WO2016134631A1 - Method and network element for processing OpenFlow packets - Google Patents

Method and network element for processing OpenFlow packets

Info

Publication number
WO2016134631A1
WO2016134631A1 (application PCT/CN2016/073196)
Authority
WO
WIPO (PCT)
Prior art keywords
network element
openflow
key
controller
authentication
Prior art date
Application number
PCT/CN2016/073196
Other languages
English (en)
French (fr)
Inventor
李辉
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2016134631A1

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • This document relates to, but is not limited to, the field of Software Defined Network (SDN), and particularly relates to a method and a network element for processing OpenFlow packets.
  • SDN is a brand-new network architecture. Its core design concept is to separate the control plane of the network from the data forwarding plane and implement programmable control through the open interface between the control plane and the forwarding plane.
  • the basic network elements of SDN include: the SDN controller, which maintains the global network view and offers upper-layer applications a programmable interface for implementing network services (called the "northbound interface"); application services, which run on the SDN controller and use the global network view it provides to offer network services such as routing, security, access control, bandwidth management, traffic engineering and quality of service; and the forwarding abstraction (called the "southbound interface"), through which the SDN controller uses the network abstraction of the forwarding plane to construct the global network view.
  • OpenFlow is a standardized southbound interface used for communication between controllers and network devices, used by controllers to control network devices, and used by network devices to feed back information to controllers.
  • the OpenFlow protocol involves two network elements: an OpenFlow controller (Controller) and an OpenFlow switch (Switch). Part of the OpenFlow protocol runs on the controller and another part runs on the switch.
  • the protocol specifically defines the functional components of the switch forwarding plane, the interaction process between the controller and the switch, and the message type and message format of the communication between the two.
  • the switch and the controller can communicate using a Transport Layer Security (TLS) connection, or a simple Transmission Control Protocol (TCP) connection can be used for communication.
  • TLS protocol is a security protocol at the transport layer. The encryption algorithm, communication key negotiation, and server authentication work are completed before the application layer protocol communication. After that, the data transmitted by the application layer protocol will be encrypted to ensure the privacy of the communication.
  • the TLS protocol is optional. To use it, both client and server must be configured, and there are two main ways to achieve this: one is to use a unified TLS protocol port number; the other is for the client to use a specific protocol mechanism when requesting a TLS connection to the server. A secure connection cannot be created as long as one end does not support the TLS protocol.
  • the OpenFlow protocol also recommends that, when a simple TCP connection is used, an alternative security measure be applied to prevent eavesdropping and impersonation attacks on the OpenFlow channel, so as to ensure the integrity and security of OpenFlow packets. However, the OpenFlow protocol does not specify which alternative security measure to use.
  • the embodiment of the invention provides a method for processing an OpenFlow message and a network element to securely transmit an OpenFlow message on a simple TCP connection.
  • An embodiment of the present invention provides a method for processing an OpenFlow packet, including:
  • the first network element establishes an OpenFlow channel with the second network element based on the simple TCP connection;
  • the first network element and the second network element perform key authentication
  • the first network element encrypts or decrypts the OpenFlow message by using the session key established in the key authentication process in the OpenFlow channel.
  • performing key authentication by the first network element and the second network element includes:
  • the first network element performs key authentication with the second network element by using a shared key.
  • performing key authentication by the first network element and the second network element includes:
  • the first network element performs key authentication with the second network element by using a public key provided by the public key infrastructure directory server.
  • performing key authentication by the first network element and the second network element includes:
  • the first network element performs key authentication with the second network element by using a designated key distribution center.
  • the first network element includes an OpenFlow controller, and the second network element includes an OpenFlow switch; or
  • the first network element includes an OpenFlow switch, and the second network element includes an OpenFlow controller.
  • Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.
  • the embodiment of the invention further provides a network element, including:
  • a key module configured to perform key authentication with the specified network element
  • the processing module is configured to encrypt or decrypt the OpenFlow message by using the session key established in the key authentication process in the OpenFlow channel.
  • the key module is configured to perform key authentication with the specified network element by using a shared key.
  • the key module is configured to perform key authentication with the specified network element by using a public key provided by the public key infrastructure directory server.
  • the key module is configured to perform key authentication with the specified network element by using a specified key distribution center.
  • the network element includes an OpenFlow controller, where the specified network element includes an OpenFlow switch; or
  • the network element includes an OpenFlow switch, and the designated network element includes an OpenFlow controller.
  • the embodiment of the present invention provides a method for processing an OpenFlow packet and a network element, which can ensure the security of the OpenFlow packet transmitted on a simple TCP connection.
  • FIG. 1 is a flowchart of a method for processing an OpenFlow packet according to an embodiment of the present invention
  • FIG. 2 is a schematic flow chart of a method according to an embodiment of the present invention.
  • FIG. 3 is a flow chart of Embodiment 1 of the present invention.
  • FIG. 5 is a flowchart of Embodiment 3 of the present invention.
  • FIG. 6 is a schematic diagram of a network element according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for processing an OpenFlow packet according to an embodiment of the present invention. As shown in FIG. 1, the method of this embodiment includes the following steps:
  • Step 1 The first network element establishes an OpenFlow channel with the second network element based on the simple TCP connection.
  • Step 2 The first network element and the second network element perform key authentication.
  • Step 3 The first network element encrypts or decrypts the OpenFlow message by using the session key established in the key authentication process in the OpenFlow channel.
  • the first network element includes an OpenFlow controller, and the second network element includes an OpenFlow switch; or the first network element includes an OpenFlow switch, and the second network element includes an OpenFlow controller.
  • the method of this embodiment can securely transmit OpenFlow messages on a simple TCP connection.
  • the method is based on a simple TCP connection. After the OpenFlow channel between the controller and the switch is established, a key challenge and response are first performed for authentication; after authentication is completed, a session key between the controller and the switch is established, and the session key is used in the OpenFlow channel to encrypt and decrypt the contents of OpenFlow messages. This ensures the security of OpenFlow packets transmitted over a simple TCP connection.
  • the method of the embodiment of the present invention includes the following steps:
  • Step 11 An OpenFlow channel is established between the OpenFlow switch and the OpenFlow controller based on a simple TCP connection. After the OpenFlow channel is established, the switch and the controller send Hello messages to each other, each carrying its own identifier (ID) in the Hello message.
  • Step 12 After receiving the Hello message of the other party, the switch or the controller obtains the ID of the other party, and sends an Echo Request message to the other party, where the Echo Request message carries the challenge information of the key.
  • Step 13 After receiving the Echo Request message sent by the peer, the switch or the controller sends an Echo Reply message to the other party according to the key authentication policy, and carries the response information of the key in the Echo Reply message.
  • the key authentication policy can be in any of the following ways:
  • Manner 1 The key is authenticated by the shared key between the switch and the controller, and the session key is established.
  • Manner 2 A public key infrastructure (PKI) directory server provides lookup of public key certificates; key authentication is completed using the public key, and a session key is established;
  • the public key certificate contains the public key, that is, the public key exists in the form of a certificate in the PKI directory server.
  • Manner 3 A trusted Key Distribution Center (KDC) is used to complete the key authentication and establish a session key.
  • Step 14 After receiving the Echo Reply message carrying the response information of the key sent by the peer, the switch or the controller generates a session key K_S and sends the session key K_S to the other party through the Echo Request message.
  • the session key K_S is randomly generated.
  • Step 15 After receiving the Echo Request message carrying the session key K_S sent by the peer, the switch or the controller sends an Echo Reply message to the other party to confirm the session key and complete the authentication.
  • Step 16 After the key authentication is completed, the switch and the controller encrypt the content of the sent OpenFlow message by using the session key K_S, and decrypt the received OpenFlow message according to the session key K_S.
  • the method of the embodiment of the present invention can perform the process of encrypting and decrypting OpenFlow packets on a simple TCP connection to ensure the security of OpenFlow packets.
  • Embodiment 1 Authentication using a shared key.
  • Figure 3 shows the method for authenticating a shared key between an OpenFlow controller and an OpenFlow switch, including the following steps:
  • Step 101 An element management system (EMS) or a network management system (NMS) configures the shared key K_AB on the OpenFlow controller and the OpenFlow switch.
  • Step 102 After the OpenFlow channel is established, the OpenFlow switch carries its own identifier (ID: B) in the Hello message and sends it to the OpenFlow controller;
  • Step 103 After receiving the Hello message sent by the OpenFlow switch, the OpenFlow controller generates a random number R_B as a challenge, which is carried in the Echo Request message and sent to the OpenFlow switch.
  • Step 104 After receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch obtains the first ciphertext K_AB(R_B) by encrypting R_B with the shared key K_AB, and sends the first ciphertext to the OpenFlow controller in the Echo Reply message.
  • Step 105 After receiving the Echo Reply message sent by the OpenFlow switch, the OpenFlow controller performs key authentication, establishes a session key K_S after the authentication is completed, encrypts K_S with the shared key K_AB to obtain the second ciphertext K_AB(K_S), and then carries the second ciphertext in the Echo Request message and sends it to the OpenFlow switch;
  • key authentication includes:
  • the first ciphertext is decrypted by using the shared key K_AB; if the plaintext obtained by decryption is the same as R_B, the authentication passes; if the plaintext obtained by decryption differs from R_B, the authentication fails.
  • the session key K_S is randomly generated.
  • Step 106 After receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch sends an Echo Reply message to confirm.
  • the OpenFlow switch decrypts the second ciphertext by using the shared key K_AB to obtain the session key K_S.
  • the Echo Reply message is sent to confirm, that is, the Echo Reply message carries an indication that the session key was successfully obtained.
  • Step 107 After the confirmation is completed, the messages exchanged in the OpenFlow channel can be encrypted and decrypted by using the session key K_S.
  • Embodiment 2 Query the public key to the PKI directory server and use the public key for authentication.
  • FIG. 4 shows the flow of the method by which the OpenFlow controller and the OpenFlow switch obtain public keys through the PKI directory server and authenticate each other. The PKI directory server stores the public key information of the OpenFlow switch and the OpenFlow controller. The method includes the following steps:
  • Step 201 After the OpenFlow channel is established, the OpenFlow controller carries its own identifier (ID: A) in the Hello message and sends it to the OpenFlow switch.
  • Step 202 After receiving the Hello message sent by the OpenFlow controller, the OpenFlow switch requests the public key E_A of the OpenFlow controller from the PKI directory server.
  • Step 203 The PKI directory server sends the public key E_A of the OpenFlow controller to the OpenFlow switch.
  • Step 204 The OpenFlow switch encrypts its own identifier (ID: B) and a random number R_B using the public key E_A to obtain a third ciphertext E_A(B, R_B), and carries the third ciphertext in the Echo Request message sent to the OpenFlow controller.
  • Step 205 After receiving the Echo Request message of the OpenFlow switch, the OpenFlow controller requests the public key E_B of the OpenFlow switch from the PKI directory server.
  • the OpenFlow controller decrypts the third ciphertext using the public key E_A to obtain R_B.
  • Step 206 The PKI directory server sends the public key E_B of the OpenFlow switch to the OpenFlow controller.
  • Step 207 The OpenFlow controller establishes a session key K_S, encrypts K_S, a new random number R_A and the random number R_B sent by the OpenFlow switch using the public key E_B to obtain a fourth ciphertext E_B(R_B, R_A, K_S), and carries the fourth ciphertext in the Echo Reply message sent to the OpenFlow switch;
  • the session key K_S is randomly generated.
  • Step 208 After receiving the Echo Reply message sent by the OpenFlow controller, the OpenFlow switch encrypts the random number R_A using the session key K_S to obtain the fifth ciphertext K_S(R_A), and carries the fifth ciphertext in the Echo Request message sent to the OpenFlow controller;
  • the OpenFlow switch decrypts the fourth ciphertext by using the public key E_B to obtain R_B, R_A and K_S.
  • Step 209 After receiving the Echo Request message sent by the OpenFlow switch, the OpenFlow controller sends an Echo Reply message to confirm.
  • after receiving the Echo Request message sent by the OpenFlow switch, the OpenFlow controller decrypts the fifth ciphertext using the session key K_S to obtain R_A; if the decrypted R_A is the same as the previously generated R_A, the authentication passes; if the decrypted R_A differs from the previously generated R_A, the authentication fails.
  • the Echo Reply message is sent to confirm, that is, the Echo Reply message carries an indication that the session key was successfully obtained.
  • Step 210 After the confirmation is completed, the messages exchanged in the OpenFlow channel can be encrypted and decrypted using the session key K_S.
  • Embodiment 3 Authentication by a trusted key distribution center.
  • FIG. 5 shows a method for authentication between an OpenFlow controller and an OpenFlow switch through a key distribution center that is trusted by both the OpenFlow controller and the OpenFlow switch. The method includes the following steps:
  • Step 301 After the OpenFlow channel is established, the OpenFlow switch carries its own identifier (ID: B) in the Hello message and sends it to the OpenFlow controller.
  • Step 302 The OpenFlow controller sends a random number R_A, the identifier A of the OpenFlow controller and the identifier B of the OpenFlow switch to the key distribution center.
  • Step 303 The key distribution center establishes a session key K_S, encrypts the identifier A of the OpenFlow controller and the session key K_S using the shared key K_B between the key distribution center and the OpenFlow switch to obtain the sixth ciphertext K_B(A, K_S), and uses the sixth ciphertext as a ticket that can be forwarded to the OpenFlow switch; it then encrypts the random number R_A, the identifier B of the OpenFlow switch, the session key K_S and the ticket K_B(A, K_S) using the shared key K_A between the key distribution center and the OpenFlow controller to obtain the seventh ciphertext K_A(R_A, B, K_S, K_B(A, K_S)), and sends the seventh ciphertext to the OpenFlow controller;
  • Step 304 The OpenFlow controller decrypts the seventh ciphertext using the shared key K_A to obtain R_A, B, K_S and K_B(A, K_S), encrypts a new random number R_A2 using the session key K_S to obtain the eighth ciphertext K_S(R_A2), and carries the eighth ciphertext and the ticket K_B(A, K_S) received from the key distribution center in the Echo Request message sent to the OpenFlow switch;
  • Step 305 After receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch decrypts the ticket K_B(A, K_S) using the shared key K_B to obtain A and K_S, decrypts the eighth ciphertext using the recovered K_S to obtain R_A2, decrements R_A2 by 1 and encrypts the result using the session key K_S to obtain the ninth ciphertext K_S(R_A2 - 1), and carries the ninth ciphertext and a new random number R_B in the Echo Reply message sent to the OpenFlow controller;
  • Step 306 After receiving the Echo Reply message sent by the OpenFlow switch, the OpenFlow controller decrypts the ninth ciphertext using the session key K_S to obtain (R_A2 - 1), adds 1 to obtain R_A2, and checks that the decrypted R_A2 is the same as the previously generated R_A2; it then decrements the random number R_B by 1, encrypts the result using the session key K_S to obtain the tenth ciphertext K_S(R_B - 1), and carries the tenth ciphertext in the Echo Request message sent to the OpenFlow switch;
  • Step 307 After receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch decrypts the tenth ciphertext using the session key K_S to obtain (R_B - 1), adds 1 to obtain R_B, checks that the decrypted R_B is the same as the previously generated R_B, and sends an Echo Reply message to confirm;
  • Step 308 After the confirmation is completed, the messages exchanged in the OpenFlow channel can be encrypted and decrypted using the session key K_S.
  • Embodiments of the present invention also provide a computer readable storage medium storing computer executable instructions for performing any of the methods described above.
  • FIG. 6 is a schematic diagram of a network element according to an embodiment of the present invention. As shown in FIG. 6, the network element in this embodiment includes:
  • an establishment module configured to establish an OpenFlow channel with the specified network element based on a simple TCP connection;
  • a key module configured to perform key authentication with the specified network element to establish a session key
  • the processing module is configured to encrypt or decrypt the OpenFlow message by using the session key in the OpenFlow channel.
  • the key module is configured to perform key authentication with the specified network element by using a shared key, and establish a session key after the authentication is completed.
  • the key module is configured to authenticate the key with the specified network element by using a public key provided by the public key infrastructure directory server, and establish a session key.
  • the key module is configured to establish a session key by using a specified key distribution center to authenticate the key with the specified network element.
  • the network element includes an OpenFlow controller, and the specified network element includes an OpenFlow switch; or the network element includes an OpenFlow switch, and the designated network element includes an OpenFlow controller.
  • each module/unit in the foregoing embodiments may be implemented in hardware, for example by an integrated circuit that performs its function, or as a software functional module, for example by a processor executing a program or instructions stored in memory to perform its function.
  • the invention is not limited to any specific form of combination of hardware and software.
  • the embodiment of the invention can ensure the security of transmitting OpenFlow packets over a simple TCP connection.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and a network element for processing OpenFlow packets. The method includes: a first network element establishes an OpenFlow channel with a second network element over a simple Transmission Control Protocol (TCP) connection; the first network element and the second network element perform key authentication; and the first network element encrypts or decrypts OpenFlow packets in the OpenFlow channel using the session key established during the key authentication process.

Description

Method and network element for processing OpenFlow packets
Technical Field
This document relates to, but is not limited to, the technical field of software defined networking (SDN), and in particular to a method and a network element for processing OpenFlow packets.
Background
SDN is a brand-new network architecture whose core design concept is to separate the network's control plane from the data forwarding plane and to achieve programmable control through an open interface between the control plane and the forwarding plane. The basic network elements of SDN include: the SDN controller, which maintains the global network view and offers upper-layer applications a programmable interface for implementing network services (called the "northbound interface"); application services, which run on top of the SDN controller and use the global network view it provides to offer users a variety of network services such as routing, security, access control, bandwidth management, traffic engineering and quality of service; and the forwarding abstraction (called the "southbound interface"), through which the SDN controller uses the network abstraction of the forwarding plane to build the global network view.
OpenFlow is a standardized southbound interface for communication between the controller and network devices; the controller uses it to control network devices, and network devices use it to report information back to the controller. The OpenFlow protocol involves two network elements: the OpenFlow controller and the OpenFlow switch. Part of the OpenFlow protocol runs on the controller and the other part runs on the switch. The protocol defines the functional components of the switch's forwarding plane, the interaction procedure between the controller and the switch, and the message types and message formats used for communication between the two.
In the OpenFlow protocol, the switch and the controller may communicate over a Transport Layer Security (TLS) connection or over a simple Transmission Control Protocol (TCP) connection. TLS is a security protocol at the transport layer: negotiation of the encryption algorithm and communication keys and authentication of the server are completed before the application-layer protocol starts communicating, after which all data carried by the application-layer protocol is encrypted, guaranteeing the confidentiality of the communication. TLS is optional, however; to use it, both client and server must be configured, and there are two main ways to achieve this: one is to use a unified TLS protocol port number; the other is for the client to use a specific protocol mechanism when requesting a TLS connection to the server. As long as one end does not support TLS, no secure connection can be created. The OpenFlow protocol also recommends that, when a simple TCP connection is used, an alternative security measure be applied to prevent eavesdropping, impersonation attacks and the like on the OpenFlow channel, so as to guarantee the integrity and security of OpenFlow packets. However, the OpenFlow protocol does not specify which alternative security measure to use.
Summary
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Embodiments of the present invention provide a method and a network element for processing OpenFlow packets, so that OpenFlow packets can be transmitted securely over a simple TCP connection.
An embodiment of the present invention provides a method for processing OpenFlow packets, including:
a first network element establishes an OpenFlow channel with a second network element over a simple TCP connection;
the first network element and the second network element perform key authentication;
the first network element encrypts or decrypts OpenFlow packets in the OpenFlow channel using the session key established during the key authentication process.
Optionally, the first network element and the second network element performing key authentication includes:
the first network element performs key authentication with the second network element using a shared key.
Optionally, the first network element and the second network element performing key authentication includes:
the first network element performs key authentication with the second network element using a public key provided by a public key infrastructure directory server.
Optionally, the first network element and the second network element performing key authentication includes:
the first network element performs key authentication with the second network element using a designated key distribution center.
Optionally, the first network element includes an OpenFlow controller and the second network element includes an OpenFlow switch; or
the first network element includes an OpenFlow switch and the second network element includes an OpenFlow controller.
An embodiment of the present invention also provides a computer-readable storage medium storing computer-executable instructions for performing any one of the methods described above.
An embodiment of the present invention also provides a network element, including:
an establishment module configured to establish an OpenFlow channel with a designated network element over a simple TCP connection;
a key module configured to perform key authentication with the designated network element;
a processing module configured to encrypt or decrypt OpenFlow packets in the OpenFlow channel using the session key established during the key authentication process.
Optionally, the key module is configured to perform key authentication with the designated network element using a shared key.
Optionally, the key module is configured to perform key authentication with the designated network element using a public key provided by a public key infrastructure directory server.
Optionally, the key module is configured to perform key authentication with the designated network element using a designated key distribution center.
Optionally, the network element includes an OpenFlow controller and the designated network element includes an OpenFlow switch; or
the network element includes an OpenFlow switch and the designated network element includes an OpenFlow controller.
In summary, embodiments of the present invention provide a method and a network element for processing OpenFlow packets that can guarantee the security of OpenFlow packets transmitted over a simple TCP connection.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief Description of the Drawings
FIG. 1 is a flowchart of a method for processing OpenFlow packets according to an embodiment of the present invention;
FIG. 2 is a schematic flowchart of the method according to an embodiment of the present invention;
FIG. 3 is a flowchart of Embodiment 1 of the present invention;
FIG. 4 is a flowchart of Embodiment 2 of the present invention;
FIG. 5 is a flowchart of Embodiment 3 of the present invention;
FIG. 6 is a schematic diagram of a network element according to an embodiment of the present invention.
Detailed Description
FIG. 1 is a flowchart of a method for processing OpenFlow packets according to an embodiment of the present invention. As shown in FIG. 1, the method of this embodiment includes the following steps:
Step 1: a first network element establishes an OpenFlow channel with a second network element over a simple TCP connection;
Step 2: the first network element and the second network element perform key authentication;
Step 3: the first network element encrypts or decrypts OpenFlow packets in the OpenFlow channel using the session key established during the key authentication process.
Here, the first network element includes an OpenFlow controller and the second network element includes an OpenFlow switch; or the first network element includes an OpenFlow switch and the second network element includes an OpenFlow controller.
The method of this embodiment can transmit OpenFlow packets securely over a simple TCP connection. The method is based on a simple TCP connection: after the OpenFlow channel between the controller and the switch is established, a key challenge and response are first carried out for authentication; once authentication is complete, a session key between the controller and the switch is established, and that session key is used in the OpenFlow channel to encrypt and decrypt the content of OpenFlow packets. This guarantees the security of OpenFlow packets transmitted over a simple TCP connection.
As shown in FIG. 2, the method of the embodiment of the present invention includes the following steps:
Step 11: an OpenFlow channel is established between the OpenFlow switch and the OpenFlow controller over a simple TCP connection; after the OpenFlow channel is established, the switch and the controller send Hello messages to each other, each carrying its own identifier (ID) in the Hello message.
Step 12: after receiving the other party's Hello message, the switch or the controller obtains the other party's ID and sends an Echo Request message to the other party; the Echo Request message carries the key challenge information.
Step 13: after receiving the Echo Request message sent by the other party, the switch or the controller sends an Echo Reply message to the other party according to the key authentication policy; the Echo Reply message carries the key response information.
The key authentication policy may use any one of the following manners:
Manner 1: the switch and the controller complete key authentication through a shared key and establish a session key;
Manner 2: a public key infrastructure (PKI) directory server provides lookup of public key certificates; key authentication is completed using the public key, and a session key is established;
Here, the public key certificate contains the public key; that is, the public key is held in the PKI directory server in the form of a certificate.
Manner 3: a trusted key distribution center (KDC) is used to complete key authentication and establish a session key.
Step 14: after receiving the Echo Reply message carrying the key response information sent by the other party, the switch or the controller generates a session key K_S and sends it to the other party in an Echo Request message.
Here, the session key K_S is generated randomly.
Step 15: after receiving the Echo Request message carrying the session key K_S sent by the other party, the switch or the controller sends an Echo Reply message to the other party to confirm the session key, completing the authentication;
Step 16: after key authentication is complete, the switch and the controller encrypt the content of the OpenFlow packets they send using the session key K_S, and decrypt received OpenFlow packets using the session key K_S.
Using the method of the embodiment of the present invention, OpenFlow packets can be encrypted and decrypted over a simple TCP connection, guaranteeing the security of the OpenFlow packets.
Embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with each other arbitrarily.
Embodiment 1: authentication using a shared key.
FIG. 3 shows a method for authentication between an OpenFlow controller and an OpenFlow switch through a shared key, including the following steps:
Step 101: an element management system (EMS) or a network management system (NMS) configures the shared key K_AB on the OpenFlow controller and the OpenFlow switch;
Step 102: after the OpenFlow channel is established, the OpenFlow switch carries its own identifier (ID: B) in a Hello message and sends it to the OpenFlow controller;
Step 103: after receiving the Hello message sent by the OpenFlow switch, the OpenFlow controller generates a random number R_B as a challenge and sends it to the OpenFlow switch in an Echo Request message;
Step 104: after receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch encrypts R_B with the shared key K_AB to obtain a first ciphertext K_AB(R_B) and sends the first ciphertext to the OpenFlow controller in an Echo Reply message;
Step 105: after receiving the Echo Reply message sent by the OpenFlow switch, the OpenFlow controller performs key authentication; once authentication is complete it establishes a session key K_S, encrypts K_S with the shared key K_AB to obtain a second ciphertext K_AB(K_S), and sends the second ciphertext to the OpenFlow switch in an Echo Request message;
In this step, key authentication includes:
decrypting the first ciphertext with the shared key K_AB; if the plaintext obtained is the same as R_B, authentication passes; if the plaintext obtained differs from R_B, authentication fails.
In this step, the session key K_S is generated randomly.
Step 106: after receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch sends an Echo Reply message to confirm;
In this step, after receiving the Echo Request message, the OpenFlow switch decrypts the second ciphertext with the shared key K_AB to obtain the session key K_S.
In this step, sending the Echo Reply message to confirm means that the Echo Reply message carries an indication that the session key was obtained successfully.
Step 107: once confirmation is complete, the packets exchanged in the OpenFlow channel can be encrypted and decrypted using the session key K_S.
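The shared-key handshake of Embodiment 1 (Steps 102 to 107) and the per-message protection of Step 16, as an added example that is not part of the patent and not ZTE's code. It uses only the Python standard library and simulates both parties in one process. The patent does not name a cipher, so this example assumes an encrypt-then-MAC construction built from HMAC-SHA256 as a stand-in for a real AEAD; it also binds every ciphertext to the switch identifier B taken from the Hello message, and uses a per-direction counter as the nonce so that a replayed or reordered OpenFlow message is rejected rather than decrypted twice. The function names, the message labels and the sample OpenFlow header are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive distinct encryption and MAC keys from one secret. Assumption: a
    # deployment would use a standard KDF and an AEAD such as AES-GCM instead
    # of this HMAC-based stand-in.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, standing in for a stream cipher.
    blocks = [hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || tag; the tag also covers nonce and associated data."""
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    mac_input = nonce + struct.pack(">H", len(aad)) + aad + ct
    return ct + hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()


def unseal(key: bytes, nonce: bytes, aad: bytes, sealed: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on any mismatch."""
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    mac_input = nonce + struct.pack(">H", len(aad)) + aad + ct
    expected = hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- Embodiment 1: shared-key challenge/response over Echo Request/Reply ---

def controller_challenge() -> bytes:
    """Step 103 (controller): random challenge R_B carried in Echo Request."""
    return secrets.token_bytes(16)


def switch_answer_challenge(k_ab: bytes, switch_id: bytes, r_b: bytes):
    """Step 104 (switch): first ciphertext K_AB(R_B), bound to the ID B sent in Hello."""
    nonce = secrets.token_bytes(16)
    return nonce, seal(k_ab, nonce, b"challenge:" + switch_id, r_b)


def controller_verify_and_issue_key(k_ab: bytes, switch_id: bytes, r_b: bytes,
                                    nonce: bytes, first_ct: bytes):
    """Step 105 (controller): verify the response, then return K_S and K_AB(K_S)."""
    try:
        answer = unseal(k_ab, nonce, b"challenge:" + switch_id, first_ct)
    except ValueError:
        answer = None
    if answer != r_b:
        raise PermissionError("key authentication failed")
    k_s = secrets.token_bytes(32)  # session key, randomly generated
    nonce2 = secrets.token_bytes(16)
    return k_s, nonce2, seal(k_ab, nonce2, b"session-key:" + switch_id, k_s)


def switch_accept_key(k_ab: bytes, switch_id: bytes, nonce2: bytes, second_ct: bytes) -> bytes:
    """Step 106 (switch): recover K_S from the second ciphertext before confirming."""
    return unseal(k_ab, nonce2, b"session-key:" + switch_id, second_ct)


class ProtectedChannel:
    """Step 107 / Step 16: one end of the OpenFlow channel under K_S. The
    per-direction counter is the nonce, so a replayed or reordered message
    fails to open instead of being accepted a second time."""

    def __init__(self, k_s: bytes, send_label: bytes, recv_label: bytes):
        self.k_s, self.send_label, self.recv_label = k_s, send_label, recv_label
        self.send_ctr = 0
        self.recv_ctr = 0

    def protect(self, of_msg: bytes) -> bytes:
        nonce = self.send_label + struct.pack(">Q", self.send_ctr)
        self.send_ctr += 1
        return nonce + seal(self.k_s, nonce, b"openflow", of_msg)

    def unprotect(self, wire: bytes) -> bytes:
        nonce, body = wire[:9], wire[9:]
        if nonce != self.recv_label + struct.pack(">Q", self.recv_ctr):
            raise ValueError("replayed or out-of-order message")
        plain = unseal(self.k_s, nonce, b"openflow", body)
        self.recv_ctr += 1
        return plain


def run_demo(k_ab: bytes = b"\x01" * 32, switch_id: bytes = b"B") -> bytes:
    """Run Steps 103-107 in-process; return the OpenFlow message the controller decrypts."""
    r_b = controller_challenge()
    n1, first_ct = switch_answer_challenge(k_ab, switch_id, r_b)
    k_s, n2, second_ct = controller_verify_and_issue_key(k_ab, switch_id, r_b, n1, first_ct)
    k_s_switch = switch_accept_key(k_ab, switch_id, n2, second_ct)
    assert k_s_switch == k_s
    # Constructed OpenFlow 1.3 header: version 4, OFPT_ECHO_REQUEST (2), length 8, xid 1.
    of_msg = bytes([0x04, 2]) + struct.pack(">HI", 8, 1)
    switch_side = ProtectedChannel(k_s_switch, b"S", b"C")
    controller_side = ProtectedChannel(k_s, b"C", b"S")
    return controller_side.unprotect(switch_side.protect(of_msg))
```

`run_demo()` returns the original 8-byte header; a switch holding a different K_AB makes `controller_verify_and_issue_key` raise `PermissionError`, and feeding the same protected message to `unprotect` twice raises `ValueError` because the receive counter has already moved on.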
Embodiment 2: querying the public key from a PKI directory server and authenticating with the public key.
FIG. 4 shows the flow of the method by which the OpenFlow controller and the OpenFlow switch obtain public keys through a PKI directory server and authenticate each other. The PKI directory server holds the public key information of the OpenFlow switch and the OpenFlow controller. The method includes the following steps:
Step 201: after the OpenFlow channel is established, the OpenFlow controller carries its own identifier (ID: A) in a Hello message and sends it to the OpenFlow switch;
Step 202: after receiving the Hello message sent by the OpenFlow controller, the OpenFlow switch requests the OpenFlow controller's public key E_A from the PKI directory server;
Step 203: the PKI directory server sends the OpenFlow controller's public key E_A to the OpenFlow switch;
Step 204: the OpenFlow switch encrypts its own identifier (ID: B) and a random number R_B with the public key E_A to obtain a third ciphertext E_A(B, R_B), and sends the third ciphertext to the OpenFlow controller in an Echo Request message;
Step 205: after receiving the OpenFlow switch's Echo Request message, the OpenFlow controller requests the OpenFlow switch's public key E_B from the PKI directory server;
In this step, after receiving the Echo Request message, the OpenFlow controller decrypts the third ciphertext using the public key E_A to obtain R_B.
Step 206: the PKI directory server sends the OpenFlow switch's public key E_B to the OpenFlow controller;
Step 207: the OpenFlow controller establishes a session key K_S, encrypts K_S, a new random number R_A and the random number R_B sent by the OpenFlow switch with the public key E_B to obtain a fourth ciphertext E_B(R_B, R_A, K_S), and sends the fourth ciphertext to the OpenFlow switch in an Echo Reply message;
In this step, the session key K_S is generated randomly.
Step 208: after receiving the Echo Reply message sent by the OpenFlow controller, the OpenFlow switch encrypts the random number R_A with the session key K_S to obtain a fifth ciphertext K_S(R_A), and sends the fifth ciphertext to the OpenFlow controller in an Echo Request message;
In this step, after receiving the Echo Reply message, the OpenFlow switch decrypts the fourth ciphertext using the public key E_B to obtain R_B, R_A and K_S.
Step 209: after receiving the Echo Request message sent by the OpenFlow switch, the OpenFlow controller sends an Echo Reply message to confirm;
In this step, after receiving the Echo Request message sent by the OpenFlow switch, the OpenFlow controller decrypts the fifth ciphertext with the session key K_S to obtain R_A; if the decrypted R_A is the same as the previously generated R_A, authentication passes; if the decrypted R_A differs from the previously generated R_A, authentication fails.
In this step, sending the Echo Reply message to confirm means that the Echo Reply message carries an indication that the session key was obtained successfully.
Step 210: once confirmation is complete, the packets exchanged in the OpenFlow channel can be encrypted and decrypted using the session key K_S.
Embodiment 3: authentication through a trusted key distribution center.
FIG. 5 shows a method for authentication between the OpenFlow controller and the OpenFlow switch through a key distribution center that is trusted by both the OpenFlow controller and the OpenFlow switch. The method includes the following steps:
Step 301: after the OpenFlow channel is established, the OpenFlow switch carries its own identifier (ID: B) in a Hello message and sends it to the OpenFlow controller;
Step 302: the OpenFlow controller sends a random number R_A, the OpenFlow controller's identifier A and the OpenFlow switch's identifier B to the key distribution center;
Step 303: the key distribution center establishes a session key K_S, encrypts the OpenFlow controller's identifier A and the session key K_S with the shared key K_B between the key distribution center and the OpenFlow switch to obtain a sixth ciphertext K_B(A, K_S), and treats the sixth ciphertext as a ticket that can be forwarded to the OpenFlow switch; it then encrypts the random number R_A, the OpenFlow switch's identifier B, the session key K_S and the ticket K_B(A, K_S) with the shared key K_A between the key distribution center and the OpenFlow controller to obtain a seventh ciphertext K_A(R_A, B, K_S, K_B(A, K_S)), and sends the seventh ciphertext to the OpenFlow controller;
Step 304: the OpenFlow controller decrypts the seventh ciphertext with the shared key K_A to obtain R_A, B, K_S and K_B(A, K_S), encrypts a new random number R_A2 with the session key K_S to obtain an eighth ciphertext K_S(R_A2), and sends the eighth ciphertext together with the ticket K_B(A, K_S) received from the key distribution center to the OpenFlow switch in an Echo Request message;
Step 305: after receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch decrypts the ticket K_B(A, K_S) with the shared key K_B to obtain A and K_S, decrypts the eighth ciphertext with the recovered K_S to obtain R_A2, decrements R_A2 by 1 and encrypts the result with the session key K_S to obtain a ninth ciphertext K_S(R_A2 - 1), and sends the ninth ciphertext together with a new random number R_B to the OpenFlow controller in an Echo Reply message;
Step 306: after receiving the Echo Reply message sent by the OpenFlow switch, the OpenFlow controller decrypts the ninth ciphertext with the session key K_S to obtain (R_A2 - 1), adds 1 to obtain R_A2, and checks that the decrypted R_A2 is the same as the previously generated R_A2; it then decrements the random number R_B by 1, encrypts the result with the session key K_S to obtain a tenth ciphertext K_S(R_B - 1), and sends the tenth ciphertext to the OpenFlow switch in an Echo Request message;
Step 307: after receiving the Echo Request message sent by the OpenFlow controller, the OpenFlow switch decrypts the tenth ciphertext with the session key K_S to obtain (R_B - 1), adds 1 to obtain R_B, checks that the decrypted R_B is the same as the previously generated R_B, and sends an Echo Reply message to confirm;
Step 308: once confirmation is complete, the packets exchanged in the OpenFlow channel can be encrypted and decrypted using the session key K_S.
An embodiment of the present invention also provides a computer-readable storage medium storing computer-executable instructions for performing any one of the methods described above.
FIG. 6 is a schematic diagram of a network element according to an embodiment of the present invention. As shown in FIG. 6, the network element of this embodiment includes:
an establishment module configured to establish an OpenFlow channel with a designated network element over a simple Transmission Control Protocol connection;
a key module configured to perform key authentication with the designated network element and establish a session key;
a processing module configured to encrypt or decrypt OpenFlow packets in the OpenFlow channel using the session key.
In an optional embodiment, the key module is configured to perform key authentication with the designated network element using a shared key and to establish a session key once authentication is complete.
In an optional embodiment, the key module is configured to perform key authentication with the designated network element using a public key provided by a public key infrastructure directory server and to establish a session key.
In an optional embodiment, the key module is configured to complete key authentication with the designated network element using a designated key distribution center and to establish a session key.
Here, the network element includes an OpenFlow controller and the designated network element includes an OpenFlow switch; or the network element includes an OpenFlow switch and the designated network element includes an OpenFlow controller.
Those of ordinary skill in the art will understand that all or some of the steps of the above methods may be performed by a program instructing the relevant hardware (for example a processor); the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disk. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Accordingly, each module/unit in the above embodiments may be implemented in hardware, for example by an integrated circuit that performs its function, or as a software functional module, for example by a processor executing a program or instructions stored in memory to perform its function. The present invention is not limited to any particular combination of hardware and software.
The above are merely preferred embodiments of the present invention. The present invention may of course have many other embodiments, and those skilled in the art may make various corresponding changes and modifications in accordance with the present invention without departing from its spirit and essence; all such changes and modifications fall within the scope of protection of the appended claims.
Industrial Applicability
Embodiments of the present invention can guarantee the security of OpenFlow packets transmitted over a simple TCP connection.

Claims (11)

  1. A method for processing OpenFlow packets, comprising:
    a first network element establishing an OpenFlow channel with a second network element based on a plain Transmission Control Protocol (TCP) connection;
    the first network element performing key authentication with the second network element;
    the first network element encrypting or decrypting OpenFlow packets in the OpenFlow channel using a session key established during the key authentication.
  2. The method according to claim 1, wherein the first network element performing key authentication with the second network element comprises:
    the first network element performing key authentication with the second network element through a shared key.
  3. The method according to claim 1, wherein the first network element performing key authentication with the second network element comprises:
    the first network element performing key authentication with the second network element using a public key provided by a public key infrastructure directory server.
  4. The method according to claim 1, wherein the first network element performing key authentication with the second network element comprises:
    the first network element performing key authentication with the second network element using a designated key distribution center.
  5. The method according to any one of claims 1 to 4, wherein the first network element comprises an OpenFlow controller and the second network element comprises an OpenFlow switch; or
    the first network element comprises an OpenFlow switch and the second network element comprises an OpenFlow controller.
  6. A network element, comprising:
    an establishing module, configured to establish an OpenFlow channel with a specified network element based on a plain Transmission Control Protocol (TCP) connection;
    a key module, configured to perform key authentication with the specified network element;
    a processing module, configured to encrypt or decrypt OpenFlow packets in the OpenFlow channel using a session key established during the key authentication.
  7. The network element according to claim 6, wherein
    the key module is configured to perform key authentication with the specified network element through a shared key.
  8. The network element according to claim 6, wherein
    the key module is configured to perform key authentication with the specified network element using a public key provided by a public key infrastructure directory server.
  9. The network element according to claim 6, wherein
    the key module is configured to perform key authentication with the specified network element using a designated key distribution center.
  10. The network element according to any one of claims 6 to 9, wherein
    the network element comprises an OpenFlow controller and the specified network element comprises an OpenFlow switch; or
    the network element comprises an OpenFlow switch and the specified network element comprises an OpenFlow controller.
  11. A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being used to perform the method according to any one of claims 1 to 5.
PCT/CN2016/073196 2015-02-27 2016-02-02 一种OpenFlow报文的处理方法及网元 WO2016134631A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510090227.4A CN105991606A (zh) 2015-02-27 2015-02-27 一种OpenFlow报文的处理方法及网元
CN201510090227.4 2015-02-27

Publications (1)

Publication Number Publication Date
WO2016134631A1 true WO2016134631A1 (zh) 2016-09-01

Family

ID=56787929

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/073196 WO2016134631A1 (zh) 2015-02-27 2016-02-02 一种OpenFlow报文的处理方法及网元

Country Status (2)

Country Link
CN (1) CN105991606A (zh)
WO (1) WO2016134631A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109617886A (zh) * 2018-12-21 2019-04-12 广州市宏大欣电子科技有限公司 基于tcp通信的客户端数据加密方法和服务端数据加密方法

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107342856A (zh) * 2017-06-28 2017-11-10 中南民族大学 一种sdn网络控制器安全认证方法及系统
CN109391650B (zh) * 2017-08-04 2020-09-29 华为技术有限公司 一种建立会话的方法及装置
CN111404947B (zh) * 2020-03-19 2023-04-18 李子钦 一种OpenFlow网络中的轻量级控制通道通信保护方法及系统

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103391296A (zh) * 2013-07-29 2013-11-13 北京华为数字技术有限公司 一种控制器、转发器及通道建立方法和系统
CN103763367A (zh) * 2014-01-17 2014-04-30 浪潮(北京)电子信息产业有限公司 一种云计算数据中心分布式虚拟网络设计方法及系统
CN104202364A (zh) * 2014-08-15 2014-12-10 杭州华三通信技术有限公司 一种控制器的自动发现和配置方法和设备

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9130869B2 (en) * 2012-02-09 2015-09-08 Telefonaktiebolaget L M Ericsson (Publ) Methods of redirecting network forwarding elements and related forwarding elements and controllers
CN103259728B (zh) * 2013-05-24 2016-03-30 华为技术有限公司 一种ofs带内通信方法及ofs
CN104283701A (zh) * 2013-07-03 2015-01-14 中兴通讯股份有限公司 配置信息的下发方法、系统及装置
CN103944756A (zh) * 2014-04-04 2014-07-23 陈桂芳 一种基于OpenFlow协议实现无线接入点设备的控制方法

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WEI, XINGJUN: "Research and Implementation of Model and Pivotal Technology for Openflow Switch", CHINA MASTERS' THESES FULL-TEXT DATABASE, ELECTRONIC TECHNOLOGY & INFORMATION SCIENCE SUBJECT, 15 May 2010 (2010-05-15), pages 64 *

Also Published As

Publication number Publication date
CN105991606A (zh) 2016-10-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16754740

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16754740

Country of ref document: EP

Kind code of ref document: A1