CN115225333B - TSN encryption method and system based on software definition

Info

Publication number: CN115225333B
Authority: CN (China)
Prior art keywords: encryption, tsn, integrated, switch, service flow
Legal status: Active
Application number: CN202210715890.9A
Other languages: Chinese (zh)
Other versions: CN115225333A (en)
Inventors: 陈南洋, 王宏, 杨玉发, 陈东, 陈岩, 谢卫, 胡贵, 吴海涛, 梁文婷
Current Assignee: CETC 30 Research Institute
Original Assignee: CETC 30 Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Abstract

The invention discloses a software-defined TSN encryption method and system, which belongs to the field of time-sensitive networks and comprises the following steps: S1, establishing a secure tunnel connection between a software-defined TSN controller and an integrated TSN encryption switch, and issuing the planned service flow configuration parameters from the software-defined TSN controller to the integrated TSN encryption switch; S2, the integrated TSN encryption switch receives the service flow configuration parameters issued by the software-defined TSN controller, parses them and configures them into each functional module in the switch. The invention meets data security requirements while preserving the determinism and low-latency requirements of time-sensitive traffic.

Description

TSN encryption method and system based on software definition
Technical Field
The invention relates to the field of time sensitive networks, in particular to a TSN encryption method and system based on software definition.
Background
Time-Sensitive Networking (TSN) is widely used in industrial sites, intelligent driving and 5G forwarding networks because it can guarantee the determinism and low latency that time-sensitive traffic requires. To protect data, the current security measure is to use the MACsec encryption mechanism at the link layer of the TSN network, which provides confidentiality, integrity, authenticity and replay protection between the MAC layers of device ports in the same LAN.
Providing secure data transmission in a time-sensitive network through hop-by-hop encryption based on the Ethernet link-layer MACsec technology has the following problems:
(1) With the MACsec encryption mechanism, hop-by-hop encryption across multiple nodes (more than 2) adds accumulated encryption delay to time-sensitive flows, and the plaintext present at intermediate nodes after decryption creates a risk of sensitive information leakage;
(2) The MACsec encryption mechanism encrypts a fixed Ethernet payload and cannot flexibly define encryption of the IP payload, TCP/UDP payload or a custom payload of a message. Time-sensitive service flows therefore cannot be distinguished, identified and classified at fine granularity, so queue priority scheduling cannot be performed;
(3) Embedding a SecTag security tag in the Ethernet header, as the MACsec encryption mechanism does, introduces additional overhead.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a software-defined TSN encryption method and system that meet data security requirements while ensuring the determinism and low-latency requirements of time-sensitive traffic.
The invention achieves this through the following scheme:
A software-defined TSN encryption method, comprising the steps of:
S1, establishing a secure tunnel connection between a software-defined TSN controller and an integrated TSN encryption switch, and issuing the planned service flow configuration parameters from the software-defined TSN controller to the integrated TSN encryption switch;
S2, the integrated TSN encryption switch receives the service flow configuration parameters issued by the software-defined TSN controller, parses them and configures them into each functional module in the switch.
Further, in step S1, the integrated TSN encryption switch integrally designs an encryption function and a communication function; in step S1, the software defined TSN controller communicates with the integrated TSN encryption switch via a southbound protocol.
Further, in step S1, the method includes the sub-steps of: collecting network topology structure, time sensitive service flow characteristics and network node port connection relation information of an application scene, and planning service flow identification, network paths, actions, a queue scheduling mechanism, queue priority, a gating list and encryption configuration parameters; the encryption configuration parameters include an encryption offset, an encryption algorithm, an encryption mode, an encryption key, an integrity algorithm, and an integrity key.
Further, the flow identifier is used by the integrated TSN encryption switch to map a service flow to its queue priority for scheduling and to identify messages for encryption and decryption; it is planned uniformly by the software-defined TSN controller, and its fields comprise: Ethernet MAC address, Ethernet type, VLAN tag, IP header, TCP/UDP header, or custom multi-tuple information.
Further, in step S2, the method includes the sub-steps of:
protocol stream hop-by-hop encryption workflow: a protocol stream uses the Ethernet type field as its stream identifier; the encryption offset length is 14 bytes for IEEE 802.3 frames and 18 bytes for IEEE 802.1Q frames; the integrated TSN encryption switch first constructs a link-layer protocol stream, encrypts it and transmits the ciphertext to the next node; the next node receives and decrypts the protocol stream ciphertext to obtain the plaintext, then either constructs a response message, encrypts it and sends it to the opposite end, or modifies the plaintext, re-encrypts it and forwards it onward.
Further, in step S2, the method includes the sub-steps of:
the end-to-end encryption workflow of the service flow: the integrated TSN encryption switch completes payload encryption/decryption, integrity calculation, queue priority scheduling and port forwarding according to the flow identifier attributes configured by the software-defined TSN controller; during service flow transmission, according to the transmission direction, the integrated TSN encryption switch that receives a terminal's plaintext is defined as the ingress node, the integrated TSN encryption switch that receives the ciphertext, decrypts it and transmits the plaintext to the terminal is defined as the egress node, and an integrated TSN encryption switch connected to TSN switching nodes at both ends is defined as an intermediate node.
Further, the workflow of the ingress node includes: the ingress node receives the plain text of the terminal service flow, encrypts the plain text and calculates an integrity value according to a configured encryption algorithm, encryption mode, integrity algorithm, an integrity key and encryption offset parameters, adds the integrity value to the tail of the frame, recalculates CRC encapsulation to obtain a new Ethernet frame cipher text, and sends the cipher text to an egress port queue for forwarding according to a planned service egress port path.
Further, the workflow of the intermediate node includes: the intermediate node receives the ciphertext of the service flow, performs no encryption or decryption processing based on the configured direct forwarding rule, and sends the ciphertext directly to the output port queue for forwarding according to the planned service egress port path.
Further, the workflow of the egress node includes: the egress node receives the service flow ciphertext, calculates the integrity value of the ciphertext according to the configured encryption algorithm, encryption mode, integrity algorithm, integrity key and encryption offset parameters, compares it with the received integrity value and removes it if they match, decrypts the ciphertext to obtain the plaintext, recalculates the CRC encapsulation to obtain a new Ethernet frame plaintext, and sends the plaintext to the output port queue of the connected terminal for forwarding according to the planned service egress port path.
A TSN encryption system based on software definition, comprising the encryption method as set forth in any one of the above, further comprising a software-defined TSN controller, an integrated TSN encryption switch and a real-time terminal;
the software defined TSN controller is used as a centralized control center of the TSN network, establishes a secure tunnel with the integrated TSN encryption switch, sends configuration management information to the integrated TSN encryption switch through configuration security management protocol, and receives information reported by the integrated TSN encryption switch to perform real-time sensing and state presentation;
the integrated TSN encryption switch is a switch designed for integrating encryption and communication, receives configuration management information issued by a software defined TSN controller through a configuration management protocol agent and completes local configuration, realizes time synchronization, queue scheduling, flow control and data encryption and decryption among nodes, and reports equipment state, port statistics and network topology information of the nodes to the software defined TSN controller;
and the real-time terminal is in communication connection with the integrated TSN encryption switch.
The beneficial effects of the invention include:
The invention is based on a new approach to TSN encryption, software definition, whose flexible networking and encryption characteristics allow network planning and encryption planning at coarse or fine granularity as needed; by combining hop-by-hop encryption with end-to-end encryption, the accumulated delay introduced by encrypting service flows at every hop is avoided, and queue-priority-based scheduling during service flow transmission is not affected; the invention minimizes the encryption delay added to time-sensitive service flows while securing the time-sensitive network, and thus meets the security, determinism and low-latency requirements of industrial applications to the greatest extent.
Addressing the delay accumulation caused by link-layer payload encryption under the MACsec hop-by-hop mechanism in current TSN networks, the embodiment of the invention preserves the determinism and low-latency requirements of time-sensitive service flows by dividing data flows into protocol flows (link-layer protocols such as PTP and LLDP) and service flows, where protocol flows use hop-by-hop encryption and service flows use end-to-end encryption.
Aiming at the problem that the SecTag security tag overhead is increased by MACsec technology, the embodiment of the invention adopts a security tag-free mechanism for encryption.
Aiming at the problem of the MACsec mechanism fixed encryption Ethernet load, the embodiment of the invention flexibly defines the encryption load offset through software, thereby effectively ensuring that each node can still finish queue priority scheduling based on the service flow characteristics of fine granularity in the hop-by-hop transmission process of the service flow.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is a schematic diagram of a software-defined based TSN encryption system;
FIG. 2 is a schematic diagram of an IEEE 802.3 standard encryption package;
FIG. 3 is a schematic diagram of an IEEE 802.1Q standard encryption package;
FIG. 4 is a flow chart of steps of a method according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the drawings and examples. All of the features disclosed in all of the embodiments of this specification, or all of the steps in any method or process disclosed implicitly, except for the mutually exclusive features and/or steps, may be combined and/or expanded and substituted in any way.
The embodiment of the invention provides a TSN encryption method and system based on software definition, which realize a flexible TSN encryption mechanism and system framework, and can ensure the certainty of time-sensitive flow and low delay requirements while meeting the data security.
In terms of system architecture, as shown in fig. 1, the labels 1 and 2 in the figure represent port 1 and port 2 of the switch, respectively. The system of the embodiment mainly comprises a software-defined TSN controller and an integrated TSN encryption switch; the software-defined TSN controller and the real-time terminal equipment are connected into the time-sensitive network through the integrated TSN encryption switch.
Software-defined TSN controller: the software-defined TSN controller is the centralized control center of the TSN network. It establishes a secure tunnel with the integrated TSN encryption switch, transmits configuration management information such as the flow identifier, transmission queue, cryptographic resource, encryption algorithm, encryption mode, encryption offset and action (encryption forwarding, decryption forwarding, direct forwarding, local, discard) to the integrated TSN encryption switch through a configuration security management protocol (NETCONF, REST API or other protocols may be used), and receives information reported by the integrated TSN encryption switch for real-time sensing and state presentation.
Integrated TSN encryption switch: the integrated TSN encryption switch is designed with encryption and communication integrated; it receives the configuration management information issued by the software-defined TSN controller through a configuration management protocol agent, completes the local configuration, implements time synchronization, queue scheduling, flow control, data encryption and decryption and other functions between nodes, and reports the node's equipment state, port statistics, network topology and other information to the software-defined TSN controller.
Software-defined flow identifier: the flow identifier is used by the integrated TSN encryption switch to map a service flow to its queue priority for scheduling and to identify messages for encryption and decryption; it is planned uniformly by the software-defined TSN controller, and the following fields of the data message can serve as the flow identifier: Ethernet MAC address (destination MAC, source MAC), Ethernet type, VLAN tag (PRI, VID), IP header (TOS, protocol number, source IP address, destination IP address), TCP/UDP header (source port, destination port), or a custom field.
Encryption encapsulation format: as shown in fig. 3, the encryption encapsulation format is based on the encryption offset of the software-defined flow identifier, which determines where in the payload encryption starts and is defined flexibly by the software-defined TSN controller. The payload may be a link-layer payload, an IP payload, a TCP/UDP payload or a custom payload. The payload is encrypted from the start position given by the encryption offset; the integrity calculation covers the destination MAC, source MAC, Ethernet type and so on through to the payload ciphertext, and the resulting integrity value ICV is placed at the tail of the frame. The encryption encapsulation format is shown in fig. 2.
Encryption flow table: the encryption flow table is used to match flows to operations such as queue mapping and encryption, and is the main configuration content issued by the software-defined TSN controller to the integrated TSN encryption switch. An encryption flow table entry contains the flow identifier label, the action, the out-port, queue, GCL, and cipher-related configuration parameters such as crypt-enable, crypt-offset, crypt-alg, crypt-key, integrity-alg and integrity-key. The main parameters of the encryption flow table are as follows:
label: a flow identifier supporting the combination of multi-element information of fields such as Ethernet address, ethernet type, VLAN label, IP header, TCP/UDP header, user definition and the like;
action: the stream processing mode supports modes such as direct forwarding (encryption and decryption processing is not performed), encryption forwarding (a node receives a plaintext of a terminal for encryption), decryption forwarding (the node decrypts the ciphertext into the plaintext and sends the plaintext to the terminal), local, discarding and the like;
out-port: a stream output port;
queue-mode: a queue scheduling mechanism supporting different streams to use different scheduling mechanisms;
queue-priority: queue priority;
GCL: a gating list;
crypt-enable: whether encryption and integrity verification are enabled; this option is valid only when the action is encryption forwarding, decryption forwarding or local;
crypt-offset: the encryption offset is used for representing a load encryption starting position, and the offset length is calculated from the Ethernet head starting position;
crypt-alg: an encryption algorithm;
crypt-key: an encryption key;
crypt-mode: an encryption mode;
integrity-alg: an integrity algorithm;
integrity-key: an integrity key.
Regarding the workflow of the software-defined TSN encryption system, its work is divided into two parts: one in the software-defined TSN controller and the other in the integrated TSN encryption switch. The specific working procedure is as follows:
(1) Software defined TSN controller workflow
Collecting information such as network topology structure, time sensitive service flow characteristics (sending period, message length, time delay upper bound and the like) of an application scene, network node port connection relation and the like;
a secure tunnel (SSL and other modes) is established between the software-defined TSN controller and the integrated TSN encryption switch, and communication is realized through a southbound protocol (Openflow, NETCONF and the like);
planning the identification of a service flow, a network path, an action, a queue scheduling mechanism, a queue priority, GCL, and encryption related configuration parameters such as encryption offset, an encryption algorithm, an encryption mode, an encryption key, an integrity algorithm, an integrity key and the like;
and issuing the planned service flow configuration parameters to the integrated TSN encryption switch.
(2) Integrated TSN encryption switch workflow
The integrated TSN encryption switch receives the configuration parameters issued by the software defined TSN controller, analyzes the configuration parameters and configures the configuration parameters to each functional module in the switch. The integrated TSN encryption switch works in two processing modes of hop-by-hop encryption of protocol streams and end-to-end encryption of service streams.
1) Protocol stream hop-by-hop encryption workflow
The protocol stream is based on the ethernet type field as a stream identification, and the encryption offset length in the IEEE 802.3 standard is 14 bytes, and the encryption offset length in the IEEE 802.1Q standard is 18 bytes.
The integrated TSN encryption switch firstly constructs a link layer protocol stream (LLDP, PTP, etc.), encrypts the protocol stream and transmits the encrypted protocol stream to the next node. The next node receives the protocol stream ciphertext and decrypts the protocol stream ciphertext to obtain a plaintext, and then constructs a response message to encrypt and sends the response message to the opposite terminal, or the response message is modified to encrypt and then is forwarded continuously.
2) End-to-end encryption workflow of service flow
The integrated TSN encryption switch finishes the processing of encryption/decryption, integrity calculation, queue priority scheduling and port forwarding (encryption forwarding, direct forwarding, decryption forwarding and the like) of the load according to the flow identification attribute configured by the software defined TSN controller. For convenience of description, in the process of traffic stream transmission, according to the traffic stream transmission direction, an integrated TSN encryption switch for receiving plaintext of a terminal is defined as an ingress node, an integrated TSN encryption switch for receiving ciphertext and decrypting the ciphertext and transmitting the plaintext to the terminal is defined as an egress node, and an integrated TSN encryption switch with both ends connected with TSN switching nodes is defined as an intermediate node.
Ingress node workflow: the ingress node receives the plaintext of the terminal service flow, encrypts it and calculates an integrity value according to the configured parameters (encryption algorithm, encryption mode, integrity algorithm, integrity key, encryption offset and so on), appends the integrity value to the tail of the frame, recalculates the CRC encapsulation to obtain a new Ethernet frame ciphertext, and sends the ciphertext to the egress port queue for forwarding according to the planned service egress port path.
Intermediate node workflow: the intermediate node receives the ciphertext of the service flow, performs no encryption or decryption processing based on the configured direct forwarding rule, and sends the ciphertext directly to the output port queue for forwarding according to the planned service egress port path.
Egress node workflow: the egress node receives the service flow ciphertext, calculates the integrity value of the ciphertext according to the configured parameters (encryption algorithm, encryption mode, integrity algorithm, integrity key, encryption offset and so on), compares it with the received integrity value and removes it if they match, decrypts the ciphertext to obtain the plaintext, recalculates the CRC (cyclic redundancy check) encapsulation to obtain a new Ethernet frame plaintext, and sends the plaintext to the output port queue of the connected terminal for forwarding according to the planned service egress port path.
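The encryption flow table parameters listed above and the ingress / intermediate / egress node workflows just described, as an added worked example in Python; this is not the patent's or CETC's own implementation. It assumes an HMAC-SHA256 counter-mode keystream standing in for the configured crypt-alg and crypt-mode, a truncated HMAC-SHA256 as the ICV, constructed keys and a constructed 802.1Q/IPv4/UDP frame, and, because the tag-free encapsulation carries no sequence number, a per-flow counter `seq` that both ends are assumed to agree on out of band.

```python
import hmac, hashlib, struct, zlib
from dataclasses import dataclass

ICV_LEN = 16      # integrity value (ICV) appended at the frame tail
ETH_HDR = 14      # IEEE 802.3 header: dst MAC + src MAC + EtherType
VLAN_HDR = 18     # IEEE 802.1Q header: 802.3 header + 4-byte VLAN tag

@dataclass
class FlowEntry:              # one encryption flow table entry (simplified)
    label: dict               # flow identifier fields that must all match
    action: str               # encrypt_forward | decrypt_forward | direct_forward | drop
    out_port: int
    queue_priority: int
    crypt_offset: int         # payload encryption start, counted from the Ethernet header
    crypt_key: bytes = b""
    integrity_key: bytes = b""

def parse_fields(frame: bytes) -> dict:
    """Extract the multi-tuple fields the controller may plan as a flow label."""
    f = {"dst_mac": frame[0:6], "src_mac": frame[6:12]}
    eth_type, off = struct.unpack("!H", frame[12:14])[0], ETH_HDR
    if eth_type == 0x8100:                              # 802.1Q tagged frame
        tci = struct.unpack("!H", frame[14:16])[0]
        f["pri"], f["vid"] = tci >> 13, tci & 0x0FFF
        eth_type, off = struct.unpack("!H", frame[16:18])[0], VLAN_HDR
    f["eth_type"] = eth_type
    if eth_type == 0x0800 and len(frame) >= off + 20:  # IPv4 header fields
        f["tos"], f["proto"] = frame[off + 1], frame[off + 9]
        f["src_ip"], f["dst_ip"] = frame[off + 12:off + 16], frame[off + 16:off + 20]
    return f

def match(table: list, frame: bytes):                   # first entry whose label matches, else None
    fields = parse_fields(frame)
    for e in table:
        if all(fields.get(k) == v for k, v in e.label.items()):
            return e
    return None

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a stand-in for crypt-alg/crypt-mode."""
    blocks = [hmac.new(key, struct.pack("!QQ", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _fcs(body: bytes) -> bytes:                         # Ethernet FCS: CRC-32, little-endian
    return struct.pack("<I", zlib.crc32(body))

def ingress(frame: bytes, e: FlowEntry, seq: int) -> bytes:
    """Ingress node: encrypt from crypt-offset, ICV over header+ciphertext, re-encapsulate."""
    body = frame[:-4]                                   # drop the old FCS
    header, payload = body[:e.crypt_offset], body[e.crypt_offset:]
    ct = _xor(payload, _keystream(e.crypt_key, seq, len(payload)))
    icv = hmac.new(e.integrity_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    new_body = header + ct + icv
    return new_body + _fcs(new_body)

def egress(frame: bytes, e: FlowEntry, seq: int):
    """Egress node: verify the ICV in constant time, strip it, decrypt, re-encapsulate."""
    body = frame[:-4]
    if len(body) < e.crypt_offset + ICV_LEN:
        return None
    header, ct, icv = body[:e.crypt_offset], body[e.crypt_offset:-ICV_LEN], body[-ICV_LEN:]
    expect = hmac.new(e.integrity_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None                                     # integrity failure: drop the frame
    new_body = header + _xor(ct, _keystream(e.crypt_key, seq, len(ct)))
    return new_body + _fcs(new_body)

def process(frame: bytes, table: list, seq: int):
    """Switch pipeline: classify, apply the entry's action, return (frame, out_port, priority)."""
    e = match(table, frame)
    if e is None or e.action == "drop":
        return None, None, None
    if e.action == "encrypt_forward":
        out = ingress(frame, e, seq)
    elif e.action == "decrypt_forward":
        out = egress(frame, e, seq)
    else:                                               # direct_forward: intermediate node
        out = frame
    return out, e.out_port, e.queue_priority

# Constructed sample: an 802.1Q-tagged (PRI 5, VID 10) IPv4/UDP frame and the one-entry table
# planned for it. crypt-offset 38 = 18-byte 802.1Q header + 20-byte IPv4 header, so only the
# IP payload is encrypted and every node on the path can still classify on the IP fields.
KEY, IKEY = b"constructed-crypt-key", b"constructed-integrity-key"
LABEL = {"vid": 10, "eth_type": 0x0800, "proto": 17, "dst_ip": bytes([10, 0, 0, 2])}

def sample_frame() -> bytes:
    hdr = bytes.fromhex("0200000000020200000000018100") + struct.pack("!H", (5 << 13) | 10) + b"\x08\x00"
    ip = bytes.fromhex("450000240000400040110000") + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    body = hdr + ip + struct.pack("!HHHH", 5000, 5001, 16, 0) + b"sensor=1"
    return body + _fcs(body)

def sample_table(action: str) -> list:
    return [FlowEntry(LABEL, action, 2, 5, 38, KEY, IKEY)]
```

Running the frame through the three node roles shows that the header up to and including the IPv4 fields stays in the clear, so the intermediate node classifies the ciphertext frame into the same queue as the plaintext. A tampered ciphertext fails the ICV and is dropped, whereas a counter mismatch passes the ICV and yields garbage plaintext, which is the price of a tag-free encapsulation.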
The embodiment of the invention designs the encryption and communication integrally, and reduces the interface conversion time delay introduced by the Ethernet interface conversion compared with independent encryption equipment.
The embodiment of the invention configures encryption parameters such as an encryption algorithm, an encryption mode, encryption offset and the like of the integrated TSN encryption switch based on the software defined TSN controller, and has good dynamic property, flexibility and orchestration.
The embodiment of the invention designs an encryption mechanism suitable for combining hop-by-hop encryption with end-to-end encryption of the TSN time-sensitive network, protocol flows adopt hop-by-hop encryption, service flows adopt end-to-end encryption, the accumulated time delay of the hop-by-hop encryption of the service flows can be reduced, and the sensitive information leakage risk caused by decrypting the service flows into plaintext at intermediate nodes can be reduced;
the embodiment of the invention takes the multi-element information such as an Ethernet MAC address (destination MAC, source MAC), an Ethernet type, a VLAN label (PRI, VID), an IP header (TOS, protocol number, source IP address, destination IP address), a TCP/UDP header (source port, destination port) or a custom field as a flow identifier, combines encryption offset parameters, realizes the division of the coarse granularity and the fine granularity of the service flow, and does not influence the queue priority scheduling of the encrypted service flow in the node transmission process in an end-to-end encryption mode.
Example 1
As shown in fig. 4, a TSN encryption method based on software definition is characterized by comprising the steps of:
s1, establishing a secure tunnel connection between a software defined TSN controller and an integrated TSN encryption switch, and issuing planned service flow configuration parameters to the integrated TSN encryption switch by the software defined TSN controller;
s2, the integrated TSN encryption switch receives the service flow configuration parameters issued by the software defined TSN controller, analyzes the service flow configuration parameters and configures the service flow configuration parameters to each functional module in the switch.
Example 2
On the basis of embodiment 1, in step S1, the integrated TSN encryption switch integrally designs an encryption function and a communication function; in step S1, the software defined TSN controller communicates with the integrated TSN encryption switch via a southbound protocol.
Example 3
On the basis of embodiment 1, in step S1, the sub-steps are included: collecting network topology structure, time sensitive service flow characteristics and network node port connection relation information of an application scene, and planning service flow identification, network paths, actions, a queue scheduling mechanism, queue priority, a gating list and encryption configuration parameters; the encryption configuration parameters include an encryption offset, an encryption algorithm, an encryption mode, an encryption key, an integrity algorithm, and an integrity key.
Example 4
Based on embodiment 3, the flow identifier is used by the integrated TSN encryption switch to map a service flow to its queue priority for scheduling and to identify messages for encryption and decryption; it is planned uniformly by the software-defined TSN controller, and the following fields of the data message can serve as the flow identifier: Ethernet MAC address, Ethernet type, VLAN tag, IP header, TCP/UDP header, or custom multi-tuple information.
Example 5
On the basis of embodiment 1, in step S2, the sub-steps are included:
protocol stream hop-by-hop encryption workflow: the protocol stream is based on the Ethernet type field as a stream identifier, the encryption offset length in the IEEE 802.3 standard is 14 bytes, and the encryption offset length in the IEEE 802.1Q standard is 18 bytes; firstly constructing a link layer protocol stream by utilizing the integrated TSN encryption switch, encrypting the protocol stream and then transmitting the encrypted protocol stream to a next node; the next node receives the protocol stream ciphertext and decrypts the protocol stream ciphertext to obtain a plaintext, and then constructs a response message to encrypt and sends the response message to the opposite terminal, or the response message is continuously forwarded after the plaintext is modified to encrypt.
Example 6
On the basis of embodiment 1, in step S2, the sub-steps are included:
the end-to-end encryption workflow of the service flow: the integrated TSN encryption switch completes payload encryption/decryption, integrity calculation, queue priority scheduling and port forwarding according to the flow identifier attributes configured by the software-defined TSN controller; during service flow transmission, according to the transmission direction, the integrated TSN encryption switch that receives a terminal's plaintext is defined as the ingress node, the integrated TSN encryption switch that receives the ciphertext, decrypts it and transmits the plaintext to the terminal is defined as the egress node, and an integrated TSN encryption switch connected to TSN switching nodes at both ends is defined as an intermediate node.
Example 7
On the basis of embodiment 6, the workflow of the ingress node includes: the ingress node receives the plain text of the terminal service flow, encrypts the plain text and calculates an integrity value according to a configured encryption algorithm, encryption mode, integrity algorithm, an integrity key and encryption offset parameters, adds the integrity value to the tail of the frame, recalculates CRC encapsulation to obtain a new Ethernet frame cipher text, and sends the cipher text to an egress port queue for forwarding according to a planned service egress port path.
Example 8
On the basis of embodiment 6, the workflow of the intermediate node includes: the intermediate node receives the ciphertext of the service flow, performs no encryption or decryption under the configured direct forwarding rule, and sends the ciphertext directly to the output port queue for forwarding along the planned service egress port path.
Example 9
On the basis of embodiment 6, the workflow of the output (egress) node includes: the output node receives the service flow ciphertext, calculates the integrity value of the ciphertext according to the configured encryption algorithm, encryption mode, integrity algorithm, integrity key and encryption offset parameters, compares it with the received integrity value and, if they agree, removes the integrity value, decrypts to obtain the plaintext, recalculates the CRC encapsulation to obtain a new Ethernet frame plaintext, and sends the plaintext to the output port queue of the port connected to the terminal for forwarding along the planned service egress port path.
Example 10
A TSN encryption system based on software definition, comprising the encryption method of any one of embodiments 1 to 9, further comprising a software defined TSN controller, an integrated TSN encryption switch and a real-time terminal;
the software defined TSN controller serves as the centralized control center of the TSN network: it establishes a secure tunnel with the integrated TSN encryption switch, sends configuration management information to the integrated TSN encryption switch through a configuration security management protocol, and receives the information reported by the integrated TSN encryption switch for real-time sensing and state presentation;
the integrated TSN encryption switch is a switch whose encryption and communication functions are designed as one unit; it receives the configuration management information issued by the software defined TSN controller through a configuration management protocol agent and completes local configuration, implements time synchronization, queue scheduling, flow control and data encryption/decryption between nodes, and reports its device state, port statistics and network topology information to the software defined TSN controller;
and the real-time terminal is in communication connection with the integrated TSN encryption switch.
The units involved in the embodiments of the present invention may be implemented in software or in hardware, and the described units may also be provided in a processor. In some cases the names of the units do not constitute a limitation on the units themselves.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The computer instructions are read from the computer-readable storage medium by a processor of a computer device and, when executed by the processor, cause the computer device to perform the methods provided in the various alternative implementations described above.
As another aspect, the present application also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the methods described in the above embodiments.
Parts of the invention not described in detail are the same as, or can be implemented with, the prior art.
The foregoing technical solution is only one embodiment of the present invention; those skilled in the art can easily make various modifications and variations based on the application methods and principles disclosed herein, not limited to the methods described in the foregoing specific embodiments, so the foregoing description is only a preferred embodiment and is not limiting.
In addition to the foregoing examples, those skilled in the art will recognize from the foregoing disclosure that other embodiments can be made and in which various features of the embodiments can be interchanged or substituted, and that such modifications and changes can be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (4)

1. A software-defined-based TSN encryption method, comprising the steps of:
S1, establishing a secure tunnel connection between a software defined TSN controller and an integrated TSN encryption switch, and issuing planned service flow configuration parameters from the software defined TSN controller to the integrated TSN encryption switch; step S1 includes the following sub-steps: collecting the network topology structure, time-sensitive service flow characteristics and network node port connection relation information of the application scenario, and planning the service flow identification, network paths, actions, queue scheduling mechanism, queue priority, gating list and encryption configuration parameters; the encryption configuration parameters comprise an encryption offset, an encryption algorithm, an encryption mode, an encryption key, an integrity algorithm and an integrity key;
S2, the integrated TSN encryption switch receives the service flow configuration parameters issued by the software defined TSN controller, parses them and configures them into each functional module in the switch; step S2 includes the following sub-steps: protocol stream hop-by-hop encryption workflow: the protocol stream uses the Ethernet type field as its stream identifier, the encryption offset is 14 bytes in the IEEE 802.3 standard and 18 bytes in the IEEE 802.1Q standard; the integrated TSN encryption switch first constructs a link-layer protocol stream, encrypts it and transmits the ciphertext to the next node; the next node receives the protocol stream ciphertext and decrypts it to obtain the plaintext, and then either constructs a response message, encrypts it and sends it to the opposite end, or modifies the plaintext, re-encrypts it and forwards it onward; step S2 further includes: the end-to-end encryption workflow of the service flow: the integrated TSN encryption switch performs payload encryption/decryption, integrity calculation, queue priority scheduling and port forwarding according to the flow identification attributes configured by the software defined TSN controller; during service flow transmission, according to the transmission direction of the service flow, the integrated TSN encryption switch that receives a terminal's plaintext is defined as the input node, the integrated TSN encryption switch that receives the ciphertext, decrypts it and delivers the plaintext to the terminal is defined as the output node, and an integrated TSN encryption switch connected at both ends to TSN switching nodes is defined as an intermediate node;
the workflow of the ingress node comprises: the ingress node receives the plaintext of the terminal service flow, encrypts it and calculates an integrity value according to the configured encryption algorithm, encryption mode, integrity algorithm, integrity key and encryption offset parameters, appends the integrity value to the tail of the frame, recalculates the CRC (cyclic redundancy check) encapsulation to obtain a new Ethernet frame ciphertext, and sends the ciphertext to the egress port queue for forwarding along the planned service egress port path;
the workflow of the intermediate node comprises: the intermediate node receives the ciphertext of the service flow, performs no encryption or decryption under the configured direct forwarding rule, and sends the ciphertext directly to the output port queue for forwarding along the planned service egress port path;
the workflow of the outbound node comprises: the output node receives the service flow ciphertext, calculates the integrity value of the ciphertext according to the configured encryption algorithm, encryption mode, integrity algorithm, integrity key and encryption offset parameters, compares it with the received integrity value and, if they agree, removes the integrity value, decrypts to obtain the plaintext, recalculates the CRC encapsulation to obtain a new Ethernet frame plaintext, and sends the plaintext to the output port queue of the port connected to the terminal for forwarding along the planned service egress port path.
2. The software-defined TSN encryption method of claim 1, wherein in step S1 the integrated TSN encryption switch integrates the encryption function and the communication function in a single design, and in step S1 the software defined TSN controller communicates with the integrated TSN encryption switch via a southbound protocol.
3. The TSN encryption method according to claim 1, wherein the flow identifier is used by the integrated TSN encryption switch to map the service flow to queue priority scheduling and to identify the messages to be encrypted and decrypted, is planned uniformly by the software-defined TSN controller, and is taken from the following fields of the data message: Ethernet MAC address, Ethernet type, VLAN tag, IP header, TCP/UDP header, or custom multi-tuple information.
4. A TSN encryption system based on software definition, characterized by comprising the encryption method according to any one of claims 1-3, and further comprising a software-defined TSN controller, an integrated TSN encryption switch and a real-time terminal;
the software defined TSN controller serves as the centralized control center of the TSN network: it establishes a secure tunnel with the integrated TSN encryption switch, sends configuration management information to the integrated TSN encryption switch through a configuration security management protocol, and receives the information reported by the integrated TSN encryption switch for real-time sensing and state presentation;
the integrated TSN encryption switch is a switch whose encryption and communication functions are designed as one unit; it receives the configuration management information issued by the software defined TSN controller through a configuration management protocol agent and completes local configuration, implements time synchronization, queue scheduling, flow control and data encryption/decryption between nodes, and reports its device state, port statistics and network topology information to the software defined TSN controller;
and the real-time terminal is in communication connection with the integrated TSN encryption switch.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210715890.9A CN115225333B (en) 2022-06-23 2022-06-23 TSN encryption method and system based on software definition

Publications (2)

Publication Number Publication Date
CN115225333A (en) 2022-10-21
CN115225333B (en) 2023-05-12

Family

ID=83609295

Country Status (1)

Country Link
CN (1) CN115225333B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant