CN101145904A - A method, device and system for data packet transmission - Google Patents

Publication number: CN101145904A
Application number: CN200710176961.8A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventor: 魏巍
Current and original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN200710176961.8A; publication of CN101145904A
Classification: Data Exchanges In Wide-Area Networks
Prior art keywords: data message, VPN, entry, outlet, correspondence

Abstract

The invention discloses a method for transmitting a data packet in an MPLS VPN. The ingress provider edge (PE) device obtains the encryption algorithm and encryption key corresponding to each virtual private network (VPN), and the egress PE obtains the decryption algorithm and decryption key corresponding to each VPN. After receiving a data packet, the ingress PE encrypts it with the encryption algorithm and key of the VPN to which the packet belongs and then transmits it; after receiving the packet, the egress PE decrypts it with the decryption algorithm and key of the VPN to which the packet belongs. The invention also discloses an ingress PE, an egress PE and a system for transmitting data packets in an MPLS VPN. The invention improves the security of data packet transmission in an MPLS VPN.

Description

A method, apparatus and system for data packet transmission
Technical field
The present invention relates to Virtual Private Network (VPN) technology, and in particular to a method, apparatus and system for data packet transmission.
Background
Multiprotocol Label Switching Virtual Private Network (MPLS VPN) is an IP VPN technology commonly deployed in carrier and enterprise networks. Fig. 1 is a schematic diagram of the MPLS VPN networking structure. Referring to Fig. 1, in an MPLS VPN the different VPNs are connected through the carrier network: each VPN connects through its customer edge (CE) device to a provider edge (PE) device in the carrier network, and provider (P) devices may sit between the PE devices inside the carrier network.
Fig. 2 is the flow chart of prior-art data packet transmission in an MPLS VPN. Referring to Figs. 1 and 2, and taking user terminal 1 in VPN1 sending a data packet to user terminal 2 in VPN2 as an example, the flow comprises the following steps:
Step 201: User terminal 1 sends the data packet to CE1, and CE1 forwards the received packet to the ingress PE, PE1.
Step 202: PE1 determines the VPN to which the packet belongs from the packet's inbound port and VLAN information.
Step 203: PE1 obtains the forwarding information base (FIB) table corresponding to the determined VPN.
Step 204: PE1 finds the outbound port, the Address Resolution Protocol (ARP) information and the information required for encapsulation, such as the MPLS label, in the obtained FIB table.
Step 205: PE1 uses the obtained information, such as the MPLS label, to encapsulate the packet with a VPN header and a tunnel header, and sends it from the outbound port.
Step 206: The encapsulated packet is sent to the egress PE, PE2.
Step 207: PE2 removes the tunnel header and the VPN header from the received packet and determines the VPN to which the packet belongs.
Step 208: PE2 obtains the FIB table corresponding to the determined VPN.
Step 209: PE2 finds the outbound port and the ARP information in the obtained FIB table.
Step 210: PE2 performs the corresponding VPN encapsulation on the packet and sends it from the outbound port.
Step 211: After CE2 receives the packet, it sends it to user terminal 2.
In an MPLS VPN, the existing security guarantees only ensure that customer traffic is transmitted securely while the MPLS VPN network is operating normally: for example, independent address spaces and routes are provided, the MPLS core network serving as the public network remains transparent and unknown to VPN users, and label spoofing is prevented.
However, as can be seen from the flow of Fig. 2, the current data packet transmission process has no method of guaranteeing the security of the data packet itself. If a transmission medium or a device in the carrier network of the MPLS VPN, that is, the MPLS core network, fails, the original user data is likely to be leaked, which greatly reduces the security of user data and lowers the quality of service (QoS) of the MPLS VPN.
Summary of the invention
One object of the present invention is to provide a method of packet transmission; another object is to provide an ingress PE; a further object is to provide an egress PE; and another object is to provide a system for packet transmission, so as to improve the security of user data transmitted in an MPLS VPN.
To achieve these objects, the technical solution of the present invention is as follows.
A method of data packet transmission comprises:
the ingress PE obtains the encryption algorithm and encryption key corresponding to each VPN, and the egress PE obtains the decryption algorithm and decryption key corresponding to each VPN;
after the ingress PE receives a data packet, it encrypts the packet with the encryption algorithm and encryption key corresponding to the VPN to which the packet belongs, and then transmits it;
after the egress PE receives the data packet, it decrypts the packet with the decryption algorithm and decryption key corresponding to the VPN to which the packet belongs.
An ingress PE comprises:
an encryption information acquiring unit, for obtaining the encryption algorithm and encryption key corresponding to each VPN;
a data packet processing unit, for receiving the data packet sent by the customer edge (CE) device, using the encryption information acquiring unit to look up the encryption algorithm and encryption key corresponding to the VPN to which the packet belongs, encrypting the packet with them, and then sending it.
An egress PE comprises:
a decryption information acquiring unit, for obtaining the decryption algorithm and decryption key corresponding to each VPN;
a data packet processing unit, for receiving the data packet sent by the ingress PE, using the decryption information acquiring unit to look up the decryption algorithm and decryption key corresponding to the VPN to which the packet belongs, and decrypting the packet with them.
A system for data packet transmission comprises the ingress PE and the egress PE provided by the present invention.
It can be seen that the present invention has the following advantages:
1. In the present invention the data packet is encrypted at the ingress PE, so that while it crosses the carrier network, even if a transmission medium or a device in the carrier network, that is, the MPLS core network, fails, the packet remains protected by the encryption and cannot easily be leaked; this improves the security of user data transmitted in the MPLS VPN. Moreover, the encryption performed at the ingress PE and the decryption performed at the egress PE are those of the VPN to which the packet belongs, and since different VPNs normally use different encryption and decryption algorithms and keys, the security of user data transmission in the MPLS VPN is improved further.
2. In the prior art, tunnel encryption may be applied to protect the security of data packets in other VPN networks: without regard to the VPN to which a packet belongs, the VPN header and data content following the tunnel header are encrypted with the encryption of the corresponding tunnel. With this approach, different VPNs on the same tunnel must use the same encryption and decryption algorithm and key, so the egress PE correctly decrypts, according to the tunnel information, every packet of every VPN that can use the tunnel; if a fault in the egress PE then causes it to find the wrong VPN and outbound port in the FIB table, the egress PE sends the correctly decrypted packet to a user terminal of the wrong VPN, leaking the user data. In the present invention, preferably only the data content of the packet is encrypted with the encryption of the corresponding VPN, and because different VPNs normally use different encryption and decryption algorithms and keys, if a fault in the egress PE causes it to find the wrong VPN, the wrong outbound port and the wrong decryption information in the FIB table, the egress PE decrypts the packet incorrectly and sends it to a user terminal of the wrong VPN; since the packet has not been correctly decrypted, leakage of the user data is avoided, the security of user data is further improved, and the QoS of the MPLS VPN is improved.
Brief description of the drawings
Fig. 1 is a schematic diagram of the MPLS VPN networking structure.
Fig. 2 is the flow chart of prior-art data packet transmission in an MPLS VPN.
Fig. 3 is the flow chart of data packet transmission in an MPLS VPN according to one embodiment of the present invention.
Fig. 4 is a schematic structural diagram of the ingress PE proposed by the present invention.
Fig. 5 is a schematic structural diagram of the egress PE proposed by the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
The present invention proposes a method of data packet transmission in an MPLS VPN. In the method, the ingress PE obtains the encryption algorithm and encryption key corresponding to each VPN, and the egress PE obtains the decryption algorithm and decryption key corresponding to each VPN; after the ingress PE receives a data packet, it encrypts the packet with the encryption algorithm and encryption key corresponding to the VPN to which the packet belongs and then transmits it; after the egress PE receives the packet, it decrypts the packet with the decryption algorithm and decryption key corresponding to that VPN.
Fig. 3 is the flow chart of data packet transmission in an MPLS VPN according to one embodiment of the present invention. Referring to Figs. 1 and 3, and taking user terminal 1 in VPN1 sending a data packet to user terminal 2 in VPN2 as an example, the process of data packet transmission in the MPLS VPN comprises the following steps:
Step 301: The ingress PE obtains in advance the encryption algorithm and encryption key corresponding to each VPN.
Step 302: The egress PE obtains in advance the decryption algorithm and decryption key corresponding to each VPN.
In steps 301 and 302, the encryption algorithm and encryption key corresponding to each VPN can be configured manually on the ingress PE in advance, so that the ingress PE obtains them from its own configuration; likewise, the decryption algorithm and decryption key corresponding to each VPN can be configured manually on the egress PE in advance, so that the egress PE obtains them from its own configuration.
In an MPLS VPN, before the egress PE and the ingress PE exchange data packets, the egress PE exchanges routing information with the ingress PE. For example, because in subsequent data packet transmission the egress PE relies on each packet carrying the label corresponding to its VPN, the egress PE notifies the ingress PE of the label information corresponding to each VPN so that data packets can be exchanged normally between them, and the ingress PE returns an acknowledgement after receiving the label information.
Given that the egress PE notifies the ingress PE of routing information and the ingress PE can return acknowledgement information to the egress PE, steps 301 and 302 can also be implemented in the following two ways:
Mode one: the decryption algorithm and decryption key corresponding to each VPN, together with the encryption algorithm and encryption key corresponding to each VPN, are configured on the egress PE. The egress PE obtains the decryption algorithm and decryption key of each VPN from its own configuration, and while notifying the ingress PE of routing information it sends the encryption algorithm and encryption key of each VPN to the ingress PE, so that the ingress PE obtains them.
The MPLS VPN between the ingress PE and the egress PE may be an MPLS L3VPN or an MPLS L2VPN.
The main form of MPLS L3VPN is Border Gateway Protocol MPLS VPN (BGP MPLS VPN). In BGP MPLS VPN the egress PE sends routing information to the ingress PE through the Labeled VPNv4 address family; therefore, in mode one, when BGP MPLS VPN technology is used between the ingress PE and the egress PE, the egress PE can send the encryption algorithm and encryption key corresponding to each VPN to the ingress PE through an extended Labeled VPNv4 address family or a newly defined address family.
MPLS L2VPN mainly uses two signalling methods, known as Kompella and Martini. In Kompella-mode MPLS L2VPN the egress PE sends routing information to the ingress PE through the L2VPN/VPLS address family; therefore, in mode one, when Kompella-mode MPLS L2VPN technology is used between the ingress PE and the egress PE, the egress PE can send the encryption algorithm and encryption key corresponding to each VPN to the ingress PE through an extended L2VPN/VPLS address family or a newly defined address family.
In Martini-mode MPLS L2VPN the egress PE sends routing information to the ingress PE through LDP messages; therefore, in mode one, when Martini-mode MPLS L2VPN technology is used between the ingress PE and the egress PE, the egress PE can send the encryption algorithm and encryption key corresponding to each VPN to the ingress PE through extended LDP messages.
Mode two: the decryption algorithm and decryption key corresponding to each VPN, together with the encryption algorithm and encryption key corresponding to each VPN, are configured on the ingress PE. The ingress PE obtains the encryption algorithm and encryption key of each VPN from its own configuration, and sends the decryption algorithm and decryption key of each VPN to the egress PE through a newly defined address family or a newly defined message, so that the egress PE obtains them. In this implementation only the decryption algorithm and decryption key are transmitted, and the encryption algorithm and encryption key need not be; it is therefore especially suitable when the ingress PE and egress PE use an asymmetric algorithm (such as RSA) in which the decryption algorithm and decryption key are less sensitive than the encryption algorithm and encryption key.
Modes one and two mean that the user only needs to configure one of the ingress PE and the egress PE manually, rather than configuring both, which simplifies subsequent modification and maintenance; moreover, when the encryption key and the decryption key corresponding to a VPN are identical, the work of manually configuring decryption keys is greatly reduced.
Step 303: When the ingress PE builds the FIB table corresponding to each VPN, it stores the encryption algorithm and encryption key corresponding to that VPN in the FIB table of that VPN.
Step 304: When the egress PE builds the FIB table corresponding to each VPN, it stores the decryption algorithm and decryption key information corresponding to that VPN in the FIB table of that VPN.
Step 305: User terminal 1 sends the data packet to CE1, and CE1 forwards the received packet to the ingress PE, PE1.
Step 306: PE1 determines the VPN to which the packet belongs from the packet's inbound port and VLAN information.
Step 307: PE1 obtains the forwarding information base (FIB) table corresponding to the determined VPN.
Step 308: PE1 finds the outbound port, the Address Resolution Protocol (ARP) information, the information required for encapsulation such as the MPLS label, and the encryption algorithm and encryption key in the obtained FIB table.
Step 309: PE1 uses the obtained information, such as the MPLS label, to encapsulate the packet with a VPN header and a tunnel header.
Step 310: PE1 uses the obtained encryption algorithm and encryption key to encrypt the data content part of the encapsulated packet, and sends the encrypted packet to the egress PE, PE2.
Step 311: PE2 removes the tunnel header and the VPN header from the received packet and determines the VPN to which the packet belongs.
Step 312: PE2 obtains the FIB table corresponding to the determined VPN and finds the outbound port, the ARP information, and the decryption algorithm and decryption key in it.
Step 313: PE2 uses the obtained decryption algorithm and decryption key to decrypt the data content part of the packet.
Step 314: PE2 performs the corresponding VPN encapsulation on the decrypted packet and sends it from the outbound port.
Step 315: After CE2 receives the packet, it sends it to user terminal 2.
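The following Python model is an added example, not code from the patent or from H3C. It walks through steps 305 to 315 above with the per-VPN encryption information held in each VPN's FIB entry, and then reproduces the egress-fault comparison from advantage 2 of the summary: a per-VPN key versus one key shared over the whole tunnel. The patent names no cipher, so an HMAC-SHA256 counter-mode keystream with an authentication tag stands in for the "encryption algorithm and key"; the class and function names (FibEntry, Packet, IngressPE, EgressPE, run_scenarios), the port names, the labels and the customer payload are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the patent's unspecified per-VPN "encryption algorithm":
# HMAC-SHA256 keystream in counter mode plus an HMAC tag, so it runs on the stdlib.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        # A key belonging to another VPN fails here instead of yielding readable data.
        raise ValueError("payload does not authenticate under this VPN's key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

CIPHERS = {"toy-hmac-ctr": (toy_encrypt, toy_decrypt)}  # algorithm name -> (encrypt, decrypt)

@dataclass
class FibEntry:
    """Per-VPN FIB entry: forwarding data plus the algorithm and key (steps 303/304)."""
    out_port: str
    vpn_label: int
    algorithm: str
    key: bytes

@dataclass
class Packet:
    tunnel_label: int  # tunnel header, in the clear so P devices can switch on it
    vpn_label: int     # VPN header, also in the clear
    payload: bytes     # data content: the only part that is encrypted

TUNNEL_LABEL = 1000  # constructed label for the PE1 -> PE2 tunnel

class IngressPE:
    def __init__(self, port_vlan_to_vpn: dict, fib: dict):
        self.port_vlan_to_vpn, self.fib = port_vlan_to_vpn, fib

    def forward(self, in_port: str, vlan: int, payload: bytes):
        vpn = self.port_vlan_to_vpn[(in_port, vlan)]   # step 306: VPN from inbound port and VLAN
        entry = self.fib[vpn]                           # steps 307-308: label, port, algorithm, key
        encrypt, _ = CIPHERS[entry.algorithm]
        pkt = Packet(TUNNEL_LABEL, entry.vpn_label, encrypt(entry.key, payload))  # steps 309-310
        return entry.out_port, pkt

class EgressPE:
    def __init__(self, label_to_vpn: dict, fib: dict):
        self.label_to_vpn, self.fib = label_to_vpn, fib

    def receive(self, pkt: Packet):
        vpn = self.label_to_vpn[pkt.vpn_label]          # step 311: decapsulate, determine the VPN
        entry = self.fib[vpn]                           # step 312: port, algorithm, key
        _, decrypt = CIPHERS[entry.algorithm]
        return entry.out_port, decrypt(entry.key, pkt.payload)  # step 313: payload-only decryption

def run_scenarios() -> dict:
    """Normal forwarding, then the egress fault of advantage 2 with per-VPN keys
    and with one key shared across the tunnel. Returns what each egress hands to its CE."""
    key_vpn1, key_vpn2, shared = os.urandom(32), os.urandom(32), os.urandom(32)
    ingress = IngressPE({("ge0/1", 10): "VPN1"},
                        {"VPN1": FibEntry("core0", 201, "toy-hmac-ctr", key_vpn1)})
    egress = EgressPE({201: "VPN1", 202: "VPN2"},
                      {"VPN1": FibEntry("ge0/1", 201, "toy-hmac-ctr", key_vpn1),
                       "VPN2": FibEntry("ge0/2", 202, "toy-hmac-ctr", key_vpn2)})
    # Constructed fault: the egress maps VPN1's label onto VPN2 (wrong VPN, port and key).
    faulty_egress = EgressPE({201: "VPN2"}, egress.fib)

    payload = b"constructed customer data from user terminal 1"
    _, pkt = ingress.forward("ge0/1", 10, payload)
    results = {"wire_payload_is_plaintext": pkt.payload == payload,
               "normal": egress.receive(pkt)}
    try:
        results["fault_per_vpn_key"] = faulty_egress.receive(pkt)
    except ValueError as err:
        results["fault_per_vpn_key"] = ("dropped", str(err))

    # Prior-art contrast: a single per-tunnel key decrypts cleanly and is misdelivered.
    tunnel_ingress = IngressPE({("ge0/1", 10): "VPN1"},
                               {"VPN1": FibEntry("core0", 201, "toy-hmac-ctr", shared)})
    tunnel_faulty_egress = EgressPE({201: "VPN2"},
                                    {"VPN2": FibEntry("ge0/2", 202, "toy-hmac-ctr", shared)})
    _, tpkt = tunnel_ingress.forward("ge0/1", 10, payload)
    results["fault_shared_tunnel_key"] = tunnel_faulty_egress.receive(tpkt)
    return results
```

Calling run_scenarios() shows the three outcomes side by side: the normal path delivers the plaintext to VPN1's port, the per-VPN-key fault ends in a drop because the payload does not authenticate under VPN2's key, and the shared-tunnel-key fault delivers VPN1's plaintext to VPN2's port. The authentication tag is what turns the "incorrect decryption" of advantage 2 into a detectable drop rather than garbage forwarded to the wrong CE; the patent does not call for one, but a real per-VPN cipher should be authenticated for exactly this reason. The tunnel and VPN headers stay in the clear because the P devices must still switch on the tunnel label.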
The present invention also proposes an ingress PE for an MPLS VPN. Fig. 4 is a schematic structural diagram of the ingress PE proposed by the present invention. Referring to Fig. 4, the ingress PE comprises:
an encryption information acquiring unit, for obtaining the encryption algorithm and encryption key corresponding to each VPN;
a data packet processing unit, for receiving the data packet sent by the customer edge (CE) device, using the encryption information acquiring unit to look up the encryption algorithm and encryption key corresponding to the VPN to which the packet belongs, encrypting the packet with them, and then sending it.
In the ingress PE proposed by the present invention, the encryption information acquiring unit may obtain the encryption algorithm and encryption key corresponding to each VPN from the user's manual configuration; alternatively, it obtains them from the extended Labeled VPNv4 address family, the extended L2VPN/VPLS address family, the extended LDP message or the newly defined address family sent by the egress PE.
In the ingress PE proposed by the present invention, the data packet processing unit may specifically comprise:
a user-side interface unit, for receiving the data packet sent by the CE and passing it to the virtual routing unit;
a virtual routing unit, for receiving the encryption algorithm and encryption key corresponding to each VPN from the encryption information acquiring unit, storing the encryption algorithm and encryption key information of each VPN in the FIB table corresponding to that VPN, obtaining the encryption algorithm and encryption key from the FIB table of the VPN to which a data packet passed by the user-side interface unit belongs, and passing the obtained algorithm and key together with the packet to the encryption execution unit;
an encryption execution unit, for encrypting the data packet with the encryption algorithm and encryption key sent by the virtual routing unit, and passing the encrypted packet to the carrier-side interface unit;
a carrier-side interface unit, for sending the received data packet to the egress PE.
In the ingress PE proposed by the present invention, the encryption execution unit specifically encrypts the data content of the data packet.
The present invention also proposes an egress PE for an MPLS VPN. Fig. 5 is a schematic structural diagram of the egress PE proposed by the present invention. Referring to Fig. 5, the egress PE comprises:
a decryption information acquiring unit, for obtaining the decryption algorithm and decryption key corresponding to each VPN;
a data packet processing unit, for receiving the data packet sent by the ingress PE, using the decryption information acquiring unit to look up the decryption algorithm and decryption key corresponding to the VPN to which the packet belongs, and decrypting the packet with them.
In the egress PE proposed by the present invention, the decryption information acquiring unit obtains the decryption algorithm and decryption key corresponding to each VPN from the user's configuration; alternatively, it obtains them from the newly defined address family or newly defined message sent by the ingress PE.
In the egress PE proposed by the present invention, the data packet processing unit may specifically comprise:
a carrier-side interface unit, for receiving the data packet sent by the ingress PE and passing it to the virtual routing unit;
a virtual routing unit, for receiving the decryption algorithm and decryption key corresponding to each VPN from the decryption information acquiring unit, storing the decryption algorithm and decryption key information of each VPN in the FIB table corresponding to that VPN, obtaining the decryption algorithm and decryption key from the FIB table of the VPN to which a data packet passed by the carrier-side interface unit belongs, and passing the obtained algorithm and key together with the packet to the decryption execution unit;
a decryption execution unit, for decrypting the data packet with the decryption algorithm and decryption key sent by the virtual routing unit.
In the egress PE proposed by the present invention, the decryption execution unit specifically decrypts the data content of the data packet.
The present invention also proposes a system for data packet transmission in an MPLS VPN, comprising an ingress PE and an egress PE, where the ingress PE may be implemented as any of the ingress PEs described in the above embodiments of the present invention, and the egress PE may be implemented as any of the egress PEs described in the above embodiments.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (14)

1. A method of data packet transmission, characterized in that the method comprises:
an ingress provider edge (PE) device obtains the encryption algorithm and encryption key corresponding to each virtual private network (VPN), and an egress PE obtains the decryption algorithm and decryption key corresponding to each VPN;
after the ingress PE receives a data packet, it encrypts the packet with the encryption algorithm and encryption key corresponding to the VPN to which the packet belongs, and then transmits it;
after the egress PE receives the data packet, it decrypts the packet with the decryption algorithm and decryption key corresponding to the VPN to which the packet belongs.
2. The method according to claim 1, characterized in that the method further comprises: configuring in advance on the egress PE the encryption algorithm and encryption key corresponding to each VPN, and the decryption algorithm and decryption key corresponding to each VPN;
the step of the egress PE obtaining the decryption algorithm and decryption key corresponding to each VPN comprises: the egress PE obtains the decryption algorithm and decryption key corresponding to each VPN from its own configuration;
the step of the ingress PE obtaining the encryption algorithm and encryption key corresponding to each VPN comprises:
when BGP MPLS VPN technology is used between the ingress PE and the egress PE, the egress PE sends the encryption algorithm and encryption key corresponding to each VPN to the ingress PE through an extended Labeled VPNv4 address family or a newly defined address family;
when Kompella-mode MPLS L2VPN technology is used between the ingress PE and the egress PE, the egress PE sends the encryption algorithm and encryption key corresponding to each VPN to the ingress PE through an extended L2VPN/VPLS address family or a newly defined address family;
when Martini-mode MPLS L2VPN technology is used between the ingress PE and the egress PE, the egress PE sends the encryption algorithm and encryption key corresponding to each VPN to the ingress PE through extended LDP messages.
3. The method according to claim 1, characterized in that the method further comprises: configuring in advance on the ingress PE the encryption algorithm and encryption key corresponding to each VPN, and the decryption algorithm and decryption key corresponding to each VPN;
the step of the ingress PE obtaining the encryption algorithm and encryption key corresponding to each VPN comprises: the ingress PE obtains the encryption algorithm and encryption key corresponding to each VPN from its own configuration;
the step of the egress PE obtaining the decryption algorithm and decryption key corresponding to each VPN comprises: the ingress PE sends the decryption algorithm and decryption key corresponding to each VPN to the egress PE through a newly defined address family or a newly defined message.
4. The method according to claim 1, characterized in that
after the ingress PE obtains the encryption algorithm and encryption key corresponding to each VPN, the method further comprises: the ingress PE stores the encryption algorithm and encryption key information of each VPN in the forwarding information base (FIB) table corresponding to that VPN; and the encryption algorithm and encryption key used when said ingress PE performs said encryption are obtained by the ingress PE from the FIB table corresponding to the VPN to which the received data packet belongs;
and/or, after the egress PE obtains the decryption algorithm and decryption key corresponding to each VPN, the method further comprises: the egress PE stores the decryption algorithm and decryption key information of each VPN in the FIB table corresponding to that VPN; and the decryption algorithm and decryption key used when said egress PE performs said decryption are obtained by the egress PE from the FIB table corresponding to the VPN to which the received data packet belongs.
5. The method according to any one of claims 1 to 4, characterized in that the step of encrypting the data packet comprises: said ingress PE encrypts the data content in the data packet;
the step of decrypting the data packet comprises: said ingress PE decrypts the data content in the data packet.
6. An ingress PE, characterized in that it comprises:
an encryption information acquiring unit, for obtaining the encryption algorithm and encryption key corresponding to each VPN;
a data packet processing unit, for receiving the data packet sent by the customer edge (CE) device, using the encryption information acquiring unit to look up the encryption algorithm and encryption key corresponding to the VPN to which the packet belongs, encrypting the packet with them, and then sending it.
7. The ingress PE according to claim 6, characterized in that said encryption information acquiring unit is configured to obtain the encryption algorithm and encryption key corresponding to each VPN from the user's configuration;
or, said encryption information acquiring unit is configured to obtain the encryption algorithm and encryption key corresponding to each VPN from the extended Labeled VPNv4 address family, the extended L2VPN/VPLS address family, the extended LDP message or the newly defined address family sent by the egress PE.
8. The ingress PE according to claim 6, characterized in that said data packet processing unit comprises:
a user-side interface unit, for receiving the data packet sent by the CE and passing it to the virtual routing unit;
a virtual routing unit, for receiving the encryption algorithm and encryption key corresponding to each VPN from the encryption information acquiring unit, storing the encryption algorithm and encryption key information of each VPN in the FIB table corresponding to that VPN, obtaining the encryption algorithm and encryption key from the FIB table of the VPN to which a data packet passed by the user-side interface unit belongs, and passing the obtained algorithm and key together with the packet to the encryption execution unit;
an encryption execution unit, for encrypting the data packet with the encryption algorithm and encryption key sent by the virtual routing unit, and passing the encrypted packet to the carrier-side interface unit;
a carrier-side interface unit, for sending the received data packet to the egress PE.
9. The ingress PE according to claim 6, 7 or 8, characterized in that said encryption execution unit is configured to encrypt the data content of the data packet.
10. An egress PE, characterized in that it comprises:
a decryption information acquiring unit, for obtaining the decryption algorithm and decryption key corresponding to each VPN;
a data packet processing unit, for receiving the data packet sent by the ingress PE, using the decryption information acquiring unit to look up the decryption algorithm and decryption key corresponding to the VPN to which the packet belongs, and decrypting the packet with them.
11. The egress PE according to claim 10, characterized in that said decryption information acquiring unit is configured to obtain the decryption algorithm and decryption key corresponding to each VPN from the user's configuration;
or, said decryption information acquiring unit is configured to obtain the decryption algorithm and decryption key corresponding to each VPN from the newly defined address family or newly defined message sent by the ingress PE.
12. The egress PE according to claim 10, characterized in that said data packet processing unit comprises:
a carrier-side interface unit, for receiving the data packet sent by the ingress PE and passing it to the virtual routing unit;
a virtual routing unit, for receiving the decryption algorithm and decryption key corresponding to each VPN from the decryption information acquiring unit, storing the decryption algorithm and decryption key information of each VPN in the FIB table corresponding to that VPN, obtaining the decryption algorithm and decryption key from the FIB table of the VPN to which a data packet passed by the carrier-side interface unit belongs, and passing the obtained algorithm and key together with the packet to the decryption execution unit;
Virtual routing unit, the decipherment algorithm and the decruption key that are used for each VPN correspondence that the receiving and deciphering information acquisition unit sends, the decipherment algorithm of each VPN correspondence and the information of decruption key are kept in the fib table of this VPN correspondence, VPN under the data message of sending according to operator's interface unit, from the fib table of this VPN correspondence, obtain decipherment algorithm and decruption key, the decipherment algorithm that obtains and decruption key and data message are sent to the deciphering performance element;
The deciphering performance element, the decipherment algorithm and the decruption key that are used to utilize virtual routing unit to send are decrypted the data message.
13., it is characterized in that described deciphering performance element is used for the data content of data message is decrypted according to claim 10,11 or 12 described outlet PE.
14. the system of a data message transmission is characterized in that, comprises as any described entry PE in the claim 6 to 9 and as any described outlet PE in the claim 10 to 13.
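The following is an added illustration of the device claims above, written for this page; it is not code from the patent or from H3C. It models the entry PE (user interface, VRF lookup of the per-VPN algorithm and key from the FIB entry, encryption of the data content only, provider interface) and the mirror-image outlet PE, and shows the two failure modes a defender cares about: a message presented under the wrong VPN's label, and a message tampered with in transit, both of which the outlet PE drops. Everything concrete here is an assumption: VPNs are identified by an integer `vpn_id`, VPN labels are integers, the "data message" is a dict whose `data` field is the payload, and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a real suite such as AES-GCM only because the Python standard library ships no AES.

```python
"""Added example (not from the patent): per-VPN payload encryption at the
entry PE and decryption at the outlet PE, keyed from the VPN's FIB entry."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Derive independent encryption and MAC keys from the per-VPN key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stand-in for a real cipher
    # (assumption, chosen only because the stdlib has no AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_payload(key: bytes, vpn_id: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC; the tag also binds the ciphertext to its VPN id."""
    nonce = os.urandom(12)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(payload))
    ciphertext = bytes(p ^ s for p, s in zip(payload, stream))
    aad = struct.pack(">I", vpn_id) + nonce
    tag = hmac.new(_subkey(key, b"mac"), aad + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def decrypt_payload(key: bytes, vpn_id: int, blob: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < 28:
        return None
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    aad = struct.pack(">I", vpn_id) + nonce
    expected = hmac.new(_subkey(key, b"mac"), aad + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass
class VpnFibEntry:
    """What the VRF's FIB holds for one VPN: its label plus the algorithm
    name and key delivered by the information acquiring unit (assumed layout)."""
    vpn_id: int
    label: int
    algorithm: str
    key: bytes


class IngressPE:
    def __init__(self):
        self.fib = {}       # vpn_id -> VpnFibEntry (one VRF per VPN)
        self.ce_ports = {}  # CE-facing interface name -> vpn_id

    def bind(self, ce_port: str, entry: VpnFibEntry) -> None:
        self.fib[entry.vpn_id] = entry
        self.ce_ports[ce_port] = entry.vpn_id

    def receive_from_ce(self, ce_port: str, message: dict):
        """User interface -> VRF lookup -> encrypt data content -> provider side."""
        vpn_id = self.ce_ports.get(ce_port)
        if vpn_id is None:
            return None  # interface bound to no VPN: drop
        entry = self.fib[vpn_id]
        if entry.algorithm != "hmac-ctr-etm":
            return None  # algorithm advertised for this VPN is not supported here
        return {"label": entry.label, "header": dict(message["header"]),
                "data": encrypt_payload(entry.key, vpn_id, message["data"])}


class EgressPE:
    def __init__(self):
        self.labels = {}  # incoming VPN label -> vpn_id
        self.fib = {}     # vpn_id -> VpnFibEntry

    def bind(self, entry: VpnFibEntry) -> None:
        self.fib[entry.vpn_id] = entry
        self.labels[entry.label] = entry.vpn_id

    def receive_from_pe(self, labelled: dict):
        """Provider interface -> label to VPN -> VRF lookup -> decrypt -> CE."""
        vpn_id = self.labels.get(labelled["label"])
        if vpn_id is None:
            return None  # unknown label: drop
        entry = self.fib[vpn_id]
        plaintext = decrypt_payload(entry.key, vpn_id, labelled["data"])
        if plaintext is None:
            return None  # tag failure: wrong VPN key or tampered ciphertext
        return {"header": labelled["header"], "data": plaintext}


def demo() -> dict:
    """Constructed keys and messages (not from the patent)."""
    vpn_a = VpnFibEntry(100, 1001, "hmac-ctr-etm", os.urandom(32))
    vpn_b = VpnFibEntry(200, 1002, "hmac-ctr-etm", os.urandom(32))
    ingress, egress = IngressPE(), EgressPE()
    ingress.bind("ge0/1", vpn_a)
    ingress.bind("ge0/2", vpn_b)
    egress.bind(vpn_a)
    egress.bind(vpn_b)
    msg = {"header": {"src": "10.1.1.1", "dst": "10.2.2.2"}, "data": b"hello from VPN A"}
    labelled = ingress.receive_from_ce("ge0/1", msg)
    tampered = bytearray(labelled["data"])
    tampered[12] ^= 1  # flip one ciphertext bit
    return {
        "delivered": egress.receive_from_pe(labelled)["data"],
        "cross_vpn": egress.receive_from_pe({**labelled, "label": vpn_b.label}),
        "tampered": egress.receive_from_pe(dict(labelled, data=bytes(tampered))),
        "unbound_port": ingress.receive_from_ce("ge0/9", msg),
        "header_in_clear": labelled["header"] == msg["header"],
    }
```

The point to take from the model is that the key selected at each PE is a function of the VPN the message belongs to, not of the peer: a message under VPN B's label cannot be decrypted with VPN B's key even though it was validly produced by the same entry PE, and because the tag covers the VPN id, swapping labels is detected rather than silently yielding garbage to the wrong customer.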
CN200710176961.8A 2007-11-07 2007-11-07 A method, device and system for data packet transmission Pending CN101145904A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200710176961.8A CN101145904A (en) 2007-11-07 2007-11-07 A method, device and system for data packet transmission

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200710176961.8A CN101145904A (en) 2007-11-07 2007-11-07 A method, device and system for data packet transmission

Publications (1)

Publication Number Publication Date
CN101145904A true CN101145904A (en) 2008-03-19

Family

ID=39208221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200710176961.8A Pending CN101145904A (en) 2007-11-07 2007-11-07 A method, device and system for data packet transmission

Country Status (1)

Country Link
CN (1) CN101145904A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101674245B (en) * 2009-10-10 2012-06-06 华为技术有限公司 Exit port route filtering method and device
CN106789865A (en) * 2016-07-14 2017-05-31 深圳市永达电子信息股份有限公司 A kind of network safety protection method based on GRE network integration SDN technologies and Honeypot Techniques
CN107948170A (en) * 2017-11-30 2018-04-20 中国平安人寿保险股份有限公司 Interface requests parameter encryption method, device, equipment and readable storage medium storing program for executing
CN109150916A (en) * 2018-10-25 2019-01-04 盛科网络(苏州)有限公司 A method of layer of data encryption in being realized in MPLS L2VPN network
CN114866527A (en) * 2022-04-29 2022-08-05 中国科学院信息工程研究所 Data processing method, device and system

Similar Documents

Publication Publication Date Title
JP5060081B2 (en) Relay device that encrypts and relays frames
US9258282B2 (en) Simplified mechanism for multi-tenant encrypted virtual networks
CN103188351B (en) IPSec VPN traffic method for processing business and system under IPv6 environment
US8000344B1 (en) Methods, systems, and computer program products for transmitting and receiving layer 2 frames associated with different virtual local area networks (VLANs) over a secure layer 2 broadcast transport network
US20080028225A1 (en) Authorizing physical access-links for secure network connections
US20060182124A1 (en) Cipher Key Exchange Methodology
US20050220091A1 (en) Secure remote mirroring
JP2008104040A (en) Common key producing device, and common key producing method
CN108966174A (en) A kind of communication encryption method of unmanned plane and earth station
CN103905180A (en) Method for enabling classical application to have access to quantum communication network
CN106878278B (en) Message processing method and device
CN110858822B (en) Media access control security protocol message transmission method and related device
CN102664896A (en) Safety network transmission system and method based on hardware encryption
CN106790200B (en) Chip co-processing method for DTLS encryption and decryption of CAPWAP control channel
WO2022028513A1 (en) Data sending method and apparatus and data receiving method and apparatus for resisting network communication monitoring
CN101145904A (en) A method, device and system for data packet transmission
WO2011079717A1 (en) Message transmitting method, equipment and system
CN112187757A (en) Multilink privacy data circulation system and method
US20110302416A1 (en) Method and system for secured communication in a non-ctms environment
CN111555879B (en) Satellite communication network management channel message encryption and decryption method and system
CN114095423A (en) MPLS-based power communication backbone network data security protection method and system
JPH1141280A (en) Communication system, vpn repeater and recording medium
WO2020228130A1 (en) Communication method and system for network management server and network element of communication device
CN109150916A (en) A method of layer of data encryption in being realized in MPLS L2VPN network
WO2011023010A1 (en) Method, device and system for data security transmission and reception in a pseudo-wire network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20080319