CN112437098A - Data message transmission method and device

Info

Publication number
CN112437098A
Authority
CN
China
Prior art keywords
application
data message
ipv6 data
information
privacy information
Legal status
Pending
Application number
CN202011506165.8A
Other languages
Chinese (zh)
Inventor
张婉桥
黄琳
简云定
伏伟
曹鸿健
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]


Abstract

The embodiments of this specification provide a data message transmission method and device. According to the method, the application client carries application privacy information in an IPv6 data message together with first fingerprint information generated from that application privacy information, so that after the application-aware node receives the IPv6 data message from the application client, it can acquire the first fingerprint information carried in the message and generate second fingerprint information from the application privacy information in the message; if the first fingerprint information is consistent with the second fingerprint information, the IPv6 data message is forwarded using the application privacy information, otherwise the application privacy information is determined to have been tampered with.

Description

Data message transmission method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of network communication technologies, and in particular, to a method and an apparatus for transmitting a packet.
Background
With the rapid development of networks, optimal configuration of network resources has become an urgent need in network management, and APN6 (Application-aware IPv6 Network, an IPv6-based application-aware network architecture) is being used to address this pain point.
In the APN6 deployment scheme, network traffic may be classified into service classes, and different routing strategies may be adopted for different service classes, so as to optimize network resources as a whole. In the APN6 deployment scheme, an application client needs to carry information reflecting the application's network requirements in the IPv6 (Internet Protocol Version 6) data packets it sends, and therefore faces a threat of user privacy disclosure during network transmission.
Disclosure of Invention
One or more embodiments of the present specification describe a method and an apparatus for transmitting a data packet, so as to improve the transmission security of IPv6 data packets in APN6.
According to a first aspect, a method for transmitting a data packet is provided, the method comprising:
carrying application privacy information in a message header of the IPv6 data message;
generating first fingerprint information according to the application privacy information;
carrying the first fingerprint information in the IPv6 data message;
and sending the IPv6 data message carrying the first fingerprint information to an application-aware node.
In one embodiment, generating the first fingerprint information according to the application privacy information includes: performing a hash calculation on the application privacy information to obtain the first fingerprint information.
In an embodiment, before sending the IPv6 data packet carrying the first fingerprint information to the application-aware node, the method further includes:
calculating an authentication code over the first fingerprint information using a pre-acquired shared key to obtain a first authentication code, and carrying the first authentication code in a message header of the IPv6 data message;
and/or
carrying a Cyclic Redundancy Check (CRC) code and/or a timestamp in the IPv6 data message, so that the application-aware node can verify the IPv6 data message using the CRC code and/or the timestamp.
In one embodiment, carrying the first fingerprint information in the IPv6 data packet includes: carrying the first fingerprint information in a message header of the IPv6 data message, behind the application privacy information;
and/or
the message header comprises: a hop-by-hop options header (HBH), a destination options header (DOH) or a segment routing header (SRH).
In one embodiment, the application privacy information includes: at least one of an application identification and network demand information.
In one embodiment, the application client is a non-contracted, unregistered user.
According to a second aspect, a method for transmitting a data packet is provided, which is applied to an application-aware node, and includes:
receiving an IPv6 data message from an application client;
analyzing application privacy information from a message header of the IPv6 data message;
acquiring first fingerprint information carried in the IPv6 data message;
generating second fingerprint information by using the application privacy information;
if the first fingerprint information is consistent with the second fingerprint information, forwarding the IPv6 data message by using the application privacy information, otherwise, determining that the application privacy information is tampered.
In one embodiment, the first fingerprint information is obtained by the application client performing a hash calculation on the application privacy information, and is added to the IPv6 data message;
generating the second fingerprint information using the application privacy information includes: performing a hash calculation on the application privacy information received in the IPv6 data message to obtain the second fingerprint information.
In one embodiment, before forwarding the IPv6 datagram using the application privacy information, the method further includes:
acquiring a first authentication code carried in a message header of the IPv6 data message;
calculating the first fingerprint information by using a pre-acquired shared key to obtain a second authentication code;
if the first authentication code is consistent with the second authentication code, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
In an embodiment, the shared secret key is preset in the application-aware node, or is obtained by the application-aware node from the operator service end.
In one embodiment, before forwarding the IPv6 datagram using the application privacy information, the method further includes:
verifying the IPv6 data message by using a Cyclic Redundancy Check (CRC) code and/or a timestamp carried in the IPv6 data message;
if the verification is successful, executing forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
In one embodiment, the first fingerprint information is carried in the message header after the application privacy information;
and/or
the message header comprises: a hop-by-hop options header (HBH), a destination options header (DOH) or a segment routing header (SRH).
In one embodiment, the application privacy information includes: at least one of an application identification and network demand information.
According to a third aspect, there is provided a device for transmitting a data packet, where the device is disposed at an application client, and the device includes:
a fingerprint generating unit configured to generate first fingerprint information according to the application privacy information;
the message generating unit is configured to carry application privacy information in a message header of the IPv6 data message; carrying the first fingerprint information in the IPv6 data message;
and the sending processing unit is configured to send the IPv6 data message carrying the first fingerprint information to the application-aware node.
In one embodiment, the fingerprint generation unit is configured to perform a hash calculation on the application privacy information to obtain the first fingerprint information;
and/or
the message generation unit is configured to carry the first fingerprint information in the message header, located after the application privacy information.
In one embodiment, the message generating unit is further configured to: calculating the first fingerprint information by using a pre-acquired shared key to obtain a first authentication code; and carrying the first authentication code in a message header of the IPv6 data message.
In one embodiment, the message generating unit is further configured to: and carrying Cyclic Redundancy Check (CRC) codes and/or time stamps in the IPv6 data messages.
In one embodiment, the header includes: a hop-by-hop options header (HBH), a destination options header (DOH) or a segment routing header (SRH);
and/or
the application privacy information includes: at least one of an application identifier and network requirement information.
In one embodiment, the application client is a non-contracted, unregistered user.
According to a fourth aspect, there is provided a data packet transmission apparatus, disposed in an application-aware node, the apparatus including:
the receiving unit is configured to receive the IPv6 data message from the application client;
the message analysis unit is configured to analyze application privacy information from a message header of the IPv6 data message;
the fingerprint processing unit is configured to acquire first fingerprint information carried in the IPv6 data message and generate second fingerprint information by using the application privacy information;
and the forwarding processing unit is configured to judge whether the first fingerprint information and the second fingerprint information are consistent, if so, forward the IPv6 data packet by using the application privacy information, and otherwise, determine that the application privacy information is tampered.
In one embodiment, the first fingerprint information is obtained by the application client performing a hash calculation on the application privacy information, and is added to the IPv6 data message;
the fingerprint processing unit is configured to perform a hash calculation on the application privacy information to obtain the second fingerprint information.
In one embodiment, the forwarding processing unit is further configured to: before forwarding the IPv6 data message by using the application privacy information, acquiring a first authentication code carried in a message header of the IPv6 data message; calculating the first fingerprint information by using a shared secret key to obtain a second authentication code; if the first authentication code is consistent with the second authentication code, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
In one embodiment, the forwarding processing unit is further configured to: before forwarding the IPv6 data message by using the application privacy information, verifying the IPv6 data message by using a Cyclic Redundancy Check (CRC) code and/or a timestamp carried by the IPv6 data message; if the verification is successful, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
In one embodiment, the first fingerprint information is carried in the message header, located after the application privacy information;
and/or
the message header comprises: a hop-by-hop options header (HBH), a destination options header (DOH) or a segment routing header (SRH).
In one embodiment, the application privacy information includes: at least one of an application identification and network demand information.
According to a fifth aspect, there is provided a computing device comprising a memory having stored therein executable code, and a processor which, when executing the executable code, implements the method of the first or second aspect.
According to the method and device provided by the embodiments of this specification, the application client carries in the IPv6 data message not only the application privacy information but also fingerprint information representing that application privacy information, so that after receiving the IPv6 data message the application-aware node can generate fingerprint information from the application privacy information currently carried in the message and compare it with the fingerprint information carried in the message, thereby verifying whether the application privacy information has been tampered with and performing the corresponding forwarding processing on the IPv6 data message. In this way, the transmission security of IPv6 data messages in APN6 can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 illustrates a system architecture diagram to which the present description relates and is applicable;
FIG. 2 is a flowchart illustrating a method performed by an application client according to an embodiment of the present disclosure;
FIG. 3 illustrates a flowchart of a method performed by an application-aware node provided by an embodiment of the present specification;
FIG. 4 is a schematic structural diagram of an application client provided in an embodiment of the present specification;
FIG. 5 shows a schematic structural diagram of an application-aware node provided in an embodiment of this specification.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
To facilitate understanding of the methods provided herein, the system architecture to which this specification relates and applies is described first. As shown in FIG. 1, the system architecture mainly includes three kinds of network nodes: an application client, an application-aware node and an operator server.
The application client is installed and runs in a terminal device, which may include, but is not limited to, smart mobile terminals, smart home devices, network devices, wearable devices, smart medical devices, PCs (personal computers) and the like. Smart mobile devices may include cell phones, tablet computers, notebook computers, PDAs (personal digital assistants), internet-connected automobiles and the like. Smart home devices may include smart televisions, smart air conditioners, smart water heaters, smart refrigerators, smart air purifiers and the like, as well as smart door locks, smart sockets, smart lamps, smart cameras and the like. Network devices may include switches, wireless APs, servers and the like. Wearable devices may include smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (i.e., devices that support both virtual reality and augmented reality) and the like. Smart medical devices may include smart thermometers, smart blood pressure meters, smart blood glucose meters and the like.
The application client may also be various types of applications including, but not limited to, applications such as payment-type applications, multimedia play-type applications, map-type applications, text editing-type applications, financial-type applications, browser-type applications, instant messaging-type applications, and the like.
The operator server is a server device of a provider that offers network services; it may be a single server or a server group consisting of a plurality of servers. It is responsible for providing network services to various applications, such as security authentication and management of network service levels.
The application-aware node is located at the edge of the operator network, at the gateway. It is responsible for selecting a suitable routing strategy for IPv6 data according to the information indicating network requirements carried in the data messages sent by the application client, and for forwarding those data messages to the corresponding application server.
It should be understood that the number of application clients, application aware nodes, operator servers in fig. 1 is merely illustrative. Any number may be selected and laid out as desired for the implementation.
As described above, in the APN6 deployment scheme, an application client needs to carry privacy information reflecting the application's requirements in the IPv6 data packets it sends, and thus faces a threat of user privacy disclosure during network transmission. Therefore, a scheme for verifying whether the application privacy information has been tampered with is needed. Based on this idea, corresponding processing is performed in the application client and in the application-aware node respectively, so that the application-aware node can verify whether the application privacy information has been tampered with and perform the corresponding forwarding processing on the IPv6 data packet.
The following describes processing performed in the application client and the application-aware node, respectively, based on the above-described ideas.
Fig. 2 is a flowchart of a method performed by an application client according to an embodiment of the present disclosure, and as shown in fig. 2, the method may include the following steps:
step 201: carrying application privacy information in a message header of the IPv6 data message;
step 203: generating first fingerprint information according to the application privacy information;
step 205: carrying the first fingerprint information in the IPv6 data message;
step 207: sending the IPv6 data message carrying the first fingerprint information to an application-aware node.
The steps shown in FIG. 2 are explained below one by one.
First, in step 201, the application client may carry plaintext application privacy information in the IPv6 data message. The application privacy information includes at least one of an application identifier and network requirement information. That is, step 201 may carry the application identifier in plaintext, the network requirement information in plaintext, or both.
Carrying plaintext application privacy information is more suitable for the case where the application client is a non-contracted, unregistered user. For a non-contracted, unregistered user, the operator does not know in advance what the application requires of the network, and the application may choose to carry its application identifier and network configuration requirements itself, according to the extension rules of APN6.
In an embodiment of this specification, in step 201, the application privacy information may be carried in an extension header of the message. The extension header of an IPv6 data message may be an HBH (Hop-by-Hop Options Header), a DOH (Destination Options Header), an SRH (Segment Routing Header) or the like, so the application privacy information may be carried in at least one such header.
The application privacy information mainly consists of information about the user's use of the application, which reflects the application's requirements of the network. Different applications have different network requirements, and even one application has different network requirements for different uses: for example, a user performing page browsing, music playing or video playing in the same application places different demands on the network. But what the user specifically uses relates to the user's privacy and should be protected from tampering or disclosure.
Next, in step 203, fingerprint information may be generated according to the application privacy information carried in the header, and recorded as the first fingerprint information.
Since the plaintext application privacy information needs to be carried in the packet header of the IPv6 data packet, when the IPv6 data packet is transmitted in a network, the application privacy information may be tampered, and then, in order to enable a node that subsequently receives the IPv6 data packet to verify whether the application privacy information is tampered, fingerprint information that can represent the application privacy information may be generated.
In an embodiment of the present specification, a specific implementation manner of generating the first fingerprint information according to the application privacy information in step 203 may be that hash calculation is performed on the application privacy information to obtain the first fingerprint information.
Next, in step 205, the generated first fingerprint information is carried in the IPv6 data message.
Therefore, the IPv6 data packet simultaneously carries the plaintext application privacy information and the first fingerprint information representing the application privacy information.
In an embodiment of the present specification, a specific implementation manner of carrying the first fingerprint information in the IPv6 data message may include: and carrying the first fingerprint information in a message header of the IPv6 data message and behind the application privacy information.
Furthermore, in order to improve the security of message transmission, at least one of the following processes may be further included between step 205 and step 207:
Process 1: in order to further prevent the fingerprint information carried in the message from being tampered with or stolen by other applications, the application client may calculate an authentication code over the first fingerprint information using a shared key obtained in advance from the operator server (denoted as the first authentication code), and carry the first authentication code in the IPv6 data message.
As one embodiment, the manner of calculating the authentication code for the first fingerprint information using the shared key may include, but is not limited to, SHA (Secure Hash Algorithm)-1, SHA-2, SHA-3, MD5 (Message-Digest Algorithm 5), and the like.
The first authentication code may also be carried in a header of the IPv6 data packet, and for example, may be carried in the same header as the first fingerprint information and located after the first fingerprint information.
In the above process of obtaining the first authentication code, a shared key is utilized. The shared key may be preset in the application client, or may be obtained by the application client from the operator server.
Process 2: the application client may also carry verification information in the IPv6 data message, so that the application-aware node can verify the IPv6 data message using the verification information.
As one implementation, the verification information may be a CRC (Cyclic Redundancy Check) code. That is, the application client generates the CRC code of the IPv6 data message and carries it in the message, so that the application-aware node can perform an integrity check on the IPv6 data message using the CRC code. CRC code generation can be implemented using well-established techniques and is not described in detail here.
As another implementation, the verification information may be a timestamp. That is, the application client may carry the current timestamp in the IPv6 data message before sending it, so that the application-aware node can detect a replay attack on the IPv6 data message using the timestamp.
Next, in step 207, the IPv6 data message carrying the first fingerprint information is sent to the application-aware node.
The destination node of the IPv6 data packet sent by the application client is the application server side, that is, the destination address is the address of the application server side. However, in the network transmission process, since the application-aware node is an edge node of the operator network and is located at the gateway location, the IPv6 data packet is forwarded to the application server via the application-aware node.
For a non-contracted, unregistered user, the operator server does not know the identity of the user in advance and does not know the user's requirements, so plaintext application privacy information needs to be carried in the IPv6 data message. With the process shown in FIG. 2, the transmission security of IPv6 data messages of non-contracted, unregistered users can be improved.
Fig. 3 is a flowchart of a method performed by an application-aware node according to an embodiment of the present disclosure, and as shown in fig. 3, the method may include the following steps:
step 301: receiving an IPv6 data message from an application client;
step 303: analyzing application privacy information from a message header of the IPv6 data message;
step 305: acquiring first fingerprint information carried in the IPv6 data message;
step 307: generating second fingerprint information by using the application privacy information;
step 309: judging whether the first fingerprint information and the second fingerprint information are consistent; if so, executing step 311, otherwise executing step 313.
step 311: forwarding the IPv6 data packet by using the application privacy information, and ending the current process.
step 313: determining that the application privacy information is tampered.
The steps in fig. 3 are explained below.
In step 303, the application-aware node may obtain the application privacy information from a header of the IPv6 data packet, such as HBH, DOH or SRH.
In step 305, the application-aware node may obtain the first fingerprint information from a byte position located after the application privacy information in a header of the IPv6 data packet, such as HBH, DOH, or SRH.
As described for FIG. 2, the first fingerprint information may be obtained by the application client performing a hash calculation on the application privacy information held locally, and is added to the IPv6 data message; therefore, in step 307, the application-aware node may perform a hash calculation on the application privacy information in the received IPv6 data message to obtain the second fingerprint information.
The application-aware node may perform the following verification processes:
First, verifying whether the application privacy information has been tampered with.
During network transmission, the application privacy information in an IPv6 data message sent by an application client may be tampered with before the message reaches the application-aware node. Therefore, in step 309, the calculated second fingerprint information is used for verification, that is, whether the first fingerprint information and the second fingerprint information are consistent. The first fingerprint information was calculated by the application client from the application privacy information it holds locally, and the second fingerprint information is calculated by the application-aware node from the application privacy information in the message it received; if the two are the same, the application privacy information obtained by the application-aware node is identical to that at the application client and has not been tampered with, so the application-aware node may forward the IPv6 data message using the application privacy information in step 311. Otherwise, if the two differ, it may be determined that the application privacy information has been tampered with.
Second, verifying whether the fingerprint information has been tampered with.
As a preferred embodiment, the application-aware node may further verify whether the first fingerprint information carried in the IPv6 data message has been tampered with or stolen by another application. As already mentioned in the embodiment shown in fig. 2, the IPv6 data message may further carry the first authentication code through process 1 above. In this case, the application-aware node may further obtain the authentication code carried in the message header of the IPv6 data message (denoted as the first authentication code), compute an authentication code over the first fingerprint information obtained in step 305 using the shared key (denoted as the second authentication code), and compare the calculated second authentication code with the first authentication code obtained from the message. If the two authentication codes are consistent, it is determined that the first fingerprint information has not been modified, and forwarding of the IPv6 data message using the application privacy information may continue in step 311; otherwise, if the two authentication codes are inconsistent, it may be determined that the first fingerprint information has been tampered with, and the IPv6 data message may be discarded.
In the above process of obtaining the second authentication code, a shared key is utilized. The shared secret key may be preset in the application-aware node, or may be obtained by the application-aware node from the operator server.
Third, verifying whether the IPv6 data message has been tampered with.
As a preferred implementation, as mentioned in the embodiment shown in fig. 2, the IPv6 data message may further carry verification information through process 2 above. In this case, the application-aware node may further obtain the verification information carried in the IPv6 data message and verify the IPv6 data message using it. Specifically, before step 311 (forwarding the IPv6 data message using the application privacy information), the following processing is further included: verifying the IPv6 data message using a Cyclic Redundancy Check (CRC) code and/or a timestamp carried in the IPv6 data message; if the verification succeeds, forwarding the IPv6 data message using the application privacy information; otherwise, discarding the IPv6 data message.
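The three checks above, as an added example that is not code from the patent: a toy client builds the option (privacy information, fingerprint right after it, authentication code, timestamp, CRC) and a toy application-aware node applies the checks in the order the text gives. The wire layout, SHA-256 as the hash, HMAC-SHA256 as the authentication code and the 30-second freshness window are assumptions.

```python
"""Toy model of the option-header scheme above (added example, not the
patent's code). Wire layout, SHA-256 fingerprint, HMAC-SHA256 authentication
code and the freshness window are assumptions."""
import hashlib
import hmac
import struct
import zlib

FP_LEN = 32    # first/second fingerprint: SHA-256 digest (assumed)
AUTH_LEN = 32  # first/second authentication code: HMAC-SHA256 tag (assumed)
TS_LEN = 8     # timestamp: uint64 seconds
CRC_LEN = 4    # CRC32 over everything before it
MAX_SKEW = 30  # seconds of clock skew the node tolerates (assumed)


def pack_privacy(app_id: int, net_demand: bytes) -> bytes:
    """Application privacy information: application ID + network demand info."""
    return struct.pack("!IH", app_id, len(net_demand)) + net_demand


def build_option(app_id: int, net_demand: bytes, shared_key: bytes, now: int) -> bytes:
    """Application client side (fig. 2): privacy info, fingerprint right after it,
    then authentication code, timestamp and CRC."""
    privacy = pack_privacy(app_id, net_demand)
    fingerprint = hashlib.sha256(privacy).digest()                     # first fingerprint
    auth = hmac.new(shared_key, fingerprint, hashlib.sha256).digest()  # first auth code
    body = privacy + fingerprint + auth + struct.pack("!Q", now)
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_option(option: bytes, shared_key: bytes, now: int):
    """Application-aware node side (steps 305-311). Returns (verdict, privacy):
    verdict is "forward" or the name of the check that rejected the packet."""
    if len(option) < 6 + FP_LEN + AUTH_LEN + TS_LEN + CRC_LEN:
        return "truncated", None
    app_id, dlen = struct.unpack("!IH", option[:6])
    p_end, f_end = 6 + dlen, 6 + dlen + FP_LEN
    a_end = f_end + AUTH_LEN
    if a_end + TS_LEN + CRC_LEN != len(option):
        return "length", None
    privacy, fp1, auth1 = option[:p_end], option[p_end:f_end], option[f_end:a_end]
    # Check 1 (step 309): second fingerprint over the privacy info as received.
    if not hmac.compare_digest(fp1, hashlib.sha256(privacy).digest()):
        return "privacy-tampered", None
    # Check 2: second authentication code over the received fingerprint. Without the
    # shared key a modifier can rehash the privacy info but cannot produce this tag.
    if not hmac.compare_digest(auth1, hmac.new(shared_key, fp1, hashlib.sha256).digest()):
        return "fingerprint-tampered", None
    # Check 3: CRC over the whole body, then timestamp freshness.
    body, crc = option[:-CRC_LEN], option[-CRC_LEN:]
    if struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF) != crc:
        return "crc", None
    (ts,) = struct.unpack("!Q", body[-TS_LEN:])
    if abs(now - ts) > MAX_SKEW:
        return "stale", None
    return "forward", (app_id, option[6:p_end])  # step 311: forward using privacy info


def demo() -> dict:
    """Constructed samples: a valid option and three ways the node rejects one."""
    key = b"operator-provisioned-key"  # constructed; a real node gets its key from the operator server
    now = 1_700_000_000
    good = build_option(0x1234, b"low-latency", key, now)
    # Application ID rewritten in transit with nothing else updated.
    naive = struct.pack("!I", 0x9999) + good[4:]
    # Same rewrite with the fingerprint recomputed, but no shared key for the auth code.
    priv = pack_privacy(0x9999, b"low-latency")
    rehashed = priv + hashlib.sha256(priv).digest() + good[len(priv) + FP_LEN:]
    return {
        "valid": verify_option(good, key, now)[0],
        "naive": verify_option(naive, key, now)[0],
        "rehashed": verify_option(rehashed, key, now)[0],
        "replayed": verify_option(good, key, now + MAX_SKEW + 1)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>9}: {verdict}")
```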
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
According to another aspect, an apparatus for transmitting data packets is provided. Fig. 4 shows a schematic block diagram of a transmission device for data packets according to an embodiment. The device can be arranged at an application client to complete the functions of the application client in the embodiment. As shown in fig. 4, the apparatus includes:
a fingerprint generation unit 401 configured to generate first fingerprint information according to the application privacy information;
a message generating unit 402, configured to carry application privacy information in a message header of the IPv6 data message; carrying the first fingerprint information in the IPv6 data message;
and the sending processing unit 403 is configured to send the IPv6 data message carrying the first fingerprint information to the application-aware node.
In an embodiment of the apparatus described above in this specification, the fingerprint generation unit 401 is specifically configured to perform a hash calculation on the application privacy information to obtain the first fingerprint information.
In an embodiment of the apparatus described above in this specification, the message generating unit 402 is configured to carry the first fingerprint information in the header of the IPv6 data message, located after the application privacy information.
In an embodiment of the foregoing apparatus in this specification, the message generating unit 402 is further configured to: calculating the first fingerprint information by using a pre-acquired shared key to obtain a first authentication code; and carrying the first authentication code in the message header of the IPv6 data message.
In an embodiment of the foregoing apparatus in this specification, the message generating unit 402 is further configured to: before sending the IPv6 data message carrying the first fingerprint information to the application-aware node, carry a CRC code and/or a timestamp in the IPv6 data message.
In an embodiment of the foregoing apparatus in this specification, the header includes: hop-by-hop option header HBH, destination option header DOH or segment routing header SRH.
In one embodiment of the apparatus described above in this specification, the application privacy information includes: at least one of an application identification and network demand information.
In one embodiment of the present description, the application client is a non-subscribed, unregistered user.
According to another aspect, an apparatus for transmitting a data packet is provided. Fig. 5 shows a schematic block diagram of a transmission device for data packets according to an embodiment. The apparatus may be disposed in the application-aware node, and configured to complete the function of the application-aware node in the foregoing embodiment. As shown in fig. 5, the apparatus includes:
a receiving unit 501, configured to receive an IPv6 data packet from an application client;
a message parsing unit 502 configured to parse application privacy information from a message header of the IPv6 data message;
a fingerprint processing unit 503 configured to acquire first fingerprint information carried in the IPv6 data message, and generate second fingerprint information using the application privacy information;
and the forwarding processing unit 504 is configured to determine whether the first fingerprint information and the second fingerprint information are consistent, if so, perform forwarding processing on the IPv6 data packet by using the application privacy information, and otherwise, determine that the application privacy information is tampered.
In one embodiment of the apparatus shown in fig. 5, the first fingerprint information is obtained by the application client performing a hash calculation on the application privacy information, and is added to the IPv6 data message;
the fingerprint processing unit 503 is configured to: perform a hash calculation on the application privacy information to obtain the second fingerprint information.
In one embodiment of the apparatus shown in fig. 5, the forwarding processing unit 504 is further configured to: before forwarding the IPv6 data message by using the application privacy information, acquiring a first authentication code carried in a message header of the IPv6 data message; calculating the first fingerprint information by using a shared secret key to obtain a second authentication code; if the first authentication code is consistent with the second authentication code, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
In an embodiment of the apparatus shown in fig. 5, the shared secret key is preset in the application-aware node or is obtained by the application-aware node from the operator server.
In one embodiment of the apparatus shown in fig. 5, the forwarding processing unit 504 is further configured to: before forwarding the IPv6 data message by using the application privacy information, verifying the IPv6 data message by using a CRC (cyclic redundancy check) code and/or a timestamp carried by the IPv6 data message; if the verification is successful, executing forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
In one embodiment of the apparatus shown in fig. 5, the first fingerprint information is carried in the header and is located after the application privacy information.
In one embodiment of the apparatus shown in fig. 5, the header includes: hop-by-hop option header HBH, destination option header DOH or segment routing header SRH.
In one embodiment of the apparatus shown in fig. 5, the application privacy information comprises: at least one of an application identification and network demand information.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2-3.
According to an embodiment of still another aspect, there is also provided a computing device including a memory and a processor, the memory having stored therein executable code, the processor implementing the method described in conjunction with fig. 2-3 when executing the executable code.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above-mentioned embodiments, objects, technical solutions and advantages of the present invention are further described in detail, it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention should be included in the scope of the present invention.

Claims (26)

1. A method for transmitting a data message, applied to an application client, comprising the following steps:
carrying application privacy information in a message header of the IPv6 data message;
generating first fingerprint information according to the application privacy information;
carrying the first fingerprint information in the IPv6 data message;
and sending the IPv6 data message carrying the first fingerprint information to an application-aware node.
2. The method of claim 1, wherein,
the generating of the first fingerprint information according to the application privacy information comprises: and carrying out Hash calculation on the application privacy information to obtain the first fingerprint information.
3. The method according to claim 1, before said sending the IPv6 data packet carrying the first fingerprint information to the application aware node, further comprising:
calculating the first fingerprint information by using a pre-acquired shared key to obtain a first authentication code; carrying the first authentication code in a message header of the IPv6 data message;
and/or,
and carrying a Cyclic Redundancy Check (CRC) code and/or a timestamp in the IPv6 data message so that the application sensing node can verify the IPv6 data message by using the CRC code and/or the timestamp.
4. The method of claim 1, wherein the carrying of the first fingerprint information in the IPv6 data packet comprises: carrying the first fingerprint information in a message header of the IPv6 data message and behind the application privacy information;
and/or,
the message header comprises: hop-by-hop option header HBH, destination option header DOH or segment routing header SRH.
5. The method of any of claims 1-4, wherein the application privacy information comprises: at least one of an application identification and network demand information.
6. The method of any of claims 1-4, wherein the application client is a non-subscribed, unregistered user.
7. A method for transmitting a data message, applied to an application-aware node, comprising the following steps:
receiving an IPv6 data message from an application client;
parsing application privacy information from a message header of the IPv6 data message;
acquiring first fingerprint information carried in the IPv6 data message;
generating second fingerprint information by using the application privacy information;
if the first fingerprint information is consistent with the second fingerprint information, forwarding the IPv6 data message by using the application privacy information, otherwise, determining that the application privacy information is tampered.
8. The method of claim 7, wherein the first fingerprint information is obtained by the application client performing a hash calculation on the application privacy information, and is added into the IPv6 data message;
the generating of the second fingerprint information by using the application privacy information comprises: performing a hash calculation on the application privacy information in the received IPv6 data message to obtain the second fingerprint information.
9. The method of claim 7, further comprising, before forwarding the IPv6 data message using the application privacy information, the following:
acquiring a first authentication code carried in a message header of the IPv6 data message;
calculating the first fingerprint information by using a pre-acquired shared key to obtain a second authentication code;
if the first authentication code is consistent with the second authentication code, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
10. The method of claim 9, wherein the shared secret key is pre-provisioned in the application-aware node or obtained by the application-aware node from the operator server.
11. The method of claim 7, further comprising, before forwarding the IPv6 data message using the application privacy information, the following:
verifying the IPv6 data message by using a Cyclic Redundancy Check (CRC) code and/or a timestamp carried in the IPv6 data message;
if the verification is successful, executing forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
12. The method of claim 7, wherein,
the first fingerprint information is carried in the message header after the application privacy information;
and/or,
the message header comprises: hop-by-hop option header HBH, destination option header DOH or segment routing header SRH.
13. The method of any of claims 7 to 12, wherein the application privacy information comprises: at least one of an application identification and network demand information.
14. An apparatus for transmitting a data message, arranged at an application client, the apparatus comprising:
a fingerprint generating unit configured to generate first fingerprint information according to the application privacy information;
the message generating unit is configured to carry application privacy information in a message header of the IPv6 data message; carrying the first fingerprint information in the IPv6 data message;
and the sending processing unit is configured to send the IPv6 data message carrying the first fingerprint information to the application-aware node.
15. The apparatus according to claim 14, wherein the fingerprint generation unit is configured to hash the application privacy information, resulting in the first fingerprint information;
and/or,
the message generation unit is configured to carry the first fingerprint information in the message header, located after the application privacy information.
16. The apparatus of claim 14, wherein the packet generation unit is further configured to: calculating the first fingerprint information by using a pre-acquired shared key to obtain a first authentication code; and carrying the first authentication code in a message header of the IPv6 data message.
17. The apparatus of claim 14, wherein the packet generation unit is further configured to: and carrying Cyclic Redundancy Check (CRC) codes and/or time stamps in the IPv6 data messages.
18. The apparatus of any of claims 14 to 17, wherein the header comprises: hop-by-hop option header HBH, destination option header DOH or segment routing header SRH;
and/or,
the application privacy information includes: at least one of an application identification and network demand information.
19. The apparatus of any of claims 14 to 17, wherein the application client is a non-subscribed, unregistered user.
20. An apparatus for transmitting a data message, arranged at an application-aware node, the apparatus comprising:
the receiving unit is configured to receive the IPv6 data message from the application client;
the message parsing unit is configured to parse application privacy information from a message header of the IPv6 data message;
the fingerprint processing unit is configured to acquire first fingerprint information carried in the IPv6 data message and generate second fingerprint information by using the application privacy information;
and the forwarding processing unit is configured to judge whether the first fingerprint information and the second fingerprint information are consistent, if so, forward the IPv6 data packet by using the application privacy information, and otherwise, determine that the application privacy information is tampered.
21. The apparatus of claim 20, wherein,
the first fingerprint information is obtained by the application client performing a hash calculation on the application privacy information, and is added into the IPv6 data message;
the fingerprint processing unit is configured to: and carrying out Hash calculation on the application privacy information to obtain the second fingerprint information.
22. The apparatus of claim 20, wherein the forwarding processing unit is further configured to: before forwarding the IPv6 data message by using the application privacy information, acquiring a first authentication code carried in a message header of the IPv6 data message; calculating the first fingerprint information by using a shared secret key to obtain a second authentication code; if the first authentication code is consistent with the second authentication code, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
23. The apparatus of claim 20, wherein the forwarding processing unit is further configured to: before forwarding the IPv6 data message by using the application privacy information, verifying the IPv6 data message by using a Cyclic Redundancy Check (CRC) code and/or a timestamp carried by the IPv6 data message; if the verification is successful, continuing to execute forwarding processing on the IPv6 data message by using the application privacy information; otherwise, discarding the IPv6 data message.
24. The apparatus of claim 20, wherein the first fingerprint information is carried in the message header and located after the application privacy information;
and/or,
the message header comprises: hop-by-hop option header HBH, destination option header DOH or segment routing header SRH.
25. The apparatus of any of claims 20-24, wherein the application privacy information comprises: at least one of an application identification and network demand information.
26. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-13.
CN202011506165.8A 2020-12-18 2020-12-18 Data message transmission method and device Pending CN112437098A (en)

Publications (1)

Publication Number Publication Date
CN112437098A true CN112437098A (en) 2021-03-02

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105591754A (en) * 2016-02-26 2016-05-18 上海斐讯数据通信技术有限公司 Authentication header authentication method and authentication header authentication system based on SDN
CN110166474A (en) * 2019-05-29 2019-08-23 新华三信息安全技术有限公司 Message processing method and device
CN110620729A (en) * 2019-10-25 2019-12-27 新华三信息安全技术有限公司 Message forwarding method and device and message forwarding equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
何林 等 (He Lin et al.): "Application-aware Networking (APN6) based on 'IPv6+'", 《电信科学》 (Telecommunications Science) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114650536A (en) * 2022-03-31 2022-06-21 重庆长安新能源汽车科技有限公司 Intrusion detection method, system, vehicle and storage medium based on message fingerprint
CN114650536B (en) * 2022-03-31 2023-06-02 重庆长安新能源汽车科技有限公司 Intrusion detection method, system, vehicle and storage medium based on message fingerprint

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40047375; Country of ref document: HK)
RJ01 Rejection of invention patent application after publication (Application publication date: 20210302)