CN102469063B - Routing protocol security association management method, apparatus and system - Google Patents

Info

Publication number: CN102469063B
Authority: CN (China)
Prior art keywords: routing protocol, protocol security, association, security association, proxy module
Legal status: Expired - Fee Related
Application number: CN201010531229.XA
Other languages: Chinese (zh)
Other versions: CN102469063A
Inventors: 梁小萍, 王鸿彦, 韦银星
Current assignee: ZTE Corp
Original assignee: ZTE Corp

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a routing protocol security association management method in which a proxy module for negotiating routing protocol security associations is provided in a network element. The method further comprises: the network element provided with the proxy module establishes a security association with the negotiation initiator of the routing protocol security association; under the protection of the established security association, the network element provided with the proxy module negotiates the routing protocol security association with the negotiation initiator; and the network element provided with the proxy module sends the negotiated routing protocol security association over a preset or established secure channel. The invention also discloses a routing protocol security association management apparatus and system. The invention enables the negotiation, update and management of unicast and multicast routing protocol security associations, thereby solving the problem that routing protocol security associations can only be configured manually, which carries a large potential security risk, and making the transmission of routing information more reliable and secure.

Description

Routing protocol security association management method, apparatus and system
Technical field
The present invention relates to routing protocol security association management technology, and in particular to a routing protocol security association management method, apparatus and system.
Background art
With the continuous expansion of computer networks and the rapid development of large-scale interconnected networks such as the Internet, routing technology has gradually become a key technology in networking, and the router has become the most important network device. User demand for high-speed transfer of network data continually drives the development of routing technology: people are no longer content to share information only within their local network and wish to make full use of all kinds of network resources in every region of the world. In current network technology, any computer network of a certain scale (such as an enterprise network, campus network or intelligent building network) cannot do without routers. A router operates at the third layer of the Open System Interconnection (OSI) model, the network layer. A router uses the IP addresses defined at the network layer to distinguish different networks, implementing both the interconnection and the isolation of networks and keeping each network independent. A router does not forward broadcasts but confines them to their own network. Data destined for another network is first sent to the router and then forwarded by it.
In order for routers to be able to forward IP packets, routers often need to exchange routing information with each other. A router builds its view of the network topology from the routing information it receives and can then forward IP packets correctly. The protocol by which routers exchange routing information is called a routing protocol. Routing protocols are the fundamental protocols of the Internet. Whether the routing information exchanged between routers is correct directly affects whether routing succeeds. However, the Internet is an open network, and there are always many attackers in the network. These attackers may attempt to modify the routing information exchanged by a routing protocol, or send a router expired routing information, with the result that a router receiving wrong routing information cannot forward IP packets normally.
To ensure the correctness of the exchanged routing information, integrity protection must be provided for routing protocols. Almost all existing routing protocols provide a security mechanism of this kind; for example, RIPv2 (Routing Information Protocol version 2), OSPFv2 (Open Shortest Path First version 2), IS-IS (Intermediate System to Intermediate System), BFD (Bidirectional Forwarding Detection) and BGP (Border Gateway Protocol) use a message authentication code to protect the integrity of routing protocol messages. The secret material used to generate the message authentication code is defined by a security association, and the security association is usually configured manually. A security association is a set of keying material used to provide security services. The security association of a routing protocol comprises: a Key ID identifying the security association; an Authentication Algorithm identifying the keyed algorithm used to generate the message authentication code; an Authentication Key holding the key used to generate the message authentication code; a Sequence Number used to prevent replay attacks; a Life Time identifying the validity period; and so on.
Manually configured security associations have many problems, especially when the network is very large: manually updating security associations is not only slow but also error-prone. In general, a security association needs to be updated in the following cases: when the staff managing the routers change, security considerations generally require the security association to be updated; each key has a life cycle and must be updated when that life cycle expires; and since multiple keys cannot be used well at once, the security association likewise needs to be updated when a user wishes to use a new cryptographic algorithm.
IKEv2 is the security association negotiation protocol provided for IPsec, the IP-layer security data transmission mechanism of Internet Protocol version 6 (IPv6); the protocol also supports Internet Protocol version 4 (IPv4). The IKEv2 security association negotiation process can involve four classes of exchange in total: the IKE_SA_INIT exchange, the IKE_AUTH exchange, the CREATE_CHILD_SA exchange and the INFORMATIONAL exchange.
An exchange in IKEv2 consists of one request and one response and takes place between two network peers; the peer that initiates the request is called the initiator (usually denoted i) and the peer that responds is called the responder (usually denoted r). The IKE_SA_INIT exchange negotiates cryptographic algorithms, performs a Diffie-Hellman (D-H) exchange and exchanges nonces, so that the two peers agree on the security parameters from which the IKE_SA is generated; the IKE_SA provides a secure channel for the exchanges that follow. The IKE_AUTH exchange authenticates the identities of the peers and negotiates the first CHILD_SA, which provides a security association for the IPsec Encapsulating Security Payload (ESP) and/or Authentication Header (AH). The CREATE_CHILD_SA exchange generates further CHILD_SAs, either to rekey the security associations generated by the exchanges above or to provide new ones for ESP and/or AH. The INFORMATIONAL exchange carries control information, including error reports and event notifications.
However, IKEv2 does not provide the negotiation and generation of security associations for routing protocols, and because the content of a routing protocol security association differs from that of an ESP or AH security association, IKEv2 cannot be used directly to negotiate security associations for routing protocols. Moreover, IKEv2 only provides an end-to-end (also called point-to-point, or unicast) security association negotiation mechanism and cannot provide security associations for routing protocols through a multicast mechanism. Therefore IKEv2 can provide neither unicast nor multicast security associations for routing protocols.
Summary of the invention
In view of this, the main object of the present invention is to provide a routing protocol security association management method, apparatus and system, so that network elements in a network can determine routing protocol security associations automatically, between network elements in the unicast case or among the network elements of a multicast group in the multicast case.
To achieve the above object, the technical solution of the present invention is realized as follows:
A routing protocol security association management method, in which a proxy module for negotiating routing protocol security associations is provided in a network element; the method further comprises:
the network element provided with the proxy module establishes a security association with the negotiation initiator of the routing protocol security association;
under the protection of the established security association, the network element provided with the proxy module negotiates the routing protocol security association with the negotiation initiator of the routing protocol security association;
the network element provided with the proxy module sends the negotiated routing protocol security association over a preset or established secure channel.
Preferably, the method further comprises:
after the network element provided with the proxy module has established a security association with the negotiation initiator of the routing protocol security association, performing identity authentication.
Preferably, the method further comprises:
the network element provided with the proxy module notifies the negotiation initiator of the routing protocol security association of all the routing protocol security associations it supports; the network element provided with the proxy module receives the routing protocol security association selected by the negotiation initiator.
Preferably, the method further comprises:
when the network element provided with the proxy module and the negotiation initiator of the routing protocol security association are negotiating for the first time and the proxy module has a preset secure channel, the network element provided with the proxy module sends the negotiated routing protocol security association over that secure channel.
Preferably, the method further comprises:
when the network element provided with the proxy module and the negotiation initiator of the routing protocol security association are not negotiating for the first time, a secure channel is established at the proxy module from the routing protocol security association last negotiated with this negotiation initiator, and the negotiated routing protocol security association is sent over that secure channel.
Preferably, the method further comprises:
defining a dedicated payload for carrying routing protocol security associations, an exchange type for negotiating routing protocol security associations, and an exchange type for distributing routing protocol security associations.
Preferably, the network element provided with the proxy module carries the routing protocol security associations supported by the network element in the dedicated payload and notifies the negotiation initiator of the routing protocol security association of them through the exchange type for negotiating routing protocol security associations.
Preferably, the dedicated payload carries at least one of the following items of a routing protocol security association: routing protocol identifier, security association key identifier length, security association life time length, security association start sequence number length, security association key identifier, security association life time, security association start sequence number, authentication algorithm identifier, authentication key length and authentication key.
A routing protocol security association management system, comprising a network element provided with a proxy module and a negotiation initiator of a routing protocol security association, wherein:
the network element provided with the proxy module is used to establish a security association with the negotiation initiator of the routing protocol security association; to negotiate the routing protocol security association with the negotiation initiator under the protection of the established security association; and to send the negotiated routing protocol security association over a preset or established secure channel;
the negotiation initiator of the routing protocol security association is used to establish a security association with the network element provided with the proxy module, and to negotiate the routing protocol security association with that network element under the protection of the established security association.
A routing protocol security association management apparatus, in which a proxy module is provided, the proxy module comprising:
a security association establishing module, a routing protocol security association negotiating module and a sending module;
the security association establishing module is used by the network element provided with the proxy module to establish a security association with the negotiation initiator of the routing protocol security association;
the routing protocol security association negotiating module is used by the network element provided with the proxy module to negotiate the routing protocol security association with the negotiation initiator under the protection of the established security association;
the sending module is used by the network element provided with the proxy module to send the negotiated routing protocol security association over a preset or established secure channel.
In the present invention, a new payload for carrying routing protocol security associations is defined, so that when a routing protocol security association is negotiated, the negotiation can be carried out by means of the new payload in both the unicast and the multicast case; by defining an exchange type for negotiating routing protocol security associations and an exchange type for distributing them, the present invention negotiates and distributes routing protocol security associations. Because the present invention realizes the negotiation and transmission of routing protocol security associations merely by adding the corresponding payload and exchange types to IKEv2, it changes the existing infrastructure and protocol very little and has good generality. In addition, by providing a proxy module in the relevant network elements, the present invention handles the negotiation of routing protocol security associations in both the multicast and the unicast case. The technical solution of routing protocol security association management based on IKEv2 and a proxy mechanism can realize the negotiation, update and management of unicast and multicast routing protocol security associations, thereby solving the problem that routing protocol security associations can only be configured manually, which carries a large potential security risk, and making the transmission of routing information more reliable and secure.
Brief description of the drawings
Fig. 1 is a diagram of the scenario in which the present invention is applied;
Fig. 2 is a schematic diagram of the proposal substructure of the routing protocol security association payload RPInfo newly added by the present invention;
Fig. 3 is a flow chart of the routing protocol security association management method of the present invention;
Fig. 4 is a schematic diagram of the functional composition of the proxy module of the present invention;
Fig. 5 is a schematic structural diagram of the routing protocol security association management apparatus of the present invention.
Detailed description of the embodiments
The basic idea of the present invention is as follows. The present invention mainly provides an implementation of routing protocol security association management based on IKEv2 and a proxy mechanism. Routing protocol security associations are carried by adding a new payload, labelled RPInfo (Routing Protocol Information). The structure of the RPInfo payload mainly comprises a Proposal Substructure, which contains the Proposal Length, Proposal #, Routing Protocol ID, Length of KeyID (security association key identifier length), Length of LifeTime (security association life time length), Length of SequenceNumber (security association start sequence number length), KeyID, LifeTime, SequenceNumber, Authentication Algorithm ID, Length of Authentication Key, Authentication Key, and so on. To unify the negotiation of unicast and multicast routing protocol security associations in one system, a proxy mechanism is introduced: a proxy module is configured on every router. In the unicast case the proxy module negotiates the routing protocol security association with the KMP initiator on behalf of the KMP responder; the proxy module and the KMP responder (a network element, which is a router in the unicast case and, in the multicast case, a gateway, a server or a router configured with multicast control functions) are located on the same router. In the multicast case the proxy module likewise negotiates the routing protocol security association with the KMP initiator on behalf of the KMP responder, but only the proxy module on the specially configured router (the gateway, the server, or the router with multicast control functions) works; the proxy modules of the other routers in the multicast network do not. The working proxy module holds the preset multicast secure channel of the multicast network, or establishes a secure channel, which mainly consists of the algorithm and key for encryption and/or integrity authentication. Under the protection of the IKE_SA negotiated by IKEv2, the proxy module uses the new payload and the new exchange type to negotiate the routing protocol security association with the KMP initiator on behalf of the KMP responder (that is, the router that receives the unicast or multicast routing protocol security association negotiation request), and likewise uses the new payload and the new exchange type to send the negotiated routing protocol security association to the KMP responder. In the unicast case the negotiated unicast security association can be delivered by the proxy module directly to the KMP responder without the protection of a secure channel; in the multicast case the proxy module sends the negotiated multicast security association to all multicast members (multicast network elements) under a multicast secure channel that is either preset (for a first negotiation) or established (for a non-first negotiation).
In order to make the object, technical solution and advantages of the present invention clearer, the present invention is described in more detail below through embodiments and with reference to the accompanying drawings.
Fig. 1 is a diagram of the scenario in which the present invention is applied. As shown in Fig. 1, in the present invention the newly added payload that carries routing protocol security associations is labelled RPInfo; its Next Payload Type value is taken from the IANA reserved range (49-127) of the Next Payload Type field of the protocol security association protocol framework and is 51. The general structure of RPInfo, as shown in Fig. 1, mainly comprises the Proposals substructure of RPInfo, the payload length and so on. In Fig. 1 the other structures of the newly added routing protocol security association payload RPInfo are identical to the payload structure of the existing protocol framework.
Fig. 2 is a schematic diagram of the proposal substructure of the routing protocol security association payload RPInfo newly added by the present invention. As shown in Fig. 2, the proposal substructure of the RPInfo payload newly added by the present invention includes, but is not limited to, the following content:
Routing Protocol ID: the specific routing protocol; for example, the RoutingProtocolID values of RIPv2, OSPFv2, IS-IS, BFD and BGP are 1, 2, 3, 4 and 5 respectively;
Length of KeyID: the length of the KeyID, expressed in bytes; for example, the values for RIPv2, OSPFv2, IS-IS, BFD and BGPv4 are 1, 1, 2, 2 and 1 respectively;
Length of LifeTime: the length of the LifeTime, which depends on the representation format and the number of life time parameters and may also be 0, for example for IS-IS and BFD, whose security associations define no life time;
Length of SequenceNumber: the length of the SequenceNumber, expressed in bytes, generally 32 bits, i.e. 4 bytes;
KeyID: the KeyID value, which may be determined by the KMP;
LifeTime: the life time parameters differ between routing protocols; for example, the life time of RIPv2 comprises StartTime and StopTime, while the life time parameters of OSPFv2 comprise KeyStartAccept, KeyStartGenerate, KeyStopGenerate and KeyStopAccept;
SequenceNumber: the start sequence number, which may be determined by the KMP and is used to resist replay attacks;
Authentication Algorithm ID: identifies the authentication algorithm used by the routing protocol; for example, the values of KEYED-MD5, Keyed SHA-1, HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 and AES-128-CMAC-96 are 1, 2, 3, 4, 5, 6, 7 and 8 respectively;
Length of Authentication Key: the length of the AuthenticationKey, expressed in bits, which depends mainly on the authentication algorithm adopted;
Authentication Key: the AuthenticationKey, a key value generated by the KMP using a pseudo-random function.
The IANA-assigned values mentioned above are for illustration only; the final values depend on IANA's allocation of the reserved ranges.
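The proposal substructure described above, as an added example that is not part of the patent: a Python encoder and a length-checking parser for it. The patent names the fields but gives no widths, so the fixed-width layout, the per-algorithm key lengths and the sample values are assumptions; the code points for routing protocols, KeyID lengths and algorithms are the illustrative ones listed above.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Illustrative code points from the patent text (final values depend on IANA allocation).
ROUTING_PROTOCOL_ID = {"RIPv2": 1, "OSPFv2": 2, "IS-IS": 3, "BFD": 4, "BGP": 5}
KEYID_LENGTH = {1: 1, 2: 1, 3: 2, 4: 2, 5: 1}   # bytes, per Routing Protocol ID
NO_LIFETIME = {3, 4}                            # IS-IS and BFD define no LifeTime
AUTH_ALG_ID = {"KEYED-MD5": 1, "Keyed SHA-1": 2, "HMAC-SHA-1": 3, "HMAC-SHA-224": 4,
               "HMAC-SHA-256": 5, "HMAC-SHA-384": 6, "HMAC-SHA-512": 7, "AES-128-CMAC-96": 8}
# Key length in bits per algorithm is assumed here; the patent only says it depends on the algorithm.
AUTH_KEY_BITS = {1: 128, 2: 160, 3: 160, 4: 224, 5: 256, 6: 384, 7: 512, 8: 128}

# Assumed fixed-width encoding (the patent names the fields but gives no widths):
# Proposal Length (2) | Proposal # (1) | Routing Protocol ID (1) | Length of KeyID (1)
# | Length of LifeTime (1) | Length of SequenceNumber (1) | KeyID | LifeTime | SequenceNumber
# | Authentication Algorithm ID (1) | Length of Authentication Key in bits (2) | Authentication Key
_HEADER = struct.Struct("!HBBBBB")
_TRAILER = struct.Struct("!BH")


@dataclass(frozen=True)
class Proposal:
    proposal_num: int
    rp_id: int
    key_id: bytes
    lifetime: bytes          # protocol-specific layout, e.g. StartTime/StopTime for RIPv2
    sequence_number: bytes   # start sequence number, normally 4 bytes
    auth_alg_id: int
    auth_key: bytes

    def validate(self) -> None:
        """Semantic checks that the patent's field descriptions imply."""
        if KEYID_LENGTH.get(self.rp_id) != len(self.key_id):
            raise ValueError("KeyID length does not match the routing protocol")
        if self.rp_id in NO_LIFETIME and self.lifetime:
            raise ValueError("IS-IS and BFD security associations carry no LifeTime")
        if AUTH_KEY_BITS.get(self.auth_alg_id) != len(self.auth_key) * 8:
            raise ValueError("authentication key length does not match the algorithm")

    def encode(self) -> bytes:
        self.validate()
        body = (self.key_id + self.lifetime + self.sequence_number
                + _TRAILER.pack(self.auth_alg_id, len(self.auth_key) * 8) + self.auth_key)
        header = _HEADER.pack(_HEADER.size + len(body), self.proposal_num, self.rp_id,
                              len(self.key_id), len(self.lifetime), len(self.sequence_number))
        return header + body


def decode_proposal(buf: bytes) -> tuple[Proposal, bytes]:
    """Parse one proposal and return it with the unconsumed remainder; every length is checked before use."""
    if len(buf) < _HEADER.size:
        raise ValueError("truncated proposal header")
    total, num, rp_id, l_key, l_life, l_seq = _HEADER.unpack_from(buf)
    fixed = _HEADER.size + l_key + l_life + l_seq + _TRAILER.size
    if total > len(buf) or total < fixed:
        raise ValueError("Proposal Length inconsistent with the field lengths")
    pos = _HEADER.size
    key_id = buf[pos:pos + l_key]; pos += l_key
    lifetime = buf[pos:pos + l_life]; pos += l_life
    seq = buf[pos:pos + l_seq]; pos += l_seq
    alg, key_bits = _TRAILER.unpack_from(buf, pos); pos += _TRAILER.size
    if key_bits % 8 or pos + key_bits // 8 != total:
        raise ValueError("Authentication Key length does not fill the proposal")
    proposal = Proposal(num, rp_id, key_id, lifetime, seq, alg, buf[pos:total])
    proposal.validate()
    return proposal, buf[total:]


def decode_proposals(buf: bytes) -> list[Proposal]:
    """Parse the Proposals substructure of an RPInfo payload: proposals laid back to back."""
    out = []
    while buf:
        proposal, buf = decode_proposal(buf)
        out.append(proposal)
    return out


def sample_proposals() -> list[Proposal]:
    """Constructed sample: an OSPFv2 scheme with HMAC-SHA-256 and an IS-IS scheme with HMAC-SHA-1."""
    ospf = Proposal(1, ROUTING_PROTOCOL_ID["OSPFv2"], b"\x07",
                    lifetime=struct.pack("!IIII", 1000, 1100, 2000, 2100),  # KeyStartAccept .. KeyStopAccept
                    sequence_number=struct.pack("!I", 1),
                    auth_alg_id=AUTH_ALG_ID["HMAC-SHA-256"], auth_key=bytes(range(32)))
    isis = Proposal(2, ROUTING_PROTOCOL_ID["IS-IS"], b"\x00\x2a", lifetime=b"",
                    sequence_number=struct.pack("!I", 1),
                    auth_alg_id=AUTH_ALG_ID["HMAC-SHA-1"], auth_key=bytes(range(20)))
    return [ospf, isis]
```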
The following describes, on the basis of the routing protocol security association payload above, how the automatic management of routing protocol security associations between routers is realized.
Fig. 3 is a flow chart of the routing protocol security association management method of the present invention. As shown in Fig. 3, the negotiation flow of a routing protocol security association between the KMP initiator (the routing protocol security association negotiation initiator), the proxy module and the KMP responder (the routing protocol security association negotiation responder) specifically comprises the following steps:
Step 100: the KMP initiator sends an IKE_SA_INIT request to the proxy module, carrying HDR, SAi1, KEi, Ni; this initiates the negotiation of the routing protocol security association. The negotiation applies both to the unicast case and to the multicast case. Specifically, in the unicast case the negotiation is carried out between two routers, i.e. between the two network elements that exchange information, and the proxy module is located in the KMP responder; in the multicast case the negotiation is carried out between the KMP initiator and the multicast control node (the aforementioned gateway or server), and the proxy module is located in the multicast control node.
Step 102: the proxy module replies to the KMP initiator with an IKE_SA_INIT response carrying HDR, SAr1, KEr, Nr, [CERTREQ].
Steps 100 and 102 mainly negotiate the IKE_SA, so as to obtain the protecting keys of the IKE_SA used for identity authentication between the proxy module and the KMP initiator.
Step 104: the KMP initiator sends an IKE_AUTH request to the proxy module; the IKE_AUTH request message is encrypted using the IKE_SA and comprises HDR, SK{IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}.
Step 106: the proxy module replies to the KMP initiator with an IKE_AUTH response carrying HDR, SK{IDr, [CERT,] AUTH, SAr2, TSi, TSr}.
Steps 104 and 106 mainly perform identity authentication under the protection of the negotiated IKE_SA keys.
Step 108: the proxy module sends an RP_SA_PULL request to the KMP initiator (here RP_SA_PULL is the newly added exchange type for negotiating routing protocol security associations), carrying HDR, SK{RPInfo}; that is, the routing protocol security association is negotiated under the protection of the IKE_SA by negotiating the content of RPInfo, which determines the routing protocol security association.
Step 110: the KMP initiator replies to the proxy module with an RP_SA_PULL response carrying HDR, SK{RPInfo}.
Step 112a: the proxy module sends an RP_SA_PUSH message (RP_SA_PUSH is the newly added one-way exchange type for distributing negotiated routing protocol security associations) to the KMP responder it represents, carrying HDR, RPInfo. That is, in the unicast case RPInfo is delivered directly to the KMP responder, and even in the multicast case the proxy module still needs to deliver RPInfo directly to the network element it represents, the KMP responder.
Step 112b: in the multicast case, the proxy module sends an RP_SA_PUSH message carrying HDR, SKp{RPInfo} to the KMP responders. In the present invention, if the proxy module in the multicast network negotiates a routing protocol security association with the KMP initiator for the first time (this case includes a newly joined KMP initiator, i.e. a newly added network element), then when the RP_SA_PUSH message is sent the other network elements have not yet received the routing protocol security association, so RPInfo is distributed under the protection of the preset multicast secure channel to the network elements in the multicast group that did not take part in the routing protocol negotiation. If the proxy module in the multicast network is not negotiating with the KMP initiator for the first time (this case includes the update of a multicast routing protocol security association), then the RP_SA_PUSH message it sends carries HDR, SK1{RPInfo}; that is, in this case the distribution uses the RPInfo negotiated last time to establish a secure channel, and the newly negotiated RPInfo is distributed under the protection of that channel. In the multicast case, a network element running a routing protocol such as OSPF or IS-IS has a dual identity: as a multicast message sender in the multicast network it needs to notify all group members of the multicast routing protocol security association, and as a multicast message receiver it needs to learn the multicast routing protocol security association from the multicast message sender.
In the present invention, the information carried in the routing protocol security association payload all follows the definitions of IKEv2: HDR is the IKE header; SAi1 is the first SA payload sent by the KMP initiator and SAr1 the first SA payload returned by the responder, used to negotiate the IKE_SA; KEi is the key exchange (i.e. D-H exchange) payload of the initiator and KEr that of the responder; Ni is the nonce payload generated by the initiator and Nr that generated by the responder; IDi and IDr are the identification payloads of the initiator and the responder respectively; TSi and TSr are the traffic selector payloads of the initiator and the responder respectively; AUTH is the authentication payload, computed by the method specified in IKEv2; CERTREQ is the certificate request payload; square brackets [] indicate that the payload inside them is optional; SK{} indicates that the payloads inside the braces are encrypted and integrity-protected using the SA of that direction (as indicated by the arrows in Fig. 3). SKp denotes the multicast secure channel preset at the proxy module, i.e. the content inside {} is encrypted and/or authenticated, for example using a preset multicast pre-shared key; SK1 denotes the secure channel established from the RPInfo that was negotiated last time and successfully distributed, for example by using the authentication key of that RPInfo as the encryption key for the newly negotiated RPInfo being sent. The preset secure channel information and at least the last negotiated content must be stored and kept up to date.
In the present invention, the KMP initiator first establishes an IKE_SA with the proxy module of the KMP responder. Under the protection of the IKE_SA the KMP initiator first performs identity authentication with the proxy module of the KMP responder; then, still under the protection of the IKE_SA, the proxy module of the KMP responder negotiates the routing protocol security association with the KMP initiator on behalf of the KMP responder: the proxy module lists the security association schemes the KMP responder can provide in an RPInfo payload and sends that RPInfo payload to the KMP initiator in an RP_SA_PULL request; the KMP initiator selects from the list one security association scheme it supports, loads the selected scheme into an RPInfo payload and sends that RPInfo in the RP_SA_PULL response to indicate acceptance.
The technical solution of the present invention enables routing protocol security associations to be negotiated, updated and otherwise managed on the basis of IKEv2 and a proxy module in both unicast and multicast networks, meeting the need for automatic key management and key update in routing security and hence the need for secure transmission of routing messages.
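The negotiation and distribution flow of steps 108 to 112b above, as an added example that is not part of the patent: the KMP initiator's selection from the offered RPInfo list, and the proxy module's choice between the preset channel SKp (first negotiation) and the channel SK1 derived from the last distributed RPInfo (update), with a multicast member that did not take part in the negotiation verifying the push. The channel is modelled as HMAC-SHA-256 over the payload, and the message layout, field set and keys are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RPInfo:
    """Negotiated routing protocol security association, reduced to the fields this flow needs."""
    rp_id: int
    key_id: int
    auth_alg_id: int
    auth_key: bytes

    def to_bytes(self) -> bytes:
        return bytes([self.rp_id, self.key_id, self.auth_alg_id]) + self.auth_key


def select_scheme(offered: list[RPInfo], supported_algs: set[int]) -> RPInfo:
    """KMP initiator side of RP_SA_PULL: accept the first offered scheme whose algorithm it supports."""
    for scheme in offered:
        if scheme.auth_alg_id in supported_algs:
            return scheme
    raise ValueError("no acceptable routing protocol security association offered")


def protect(channel_key: bytes, rpinfo: RPInfo) -> bytes:
    """Constructed channel format for {RPInfo}: payload followed by an HMAC-SHA-256 tag (integrity only)."""
    body = rpinfo.to_bytes()
    return body + hmac.new(channel_key, body, hashlib.sha256).digest()


def unprotect(channel_key: bytes, msg: bytes) -> RPInfo:
    body, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(channel_key, body, hashlib.sha256).digest()):
        raise ValueError("RP_SA_PUSH integrity check failed")
    return RPInfo(body[0], body[1], body[2], body[3:])


class MulticastProxy:
    """Proxy module on the multicast control node: picks SKp or SK1 for each RP_SA_PUSH."""

    def __init__(self, preset_psk: bytes):
        self.preset_psk = preset_psk                      # SKp material, configured out of band
        self.last_distributed: Optional[RPInfo] = None    # SK1 material once one RPInfo has gone out

    def channel(self) -> tuple[str, bytes]:
        if self.last_distributed is None:
            return "SKp", self.preset_psk                 # first negotiation: preset channel
        return "SK1", self.last_distributed.auth_key      # update: channel from last RPInfo

    def push(self, rpinfo: RPInfo) -> tuple[str, bytes]:
        label, key = self.channel()
        msg = protect(key, rpinfo)
        self.last_distributed = rpinfo                    # stored state the next update depends on
        return label, msg


class MulticastMember:
    """A multicast network element that receives pushes but did not take part in the negotiation."""

    def __init__(self, preset_psk: bytes):
        self.preset_psk = preset_psk
        self.current: Optional[RPInfo] = None

    def receive_push(self, msg: bytes) -> RPInfo:
        key = self.preset_psk if self.current is None else self.current.auth_key
        self.current = unprotect(key, msg)
        return self.current


def run_flow() -> dict:
    """Constructed walk-through: first negotiation under SKp, then an update under SK1."""
    psk = b"constructed-multicast-psk"
    proxy, member = MulticastProxy(psk), MulticastMember(psk)
    initiator_supports = {5, 7}   # HMAC-SHA-256 and HMAC-SHA-512 per the illustrative code points

    # Step 108/110: proxy offers the responder's schemes; initiator picks the one it supports.
    offered = [RPInfo(2, 1, 3, bytes(20)), RPInfo(2, 2, 5, bytes(range(32)))]
    chosen1 = select_scheme(offered, initiator_supports)
    label1, push1 = proxy.push(chosen1)                   # step 112b, first time
    member.receive_push(push1)

    # A later negotiation replaces the key; distribution is now keyed by chosen1's auth key.
    chosen2 = select_scheme([RPInfo(2, 3, 5, bytes(range(32, 64)))], initiator_supports)
    label2, push2 = proxy.push(chosen2)
    member.receive_push(push2)

    # A member holding different preset material cannot accept the first push.
    try:
        MulticastMember(b"other-psk").receive_push(push1)
        rejected = False
    except ValueError:
        rejected = True
    return {"first": label1, "update": label2, "member_key_id": member.current.key_id,
            "chosen_first_key_id": chosen1.key_id, "foreign_push_rejected": rejected}
```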
Fig. 4 is the function composition schematic diagram of proxy module of the present invention, as shown in Figure 4, proxy module of the present invention mainly realizes setting up Security Association, consult routing protocol security alliance, set up escape way and send routing protocol security alliance four partial function, concrete, described proxy module is before carrying out routing protocol security alliance's negotiation, Security Association is set up with the negotiation initiator of routing protocol security alliance, under the protection of set up Security Association, the negotiation initiator of described proxy module and described routing protocol security alliance consults routing protocol security alliance, described proxy module adopts escape way that is preset or that set up, the routing protocol security alliance consulted is sent to other network elements in described network element and/or multicast group.
Fig. 5 is a schematic diagram of the composition of the routing protocol security association management apparatus of the present invention. As shown in Fig. 5, a proxy module is provided in the apparatus, and the proxy module comprises:
a security association establishment module, a routing protocol security association negotiation module, and a sending module;
the security association establishment module is used for establishing a security association between the network element provided with the proxy module and the negotiation initiator of the routing protocol security association;
the routing protocol security association negotiation module is used for negotiating, under the protection of the established security association, the routing protocol security association between the network element provided with the proxy module and the negotiation initiator;
the sending module is used for sending the negotiated routing protocol security association from the network element provided with the proxy module through a preset or established secure channel.
After receiving a negotiation request for the routing protocol security association, the proxy module notifies the negotiation initiator of all the routing protocol security association schemes that the network element to which the proxy module belongs can provide; and, after receiving the routing protocol security association scheme selected by the negotiation initiator, it notifies the other network elements in the network element and/or the multicast group.
The proxy module carries the routing protocol security association schemes that the network element can provide in the dedicated payload and so notifies the negotiation initiator;
the negotiation initiator carries the selected routing protocol security association scheme in the dedicated payload and sends it to the proxy module.
The dedicated payload carries at least one of the following items of the routing protocol security association: routing protocol identifier, security association key identifier length, security association lifetime length, security association start sequence number length, security association key identifier, security association lifetime, security association start sequence number, authentication algorithm identifier, authentication key length, and authentication key.
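How the RP_SA_PULL exchange and the dedicated payload described above fit together, as an added example in Python; this is not the patent's code or ZTE's. The patent lists the payload's fields but no wire format, so the byte layout, the one-byte length fields, the count-prefixed framing of the RPInfo payload, and the identifier values RP_OSPFV2, AUTH_HMAC_MD5 and AUTH_HMAC_SHA256 are all assumptions, and the sample keys are constructed. The decoder bounds-checks every length field so that a truncated or malformed payload is rejected instead of yielding a short key, and the proxy accepts a selection only if it is one of the schemes it actually offered.

```python
"""RPInfo payload encoding and the RP_SA_PULL scheme-selection exchange.

Added example; this is not the patent's code. The patent lists the fields of
the dedicated payload but not their wire layout, so the byte layout below, the
one-byte length fields, the message framing and the identifier values are all
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed identifier values (the patent does not assign numbers).
RP_OSPFV2 = 1          # routing protocol identifier
AUTH_HMAC_MD5 = 1      # authentication algorithm identifiers
AUTH_HMAC_SHA256 = 2


@dataclass(frozen=True)
class RoutingSA:
    """One routing protocol security association scheme (the fields the page lists)."""
    rp_id: int        # routing protocol identifier
    key_id: bytes     # security association key identifier
    lifetime: int     # security association lifetime (seconds, assumed unit)
    start_seq: int    # security association start sequence number
    auth_alg: int     # authentication algorithm identifier
    auth_key: bytes   # authentication key


def _uint_bytes(value: int) -> bytes:
    """Minimal big-endian encoding; its length is carried explicitly in the payload."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def encode_sa(sa: RoutingSA) -> bytes:
    """Serialise one scheme in the field order the page gives: identifiers and
    lengths first, then the variable-length values they describe."""
    life, seq = _uint_bytes(sa.lifetime), _uint_bytes(sa.start_seq)
    if max(len(sa.key_id), len(life), len(seq), len(sa.auth_key)) > 255:
        raise ValueError("field does not fit a one-byte length")
    return (bytes([sa.rp_id, len(sa.key_id), len(life), len(seq)])
            + sa.key_id + life + seq
            + bytes([sa.auth_alg, len(sa.auth_key)]) + sa.auth_key)


def _take(buf: bytes, off: int, n: int) -> Tuple[bytes, int]:
    """Bounds-checked slice: a truncated payload raises instead of silently
    yielding a short key."""
    if off + n > len(buf):
        raise ValueError("truncated RPInfo payload")
    return buf[off:off + n], off + n


def decode_sa(buf: bytes, off: int = 0) -> Tuple[RoutingSA, int]:
    hdr, off = _take(buf, off, 4)
    rp_id, kid_len, life_len, seq_len = hdr
    key_id, off = _take(buf, off, kid_len)
    life, off = _take(buf, off, life_len)
    seq, off = _take(buf, off, seq_len)
    tail, off = _take(buf, off, 2)
    auth_alg, key_len = tail
    auth_key, off = _take(buf, off, key_len)
    return RoutingSA(rp_id, key_id, int.from_bytes(life, "big"),
                     int.from_bytes(seq, "big"), auth_alg, auth_key), off


def encode_rpinfo(schemes: List[RoutingSA]) -> bytes:
    """RPInfo payload: a one-byte count followed by the encoded schemes."""
    if not 0 < len(schemes) <= 255:
        raise ValueError("RPInfo carries 1..255 schemes")
    return bytes([len(schemes)]) + b"".join(encode_sa(s) for s in schemes)


def decode_rpinfo(buf: bytes) -> List[RoutingSA]:
    if not buf:
        raise ValueError("empty RPInfo payload")
    count, off, schemes = buf[0], 1, []
    for _ in range(count):
        sa, off = decode_sa(buf, off)
        schemes.append(sa)
    if off != len(buf):
        raise ValueError("trailing bytes after RPInfo payload")
    return schemes


def select_scheme(offered: List[RoutingSA], supported_algs: Set[int]) -> Optional[RoutingSA]:
    """Initiator's choice: the first offered scheme whose algorithm it supports."""
    return next((sa for sa in offered if sa.auth_alg in supported_algs), None)


def rp_sa_pull(proxy_schemes: List[RoutingSA], initiator_algs: Set[int]) -> Optional[RoutingSA]:
    """Both sides of the RP_SA_PULL exchange (assumed to run inside the IKE_SA
    after authentication). Returns the agreed scheme, or None if there is none."""
    request = encode_rpinfo(proxy_schemes)          # proxy -> initiator: offered list
    chosen = select_scheme(decode_rpinfo(request), initiator_algs)
    if chosen is None:
        return None
    response = encode_rpinfo([chosen])              # initiator -> proxy: confirmation
    (accepted,) = decode_rpinfo(response)
    if accepted not in proxy_schemes:               # proxy accepts only what it offered
        raise ValueError("selected scheme was never offered")
    return accepted


# Constructed sample offer: two schemes with constructed keys.
PROXY_OFFER = [
    RoutingSA(RP_OSPFV2, b"\x01", 3600, 1, AUTH_HMAC_MD5, bytes(range(16))),
    RoutingSA(RP_OSPFV2, b"\x02", 3600, 1, AUTH_HMAC_SHA256, bytes(range(32))),
]

if __name__ == "__main__":
    print(rp_sa_pull(PROXY_OFFER, {AUTH_HMAC_SHA256}))
```

The initiator picks the first offered scheme it supports, so the proxy's ordering of the RPInfo list is what expresses its preference; an initiator that supports nothing on the list gets no security association rather than a fallback.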
Those skilled in the art will appreciate that the routing protocol security association management apparatus of the present invention is designed to implement the routing protocol security association management method described above, and the function of each unit above can be understood with reference to the description of that method. The function of each processing unit in the figure may be implemented by a program running on a processor or by dedicated logic circuitry.
The present invention also describes a routing protocol security association management system, comprising a network element provided with a proxy module and a negotiation initiator of the routing protocol security association;
the network element provided with the proxy module is used for establishing a security association with the negotiation initiator; negotiating the routing protocol security association with the negotiation initiator under the protection of the established security association; and sending the negotiated routing protocol security association through a preset or established secure channel;
the negotiation initiator is used for establishing a security association with the network element provided with the proxy module, and negotiating the routing protocol security association with that network element under the protection of the established security association.
The structure of the system is similar to an existing network configuration, except that the network elements in the network are provided with a proxy module having the functions above.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (8)

1. A routing protocol security association management method, characterized in that a proxy module for negotiating the routing protocol security association is provided in a network element; the method further comprises:
the network element provided with the proxy module and the negotiation initiator of the routing protocol security association establishing a security association;
under the protection of the established security association, the network element provided with the proxy module and the negotiation initiator negotiating the routing protocol security association;
the network element provided with the proxy module sending the negotiated routing protocol security association through a preset or established secure channel;
the method further comprising:
the network element provided with the proxy module notifying the negotiation initiator of all the routing protocol security associations it supports; and the network element provided with the proxy module receiving the routing protocol security association selected by the negotiation initiator;
the method further comprising:
setting a dedicated payload for carrying the routing protocol security association, an exchange type for negotiating the routing protocol security association, and an exchange type for distributing the routing protocol security association.
2. The method according to claim 1, characterized in that the method further comprises:
performing identity authentication after the network element provided with the proxy module and the negotiation initiator have established the security association.
3. The method according to claim 1, characterized in that the method further comprises:
when the network element provided with the proxy module and the negotiation initiator are negotiating for the first time, the proxy module presetting a secure channel, and the network element provided with the proxy module sending the negotiated routing protocol security association through that secure channel.
4. The method according to claim 1, characterized in that the method further comprises:
when the network element provided with the proxy module and the negotiation initiator are not negotiating for the first time, the proxy module establishing a secure channel using the routing protocol security association last negotiated with this negotiation initiator, and sending the newly negotiated routing protocol security association through that secure channel.
5. The method according to claim 1, characterized in that
the network element provided with the proxy module carries the routing protocol security associations it supports in the dedicated payload and notifies the negotiation initiator through the exchange type for negotiating the routing protocol security association.
6. The method according to claim 1, characterized in that the dedicated payload carries at least one of the following items of the routing protocol security association: routing protocol identifier, security association key identifier length, security association lifetime length, security association start sequence number length, security association key identifier, security association lifetime, security association start sequence number, authentication algorithm identifier, authentication key length, and authentication key.
7. A routing protocol security association management system, characterized by comprising a network element provided with a proxy module and a negotiation initiator of the routing protocol security association;
the network element provided with the proxy module is used for establishing a security association with the negotiation initiator; negotiating the routing protocol security association with the negotiation initiator under the protection of the established security association; and sending the negotiated routing protocol security association through a preset or established secure channel;
the negotiation initiator is used for establishing a security association with the network element provided with the proxy module, and negotiating the routing protocol security association with that network element under the protection of the established security association;
the network element provided with the proxy module is further used for notifying the negotiation initiator of all the routing protocol security associations it supports, and receiving the routing protocol security association selected by the negotiation initiator;
the network element provided with the proxy module is further used for setting a dedicated payload for carrying the routing protocol security association, an exchange type for negotiating the routing protocol security association, and an exchange type for distributing the routing protocol security association.
8. A routing protocol security association management apparatus, characterized in that a proxy module is provided in the apparatus, and the proxy module comprises:
a security association establishment module, a routing protocol security association negotiation module, and a sending module;
the security association establishment module is used for establishing a security association between the network element provided with the proxy module and the negotiation initiator of the routing protocol security association;
the routing protocol security association negotiation module is used for negotiating, under the protection of the established security association, the routing protocol security association between the network element provided with the proxy module and the negotiation initiator;
the sending module is used for sending the negotiated routing protocol security association from the network element provided with the proxy module through a preset or established secure channel;
the routing protocol security association management apparatus is further used for notifying the negotiation initiator of all the routing protocol security associations it supports, and receiving the routing protocol security association selected by the negotiation initiator;
the proxy module is further used for setting a dedicated payload for carrying the routing protocol security association, an exchange type for negotiating the routing protocol security association, and an exchange type for distributing the routing protocol security association.
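Claims 3 and 4 chain the distribution channel: the first negotiated security association is sent over a preset secure channel, and each later one over a channel built from the security association negotiated last time. The following Python simulation, added here and not part of the patent or ZTE's code, plays that chain from the proxy side and from the side of a receiving network element. The channel protection (HMAC-SHA256 over the message, keyed by the channel key), the message packing, the per-channel distribution counter and the constructed keys are assumptions for illustration; the patent specifies none of them.

```python
"""Secure-channel chaining for distributing the negotiated routing protocol SA.

Added example; not the patent's code. Claims 3 and 4 say the first distribution
goes over a preset secure channel and each later one over a channel built from
the SA negotiated last time. The channel protection used here (HMAC-SHA256 over
the message, keyed by the channel key), the message packing and the per-channel
distribution counter are assumptions made for illustration.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

TAG_LEN = 32
# Constructed key standing in for whatever protects the preset secure channel.
PRESET_CHANNEL_KEY = hashlib.sha256(b"constructed preset channel key").digest()
# Constructed authentication keys for three successive negotiations.
SAMPLE_AUTH_KEYS = [hashlib.sha256(b"constructed SA key %d" % i).digest() for i in (1, 2, 3)]


def _pack_sa(key_id: int, lifetime: int, auth_key: bytes) -> bytes:
    """Assumed packing of the distributed SA: key id, lifetime, key length, key."""
    return struct.pack(">BIB", key_id, lifetime, len(auth_key)) + auth_key


def _unpack_sa(body: bytes) -> Tuple[int, int, bytes]:
    key_id, lifetime, key_len = struct.unpack(">BIB", body[:6])
    if len(body) != 6 + key_len:
        raise ValueError("malformed SA distribution body")
    return key_id, lifetime, body[6:]


class ProxyDistributor:
    """Proxy module side: sends SA n under the channel keyed by SA n-1 (or the preset key)."""

    def __init__(self, preset_key: bytes) -> None:
        self.channel_key = preset_key     # first negotiation: preset secure channel
        self.counter = 0

    def distribute(self, key_id: int, lifetime: int, auth_key: bytes) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + _pack_sa(key_id, lifetime, auth_key)
        tag = hmac.new(self.channel_key, body, hashlib.sha256).digest()
        self.channel_key = auth_key       # the next distribution rides on this SA
        return body + tag


class GroupMember:
    """Receiving network element: accepts only a distribution keyed by the SA it holds."""

    def __init__(self, preset_key: bytes) -> None:
        self.channel_key = preset_key
        self.last_counter = 0
        self.active_sa: Optional[Tuple[int, int, bytes]] = None

    def receive(self, msg: bytes) -> bool:
        if len(msg) < 4 + 6 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.channel_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                  # not sent under our current SA: state unchanged
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False                  # stale or replayed distribution
        self.active_sa = _unpack_sa(body[4:])
        self.last_counter = counter
        self.channel_key = self.active_sa[2]
        return True


def run_rekey_chain() -> Tuple[bool, ...]:
    """Three successive distributions; member A sees all of them, member B misses the second."""
    proxy = ProxyDistributor(PRESET_CHANNEL_KEY)
    a, b = GroupMember(PRESET_CHANNEL_KEY), GroupMember(PRESET_CHANNEL_KEY)
    m1, m2, m3 = (proxy.distribute(i + 1, 3600, k) for i, k in enumerate(SAMPLE_AUTH_KEYS))
    return (a.receive(m1), a.receive(m2), a.receive(m3),   # A: True, True, True
            a.receive(m1),                                 # replay of m1 at A: False
            b.receive(m1), b.receive(m3))                  # B lost m2, cannot verify m3: False


if __name__ == "__main__":
    print(run_rekey_chain())
```

Running it shows the operational consequence of the chain: a member that missed one distribution still holds the older security association, so it cannot verify the next message and stays out of step until it is brought back by some path the claims do not describe (the preset channel or a fresh negotiation), which is the recovery case a deployment has to plan for.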
Application CN201010531229.XA, priority date 2010-11-03, filing date 2010-11-03: Routing protocol security alliance management method, Apparatus and system. Granted publication CN102469063B (en). Status: Expired - Fee Related.

Publications (2)

Publication Number, Publication Date
CN102469063A (en), 2012-05-23
CN102469063B (en), 2016-03-30 (granted publication)



Legal Events

Code, Title
C06, Publication
PB01, Publication
C10, Entry into substantive examination
SE01, Entry into force of request for substantive examination
C14, Grant of patent or utility model
GR01, Patent grant
CF01, Termination of patent right due to non-payment of annual fee (granted publication date: 20160330; termination date: 20201103)