CN201479154U - BGP routing system and apparatus - Google Patents


Info

Publication number
CN201479154U
Authority
CN
China
Prior art keywords
bgp
routing device
message
bgp routing
encryption
Legal status
Expired - Fee Related
Application number
CN2009201612419U
Other languages
Chinese (zh)
Inventor
林丹宁
Current Assignee
Fujian Star Net Communication Co Ltd
Original Assignee
Fujian Star Net Communication Co Ltd

Abstract

The utility model discloses a border gateway protocol (BGP) routing apparatus. The apparatus comprises an authentication device for authenticating the identity of a target BGP routing apparatus; an encryption device, connected with the authentication device, for encrypting the BGP message after the identity authentication by the authentication device has passed; and a transmission device, connected with the encryption device, for transmitting the encrypted BGP message to the target BGP routing apparatus. The utility model also discloses a BGP routing system. The BGP routing system and apparatus can effectively enhance the security of BGP message transmission.

Description

BGP routing system and apparatus
Technical field
The utility model relates to the field of network communication, and in particular to a BGP routing system and apparatus.
Background technology
Border Gateway Protocol (BGP) is an Exterior Gateway Protocol: a routing protocol that dynamically exchanges routing information between autonomous systems (AS). An autonomous system is the set of routers under the control of one administrative organization; it uses an Interior Gateway Protocol (IGP) and a common metric to forward packets to other autonomous systems.
Two routing devices running BGP exchange routing information as follows. First, a connection is established between the routing devices: through the exchange of OPEN messages, the two ends negotiate the capabilities their BGP implementations support. Then the routing devices exchange routing information through the exchange of UPDATE messages. Underneath, BGP carries its data over the Transmission Control Protocol (TCP), so the reliability of the data transmission is guaranteed by TCP.
Because TCP only guarantees reliable delivery of data, it transmits the data in plaintext and does not address the security of the data in transit.
Because BGP transmits routing information directly over TCP, the security of TCP directly affects BGP. Since TCP transmits in plaintext, the routing information carried by BGP is exposed directly on the network. As a result, an unauthorized user can:
First, based on the characteristics of BGP messages, steal the routing information transmitted between BGP routing devices;
Second, tamper with BGP messages, adding or modifying routing information, so that the receiver receives incorrect routing information;
Third, forge a BGP receiver and send forged routing information, causing the whole network to be misrouted.
To address these problems, RFC 2385 proposes a scheme for strengthening BGP security by introducing a signature mode for BGP: the TCP MD5 signature option is used to authenticate the correctness of BGP messages. Specifically, the BGP sender computes signature information with the MD5 algorithm over the data carried in the TCP segment and sends the signature together with the TCP segment to the BGP receiver; the BGP receiver computes signature information over the received TCP segment with the same MD5 algorithm and compares it with the signature sent by the BGP sender. If the two agree, the received TCP segment is determined to be correct; otherwise, the data of the received TCP segment is determined to have been tampered with.
Using the TCP MD5 signature mode can solve the problem of BGP messages being tampered with described above, but this scheme cannot solve the problems of BGP messages being illegally stolen or of a forged BGP receiver.
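As an added example that is not part of the patent, the following Go program computes and verifies the RFC 2385 TCP MD5 signature described in the paragraph above. Per RFC 2385 the digest is taken, in order, over the TCP pseudo-header, the fixed 20-byte TCP header with its checksum field zeroed and options excluded, the segment data, and the shared key. The addresses, ports, key and the BGP KEEPALIVE segment are constructed for the example; running it shows what the background section argues: a modified segment or a mismatched key is detected, but the BGP message itself is still readable by anyone on the path.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"net"
)

// TCPMD5Digest computes the RFC 2385 signature: MD5 over the TCP pseudo-header
// (source IPv4, destination IPv4, a zero byte, protocol 6, TCP length), the fixed
// 20-byte TCP header with options omitted and the checksum field zeroed, the
// segment data, and finally the shared key. tcpHeader must include any options
// present so that the TCP length placed in the pseudo-header is correct.
func TCPMD5Digest(srcIP, dstIP net.IP, tcpHeader, data, key []byte) [16]byte {
	h := md5.New()
	pseudo := make([]byte, 12)
	copy(pseudo[0:4], srcIP.To4())
	copy(pseudo[4:8], dstIP.To4())
	pseudo[9] = 6 // IPPROTO_TCP; pseudo[8] is the zero byte
	binary.BigEndian.PutUint16(pseudo[10:12], uint16(len(tcpHeader)+len(data)))
	h.Write(pseudo)
	fixed := make([]byte, 20)
	copy(fixed, tcpHeader[:20])
	fixed[16], fixed[17] = 0, 0 // checksum is assumed to be zero
	h.Write(fixed)
	h.Write(data)
	h.Write(key)
	var out [16]byte
	copy(out[:], h.Sum(nil))
	return out
}

// VerifyTCPMD5 is the receiver's check: recompute the digest over the received
// segment with the locally configured key and compare it in constant time.
func VerifyTCPMD5(srcIP, dstIP net.IP, tcpHeader, data, key []byte, sig [16]byte) bool {
	got := TCPMD5Digest(srcIP, dstIP, tcpHeader, data, key)
	return subtle.ConstantTimeCompare(got[:], sig[:]) == 1
}

// SampleSegment builds a constructed BGP KEEPALIVE segment: a 40-byte TCP header
// (ports 40000 -> 179, data offset 10 words) that reserves the 18-byte MD5 option
// (kind 19) plus two NOPs, and the 19-byte KEEPALIVE body (16-byte marker of 0xff,
// length 19, type 4). The option's digest bytes are left zero for the caller to fill.
func SampleSegment() (tcpHeader, data []byte) {
	tcpHeader = make([]byte, 40)
	binary.BigEndian.PutUint16(tcpHeader[0:2], 40000)
	binary.BigEndian.PutUint16(tcpHeader[2:4], 179)
	binary.BigEndian.PutUint32(tcpHeader[4:8], 1000)  // sequence number
	binary.BigEndian.PutUint32(tcpHeader[8:12], 2000) // acknowledgement number
	tcpHeader[12] = 10 << 4                           // data offset: 10 32-bit words
	tcpHeader[13] = 0x18                              // PSH|ACK
	binary.BigEndian.PutUint16(tcpHeader[14:16], 65535)
	tcpHeader[20], tcpHeader[21] = 19, 18 // MD5 option kind and length
	tcpHeader[38], tcpHeader[39] = 1, 1   // NOP padding
	data = append(bytes.Repeat([]byte{0xff}, 16), 0x00, 0x13, 0x04)
	return tcpHeader, data
}

func main() {
	src, dst := net.ParseIP("192.0.2.1"), net.ParseIP("192.0.2.2")
	key := []byte("constructed-shared-secret")
	hdr, data := SampleSegment()
	sig := TCPMD5Digest(src, dst, hdr, data, key)
	copy(hdr[22:38], sig[:]) // place the digest in the option; option bytes are not hashed
	fmt.Printf("signature verifies: %v\n", VerifyTCPMD5(src, dst, hdr, data, key, sig))
	data[18] = 1 // an on-path change of the message type from KEEPALIVE to OPEN
	fmt.Printf("after tampering:    %v\n", VerifyTCPMD5(src, dst, hdr, data, key, sig))
	fmt.Printf("payload on the wire is still readable: % x\n", data)
}
```

The digest gives the receiver integrity and a weak form of peer authentication (anyone who knows the shared key can sign), which is exactly the gap the patent's scheme targets: nothing in the option hides the routing information, and the key is the same static secret on both ends.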
The utility model content
The utility model provides a BGP routing system and apparatus for improving the security of BGP message transmission.
The utility model provides a Border Gateway Protocol (BGP) routing system, comprising:
a source BGP routing device, connected to a destination BGP routing device, for authenticating the identity of the destination BGP routing device and, after the authentication passes, encrypting the BGP message and sending it to the destination BGP routing device;
a destination BGP routing device, connected to the source BGP routing device, for decrypting the received BGP message and obtaining the routing information carried in it.
The utility model provides a Border Gateway Protocol (BGP) routing device comprising a sending device for sending BGP messages to a destination BGP routing device, and further comprising:
an authentication device, connected to the encryption device, for authenticating the identity of the destination BGP routing device;
an encryption device, connected to the authentication device and to the sending device, for encrypting the BGP message after the authentication by the authentication device passes and handing it to the sending device for transmission.
In the scheme provided by the utility model, the BGP routing device authenticates the identity of the destination BGP routing device and, after the authentication passes, encrypts the BGP message and sends it to the destination BGP routing device; the destination BGP routing device decrypts the received BGP message and obtains the routing information carried in it. Because the receiving device is authenticated before the BGP message is sent, and the BGP message is encrypted, the routing information in the BGP message is protected from being stolen or tampered with, and the BGP message is prevented from being sent to an illegitimate receiver, which strengthens the security of BGP message transmission.
Description of drawings
Fig. 1 is a schematic structural diagram of the BGP message transmission system provided by the utility model;
Fig. 2 is a schematic structural diagram of the BGP routing device provided by the utility model.
Embodiment
To improve the security of BGP message transmission, the utility model provides a BGP routing system in which the source BGP routing device sends the encrypted BGP message to the destination BGP routing device only after the destination BGP routing device has passed identity authentication.
Referring to Fig. 1, the BGP routing system provided by the utility model comprises a source BGP routing device 10 and a destination BGP routing device 11, where:
the source BGP routing device 10 is connected to the destination BGP routing device and authenticates the identity of the destination BGP routing device; after the authentication passes, it encrypts the BGP message and sends it to the destination BGP routing device;
the destination BGP routing device 11 is connected to the source BGP routing device and decrypts the BGP message received from the source BGP routing device, obtaining the routing information carried in that BGP message.
The source BGP routing device 10 comprises a first authentication device, a first encryption device and a first sending device, where:
the first authentication device authenticates the identity of the destination BGP routing device;
the first encryption device is connected to the first authentication device and encrypts the BGP message after the authentication by the first authentication device passes;
the first sending device is connected to the first encryption device and sends the BGP message encrypted by the first encryption device to the destination BGP routing device.
Accordingly, the destination BGP routing device 11 comprises a message decryption device and an information acquisition device, where:
the message decryption device is connected to the first sending device and decrypts the BGP message sent by the source BGP routing device;
the information acquisition device is connected to the message decryption device and obtains the routing information carried in the BGP message decrypted by the message decryption device.
To implement the authentication of the destination BGP routing device by the source BGP routing device, the first authentication device comprises a first ciphertext sending module and a first authentication module, where:
the first ciphertext sending module obtains a first encryption key, encrypts the first encryption key with a pre-configured first public key, and sends the encrypted first encryption key to the destination BGP routing device;
the first authentication module is connected to the first ciphertext sending module and receives the verification message sent by the destination BGP routing device, decrypts the verification message with the first encryption key and, if decryption succeeds, determines that the destination BGP routing device has passed authentication; otherwise it determines that authentication of the destination BGP routing device has failed.
Accordingly, the destination BGP routing device 11 further comprises a second authentication device, which comprises a second ciphertext decryption module and a second verification sending module, where:
the second ciphertext decryption module is connected to the first ciphertext sending module and decrypts the first encryption key sent by the first ciphertext sending module with a pre-configured first private key;
the second verification sending module is connected to the second ciphertext decryption module, encrypts the verification message with the encryption key obtained by the second ciphertext decryption module, and sends the encrypted verification message to the source BGP routing device.
The first encryption key may be generated at random by the source BGP routing device, or a pre-configured key may be used as the first encryption key. The first public key is pre-configured on the source BGP routing device; the first private key, which corresponds to the first public key, is pre-configured on the legitimate destination BGP routing device. If the destination BGP routing device is an illegitimate receiving device, it does not have the correct first private key configured, so it cannot correctly decrypt the encrypted first encryption key and obtain the correct first encryption key; consequently the source BGP routing device cannot correctly decrypt the verification message that the destination BGP routing device encrypted with the wrong key.
To implement the authentication of the source BGP routing device by the destination BGP routing device, the second authentication device further comprises a second ciphertext sending module and a second authentication module, where:
the second ciphertext sending module obtains a second encryption key, encrypts the second encryption key with a pre-configured second public key, and sends the encrypted second encryption key to the source BGP routing device;
the second authentication module is connected to the second ciphertext sending module and receives the verification message sent by the source BGP routing device, decrypts the verification message with the second encryption key and, if decryption succeeds, determines that the source BGP routing device has passed authentication; otherwise it determines that authentication of the source BGP routing device has failed.
Accordingly, the first authentication device further comprises a first ciphertext decryption module and a first verification sending module, where:
the first ciphertext decryption module is connected to the second ciphertext sending module and decrypts the second encryption key sent by the second ciphertext sending module with a pre-configured second private key;
the first verification sending module is connected to the first ciphertext decryption module, encrypts the verification message with the encryption key obtained by the first ciphertext decryption module, and sends the encrypted verification message to the destination BGP routing device.
After the source BGP routing device's authentication of the destination BGP routing device passes, the source BGP routing device encrypts the BGP message with the encryption key obtained by decrypting the encrypted second encryption key and sends it to the destination BGP routing device; the destination BGP routing device decrypts the received BGP message with the second encryption key. The first encryption device comprises:
a first message encryption module, connected to the first ciphertext decryption module, which encrypts the BGP message with the encryption key obtained by the first ciphertext decryption module.
After the destination BGP routing device's authentication of the source BGP routing device passes, the destination BGP routing device encrypts the BGP message with the encryption key obtained by decrypting the encrypted first encryption key and sends it to the source BGP routing device; the source BGP routing device decrypts the received BGP message with the first encryption key. The destination BGP routing device 11 further comprises a second encryption device and a second sending device, where:
the second encryption device is connected to the second authentication device and comprises a second message encryption module connected to the second ciphertext decryption module, which encrypts the BGP message with the encryption key obtained by the second ciphertext decryption module;
the second sending device is connected to the second encryption device and sends the BGP message encrypted by the second encryption device to the source BGP routing device.
The second encryption key may be generated at random by the destination BGP routing device, or a pre-configured key may be used as the second encryption key. The second public key is pre-configured on the destination BGP routing device; the second private key, which corresponds to the second public key, is pre-configured on the legitimate source BGP routing device. If the source BGP routing device is an illegitimate receiving device, it does not have the correct second private key configured, so it cannot correctly decrypt the encrypted second encryption key and obtain the correct second encryption key; consequently the destination BGP routing device cannot correctly decrypt the verification message that the source BGP routing device encrypted with the wrong key.
Of course, the identity authentication method between the source BGP routing device and the destination BGP routing device is not limited to the key-based authentication described above; methods such as the WEP/EAP encrypted authentication used in the WAP protocol, or the digital certificate method used in the HTTPS protocol, may also be used.
To negotiate the encrypted-authentication capability between the source BGP routing device and the destination BGP routing device, the source BGP routing device 10 further comprises:
a negotiation initiating device, connected to the first authentication device, which establishes a TCP connection with the destination BGP routing device, sends a capability negotiation message carrying information indicating that it supports the encrypted-authentication capability to the destination BGP routing device, and receives the capability negotiation response message sent by the destination BGP routing device.
Accordingly, the first authentication device is also connected to the negotiation initiating device, and the first authentication device authenticates the identity of the destination BGP routing device when the capability negotiation response message carries information indicating that the destination BGP routing device supports the encrypted-authentication capability.
Accordingly, the destination BGP routing device 11 further comprises:
a negotiation response device, connected to the negotiation initiating device, which receives the capability negotiation message sent by the source BGP routing device and returns a capability negotiation response message to the source BGP routing device carrying information on whether this destination BGP routing device supports the encrypted-authentication capability. Specifically, it reads the device capability configuration information that has been input; if that configuration information includes information indicating that this destination BGP routing device supports the encrypted-authentication capability, it sends the source BGP routing device a capability negotiation response message carrying information that this destination BGP routing device supports the encrypted-authentication capability; otherwise it sends the source BGP routing device a capability negotiation response message carrying information that this destination BGP routing device does not support the encrypted-authentication capability.
The source BGP routing device 10 further comprises:
a negotiation failure processing device, connected to the negotiation initiating device, which, when the capability negotiation response message does not carry information indicating that the destination BGP routing device supports the encrypted-authentication capability, disconnects the TCP connection with the destination BGP routing device or re-establishes the connection with the destination BGP routing device according to the existing BGP protocol.
It should be noted that the information indicating that the source BGP routing device supports the encrypted-authentication capability and the first encryption key encrypted with the first public key can be carried in the same message sent to the destination BGP routing device, and that message can be an existing OPEN message. Likewise, the information on whether the destination BGP routing device supports the encrypted-authentication capability and the second encryption key encrypted with the second public key can be carried in the same message sent to the source BGP routing device, and that message can be an existing OPEN message.
Referring to Fig. 2, the utility model also provides a BGP routing device that can be used in a BGP message transmission system. The device comprises an authentication device 20, an encryption device 21 and a sending device 22, where:
the authentication device 20 is connected to the encryption device and authenticates the identity of the destination BGP routing device;
the encryption device 21 is connected to the authentication device and to the sending device and encrypts the BGP message after the authentication by the authentication device passes;
the sending device 22 is connected to the encryption device and sends the BGP message encrypted by the encryption device to the destination BGP routing device.
The device further comprises a configuration device 23 and a negotiation initiating device 24, where:
the configuration device 23 is connected to the negotiation initiating device and reads the device capability configuration information that has been input;
the negotiation initiating device 24 is connected to the configuration device and to the authentication device; when the device capability configuration information read by the configuration device includes information indicating that this BGP routing device supports the encrypted-authentication capability, it establishes a Transmission Control Protocol (TCP) connection with the destination BGP routing device, sends a capability negotiation message carrying information indicating that it supports the encrypted-authentication capability to the destination BGP routing device, and receives the capability negotiation response message sent by the destination BGP routing device.
Accordingly, the authentication device 20 is also connected to the negotiation initiating device 24, and the authentication device 20 authenticates the identity of the destination BGP routing device when the capability negotiation response message carries information indicating that the destination BGP routing device supports the encrypted-authentication capability.
The device further comprises:
a negotiation response device 25, connected to the configuration device, which receives the capability negotiation message sent by the destination BGP routing device and, when the device capability configuration information read by the configuration device includes information indicating that this BGP routing device supports the encrypted-authentication capability, returns a capability negotiation response message carrying that information to the destination BGP routing device.
The device further comprises:
a negotiation failure processing device 26, connected to the negotiation initiating device, which, when the capability negotiation response message does not carry information indicating that the destination BGP routing device supports the encrypted-authentication capability, disconnects the TCP connection with the destination BGP routing device or re-establishes the connection with the destination BGP routing device according to the BGP protocol.
The authentication device 20 comprises a ciphertext sending module and an authentication module:
the ciphertext sending module obtains a first encryption key, encrypts the first encryption key with a pre-configured first public key, and sends the encrypted first encryption key to the destination BGP routing device;
the authentication module is connected to the ciphertext sending module and receives the encrypted verification message sent by the destination BGP routing device, decrypts the verification message with the first encryption key and, if decryption succeeds, determines that the destination BGP routing device has passed authentication; otherwise it determines that authentication of the destination BGP routing device has failed. The destination BGP routing device encrypts the verification message as follows: it decrypts the first encryption key sent by the ciphertext sending module with a pre-configured first private key, and encrypts the verification message with the encryption key obtained by that decryption.
The authentication device 20 further comprises a ciphertext decryption module and a verification sending module, where:
the ciphertext decryption module decrypts, with a pre-configured second private key, the encrypted second encryption key sent by the destination BGP routing device, which the destination BGP routing device generated by encrypting the second encryption key with a pre-configured second public key;
the verification sending module is connected to the ciphertext decryption module, encrypts the verification message with the encryption key obtained by the ciphertext decryption module, and sends the encrypted verification message to the destination BGP routing device for identity authentication.
The encryption device 21 comprises:
a message encryption module, connected to the ciphertext decryption module, which encrypts the BGP message with the encryption key obtained by the ciphertext decryption module and hands it to the sending device for transmission.
The operation of the system in the utility model can be described roughly in the following three stages.
First, the capability negotiation stage.
The source BGP routing device establishes a TCP connection with the destination BGP routing device and then sends an OPEN message to the destination BGP routing device (the BGP message receiving device); this OPEN message carries information indicating that the sender supports the encrypted-authentication capability.
After the destination BGP routing device receives the OPEN message sent by the source BGP routing device, it checks its configuration information to determine whether it has the encrypted-authentication capability. If it does, it returns to the source BGP routing device an OPEN message carrying information that it supports the encrypted-authentication capability; otherwise it returns to the source BGP routing device an OPEN message carrying information that it does not support the encrypted-authentication capability.
When the source BGP routing device receives the OPEN message returned by the destination BGP routing device, if that OPEN message carries information that the destination supports the encrypted-authentication capability, the encrypted-authentication capability negotiation succeeds and the two ends can begin to establish a secure channel. Otherwise the negotiation fails, and depending on the user's configuration the TCP connection can be disconnected, or the connection can be re-established using the method of the existing BGP protocol.
Second, the secure channel establishment stage.
Authentication and key exchange from the source BGP routing device to the destination BGP routing device:
The source BGP routing device generates a first encryption key at random, encrypts the first encryption key with the configured first public key, and sends the encrypted first encryption key to the destination BGP routing device in an OPEN message;
when the destination BGP routing device receives the OPEN message carrying the encrypted first encryption key sent by the source BGP routing device, it decrypts the first encryption key in the OPEN message with the prepared first private key, encrypts the verification message with the encryption key obtained by decryption (key a), and sends the encrypted verification message to the source BGP routing device;
after the source BGP routing device receives the verification message sent by the destination BGP routing device, it decrypts the verification message with the first encryption key. If decryption succeeds, it determines that the destination BGP routing device has passed authentication; otherwise it determines that authentication of the destination BGP routing device has failed and disconnects from the destination BGP routing device.
At the same time, the following authentication and key exchange from the destination BGP routing device to the source BGP routing device is carried out:
The destination BGP routing device generates a second encryption key at random, encrypts the second encryption key with the configured second public key, and sends the encrypted second encryption key to the source BGP routing device in an OPEN message;
when the source BGP routing device receives the OPEN message carrying the encrypted second encryption key sent by the destination BGP routing device, it decrypts the second encryption key in the OPEN message with the prepared second private key, encrypts the verification message with the encryption key obtained by decryption (key b), and sends the encrypted verification message to the destination BGP routing device;
after the destination BGP routing device receives the verification message sent by the source BGP routing device, it decrypts the verification message with the second encryption key. If decryption succeeds, it determines that the source BGP routing device has passed authentication; otherwise it determines that authentication of the source BGP routing device has failed and disconnects from the source BGP routing device, so as to prevent data from being sent to an illegitimate receiving device.
Third, the message exchange stage.
After the source BGP routing device's authentication of the destination BGP routing device passes, the source BGP routing device encrypts the BGP message with key b and sends it to the destination BGP routing device, and the destination BGP routing device decrypts the received BGP message with the second encryption key;
after the destination BGP routing device's authentication of the source BGP routing device passes, the destination BGP routing device encrypts the BGP message with key a and sends it to the source BGP routing device, and the source BGP routing device decrypts the received BGP message with the first encryption key.
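The three stages above, and the source/destination modules described earlier (the ciphertext sending, ciphertext decryption, verification sending and authentication modules), as an added example in Go that is not part of the patent: capability negotiation, the key exchange and verification-message authentication in both directions, then the encrypted message exchange with key a and key b. RSA-OAEP stands in for the patent's unspecified public-key encryption and AES-256-GCM for its unspecified symmetric encryption; the verification message contents, the 32-byte key size and the sample BGP message text are assumptions of the example. SendEncryptedKey, ReceiveKeyAndProve and VerifyPeer correspond to the ciphertext sending, ciphertext decryption plus verification sending, and authentication modules respectively; the same code runs on both devices, so the "first" and "second" keys differ only in which side generated them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// verifyMsg is constructed for this example; the patent does not fix its contents.
var verifyMsg = []byte("BGP-ENCRYPTED-AUTH-VERIFY")
const nonceSize = 12 // standard AES-GCM nonce length

// Router models one BGP routing device: priv is its pre-configured private key, peerPub the
// pre-configured public key of the legitimate peer; recvKey is the key it generated (the peer
// encrypts to it), sendKey the key decrypted from the peer (it encrypts to the peer with that).
type Router struct {
	SupportsAuth     bool // device capability configuration information
	priv             *rsa.PrivateKey
	peerPub          *rsa.PublicKey
	recvKey, sendKey []byte
}
func NewRouter(supportsAuth bool) *Router { // GenerateKey fails only on a broken entropy source
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Router{SupportsAuth: supportsAuth, priv: priv}
}
// Provision installs the peer's public key, as an operator would pre-configure it.
func (r *Router) Provision(peer *Router) { r.peerPub = &peer.priv.PublicKey }

// SendEncryptedKey: a fresh random key, encrypted under the peer's public key (RSA-OAEP here).
func (r *Router) SendEncryptedKey() ([]byte, error) {
	r.recvKey = make([]byte, 32)
	rand.Read(r.recvKey) // crypto/rand.Read never fails (Go 1.24+)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, r.peerPub, r.recvKey, nil)
}
// ReceiveKeyAndProve decrypts the peer's key with this router's private key and returns the
// verification message encrypted under it; without the matching private key no valid proof results.
func (r *Router) ReceiveKeyAndProve(encKey []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, r.priv, encKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot decrypt peer key: %w", err)
	}
	r.sendKey = key
	return seal(key, verifyMsg)
}
// VerifyPeer decrypts the proof with the key this router generated; failure means the peer is rejected.
func (r *Router) VerifyPeer(proof []byte) error {
	if pt, err := open(r.recvKey, proof); err != nil || string(pt) != string(verifyMsg) {
		return fmt.Errorf("peer authentication failed")
	}
	return nil
}
// Message exchange stage: encrypt with the peer's key, decrypt with our own.
func (r *Router) EncryptBGP(msg []byte) ([]byte, error) { return seal(r.sendKey, msg) }
func (r *Router) DecryptBGP(ct []byte) ([]byte, error)  { return open(r.recvKey, ct) }

// EstablishSecureChannel: OPEN capability negotiation (failure means plain BGP or disconnect),
// then key exchange and authentication both ways; src's key becomes key a at dst, dst's key b at src.
func EstablishSecureChannel(src, dst *Router) error {
	if !src.SupportsAuth || !dst.SupportsAuth {
		return fmt.Errorf("negotiation failed: encrypted authentication not supported")
	}
	for _, p := range [][2]*Router{{src, dst}, {dst, src}} { // {verifier, prover}
		enc, err := p[0].SendEncryptedKey()
		if err != nil {
			return err
		}
		if proof, err := p[1].ReceiveKeyAndProve(enc); err != nil {
			return err
		} else if err := p[0].VerifyPeer(proof); err != nil {
			return err
		}
	}
	return nil
}

// seal/open use AES-256-GCM with a prefixed random nonce (the example's choice; the patent names
// no symmetric cipher). aes.NewCipher rejects the empty key of a router that has not finished the exchange.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, nonceSize)
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) < nonceSize {
		return nil, fmt.Errorf("cannot decrypt: no session key or ciphertext too short")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:nonceSize], ct[nonceSize:], nil)
}
```

A device that lacks the matching private key fails at ReceiveKeyAndProve, so the verifier never receives a proof it can decrypt; that is the rejection the description relies on, and it makes the pre-configured private keys the entire trust basis of the scheme. Choosing an AEAD for the message exchange stage also lets the receiver detect a modified ciphertext, which plain "encryption" as the patent words it does not guarantee on its own.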
In summary, the beneficial effects of the utility model include the following.
In the scheme provided by the utility model, the source BGP routing device authenticates the identity of the destination BGP routing device and, after the authentication passes, encrypts the BGP message and sends it to the destination BGP routing device; the destination BGP routing device decrypts the received BGP message and obtains the routing information carried in it. Because the receiving device is authenticated before the BGP message is sent, and the BGP message is encrypted, the routing information in the BGP message is protected from being stolen or tampered with, and the BGP message is prevented from being sent to an illegitimate receiver, which strengthens the security of the BGP protocol.
Moreover, the utility model only adds the encrypted-authentication capability to the BGP protocol and changes the BGP protocol very little. At the same time, if a BGP device does not support the encrypted-authentication capability, a connection can still be made according to the method of the existing BGP protocol, which guarantees backward compatibility with the BGP protocol.
Obviously, those skilled in the art can make various changes and modifications to the utility model without departing from its spirit and scope. Thus, if these changes and modifications of the utility model fall within the scope of the claims of the utility model and their equivalent technologies, the utility model is also intended to include them.

Claims (12)

1. A Border Gateway Protocol (BGP) routing device, comprising a sending device for sending BGP messages to a destination BGP routing device, characterized in that the device further comprises:
an authentication device, connected to the encryption device, for authenticating the destination BGP routing device;
an encryption device, connected to the authentication device and the sending device, for encrypting the BGP message after the authentication by the authentication device has passed and transferring it to the sending device for sending.
2. The device according to claim 1, characterized in that the device further comprises:
a configuration device, connected to the negotiation initiating device, for reading the input device capability configuration information;
a negotiation initiating device, connected to the configuration device and the authentication device, for: when the device capability configuration information read by the configuration device includes information indicating that this BGP routing device supports the encryption and authentication capability, establishing a Transmission Control Protocol (TCP) connection with the destination BGP routing device and sending to the destination BGP routing device a capability negotiation message carrying information indicating that it supports the encryption and authentication capability; and receiving the capability negotiation response message sent by the destination BGP routing device;
the authentication device is further connected to the negotiation initiating device, and the authentication device is used for:
authenticating the destination BGP routing device when the capability negotiation response message carries information indicating that the destination BGP routing device supports the encryption and authentication capability.
3. The device according to claim 2, characterized in that the device further comprises:
a negotiation response device, connected to the configuration device, for receiving a capability negotiation message sent by the destination BGP routing device and, when the device capability configuration information read by the configuration device includes information indicating that this BGP routing device supports the encryption and authentication capability, returning to the destination BGP routing device a capability negotiation response message carrying that information.
4. The device according to claim 2, characterized in that the device further comprises:
a negotiation failure processing device, connected to the negotiation initiating device, for disconnecting the TCP connection with the destination BGP routing device, or re-establishing a connection with the destination BGP routing device according to the BGP protocol, when the capability negotiation response message does not carry information indicating that the destination BGP routing device supports the encryption and authentication capability.
5. The device according to claim 1, characterized in that the authentication device comprises:
a ciphertext sending module, for obtaining a first encryption key, encrypting the first encryption key with a first pre-configured public key, and sending the encrypted first encryption key to the destination BGP routing device;
an authentication module, connected to the ciphertext sending module, for receiving a verification message sent by the destination BGP routing device and decrypting the verification message with the first encryption key; if decryption succeeds, determining that the authentication of the destination BGP routing device passes, otherwise determining that the authentication of the destination BGP routing device fails.
6. The device according to claim 5, characterized in that the authentication device further comprises:
a ciphertext decryption module, for decrypting, with a second pre-configured private key, the encrypted second encryption key sent by the destination BGP routing device, which the destination BGP routing device generated by encrypting the second encryption key with a second pre-configured public key;
a verification sending module, connected to the ciphertext decryption module, for encrypting a verification message with the encryption key obtained by the ciphertext decryption module and sending it to the destination BGP routing device for authentication.
7. The device according to claim 6, characterized in that the encryption device comprises:
a message encryption module, connected to the ciphertext decryption module, for encrypting the BGP message with the encryption key obtained by the ciphertext decryption module and transferring it to the sending device for sending.
8. A Border Gateway Protocol (BGP) routing system, characterized in that the system comprises:
a source BGP routing device, connected to a destination BGP routing device, for authenticating the destination BGP routing device and, after authentication passes, encrypting a BGP message and sending it to the destination BGP routing device;
the destination BGP routing device, connected to the source BGP routing device, for decrypting the received BGP message and obtaining the routing information carried in the BGP message.
9. The system according to claim 8, characterized in that the source BGP routing device comprises:
a first authentication device, for authenticating the destination BGP routing device;
a first encryption device, connected to the first authentication device, for encrypting the BGP message after the authentication by the first authentication device has passed;
a first sending device, connected to the first encryption device, for sending the BGP message encrypted by the first encryption device to the destination BGP routing device;
and the destination BGP routing device comprises:
a message decryption device, connected to the first sending device, for decrypting the BGP message sent by the source BGP routing device;
an information acquisition device, connected to the message decryption device, for obtaining the routing information carried in the BGP message decrypted by the message decryption device.
10. The system according to claim 9, characterized in that the first authentication device comprises:
a first ciphertext sending module, for obtaining a first encryption key, encrypting the first encryption key with a first pre-configured public key, and sending the encrypted first encryption key to the destination BGP routing device;
a first authentication module, connected to the first ciphertext sending module, for receiving a verification message sent by the destination BGP routing device and decrypting the verification message with the first encryption key; if decryption succeeds, determining that the authentication of the destination BGP routing device passes, otherwise determining that the authentication of the destination BGP routing device fails;
the destination BGP routing device further comprises a second authentication device, and the second authentication device comprises:
a second ciphertext decryption module, connected to the first ciphertext sending module, for decrypting, with a first pre-configured private key, the first encryption key sent by the first ciphertext sending module;
a second verification sending module, connected to the second ciphertext decryption module, for encrypting a verification message with the encryption key obtained by the second ciphertext decryption module and sending the encrypted verification message to the source BGP routing device.
11. The system according to claim 10, characterized in that the second authentication device further comprises:
a second ciphertext sending module, for obtaining a second encryption key, encrypting the second encryption key with a second pre-configured public key, and sending the encrypted second encryption key to the source BGP routing device;
the first authentication device further comprises:
a first ciphertext decryption module, connected to the second ciphertext sending module, for decrypting, with a second pre-configured private key, the second encryption key sent by the second ciphertext sending module;
and the first encryption device comprises:
a first message encryption module, connected to the first ciphertext decryption module, for encrypting the BGP message with the encryption key obtained by the first ciphertext decryption module.
12. The system according to claim 8, characterized in that the source BGP routing device further comprises:
a negotiation initiating device, connected to the first authentication device, for establishing a Transmission Control Protocol (TCP) connection with the destination BGP routing device, sending to the destination BGP routing device a capability negotiation message carrying information indicating that it supports the encryption and authentication capability, and receiving the capability negotiation response message sent by the destination BGP routing device;
the first authentication device is further connected to the negotiation initiating device, and the first authentication device is used for:
authenticating the destination BGP routing device when the capability negotiation response message carries information indicating that the destination BGP routing device supports the encryption and authentication capability;
and the destination BGP routing device further comprises:
a negotiation response device, connected to the negotiation initiating device, for receiving the capability negotiation message and returning the capability negotiation response message to the source BGP routing device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009201612419U CN201479154U (en) 2009-07-16 2009-07-16 BGP routing system and apparatus

Publications (1)

Publication Number Publication Date
CN201479154U true CN201479154U (en) 2010-05-19

Family

ID=42415409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009201612419U Expired - Fee Related CN201479154U (en) 2009-07-16 2009-07-16 BGP routing system and apparatus

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102148832A (en) * 2011-04-07 2011-08-10 清华大学 High-efficiency method for identifying border gateway routing protocol path
CN102148832B (en) * 2011-04-07 2013-06-12 清华大学 High-efficiency method for identifying border gateway routing protocol path
CN103036733A (en) * 2011-10-09 2013-04-10 上海城际互通通信有限公司 Unconventional network access behavior monitoring system and monitoring method
CN103036733B (en) * 2011-10-09 2016-07-06 上海市南电信服务中心有限公司 Unconventional network accesses monitoring system and the monitoring method of behavior
CN104486082A (en) * 2014-12-15 2015-04-01 中电长城网际系统应用有限公司 Authentication method and router
CN104486082B (en) * 2014-12-15 2018-07-31 中电长城网际系统应用有限公司 Authentication method and router

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100519

Termination date: 20140716

EXPY Termination of patent right or utility model