WO2017140199A1 - Operations, administration and maintenance message authentication method and apparatus - Google Patents

Operations, administration and maintenance message authentication method and apparatus

Info

Publication number
WO2017140199A1
Authority
WO
WIPO (PCT)
Prior art keywords
network element
authentication information
identifier
oam
packet
Prior art date
Application number
PCT/CN2017/071512
Other languages
French (fr)
Chinese (zh)
Inventor
李士雷
徐芳瑞
晋全福
易科
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present application relates to the field of communications, and in particular to a method and an apparatus for operations, administration and maintenance message authentication.
  • the operation management and maintenance (English: operations, administration and maintenance, OAM for short) technology is a technology for providing link defect detection and defect correction for the network.
  • network devices that communicate with each other send OAM packets to check whether the channel (English: channel) used for communication is in a normal state, and trigger protection switching by sending OAM packets to each other when an abnormality occurs in that channel.
  • the mechanism switches the communication to the preset protection channel, thereby reducing the packet loss caused by the abnormality of the working channel and ensuring the stability of the service transmission.
  • the automatic protection switching (APS) packet is an OAM packet.
  • the network node sends APS packets to each other to negotiate and jointly switch to the protection channel communication when an abnormality occurs in the communication channel.
  • the network device receiving the OAM packet may obtain an incorrect switching request when the OAM packet is maliciously falsified by another device, or the OAM packet is forged by another network element, or the network administrator incorrectly configures the parameter.
  • the network node is thereby caused to perform an incorrect switching according to an incorrect switching request, which seriously affects communication.
  • the present invention provides a method and a device for performing operation management and maintenance OAM packet authentication, which is used to reduce the risk of the network device making an incorrect switching according to an incorrect OAM packet, and improve the stability of the communication.
  • the first aspect provides a method for authenticating OAM packets. The method includes: receiving, by a first network element, a first OAM packet, where the first OAM packet carries a first identifier and first authentication information; determining, by the first network element, second authentication information according to a mapping of the first identifier to the second authentication information; determining, by the first network element, whether the first authentication information and the second authentication information match; and, if the first authentication information does not match the second authentication information, determining, by the first network element, that the first OAM packet is an illegal packet.
  • by determining that the first authentication information and the second authentication information do not match, the first network element can detect that the information in the first OAM packet is erroneous and avoid executing an erroneous instruction carried in the first OAM packet, thereby improving the security and stability of the communication.
  • the method further includes: the first network element saves the first OAM packet.
  • because the first network element saves the illegal first OAM packet, the network administrator has more information for analyzing why the illegal packet was received. For example, if the first authentication information and the second authentication information do not match because the first identifier is misconfigured, the saved first OAM packet gives the network administrator information for analyzing and correcting the configuration error. As another example, if the first authentication information and the second authentication information do not match because the first OAM packet was maliciously falsified or forged by another network element, the saved first OAM packet gives the network administrator more information for locating that network element, which improves the security of the network.
  • the first authentication information is the encrypted information
  • the first network element determining whether the first authentication information matches the second authentication information includes: determining, by the first network element, a decryption algorithm according to a mapping of the first identifier to the decryption algorithm; performing, by the first network element, a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determining, by the first network element, whether the third authentication information and the second authentication information are equal.
  • the first network element and the second network element communicate by using a first label switching path (English: label switch path, LSP for short), and the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element.
  • the second authentication information includes at least one of the following: an identifier of the label switching router (English: label switch router, LSR for short) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
  • the method further includes: acquiring, by the first network element, fourth authentication information according to a mapping of a third network element to the fourth authentication information; and sending, by the first network element, a second OAM packet to the third network element, where the second OAM packet carries the fourth authentication information, and the fourth authentication information is used to indicate to the third network element that the second OAM packet is a legal packet.
  • the first network element obtaining the fourth authentication information according to the mapping of the third network element to the fourth authentication information includes: determining, by the first network element, an encryption algorithm according to a mapping of the third network element to the encryption algorithm; determining, by the first network element, fifth authentication information according to a mapping of the third network element to the fifth authentication information; and performing, by the first network element, an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
  • the first network element communicates with the third network element by using a second LSP, and the fourth authentication information includes at least one of the following: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
  • a first network element including a processor and a network interface, where the processor is configured to: receive, by using the network interface, a first OAM packet, where the first OAM packet carries a first identifier and first authentication information; determine second authentication information according to a mapping of the first identifier to the second authentication information; determine whether the first authentication information matches the second authentication information; and, if the first authentication information does not match the second authentication information, determine that the first OAM packet is an illegal packet.
  • the processor is further configured to save the first OAM packet after determining that the first OAM packet is an illegal packet.
  • the first authentication information is the encrypted information
  • the determining whether the first authentication information matches the second authentication information includes: determining a decryption algorithm according to a mapping of the first identifier to the decryption algorithm; performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determining whether the third authentication information is equal to the second authentication information.
  • the first network element and the second network element communicate by using a first label switching path (LSP), where the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: an identifier of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
  • the processor is further configured to: obtain fourth authentication information according to a mapping of a third network element to the fourth authentication information, and send a second OAM packet to the third network element by using the network interface, where the second OAM packet carries the fourth authentication information, and the fourth authentication information is used to indicate to the third network element that the second OAM packet is a legal packet.
  • the obtaining the fourth authentication information according to the mapping of the third network element to the fourth authentication information includes: determining an encryption algorithm according to a mapping of the third network element to the encryption algorithm; determining fifth authentication information according to a mapping of the third network element to the fifth authentication information; and performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
  • the first network element communicates with the third network element by using a second LSP, and the fourth authentication information includes at least one of the following: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
  • FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of a method for authenticating an OAM packet according to an embodiment of the present disclosure.
  • FIG. 3a is a schematic diagram of an OAM packet format according to an embodiment of the present disclosure.
  • FIG. 3b is a schematic diagram of another OAM packet format provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of another OAM packet authentication method according to an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of a first network element according to an embodiment of the present disclosure.
  • the channel for communication between the first network element 101 and the second network element 102 includes a working channel and a protection channel.
  • the first network element 101 can be a router, a network switch, a firewall, a wavelength division multiplexing device, a packet transport network device, a base station, a base station controller, or a data center.
  • the second network element 102 can be a router, a network switch, a firewall, a wavelength division multiplexing device, a packet transport network device, a base station, a base station controller, or a data center.
  • the working channel or the protection channel may be a pseudo wire (English: pseudo wire, referred to as PW) or a tunnel (English: tunnel).
  • the first network element 101 and the second network element 102 are configured to exchange operations, administration and maintenance (English: operations, administration and maintenance, OAM) messages to detect whether the channel used for communication is in a normal state, and to trigger protection switching when an abnormality is detected.
  • Ethernet (English: Ethernet) communication is used between the first network element 101 and the second network element 102, and the OAM message may be an OAM message specified in ITU-T Y.1731.
  • the OAM packet may be an automatic protection switching (APS) message, for example, an APS packet specified in ITU-T G8031/Y.1342.
  • a multi-protocol label switching (MPLS) tunnel communication is used between the first network element 101 and the second network element 102.
  • the OAM message may be ITU-T Y.
  • the OAM packet may be an APS packet.
  • the first network element 101 receives the OAM packet, determines from the information in the OAM packet header, for example the MPLS label in the MPLS header, that the OAM packet comes from the second network element 102 and which OAM state machine corresponds to the channel used for communication between the first network element 101 and the second network element 102, configures the state of that OAM state machine according to the request carried in the OAM message, and then performs the corresponding operation according to the state of the OAM state machine.
  • the first network element 101 does not authenticate the authenticity or correctness of the OAM packet when receiving it. Therefore, if the OAM packet received by the first network element 101 was forged or falsified by another network device, or, in the example where the first network element 101 uses the MPLS label to identify the source of the OAM packet, if the network administrator has misconfigured the MPLS label of the OAM packets that a third network element (not shown in FIG. 1) communicating with the first network element 101 sends to the first network element 101, then the first network element 101 may, on receiving an OAM packet from the third network element, identify it as an OAM message from the second network element 102.
  • the source of the OAM packet received by the first network element 101 or the command carried in the OAM packet may be incorrect.
  • the first network element 101 performs an erroneous operation according to the incorrect OAM message, for example, switching to the wrong channel to communicate with the second network element 102, causing normal communication to be affected.
  • the embodiment of the present invention provides a method for authenticating an OAM packet, which is used to reduce the risk of the network device performing an incorrect switching according to an incorrect OAM packet, and improve the stability of the communication.
  • FIG. 2 shows a method for OAM packet authentication provided by an embodiment of the present application.
  • the method can be applied to the scenario shown in FIG. 1.
  • the first network element in the method shown in FIG. 2 may be the first network element 101 shown in FIG. 1.
  • the second network element in the method shown in FIG. 2 may be the second network element 102 shown in FIG. 1.
  • the method includes the following steps.
  • S201: the first network element receives a first OAM message, where the first OAM message carries a first identifier and first authentication information.
  • the first OAM message may adopt the OAM message described in FIG. 1.
  • the first OAM message may be the APS message described in FIG. 1.
  • the first identifier is carried in the header of the first OAM packet, and is used to indicate the source of the first OAM packet.
  • the first OAM packet includes an MPLS header, and the first identifier is a label (English: Label) field in the MPLS header.
  • the first OAM packet includes a virtual local area network (VLAN) tag, and the first identifier is the VLAN identifier (English: VLAN identifier, VID for short) field in the VLAN tag.
  • the first authentication information is carried in a payload (English: payload) of the first OAM packet.
  • the first authentication information may be carried by defining a type-length-value (English: Type-Length-Value, TLV) field in the payload of the first OAM packet.
  • the first OAM message is an OAM message that allows an extension field to be added
  • the first OAM message is an APS message specified in ITU-T G8031/Y.1342.
  • the first authentication information may be carried in an extension field of the APS packet.
  • FIG. 3a is a schematic diagram showing the format of the payload of an APS message that does not carry the first authentication information in the ITU-T G8031/Y.1342 standard.
  • FIG. 3b is a schematic diagram showing the format of a payload of an APS message carrying the first authentication information by adding a TLV in the extension field.
  • the length of the Value field shown in FIG. 3b is only exemplary. The specific length of the Value field is not limited in this embodiment of the present application.
  • the first authentication information may be carried in other fields not used by the protocol.
  • the first authentication information may be carried in a padding field.
  • S202: the first network element determines second authentication information according to a mapping of the first identifier to the second authentication information.
  • a mapping of the first identifier to the second authentication information is stored in the first network element.
  • the second authentication information is information that the network administrator pre-configured in the first network element and the second network element.
  • the mapping of the first identifier to the second authentication information may be stored directly as an entry in a table that maps identifiers to authentication information.
  • the first network element stores a mapping of the first identifier to an OAM state machine, and the first network element determines, according to the first identifier, the OAM state machine corresponding to the first OAM packet.
  • the OAM state machine is configured to monitor the working state of the working channel and the protection channel between the first network element and the second network element.
  • the state machine may also be an APS state machine.
  • the first network element further stores a mapping of the OAM state machine to the authentication information, and the first network element searches for the second authentication information according to the OAM state machine corresponding to the first OAM packet.
  • S203: the first network element determines whether the first authentication information and the second authentication information match.
  • the first authentication information is the encrypted information
  • the first network element determining whether the first authentication information matches the second authentication information includes: determining, by the first network element, a decryption algorithm according to a mapping of the first identifier to the decryption algorithm; decrypting, by the first network element, the first authentication information according to the decryption algorithm to obtain third authentication information; and determining, by the first network element, whether the third authentication information and the second authentication information are equal. If the third authentication information is equal to the second authentication information, the first network element determines that the first authentication information matches the second authentication information.
  • the first network element and the second network element are jointly configured with an encryption algorithm and a corresponding decryption algorithm.
  • the first network element and the second network element further store the second authentication information in advance.
  • the second network element performs an encryption operation on the second authentication information according to the encryption algorithm to obtain the first authentication information.
  • the specific process by which the second network element performs the encryption operation on the second authentication information includes: the second network element generates a random number, and the second network element uses the encryption algorithm to perform an encryption operation on the random number and the second authentication information to obtain an encryption parameter.
  • the first authentication information includes the random number and the encryption parameter.
  • the TLV may include a first sub-TLV and a second sub-TLV, where the Value of the first sub-TLV is the random number and the Value of the second sub-TLV is the encryption parameter.
  • the first network element acquires the random number and the encryption parameter, and performs a decryption operation on the random number and the encryption parameter according to the decryption algorithm to obtain third authentication information. If the third authentication information is equal to the second authentication information, the first network element determines that the first OAM packet is a legal packet. If the third authentication information is not equal to the second authentication information, the first network element determines that the first OAM packet is an illegal packet.
  • the first network element and the second network element communicate by using a first label switching path (LSP), where the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element.
  • the second authentication information includes at least one of the following: an identifier (English: identifier) of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
  • the identifier of the LSR of the first network element is unique throughout the MPLS network.
  • the identifier of the LSR of the second network element is unique throughout the MPLS network.
  • the identity of the first LSP is unique throughout the MPLS network.
  • the identifier of the LSR of the second network element is stored in both the first network element and the second network element.
  • the second network element writes the identifier of the LSR of the second network element as the first authentication information into the first OAM packet before sending the first OAM packet to the first network element.
  • the second network element also writes a preset MPLS label as the first identifier into the MPLS header of the first OAM message.
  • the first network element acquires the second authentication information according to the mapping between the MPLS label and the second authentication information.
  • the second authentication information is an identifier of an LSR of the second network element stored in the first network element.
  • the first network element compares the first authentication information with the second authentication information, and if they are equal, determines that the first authentication information matches the second authentication information.
  • if the first authentication information does not match the second authentication information, the first network element performs S204.
  • S204: the first network element determines that the first OAM packet is an illegal packet.
  • the first network element does not perform a corresponding operation according to the indication information in the first OAM packet.
  • the first network element saves the first OAM packet.
  • the first network element can provide the network administrator with the information of the illegal packet, so that the network administrator can determine the source of the illegal packet.
  • the first OAM packet is discarded.
  • if the first authentication information matches the second authentication information, the first network element performs S205.
  • S205: the first network element determines that the first OAM packet is a legal packet.
  • the first network element further performs a corresponding operation according to the indication information in the first OAM message.
  • the first OAM packet is used to instruct the first network element to switch communication from the working channel to the protection channel, and the first network element switches communication from the working channel to the protection channel according to the indication of the first OAM packet.
  • the first network element may also write authentication information into an OAM packet when sending the OAM packet to another network element, where the authentication information is used to indicate to the network element that receives the OAM packet that the OAM packet is a legal packet.
  • the method further includes S401 and S402.
  • S401: the first network element acquires fourth authentication information according to a mapping of the third network element to the fourth authentication information.
  • the first network element obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: determining, by the first network element, an encryption algorithm according to a mapping of the third network element to the encryption algorithm; determining, by the first network element, fifth authentication information according to a mapping of the third network element to the fifth authentication information; and performing, by the first network element, an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
  • the specific manner in which the first network element performs the encryption operation on the fifth authentication information to obtain the fourth authentication information may be the same as the manner in which the second network element in S203 performs the encryption operation on the second authentication information to obtain the first authentication information.
  • the first network element communicates with the third network element by using a second LSP, and the fourth authentication information includes at least one of the following: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
  • S402: the first network element sends a second OAM message to the third network element, where the second OAM message carries the fourth authentication information.
  • the format of the fourth authentication information in the second OAM packet may be in the same format as the first authentication information in the first OAM packet.
  • the third network element may determine, according to the fourth authentication information, whether the second OAM packet is a legal packet, in the same specific manner in which the first network element determines, according to the first authentication information, whether the first OAM packet is a legal packet in the method described in FIG. 2.
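The following is an added example, not code from the patent or from the applicant, that works through both the receiving side (S201 to S205: read the MPLS label, look up the mapped second authentication information and decryption algorithm, decrypt the two sub-TLVs, compare, and save illegal packets) and the sending side (S401/S402: random number plus encryption parameter in an authentication TLV). The patent names no cipher, TLV type codes, key or identifier values, so the HMAC-SHA256 keystream, the type codes and the sample key and LSR/LSP strings below are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed TLV type codes; the patent fixes no numeric values for them.
TLV_AUTH = 0x80       # authentication TLV placed in the APS extension field
SUB_RANDOM = 0x01     # first sub-TLV: the random number
SUB_ENC_PARAM = 0x02  # second sub-TLV: the encryption parameter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the patent's unspecified cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, auth_info: bytes) -> bytes:
    """Encryption operation on (random number, authentication information) -> encryption parameter."""
    return bytes(a ^ b for a, b in zip(auth_info, keystream(key, nonce, len(auth_info))))


decrypt = encrypt  # XOR with the same keystream is its own inverse


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: Type (1 byte), Length (2 bytes, big-endian), Value."""
    return struct.pack(">BH", tlv_type, len(value)) + value


def parse_tlvs(buf: bytes) -> dict:
    """Decode a run of TLVs into {type: value}; a truncated TLV is rejected."""
    tlvs, off = {}, 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from(">BH", buf, off)
        off += 3
        if off + length > len(buf):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = buf[off:off + length]
        off += length
    return tlvs


def build_oam_packet(label: int, key: bytes, auth_info: bytes, nonce: bytes = None) -> bytes:
    """Sender side (S401/S402): MPLS header, placeholder APS payload, authentication TLV."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_param = encrypt(key, nonce, auth_info)
    auth_tlv = tlv(TLV_AUTH, tlv(SUB_RANDOM, nonce) + tlv(SUB_ENC_PARAM, enc_param))
    mpls_header = struct.pack(">I", (label << 12) | (1 << 8) | 255)  # 20-bit label, S=1, TTL=255
    aps_payload = bytes(4)  # constructed stand-in for the APS request/state bytes (FIG. 3a)
    return mpls_header + aps_payload + auth_tlv


class FirstNetworkElement:
    """Receiver side (S201 to S205). The patent does not bind the random number to a
    sequence number or time, so a captured legal packet would verify again if replayed;
    a deployment would add a replay window on top of this check."""

    def __init__(self, mapping: dict):
        # first identifier (MPLS label) -> (key of the decryption algorithm, second authentication info)
        self.mapping = mapping
        self.saved_illegal = []  # illegal packets kept for the administrator (S204)

    def authenticate(self, packet: bytes) -> str:
        try:
            label = struct.unpack(">I", packet[:4])[0] >> 12          # S201: read the first identifier
            key, second_auth_info = self.mapping[label]                # S202: mapping -> second auth info
            sub = parse_tlvs(parse_tlvs(packet[8:])[TLV_AUTH])         # auth TLV -> its two sub-TLVs
            third_auth_info = decrypt(key, sub[SUB_RANDOM], sub[SUB_ENC_PARAM])  # S203: decrypt
        except (KeyError, ValueError, struct.error):
            self.saved_illegal.append(packet)                          # unknown label or malformed TLV
            return "illegal"
        if hmac.compare_digest(third_auth_info, second_auth_info):    # constant-time equality check
            return "legal"                                             # S205
        self.saved_illegal.append(packet)                              # S204: keep for analysis
        return "illegal"


if __name__ == "__main__":
    key = b"constructed-shared-key"          # pre-configured on both network elements (assumed value)
    info = b"LSR2=10.0.0.2;LSP=1"            # second authentication info: LSR/LSP identifiers (assumed)
    ne1 = FirstNetworkElement({1000: (key, info)})
    print(ne1.authenticate(build_oam_packet(1000, key, info)))        # legal
    print(ne1.authenticate(build_oam_packet(1000, b"other", info)))   # illegal (wrong key)
    print(len(ne1.saved_illegal), "packet(s) saved for the administrator")
```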
  • FIG. 5 is a schematic structural diagram of a first network element according to an embodiment of the present application.
  • the first network element 500 includes a processor 501 and a network interface 502.
  • a memory 503 is also included.
  • the processor 501 includes, but is not limited to, a central processing unit (English: central processing unit, CPU for short), a network processor (English: network processor, referred to as NP), and an application-specific integrated circuit (English: application-specific integrated circuit, referred to as: ASIC) or one or more of programmable logic devices (English: programmable logic device, abbreviation: PLD).
  • the above PLD can be a complex programmable logic device (English: complex programmable logic device, abbreviation: CPLD), field-programmable gate array (English: field-programmable gate array, abbreviation: FPGA), general array logic (English: generic array Logic, abbreviation: GAL) or any combination thereof.
  • the network interface 502 can be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or an Ethernet interface.
  • the network interface 502 can also be a wireless interface, such as a wireless LAN interface.
  • the memory 503 is used to store program instructions executed by the processor 501.
  • the memory 503 includes, but is not limited to, a content-addressable memory (English: content-addressable memory, CAM for short), such as a ternary content-addressable memory (English: ternary CAM, TCAM for short), and a random-access memory (English: random-access memory, RAM for short).
  • the memory 503 can also be integrated in the processor 501. If the memory 503 and the processor 501 are mutually independent devices, the memory 503 is connected to the processor 501; for example, the memory 503 and the processor 501 can communicate via a bus. The network interface 502 and the processor 501 can communicate via a bus, and the network interface 502 can also be directly connected to the processor 501.
  • the processor 501 is configured to: receive, by the network interface 502, a first OAM packet, where the first OAM packet carries a first identifier and first authentication information; determine second authentication information according to a mapping of the first identifier to the second authentication information; determine whether the first authentication information matches the second authentication information; and, if the first authentication information does not match the second authentication information, determine that the first OAM packet is an illegal packet.
  • the processor 501 is further configured to: after determining that the first OAM packet is an illegal packet, save the first OAM packet.
  • the first authentication information is the encrypted information
  • the determining whether the first authentication information matches the second authentication information includes: determining, according to the mapping of the first identifier to the decryption algorithm, a decryption algorithm; performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determining whether the third authentication information and the second authentication information are equal.
  • the first network element 500 communicates with the second network element by using a first label switching path LSP, where the first identifier is a multi-protocol label switching MPLS label encapsulated by the second network element, and the second
  • the authentication information includes at least one of the following information: an identifier of the label switching router LSR of the second network element; an identifier of the LSR of the first network element 500; and an identifier of the first LSP.
  • the processor 501 is further configured to: obtain the fourth authentication information according to the mapping of the third network element to the fourth authentication information, and send the second information to the third network element by using the network interface.
  • the second OAM packet carries the fourth authentication information, where the fourth authentication information is used to indicate the third network element, and the second OAM packet is a legal packet.
  • the obtaining, according to the mapping of the third network element to the fourth authentication information, the fourth authentication information including: determining, according to the mapping of the third network element to an encryption algorithm, the encryption algorithm; And mapping the third network element to the fifth authentication information to determine the fifth authentication information; performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
  • the first network element 500 communicates with the third network element by using a second LSP, where the fourth authentication information includes at least one of the following information: an identifier of the LSR of the third network element. An identifier of the LSR of the first network element; and an identifier of the second LSP.
  • the first network element 500 provided in this embodiment may be applied to the method in the embodiment of FIG. 2 or FIG. 4 to implement the function of the first network element.

Abstract

The present invention relates to the field of communications, in particular to an operations, administration and maintenance (OAM) message authentication method and a first network element. The OAM message authentication method comprises: a first network element receives a first OAM message, wherein the first OAM message carries a first identifier and first authentication information; the first network element determines, according to a mapping of the first identifier to second authentication information, the second authentication information; the first network element determines whether the first authentication information matches the second authentication information; and if the first authentication information does not match the second authentication information, the first network element determines the first OAM message to be an illegal message. By determining whether the first authentication information matches the second authentication information, the first network element can identify whether the first OAM message is a legitimate message, thereby avoiding the execution of an incorrect instruction in an illegal OAM message, and helping to improve the stability and security of communications.

Description

Method and apparatus for operations, administration and maintenance message authentication
This application claims priority to Chinese Patent Application No. 201610088118.3, entitled "Method and apparatus for operations, administration and maintenance message authentication", filed with the Chinese Patent Office on February 16, 2016, the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of communications, and in particular to a method and apparatus for authenticating operations, administration and maintenance messages.
Background
Operations, administration and maintenance (OAM) is a set of techniques for detecting and correcting link defects in a network. Network devices that communicate with each other send OAM packets to check whether the channel used for communication is in a normal state and, when an abnormality is detected on that channel, trigger a protection switching mechanism by sending OAM packets to each other, switching the communication to a pre-configured protection channel. This reduces the packet loss caused by a faulty working channel and keeps service transmission stable. For example, an automatic protection switching (APS) packet is one kind of OAM packet: network nodes send APS packets to each other to negotiate and jointly switch to the protection channel when an abnormality occurs on the communication channel.
When an OAM packet has been maliciously tampered with by another device, when it was forged by another network element, or when a network administrator has misconfigured a parameter, the network device receiving the OAM packet may obtain an incorrect switching request. The node then performs a wrong switch on the basis of that request, and normal communication is seriously affected.
Summary of the invention
This application provides a method and apparatus for authenticating OAM packets, intended to reduce the risk that a network device performs a wrong switch on the basis of an incorrect OAM packet and to improve the stability of communication.
According to a first aspect, a method for authenticating OAM packets is provided. The method includes: a first network element receives a first OAM packet, the first OAM packet carrying a first identifier and first authentication information; the first network element determines second authentication information according to a mapping of the first identifier to the second authentication information; the first network element determines whether the first authentication information matches the second authentication information; and if the first authentication information does not match the second authentication information, the first network element determines that the first OAM packet is an illegal packet.
The first network element determines the second authentication information from the first identifier and checks whether it matches the first authentication information carried in the first OAM packet, and thereby decides whether the first OAM packet is a legal packet. So when the network administrator has configured the first identifier wrongly, or when the first identifier has been maliciously tampered with or forged by another network element, the first network element can detect that the first authentication information does not match the second authentication information, recognise that the information in the first OAM packet is wrong, and avoid executing a wrong instruction on the basis of that packet, which improves the security and stability of communication.
Optionally, after the first network element determines that the first OAM packet is an illegal packet, the method further includes: the first network element saves the first OAM packet. Saving the illegal first OAM packet gives the network administrator more information for analysing why it was received. For example, if the mismatch between the first and second authentication information is due to a misconfigured first identifier, the saved packet helps the administrator find and correct the wrong configuration. If the mismatch is because the first OAM packet was maliciously tampered with or forged by another network element, the saved packet helps the administrator locate that network element, which improves the security of the network.
Optionally, in one example, the first authentication information is encrypted information, and the first network element determining whether the first authentication information matches the second authentication information includes: the first network element determines a decryption algorithm according to a mapping of the first identifier to the decryption algorithm; the first network element performs a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and the first network element determines whether the third authentication information is equal to the second authentication information.
Optionally, in another example, the first network element and the second network element communicate over a first label switched path (LSP), the first identifier is a multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of: an identifier of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
Optionally, the method further includes: the first network element obtains fourth authentication information according to a mapping of a third network element to the fourth authentication information; and the first network element sends a second OAM packet to the third network element, the second OAM packet carrying the fourth authentication information, where the fourth authentication information is used to indicate to the third network element that the second OAM packet is a legal packet.
Optionally, the first network element obtaining the fourth authentication information according to the mapping of the third network element to the fourth authentication information includes: the first network element determines an encryption algorithm according to a mapping of the third network element to the encryption algorithm; the first network element determines fifth authentication information according to a mapping of the third network element to the fifth authentication information; and the first network element performs an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element and the third network element communicate over a second LSP, and the fourth authentication information includes at least one of: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
According to a second aspect, a first network element is provided, including a processor and a network interface. The processor is configured to: receive a first OAM packet through the network interface, the first OAM packet carrying a first identifier and first authentication information; determine second authentication information according to a mapping of the first identifier to the second authentication information; determine whether the first authentication information matches the second authentication information; and if the first authentication information does not match the second authentication information, determine that the first OAM packet is an illegal packet.
Optionally, the processor is further configured to save the first OAM packet after determining that it is an illegal packet.
Optionally, the first authentication information is encrypted information, and determining whether the first authentication information matches the second authentication information includes: determining a decryption algorithm according to a mapping of the first identifier to the decryption algorithm; performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determining whether the third authentication information is equal to the second authentication information.
Optionally, the first network element and the second network element communicate over a first label switched path (LSP), the first identifier is an MPLS label encapsulated by the second network element, and the second authentication information includes at least one of: an identifier of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
Optionally, the processor is further configured to: obtain fourth authentication information according to a mapping of a third network element to the fourth authentication information; and send, through the network interface, a second OAM packet to the third network element, the second OAM packet carrying the fourth authentication information, where the fourth authentication information is used to indicate to the third network element that the second OAM packet is a legal packet.
Optionally, obtaining the fourth authentication information according to the mapping of the third network element to the fourth authentication information includes: determining an encryption algorithm according to a mapping of the third network element to the encryption algorithm; determining fifth authentication information according to a mapping of the third network element to the fifth authentication information; and performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element and the third network element communicate over a second LSP, and the fourth authentication information includes at least one of: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
Brief description of the drawings
To describe the technical solutions in the embodiments of this application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of this application.
FIG. 2 is a schematic flowchart of a method for authenticating OAM packets according to an embodiment of this application.
FIG. 3a is a schematic diagram of an OAM packet format according to an embodiment of this application.
FIG. 3b is a schematic diagram of another OAM packet format according to an embodiment of this application.
FIG. 4 is a schematic flowchart of another method for authenticating OAM packets according to an embodiment of this application.
FIG. 5 is a schematic structural diagram of a first network element according to an embodiment of this application.
Detailed description
The application scenarios described in the embodiments of this application are intended to explain the technical solutions of the embodiments more clearly and do not limit them. A person of ordinary skill in the art will know that, as network architectures evolve and new service scenarios appear, the technical solutions provided in the embodiments of this application apply equally to similar technical problems.
FIG. 1 is a schematic diagram of an application scenario according to an embodiment of this application. As shown in FIG. 1, the channels used for communication between the first network element 101 and the second network element 102 include a working channel and a protection channel.
For example, the first network element 101 may be a router, a network switch, a firewall, a wavelength division multiplexing device, a packet transport network device, a base station, a base station controller or a data center, and so may the second network element 102. The working channel or the protection channel may be a pseudo wire (PW) or a tunnel.
The first network element 101 and the second network element 102 send operations, administration and maintenance (OAM) packets to each other to detect whether the channel used for communication is in a normal state, and trigger protection switching by sending OAM packets when an abnormality is detected on the channel currently used for communication.
In one example, the first network element 101 and the second network element 102 communicate over Ethernet, and the OAM packet may be an OAM packet as specified in ITU-T Y.1731. Specifically, the OAM packet may be an automatic protection switching (APS) packet, for example an APS packet as specified in ITU-T G.8031/Y.1342.
In another example, the first network element 101 and the second network element 102 communicate over a multiprotocol label switching (MPLS) tunnel, and the OAM packet may be a packet as specified in ITU-T Y.1711. Specifically, the OAM packet may be an APS packet.
In the usual communication process, when the first network element 101 receives an OAM packet, it determines from information in the packet header, for example the MPLS label in the MPLS header, that the packet comes from the second network element 102, looks up the OAM state machine corresponding to the channel used for communication between the first network element 101 and the second network element 102, configures the state of that state machine according to the request carried in the OAM packet, and then performs the corresponding operation according to the state of the OAM state machine.
In the above scheme, the first network element 101 does not verify the authenticity or correctness of an OAM packet when it receives it. So, if an OAM packet received by the first network element 101 has been forged or tampered with by another network device, or, in the example where the first network element 101 uses the MPLS label to identify the source of an OAM packet, if a network administrator's misconfiguration causes the OAM packets that a third network element (not shown in FIG. 1) sends to the first network element 101 to carry the same MPLS label value as those the second network element 102 sends to it, then the first network element 101 may treat an OAM packet from the third network element as an OAM packet from the second network element 102. In these cases the source of the OAM packet received by the first network element 101, or the instruction it carries, may be incorrect, and the first network element 101 will perform a wrong operation on the basis of the incorrect packet, for example switching to the wrong channel for communication with the second network element 102, so that normal communication is affected.
The embodiments of this application provide a method for authenticating OAM packets, intended to reduce the risk that a network device performs a wrong switch on the basis of an incorrect OAM packet and to improve the stability of communication.
FIG. 2 shows a method for authenticating OAM packets according to an embodiment of this application. For example, the method may be applied in the scenario shown in FIG. 1: the first network element in the method of FIG. 2 may be the first network element 101 of FIG. 1, and the second network element may be the second network element 102 of FIG. 1. The method includes the following steps.
S201: The first network element receives a first OAM packet, the first OAM packet carrying a first identifier and first authentication information.
For example, the first OAM packet may be the OAM packet described with reference to FIG. 1, and more specifically the APS packet described with reference to FIG. 1.
The first identifier is carried in the header of the first OAM packet and indicates the source of the packet. For example, the first OAM packet includes an MPLS header and the first identifier is the Label field of that header. As another example, the first OAM packet includes a virtual local area network (VLAN) tag and the first identifier is the VLAN identifier (VID) field of that tag.
The first authentication information is carried in the payload of the first OAM packet. For example, it may be carried by defining a Type-Length-Value (TLV) element in the payload, that is, by defining a Type value indicating that the Value of the TLV is the first authentication information.
In one example, where the first OAM packet is an OAM packet that allows extension fields to be added, for example an APS packet as specified in ITU-T G.8031/Y.1342, the first authentication information may be carried in an extension field of the APS packet. FIG. 3a shows the payload format of an APS packet as specified in ITU-T G.8031/Y.1342 that does not carry the first authentication information. FIG. 3b shows the payload format of an APS packet that carries the first authentication information in a TLV added to the extension field. Note that the length of the Value field shown in FIG. 3b is only illustrative; the embodiments of this application place no limit on its length.
In another example, where the first OAM packet is an OAM packet that does not allow extension fields to be added, the first authentication information may be carried in another field that the protocol does not use. For example, where the first OAM packet is a packet as specified in ITU-T Y.1711, the first authentication information may be carried in the Padding field.
S202: The first network element determines the second authentication information according to the mapping of the first identifier to the second authentication information.
The first network element stores the mapping of the first identifier to the second authentication information. The second authentication information is configured in advance by the network administrator on both the first network element and the second network element. In one example, the mapping of the first identifier to the second authentication information is stored directly as an entry in a table mapping identifiers to authentication information. In another example, the first network element stores a mapping of the first identifier to an OAM state machine and uses the first identifier to find the OAM state machine corresponding to the first OAM packet; that state machine monitors the working state of the working channel and the protection channel between the first and second network elements (where the first OAM packet is an APS packet, the state machine may be an APS state machine). The first network element further stores a mapping of OAM state machines to authentication information and looks up the second authentication information from the OAM state machine corresponding to the first OAM packet.
S203: The first network element determines whether the first authentication information matches the second authentication information.
Optionally, in one possible example, the first authentication information is encrypted information, and the first network element determining whether the first authentication information matches the second authentication information includes: the first network element determines a decryption algorithm according to a mapping of the first identifier to the decryption algorithm; decrypts the first authentication information with that algorithm to obtain third authentication information; and checks whether the third authentication information is equal to the second authentication information. If they are equal, the first network element determines that the first authentication information matches the second authentication information.
For example, the first network element and the second network element are jointly configured with an encryption algorithm and the corresponding decryption algorithm, and both store the second authentication information in advance. Before sending the first OAM packet to the first network element, the second network element performs an encryption operation on the second authentication information according to the encryption algorithm to obtain the first authentication information. Optionally, the specific process by which the second network element encrypts the second authentication information includes: the second network element generates a random number and uses the encryption algorithm to perform an encryption operation on the random number and the second authentication information, obtaining an encryption parameter. The first authentication information then includes the random number and the encryption parameter. For example, where the first authentication information is carried in the first OAM packet in a custom TLV, the TLV may include a first sub-TLV and a second sub-TLV, where the Value of the first sub-TLV is the random number and the Value of the second sub-TLV is the encryption parameter. After receiving the first authentication information, the first network element obtains the random number and the encryption parameter, performs a decryption operation on the random number and the encryption parameter according to the decryption algorithm, and obtains the third authentication information. If the third authentication information is equal to the second authentication information, the first network element determines that the first OAM packet is a legal packet. If the third authentication information is not equal to the second authentication information, the first network element determines that the first OAM packet is an illegal packet.
Optionally, in another possible example, the first network element and the second network element communicate over a first label switched path (LSP), the first identifier is a Multiprotocol Label Switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of: the identifier of the label switching router (LSR) of the second network element; the identifier of the LSR of the first network element; and the identifier of the first LSP. The identifier of the LSR of the first network element is unique throughout the MPLS network, as are the identifier of the LSR of the second network element and the identifier of the first LSP.
For example, the identifier of the LSR of the second network element is stored in both the first network element and the second network element. Before sending the first OAM packet to the first network element, the second network element writes the identifier of its LSR into the first OAM packet as the first authentication information. In addition, the second network element writes a preset MPLS label into the MPLS header of the first OAM packet as the first identifier. After receiving the first OAM packet, the first network element obtains the second authentication information according to the mapping between the MPLS label and the second authentication information; here the second authentication information is the identifier of the LSR of the second network element as stored in the first network element. The first network element compares the first authentication information with the second authentication information and, if they are equal, determines that the first authentication information matches the second authentication information.
If the first authentication information does not match the second authentication information, the first network element performs S204.
S204. The first network element determines that the first OAM packet is an illegal packet.
The first network element does not perform the operation indicated by the indication information in the first OAM packet.
Optionally, after determining that the first OAM packet is an illegal packet, the first network element saves the first OAM packet.
By saving illegal packets, the first network element can provide the network administrator with information about them, so that the administrator can determine their source.
Optionally, after determining that the first OAM packet is an illegal packet, the first network element discards the first OAM packet.
Optionally, if the first authentication information matches the second authentication information, the first network element performs S205.
S205. The first network element determines that the first OAM packet is a legal packet, and further performs the corresponding operation according to the indication information in the first OAM packet. For example, if the first OAM packet instructs the first network element to switch communication from the working channel to the protection channel, the first network element switches communication from the working channel to the protection channel according to the indication in the first OAM packet.
Optionally, when sending an OAM packet to another network element, the first network element may likewise write authentication information into that OAM packet, the authentication information being used to indicate to the network element receiving the OAM packet that the OAM packet is a legal packet. For example, when the first network element sends a second OAM packet to a third network element, as shown in FIG. 4, the method further includes S401 and S402.
S401. The first network element obtains fourth authentication information according to a mapping from the third network element to the fourth authentication information.
Optionally, in one example, the first network element obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: the first network element determines an encryption algorithm according to a mapping from the third network element to the encryption algorithm; the first network element determines fifth authentication information according to a mapping from the third network element to the fifth authentication information; and the first network element performs an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
For example, the specific way in which the first network element encrypts the fifth authentication information to obtain the fourth authentication information may be the same as the way in which, in S203, the second network element encrypts the second authentication information to obtain the first authentication information.
Optionally, in another example, the first network element and the third network element communicate over a second LSP, and the fourth authentication information includes at least one of: the identifier of the LSR of the third network element; the identifier of the LSR of the first network element; and the identifier of the second LSP.
S402. The first network element sends a second OAM packet to the third network element, the second OAM packet carrying the fourth authentication information.
For example, the fourth authentication information may be carried in the second OAM packet in the same format as the first authentication information in the first OAM packet.
For example, the specific way in which the third network element determines, according to the fourth authentication information, whether the second OAM packet is a legal packet may be the same as the way in which, in the method of FIG. 2, the first network element determines according to the first authentication information whether the first OAM packet is a legal packet.
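The receiving procedure of S201 to S205 and the sending procedure of S401 and S402, modelled together as an added example in Python; this is not code from the patent or from Huawei. Everything the patent leaves open is an assumption made here: the packet layout (MPLS header, one indication byte, one authentication TLV), the TLV and sub-TLV type codes, a per-peer key standing in for the "jointly configured encryption algorithm", and the cipher itself (XOR with an HMAC-derived keystream, so the same call encrypts and decrypts). Both variants of the description are covered: the encrypted one (random number plus encryption parameter as two sub-TLVs, decrypt and compare) and the plaintext one (the sender's LSR identifier compared against the stored value).

```python
"""Added example, not code from the patent: a minimal model of the OAM packet
authentication described in S201-S205 (receiver) and S401-S402 (sender)."""
import hashlib
import hmac
import os
import struct

# Assumed wire layout (the patent leaves the concrete codes open):
#   MPLS header, 4 bytes, label in the top 20 bits  -> the "first identifier"
#   1 byte of indication, e.g. 0x01 = switch traffic to the protection channel
#   authentication TLV: Type(1) Length(1) Value, the Value holding sub-TLVs
AUTH_TLV = 0x20                             # hypothetical TLV type code
SUB_NONCE, SUB_PARAM, SUB_PLAIN = 1, 2, 3   # hypothetical sub-TLV type codes

def tlv(t, value):
    return struct.pack("!BB", t, len(value)) + value

def parse_tlvs(buf):
    """Return {type: value}; a truncated TLV raises instead of reading past the end."""
    out, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("!BB", buf, i)
        i += 2
        if i + n > len(buf):
            raise ValueError("truncated TLV value")
        out[t] = buf[i:i + n]
        i += n
    return out

def xor_crypt(key, nonce, data):
    """Stand-in for the jointly configured encryption/decryption algorithm: XOR with
    a keystream PRF(key, nonce); the same call encrypts and decrypts. Assumption:
    the patent names no cipher, and the per-peer key models the configured algorithm."""
    keystream = hmac.new(key, nonce, hashlib.sha256).digest()
    if len(data) > len(keystream):
        raise ValueError("authentication information longer than one keystream block")
    return bytes(a ^ b for a, b in zip(data, keystream))

def encrypt_auth_info(key, auth_info):
    """Encrypted variant, sender side: fresh random number plus encryption parameter."""
    nonce = os.urandom(16)
    return tlv(SUB_NONCE, nonce) + tlv(SUB_PARAM, xor_crypt(key, nonce, auth_info))

class NetworkElement:
    def __init__(self, lsr_id):
        self.lsr_id = lsr_id
        self.rx_table = {}   # MPLS label -> (mode, key, second authentication information)
        self.tx_table = {}   # peer LSR id -> (label, mode, key, fifth authentication info)
        self.illegal = []    # illegal packets kept for the administrator (S204, optional)

    def build_oam_packet(self, peer_lsr_id, indication):
        """S401/S402: look up the per-peer authentication information and emit the packet."""
        label, mode, key, auth = self.tx_table[peer_lsr_id]
        body = encrypt_auth_info(key, auth) if mode == "enc" else tlv(SUB_PLAIN, auth)
        mpls = struct.pack("!I", (label << 12) | (1 << 8) | 64)   # S bit set, TTL 64
        return mpls + bytes([indication]) + tlv(AUTH_TLV, body)

    def receive_oam_packet(self, pkt):
        """S201-S205: returns ('legal', indication) or ('illegal', None)."""
        try:
            label = struct.unpack("!I", pkt[:4])[0] >> 12
            indication = pkt[4]
            sub = parse_tlvs(parse_tlvs(pkt[5:])[AUTH_TLV])
            mode, key, second = self.rx_table[label]          # S202, unknown label -> KeyError
            if mode == "enc":                                 # S203: decrypt, then compare
                first = xor_crypt(key, sub.get(SUB_NONCE, b""), sub.get(SUB_PARAM, b""))
            else:                                             # S203: plaintext, e.g. LSR id
                first = sub.get(SUB_PLAIN, b"")
            ok = hmac.compare_digest(first, second)           # constant-time comparison
        except (struct.error, ValueError, KeyError, IndexError):
            ok = False
        if not ok:
            self.illegal.append(pkt)      # S204: keep it, and do not act on the indication
            return ("illegal", None)
        return ("legal", indication)      # S205: the indication may now be acted on

def demo():
    """Constructed scenario: ne2 (encrypted variant) and ne3 (LSR id variant) send to
    ne1; a packet carrying a forged LSR id is rejected and stored."""
    key = b"configured-per-peer-key"      # constructed configuration
    secret = b"oam-shared-auth-info"      # second / fifth authentication information
    ne1, ne2, ne3 = NetworkElement(1), NetworkElement(2), NetworkElement(3)
    ne2.tx_table[1] = (100, "enc", key, secret)
    ne1.rx_table[100] = ("enc", key, secret)
    ne3.tx_table[1] = (200, "plain", None, struct.pack("!I", 3))
    ne1.rx_table[200] = ("plain", None, struct.pack("!I", 3))
    good_enc = ne1.receive_oam_packet(ne2.build_oam_packet(1, 0x01))
    good_plain = ne1.receive_oam_packet(ne3.build_oam_packet(1, 0x01))
    forged = ne3.build_oam_packet(1, 0x01)[:-4] + struct.pack("!I", 4)   # wrong LSR id
    bad = ne1.receive_oam_packet(forged)
    return good_enc, good_plain, bad, len(ne1.illegal)
```

`demo()` returns `(("legal", 1), ("legal", 1), ("illegal", None), 1)`. Two caveats a practitioner would add to the scheme as described: the random number is chosen by the sender, so the receiver has no way to tell a replayed packet from a fresh one (a receiver-chosen nonce or a sequence number would close that), and only the authentication information is checked, not the indication byte or the rest of the packet, so a keyed MAC over the whole packet would be the stronger design.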
FIG. 5 is a schematic structural diagram of a first network element according to an embodiment of the present application. As shown in FIG. 5, the first network element 500 includes a processor 501 and a network interface 502, and optionally a memory 503.
The processor 501 includes, but is not limited to, one or more of a central processing unit (CPU), a network processor (NP), an application-specific integrated circuit (ASIC), or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The network interface 502 may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or Ethernet interface, or a wireless interface, such as a wireless LAN interface.
The memory 503 stores the program instructions executed by the processor 501. The memory 503 includes, but is not limited to, content-addressable memory (CAM), such as ternary CAM (TCAM), and random-access memory (RAM).
The memory 503 may also be integrated into the processor 501. If the memory 503 and the processor 501 are separate devices, they are connected, for example over a bus. The network interface 502 and the processor 501 may communicate over a bus, or the network interface 502 may be connected directly to the processor 501.
The processor 501 is configured to: receive a first OAM packet through the network interface 502, the first OAM packet carrying a first identifier and first authentication information; determine second authentication information according to a mapping from the first identifier to the second authentication information; determine whether the first authentication information matches the second authentication information; and, if the first authentication information does not match the second authentication information, determine that the first OAM packet is an illegal packet.
Optionally, the processor 501 is further configured to save the first OAM packet after determining that it is an illegal packet.
Optionally, the first authentication information is encrypted information, and determining whether the first authentication information matches the second authentication information includes: determining a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determining whether the third authentication information is equal to the second authentication information.
Optionally, the first network element 500 and a second network element communicate over a first label switched path (LSP), the first identifier is an MPLS label encapsulated by the second network element, and the second authentication information includes at least one of: the identifier of the LSR of the second network element; the identifier of the LSR of the first network element 500; and the identifier of the first LSP.
Optionally, the processor 501 is further configured to: obtain fourth authentication information according to a mapping from a third network element to the fourth authentication information; and send a second OAM packet to the third network element through the network interface, the second OAM packet carrying the fourth authentication information, which is used to indicate to the third network element that the second OAM packet is a legal packet.
Optionally, obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: determining an encryption algorithm according to a mapping from the third network element to the encryption algorithm; determining fifth authentication information according to a mapping from the third network element to the fifth authentication information; and performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element 500 and the third network element communicate over a second LSP, and the fourth authentication information includes at least one of: the identifier of the LSR of the third network element; the identifier of the LSR of the first network element; and the identifier of the second LSP.
The first network element 500 provided in this embodiment may be used in the method of the embodiment of FIG. 2 or FIG. 4 to implement the functions of the first network element. For the other functions the first network element may implement and its interaction with other network elements, refer to the description of the first network element in the method embodiments, which is not repeated here.
The embodiments in this specification are described progressively; for the parts that are identical or similar between embodiments, refer to one another, and each embodiment focuses on its differences from the others. In particular, since the system embodiment is essentially similar to the method embodiment, its description is brief and the relevant parts can be found in the description of the method embodiment.
Obviously, those skilled in the art may make various modifications and variations to the present application without departing from its scope. Thus, if these modifications and variations fall within the scope of the claims of the present application and their equivalents, the present application is intended to cover them.

Claims (14)

  1. A method for authenticating an operations, administration and maintenance (OAM) packet, the method comprising:
    receiving, by a first network element, a first OAM packet, the first OAM packet carrying a first identifier and first authentication information;
    determining, by the first network element, second authentication information according to a mapping from the first identifier to the second authentication information;
    determining, by the first network element, whether the first authentication information matches the second authentication information; and
    if the first authentication information does not match the second authentication information, determining, by the first network element, that the first OAM packet is an illegal packet.
  2. The method according to claim 1, wherein after the first network element determines that the first OAM packet is an illegal packet, the method further comprises:
    saving, by the first network element, the first OAM packet.
  3. The method according to claim 1 or 2, wherein the first authentication information is encrypted information, and the determining, by the first network element, whether the first authentication information matches the second authentication information comprises:
    determining, by the first network element, a decryption algorithm according to a mapping from the first identifier to the decryption algorithm;
    performing, by the first network element, a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and
    determining, by the first network element, whether the third authentication information is equal to the second authentication information.
  4. The method according to claim 1 or 2, wherein the first network element and a second network element communicate over a first label switched path (LSP), the first identifier is a Multiprotocol Label Switching (MPLS) label encapsulated by the second network element, and the second authentication information comprises at least one of:
    an identifier of a label switching router (LSR) of the second network element;
    an identifier of an LSR of the first network element; and
    an identifier of the first LSP.
  5. The method according to any one of claims 1 to 4, wherein the method further comprises:
    obtaining, by the first network element, fourth authentication information according to a mapping from a third network element to the fourth authentication information; and
    sending, by the first network element, a second OAM packet to the third network element, the second OAM packet carrying the fourth authentication information, the fourth authentication information being used to indicate to the third network element that the second OAM packet is a legal packet.
  6. The method according to claim 5, wherein the obtaining, by the first network element, the fourth authentication information according to the mapping from the third network element to the fourth authentication information comprises:
    determining, by the first network element, an encryption algorithm according to a mapping from the third network element to the encryption algorithm;
    determining, by the first network element, fifth authentication information according to a mapping from the third network element to the fifth authentication information; and
    performing, by the first network element, an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
  7. The method according to claim 5, wherein the first network element and the third network element communicate over a second LSP, and the fourth authentication information comprises at least one of:
    an identifier of an LSR of the third network element;
    an identifier of an LSR of the first network element; and
    an identifier of the second LSP.
  8. A first network element, comprising a processor and a network interface, wherein the processor is configured to:
    receive a first OAM packet through the network interface, the first OAM packet carrying a first identifier and first authentication information;
    determine second authentication information according to a mapping from the first identifier to the second authentication information;
    determine whether the first authentication information matches the second authentication information; and
    if the first authentication information does not match the second authentication information, determine that the first OAM packet is an illegal packet.
  9. The first network element according to claim 8, wherein the processor is further configured to save the first OAM packet after determining that the first OAM packet is an illegal packet.
  10. The first network element according to claim 8 or 9, wherein the first authentication information is encrypted information, and the determining whether the first authentication information matches the second authentication information comprises:
    determining a decryption algorithm according to a mapping from the first identifier to the decryption algorithm;
    performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and
    determining whether the third authentication information is equal to the second authentication information.
  11. The first network element according to claim 8 or 9, wherein the first network element and a second network element communicate over a first label switched path (LSP), the first identifier is a Multiprotocol Label Switching (MPLS) label encapsulated by the second network element, and the second authentication information comprises at least one of:
    an identifier of a label switching router (LSR) of the second network element;
    an identifier of an LSR of the first network element; and
    an identifier of the first LSP.
  12. The first network element according to any one of claims 8 to 11, wherein the processor is further configured to:
    obtain fourth authentication information according to a mapping from a third network element to the fourth authentication information; and
    send a second OAM packet to the third network element through the network interface, the second OAM packet carrying the fourth authentication information, the fourth authentication information being used to indicate to the third network element that the second OAM packet is a legal packet.
  13. The first network element according to claim 12, wherein the obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information comprises:
    determining an encryption algorithm according to a mapping from the third network element to the encryption algorithm;
    determining fifth authentication information according to a mapping from the third network element to the fifth authentication information; and
    performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
  14. The first network element according to claim 12, wherein the first network element and the third network element communicate over a second LSP, and the fourth authentication information comprises at least one of:
    an identifier of an LSR of the third network element;
    an identifier of an LSR of the first network element; and
    an identifier of the second LSP.
PCT/CN2017/071512 2016-02-16 2017-01-18 Operations, administration and maintenance message authentication method and apparatus WO2017140199A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610088118.3 2016-02-16
CN201610088118.3A CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message

Publications (1)

Publication Number Publication Date
WO2017140199A1 true WO2017140199A1 (en) 2017-08-24

Family

ID=59614549

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/071512 WO2017140199A1 (en) 2016-02-16 2017-01-18 Operations, administration and maintenance message authentication method and apparatus

Country Status (2)

Country Link
CN (1) CN107086959B (en)
WO (1) WO2017140199A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839009B (en) * 2019-11-22 2023-09-01 华为技术有限公司 Method, device and system for processing message

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
CN103684792A (en) * 2013-12-23 2014-03-26 加弘科技咨询(上海)有限公司 Safety authentication method for OAM (Operation, Administration and Maintenance) and OAM message sending/receiving device
US8830841B1 (en) * 2010-03-23 2014-09-09 Marvell Israel (M.I.S.L) Ltd. Operations, administration, and maintenance (OAM) processing engine

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7478167B2 (en) * 2002-03-18 2009-01-13 Nortel Networks Limited Resource allocation using an auto-discovery mechanism for provider-provisioned layer-2 and layer-3 virtual private networks
CN101651670B (en) * 2008-10-29 2012-08-15 中国科学院声学研究所 Integrated management method for services and users in Ethernet service operation and system thereof
CN103428009B (en) * 2012-05-14 2018-09-11 中兴通讯股份有限公司 Realize Operation, Administration and Maintenance (OAM) method and device of packet synchronization net
CN103780420B (en) * 2012-10-25 2017-07-28 中国电信股份有限公司 The method of automatic configuration and system of Ethernet detection of connectivity under VPLS environment

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8830841B1 (en) * 2010-03-23 2014-09-09 Marvell Israel (M.I.S.L) Ltd. Operations, administration, and maintenance (OAM) processing engine
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
CN103684792A (en) * 2013-12-23 2014-03-26 加弘科技咨询(上海)有限公司 Safety authentication method for OAM (Operation, Administration and Maintenance) and OAM message sending/receiving device

Also Published As

Publication number Publication date
CN107086959A (en) 2017-08-22
CN107086959B (en) 2020-11-06

Similar Documents

Publication Publication Date Title
US10972391B2 (en) Full-path validation in segment routing
US11277391B2 (en) Packet sending method and apparatus
US10868697B2 (en) Packet processing method, device, and packet processing system
US8370921B2 (en) Ensuring quality of service over VPN IPsec tunnels
EP4089981B1 (en) Bit-forwarding ingress router and operation, administration and maintenance detection method
US11979322B2 (en) Method and apparatus for providing service for traffic flow
US20110113236A1 (en) Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism
US20230102984A1 (en) METHOD AND APPARATUS FOR VERIFYING SRv6 PACKET
EP3861690B1 (en) Securing mpls network traffic
US20150295909A1 (en) Integrity check optimization systems and methods in live connectivity frames
KR102066978B1 (en) Method and apparatus for data plane for monitoring differentiated service code point (DSCP) and explicit congestion notification (ECN)
US11888904B2 (en) Packet sending method, packet receiving method, and network device
JP2020510337A (en) Method and apparatus for providing cyber security in a time-aware end-to-end packet flow network
US20190068762A1 (en) Packet Parsing Method and Device
US20230007022A1 (en) Method and Device for Preventing Replay Attack on Srv6 HMAC Verification
CN110868362B (en) Method and device for processing MACsec uncontrolled port message
WO2017140199A1 (en) Operations, administration and maintenance message authentication method and apparatus
WO2022001937A1 (en) Service transmission method and apparatus, network device, and storage medium
US20210092103A1 (en) In-line encryption of network data
CN111130756B (en) Node routing safety management and control system
US20220286469A1 (en) Packet processing method, apparatus, and system
US20230133729A1 (en) Security for communication protocols
WO2023179174A1 (en) Message transmission method and related device
CN115277190B (en) Method for realizing neighbor discovery on a network with a link-layer transparent encryption system
CN116918299A (en) Managing replay windows in a multipath connection between gateways

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 17752631; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 17752631; Country of ref document: EP; Kind code of ref document: A1