CN117201075A - Message transmission method and device and message verification method and device - Google Patents

Publication number: CN117201075A
Application number: CN202310956912.5A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 李辉
Current assignee: Shenzhen Huawei Cloud Computing Technology Co ltd
Original assignee: Shenzhen Huawei Cloud Computing Technology Co ltd
Prior art keywords: message, vxlan, information, mac, address
Landscapes: Data Exchanges In Wide-Area Networks (AREA)

Abstract

A message transmission method and device, and a message verification method and device are disclosed. The transmission method comprises: acquiring protection information, which is used to verify the security of a message; obtaining a virtual extensible local area network (VXLAN) message based on the protection information, where the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message and the protection information is located in at least one of the VXLAN encapsulation and the MAC message; and sending the VXLAN message. The security protection capability that would otherwise have to be added by an IPsec tunnel is placed into the VXLAN encapsulation and/or the MAC message of the VXLAN message by this simplified design, so that the IPsec header is simplified, the VXLAN message is not lengthened by an IPsec header, the transmission resource overhead of the VXLAN message is reduced, and the transmission efficiency of the information carried in the VXLAN message is improved.

Description

Message transmission method and device and message verification method and device
Technical Field
The present application relates to the field of network technologies, and in particular, to a method and apparatus for transmitting a message, and a method and apparatus for verifying a message.
Background
The virtual extensible local area network (VXLAN) is a protocol for building an overlay network in cloud and Internet data center (IDC) environments. VXLAN can also be extended across open networks, but doing so introduces security problems.
In the related art, an Internet Protocol Security (IPSec) header is added to the VXLAN packet (i.e., VXLAN over IPSec), and the VXLAN packet is encapsulated in an IPSec tunnel for transmission. The IPSec header carries protection information, and the packet is verified using the protection information in the IPSec header to address the security problem.
However, adding the IPSec header increases the length of the packet, increases the transmission resource overhead, and reduces the transmission efficiency of the information carried in the VXLAN packet.
Disclosure of Invention
The application provides a message transmission method and device, and a message verification method and device, which can reduce the overhead of VXLAN message transmission resources and improve the information transmission efficiency.
In a first aspect, the present application provides a method for transmitting a message. The method comprises the following steps: acquiring protection information, wherein the protection information is used to verify the security of a message; obtaining a virtual extensible local area network (VXLAN) message based on the protection information, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message; and sending the VXLAN message.
In the implementation mode, the security protection capability which is originally required to be enhanced by using the IPsec tunnel is put into the VXLAN encapsulation and/or the MAC message of the VXLAN message through the simplified design, so that the IPsec message header is simplified, the increase of the length of the VXLAN message by the IPsec message header is avoided, the transmission resource cost of the VXLAN message is reduced, and the transmission efficiency of information carried in the VXLAN message is improved.
In an implementation of the present application, the protection information includes at least one of the following: a hash value of address information, a timestamp, a random number, and a device identifier.
Carrying a timestamp and a random number in the protection information can prevent replay attacks.
Carrying the device identifier in the protection information can prevent terminal identity spoofing.
The address information comprises the VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address, and the MAC message destination address. Computing a hash value over this address information can prevent internal address spoofing, external address spoofing, and man-in-the-middle attacks.
Illustratively, the protection information includes the hash value of the address information, the timestamp, the random number, and the device identifier. When all of this information is carried in the protection information, replay attacks, terminal identity spoofing, internal address spoofing, external address spoofing, and man-in-the-middle attacks are all prevented at once.
In other examples, the protection information may include only one, two, or three of the above items.
In an implementation of the present application, the above method is implemented by a VXLAN tunnel endpoint device, such as an access switch of a VXLAN tunnel.
After receiving the MAC message of the terminal, the VXLAN tunnel endpoint equipment performs VXLAN encapsulation on the MAC message to obtain the VXLAN message, and writes the protection information into the VXLAN message during encapsulation.
In an implementation of the application, the VXLAN encapsulation includes an outer MAC header, an outer Internet Protocol (IP) header, an outer User Datagram Protocol (UDP) header, and a VXLAN header; the MAC message includes an inner MAC header, an inner IP header, and a payload. The MAC header is also referred to as an Ethernet header.
Here, the VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address, and the MAC message destination address each refer to a source IP address or a destination IP address.
VXLAN packets based on VXLAN encapsulation are typically used in cross-domain service interconnection scenarios, that is, to build a Layer 3 virtual private network (VPN) rather than a Layer 2 VPN. Therefore, the present application can redefine some Layer 2 protocol fields to carry its protection information.
In some possible implementations of the present application, the protection information is located entirely in the internal MAC header.
The inner MAC header includes a 2-byte protocol type field and a 12-byte address field. The 2-byte protocol type field cannot be used to carry protection information; the 12-byte address field can.
Illustratively, the 12 bytes of the address field are filled with the protection information: the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identifier is 5 bytes.
In this implementation, the protection information is carried in the 12-byte address field of the inner MAC header, so that an existing field of the VXLAN message carries the protection information.
In other possible implementations of the application, one portion of the protection information is located in the inner MAC header and another portion is located in the reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, the 12 bytes of the address field are filled with one portion of the protection information, and the 4-byte reserved field is filled with the other portion.
In this case the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identifier is 8 bytes.
In this implementation, the protection information is carried in the 12-byte address field of the inner MAC header together with the 4-byte reserved field of the VXLAN header, so that existing fields of the VXLAN message carry the protection information.
In some scenarios, the reserved field in the VXLAN header is redefined for other purposes, for example, redefined for identifying a different tenant type in a cloud scenario, where the reserved field in the VXLAN header cannot be used to carry protection information, and only the address field in the internal MAC header can be used to carry protection information. In other scenarios, the reserved field in the VXLAN header is not redefined, and at this time, the address field in the internal MAC header and the reserved field in the VXLAN header may be used to carry protection information together. In this scenario, the reserved field in the VXLAN header may be used alone to carry the protection information, but the length of the protection information is shorter at this time, so that less information can be carried.
In some examples, the protection information is encrypted data, i.e., ciphertext; for example, the protection information is encrypted and then written into the VXLAN message. In other examples, the protection information may also be plaintext.
In some examples, the protection information may be encrypted with a block cipher algorithm. In other examples, other encryption algorithms may be used.
For the aforementioned 12-byte protection information, a block cipher with a 4-byte block may be used to encrypt the hash value of the address information, the timestamp, the random number, and the device identifier, yielding the protection information.
For the aforementioned 16-byte protection information, a block cipher with a 4-byte block may be used to encrypt the hash value of the address information, the timestamp, the random number, and the device identifier, yielding the protection information. Alternatively, a block cipher with an 8-byte block may be used for the same purpose.
When the protection information is encrypted, the encrypting end and the decrypting end must use the same key; in the implementation of the application, the key may be distributed uniformly by the network control center.
Illustratively, the method further comprises:
receiving a key sent by the network control center, wherein the key is used for encryption.
Using a key distributed by the network control center ensures that the same key is used for encryption and decryption, so that encrypted protection information can be verified at the receiving end.
In an implementation of the present application, the network control center is also responsible for time synchronization in addition to distributing keys.
Illustratively, the method further comprises:
receiving synchronization information sent by the network control center, wherein the synchronization information comprises a timestamp and a random number.
Using the timestamp distributed by the network control center ensures that the sending end and the receiving end use the same timestamp, so that the protection information can be verified at the receiving end.
In a second aspect, the present application provides a method for message verification. The method comprises the following steps: receiving a virtual extensible local area network (VXLAN) message, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and at least one of the VXLAN encapsulation and the MAC message comprises protection information used to verify the security of the message; acquiring the protection information from the VXLAN message; and verifying the VXLAN message based on the protection information.
In an implementation of the present application, the above method is implemented by a VXLAN tunnel endpoint device, such as an access switch of a VXLAN tunnel.
Illustratively, the protection information includes at least one of the following:
a hash value of address information, a timestamp, a random number, and a device identifier;
where the address information comprises the VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address, and the MAC message destination address.
In one possible implementation, the MAC message includes an inner MAC header in which the protection information is located entirely.
Illustratively, the inner MAC header includes a 2-byte protocol type field and a 12-byte address field, and the 12 bytes of the address field are filled with the protection information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identifier is 5 bytes.
Illustratively, acquiring the protection information from the VXLAN message includes:
acquiring the encrypted protection information from the VXLAN message and decrypting it with a block cipher with a 4-byte block to obtain the protection information.
In another possible implementation, the MAC message includes an inner MAC header, one portion of the protection information is located in the inner MAC header, and another portion is located in the reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, the inner MAC header includes a 2-byte protocol type field and a 12-byte address field; the 12 bytes of the address field are filled with one portion of the protection information and the 4-byte reserved field is filled with the other portion;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identifier is 8 bytes.
Illustratively, acquiring the protection information from the VXLAN message includes:
acquiring the encrypted protection information from the VXLAN message and decrypting it with a block cipher with a 4-byte block or an 8-byte block to obtain the protection information.
Optionally, the method further comprises:
receiving a key sent by the network control center, wherein the key is used for decryption.
Optionally, the method further comprises:
receiving synchronization information sent by the network control center, wherein the synchronization information comprises a timestamp and a random number.
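The following is an added worked example (not code from the patent or from the assignee) that runs both sides described in the first and second aspects: the sender packs the 12-byte protection information (hash 4 | timestamp 2 | random 1 | device id 5), encrypts it with a 4-byte-block cipher, and writes it into the 12-byte address field of the inner MAC header of a VXLAN packet; the receiver extracts it, decrypts it, recomputes the hash over the four address fields, and checks the synchronized timestamp and random number and the device identifier. Everything not stated in the text is an assumption and is marked as such in the comments: the hash is SHA-256 truncated to 4 bytes, the "4-byte block cipher" is a toy 32-bit Feistel placeholder (illustrative only, not secure), checksums are left zero, and the receiver accepts any (timestamp, random number) pair in a set of currently valid synchronization values.

```python
import hashlib
import struct

# Header sizes from RFC 7348 (VXLAN over UDP/IPv4/Ethernet): the inner Ethernet
# header starts at byte 50, so its 12-byte address field occupies bytes 50..61.
INNER_ETH_OFF = 14 + 20 + 8 + 8
VXLAN_PORT = 4789


def ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def address_hash(tun_src, tun_dst, inner_src, inner_dst):
    # 4-byte hash over tunnel src/dst and inner src/dst IP addresses.
    # Assumption: SHA-256 truncated to 4 bytes; the patent names no hash function.
    data = b"".join(ipv4(a) for a in (tun_src, tun_dst, inner_src, inner_dst))
    return hashlib.sha256(data).digest()[:4]


def _feistel_f(half, subkey):
    # Toy 16-bit round function, a placeholder for the unnamed "4-byte block
    # cipher" of the text. Illustrative only, not a secure cipher.
    x = ((half ^ subkey) * 0x9E37 + 0x79B9) & 0xFFFF
    return ((x << 5) | (x >> 11)) & 0xFFFF


def _subkeys(key, rounds=8):
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:2], "big")
            for i in range(rounds)]


def block4_encrypt(block, key):
    l, r = struct.unpack(">HH", block)
    for k in _subkeys(key):
        l, r = r, l ^ _feistel_f(r, k)
    return struct.pack(">HH", l, r)


def block4_decrypt(block, key):
    l, r = struct.unpack(">HH", block)
    for k in reversed(_subkeys(key)):
        l, r = r ^ _feistel_f(l, k), l
    return struct.pack(">HH", l, r)


def encrypt_protection(plain, key):
    # 12 bytes = three 4-byte blocks, each encrypted independently.
    return b"".join(block4_encrypt(plain[i:i + 4], key) for i in range(0, len(plain), 4))


def decrypt_protection(cipher, key):
    return b"".join(block4_decrypt(cipher[i:i + 4], key) for i in range(0, len(cipher), 4))


def pack_protection(addr_hash, timestamp, nonce, device_id):
    # 12-byte layout from the text: hash 4 | timestamp 2 | random 1 | device id 5.
    if len(addr_hash) != 4 or len(device_id) != 5:
        raise ValueError("bad field length")
    return addr_hash + struct.pack(">HB", timestamp & 0xFFFF, nonce & 0xFF) + device_id


def unpack_protection(buf):
    return buf[:4], struct.unpack(">H", buf[4:6])[0], buf[6], buf[7:12]


def _ipv4_header(src, dst, total_len):
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags, TTL,
    # protocol UDP, checksum left zero (constructed, not a real checksum).
    return bytes([0x45, 0]) + struct.pack(">HHHBBH", total_len, 0, 0, 64, 17, 0) + ipv4(src) + ipv4(dst)


def build_vxlan_packet(tun_src, tun_dst, inner_src, inner_dst, vni, payload, protection):
    # Inner Ethernet: the 12-byte address field is replaced by the (encrypted)
    # protection information; the 2-byte EtherType (IPv4) is kept untouched.
    inner = protection + b"\x08\x00" + _ipv4_header(inner_src, inner_dst, 20 + len(payload)) + payload
    vxlan = bytes([0x08, 0, 0, 0]) + struct.pack(">I", vni << 8)  # I flag, VNI, reserved byte
    udp = struct.pack(">HHHH", 49152, VXLAN_PORT, 8 + 8 + len(inner), 0)
    outer_ip = _ipv4_header(tun_src, tun_dst, 20 + len(udp) + 8 + len(inner))
    outer_eth = bytes(range(12)) + b"\x08\x00"  # constructed outer MAC addresses
    return outer_eth + outer_ip + udp + vxlan + inner


def protect_and_encapsulate(tun_src, tun_dst, inner_src, inner_dst, vni, payload, key, sync, device_id):
    # Sender side (first aspect): build, encrypt and embed the protection information.
    ts, nonce = sync
    plain = pack_protection(address_hash(tun_src, tun_dst, inner_src, inner_dst), ts, nonce, device_id)
    return build_vxlan_packet(tun_src, tun_dst, inner_src, inner_dst, vni, payload,
                              encrypt_protection(plain, key))


def verify_vxlan_packet(pkt, key, accepted_sync, known_devices):
    # Receiver side (second aspect): extract, decrypt, recompute the address hash,
    # then check the synchronized timestamp/random number and the device id.
    dotted = lambda b: ".".join(str(x) for x in b)
    tun_src, tun_dst = dotted(pkt[26:30]), dotted(pkt[30:34])
    inner_ip = pkt[INNER_ETH_OFF + 14:]
    inner_src, inner_dst = dotted(inner_ip[12:16]), dotted(inner_ip[16:20])
    field = pkt[INNER_ETH_OFF:INNER_ETH_OFF + 12]
    h, ts, nonce, dev = unpack_protection(decrypt_protection(field, key))
    if h != address_hash(tun_src, tun_dst, inner_src, inner_dst):
        return False, "address hash mismatch (spoofed or altered address)"
    if (ts, nonce) not in accepted_sync:
        return False, "timestamp/nonce not current (possible replay)"
    if dev not in known_devices:
        return False, "unknown device identifier"
    return True, "ok"
```

Because the hash binds the outer tunnel addresses and the inner IP addresses together, changing any of the four addresses in transit makes the recomputed hash differ from the decrypted one, while a packet captured under an earlier synchronization period fails the timestamp/nonce check. Since each 4-byte block is encrypted independently, identical plaintext blocks give identical ciphertext blocks; a real deployment would pick the block cipher and mode with that in mind.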
In a third aspect, the present application provides a message transmission apparatus. The apparatus comprises:
an acquisition unit, configured to acquire protection information, wherein the protection information is used to verify the security of a message;
a processing unit, configured to obtain a virtual extensible local area network (VXLAN) message based on the protection information, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message;
and a sending unit, configured to send the VXLAN message.
Illustratively, the protection information includes at least one of the following:
a hash value of address information, a timestamp, a random number, and a device identifier;
where the address information comprises the VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address, and the MAC message destination address.
In one possible implementation, the MAC message includes an inner MAC header in which the protection information is located entirely.
Illustratively, the inner MAC header includes a 2-byte protocol type field and a 12-byte address field, and the 12 bytes of the address field are filled with the protection information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identifier is 5 bytes.
Illustratively, the acquisition unit is configured to encrypt the hash value of the address information, the timestamp, the random number, and the device identifier with a block cipher with a 4-byte block, so as to obtain the protection information.
In another possible implementation, the MAC message includes an inner MAC header, one portion of the protection information is located in the inner MAC header, and another portion is located in the reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, the inner MAC header includes a 2-byte protocol type field and a 12-byte address field; the 12 bytes of the address field are filled with one portion of the protection information and the 4-byte reserved field is filled with the other portion;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identifier is 8 bytes.
Illustratively, the acquisition unit is configured to encrypt the hash value of the address information, the timestamp, the random number, and the device identifier with a block cipher with a 4-byte block or an 8-byte block, so as to obtain the protection information.
Optionally, the apparatus further comprises:
a receiving unit, configured to receive a key sent by the network control center, wherein the key is used for encryption.
Optionally, the apparatus further comprises:
a receiving unit, configured to receive synchronization information sent by the network control center, wherein the synchronization information comprises a timestamp and a random number.
In a fourth aspect, the present application provides a message verification apparatus. The apparatus comprises:
a receiving unit, configured to receive a virtual extensible local area network (VXLAN) message, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and at least one of the VXLAN encapsulation and the MAC message comprises protection information used to verify the security of the message;
an acquisition unit, configured to acquire the protection information from the VXLAN message;
and a processing unit, configured to verify the VXLAN message based on the protection information.
Illustratively, the protection information includes at least one of the following:
a hash value of address information, a timestamp, a random number, and a device identifier;
where the address information comprises the VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address, and the MAC message destination address.
In one possible implementation, the MAC message includes an inner MAC header in which the protection information is located entirely.
Illustratively, the inner MAC header includes a 2-byte protocol type field and a 12-byte address field, and the 12 bytes of the address field are filled with the protection information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identifier is 5 bytes.
The acquisition unit is configured to acquire the encrypted protection information from the VXLAN message and decrypt it with a block cipher with a 4-byte block to obtain the protection information.
In another possible implementation, the MAC message includes an inner MAC header, one portion of the protection information is located in the inner MAC header, and another portion is located in the reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, the inner MAC header includes a 2-byte protocol type field and a 12-byte address field; the 12 bytes of the address field are filled with one portion of the protection information and the 4-byte reserved field is filled with the other portion;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identifier is 8 bytes.
The acquisition unit is configured to acquire the encrypted protection information from the VXLAN message and decrypt it with a block cipher with a 4-byte block or an 8-byte block to obtain the protection information.
Optionally, the receiving unit is further configured to receive a key sent by the network control center, wherein the key is used for decryption.
Optionally, the receiving unit is further configured to receive synchronization information sent by the network control center, wherein the synchronization information comprises a timestamp and a random number.
In a fifth aspect, a network device is provided. The network device includes a processor and a memory. The memory is used for storing software programs and modules. The processor implements the method of the first aspect or any of the possible implementation manners of the first aspect, or implements the method of the second aspect or any of the possible implementation manners of the second aspect, by running or executing a software program and/or a module stored in the memory.
Optionally, the processor is one or more, and the memory is one or more.
Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation, the memory may be a non-transitory memory, for example a read-only memory (ROM), which may be integrated on the same chip as the processor or may be placed on a different chip.
In a sixth aspect, a computer program product is provided. The computer program product comprises computer program code which, when run by a computer, causes the computer to perform the method of the first aspect or any of its possible implementations, or the method of the second aspect or any of its possible implementations.
In a seventh aspect, the present application provides a computer-readable storage medium for storing program code for execution by a processor, the program code comprising instructions for implementing the method of the first aspect or any of its possible implementations, or the method of the second aspect or any of its possible implementations.
In an eighth aspect, a chip is provided, comprising a processor for calling and executing instructions stored in a memory, so that a network device on which the chip is installed performs the method of the first aspect or any of its possible implementations, or the method of the second aspect or any of its possible implementations.
In a ninth aspect, another chip is provided. This chip comprises an input interface, an output interface, a processor, and a memory, connected through an internal connection path. The processor is configured to execute code in the memory which, when executed, performs the method of the first aspect or any of its possible implementations, or the method of the second aspect or any of its possible implementations.
In a tenth aspect, a message transmission system is provided, comprising an apparatus according to the third aspect or any of its possible implementations and an apparatus according to the fourth aspect or any of its possible implementations.
Drawings
Fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present application;
Fig. 2 is a flowchart of a message transmission method according to an embodiment of the present application;
Fig. 3 is a flowchart of a message verification method according to an embodiment of the present application;
Fig. 4 is a flowchart of a message transmission method according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a protection information processing procedure according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a protection information processing procedure according to an embodiment of the present application;
Fig. 7 is a block diagram of a message transmission apparatus according to an embodiment of the present application;
Fig. 8 is a block diagram of a message verification apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
In order to facilitate understanding of the technical solution provided by the embodiments of the present application, first, a system structure of the present application is described.
Fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present application. Referring to fig. 1, the system architecture includes an organization 10 and a network 20.
Illustratively, the organization 10 may be a virtual machine, a server, a virtualized server, other devices, or virtualized devices, and the organization 10 may also be a virtual local area network (virtual local area network, VLAN) or other network.
Illustratively, the network 20 may be an IP network, and the network 20 is an underlying (infrastructure) network in the system architecture. The network 20 comprises a service access component 21 and a network control component 22. A VXLAN tunnel is established between the service access components 21, and the service access components 21 are connected to the organization 10 and the network control component 22.
In some possible implementations, the service access component 21 may be a VXLAN tunnel endpoint (VTEP) device, i.e., an access switch for VXLAN tunnels, which may be a top-of-rack (ToR) switch. The VTEP device is an edge device of the VXLAN network and is the start point and end point of the VXLAN tunnel: for example, an original data frame sent by the source device is encapsulated into a VXLAN-format packet on the VTEP, transferred to another VTEP across the IP network, restored by decapsulation, and finally forwarded to the destination device. In this implementation, in addition to the functions just described, the VTEP device encrypts and decrypts the protection information, writes the protection information into the VXLAN message, checks the integrity of the VXLAN message, and performs security verification of the VXLAN message based on the protection information.
In other possible implementations, the service access component 21 may be a newly added network device that is connected to and interacts with the VTEP device, and that encrypts and decrypts the protection information, writes the protection information into the VXLAN message, checks the integrity of the VXLAN message, and performs security verification of the VXLAN message based on the protection information.
The network control component 22 may be a network control center, i.e., a network controller, which is a network-wide management center deployed in the cloud. The network control component is the control medium between the service management system and the network infrastructure (the VTEP devices) and implements unified management and control of the whole overlay network. In an implementation of the present application, the network control component 22 is also responsible for periodically distributing timestamps and keys to the service access components 21 deployed throughout the network.
Illustratively, the network 20 may use a three-tier network architecture or a leaf-spine network architecture; the application is not limited in this regard.
The system architecture provided by the embodiment of the application can be an overlay network built with the VXLAN protocol in an untrusted environment, for example a cross-regional network built on the Internet or on a cloud backbone. The embodiment of the application addresses the security risk faced by VXLAN in an open network without increasing the message length and without affecting the normal interaction of protocols.
Fig. 2 is a flowchart of a message transmission method according to an embodiment of the present application. The method may be performed by the service access component 21 shown in fig. 1. As shown in fig. 2, the method includes the following steps.
S101: and obtaining protection information.
The protection information is used for verifying the safety of the message.
S102: and obtaining the virtual extensible local area network VXLAN message based on the protection information.
The VXLAN message comprises a VXLAN encapsulation and a media control access MAC message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message.
S103: and sending the VXLAN message.
According to the method provided by the embodiment of the application, the VXLAN encapsulation and/or the MAC message of the VXLAN message is put into the VXLAN encapsulation and/or the MAC message of the VXLAN message through the simplified design, so that the IPsec message header is simplified, the length of the VXLAN message is prevented from being increased by the IPsec message header, the transmission resource cost of the VXLAN message is reduced, and the transmission efficiency of information carried in the VXLAN message is improved.
Fig. 3 is a flowchart of a message authentication method according to an embodiment of the present application. The method may be performed by the service access component 21 shown in fig. 1. As shown in fig. 3, the method includes the following steps.
S201: and receiving the virtual extensible local area network VXLAN message.
The VXLAN message comprises a VXLAN encapsulation and a media control access MAC message, and at least one of the VXLAN encapsulation and the MAC message comprises protection information which is used for verifying the safety of the message.
S202: and obtaining the protection information in the VXLAN message.
S203: and verifying the VXLAN message based on the protection information.
According to the method provided by the embodiment of the application, the protection information is carried in the VXLAN encapsulation and/or the MAC message of the VXLAN message, so that the IPsec message header is simplified, the increase of the length of the VXLAN message by the IPsec message header is avoided, the transmission resource overhead of the VXLAN message is reduced, and the transmission efficiency of the information carried in the VXLAN message is improved.
Fig. 4 is a flowchart of a message transmission method according to an embodiment of the present application. The method may be performed by the service access component 21 and the network control component 22 shown in fig. 1, for example, by a first VTEP device, which is a tunnel ingress device, a second VTEP device, which is a tunnel egress device, and the network control center in one packet transmission direction. As shown in fig. 4, the method includes the following steps.
S300: the first VTEP device receives the MAC message.
For example, the first VTEP device receives a MAC message sent by the connected virtual machine.
S301: the network control center transmits the key and the synchronization information. The first VTEP device and the second VTEP device receive the key and the synchronization information.
Wherein the synchronization information includes a time stamp and a random number.
In one implementation, the key and the synchronization information are transmitted simultaneously. In another implementation, the key and the synchronization information are transmitted separately.
Step S301 is performed periodically, and steps S300 and S301 have no fixed order: step S300 may be performed before step S301, or step S301 may be performed before step S300.
S302: the first VTEP device acquires the protection information based on the MAC message and the synchronization information.
In an implementation of the present application, the guard information includes at least one of the following information: hash value of address information, timestamp, random number and device identification.
Wherein, the protection information carries a time stamp and adds a random number, which can prevent replay attack.
The device identifier is carried in the protection information, so that terminal identity spoofing can be prevented.
The address information comprises a VXLAN tunnel source address, a VXLAN tunnel destination address, an MAC message source address and an MAC message destination address. By adopting the address information to calculate the hash value, internal address spoofing, external address spoofing and man-in-the-middle attack can be prevented.
The VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address and the MAC message destination address are all IP addresses: the tunnel addresses are the source and destination IP addresses of the outer IP header, and the MAC message addresses are the source and destination IP addresses of the inner IP header.
Illustratively, the guard information includes a hash value of the address information, a timestamp, a random number, and a device identification. Meanwhile, all the information is carried in the protection information, so that the effects of preventing replay attack, preventing terminal identity spoofing, preventing internal address spoofing, preventing external address spoofing and preventing man-in-the-middle attack can be achieved simultaneously.
In other examples, the guard information may also include only one, two, or three of the above information.
In the implementation mode of the application, the first VTEP device obtains the timestamp from the synchronization information and adds the random number; the first VTEP device obtains a device sequence code or other terminal identifier from the MAC message as the device identifier, or obtains a local software certificate identifier or other local hardware identifier as the device identifier; the first VTEP device obtains the source address and destination address of the MAC message from the MAC message and the source address and destination address of the VXLAN tunnel from the VXLAN tunnel, and performs a hash operation over the tunnel source address, the tunnel destination address, the MAC message source address and the MAC message destination address to obtain the hash value of the address information.
S303: the first VTEP device encrypts the guard information based on the key.
In one example, the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identification is 5 bytes.
The code definition of the 12-byte protection information is as follows:
#include <stdint.h>
struct guard_info_12 {
    uint32_t address_hashcode;   /* 4-byte hash value of the address information */
    uint16_t timestamp;          /* 2-byte timestamp from the synchronization information */
    uint8_t  random;             /* 1-byte random number */
    char     device_id[5];       /* 5-byte device identifier */
};
where address_hashcode := hash(outer.srcip, outer.dstip, inner.srcip, inner.dstip)
In another example, the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identification is 8 bytes.
The code definition of the 16-byte protection information is as follows:
#include <stdint.h>
struct guard_info_16 {
    uint32_t address_hashcode;   /* 4-byte hash value of the address information */
    uint16_t timestamp;          /* 2-byte timestamp from the synchronization information */
    uint16_t random;             /* 2-byte random number */
    char     device_id[8];       /* 8-byte device identifier */
};
where address_hashcode := hash(outer.srcip, outer.dstip, inner.srcip, inner.dstip)
In some examples, the protection information may be encrypted using a block cipher algorithm. A block cipher algorithm divides the plaintext into a plurality of equal-length blocks and encrypts and decrypts each block using a fixed algorithm and a symmetric key. The block cipher algorithm can be the advanced encryption standard (AES) or the triple data encryption standard (3DES) algorithm.
In other examples, other encryption algorithms may be employed to encrypt the guard information.
For the aforementioned 12-byte guard information, a 4-byte block cipher algorithm may be used to encrypt the hash value, the timestamp, the random number, and the device identifier of the address information, to obtain the guard information.
For the aforementioned 16-byte guard information, a 4-byte block cipher algorithm may be used to encrypt the hash value, the timestamp, the random number, and the device identifier of the address information, to obtain the guard information. Or, encrypting the hash value, the time stamp, the random number and the equipment identifier of the address information by adopting an 8-byte block cipher algorithm to obtain the protection information.
S304: the first VTEP device obtains the VXLAN message based on the encrypted protection information and the MAC message.
In order to understand the VXLAN message of the present application, the structure of the VXLAN message is described first:
the structure of the VXLAN message is shown in table 1 below, and the VXLAN encapsulation includes an external MAC Header (Outer MAC Header), an external IP Header (Outer IP Header), an external UDP Header (Outer UDP Header), and a VXLAN Header (VXLAN Header), and the MAC message includes an internal MAC Header (Inner MAC Header), an internal IP Header (Inner IP Header), and a Payload (Payload). The MAC header is also referred to as an Ethernet (Ethernet) header.
TABLE 1
Outer MAC Header Outer IP Header Outer UDP Header VXLAN Header Inner MAC Header Inner IP Header Payload
Table 2 shows an external MAC header including a destination MAC address (MAC DA), a source MAC address (MAC SA), an 802.1Q Tag (802.1Q Tag), and an Ethernet Type (Ethernet Type).
TABLE 2
MAC DA MAC SA 802.1Q Tag Ethernet Type
The MAC DA is the MAC address of the next hop: the first VTEP device looks up its routing table by the destination VTEP address, and the next-hop IP address found in the routing table maps to this MAC address. The MAC SA is the MAC address of the first VTEP device. The 802.1Q Tag is an optional field carrying the VLAN tag of the message.
Table 3 shows an external IP header, which includes at least a Protocol (Protocol), a source IP address (IP SA), and a destination IP address (IP DA).
TABLE 3
…… Protocol …… IP SA IP DA
The source IP address is the IP address of the local VTEP of the VXLAN tunnel (the first VTEP device). The destination IP address is the IP address of the remote VTEP of the VXLAN tunnel (the second VTEP device). If the underlay network is an IPv4 network, the IP addresses are IPv4 addresses; if the underlay network is an IPv6 network, the IP addresses are IPv6 addresses.
Table 4 shows an external UDP header, including a Source Port number (Source Port), a destination Port number (Dest Port), a UDP Length (UDP Length), and a UDP Checksum (UDP Checksum).
TABLE 4
Source Port Dest Port UDP Length UDP Checksum
The source port number is a value calculated by hashing the inner message. The destination port number is 4789.
Table 5 shows the VXLAN header, which includes the VXLAN flags, the reserved fields (Reserved), and the VXLAN network identifier (VNI).
TABLE 5
VXLAN flags Reserved VNI Reserved
The VXLAN flags field is 8 bits long with the value 00001000. The VXLAN network identifier is 24 bits long and distinguishes VXLAN segments. The VXLAN header includes 2 reserved fields, 24 bits and 8 bits long, i.e., 4 bytes in total, with a default value of 0.
Table 6 shows an internal MAC header including a destination MAC address (Dest MAC), a source MAC address (Src MAC), and a protocol Type (Type).
TABLE 6
Dest MAC Src MAC Type
The length of the destination MAC address and the source MAC address is 6 bytes, and the total length is 12 bytes. The protocol type is 2 bytes in length.
VXLAN messages are typically used to implement a cross-domain service interconnection scenario, that is, to construct a Layer 3 VPN rather than a Layer 2 VPN. Therefore, the present application can redefine some of the Layer 2 protocol fields to carry the protection information of the present application.
In some possible implementations of the present application, the protection information is located entirely in the internal MAC header.
The internal MAC header includes a 2-byte protocol type field and a 12-byte address field (including two parts of a destination MAC address and a source MAC address), where the 2-byte protocol type field cannot be used to carry guard information, and the 12-byte address field can be used to carry 12-byte guard information.
As shown in fig. 5, the hash value of the 32-bit address information, the 16-bit time stamp, the 8-bit random number, and the 40-bit device identification are encrypted by a block cipher algorithm to obtain 96-bit encrypted guard information, and are filled into a 48-bit destination MAC address (MAC DA) and a 48-bit source MAC address (MAC SA) field.
In this implementation, the protection information is carried in the 12-byte address field of the inner MAC header, so that the protection information is carried by an existing field of the VXLAN message without adding to its length.
In other possible implementations of the application, a portion of the guard information is located in the internal MAC header and another portion of the guard information is located in a reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, 12 bytes of the address field are used to populate one portion of the guard information, and 4 bytes of the field are reserved for populating another portion of the guard information. That is, the address field and the reserved field together carry 16 bytes of guard information.
As shown in fig. 6, the hash value of the 32-bit address information, the 16-bit time stamp, the 16-bit random number, and the 64-bit device identification are encrypted by a block cipher algorithm to obtain 128-bit encrypted guard information, which is filled into a 32-bit reserved field, a 48-bit destination MAC address (MAC DA), and a 48-bit source MAC address (MAC SA) field.
In this implementation, the protection information is carried in the 12-byte address field of the inner MAC header together with the 4-byte reserved field of the VXLAN header, so that the protection information is carried by existing fields of the VXLAN message without adding to its length.
In some scenarios, the reserved field in the VXLAN header is redefined for other purposes, for example, redefined for identifying a different tenant type in a cloud scenario, where the reserved field in the VXLAN header cannot be used to carry protection information, and only the address field in the internal MAC header can be used to carry protection information. In other scenarios, the reserved field in the VXLAN header is not redefined, and at this time, the address field in the internal MAC header and the reserved field in the VXLAN header may be used to carry protection information together. In this scenario, the reserved field in the VXLAN header may be used alone to carry the protection information, but the length of the protection information is shorter at this time, so that less information can be carried.
S305: the first VTEP device sends VXLAN messages. The second VTEP device receives VXLAN messages.
S306: the second VTEP device obtains the encrypted protection information in the VXLAN message.
The second VTEP device obtains encrypted protection information from a preset field in the VXLAN message.
In one case, the second VTEP device obtains 12 bytes of encrypted guard information from the address field of the internal MAC header in the VXLAN message.
In another case, the second VTEP device obtains 12 bytes of encrypted guard information from an address field of an internal MAC header in the VXLAN message, and obtains 4 bytes of encrypted guard information from a reserved field of the VXLAN header in the VXLAN message, to obtain a total of 16 bytes of encrypted guard information.
S307: the second VTEP device decrypts the encrypted guard information based on the key.
In one case, the encrypted guard information is 12 bytes, and the 4-byte block cipher algorithm is adopted to decrypt the encrypted guard information to obtain the guard information.
In another case, the encrypted guard information is 16 bytes, and the 4-byte block cipher algorithm or the 8-byte block cipher algorithm is adopted to decrypt the encrypted guard information, so as to obtain the guard information.
S308: the second VTEP device validates the VXLAN message based on the protection information.
When the protection information comprises the hash value of the address information, the timestamp, the random number and the device identifier at the same time, the second VTEP device verifies each of the hash value, the timestamp, the random number and the device identifier; when all of them pass, the message verification is determined to pass, and otherwise the message verification is determined to fail.
Timestamp and random number: the second VTEP device compares whether the timestamp (random number) received from the network control center is consistent with the timestamp (random number) in the protection information; if so, verification passes, otherwise verification fails. Replay attacks can be prevented by verifying the timestamp and the added random number.
Device identifier: the second VTEP device verifies whether the device identifier is a legal device identifier; if so, verification passes, otherwise verification fails. Terminal authentication and authorization are realized by verifying the device identifier, so that terminal identity spoofing can be prevented.
Hash value of the address information: the second VTEP device obtains the VXLAN tunnel source address, the VXLAN tunnel destination address, the MAC message source address and the MAC message destination address in the same way as the first VTEP device, calculates the hash value, and compares whether the calculated hash value is consistent with the hash value in the protection information; if so, verification passes, otherwise verification fails. By verifying the hash value of the address information, internal address spoofing, external address spoofing and man-in-the-middle attacks can be prevented.
By verifying these items, the effects of preventing replay attacks, terminal identity spoofing, internal address spoofing, external address spoofing and man-in-the-middle attacks can be achieved at the same time. In addition, when the protection information passes verification, the integrity of the message is verified.
S309: and when the verification is passed, the second VTEP equipment transmits the MAC message in the VXLAN message.
For example, the second VTEP device decapsulates the VXLAN message to obtain an MAC message, and then forwards the MAC message according to the internal IP header thereof.
And when the verification fails, the second VTEP device discards the VXLAN message.
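As an added example (not code from the patent), the following Go program carries out steps S302 to S304 on the ingress VTEP and S306 to S309 on the egress VTEP for the 16-byte layout of fig. 6: the address hash, timestamp, random number and device identifier are packed, encrypted with an 8-byte block cipher (3DES from Go's standard library) and placed into the VXLAN reserved fields and the inner MAC DA/SA, then recovered and checked at the egress. The hash function (truncated SHA-256), the order in which the two reserved fields are filled, the key, the synchronization values, the device identifier and the addresses are all assumptions constructed here.

```go
package main

import (
	"crypto/des"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Constructed sample values (not from the patent) standing in for what the control center distributes in S301.
var (
	sampleKey  = []byte("0123456789abcdef01234567") // 24-byte 3DES key
	syncStamp  = uint16(0x1a2b)                     // timestamp in the synchronization information
	syncRandom = uint16(0x3c4d)                     // random number in the synchronization information
	devID      = [8]byte{'V', 'T', 'E', 'P', '-', '0', '0', '1'}
	allowedIDs = map[[8]byte]bool{devID: true} // legal device identifiers known to the egress VTEP
)

// Packet keeps only the fields the scheme reads or overwrites.
type Packet struct {
	OuterSrc, OuterDst, InnerSrc, InnerDst net.IP // outer and inner IP header addresses
	VXLANHeader                            [8]byte  // flags | reserved(3) | VNI(3) | reserved(1)
	InnerMAC                               [14]byte // MAC DA(6) | MAC SA(6) | type(2)
}

// addrHash: hash of outer and inner src/dst addresses; truncated SHA-256 is an assumption (the page names no hash).
func addrHash(p *Packet) uint32 {
	h := sha256.New()
	for _, ip := range []net.IP{p.OuterSrc, p.OuterDst, p.InnerSrc, p.InnerDst} {
		h.Write(ip.To16())
	}
	return binary.BigEndian.Uint32(h.Sum(nil)[:4])
}

// cryptBlocks: 8-byte block cipher (3DES, one of the two the page names) applied block by block; the page names no mode.
func cryptBlocks(key, in []byte, encrypt bool) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	op := blk.Decrypt
	if encrypt {
		op = blk.Encrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blk.BlockSize() {
		op(out[i:], in[i:i+blk.BlockSize()])
	}
	return out, nil
}

// Protect (steps S302 to S304, ingress VTEP): build the 16-byte protection information (4+2+2+8), encrypt it, and
// place it as in fig. 6: 4 bytes into the two reserved VXLAN fields (assumed order: 3-byte field first), then MAC DA, MAC SA.
func Protect(p *Packet, key []byte, ts, rnd uint16, dev [8]byte) error {
	plain := make([]byte, 16)
	binary.BigEndian.PutUint32(plain[0:4], addrHash(p))
	binary.BigEndian.PutUint16(plain[4:6], ts)
	binary.BigEndian.PutUint16(plain[6:8], rnd)
	copy(plain[8:16], dev[:])
	enc, err := cryptBlocks(key, plain, true)
	if err != nil {
		return err
	}
	copy(p.VXLANHeader[1:4], enc[0:3])
	p.VXLANHeader[7] = enc[3]
	copy(p.InnerMAC[0:12], enc[4:16])
	return nil
}

// Verify (steps S306 to S308, egress VTEP): nil means the MAC message may be forwarded (S309),
// an error means the VXLAN message is discarded.
func Verify(p *Packet, key []byte, ts, rnd uint16, allowed map[[8]byte]bool) error {
	enc := append([]byte{}, p.VXLANHeader[1:4]...)
	enc = append(enc, p.VXLANHeader[7])
	plain, err := cryptBlocks(key, append(enc, p.InnerMAC[0:12]...), false)
	if err != nil {
		return err
	}
	var dev [8]byte
	copy(dev[:], plain[8:16])
	switch {
	case binary.BigEndian.Uint16(plain[4:6]) != ts || binary.BigEndian.Uint16(plain[6:8]) != rnd:
		return errors.New("timestamp or random number mismatch (replay)")
	case !allowed[dev]:
		return errors.New("device identifier not legal (identity spoofing)")
	case binary.BigEndian.Uint32(plain[0:4]) != addrHash(p):
		return errors.New("address hash mismatch (address spoofing or tampering)")
	}
	return nil
}

// samplePacket is a constructed VXLAN message: flags 0x08, VNI 100, documentation addresses.
func samplePacket() Packet {
	return Packet{
		OuterSrc: net.ParseIP("192.0.2.1"), OuterDst: net.ParseIP("198.51.100.2"),
		VXLANHeader: [8]byte{0x08, 0, 0, 0, 0, 0, 100, 0},
		InnerSrc: net.ParseIP("10.0.0.5"), InnerDst: net.ParseIP("10.0.1.7"),
	}
}

func main() {
	p := samplePacket()
	fmt.Println(Protect(&p, sampleKey, syncStamp, syncRandom, devID), Verify(&p, sampleKey, syncStamp, syncRandom, allowedIDs))
}
```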
The VXLAN message from the first VTEP device to the second VTEP device needs to be securely verified, and correspondingly, the VXLAN message from the second VTEP device to the first VTEP device needs to be securely verified, and the transmission and verification processes are the same.
In the embodiment of the application, when the VXLAN message is adopted for service interaction, the protection information is carried from the initial endpoint of the tunnel to the final endpoint of the tunnel, the VXLAN message is subjected to security check at the final endpoint of the tunnel, and only the message passing the security check can be continuously subjected to service processing, otherwise, the message is directly discarded, so that the purpose of secure transmission is achieved.
In the embodiment of the application, when the method is executed by the tunnel endpoint devices, cross-region secure and efficient transmission in an open or unreliable network can be achieved by redefining simple protocol fields at the tunnel endpoints, without modifying any other infrastructure of the existing network except the tunnel endpoints. Functions such as replay attack prevention, terminal authentication and authorization are realized.
Fig. 7 is a block diagram of a message transmission device according to an embodiment of the present application. The message transmitting means may be implemented as all or part of a network device (e.g. a VTEP device) by software, hardware or a combination of both. The message transmission device may include: an acquisition unit 401, a processing unit 402, and a transmission unit 403.
The acquiring unit 401 is configured to acquire protection information, where the protection information is used to verify security of the message;
The processing unit 402 is configured to obtain a virtual extensible local area network (VXLAN) message based on the protection information, where the VXLAN message includes a VXLAN encapsulation and a media access control (MAC) message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message;
and a sending unit 403, configured to send the VXLAN message.
Illustratively, the guard information includes at least one of the following:
hash value of address information, timestamp, random number and equipment identification;
the address information comprises a VXLAN tunnel source address, a VXLAN tunnel destination address, an MAC message source address and an MAC message destination address.
In one possible implementation, the MAC message includes an internal MAC message header in which the protection information is located entirely.
Illustratively, the internal MAC header includes a 2-byte protocol type field and a 12-byte address field, with 12 bytes of the address field being used to populate the guard information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identification is 5 bytes.
Illustratively, the obtaining unit 401 is configured to encrypt the hash value, the timestamp, the random number and the device identifier of the address information by using a 4-byte block cipher algorithm, so as to obtain the protection information.
In another possible implementation, the MAC message includes an internal MAC header, a portion of the guard information is located in the internal MAC header, and another portion of the guard information is located in a reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, the internal MAC header includes a 2-byte protocol type field and a 12-byte address field, with 12 bytes of the address field being used to populate a portion of the guard information and 4 bytes of the field being reserved for populating another portion of the guard information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identification is 8 bytes.
Illustratively, the obtaining unit 401 is configured to encrypt the hash value, the timestamp, the random number and the device identifier of the address information by using a 4-byte block cipher algorithm or an 8-byte block cipher algorithm, so as to obtain the protection information.
Optionally, the apparatus further comprises:
and the receiving unit 404 is configured to receive a key sent by the network control center, where the key is used for encryption.
Optionally, the receiving unit 404 is configured to receive synchronization information sent by the network control center, where the synchronization information includes a timestamp and a random number.
It should be noted that, in the packet transmission device provided in the foregoing embodiment, only the division of the functional units is used for illustration, and in practical application, the foregoing functional allocation may be performed by different functional units according to needs, that is, the internal structure of the device is divided into different functional units, so as to complete all or part of the functions described above. In addition, the message transmission device and the message transmission method provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not repeated herein.
Fig. 8 is a block diagram of a message authentication device according to an embodiment of the present application. The message authentication means may be implemented as all or part of a network device (e.g. a VTEP device) by software, hardware or a combination of both. The message authentication device may include: a receiving unit 501, an acquiring unit 502, and a processing unit 503.
The receiving unit 501 is configured to receive a virtual extensible local area network (VXLAN) message, where the VXLAN message includes a VXLAN encapsulation and a media access control (MAC) message, and at least one of the VXLAN encapsulation and the MAC message includes protection information, where the protection information is used to verify the security of the message;
An obtaining unit 502, configured to obtain protection information in a VXLAN packet;
and a processing unit 503, configured to verify the VXLAN message based on the protection information.
Illustratively, the guard information includes at least one of the following:
hash value of address information, timestamp, random number and equipment identification;
the address information comprises a VXLAN tunnel source address, a VXLAN tunnel destination address, an MAC message source address and an MAC message destination address.
In one possible implementation, the MAC message includes an internal MAC message header in which the protection information is located entirely.
Illustratively, the internal MAC header includes a 2-byte protocol type field and a 12-byte address field, with 12 bytes of the address field being used to populate the guard information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identification is 5 bytes.
Illustratively, the obtaining unit 502 is configured to obtain the encrypted protection information from the VXLAN message, and decrypt the encrypted protection information by using a 4-byte block cipher algorithm to obtain the protection information.
In another possible implementation, the MAC message includes an internal MAC header, a portion of the guard information is located in the internal MAC header, and another portion of the guard information is located in a reserved field of the VXLAN header of the VXLAN encapsulation.
Illustratively, the internal MAC header includes a 2-byte protocol type field and a 12-byte address field, with 12 bytes of the address field being used to populate a portion of the guard information and 4 bytes of the field being reserved for populating another portion of the guard information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identification is 8 bytes.
Illustratively, the obtaining unit 502 is configured to obtain the encrypted protection information from the VXLAN message, and decrypt the encrypted protection information by using a 4-byte block cipher algorithm or an 8-byte block cipher algorithm to obtain the protection information.
Optionally, the receiving unit 501 is further configured to receive a key sent by the network control center, where the key is used for decryption.
Optionally, the receiving unit 501 is further configured to receive synchronization information sent by the network control center, where the synchronization information includes a timestamp and a random number.
It should be noted that, in the packet verification device provided in the foregoing embodiment, only the division of the functional units is used for illustration, and in practical application, the foregoing functional allocation may be completed by different functional units according to needs, that is, the internal structure of the device is divided into different functional units, so as to complete all or part of the functions described above. In addition, the message authentication device and the message authentication method provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not repeated herein.
Fig. 9 shows a schematic structural diagram of a network device 150 according to an embodiment of the present application. The network device 150 shown in fig. 9 is used to perform the operations related to the packet transmission method or the packet verification method shown in any one of fig. 2 to 6, and may be the VTEP device. The network device 150 may be implemented by a general bus architecture.
As shown in fig. 9, network device 150 includes at least one processor 151, memory 153, and at least one communication interface 154.
Processor 151 is, for example, a general purpose central processing unit (CPU), a digital signal processor (DSP), a network processor (NP), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing aspects of the present application. For example, processor 151 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. A PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor may implement or perform the various logical blocks, modules, and circuits described in connection with the disclosure of the embodiments of the application. A processor may also be a combination of computing devices, for example a combination of one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
Optionally, the network device 150 further comprises a bus. The bus is used to transfer information between the components of network device 150. The bus may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. Buses may be divided into address buses, data buses, control buses, etc. For ease of illustration, only one thick line is shown in fig. 9, but this does not mean that there is only one bus or only one type of bus.
The memory 153 is, for example, but not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 153 is, for example, independent and is connected to the processor 151 via a bus. The memory 153 may also be integrated with the processor 151.
The communication interface 154 uses any transceiver-like device for communicating with other devices or communication networks, which may be an Ethernet, a radio access network (RAN), a wireless local area network (WLAN), etc. The communication interface 154 may include a wired communication interface and may also include a wireless communication interface. Specifically, the communication interface 154 may be an Ethernet interface, a Fast Ethernet (FE) interface, a Gigabit Ethernet (GE) interface, an asynchronous transfer mode (ATM) interface, a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination thereof. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. In an embodiment of the present application, the communication interface 154 may be used for the network device 150 to communicate with other devices.
In a specific implementation, processor 151 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 9, as an embodiment. Each of these processors may be a single-core (single-CPU) processor or may be a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a specific implementation, as one embodiment, network device 150 may include multiple processors, such as processor 151 and processor 155 shown in fig. 9. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a specific implementation, the network device 150 may also include an output device and an input device, as one embodiment. The output device communicates with the processor 151 and information may be displayed in a variety of ways. For example, the output device may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a Cathode Ray Tube (CRT) display device, or a projector (projector), or the like. The input device(s) are in communication with the processor 151 and may receive user input in a variety of ways. For example, the input device may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
In some embodiments, memory 153 is used to store program code 1510 that performs aspects of the present application, and processor 151 may execute program code 1510 stored in memory 153. That is, the network device 150 can implement the data processing method provided by the method embodiment by the processor 151 executing the program code 1510 in the memory 153. One or more software modules may be included in the program code 1510. Alternatively, processor 151 itself may store program code or instructions for performing the inventive arrangements.
In a specific embodiment, the network device 150 of the embodiment of the present application may correspond to the controller in the above-described method embodiments, where the processor 151 in the network device 150 reads the instructions in the memory 153, so that the network device 150 shown in fig. 9 can perform all or part of the operations performed by the controller.
Specifically, the processor 151 is configured to obtain protection information, where the protection information is used to verify the security of a message; to obtain a virtual extensible local area network (VXLAN) message based on the protection information, where the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message; and to send the VXLAN message.
Alternatively, the processor 151 is configured to receive a VXLAN message, where the VXLAN message includes a VXLAN encapsulation and a MAC message, at least one of the VXLAN encapsulation and the MAC message includes protection information, and the protection information is used to verify the security of the message; to acquire the protection information from the VXLAN message; and to verify the VXLAN message based on the protection information.
Other optional embodiments are not described here again for brevity.
The steps of the message transmission method or the message authentication method shown in any one of fig. 2 to 6 are completed by an integrated logic circuit of hardware or an instruction in a software form in a processor of the network device 150. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor reads information in the memory, and in combination with its hardware, performs the steps of the above method, which will not be described in detail here to avoid repetition.
The embodiment of the application also provides a chip, which comprises: input interface, output interface, processor and memory. The input interface, the output interface, the processor and the memory are connected through an internal connection path. The processor is configured to execute the code in the memory, and when the code is executed, the processor is configured to perform any one of the message transmission method or the message authentication method described above.
It is to be appreciated that the processor described above may be a CPU, but may also be other general purpose processors, DSP, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. A general purpose processor may be a microprocessor or any conventional processor or the like. It should be noted that the processor may be a processor supporting the ARM architecture.
Further, in an alternative embodiment, the processor is one or more, and the memory is one or more. Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor. The memory may include read only memory and random access memory and provide instructions and data to the processor. The memory may also include non-volatile random access memory. For example, the memory may also store a reference block and a target block.
The memory may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be ROM, PROM, EPROM, EEPROM or flash memory, among others. The volatile memory may be RAM, which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as SRAM, DRAM, SDRAM, DDR SDRAM, ESDRAM, SLDRAM and DR RAM.
In an embodiment of the present application, there is further provided a computer readable storage medium, where computer instructions are stored, and when the computer instructions stored in the computer readable storage medium are executed by a network device, the network device is caused to execute the above provided message transmission method or the message verification method.
In an embodiment of the present application, there is further provided a computer program product containing instructions that, when executed on a network device, cause the network device to perform the above-provided message transmission method or message verification method.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions in accordance with the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), etc.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing is merely an alternative embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that may be easily contemplated by those skilled in the art within the scope of the present application should be included in the scope of the present application. Therefore, the protection scope of the present application should be subject to the protection scope of the claims.
Unless defined otherwise, technical or scientific terms used herein have the ordinary meaning understood by one of ordinary skill in the art to which this application belongs. The terms "first," "second," "third," and the like in the description and in the claims do not indicate any order, quantity, or importance, but are used to distinguish between different elements. Likewise, the terms "a" or "an" and the like do not denote a limitation of quantity, but rather denote the presence of at least one. The word "comprising" or "comprises" and the like means that the elements or items listed after it, and their equivalents, are included, without excluding other elements or items.
The above embodiments are merely examples of the present application, and the present application is not limited thereto, but any modifications, equivalents, improvements and the like made within the spirit and principle of the present application should be included in the scope of the present application.

Claims (17)

1. A method for transmitting a message, the method comprising:
acquiring protection information, wherein the protection information is used for verifying the safety of a message;
obtaining a virtual extensible local area network (VXLAN) message based on the protection information, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message;
and sending the VXLAN message.
2. The method of claim 1, wherein the protection information comprises at least one of:
hash value of address information, timestamp, random number and equipment identification;
the address information comprises a VXLAN tunnel source address, a VXLAN tunnel destination address, an MAC message source address and an MAC message destination address.
3. The method of claim 2, wherein the MAC message comprises an inner MAC header, and wherein the protection information is located entirely within the inner MAC header.
4. The method according to claim 3, wherein the inner MAC header comprises a 2-byte protocol type field and a 12-byte address field, the 12 bytes of the address field being used to carry the protection information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 1 byte, and the device identifier is 5 bytes.
5. The method of claim 4, wherein the obtaining the protection information comprises:
and encrypting the hash value of the address information, the timestamp, the random number and the equipment identifier by adopting a 4-byte block cipher algorithm to obtain the protection information.
6. The method of claim 2, wherein the MAC message comprises an inner MAC header, a portion of the protection information is located in the inner MAC header, and another portion of the protection information is located in a reserved field of the VXLAN header of the VXLAN encapsulation.
7. The method of claim 6, wherein the inner MAC header includes a 2-byte protocol type field and a 12-byte address field, the 12 bytes of the address field being used to carry a portion of the protection information and the 4 bytes of the reserved field being used to carry another portion of the protection information;
the hash value of the address information is 4 bytes, the timestamp is 2 bytes, the random number is 2 bytes, and the device identifier is 8 bytes.
8. The method of claim 7, wherein the obtaining the protection information comprises:
and encrypting the hash value of the address information, the time stamp, the random number and the equipment identifier by adopting a 4-byte block cipher algorithm or an 8-byte block cipher algorithm to obtain the protection information.
9. The method according to claim 5 or 8, characterized in that the method further comprises:
and receiving a key sent by the network control center, wherein the key is used for encryption.
10. The method according to any one of claims 2 to 9, further comprising:
and receiving synchronization information sent by a network control center, wherein the synchronization information comprises the time stamp and the random number.
11. A message verification method, the method comprising:
receiving a virtual extensible local area network (VXLAN) message, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and at least one of the VXLAN encapsulation and the MAC message comprises protection information which is used for verifying the security of the message;
acquiring the protection information in the VXLAN message;
and verifying the VXLAN message based on the protection information.
12. A message transmission apparatus, the apparatus comprising:
the device comprises an acquisition unit, a message sending unit and a message sending unit, wherein the acquisition unit is used for acquiring protection information, and the protection information is used for verifying the safety of the message;
the processing unit is used for obtaining a virtual extensible local area network (VXLAN) message based on the protection information, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, and the protection information is located in at least one of the VXLAN encapsulation and the MAC message;
and the sending unit is used for sending the VXLAN message.
13. A message authentication apparatus, the apparatus comprising:
the receiving unit is used for receiving a virtual extensible local area network (VXLAN) message, wherein the VXLAN message comprises a VXLAN encapsulation and a media access control (MAC) message, at least one of the VXLAN encapsulation and the MAC message comprises protection information, and the protection information is used for verifying the security of the message;
an obtaining unit, configured to obtain the protection information in the VXLAN packet;
and the processing unit is used for verifying the VXLAN message based on the protection information.
14. A network device comprising a processor and a memory for storing a software program, the processor causing the network device to implement the method of any one of claims 1 to 11 by running or executing the software program stored in the memory.
15. A messaging system comprising messaging means as claimed in claim 12 and message authentication means as claimed in claim 13.
16. A computer readable storage medium for storing program code for execution by a processor, the program code comprising instructions for implementing the method of any one of claims 1 to 11.
17. A computer program product comprising program code which, when run on a computer, causes the computer to perform the method of any of claims 1 to 11.
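The 12-byte layout of claims 2 to 4 and the verification of claim 11, as an added illustration that is not part of the patent: the sender packs hash(4) | timestamp(2) | random number(1) | device identifier(5) into the inner MAC address field, and the receiver recomputes the address hash from the tunnel and MAC addresses it knows and compares the timestamp and random number it received from the network control center (claim 10). The page does not name the hash function, so truncated SHA-256 is assumed; the 4-byte block-cipher step of claim 5 and the allow-list of device identifiers are likewise assumptions and the cipher step is left out.

```python
import hashlib
import hmac
import ipaddress
import struct

# Byte layout of the 12-byte inner-MAC address field from claim 4 of the page:
# hash(4) | timestamp(2) | random number(1) | device identifier(5), network order.
FIELD = struct.Struct("!4sHB5s")


def _addr_bytes(vxlan_src, vxlan_dst, mac_src, mac_dst):
    """Serialize the four addresses of claim 2 in a fixed order."""
    macs = [bytes.fromhex(m.replace(":", "")) for m in (mac_src, mac_dst)]
    if any(len(m) != 6 for m in macs):
        raise ValueError("MAC address must be 6 bytes")
    ips = [ipaddress.ip_address(a).packed for a in (vxlan_src, vxlan_dst)]
    return b"".join(ips + macs)


def address_hash(vxlan_src, vxlan_dst, mac_src, mac_dst):
    """4-byte hash of the address information; truncated SHA-256 is an assumption."""
    digest = hashlib.sha256(_addr_bytes(vxlan_src, vxlan_dst, mac_src, mac_dst))
    return digest.digest()[:4]


def build_protection_info(addrs, timestamp, random_number, device_id):
    """Sender side (claims 1-4): pack the 12 bytes that occupy the inner MAC
    address field. timestamp and random_number are the values the network
    control center synchronizes to both ends (claim 10)."""
    if not 0 <= timestamp <= 0xFFFF or not 0 <= random_number <= 0xFF:
        raise ValueError("timestamp is 2 bytes, random number is 1 byte")
    if len(device_id) != 5:
        raise ValueError("device identifier is 5 bytes")
    return FIELD.pack(address_hash(*addrs), timestamp, random_number, device_id)


def parse_protection_info(field):
    """Split the 12-byte field back into its four components."""
    h, ts, rnd, dev = FIELD.unpack(field)
    return {"hash": h, "timestamp": ts, "random": rnd, "device_id": dev}


def verify_protection_info(field, addrs, timestamp, random_number, known_devices):
    """Receiver side (claim 11): rebind the field to the addresses the receiver
    knows for this tunnel, then check the synchronized timestamp and random
    number and the device identifier (allow-list is an assumption).
    Returns (ok, reason); the hash compare is constant-time."""
    if len(field) != FIELD.size:
        return False, "bad length"
    info = parse_protection_info(field)
    if not hmac.compare_digest(info["hash"], address_hash(*addrs)):
        return False, "address hash mismatch"
    if info["timestamp"] != timestamp:
        return False, "stale timestamp"
    if info["random"] != random_number:
        return False, "random number mismatch"
    if info["device_id"] not in known_devices:
        return False, "unknown device"
    return True, "ok"
```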

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310956912.5A CN117201075A (en) 2023-07-31 2023-07-31 Message transmission method and device and message verification method and device

Publications (1)

Publication Number Publication Date
CN117201075A true CN117201075A (en) 2023-12-08

Family

ID=88998671

Country Status (1)

Country Link
CN (1) CN117201075A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination