CN115189913B - Data message transmission method and device - Google Patents

Data message transmission method and device

Info

Publication number: CN115189913B
Authority: CN (China)
Prior art keywords: application, information, data message, password, password information
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210638671.5A
Other languages: Chinese (zh)
Other versions: CN115189913A (en)
Inventors: 张婉桥, 黄琳, 简云定, 曹鸿健, 伏伟
Current assignee: Alipay Hangzhou Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Alipay Hangzhou Information Technology Co Ltd

Events
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202210638671.5A
Publication of CN115189913A
Application granted
Publication of CN115189913B
Legal status: Active
Anticipated expiration

Classifications (all under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)

    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 for authentication of entities > H04L63/0876 based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use > H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application is a divisional application of application number 202011506176.6. The embodiments of this specification provide a method and device for transmitting a data message. First, an application client determines the password information that corresponds to the network requirement of its application service (the password information is an opaque stand-in for that requirement), carries the password information in the header of an IPv6 data message, and sends the message to an application-aware node; the header of the IPv6 data message does not carry application information that would indicate the network requirement. The application-aware node then forwards the IPv6 data message using the network requirement that corresponds to the password information. The password information is generated by the operator server by hashing the application's network requirement information, or is selected from the unoccupied password information in a password pool.

Description

Data message transmission method and device
This application is a divisional application. The original application has application number 202011506176.6, was filed on 18 December 2020, and is titled "Data message transmission method and device".
Technical Field
One or more embodiments of this specification relate to the field of network communication technology, and in particular to a method and apparatus for transmitting a data message.
Background
With the rapid development of networks, the optimal configuration of network resources has become an urgent requirement of network management, and APN6 (Application-aware IPv6 Networking) is intended to address this pain point.
In an APN6 deployment, the service levels of the network can be divided and different routing policies adopted for different service levels, so that network resources are optimized as a whole. However, if the header of the IPv6 (Internet Protocol version 6) data packet sent by the application client carries application information that reflects the network requirement, that application information may involve user privacy, and user privacy is therefore exposed to disclosure during network transmission.
Disclosure of Invention
One or more embodiments of this specification describe a method and apparatus for transmitting a data message, so as to improve the transmission security of IPv6 data messages in APN6.
According to a first aspect, a data message transmission method is provided, applied to an application-aware node, where the application-aware node stores password information and the corresponding network requirement information that the operator server has synchronized to it. The method comprises the following steps:
the application-aware node receives an IPv6 data message from an application client, where the header of the IPv6 data message does not carry application information indicating the network requirement information;
obtaining the password information carried in the header of the IPv6 data message;
forwarding the IPv6 data message using the network requirement corresponding to the password information;
where the password information is allocated to the application client by the operator server according to the application's network requirement, and is generated by hashing the application's network requirement information or is selected from the unoccupied password information in a password pool.
Before the IPv6 data message is forwarded using the network requirement corresponding to the password information, the method further includes:
obtaining the cyclic redundancy check code carried in the IPv6 data message;
and performing an integrity check on the IPv6 data message with the cyclic redundancy check code; if the check passes, continuing to forward the IPv6 data message using the network requirement corresponding to the password information.
The method further comprises:
if the password information has exceeded its validity period, deleting the correspondence between the password information and the network requirement information;
or,
receiving from the operator server the synchronized deletion of a correspondence between password information and network requirement information, and deleting that correspondence from the application-aware node.
Forwarding the IPv6 data message comprises:
forwarding the IPv6 data message with the routing policy corresponding to the network requirement;
and/or
removing the password information from the IPv6 data message and forwarding the IPv6 data message with the password information removed.
According to a second aspect, a data message transmission method is provided, applied to an application client, comprising:
the application client determines the password information corresponding to the network requirement of its application service;
carries the password information in the header of an IPv6 data message;
and sends the IPv6 data message to an application-aware node, where the header of the IPv6 data message does not carry application information indicating the network requirement information;
where the password information is allocated in advance by the operator server according to the network requirement, and is generated by hashing the application's network requirement information or is selected from the unoccupied password information in a password pool.
Before sending the IPv6 data message to the application-aware node, the method further includes:
generating a cyclic redundancy check code of the IPv6 data message;
and carrying the cyclic redundancy check code in the IPv6 data message.
According to a third aspect, a data message transmission method is provided, applied to an operator server, comprising:
the operator server allocates password information to the application client according to the network requirement information registered by the application, where the password information is generated by hashing the application's network requirement information or is selected from the unoccupied password information in a password pool;
and synchronizes the password information and the corresponding network requirement information to an application-aware node.
The method further comprises: when the password information reaches its preset validity period, the operator server deletes the correspondence between the password information and the network requirement information and synchronizes the deletion to the application-aware node.
According to a fourth aspect, a data message transmission device is provided, arranged at an application-aware node, where the application-aware node stores password information and the corresponding network requirement information that the operator server has synchronized to it. The device comprises:
a first receiving unit configured to receive an IPv6 data message from an application client, where the header of the IPv6 data message does not carry application information indicating the network requirement information;
a password acquisition unit configured to obtain the password information carried in the header of the IPv6 data message;
and a forwarding processing unit configured to forward the IPv6 data message using the network requirement corresponding to the password information;
where the password information is allocated to the application client by the operator server according to the application's network requirement, and is generated by hashing the application's network requirement information or is selected from the unoccupied password information in a password pool.
According to a fifth aspect, a data message transmission device is provided, arranged at an application client, the device comprising:
a password determination unit configured to determine the password information corresponding to the network requirement of the application service;
a password carrying unit configured to carry the password information in the header of an IPv6 data message;
and a message sending unit configured to send the IPv6 data message to an application-aware node, where the header of the IPv6 data message does not carry application information indicating the network requirement information;
where the password information is allocated in advance by the operator server according to the network requirement, and is generated by hashing the application's network requirement information or is selected from the unoccupied password information in a password pool.
According to a sixth aspect, a data message transmission device is provided, arranged at an operator server, the device comprising:
a password allocation unit configured to allocate password information to the application client according to the network requirement information registered by the application, where the password information is generated by hashing the application's network requirement information or is selected from the unoccupied password information in a password pool;
and an information synchronization unit configured to synchronize the password information and the corresponding network requirement information to the application-aware node.
According to a seventh aspect, a computing device is provided, comprising a memory storing executable code and a processor which, when executing the executable code, implements the method of the first aspect.
With the method and device provided by the embodiments of this specification, the operator server allocates password information to the application client according to the application's network requirement and synchronizes it to the application-aware node; the application client can then convey its network requirement to the application-aware node merely by carrying the password information in the header of the IPv6 data message. The user's private information is therefore not exposed in the header, and the transmission security of IPv6 data messages in APN6 is improved.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; other drawings can be obtained from them by a person skilled in the art without inventive effort.
FIG. 1 is a schematic diagram of the system architecture to which this specification relates and applies;
FIG. 2 is a flowchart of the method performed by the operator server according to an embodiment of this specification;
FIG. 3 is a flowchart of the method performed by the application client according to an embodiment of this specification;
FIG. 4 is a flowchart of the method performed by the application-aware node according to an embodiment of this specification;
FIG. 5 is a schematic diagram of a specific interaction between the network nodes according to an embodiment of this specification;
FIG. 6 is a schematic block diagram of a data message transmission device according to an embodiment;
FIG. 7 is a schematic block diagram of a data message transmission device according to an embodiment;
FIG. 8 is a schematic block diagram of a data message transmission device according to an embodiment.
Detailed Description
The scheme provided in this specification is described below with reference to the drawings.
To make the methods in this specification easier to understand, the system architecture to which they relate and apply is described first. As shown in FIG. 1, the system architecture mainly comprises three network nodes: an application client, an application-aware node and an operator server.
The application client is installed and runs on a terminal device, which may include, without limitation, smart mobile terminals, smart home devices, network devices, wearable devices, smart medical devices, PCs (personal computers), and so on. Smart mobile devices may include mobile phones, tablets, notebooks, PDAs (personal digital assistants), connected cars, etc. Smart home devices may include smart televisions, smart air conditioners, smart water heaters, smart refrigerators, smart air purifiers, etc., as well as smart door locks, smart sockets, smart lights, smart cameras, etc. Network devices may include switches, wireless APs, servers, etc. Wearable devices may include smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (devices that support both virtual and augmented reality), etc. Smart medical devices may include smart thermometers, smart blood pressure meters, smart blood glucose meters, etc.
The application client may be any of various types of application, including without limitation payment applications, multimedia playback applications, map applications, text editing applications, financial applications, browsers, instant messaging applications, and so on.
The operator server is the server device of the provider of network services; it may be a single server or a server group made up of several servers. It is responsible for providing network services, such as security authentication and management of network service levels, to the various applications.
The application-aware node sits at the edge of the operator network, at the gateway position. It is responsible for selecting a suitable routing policy for the IPv6 data packet sent by the application client according to the information indicating the network requirement that the packet carries, and for forwarding the packet to the corresponding application server.
It should be understood that the numbers of application clients, application-aware nodes and operator servers in FIG. 1 are merely illustrative. Any number may be deployed as the implementation requires.
FIG. 2 is a flowchart of the method performed by the operator server according to an embodiment of this specification. As shown in FIG. 2, the method may include the following steps.
In step 201, the operator server allocates password information to the application client according to the network requirement information registered by the application.
In this specification, an application may provide its network requirement information to the operator server while signing a contract with, or registering with, the operator server. The network requirement information may be expressed as the content or type of the application service, such as video, audio, web pages or instant messaging, or as the network level the application requires.
The operator server may allocate password information to the application client according to the application's network requirement information. As a preferred embodiment, the operator server hashes the application's network requirement information to generate the password information. Note that a hash of the same requirement information always yields the same value, so password information derived this way can be recomputed by anyone who knows or can guess that input; it is a stand-in for the requirement, not a secret in its own right.
Other means may also be used, for example the operator server maintaining a password pool. When password information is allocated to an application client, one currently unoccupied entry is selected from the pool as the password information of that client, and the correspondence between the password information and the network requirement information registered by the client is maintained. Password information allocated this way can be aged and reclaimed: entries that the application client no longer uses, or that have exceeded their validity period, are returned to the pool.
The approach of this specification can be applied to contract users, i.e. users that register their network requirement information while signing a contract with the operator server. In this case the password information allocated to the application may be preset in the installation package of the application client; after the terminal device downloads and installs the application client, the client obtains from the installation package the password information allocated by the operator server. The password information may also be sent to the application client by the operator server.
The approach is even more applicable to non-contract users with temporary registration, i.e. applications that do not sign a contract with the operator server but only register temporarily, providing their network requirement information during registration. In this case the operator server sends the allocated password information to the application client, and the password information is typically a temporary password: it has a validity period, after which it becomes invalid and the operator server deletes the maintained correspondence between the password information and the network requirement information.
In addition, the operator server may allocate several pieces of password information to the same application: when an application has more than one network requirement, the operator server may allocate different password information for each network requirement.
In step 203, the operator server synchronizes the password information and the corresponding network requirement information to the application-aware node.
The application-aware node maintains the correspondence between password information and network requirement information, so that when it receives password information from an application client it can determine the corresponding network requirement information.
As mentioned above, password information may have a validity period. If the password information has exceeded its validity period, the application-aware node may itself delete the correspondence between the password information and the network requirement information that it maintains.
Alternatively, the operator server deletes the correspondence between the password information and the network requirement information once the password information reaches its preset validity period and synchronizes the deletion to the application-aware node, which deletes the correspondence in turn.
As a preferred embodiment, when the operator server synchronizes the password information and the corresponding network requirement information to the application-aware node, it may also synchronize the application identification information, so that the application-aware node also maintains the correspondence between application identification information and password information and thereby knows which application is entitled to use each piece of password information.
Furthermore, the operator server may allocate a shared key to the registered application client and synchronize the shared key to the application-aware node.
As one embodiment, all registered applications may use the same shared key, in which case the application-aware node only needs to record that one key.
As a preferred embodiment, the operator server allocates different shared keys to different applications. In this case the operator server maintains the correspondence between shared keys and application identification information and synchronizes it to the application-aware node.
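Steps 201 and 203 on the operator server side, as an added example in Python that is not the patent's own code: the hash-based embodiment beside the pool-based one, the validity period with deletion and reclamation into the pool, the per-application shared key, and the records that would be synchronized to the application-aware node. The class and function names, the 8-byte length of the password information, the one-hour validity period, the sync record format, and the inclusion of the application identifier in the hashed input are all assumptions. The helper at the end makes the caveat on hashing concrete: it enumerates a few candidate requirement strings against a hash-derived value.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LEN = 8            # assumed length of the password information, in bytes
VALIDITY_SECONDS = 3600  # assumed validity period of a temporary password


def hash_token(app_id, requirement):
    """Hash-based embodiment. Deterministic by construction: whoever knows or can
    guess the input can recompute the token. Mixing in app_id is an assumption so
    that two applications registering the same requirement do not share a token."""
    return hashlib.sha256(f"{app_id}|{requirement}".encode()).digest()[:TOKEN_LEN]


class OperatorServer:
    """Keeps token -> (application, requirement, expiry), one shared MAC key per
    application, and the log of records pushed to the application-aware node."""

    def __init__(self, use_pool, now=time.time):
        self.use_pool = use_pool
        self.now = now
        self.pool = set()       # unoccupied pool entries
        self.table = {}         # token -> {"app", "requirement", "expires"}
        self.app_keys = {}      # application id -> shared key
        self.synced = []        # ("add", token, app, requirement) or ("delete", token)

    def _pool_token(self):
        # Pool-based embodiment: entries are random, so they say nothing about
        # the requirement and cannot be precomputed by an observer.
        if not self.pool:
            self.pool.update(secrets.token_bytes(TOKEN_LEN) for _ in range(16))
        return self.pool.pop()

    def register(self, app_id, requirement, temporary=True):
        """Step 201: allocate password information for a registered requirement."""
        token = self._pool_token() if self.use_pool else hash_token(app_id, requirement)
        expires = self.now() + VALIDITY_SECONDS if temporary else None
        self.table[token] = {"app": app_id, "requirement": requirement, "expires": expires}
        self.app_keys.setdefault(app_id, secrets.token_bytes(32))  # per-application key
        self.synced.append(("add", token, app_id, requirement))     # step 203
        return token

    def expire(self):
        """Delete correspondences past their validity period, return pool entries
        to the pool, and push the deletions to the application-aware node."""
        gone = [t for t, rec in self.table.items()
                if rec["expires"] is not None and rec["expires"] <= self.now()]
        for t in gone:
            del self.table[t]
            if self.use_pool:
                self.pool.add(t)
            self.synced.append(("delete", t))
        return gone


def guess_requirement(token, app_id, candidates):
    """Dictionary check: requirement information is low-entropy ("video", "web",
    ...), so a hash-derived token is recoverable by enumerating candidates.
    Returns the matching candidate, or None for a pool-drawn token."""
    for c in candidates:
        if hmac.compare_digest(hash_token(app_id, c), token):
            return c
    return None
```

The two allocation strategies differ only in `register`; everything downstream (expiry, synchronization, the per-application key) is shared. Injecting `now` makes the validity period testable without waiting.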
FIG. 3 is a flowchart of the method performed by the application client according to an embodiment of this specification. As shown in FIG. 3, the method may include the following steps.
In step 301, the application client determines the password information corresponding to the network requirement of its application service.
The application client obtains in advance the password information that the operator server allocated according to the client's network requirement; it may be read from the installation package or sent by the operator server. When the client requests an application service, it determines the network requirement of that service and then the password information corresponding to that requirement.
If the application client registered only one network requirement with the operator server, it holds only the password information for that requirement. If it registered more than one, it holds different password information for each network requirement.
In step 303, the application client carries the password information in the header of the IPv6 data message.
It can be seen that this specification takes a completely different approach from the prior art: application information indicating the network requirement is not carried in the header of the IPv6 data message and is replaced by the password information. Because the password information itself carries no user privacy, its leakage does not leak user privacy, which greatly improves the transmission security of the IPv6 data message. Note that this is substitution rather than encryption: the operator server and the application-aware node still know which requirement the password information stands for, and packets carrying the same password information remain linkable to one another on the path.
For an IPv6 data message, the password information may be carried in an extension header, such as the Hop-by-Hop Options header (HBH), the Destination Options header (DOH) or the Segment Routing Header (SRH); the password information may be carried in at least one of these headers.
In step 305, the application client sends the IPv6 data message carrying the password information to the application-aware node.
The destination node of the IPv6 data message sent by the application client is the application server, i.e. the destination address is the address of the application server. Since the application-aware node is an edge node of the operator network at the gateway position, the IPv6 data message passes through the application-aware node on its way to the application server.
Further, to prevent the password information from being tampered with or misused by other applications, the application client may compute an authentication code over the password information with the shared key obtained in advance from the operator server, and carry the authentication code in the IPv6 data message.
As one embodiment, the authentication code may be computed with a keyed message authentication code, for example an HMAC built over SHA-2 or SHA-3. The algorithms named here, SHA-1, SHA-2, SHA-3 and MD5, are hash functions and serve as the underlying hash of such a keyed construction; used without the key, a digest of the password information could be recomputed by anyone who reads it and would authenticate nothing. MD5 and SHA-1 are, moreover, no longer considered collision-resistant.
The authentication code may be carried in the header of the IPv6 data message, for example in the same header as the password information and immediately after it. If the timestamp described below is also carried, it should be covered by the authentication code as well; otherwise a captured password information and authentication code could be reused under a fresh timestamp.
Furthermore, the application client may carry verification information in the IPv6 data message so that the application-aware node can verify the message with it.
As one implementation, the verification information may be a CRC (cyclic redundancy check) code. The application client generates the CRC code of the IPv6 data message and carries it in the message, so that the application-aware node can use it to check the message's integrity. CRC generation uses mature existing techniques and is not described further here. A CRC detects accidental corruption only: anyone who modifies the message can recompute it, so it does not replace the authentication code.
As another implementation, the verification information may be a timestamp. The application client carries the current timestamp in the IPv6 data message before sending it, so that the application-aware node can use the timestamp to detect replay of the message. This presupposes that the node accepts only timestamps within a tolerance window around its own clock and that the clocks of client and node are roughly synchronized.
Fig. 4 is a flowchart of a method performed by an application aware node according to an embodiment of the present disclosure, as shown in fig. 4, the method may include the following steps:
in step 401, the application aware node receives an IPv6 data message from an application client.
Step 403, obtaining the password information carried in the header of the IPv6 data message.
The application aware node may obtain password information from HBH, DOH, SRH, or the like of the IPv6 data packet.
And step 405, forwarding the IPv6 data message by utilizing the network requirement corresponding to the password information.
The operator server side synchronizes password information and corresponding network demand information to the application sensing node in advance, and the application sensing node stores and maintains the corresponding relation between the password information and the network demand information. After receiving the IPv6 data message, obtaining the password information from the message header of the IPv6 data message, and determining the network requirement corresponding to the password information according to the maintained corresponding relation. And forwarding the IPv6 data message according to the routing strategy corresponding to the network demand.
Since the correspondence between the password information and the network requirements is generated at the operator server, the operator server determines what routing policy is adopted by the registered application under the corresponding network requirements.
For example, for applications such as video, instant messaging, etc., the real-time requirements for the network are high, and the network requirements for such applications to generate passwords at registration are high. The application aware node may employ a better routing policy to forward the IPv6 data message so that the IPv6 data message may be transmitted via, for example, a network node with a higher bandwidth and a higher processing capability.
For example, for web browsing applications, there is no need for so high network demands relative to video services, so the application aware node can employ lower level routing policies to forward IPv6 data messages.
The network resources can be optimized as much as possible on the basis of ensuring the quality of service acquired by the user through the routing strategy.
As a preferred embodiment, the IPv6 data message may further carry an authentication code, as already mentioned in the example shown in fig. 3. In this case, in step 403 the application aware node may further obtain the authentication code carried in the header of the IPv6 data packet, calculate an authentication code for the password information obtained in step 403 using the shared key, and compare the calculated authentication code with the obtained one; if they are consistent, step 405 is executed; otherwise the password information may have been tampered with, and the IPv6 data message may be discarded.
As one implementation, the application aware node obtains the shared key and the application identification information from the operator server in advance, so that a correspondence between the shared key and the application identification information is maintained in the application aware node. After receiving the IPv6 data message from the application client, the application aware node may obtain the application identification information from the IPv6 data message, i.e. learn which application the message originates from, and then determine the shared key corresponding to that application identification information.
In addition to the above implementation, a unified shared key may be used for all applications registered at the operator, where the application aware node obtains the unified shared key.
As another preferred embodiment, the application aware node obtains in advance the correspondence between password information and application identification information from the operator server. Before step 405, the application identification information corresponding to the password information carried in the header of the IPv6 data packet may be determined according to this correspondence and compared with the application identification information carried by the IPv6 data message (an IPv6 data message generally carries the identification information of the application it originates from). If they are consistent, step 405 is executed; if not, the password information may be being used illegally, and the IPv6 data message may be discarded.
For example, assuming that the application awareness node obtains the correspondence between the password 1 and the application a from the operator server, but the application awareness node receives the IPv6 data packet from the application B and carries the password 1, the password 1 may be illegally used by the application B, and the application awareness node may discard the IPv6 data packet and does not perform forwarding processing on the IPv6 data packet.
As one implementation, since the password information is mainly used by the application aware node to determine the routing policy and has little meaning to the application server, the application aware node can remove the password information from the IPv6 data message before forwarding it, and then forward the IPv6 data message without the password information. After the password information is removed, the extension bits it occupied may be filled with preset meaningless data, for example all zeros.
For a more intuitive understanding of the above manner of the present description, the specific interactions between network nodes are described below by a preferred embodiment shown in fig. 5. As shown in fig. 5, the flow includes the steps of:
in step 501, the operator server allocates password information and a shared key to the application client according to the network requirement information registered by the application.
In step 503, the operator server provides the corresponding relationship between the password information and the application identification information and the corresponding relationship between the shared key and the application identification information to the application aware node.
In step 505, the application client determines password information corresponding to the network requirement according to the network requirement of the application service, and carries the password information in the header of the IPv6 data packet.
In step 507, the application client calculates the authentication code for the password information by using the shared key, and carries the authentication code after the password information in the header of the IPv6 data packet.
In step 509, the application client sends an IPv6 data packet to the application aware node.
In step 511, the application aware node obtains the password information carried in the header of the IPv6 data packet and verifies the authentication code carried in the IPv6 data packet using the shared key and the password information, i.e. it generates an authentication code for the password information using the shared key and compares it with the obtained authentication code; if they are consistent, step 513 is executed, otherwise the IPv6 data packet is discarded (not shown in the figure).
In step 513, the application aware node determines a network requirement corresponding to the password information, and forwards the IPv6 data packet using a routing policy corresponding to the network requirement.
The specific processing involved in each step in the above-mentioned flow may be referred to in the embodiments shown in fig. 2 to 4, and will not be described herein.
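The flow of steps 501 to 513 above, including the authentication-code check of step 511, the password-to-application binding check and the removal of the password before forwarding, as an added worked example that is not part of the patent. It assumes HMAC-SHA256 as the keyed construction for the authentication code (the patent names hash algorithms but does not fix a keyed construction), derives the password by hashing the registered network demand together with the application identifier (the identifier is mixed in as an assumption so two applications with the same demand do not share a password), and uses constructed routing policy names and message fields:

```python
import hashlib
import hmac
import secrets

# Constructed mapping from a registered network demand to the routing policy the
# application aware node applies; the patent only says a higher demand gets a
# "better" policy, so these names are assumptions for the example.
POLICY_BY_DEMAND = {"low-latency": "premium-path", "best-effort": "default-path"}


class OperatorServer:
    """Registers applications and builds the tables synced to the aware node (step 503)."""

    def __init__(self):
        self.password_to_demand = {}  # password -> network demand
        self.password_to_app = {}     # password -> application identification
        self.key_by_app = {}          # application identification -> shared key

    def register(self, app_id, demand):
        # Preferred embodiment: password derived by hashing the registered network
        # demand. Mixing in the app id is an assumption of this example.
        password = hashlib.sha256(f"{app_id}|{demand}".encode()).digest()[:8]
        key = self.key_by_app.setdefault(app_id, secrets.token_bytes(32))
        self.password_to_demand[password] = demand
        self.password_to_app[password] = app_id
        return password, key


def auth_code(key, password):
    """Keyed authentication code over the password (HMAC-SHA256 assumed)."""
    return hmac.new(key, password, hashlib.sha256).digest()


def client_message(app_id, password, key, payload):
    """Steps 505-509: the client carries password and auth code in the header."""
    return {"app_id": app_id, "password": password,
            "auth_code": auth_code(key, password), "payload": payload}


class ApplicationAwareNode:
    def __init__(self, server):
        # Correspondences synced from the operator server in advance.
        self.password_to_demand = dict(server.password_to_demand)
        self.password_to_app = dict(server.password_to_app)
        self.key_by_app = dict(server.key_by_app)

    def process(self, msg):
        """Return ("forward", policy, stripped_msg) or ("discard", reason, None)."""
        app_id, password = msg["app_id"], msg["password"]
        key = self.key_by_app.get(app_id)
        if key is None:
            return "discard", "unknown-application", None
        # Step 511: recompute the auth code with the shared key; constant-time compare.
        if not hmac.compare_digest(auth_code(key, password), msg["auth_code"]):
            return "discard", "auth-code-mismatch", None
        # The password must be bound to the application that sent it
        # (the "password 1 carried by application B" case in the description).
        if self.password_to_app.get(password) != app_id:
            return "discard", "password-not-bound-to-app", None
        demand = self.password_to_demand.get(password)
        if demand is None:
            return "discard", "unknown-or-expired-password", None
        # Step 513, with the password and auth code zeroed before forwarding.
        stripped = dict(msg, password=bytes(len(password)),
                        auth_code=bytes(len(msg["auth_code"])))
        return "forward", POLICY_BY_DEMAND[demand], stripped


def run_demo():
    """Constructed scenario: a legitimate message, a tampered one, and a reused password."""
    server = OperatorServer()
    pw_a, key_a = server.register("app-A", "low-latency")
    _, key_b = server.register("app-B", "best-effort")
    node = ApplicationAwareNode(server)
    legit = node.process(client_message("app-A", pw_a, key_a, b"video"))
    # Password altered in transit: the auth code no longer verifies.
    tampered = client_message("app-A", pw_a, key_a, b"video")
    tampered["password"] = bytes([tampered["password"][0] ^ 1]) + tampered["password"][1:]
    # app-B presenting app-A's password under app-B's own key: the auth code
    # verifies, but the binding check still rejects it.
    reused = node.process(client_message("app-B", pw_a, key_b, b"web"))
    return {"legit": legit[:2], "tampered": node.process(tampered)[:2],
            "reused": reused[:2], "stripped_password": legit[2]["password"]}
```

The binding check matters even when the authentication code verifies: with per-application keys, an application can always produce a valid code for a password it did not receive, so the node must also confirm that the password was allocated to the sending application.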
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
According to another embodiment, a data message transmission device is provided. Fig. 6 shows a schematic block diagram of a data message transmission device according to an embodiment. The device can be arranged on the application aware node to perform the functions of the application aware node in the above embodiments. As shown in fig. 6, the apparatus 600 includes a first receiving unit 601, a password obtaining unit 602 and a forwarding processing unit 603, and may further include a second receiving unit 604, an authentication code obtaining unit 605, an authentication processing unit 606 and a password verifying unit 607. The main functions of each constituent unit are as follows:
the first receiving unit 601 is configured to receive an IPv6 data packet from an application client.
The password obtaining unit 602 is configured to obtain password information carried in a header of the IPv6 data packet.
The application aware node may obtain password information from HBH, DOH, SRH, or the like of the IPv6 data packet.
The forwarding processing unit 603 is configured to forward the IPv6 data packet according to the network requirement corresponding to the password information.
In particular, forwarding processing unit 603 may be configured to forward IPv6 data packets using a routing policy corresponding to the network requirements.
The password information is distributed to the application client side by the operator server side according to the network requirements of the application and is synchronized to the application sensing node.
The second receiving unit 604 is configured to receive and store password information and corresponding network requirement information synchronized by the operator server to the application aware node.
As a preferred embodiment, the authentication code obtaining unit 605 is configured to obtain an authentication code carried in a header of the IPv6 data packet.
An authentication processing unit 606 configured to calculate an authentication code for the password information using the shared key, and determine whether the calculated authentication code is identical to the acquired authentication code;
the forwarding processing unit 603 is further configured to perform forwarding processing on the IPv6 data packet by using the network requirement corresponding to the password information if the authentication processing unit 606 determines that the calculated authentication code is consistent with the obtained authentication code; otherwise, discarding the IPv6 data message.
Still further, the authentication processing unit 606 may be configured to obtain a shared key preset in the application aware node, or obtain the shared key from the operator server.
Further, the second receiving unit 604 is configured to obtain, in advance, a correspondence between the password information and the application identification information from the operator server.
Accordingly, the password verification unit 607 is configured to determine, according to the correspondence between the password information and the application identification information, application identification information corresponding to the password information carried in the header of the IPv6 data packet; and judging whether the determined application identification information is consistent with the application identification information carried by the IPv6 data message.
The forwarding processing unit 603 is further configured to determine that the password information is being used illegally and discard the IPv6 data packet if the password verification unit 607 determines that the two pieces of application identification information are inconsistent; if the password verification unit 607 determines that they are consistent, forwarding of the IPv6 data packet using the network requirement corresponding to the password information continues.
As one implementation, the forwarding processing unit 603 may be configured to, after removing the password information from the IPv6 data packet, forward the IPv6 data packet from which the password information is removed.
According to another embodiment, a data message transmission device is provided. Fig. 7 shows a schematic block diagram of a data message transmission device according to an embodiment. The device can be arranged at the application client to perform the functions of the application client in the above embodiments. As shown in fig. 7, the apparatus 700 includes a password determination unit 701, a password carrying unit 702 and a message transmission unit 703, and may further include a password receiving unit 704 and an authentication code carrying unit 705. The main functions of each constituent unit are as follows:
The password determination unit 701 is configured to determine password information corresponding to a network requirement of an application service according to the network requirement.
A password carrying unit 702 configured to carry password information in a header of an IPv6 data packet;
a message sending unit 703 configured to send an IPv6 data message to the application aware node;
the password information is pre-distributed by the operator server according to network requirements.
The password receiving unit 704 is configured to receive password information pre-allocated by the operator server according to the network requirement of the application client.
For IPv6 data messages, the password information may be carried in the extension bits of the header. The message header of the IPv6 data message may be an HBH (Hop-by-Hop Options header), a DOH (Destination Options Header), an SRH (Segment Routing Header), etc., so the password information may be carried in at least one of these headers.
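Carrying the password information and authentication code as an option in a Hop-by-Hop Options header, and zeroing that option at the application aware node before forwarding as the description suggests, as an added example that is not part of the patent. It assumes the RFC 4727 experimental option type 0x3E (the patent does not fix an option type) and a constructed option layout of a one-byte password length, the password, then the authentication code; the header is padded to a multiple of 8 octets with Pad1/PadN as the IPv6 option format requires:

```python
# Experimental HBH option type from RFC 4727: act bits 00 (skip if unrecognised)
# and chg bit 1 (data may change en route, since the aware node zeroes it).
# The patent does not fix an option type; 0x3E is an assumption for this example.
APN_PWD_OPTION = 0x3E
PAD1 = 0x00
PADN = 0x01
NEXT_HEADER_TCP = 6


def build_hbh(password, auth_code, next_header=NEXT_HEADER_TCP):
    """Hop-by-Hop Options header with one option: [pw_len][password][auth_code]."""
    if not 1 <= len(password) <= 255 or 1 + len(password) + len(auth_code) > 255:
        raise ValueError("password/auth code do not fit in one option")
    opt_data = bytes([len(password)]) + password + auth_code
    options = bytes([APN_PWD_OPTION, len(opt_data)]) + opt_data
    # Next Header and Hdr Ext Len take 2 octets; the whole header is a multiple of 8.
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += bytes([PAD1])
    elif pad >= 2:
        options += bytes([PADN, pad - 2]) + bytes(pad - 2)
    hdr_ext_len = (2 + len(options)) // 8 - 1  # in 8-octet units, first 8 excluded
    return bytes([next_header, hdr_ext_len]) + options


def parse_hbh(hbh):
    """Walk the option TLVs with bounds checks.

    Returns (next_header, header_len, found) where found is
    (password, auth_code, option_offset) or None if no password option is present.
    """
    if len(hbh) < 2:
        raise ValueError("truncated HBH header")
    next_header, hdr_ext_len = hbh[0], hbh[1]
    header_len = (hdr_ext_len + 1) * 8
    if len(hbh) < header_len:
        raise ValueError("HBH header shorter than Hdr Ext Len announces")
    found = None
    i = 2
    while i < header_len:
        opt_type = hbh[i]
        if opt_type == PAD1:
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("option type without length octet")
        opt_len = hbh[i + 1]
        if i + 2 + opt_len > header_len:
            raise ValueError("option data runs past the header")
        data = hbh[i + 2:i + 2 + opt_len]
        if opt_type == APN_PWD_OPTION:
            if not data or 1 + data[0] > len(data):
                raise ValueError("malformed password option")
            pw_len = data[0]
            found = (data[1:1 + pw_len], data[1 + pw_len:], i)
        i += 2 + opt_len
    return next_header, header_len, found


def strip_password(hbh):
    """Zero the password option's data before forwarding; header length is unchanged."""
    _, _, found = parse_hbh(hbh)
    if found is None:
        return hbh
    offset = found[2]
    opt_len = hbh[offset + 1]
    return hbh[:offset + 2] + bytes(opt_len) + hbh[offset + 2 + opt_len:]
```

Keeping the option's type and length while zeroing its data means the forwarded packet keeps the same header length, so no downstream length fields need rewriting; a parser at the application server then sees an empty password rather than the original value.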
Further, in order to prevent the password information from being tampered with or stolen by other applications, the authentication code carrying unit 705 is configured to calculate an authentication code for the password information using the shared key, and carry the authentication code in the header of the IPv6 data packet.
As one embodiment, the manner of calculating the authentication code for the password information using the shared key may include, but is not limited to, SHA (Secure Hash Algorithm)-1, SHA-2, SHA-3, MD5 (Message-Digest Algorithm 5), and the like.
The authentication code carrying unit 705 may be further configured to obtain a shared key preset in the application client, or obtain the shared key from the operator server.
As a preferred application scenario, the application client may temporarily register the user for non-contracts.
According to another embodiment, a data message transmission device is provided. Fig. 8 shows a schematic block diagram of a data message transmission device according to an embodiment. The device can be arranged at the operator server to perform the functions of the operator server in the above embodiments. As shown in fig. 8, the apparatus 800 includes a password allocation unit 801 and an information synchronization unit 802, and may further include a key transmission unit 803 and an information maintenance unit 804. The main functions of each constituent unit are as follows:
the password allocation unit 801 is configured to allocate password information to the application client according to the network demand information registered by the application.
As a preferred embodiment, the password allocation unit 801 may hash the network demand information registered by the application to generate the password information.
Other ways than this preferred embodiment are also possible, for example the password allocation unit 801 may maintain a password pool. When password information is to be allocated to an application client, one currently unoccupied piece of password information is selected from the pool as the password information allocated to that client, and the correspondence between the password information and the network demand information registered by the application client is maintained. In this way, password information allocated to clients can be aged and reclaimed: password information that is no longer used by the application client, or that has passed its validity period, is returned to the password pool.
For the same application, the password assignment unit 801 may assign a plurality of password information thereto. That is, when there is more than one network requirement for an application, the password allocation unit 801 may allocate different password information for different network requirements, respectively.
An information synchronizing unit 802 configured to synchronize the password information and the corresponding network requirement information to the application aware node.
Wherein the password information is preset in an installation package of the application client, or is sent to the application client by the password allocation unit 801.
A key sending unit 803 configured to send the shared key to the application client and the application aware node.
As one embodiment, all registered applications may use the same shared key, in which case the application aware node only needs to record the shared key.
As a preferred embodiment, the key sending unit 803 may assign different shared keys for different applications. In this case, the key transmission unit 803 may maintain a correspondence between the shared key and the application identification information and transmit the correspondence to the application aware node. The information synchronization unit 802 is further configured to send the correspondence between the password information and the application identification information to the application aware node, so that the application aware node can also maintain the correspondence between the application identification information and the password information, thereby knowing the legal application of the password information.
The information maintenance unit 804 is configured to delete the corresponding relationship between the password information and the network requirement information if the password information reaches the preset valid time, and synchronize the corresponding relationship with the application aware node by the information synchronization unit 802.
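The password-pool variant of the password allocation unit 801, together with the aging, reclaim and deletion synchronization of the information maintenance unit 804 and the per-requirement allocation of several passwords to one application, as an added example that is not part of the patent. The pool contents, the clock values and the interpretation of the "preset valid time" as a time-to-live in seconds are constructed assumptions:

```python
import collections
from dataclasses import dataclass


@dataclass
class Lease:
    app_id: str
    demand: str
    expires_at: int  # assumption: the patent's preset valid time modelled as a TTL


class PasswordPool:
    """Operator-side pool of unoccupied password values with aging and reclaim."""

    def __init__(self, passwords):
        self.free = collections.deque(passwords)  # currently unoccupied values
        self.leases = {}                          # password -> Lease

    def allocate(self, app_id, demand, now, ttl):
        # One unoccupied password per registered network requirement; an
        # application with several requirements receives several passwords.
        if not self.free:
            raise RuntimeError("password pool exhausted")
        password = self.free.popleft()
        self.leases[password] = Lease(app_id, demand, now + ttl)
        return password

    def snapshot(self):
        """Correspondences synchronized to the application aware node."""
        return {pw: (lease.app_id, lease.demand) for pw, lease in self.leases.items()}

    def expire(self, now):
        """Delete correspondences past their valid time and reclaim the passwords."""
        expired = [pw for pw, lease in self.leases.items() if lease.expires_at <= now]
        for pw in expired:
            del self.leases[pw]
            self.free.append(pw)  # back into the pool for later reuse
        return expired  # the deletions to synchronize to the aware node


class AwareNodeTable:
    """Aware-node copy of the correspondences, updated by synchronized deletions."""

    def __init__(self, snapshot):
        self.table = dict(snapshot)

    def apply_deletions(self, passwords):
        for pw in passwords:
            self.table.pop(pw, None)

    def resolve(self, password, app_id):
        """Network demand for a password, only if it is bound to the sending app."""
        entry = self.table.get(password)
        if entry is None or entry[0] != app_id:
            return None
        return entry[1]


def run_demo():
    """Constructed scenario: two passwords for one app, one of which expires."""
    pool = PasswordPool([b"P%03d" % n for n in range(1, 4)])  # constructed pool of 3
    p1 = pool.allocate("app-A", "low-latency", now=0, ttl=3600)
    p2 = pool.allocate("app-A", "best-effort", now=0, ttl=60)
    node = AwareNodeTable(pool.snapshot())
    before = (node.resolve(p1, "app-A"), node.resolve(p2, "app-A"),
              node.resolve(p2, "app-B"))
    reclaimed = pool.expire(now=120)        # p2 has passed its valid time
    node.apply_deletions(reclaimed)         # aware node drops the correspondence
    after = (node.resolve(p1, "app-A"), node.resolve(p2, "app-A"))
    pool.allocate("app-B", "best-effort", now=120, ttl=60)  # takes the next free value
    return {"before": before, "after": after, "reclaimed": reclaimed,
            "free": list(pool.free)}
```

Reclaimed values are appended to the back of the queue, so a password that has just expired is not the next one handed out; that gives in-flight messages carrying the old value time to be rejected at the aware node before the value is bound to a different application.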
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2-4.
According to an embodiment of yet another aspect, there is also provided a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, implements the method described in connection with fig. 2-4.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.

Claims (12)

1. A data message transmission method, applied to an application sensing node, wherein the application sensing node stores password information and corresponding network demand information synchronized to it by an operator server; the method comprising the following steps:
the application perception node receives an IPv6 data message from an application client; the message header of the IPv6 data message does not carry application information indicating network demand information;
acquiring password information carried in a message header of the IPv6 data message;
forwarding the IPv6 data message by utilizing the network requirement corresponding to the password information;
the password information is distributed to the application client by the operator server according to the network requirement of the application, and is generated after hash processing is carried out on the network requirement information of the application or is selected from unoccupied password information in a password pool.
2. The method of claim 1, wherein before forwarding the IPv6 data packet using the network requirement corresponding to the password information, further comprising:
acquiring a cyclic redundancy check code carried in the IPv6 data message;
and carrying out an integrity check on the IPv6 data message by using the cyclic redundancy check code, and if the check is passed, continuing to forward the IPv6 data message using the network requirement corresponding to the password information.
3. The method of claim 1, the method further comprising:
if the password information exceeds the validity period, deleting the corresponding relation between the password information and the network demand information;
or,
and receiving the corresponding relation between the deleted password information and the network demand information synchronized by the service end of the operator, and deleting the corresponding relation between the deleted password information and the network demand information from the application sensing node.
4. The method of claim 1, wherein forwarding the IPv6 data message comprises:
forwarding the IPv6 data message by adopting a routing strategy corresponding to the network demand;
and/or,
and after the password information is removed from the IPv6 data message, forwarding the IPv6 data message from which the password information is removed.
5. The data message transmission method is applied to the application client and comprises the following steps:
the application client determines password information corresponding to the network demand according to the network demand of the application service;
carrying the password information in a message header of an IPv6 data message;
sending the IPv6 data message to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network demand information;
the password information is pre-distributed by the operator server according to the network requirement, and is generated after hash processing is carried out on the applied network requirement information or is selected from unoccupied password information in a password pool.
6. The method of claim 5, further comprising, prior to sending the IPv6 data message to an application aware node:
generating a cyclic redundancy check code of the IPv6 data message;
and carrying the cyclic redundancy check code in the IPv6 data message.
7. The data message transmission method is applied to an operator server and comprises the following steps:
The operator server distributes password information for the application client according to the network demand information registered by the application; the password information is generated after hash processing is carried out on the applied network demand information, or is selected from unoccupied password information in a password pool;
synchronizing the password information and the corresponding network demand information to an application sensing node;
the application client determines password information corresponding to the network demand according to the network demand of the application service; carrying the password information in a message header of an IPv6 data message; sending the IPv6 data message to an application sensing node; and the message header of the IPv6 data message does not carry application information indicating network demand information.
8. The method of claim 7, further comprising: and if the password information reaches the preset effective time, deleting the corresponding relation between the password information and the network demand information by the operator server side, and synchronizing the corresponding relation to an application sensing node.
9. A data message transmission device, arranged at an application sensing node, wherein the application sensing node stores password information and corresponding network demand information synchronized to it by an operator server; the device comprising:
A first receiving unit configured to receive an IPv6 data message from an application client; the message header of the IPv6 data message does not carry application information indicating network demand information;
the password acquisition unit is configured to acquire password information carried in a message header of the IPv6 data message;
the forwarding processing unit is configured to forward the IPv6 data message by utilizing the network requirement corresponding to the password information;
the password information is distributed to the application client by the operator server according to the network requirement of the application, and is generated after hash processing is carried out on the network requirement information of the application or is selected from unoccupied password information in a password pool.
10. The data message transmission device is arranged at an application client, and comprises:
a password determination unit configured to determine password information corresponding to a network requirement of an application service according to the network requirement;
the password carrying unit is configured to carry the password information in a message header of the IPv6 data message;
the message sending unit is configured to send the IPv6 data message to an application sensing node; the message header of the IPv6 data message does not carry application information indicating network demand information;
The password information is pre-distributed by the operator server according to the network requirement, and is generated after hash processing is carried out on the applied network requirement information or is selected from unoccupied password information in a password pool.
11. The transmission device of the data message, set up in the service end of the operator, the device includes:
the password distribution unit is configured to distribute password information to the application client according to the network demand information registered by the application; the password information is generated after hash processing is carried out on the applied network demand information, or is selected from unoccupied password information in a password pool;
an information synchronization unit configured to synchronize the password information and the corresponding network demand information to an application aware node;
the application client determines password information corresponding to the network requirement according to the network requirement of the application service; carrying the password information in a message header of an IPv6 data message; sending the IPv6 data message to an application sensing node; and the message header of the IPv6 data message does not carry application information indicating network demand information.
12. A computing device comprising a memory and a processor, wherein the memory has executable code stored therein, which when executed by the processor, implements the method of any of claims 1-8.
CN202210638671.5A 2020-12-18 2020-12-18 Data message transmission method and device Active CN115189913B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210638671.5A CN115189913B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011506176.6A CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device
CN202210638671.5A CN115189913B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202011506176.6A Division CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Publications (2)

Publication Number Publication Date
CN115189913A CN115189913A (en) 2022-10-14
CN115189913B true CN115189913B (en) 2024-01-05

Family

ID=75317254

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202011506176.6A Active CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device
CN202210638671.5A Active CN115189913B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202011506176.6A Active CN112637183B (en) 2020-12-18 2020-12-18 Data message transmission method and device

Country Status (1)

Country Link
CN (2) CN112637183B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115442298A (en) * 2021-06-04 2022-12-06 华为技术有限公司 Message forwarding method, device and communication network
CN114363196B (en) * 2022-01-17 2023-09-19 中国人民解放军国防科技大学 Network service quality guarantee method based on active application perception
CN116346492B (en) * 2023-04-18 2024-05-14 浙江御安信息技术有限公司 APNv 6-based data security management method

Citations (8)

Publication number Priority date Publication date Assignee Title
WO2007033542A1 (en) * 2005-09-20 2007-03-29 Huawei Technologies Co., Ltd. A method for testing the network capability and the device thereof
WO2012139283A1 (en) * 2011-04-12 2012-10-18 华为技术有限公司 Method and appratus for address allocation
EP2887246A1 (en) * 2013-12-20 2015-06-24 Orange Method to share content with an untrusted device
CN109905473A (en) * 2019-02-21 2019-06-18 厦门理工学院 It is a kind of that system and method is monitored based on the IPv6 and PM2.5 of context aware
CN109951297A (en) * 2019-03-12 2019-06-28 中南民族大学 A kind of identity authorization system and its register method, login method of the reservation privacy of user towards big data
CN111368232A (en) * 2020-02-28 2020-07-03 北京达佳互联信息技术有限公司 Password sharing reflux method and device, electronic equipment and storage medium
CN111835692A (en) * 2019-04-22 2020-10-27 中国信息通信研究院 Information distribution management system and method
CN112019433A (en) * 2019-05-29 2020-12-01 华为技术有限公司 Message forwarding method and device

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
EP1830537A1 (en) * 2006-03-02 2007-09-05 Agilent Technologies, Inc. Communications system, mobile node apparatus, and method of performing a handover
US9847977B2 (en) * 2007-06-29 2017-12-19 Microsoft Technology Licensing, Llc Confidential mail with tracking and authentication
CN102448145B (en) * 2010-09-30 2014-06-25 华为技术有限公司 Method, device and system for transmitting priority alarm information
US8832238B2 (en) * 2011-09-12 2014-09-09 Microsoft Corporation Recording stateless IP addresses
US11153305B2 (en) * 2018-06-15 2021-10-19 Canon U.S.A., Inc. Apparatus, system and method for managing authentication with a server

Non-Patent Citations (3)

Title
Demo Abstract: APN6: Application-aware IPv6 Networking;Shuping Peng;IEEE INFOCOM 2020 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS);全文 *
基于"IPv6+"的应用感知网络(APN6);何林;况鹏;王士诚;刘莹;李星;彭书萍;;电信科学(第08期);全文 *
基于"IPV6+"的智能IP网络方案;王晨曦;电信科学,第08期;全文 *

Also Published As

Publication number Publication date
CN112637183A (en) 2021-04-09
CN115189913A (en) 2022-10-14
CN112637183B (en) 2022-07-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant