CN115189913A - Data message transmission method and device - Google Patents


Info

Publication number
CN115189913A
Authority
CN
China
Prior art keywords
application
information
password
password information
data message
Prior art date
Legal status
Granted
Application number
CN202210638671.5A
Other languages
Chinese (zh)
Other versions
CN115189913B (en)
Inventor
张婉桥
黄琳
简云定
曹鸿健
伏伟
Current Assignee
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202210638671.5A
Publication of CN115189913A
Application granted
Publication of CN115189913B
Active legal status
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/12 Applying verification of the received information
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application is a divisional application with application number 202011506176.6. The embodiment of the specification provides a data message transmission method and device. In the method, an application client determines password information corresponding to network requirements according to the network requirements of application services, carries the password information in a message header of an IPv6 data message and sends the password information to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network requirement information, and then an application sensing node forwards the IPv6 data message by using the network requirement corresponding to the password information; the password information is distributed to the application client side by the operator service side according to the network requirements of the application and is synchronized to the application sensing node, and the password information is generated after hash processing is carried out on the network requirement information of the application or is selected from unoccupied password information in a password pool.

Description

Data message transmission method and device
This application is a divisional application; the application number of the original application is 202011506176.6, the application date is 2020-12-18, and the title of the invention is 'Data message transmission method and device'.
Technical Field
One or more embodiments of the present disclosure relate to the field of network communication technologies, and in particular, to a method and an apparatus for transmitting a packet.
Background
With the rapid development of networks, the optimized configuration of network resources has become an urgent need in network management, and APN6 (Application-aware IPv6 Network, an IPv6-based application-traffic-aware network architecture) is intended to solve this pain point.
In an APN6 deployment, the network's service levels can be divided and different routing strategies adopted for different service levels, so that network resources are optimized as a whole. However, if the application information reflecting the network requirement is carried in the header of an IPv6 (Internet Protocol Version 6) data packet sent by the application client, that application information may relate to the privacy of the user, and so faces the threat of revealing the user's privacy while in transit across the network.
Disclosure of Invention
One or more embodiments of the present specification describe a method and an apparatus for transmitting a data packet, so as to improve the transmission security of an IPv6 data packet in an APN6.
According to a first aspect, a data message transmission method is provided, which is applied to an application sensing node, wherein the application sensing node stores password information and corresponding network demand information, which are synchronously provided to the application sensing node by an operator server; the method comprises the following steps:
an application sensing node receives an IPv6 data message from an application client; the message header of the IPv6 data message does not carry application information indicating network requirement information;
acquiring password information carried in a message header of the IPv6 data message;
forwarding the IPv6 data message by using the network requirement corresponding to the password information;
the password information is distributed to the application client side by the operator service side according to the network requirements of the application, and is generated after carrying out hash processing on the network requirement information of the application or is selected from unoccupied password information in a password pool.
Before forwarding the IPv6 data packet by using the network requirement corresponding to the password information, the method further includes:
acquiring a cyclic redundancy check code carried in the IPv6 data message;
and utilizing a cyclic redundancy check code to carry out integrity check on the IPv6 data message, and if the check is passed, continuing to execute the network requirement corresponding to the password information to forward the IPv6 data message.
The method further comprises the following steps:
if the password information exceeds the validity period, deleting the corresponding relation between the password information and the network demand information;
or,
receiving the corresponding relation between the deleted password information and the network requirement information synchronized by the operator service end, and deleting the corresponding relation between the deleted password information and the network requirement information from the application sensing node.
Wherein, the forwarding process of the IPv6 data packet includes:
forwarding the IPv6 data message by adopting a routing strategy corresponding to the network requirement;
and/or,
and after the password information is removed from the IPv6 data message, forwarding the IPv6 data message with the password information removed.
According to a second aspect, a method for transmitting a data packet is provided, which is applied to an application client, and includes:
the application client determines password information corresponding to the network requirement according to the network requirement of the application service;
carrying the password information in a message header of an IPv6 data message;
sending the IPv6 data message to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network requirement information;
the password information is pre-distributed by the operator service terminal according to the network requirement, and is generated after carrying out hash processing on the applied network requirement information, or is selected from unoccupied password information in a password pool.
Before sending the IPv6 data packet to the application aware node, the method further includes:
generating a cyclic redundancy check code of the IPv6 data message;
and carrying a cyclic redundancy check code in the IPv6 data message.
According to a third aspect, a method for transmitting a data packet is provided, which is applied to an operator service end, and includes:
the operator service side distributes password information to the application client side according to the network demand information registered by the application; the password information is generated after Hash processing is carried out on the applied network requirement information, or is selected from unoccupied password information in a password pool;
and synchronizing the password information and the corresponding network requirement information to the application sensing node.
Further comprising: and if the password information reaches the preset effective time, the operator service terminal deletes the corresponding relation between the password information and the network demand information and synchronizes the password information and the network demand information to the application sensing node.
According to a fourth aspect, a data packet transmission apparatus is provided, where the apparatus is disposed in an application-aware node, and the application-aware node stores password information and corresponding network requirement information that an operator service end synchronizes to the application-aware node; the device includes:
the first receiving unit is configured to receive the IPv6 data message from the application client; the message header of the IPv6 data message does not carry application information indicating network requirement information;
the password acquisition unit is configured to acquire password information carried in a message header of the IPv6 data message;
the forwarding processing unit is configured to forward the IPv6 data message by using the network requirement corresponding to the password information;
the password information is distributed to the application client side by the operator service side according to the network requirements of the application, and is generated after carrying out hash processing on the network requirement information of the application, or is selected from unoccupied password information in a password pool.
According to a fifth aspect, there is provided a device for transmitting a data packet, where the device is disposed at an application client, and the device includes:
the password determining unit is configured to determine password information corresponding to the network requirement according to the network requirement of the application service;
the password carrying unit is configured to carry the password information in a message header of the IPv6 data message;
the message sending unit is configured to send the IPv6 data message to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network requirement information;
the password information is pre-distributed by the operator service terminal according to the network requirement, and is generated after carrying out hash processing on the applied network requirement information, or is selected from unoccupied password information in a password pool.
According to a sixth aspect, there is provided a data packet transmission apparatus, disposed at an operator service end, the apparatus including:
the password distribution unit is configured to distribute password information for the application client according to the network demand information registered by the application; the password information is generated after Hash processing is carried out on the applied network requirement information, or is selected from unoccupied password information in a password pool;
and the information synchronization unit is configured to synchronize the password information and the corresponding network requirement information to the application-aware node.
According to a seventh aspect, there is provided a computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the method of the first aspect.
According to the method and the device provided by the embodiment of the specification, the operator service side distributes corresponding password information to the application client side according to the network requirements of the application and synchronizes the password information to the application sensing node, and the application client side can transmit the network requirements to the application sensing node only by carrying the password information in the message header of the IPv6 data message, so that the privacy information of a user is ensured not to be leaked, and the transmission safety of the IPv6 data message in the APN6 is improved.
Drawings
In order to more clearly illustrate the embodiments or technical solutions of the present invention, the drawings used in the embodiments or technical solutions in the prior art are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 illustrates a system architecture diagram to which the present description relates and is applicable;
fig. 2 is a flowchart illustrating a method performed by a service provider according to an embodiment of the present disclosure;
FIG. 3 is a flow chart illustrating a method performed by an application client according to an embodiment of the present disclosure;
FIG. 4 is a flow chart of a method performed by an application-aware node provided by an embodiment of the present specification;
FIG. 5 illustrates a detailed interaction diagram between network nodes provided by embodiments of the present description;
FIG. 6 shows a schematic block diagram of a transmission apparatus of data packets according to one embodiment;
FIG. 7 shows a schematic block diagram of a transmission apparatus of data packets according to one embodiment;
fig. 8 shows a schematic block diagram of a transmission device for data packets according to an embodiment.
Detailed Description
The scheme provided by the specification is described in the following with reference to the attached drawings.
To facilitate an understanding of the methods provided herein, the system architecture referred to and applicable to the present specification is described first. As shown in fig. 1, the system architecture mainly includes three network nodes: an application client, an application-aware node and an operator server.
The application client is installed and runs on a terminal device. The terminal device may include, but is not limited to, an intelligent mobile terminal, an intelligent home device, a network device, a wearable device, an intelligent medical device, a PC (personal computer), and the like. The intelligent mobile device may include a cell phone, a tablet computer, a notebook computer, a PDA (personal digital assistant), a connected car, etc. The intelligent home device may include an intelligent television, an intelligent air conditioner, an intelligent water heater, an intelligent refrigerator, an intelligent air purifier and the like, and may further include an intelligent door lock, an intelligent socket, an intelligent electric lamp, an intelligent camera and the like. The network devices may include switches, wireless APs, servers, and the like. Wearable devices may include smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (i.e., devices that support both virtual reality and augmented reality), and so forth. The intelligent medical device may include, for example, an intelligent thermometer, an intelligent blood pressure meter, an intelligent blood glucose meter, and the like.
The application client may also be various types of applications including, but not limited to, applications such as payment-type applications, multimedia play-type applications, map-type applications, text editing-type applications, financial-type applications, browser-type applications, instant messaging-type applications, and the like.
The operator server refers to the server equipment of a provider of network services, and may be a single server or a server group consisting of a plurality of servers. It is responsible for providing network services to applications, such as security authentication and network service level management.
The application-aware node is located at the edge of the operator network, at the gateway position. It is responsible for choosing a suitable routing strategy for an IPv6 data packet according to the information indicating the network requirement carried in the IPv6 data packet sent by the application client, and for forwarding the packet to the corresponding application server.
It should be understood that the number of application clients, application aware nodes, operator servers in fig. 1 is merely illustrative. Any number may be selected and laid out as desired for the implementation.
Fig. 2 is a flowchart of a method performed by an operator service end provided in an embodiment of the present specification, and as shown in fig. 2, the method may include the following steps:
step 201, the operator service terminal distributes password information to the application client according to the network requirement information registered by the application.
In this specification, the application may provide the network requirement information to the operator service end while signing a contract with, or registering with, the operator service end. The network requirement information may be expressed as the content or type of the application service, such as video, audio, web page, instant messaging, etc. It may also be expressed directly as the required network service level.
The operator service end can distribute password information for the application client according to the network demand information of the application. As a preferred embodiment, the operator service end may hash the network requirement information of the application to generate the password information.
Other ways than this preferred embodiment may also be used, for example the operator service end maintaining a password pool. When password information is distributed to an application client, one currently unoccupied password is selected from the pool as the password information distributed to that application client, and the correspondence between the password information and the network requirement information registered by the application client is maintained. In this way, password information allocated to a client can be aged and recycled: password information no longer used by the application client, or password information past its validity period, is returned to the password pool.
The mode provided by the specification can be applied to registering the network requirement information in the contract user process, namely, the application and the operator service end signing contract. In this case, the password information assigned to the application may be pre-set in the installation package of the application client. After the application client is downloaded by the terminal equipment, installed and operated, the password information distributed by the operator server can be obtained from the installation package. Password information can also be sent to the application client by the operator service side.
The manner provided by the present specification is more applicable to non-contract, temporarily registered users. That is, the application does not sign a contract with the operator service end but only performs a temporary registration, providing the network requirement information during registration. In this case, the operator service end may send the assigned password information to the application client of the application, and the password information is usually provisional: the password assigned to the application client has a validity period beyond which the password information is invalidated, and the operator service end deletes the correspondence it maintains between the password information and the network requirement information.
In addition, the operator service side can distribute a plurality of password information for the same application. That is, when the application has more than one network requirement, the operator service end can respectively allocate different password information for different network requirements.
And step 203, synchronizing the password information and the corresponding network requirement information to the application sensing node.
Therefore, the application sensing node maintains the corresponding relation between the password information and the network demand information, and can determine the corresponding network demand information when receiving the password information from the application client.
In addition, it has been mentioned above that the password information may have a validity period. If the password information exceeds the validity period, the application sensing node can delete the corresponding relation between the password information and the network information which are maintained by the application sensing node.
Or the operator service end deletes the corresponding relation between the password information and the network requirement information after the password information reaches the preset effective period, synchronizes the deleted information to the application sensing node, and synchronously deletes the information by the application sensing node.
As a preferred embodiment, when synchronizing the password information and the corresponding network requirement information to the application-aware node, the operator service terminal may also synchronize the application identification information to the application-aware node, so that the application-aware node can also maintain the correspondence between the application identification information and the password information, thereby knowing the legitimate application of the password information.
Furthermore, the operator service side can also distribute a shared key for the registered application client side and synchronize the shared key to the application sensing node.
As one of the embodiments, all registered applications may use the same shared key, in which case the application-aware node only needs to record the shared key.
As a preferred embodiment, however, the operator service may assign different shared keys for different applications. In this case, the operator service end may maintain a correspondence between the shared secret key and the application identification information, and synchronize the correspondence to the application aware node.
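The operator-side procedure above (steps 201 and 203, also summarized in the third aspect of the disclosure) as an added Python example; this is not the patent's or Alipay's code. It assumes an 8-byte password, a per-application 32-byte shared key and an in-memory table standing in for the application-aware node; the class and method names are mine. It covers both embodiments, the hash of the network requirement information and the password pool with a validity period, together with the synchronization of additions and deletions to the aware node.

```python
import hashlib
import secrets
import time

# Added example, not the patent's code. Names and sizes below are assumptions.
PW_LEN = 8            # bytes of password information carried in the IPv6 extension header


class AwareNodeTable:
    """The application-aware node's synchronized copy of the operator's tables."""

    def __init__(self):
        self.pw_to_req = {}     # password -> network requirement information
        self.pw_to_apps = {}    # password -> application ids entitled to use it
        self.app_to_key = {}    # application id -> shared key for the authentication code

    def sync_add(self, pw, req, app_id, key):
        self.pw_to_req[pw] = req
        self.pw_to_apps.setdefault(pw, set()).add(app_id)
        self.app_to_key[app_id] = key

    def sync_delete(self, pw):
        self.pw_to_req.pop(pw, None)
        self.pw_to_apps.pop(pw, None)


class OperatorService:
    def __init__(self, node, pool_size=4, now=None):
        self.node = node
        self.now = now or time.time                 # injectable clock so aging is testable
        self.pool = [secrets.token_bytes(PW_LEN) for _ in range(pool_size)]  # unoccupied passwords
        self.pw_to_req = {}
        self.pw_to_apps = {}
        self.expiry = {}        # password -> expiry time, kept only for provisional (pool) passwords
        self.app_to_key = {}

    def register(self, app_id, req, contract=True, validity=3600):
        """Step 201: distribute password information for one network requirement of one application."""
        if contract:
            # Preferred embodiment: hash of the network requirement information; the same
            # requirement therefore yields the same password for every application.
            pw = hashlib.sha256(req.encode()).digest()[:PW_LEN]
        else:
            # Pool embodiment for temporary registration: an unoccupied, provisional password.
            if not self.pool:
                raise RuntimeError("password pool exhausted")
            pw = self.pool.pop()
            self.expiry[pw] = self.now() + validity
        # Different applications get different shared keys (the preferred embodiment above).
        key = self.app_to_key.setdefault(app_id, secrets.token_bytes(32))
        self.pw_to_req[pw] = req
        self.pw_to_apps.setdefault(pw, set()).add(app_id)
        self.node.sync_add(pw, req, app_id, key)    # step 203: synchronize to the aware node
        return pw

    def age_out(self):
        """Delete expired correspondences, recycle the passwords and sync the deletions."""
        expired = [pw for pw, t in self.expiry.items() if self.now() >= t]
        for pw in expired:
            del self.expiry[pw]
            del self.pw_to_req[pw]
            del self.pw_to_apps[pw]
            self.pool.append(pw)
            self.node.sync_delete(pw)
        return expired


if __name__ == "__main__":
    node = AwareNodeTable()
    op = OperatorService(node, pool_size=2)
    print("contract password:", op.register(1, "video").hex())
    print("provisional password:", op.register(2, "web", contract=False, validity=60).hex())
    print("aware node knows", len(node.pw_to_req), "passwords")
```

With the hash embodiment the password is a deterministic function of a small set of requirement values, so anyone who knows the candidate requirements can recompute the mapping; the pool embodiment is the one that yields values unlinkable to the requirement, at the cost of the state the operator and the aware node must keep synchronized.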
Fig. 3 is a flowchart of a method performed by an application client according to an embodiment of the present disclosure, and as shown in fig. 3, the method may include the following steps:
step 301, the application client determines password information corresponding to the network requirement according to the network requirement of the application service.
The application client acquires in advance, from the operator server, the password information the operator server distributed for the application client's network requirement. The password information may be read from the installation package by the application client, or may be sent by the operator server. When the application client provides the application service, it determines the network requirement of that service and thereby the password information corresponding to the network requirement.
If the application client only registers one network requirement with the operator service end, only password information corresponding to the network requirement is provided. If the application client registers more than one network requirement with the operator server, different password information is provided for different network requirements.
And 303, carrying the password information in a message header of the IPv6 data message.
It can be seen that this specification uses a completely different concept from the prior art. The header of the IPv6 data packet no longer carries application information indicating the network requirement information; that application information is replaced by password information. Because the password information does not relate to user privacy, leaking the password information cannot lead to the leakage of user privacy, so the transmission security of the IPv6 data packet is improved to a great extent.
The IPv6 data packet may carry this password information in an extension header. The extension header of the IPv6 data packet may be an HBH (Hop-by-Hop Options Header), a DOH (Destination Options Header), an SRH (Segment Routing Header), or the like, so the password information may be carried in at least one of these headers.
And 305, sending the IPv6 data message carrying the password information to an application sensing node.
The destination of the IPv6 data packet sent by the application client is the application server side, that is, the destination address is the address of the application server. However, because the application-aware node is an edge node of the operator network located at the gateway position, the IPv6 data packet is forwarded to the application server via the application-aware node during network transmission.
Further, in order to prevent the password information from being tampered or stolen by other applications, the application client may calculate an authentication code for the password information by using a shared key acquired in advance from the operator server, and carry the authentication code in the IPv6 data packet.
As one of the embodiments, the manner of calculating the authentication code for the password information by using the shared key may include, but is not limited to, SHA (Secure Hash Algorithm) -1, SHA-2, SHA-3, MD (Message-Digest Algorithm) 5, and the like.
The authentication code may also be carried in a header of the IPv6 data packet, for example, the authentication code may be carried in the same header as the password information and located after the password information.
Furthermore, the application client may also carry verification information in the IPv6 data packet, so that the application-aware node can verify the IPv6 data packet by using the verification information.
As one implementation, the verification information may be a CRC (Cyclic Redundancy Check) code. Namely, the application client generates a CRC code of the IPv6 data message and carries the CRC code in the IPv6 data message, so that the application sensing node can perform integrity check on the IPv6 data message by using the CRC code. The CRC code generation can be implemented using the currently well-established techniques, and will not be described in detail here.
As another implementation, the verification information may also be a timestamp. Namely, the application client can carry the current timestamp in the IPv6 data message and then send the IPv6 data message, so that the application sensing node can detect replay attack on the IPv6 data message by using the timestamp.
Fig. 4 is a flowchart of a method performed by an application-aware node according to an embodiment of the present disclosure, and as shown in fig. 4, the method may include the following steps:
step 401, an application sensing node receives an IPv6 data packet from an application client.
Step 403, obtaining password information carried in a header of the IPv6 data packet.
The application sensing node can acquire password information from HBH, DOH or SRH of the IPv6 data message.
And 405, forwarding the IPv6 data message by using the network requirement corresponding to the password information.
The operator server synchronizes password information and corresponding network demand information to the application sensing node in advance, and the application sensing node stores and maintains the corresponding relation between the password information and the network demand information. After the IPv6 data message is received, password information is obtained from the message header of the IPv6 data message, and the network requirement corresponding to the password information can be determined according to the maintained corresponding relation. And then forwarding the IPv6 data message according to a routing strategy corresponding to the network requirement.
Since the correspondence between the password information and the network requirements is generated at the operator service end, it is in effect the operator service end that determines which routing policy a registered application is given for its network requirement.
For example, applications such as video and instant messaging place high real-time requirements on the network, so the network requirement associated with the password generated when such an application registers is high. The application-aware node can then forward the IPv6 data packet with a better routing policy, so that, for example, the packet is transmitted via network nodes with higher bandwidth and higher processing capability.
For example, for a web browsing application, whose network requirement is lower than that of a video service, the application-aware node may use a lower-level routing policy to forward the IPv6 data packet.
With this routing strategy, network resources can be used as efficiently as possible while the quality of service the user obtains is still guaranteed.
As a preferred implementation, as already mentioned in the embodiment shown in fig. 3, the IPv6 data packet may further carry an authentication code. In this case, in step 403 the application sensing node may further obtain the authentication code carried in the packet header of the IPv6 data packet, calculate an authentication code over the password information obtained in step 403 using the shared key, and compare the calculated authentication code with the obtained one; if the two are consistent, it continues with step 405, otherwise the password information may have been attacked and tampered with, and the IPv6 data packet can be discarded.
As one implementation manner, the application-aware node obtains the shared key and the application identification information from the operator server in advance, so that the correspondence between shared keys and application identification information is maintained in the application-aware node. After receiving the IPv6 data packet from the application client, the application sensing node may obtain the application identification information from the IPv6 data packet, that is, identify the application the packet originates from, and then determine the shared key corresponding to that application identification information.
In addition to the above implementation, a unified shared key may be used for all applications registered with the operator, in which case the application-aware node obtains that unified shared key.
As another preferred embodiment, the application-aware node obtains the correspondence between the password information and the application identification information from the operator service side in advance. Before step 405, the application identification information corresponding to the password information carried in the header of the IPv6 data packet may be determined according to this correspondence, and it is judged whether the determined application identification information is consistent with the application identification information carried in the IPv6 data message (usually the IPv6 data message carries the identification information of the application it originates from). If so, step 405 is executed; if not, the password information may have been illegally used and the IPv6 data message can be discarded.
For example, assume the application-aware node has obtained from the operator server the correspondence between password 1 and application A, but receives an IPv6 data packet from application B carrying password 1. Password 1 may then have been illegally misused by application B, and the application-aware node may discard the IPv6 data packet rather than forward it.
As one implementation manner, since the password information is mainly used for the application-aware node to determine the routing policy, and has little meaning to the application server, the application-aware node may remove the password information from the IPv6 data packet before forwarding the IPv6 data packet, and then forward the IPv6 data packet with the password information removed. After the password information is removed, the extension bit occupied by the original password information may be filled with preset meaningless data such as data all set to 0.
To make the above description more intuitive, a specific interaction between network nodes is described below by way of the preferred embodiment illustrated in fig. 5. As shown in fig. 5, the process includes the following steps:
Step 501, the operator service terminal distributes password information and a shared secret key to the application client according to the network requirement information registered by the application.
Step 503, the operator service end provides the correspondence between the password information and the application identification information, and the correspondence between the shared key and the application identification information, to the application-aware node.
Step 505, the application client determines the password information corresponding to the network requirement of the application service, and carries the password information in the message header of the IPv6 data message.
Step 507, the application client calculates the authentication code over the password information using the shared secret key, and carries the authentication code in the message header of the IPv6 data message after the password information.
Step 509, the application client sends the IPv6 data packet to the application-aware node.
Step 511, the application sensing node acquires the password information carried in the message header of the IPv6 data message and verifies the authentication code carried in the IPv6 data message using the shared key and the password information: it generates an authentication code for the password information with the shared key and compares whether the generated authentication code is consistent with the acquired one. If so, it executes step 513; otherwise the IPv6 datagram is discarded (this case is not shown in the figure).
Step 513, the application sensing node determines the network requirement corresponding to the password information and forwards the IPv6 data packet using the routing policy corresponding to that network requirement.
Specific processing related to each step in the above-mentioned flow may refer to specific description in the embodiments shown in fig. 2 to fig. 4, which is not described herein again.
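The fig. 5 exchange modelled end to end, as an added example that is not code from the patent or from its assignee: the operator server hashes the registered network requirement into password information and syncs it to the node, the client carries application id, password and authentication code in one Hop-by-Hop option, and the node verifies the code, checks that the password belongs to the sending application, looks up the routing policy and zero-fills the password information before forwarding. The option type value, the 8-byte password and 16-byte truncated HMAC-SHA256, the policy names and the zeroed addresses are assumptions of this example.

```python
"""Constructed model of the fig. 5 exchange: operator server, application client, application-aware node."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

NH_HBH = 0           # IPv6 Next Header value of the Hop-by-Hop Options header
NH_UDP = 17          # Next Header of the transport header that follows HBH in this model
OPT_APN = 0x1E       # constructed option type for the password option (not an IANA-registered value)
APP_ID_LEN, PASSWORD_LEN, MAC_LEN = 4, 8, 16
# Routing policy per network requirement (assumed names; the page only says "better" and "lower-level").
POLICY_FOR_REQUIREMENT = {"low-latency": "premium-path", "best-effort": "default-path"}


def authentication_code(shared_key: bytes, password: bytes) -> bytes:
    # HMAC-SHA256 truncated to 16 bytes is the assumed construction; the page only lists hash families.
    return hmac.new(shared_key, password, hashlib.sha256).digest()[:MAC_LEN]


@dataclass
class OperatorServer:
    """Steps 501/503: register applications, allocate password information and keys, sync to nodes."""
    passwords: dict = field(default_factory=dict)   # (app_id, requirement) -> password bytes
    keys: dict = field(default_factory=dict)        # app_id -> shared key (per-application variant)

    def register(self, app_id: bytes, requirement: str, shared_key: bytes) -> bytes:
        # Page's preferred method: hash the registered network requirement information.
        # Mixing in the app id so that two applications never share a password is an assumption.
        password = hashlib.sha256(app_id + requirement.encode()).digest()[:PASSWORD_LEN]
        self.passwords[(app_id, requirement)] = password
        self.keys[app_id] = shared_key
        return password

    def sync(self, node: "ApplicationAwareNode") -> None:
        """Hand the password/requirement, password/app and app/key correspondences to the node."""
        for (app_id, requirement), password in self.passwords.items():
            node.requirement_of[password] = requirement
            node.app_of[password] = app_id
        node.key_of.update(self.keys)


def build_packet(app_id: bytes, password: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """Steps 505-509: the client carries app id, password and authentication code in one HBH option."""
    value = app_id + password + authentication_code(shared_key, password)    # 4 + 8 + 16 = 28 bytes
    option = struct.pack("!BB", OPT_APN, len(value)) + value                 # TLV, 30 bytes
    hbh = struct.pack("!BB", NH_UDP, (2 + len(option)) // 8 - 1) + option    # 32 bytes, Hdr Ext Len 3
    # Fixed 40-byte IPv6 header; the source/destination addresses are zeroed (constructed sample).
    ipv6 = struct.pack("!IHBB", 0x60000000, len(hbh) + len(payload), NH_HBH, 64) + bytes(32)
    return ipv6 + hbh + payload


@dataclass
class ApplicationAwareNode:
    requirement_of: dict = field(default_factory=dict)   # password -> network requirement
    app_of: dict = field(default_factory=dict)           # password -> legitimate app id
    key_of: dict = field(default_factory=dict)           # app id -> shared key

    @staticmethod
    def find_option(packet: bytes):
        """Walk the HBH option list and return the offset of the password option's value, or None."""
        if len(packet) < 42 or packet[6] != NH_HBH:
            return None
        end = min(len(packet), 40 + (packet[41] + 1) * 8)
        pos = 42
        while pos + 1 < end:
            if packet[pos] == 0:                   # Pad1 option has no length byte
                pos += 1
            elif packet[pos] == OPT_APN:
                return pos + 2
            else:
                pos += 2 + packet[pos + 1]         # skip any other TLV option
        return None

    def process(self, packet: bytes):
        """Steps 511-513: returns ("forward", policy, stripped_packet) or ("drop", reason, None)."""
        start = self.find_option(packet)
        if start is None:
            return ("drop", "no-password-option", None)
        pw_start, mac_start = start + APP_ID_LEN, start + APP_ID_LEN + PASSWORD_LEN
        app_id = packet[start:pw_start]
        password = packet[pw_start:mac_start]
        mac = packet[mac_start:mac_start + MAC_LEN]
        key = self.key_of.get(app_id)
        if key is None or not hmac.compare_digest(authentication_code(key, password), mac):
            return ("drop", "bad-authentication-code", None)   # unknown application or tampering
        if self.app_of.get(password) != app_id:
            return ("drop", "password-misused", None)          # password belongs to another app
        policy = POLICY_FOR_REQUIREMENT[self.requirement_of[password]]
        # Remove the password information before forwarding: fill its bytes with zeros.
        stripped = bytearray(packet)
        stripped[pw_start:mac_start + MAC_LEN] = bytes(PASSWORD_LEN + MAC_LEN)
        return ("forward", policy, bytes(stripped))


if __name__ == "__main__":
    operator, node = OperatorServer(), ApplicationAwareNode()
    pw = operator.register(b"APPA", "low-latency", b"constructed-key-a")
    operator.sync(node)
    print(node.process(build_packet(b"APPA", pw, b"constructed-key-a", b"hello"))[:2])
```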
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
According to another aspect, an apparatus for transmitting data packets is provided. Fig. 6 shows a schematic block diagram of a transmission device for data packets according to an embodiment. The apparatus may be disposed at the application sensing node and configured to perform the functions of the application sensing node in the foregoing embodiments. As shown in fig. 6, the apparatus 600 includes a first receiving unit 601, a password obtaining unit 602 and a forwarding processing unit 603, and may further include a second receiving unit 604, an authentication code obtaining unit 605, an authentication processing unit 606 and a password verifying unit 607. The main functions of each component unit are as follows:
the first receiving unit 601 is configured to receive an IPv6 data packet from an application client.
The password obtaining unit 602 is configured to obtain password information carried in a header of the IPv6 data packet.
The application sensing node can acquire password information from HBH, DOH or SRH of the IPv6 data message.
The forwarding processing unit 603 is configured to forward the IPv6 data packet according to the network requirement corresponding to the password information.
Specifically, the forwarding processing unit 603 may be configured to forward the IPv6 data packet by using a routing policy corresponding to the network requirement.
The password information is distributed to the application client side by the operator service side according to the network requirements of the application and is synchronized to the application sensing node.
A second receiving unit 604, configured to receive and store password information synchronized to the application-aware node by the operator service side and corresponding network requirement information.
As a preferred embodiment, the authentication code obtaining unit 605 is configured to obtain an authentication code carried in a header of the IPv6 data packet.
An authentication processing unit 606 is configured to calculate an authentication code for the password information using the shared key, and to determine whether the calculated authentication code is consistent with the acquired authentication code.
The forwarding processing unit 603 is further configured to forward the IPv6 data packet according to the network requirement corresponding to the password information if the authentication processing unit 606 determines that the calculated authentication code is consistent with the acquired authentication code, and otherwise to discard the IPv6 data message.
Further, the authentication processing unit 606 may be configured to obtain a shared key preset in the application-aware node, or obtain the shared key from the operator service side.
Further, the second receiving unit 604 is configured to obtain the correspondence between the password information and the application identification information from the operator service end in advance.
Correspondingly, the password verification unit 607 is configured to determine, according to the correspondence between the password information and the application identification information, the application identification information corresponding to the password information carried in the packet header of the IPv6 data packet; and judging whether the determined application identification information is consistent with the application identification information carried by the IPv6 data message.
The forwarding processing unit 603 is further configured to determine that the password information has been illegally misused and to discard the IPv6 data packet if the password verification unit 607 determines that the two are inconsistent; and, if the password verification unit 607 determines that they are consistent, to continue forwarding the IPv6 data packet according to the network requirement corresponding to the password information.
As one implementation manner, the forwarding processing unit 603 may be configured to remove the password information from the IPv6 data packet, and then forward the IPv6 data packet with the password information removed.
According to another aspect, an apparatus for transmitting a data packet is provided. Fig. 7 shows a schematic block diagram of a transmission device for data packets according to an embodiment. The device can be arranged at an application client to perform the functions of the application client in the embodiments. As shown in fig. 7, the apparatus 700 includes a password determining unit 701, a password carrying unit 702 and a message sending unit 703, and may further include a password receiving unit 704 and an authentication code carrying unit 705. The main functions of each component unit are as follows:
a password determination unit 701 configured to determine password information corresponding to a network requirement of the application service according to the network requirement.
A password carrying unit 702 configured to carry the password information in a header of the IPv6 data packet.
A message sending unit 703 configured to send the IPv6 data message to the application sensing node.
The password information is pre-distributed by the operator service terminal according to the network requirement.
A password receiving unit 704 configured to receive password information pre-assigned by the operator service side according to the network requirement of the application client.
For an IPv6 data packet, the password information may be carried in an extension header. The extension header of the IPv6 data packet may be an HBH (Hop-by-Hop Options Header), a DOH (Destination Options Header), an SRH (Segment Routing Header) or the like, so the password information may be carried in at least one of these headers.
Further, in order to prevent the password information from being tampered with or stolen by other applications, the authentication code carrying unit 705 is configured to calculate the authentication code over the password information using the shared secret key, and to carry the authentication code in the header of the IPv6 data packet.
As one of the embodiments, the manner of calculating the authentication code for the password information by using the shared key may include, but is not limited to, SHA (Secure Hash Algorithm) -1, SHA-2, SHA-3, MD (Message-Digest Algorithm) 5, and the like.
The authentication code carrying unit 705 may be further configured to obtain a shared key preset at the application client, or obtain the shared key from the operator service end.
As a preferred application scenario, the application client may be a temporarily registered user without a contract.
According to another aspect, an apparatus for transmitting data packets is provided. Fig. 8 shows a schematic block diagram of a transmission device for data messages according to an embodiment. The device can be arranged at the operator service end to perform the functions of the operator service end in the embodiments. As shown in fig. 8, the apparatus 800 includes a password assigning unit 801 and an information synchronizing unit 802, and may further include a key sending unit 803 and an information maintaining unit 804. The main functions of each component unit are as follows:
a password assigning unit 801 configured to assign password information to the application client according to the network requirement information registered by the application.
As a preferred embodiment, the password assignment unit 801 may hash the application's registered network requirement information to generate the password information.
Other ways than this preferred embodiment may also be used; for example, the password assignment unit 801 may maintain a pool of passwords. When password information is distributed to an application client, one currently unoccupied password is selected from the password pool as the password information assigned to that client, and the correspondence between the password information and the network requirement information registered by the application client is maintained. In this way, password information allocated to clients can be aged and recycled: password information no longer used by the application client, or whose validity period has expired, is returned to the password pool.
The password assigning unit 801 may assign multiple pieces of password information to the same application. That is, when the application has more than one network requirement, the password assigning unit 801 may assign different password information to each of the different network requirements.
An information synchronization unit 802 configured to synchronize the password information and the corresponding network requirement information to the application-aware nodes.
The password information is preset in the installation package of the application client, or is sent to the application client by the password allocation unit 801.
A key sending unit 803 configured to send the shared key to the application client and the application aware node.
As one of the embodiments, all registered applications may use the same shared key, in which case the application-aware node only needs to record the shared key.
As a preferred embodiment, the key sending unit 803 may assign different shared keys for different applications. In this case, the key sending unit 803 may maintain a correspondence between the shared key and the application identification information, and send the correspondence to the application aware node. The information synchronization unit 802 is further configured to send the correspondence between the password information and the application identification information to the application-aware node, so that the application-aware node can also maintain the correspondence between the application identification information and the password information, thereby knowing the legitimate application of the password information.
The information maintenance unit 804 is configured to delete the correspondence between the password information and the network requirement information when the password information reaches its preset validity time, and to have the information synchronization unit 802 synchronize the deleted password information and network requirement information to the application sensing node.
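The password-pool variant of units 801, 802 and 804, as an added example that is not the patent's own code: passwords are drawn from a pool of unoccupied values, one per (application, network requirement) pair, each allocation carries a preset validity time, and ageing deletes the correspondence, recycles the password into the pool and synchronises the deletion to the application-aware node. The pool size, the 8-byte random password format and the explicit clock argument are assumptions of this example.

```python
"""Constructed model of password-pool allocation, ageing and synchronisation to an application-aware node."""
import secrets

PASSWORD_LEN = 8   # assumed password size


class ApplicationAwareNode:
    """Holds only the correspondences the operator service end has synchronised to it."""

    def __init__(self):
        self.requirement_of = {}   # password -> network requirement
        self.app_of = {}           # password -> application id

    def sync_add(self, password: bytes, app_id: str, requirement: str) -> None:
        self.requirement_of[password] = requirement
        self.app_of[password] = app_id

    def sync_delete(self, password: bytes) -> None:
        # A deleted correspondence must disappear here too, or an expired password keeps working.
        self.requirement_of.pop(password, None)
        self.app_of.pop(password, None)

    def lookup(self, password: bytes):
        return self.requirement_of.get(password)


class OperatorServer:
    """Units 801 (pool allocation), 802 (synchronisation) and 804 (validity-time maintenance)."""

    def __init__(self, pool_size: int, validity: float):
        self.free = set()
        while len(self.free) < pool_size:          # pool of distinct, currently unoccupied passwords
            self.free.add(secrets.token_bytes(PASSWORD_LEN))
        self.in_use = {}                           # password -> (app_id, requirement, expires_at)
        self.validity = validity                   # preset validity time, in seconds
        self.nodes = []

    def attach(self, node: ApplicationAwareNode) -> None:
        self.nodes.append(node)

    def allocate(self, app_id: str, requirement: str, now: float) -> bytes:
        """Assign one unoccupied password to an (application, requirement) pair and sync it."""
        for password, (a, r, _) in self.in_use.items():
            if (a, r) == (app_id, requirement):
                return password                    # same pair asks again: keep its password
        if not self.free:
            raise RuntimeError("password pool exhausted")
        password = self.free.pop()                 # a second requirement of the same app gets a new one
        self.in_use[password] = (app_id, requirement, now + self.validity)
        for node in self.nodes:
            node.sync_add(password, app_id, requirement)
        return password

    def age(self, now: float) -> list:
        """Delete expired correspondences, recycle their passwords, and sync the deletions."""
        expired = [p for p, (_, _, expires_at) in self.in_use.items() if expires_at <= now]
        for password in expired:
            del self.in_use[password]
            self.free.add(password)
            for node in self.nodes:
                node.sync_delete(password)
        return expired
```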
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2-4.
According to an embodiment of still another aspect, there is also provided a computing device including a memory and a processor, the memory having stored therein executable code, the processor implementing the method described in conjunction with fig. 2-4 when executing the executable code.
All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on, or transmitted over, a computer-readable medium as one or more instructions or code.
The above-mentioned embodiments further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood that the above-mentioned embodiments are only examples of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention fall within the scope of the present invention.

Claims (12)

1. The transmission method of the data message is applied to an application sensing node, and the application sensing node stores password information and corresponding network demand information which are synchronized to the application sensing node by an operator service terminal; the method comprises the following steps:
an application sensing node receives an IPv6 data message from an application client; the message header of the IPv6 data message does not carry application information indicating network requirement information;
acquiring password information carried in a message header of the IPv6 data message;
forwarding the IPv6 data message by using the network requirement corresponding to the password information;
the password information is distributed to the application client side by the operator service side according to the network requirements of the application, and is generated after carrying out hash processing on the network requirement information of the application, or is selected from unoccupied password information in a password pool.
2. The method according to claim 1, wherein before forwarding the IPv6 data packet by using the network requirement corresponding to the password information, the method further includes:
acquiring a cyclic redundancy check code carried in the IPv6 data message;
and utilizing a cyclic redundancy check code to carry out integrity check on the IPv6 data message, and if the check is passed, continuing to execute the network requirement corresponding to the password information to forward the IPv6 data message.
3. The method of claim 1, further comprising:
if the password information exceeds the validity period, deleting the corresponding relation between the password information and the network demand information;
or,
receiving the corresponding relation between the deleted password information and the network requirement information synchronized by the operator service end, and deleting the corresponding relation between the deleted password information and the network requirement information from the application sensing node.
4. The method of claim 1, wherein forwarding the IPv6 data packet comprises:
forwarding the IPv6 data message by adopting a routing strategy corresponding to the network requirement;
and/or,
and after removing the password information from the IPv6 data message, forwarding the IPv6 data message with the password information removed.
5. The transmission method of the data message is applied to an application client and comprises the following steps:
the application client determines password information corresponding to the network requirement according to the network requirement of the application service;
carrying the password information in a message header of an IPv6 data message;
sending the IPv6 data message to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network requirement information;
the password information is pre-distributed by the operator service terminal according to the network requirement, and is generated after carrying out hash processing on the applied network requirement information, or is selected from unoccupied password information in a password pool.
6. The method of claim 5, further comprising, prior to sending the IPv6 datagram to an application aware node:
generating a cyclic redundancy check code of the IPv6 data message;
and carrying a cyclic redundancy check code in the IPv6 data message.
7. The transmission method of the data message is applied to an operator service end and comprises the following steps:
the operator service side distributes password information for the application client side according to the network demand information registered by the application; the password information is generated after Hash processing is carried out on the applied network requirement information, or is selected from unoccupied password information in a password pool;
and synchronizing the password information and the corresponding network requirement information to the application sensing node.
8. The method of claim 7, further comprising: and if the password information reaches the preset effective time, the operator server deletes the corresponding relation between the password information and the network demand information and synchronizes the password information and the network demand information to an application sensing node.
9. The transmission device of the data message is arranged at an application sensing node, and the application sensing node stores password information and corresponding network demand information which are synchronously sent to the application sensing node by an operator service terminal; the device includes:
the first receiving unit is configured to receive an IPv6 data message from an application client; the message header of the IPv6 data message does not carry application information indicating network requirement information;
the password acquisition unit is configured to acquire password information carried in a message header of the IPv6 data message;
the forwarding processing unit is configured to forward the IPv6 data message by using the network requirement corresponding to the password information;
the password information is distributed to the application client side by the operator service side according to the network requirements of the application, and is generated after carrying out hash processing on the network requirement information of the application, or is selected from unoccupied password information in a password pool.
10. The transmission device of the data message, arranged at the application client, the device includes:
the password determining unit is configured to determine password information corresponding to the network requirement according to the network requirement of the application service;
the password carrying unit is configured to carry the password information in a message header of the IPv6 data message;
the message sending unit is configured to send the IPv6 data message to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network requirement information;
the password information is pre-distributed by the operator service side according to the network requirement, is generated after hash processing is carried out on the applied network requirement information, or is selected from unoccupied password information in a password pool.
11. The transmission device of the data message, arranged at the operator service end, the device includes:
the password distribution unit is configured to distribute password information for the application client according to the network demand information registered by the application; the password information is generated after Hash processing is carried out on the applied network requirement information, or is selected from unoccupied password information in a password pool;
and the information synchronization unit is configured to synchronize the password information and the corresponding network requirement information to the application-aware node.
12. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-8.
CN202210638671.5A 2020-12-18 2020-12-18 Data message transmission method and device Active CN115189913B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210638671.5A CN115189913B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011506176.6A CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device
CN202210638671.5A CN115189913B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202011506176.6A Division CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Publications (2)

Publication Number Publication Date
CN115189913A true CN115189913A (en) 2022-10-14
CN115189913B CN115189913B (en) 2024-01-05

Family

ID=75317254

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202011506176.6A Active CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device
CN202210638671.5A Active CN115189913B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202011506176.6A Active CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Country Status (1)

Country Link
CN (2) CN112637183B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115442298A (en) * 2021-06-04 2022-12-06 华为技术有限公司 Message forwarding method, device and communication network
CN114363196B (en) * 2022-01-17 2023-09-19 中国人民解放军国防科技大学 Network service quality guarantee method based on active application perception
CN116346492B (en) * 2023-04-18 2024-05-14 浙江御安信息技术有限公司 APNv 6-based data security management method

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007033542A1 (en) * 2005-09-20 2007-03-29 Huawei Technologies Co., Ltd. A method for testing the network capability and the device thereof
US20070268865A1 (en) * 2006-03-02 2007-11-22 Garcia Francisco J Communications system, mobile node apparatus, and method of performing a handover
US20090006851A1 (en) * 2007-06-29 2009-01-01 Microsoft Corporation Confidential mail with tracking and authentication
WO2012139283A1 (en) * 2011-04-12 2012-10-18 华为技术有限公司 Method and appratus for address allocation
EP2887246A1 (en) * 2013-12-20 2015-06-24 Orange Method to share content with an untrusted device
CN109905473A (en) * 2019-02-21 2019-06-18 厦门理工学院 It is a kind of that system and method is monitored based on the IPv6 and PM2.5 of context aware
CN109951297A (en) * 2019-03-12 2019-06-28 中南民族大学 A kind of identity authorization system and its register method, login method of the reservation privacy of user towards big data
US20190386985A1 (en) * 2018-06-15 2019-12-19 Canon Information And Imaging Solutions, Inc. Apparatus, system and method for managing authentication with a server
CN111368232A (en) * 2020-02-28 2020-07-03 北京达佳互联信息技术有限公司 Password sharing reflux method and device, electronic equipment and storage medium
CN111835692A (en) * 2019-04-22 2020-10-27 中国信息通信研究院 Information distribution management system and method
CN112019433A (en) * 2019-05-29 2020-12-01 华为技术有限公司 Message forwarding method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102448145B (en) * 2010-09-30 2014-06-25 华为技术有限公司 Method, device and system for transmitting priority alarm information
US8832238B2 (en) * 2011-09-12 2014-09-09 Microsoft Corporation Recording stateless IP addresses

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007033542A1 (en) * 2005-09-20 2007-03-29 Huawei Technologies Co., Ltd. A method for testing the network capability and the device thereof
US20070268865A1 (en) * 2006-03-02 2007-11-22 Garcia Francisco J Communications system, mobile node apparatus, and method of performing a handover
US20090006851A1 (en) * 2007-06-29 2009-01-01 Microsoft Corporation Confidential mail with tracking and authentication
WO2012139283A1 (en) * 2011-04-12 2012-10-18 华为技术有限公司 Method and appratus for address allocation
EP2887246A1 (en) * 2013-12-20 2015-06-24 Orange Method to share content with an untrusted device
US20190386985A1 (en) * 2018-06-15 2019-12-19 Canon Information And Imaging Solutions, Inc. Apparatus, system and method for managing authentication with a server
CN109905473A (en) * 2019-02-21 2019-06-18 厦门理工学院 It is a kind of that system and method is monitored based on the IPv6 and PM2.5 of context aware
CN109951297A (en) * 2019-03-12 2019-06-28 中南民族大学 A kind of identity authorization system and its register method, login method of the reservation privacy of user towards big data
CN111835692A (en) * 2019-04-22 2020-10-27 中国信息通信研究院 Information distribution management system and method
CN112019433A (en) * 2019-05-29 2020-12-01 华为技术有限公司 Message forwarding method and device
CN111368232A (en) * 2020-02-28 2020-07-03 北京达佳互联信息技术有限公司 Password sharing reflux method and device, electronic equipment and storage medium

Non-Patent Citations (3)

Title
SHUPING PENG: "Demo Abstract: APN6: Application-aware IPv6 Networking", IEEE INFOCOM 2020 - IEEE CONFERENCE ON COMPUTER COMMUNICATIONS WORKSHOPS (INFOCOM WKSHPS) *
何林; 况鹏; 王士诚; 刘莹; 李星; 彭书萍: "Application-Aware Networking (APN6) Based on 'IPv6+'", Telecommunications Science (电信科学), no. 08 *
王晨曦: "Intelligent IP Network Solution Based on 'IPv6+'", Telecommunications Science (电信科学), no. 08 *

Also Published As

Publication number Publication date
CN115189913B (en) 2024-01-05
CN112637183A (en) 2021-04-09
CN112637183B (en) 2022-07-19

Similar Documents

Publication Publication Date Title
CN112637183B (en) Data message transmission method and device
CN109039436B (en) Method and system for satellite security access authentication
US8195935B2 (en) Systems, methods and computer-accessible media for acquiring and authenticating public key certificate status
CN111314056B (en) Heaven and earth integrated network anonymous access authentication method based on identity encryption system
JP4804983B2 (en) Wireless terminal, authentication device, and program
EP1713289A1 (en) A method for establishing security association between the roaming subscriber and the server of the visited network
CN108990062B (en) Intelligent security Wi-Fi management method and system
WO2007106620A2 (en) Method for authenticating a mobile node in a communication network
CN111246474B (en) Base station authentication method and device
CN113382002B (en) Data request method, request response method, data communication system, and storage medium
CN112637069B (en) Data message transmission method and device
CN112769568A (en) Security authentication communication system and method in fog computing environment and Internet of things equipment
CN113993127B (en) Method and device for realizing one-key login service
CN114390524A (en) Method and device for realizing one-key login service
Liu et al. Secure name resolution for identifier-to-locator mappings in the global internet
CN106230860A (en) The method and apparatus sending Streaming Media
CN106027555A (en) Method and system for improving network security of content delivery network by employing SDN (Software Defined Network) technology
CN112437098A (en) Data message transmission method and device
CN114417309A (en) Bidirectional identity authentication method, device, equipment and storage medium
CN114158046A (en) Method and device for realizing one-key login service
CN113194471B (en) Wireless network access method, device and terminal based on block chain network
Vettorello et al. Some notes on security in the service location protocol version 2 (slpv2)
Meng et al. Establish the intrinsic binding in naming space for future internet using combined public key
CN114978741B (en) Inter-system authentication method and system
KR100463751B1 (en) Method for generating packet-data in wireless-communication and method and apparatus for wireless-communication using that packet-data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant