CN102148704A - Software implementation method for universal network management interface of safe switch - Google Patents
Software implementation method for universal network management interface of safe switch Download PDFInfo
- Publication number
- CN102148704A CN102148704A CN2011100216375A CN201110021637A CN102148704A CN 102148704 A CN102148704 A CN 102148704A CN 2011100216375 A CN2011100216375 A CN 2011100216375A CN 201110021637 A CN201110021637 A CN 201110021637A CN 102148704 A CN102148704 A CN 102148704A
- Authority
- CN
- China
- Prior art keywords
- data
- implementation method
- software implementation
- network management
- udp
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a software implementation method for a universal network management interface of a safe switch. The method is used for the network management of an industrial Ethernet switch in a server mode, and mainly comprises the following steps of: performing communication with upper computer management software, executing an instruction transmitted by an upper computer, and transmitting an instruction execution result to the upper computer. The two communication ways of transmission control protocol and user datagram protocol can be supported at the same time, and special needs of a user can be satisfied. A unified data frame format is ensured, and encryption processing can be selectively performed on frames so as to ensure the security, real-time and reliability of data.
Description
Technical field
The present invention is applied to field of computer network administration, it is a kind of switch network management software interface, for the network management of switch provides a kind of safe, general, management method flexibly, have a wide range of applications for real-time, efficient and safe network monitoring.
Background technology
At present, the most frequently used NMP is Simple Network Management Protocol (SNMP), is a kind of connectionless protocol based on UDP, and by using request message and the mode of returning response, SNMP is transmission information between administration agent and keeper.This mechanism has alleviated the burden of administration agent, and its unnecessary other agreement of must supporting reaches the processing procedure based on connection mode.Therefore, snmp protocol provides a kind of exclusive mechanism to handle the problem of reliability and fault detect aspect.In addition, network management system is installed in the bigger network environment usually, comprising a large amount of different types of network and network equipments.Therefore, for dividing management responsibility, should be divided into several user partitions to whole network, can be classified as same SNMP subregion to the network equipment that meets the following conditions: they can be provided for realizing the line of demarcation of the needed fail safe of subregion aspect.Snmp protocol is supported this security model based on zone name information, can add it on each network equipment in the selected subregion to by physics mode.Being recognized based on the authentication model of subregion in the snmp protocol at present is for very illusive, and there is a serious safety problem in it.Main cause is that snmp protocol does not provide encryption function, does not also guarantee can not directly copy partition information from network in SNMP packet exchange process.Only need to use a packet capture instrument just can decipher whole SNMP packet, zone name just is completely exposed like this.Because this reason, most of websites are forbidden the setting operation of administration agent equipment.But done a side effect like this, value that so can only the monitor data object and can not change them has limited the availability of snmp protocol.
In addition, the specific demand of network environment complexity or network management system, the network manager need obtain reliable data, and the SNMP based on UDP then can't finish these specific functions so.The inborn safety defect of snmp protocol can not provide effective protection to the fail safe of exchanger information.And fail safe, for present network, seem particularly important.A kind of energy flexible and changeable and also safely and effectively the switch network way to manage be very important.
Summary of the invention
The objective of the invention is does not provide encryption function and the deficiency that can not provide based on the TCP communication that is connected in order to overcome SNMP, and the slave computer software interface implementation method of a kind of switch that proposes.This method upwards provides the communication with the host computer management software, slave computer is carried out bottom operations such as get and set downwards, is operated under the server mode, shown in block diagram 1.The characteristics of this method are to provide encryption function to Frame, ensure the safety of network management, support two kinds of communication modes of TCP and UDP simultaneously, improved the flexibility and the reliability of network management greatly, data frame structure is simple, can compatible snmp protocol way to manage.
This method is to design on the basis of snmp protocol, and its UDP mode and snmp protocol are basic identical, on this basis, has increased the protocol mode of TCP, satisfies network manager's needs and carries out based on the communication modes that connects.To the get of sensitivity and set order carrying out security control management, the packet of sensitivity has been carried out encryption, make network communication safety not reduce the requirement of real-time again.
