CN110061878A - Channel fault handling method and apparatus - Google Patents

Channel fault handling method and apparatus

Info

Publication number
CN110061878A
Authority
CN (China)
Prior art keywords
encrypted channel, network node, target network, value, peer node
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910331922.3A
Other languages
Chinese (zh)
Inventor
张楠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0659 Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities
    • H04L41/0661 Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities by reconfiguring faulty entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a channel fault handling method and apparatus. The method comprises: periodically performing fault detection on the encrypted channel between a target network node and its peer node; and, when the encrypted channel is determined to have failed, updating the packet number (PN) value corresponding to the encrypted channel to a preset PN threshold and performing an encrypted channel refresh operation. With the embodiments of the present invention, automatic recovery from encrypted channel faults is achieved, reducing the effect of such faults on traffic forwarding.

Description

Channel fault handling method and apparatus
Technical field
The present invention relates to the field of network communication technology, and in particular to a channel fault handling method and apparatus.
Background art
MACsec (Media Access Control Security) is a method for secure data communication on IEEE 802 local area networks, defined by the IEEE (Institute of Electrical and Electronics Engineers) in the 802.1AE standard. MACsec provides secure MAC-layer data transmission and reception services for users, including encryption of user data, integrity checking of data frames and verification of data origin authenticity.
MACsec is usually used together with the 802.1X authentication framework. After 802.1X authentication succeeds, the port identifies the frames sent by the authenticated device and uses the keys negotiated by the MKA (MACsec Key Agreement) protocol to encrypt and integrity-check the authenticated user data, so that the port does not process frames from unauthenticated devices or frames that an unauthenticated device has tampered with.
The SAK (Secure Association Key) is derived from the CAK (secure Connectivity Association Key) by a key derivation algorithm and is used to encrypt the data transmitted over the secure channel. MKA limits the number of packets that may be encrypted with one SAK: when the PN (Packet Number) used with a SAK is exhausted, that SAK is refreshed (and the corresponding encrypted channel is refreshed with it).
Because refreshing the encrypted channel at the moment the PN is exhausted may interrupt traffic until the refresh completes, a PN refresh threshold (smaller than the maximum number of packets one SAK may encrypt) can be configured, and the encrypted channel refresh is triggered when the PN value reaches that threshold.
In practice, however, current encrypted channel refresh implementations have a problem: if the channel fails before the PN reaches the refresh threshold, the PN value can no longer be incremented up to the threshold, so no channel refresh is ever triggered. The fault then cannot recover automatically, and normal traffic forwarding is affected.
Summary of the invention
The present invention provides a channel fault handling method and apparatus, to solve the problem that current encrypted channel refresh implementations cannot recover automatically from an encrypted channel fault.
According to a first aspect of the invention, a channel fault handling method is provided, applied to a target network node that supports the MACsec protocol. The method comprises:
periodically performing fault detection on the encrypted channel between the target network node and a peer node;
when the encrypted channel is determined to have failed, updating the packet number (PN) value corresponding to the encrypted channel to a preset PN threshold, and performing an encrypted channel refresh operation.
According to a second aspect of the invention, a channel fault handling apparatus is provided, applied to a target network node that supports the MACsec protocol. The apparatus comprises:
a detection unit, configured to periodically perform fault detection on the encrypted channel between the target network node and a peer node;
an updating unit, configured to update the PN value corresponding to the encrypted channel to the preset PN threshold when the encrypted channel is determined to have failed;
a processing unit, configured to perform the encrypted channel refresh operation.
With the technical solution disclosed by the invention, fault detection is performed periodically on the encrypted channel between the target network node and the peer node; when the encrypted channel is determined to have failed, the PN value corresponding to the channel is updated to the preset PN threshold and an encrypted channel refresh operation is performed. Automatic recovery from encrypted channel faults is thus achieved, reducing the effect of such faults on traffic forwarding.
Detailed description of the invention
Fig. 1 is a flow diagram of a channel fault handling method provided by an embodiment of the present invention;
Fig. 2 is an architecture diagram of a specific application scenario provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of the channel fault handling method on network node 210 provided by an embodiment of the present invention;
Fig. 4 is a flow diagram of the channel fault handling method on network node 220 provided by an embodiment of the present invention;
Fig. 5 is a structural diagram of a channel fault handling apparatus provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of another channel fault handling apparatus provided by an embodiment of the present invention.
Specific embodiment
In order that those skilled in the art may better understand the technical solutions in the embodiments of the present invention, and that the above objects, features and advantages of the embodiments may be more apparent and easier to understand, the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, a flow diagram of a channel fault handling method provided by an embodiment of the present invention, the method may comprise the following steps.
It should be noted that the channel fault handling method provided by the embodiments may be applied to any network node that supports the MACsec protocol (referred to herein as the target network node), for example a network device (such as a switch or router) or a host (such as a PC).
In addition, unless otherwise specified, the encrypted channels mentioned in the embodiments all refer to encrypted channels of the MACsec protocol.
Step 101: periodically perform fault detection on the encrypted channel between the target network node and a peer node.
In this embodiment, the target network node may periodically perform fault detection on the encrypted channel between itself and the peer node.
For example, when the target network node is the SAK server (the node that generates and distributes the SAK; in a host-oriented deployment, the access device), the peer node is the SAK client (in that deployment, the host).
When the target network node is the SAK client, the peer node is the SAK server.
For example, a timer may be created to trigger the target network node to perform fault detection on the encrypted channel between itself and the peer node (it may be called the channel detection timer; its period may be set according to the actual scenario, for example 1 second). When the channel detection timer expires, the target network node may reset the timer and perform fault detection on the encrypted channel between itself and the peer node.
In one embodiment of the present invention, the periodic fault detection on the encrypted channel between the target network node and the peer node may comprise:
periodically detecting whether the encrypted channel between the target network node and the peer node is symmetric.
In this embodiment, the target network node may determine whether the encrypted channel between itself and the peer node has failed by periodically detecting whether that channel is symmetric.
For example, if the target network node detects that the encrypted channel between itself and the peer node is asymmetric, e.g. the receive-direction encrypted channel does not exist or the transmit-direction encrypted channel does not exist, the target network node may determine that the encrypted channel between itself and the peer node has failed.
In another embodiment, the periodic fault detection on the encrypted channel between the target network node and the peer node may comprise:
periodically detecting whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not increased exceeds a preset time threshold.
In this embodiment, it is considered that when the encrypted channel between the target network node and the peer node fails, the PN value corresponding to the channel does not increase for a long time; whether the encrypted channel has failed can therefore be determined by detecting that the PN value corresponding to the channel is not increasing.
Accordingly, in this embodiment, the target network node may count the continuous time during which the PN value corresponding to the encrypted channel between itself and the peer node has not increased.
For example, the target network node may create a timer that counts the duration for which the PN value corresponding to the encrypted channel between itself and the peer node has not increased. After the encrypted channel between the target network node and the peer node is created, the timer is started; whenever the PN value corresponding to the channel increases, the timer is reset to its initial value (for example 0) and restarted. The target network node can then determine the continuous time during which the PN value has not increased by reading the timer (the difference between the value read and the timer's initial value is taken as that continuous time).
It should be noted that the PN value corresponding to an encrypted channel comprises a PN value that records the number of encrypted packets received on the channel (the receive-direction encrypted channel) and a PN value that records the number of encrypted packets sent on the channel (the transmit-direction encrypted channel). The duration without increase may therefore be counted separately for the receive-direction and the transmit-direction PN value; the specific implementation is not repeated here.
In this embodiment, if the target network node detects that the continuous time during which the PN value corresponding to the encrypted channel has not increased exceeds the preset time threshold (which may be set according to the actual scenario, for example 5 seconds or 10 seconds), the target network node may determine that the encrypted channel between itself and the peer node has failed. A PN also stops increasing when the link is simply idle, so the time threshold must be longer than any idle period expected on the link.
Step 102: when the encrypted channel is determined to have failed, update the PN value corresponding to the encrypted channel to the preset PN threshold and perform the encrypted channel refresh operation.
In this embodiment, in order to achieve automatic recovery from the encrypted channel fault, when the target network node determines that the encrypted channel between itself and the peer node has failed, it may trigger a refresh of the encrypted channel by updating the corresponding PN value to the preset PN threshold (for example 0xC0000000, three quarters of the 32-bit PN space).
For example, the target network node may update the PN value that records the number of encrypted packets received on the encrypted channel between itself and the peer node to the preset PN threshold, and/or update the PN value that records the number of encrypted packets sent on that channel to the preset threshold.
It can be seen that in the method flow shown in Fig. 1, by periodically detecting whether the encrypted channel between the node and its peer has failed and, upon detecting a failure, updating the PN value corresponding to the channel to the preset PN threshold so as to trigger a channel refresh, automatic recovery from the encrypted channel fault is achieved and the effect of the fault on traffic forwarding is reduced.
In one embodiment of the present invention, when the encrypted channel between the target network node and the peer node is determined to have failed, updating the PN value corresponding to the encrypted channel to the preset PN threshold may comprise:
incrementing the failure count corresponding to the encrypted channel and, when the failure count corresponding to the encrypted channel reaches a preset failure-count threshold, updating the PN value corresponding to the encrypted channel to the preset PN threshold.
In this embodiment, to improve the reliability of the detected encrypted channel fault and to avoid refreshing the encrypted channel too frequently, the target network node may count the number of times a fault is detected on the encrypted channel and trigger automatic fault recovery only when that number reaches the preset failure-count threshold (which may be set according to the actual scenario, for example 5).
Accordingly, when the target network node detects that the encrypted channel has failed, it may increment the failure count corresponding to the channel and judge whether the failure count has reached the preset failure-count threshold.
If the failure count corresponding to the encrypted channel has reached the preset failure-count threshold, the PN value corresponding to the encrypted channel is updated to the preset PN threshold and an encrypted channel refresh is triggered.
If the failure count corresponding to the encrypted channel has not reached the preset failure-count threshold, fault detection on the encrypted channel continues.
In one embodiment of the present invention, performing the encrypted channel refresh operation may comprise:
when the target network node is the SAK server, creating a new encrypted channel to the peer node, deleting the failed encrypted channel, and sending an encrypted channel refresh notification packet to the peer node.
In this embodiment, when the target network node is the SAK server and detects that the local PN value has reached the preset PN threshold, it may create a new encrypted channel to the peer node (the peer node of the failed encrypted channel) and delete the failed encrypted channel.
It should be noted that when the target network node, acting as SAK server, refreshes the encrypted channel it also needs to generate a new SAK; for the specific implementation refer to the existing MACsec description, which is not repeated here.
In this embodiment, after creating the new encrypted channel to the peer node and deleting the failed encrypted channel, the target network node acting as SAK server may send an encrypted channel refresh notification packet to the peer node, to notify the peer node acting as SAK client to refresh the encrypted channel.
In another embodiment of the present invention, performing the encrypted channel refresh operation may comprise:
when the target network node is the SAK client, sending to the peer node a MACsec protocol packet carrying a PN value equal to the preset PN threshold, so as to trigger the peer node to initiate the encrypted channel refresh.
In this embodiment, when the target network node is the SAK client and detects that the PN value corresponding to the encrypted channel has reached the preset PN threshold, it may send to the peer node acting as SAK server a MACsec protocol packet carrying a PN value equal to the preset PN threshold.
When the peer node acting as SAK server receives this MACsec protocol packet, it may create a new encrypted channel to the target network node, delete the failed encrypted channel, and send an encrypted channel refresh notification packet to the target network node.
To help those skilled in the art better understand the technical solutions provided by the embodiments of the present invention, these solutions are described below with reference to a specific application scenario.
Referring to Fig. 2, an architecture diagram of a specific application scenario provided by an embodiment of the present invention, the scenario comprises network node 210 and network node 220 (both supporting the MACsec protocol). An encrypted channel (comprising a receive-direction encrypted channel and a transmit-direction encrypted channel) has been established between network node 210 (assumed to be the SAK client) and network node 220 (assumed to be the SAK server).
The receive-direction encrypted channel of network node 210 is the transmit-direction encrypted channel of network node 220, and the transmit-direction encrypted channel of network node 210 is the receive-direction encrypted channel of network node 220.
The channel fault handling on network node 210 and on network node 220 is described separately below.
Embodiment one
Referring to Fig. 3, a flow diagram of the channel fault handling method on network node 210 provided by an embodiment of the present invention, the method may comprise the following steps:
Step 301: judge whether the channel detection timer has expired. If so, go to step 302; otherwise, go to step 301.
Step 302: judge whether the encrypted channel between itself and network node 220 is symmetric. If so, go to step 303; otherwise, go to step 304.
Step 303: judge whether the continuous time during which the PN value corresponding to the encrypted channel has not increased exceeds the preset time threshold. If so, go to step 304; otherwise, go to step 301.
In this embodiment, a channel detection timer (with period t, say) is created on network node 210. When the channel detection timer expires, network node 210 resets the timer and judges whether the encrypted channel between itself and network node 220 is symmetric. If it is asymmetric, the encrypted channel is determined to have failed. If it is symmetric, network node 210 further judges whether the continuous time during which the PN value corresponding to the encrypted channel has not increased exceeds the preset time threshold (T, say, for example n times the timer period, i.e. T = n*t). If it does, the encrypted channel is determined to have failed; otherwise the node waits for the next expiry of the channel detection timer and repeats the above steps.
Step 304: increment the failure count and judge whether the failure count has reached the preset failure-count threshold. If so, go to step 305; otherwise, go to step 301.
In this embodiment, when network node 210 detects that the encrypted channel is asymmetric, or that the continuous time during which a PN value corresponding to the encrypted channel (the PN value of the receive-direction channel or of the transmit-direction channel) has not increased exceeds the preset time threshold, it determines that the encrypted channel has failed, increments the failure count corresponding to the channel (e.g. failure count + 1) and judges whether the failure count has reached the preset threshold. If so, it determines that an encrypted channel refresh must be performed; otherwise it waits for the next expiry of the channel detection timer and repeats the above steps.
Step 305: update the PN value corresponding to the encrypted channel to the preset PN threshold.
Step 306: send to network node 220 a MACsec protocol packet carrying a PN value equal to the preset PN threshold, so as to trigger network node 220 to initiate the encrypted channel refresh.
Embodiment two
Referring to Fig. 4, a flow diagram of the channel fault handling method on network node 220 provided by an embodiment of the present invention, the method may comprise the following steps:
Step 401: judge whether the channel detection timer has expired. If so, go to step 402; otherwise, go to step 401.
Step 402: judge whether the encrypted channel between itself and network node 210 is symmetric. If so, go to step 403; otherwise, go to step 404.
Step 403: judge whether the continuous time during which the PN value corresponding to the encrypted channel has not increased exceeds the preset time threshold. If so, go to step 404; otherwise, go to step 401.
In this embodiment, a channel detection timer (with period t, say) is created on network node 220. When the channel detection timer expires, network node 220 resets the timer and judges whether the encrypted channel between itself and network node 210 is symmetric. If it is asymmetric, the encrypted channel is determined to have failed. If it is symmetric, network node 220 further judges whether the continuous time during which the PN value corresponding to the encrypted channel has not increased exceeds the preset time threshold (T, say, for example n times the timer period, i.e. T = n*t). If it does, the encrypted channel is determined to have failed; otherwise the node waits for the next expiry of the channel detection timer and repeats the above steps.
Step 404: increment the failure count and judge whether the failure count has reached the preset failure-count threshold. If so, go to step 405; otherwise, go to step 401.
In this embodiment, when network node 220 detects that the encrypted channel is asymmetric, or that the continuous time during which a PN value corresponding to the encrypted channel (the PN value of the receive-direction channel or of the transmit-direction channel) has not increased exceeds the preset time threshold, it determines that the encrypted channel has failed, increments the failure count corresponding to the channel (e.g. failure count + 1) and judges whether the failure count has reached the preset threshold. If so, it determines that an encrypted channel refresh must be performed; otherwise it waits for the next expiry of the channel detection timer and repeats the above steps.
Step 405: update the PN value corresponding to the encrypted channel to the preset PN threshold.
Step 406: create a new encrypted channel to network node 210, delete the failed encrypted channel, and send an encrypted channel refresh notification packet to network node 210, so as to trigger network node 210 to refresh the encrypted channel.
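The following Python simulation is an added example, not code from the patent or from New H3C. It models the detection and refresh logic of steps 101 and 102 together with the two flows above (steps 301 to 306 on the SAK client, steps 401 to 406 on the SAK server): the symmetry check, the per-direction "PN not increased" timer with T = n*t, the failure count, forcing the PN to the threshold, and the role-dependent refresh exchange. The 32-bit PN, the 0xC0000000 threshold and the roles are taken from the description; the class and message names, the simulated clock and the injected fault (the client's receive-direction channel disappearing) are this example's own assumptions. It also records whether the prior-art trigger (the PN reaching the threshold on its own) would ever have fired during the fault.

```python
"""Simulation of the MACsec channel-fault recovery of CN110061878A.
Added example, not code from the patent or New H3C: the 32-bit PN, the
0xC0000000 threshold, the SAK server/client roles and the detection steps
follow the description; names, messages, clock and fault are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PN_MAX = 0xFFFFFFFF          # packet-number space of one SAK (32-bit PN)
PN_THRESHOLD = 0xC0000000    # PN value that triggers a refresh (from the text)


@dataclass
class Direction:             # one direction (rx or tx) of the channel
    pn: int = 0
    pn_changed_at: float = 0.0   # stall-timer origin, reset whenever pn grows

    def advance(self, now: float, count: int = 1) -> None:
        self.pn = min(self.pn + count, PN_MAX)
        self.pn_changed_at = now


@dataclass
class Node:
    key_server: bool             # True: SAK server, False: SAK client
    t: float = 1.0               # channel-detection timer period
    n: int = 5                   # stall limit T = n * t
    fail_limit: int = 5          # failure count that forces a refresh
    rx: Optional[Direction] = field(default_factory=Direction)
    tx: Optional[Direction] = field(default_factory=Direction)
    sak_id: int = 0
    fail_count: int = 0
    outbox: List[Tuple[str, int]] = field(default_factory=list)

    def pn_trigger(self) -> bool:
        # Prior-art trigger: refresh only when the tx PN climbs to the threshold
        return self.tx is not None and self.tx.pn >= PN_THRESHOLD

    def channel_faulty(self, now: float) -> bool:
        # Steps 302-303: asymmetric channel, or a PN unchanged for longer than T
        if self.rx is None or self.tx is None:
            return True
        return max(now - d.pn_changed_at for d in (self.rx, self.tx)) > self.n * self.t

    def _new_channel(self, now: float, sak_id: int) -> None:
        self.sak_id, self.fail_count = sak_id, 0
        self.rx, self.tx = Direction(0, now), Direction(0, now)

    def refresh(self, now: float) -> str:
        # Step 306 / 406: the refresh operation depends on the node's role
        if self.key_server:
            self._new_channel(now, self.sak_id + 1)      # new channel, new SAK
            self.outbox.append(("refresh-notify", self.sak_id))
            return "server-refresh"
        self.outbox.append(("mkpdu-pn", PN_THRESHOLD))   # protocol packet with PN
        return "client-request"

    def on_timer(self, now: float) -> Optional[str]:
        # Steps 301-305: run each time the channel-detection timer expires
        if not self.channel_faulty(now):
            return None
        self.fail_count += 1
        if self.fail_count < self.fail_limit:
            return "counted"
        for d in (self.rx, self.tx):
            if d is not None:
                d.pn = PN_THRESHOLD                       # force PN to threshold
        return self.refresh(now)

    def on_message(self, msg: Tuple[str, int], now: float) -> Optional[str]:
        # Peer-side handling of the two message kinds produced by refresh()
        kind, value = msg
        if kind == "mkpdu-pn" and self.key_server and value >= PN_THRESHOLD:
            return self.refresh(now)
        if kind == "refresh-notify" and not self.key_server:
            self._new_channel(now, value)
            return "client-refresh"
        return None


def simulate(fail_limit: int = 5, fault_at: int = 4) -> Dict[str, object]:
    """Constructed scenario: two-way traffic, then the client's rx channel vanishes."""
    client = Node(key_server=False, fail_limit=fail_limit)
    server = Node(key_server=True, fail_limit=fail_limit)
    trace: List[Tuple[int, str, str]] = []
    prior_art_triggered = False
    for now in range(1, 20):                     # one timer period per tick
        if now == fault_at:
            client.rx = None
        for d in (client.tx, server.rx, server.tx, client.rx):
            if d is not None:
                d.advance(now, 10)               # 10 frames per tick each way
        prior_art_triggered |= client.pn_trigger() or server.pn_trigger()
        for name, node in (("client", client), ("server", server)):
            ev = node.on_timer(now)
            if ev:
                trace.append((now, name, ev))
        while client.outbox or server.outbox:    # deliver in-flight messages
            for src, dst, dname in ((client, server, "server"),
                                    (server, client, "client")):
                while src.outbox:
                    ev = dst.on_message(src.outbox.pop(0), now)
                    if ev:
                        trace.append((now, dname, ev))
    return {"trace": trace, "prior_art_triggered": prior_art_triggered,
            "client": client, "server": server}
```

Running simulate() gives a trace in which the client counts four detections, forces its PN to the threshold on the fifth and sends the MACsec protocol packet; the SAK server reacts by building the new channel and sending the refresh notification, after which both sides run on a fresh channel with PNs starting from zero, while the prior-art trigger never fires because the stalled PN stays far below 0xC0000000. The simulation does not deduplicate: if both nodes detected the same fault in one tick, the server would refresh once on its own timer and again on the client's packet, which a deployment has to handle.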
From the above description it can be seen that, in the technical solution provided by the embodiments of the present invention, fault detection is performed periodically on the encrypted channel between the target network node and the peer node; when the encrypted channel is determined to have failed, the PN value corresponding to the channel is updated to the preset PN threshold and an encrypted channel refresh operation is performed. Automatic recovery from encrypted channel faults is thus achieved, reducing the effect of such faults on traffic forwarding.
Referring to Fig. 5, a structural diagram of a channel fault handling apparatus provided by an embodiment of the present invention, the channel fault handling apparatus may be applied to the target network node of the method embodiments above. As shown in Fig. 5, the apparatus may comprise:
a detection unit 510, configured to periodically perform fault detection on the encrypted channel between the target network node and a peer node;
an updating unit 520, configured to update the packet number (PN) value corresponding to the encrypted channel to the preset PN threshold when the encrypted channel is determined to have failed;
a processing unit 530, configured to perform the encrypted channel refresh operation.
In an optional embodiment, the detection unit 510 is specifically configured to periodically detect whether the encrypted channel between the target network node and the peer node is symmetric;
and/or
the detection unit 510 is specifically configured to periodically detect whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not increased exceeds the preset time threshold.
Referring also to Fig. 6, a structural diagram of another channel fault handling apparatus provided by an embodiment of the present invention, the apparatus shown in Fig. 6 further comprises, in addition to the apparatus shown in Fig. 5:
a counting unit 540, configured to increment the failure count corresponding to the encrypted channel when the encrypted channel between the target network node and the peer node is determined to have failed;
the updating unit 520 is specifically configured to update the PN value corresponding to the encrypted channel to the preset PN threshold when the failure count corresponding to the encrypted channel reaches the preset failure-count threshold.
In an optional embodiment, the processing unit 530 is specifically configured, when the target network node is the Secure Association Key (SAK) server, to create a new encrypted channel to the peer node, delete the failed encrypted channel, and send an encrypted channel refresh notification packet to the peer node.
In an optional embodiment, the processing unit 530 is specifically configured, when the target network node is the SAK client, to send to the peer node a MACsec protocol packet carrying a PN value equal to the preset PN threshold, so as to trigger the peer node to initiate the encrypted channel refresh.
The implementation of the functions and effects of each unit of the above apparatus is described in detail in the implementation of the corresponding steps of the above method and is not repeated here.
Since the apparatus embodiments essentially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the above embodiments, fault detection is performed periodically on the encrypted channel between the target network node and the peer node; when the encrypted channel is determined to have failed, the PN value corresponding to the channel is updated to the preset PN threshold and an encrypted channel refresh operation is performed. Automatic recovery from encrypted channel faults is thus achieved, reducing the effect of such faults on traffic forwarding.
Other embodiments of the invention will readily occur to those skilled in the art after considering the specification and practising the invention disclosed here. This application is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art. The description and examples are to be considered illustrative only, with the true scope and spirit of the invention being indicated by the following claims.
It should be understood that the invention is not limited to the precise structure described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.

Claims (10)

1. A channel fault handling method, applied to a target network node supporting the Media Access Control Security (MACSec) protocol, characterized in that the method comprises:
periodically performing fault detection on the encrypted channel between the target network node and a peer node;
when the encrypted channel is determined to have failed, updating the packet number (PN) value corresponding to the encrypted channel to a default PN threshold, and performing an encrypted channel refresh operation.
2. The method according to claim 1, characterized in that periodically performing fault detection on the encrypted channel between the target network node and the peer node comprises:
periodically detecting whether the encrypted channel between the network node and the peer node is symmetric;
or/and
periodically detecting whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not grown exceeds a preset time threshold.
3. The method according to claim 1, characterized in that, when the encrypted channel between the target network node and the peer node is determined to have failed, updating the PN value corresponding to the encrypted channel to the default PN threshold comprises:
incrementing a failure count corresponding to the encrypted channel, and, when the failure count corresponding to the encrypted channel reaches a preset failure count threshold, updating the PN value corresponding to the encrypted channel to the default PN threshold.
4. The method according to claim 1, characterized in that performing the encrypted channel refresh operation comprises:
when the target network node is a Secure Association Key (SAK) server, creating a new encrypted channel with the peer node, deleting the failed encrypted channel, and sending an encrypted channel refresh notification message to the peer node.
5. The method according to claim 1, characterized in that performing the encrypted channel refresh operation comprises:
when the target network node is a SAK client, sending to the peer node a MACSec protocol message carrying a PN value equal to the default PN threshold, so as to trigger the peer node to initiate an encrypted channel refresh.
6. A channel fault handling device, applied to a target network node supporting the Media Access Control Security (MACSec) protocol, characterized in that the device comprises:
a detection unit, configured to periodically perform fault detection on the encrypted channel between the target network node and a peer node;
an updating unit, configured to update the packet number (PN) value corresponding to the encrypted channel to a default PN threshold when the encrypted channel is determined to have failed;
a processing unit, configured to perform an encrypted channel refresh operation.
7. The device according to claim 6, characterized in that
the detection unit is specifically configured to periodically detect whether the encrypted channel between the network node and the peer node is symmetric;
or/and
the detection unit is specifically configured to periodically detect whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not grown exceeds a preset time threshold.
8. The device according to claim 6, characterized in that the device further comprises:
a counting unit, configured to increment a failure count corresponding to the encrypted channel when the encrypted channel between the target network node and the peer node is determined to have failed;
the refresh unit being specifically configured to update the PN value corresponding to the encrypted channel to the default PN threshold.
9. The device according to claim 6, characterized in that
the processing unit is specifically configured to, when the target network node is a Secure Association Key (SAK) server, create a new encrypted channel with the peer node, delete the failed encrypted channel, and send an encrypted channel refresh notification message to the peer node.
10. The device according to claim 6, characterized in that
the processing unit is specifically configured to, when the target network node is a SAK client, send to the peer node a MACSec protocol message carrying a PN value equal to the default PN threshold, so as to trigger the peer node to initiate an encrypted channel refresh.
CN201910331922.3A 2019-04-24 2019-04-24 A kind of channel failure processing method and processing device Pending CN110061878A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910331922.3A CN110061878A (en) 2019-04-24 2019-04-24 A kind of channel failure processing method and processing device

Publications (1)

Publication Number  Publication Date
CN110061878A (en)   2019-07-26

Family

ID=67320438

Country Status (1)

Country Link
CN (1) CN110061878A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number   Priority date  Publication date  Assignee              Title
CN111049648A (en) *  2019-12-10     2020-04-21        杭州依赛通信有限公司  Method for ensuring reliable transmission by actively updating key of MACSec encrypted service data plane
CN111049648B (en) *  2019-12-10     2022-08-12        杭州依赛通信有限公司  Method for ensuring reliable transmission by actively updating key of MACSec encrypted service data plane

Citations (3)

* Cited by examiner, † Cited by third party
Publication number      Priority date  Publication date  Assignee                  Title
US20090307751A1 (en) *  2008-05-09     2009-12-10        Broadcom Corporation      Preserving security assocation in macsec protected network through vlan mapping
CN103209072A (en) *     2013-04-27     2013-07-17        杭州华三通信技术有限公司  MACsec (Multi-Access Computer security) key updating method and equipment
CN104022867A (en) *     2014-06-10     2014-09-03        杭州华三通信技术有限公司  Method and equipment of preprocessing soft restart of ISSU (In-Service Software Upgrade)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190726