CN100563148C - MAC secure network communication method and network device - Google Patents

Publication number: CN100563148C
Authority: CN (China)
Application number: CN200610154170.0A
Other versions: CN101145899A
Other languages: Chinese (zh)
Inventor: 管红光
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Legal status: Expired - Fee Related

Abstract

The invention discloses a MAC secure network communication method and a communication device. The method comprises: a network device receives a MAC frame; if the MAC frame is a MAC encrypted frame, the network device decrypts it; if the network device on the next link to which the MAC encrypted frame needs to be forwarded does not support MAC security, or MAC security is unavailable on it, the network device further judges whether that link is reliable; if the link is reliable, the frame is forwarded to the link as a non-encrypted MAC frame; otherwise the MAC encrypted frame is discarded. The invention ensures normal network communication while protecting the confidentiality of MAC frames.

Description

MAC secure network communication method and network device
Technical field
The present invention relates to the field of communications, and in particular to a MAC secure network communication method and a network device.
Background technology
Link-layer security is a major research topic in network communication. The IEEE 802.1ae task group has studied this problem and proposes MAC security (Media Access Control Security) to protect layer-2 communication and guard against layer-2 attacks. Specifically, a MAC Security Entity (SecY) encrypts the data to be sent with a Secure Association Key (SAK); the receiving SecY decrypts the received data with the same key and so obtains the data, which protects the confidentiality of the data. At the same time, the receiving SecY checks the integrity check value to determine that the received data is consistent with the data sent by the transmitting SecY, which ensures the integrity and correctness of the data.
The MAC security currently specified in the IEEE 802.1ae protocol is LAN-based. For SecYs to communicate with one another they must belong to the same Secure Connectivity Association (CA), and every SecY in the same CA holds the same master key, the Secure Connectivity Association Key (CAK). The CAK may be configured manually or obtained from an authentication server after authentication. Each SecY uses the CAK to negotiate a SAK; the SAK is refreshed continually, whereas the CAK is fixed and remains unchanged even when the device is restarted. The continual refresh of the SAK greatly improves data security.
Fig. 1 is a schematic diagram of communication between Media Access Control (MAC) devices in the same shared-medium LAN. As shown, MAC device A 101, MAC device B 102, MAC device C 103 and MAC device D 104 are in the same shared-medium LAN and can access and communicate with one another. Suppose MAC device A 101, MAC device B 102 and MAC device C 103 belong to one CA and hold the same CAK, while MAC device D 104 is excluded from that CA. Then, as shown in Fig. 2, the SecYs on MAC device A 101, MAC device B 102 and MAC device C 103 can carry out MAC secure communication, whereas MAC device D 104, having no SAK, cannot decrypt the MAC encrypted frames sent by MAC device A 101, MAC device B 102 or MAC device C 103 even if it captures them, and cannot obtain the user data or control protocol data of those frames.
At present, according to the IEEE 802.1ae specification, MAC security is applied in the network link by link: each link is independent, and the encryption and decryption key SAK of one link has nothing to do with that of any other. As shown in Fig. 3, CA1 exists between terminal A 201 and first bridge 202 and uses SAK1 for encryption and decryption; CA2 exists between first bridge 202 and second bridge 203 and uses SAK2; CA3 exists between second bridge 203 and third bridge 204 and uses SAK3; CA4 exists between third bridge 204 and terminal B 205 and uses SAK4.
In a communication network, every device on a link (terminals included) knows only whether the network device adjacent to it in the LAN supports MAC security. As shown in Fig. 4, suppose terminal B 407, terminal D 409 and the third customer bridge (Customer Bridge) 410 do not support MAC security or MAC security is unavailable on them. Then only the second customer bridge 405 knows that terminal B 407 does not support MAC security or that MAC security is unavailable on it, and only the second provider bridge (Provider Bridge, PB) 404 knows that the third customer bridge 410 does not support MAC security or that MAC security is unavailable on it.
For the case where a network device that does not support MAC security exists in the communication network (current terminal devices and layer-2 and layer-3 switches do not support MAC security, so a user network CN of complex topology is very likely to contain such devices), the usual present treatment is that when the network device on the next link does not support MAC security, the MAC encrypted frame is simply discarded. Terminal A and terminal B can then communicate only with unencrypted ordinary MAC frames; yet it is often difficult for user A to judge whether to choose MAC encrypted frames or non-encrypted MAC frames, so terminal A and terminal B may be unable to communicate at all.
Therefore, in the prior art, if a network device that does not support MAC security exists in the communication network, communication between network devices that support MAC security and network devices that do not is obstructed.
Summary of the invention
The technical problem to be solved by the present invention is to provide a MAC secure network communication method that achieves secure data communication when network devices that do not support MAC security exist in the communication network.
The technical problem to be solved by the present invention is also to provide a network device that achieves secure data communication when network devices that do not support MAC security exist in the communication network.
To solve the first technical problem, the object of the invention is achieved by the following technical solution:
A MAC secure network communication method, comprising:
A network device receives a MAC frame;
If the MAC frame is a MAC encrypted frame, the network device decrypts it; if the network device on the next link to which the MAC encrypted frame needs to be forwarded does not support MAC security, or MAC security is unavailable on it, the network device further judges whether that link is reliable; if the link is reliable, the frame is forwarded to the link as a non-encrypted MAC frame; otherwise the MAC encrypted frame is discarded.
In the method of the present invention, optionally, judging whether the link is reliable specifically comprises:
Reliability information for the link is pre-configured, either according to networking information or on the network port of the network device that connects to the network device which does not support MAC security or on which MAC security is unavailable;
The network device reads the reliability information and thereby learns whether the link is reliable.
In the method of the present invention, optionally, if the MAC encrypted frame carries confidentiality level information, the network device further decides, according to that information, whether to discard the MAC encrypted frame or to forward it to the link as a non-encrypted frame.
In the method of the present invention, optionally, the MAC encrypted frame carries the confidentiality level information in the following way:
Bits 7 and 8 of the security tag field of the MAC encrypted frame carry the confidentiality level information.
In the method of the present invention, optionally, if the MAC frame is a non-encrypted MAC frame that needs to be forwarded to a network device on which MAC security is available, the network device encrypts the MAC frame and forwards the encrypted frame; otherwise it forwards the MAC frame directly.
In the method of the present invention, optionally, the network device further stores a flag indicating whether non-encrypted MAC frames sent by this network device need to be encrypted;
If the MAC frame is a non-encrypted MAC frame that needs to be forwarded to a network device on which MAC security is available, then before encrypting the frame the network device further judges, according to the flag, whether the frame needs to be encrypted, and encrypts it only if so.
To solve the second technical problem, the object of the invention is achieved by the following technical solution:
A network device, connected to a network device that does not support MAC security or on which MAC security is unavailable, the network device comprising:
A link reliability judging unit, for judging whether the link between this network device and the network device that does not support MAC security or on which MAC security is unavailable is reliable, and for configuring a flag that identifies whether the link is reliable;
A link reliability flag storage unit, connected to the link reliability judging unit, for storing the flag that identifies whether the link is reliable;
A controlled port, for receiving and decrypting MAC encrypted frames;
A forwarding unit, for forwarding the MAC encrypted frame;
A MAC frame destination address acquiring unit, for reading the destination address of the MAC encrypted frame and judging whether the next network device to which the MAC frame needs to be forwarded is the network device that does not support MAC security or on which MAC security is unavailable;
A decision unit, for deciding, according to the flag stored in the link reliability flag storage unit that identifies whether the link is reliable, to discard the data or to pass the MAC encrypted frame to the forwarding unit.
Optionally, the network device of the present invention further comprises:
A confidentiality level reading unit, for reading the confidentiality level information when the MAC encrypted frame carries it;
The decision unit is connected to the confidentiality level reading unit and further decides, according to the confidentiality level information, to discard the MAC encrypted frame or to pass it to the forwarding unit.
Optionally, the network device of the present invention further comprises:
An uncontrolled port, for receiving non-encrypted MAC frames;
An encryption judging unit, for judging whether the non-encrypted MAC frame needs to be encrypted: if the non-encrypted MAC frame needs to be forwarded to a network device on which MAC security is available, it judges that the frame needs to be encrypted;
An encryption unit, for encrypting the non-encrypted MAC frames that need encryption and passing the encrypted MAC frame to the forwarding unit.
Optionally, the network device of the present invention further comprises:
An encryption decision flag storage unit, for storing a flag pre-configured by the user on this network device that indicates whether non-encrypted MAC frames sent by this device are to be encrypted;
A second encryption judging unit, for further judging, according to the encryption flag stored in the encryption decision flag storage unit, whether a non-encrypted frame that the encryption judging unit has judged to need encryption actually needs to be encrypted.
From the first technical solution above it can be seen that when the network device receives a MAC security encrypted frame that needs to be forwarded to a next network device which does not support MAC security or on which MAC security is unavailable, the network device acts according to the reliability of the next link: when the next link is reliable it forwards the frame to the next link as a non-encrypted frame, otherwise it discards the MAC encrypted frame. This differs from the prior art, in which every MAC encrypted frame is discarded as soon as the next network device does not support MAC security or MAC security is unavailable on it. The method thus ensures normal network communication while protecting the confidentiality of MAC encrypted frames.
Further, when the network device receives a MAC security encrypted frame that needs to be forwarded to a next network device which does not support MAC security or on which MAC security is unavailable, it further decides, according to the confidentiality level information carried in the MAC encrypted frame, whether to discard the frame or to forward it to the next link as a non-encrypted frame, so that the confidentiality and the ability to communicate of MAC communication are better coordinated and balanced, making the method better suited to actual conditions.
Further, when the network device receives a non-encrypted MAC frame, if the network device on the next link supports MAC security and MAC security is available on it, the MAC frame is encrypted before being forwarded on that link; otherwise it is forwarded directly. In particular, non-encrypted MAC frames forwarded by network devices that do not support MAC security or on which MAC security is unavailable can therefore use MAC security on subsequent links, achieving MAC secure communication to the greatest possible extent.
Further, for a non-encrypted MAC frame that needs to be forwarded to a network device on the next link on which MAC security is available, the present invention can further judge, according to a user setting, whether that frame is to be encrypted, and encrypts it only when the user requires it. Encryption can therefore follow the actual needs of the user, which helps to avoid unnecessary waste of network resources and speeds up MAC communication.
From the second technical solution above it can be seen that the present invention provides, on a network device connected to a network device that does not support MAC security or on which MAC security is unavailable, a link reliability judging unit, a link reliability flag storage unit and a decision unit. When the network device receives a MAC security encrypted frame that needs to be forwarded to a next network device which does not support MAC security, the network device obtains the reliability of the next link through the link reliability judging unit and stores the flag identifying whether the link is reliable in the link reliability flag storage unit; the decision unit then decides, according to the record in the link reliability flag storage unit, to discard the MAC encrypted frame or to forward it to the next link as a non-encrypted MAC frame, instead of discarding, as in the prior art, every MAC encrypted frame that is to be forwarded to a next-link network device which does not support MAC security or on which MAC security is unavailable. The device thus ensures normal network communication while protecting the confidentiality of MAC frames.
Further, the network device of the present invention is also provided with a confidentiality level reading unit connected to the decision unit. When the MAC encrypted frame to be forwarded to a next-link network device which does not support MAC security or on which MAC security is unavailable carries confidentiality level information, the confidentiality level reading unit reads that information and learns the confidentiality level of the MAC frame, so that the decision unit can further decide, according to the confidentiality level information, to discard the MAC encrypted frame or to forward it to the next link as a non-encrypted MAC frame, so that the confidentiality and the ability to communicate of MAC communication are better coordinated and balanced, making the method better suited to actual conditions.
Further, the network device is also provided with an encryption judging unit and an encryption unit. When this network device receives a non-encrypted MAC frame that is to be forwarded to a network device which supports MAC security and on which MAC security is available, the encryption judging unit judges whether the MAC frame needs to be encrypted; if so, the frame is passed to the encryption unit for encryption, otherwise it is forwarded on the link directly as a non-encrypted frame. In particular, non-encrypted MAC frames forwarded by network devices that do not support MAC security or on which MAC security is unavailable can therefore use MAC security on subsequent links, achieving MAC secure communication to the greatest possible extent.
Further, because the present invention provides a second encryption judging unit and an encryption decision flag storage unit set by the user, whether a non-encrypted MAC frame forwarded to a device on which MAC security is available is encrypted can be decided according to the user setting, so that encryption follows the actual needs of the user, which helps to avoid unnecessary waste of network resources and speeds up MAC communication.
Description of drawings
Fig. 1 is a schematic diagram of communication between MAC devices in the same LAN;
Fig. 2 is a schematic diagram of MAC secure communication;
Fig. 3 is a schematic diagram of MAC security encryption and decryption in a communication network;
Fig. 4 is a schematic diagram of the architecture of a communication network in which network devices that do not support MAC security exist;
Fig. 5 is a schematic flow chart of the method of Embodiment 1;
Fig. 6 is a schematic flow chart of the method of Embodiment 2;
Fig. 7 is a schematic flow chart of the method of Embodiment 3;
Fig. 8 is a schematic structural diagram of the network device of Embodiment 4;
Fig. 9 is a schematic diagram of the MAC encrypted frame format;
Fig. 10 is a schematic structural diagram of the network device of Embodiment 5;
Fig. 11 is a schematic structural diagram of the network device of Embodiment 6;
Fig. 12 is a schematic structural diagram of the network device of Embodiment 7.
Embodiment
The core idea of the present invention is as follows. When the next device connected to the network device does not support MAC security or MAC security is unavailable on it, that is, when the next link connected to the network device does not support MAC security or MAC security is unavailable on it, and the network device receives a MAC encrypted frame that needs to be forwarded to that next link, the network device judges, according to the connection conditions of the next link, whether the next link is reliable; if it is unreliable, the MAC encrypted frame is discarded; if it is reliable, the frame is forwarded to the next link as a non-encrypted frame.
To help those skilled in the art better understand the present invention, its content is described in detail below with reference to the embodiments and the accompanying drawings.
Embodiment 1:
This embodiment describes in detail how, according to the reliability of the link, the network device decides whether to discard a MAC encrypted frame that is to be forwarded to a next-link network device which does not support MAC security or on which MAC security is unavailable, or to continue forwarding it as a non-encrypted frame.
Fig. 5 is a schematic flow chart of the method of this embodiment. As shown, the method comprises the following steps:
Step S501: The network device receives a MAC encrypted frame and decrypts it.
The network device receives a MAC encrypted frame sent to it over a link and passes the frame to the controlled port for decryption. The network device of the present invention can be any network device in the communication network other than a terminal that supports MAC security and on which MAC security is available, such as any bridge in a CBN, PBN or PBBN.
Step S502: The network device looks up the forwarding table and, from the lookup result, learns on which link the MAC frame needs to be sent.
The network device reads the destination address and VLAN information of the MAC frame, looks up the forwarding table and, from the lookup result, learns the next link the frame must pass through to reach that destination address.
Step S503: The network device judges whether the network device on the next link supports MAC security and whether MAC security is available on it. If MAC security is not supported or is unavailable, step S504 is executed; otherwise, step S508.
Whether MAC security is available on the next link is learned from key negotiation protocol (KSP) information, from the network's own networking information, or from other pre-stored network information. If MAC security on the next link is unavailable, step S504 is executed; if it is available, step S508.
Step S504: The network device obtains the network reliability of the next link.
The network device can learn the network reliability of the next link from the networking information it stores. It can also obtain it from link reliability information stored on the port at which the next-link network device attaches to this network device. For example, in the network shown in Fig. 4, suppose the third customer bridge 410, terminal D 409, terminal B 407 and terminal C 406 all do not support MAC security or MAC security is unavailable on them; then on port b of the second customer bridge 405 and on port a of the third customer bridge 410, a flag indicating whether the link is reliable is configured according to the actual conditions of the link. A link may be configured as reliable only when the user can guarantee that it is safe, for instance when there is only one user below a port of a bridge, or when several users all belong to one household, one department or one enterprise; when the user cannot guarantee the safety of the link and wants stronger security protection, the link is configured as unreliable.
The network device that receives the MAC encrypted frame learns whether the link is reliable from the link reliability information configured on its port.
Step S505: If the next link is reliable, step S506 is executed; otherwise, step S507.
Step S506: The network device forwards the frame to the next link as a non-encrypted MAC frame.
If the network of the next link is reliable and the safety of the MAC encrypted frame can be guaranteed, the network device forwards the frame as a non-encrypted frame to the network device on the next link.
Step S507: Discard the MAC frame.
If the network of the next link is unreliable and the safety of the MAC encrypted frame cannot be guaranteed, the network device discards the frame directly and does not forward it to the network device on the next link.
Step S508: Forward to the next link as a non-encrypted MAC frame.
The network device forwards the data of the MAC encrypted frame to the network device on the next link in the form of a non-encrypted MAC frame, so that that network device can obtain the MAC frame data without using MAC security decryption.
This embodiment therefore ensures normal network communication while protecting the confidentiality of MAC frames.
Embodiment 2:
This embodiment further addresses the case where the user's requirement on the confidentiality level of MAC security is carried in the MAC frame: when the network device decides whether to discard a MAC frame that is to be forwarded to a next link on which MAC security is unavailable, or to continue forwarding it as a non-encrypted frame, it further takes the user's confidentiality requirement into account, so that the confidentiality and the ability to communicate of MAC communication are better coordinated and balanced, making the method better suited to actual conditions.
First, how the user's requirement on the confidentiality level of MAC security is carried in the MAC encrypted frame is described.
According to IEEE 802.1ae, the MAC security tag field of a MAC frame is composed as shown in Table 1. It includes an 8-bit Short Length field (called SL in IEEE 802.1ae): when the length of the confidential data is less than 48, the value of SL equals that length; when the length of the confidential data is 48 or more, SL is 0. In fact SL uses only bits 1 to 6 to represent the length of the confidential data; bits 7 and 8 are unused.
MAC EtherType | Tag Control Information (TCI) | Association Number (AN) | Short Length (SL) | Packet Number (PN) | Secure Channel Identifier (SCI)
Table 1
In the present invention, the sender of the MAC encrypted frame uses bits 7 and 8 of the SL field to express the user's confidentiality requirement for the frame, that is, the confidentiality level of the frame, as shown in Table 2: the value of bits 7 and 8 identifies the confidentiality requirement for the MAC frame, expressed here as a confidentiality level, where a higher level means the data in the frame is more confidential.
For example: when bits 7 and 8 have the value "00", the frame has confidentiality level 0, meaning that whether or not the link is reliable, forwarding continues in unencrypted form; when they have the value "01", the frame has level 1, meaning that forwarding continues as a non-encrypted frame only when the link is reliable; when they have the value "10", the frame has level 2, meaning that whether or not the link is reliable the frame is not forwarded but discarded directly; the value "11" is not used for now.
Bit 8 | Bit 7 | Confidentiality level | Meaning
0 | 0 | Level 0 | Whether or not the link is reliable, continue forwarding in unencrypted form
0 | 1 | Level 1 | When the link is reliable, continue forwarding as a non-encrypted frame
1 | 0 | Level 2 | Whether or not the link is reliable, do not forward the frame; discard it directly
1 | 1 | (not used) | Not used for now
Table 2
Of course, besides bits 7 and 8 of the SL field in the MAC security tag, the confidentiality requirement information of the MAC frame can also be carried in another field of the MAC frame, as long as a corresponding convention is made in the communication network so that a network device that receives the frame can read the information.
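As an added example, not code from the patent: Python that builds and parses the security tag of Table 1, laid out as IEEE 802.1AE defines it (TCI and AN share one octet, and the SCI is present only when the SC bit of TCI is set), with the Table 2 confidentiality level placed in bits 7 and 8 of the SL octet. The EtherType 0x88E5 and the TCI bit positions are taken from the 802.1AE standard, not from this page.

```python
# Added example, not the patent's own code: build and parse the security tag
# (SecTAG) of Table 1, with the Table 2 confidentiality level carried in the two
# unused high bits (bits 7 and 8) of the Short Length (SL) octet.
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType of the IEEE 802.1AE security tag

# Confidentiality levels of Table 2, as the value of bits 8,7 of SL
LEVEL_FORWARD_ALWAYS = 0        # "00": forward unencrypted whether or not the link is reliable
LEVEL_FORWARD_IF_RELIABLE = 1   # "01": forward unencrypted only over a reliable link
LEVEL_DROP_ALWAYS = 2           # "10": never forward unencrypted; discard
LEVEL_RESERVED = 3              # "11": not used

# TCI flag bits within the 6-bit TCI (802.1AE clause 9; TCI and AN share one octet)
TCI_SC = 0x08   # an explicit 8-octet SCI follows the PN
TCI_E = 0x02    # encryption: the secure data is encrypted
TCI_C = 0x01    # changed text: the secure data differs from the user data


def encode_sl(secure_data_len, level):
    """Build the SL octet. Bits 1-6 follow 802.1AE (the length of the secure
    data if it is below 48, otherwise 0); bits 7-8 carry the Table 2 level."""
    if not 0 <= level <= 3:
        raise ValueError("confidentiality level must be 0..3")
    if secure_data_len < 0:
        raise ValueError("negative length")
    length_bits = secure_data_len if secure_data_len < 48 else 0
    return (level << 6) | length_bits


def decode_sl(sl):
    """Split the SL octet into (short_length, confidentiality_level)."""
    return sl & 0x3F, (sl >> 6) & 0x03


def build_sectag(tci, an, sl, pn, sci=None):
    """Serialize the Table 1 fields in order: EtherType, TCI|AN, SL, PN, [SCI]."""
    if not 0 <= tci <= 0x3F or not 0 <= an <= 3:
        raise ValueError("TCI is 6 bits, AN is 2 bits")
    if (sci is None) == bool(tci & TCI_SC):
        raise ValueError("SC bit must match the presence of an SCI")
    tag = struct.pack("!HBBI", MACSEC_ETHERTYPE, (tci << 2) | an, sl, pn)
    if sci is not None:
        tag += struct.pack("!Q", sci)
    return tag


def is_mac_encrypted_frame(buf):
    """True if the bytes after the MAC addresses start with the MACsec EtherType."""
    return len(buf) >= 2 and struct.unpack("!H", buf[:2])[0] == MACSEC_ETHERTYPE


def parse_sectag(buf):
    """Parse the SecTAG at the start of `buf` (the bytes after the MAC addresses).
    Returns the fields plus the offset at which the secure data begins."""
    if not is_mac_encrypted_frame(buf):
        raise ValueError("not a MAC encrypted frame")
    if len(buf) < 8:
        raise ValueError("truncated SecTAG")
    _, tci_an, sl, pn = struct.unpack("!HBBI", buf[:8])
    tci, an = tci_an >> 2, tci_an & 0x03
    short_length, level = decode_sl(sl)
    sci, offset = None, 8
    if tci & TCI_SC:
        if len(buf) < 16:
            raise ValueError("truncated SCI")
        (sci,) = struct.unpack("!Q", buf[8:16])
        offset = 16
    return {"tci": tci, "an": an, "short_length": short_length,
            "level": level, "pn": pn, "sci": sci, "data_offset": offset}
```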
Having described in detail above how the confidentiality requirement information of a MAC frame is carried in the frame, the following describes in detail how, in MAC secure communication, a network device that receives a MAC encrypted frame to be forwarded to a next link on which MAC security is unavailable further decides, according to the confidentiality requirement information of the frame, whether to discard the frame or to continue forwarding it as a non-encrypted frame.
Fig. 6 is a schematic flow chart of the method of this embodiment. As shown, the method comprises the following steps:
Step S601: The network device receives a MAC encrypted frame and decrypts it.
Step S602: The network device looks up the forwarding table and, from the lookup result, learns on which link the MAC frame needs to be sent.
Step S603: Judge whether MAC security is available on the next link. If it is unavailable, step S604 is executed; otherwise, step S613.
Step S604: The network device obtains the reliability of the next link.
The above steps are the same as steps S501 to S504 of Embodiment 1 and are not repeated here.
Step S605: The network device reads the confidentiality requirement information carried in the MAC encrypted frame.
In this embodiment it is assumed that the confidentiality requirement of the MAC frame is recorded in bits 7 and 8 of the MAC security tag field, using the value rule shown in Table 2.
The network device combines the confidentiality level rule of Table 2 with the reliability information of the next link to obtain the decision rule shown in Table 3, and decides according to the rule of Table 2 as follows.
Step S606: Judge whether the confidentiality level of the MAC encrypted frame is level 1. If so, step S608 is executed; otherwise, step S607.
Step S607: Judge whether the confidentiality level of the MAC encrypted frame is level 0. If so, step S611 is executed whether or not the link is reliable; otherwise, step S608.
Step S608: Judge whether the next link to which the frame is to be sent is reliable. If so, step S611 is executed; otherwise, step S612.
Step S609: Judge whether the confidentiality level of the MAC encrypted frame is level 2. If so, step S612 is executed whether or not the link is reliable; otherwise, step S610.
Step S610: The confidentiality level of the MAC encrypted frame is not 0, 1 or 2, that is, it lies outside the defined range, so the confidentiality level information is judged to have been read in error and the decision is made on link reliability alone: judge whether the next link is reliable; if so, step S611 is executed; otherwise, step S612.
Table three (decision rule; shown as an image in the original)
Step S611: continue forwarding in unencrypted form.
The network device forwards the data of this MAC encrypted frame to the network device of the next link as a MAC non-encrypted frame, i.e. as an ordinary MAC frame, so that that network device can obtain the MAC frame data without needing MAC security decryption.
Step S612: do not continue forwarding this frame; discard it directly.
Step S613: forward to the next link as a MAC encrypted frame.
Since the network device of this next link supports MAC security and MAC security is available, the MAC encrypted frame is encrypted again and forwarded to the next link as a MAC encrypted frame.
The MAC encrypted frame is as shown in the frame-format diagram of Fig. 9. The difference between a MAC encrypted frame and an ordinary MAC frame (i.e. a non-encrypted frame) is that the data is encrypted, a MAC security tag is inserted before the encrypted data, and an integrity check value is appended after the encrypted user data.
Embodiment 3:
This embodiment describes specifically how the network device processes a MAC non-encrypted frame it receives so as to achieve secure network communication.
Fig. 7 is a schematic flow diagram of the method of this embodiment. As shown, the invention comprises the following steps:
Step S701: the network device receives a MAC non-encrypted frame.
This MAC non-encrypted frame may be a MAC frame sent by a network device that supports MAC security and on which MAC security is available; it may also be a MAC non-encrypted frame sent by a network device that does not support MAC security or on which MAC security is unavailable. For the latter, achieving MAC secure communication on the subsequent links is of greater practical significance.
Step S702: if the network device of the next link supports MAC security and MAC security is available, go to step S703; otherwise go to step S705.
The network device judges, according to key agreement protocol (KSP) information or its own configured networking information, whether the network device of the next link supports MAC security technology; if so, go to step S703, otherwise go to step S705.
Step S703: judge whether the encryption flag set by the user is "encryption needed"; if so, go to step S704, otherwise go to step S705.
Step S704: encrypt this MAC non-encrypted frame and forward the resulting MAC encrypted frame.
The MAC non-encrypted frame is encrypted, and the encrypted MAC encrypted frame is forwarded onto the link.
Step S705: forward this MAC frame as a MAC non-encrypted frame.
Therefore, when a network device receives a MAC non-encrypted frame, the invention encrypts the MAC frame if MAC security on the next link is available and otherwise forwards it directly onto the link, thereby achieving MAC secure communication to the greatest extent.
Further, the invention judges, according to the user's setting, whether to encrypt a MAC non-encrypted frame that is forwarded to a network device on which MAC security is available, so that encryption is performed according to the user's actual needs, which helps avoid wasting network resources and speeds up MAC communication.
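The decision procedure of steps S601 to S613 (a MAC encrypted frame arrives) and steps S701 to S705 (a MAC non-encrypted frame arrives), as an added Python example that is not the patent's own code. It assumes the confidentiality level is the two-bit value in the 7th and 8th bits of the SecTAG SL byte (table two's exact encoding is not on this page), follows the per-level rules of steps S606 to S610 (level 0 forwarded in plaintext, level 2 dropped, level 1 and out-of-range levels decided by link reliability), and uses constructed frame bytes; the names NextLink, Action, forward and build_macsec_frame are hypothetical.

```python
"""Forwarding decision for MAC encrypted / non-encrypted frames (added example).

Assumptions (not stated on the page): the confidentiality level is the two-bit
value in bits 7-8 (the two most significant bits) of the SecTAG SL byte; the
frame bytes built here are constructed samples; encryption itself is not
performed, only the forwarding decision is modelled.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5  # EtherType of the MAC security tag (SecTAG)
SECTAG_SL_OFFSET = 15      # dst(6) + src(6) + EtherType(2) + TCI/AN(1) -> SL byte


class Action(Enum):
    FORWARD_ENCRYPTED = "re-encrypt with the next link's SAK and forward (S613 / S704)"
    FORWARD_PLAIN = "forward as an ordinary MAC non-encrypted frame (S611 / S705)"
    DROP = "discard the frame (S612)"


@dataclass
class NextLink:
    macsec_available: bool  # next device supports MAC security and it is usable
    reliable: bool          # link reliability flag configured on this port (S604)


def confidentiality_level(frame: bytes) -> Optional[int]:
    """Step S605: read the level from the SL byte of the SecTAG.

    Returns None when the frame carries no SecTAG, i.e. it is a MAC
    non-encrypted frame and embodiment 3 applies instead.
    """
    if len(frame) <= SECTAG_SL_OFFSET:
        return None
    if int.from_bytes(frame[12:14], "big") != MACSEC_ETHERTYPE:
        return None
    return (frame[SECTAG_SL_OFFSET] >> 6) & 0x3   # assumed two-bit encoding


def decide_encrypted_frame(level: int, link: NextLink) -> Action:
    """Steps S603 to S613 for a decrypted MAC encrypted frame."""
    if link.macsec_available:        # S603 -> S613
        return Action.FORWARD_ENCRYPTED
    if level == 0:                   # S607: plaintext allowed whatever the link
        return Action.FORWARD_PLAIN
    if level == 2:                   # S609: never leaves in plaintext
        return Action.DROP
    # level 1 (S606 -> S608) or an out-of-range level treated as a read
    # error (S610): only link reliability decides.
    return Action.FORWARD_PLAIN if link.reliable else Action.DROP


def decide_plain_frame(link: NextLink, user_wants_encryption: bool) -> Action:
    """Steps S702 to S705 for a MAC non-encrypted frame."""
    if link.macsec_available and user_wants_encryption:   # S702, S703
        return Action.FORWARD_ENCRYPTED                    # S704
    return Action.FORWARD_PLAIN                            # S705


def forward(frame: bytes, link: NextLink, user_wants_encryption: bool = True) -> Action:
    """Dispatch on frame type, as the control / non-control ports of Fig. 8 to 12 do."""
    level = confidentiality_level(frame)
    if level is None:
        return decide_plain_frame(link, user_wants_encryption)
    return decide_encrypted_frame(level, link)


def build_macsec_frame(level: int, secure_data: bytes) -> bytes:
    """Constructed MAC encrypted frame: dst, src, SecTAG, secure data, ICV.

    SecTAG = EtherType 0x88E5, TCI/AN (E=1, C=1, AN=0), SL, 4-byte PN.
    The secure data is placeholder bytes, not real ciphertext.
    """
    dst = bytes.fromhex("0200000000aa")      # constructed locally administered MACs
    src = bytes.fromhex("0200000000bb")
    tci_an = 0x0C
    short_len = len(secure_data) if len(secure_data) < 48 else 0
    sl = ((level & 0x3) << 6) | short_len
    pn = (1).to_bytes(4, "big")
    icv = b"\x00" * 16                       # placeholder integrity check value
    return dst + src + MACSEC_ETHERTYPE.to_bytes(2, "big") + bytes([tci_an, sl]) + pn + secure_data + icv


# Constructed ordinary (non-encrypted) frame: EtherType 0x0800 instead of a SecTAG.
PLAIN_FRAME = bytes.fromhex("0200000000aa0200000000bb0800") + b"constructed ip payload"

if __name__ == "__main__":
    untrusted = NextLink(macsec_available=False, reliable=False)
    for lvl in range(4):
        print(lvl, forward(build_macsec_frame(lvl, b"constructed data"), untrusted).value)
```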
Embodiment 4:
This embodiment describes a network device that is connected to a network device that does not support MAC security or on which MAC security is unavailable.
As shown in Fig. 8, the network device comprises:
Link reliability judging unit 802, used to judge whether a link is reliable and to configure a flag identifying whether the link is reliable.
Link reliability flag storage unit 804, connected to link reliability judging unit 802, used to store the flag configured by link reliability judging unit 802 that identifies whether the link is reliable, referred to here as the link reliability flag.
Control port 806, used to receive and decrypt MAC encrypted frames.
After the network device receives a MAC encrypted frame, it is delivered to control port 806, which decrypts the MAC encrypted frame using the SAK corresponding to that frame.
In the prior art, if the MAC frame needs to be forwarded onto a link on which MAC security is unavailable, the MAC frame is always discarded directly; if the MAC frame needs to be forwarded onto a next link on which MAC security is available, the network device further encrypts the MAC frame with another SAK and then sends it onto the link.
MAC frame destination address obtaining unit 807, used to read the destination address of the MAC encrypted frame (Fig. 9 is a schematic diagram of the MAC encrypted frame format) and, according to this destination address, learn whether the MAC frame needs to be forwarded onto a link on which MAC security is unavailable.
Decision unit 803, connected respectively to link reliability flag storage unit 804, receiving unit 805 and MAC frame destination address obtaining unit 807, used to decide, according to the link reliability flag stored by link reliability flag storage unit 804, whether a MAC encrypted frame received by receiving unit 805 that needs to be forwarded onto a link on which MAC security is unavailable is discarded, or whether the MAC frame, after decryption, is passed to forwarding unit 801.
Forwarding unit 801, connected respectively to decision unit 803 and control port 806, used under the control of decision unit 803 to forward a MAC frame received by control port 806 onto the link in unencrypted form, i.e. to the network device that does not support MAC security or on which MAC security is unavailable.
As can be seen from this embodiment, for a network device connected to a network device that does not support MAC security or on which MAC security is unavailable, the invention provides link reliability judging unit 802, link reliability flag storage unit 804 and decision unit 803 on the network device. When network device 80 receives a MAC encrypted frame that needs to be forwarded to a next network device that does not support MAC security or on which MAC security is unavailable, the network device obtains the reliability status of that next link from link reliability judging unit 802, stores the flag identifying whether the link is reliable in link reliability flag storage unit 804, and decision unit 803 decides, according to the record stored in link reliability flag storage unit 804, to discard the MAC encrypted frame or to forward it to the next link as a non-encrypted frame, rather than discarding all such MAC frames as in the prior art. This method thus ensures normal network communication while protecting the confidentiality of MAC frames.
Embodiment 5:
Fig. 10 is a schematic structural diagram of the network device of this embodiment. As shown, the difference from the network device of embodiment 4 is that this network device adds confidentiality level reading unit 808, connected respectively to receiving unit 805 and decision unit 803, used to read the confidentiality level information carried in the MAC encrypted frame received by receiving unit 805, for reference by decision unit 803 in its decision.
Decision unit 803 differs from that of embodiment 4 in that, in this embodiment, besides deciding according to link reliability flag storage unit 804, decision unit 803 further decides, according to the confidentiality level information carried in the MAC encrypted frame and obtained by confidentiality level reading unit 808, to discard the MAC encrypted frame or to pass it to forwarding unit 801, which forwards it as a non-encrypted frame to the connected next network device that does not support MAC security or on which MAC security is unavailable.
Therefore, because this embodiment adds confidentiality level reading unit 808, decision unit 803 further decides, according to the confidentiality level information contained in the MAC encrypted frame, whether to discard the MAC encrypted frame or to forward it to the next link as a non-encrypted frame, so that the confidentiality and the connectivity of MAC communication are better coordinated and balanced, and the method of the invention better matches actual conditions.
Embodiment 6:
Fig. 11 is a schematic structural diagram of the network device of this embodiment. As shown, the difference from the network device of embodiment 5 is that this network device further comprises:
Non-control port 809, used to receive MAC non-encrypted frames sent to network device 100.
Encryption judging unit 810, connected respectively to non-control port 809, encryption unit 811 and forwarding unit 801, used to judge whether a MAC non-encrypted frame received by non-control port 809 needs to be encrypted. According to the destination address of the received MAC non-encrypted frame, it judges to which link the frame needs to be forwarded and whether MAC security on that link is available; if available, it judges whether the frame needs to be forwarded as a MAC encrypted frame, either according to encryption-needed information carried in the MAC non-encrypted frame (if the frame contains it) or according to the configuration of the receiving port. If so, the MAC frame is passed to encryption unit 811 for encryption; otherwise the MAC frame is passed to forwarding unit 801 and forwarded to the next link.
Encryption unit 811, connected respectively to encryption judging unit 810, SAK storage unit 812 and forwarding unit 801, used to encrypt the MAC non-encrypted frame with the SAK stored in SAK storage unit 812 according to the judgement of encryption judging unit 810, and to pass the encrypted MAC encrypted frame to forwarding unit 801, which forwards it onto the link.
Therefore, because encryption judging unit 809 is connected at the non-control port of the network device to judge whether a received MAC non-encrypted frame needs to be encrypted, data security on the subsequent link is ensured after this network device forwards the frame as a MAC security frame, especially for MAC non-encrypted frames sent by a connected network device that does not support MAC security or on which MAC security is unavailable, achieving secure network communication to the greatest extent.
Embodiment 7:
Fig. 12 is a schematic structural diagram of the network device of this embodiment. As shown, the difference from the network device of embodiment 6 is that this network device further comprises:
Encryption judgement flag storage unit 814, used to store a flag, pre-configured by the user on this network device, indicating whether MAC non-encrypted frames sent by this network device are to be encrypted. According to MAC security needs, the user sets on the network device whether the MAC non-encrypted frames it sends need to be encrypted; if so, the flag is set to the value meaning encryption needed, otherwise to the value meaning encryption not needed. For example, a flag bit is set: a value of "0" means no encryption is needed, a value of "1" means encryption is needed.
Second encryption judging unit 813, connected between encryption judging unit 810 and encryption unit 811 and connected to encryption judgement flag storage unit 814, used to further judge, for a non-encrypted frame that encryption judging unit 810 has judged to need encryption, whether encryption is needed according to the encryption flag stored in encryption judgement flag storage unit 814. If the encryption flag value indicates that encryption is needed, the MAC non-encrypted frame is passed to encryption unit 811 for encryption; otherwise the MAC non-encrypted frame is passed directly to forwarding unit 801 and forwarded directly to the next link.
Therefore, compared with embodiment 6, the invention can further judge, according to the user's setting, whether to encrypt a MAC non-encrypted frame forwarded to a link on which MAC security is available, so that encryption is performed according to the user's actual needs, which helps avoid wasting network resources and speeds up MAC communication.
The MAC secure network communication method and network device provided by the present invention have been described in detail above. Specific examples have been used herein to set forth the principle and implementation of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, a person of ordinary skill in the art may, according to the idea of the invention, make changes in the specific implementation and scope of application. In summary, this description should not be construed as limiting the invention.

Claims (10)

1. A MAC secure network communication method, characterized by comprising:
a network device receives a MAC frame;
if the MAC frame is a MAC encrypted frame, the MAC encrypted frame is decrypted; if the network device of the next link to which the MAC encrypted frame needs to be forwarded does not support MAC security or MAC security is unavailable, it is further judged whether the link is reliable; if reliable, the frame is forwarded to the link as a MAC non-encrypted frame; otherwise the MAC encrypted frame is discarded.
2. The MAC secure communication method according to claim 1, characterized in that judging whether the link is reliable specifically comprises:
according to networking information, pre-configuring the reliability information of the link on the network port of the network device that is connected to the network device that does not support MAC security or on which MAC security is unavailable;
the network device reads the reliability information and learns whether the link is reliable.
3. The MAC secure communication method according to claim 1 or 2, characterized in that, if the MAC encrypted frame contains confidentiality level information, it is further decided, according to the confidentiality level information, to discard the MAC encrypted frame or to forward it to the link as a non-encrypted frame.
4. The MAC secure communication method according to claim 3, characterized in that the MAC encrypted frame contains the confidentiality level information in the following way:
the 7th and 8th bits of the security tag field of the MAC encrypted frame carry the confidentiality level information.
5. The MAC secure communication method according to claim 1 or 2, characterized in that, if the MAC frame is a MAC non-encrypted frame and needs to be forwarded to a network device on which MAC security is available, the MAC frame is encrypted and then forwarded; otherwise the MAC frame is forwarded directly.
6. The MAC secure communication method according to claim 5, characterized in that the network device further stores a flag indicating whether MAC non-encrypted frames sent by this network device need to be encrypted,
and if the MAC frame is a MAC non-encrypted frame that needs to be forwarded to a network device on which MAC security is available, then before encrypting the MAC frame it is further judged, according to the flag, whether the MAC frame needs to be encrypted, and it is encrypted if so.
7. A network device, connected to a network device that does not support MAC security or on which MAC security is unavailable, characterized in that the network device comprises:
a link reliability judging unit, used to judge whether the link between the network device and the network device that does not support MAC security or on which MAC security is unavailable is reliable, and to configure a flag identifying whether the link is reliable;
a link reliability flag storage unit, connected to the link reliability judging unit, used to store the flag identifying whether the link is reliable;
a control port, used to receive and decrypt MAC encrypted frames;
a forwarding unit, used to forward the MAC encrypted frame;
a MAC frame destination address obtaining unit, used to read the destination address of the MAC encrypted frame and judge whether the next network device to which the MAC frame needs to be forwarded is the network device that does not support MAC security or on which MAC security is unavailable;
a decision unit, used to decide, according to the flag identifying whether the link is reliable stored in the link reliability flag storage unit, to discard the data or to forward the MAC encrypted frame to the forwarding unit.
8. The network device according to claim 7, characterized in that the network device further comprises:
a confidentiality level reading unit, used to read the confidentiality level information when the MAC encrypted frame carries confidentiality level information;
the decision unit is connected to the confidentiality level reading unit and is used to further decide, according to the confidentiality level information, to discard the MAC encrypted frame or to pass it to the forwarding unit.
9. The network device according to claim 7 or 8, characterized in that the network device further comprises:
a non-control port, used to receive MAC non-encrypted frames;
an encryption judging unit, used to judge whether the MAC non-encrypted frame needs to be encrypted, judging that it needs to be encrypted when the MAC non-encrypted frame needs to be forwarded to a network device on which MAC security is available;
an encryption unit, used to encrypt the MAC non-encrypted frame that needs to be encrypted and to pass the encrypted MAC frame to the forwarding unit.
10. The network device according to claim 9, characterized in that the network device further comprises:
an encryption judgement flag storage unit, used to store a flag, pre-configured by the user on this network device, indicating whether MAC non-encrypted frames sent by this network device are to be encrypted;
a second encryption judging unit, used to further judge, for a non-encrypted frame that the encryption judging unit has judged to need encryption, whether encryption is needed according to the encryption flag stored in the encryption judgement flag storage unit.
CN200610154170.0A 2006-09-15 2006-09-15 The MAC secure network communication method and the network equipment Expired - Fee Related CN100563148C (en)
Publications (2)

Publication Number Publication Date
CN101145899A CN101145899A (en) 2008-03-19
CN100563148C true CN100563148C (en) 2009-11-25
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091125

Termination date: 20180915