The roughly flow process of this method is as shown in Figure 2:
(1) at first interface routine is set up TCP and is connected with UDP, binds corresponding IP and port, and process is in the multichannel listening state then;
(2) host computer is set up communication with the TCP or the UDP of slave computer interface by the port of agreement;
(3) after receiving the request command that the host computer management software sends, judge whether order is encrypted command, if order is encrypted, then earlier order is decrypted the legitimacy of verification command, fill order then.The execution result packing is also judged whether according to a preconcerted arrangement and need encrypt the packet that sends, encrypt if desired, then packet is carried out encryption, at last packet is sent.
The invention has the beneficial effects as follows:
(1) has good versatility
The method compatibility based on the frame format of the SNMP network management protocol of UDP, can not need to do too big change for the SNMP bag and just can be applied directly in this method.
(2) has very high fail safe
This method in the frame header compatibility security control of SNMP network management protocol, done preliminary and limited security control.Simultaneously, this method has been carried out the AES encryption to the Frame of sensitivity, has improved the fail safe of data in transmission over networks greatly.
(3) has good flexibility
Under specific demand, this method provides the communication modes of TCP, and has good extendibility, is well positioned to meet keeper's actual demand.
The invention provides a kind of simple, flexible, safe and general switch webmastering software interface method.
Description of drawings
Fig. 1 switch webmaster block diagram
Network management interface is operated the slave computer bottom, and provides Communications service to host computer.Main operation has get, set, getResques, getResques and trap, communication modes TCP and UDP.
Fig. 2 network management interface main flow
After enabling network management interface, create the link of TCP and UDP, receive the order that host computer is sent, and be decrypted, after the fill order, after the data encryption to the needs transmission, send to host computer.
Fig. 3 data packet messages form
Data packet messages variable length, packet header account for 12 bytes.Head is made up of magic, reserve, command, number and five fields of datalength.
Fig. 4 TCP/UDP handles main flow
After TCP and UDP create successfully, enter the multichannel listening state, receive the order of host computer after, fill order, and send request results to host computer.
Fig. 5 tcp data bag handling process
After TCP receives order, legitimacy check is carried out in order, earlier to the order deciphering, fill order then, and send request results to host computer is encrypted as need, earlier packet is encrypted as the needs deciphering.
Fig. 6 UDP message bag handling process
After UCP receives order, legitimacy check is carried out in order, earlier to the order deciphering, fill order then, and send request results to host computer is encrypted as need, earlier packet is encrypted as the needs deciphering.If the snmp operation is then carried out in snmp packet header, and request results is encrypted, send to host computer.
Embodiment
Technical scheme of the present invention is as follows:
(1) frame format of packet is divided into head and data division.As shown in Figure 3, data frame header is 12 bytes, the data division variable length.Its head quinquepartite is formed: magic, reserve, command, number, datalength.
The magic field is 4 bytes: comprise identification informations such as company, version, the plaintext password between improvement process and the agent process, the type of PDU etc.The magic field provides preliminary and limited security capabilities, has defined the manager of checking, access control and proxy feature and the relation between the agency.
The Reserve field is 4 bytes, as reservation, can be used as the expansion of magic field.
The command field is 1 byte, and main order has:
FSER_ZERO: be 0, the order successful execution
FSER_GET_VALUE: the value that obtains relevant configured parameter
FSER_GET_VALUE_ACK: confirm correctly to obtain relevant configured parameter
FSER_SET_VALUE: relevant configured parameter is set
FSER_SET_VALUE_ACK: confirm correctly to be provided with relevant configured parameter
FSER_GET_FILE: read file
FSER_GET_REG: obtain switch network interface quantity
FSER_GET_SYSMSG: obtain system information
FSER_SET_SYNCTIME: synchronised clock is set
FSER_GET_PORTS_STATUS: obtain switch network interface state
FSER_GET_PORTS_MEDIA: obtain switch network interface type
FSER_GET_IGMPTABLE: obtain main broadcaster's address table
FSER_GET_MACTABLE: obtain mac address table
FSER_GET_RSTPSTATUS: obtain the rapid spanning-tree state
FSER_SET_SWCFGFILE: obtain switch configuration information
FSER_TRAP:trap wraps sign
The number field is 1 byte, as the expansion of command field.
