CN104935593A - Data message transmitting method and device - Google Patents


Info

Publication number: CN104935593A
Application number: CN201510333329.4A
Authority: CN (China)
Prior art keywords: data message, switch, transmission, key information, encrypted
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN104935593B (en)
Inventor: 彭剑远
Current assignee / original assignee: Hangzhou H3C Technologies Co Ltd

Classifications

    • H04L63/0428 (H04L63/04, H04L63/00): network architectures or protocols for network security providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L45/302 (H04L45/00): route determination based on requested QoS
    • H04L45/306 (H04L45/00): route determination based on the nature of the carried application

Abstract

The present application provides a data message transmission method and device. The method is applied to a controller in a software defined network (SDN) and comprises: receiving a current data message to be transmitted and judging whether the data message needs encrypted transmission; and, if it does, selecting a transmission path for the data message according to the encryption capability information of the switches in the current SDN and sending a flow table to the switches on the transmission path, so that those switches perform encrypted transmission of the data message according to pre-stored key information and the flow table. The method and device thus provide encrypted transmission for messages with higher security requirements, improving the security of the related services.

Description

Data message transmission method and device
Technical field
The present application relates to the field of network communication technology, and in particular to a data message transmission method and device.
Background
SDN (Software Defined Network) is a new network architecture. In one optional implementation, it separates the control plane of a network device from the data plane by means of OpenFlow technology, thereby achieving flexible control over network traffic. An SDN usually comprises a controller, which implements the control plane functions, and a number of switches, which implement the data plane functions. Because service boards with encryption capability are expensive, usually only some ports of some switches carry such a board, that is, only data messages sent through a port equipped with such a board can be encrypted.
In an SDN, the controller is responsible for determining the transmission path of a data message and issues flow tables to the switches on that path, so that those switches forward the data message from the source device to the destination device according to the flow tables they receive. When determining a transmission path, current controllers select an optimal path according to the ports of the respective switches and the connection relationships between those ports. As a result, messages that need encrypted transmission are inevitably sometimes transmitted unencrypted, which greatly reduces the security of the corresponding service.
Summary of the invention
In view of this, the present application provides a data message transmission method and device.
Specifically, the present application is achieved by the following technical solutions:
According to a first aspect of the embodiments of the present invention, a data message transmission method is provided. The method is applied to a controller in a software defined network (SDN) and comprises:
receiving a current data message to be transmitted and judging whether the data message needs encrypted transmission; and, if the data message needs encrypted transmission, selecting a transmission path for the data message according to the encryption capability information of the switches in the current SDN and sending a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to pre-stored key information and the flow table.
According to a second aspect of the embodiments of the present invention, a data message transmission method is provided. The method is applied to a switch in a software defined network (SDN) and comprises:
sending a current data message to be transmitted to a controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the encryption capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path; and
receiving the flow table, and performing encrypted transmission of the data message according to pre-stored key information and the flow table.
According to a third aspect of the embodiments of the present invention, a data message transmission device is provided. The device is applied to a controller in an SDN and comprises:
a judging module, configured to receive a current data message to be transmitted and judge whether the data message needs encrypted transmission; and
a selecting and sending module, configured to, if the judging module judges that the data message needs encrypted transmission, select a transmission path for the data message according to the encryption capability information of the switches in the current SDN and send a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to pre-stored key information and the flow table.
According to a fourth aspect of the embodiments of the present invention, a data message transmission device is provided. The device is applied to a switch in an SDN and comprises:
a sending module, configured to send a current data message to be transmitted to a controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the encryption capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path; and
a transmission module, configured to receive the flow table and perform encrypted transmission of the data message according to pre-stored key information and the flow table.
In the embodiments of the present application, the controller judges whether a data message to be transmitted needs encrypted transmission and, when it does, selects a transmission path for it according to the encryption capability information of the switches in the current SDN and has the switches on that path encrypt the message with pre-stored key information. Encrypted transmission can thus be provided for messages with higher security requirements, thereby improving the security of the related services.
Brief description of the drawings
Fig. 1 is a flow chart of a data message transmission method according to an exemplary embodiment of the present application;
Fig. 2 is a flow chart of another data message transmission method according to an exemplary embodiment of the present application;
Fig. 3 is a signaling flow diagram of a data message transmission method according to an exemplary embodiment of the present application;
Fig. 4 is an architecture diagram of an SDN according to an exemplary embodiment of the present application;
Fig. 5 is a hardware structure diagram of a controller hosting the data message transmission device of the present application;
Fig. 6 is a block diagram of a data message transmission device according to an exemplary embodiment of the present application;
Fig. 7 is a hardware structure diagram of a switch hosting the data message transmission device of the present application;
Fig. 8 is a block diagram of another data message transmission device according to an exemplary embodiment of the present application.
Detailed description
Exemplary embodiments will be described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
The data message transmission method embodiments of the present application may be used in an SDN. With the method embodiments provided by the application, data messages with high security requirements in the SDN are transmitted, after encryption, by switches with encryption capability, while data messages with low security requirements are transmitted through switch ports without encryption capability, which makes reasonable use of device resources. Moreover, the controller manages key information centrally and updates it periodically, which greatly improves the security of the services. The implementation of the application is described in detail below with reference to specific embodiments.
Fig. 1 is a flow chart of a data message transmission method according to an exemplary embodiment of the present application; this embodiment is described from the controller side of the SDN. As shown in Fig. 1, the data message transmission method comprises:
Step S101: receive the current data message to be transmitted, and determine whether the data message needs encrypted transmission.
In this embodiment, after the controller receives a data message sent by a switch, it can determine whether the data message needs encrypted transmission in various ways, for example by detecting whether the data message contains a predetermined encryption mark, or by judging whether the attribute information of the data message meets a preset requirement.
The provider and the transmitter of the data message can agree in advance that a data message containing the predetermined encryption mark needs encrypted transmission; the predetermined encryption mark can be used to indicate that the security level of the data message is higher than a predetermined threshold. Specifically, when the provider of the data message determines that its security level is higher than the predetermined threshold, it adds the predetermined encryption mark to the data message; when it determines that the security level is not higher than the predetermined threshold, it does not add the mark. The predetermined encryption mark can be set flexibly as required. In this way, when the transmitter, that is, the controller in the SDN, receives a data message to be transmitted, it can determine whether the message is to be transmitted encrypted by detecting whether the message contains the predetermined encryption mark.
For example, if the controller detects that the current data message contains "Encryption Id", it can determine that the data message is to be transmitted encrypted.
In addition, the attribute information of the data message may be the priority of the data message: when the controller judges that the priority of the data message is greater than a predetermined threshold, the data message is transmitted encrypted.
For example, if the priority of the data message is 7 and the predetermined threshold is 5, then, since the priority of the message is greater than the predetermined threshold 5, it can be determined that the data message needs encrypted transmission. It should be noted that the predetermined threshold 5 above is only an example; in practical applications it can be set flexibly as required.
Step S102: if the data message needs encrypted transmission, select a transmission path for the data message according to the encryption capability information of the switches in the current SDN, and send a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to pre-stored key information and the flow table.
If it is determined that the data message needs encrypted transmission, switches with encryption capability are selected from the switches in the current SDN to form the transmission path for the data message. Since all the switches on the transmission path then have encryption capability, the data message can be transmitted encrypted, which ensures its security. If, on the other hand, it is determined that the data message does not need encrypted transmission, a transmission path is likewise selected for it, but the switch ports on that path have no encryption capability, so the data message is not encrypted. In this way, the security requirements of users can be distinguished: messages with higher security requirements are transmitted encrypted, which improves the security of the related services.
It should be noted that in this embodiment, before selecting switches with encryption capability from the switches in the current SDN, the method may further comprise: learning the encryption capability information of the switches in the current SDN.
The encryption capability information comprises the identifiers of the ports that support a security protocol and of the switches on which those ports are located. The security protocol may include, but is not limited to, the MAC Security (Media Access Control Security, MACsec) protocol. MACsec defines a method for secure data communication over IEEE 802 LANs; it provides users with secure MAC-layer data input and output services, including user data encryption, frame integrity checking and data origin authentication.
Specifically, when the controller and a switch establish an OpenFlow connection, the controller obtains the encryption capability information of the switch through an extended OpenFlow protocol message, for example whether the switch supports MACsec and, if so, which ports of the switch support MACsec.
It should be noted that only when both of two switches support MACsec can the link between them be encrypted with MACsec. If switch A and switch B both support MACsec and switch C does not, then only the data messages between switch A and switch B can be encrypted, while messages between switch A and switch C and between switch B and switch C cannot.
In addition, in order for a switch with encryption capability, for example one supporting MACsec, to encrypt a data message that needs encrypted transmission, the controller also needs to generate key information and send it to the switches with encryption capability; specifically, the key information is sent through an extended OpenFlow protocol message.
It should be pointed out that the OpenFlow protocol message extended in this embodiment contains a new field, which is used to carry the encryption capability information of the switch and the key information.
In this embodiment, after receiving the key information, a switch can use it to transmit the data message encrypted. To improve security, the controller can update the key information; for example, it can decide when to update the key information according to the traffic volume.
Specifically, the controller can periodically obtain the switch port traffic and count the traffic value between switches. Before the traffic value reaches a traffic threshold, that is, when the difference between the traffic value and the traffic threshold is within a preset range, the controller notifies the switches of the updated key information, so that when the traffic value between the switches reaches the traffic threshold, the switches automatically switch to the new key. The preset range can be set flexibly as required.
For example, suppose it is agreed that the key is updated when the traffic value between switch A and switch B reaches 10 T bytes. The controller then obtains a port traffic count from the switches every 10 seconds, and when it finds that 8 T bytes have been sent between switch A and switch B, it issues a new key to switch A and switch B. When switch A and switch B find that the counts of traffic received and sent on their own ports total 10 T bytes, they update their keys at the same time.
In addition, the controller can also notify the switches in real time to adjust the traffic threshold according to the traffic conditions, so as to avoid the security of the transmission path being reduced because the key cannot be updated for a long time when traffic is low.
It can be seen that the above embodiment can select a transmission path made up of switch ports with encryption capability for messages with higher security requirements, and a transmission path made up of switch ports without encryption capability for messages whose security requirements are not high, which both ensures the security of the corresponding services and makes full use of the device resources in the current SDN.
In the above data message transmission method, the controller judges whether a data message to be transmitted needs encrypted transmission and, when it does, selects a transmission path for it according to the encryption capability information of the switches in the current SDN and has the switches on that path encrypt the message with pre-stored key information. Encrypted transmission can thus be provided for messages with higher security requirements, thereby improving the security of the related services.
Fig. 2 is a flow chart of another data message transmission method according to an exemplary embodiment of the present application; this embodiment is described from the switch side of the SDN. As shown in Fig. 2, the data message transmission method comprises:
Step S201: send the current data message to be transmitted to the controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the encryption capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path.
In this embodiment, after a switch receives a data message to be transmitted, if it finds no matching flow table, it sends the data message to the controller so that the controller selects a transmission path for it. Specifically, according to the encryption capability information of the switches in the current SDN, the controller can select a transmission path made up of switch ports with encryption capability for messages that need encrypted transmission (for example, messages with higher security requirements), and a transmission path made up of switch ports without encryption capability for messages that do not need encrypted transmission (for example, messages whose security requirements are not high), and then send flow tables to the switches on the corresponding transmission path.
For details of how the controller obtains the encryption capability information of the switches, see the relevant part of the embodiment shown in Fig. 1; this is not repeated here.
Step S202: receive the flow table, and perform encrypted transmission of the data message according to the pre-stored key information and the flow table.
In this embodiment, before performing encrypted transmission of the data message according to the pre-stored key information and the flow table, the method may further comprise: receiving and saving the key information, or the updated key information, sent by the controller. Specifically, the controller sends the key information through an extended OpenFlow protocol message; for details, see the relevant part of the embodiment shown in Fig. 1, which is not repeated here.
After the switch has saved the updated key information, it can detect, according to the above flow table, whether the traffic value between it and the peer switch has reached the pre-stored traffic threshold, and if so, use the updated key information to encrypt the data message, so as to improve security.
Of course, before detecting whether the traffic value between it and the peer switch has reached the traffic threshold, the switch also needs to receive and save the traffic threshold, or the updated traffic threshold, sent by the controller. The purpose of the controller updating the traffic threshold is to avoid the poor security of the transmission path that would result from the key not being updated for a long time when traffic is low.
In this embodiment, after the switch receives the flow table, it can transmit the data message encrypted according to the pre-stored key information. In addition, when the encrypted data message reaches the last switch on the transmission path, that switch decrypts the encrypted message according to the key information sent by the controller, in order to send the data message to the destination device.
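The traffic-triggered key update described above for the controller, together with the matching switch behaviour of Step S202, modelled as an added example that is not the patent's or H3C's code. The 10 s poll, the 10 T byte threshold and the 8 T byte push point are the page's figures; the 24-hour maximum key age, the counter reset after a key change, the key format and the way counters are read are assumptions made here.

```python
import secrets

TB = 10 ** 12
POLL_INTERVAL_S = 10            # the controller reads port counters every 10 s (page)
FLOW_THRESHOLD = 10 * TB        # switches change key at 10 T bytes on the link (page)
PRESET_RANGE = 2 * TB           # new key pushed within 2 T bytes of the threshold, i.e. at 8 T (page)
MAX_KEY_AGE_S = 24 * 3600       # assumption: lower the threshold if rotation would take longer


class Switch:
    """A MACsec-capable switch: active key, optional pending key, link byte counter."""

    def __init__(self, name, key):
        self.name = name
        self.active_key = key
        self.pending_key = None
        self.threshold = FLOW_THRESHOLD
        self.counter = 0            # bytes sent + received on the peer-facing port

    def install_pending_key(self, key):
        """Step S202 prerequisite: save the updated key sent by the controller."""
        self.pending_key = key

    def set_threshold(self, threshold):
        """Save the traffic threshold (or updated threshold) sent by the controller."""
        self.threshold = threshold

    def transfer(self, nbytes):
        """Account link traffic; on reaching the threshold, switch to the pending key.
        Both peers count the same link bytes, so they change key at the same moment."""
        self.counter += nbytes
        if self.counter >= self.threshold and self.pending_key is not None:
            self.active_key, self.pending_key = self.pending_key, None
            self.counter = 0        # assumption: a fresh key starts a fresh count
        return self.active_key

    def rotation_overdue(self):
        """True if the threshold was reached before a new key arrived (old key still in use)."""
        return self.counter >= self.threshold


class Controller:
    """Controller-side key management for one encrypted link between two switches."""

    def __init__(self, switches, keygen=lambda: secrets.token_bytes(16)):
        self.switches = switches
        self.keygen = keygen        # injectable so the behaviour can be tested deterministically
        self.threshold = FLOW_THRESHOLD
        self.key_pushed = False
        self.last_count = 0

    def poll(self):
        """One timed poll (every POLL_INTERVAL_S). Returns the list of actions taken."""
        count = max(sw.counter for sw in self.switches)   # constructed stand-in for a stats request
        if count < self.last_count:         # counters restarted: the switches changed key
            self.key_pushed = False
            delta = count
        else:
            delta = count - self.last_count
        self.last_count = count
        rate = delta / POLL_INTERVAL_S
        actions = []
        # Low traffic: rotation would take too long, so lower the threshold rather than
        # leave one key in use indefinitely (the page's threshold adjustment).
        if rate > 0 and (self.threshold - count) / rate > MAX_KEY_AGE_S:
            self.threshold = count + int(rate * MAX_KEY_AGE_S)
            for sw in self.switches:
                sw.set_threshold(self.threshold)
            actions.append(("threshold", self.threshold))
        # Within the preset range of the threshold: generate and push the next key early.
        if not self.key_pushed and self.threshold - count <= PRESET_RANGE:
            key = self.keygen()
            for sw in self.switches:
                sw.install_pending_key(key)
            self.key_pushed = True
            actions.append(("key", key))
        return actions


def simulate(chunk_bytes, polls, keygen=lambda: secrets.token_bytes(16)):
    """Drive switches A and B with `chunk_bytes` of link traffic before each of `polls`
    controller polls. Returns (actions per poll, final active keys, final threshold)."""
    a, b = Switch("A", b"k0"), Switch("B", b"k0")
    ctl = Controller([a, b], keygen)
    log = []
    for _ in range(polls):
        for sw in (a, b):
            sw.transfer(chunk_bytes)
        log.append(ctl.poll())
    return log, (a.active_key, b.active_key), a.threshold


if __name__ == "__main__":
    # Busy link: 3 T bytes per poll interval; the key is pushed at 9 T and used from 10 T on.
    print(simulate(3 * TB, 4))
    # Quiet link: 1 GB per poll interval; the threshold is lowered instead.
    print(simulate(10 ** 9, 1))
```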
In the above data message transmission method embodiment, the switch sends the current data message to be transmitted to the controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for it according to the encryption capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path; the switch then receives the flow table and transmits the data message encrypted according to the pre-stored key information and the flow table. Encrypted transmission can thus be provided for messages with higher security requirements, thereby improving the security of the related services.
Fig. 3 is a signaling flow diagram of a data message transmission method according to an exemplary embodiment of the present application, and Fig. 4 is an architecture diagram of an SDN according to an exemplary embodiment of the present application; the embodiment shown in Fig. 3 is described using the network architecture shown in Fig. 4.
In the SDN shown in Fig. 4, switches A to C are all connected to the controller; device 1 is connected to switch A, device 2 to switch B and device 3 to switch C, and switches A to C are interconnected. Suppose switch A and switch B support MACsec and switch C does not; then only data messages between switch A and switch B can be encrypted, while messages between switch A and switch C and between switch B and switch C cannot.
Suppose the current messages to be transmitted comprise message 1 and message 2. The transmission of these messages is shown in Fig. 3 and is described from the perspective of the interaction between the three switches and the controller. As shown in Fig. 3, the process comprises:
S301: after receiving message 1 from device 1, switch A sends message 1 to the controller.
The source device of message 1 is device 1, its destination device is device 2, its priority is 7, and switch A has no flow table for message 1.
S302: the controller determines that message 1 needs encrypted transmission, because the priority of message 1 is greater than the predetermined threshold, and selects a transmission path for message 1.
Since the priority of message 1 is greater than the predetermined threshold 6, it needs encrypted transmission, so a link with encryption capability is selected to transmit message 1; in this embodiment the selected link is the link between switch A and switch B.
S303: the controller sends flow tables to switch A and switch B.
S304: switch A encrypts message 1 and sends the encrypted message 1 to switch B.
S305: switch B decrypts the encrypted message 1 and sends message 1 to device 2.
S306: after receiving message 2, switch A sends message 2 to the controller.
The source device of message 2 is device 1, its destination device is also device 2, its priority is 1, and switch A has no flow table for message 2.
S307: the controller determines that message 2 does not need encrypted transmission, because the priority of message 2 is less than the predetermined threshold, and selects a transmission path for message 2.
Since the priority of message 2 is less than the predetermined threshold 6, it does not need encrypted transmission, so links without encryption capability are selected to transmit message 2; in this embodiment the selected path is switch A - switch C - switch B.
S308: the controller sends flow tables to switch A, switch C and switch B.
S309: switch A sends message 2 to switch C according to its flow table, and switch C sends message 2 to switch B according to its flow table.
S310: switch B sends message 2 to device 2.
It can be seen that, through the above steps, messages with higher security requirements, such as message 1, are transmitted encrypted, while messages whose security requirements are not high, such as message 2, are transmitted unencrypted, which improves the security of the related services and makes reasonable use of switch resources.
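The controller-side decision of Steps S101/S102 and the S301-S310 walkthrough, modelled over the Fig. 4 topology as an added example (not the patent's or H3C's code). The threshold 6, the "Encryption Id" mark and the MACsec capability of switches A, B and C come from the text; the port numbers, the flow-entry format and the plaintext fallback are constructions made here.

```python
from collections import deque

PRIORITY_THRESHOLD = 6              # threshold used in the Fig. 3 walkthrough
ENCRYPTION_FLAG = "Encryption Id"   # the predetermined encryption mark named in the text

# Constructed Fig. 4 topology: one (switch, port, switch, port) tuple per inter-switch link.
LINKS = [("A", 2, "B", 1), ("A", 3, "C", 1), ("B", 3, "C", 2)]
# Capability information as learnt over the extended OpenFlow message (constructed port
# numbers): switch -> ports that support MACsec. A and B support it, C does not.
MACSEC_PORTS = {"A": {2, 3}, "B": {1, 3}, "C": set()}
HOST_PORTS = {"A": 1, "B": 2, "C": 3}   # constructed: port facing device 1, 2, 3


def needs_encryption(msg):
    """Step S101: the encryption mark, or a priority above the threshold, requires MACsec."""
    return ENCRYPTION_FLAG in msg.get("flags", ()) or msg.get("priority", 0) > PRIORITY_THRESHOLD


def link_encryptable(a, pa, b, pb):
    """A link can be MACsec-protected only when the ports at BOTH ends support it."""
    return pa in MACSEC_PORTS[a] and pb in MACSEC_PORTS[b]


def neighbours(sw, want_encrypted):
    """Yield (next_switch, out_port) over links of the required kind (None = any link)."""
    for a, pa, b, pb in LINKS:
        if want_encrypted is not None and link_encryptable(a, pa, b, pb) != want_encrypted:
            continue
        if a == sw:
            yield b, pa
        elif b == sw:
            yield a, pb


def select_path(src, dst, want_encrypted):
    """Step S102: shortest path (BFS) using only links of the required kind.
    Returns [(switch, out_port), ...] ending at dst's host port, or None if no path exists."""
    prev, queue = {src: None}, deque([src])
    while queue:
        sw = queue.popleft()
        if sw == dst:
            break
        for nxt, port in neighbours(sw, want_encrypted):
            if nxt not in prev:
                prev[nxt] = (sw, port)
                queue.append(nxt)
    if dst not in prev:
        return None
    hops, sw = [], dst
    while prev[sw] is not None:
        sw, port = prev[sw]
        hops.append((sw, port))
    hops.reverse()
    return hops + [(dst, HOST_PORTS[dst])]


def build_flow_tables(msg, hops, encrypted):
    """Flow entries for each switch on the path (constructed format). On an encrypted path
    the first switch encrypts and the last decrypts before delivery (S304/S305); MACsec is
    per link, so an intermediate switch would re-protect the frame on its egress port."""
    tables, last = {}, len(hops) - 1
    for i, (sw, port) in enumerate(hops):
        if not encrypted:
            action = "forward"
        elif i == 0:
            action = "macsec_encrypt"
        elif i == last:
            action = "macsec_decrypt"
        else:
            action = "macsec_relay"
        tables[sw] = {"match": (msg["src"], msg["dst"]), "out_port": port, "action": action}
    return tables


def handle_packet_in(msg, ingress_switch, egress_switch):
    """S301-S303 / S306-S308: classify the message, pick the path, return flow tables."""
    encrypted = needs_encryption(msg)
    hops = select_path(ingress_switch, egress_switch, encrypted)
    if hops is None and not encrypted:
        # Assumption beyond the text: plaintext traffic may use any link when no path
        # made only of non-capable ports exists.
        hops = select_path(ingress_switch, egress_switch, None)
    if hops is None:
        # Fail closed: a message that requires encryption is never downgraded to a
        # plaintext path when no MACsec path from ingress to egress exists.
        return None
    return build_flow_tables(msg, hops, encrypted)


if __name__ == "__main__":
    msg1 = {"src": "device1", "dst": "device2", "priority": 7}   # message 1 of Fig. 3
    msg2 = {"src": "device1", "dst": "device2", "priority": 1}   # message 2 of Fig. 3
    print(handle_packet_in(msg1, "A", "B"))   # A encrypts, B decrypts
    print(handle_packet_in(msg2, "A", "B"))   # plaintext via A - C - B
```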
Corresponding with the embodiment of the transmission method of aforementioned data message, present invention also provides the embodiment of the transmitting device of data message.
The embodiment of the transmitting device of the application's data message can be applied on the controller.Device embodiment can pass through software simulating, also can be realized by the mode of hardware or software and hardware combining.For software simulating, as the device on a logical meaning, be by the processor of its place controller, computer program instructions corresponding in nonvolatile memory is read operation in internal memory to be formed.Say from hardware view, as shown in Figure 5, it is a kind of hardware structure diagram of the transmitting device place controller of the application's data message, except the processor shown in Fig. 5, internal memory, network interface and nonvolatile memory, in embodiment, the controller at device place is usually according to its actual functional capability, other hardware can also be comprised, this is repeated no more.
Fig. 6 is the block diagram of the transmitting device of a kind of data message shown in the application one exemplary embodiment, and this device can be applicable on the controller in SDN, and as shown in Figure 6, the transmitting device of this data message comprises judge module 61 and selects sending module 62, wherein:
Judge module 61 for receiving current data message waiting for transmission, and judges that this data message is the need of encrypted transmission; If select sending module 62 to judge that this data message needs encrypted transmission for this judge module 61, be then that this data message selects transmission path according to the cryptographic capabilities information of switch in current SDN, and send stream table to the switch on this transmission path, according to the key information prestored and stream table, transmission is encrypted to this data message to make the switch on this transmission path.
In an optional implementation, whether judge module 61 can comprise predetermined encryption mark by detecting in this data message, also can by judging whether the attribute information of this data message meets the various ways such as preset requirement, whether the priority of such as data message is greater than predetermined threshold value, determines that this data message is the need of encrypted transmission.
In another optional implementation, the device may further comprise a learning module 63, configured to learn the cryptographic capability information of the switches in the current SDN before the selecting and sending module 62 selects a transmission path for the data message according to that information, wherein the cryptographic capability information comprises the identifiers of the ports that support a security protocol and of the switches on which those ports reside.
In another optional implementation, the device may further comprise a generating and sending module 64, configured to generate key information and send the key information to the switches with cryptographic capability.
In another optional implementation, the device may further comprise an updating and sending module 65, configured to update the key information after the generating and sending module 64 has sent the key information to the switches with cryptographic capability, and to send the updated key information to the corresponding switches.
In another optional implementation, the updating and sending module 65 is specifically configured to: periodically obtain the traffic volume between the switches with cryptographic capability, and update the key information if the difference between the traffic volume and a prestored traffic threshold falls within a preset range.
In another optional implementation, the updating and sending module 65 may further be configured to: update the traffic threshold and send the updated traffic threshold to the corresponding switches.
For the device described above, the implementation of the functions and effects of each unit is found in the implementation of the corresponding steps in the method described above and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant details can be found in the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the application's solution. Those of ordinary skill in the art can understand and implement this without creative effort.
In the data message transmitting device described above, the judging module judges whether the data message awaiting transmission needs encrypted transmission, and when it does, the selecting and sending module selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and causes the switches on the transmission path to perform encrypted transmission of the data message according to prestored key information. Messages with higher security requirements can thereby be transmitted encrypted, which improves the security of the related services.
Corresponding to the embodiments of the data message transmission method described above, the present application also provides embodiments of a data message transmitting device.
The embodiments of the data message transmitting device of the application can be applied on a switch. The device embodiments may be implemented by software, by hardware, or by a combination of software and hardware. Taking software implementation as an example, the device in a logical sense is formed by the processor of the switch on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From a hardware perspective, Fig. 7 is a hardware structure diagram of the switch on which the data message transmitting device of the application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the switch on which the device resides in the embodiment may also comprise other hardware according to its actual functions, which is not described further here.
Fig. 8 is a block diagram of another data message transmitting device shown in an exemplary embodiment of the application. The device can be applied on a switch in an SDN. As shown in Fig. 8, the data message transmitting device comprises a sending module 81 and a transmitting module 82, wherein:
The sending module 81 is configured to send a current data message awaiting transmission to the controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path. The transmitting module 82 is configured to receive the flow table and to perform encrypted transmission of the data message according to prestored key information and the flow table.
In an optional implementation, the device may further comprise a saving module 83, configured to receive and save the key information or the updated key information sent by the controller before the transmitting module 82 performs encrypted transmission of the data message according to the prestored key information and the flow table.
In another optional implementation, the transmitting module 82 may be specifically configured to: if, while transmitting according to the flow table, it detects that the traffic volume between it and the peer switch has reached the prestored traffic threshold, encrypt the data message using the prestored updated key information.
In another optional implementation, the saving module 83 may further be configured to: receive and save the traffic threshold or the updated traffic threshold sent by the controller.
For the device described above, the implementation of the functions and effects of each unit is found in the implementation of the corresponding steps in the method described above and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant details can be found in the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the objectives of the application's solution. Those of ordinary skill in the art can understand and implement this without creative effort.
In the data message transmitting device described above, the sending module sends the current data message awaiting transmission to the controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path; the transmitting module receives the flow table and performs encrypted transmission of the data message according to the prestored key information and the flow table. Messages with higher security requirements can thereby be transmitted encrypted, which improves the security of the related services.
The foregoing is merely a preferred embodiment of the application and is not intended to limit the application. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the application shall fall within the scope of protection of the application.
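As an added illustration (not the patent's or H3C's code), the Python below simulates the controller and switch roles described for Figs. 6 and 8: the judging step, path selection restricted to switches that advertised cryptographic capability, flow-table installation, key distribution, and the traffic-threshold key update carried out on both peers. The topology, the thresholds, the single key shared by all capable switches and the SHA-256 counter-mode stand-in for the unnamed security protocol are assumptions made for the example.

```python
import hashlib
import secrets
from collections import deque, namedtuple
from dataclasses import dataclass, field

PRIORITY_THRESHOLD = 5  # assumed: a priority above this value needs encrypted transmission
UPDATE_MARGIN = 64      # assumed 'preset range' around the traffic threshold for key updates
DataMessage = namedtuple("DataMessage", "payload priority encrypt_flag", defaults=(0, False))

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Placeholder for the unnamed security protocol: SHA-256 counter-mode keystream XOR."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def needs_encryption(msg: DataMessage) -> bool:
    # Controller's judging step: encryption flag present, or priority above the threshold.
    return bool(msg.encrypt_flag) or msg.priority > PRIORITY_THRESHOLD

@dataclass
class Switch:
    name: str
    crypto_ports: tuple = ()        # ports that support the security protocol
    key: bytes = b""                # prestored key information
    next_key: bytes = b""           # updated key pushed by the controller, used once threshold is hit
    flow_threshold: int = 0
    flow_value: int = 0             # traffic exchanged with the peer under the current key
    flow_table: list = field(default_factory=list)

    def process(self, data: bytes, nonce: bytes) -> bytes:
        # Both peers count the same traffic, so they roll to the updated key at the same point.
        if self.next_key and self.flow_value >= self.flow_threshold:
            self.key, self.next_key, self.flow_value = self.next_key, b"", 0
        self.flow_value += len(data)
        return keystream_xor(self.key, nonce, data)  # symmetric: encrypts and decrypts

class Controller:
    def __init__(self, switches, links):
        self.sw = {s.name: s for s in switches}
        self.links = links  # adjacency: switch name -> set of neighbour names
        self.capabilities = {s.name: s.crypto_ports for s in switches if s.crypto_ports}  # learned

    def select_path(self, src: str, dst: str) -> list:
        """Shortest path through crypto-capable switches only; [] if there is none."""
        prev, queue = ({src: None}, deque([src])) if src in self.capabilities else ({}, deque())
        while queue and dst not in prev:
            cur = queue.popleft()
            for nxt in self.links.get(cur, ()):
                if nxt in self.capabilities and nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        path, node = [], dst if dst in prev else None
        while node is not None:
            path.append(node)
            node = prev[node]
        return path[::-1]

    def install_flows(self, path: list) -> None:
        for a, b in zip(path, path[1:]):  # each hop gets an 'encrypt towards next hop' rule
            self.sw[a].flow_table.append(("encrypt", a, b))

    def distribute_key(self, threshold: int) -> None:
        key = secrets.token_bytes(32)  # one key shared by all capable switches (simplification)
        for name in self.capabilities:
            self.sw[name].key, self.sw[name].flow_threshold = key, threshold

    def maybe_update_keys(self) -> bool:
        """Periodic check: push an updated key once traffic is within UPDATE_MARGIN of the threshold."""
        due = [s for s in self.sw.values() if s.name in self.capabilities and not s.next_key
               and abs(s.flow_value - s.flow_threshold) <= UPDATE_MARGIN]
        new_key = secrets.token_bytes(32)
        for s in due:
            s.next_key = new_key
        return bool(due)

def run_scenario() -> dict:
    """s1 -> s3 where s2 cannot encrypt, so the controller must route via s4 (constructed topology)."""
    switches = [Switch("s1", (1, 2)), Switch("s2"), Switch("s3", (1,)), Switch("s4", (1, 2))]
    links = {"s1": {"s2", "s4"}, "s2": {"s1", "s3"}, "s3": {"s2", "s4"}, "s4": {"s1", "s3"}}
    ctl = Controller(switches, links)
    msg = DataMessage(b"sensitive record", priority=7)  # 16 bytes, priority above threshold
    path = ctl.select_path("s1", "s3") if needs_encryption(msg) else []
    ctl.install_flows(path)
    ctl.distribute_key(threshold=200)
    s1, s3, ok, updates = ctl.sw["s1"], ctl.sw["s3"], [], 0
    for i in range(20):
        nonce = i.to_bytes(12, "big")  # fresh nonce per message; s4 forwards ciphertext unchanged
        ok.append(s3.process(s1.process(msg.payload, nonce), nonce) == msg.payload)
        updates += ctl.maybe_update_keys()  # the controller's periodic traffic check
    return {"path": path, "all_decrypted": all(ok), "key_updates": updates,
            "s1_flow_value": s1.flow_value, "keys_match": s1.key == s3.key}
```

Because the switches only roll over once the controller has already pushed the updated key, traffic that passes the threshold between two controller checks keeps using the old key; the check interval therefore has to be short relative to how quickly the threshold can be consumed.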

Claims (22)

1. A data message transmission method, characterized in that the method is applied on a controller in a software defined network (SDN), and the method comprises:
receiving a current data message awaiting transmission, and judging whether the data message needs encrypted transmission; and
if the data message needs encrypted transmission, selecting a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN, and sending a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to prestored key information and the flow table.
2. The method according to claim 1, characterized in that before selecting a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN, the method further comprises:
learning the cryptographic capability information of the switches in the current SDN, wherein the cryptographic capability information comprises the identifiers of the ports that support a security protocol and of the switches on which those ports reside.
3. The method according to claim 1, characterized in that the method further comprises:
generating key information, and sending the key information to the switches with cryptographic capability.
4. The method according to claim 3, characterized in that after sending the key information to the switches with cryptographic capability, the method further comprises:
updating the key information, and sending the updated key information to the corresponding switches.
5. The method according to claim 4, characterized in that updating the key information comprises:
periodically obtaining the traffic volume between the switches with cryptographic capability, and if the difference between the traffic volume and a prestored traffic threshold falls within a preset range, updating the key information.
6. The method according to claim 5, characterized in that the method further comprises:
updating the traffic threshold, and sending the updated traffic threshold to the corresponding switches.
7. The method according to claim 1, characterized in that judging whether the data message needs encrypted transmission comprises:
detecting whether the data message carries a predetermined encryption flag; or
judging whether the priority of the data message is greater than a predetermined threshold.
8. A data message transmission method, characterized in that the method is applied on a switch in an SDN, and the method comprises:
sending a current data message awaiting transmission to a controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path; and
receiving the flow table, and performing encrypted transmission of the data message according to prestored key information and the flow table.
9. The method according to claim 8, characterized in that before performing encrypted transmission of the data message according to the prestored key information and the flow table, the method further comprises:
receiving and saving the key information or the updated key information sent by the controller.
10. The method according to claim 9, characterized in that performing encrypted transmission of the data message according to the prestored key information and the flow table comprises:
if, while transmitting according to the flow table, it is detected that the traffic volume between the switch and the peer switch has reached the prestored traffic threshold, encrypting the data message using the prestored updated key information.
11. The method according to claim 10, characterized in that the method further comprises:
receiving and saving the traffic threshold or the updated traffic threshold sent by the controller.
12. A data message transmitting device, characterized in that the device is applied on a controller in an SDN, and the device comprises:
a judging module, configured to receive a current data message awaiting transmission and to judge whether the data message needs encrypted transmission; and
a selecting and sending module, configured to, if the judging module judges that the data message needs encrypted transmission, select a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN, and send a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to prestored key information and the flow table.
13. The device according to claim 12, characterized in that the device further comprises:
a learning module, configured to learn the cryptographic capability information of the switches in the current SDN before the selecting and sending module selects a transmission path for the data message according to that information, wherein the cryptographic capability information comprises the identifiers of the ports that support a security protocol and of the switches on which those ports reside.
14. The device according to claim 12, characterized in that the device further comprises:
a generating and sending module, configured to generate key information and send the key information to the switches with cryptographic capability.
15. The device according to claim 14, characterized in that the device further comprises:
an updating and sending module, configured to update the key information after the generating and sending module has sent the key information to the switches with cryptographic capability, and to send the updated key information to the corresponding switches.
16. The device according to claim 15, characterized in that the updating and sending module is specifically configured to:
periodically obtain the traffic volume between the switches with cryptographic capability, and if the difference between the traffic volume and a prestored traffic threshold falls within a preset range, update the key information.
17. The device according to claim 16, characterized in that the updating and sending module is further configured to:
update the traffic threshold, and send the updated traffic threshold to the corresponding switches.
18. The device according to claim 12, characterized in that the judging module is specifically configured to:
detect whether the data message carries a predetermined encryption flag; or
judge whether the priority of the data message is greater than a predetermined threshold.
19. A data message transmitting device, characterized in that the device is applied on a switch in an SDN, and the device comprises:
a sending module, configured to send a current data message awaiting transmission to a controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path; and
a transmitting module, configured to receive the flow table and to perform encrypted transmission of the data message according to prestored key information and the flow table.
20. The device according to claim 19, characterized in that the device further comprises:
a saving module, configured to receive and save the key information or the updated key information sent by the controller before the transmitting module performs encrypted transmission of the data message according to the prestored key information and the flow table.
21. The device according to claim 20, characterized in that the transmitting module is specifically configured to:
if, while transmitting according to the flow table, it detects that the traffic volume between the switch and the peer switch has reached the prestored traffic threshold, encrypt the data message using the prestored updated key information.
22. The device according to claim 21, characterized in that the saving module is further configured to:
receive and save the traffic threshold or the updated traffic threshold sent by the controller.
CN201510333329.4A 2015-06-16 2015-06-16 The transmission method and device of data message Active CN104935593B (en)


Publications (2)

Publication Number Publication Date
CN104935593A true CN104935593A (en) 2015-09-23
CN104935593B CN104935593B (en) 2018-11-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant