CN114070636B - Security control method and device, switch, server and network system - Google Patents

Info

Publication number
CN114070636B
Authority
CN
China
Prior art keywords
switch
lacpdu
encryption
message
lacpdu message
Prior art date
Legal status
Active
Application number
CN202111388850.XA
Other languages
Chinese (zh)
Other versions
CN114070636A (en)
Inventor
严云龙
Current Assignee
Maipu Communication Technology Co Ltd
Original Assignee
Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Priority to CN202111388850.XA
Publication of CN114070636A
Application granted
Publication of CN114070636B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application provides a security control method, a security control device, a switch, a server and a network system. The method comprises the following steps: encrypting a system MAC address pre-configured on a first switch to obtain a first encrypted address; constructing a first LACPDU message carrying the first encrypted address; and sending the first LACPDU message to the server, so that, when the server receives the first LACPDU message and a second LACPDU message sent by a second switch on different ports of the same aggregation link, it performs aggregation verification on the two messages. By this method, even if an attacker acquires the original system MAC address in advance, the attacker cannot acquire the configured encryption mode and therefore cannot produce a counterfeit using the same encryption mode, so the security of aggregation between the two switches and the server is improved.

Description

Security control method and device, switch, server and network system
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security control method, a security control device, a switch, a server, and a network system.
Background
MLAG-Lite (also known as lightweight MLAG) is a simpler, purely stack-free solution derived in the last two years from the original cross-device link aggregation (Multi-Chassis Link Aggregation Group, MLAG) technology framework. The scheme removes the Peer-link control link between the two switches of the MLAG on the basis of the original MLAG de-stacking scheme. In this scheme, the system MAC (Media Access Control) addresses of the two MLAG-Lite switches are configured to be identical and the port IDs (identifiers) are configured to differ on the two sides, so that the peer server does not perceive multiple devices at the local end and a heterogeneous aggregation group is formed.
However, the MLAG-Lite technology has a major hidden weakness: there is no perception of, or interaction between, the switches of the MLAG-Lite system, so a switch in the system can easily be counterfeited by an attacker. Specifically, after an attacker intercepts the system MAC address configured on a switch of the MLAG-Lite system, the attacker configures the same system MAC address on their own switch and then connects that switch through line switching or through a redundant port on a server of the MLAG-Lite system; the server then load-balances traffic onto the attacker's switch, and the traffic is intercepted.
Disclosure of Invention
The embodiments of the present application aim to provide a security control method, a security control device, a switch, a server and a network system, so as to improve the security of network system communication.
The application is realized in the following way:
In a first aspect, an embodiment of the present application provides a security control method, which is applied to a first switch in a network system, where the network system further includes a second switch and a server, and the server is communicatively connected to the first switch and the second switch, respectively. The method includes: encrypting a system MAC address pre-configured on the first switch to obtain a first encrypted address; constructing a first Link Aggregation Control Protocol Data Unit (LACPDU) message carrying the first encrypted address; and sending the first LACPDU message to the server, so that when the server receives the first LACPDU message and a second LACPDU message carrying a second encrypted address, sent by the second switch, on different ports of the same aggregation link, aggregation verification is carried out on the first LACPDU message and the second LACPDU message.
In the embodiment of the application, the first switch encrypts the pre-configured system MAC address, so that the encrypted system MAC address is transmitted in the message. By the method, even if an attacker acquires the original system MAC address in advance, the attacker cannot acquire the configured encryption mode, so that encryption counterfeiting cannot be performed by adopting the same encryption mode, and the security of aggregation between the two switches and the server can be improved by adopting the method.
With reference to the foregoing technical solution provided in the first aspect, in some possible implementation manners, encrypting the system MAC address preconfigured by the first switch to obtain a first encrypted address includes: encrypting the system MAC address based on a first encryption algorithm and a first encryption key to obtain a first encryption address; the constructing a first LACPDU message carrying the first encryption address includes: filling the first encryption address into an actor_System field in the first LACPDU message; encrypting an actor_System field in the first LACPDU message based on a second encryption algorithm and a second encryption key to obtain an encrypted character string; and constructing the first LACPDU message based on the encryption character string.
In the embodiment of the application, after the first encryption address is obtained, the first switch encrypts the actor_system field based on the second encryption algorithm and the second encryption key to obtain the encryption character string, so that the transmission process of the first encryption address in the first LACPDU message is encryption transmission.
With reference to the foregoing technical solution provided in the first aspect, in some possible implementations, constructing the first LACPDU message based on the encrypted string includes: adjusting the encrypted string to a first byte length, and constructing the first LACPDU message based on the encrypted string whose byte length has been adjusted. Alternatively, constructing the first LACPDU message based on the encrypted string includes: constructing the first LACPDU message based on the encrypted string and a target field filled with identification information, where the identification information indicates that the information carried by the actor_System field of the first LACPDU message is to be obtained after decryption.
In the embodiment of the application, the first switch can adjust the byte length of the encrypted string, further reducing the risk that an attacker who captures the packet in transit on the link can use it for a counterfeit attack. When constructing the first LACPDU message, the first switch may also fill the target field with the identification information, so as to inform the server that the information in the actor_System field must be decrypted before it is obtained.
In a second aspect, an embodiment of the present application provides a security control method, which is applied to a server in a network system, where the network system further includes a first switch and a second switch, and the server is communicatively connected to the first switch and the second switch, respectively. The method includes: when a first LACPDU message and a second LACPDU message are received through different ports of the same aggregation link, performing aggregation verification on the first LACPDU message and the second LACPDU message. The first LACPDU message is a message sent by the first switch, and the actor_System field in the first LACPDU message carries a first encrypted address, obtained by the first switch encrypting a system MAC address; the second LACPDU message is a message sent by the second switch, and the actor_System field in the second LACPDU message carries a second encrypted address, obtained by the second switch encrypting the system MAC address. When the information carried by the actor_System field in the first LACPDU message is consistent with the information carried by the actor_System field in the second LACPDU message, it is determined that the first switch and the second switch are successfully aggregated with the server.
In the embodiment of the application, the first switch and the second switch encrypt the pre-configured system MAC address, so the encrypted system MAC address transmitted in the message improves the aggregation security between the two switches and the server. At the same time, after the server receives the messages it can directly compare whether the information carried by the actor_System fields is consistent, following the original flow; that is, the server needs no additional adaptation, which reduces the development effort for the system and gives the method high practical value.
With reference to the foregoing technical solution provided by the second aspect, in some possible implementations, before performing aggregation verification on the first LACPDU message and the second LACPDU message, the method further includes: decrypting the encrypted string in the first LACPDU message and the encrypted string in the second LACPDU message based on a second encryption algorithm and a second encryption key. The encrypted string in the first LACPDU message is obtained by the first switch filling the first encrypted address into the actor_System field of the first LACPDU message and then encrypting that actor_System field based on the second encryption algorithm and the second encryption key, where the first encrypted address is obtained by the first switch encrypting the system MAC address based on a first encryption algorithm and a first encryption key. The encrypted string in the second LACPDU message is obtained by the second switch filling the second encrypted address into the actor_System field of the second LACPDU message and then encrypting that actor_System field based on the second encryption algorithm and the second encryption key, where the second encrypted address is obtained by the second switch encrypting the system MAC address based on the first encryption algorithm and the first encryption key. Determining that the first switch and the second switch are successfully aggregated with the server when the information carried by the actor_System field in the first LACPDU message is consistent with that in the second LACPDU message then includes: determining that the first switch and the second switch are successfully aggregated with the server when the information carried by the actor_System field obtained after decrypting the first LACPDU message is consistent with the information carried by the actor_System field obtained after decrypting the second LACPDU message.
With reference to the foregoing technical solution of the second aspect, in some possible implementations, before decrypting the encrypted string in the first LACPDU message and the encrypted string in the second LACPDU message based on the second encryption algorithm and the second encryption key, the method further includes: restoring the encrypted string in the first LACPDU message and the encrypted string in the second LACPDU message to a second byte length; the decryption then operates on the encrypted strings restored to the second byte length in the first and second LACPDU messages, using the second encryption algorithm and the second encryption key. Alternatively, before decrypting the encrypted strings in the first and second LACPDU messages based on the second encryption algorithm and the second encryption key, the method further includes: determining that a target field in the first LACPDU message contains identification information and that a target field in the second LACPDU message contains the identification information, where the identification information indicates that the information carried by the actor_System field is to be obtained after decryption.
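As an added illustration of the first and second aspects above (this is not the patent's own code), the following Python models both switches encrypting the shared system MAC address in two layers, writing the result into the actor_System field of an LACPDU Actor Information TLV, and the server undoing only the transport layer before the ordinary LACP comparison. The keyed-XOR stand-in for the two unspecified encryption algorithms, the sample MAC and keys, and the use of the TLV's three reserved bytes as the target field carrying the identification information are all assumptions; the byte-length adjustment variant is not modelled.

```python
import hashlib
import hmac
import struct


def keyed_xor(data: bytes, key: bytes, label: bytes) -> bytes:
    """Constructed stand-in for the patent's unspecified 'encryption algorithm +
    key' pairs: a keystream derived with HMAC-SHA256 is XORed onto the data.
    It is deterministic (both switches must produce the same first encrypted
    address) and self-inverse, so the same call also decrypts. Illustration
    only, not a recommended cipher."""
    stream = hmac.new(key, label + bytes([len(data)]), hashlib.sha256).digest()
    return bytes(b ^ s for b, s in zip(data, stream))


# Actor Information TLV of an LACPDU (IEEE 802.1AX): type, length, system
# priority, Actor_System (6 bytes), key, port priority, port, state, reserved.
ACTOR_TLV = struct.Struct("!BBH6sHHHB3s")
ACTOR_TLV_TYPE, ACTOR_TLV_LEN = 0x01, 0x14

# Assumption: the three reserved bytes serve as the "target field", and this
# marker is the "identification information" telling the server that
# Actor_System must be decrypted before it is compared.
ENC_MARKER = b"\xe5\x01\x00"


def build_actor_tlv(system_mac: bytes, port: int, key1: bytes, key2: bytes) -> bytes:
    """Switch side (steps S101-S102): layer 1 encrypts the configured system
    MAC into the first encrypted address, layer 2 encrypts the Actor_System
    field for transport, and the marker is written into the target field."""
    first_enc_addr = keyed_xor(system_mac, key1, b"system-mac")
    enc_string = keyed_xor(first_enc_addr, key2, b"actor-system")
    return ACTOR_TLV.pack(ACTOR_TLV_TYPE, ACTOR_TLV_LEN, 0x8000, enc_string,
                          1, 0x8000, port, 0x3D, ENC_MARKER)


def build_plain_actor_tlv(system_mac: bytes, port: int) -> bytes:
    """What a switch without the scheme sends, including an attacker's switch
    that learned the system MAC but not the encryption configuration."""
    return ACTOR_TLV.pack(ACTOR_TLV_TYPE, ACTOR_TLV_LEN, 0x8000, system_mac,
                          1, 0x8000, port, 0x3D, b"\x00\x00\x00")


def actor_system_from_tlv(tlv: bytes, key2: bytes) -> bytes:
    """Server side: read Actor_System, undoing the transport layer only when
    the target field carries the marker. Layer 1 is never undone here; the
    server compares first encrypted addresses, so it needs no other change."""
    tlv_type, tlv_len, _, system, _, _, _, _, reserved = ACTOR_TLV.unpack(tlv)
    if tlv_type != ACTOR_TLV_TYPE or tlv_len != ACTOR_TLV_LEN:
        raise ValueError("not an Actor Information TLV")
    if reserved == ENC_MARKER:
        return keyed_xor(system, key2, b"actor-system")
    return system


def aggregation_verify(tlv_a: bytes, tlv_b: bytes, key2: bytes) -> bool:
    """Aggregation verification for two LACPDUs received on different ports of
    the same aggregation link: the same comparison legacy LACP performs."""
    return actor_system_from_tlv(tlv_a, key2) == actor_system_from_tlv(tlv_b, key2)


# Constructed sample values (not from the patent).
SYSTEM_MAC = bytes.fromhex("0011223344aa")
KEY1 = b"first-key-configured-on-both-switches"
KEY2 = b"second-key-shared-with-the-server"


def demo() -> dict:
    """Runs the legitimate switch pair and the counterfeit case described in
    the background: the rogue switch can only send the raw system MAC."""
    sw1 = build_actor_tlv(SYSTEM_MAC, port=1, key1=KEY1, key2=KEY2)
    sw2 = build_actor_tlv(SYSTEM_MAC, port=2, key1=KEY1, key2=KEY2)
    rogue = build_plain_actor_tlv(SYSTEM_MAC, port=3)  # raw MAC, no marker
    return {
        "pair_aggregates": aggregation_verify(sw1, sw2, KEY2),
        "rogue_aggregates": aggregation_verify(sw1, rogue, KEY2),
        "raw_mac_on_wire": SYSTEM_MAC in sw1,
    }


if __name__ == "__main__":
    print(demo())
```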
In a third aspect, an embodiment of the present application provides a security control apparatus applied to a first switch in a network system, where the network system further includes a second switch and a server, and the server is communicatively connected to the first switch and the second switch, respectively. The apparatus includes: an encryption module, used for encrypting the system MAC address preconfigured on the first switch to obtain a first encrypted address; a construction module, used for constructing a first Link Aggregation Control Protocol Data Unit (LACPDU) message carrying the first encrypted address; and a sending module, used for sending the first LACPDU message to the server, so that the server performs aggregation verification on the first LACPDU message and a second LACPDU message when it receives the first LACPDU message and the second LACPDU message, carrying a second encrypted address and sent by the second switch, on different ports of the same aggregation link.
In a fourth aspect, an embodiment of the present application provides a security control apparatus applied to a server in a network system, where the network system further includes a first switch and a second switch, and the server is communicatively connected to the first switch and the second switch, respectively, and the apparatus includes: the verification module is used for carrying out aggregation verification on the first LACPDU message and the second LACPDU message when the first LACPDU message and the second LACPDU message are received through different ports of the same aggregation link; the first LACPDU message is a message sent by the first switch, and an actor_system field in the first LACPDU message carries a first encryption address, where the first encryption address is obtained by encrypting a System MAC address by the first switch; the second LACPDU message is a message sent by the second switch; the actor_System field in the second LACPDU message carries a second encryption address, wherein the second encryption address is obtained by encrypting the System MAC address by the second switch; and when the information carried by the actor_system field in the first LACPDU message is consistent with the information carried by the actor_system field in the second LACPDU message, determining that the first switch and the second switch are successfully aggregated with the server.
In a fifth aspect, an embodiment of the present application provides a switch, including: the device comprises a processor and a memory, wherein the processor is connected with the memory; the memory is used for storing programs; the processor is configured to run a program stored in the memory and to perform a method as provided by the embodiments of the first aspect and/or in combination with some possible implementations of the embodiments of the first aspect.
In a sixth aspect, an embodiment of the present application provides a server, including: the device comprises a processor and a memory, wherein the processor is connected with the memory; the memory is used for storing programs; the processor is configured to run a program stored in the memory and to perform a method as provided by the embodiments of the first aspect and/or in combination with some possible implementations of the embodiments of the first aspect.
In a seventh aspect, an embodiment of the present application provides a network system, including: the system comprises a server, a first switch and a second switch; the first switch is used for encrypting a preconfigured system MAC address to obtain a first encrypted address; constructing a first LACPDU message carrying the first encryption address; sending the first LACPDU message to the server; the second switch is used for encrypting the system MAC address to obtain a second encrypted address; constructing a second LACPDU message carrying the second encryption address; sending the second LACPDU message to the server; the server is configured to perform aggregation verification on the first LACPDU and the second LACPDU when different ports of the same aggregation link receive the first LACPDU and the second LACPDU.
In an eighth aspect, embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method as provided by the embodiments of the first aspect or the embodiments of the second aspect described above.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be considered as limiting its scope; other related drawings can be obtained from these drawings by a person skilled in the art without inventive effort.
Fig. 1 is a system block diagram of a prior art MLAG system.
Fig. 2 is a system block diagram of a prior art MLAG-Lite system.
Fig. 3 is a system block diagram of a network system according to an embodiment of the present application.
Fig. 4 is a block diagram of a switch according to an embodiment of the present application.
Fig. 5 is a flowchart illustrating steps of a first security control method according to an embodiment of the present application.
Fig. 6 is a flowchart illustrating steps of a second security control method according to an embodiment of the present application.
Fig. 7 is a flowchart illustrating steps of a third security control method according to an embodiment of the present application.
Reference numerals: 10-network system; 100-server; 200-first switch; 300-second switch; 210-processor; 220-memory.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a block diagram of an MLAG system. MLAG is a non-standard protocol that provides Layer 2 multipathing from a host in order to obtain additional bandwidth or link resilience. An MLAG system is formed by aggregating links across two or more switches: it allows two or more physical switches to present a set of parallel links as a single aggregate link, and allows a server to uplink to both switches for physical diversity while managing only one bonded interface. The current MLAG system realizes binding (i.e. aggregation) through a Peer-link control link between the switches, thereby forming a heterogeneous aggregation group.
Referring to FIG. 2, FIG. 2 shows an MLAG-Lite system, an improvement on the MLAG system. The MLAG-Lite system removes the Peer-link control link between the two switches of the MLAG on the basis of the original MLAG de-stacking scheme. By configuring the system MAC addresses of the two MLAG-Lite switches to be identical and configuring the port IDs to differ on the two sides, the MLAG-Lite technology achieves the effect that the peer server does not perceive multiple devices at the local end and a heterogeneous aggregation group is formed.
In the prior art, LACP (Link Aggregation Control Protocol) is a protocol that implements dynamic link aggregation. LACP exchanges information with the peer through LACPDUs (Link Aggregation Control Protocol Data Units). Specifically, when the two switches construct their LACPDU messages, the same preset system MAC address is filled into the actor_System field of each message. When the server receives two messages on different ports of the same Trunk (aggregation link) at the local end and determines that the information filled into the actor_System fields of the two messages is consistent, it determines that the aggregation of the two switches has succeeded. It should be noted that, during aggregation verification, the server may also check the actor_Port field, the actor_Key field and the like in the message; since the checking of such fields is not an improvement of the present application, it is not described further here.
The MLAG-Lite technology has a serious hidden weakness: there is no perception of, or interaction between, the switches of the MLAG-Lite system, so the switches in the system are easily counterfeited and deceived by an attacker. Specifically, an attacker can configure on their own switch the intercepted system MAC address, identical to that of the MLAG-Lite system, then connect that switch through line switching or through a redundant port on a server of the MLAG-Lite system; the server then load-balances its traffic onto the attacker's switch, and the traffic is intercepted.
In view of the above problems, the present inventors have long studied and have proposed the following examples to solve the above problems.
Referring to fig. 3, an embodiment of the present application provides a network system 10, including: server 100, first switch 200, and second switch 300.
The server 100 is communicatively coupled to the first switch 200 and the second switch 300.
It should be noted that the network system 10 may include more switches, and the present application uses only two switches to form a heterogeneous aggregation group as an example.
The first switch 200 is configured to encrypt a preconfigured system MAC address to obtain a first encrypted address; then constructing a first LACPDU message carrying a first encryption address (an actor_System field in the first LACPDU message carries the first encryption address); finally, the first LACPDU packet is sent to the server 100.
The second switch 300 is also configured to encrypt a preconfigured system MAC address to obtain a second encrypted address; then constructing a second LACPDU message carrying a second encryption address (an actor_System field in the second LACPDU message carries the second encryption address); and finally, sending the second LACPDU message to the server 100.
The system MAC addresses mentioned above are the same addresses and can be manually configured, and may be the MAC address of the first switch 200 or the MAC address of the second switch 300. For example, when the system MAC address is configured as the MAC address of the first switch 200, the first switch 200 is configured to encrypt the MAC address to obtain a first encrypted address, and construct a first LACPDU packet carrying the first encrypted address, and the second switch 300 is configured to encrypt the MAC address to obtain a second encrypted address, and construct a second LACPDU packet carrying the second encrypted address.
It should be noted that a switch is a network device for forwarding electrical (or optical) signals, and can provide a dedicated electrical-signal path for any two network nodes attached to it. Referring to fig. 4, architecturally the switch includes a processor 210 and a memory 220.
The processor 210 is electrically connected to the memory 220, directly or indirectly, to enable data transmission or interaction; for example, the elements may be electrically connected to each other via one or more communication buses or signal lines. The security control apparatus comprises at least one software module, which may be stored in the memory 220 in the form of software or firmware or built into the operating system (OS) of the switch. The processor 210 is configured to execute executable modules stored in the memory 220, such as the software functional modules and computer programs included in the security control apparatus, so as to implement the security control method. The processor 210 may execute the computer program after receiving an execution instruction.
The processor 210 may be an integrated circuit chip with signal processing capability. The processor 210 may also be a general purpose processor, such as a central processing unit (Central Processing Unit, CPU), digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), discrete gate or transistor logic, discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. Further, the general purpose processor may be a microprocessor or any conventional processor or the like.
The memory 220 may be, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), or electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM). The memory 220 is used for storing a program, and the processor 210 executes the program after receiving an execution instruction.
It should be noted that the structure shown in fig. 4 is only illustrative, and the first switch 200 and the second switch 300 may both adopt the structure shown in fig. 4. And the first switch 200 and the second switch 300 provided by the embodiment of the present application may have fewer or more components than those shown in fig. 4, or may have a different configuration from that shown in fig. 4. In addition, the components shown in fig. 4 may be implemented by software, hardware, or a combination thereof.
When the server 100 receives the first LACPDU message and the second LACPDU message through different ports of the same aggregation link, aggregation verification is performed on the first LACPDU message and the second LACPDU message.
The first LACPDU packet is a packet sent by the first switch 200, the second LACPDU packet is a packet sent by the second switch 300, and the actor_system field in the packet is an encrypted address. By the method, even if an attacker acquires the original system MAC address in advance, the attacker cannot encrypt and forge by adopting the same encryption mode because the configured encryption mode cannot be acquired. At this time, the attacker fills the original MAC address in the actor_system field of the message, and after receiving the message sent by the first switch 200 or the second switch 300 and the message sent by the attacker switch, the server 100 determines that the actor_system field filling information in the two messages is inconsistent, so that the attacker switch and the first switch 200 or the second switch 300 cannot aggregate with the server 100 because the System MAC address in the message sent by the attacker switch is the encrypted address. In this way, the security of aggregation between the switch and the server can be improved.
In MLAG-Lite terminology, the server 100 is generally called the Access device. The server 100 may be, but is not limited to, a web server, a database server, a cloud server, or a server cluster made up of multiple sub-servers. The server 100 likewise comprises a processor and a memory. The processor is electrically connected to the memory, directly or indirectly, for data transfer or interaction; the components may for example be connected to each other via one or more communication buses or signal lines. The security control apparatus comprises at least one software module, which may be stored in the memory as software or firmware or built into the operating system (OS) of the server 100. The processor executes the executable modules stored in the memory, such as the software functional modules and computer programs that make up the security control apparatus, and thereby implements it. The processor may execute the computer program after receiving an execution instruction. The structure of the server 100 may follow the structure shown in fig. 4 and is not repeated here.
Referring to fig. 5, fig. 5 is a flowchart of the steps of a security control method according to an embodiment of the present application. The method is applied to the network system 10 shown in fig. 3. The security control method provided by the embodiment is not limited to the order shown in fig. 5 and in the steps below. The method comprises steps S101 to S104.
Step S101: the first switch encrypts a preconfigured system MAC address to obtain a first encrypted address.
Prior to step S101, the first switch is configured (e.g., a system MAC address, a system port number, etc.).
Step S102: the first switch constructs a first LACPDU message carrying the first encrypted address.
The actor_system field of the first LACPDU message is filled with the first encrypted address.
Step S103: the first switch sends the first LACPDU message to the server.
Step S104: when the server receives the first LACPDU message and the second LACPDU message through different ports of the same aggregation link, aggregation verification is carried out on the first LACPDU message and the second LACPDU message.
The first LACPDU message is sent by the first switch and the second LACPDU message by the second switch. The actor_System field of the second LACPDU message carries a second encrypted address, obtained by the second switch encrypting the same system MAC address.
The verification proceeds as follows. If the server determines that the actor_system fields of the two messages carry consistent information (both being the encrypted address obtained from the system MAC address), both switches are valid and the server determines that aggregation with the two switches succeeds. If the fields are inconsistent (one carrying the encrypted address and the other the plain system MAC address), one of the two switches is an attacker's switch and the server determines that aggregation fails.
In summary, in this embodiment the first switch encrypts the preconfigured system MAC address so that only the encrypted address is carried in the message. Even an attacker who has obtained the original system MAC address in advance cannot obtain the configured encryption algorithm and key, and therefore cannot forge an encrypted address that matches; aggregation security between the two switches and the server is improved. Meanwhile, after receiving the messages the server compares the actor_System fields for consistency exactly as in the original LACP flow, so no additional adaptation of the server is needed; this keeps development simple and gives the method high practical value.
In an embodiment of the present application, the following encryption scheme is provided.
As one embodiment, step S101 may specifically comprise: encrypting the system MAC address with a first encryption algorithm and a first encryption key to obtain the first encrypted address.
The actor_system field in the first LACPDU packet carries a first encryption address.
Correspondingly, when the server receives the first LACPDU message from the first switch and the second LACPDU message from the second switch on different ports of the same aggregation link, it directly checks whether the actor_System fields of the two messages carry the same value. If the second switch is legitimate, it encrypts the system MAC address with the same first encryption algorithm and first encryption key, obtains the second encrypted address, and places it in the actor_System field of the second LACPDU message; the two fields match, both switches are valid, and the server determines that aggregation succeeds. If the second switch is an attacker's switch, its actor_System field carries the original system MAC address, the two fields differ, one of the switches is identified as the attacker's, and the server determines that aggregation fails.
In this way the first switch achieves stronger verification by the server with a single encryption, and the server compares the actor_System fields exactly as in the original flow, without any additional adaptation; this keeps development simple and gives the method strong practical value.
Of course, in other embodiments the system MAC address may be encrypted several times (for example with different encryption schemes in turn) and the resulting value placed in the actor_system field; the application is not limited in this respect.
To protect the message further during transmission, the first switch may construct the first LACPDU message as follows: fill the first encrypted address into the actor_System field of the first LACPDU message; encrypt the actor_System field with a second encryption algorithm and a second encryption key to obtain an encrypted string; and construct the first LACPDU message from that encrypted string.
During construction, the first switch thus encrypts the actor_system field of the first LACPDU message to obtain an encrypted string, so that the first encrypted address is itself protected while the first LACPDU message is in transit. The actor_System field of the constructed first LACPDU message is the encrypted string.
When the server receives the first LACPDU message and the second LACPDU message from the second switch on different ports of the same aggregation link, it first decrypts with the second encryption algorithm and the second encryption key, and then performs aggregation verification on the decrypted information.
Note that decrypting the first LACPDU message with the second encryption algorithm and second encryption key yields the first encrypted address.
If the second switch is legitimate, it encrypts the system MAC address with the first encryption algorithm and first encryption key to obtain the second encrypted address, fills it into the actor_System field of the second LACPDU message, encrypts that field with the second encryption algorithm and second encryption key to obtain an encrypted string, and constructs the second LACPDU message from the encrypted string. If the second switch is an attacker's switch, the actor_system field of the second LACPDU message carries the original system MAC address.
After receiving the two messages, the server decrypts the actor_system field (the encrypted string) of each. If both decrypt and the decrypted values are consistent (both being the encrypted address obtained from the system MAC address), both switches are valid and the server determines that aggregation succeeds.
If the second switch is an attacker's switch, the actor_System field of its second LACPDU message carries the original system MAC address; this value does not decrypt to a valid result, which identifies the attacker's switch, and the server determines that aggregation fails. In addition, because the decrypted value of the first LACPDU message is the first encrypted address, which differs from the system MAC address carried in the attacker's actor_system field, the inconsistency check alone also identifies one of the switches as the attacker's.
In this way, even an attacker who intercepts the message and obtains the encrypted string cannot recover the first encrypted address without the second key; the link layer is better protected against an attacker who captures packets in order to impersonate a device, and aggregation security between the switches and the server is improved further.
Optionally, when the above embodiment is used, the first switch may additionally fill identification information into a target field of the first LACPDU message, so that the server knows that the actor_System field must be decrypted before its contents are read. The identification information indicates that the content of the actor_System field of the first LACPDU message is obtained only after decryption. Correspondingly, the second switch may fill the same identification information into the target field of the second LACPDU message, indicating the same for the actor_System field of the second LACPDU message.
After receiving the first LACPDU message, the server parses it and, upon recognising the identification information in the target field, decrypts the actor_System field (the encrypted string); and/or, after receiving the second LACPDU message, the server parses it and, upon recognising the identification information in its target field, decrypts its actor_system field (the encrypted string).
The target field may be any field of the LACPDU message other than actor_system, preferably a field whose value is not otherwise relied on. For example, the target field may be the actor_port field, with the identification information being the high bit of actor_port set to 1.
In other embodiments the target field may be the actor_key field, and the identification information may correspondingly be the value 0; the application is not limited in this respect.
Optionally, to further reduce the chance that a message captured on the link can be used for a forgery attack, constructing the first LACPDU message from the encrypted string may specifically comprise: adjusting the encrypted string to a first byte length; and constructing the first LACPDU message from the length-adjusted encrypted string.
Correspondingly, before performing aggregation verification on the first and second LACPDU messages, the server restores the actor_system field (the encrypted string) of each message to the second byte length, decrypts the restored strings with the second encryption algorithm and second encryption key, and finally performs aggregation verification on the decrypted information.
If the attacker intercepts the message and obtains the actor_system field, the attacker does not know the byte-adjustment rule and cannot restore it, while the actor_system field in a message sent by the attacker's switch has the standard MAC length. The chance that a message captured on the link can be used for a forgery attack is therefore reduced further.
The adjustment may be compression or expansion, but is not limited to these. Taking compression as an example, the second byte length may be 6 bytes and the first byte length 4 bytes; the application is not limited to these values or to this adjustment mode. Whatever adjustment is chosen must be exactly invertible by the server; since an encrypted string is pseudorandom it cannot be shortened by generic lossless compression, so in practice the adjustment is a fixed, reversible re-encoding agreed between the switches and the server rather than data compression.
It is to be understood that the first and second encryption algorithms may be the same algorithm or different algorithms known in the art; the examples given here are Base64 and MD5. Note, however, that Base64 is an unkeyed encoding and MD5 an unkeyed hash: neither depends on a secret key, so neither provides the secrecy the scheme relies on, and an MD5 digest cannot be decrypted as the server-side step requires. A keyed cipher is needed for the second, reversible layer, and a keyed construction such as a cipher or HMAC for the first layer, where the server only compares values. The encryption key is chosen to suit the algorithm. The first and second encryption keys may also be the same key; the application is not limited in this respect.
The security control method is now described with a complete example. First, the first switch encrypts the system MAC address with the first encryption algorithm and first encryption key to obtain the first encrypted address and fills it into the actor_System field of the first LACPDU message; it then encrypts the actor_System field with the second encryption algorithm and second encryption key to obtain an encrypted string, and compresses the encrypted string to 4 bytes. The first switch then sets the high bit of the actor_port field to 1 and completes construction of the first LACPDU message. Finally, the first switch sends the first LACPDU message to the server. When the server receives the first LACPDU message and the second LACPDU message from the second switch on different ports of the same aggregation link, it parses both messages; on finding the high bit of actor_Port set to 1 in both, it first restores the compressed actor_system field (the encrypted string) of each message to 6 bytes, then decrypts each with the second encryption algorithm. After restoration and decryption the server performs aggregation verification: if the two decrypted actor_system fields carry consistent information, both switches are valid and the server determines that aggregation succeeds.
If the server finds that the information carried by the two actor_system fields is inconsistent, or that one of the messages cannot be decrypted, one of the switches is an attacker's switch and the server determines that aggregation fails.
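The following is an added worked example, not code from the patent or from Maipu, covering both the single-encryption flow of steps S101 to S104 and the two-layer variant with the actor_port identifier bit described above. It builds and parses the 20-byte IEEE 802.1AX Actor Information TLV in which actor_system lives, so the field offsets are real; everything else is an assumption chosen to make the scheme concrete: the first "encryption" is HMAC-SHA256 truncated to the 6-byte field (keyed, and the server only ever compares it), the second is a toy 3-round Feistel cipher over the 6 bytes keyed by a second key (length preserving, illustrative only), and the keys and system MAC are constructed sample values. The byte-length adjustment step is omitted, since pseudorandom ciphertext cannot be shortened losslessly. Two limits of the scheme show up directly in the code: a length-preserving cipher decrypts every 6-byte value to something, so the attacker's plain MAC is caught by the consistency check rather than by a decryption failure; and because the server's check is equality, the scheme defends against forging from the plaintext MAC, not against a field copied unchanged from a captured PDU.

```python
import hashlib
import hmac
import struct

# Constructed sample values; real deployments provision these on the devices.
KEY1 = b"first-key-shared-by-the-two-switches"      # assumed first encryption key
KEY2 = b"second-key-shared-with-the-server"         # assumed second encryption key
SYSTEM_MAC = bytes.fromhex("0011223344aa")          # assumed preconfigured system MAC
MARK_BIT = 0x8000                                   # identifier: high bit of actor_port

# IEEE 802.1AX Actor Information TLV (20 bytes): type, length, system priority,
# actor_system (6), actor_key, port priority, actor_port, actor_state, reserved (3)
ACTOR_TLV = struct.Struct("!BBH6sHHHB3s")


def first_layer(system_mac: bytes, key: bytes = KEY1) -> bytes:
    """First encryption (assumed: HMAC-SHA256 truncated to the 6-byte field).
    Keyed, so an attacker who knows only the plaintext MAC cannot compute it;
    the server never inverts it, it only compares two such values."""
    return hmac.new(key, b"actor_system|" + system_mac, hashlib.sha256).digest()[:6]


def _feistel(block: bytes, key: bytes, rounds) -> bytes:
    """Toy 3-round Feistel cipher on 6 bytes (two 3-byte halves), illustrative
    only. Running the rounds in reverse order, with the same final swap, inverts it."""
    left, right = block[:3], block[3:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:3]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def second_layer_encrypt(field: bytes, key: bytes = KEY2) -> bytes:
    return _feistel(field, key, range(3))


def second_layer_decrypt(field: bytes, key: bytes = KEY2) -> bytes:
    return _feistel(field, key, reversed(range(3)))


def build_actor_tlv(system_mac: bytes, port: int, two_layer: bool = True) -> bytes:
    """Legitimate switch: fill the once- or twice-encrypted address and, for the
    two-layer variant, set the identifier bit in actor_port."""
    field = first_layer(system_mac)
    if two_layer:
        field = second_layer_encrypt(field)
        port |= MARK_BIT
    return ACTOR_TLV.pack(0x01, 20, 32768, field, 1, 32768, port, 0x3D, b"\x00" * 3)


def attacker_actor_tlv(system_mac: bytes, port: int) -> bytes:
    """Attacker's switch: knows the plaintext system MAC but neither key, so it
    fills the original MAC into actor_system at its standard length."""
    return ACTOR_TLV.pack(0x01, 20, 32768, system_mac, 1, 32768, port, 0x3D, b"\x00" * 3)


def server_actor_system(tlv: bytes) -> bytes:
    """Server side: parse the TLV and, if the identifier bit is set, undo the
    second layer. A length-preserving cipher maps every 6-byte value to some
    plaintext, so 'cannot decrypt' is not observable here; the attacker is
    caught by the consistency check in aggregation_ok instead."""
    tlv_type, length, _, system, _, _, port, _, _ = ACTOR_TLV.unpack(tlv)
    if tlv_type != 0x01 or length != 20:
        raise ValueError("not an actor information TLV")
    if port & MARK_BIT:
        system = second_layer_decrypt(system)
    return system


def aggregation_ok(tlv_a: bytes, tlv_b: bytes) -> bool:
    """The two PDUs received on different ports of one aggregation link must
    carry the same actor_system: the unchanged standard LACP comparison."""
    return hmac.compare_digest(server_actor_system(tlv_a), server_actor_system(tlv_b))


if __name__ == "__main__":
    pdu1 = build_actor_tlv(SYSTEM_MAC, port=1)
    pdu2 = build_actor_tlv(SYSTEM_MAC, port=2)
    evil = attacker_actor_tlv(SYSTEM_MAC, port=2)
    print("two legitimate switches:", aggregation_ok(pdu1, pdu2))   # True
    print("switch 1 + attacker:    ", aggregation_ok(pdu1, evil))   # False
```

With two_layer=False the same functions reproduce the basic flow: the field carries the first encrypted address in the clear, no identifier bit is set, and the server compares the fields as received. Any real implementation should replace the toy Feistel with a vetted cipher and treat the keys as device secrets provisioned out of band.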
Referring to fig. 6, based on the same inventive concept, an embodiment of the present application further provides a security control method applied to the first switch in a network system. The method comprises steps S201 to S203.
Step S201: encrypt the system MAC address preconfigured on the first switch to obtain a first encrypted address.
Step S202: construct a first LACPDU message carrying the first encrypted address.
Step S203: send the first LACPDU message to the server, so that when the server receives the first LACPDU message and a second LACPDU message carrying a second encrypted address from the second switch on different ports of the same aggregation link, it performs aggregation verification on the first and second LACPDU messages.
It should be noted that, since the above steps are already described in the foregoing embodiments, they are not repeated here, and the same parts are only needed to be referred to each other.
Referring to fig. 7, based on the same inventive concept, an embodiment of the present application further provides a security control method, which is applied to a server in a network system. The method comprises the following steps: step S301-step S302.
Step S301: when a first LACPDU message and a second LACPDU message are received through different ports of the same aggregation link, aggregation verification is carried out on the first LACPDU message and the second LACPDU message.
The first LACPDU message is a message sent by the first switch, and an actor_System field in the first LACPDU message carries a first encryption address, wherein the first encryption address is obtained by encrypting a System MAC address by the first switch; the second LACPDU message is a message sent by a second switch; the actor_System field in the second LACPDU message carries a second encryption address, and the second encryption address is obtained by encrypting the System MAC address by the second switch.
Step S302: and when the information carried by the actor_system field in the first LACPDU message is consistent with the information carried by the actor_system field in the second LACPDU message, determining that the first switch and the second switch are successfully aggregated with the server.
It should be noted that, since the above steps are already described in the foregoing embodiments, they are not repeated here, and the same parts are only needed to be referred to each other.
Based on the same inventive concept, an embodiment of the present application further provides a security control apparatus applied to the first switch in a network system. The apparatus comprises:
an encryption module, configured to encrypt the system MAC address preconfigured on the first switch to obtain a first encrypted address;
a construction module, configured to construct a first LACPDU message carrying the first encrypted address;
a sending module, configured to send the first LACPDU message to the server, so that when the server receives the first LACPDU message and a second LACPDU message carrying a second encrypted address from the second switch on different ports of the same aggregation link, it performs aggregation verification on the first and second LACPDU messages.
Based on the same inventive concept, an embodiment of the present application further provides a security control apparatus applied to the server in a network system. The apparatus comprises:
a verification module, configured to perform aggregation verification on a first LACPDU message and a second LACPDU message when they are received on different ports of the same aggregation link, where the first LACPDU message is sent by the first switch and its actor_system field carries a first encrypted address obtained by the first switch encrypting the system MAC address, and the second LACPDU message is sent by the second switch and its actor_System field carries a second encrypted address obtained by the second switch encrypting the system MAC address; and to determine that the first switch and the second switch have successfully aggregated with the server when the information carried by the actor_system field of the first LACPDU message is consistent with that carried by the actor_system field of the second LACPDU message.
It should be noted that, since it will be clearly understood by those skilled in the art, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein.
Based on the same inventive concept, the embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program which, when executed, performs the method provided in the above embodiments.
The storage media may be any available media that can be accessed by a computer or a data storage device such as a server, data center, or the like that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid State Disk (SSD)), etc.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (11)

1. A security control method, applied to a first switch in a network system, the network system further comprising a second switch and a server, the server being communicatively connected to the first switch and the second switch, respectively, the method comprising:
encrypting a system MAC address pre-configured by the first switch based on a first encryption algorithm and a first encryption key to obtain a first encryption address;
constructing a first Link Aggregation Control Protocol data unit (LACPDU) message carrying the first encryption address;
the method comprises the steps that a first LACPDU message is sent to a server, so that when the server receives the first LACPDU message and a second LACPDU message carrying a second encryption address and sent by a second switch at different ports of the same aggregation link, aggregation verification is carried out on the first LACPDU message and the second LACPDU message; and when the information carried by the actor_system field in the first LACPDU message is consistent with the information carried by the actor_system field in the second LACPDU message, determining that the first switch and the second switch are successfully aggregated with the server.
2. The method of claim 1, wherein constructing the first LACPDU message carrying the first encryption address comprises:
filling the first encryption address into an actor_System field in the first LACPDU message;
encrypting an actor_System field in the first LACPDU message based on a second encryption algorithm and a second encryption key to obtain an encrypted character string;
and constructing the first LACPDU message based on the encryption character string.
3. The method of claim 2, wherein constructing the first LACPDU message based on the ciphering string comprises:
adjusting the encrypted string to a first byte length;
constructing the first LACPDU message based on the encrypted character string with the byte length adjusted; or alternatively
The constructing the first LACPDU message based on the encrypted string includes:
constructing the first LACPDU message based on the encryption character string and a target field of filling identification information; the identification information characterizes information carried by an actor_System field in the first LACPDU message to be obtained after decryption.
4. A security control method, applied to a server in a network system, the network system further comprising a first switch and a second switch, the server being communicatively connected to the first switch and the second switch, respectively, the method comprising:
When a first LACPDU message and a second LACPDU message are received through different ports of the same aggregation link, performing aggregation verification on the first LACPDU message and the second LACPDU message; the first LACPDU message is a message sent by the first switch, and an actor_system field in the first LACPDU message carries a first encryption address, wherein the first encryption address is obtained by encrypting a System MAC address by the first switch based on a first encryption algorithm and a first encryption key; the second LACPDU message is a message sent by the second switch; the actor_System field in the second LACPDU message carries a second encryption address, wherein the second encryption address is obtained by encrypting the System MAC address by the second switch based on the first encryption algorithm and the first encryption key;
and when the information carried by the actor_system field in the first LACPDU message is consistent with the information carried by the actor_system field in the second LACPDU message, determining that the first switch and the second switch are successfully aggregated with the server.
5. The method of claim 4, wherein prior to the aggregate verification of the first LACPDU message and the second LACPDU message, the method further comprises:
decrypting the encrypted character string in the first LACPDU message and the encrypted character string in the second LACPDU message based on a second encryption algorithm and a second encryption key; the encrypted character string in the first LACPDU message is obtained by the first switch filling the first encryption address into the actor_System field of the first LACPDU message and encrypting that actor_System field based on the second encryption algorithm and the second encryption key; the first encryption address is obtained by the first switch encrypting the system MAC address based on a first encryption algorithm and a first encryption key; the encrypted character string in the second LACPDU message is obtained by the second switch filling the second encryption address into the actor_System field of the second LACPDU message and encrypting that actor_System field based on the second encryption algorithm and the second encryption key; the second encryption address is obtained by the second switch encrypting the system MAC address based on the first encryption algorithm and the first encryption key;
When the information carried by the actor_system field in the first LACPDU packet is consistent with the information carried by the actor_system field in the second LACPDU packet, determining that the aggregation of the first switch and the second switch with the server is successful includes:
and when the information carried by the actor_System field obtained after the decryption of the first LACPDU message is consistent with the information carried by the actor_System field obtained after the decryption of the second LACPDU message, determining that the first switch and the second switch are successfully aggregated with the server.
6. The method of claim 5, wherein prior to decrypting the encrypted string in the first LACPDU message and the encrypted string in the second LACPDU message based on the second encryption algorithm and a second encryption key, the method further comprises:
restoring the encrypted character string in the first LACPDU message and the encrypted character string in the second LACPDU message to a second byte length;
the decrypting the encrypted string in the first LACPDU packet and the encrypted string in the second LACPDU packet based on the second encryption algorithm and the second encryption key includes:
Decrypting the encrypted character string restored to the second byte length in the first LACPDU message and the encrypted character string restored to the second byte length in the second LACPDU message based on the second encryption algorithm and the second encryption key; or alternatively
Before the encrypting character string in the first LACPDU message and the encrypting character string in the second LACPDU message are decrypted based on the second encrypting algorithm and the second encrypting key, the method further comprises:
determining that a target field in the first LACPDU message contains identification information and a target field in the second LACPDU message contains the identification information; the identification information characterizes information carried by the actor_System field to be obtained after decryption.
7. A security control apparatus for use in a first switch of a network system, the network system further comprising a second switch and a server communicatively connected to the first switch and the second switch respectively, the apparatus comprising:
an encryption module, configured to encrypt a system MAC address preconfigured on the first switch based on a first encryption algorithm and a first encryption key to obtain a first encrypted address;
a construction module, configured to construct a first LACPDU message carrying the first encrypted address; and
a sending module, configured to send the first LACPDU message to the server, so that the server, upon receiving the first LACPDU message and a second LACPDU message carrying a second encrypted address sent by the second switch on different ports of the same aggregation link, performs aggregation verification on the first LACPDU message and the second LACPDU message, and determines that the first switch and the second switch are successfully aggregated with the server when the information carried by the actor_System field in the first LACPDU message is consistent with the information carried by the actor_System field in the second LACPDU message.
8. A security control apparatus for use in a server of a network system, the network system further comprising a first switch and a second switch, the server being communicatively connected to the first switch and the second switch respectively, the apparatus comprising:
a verification module, configured to perform aggregation verification on a first LACPDU message and a second LACPDU message when the first LACPDU message and the second LACPDU message are received on different ports of the same aggregation link, wherein the first LACPDU message is sent by the first switch and its actor_System field carries a first encrypted address obtained by the first switch by encrypting a system MAC address based on a first encryption algorithm and a first encryption key, and the second LACPDU message is sent by the second switch and its actor_System field carries a second encrypted address obtained by the second switch by encrypting the system MAC address based on the first encryption algorithm and the first encryption key; and configured to determine that the first switch and the second switch are successfully aggregated with the server when the information carried by the actor_System field in the first LACPDU message is consistent with the information carried by the actor_System field in the second LACPDU message.
9. A switch, comprising a processor and a memory, the processor being connected to the memory, wherein:
the memory is configured to store a program; and
the processor is configured to execute the program stored in the memory so as to perform the method of any one of claims 1 to 3.
10. A server, comprising a processor and a memory, the processor being connected to the memory, wherein:
the memory is configured to store a program; and
the processor is configured to execute the program stored in the memory so as to perform the method of any one of claims 4 to 6.
11. A network system, comprising a server, a first switch and a second switch, wherein:
the first switch is configured to encrypt a preconfigured system MAC address based on a first encryption algorithm and a first encryption key to obtain a first encrypted address, construct a first LACPDU message carrying the first encrypted address, and send the first LACPDU message to the server;
the second switch is configured to encrypt the system MAC address based on the first encryption algorithm and the first encryption key to obtain a second encrypted address, construct a second LACPDU message carrying the second encrypted address, and send the second LACPDU message to the server; and
the server is configured to perform aggregation verification on the first LACPDU message and the second LACPDU message when the first LACPDU message and the second LACPDU message are received on different ports of the same aggregation link, and to determine that the first switch and the second switch are successfully aggregated with the server when the information carried by the actor_System field in the first LACPDU message is consistent with the information carried by the actor_System field in the second LACPDU message.
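The following is an added worked example, not code from the patent or from Maipu Communication Technology; it models in Python the exchange described in claims 6, 8 and 11: two switches place an encrypted system MAC in the actor_System field of their LACPDUs, and the server, receiving both on different ports of one aggregation link, checks the identification marker, decrypts and compares. The claims name neither the encryption algorithm nor the byte lengths, so the example makes assumptions that are also marked in the code: the first and second encryption algorithm is a keyed XOR keystream derived from HMAC-SHA256 (a stand-in, not a recommendation; a deployment would use a real cipher); the encrypted address occupies the full 6-octet Actor_System field defined by IEEE 802.1AX, so the step of restoring the encrypted string to the "second byte length" reduces to extracting that field from the Actor Information TLV; and the identification information of claim 6 is written into the three reserved octets of the same TLV (the choice of target field is the example's own). The system MAC and the key are constructed test values, and only the LACP subtype/version bytes and the Actor Information TLV of an LACPDU are built, since those are what the claims operate on.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple, Optional

# IEEE 802.1AX Actor Information TLV of an LACPDU (20 octets): TLV type, TLV
# length, Actor_System_Priority, Actor_System (6-octet MAC), Actor_Key,
# Actor_Port_Priority, Actor_Port, Actor_State, three reserved octets.
ACTOR_TLV = struct.Struct(">BBH6sHHHB3s")
ACTOR_TLV_TYPE = 0x01
ACTOR_TLV_LEN = 20
LACP_PREFIX = b"\x01\x01"  # Slow Protocols subtype 1 (LACP), LACP version 1
# Assumption: the claims' "identification information" sits in the reserved
# octets of the Actor TLV and tells the server that Actor_System is encrypted.
ENC_MARKER = b"ENC"
# Constructed test values (assumptions): the system MAC preconfigured on both
# switches and the symmetric key the switches share with the server.
SYSTEM_MAC = bytes.fromhex("0200005a5a01")
ENC_KEY = b"constructed-demo-key"

class ActorInfo(NamedTuple):
    system_priority: int
    system: bytes
    key: int
    port_priority: int
    port: int
    state: int
    reserved: bytes

def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the unnamed encryption algorithm (assumption): derive
    `length` keystream bytes from HMAC-SHA256(key, counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_address(mac: bytes, key: bytes) -> bytes:
    """First encryption: 6-octet system MAC -> 6-octet encrypted address, so
    the result fits the Actor_System field without changing its length."""
    if len(mac) != 6:
        raise ValueError("system MAC must be 6 octets")
    return bytes(m ^ k for m, k in zip(mac, keystream(key, 6)))

decrypt_address = encrypt_address  # XOR with the same keystream is its own inverse

def build_lacpdu(system_mac: bytes, port: int, enc_key: Optional[bytes],
                 agg_key: int = 1) -> bytes:
    """Switch side: LACP prefix plus Actor TLV. With enc_key, Actor_System
    carries the encrypted address and the reserved octets carry ENC_MARKER;
    with enc_key=None the MAC is sent in the clear, as ordinary LACP does."""
    if enc_key is not None:
        system, reserved = encrypt_address(system_mac, enc_key), ENC_MARKER
    else:
        system, reserved = system_mac, b"\x00\x00\x00"
    state = 0x3D  # Activity | Aggregation | Synchronization | Collecting | Distributing
    tlv = ACTOR_TLV.pack(ACTOR_TLV_TYPE, ACTOR_TLV_LEN, 32768, system,
                         agg_key, 32768, port, state, reserved)
    return LACP_PREFIX + tlv

def parse_actor_info(lacpdu: bytes) -> ActorInfo:
    """Server side: pull the Actor TLV apart, which restores the encrypted
    string to the length the decryption step expects (6 octets here)."""
    if lacpdu[:2] != LACP_PREFIX:
        raise ValueError("not an LACP version 1 PDU")
    tlv_type, tlv_len, *fields = ACTOR_TLV.unpack_from(lacpdu, 2)
    if tlv_type != ACTOR_TLV_TYPE or tlv_len != ACTOR_TLV_LEN:
        raise ValueError("malformed Actor Information TLV")
    return ActorInfo(*fields)

def aggregation_verified(pdu_a: bytes, rx_port_a: int,
                         pdu_b: bytes, rx_port_b: int, dec_key: bytes) -> bool:
    """Server side (claims 6 and 8): the two LACPDUs must arrive on different
    ports of one aggregation link, both must carry the identification marker,
    and the decrypted Actor_System values must be consistent."""
    if rx_port_a == rx_port_b:
        return False
    a, b = parse_actor_info(pdu_a), parse_actor_info(pdu_b)
    if a.reserved != ENC_MARKER or b.reserved != ENC_MARKER:
        return False  # cleartext or foreign PDU: neither decrypted nor aggregated
    return decrypt_address(a.system, dec_key) == decrypt_address(b.system, dec_key)

def demo() -> dict:
    """The claims' scenarios on the constructed inputs above."""
    pdu_sw1 = build_lacpdu(SYSTEM_MAC, 1, ENC_KEY)
    pdu_sw2 = build_lacpdu(SYSTEM_MAC, 2, ENC_KEY)
    pdu_rogue = build_lacpdu(SYSTEM_MAC, 3, b"guessed-key")  # right MAC, wrong key
    pdu_plain = build_lacpdu(SYSTEM_MAC, 3, None)  # right MAC, sent in the clear
    return {
        "two_switches_shared_key": aggregation_verified(pdu_sw1, 1, pdu_sw2, 2, ENC_KEY),
        "third_device_wrong_key": aggregation_verified(pdu_sw1, 1, pdu_rogue, 3, ENC_KEY),
        "cleartext_mac": aggregation_verified(pdu_sw1, 1, pdu_plain, 3, ENC_KEY),
        "same_server_port": aggregation_verified(pdu_sw1, 1, pdu_sw2, 1, ENC_KEY),
    }

if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'aggregated' if ok else 'rejected'}")
```

Running the block reports four verdicts: two switches that share the key and the preconfigured system MAC are aggregated; a third device that knows the MAC but not the key, or one that sends the MAC in the clear as standard LACP does, is rejected; and two LACPDUs arriving on the same server port are not treated as an aggregation. Because the stand-in cipher is deterministic, comparing the encrypted actor_System fields directly (the consistency check of claims 8 and 11) gives the same answer as comparing the decrypted values (claims 5 and 6) for correctly keyed peers. In this model the check establishes that both senders hold the key and nothing more, so the distribution of that key to the switches is the part of the design to protect.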
CN202111388850.XA 2021-11-22 2021-11-22 Security control method and device, switch, server and network system Active CN114070636B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111388850.XA CN114070636B (en) 2021-11-22 2021-11-22 Security control method and device, switch, server and network system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111388850.XA CN114070636B (en) 2021-11-22 2021-11-22 Security control method and device, switch, server and network system

Publications (2)

Publication Number Publication Date
CN114070636A CN114070636A (en) 2022-02-18
CN114070636B true CN114070636B (en) 2023-08-11

Family

ID=80278970

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111388850.XA Active CN114070636B (en) 2021-11-22 2021-11-22 Security control method and device, switch, server and network system

Country Status (1)

Country Link
CN (1) CN114070636B (en)

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6084877A (en) * 1997-12-18 2000-07-04 Advanced Micro Devices, Inc. Network switch port configured for generating an index key for a network switch routing table using a programmable hash function
CA2277265A1 (en) * 1999-07-09 2001-01-09 Pmc-Sierra Inc. Link aggregation in ethernet frame switches
EP1989824A1 (en) * 2006-02-27 2008-11-12 Telefonaktiebolaget Lm Ericsson Lawful access; stored data handover enhanced architecture
CN101610206A (en) * 2008-06-17 2009-12-23 华为技术有限公司 Binding/unbinding processing method, system and device
CN101984606A (en) * 2010-11-15 2011-03-09 中兴通讯股份有限公司 Device-level redundancy protection method and system based on LACP
CN104283724A (en) * 2014-10-31 2015-01-14 大唐移动通信设备有限公司 Method and device for managing state of aggregation group
CN104488238A (en) * 2012-07-23 2015-04-01 思科技术公司 System and method for cluster link aggregation control in a network environment
CN104639464A (en) * 2015-01-09 2015-05-20 盛科网络(苏州)有限公司 System and method for realizing cross-switch link aggregation on OpenFlow switches
CN104735176A (en) * 2015-03-27 2015-06-24 华为技术有限公司 PXE booting method and device and server single board
CN105308912A (en) * 2013-04-23 2016-02-03 瑞典爱立信有限公司 A method and system for synchronizing with a neighbor in a distributed resilient network interconnect (DRNI) link aggregation group
CN108512739A (en) * 2017-02-27 2018-09-07 丛林网络公司 Multicast state between multi-homed routers in an Ethernet Virtual Private Network
CN108718275A (en) * 2018-04-18 2018-10-30 新华三技术有限公司 Message forwarding method and device
CN109040124A (en) * 2018-09-17 2018-12-18 盛科网络(苏州)有限公司 Method and apparatus for processing messages for a switch
CN109495383A (en) * 2018-12-13 2019-03-19 迈普通信技术股份有限公司 Data processing method, device, communication system and network device
CN110839037A (en) * 2019-11-19 2020-02-25 武汉思普崚技术有限公司 Attack scene mining method and system for SDN network
CN111800525A (en) * 2020-09-07 2020-10-20 广东睿江云计算股份有限公司 Gateway redundancy method and system
CN112787913A (en) * 2021-01-26 2021-05-11 北京百度网讯科技有限公司 Intelligent network card assembly, physical machine, cloud service system and message sending method
CN112954064A (en) * 2021-02-24 2021-06-11 紫光云技术有限公司 Method for realizing high-availability networking under cloud network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2371706B (en) * 2001-01-30 2003-04-23 3Com Corp Link aggregation control for network devices
US8996652B2 (en) * 2012-06-15 2015-03-31 Citrix Systems, Inc. Systems and methods for cluster LAG
US11362935B2 (en) * 2018-01-19 2022-06-14 Super Micro Computer, Inc. Automatic multi-chassis link aggregation configuration with link layer discovery

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research and Implementation of Ethernet Link Aggregation Technology" (以太网链路聚合技术的研究与实现); Wang Xiaomei (王小玫); China Master's Theses Full-text Database, Information Science and Technology Series; full text *

Also Published As

Publication number Publication date
CN114070636A (en) 2022-02-18

Similar Documents

Publication Publication Date Title
CN110024324B (en) Safety transmission device for network communication service
US10298595B2 (en) Methods and apparatus for security over fibre channel
US9106617B2 (en) Methods, systems and computer program products for authenticating computer processing devices and transferring both encrypted and unencrypted data therebetween
US8510549B2 (en) Transmission of packet data over a network with security protocol
EP2290895B1 (en) Method, system and device for negotiating security association (sa) in ipv6 network
US20150156025A1 (en) Message sending and receiving method, apparatus, and system
CN111447276B (en) Encryption continuous transmission method with key agreement function
JP6214088B2 (en) Network control system and method
US11552994B2 (en) Methods and nodes for handling LLDP messages in a communication network
KR101448866B1 (en) Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof
CN110943996B (en) Management method, device and system for business encryption and decryption
CN114070636B (en) Security control method and device, switch, server and network system
Unurkhaan et al. Secure SCTP–a versatile secure transport protocol
CN114679265B (en) Flow acquisition method, device, electronic equipment and storage medium
CN111147420A (en) Data disaster tolerance method, device, system, equipment and computer readable storage medium
CN104618211A (en) Tunnel based message processing method and headquarters gateway device
CN110995730B (en) Data transmission method and device, proxy server and proxy server cluster
CN115567195A (en) Secure communication method, client, server, terminal and network side equipment
CN113973000A (en) Method and device for processing pre-shared key PSK
WO2019200690A1 (en) Data protection method, server and computer readable storage medium
CN111212018A (en) Multi-link transmission method and system based on link selection and fragmentation recombination
CN115314262B (en) Design method of trusted network card and networking method thereof
WO2024027602A1 (en) Global quantum security device, data sending method and data receiving method
WO2023175705A1 (en) Communication control device, communication device, communication control system, communication control method, and program
CN117857120A (en) Method and device for realizing network traffic safety transmission on cloud

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant