CN113300998A - Method and device for realizing data encryption transmission and communication system - Google Patents


Info

Publication number: CN113300998A
Authority: CN (China)
Prior art keywords: network device, information, network, entry, reflection
Legal status: Pending
Application number: CN202010107864.9A
Other languages: Chinese (zh)
Inventor: 陆达
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202010107864.9A
Publication of CN113300998A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up


Abstract

The application discloses a method and a device for realizing data encryption transmission and a communication system. A first network device in a communication network receives a first message sent by a reflection device, where the first message includes first SA information and an identifier of a second network device in the communication network, and the identifier of the second network device is used to identify the second network device. The first network device generates a first outbound direction SA entry based on the first SA information, where the first outbound direction SA entry is used for the first network device to encrypt data sent to the second network device. According to the method and the device, the SA information does not need to be manually configured in the network equipment, and the IKE negotiation does not need to be carried out between the network equipment, so that the efficiency of data encryption transmission can be improved, and the network overhead is reduced.

Description

Method and device for realizing data encryption transmission and communication system
Technical Field
The present application relates to the field of network technologies, and in particular, to a method and an apparatus for implementing data encryption transmission, and a communication system.
Background
In a software defined wide area network (SD-WAN) architecture, the underlay transport network is generally formed by the Internet, a multi-protocol label switching (MPLS) network, and/or a Long Term Evolution (LTE) network, and overlay tunnels are built on the underlay transport network to form an overlay service network through which data is transmitted. An overlay tunnel is a virtual or logical link. Each overlay tunnel corresponds to a path in the underlay transport network, which is typically made up of multiple links concatenated one after another in the underlay transport network. In order to ensure the security of data transmission, Internet Protocol Security (IPSec) needs to be configured on the overlay tunnel to implement data encryption.
The premise of IPSec secure data transfer is that a Security Association (SA) is successfully established between IPSec peers (i.e., the two endpoints running IPSec). The security association is used to agree on a number of elements between the IPSec peers, including: which security protocols are used between the IPSec peers, the characteristics of the data stream to be protected, the encapsulation mode of the data transmitted between the IPSec peers, the encryption algorithm, the authentication algorithm, the encryption key, the authentication key, the lifetime of the security association, and the like. A security association is a unidirectional logical connection, and the IPSec peers that establish it comprise an initiating end and a destination end; the security association specifies the protection mode applied to data transmitted from the initiating end to the destination end. Therefore, for bidirectional communication between two IPSec peers, at least two security associations need to be established to secure the data transmitted in the two directions.
Currently, a security association between IPSec peers may be established manually, or a security association may be established between IPSec peers through Internet Key Exchange (IKE) auto-negotiation. However, establishing the security association manually requires manually configuring all the parameters of the security association at each endpoint, so that the efficiency of IPSec secure data transmission is low. When a security association is established between IPSec peers through IKE auto-negotiation, IKE negotiation needs to be carried out for each pair of IPSec peers, which consumes more transmission resources in the negotiation process and causes larger network overhead.
Disclosure of Invention
The application provides a method and a device for realizing data encryption transmission and a communication system, which can solve the problems of low efficiency and high network overhead of IPSec safety data transmission at present.
In a first aspect, a method for implementing encrypted data transmission is provided. A first network device in a communication network receives a first message sent by a reflection device, where the first message includes first SA information and an identifier of a second network device in the communication network, and the identifier of the second network device is used to identify the second network device. The first network device generates a first outbound direction SA entry based on the first SA information, where the first outbound direction SA entry is used for the first network device to encrypt data sent to the second network device.
The second network device may generate a first inbound direction SA entry based on the first SA information, where the first inbound direction SA entry is used for the second network device to decrypt the received data sent by the first network device.
Optionally, the first SA information includes a security protocol used, a security parameter index, and an SA attribute. The SA attributes include one or more of an aging type, an aging value, an encapsulation mode, an encryption algorithm, an authentication algorithm, an encryption key, and an authentication key.
In the application, the SA entry in the outgoing direction is used for the first network device to encrypt data sent to the second network device, and the SA entry in the incoming direction is used for the second network device to decrypt received data sent by the first network device, so that encrypted data transmission in the direction from the first network device to the second network device can be realized. In the process of realizing data encryption transmission between network devices, only the network devices need to send messages containing SA information through a target tunnel, and the SA information does not need to be manually configured in the network devices, and IKE negotiation does not need to be carried out between the network devices, so that the efficiency of realizing data encryption transmission is higher, less transmission resources are consumed in the process of realizing data encryption transmission, and the network overhead is lower.
Optionally, the first packet is sent to the reflection device by the second network device, or the first packet is generated by the reflection device.
In the application, the message containing the SA information is sent to the network equipment through the reflection equipment, the SA information does not need to be manually configured in the network equipment, and IKE negotiation does not need to be carried out between the network equipment, so that the efficiency of realizing data encryption transmission is higher, transmission resources consumed in the data encryption transmission process are less, and the network overhead is lower.
Optionally, the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
In the application, the SA information is carried in the routing attribute list field of the BGP updating message for transmission, the existing transmission protocol does not need to be changed, and the implementation compatibility of the scheme is ensured.
In one implementation, the first message is generated by the reflection device. After the reflection device acquires the first SA information, it generates a first message including the first SA information. After the first network device receives the first message sent by the reflection device, the first network device generates a first inbound direction SA entry based on the first SA information, where the first inbound direction SA entry is used for the first network device to decrypt the received data sent by the second network device.
In the application, the message containing the SA information is sent to the network device through the reflection device, and the network device can generate the inbound direction SA entry and/or the outbound direction SA entry according to the SA information and thereby realize data encryption transmission; the SA information does not need to be manually configured in the network device, and IKE negotiation does not need to be carried out between the network devices, so that the efficiency of realizing data encryption transmission is higher, less transmission resources are consumed in the data encryption transmission process, and the network overhead is lower.
Optionally, the process of the first network device generating the first outbound direction SA entry based on the first SA information includes: when the first network device receives an outbound direction SA entry generation instruction sent by the reflection device, the first network device generates the first outbound direction SA entry based on the first SA information.
In another implementation, the first message is sent by the second network device to the reflection device. The first network device may acquire second SA information. The first network device generates a second inbound direction SA entry based on the second SA information. The first network device sends a second message to the second network device, where the second message includes the second SA information and an identifier of the first network device, the second SA information is used for the second network device to generate a second outbound direction SA entry, and the identifier of the first network device is used for identifying the first network device. The second outbound direction SA entry is used by the second network device to encrypt data sent to the first network device, and the second inbound direction SA entry is used by the first network device to decrypt received data sent by the second network device.
In the application, the second outbound direction SA entry is used for the second network device to encrypt data sent to the first network device, and the second inbound direction SA entry is used for the first network device to decrypt received data sent by the second network device, so that encrypted transmission of data in the direction from the second network device to the first network device can be achieved. In the process of realizing data encryption transmission between network devices, the network devices only need to send messages containing SA information through a target tunnel; the SA information does not need to be manually configured in the network devices, and IKE negotiation does not need to be carried out between the network devices, so that the efficiency of realizing data encryption transmission is higher, less transmission resources are consumed in the process of realizing data encryption transmission, and the network overhead is lower.
Optionally, the process of the first network device acquiring the second SA information includes: the first network device receives the second SA information sent by the control device.
In a second aspect, a method for implementing encrypted data transmission is provided. A reflection device in the communication network acquires the first SA information. The reflection device sends a first message to a first network device in the communication network, where the first message comprises the first SA information and an identifier of a second network device in the communication network. The first SA information is used by the first network device to generate a first outbound direction SA entry, the identifier of the second network device is used to identify the second network device, and the first outbound direction SA entry is used by the first network device to encrypt data sent to the second network device.
Optionally, the first SA information includes a security protocol used, a security parameter index, and an SA attribute. The SA attributes include one or more of an aging type, an aging value, an encapsulation mode, an encryption algorithm, an authentication algorithm, an encryption key, and an authentication key.
In one implementation, the process of the reflection device acquiring the first SA information includes: the reflection device receives the first message sent by the second network device. Correspondingly, the process of the reflection device sending the first message to the first network device includes: the reflection device forwards the first message to the first network device.
In another implementation, the process of the reflection device acquiring the first SA information includes: the reflection device receives the first SA information sent by the control device.
Optionally, after the reflection device sends the first message to the first network device, the reflection device may further send an outbound direction SA entry generation instruction to the first network device, where the outbound direction SA entry generation instruction is used to instruct the first network device to generate the first outbound direction SA entry based on the first SA information.
Optionally, the first message is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
In a third aspect, an apparatus for implementing encrypted data transmission is provided. The apparatus comprises a plurality of functional modules that interact to implement the method of the first aspect and its embodiments described above. The functional modules can be implemented based on software, hardware or a combination of software and hardware, and the functional modules can be combined or divided arbitrarily based on specific implementation.
In a fourth aspect, an apparatus for implementing encrypted data transmission is provided. The apparatus comprises a plurality of functional modules, which interact to implement the method of the second aspect and its embodiments described above. The functional modules can be implemented based on software, hardware or a combination of software and hardware, and the functional modules can be combined or divided arbitrarily based on specific implementation.
In a fifth aspect, a network device is provided, which includes: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for implementing data encryption transmission according to any one of the first aspect.
In a sixth aspect, there is provided a reflective device comprising: a processor and a memory;
the memory for storing a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for implementing data encryption transmission according to any one of the second aspect.
In a seventh aspect, a communication system is provided, including: a reflection device and a plurality of network devices, wherein the reflection device comprises the apparatus for realizing data encryption transmission according to the fourth aspect or is the reflection device according to the sixth aspect; the network device comprises the apparatus for implementing data encryption transmission according to the third aspect and the network device according to the fifth aspect.
In an eighth aspect, a computer storage medium is provided, which stores instructions that, when executed by a processor, implement the method for implementing encrypted transmission of data according to any one of the first or second aspects.
In a ninth aspect, a chip is provided, which comprises programmable logic circuits and/or program instructions, and when the chip is run, the method in the first aspect and its embodiments or the second aspect and its embodiments is implemented.
The technical solution provided by this application brings at least the following beneficial effects:
in the process of realizing data encryption transmission among network devices, the network devices can generate the inbound direction SA entries and/or the outbound direction SA entries merely by receiving the messages containing the SA information sent by the reflection device; the SA information does not need to be manually configured in the network devices, and IKE negotiation does not need to be carried out among the network devices, so that the efficiency of realizing data encryption transmission is higher, less transmission resources are consumed in the process of realizing data encryption transmission, and the network overhead is lower.
Drawings
Fig. 1 is a schematic structural diagram of a communication system according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of another communication system provided in an embodiment of the present application;
fig. 3 is a schematic flowchart of a method for implementing encrypted data transmission according to an embodiment of the present application;
fig. 4 is a schematic diagram illustrating a correspondence relationship between TNP and SA information according to an embodiment of the present application;
fig. 5 is a schematic flowchart of another method for implementing encrypted data transmission according to an embodiment of the present application;
fig. 6 is a schematic flowchart of another method for implementing encrypted data transmission according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a message including SA information obtained based on BGP update message extension according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a routing attribute list field in the packet shown in fig. 7;
FIG. 9 is a schematic structural diagram of an SA sub-TLV provided by an embodiment of the present application;
fig. 10 is a schematic structural diagram of the NLRI field in the message shown in fig. 7;
fig. 11 is a schematic flowchart of another method for implementing encrypted data transmission according to an embodiment of the present application;
fig. 12 is a schematic flowchart of a further method for implementing encrypted data transmission according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of an apparatus for implementing encrypted data transmission according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of another apparatus for implementing encrypted data transmission according to an embodiment of the present application;
fig. 15 is a schematic structural diagram of another apparatus for implementing encrypted data transmission according to an embodiment of the present application;
fig. 16 is a schematic structural diagram of a network device according to an embodiment of the present application;
FIG. 17 is a schematic structural diagram of a reflective device according to an embodiment of the present disclosure;
fig. 18 is a schematic structural diagram of another communication system according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a communication system according to an embodiment of the present application. As shown in FIG. 1, the communication system includes a plurality of network devices 101A-101C (collectively referred to as network devices 101). The network device 101 may be a Customer Premise Equipment (CPE), a universal CPE (uCPE) or a virtual CPE (vCPE), a router, a switch, or the like. A uCPE is a general computing platform based on Network Function Virtualization (NFV) that supports virtualization and can host third-party virtual network functions. A vCPE may be deployed on a kernel-based virtual machine (KVM), a cloud computing platform, or a virtualization platform. The number of network devices in fig. 1 is merely an exemplary illustration and does not limit the communication system according to the embodiments of the present application.
Optionally, the communication system may be applied to a communication network such as a metropolitan area network, a wide area network, or a campus network; the wide area network may be an SD-WAN. In the communication system provided in the embodiment of the present application, connections are established through the Internet, an MPLS network, and/or an LTE network to form the underlay transport network, and an overlay service network is established using dynamic intelligent virtual private network (DSVPN) technology or automatic virtual private network (Auto VPN) technology, where the overlay service network includes a plurality of overlay tunnels. Of course, an overlay tunnel between network devices may also be established using the Generic Routing Encapsulation (GRE) protocol or the virtual extensible local area network (VXLAN) protocol, which is not limited in this embodiment of the present application.
Optionally, the communication system may employ Hub-and-Spoke networking. Hub-and-Spoke networking comprises Hub devices and Spoke devices; the Spoke devices may also be called branch routing devices. The Hub device is the central device (also called the core layer device) in the Hub-and-Spoke networking and is connected with a plurality of Spoke devices; a Spoke device is an edge device (also called an access layer device) in the Hub-and-Spoke networking and is connected with user equipment. Of course, the communication system may also adopt other networking manners; the networking manner of the communication system is not limited in the embodiment of the present application. The embodiment of the present application takes a communication system that adopts Hub-and-Spoke networking as an example.
DSVPN technology is a solution for establishing VPN tunnels between Spoke devices whose public network addresses change dynamically in Hub-and-Spoke networking. With DSVPN, a static VPN tunnel is established between each Spoke device and the Hub device; a Spoke device obtains the public network addresses of other Spoke devices through the Hub device, and then establishes dynamic VPN tunnels to those Spoke devices. Because the Spoke devices access each other directly through the dynamic VPN tunnels, the data transmission delay can be reduced.
Illustratively, in the communication system shown in fig. 1, the network device 101A is a Hub device, and the network devices 101B and 101C are Spoke devices. A static VPN tunnel is established between network device 101A and each of network device 101B and network device 101C, and a dynamic VPN tunnel is established between network device 101B and network device 101C. Network device 101B communicates directly with network device 101C through the dynamic VPN tunnel.
Auto VPN technology is a VPN technology in which the overlay service network is separated from the underlay transport network, and service network routing is separated from transport network routing. By extending the Border Gateway Protocol (BGP), the underlay transport networks between different Spoke devices are interconnected, thereby implementing data forwarding for the overlay service network. A communication system that builds the overlay service network with Auto VPN technology further comprises a reflection device, which reflects the underlay transport network information and the routing information of the overlay service network (service routes for short) between the Spoke devices, so as to reduce the performance pressure on the Hub device. The Spoke devices learn each other's underlay transport network information and service routes through the reflection action of the reflection device, and then establish a data channel (that is, a tunnel) according to that information to realize mutual access between the Spoke devices.
Optionally, fig. 2 is a schematic structural diagram of another communication system provided in the embodiment of the present application. As shown in fig. 2, the communication system includes a network device 101D, a network device 101E, and a reflection device 102. The reflection device 102 may be a Route Reflector (RR).
Illustratively, in the communication system shown in fig. 2, network device 101D and network device 101E are both Spoke devices. The process of implementing mutual access between network device 101D and network device 101E includes: network device 101D and network device 101E each establish a BGP peer relationship with reflection device 102, that is, each forms a BGP control channel with reflection device 102, so that reflection device 102 can reflect the underlay transport network information and service routes of network device 101D to network device 101E, and can also reflect the underlay transport network information and service routes of network device 101E to network device 101D; a data channel is thereby established between network device 101D and network device 101E, implementing communication between them.
Optionally, the process of establishing a BGP peer relationship between the network device and the reflection device may include: establishing a Datagram Transport Layer Security (DTLS) management channel between the network device and the reflection device; the network device and the reflection device exchange underlay transport network information through the DTLS management channel to establish a VPN tunnel between them, so that a BGP control channel between the network device and the reflection device is established based on the VPN tunnel, that is, the BGP peer relationship between the network device and the reflection device is successfully established. In the embodiment of the application, establishing a DTLS management channel between the network device and the reflection device ensures the security and reliability of data transmission between the network device and the reflection device.
The network device provided by the embodiment of the present application has one or more Transport Network Ports (TNPs). A TNP is a wide area network interface through which a network device accesses a transport network; it is a logical interface and uniquely corresponds to a physical interface on the network device. The TNP of a network device is configured using the corresponding TNP configuration information. The TNP configuration information includes a site identifier (site ID), an Internet Protocol (IP) address of the site (i.e., the IP address of the loopback interface currently in use), a TNP identifier, a TNP binding interface name, a tunnel encapsulation type (e.g., GRE or V6GRE), a Network Address Translation (NAT) type, a routing domain name (e.g., MPLS or Internet), a routing domain ID, a transport network name (e.g., MPLS1 or MPLS2), a transport network identifier, a TNP weight, whether the SA (IPSec p2mp SA) is enabled, a NAT traversal flag (indicating whether the TNP is reached through a NAT device), a TNP binding public network IP address, a TNP binding public network port identifier, a TNP private network IP address, or a TNP binding private network identifier. Optionally, the TNP configuration information may further include a security association index (SA index).
Optionally, the TNP configuration information may be sent from the control device to the network device, and each network device in the communication system registers with the control device, and then the control device sends corresponding TNP configuration information to each network device. Alternatively, the TNP configuration information may be manually entered into the network device. The control device may be a network controller, a network management device, a gateway or other devices with control functions. The control device may be one or more devices.
In order to ensure the security of data transmission between network devices, data encryption transmission needs to be performed between the network devices. The embodiment of the present application provides a method for implementing data encryption transmission, in which a first network device in the communication system may generate outbound direction SA entry 1 based on first SA information in a received first message, and a second network device in the communication system may generate inbound direction SA entry 1 based on the first SA information. Since outbound direction SA entry 1 is used by the first network device to encrypt data sent to the second network device, and inbound direction SA entry 1 is used by the second network device to decrypt received data sent by the first network device, encrypted data transmission in the direction from the first network device to the second network device can be achieved. In addition, the first network device may generate inbound direction SA entry 2 based on the obtained second SA information, and send a second message including the second SA information to the second network device, so that the second network device generates outbound direction SA entry 2 based on the second SA information. Since outbound direction SA entry 2 is used by the second network device to encrypt data sent to the first network device, and inbound direction SA entry 2 is used by the first network device to decrypt received data sent by the second network device, encrypted data transmission in the direction from the second network device to the first network device can be achieved.
In the embodiment of the application, the SA information does not need to be manually configured in the network equipment, and the IKE negotiation does not need to be carried out between the network equipment, so that the efficiency of realizing the data encryption transmission is higher, the transmission resources consumed in the process of realizing the data encryption transmission are less, and the network overhead is lower.
The first network device and the second network device may be any two network devices in the communication system that need to perform encrypted data transmission. Optionally, the messages (the first message and the second message) containing the SA information may be directly sent to the home network device by the peer network device, may also be forwarded to the home network device by the peer network device through the reflection device, and may also be sent to the network device after being generated by the reflection device. In the embodiment of the present application, a process of implementing data encryption transmission between network devices under the three conditions is described by the following three embodiments, respectively.
In a first optional embodiment of the present application, a target tunnel is established between a first network device and a second network device, and the message containing the SA information is sent directly from the peer network device to the local-end network device. Alternatively, the target tunnel may be a DSVPN tunnel, an Auto VPN tunnel, a GRE tunnel, a VXLAN tunnel, or the like. Referring to fig. 3, fig. 3 is a schematic flowchart illustrating a method for implementing data encryption transmission according to an embodiment of the present disclosure. The method may be applied in a communication system as shown in fig. 1. As shown in fig. 3, the method includes:
step 301, the second network device obtains the first SA information.
In this embodiment of the application, the SA information may be managed based on TNP, with a one-to-one correspondence between a TNP and its SA information. The TNP configuration information may include an SA index, which indicates the SA information to be acquired; the SA index is essentially the number under which that SA information is looked up. Optionally, the SA information includes the security protocol used, a Security Parameter Index (SPI), and SA attributes. The SA attributes include one or more of an aging type, an aging value, an encapsulation mode, an encryption algorithm, an authentication algorithm, an encryption key, and an authentication key. The aging types include time-based aging and traffic-volume-based aging. The encapsulation modes are tunnel mode and transport mode. The encryption algorithm may be a symmetric algorithm such as the Data Encryption Standard (DES), triple DES (3DES), the Advanced Encryption Standard (AES), or the Chinese commercial cipher SM1. The authentication algorithm may be a Secure Hash Algorithm (SHA) or an RSA algorithm. (In IPsec practice the per-packet integrity algorithm is an HMAC built on such a hash, for example HMAC-SHA-256, and DES and 3DES are deprecated for new deployments by RFC 8221; a deployment of this scheme should restrict the negotiable algorithm set accordingly.)
The security protocols include the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol, both of which are carried directly over IP (IP protocol numbers 51 and 50 respectively). AH provides integrity and data-origin authentication of the packet, including the immutable parts of the outer IP header; ESP provides confidentiality of the encapsulated payload and, optionally, its integrity. Alternatively, SA information using the AH protocol and/or SA information using the ESP protocol may be configured in the network device.
Fig. 4 is a schematic diagram illustrating a correspondence relationship between TNP and SA information according to an embodiment of the present application. As shown in fig. 4, an SA index 1 in the TNP configuration information is used to indicate to acquire SA information corresponding to an ESP protocol, the SA information corresponding to the ESP protocol further includes an SA index 2 (next SA index), and the SA index 2 is used to indicate to acquire SA information corresponding to an AH, that is, the network device can simultaneously configure SA information using the AH protocol and SA information using the ESP protocol based on the SA index in the TNP configuration information, so as to implement encryption before authentication of a packet.
Optionally, step 301 is implemented as follows: the second network device receives the first SA information sent by the control device. Alternatively, the first SA information may be manually configured on the second network device.
Step 302, the second network device generates an entry direction SA entry 1 based on the first SA information.
The in-direction SA entry 1 is used by the second network device to decrypt the received data sent by the first network device.
Step 303, the second network device sends the first packet to the first network device through the target tunnel.
The first packet includes first SA information and an identifier of a second network device, where the identifier of the second network device is used to identify the second network device, that is, the identifier of the second network device is used to uniquely identify the second network device in the communication system. Alternatively, the identifier of the second network device may be information that can uniquely identify the second network device, such as an IP address, a Media Access Control (MAC) address, or a hardware address of the second network device.
Step 304, the first network device generates an out-direction SA entry 1 based on the first SA information.
The out-direction SA entry 1 is used for the first network device to encrypt data sent to the second network device.
In this embodiment of the present application, the first network device may generate the out-direction SA entry 1 based on the first SA information in the received first message, and the second network device may generate the in-direction SA entry 1 based on the first SA information. Since the out-direction SA entry 1 is used by the first network device to encrypt data sent to the second network device, and the in-direction SA entry 1 is used by the second network device to decrypt the received data sent by the first network device, encrypted data transmission in the direction from the first network device to the second network device can be achieved. In addition, because the second network device generates the in-direction SA entry 1 first and the first network device generates the out-direction SA entry 1 only afterwards, the second network device is guaranteed to be able to decrypt an encrypted message from the first network device as soon as one arrives, which ensures the validity of message transmission.
Step 305, the first network device acquires the second SA information.
For the explanation of this step, reference may be made to the related explanation in step 301, and details of the embodiment of the present application are not repeated herein.
Step 306, the first network device generates an entry direction SA entry 2 based on the second SA information.
The in-direction SA entry 2 is used for the first network device to decrypt the received data sent by the second network device.
Step 307, the first network device sends the second packet to the second network device through the target tunnel.
The second packet includes second SA information and an identifier of the first network device, where the identifier of the first network device is used to identify the first network device, that is, the identifier of the first network device is used to uniquely identify the first network device in the communication system. Alternatively, the identifier of the first network device may be information that can uniquely identify the first network device, such as an IP address, a MAC address, or a hardware address of the first network device.
In this embodiment of the present application, a target tunnel between a first network device and a second network device is a bidirectional tunnel, or the target tunnel includes two unidirectional tunnels. The directions of the two unidirectional tunnels are the direction from the first network device to the second network device and the direction from the second network device to the first network device respectively.
Step 308, the second network device generates an out-direction SA entry 2 based on the second SA information.
The out-direction SA entry 2 is used for the second network device to encrypt data sent to the first network device.
In this embodiment, the first network device may generate the in-direction SA entry 2 based on the obtained second SA information and send a second packet including the second SA information to the second network device, so that the second network device generates the out-direction SA entry 2 based on the second SA information. Since the out-direction SA entry 2 is used by the second network device to encrypt data sent to the first network device, and the in-direction SA entry 2 is used by the first network device to decrypt the received data sent by the second network device, encrypted data transmission from the second network device to the first network device can be achieved. In addition, because the first network device generates the in-direction SA entry 2 first and the second network device generates the out-direction SA entry 2 only afterwards, the first network device is guaranteed to be able to decrypt an encrypted message from the second network device as soon as one arrives, which ensures the validity of message transmission.
Of course, after acquiring the first SA information, the second network device may also send the first packet to the first network device first, and then generate the SA entry 1, that is, step 303 may be executed before step 302. After acquiring the second SA information, the first network device may also send a second message to the second network device first, and then generate the SA entry 2, that is, step 307 may be executed before step 306. Steps 301 to 304 and steps 305 to 308 may be performed simultaneously, or steps 305 to 308 may be performed before steps 301 to 304. The execution sequence of the steps is not limited in the embodiment of the application.
To sum up, in the process of implementing data encryption transmission between network devices, the embodiments of the present application only need to send messages containing SA information through a target tunnel between network devices, and do not need to manually configure SA information in the network devices, nor need to perform IKE negotiation between the network devices, so that the efficiency of implementing data encryption transmission is high, and less transmission resources are consumed in the process of implementing data encryption transmission, and the network overhead is low.
In a second alternative embodiment of the present application, the first network device and the second network device each establish a BGP peering relationship with the reflection device, and the message containing the SA information is forwarded from the peer network device to the local-end network device through the reflection device. Referring to fig. 5, fig. 5 is a schematic flowchart illustrating another method for implementing data encryption transmission according to an embodiment of the present application. The method may be applied in a communication system as shown in fig. 2. As shown in fig. 5, the method includes:
step 501, the second network device obtains first SA information.
For the explanation of this step, reference may be made to the related explanation in step 301, and details of the embodiment of the present application are not repeated herein.
Step 502, the second network device generates an entry direction SA entry 1 based on the first SA information.
The in-direction SA entry 1 is used by the second network device to decrypt the received data sent by the first network device.
Step 503, the second network device sends the first packet to the reflection device.
The first packet includes first SA information and an identifier of a second network device, where the identifier of the second network device is used to identify the second network device. For the explanation of the identifier of the second network device, reference may be made to step 303 above, and details of the embodiment of the present application are not described herein again.
In this embodiment of the present application, a tunnel may be established between the first network device and the second network device, or a tunnel may not be established between the first network device and the second network device. Optionally, when no tunnel is established in a direction from the first network device to the second network device, the first packet may further include a service route of the second network device, where the service route is used for the first network device to establish a tunnel in the direction from the first network device to the second network device. Certainly, the first message may further include other TNP configuration information, which is not limited in this embodiment of the present application.
Step 504, the reflection device forwards the first packet to the first network device.
Optionally, the first message may further include the identifiers of the network devices that need to transmit encrypted packets to the second network device. After receiving the first message from the second network device, the reflection device reads those identifiers and forwards the first message to the network devices they designate.
Optionally, when there are multiple network devices that need to transmit the encrypted packet to the second network device, the reflection device may forward the first packet to the multiple network devices, so as to implement data encryption transmission from the multiple network devices to the second network device in batch, thereby improving the efficiency of implementing data encryption transmission among the multiple network devices in the communication system.
Step 505, the first network device generates an out-direction SA entry 1 based on the first SA information.
For the explanation of this step, reference may be made to the related explanation in step 304, and the description of the embodiments of the present application is omitted here.
In this embodiment of the present application, the first network device may generate the out-direction SA entry 1 based on the first SA information in the received first message, and the second network device may generate the in-direction SA entry 1 based on the first SA information. Since the out-direction SA entry 1 is used by the first network device to encrypt data sent to the second network device, and the in-direction SA entry 1 is used by the second network device to decrypt the received data sent by the first network device, encrypted data transmission in the direction from the first network device to the second network device can be achieved. In addition, because the second network device generates the in-direction SA entry 1 first and the first network device generates the out-direction SA entry 1 only afterwards, the second network device is guaranteed to be able to decrypt an encrypted message from the first network device as soon as one arrives, which ensures the validity of message transmission.
Step 506, the first network device acquires the second SA information.
For the explanation of this step, reference may be made to the related explanation in step 305, and the description of the embodiment of the present application is not repeated herein.
Step 507, the first network device generates an entry direction SA entry 2 based on the second SA information.
The in-direction SA entry 2 is used for the first network device to decrypt the received data sent by the second network device.
Step 508, the first network device sends the second message to the reflection device.
The second packet includes second SA information and an identifier of the first network device, where the identifier of the first network device is used to identify the first network device. For the explanation of the identifier of the first network device, reference may be made to step 307 described above, and details of the embodiment of the present application are not described herein again.
Optionally, when no tunnel is established in the direction from the second network device to the first network device, the second packet may further include a service route of the first network device, where the service route is used by the second network device to establish a tunnel in the direction from the second network device to the first network device.
Step 509, the reflection device forwards the second packet to the second network device.
For the explanation of this step, reference may be made to the related explanation in step 504 above, and details of the embodiment of this application are not repeated herein.
Step 510, the second network device generates an out-direction SA entry 2 based on the second SA information.
For the explanation of this step, reference may be made to the related explanation in step 308, and the description of the embodiment of this application is not repeated here.
In this embodiment, the first network device may generate the in-direction SA entry 2 based on the obtained second SA information and send a second packet including the second SA information to the second network device, so that the second network device generates the out-direction SA entry 2 based on the second SA information. Since the out-direction SA entry 2 is used by the second network device to encrypt data sent to the first network device, and the in-direction SA entry 2 is used by the first network device to decrypt the received data sent by the second network device, encrypted data transmission from the second network device to the first network device can be achieved. In addition, because the first network device generates the in-direction SA entry 2 first and the second network device generates the out-direction SA entry 2 only afterwards, the first network device is guaranteed to be able to decrypt an encrypted message from the second network device as soon as one arrives, which ensures the validity of message transmission.
Of course, after acquiring the first SA information, the second network device may also send the first packet to the first network device first, and then generate the SA entry 1, that is, step 503 may be executed before step 502. After acquiring the second SA information, the first network device may also send a second message to the second network device first, and then generate the SA entry 2, that is, step 508 may be executed before step 507. Step 501 to step 505 and step 506 to step 510 may be executed simultaneously, or step 506 to step 510 may be executed before step 501 to step 505. The execution sequence of the steps is not limited in the embodiment of the application.
To sum up, in the process of implementing data encryption transmission between network devices, the embodiments of the present application only need to forward the packet containing the SA information through the reflection device between the network devices, and do not need to manually configure the SA information in the network devices, and do not need to perform IKE negotiation between the network devices, so that the efficiency of implementing data encryption transmission is higher, and less transmission resources are consumed in the process of implementing data encryption transmission, and the network overhead is lower. In addition, the reflection device can forward the message containing the SA information sent by one network device to a plurality of network devices that need to transmit the encrypted message to the network device, and implement data encryption transmission from the plurality of network devices to the network device in batch, thereby improving the efficiency of implementing data encryption transmission among the plurality of network devices in the communication system.
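To make the two procedures above concrete, the following Python is an added example, not code from the patent or from Huawei. It simulates steps 301 to 308 (SA information carried directly between two devices over the target tunnel) and steps 501 to 510 (a reflection device fanning the first message out to every device that must send to its originator). The device names, SPI values, 32-byte keys, the 16-byte truncated ICV and the HMAC-SHA256 keystream that stands in for the symmetric cipher are assumptions of the example; the page names AES, 3DES, SM1 and SHA but gives no wire format for the encrypted data itself.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ICV_LEN = 16   # truncated HMAC-SHA256 tag, as HMAC-SHA-256-128 does in IPsec (RFC 4868)

@dataclass(frozen=True)
class SAInfo:
    spi: int
    enc_key: bytes
    auth_key: bytes

def _keystream(key, spi, seq, n):
    # Stand-in for the page's symmetric cipher (AES etc.): HMAC-SHA256 as a PRF in counter mode.
    blocks = (hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

class NetworkDevice:
    def __init__(self, dev_id):
        self.dev_id = dev_id
        self.outbound = {}   # peer id -> SAInfo: out-direction SA entry for that peer
        self.inbound = {}    # SPI -> SAInfo: in-direction SA entry, selected by the SPI in the packet
        self.seq = {}        # SPI -> last sequence number sent
        self.dropped = []    # SPIs of packets rejected on receipt

    def encrypt_to(self, peer_id, plaintext):
        sa = self.outbound[peer_id]                    # KeyError: no out-direction entry yet
        seq = self.seq[sa.spi] = self.seq.get(sa.spi, 0) + 1
        header = struct.pack(">II", sa.spi, seq)       # ESP-style SPI and sequence number
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(sa.enc_key, sa.spi, seq, len(plaintext))))
        icv = hmac.new(sa.auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
        return header + ct + icv

    def receive(self, packet):
        spi, seq = struct.unpack(">II", packet[:8])
        sa = self.inbound.get(spi)
        if sa is None:                                 # no in-direction entry for this SPI: drop
            self.dropped.append(spi)
            return None
        body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expect = hmac.new(sa.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):       # authenticate before decrypting
            self.dropped.append(spi)
            return None
        return bytes(a ^ b for a, b in zip(body, _keystream(sa.enc_key, spi, seq, len(body))))

class Reflector:
    def __init__(self):
        self.senders_to = {}   # receiver id -> devices that must encrypt to that receiver

    def forward(self, sa, origin_id):
        for dev in self.senders_to[origin_id]:         # step 504: one first message, many senders
            dev.outbound[origin_id] = sa

def new_sa(spi):
    return SAInfo(spi, os.urandom(32), os.urandom(32))

def set_up_direction(receiver, spi, sender=None, reflector=None):
    sa = new_sa(spi)                                   # step 301/501: receiver obtains SA information
    receiver.inbound[sa.spi] = sa                      # step 302/502: in-direction entry first
    if reflector is None:
        sender.outbound[receiver.dev_id] = sa          # steps 303-304: first packet over the tunnel
    else:
        reflector.forward(sa, receiver.dev_id)         # steps 503-505: via the reflection device
    return sa

def run_direct():
    a, b = NetworkDevice("A"), NetworkDevice("B")
    set_up_direction(b, 0x1001, sender=a)              # SA entry 1: A -> B
    set_up_direction(a, 0x2002, sender=b)              # SA entry 2: B -> A
    return {"a_to_b": b.receive(a.encrypt_to("B", b"ping")),
            "b_to_a": a.receive(b.encrypt_to("A", b"pong")),
            "dropped": a.dropped + b.dropped}

def run_reflector():
    a, c, d, hub = NetworkDevice("A"), NetworkDevice("C"), NetworkDevice("D"), Reflector()
    hub.senders_to["C"] = [a, d]                       # A and D both need to send encrypted data to C
    set_up_direction(c, 0x3003, reflector=hub)
    return [c.receive(a.encrypt_to("C", b"from A")), c.receive(d.encrypt_to("C", b"from D"))]

def run_wrong_order():
    a, b = NetworkDevice("A"), NetworkDevice("B")
    sa = new_sa(0x4004)
    a.outbound["B"] = sa                               # sender first: not the page's order
    b.receive(a.encrypt_to("B", b"too early"))         # B has no in-direction entry yet
    b.inbound[sa.spi] = sa
    return b.dropped

def run_tampered():
    a, b = NetworkDevice("A"), NetworkDevice("B")
    set_up_direction(b, 0x5005, sender=a)
    pkt = bytearray(a.encrypt_to("B", b"secret"))
    pkt[8] ^= 0x01                                     # flip one ciphertext bit
    return b.receive(bytes(pkt))
```

run_direct and run_reflector follow the page's order (the in-direction entry is installed before any out-direction entry) and every packet decrypts; run_wrong_order inverts it and the first packet is dropped for want of an in-direction entry, which is exactly the failure the ordering argument in steps 304 and 505 guards against. run_tampered shows the ICV check rejecting a modified ciphertext before any decryption is attempted. One caveat on the batch case of step 504: when several senders receive the same first message they share one key and one SPI but keep independent sequence counters, so sequence numbers collide across senders, the receiver cannot maintain a single anti-replay window, and with a counter- or nonce-based cipher (including the keystream used here) a repeated (key, SPI, sequence number) triple repeats keystream. A deployment should therefore give each sending device its own SPI and keys, or keep per-sender state at the receiver; the page leaves this to the implementation.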
In a third optional embodiment of the present application, the first network device and the second network device respectively establish a BGP peering relationship with the reflection device. The message including the SA information is generated by the reflection device and then sent to the network device, and in this case, the TNP configuration information of the first network device and the second network device may not include the SA index. Referring to fig. 6, fig. 6 is a schematic flowchart illustrating another method for implementing data encryption transmission according to an embodiment of the present disclosure. The method may be applied in a communication system as shown in fig. 2. As shown in fig. 6, the method includes:
step 601, the reflection device acquires first SA information.
For the explanation of this step, reference may be made to the related explanation of step 301, and details of the embodiment of this application are not repeated herein.
Optionally, the reflection device performs the following steps 602 to 608 after determining that encrypted data transmission between the first network device and the second network device is required.
Step 602, the reflection device sends a first packet to the first network device.
The first packet includes first SA information and an identifier of a second network device, where the identifier of the second network device is used to identify the second network device. For the explanation of the identifier of the second network device, reference may be made to step 303 above, and details of the embodiment of the present application are not described herein again.
Step 603, the reflection device sends a second message to the second network device.
The second packet includes the first SA information and the identifier of the first network device, which identifies the first network device. For the explanation of the identifier of the first network device, reference may be made to step 307 described above, and details of the embodiment of the present application are not described herein again.
Step 604, the first network device generates an in-direction SA entry 2 based on the first SA information.
The in-direction SA entry 2 is used for the first network device to decrypt the received data sent by the second network device.
Step 605, the second network device generates an in-direction SA entry 1 based on the first SA information.
The in-direction SA entry 1 is used by the second network device to decrypt the received data sent by the first network device.
Step 606, the reflection device sends out a direction SA entry generation instruction to the first network device.
The outbound direction SA table entry generation instruction is used to instruct the first network device to generate an outbound direction SA table entry 1 based on the first SA information.
Step 607, the reflection device sends out the SA table entry generation instruction to the second network device.
The outbound direction SA entry generation instruction is used to instruct the second network device to generate an outbound direction SA entry 2 based on the first SA information.
Step 608, the first network device generates an out-direction SA entry 1 based on the first SA information.
The out-direction SA entry 1 is used for the first network device to encrypt data sent to the second network device.
Step 609, the second network device generates an out-direction SA entry 2 based on the first SA information.
The out-direction SA entry 2 is used for the second network device to encrypt data sent to the first network device.
In the embodiment of the application, after receiving the message containing the SA information sent by the reflection device, the network device generates the entering-direction SA entry based on the SA information, and then generates the exiting-direction SA entry according to the SA information, so that the network device can ensure that the encrypted message can be normally decrypted when receiving the encrypted message sent by the network device at the opposite end, and further ensure the validity of message transmission.
In an alternative embodiment of the present application, the out-direction SA entry generation instructions of steps 606 and 607 may be omitted: after the first network device receives the first packet, it generates the in-direction SA entry 2 and the out-direction SA entry 1 based on the first SA information, and after the second network device receives the second packet, it generates the in-direction SA entry 1 and the out-direction SA entry 2 based on the first SA information.
In another alternative embodiment of the present application, after performing step 602, the reflection device may further send an in-direction SA entry generation instruction to the first network device, in which case step 604 is implemented as follows: when the first network device receives the in-direction SA entry generation instruction, it generates the in-direction SA entry 2 based on the first SA information. Similarly, after step 603 is executed, the reflection device may further send an in-direction SA entry generation instruction to the second network device, in which case step 605 is implemented as follows: when the second network device receives the in-direction SA entry generation instruction, it generates the in-direction SA entry 1 based on the first SA information.
In the embodiment of the application, the reflection device sends the entering direction SA table item generation instruction to the network device to control the network device to generate the entering direction SA table item, and sends the exiting direction SA table item generation instruction to control the network device to generate the exiting direction SA table item, so that unidirectional data encryption transmission between two network devices can be realized, and the flexibility of data encryption transmission between the network devices is improved. For example, the reflection device sends a first message and an out-direction SA entry generation instruction to the first network device, and sends a second message and an in-direction SA entry generation instruction to the second network device, so that the first network device may generate an out-direction SA entry 1, and the second network device may generate an in-direction SA entry 1, thereby implementing data encryption transmission in the direction from the first network device to the second network device.
To sum up, in the process of implementing data encryption transmission between network devices, only the reflection device needs to send a message containing SA information to the network devices, and there is no need to manually configure the SA information in the network devices, and there is no need to perform IKE negotiation between the network devices, so that the efficiency of implementing data encryption transmission is high, and less transmission resources are consumed in the process of implementing data encryption transmission, and the network overhead is low. In addition, management of SA information is realized through the reflection device, the reflection device can distribute the SA information for one tunnel connection and can also distribute the SA information for a plurality of tunnel connections, and the flexibility of managing the SA information is improved.
Optionally, in the embodiment of the present application, both the first message and the second message may be BGP messages, and the SA information is carried in an extensible field of the BGP message. Or, the first message and the second message may also be self-defined messages or other extended messages capable of carrying SA information, and the message types are not limited in this embodiment.
Optionally, the BGP message is a BGP UPDATE message, and the SA information is carried in the routing attribute list (path attributes) field of the UPDATE message. For example, fig. 7 is a schematic structural diagram of a packet containing SA information obtained by extending a BGP UPDATE message according to an embodiment of the present application. As shown in fig. 7, the packet consists of an Ethernet header, an IP header, a Transmission Control Protocol (TCP) header, the BGP message, and a Frame Check Sequence (FCS). The BGP message consists of a BGP header and a BGP payload. The BGP header includes a marker field, a length field, and a type field (not shown in the figure). The payload includes a withdrawn routes length field, a withdrawn routes field, a total path attribute length field, the routing attribute list field, and a Network Layer Reachability Information (NLRI) field. The SA information is encoded as TLV (type-length-value) or TV (type-value) and carried in the routing attribute list field.
A tunnel encapsulation attribute is defined in the routing attribute list, and the routing attribute list field is used to carry tunnel encapsulation information. Optionally, fig. 8 is a schematic structural diagram of the routing attribute list field in the packet shown in fig. 7. As shown in fig. 8, the field includes a tunnel type field, a length field, and a payload field; the tunnel type field and the length field are 2 bytes each. Because tunnel type values 18 to 65535 are not defined in Request for Comments (RFC) 5512, in this embodiment the tunnel type may take any value from 18 to 65535, for example 23, to indicate that the payload field carries SA information. n groups of sub-TLVs may be defined in the payload field, each carrying tunnel encapsulation information, where n is a positive integer. In this embodiment at least one SA sub-TLV (e.g., sub-TLV1 in fig. 8) is defined in the payload field; it consists of an SA sub-TLV type, an SA sub-TLV length, and an SA sub-TLV value, and the SA sub-TLV value carries the SA information. Sub-TLV type values 14 to 127 and 129 to 255 are unassigned in the Internet Assigned Numbers Authority (IANA) registry, so the SA sub-TLV type may take any of those values, for example 200, to indicate that the SA sub-TLV value carries SA information. Note that RFC 5512 has since been obsoleted by RFC 9012, which gives sub-TLV types 128 to 255 a two-byte length field and under which further type values have been assigned; an implementation should check the current IANA registry rather than assume a range is still free.
Optionally, fig. 9 is a schematic structural diagram of an SA sub-TLV according to an embodiment of the present application. As shown in fig. 9, the SA sub-TLV includes an SA sub-TLV type field, an SA sub-TLV length field, and an SA sub-TLV value field. The SA sub-TLV value field includes a Domain of Interpretation (DOI), a security protocol type, a sequence number, an SPI size, the SPI, and the SA attributes, where the SA attributes are TLV- or TV-encoded. For example, the aging type, encapsulation mode, encryption algorithm, and authentication algorithm are TV-encoded, and the aging value, encryption key, and authentication key are TLV-encoded. Illustratively, a DOI value of 1 indicates IPsec, a security protocol type of 1 indicates the ESP protocol, and a security protocol type of 2 indicates the AH protocol. The encoding of the SA attributes is shown in Table 1.
Table 1 (encoding of the SA attributes; the table is provided only as an image in the original and is not reproduced here)
The NLRI field of the packet obtained by extending the BGP UPDATE message may carry an address prefix. Optionally, fig. 10 is a schematic structural diagram of the NLRI field in the packet shown in fig. 7. As shown in fig. 10, the NLRI field includes an address prefix length (NLRI length), a tunnel type, a tunnel service identifier (TNP ID), a site identifier, and a tunnel destination node (endpoint) identifier, i.e., the system IP address of the site. Illustratively, the tunnel type may take the value 200. The site ID is the site ID of the local network device. A tunnel service identifier of 0 indicates a reserved value used for transferring SA information. If the Address Family Identifier (AFI) is IPv4, the system IP address of the site is an IPv4 address; if the AFI is IPv6, it is an IPv6 address. The address prefix length occupies 1 byte, the tunnel type 2 bytes, the tunnel service identifier 4 bytes, the site identifier 4 bytes, and the tunnel destination node identifier 4 or 16 bytes.
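The following Python is an added example, not code from the patent or from Huawei, that encodes and parses the structures of figs. 8 to 10: the SA sub-TLV value, the tunnel encapsulation path attribute that carries it, and the NLRI. The page gives the widths of the NLRI fields and of the tunnel type and length fields, but not of the DOI, security protocol type, sequence number and SPI size fields, nor the attribute codes of Table 1 (an image), so those widths (1, 1, 4 and 1 bytes) and codes are assumptions marked in the code. The sub-TLV length is one byte, as in RFC 5512, which the page follows; under RFC 9012 a type of 200 would carry a two-byte length. Every length field is checked against the remaining buffer before it is used, which is the check a parser of attacker-reachable BGP attributes must have.

```python
import ipaddress
import struct

TUNNEL_ENCAP_ATTR = 23   # path attribute type code of the RFC 5512 Tunnel Encapsulation attribute
SA_TUNNEL_TYPE, SA_SUB_TLV_TYPE, NLRI_TUNNEL_TYPE = 23, 200, 200   # the page's example values
DOI_IPSEC, PROTO_ESP, PROTO_AH = 1, 1, 2   # page: DOI 1 = IPsec; protocol type 1 = ESP, 2 = AH
# Table 1 is only an image on the page, so these attribute codes are assumed, not the page's.
TV_ATTRS = {"aging_type": 1, "encap_mode": 2, "enc_alg": 3, "auth_alg": 4}   # 1-byte type, 1-byte value
TLV_ATTRS = {"aging_value": 5, "enc_key": 6, "auth_key": 7}                  # 1-byte type, 1-byte length

def _need(buf: bytes, pos: int, n: int) -> None:
    if pos + n > len(buf):
        raise ValueError(f"truncated: need {n} bytes at offset {pos}, buffer has {len(buf)}")

def encode_sa_value(sa: dict) -> bytes:
    # Assumed widths: DOI(1) protocol type(1) sequence number(4) SPI size(1) SPI(n), then attributes.
    out = struct.pack(">BBIB", sa.get("doi", DOI_IPSEC), sa["protocol"], sa["seq"], len(sa["spi"])) + sa["spi"]
    for name, code in TV_ATTRS.items():
        if name in sa:
            out += struct.pack(">BB", code, sa[name])
    for name, code in TLV_ATTRS.items():
        if name in sa:
            out += struct.pack(">BB", code, len(sa[name])) + sa[name]   # struct raises if len > 255
    return out

def decode_sa_value(buf: bytes) -> dict:
    _need(buf, 0, 7)
    doi, proto, seq, spi_len = struct.unpack(">BBIB", buf[:7])
    _need(buf, 7, spi_len)
    sa, pos = {"doi": doi, "protocol": proto, "seq": seq, "spi": buf[7:7 + spi_len]}, 7 + spi_len
    tv, tlv = {c: n for n, c in TV_ATTRS.items()}, {c: n for n, c in TLV_ATTRS.items()}
    while pos < len(buf):
        _need(buf, pos, 2)
        code, second = buf[pos], buf[pos + 1]
        if code in tv:
            sa[tv[code]], pos = second, pos + 2
        elif code in tlv:
            _need(buf, pos + 2, second)   # a declared length must never run past the buffer
            sa[tlv[code]], pos = buf[pos + 2:pos + 2 + second], pos + 2 + second
        else:
            raise ValueError(f"unknown SA attribute code {code}")
    return sa

def encode_tunnel_encap_attr(sa_values: list) -> bytes:
    # Fig. 8: tunnel type(2) length(2), then sub-TLVs with a 1-byte length as in RFC 5512.
    payload = b"".join(struct.pack(">BB", SA_SUB_TLV_TYPE, len(v)) + v for v in sa_values)
    tlv = struct.pack(">HH", SA_TUNNEL_TYPE, len(payload)) + payload
    return struct.pack(">BBH", 0xD0, TUNNEL_ENCAP_ATTR, len(tlv)) + tlv   # flags: optional, transitive, extended length

def parse_path_attributes(attrs: bytes) -> list:
    sas, apos = [], 0
    while apos < len(attrs):
        _need(attrs, apos, 3)
        flags, code = attrs[apos], attrs[apos + 1]
        hdr = 4 if flags & 0x10 else 3    # extended-length flag selects a 2-byte length field
        _need(attrs, apos, hdr)
        vlen = struct.unpack(">H", attrs[apos + 2:apos + 4])[0] if hdr == 4 else attrs[apos + 2]
        _need(attrs, apos + hdr, vlen)
        if code == TUNNEL_ENCAP_ATTR:
            sas.extend(_parse_tunnel_encap(attrs[apos + hdr:apos + hdr + vlen]))
        apos += hdr + vlen                # other attributes are skipped, not interpreted
    return sas

def _parse_tunnel_encap(value: bytes) -> list:
    sas, tpos = [], 0
    while tpos < len(value):
        _need(value, tpos, 4)
        ttype, tlen = struct.unpack(">HH", value[tpos:tpos + 4])
        _need(value, tpos + 4, tlen)
        sub, tpos, spos = value[tpos + 4:tpos + 4 + tlen], tpos + 4 + tlen, 0
        while spos < len(sub):
            _need(sub, spos, 2)
            stype, slen = sub[spos], sub[spos + 1]
            _need(sub, spos + 2, slen)
            if ttype == SA_TUNNEL_TYPE and stype == SA_SUB_TLV_TYPE:
                sas.append(decode_sa_value(sub[spos + 2:spos + 2 + slen]))
            spos += 2 + slen
    return sas

def encode_nlri(tnp_id: int, site_id: int, endpoint: str) -> bytes:
    # Fig. 10: length(1, in bits like any BGP NLRI) tunnel type(2) TNP ID(4) site ID(4) endpoint(4 or 16)
    body = struct.pack(">HII", NLRI_TUNNEL_TYPE, tnp_id, site_id) + ipaddress.ip_address(endpoint).packed
    return struct.pack(">B", len(body) * 8) + body

def decode_nlri(nlri: bytes) -> dict:
    _need(nlri, 0, 11)
    bits, ttype, tnp_id, site_id = struct.unpack(">BHII", nlri[:11])
    ep = nlri[11:1 + bits // 8]
    if len(ep) not in (4, 16):
        raise ValueError("endpoint must be an IPv4 or IPv6 address")
    return {"tunnel_type": ttype, "tnp_id": tnp_id, "site_id": site_id, "endpoint": str(ipaddress.ip_address(ep))}

def example_packet() -> tuple:
    # Constructed sample: one ESP SA for SPI 0x1001 with illustrative attribute values and test keys.
    esp = {"protocol": PROTO_ESP, "seq": 1, "spi": struct.pack(">I", 0x1001), "aging_type": 1,
           "encap_mode": 1, "enc_alg": 3, "auth_alg": 1, "aging_value": struct.pack(">I", 3600),
           "enc_key": bytes(range(32)), "auth_key": bytes(range(32, 64))}
    attrs = encode_tunnel_encap_attr([encode_sa_value(esp)])
    return attrs, encode_nlri(tnp_id=0, site_id=2, endpoint="192.0.2.2")   # TNP ID 0: SA transfer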
Fig. 11 is a schematic flowchart of another method for implementing encrypted data transmission according to an embodiment of the present application, where a network architecture to which the method is applied includes at least a first network device, a second network device, and a reflection device. For example, the first network device may be the network device 101D in the communication system shown in fig. 2, the second network device may be the network device 101E in the communication system shown in fig. 2, and the reflection device may be the reflection device 102 in the communication system shown in fig. 2. The method may be specifically used to implement the method shown in the corresponding embodiment of fig. 5 or fig. 6. As shown in fig. 11, the method includes:
Step 1101, the first network device receives a first message sent by the reflection device, where the first message includes first SA information and an identifier of the second network device, and the identifier of the second network device is used to identify the second network device.
Step 1102, the first network device generates a first egress SA entry based on the first SA information, where the first egress SA entry is used for the first network device to encrypt data sent to the second network device.
When the method is specifically used to implement the method embodiment shown in fig. 5 or fig. 6, the first outbound direction SA entry may be, for example, an outbound direction SA entry 1. For a specific implementation process of step 1101 to step 1102, reference may be made to the relevant description in the embodiment shown in fig. 5 or fig. 6, and details are not repeated here.
Optionally, the first packet is sent to the reflection device by the second network device, or the first packet is generated by the reflection device.
Optionally, the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
In a possible implementation manner, the first packet is generated by the reflection device, and after the first network device receives the first packet sent by the reflection device, the method further includes: the first network device generates a first inbound direction SA entry based on the first SA information, where the first inbound direction SA entry is used for the first network device to decrypt received data sent by the second network device. When the method is specifically used to implement the method embodiment shown in fig. 6, the first inbound direction SA entry may be, for example, inbound direction SA entry 1.
Optionally, the process of the first network device generating the first outbound direction SA entry based on the first SA information includes: when the first network device receives an outbound direction SA entry generation instruction sent by the reflection device, the first network device generates the first outbound direction SA entry based on the first SA information. When the method is specifically used to implement the method embodiment shown in fig. 6, the first outbound direction SA entry may be, for example, outbound direction SA entry 1.
In another possible implementation manner, the first packet is sent to the reflection device by the second network device, and the method further includes: the first network device acquires second SA information; the first network device generates a second inbound direction SA entry based on the second SA information; and the first network device sends a second message to the second network device, where the second message includes the second SA information and an identifier of the first network device, the second SA information is used by the second network device to generate a second outbound direction SA entry, and the identifier of the first network device is used to identify the first network device. The second outbound direction SA entry is used by the second network device to encrypt data sent to the first network device, and the second inbound direction SA entry is used by the first network device to decrypt received data sent by the second network device. When the method is specifically used to implement the method embodiment shown in fig. 5, the second inbound direction SA entry may be, for example, inbound direction SA entry 2, and the second outbound direction SA entry may be, for example, outbound direction SA entry 2.
Optionally, the process of the first network device acquiring the second SA information includes: the first network device receives the second SA information sent by the control device.
Fig. 12 is a flowchart of a further method for implementing encrypted data transmission according to an embodiment of the present application, where a network architecture to which the method is applied includes at least a first network device, a second network device, and a reflection device. For example, the first network device may be the network device 101D in the communication system shown in fig. 2, the second network device may be the network device 101E in the communication system shown in fig. 2, and the reflection device may be the reflection device 102 in the communication system shown in fig. 2. The method may be specifically used to implement the method shown in the corresponding embodiment of fig. 5 or fig. 6. As shown in fig. 12, the method includes:
Step 1201, the reflection device acquires first SA information.
Step 1202, the reflection device sends a first packet to the first network device, where the first packet includes the first SA information and an identifier of the second network device, the first SA information is used by the first network device to generate a first outbound direction SA entry, the identifier of the second network device is used to identify the second network device, and the first outbound direction SA entry is used by the first network device to encrypt data sent to the second network device.
When the method is specifically used to implement the method embodiment shown in fig. 5 or fig. 6, the first outbound direction SA entry may be, for example, an outbound direction SA entry 1. For a specific implementation process of step 1101 to step 1102, reference may be made to the relevant description in the embodiment shown in fig. 5 or fig. 6, and details are not repeated here.
In a possible implementation manner, the process of the reflection device acquiring the first SA information includes: the reflection device receives the first message sent by the second network device; and the process of the reflection device sending the first packet to the first network device includes: the reflection device forwards the first message to the first network device.
In another possible implementation manner, the process of the reflection device acquiring the first SA information includes: the reflection device receives the first SA information sent by the control device.
Optionally, after the reflection device sends the first packet to the first network device, the method further includes: the reflection device sends an outbound direction SA entry generation instruction to the first network device, where the outbound direction SA entry generation instruction is used to instruct the first network device to generate the first outbound direction SA entry based on the first SA information. When the method is specifically used to implement the method embodiment shown in fig. 6, the first outbound direction SA entry may be, for example, outbound direction SA entry 1.
Optionally, the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
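The two variants of the fig. 11 and fig. 12 procedures, as an added simulation that is not the patent's code: in the forwarded flow the second device originates the first message, the reflection device relays it, and the first device answers with the second message; in the generated flow the reflection device obtains the SA information from the control device, delivers a generated first message, and only then issues the outbound direction SA entry generation instruction. The station identifiers, the control device's behaviour, the message kind tags, and the assumption that the reflection device sends the generated first message to both network devices are the example's own.

```python
"""Simulation of the two first-message flows described for fig. 11 and fig. 12:
the first message is either originated by the second network device and
forwarded by the reflection device, or generated by the reflection device from
SA information obtained from the control device. Added example, not the
patent's code; kind tags, station ids and the control device are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

A_ID, B_ID = 11, 12  # constructed station identifiers of the two network devices

@dataclass(frozen=True)
class SaInfo:
    spi: int
    protocol: int  # 1 = ESP, 2 = AH, as in the text
    key: bytes

@dataclass(frozen=True)
class Message:
    kind: str       # first_forwarded | first_generated | second | gen_outbound
    remote_id: int  # identifier of the device at the far end of the SA
    sa: Optional[SaInfo] = None

class Controller:
    """Hypothetical control device handing out pre-provisioned SA information."""
    def __init__(self) -> None:
        self.next_spi = 0x100

    def provision(self, owner: int, peer: int) -> SaInfo:
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        return SaInfo(spi, 1, bytes([owner, peer, spi & 0xFF]) * 4)  # constructed key

class NetworkDevice:
    def __init__(self, station_id: int, controller: Controller) -> None:
        self.station_id, self.controller = station_id, controller
        self.outbound: Dict[int, SaInfo] = {}  # peer -> SA used to encrypt towards peer
        self.inbound: Dict[int, SaInfo] = {}   # peer -> SA used to decrypt data from peer
        self.held: Dict[int, SaInfo] = {}      # generated SA info awaiting the instruction

    def originate(self, peer: int) -> Message:
        """Fig. 5 style: install the inbound entry, then emit the first message
        carrying this device's own identifier for the reflection device."""
        sa = self.controller.provision(self.station_id, peer)
        self.inbound[peer] = sa
        return Message("first_forwarded", self.station_id, sa)

    def receive(self, msg: Message) -> Optional[Tuple[int, Message]]:
        """Handle a message from the reflection device; may return (target, reply)."""
        if msg.remote_id == self.station_id:
            return None                              # an SA with ourselves: drop it
        if msg.kind == "first_forwarded":            # steps 1101 to 1102
            self.outbound[msg.remote_id] = msg.sa    # first outbound direction entry
            own = self.controller.provision(self.station_id, msg.remote_id)
            self.inbound[msg.remote_id] = own        # second inbound direction entry
            return msg.remote_id, Message("second", self.station_id, own)
        if msg.kind == "second":
            self.outbound[msg.remote_id] = msg.sa    # second outbound direction entry
        elif msg.kind == "first_generated":          # fig. 6 style
            self.inbound[msg.remote_id] = msg.sa     # first inbound direction entry
            self.held[msg.remote_id] = msg.sa        # outbound waits for the instruction
        elif msg.kind == "gen_outbound" and msg.remote_id in self.held:
            self.outbound[msg.remote_id] = self.held.pop(msg.remote_id)
        return None

class Reflector:
    def __init__(self, controller: Controller) -> None:
        self.controller, self.devices, self.log = controller, {}, []

    def deliver(self, to: int, msg: Message) -> None:
        self.log.append(f"reflector -> {to}: {msg.kind} remote={msg.remote_id}")
        reply = self.devices[to].receive(msg)
        if reply is not None:                        # route the second message onwards
            self.deliver(*reply)

    def generate(self, a: int, b: int) -> None:
        """Second implementation: one SA from the control device for the pair, a
        generated first message to each side, then the generation instruction."""
        sa = self.controller.provision(a, b)
        self.deliver(a, Message("first_generated", b, sa))
        self.deliver(b, Message("first_generated", a, sa))
        self.deliver(a, Message("gen_outbound", b))
        self.deliver(b, Message("gen_outbound", a))

def tunnel_consistent(x: NetworkDevice, y: NetworkDevice) -> bool:
    """Both directions usable: each side's outbound SA is the peer's inbound SA."""
    xy, yx = x.outbound.get(y.station_id), y.outbound.get(x.station_id)
    return (xy is not None and xy == y.inbound.get(x.station_id)
            and yx is not None and yx == x.inbound.get(y.station_id))

def run(generated: bool) -> Tuple[NetworkDevice, NetworkDevice, Reflector]:
    """Run the fig. 6 style flow when generated is True, else the fig. 5 style flow."""
    ctrl = Controller()
    refl = Reflector(ctrl)
    a, b = NetworkDevice(A_ID, ctrl), NetworkDevice(B_ID, ctrl)
    refl.devices = {A_ID: a, B_ID: b}
    if generated:
        refl.generate(A_ID, B_ID)
    else:                                   # first implementation: B originates, reflector forwards
        refl.deliver(A_ID, b.originate(A_ID))
    return a, b, refl
```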
Fig. 13 is a schematic structural diagram of an apparatus for implementing encrypted data transmission according to an embodiment of the present application. The apparatus is used in a first network device in a communication system, which may be, for example, network device 101D or network device 101E in the communication system shown in fig. 2. As shown in fig. 13, the apparatus 130 includes:
a receiving module 1301, configured to receive a first message sent by a reflection device, where the first message includes first SA information and an identifier of a second network device in a communication system, and the identifier of the second network device is used to identify the second network device.
A processing module 1302, configured to generate a first outgoing direction SA entry based on the first SA information, where the first outgoing direction SA entry is used for the first network device to encrypt data sent to the second network device.
Optionally, the apparatus for implementing data encryption transmission shown in fig. 13 may be used in the first network device or the second network device in the method shown in fig. 5 or fig. 6. The specific operations performed by the respective modules correspond to the relevant steps, and details not described here may be found in the detailed description of the method for implementing data encryption transmission shown in fig. 5 or fig. 6, in particular the descriptions of steps 501 to 503, steps 505 to 508, and step 510, or the relevant descriptions of step 604, step 605, step 608, and step 609.
In summary, in the apparatus for implementing data encryption transmission provided in this embodiment of the present application, after a first network device receives a first message sent by a reflection device through the receiving module, it may generate an outbound direction SA entry through the processing module, so as to implement encrypted data transmission in the direction from the first network device to the second network device. There is no need to manually configure SA information in the network devices, and no need to perform IKE negotiation between the network devices, so that encrypted data transmission is set up efficiently, consumes fewer transmission resources, and incurs lower network overhead.
Optionally, the first packet is sent to the reflection device by the second network device, or the first packet is generated by the reflection device.
Optionally, the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
Optionally, the first packet is generated by the reflection device, and the processing module 1302 is further configured to generate a first inbound direction SA entry based on the first SA information, where the first inbound direction SA entry is used for the first network device to decrypt received data sent by the second network device.
Optionally, the processing module 1302 is configured to generate the first outbound direction SA entry based on the first SA information when the first network device receives an outbound direction SA entry generation instruction sent by the reflection device.
Optionally, the first packet is sent to the reflection device by the second network device, as shown in fig. 14, the apparatus 130 further includes:
an obtaining module 1303, configured to obtain second SA information;
the processing module 1302 is further configured to generate a second inbound direction SA entry based on the second SA information;
a sending module 1304, configured to send a second message to the second network device, where the second message includes the second SA information and an identifier of the first network device, the second SA information is used by the second network device to generate a second outbound direction SA entry, and the identifier of the first network device is used to identify the first network device;
the second outbound direction SA entry is used by the second network device to encrypt data sent to the first network device, and the second inbound direction SA entry is used by the first network device to decrypt received data sent by the second network device.
Optionally, the obtaining module 1303 is configured to receive the second SA information sent by the control device.
Fig. 15 is a schematic structural diagram of another apparatus for implementing encrypted data transmission according to an embodiment of the present application. The apparatus is used in a reflection device in a communication system, for example the reflection device 102 in the communication system shown in fig. 2. As shown in fig. 15, the apparatus 150 includes:
an obtaining module 1501, configured to obtain first SA information;
A sending module 1502, configured to send a first packet to a first network device, where the first packet includes first SA information and an identifier of a second network device in the communication system, where the first SA information is used by the first network device to generate a first outbound SA entry, the identifier of the second network device is used to identify the second network device, and the first outbound SA entry is used by the first network device to encrypt data sent to the second network device.
Optionally, the apparatus for implementing data encryption transmission shown in fig. 15 may be used in the reflection device in the method shown in fig. 5 or fig. 6. The specific operations performed by the respective modules correspond to the relevant steps, and details not described here may be found in the detailed description of the method for implementing data encryption transmission shown in fig. 5 or fig. 6, in particular the relevant descriptions of step 504 and step 509, or the relevant descriptions of step 601 to step 603, step 606, and step 607.
In summary, in the apparatus for implementing data encryption transmission provided in the embodiment of the present application, after the reflection device obtains the first SA information through the obtaining module, the sending module sends the first packet including the first SA information to the first network device; after receiving the first packet, the first network device may generate the outbound direction SA entry based on the first SA information, thereby implementing encrypted data transmission in the direction from the first network device to the second network device.
Optionally, the obtaining module 1501 is configured to receive the first message sent by the second network device, and the sending module 1502 is configured to forward the first message to the first network device.
Optionally, the obtaining module 1501 is configured to receive first SA information sent by the control device.
Optionally, the sending module 1502 is further configured to send an outbound direction SA entry generation instruction to the first network device, where the outbound direction SA entry generation instruction is used to instruct the first network device to generate the first outbound direction SA entry based on the first SA information.
Optionally, the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 16 is a schematic structural diagram of a network device according to an embodiment of the present application. The network device 1600 includes: a processor 1601, and a memory 1602.
A memory 1602 for storing a computer program comprising program instructions;
a processor 1601 for invoking a computer program for implementing the steps performed by the first network device or the second network device in the method shown in fig. 3, for example, implementing steps 301 to 303 and 308, or implementing steps 304 to 307. Alternatively, steps performed by the first network device or the second network device in the method shown in fig. 5 are implemented, for example, steps 501 to 503 and 510 are implemented, or steps 505 to 508 are implemented. Alternatively, steps performed by the first network device or the second network device in the method shown in fig. 6 are implemented, for example, step 605 and step 609, or step 604 and step 608.
Optionally, network device 1600 may also include a communication bus 1603 and a communication interface 1604. The processor 1601 and the memory 1602 are connected by a communication bus 1603. The communication interface 1604 is used for communicating with other devices, such as other network devices or reflective devices.
Fig. 17 is a schematic structural diagram of a reflection device according to an embodiment of the present application. The reflection device 1700 includes: a processor 1701 and a memory 1702.
A memory 1702 for storing a computer program, the computer program comprising program instructions;
the processor 1701 is arranged to invoke a computer program for carrying out the steps performed by the reflection device in the method as shown in fig. 5, for example for carrying out the steps 504 and 509. Alternatively, the steps performed by the reflection device in the method shown in fig. 6 are implemented, for example, step 601 to step 603 and step 606 to step 607 are implemented.
Optionally, the reflection device 1700 may also include a communication bus 1703 and a communication interface 1704. The processor 1701 and the memory 1702 are connected by the communication bus 1703. The communication interface 1704 is used for communicating with other devices, such as the first network device and the second network device.
In the embodiment of the present application, the processor may be a Central Processing Unit (CPU). The processor may include one or more processing cores, which execute various functional applications and data processing by running a computer program. The processor and the memory are connected by the communication bus.
The processor may further include a hardware chip. The hardware chip may be an Application Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. In one embodiment, the hardware chip may be used to implement encryption/decryption operations.
The memory may include volatile memory, such as random access memory (RAM); the memory may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also comprise a combination of the kinds of memory described above.
The communication interface may be plural, and the communication interface is used for communication with other devices. The communication interface may include a wired communication interface, a wireless communication interface, or a combination thereof. The wired communication interface may be an ethernet interface, for example. The ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a Wireless Local Area Network (WLAN) interface, a cellular network communication interface, or a combination thereof.
Fig. 18 is a schematic structural diagram of another communication system according to an embodiment of the present application. As shown in fig. 18, the system includes: a reflection device 1801, a first network device 1802, and a second network device 1803, where the reflection device 1801 includes an apparatus for implementing data encryption transmission as shown in fig. 15 or a structure in the reflection device as shown in fig. 17; the first network device 1802 and the second network device 1803 may include an apparatus for implementing encrypted data transmission as shown in fig. 13 or fig. 14 or a structure in a network device as shown in fig. 16.
Embodiments of the present application further provide a computer storage medium, which stores instructions that, when executed by a processor, implement the steps performed by any one of the apparatuses in the method for implementing data encryption transmission shown in fig. 3, fig. 5, or fig. 6.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
In the embodiments of the present application, the terms "first", "second", and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The term "and/or" in this application only describes an association relationship between the associated objects and means that three kinds of relationship may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The above description is only exemplary of the present application and is not intended to limit the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principles of the present application are intended to be included within the scope of the present application.

Claims (28)

1. A method for implementing encrypted transmission of data, the method comprising:
a first network device in a communication network receives a first message sent by a reflection device, wherein the first message comprises first Security Association (SA) information and an identifier of a second network device in the communication network, and the identifier of the second network device is used for identifying the second network device;
the first network device generates a first outbound direction SA entry based on the first SA information, where the first outbound direction SA entry is used for the first network device to encrypt data sent to the second network device.
2. The method of claim 1, wherein the first packet is sent to the reflecting device by the second network device or the first packet is generated by the reflecting device.
3. The method according to claim 1 or 2, wherein the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
4. The method according to any of claims 1 to 3, wherein the first message is generated by the reflection device, and after the first network device receives the first message sent by the reflection device, the method further comprises:
the first network device generates a first inbound direction SA entry based on the first SA information, where the first inbound direction SA entry is used for the first network device to decrypt received data sent by the second network device.
5. The method of claim 4, wherein the first network device generating a first outbound SA entry based on the first SA information comprises:
when the first network device receives an outbound direction SA entry generation instruction sent by the reflection device, the first network device generates the first outbound direction SA entry based on the first SA information.
6. The method of any of claims 1 to 3, wherein the first message is sent by the second network device to the reflection device, the method further comprising:
the first network device acquires second SA information;
the first network device generates a second inbound direction SA entry based on the second SA information;
the first network device sends a second message to the second network device, where the second message includes the second SA information and an identifier of the first network device, the second SA information is used by the second network device to generate a second outbound direction SA entry, and the identifier of the first network device is used to identify the first network device;
the second outbound direction SA entry is used by the second network device to encrypt data sent to the first network device, and the second inbound direction SA entry is used by the first network device to decrypt received data sent by the second network device.
7. The method of claim 6, wherein the first network device obtaining second SA information comprises:
the first network device receives the second SA information sent by the control device.
8. A method for implementing encrypted transmission of data, the method comprising:
a reflection device in a communication network acquires first Security Association (SA) information;
the reflection device sends a first message to a first network device in the communication network, where the first message includes first SA information and an identifier of a second network device in the communication network, the first SA information is used by the first network device to generate a first outgoing direction SA entry, the identifier of the second network device is used to identify the second network device, and the first outgoing direction SA entry is used by the first network device to encrypt data sent to the second network device.
9. The method of claim 8, wherein obtaining, by a reflection device in the communication network, first Security Association (SA) information comprises:
the reflection device receives the first message sent by the second network device;
and the sending, by the reflection device, of the first message to the first network device in the communication network comprises:
the reflection device forwards the first message to the first network device.
10. The method of claim 8, wherein obtaining, by a reflection device in the communication network, first Security Association (SA) information comprises:
the reflection device receives the first SA information sent by the control device.
11. The method of claim 10, wherein after the reflecting device sends the first packet to the first network device in the communication network, the method further comprises:
the reflection device sends an outgoing direction SA table entry generation instruction to the first network device, where the outgoing direction SA table entry generation instruction is used to instruct the first network device to generate the first outgoing direction SA table entry based on the first SA information.
12. The method according to any of claims 8 to 11, wherein said first packet is a BGP update message, and said first SA information is carried in a routing attribute list field in said BGP update message.
13. An apparatus for implementing encrypted transmission of data, the apparatus being configured to be used in a first network device in a communication network, the apparatus comprising:
a receiving module, configured to receive a first packet sent by a reflection device, where the first packet includes first security association SA information and an identifier of a second network device in the communication network, and the identifier of the second network device is used to identify the second network device;
and the processing module is configured to generate a first outgoing direction SA entry based on the first SA information, where the first outgoing direction SA entry is used to encrypt data sent to the second network device.
14. The apparatus of claim 13, wherein the first packet is sent to the reflecting device by the second network device, or wherein the first packet is generated by the reflecting device.
15. The apparatus according to claim 13 or 14, wherein the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
16. The apparatus according to any one of claims 13 to 15, wherein the first packet is generated by the reflection device, and the processing module is further configured to:
generate a first inbound direction SA entry based on the first SA information, where the first inbound direction SA entry is used for the first network device to decrypt received data sent by the second network device.
17. The apparatus of claim 16, wherein the processing module is configured to:
when receiving an outbound direction SA table entry generation instruction sent by the reflection device, the first network device generates the first outbound direction SA table entry based on the first SA information.
18. The apparatus according to any of claims 13 to 15, wherein the first packet is sent by the second network device to the reflection device, the apparatus further comprising:
an obtaining module, configured to obtain second SA information;
the processing module is further configured to generate a second inbound direction SA entry based on the second SA information;
a sending module, configured to send a second packet to the second network device, where the second packet includes the second SA information and an identifier of the first network device, the second SA information is used by the second network device to generate a second outbound direction SA entry, and the identifier of the first network device is used to identify the first network device;
the second outbound direction SA entry is used by the second network device to encrypt data sent to the first network device, and the second inbound direction SA entry is used by the first network device to decrypt received data sent by the second network device.
19. The apparatus of claim 18, wherein the obtaining module is configured to:
receive the second SA information sent by the control device.
20. An apparatus for implementing encrypted transmission of data, for use in a reflective device in a communication network, the apparatus comprising:
an obtaining module, configured to obtain first Security Association (SA) information;
a sending module, configured to send a first packet to a first network device in the communication network, where the first packet includes first SA information and an identifier of a second network device in the communication network, where the first SA information is used by the first network device to generate a first outgoing direction SA entry, the identifier of the second network device is used to identify the second network device, and the first outgoing direction SA entry is used by the first network device to encrypt data sent to the second network device.
21. The apparatus of claim 20,
the obtaining module is configured to receive the first packet sent by the second network device;
the sending module is configured to forward the first packet to the first network device.
22. The apparatus of claim 20,
the obtaining module is configured to receive the first SA information sent by the control device.
23. The apparatus of claim 22,
the sending module is further configured to send an outgoing direction SA entry generation instruction to the first network device, where the outgoing direction SA entry generation instruction is used to instruct the first network device to generate the first outgoing direction SA entry based on the first SA information.
24. The apparatus according to any of claims 20 to 23, wherein the first packet is a BGP update message, and the first SA information is carried in a routing attribute list field in the BGP update message.
25. A network device, comprising: a processor and a memory;
the memory is configured to store a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for implementing encrypted transmission of data according to any one of claims 1 to 7.
26. A reflective device, comprising: a processor and a memory;
the memory is configured to store a computer program, the computer program comprising program instructions;
the processor is configured to invoke the computer program to implement the method for implementing encrypted transmission of data according to any one of claims 8 to 12.
27. A communication system, comprising: a reflection device and a plurality of network devices, wherein the reflection device comprises the apparatus for implementing encrypted transmission of data according to any one of claims 20 to 24 or the reflective device according to claim 26, and each network device comprises the apparatus for implementing encrypted transmission of data according to any one of claims 13 to 19 or the network device according to claim 25.
28. A computer storage medium having stored thereon instructions which, when executed by a processor, implement the method for implementing encrypted transmission of data according to any one of claims 1 to 12.
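The SA distribution that claims 18 to 24 describe, as an added Python model that is not the patent's own code: a network device keeps an incoming direction entry for its own SA information and sends a packet carrying that SA information plus its identifier; the reflection device forwards the packet to the other network devices, each of which generates an outgoing direction entry keyed by that identifier and uses it to encrypt data sent back. The SAInfo fields (SPI, key), the toy keystream cipher, the device identifiers and the key values are constructed for the demo and stand in for the BGP update attribute and IPsec suite the claims leave to the deployment.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SAInfo:          # SA information: SPI plus key (constructed, not a real IPsec SA)
    spi: int
    key: bytes

def _stream(sa, nonce, n):   # toy keystream for the demo, not a production cipher
    blocks = (hashlib.sha256(sa.key + nonce + c.to_bytes(4, "big")).digest() for c in range(0, n, 32))
    return b"".join(blocks)[:n]

@dataclass
class NetworkDevice:
    ident: str                                    # identifier of this device, carried in the packet
    inbound: dict = field(default_factory=dict)   # SPI -> SAInfo, decrypts received data (claim 18)
    outbound: dict = field(default_factory=dict)  # peer ident -> SAInfo, encrypts sent data (claim 20)

    def announce(self, sa):   # generate the incoming direction entry, build {SA info, own identifier}
        self.inbound[sa.spi] = sa
        return {"sa": sa, "ident": self.ident}
    def learn(self, packet):  # generate the outgoing direction entry keyed by the peer the packet names
        self.outbound[packet["ident"]] = packet["sa"]

    def encrypt_to(self, peer, plaintext):
        sa, nonce = self.outbound[peer], os.urandom(8)
        ct = bytes(p ^ k for p, k in zip(plaintext, _stream(sa, nonce, len(plaintext))))
        header = sa.spi.to_bytes(4, "big") + nonce
        return header + ct + hmac.new(sa.key, header + ct, hashlib.sha256).digest()

    def decrypt(self, wire):
        sa = self.inbound[int.from_bytes(wire[:4], "big")]   # the SPI selects the inbound entry
        header, ct, tag = wire[:12], wire[12:-32], wire[-32:]
        if not hmac.compare_digest(tag, hmac.new(sa.key, header + ct, hashlib.sha256).digest()):
            raise ValueError("integrity check failed: wrong key or tampered packet")
        return bytes(c ^ k for c, k in zip(ct, _stream(sa, header[4:], len(ct))))

class ReflectionDevice:   # reflector role: forward each device's packet to every other device (claim 21)
    def __init__(self, *devs):
        self.members = {d.ident: d for d in devs}
    def reflect(self, packet):
        for ident, dev in self.members.items():
            if ident != packet["ident"]:
                dev.learn(packet)

def demo():   # B encrypts to A with its outbound entry; A decrypts with its inbound entry
    a, b = NetworkDevice("A"), NetworkDevice("B")
    rr = ReflectionDevice(a, b)
    rr.reflect(a.announce(SAInfo(0x1001, b"constructed-key-a")))
    rr.reflect(b.announce(SAInfo(0x2002, b"constructed-key-b")))
    return a.decrypt(b.encrypt_to("A", b"hello from B"))
```

Note that the announcing device never installs an outbound entry toward itself, and a packet whose tag does not verify under the inbound entry selected by its SPI is rejected before any plaintext is produced.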
CN202010107864.9A 2020-02-21 2020-02-21 Method and device for realizing data encryption transmission and communication system Pending CN113300998A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010107864.9A CN113300998A (en) 2020-02-21 2020-02-21 Method and device for realizing data encryption transmission and communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010107864.9A CN113300998A (en) 2020-02-21 2020-02-21 Method and device for realizing data encryption transmission and communication system

Publications (1)

Publication Number Publication Date
CN113300998A true CN113300998A (en) 2021-08-24

Family

ID=77317506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010107864.9A Pending CN113300998A (en) 2020-02-21 2020-02-21 Method and device for realizing data encryption transmission and communication system

Country Status (1)

Country Link
CN (1) CN113300998A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115296988A (en) * 2022-10-09 2022-11-04 中国电子科技集团公司第三十研究所 Method for realizing IPSec gateway dynamic networking

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination