CN105635154A - Flexible MACSec message encryption and authentication implementation method and device on chip - Google Patents

Info

Publication number: CN105635154A
Authority: CN (China)
Prior art keywords: message, macsec, field, module, offset
Legal status: Pending
Application number: CN201610003390.7A
Other languages: Chinese (zh)
Inventors: 单哲, 马千里
Current Assignee: Centec Networks Suzhou Co Ltd
Original Assignee: Centec Networks Suzhou Co Ltd
Application filed by Centec Networks Suzhou Co Ltd

Classifications

    • H - ELECTRICITY
    • H04 - ELECTRIC COMMUNICATION TECHNIQUE
    • H04L - TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 - Network architectures or network communication protocols for network security
    • H04L63/04 - Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 - Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12 - Applying verification of the received information
    • H04L63/123 - Applying verification of the received information received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a flexible on-chip implementation method and device for MACSec message encryption and authentication. Building on the standard MACSec message format, the method adds the MACSec frame header field after the VLAN Tag field of a message, so that the message can be forwarded in a layer-2 network even when intermediate equipment does not support the MACSec function; in addition, the MACSec frame header field can be added after an IP/MPLS Tunnel header field, so that the message can also be forwarded in a layer-3 network or an MPLS network. The method and device implement the standard MACSec functions on the chip and also provide more flexibility: the data segments that are encrypted and authenticated and the way the message is edited can be configured by users according to application requirements, which suits data encryption in WAN applications and supports multiple tunnel message encapsulation formats.

Description

Flexible on-chip implementation method and device for MACSec message encryption and authentication
Technical field
The present invention relates to MACSec encryption and authentication technology, and in particular to a flexible on-chip implementation method and implementation device for MACSec message encryption and authentication.
Background
Ethernet is the communication protocol standard most commonly used in today's LANs. It is a layer-2 media access control technology and, combined with other access media, forms a variety of broadband access technologies, including EPON and WLAN. In Ethernet applications, computers are connected by coaxial cable and share the medium through a contention mechanism; it is the most widely used LAN technology and also the mainstream technology in broadband access networks. Although Ethernet applications have developed enormously as the technology and its standards have matured, Ethernet originated in enterprise internal networks and was built on the premise that all network users trust one another. Security received little consideration, so when Ethernet is used in public networks whose users do not trust one another there are many security holes, which lead to problems such as information leakage, data corruption, propagation of invalid information and misuse of network resources. A broadcast-type communication protocol of this kind must adopt strong security measures to build a secure environment.
In 2005, the IEEE 802.1ae Media Access Control Security (MACsec) protocol was proposed, which effectively raised the security level of Ethernet. The protocol integrates security protection into wired Ethernet, protects the LAN from threats such as passive wiretapping, impersonation, man-in-the-middle and denial-of-service attacks, and reduces the attacks that layer-2 protocols are exposed to.
Standard MACSec targets only LAN (Local Area Network) applications: the data segment that is encrypted and authenticated and the way the message is edited are fixed. It is therefore not suited to data encryption in WAN (Wide Area Network) applications, does not support multiple tunnel message encapsulation formats, and offers little flexibility.
Summary of the invention
The object of the invention is to overcome the defects of the prior art by providing a flexible on-chip implementation method and device for MACSec message encryption and authentication that improve the encapsulation method of MACSec messages and thereby the flexibility of message encryption and authentication.
To achieve this object, the invention proposes the following technical solution: a flexible on-chip implementation method for MACSec message encryption and authentication, in which the MACSec message format comprises a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field, and the method comprises:
The chip receives and parses a message and determines whether the message contains a MACSec header field and whether the chip's ingress port has the MACSec function enabled. If both conditions are met, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset, then decrypts the message, uses the message authentication Offset to calculate and verify the ICV field, and afterwards forwards the message;
When the message reaches the chip's egress port for transmission, the chip first determines whether the port has the MACSec function enabled. If so, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset and the MACSec header Offset, then encrypts the message, calculates the ICV field and edits the message according to the message authentication Offset, at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset, and finally sends the encrypted message.
Preferably, the VLAN Tag field comprises a VLAN ID field, a CoS field and a CFI field.
Preferably, the MACSec message format comprises an IP Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field; at the egress port the MACSec header field is added after the IP Tunnel header field, and when the message is decrypted the IP Tunnel header is also decapsulated.
Preferably, the MACSec message format comprises an MPLS Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field; at the egress port the MACSec header field is added after the MPLS Tunnel header field, and when the message is decrypted the MPLS Tunnel header is also decapsulated.
The invention also discloses another technical solution: a flexible on-chip implementation device for MACSec message encryption and authentication, comprising an ingress port message processing module and an egress port message processing module, in which the MACSec message format comprises a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field.
The ingress port message processing module receives and parses a message and determines whether the message contains a MACSec header field and whether the chip's ingress port has the MACSec function enabled. If both conditions are met, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset, then decrypts the message, uses the message authentication Offset to calculate and verify the ICV field, and afterwards forwards the message;
The egress port message processing module operates when the message reaches the chip's egress port for transmission. It first determines whether the port has the MACSec function enabled. If so, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset and the MACSec header Offset, then encrypts the message, calculates the ICV field and edits the message according to the message authentication Offset, at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset, and finally sends the encrypted message.
Preferably, the ingress port message processing module comprises a message receiving module, a message parsing module, a MACSec header and MACSec enable judging module, a first WAN mode judging module, a message authentication Offset setting module, a decryption module and a forwarding module. The message receiving module receives the message and hands it to the message parsing module for parsing. The MACSec header and MACSec enable judging module determines whether the message contains a MACSec header field and whether the chip's ingress port has the MACSec function enabled; if both conditions are met, it hands the message to the first WAN mode judging module. The first WAN mode judging module determines whether the chip has WAN mode enabled; if so, it hands the message to the message authentication Offset setting module. The message authentication Offset setting module sets the message authentication Offset and hands the message to the decryption module for decryption. The decryption module calculates and verifies the ICV field using the message authentication Offset, and then sends the message to the forwarding module for forwarding;
The egress port message processing module comprises a MACSec enable judging module, a second WAN mode judging module, a message authentication Offset and MACSec header Offset setting module, an encryption module and a message sending module. The MACSec enable judging module determines, when the message reaches the chip's egress port for transmission, whether the port has the MACSec function enabled; if so, it hands the message to the second WAN mode judging module. The second WAN mode judging module determines whether WAN mode is in use; if so, it hands the message to the message authentication Offset and MACSec header Offset setting module, which sets the message authentication Offset and the MACSec header Offset. The encryption module encrypts the message, calculates the ICV field and edits the message according to the message authentication Offset, and at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset. The message sending module sends the encrypted message.
Preferably, the MACSec message format comprises an IP Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field; when decrypting the message, the decryption module also decapsulates the IP Tunnel header; the encryption module adds the MACSec header field after the IP Tunnel header field.
Preferably, the MACSec message format comprises an MPLS Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field; when decrypting the message, the decryption module also decapsulates the MPLS Tunnel header; the encryption module adds the MACSec header field after the MPLS Tunnel header field.
The beneficial effects of the invention are as follows: besides implementing the standard functions of MACSec on the chip, the invention adds more flexibility. The data segment that is encrypted and authenticated and the way the message is edited can be configured by the user according to application needs, which suits data encryption in WAN applications and supports multiple tunnel message encapsulation formats.
Brief description of the drawings
Fig. 1 is a schematic diagram of the message format defined by the existing MACSec standard;
Fig. 2 is a schematic diagram of the chip processing flow for existing MACSec messages;
Fig. 3 is a schematic diagram of the MACSec message format of Embodiment 1 of the invention;
Fig. 4 is a schematic diagram of the chip processing flow for MACSec messages of Embodiment 1 of the invention;
Fig. 5 is a schematic diagram of the MACSec message format of Embodiment 2 of the invention;
Fig. 6 is a schematic diagram of the MACSec message format of Embodiment 3 of the invention.
Detailed description
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings.
Fig. 1 shows the message format defined by the MACSec standard. After the MAC header field (MAC Header) comes the MACSec header field (MACSec Header), identified by an EtherType, followed by the encrypted data field (Payload). After the data field is the Integrity Check Value (ICV) field, which serves as the cryptographic check and whose authenticated content is the whole message, and after that is the Cyclic Redundancy Check (CRC) field of the whole message.
A traditional MACSec message that follows the standard format completely is processed by the flow shown in Fig. 2. Specifically, the message receiving module receives the message and passes it to the message parsing module for parsing. After parsing, the chip determines whether the message contains a MACSec Header field. If it does, and the ingress port has the MACSec function enabled, the message is sent to the decryption module, where it is decrypted and its ICV is checked according to the relevant configuration. After decryption the message enters the normal forwarding flow. If the message contains no MACSec Header, it enters the normal forwarding flow directly.
When the message reaches the egress port for transmission, the chip first determines whether the egress port has the MACSec function enabled. If so, the message is sent to the encryption module, encrypted there according to the relevant configuration, and then sent to the message sending module. If the egress port does not have the MACSec function enabled, the message is handled as an ordinary message and sent directly to the message sending module for transmission.
For a standard MACSec message, as shown in Fig. 1, the MACSec Header field immediately follows the MAC Header field. With MACSec messages built this way, every switch in the network must support MACSec to guarantee point-to-point security. If one switch does not support MACSec, the message cannot be forwarded by that device: a switch's layer-2 forwarding needs the MAC address and the VLAN information, but the VLAN information sits after the MACSec Header field and is encrypted, so a device that does not support MACSec cannot obtain the VLAN information that follows and use it to forward the message.
The invention therefore proposes a flexible on-chip implementation method for MACSec message encryption and authentication. By optimizing the encapsulation of MACSec messages, messages can still be forwarded in layer-2 networks, layer-3 networks, MPLS networks and other networks even when intermediate equipment does not support the MACSec function.
The forwarding of the invention's MACSec messages in a layer-2 network is taken first to explain the working principle of the flexible on-chip implementation method and device for MACSec message encryption and authentication.
As shown in Fig. 3, Embodiment 1 of the invention optimizes the encapsulation of the MACSec message: the MACSec Header field is placed after the virtual LAN tag (VLAN Tag), and the data field that carries the message content after the VLAN Tag field is encrypted. The improved MACSec message thus comprises a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field. The VLAN Tag is used by intermediate switches for forwarding, and its contents, namely the VLAN identifier (VLAN ID), the Class of Service (CoS) and the Canonical Format Indicator (CFI), may all be changed as the message is forwarded through intermediate switches, so these fields cannot be used for authentication. The data used to calculate the ICV can therefore only be counted from after the MACSec Header, that is, it contains only the encrypted Payload. In this way, even if an intermediate switch does not support MACSec, layer-2 forwarding can still be carried out using the VLAN Tag.
Because the encapsulation of the message has changed, the chip structure changes correspondingly. Specifically, the invention adds to the chip a first WAN mode judging module, a message authentication Offset setting module, a second WAN mode judging module, and a message authentication Offset and MACSec header Offset setting module. As shown in Fig. 4, the chip of the invention processes the optimized MACSec message as follows:
The message receiving module receives the message and passes it to the message parsing module for parsing. After parsing, the chip determines whether the message contains a MACSec Header field. If it does, and the ingress port has the MACSec function enabled, the message is sent to the first WAN mode judging module, which determines whether WAN mode is in use. If it is, the message is passed to the message authentication Offset setting module, which sets the message authentication Offset, and the message is then passed to the decryption module for decryption; if not, the message is passed directly to the decryption module for decryption. The decryption module decrypts the message according to the relevant configuration and uses the message authentication Offset to calculate and verify the ICV field. After decryption the message enters the normal forwarding flow. If the message contains no MACSec Header, it enters the normal forwarding flow directly.
When the message reaches the egress port for transmission, the chip first determines whether the port has the MACSec function enabled. If so, the message is sent to the second WAN mode judging module, which determines whether WAN mode is in use. If it is, the message is passed to the encryption module, which encrypts the message according to the relevant configuration, calculates the ICV field and edits the message according to the message authentication Offset, and at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset, so as to implement MACSec in WAN mode; the message is then sent to the message sending module. If WAN mode is not in use, the message is passed directly to the message sending module for sending. If the egress port does not have the MACSec function enabled, the message is handled as an ordinary message and sent directly to the message sending module for transmission.
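The WAN-mode handling described for Fig. 3 and Fig. 4, as an added Python example that is not part of the patent text or of any Centec code. Assumptions: all function names are hypothetical, a truncated HMAC-SHA256 stands in for the ICV algorithm, the payload is treated as already encrypted, the CRC field is omitted, and the MACSec header is an 8-byte SecTAG without SCI.

```python
import hashlib
import hmac
import struct

ETH_VLAN = 0x8100     # 802.1Q VLAN tag EtherType
ETH_MACSEC = 0x88E5   # MACsec SecTAG EtherType
SECTAG_LEN = 8        # EtherType + TCI/AN + SL + PN, no SCI (assumption)
ICV_LEN = 16


def icv(key, data):
    # Stand-in (assumption): truncated HMAC-SHA256, not the GCM-AES ICV.
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def wan_offsets(frame):
    """Offsets for the Fig. 3 layout: MACSec header right after the VLAN
    tag, ICV computed only over what follows the MACSec header."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_VLAN:
        raise ValueError("WAN layout expects a VLAN tag after the MAC header")
    header_offset = 12 + 4
    return header_offset, header_offset + SECTAG_LEN


def egress_protect(frame, key, pn, header_offset, auth_offset):
    """Insert the MACSec header at header_offset and append an ICV that
    covers the bytes from auth_offset onward."""
    sectag = struct.pack("!HBBI", ETH_MACSEC, 0x0C, 0, pn)  # TCI: E and C set
    out = frame[:header_offset] + sectag + frame[header_offset:]
    return out + icv(key, out[auth_offset:])


def find_sectag(frame):
    """Ingress parse: offset of the MACSec header, or None if absent."""
    off = 12
    if struct.unpack_from("!H", frame, off)[0] == ETH_VLAN:
        off += 4
    if struct.unpack_from("!H", frame, off)[0] == ETH_MACSEC:
        return off
    return None


def ingress_verify(frame, key, auth_offset):
    """Recompute the ICV from auth_offset and compare in constant time."""
    body, tag = frame[:-ICV_LEN], frame[-ICV_LEN:]
    return hmac.compare_digest(icv(key, body[auth_offset:]), tag)


def switch_retag(frame, vid, pcp):
    """Intermediate layer-2 switch without MACSec: rewrites VLAN ID and CoS
    when it can see a VLAN tag, otherwise cannot forward (returns None)."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_VLAN:
        return None
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


# Constructed sample input: key and frame are made up for this example.
KEY = bytes(range(16))
PLAIN = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
         + struct.pack("!HH", ETH_VLAN, (3 << 13) | 100)
         + struct.pack("!H", 0x0800) + b"constructed payload as ciphertext")


def demo():
    h_off, a_off = wan_offsets(PLAIN)
    wan = egress_protect(PLAIN, KEY, 1, h_off, a_off)
    retagged = switch_retag(wan, vid=200, pcp=0)
    flipped = bytes([retagged[-ICV_LEN - 1] ^ 1])
    tampered = retagged[:-ICV_LEN - 1] + flipped + retagged[-ICV_LEN:]
    std = egress_protect(PLAIN, KEY, 1, 12, 0)       # Fig. 1 layout
    whole = egress_protect(PLAIN, KEY, 1, h_off, 0)  # Fig. 3 layout, ICV over all
    rx_offset = find_sectag(retagged) + SECTAG_LEN
    return {
        "wan_after_retag": ingress_verify(retagged, KEY, rx_offset),
        "wan_payload_tampered": ingress_verify(tampered, KEY, a_off),
        "standard_forwardable": switch_retag(std, 200, 0) is not None,
        "whole_frame_icv_after_retag":
            ingress_verify(switch_retag(whole, 200, 0), KEY, 0),
    }


if __name__ == "__main__":
    print(demo())
```

Everything before the message authentication Offset, here the MAC addresses and the VLAN tag, lies outside the ICV, so a receiver using this layout gets no integrity guarantee for those bytes.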
The scheme of the above embodiment addresses a layer-2 network in which intermediate equipment does not support MACSec. For a layer-3 network or an MPLS network, a similar method and the same chip structure can likewise be used.
Specifically, when the message is forwarded in a layer-3 network, the corresponding message authentication Offset and MACSec Header Offset are set in the same way. At the egress port, the encryption module edits the MACSec Header in after the IP Tunnel, so that the message can cross the IP network and be decrypted at the MACSec-enabled peer. On decryption, the decryption module also decapsulates the IP Tunnel, decrypts the message, and calculates and verifies the ICV of the message using the message authentication Offset. The chip processing is similar and is not repeated here. The message encapsulation format is shown in Fig. 5: the MACSec message format comprises an IP Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field.
When the message is forwarded in an MPLS network, the corresponding message authentication Offset and MACSec Header Offset are set in the same way. At the egress port, the encryption module edits the MACSec Header in after the MPLS Tunnel, so that the message can cross the IP network and be decrypted at the MACSec-enabled peer. On decryption, the decryption module also decapsulates the MPLS Tunnel, decrypts the message, and calculates and verifies the ICV of the message using the message authentication Offset. The chip processing is similar and is not repeated here. The message encapsulation format is shown in Fig. 6: the MACSec message format comprises an MPLS Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field.
The technical content and technical features of the invention are disclosed above. Those of ordinary skill in the art may nevertheless make various substitutions and modifications based on the teaching and disclosure of the invention without departing from its spirit. The scope of protection is therefore not limited to what the embodiments disclose; it includes the various substitutions and modifications that do not depart from the invention and is covered by the claims of this patent application.

Claims (10)

1. A flexible on-chip implementation method for MACSec message encryption and authentication, characterized in that the MACSec message format comprises a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field, and the method comprises:
The chip receives and parses a message and determines whether the message contains a MACSec header field and whether the chip's ingress port has the MACSec function enabled. If both conditions are met, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset, then decrypts the message, uses the message authentication Offset to calculate and verify the ICV field, and afterwards forwards the message;
When the message reaches the chip's egress port for transmission, the chip first determines whether the port has the MACSec function enabled. If so, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset and the MACSec header Offset, then encrypts the message, calculates the ICV field and edits the message according to the message authentication Offset, at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset, and finally sends the encrypted message.
2. The on-chip implementation method according to claim 1, characterized in that the VLAN Tag field comprises a VLAN ID field, a CoS field and a CFI field.
3. The on-chip implementation method according to claim 1, characterized in that the MACSec message format comprises an IP Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field.
4. The on-chip implementation method according to claim 3, characterized in that at the egress port the MACSec header field is added after the IP Tunnel header field, and when the message is decrypted the IP Tunnel header is also decapsulated.
5. The on-chip implementation method according to claim 1, characterized in that the MACSec message format comprises an MPLS Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field.
6. The on-chip implementation method according to claim 5, characterized in that at the egress port the MACSec header field is added after the MPLS Tunnel header field, and when the message is decrypted the MPLS Tunnel header is also decapsulated.
7. A flexible on-chip implementation device for MACSec message encryption and authentication, characterized in that it comprises an ingress port message processing module and an egress port message processing module, and the MACSec message format comprises a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field,
The ingress port message processing module receives and parses a message and determines whether the message contains a MACSec header field and whether the chip's ingress port has the MACSec function enabled. If both conditions are met, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset, then decrypts the message, uses the message authentication Offset to calculate and verify the ICV field, and afterwards forwards the message;
The egress port message processing module operates when the message reaches the chip's egress port for transmission. It first determines whether the port has the MACSec function enabled. If so, it goes on to determine whether WAN mode is in use; if so, it sets the message authentication Offset and the MACSec header Offset, then encrypts the message, calculates the ICV field and edits the message according to the message authentication Offset, at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset, and finally sends the encrypted message.
8. The on-chip implementation device according to claim 7, characterized in that the ingress port message processing module comprises a message receiving module, a message parsing module, a MACSec header and MACSec enable judging module, a first WAN mode judging module, a message authentication Offset setting module, a decryption module and a forwarding module. The message receiving module receives the message and hands it to the message parsing module for parsing. The MACSec header and MACSec enable judging module determines whether the message contains a MACSec header field and whether the chip's ingress port has the MACSec function enabled; if both conditions are met, it hands the message to the first WAN mode judging module. The first WAN mode judging module determines whether the chip has WAN mode enabled; if so, it hands the message to the message authentication Offset setting module. The message authentication Offset setting module sets the message authentication Offset and hands the message to the decryption module for decryption. The decryption module calculates and verifies the ICV field using the message authentication Offset, and then sends the message to the forwarding module for forwarding;
The egress port message processing module comprises a MACSec enable judging module, a second WAN mode judging module, a message authentication Offset and MACSec header Offset setting module, an encryption module and a message sending module. The MACSec enable judging module determines, when the message reaches the chip's egress port for transmission, whether the port has the MACSec function enabled; if so, it hands the message to the second WAN mode judging module. The second WAN mode judging module determines whether WAN mode is in use; if so, it hands the message to the message authentication Offset and MACSec header Offset setting module, which sets the message authentication Offset and the MACSec header Offset. The encryption module encrypts the message, calculates the ICV field and edits the message according to the message authentication Offset, and at the same time adds the MACSec header field after the VLAN Tag field of the message according to the MACSec header Offset. The message sending module sends the encrypted message.
9. The on-chip implementation device according to claim 7, characterized in that the MACSec message format comprises an IP Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field; when decrypting the message, the decryption module also decapsulates the IP Tunnel header; the encryption module adds the MACSec header field after the IP Tunnel header field.
10. The on-chip implementation device according to claim 7, characterized in that the MACSec message format comprises an MPLS Tunnel header field, a MAC header field, a VLAN Tag field, a MACSec header field, a data field, an ICV field and a CRC field; when decrypting the message, the decryption module also decapsulates the MPLS Tunnel header; the encryption module adds the MACSec header field after the MPLS Tunnel header field.
CN201610003390.7A 2016-01-05 2016-01-05 Flexible MACSec message encryption and authentication implementation method and device on chip Pending CN105635154A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610003390.7A CN105635154A (en) 2016-01-05 2016-01-05 Flexible MACSec message encryption and authentication implementation method and device on chip

Publications (1)

Publication Number Publication Date
CN105635154A true CN105635154A (en) 2016-06-01

Family

ID=56049644

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610003390.7A Pending CN105635154A (en) 2016-01-05 2016-01-05 Flexible MACSec message encryption and authentication implementation method and device on chip

Country Status (1)

Country Link
CN (1) CN105635154A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040124A (en) * 2018-09-17 2018-12-18 盛科网络(苏州)有限公司 The method and apparatus of processing message for interchanger
CN110830393A (en) * 2019-10-22 2020-02-21 苏州盛科科技有限公司 Method and device for realizing MACsec in chip stacking mode
CN110858822A (en) * 2018-08-23 2020-03-03 北京华为数字技术有限公司 Media access control security protocol message transmission method and related device
CN112600802A (en) * 2020-12-04 2021-04-02 盛科网络(苏州)有限公司 SRv6 encrypted message and SRv6 message encryption and decryption methods and devices
CN114244626A (en) * 2021-12-31 2022-03-25 苏州盛科通信股份有限公司 Message processing method and device based on MACSec network

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101141241A (en) * 2006-09-06 2008-03-12 华为技术有限公司 Method and network appliance for implementing MAC safety
US20080123652A1 (en) * 2006-11-29 2008-05-29 Bora Akyol Method and system for tunneling macsec packets through non-macsec nodes
US8707020B1 (en) * 2010-05-13 2014-04-22 ClearCrypt, Inc. Selective exposure of feature tags in a MACSec packet
WO2014120190A1 (en) * 2013-01-31 2014-08-07 Hewlett-Packard Development Company, L.P. Network controller provisioned macsec keys

Non-Patent Citations (1)

Title
CISCO: "Configuring MACsec Encryption", 《CATALYST 3750-X AND 3560-X SWITCH SOFTWARE CONFIGURATION GUIDE》 *

Cited By (9)

Publication number Priority date Publication date Assignee Title
CN110858822A (en) * 2018-08-23 2020-03-03 北京华为数字技术有限公司 Media access control security protocol message transmission method and related device
CN109040124A (en) * 2018-09-17 2018-12-18 盛科网络(苏州)有限公司 The method and apparatus of processing message for interchanger
CN110830393A (en) * 2019-10-22 2020-02-21 苏州盛科科技有限公司 Method and device for realizing MACsec in chip stacking mode
CN110830393B (en) * 2019-10-22 2021-07-30 苏州盛科科技有限公司 Method and device for realizing MACsec in chip stacking mode
CN112600802A (en) * 2020-12-04 2021-04-02 盛科网络(苏州)有限公司 SRv6 encrypted message and SRv6 message encryption and decryption methods and devices
CN112600802B (en) * 2020-12-04 2022-04-15 苏州盛科通信股份有限公司 SRv6 encrypted message and SRv6 message encryption and decryption methods and devices
CN114244626A (en) * 2021-12-31 2022-03-25 苏州盛科通信股份有限公司 Message processing method and device based on MACSec network
WO2023124880A1 (en) * 2021-12-31 2023-07-06 苏州盛科通信股份有限公司 Packet processing method and device based on macsec network
CN114244626B (en) * 2021-12-31 2024-03-15 苏州盛科通信股份有限公司 Message processing method and device based on MACSec network

Similar Documents

Publication Publication Date Title
CN102882789B (en) A kind of data message processing method, system and equipment
CN103905180B (en) Method for enabling classical application to have access to quantum communication network
US7703132B2 (en) Bridged cryptographic VLAN
US8347377B2 (en) Bridged cryptographic VLAN
US8379638B2 (en) Security encapsulation of ethernet frames
CN105635154A (en) Flexible MACSec message encryption and authentication implementation method and device on chip
US9369550B2 (en) Protocol for layer two multiple network links tunnelling
US20090217032A1 (en) Method for generating sak, method for realizing mac security, and network device
US9806886B2 (en) Service plane encryption in IP/MPLS networks
KR20080048972A (en) Method and system for tunneling macsec packets through non-macsec nodes
CN102136987B (en) Message forwarding method and provider edge (PE) equipment for multi-protocol label switching virtual private network (MPLS VPN)
CN101572644B (en) Data encapsulation method and equipment thereof
EP3905623A1 (en) Data transmission method and apparatus, related device, and storage medium
CN114050921B (en) UDP-based high-speed encryption data transmission system realized by FPGA
CN110858822B (en) Media access control security protocol message transmission method and related device
US9106618B2 (en) Control plane encryption in IP/MPLS networks
CN107911212A (en) One kind bridge joint transmits encrypted method
CN106161386A (en) A kind of method and apparatus realizing that IPsec shunts
CN112600802B (en) SRv6 encrypted message and SRv6 message encryption and decryption methods and devices
CN113676391A (en) Data transmission method, device, communication node and storage medium
CN107135152A (en) The safety encryption of key message is transmitted in a kind of Packet Transport Network
CN115733683A (en) Method for realizing Ethernet link self-organizing encryption tunnel by adopting quantum key distribution
CN103581034B (en) Message mirroring and encrypted transmitting method
WO2022001937A1 (en) Service transmission method and apparatus, network device, and storage medium
CN116015943A (en) Privacy protection method based on multi-level tunnel confusion

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160601