The datalength field is 2 bytes, the length of the data division of expression frame.Its length minimum is 0, is 512 bytes to the maximum.
Data division is that variable and value thereof are formed variable-length.Data division indicates get and set operates the name of one or more variablees and the value of correspondence, and the value of get performance variable should be ignored.
(2) encryption and decryption to Frame adopts the AES128 encryption method.It is fast that the AES encryption method has speed, takies the little characteristics of resource, is fit to be applied in the switch embedded system.The encryption and decryption process of packet is as follows: interface routine reads the bag of receiving earlier, bag is carried out the AES deciphering, with the bag subpackage after the deciphering, read get or set operation, carry out associative operation, then the variable of get or set is encrypted with value packing and AES, the result after will encrypting at last sends.Here most important will managing key, key are adopted and are cut apart the XOR method, and the length of key own is 128, is not isometric N part with the key random division.For each cipher key sections after cutting apart, generate two random train R and the S isometric at random with cipher key sections, R, S and cipher key sections XOR generate T.N is organized R, S, T exist respectively in the different files, can generate a cipher key sections, have only by N group R, S, T ability reconstruct key with one group of R, S, T XOR.The management of key will need the control in conjunction with port and login, and control device such as periodic replacement key etc. just can reach best effect.In order not reduce the real-time of system, need not all data frame encryptions, only the order and the packet of sensitivity are encrypted, so also can reduce the possibility that key is cracked.
(3) exchange interface program provides TCP and two kinds of communication modes of UDP.As shown in Figure 4 after TCP and UDP set up socket and binding IP and port, process is in the select multichannel and monitors and wait for.When the TCP connection request that receives the host computer webmaster and after successfully setting up communication, begin to carry out the TCP communication.Behind the UDP message bag that receives the host computer webmaster, begin to carry out the UDP communication.Receive bag, at first judge the legitimacy in packet header,, directly carry out related command if legal.If illegal, with AES packet is deciphered earlier, then in the legitimacy of judging packet header,, carry out related command if legal, do not conform to rule and abandon.
Which order of making an appointment needs to encrypt to command field, and is then first to the data packet encryption when running into the packet that includes the order that needs encrypt, and sending then.For not needing encrypted data packet then directly to send.
(4) message of the data message format compatible SNMP of this method is being tested to UDP message bag packet header when checking, if when inconsistent, then judge whether it is the SNMP message with the general format of this method agreement.If the SNMP message is then carried out the SNMP associated component bag is unpacked, carry out related command then, detailed process is as shown in Figure 5.The data processing method of TCP and the mode of UDP are basic identical, and detailed process as shown in Figure 6.
The above only is implementation procedure of the present invention and method example, not in order to restriction the present invention, all any modifications of being made with spirit of the present invention and essence, is equal to replacement, improvement etc., all within protection scope of the present invention.
Claims (4)
1. the software implementation method of a ciphering type switch general network administration interface is characterized in that:
A) message format of packet;
B) support TCP and UDP network management interface and processing data packets mode simultaneously;
C) the network management data bag is carried out encryption and key management mode.
2. the software implementation method of ciphering type switch general network administration interface as claimed in claim 1 is characterized in that the data packet messages form is made up of header part and data division in the step a), and data frame header is 12 bytes, the data division variable length.Its head is made up of magic version identifier, reserve reservation, command order, number order expansion and five fields of datalength follow-up data segment length, accounts for 4 bytes, 4 bytes, 1 byte, 1 byte and 2 byte lengths respectively.
3. the software implementation method of ciphering type switch general network administration interface as claimed in claim 1 is characterized in that, software interface provides TCP and two kinds of communication modes of UDP in the step b), its UDP mode compatibility snmp protocol, can be to the identification automatically of SNMP bag.
