CN110061878A - A kind of channel failure processing method and processing device - Google Patents
- Publication number: CN110061878A (application number CN201910331922.3A)
- Authority: CN (China)
- Prior art keywords: encrypted tunnel, network node, target network, value, peer node
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0654—Management of faults, events, alarms or notifications using network fault recovery
- H04L41/0659—Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities
- H04L41/0661—Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities by reconfiguring faulty entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The present invention provides a channel failure processing method and device. The method comprises: periodically performing fault detection on the encrypted channel between a target network node and a peer node; and, when it is determined that the encrypted channel has failed, updating the packet number (PN) value corresponding to the encrypted channel to a preset PN threshold and performing an encrypted channel refresh operation. With the embodiments of the present invention, automatic recovery from an encrypted channel failure can be achieved, reducing the impact of the failure on traffic forwarding.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a channel failure processing method and device.
Background technique
MACsec (Media Access Control Security) is a method for secure data communication in local area networks, defined on the basis of IEEE (Institute of Electrical and Electronics Engineers) 802. MACsec provides secure MAC-layer data transmission and reception services for users, including encryption of user data, integrity checking of data frames and verification of data origin authenticity.
MACsec is usually used together with the 802.1X authentication framework. After 802.1X authentication succeeds, the port identifies the packets sent by the authenticated device and uses the key negotiated by the MKA (MACsec Key Agreement) protocol to encrypt and integrity-check the authenticated user data, so that the port does not process packets from unauthenticated devices or packets tampered with by unauthenticated devices.
The SAK (Secure Association Key) is derived by an algorithm from the CAK (secure Connectivity Association Key) and is used to encrypt the data transmitted over the secure channel. MKA limits the number of packets that each SAK may encrypt: when the PN (Packet Number) used for encryption with a given SAK is exhausted, that SAK is refreshed (and the corresponding encrypted channel is refreshed as well).
Since refreshing the encrypted channel only when the PN is exhausted could interrupt traffic until the refresh completes, a PN refresh threshold (smaller than the maximum number of packets a SAK may encrypt) can be set, and the encrypted channel refresh is triggered when the PN value reaches that threshold.
In practice, however, with the current encrypted channel refresh implementation, if the channel fails before the PN value reaches the refresh threshold, the PN value can no longer be incremented up to the threshold and no channel refresh is triggered; the failure then cannot be recovered automatically, and normal traffic forwarding is affected.
Summary of the invention
The present invention provides a channel failure processing method and device, to solve the problem that current encrypted channel refresh implementations cannot recover automatically from an encrypted channel failure.
According to a first aspect of the invention, a channel failure processing method is provided, applied to a target network node that supports the MACsec protocol. The method comprises:
periodically performing fault detection on the encrypted channel between the target network node and a peer node; and
when it is determined that the encrypted channel has failed, updating the packet number (PN) value corresponding to the encrypted channel to a preset PN threshold, and performing an encrypted channel refresh operation.
According to a second aspect of the invention, a channel failure processing device is provided, applied to a target network node that supports the MACsec protocol. The device comprises:
a detection unit, configured to periodically perform fault detection on the encrypted channel between the target network node and a peer node;
an updating unit, configured to, when it is determined that the encrypted channel has failed, update the packet number (PN) value corresponding to the encrypted channel to a preset PN threshold; and
a processing unit, configured to perform the encrypted channel refresh operation.
With the technical solution disclosed by the invention, fault detection is performed periodically on the encrypted channel between the target network node and the peer node; when the channel is determined to have failed, its PN value is updated to the preset PN threshold and the encrypted channel refresh operation is performed. Automatic recovery from encrypted channel failure is thereby achieved, and the impact of the failure on traffic forwarding is reduced.
Detailed description of the invention
Fig. 1 is a flow diagram of a channel failure processing method provided in an embodiment of the present invention;
Fig. 2 is an architecture diagram of a specific application scenario provided in an embodiment of the present invention;
Fig. 3 is a flow diagram of the channel failure processing method on network node 210 provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of the channel failure processing method on network node 220 provided in an embodiment of the present invention;
Fig. 5 is a structural diagram of a channel failure processing device provided in an embodiment of the present invention;
Fig. 6 is a structural diagram of another channel failure processing device provided in an embodiment of the present invention.
Specific embodiment
To enable those skilled in the art to better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments more apparent and easier to understand, the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, which is a flow diagram of a channel failure processing method provided in an embodiment of the present invention, the method may comprise the following steps.
It should be noted that the channel failure processing method provided in the embodiments of the present invention may be applied to any network node that supports the MACsec protocol (referred to herein as the target network node), such as a network device (for example a switch or a router) or a host (for example a PC (Personal Computer)).
In addition, unless otherwise specified, an encrypted channel mentioned in the embodiments of the present invention refers to an encrypted channel of the MACsec protocol.
Step 101: periodically perform fault detection on the encrypted channel between the target network node and the peer node.
In the embodiment of the present invention, the target network node may periodically perform fault detection on the encrypted channel between itself and the peer node.
For example, when the target network node is the SAK server (such as the access device in host-oriented mode), the peer node is the SAK client (such as the host in host-oriented mode); when the target network node is the SAK client, the peer node is the SAK server.
For example, a timer may be created for triggering the target network node to perform fault detection on the encrypted channel between itself and the peer node (this timer may be called the channel detection timer; its length may be set according to the actual scenario, for example 1 second). When the channel detection timer expires, the target network node may reset the channel detection timer and perform fault detection on the encrypted channel between itself and the peer node.
In one embodiment of the present invention, periodically performing fault detection on the encrypted channel between the target network node and the peer node may comprise:
periodically detecting whether the encrypted channel between the target network node and the peer node is symmetric.
In this embodiment, the target network node may determine whether the encrypted channel between itself and the peer node has failed by periodically detecting whether that channel is symmetric.
For example, if the target network node detects that the encrypted channel between itself and the peer node is asymmetric, for instance the receive-direction encrypted channel does not exist or the send-direction encrypted channel does not exist, the target network node may determine that the encrypted channel between itself and the peer node has failed.
In another embodiment, periodically performing fault detection on the encrypted channel between the target network node and the peer node may comprise:
periodically detecting whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not grown exceeds a preset time threshold.
In this embodiment, it is considered that when the encrypted channel between the target network node and the peer node fails, the PN value corresponding to the channel will not increase for a long time; therefore, whether the encrypted channel has failed can be determined by detecting whether the PN value corresponding to the channel has stopped growing.
Correspondingly, in this embodiment, the target network node may count the continuous time during which the PN value corresponding to the encrypted channel between itself and the peer node has not grown.
For example, the target network node may create a timer for counting the duration during which the PN value corresponding to the encrypted channel between itself and the peer node has not grown. After the encrypted channel between the target network node and the peer node is created, the timer may be started; whenever the PN value corresponding to the channel increases, the timer's count is reset to its initial value (for example 0) and the timer is restarted. The target network node may then determine the continuous time during which the PN value corresponding to the channel has not grown by reading the timer's count (the difference between the count read and the initial value of the timer is taken as that continuous time).
It should be noted that the PN value corresponding to an encrypted channel includes a PN value recording the number of encrypted packets the channel has received (the receive-direction encrypted channel) and a PN value recording the number of encrypted packets the channel has sent (the send-direction encrypted channel); the no-growth duration may therefore be counted separately for the receive-direction and the send-direction PN values. The specific implementation is not repeated here.
In this embodiment, if the target network node detects that the continuous time during which the PN value corresponding to the encrypted channel has not grown exceeds the preset time threshold (which may be set according to the actual scenario, for example 5 seconds or 10 seconds), the target network node may determine that the encrypted channel between itself and the peer node has failed.
Step 102: when it is determined that the encrypted channel has failed, update the PN value corresponding to the encrypted channel to the preset PN threshold and perform the encrypted channel refresh operation.
In the embodiment of the present invention, in order to recover automatically from an encrypted channel failure, when the target network node determines that the encrypted channel between itself and the peer node has failed, it may trigger a refresh of the encrypted channel by updating the PN value corresponding to the channel to the preset PN threshold (for example 0xC0000000).
For example, the target network node may update the PN value that records the number of encrypted packets received on the encrypted channel between itself and the peer node to the preset PN threshold, and/or update the PN value that records the number of encrypted packets sent on that channel to the preset threshold.
It can be seen that in the method flow shown in Fig. 1, by periodically detecting whether the encrypted channel between the target network node and the peer node has failed, and, when a failure is detected, updating the PN value corresponding to the channel to the preset PN threshold so as to trigger an encrypted channel refresh, automatic recovery from the encrypted channel failure is achieved and the impact of the failure on traffic forwarding is reduced.
In one embodiment of the present invention, when it is determined that the encrypted channel between the target network node and the peer node has failed, updating the PN value corresponding to the encrypted channel to the preset PN threshold may comprise:
increasing a failure count corresponding to the encrypted channel, and, when the failure count corresponding to the encrypted channel reaches a preset failure count threshold, updating the PN value corresponding to the encrypted channel to the preset PN threshold.
In this embodiment, in order to improve the reliability of the detected encrypted channel failure and to avoid refreshing the encrypted channel too frequently, the target network node may count the number of times an encrypted channel failure is detected, and trigger automatic recovery from the failure only when that number reaches the preset failure count threshold (which may be set according to the actual scenario, for example 5 times).
Correspondingly, when the target network node detects that the encrypted channel has failed, it may increase the failure count corresponding to the encrypted channel and judge whether that failure count has reached the preset failure count threshold.
If the failure count corresponding to the encrypted channel has reached the preset failure count threshold, the PN value corresponding to the encrypted channel is updated to the preset PN threshold, triggering an encrypted channel refresh.
If the failure count corresponding to the encrypted channel has not reached the preset failure count threshold, fault detection on the encrypted channel continues.
In one embodiment of the present invention, performing the encrypted channel refresh operation may comprise:
when the target network node is the SAK server, creating a new encrypted channel with the peer node, deleting the failed encrypted channel, and sending an encrypted channel refresh notification message to the peer node.
In this embodiment, when the target network node is the SAK server and detects that the local PN value has reached the preset PN threshold, the target network node may create a new encrypted channel with the peer node (the peer node of the failed encrypted channel) and delete the failed encrypted channel.
It should be noted that when the target network node acting as SAK server refreshes the encrypted channel, it also needs to generate a new SAK; for the specific implementation, refer to the relevant description of existing MACsec, which is not repeated in the embodiments of the present invention.
In this embodiment, after the target network node acting as SAK server has created the new encrypted channel with the peer node and deleted the failed encrypted channel, it may send an encrypted channel refresh notification message to the peer node, to notify the peer node acting as SAK client to refresh the encrypted channel.
In another embodiment of the present invention, performing the encrypted channel refresh operation may comprise:
when the target network node is the SAK client, sending to the peer node a MACsec protocol message carrying a PN value equal to the preset PN threshold, to trigger the peer node to initiate the encrypted channel refresh.
In this embodiment, when the target network node is the SAK client and detects that the PN value corresponding to the encrypted channel has reached the preset PN threshold, the target network node may send to the peer node acting as SAK server a MACsec protocol message whose carried PN value is the preset PN threshold.
When the peer node acting as SAK server receives that MACsec protocol message, it may create a new encrypted channel with its peer (the target network node), delete the failed encrypted channel, and send an encrypted channel refresh notification message to the target network node.
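The detection loop of steps 101 and 102 (symmetry check, PN no-growth timer, failure counter, PN forced to the preset threshold) together with the SAK client and SAK server refresh paths just described, as a Python simulation. This is an added example, not code from the patent or from any MACsec implementation; the 1 s timer, the 5 s no-growth threshold, the failure count of 5 and the value 0xC0000000 are the page's illustrative values, while the message names, the Node and Channel classes and the traffic scenario are assumptions of this example.

```python
from dataclasses import dataclass

# Values named on the page; the concrete numbers are this example's assumptions.
PN_REFRESH_THRESHOLD = 0xC0000000   # preset PN threshold (page's example value)
DETECT_PERIOD_S = 1.0               # channel detection timer length t
NO_GROWTH_THRESHOLD_S = 5.0         # preset time threshold T = n * t, with n = 5
FAILURE_COUNT_THRESHOLD = 5         # preset failure count threshold


@dataclass
class Direction:
    """One direction (receive or send) of the encrypted channel."""
    present: bool = True        # False models an asymmetric channel
    pn: int = 0                 # packet number counted in this direction
    last_growth: float = 0.0    # when the "PN without growth" timer last restarted


@dataclass
class Channel:
    rx: Direction
    tx: Direction
    failure_count: int = 0
    generation: int = 0         # incremented each time the channel is refreshed


class Node:
    """A MACsec node; role is "server" (SAK server) or "client" (SAK client)."""
    def __init__(self, role, now=0.0):
        self.role = role
        self._new_channel(now, generation=0)

    def _new_channel(self, now, generation):
        self.channel = Channel(Direction(last_growth=now), Direction(last_growth=now),
                               generation=generation)

    def count_packet(self, direction, now):
        d = self.channel.rx if direction == "rx" else self.channel.tx
        d.pn += 1                                           # PN grows ...
        d.last_growth = now                                 # ... and its timer restarts

    def _faulty(self, now):
        ch = self.channel
        if not (ch.rx.present and ch.tx.present):           # step 302/402: asymmetric
            return True
        stalled = max(now - ch.rx.last_growth, now - ch.tx.last_growth)
        return stalled > NO_GROWTH_THRESHOLD_S              # step 303/403: PN stalled > T

    def on_detect_timer(self, now):
        """Runs when the detection timer expires; returns a message to send, if any."""
        ch = self.channel
        if not self._faulty(now):
            return None
        ch.failure_count += 1                               # step 304/404
        if ch.failure_count < FAILURE_COUNT_THRESHOLD:
            return None                                     # not confirmed yet: keep detecting
        # Step 305/405: force both PN values to the preset threshold so the ordinary
        # "PN reached the refresh threshold" path performs the refresh.
        ch.rx.pn = ch.tx.pn = PN_REFRESH_THRESHOLD
        if self.role == "server":
            return self._refresh(now)                       # step 406
        return {"type": "pn_report", "pn": PN_REFRESH_THRESHOLD}   # step 306

    def on_message(self, msg, now):
        """Handles a protocol message from the peer (message names are assumed)."""
        if msg["type"] == "pn_report" and self.role == "server":
            if msg["pn"] >= PN_REFRESH_THRESHOLD:
                return self._refresh(now)
        elif msg["type"] == "refresh_notify" and self.role == "client":
            self._new_channel(now, msg["generation"])       # client follows the server
        return None

    def _refresh(self, now):
        """SAK server: a new channel (new SAK assumed) replaces the failed one."""
        self._new_channel(now, self.channel.generation + 1)
        return {"type": "refresh_notify", "generation": self.channel.generation}


def run_stalled_client_scenario():
    """Constructed scenario: node 210 (client) and node 220 (server) exchange
    traffic for 3 s, then the client's receive direction stops growing."""
    client, server = Node("client"), Node("server")
    result = {"refreshed_at": None, "forced_pn": None, "failure_count": None,
              "server_self_triggered": False}
    for tick in range(1, 40):
        now = tick * DETECT_PERIOD_S
        client.count_packet("tx", now)        # client keeps sending ...
        server.count_packet("rx", now)        # ... and the server keeps receiving
        server.count_packet("tx", now)        # server keeps sending ...
        if now <= 3.0:                        # ... but the client stops receiving at 3 s
            client.count_packet("rx", now)
        if server.on_detect_timer(now) is not None:
            result["server_self_triggered"] = True
        msg = client.on_detect_timer(now)
        if msg is None:
            continue
        result["forced_pn"] = client.channel.rx.pn
        result["failure_count"] = client.channel.failure_count
        reply = server.on_message(msg, now)   # server creates the new channel ...
        client.on_message(reply, now)         # ... and notifies the client
        result["refreshed_at"] = now
        break
    result["client_generation"] = client.channel.generation
    result["server_generation"] = server.channel.generation
    return result
```

The client's receive-direction PN last grew at 3 s, so the first fault is counted once the stall exceeds 5 s (at 9 s), and the fifth consecutive fault at 13 s forces the PN to the threshold and drives the refresh; the server, whose both directions keep growing, never triggers on its own.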
To help those skilled in the art better understand the technical solution provided in the embodiments of the present invention, the technical solution is described below with reference to a specific application scenario.
Referring to Fig. 2, which is an architecture diagram of a specific application scenario provided in an embodiment of the present invention, the scenario comprises network node 210 and network node 220 (both supporting the MACsec protocol). An encrypted channel (comprising a receive-direction encrypted channel and a send-direction encrypted channel) has been established between network node 210 (assumed to be the SAK client) and network node 220 (assumed to be the SAK server).
The receive-direction encrypted channel of network node 210 is the send-direction encrypted channel of network node 220, and the send-direction encrypted channel of network node 210 is the receive-direction encrypted channel of network node 220.
The channel failure processing on network node 210 and on network node 220 is described separately below.
Embodiment one
Referring to Fig. 3, which is a flow diagram of the channel failure processing method on network node 210 provided in an embodiment of the present invention, the method may comprise the following steps.
Step 301: judge whether the channel detection timer has expired. If so, go to step 302; otherwise, go to step 301.
Step 302: judge whether the encrypted channel between network node 210 and network node 220 is symmetric. If so, go to step 303; otherwise, go to step 304.
Step 303: judge whether the continuous time during which the PN value corresponding to the encrypted channel has not grown exceeds the preset time threshold. If so, go to step 304.
In this embodiment, a channel detection timer (assumed to have length t) is created on network node 210. When the channel detection timer expires, network node 210 may reset the channel detection timer and judge whether the encrypted channel between itself and network node 220 is symmetric. If it is asymmetric, the encrypted channel can be determined to have failed. If it is symmetric, network node 210 further judges whether the continuous time during which the PN value corresponding to the encrypted channel has not grown exceeds the preset time threshold (assumed to be T, for example n times the length of the channel detection timer, i.e. T = n*t). If it does, the encrypted channel is determined to have failed; otherwise, the above steps are performed again when the channel detection timer next expires.
Step 304: increase the failure count, and judge whether the failure count has reached the preset failure count threshold. If so, go to step 305; otherwise, go to step 301.
In this embodiment, when network node 210 detects that the encrypted channel is asymmetric, or that the continuous time during which the PN value corresponding to the encrypted channel (the PN value of the receive-direction encrypted channel or the PN value of the send-direction encrypted channel) has not grown exceeds the preset time threshold, it may determine that the encrypted channel has failed, increase the failure count corresponding to the encrypted channel (for example failure count + 1), and judge whether the failure count has reached the preset threshold. If so, it determines that an encrypted channel refresh needs to be performed; otherwise, the above steps are performed again when the channel detection timer next expires.
Step 305: update the PN value corresponding to the encrypted channel to the preset PN threshold.
Step 306: send to network node 220 a MACsec protocol message carrying a PN value equal to the preset PN threshold, to trigger network node 220 to initiate the encrypted channel refresh.
Embodiment two
Referring to Fig. 4, which is a flow diagram of the channel failure processing method on network node 220 provided in an embodiment of the present invention, the method may comprise the following steps.
Step 401: judge whether the channel detection timer has expired. If so, go to step 402; otherwise, go to step 401.
Step 402: judge whether the encrypted channel between network node 220 and network node 210 is symmetric. If so, go to step 403; otherwise, go to step 404.
Step 403: judge whether the continuous time during which the PN value corresponding to the encrypted channel has not grown exceeds the preset time threshold. If so, go to step 404.
In this embodiment, a channel detection timer (assumed to have length t) is created on network node 220. When the channel detection timer expires, network node 220 may reset the channel detection timer and judge whether the encrypted channel between itself and network node 210 is symmetric. If it is asymmetric, the encrypted channel can be determined to have failed. If it is symmetric, network node 220 further judges whether the continuous time during which the PN value corresponding to the encrypted channel has not grown exceeds the preset time threshold (assumed to be T, for example n times the length of the channel detection timer, i.e. T = n*t). If it does, the encrypted channel is determined to have failed; otherwise, the above steps are performed again when the channel detection timer next expires.
Step 404: increase the failure count, and judge whether the failure count has reached the preset failure count threshold. If so, go to step 405; otherwise, go to step 401.
In this embodiment, when network node 220 detects that the encrypted channel is asymmetric, or that the continuous time during which the PN value corresponding to the encrypted channel (the PN value of the receive-direction encrypted channel or the PN value of the send-direction encrypted channel) has not grown exceeds the preset time threshold, it may determine that the encrypted channel has failed, increase the failure count corresponding to the encrypted channel (for example failure count + 1), and judge whether the failure count has reached the preset threshold. If so, it determines that an encrypted channel refresh needs to be performed; otherwise, the above steps are performed again when the channel detection timer next expires.
Step 405: update the PN value corresponding to the encrypted channel to the preset PN threshold.
Step 406: create a new encrypted channel with network node 210, delete the failed encrypted channel, and send an encrypted channel refresh notification message to network node 210, to trigger network node 210 to refresh the encrypted channel.
As can be seen from the above description, in the technical solution provided in the embodiments of the present invention, fault detection is performed periodically on the encrypted channel between the target network node and the peer node; when the encrypted channel is determined to have failed, the PN value corresponding to the channel is updated to the preset PN threshold and the encrypted channel refresh operation is performed. Automatic recovery from the encrypted channel failure is thereby achieved, and the impact of the failure on traffic forwarding is reduced.
Referring to Fig. 5, which is a structural diagram of a channel failure processing device provided in an embodiment of the present invention, the channel failure processing device may be applied to the target network node in the above method embodiments. As shown in Fig. 5, the channel failure processing device may comprise:
a detection unit 510, configured to periodically perform fault detection on the encrypted channel between the target network node and the peer node;
an updating unit 520, configured to, when it is determined that the encrypted channel has failed, update the packet number (PN) value corresponding to the encrypted channel to the preset PN threshold; and
a processing unit 530, configured to perform the encrypted channel refresh operation.
In an optional embodiment, the detection unit 510 is specifically configured to periodically detect whether the encrypted channel between the target network node and the peer node is symmetric;
and/or
the detection unit 510 is specifically configured to periodically detect whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not grown exceeds the preset time threshold.
Referring also to Fig. 6, which is a structural diagram of another channel failure processing device provided in an embodiment of the present invention, on the basis of the channel failure processing device shown in Fig. 5, the channel failure processing device shown in Fig. 6 further comprises:
a counting unit 540, configured to, when it is determined that the encrypted channel between the target network node and the peer node has failed, increase the failure count corresponding to the encrypted channel;
the updating unit 520 is specifically configured to update the PN value corresponding to the encrypted channel to the preset PN threshold.
In an optional embodiment, the processing unit 530 is specifically configured to, when the target network node is the secure association key (SAK) server, create a new encrypted channel with the peer node, delete the failed encrypted channel, and send an encrypted channel refresh notification message to the peer node.
In an optional embodiment, the processing unit 530 is specifically configured to, when the target network node is the SAK client, send to the peer node a MACsec protocol message carrying a PN value equal to the preset PN threshold, to trigger the peer node to initiate the encrypted channel refresh.
For the implementation process of the functions and effects of each unit in the above device, refer to the implementation process of the corresponding step in the above method; details are not repeated here.
Since the device embodiments essentially correspond to the method embodiments, reference may be made to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
As can be seen from the above embodiments, fault detection is performed periodically on the encrypted channel between the target network node and the peer node; when the encrypted channel is determined to have failed, the PN value corresponding to the channel is updated to the preset PN threshold and the encrypted channel refresh operation is performed. Automatic recovery from the encrypted channel failure is thereby achieved, and the impact of the failure on traffic forwarding is reduced.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or conventional techniques in the art not disclosed in the present invention. The description and examples are to be considered illustrative only, and the true scope and spirit of the invention are indicated by the following claims.
It should be understood that the present invention is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
Claims (10)
1. a kind of channel failure processing method, applied to the target network section for supporting the safe MACSec agreement of media access control
Point, which is characterized in that the described method includes:
Timing carries out fault detection to the encrypted tunnel between the target network node and peer node;
When determining that the encrypted tunnel breaks down, the corresponding message numbering PN value of the encrypted tunnel is updated to default PN
Thresholding, and execute encrypted tunnel refresh operation.
2. The method according to claim 1, characterized in that periodically performing fault detection on the encrypted channel between the target network node and the peer node comprises:
periodically detecting whether the encrypted channel between the network node and the peer node is symmetric;
or/and
periodically detecting whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not grown exceeds a preset time threshold.
3. The method according to claim 1, characterized in that, when the encrypted channel between the target network node and the peer node is determined to have failed, updating the PN value corresponding to the encrypted channel to the preset PN threshold comprises:
incrementing a failure count corresponding to the encrypted channel, and, when the failure count corresponding to the encrypted channel reaches a preset failure count threshold, updating the PN value corresponding to the encrypted channel to the preset PN threshold.
4. The method according to claim 1, characterized in that executing the encrypted-channel refresh operation comprises:
when the target network node is the Secure Association Key (SAK) server, creating a new encrypted channel to the peer node, deleting the failed encrypted channel, and sending an encrypted-channel refresh notification message to the peer node.
5. The method according to claim 1, characterized in that executing the encrypted-channel refresh operation comprises:
when the target network node is a SAK client, sending to the peer node a MACSec protocol message carrying a PN value equal to the preset PN threshold, so as to trigger the peer node to initiate an encrypted-channel refresh.
6. A channel fault processing device, applied to a target network node that supports the Media Access Control Security (MACSec) protocol, characterized in that the device comprises:
a detection unit, configured to periodically perform fault detection on the encrypted channel between the target network node and a peer node;
an updating unit, configured to update the packet number (PN) value corresponding to the encrypted channel to a preset PN threshold when the encrypted channel is determined to have failed;
a processing unit, configured to execute an encrypted-channel refresh operation.
7. The device according to claim 6, characterized in that:
the detection unit is specifically configured to periodically detect whether the encrypted channel between the network node and the peer node is symmetric;
or/and
the detection unit is specifically configured to periodically detect whether the continuous time during which the PN value corresponding to the encrypted channel between the target network node and the peer node has not grown exceeds a preset time threshold.
8. The device according to claim 6, characterized in that the device further comprises:
a counting unit, configured to increment the failure count corresponding to the encrypted channel when the encrypted channel between the target network node and the peer node is determined to have failed;
the refresh unit being specifically configured to update the PN value corresponding to the encrypted channel to the preset PN threshold.
9. The device according to claim 6, characterized in that:
the processing unit is specifically configured, when the target network node is the Secure Association Key (SAK) server, to create a new encrypted channel to the peer node, delete the failed encrypted channel, and send an encrypted-channel refresh notification message to the peer node.
10. The device according to claim 6, characterized in that:
the processing unit is specifically configured, when the target network node is a SAK client, to send to the peer node a MACSec protocol message carrying a PN value equal to the preset PN threshold, so as to trigger the peer node to initiate an encrypted-channel refresh.
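As an added illustration of claims 1 to 5 (example code written for this page, not code from the patent or its applicant), the following Python simulation runs the periodic detector over a constructed scenario in which the peer's traffic stops, counts consecutive faults, forces the PN to the threshold once the count is reached, and performs the role-dependent refresh. The PN threshold, stall time, failure-count threshold, detection interval and the event strings are assumptions: the claims name these thresholds without giving values, and the MACsec data plane and MKA key-server exchange are replaced by an in-memory model.

```python
"""Simulation of the channel fault handling in claims 1-5 (added example).

The MACsec data plane and MKA are replaced by an in-memory model; the numeric
thresholds, the detection interval and the message strings are assumptions
chosen for the simulation, not values taken from the patent.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List

# Assumed parameters: the claims name these thresholds but give no values.
PN_THRESHOLD = 0xFFFF_0000      # "preset PN threshold", near 32-bit PN exhaustion
STALL_SECONDS = 30.0            # "preset time threshold" for a PN that stops growing
FAILURE_COUNT_THRESHOLD = 3     # "preset failure count threshold" (claim 3)
DETECT_INTERVAL = 10.0          # period of the timed fault detection (claim 1)


class Role(Enum):
    SAK_SERVER = "SAK server"   # MKA key server: owns SAK distribution
    SAK_CLIENT = "SAK client"   # non-key-server participant


@dataclass
class EncryptedChannel:
    """Toy model of the MACsec secure channel pair towards one peer."""
    channel_id: int
    tx_sa_installed: bool = True
    rx_sa_installed: bool = True
    tx_pn: int = 1              # packet number of the local transmit SA
    deleted: bool = False


@dataclass
class TargetNode:
    role: Role
    channel: EncryptedChannel
    last_pn: int = 0
    last_pn_change: float = 0.0
    failure_count: int = 0
    next_channel_id: int = 2
    events: List[str] = field(default_factory=list)

    def detect_fault(self, now: float) -> bool:
        """Claim 2: faulty if the channel is asymmetric or/and the PN has stalled."""
        ch = self.channel
        asymmetric = ch.tx_sa_installed != ch.rx_sa_installed
        if ch.tx_pn != self.last_pn:
            self.last_pn, self.last_pn_change = ch.tx_pn, now
        stalled = (now - self.last_pn_change) > STALL_SECONDS
        return asymmetric or stalled

    def handle_fault(self, now: float) -> None:
        """Claim 3: count faults; on reaching the threshold set the PN and refresh."""
        self.failure_count += 1
        self.events.append(f"fault {self.failure_count} on channel {self.channel.channel_id}")
        if self.failure_count < FAILURE_COUNT_THRESHOLD:
            return
        self.channel.tx_pn = PN_THRESHOLD
        self.events.append(f"PN of channel {self.channel.channel_id} set to {PN_THRESHOLD:#x}")
        self.refresh_channel()
        # Start a fresh observation window on whichever channel is now active.
        self.failure_count = 0
        self.last_pn, self.last_pn_change = self.channel.tx_pn, now

    def refresh_channel(self) -> None:
        """Claims 4 and 5: the refresh depends on the node's MKA role."""
        if self.role is Role.SAK_SERVER:
            old = self.channel
            self.channel = EncryptedChannel(channel_id=self.next_channel_id)
            self.next_channel_id += 1
            old.deleted = True
            self.events.append(
                f"server: created channel {self.channel.channel_id}, "
                f"deleted channel {old.channel_id}, sent refresh notice to peer")
        else:
            # The client cannot rekey on its own; a MACSec message carrying the
            # threshold PN asks the key server to refresh (assumed trigger semantics).
            self.events.append(
                f"client: sent MACSec message with PN={PN_THRESHOLD:#x} to trigger peer refresh")

    def tick(self, now: float) -> None:
        """One run of the timed fault detection (claim 1)."""
        if self.detect_fault(now):
            self.handle_fault(now)


def run_scenario(role: Role, traffic_stops_at: float, end: float) -> TargetNode:
    """Constructed scenario: traffic flows, then the transmit PN stops growing."""
    node = TargetNode(role=role, channel=EncryptedChannel(channel_id=1))
    now = 0.0
    while now <= end:
        if now < traffic_stops_at:
            node.channel.tx_pn += 100   # constructed: frames still being sent
        node.tick(now)
        now += DETECT_INTERVAL
    return node


if __name__ == "__main__":
    for role in Role:
        print(f"--- {role.value} ---")
        for line in run_scenario(role, traffic_stops_at=20.0, end=100.0).events:
            print(line)
```

With the assumed values, traffic stops at t=20, the stall is first seen at t=50, and the third consecutive fault at t=70 forces the PN to the threshold and triggers the refresh: the SAK server replaces channel 1 with channel 2, while the SAK client only emits the PN-carrying message and waits for the peer. Forcing a near-exhaustion PN is a plausible hook because an MKA key server distributes a fresh SAK when a participant's PN approaches exhaustion; the claims appear to rely on that behaviour, but the patent text does not spell it out.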
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910331922.3A CN110061878A (en) | 2019-04-24 | 2019-04-24 | A kind of channel failure processing method and processing device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910331922.3A CN110061878A (en) | 2019-04-24 | 2019-04-24 | A kind of channel failure processing method and processing device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110061878A true CN110061878A (en) | 2019-07-26 |
Family
ID=67320438
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910331922.3A Pending CN110061878A (en) | 2019-04-24 | 2019-04-24 | A kind of channel failure processing method and processing device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110061878A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111049648A (en) * | 2019-12-10 | 2020-04-21 | 杭州依赛通信有限公司 | Method for ensuring reliable transmission by actively updating key of MACSec encrypted service data plane |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090307751A1 (en) * | 2008-05-09 | 2009-12-10 | Broadcom Corporation | Preserving security assocation in macsec protected network through vlan mapping |
CN103209072A (en) * | 2013-04-27 | 2013-07-17 | 杭州华三通信技术有限公司 | MACsec (Multi-Access Computer security) key updating method and equipment |
CN104022867A (en) * | 2014-06-10 | 2014-09-03 | 杭州华三通信技术有限公司 | Method and equipment of preprocessing soft restart of ISSU (In-Service Software Upgrade) |
Events
- 2019-04-24: application CN201910331922.3A filed in China (CN), published as CN110061878A; status Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111049648A (en) * | 2019-12-10 | 2020-04-21 | 杭州依赛通信有限公司 | Method for ensuring reliable transmission by actively updating key of MACSec encrypted service data plane |
CN111049648B (en) * | 2019-12-10 | 2022-08-12 | 杭州依赛通信有限公司 | Method for ensuring reliable transmission by actively updating key of MACSec encrypted service data plane |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11176459B2 (en) | Extracting encryption metadata and terminating malicious connections using machine learning | |
CN108737430B (en) | Encryption communication method and system for block chain node | |
US20200169539A1 (en) | System and method for a multi system trust chain | |
US8719938B2 (en) | Detecting network intrusion using a decoy cryptographic key | |
KR101498323B1 (en) | Secure communications in computer cluster systems | |
US10348755B1 (en) | Systems and methods for detecting network security deficiencies on endpoint devices | |
US10157280B2 (en) | System and method for identifying security breach attempts of a website | |
US10834170B2 (en) | Cloud authenticated offline file sharing | |
WO2016006520A1 (en) | Detection device, detection method and detection program | |
US10887307B1 (en) | Systems and methods for identifying users | |
CN109510802B (en) | Authentication method, device and system | |
CN111314381A (en) | Safety isolation gateway | |
WO2009140889A1 (en) | Data transmission control method and data transmission control apparatus | |
CN102638468A (en) | Method, sending end, receiving end and system for protecting information transmission safety | |
CN104243452B (en) | A kind of cloud computing access control method and system | |
KR102336605B1 (en) | Method and apparatus for detecting malicious traffic | |
CN115396240B (en) | Method, system and storage medium for detecting and detecting national secret SSL protocol | |
EP2507940B1 (en) | Identity based network policy enablement | |
CN110602111B (en) | Interface anti-brushing method and system based on long connection | |
CN104410580A (en) | Trusted security WiFi (Wireless Fidelity) router and data processing method thereof | |
Chen et al. | A full lifecycle authentication scheme for large-scale smart IoT applications | |
CN110061878A (en) | A kind of channel failure processing method and processing device | |
CN115037537A (en) | Abnormal traffic interception and abnormal domain name identification method, device, equipment and medium | |
Wang et al. | Detect stepping-stone intrusion by mining network traffic using k-means clustering | |
KR101375840B1 (en) | Malicious code intrusion preventing system and method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20190726 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |