security association initial sequence number, authentication algorithm identifier, authentication key length, authentication key.
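As an added example (not code from the patent or from ZTE), the RP_SA_PULL offer/select exchange described above together with the dedicated payload fields just listed, in Python: the proxy module encodes the schemes its network element can provide as a list of RPInfo entries, the KMP initiator picks one it supports, and the proxy accepts the response only if it matches a scheme it actually offered, so a selection the proxy never proposed is rejected rather than installed. The byte layout, the identifier values and the framing of the RP_SA_PULL bodies are assumptions: the patent names the fields but specifies no encoding.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed identifier values; the patent names these fields but fixes no numbers.
RP_OSPFV2, AUTH_HMAC_SHA1, AUTH_HMAC_SHA256 = 1, 1, 2
HDR = "!BBBBBB"  # assumed header: rp_id, auth_alg, then the four length fields


@dataclass(frozen=True)
class RPInfo:
    rp_id: int          # routing protocol identifier
    key_id: bytes       # SA key identifier
    lifetime: int       # SA lifetime (seconds)
    initial_seq: int    # SA initial sequence number
    auth_alg: int       # authentication algorithm identifier
    auth_key: bytes     # authentication key

    def encode(self) -> bytes:
        # Assumed wire layout (not given by the patent): header, then the values in order.
        life, seq = self.lifetime.to_bytes(4, "big"), self.initial_seq.to_bytes(4, "big")
        hdr = struct.pack(HDR, self.rp_id, self.auth_alg,
                          len(self.key_id), len(life), len(seq), len(self.auth_key))
        return hdr + self.key_id + life + seq + self.auth_key

    @classmethod
    def decode(cls, data: bytes) -> "RPInfo":
        rp_id, auth_alg, kl, ll, sl, al = struct.unpack(HDR, data[:6])
        if len(data) != 6 + kl + ll + sl + al:   # the length fields must account for every byte
            raise ValueError("RPInfo length fields do not match payload size")
        body = data[6:]
        key_id, life = body[:kl], body[kl:kl + ll]
        seq, auth_key = body[kl + ll:kl + ll + sl], body[kl + ll + sl:]
        return cls(rp_id, key_id, int.from_bytes(life, "big"),
                   int.from_bytes(seq, "big"), auth_alg, auth_key)


def encode_offer(schemes: List[RPInfo]) -> bytes:
    """RP_SA_PULL request body: a count byte, then length-prefixed RPInfo entries."""
    out = bytes([len(schemes)])
    for s in schemes:
        enc = s.encode()
        out += struct.pack("!H", len(enc)) + enc
    return out


def decode_offer(data: bytes) -> List[RPInfo]:
    count, pos, schemes = data[0], 1, []
    for _ in range(count):
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        schemes.append(RPInfo.decode(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return schemes


def initiator_select(offer: bytes, supported_algs: List[int]) -> Optional[bytes]:
    """KMP initiator: pick the first offered scheme it supports (RP_SA_PULL response body)."""
    for s in decode_offer(offer):
        if s.auth_alg in supported_algs:
            return s.encode()
    return None


def proxy_accept(offered: List[RPInfo], response: bytes) -> RPInfo:
    """Proxy module: accept the response only if it is exactly one of the schemes offered."""
    chosen = RPInfo.decode(response)
    if chosen not in offered:
        raise ValueError("initiator selected a scheme the proxy never offered")
    return chosen
```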
Those skilled in the art will appreciate that the routing protocol security association management device of the present invention is designed to implement the routing protocol security association management method described above, and that the functions of the units described above can be understood by reference to the description of the method. The functions of the processing units in the figure may be implemented by a program running on a processor or by dedicated logic circuits.
The present invention also describes a routing protocol security association management system, comprising a network element provided with a proxy module and a negotiation initiator of the routing protocol security association;
the network element provided with the proxy module is used for establishing a security association with the negotiation initiator of the routing protocol security association; negotiating the routing protocol security association with the negotiation initiator under the protection of the established security association; and sending the negotiated routing protocol security association out over the preset or established secure channel;
the negotiation initiator of the routing protocol security association is used for establishing a security association with the network element provided with the proxy module, and negotiating the routing protocol security association with that network element under the protection of the established security association.
The structure of the system is similar to that of an existing network; the only difference is that network elements in the network are provided with a proxy module having the functions described above.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection.

Claims (10)

1. A routing protocol security association management method, characterized in that a proxy module for negotiating a routing protocol security association is provided in a network element, and the method further comprises:
the network element provided with the proxy module and the negotiation initiator of the routing protocol security association establishing a security association;
under the protection of the established security association, the network element provided with the proxy module and the negotiation initiator of the routing protocol security association negotiating the routing protocol security association;
the network element provided with the proxy module sending the negotiated routing protocol security association out over a preset or established secure channel.
2. The method according to claim 1, characterized in that the method further comprises:
after the network element provided with the proxy module and the negotiation initiator of the routing protocol security association have established the security association, performing authentication.
3. The method according to claim 1, characterized in that the method further comprises:
the network element provided with the proxy module notifying the negotiation initiator of the routing protocol security association of all the routing protocol security associations it supports; and the network element provided with the proxy module receiving the routing protocol security association selected by the negotiation initiator.
4. The method according to claim 1, characterized in that the method further comprises:
when the network element provided with the proxy module and the negotiation initiator of the routing protocol security association negotiate for the first time and the proxy module has a preset secure channel, the network element provided with the proxy module sending the negotiated routing protocol security association out over that secure channel.
5. The method according to claim 1, characterized in that the method further comprises:
when the network element provided with the proxy module and the negotiation initiator of the routing protocol security association are not negotiating for the first time, the proxy module establishing a secure channel from the routing protocol security association negotiated last time with this negotiation initiator, and sending the negotiated routing protocol security association out over that secure channel.
6. The method according to claim 1, characterized in that the method further comprises:
providing a dedicated payload for carrying the routing protocol security association, an exchange type for negotiating the routing protocol security association, and an exchange type for distributing the routing protocol security association.
7. The method according to claim 6, characterized in that
the network element provided with the proxy module carries the routing protocol security associations it supports in the dedicated payload and notifies the negotiation initiator of the routing protocol security association through the exchange type for negotiating the routing protocol security association.
8. The method according to claim 6, characterized in that the dedicated payload is used to carry at least one of the following items of the routing protocol security association: routing protocol identifier, security association key identifier length, security association lifetime length, security association initial sequence number length, security association key identifier, security association lifetime, security association initial sequence number, authentication algorithm identifier, authentication key length, authentication key.
9. A routing protocol security association management system, characterized by comprising a network element provided with a proxy module and a negotiation initiator of the routing protocol security association;
the network element provided with the proxy module is used for establishing a security association with the negotiation initiator of the routing protocol security association; negotiating the routing protocol security association with the negotiation initiator under the protection of the established security association; and sending the negotiated routing protocol security association out over a preset or established secure channel;
the negotiation initiator of the routing protocol security association is used for establishing a security association with the network element provided with the proxy module, and negotiating the routing protocol security association with that network element under the protection of the established security association.
10. A routing protocol security association management device, characterized in that a proxy module is provided in the device, the proxy module comprising:
a security association establishing module, a routing protocol security association negotiating module, and a sending module;
the security association establishing module is used for establishing a security association between the network element provided with the proxy module and the negotiation initiator of the routing protocol security association;
the routing protocol security association negotiating module is used for negotiating the routing protocol security association between the network element provided with the proxy module and the negotiation initiator, under the protection of the established security association;
the sending module is used for sending the negotiated routing protocol security association from the network element provided with the proxy module over the preset or established secure channel.
CN201010531229.XA 2010-11-03 2010-11-03 Routing protocol security alliance management method, Apparatus and system Expired - Fee Related CN102469063B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010531229.XA CN102469063B (en) 2010-11-03 2010-11-03 Routing protocol security alliance management method, Apparatus and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010531229.XA CN102469063B (en) 2010-11-03 2010-11-03 Routing protocol security alliance management method, Apparatus and system

Publications (2)

Publication Number Publication Date
CN102469063A true CN102469063A (en) 2012-05-23
CN102469063B CN102469063B (en) 2016-03-30

Family

ID=46072242

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010531229.XA Expired - Fee Related CN102469063B (en) 2010-11-03 2010-11-03 Routing protocol security alliance management method, Apparatus and system

Country Status (1)

Country Link
CN (1) CN102469063B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991352A (en) * 2015-07-22 2016-10-05 杭州迪普科技有限公司 Security alliance backup method and security alliance backup apparatus
CN109428868A (en) * 2017-08-31 2019-03-05 中兴通讯股份有限公司 Method, encryption device, encryption equipment and the storage medium that OSPFv3 is encrypted
CN111147373A (en) * 2018-11-02 2020-05-12 瞻博网络公司 Method for realizing participation of non-flexible algorithm router in flexible algorithm routing protocol
WO2023024540A1 (en) * 2021-08-24 2023-03-02 华为技术有限公司 Methods and apparatus for processing message and obtaining sa information, system, and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007109963A1 (en) * 2006-03-24 2007-10-04 Huawei Technologies Co., Ltd. A vpn gateway and an ipv6 network system and a system for realizing mobile vpn in hybrid network and the method
CN101442402A (en) * 2007-11-20 2009-05-27 华为技术有限公司 Method, system and apparatus for authenticating access point equipment


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
曾鹤: "Analysis and improvement of the Internet Key Exchange protocol IKEv2", China Master's Theses Full-text Database, Information Science and Technology *
林海 et al.: "Research and implementation of the IPSec protocol in high-performance routers", Computer Security *
毛轶: "Design and implementation of the IKEv2 protocol in IPv6 routers", China Master's Theses Full-text Database, Information Science and Technology *


Also Published As

Publication number Publication date
CN102469063B (en) 2016-03-30


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160330

Termination date: 20201103