4. the software implementation method of ciphering type switch general network administration interface as claimed in claim 1, it is characterized in that the AES that carries out that in the step b) data is surrounded by selection encrypts the level of security of agreement get and set order, sign there is the order of level of security, carries out encryption.Cut apart the XOR method for the key management employing and be saved in different physical locations.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100216375A CN102148704A (en) | 2011-01-19 | 2011-01-19 | Software implementation method for universal network management interface of safe switch |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100216375A CN102148704A (en) | 2011-01-19 | 2011-01-19 | Software implementation method for universal network management interface of safe switch |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102148704A true CN102148704A (en) | 2011-08-10 |
Family
ID=44422722
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011100216375A Pending CN102148704A (en) | 2011-01-19 | 2011-01-19 | Software implementation method for universal network management interface of safe switch |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102148704A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102368831A (en) * | 2011-12-01 | 2012-03-07 | 内蒙古中大传媒发展有限公司 | Survey method for audience rating of digital television users |
| CN110300105A (en) * | 2019-06-24 | 2019-10-01 | 山东超越数控电子股份有限公司 | A kind of remote cipher key management method of network cryptographic machine |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1384642A (en) * | 2001-04-29 | 2002-12-11 | 华为技术有限公司 | Method of adding subscriber's security confirmation to simple network management protocol |
| CN1933418A (en) * | 2005-09-14 | 2007-03-21 | 华为技术有限公司 | Network management system and method using simple network management protocol |
| US20090182849A1 (en) * | 2008-01-15 | 2009-07-16 | Bea Systems, Inc. | System and Method for Using SNMP in an Application Server Environment |
-
2011
- 2011-01-19 CN CN2011100216375A patent/CN102148704A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1384642A (en) * | 2001-04-29 | 2002-12-11 | 华为技术有限公司 | Method of adding subscriber's security confirmation to simple network management protocol |
| CN1933418A (en) * | 2005-09-14 | 2007-03-21 | 华为技术有限公司 | Network management system and method using simple network management protocol |
| US20090182849A1 (en) * | 2008-01-15 | 2009-07-16 | Bea Systems, Inc. | System and Method for Using SNMP in an Application Server Environment |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102368831A (en) * | 2011-12-01 | 2012-03-07 | 内蒙古中大传媒发展有限公司 | Survey method for audience rating of digital television users |
| CN110300105A (en) * | 2019-06-24 | 2019-10-01 | 山东超越数控电子股份有限公司 | A kind of remote cipher key management method of network cryptographic machine |
| CN110300105B (en) * | 2019-06-24 | 2022-01-04 | 超越科技股份有限公司 | Remote key management method of network cipher machine |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110996318B (en) | Safety communication access system of intelligent inspection robot of transformer substation | |
| US7987359B2 (en) | Information communication system, information communication apparatus and method, and computer program | |
| CN104811444B (en) | A kind of safe cloud control method | |
| CN1949765B (en) | Method and system for obtaining SSH host computer public key of device being managed | |
| CN104601550B (en) | Reverse isolation file transmission system and method based on cluster array | |
| CN111373702B (en) | Interface device for data exchange between a fieldbus network and a cloud | |
| CN109104273B (en) | Message processing method and receiving end server | |
| CN112422560A (en) | Lightweight substation secure communication method and system based on secure socket layer | |
| CN111756528B (en) | Quantum session key distribution method, device and communication architecture | |
| CN109218451A (en) | A kind of data transmission method of distributed cluster system, device, equipment and medium | |
| JP2012048576A (en) | Data transmission processing device and data transmission program | |
| CN100426753C (en) | Network managing method based on SNMP | |
| KR20140091221A (en) | Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof | |
| KR20190040443A (en) | Apparatus and method for creating secure session of smart meter | |
| CN102148704A (en) | Software implementation method for universal network management interface of safe switch | |
| CN111245604A (en) | Server data security interaction system and method | |
| CN100596350C (en) | Method for encrypting and decrypting industrial control data | |
| CN114679265B (en) | Flow acquisition method, device, electronic equipment and storage medium | |
| CN102882897A (en) | Cookie protecting method and device | |
| CN115174071A (en) | Safe transmission method and system for remote upgrading scene of train-mounted software | |
| CN101217532B (en) | An anti-network attack data transmission method and system | |
| CN114826748A (en) | Audio and video stream data encryption method and device based on RTP, UDP and IP protocols | |
| CN101753353B (en) | SNMP based safety management method, Trap message processing method and device | |
| CN113691519B (en) | Off-network equipment centralized control method for unified management of access rights of cloud service | |
| US11805110B2 (en) | Method for transmitting data packets |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20110810 |