CN104935593B - Transmission method and device for data packets - Google Patents
- Publication number: CN104935593B (application number CN201510333329.4A)
- Authority: CN (China)
- Prior art keywords: data packet, switch, transmission, key information, flow
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/302—Route determination based on requested QoS
- H04L45/306—Route determination based on the nature of the carried application
Abstract
The application provides a transmission method and device for data packets. The transmission method is applied on the controller in a software defined network (SDN) and includes: receiving a data packet currently to be transmitted and judging whether the data packet needs encrypted transmission; and, if it does, selecting a transmission path for the packet according to the encryption capability information of the switches in the current SDN and sending flow tables to the switches on that path, so that those switches transmit the packet in encrypted form according to pre-stored key information and the flow tables. The method and device make it possible to transmit packets with higher security requirements in encrypted form, thereby improving the security of the corresponding services.
Description
Technical field
This application relates to the field of network communication technology, and in particular to a transmission method and device for data packets.
Background art
SDN (Software Defined Network) is a novel network architecture. In one optional implementation, the control plane and the data plane of network devices are separated by means of the OpenFlow technology, so as to achieve flexible control over network traffic. An SDN generally comprises a controller that implements control-plane functions and several switches that implement data-plane functions. Because service cards with encryption capability are relatively expensive, usually only some ports of some switches are equipped with such a service card, that is, only data packets sent through ports that include such a service card can be encrypted.
In an SDN, the controller is responsible for determining the transmission path of a data packet and for issuing flow tables to the switches on that path, so that these switches forward the packet from the source device to the destination device according to the received flow tables. At present, when the controller determines the transmission path of a data packet, it selects an optimal path according to the ports of each switch and the connection relationships between those ports. In this way, a packet that needs encrypted transmission may inevitably be transmitted without encryption, which greatly reduces the security of the corresponding service.
Summary of the invention
In view of this, the application provides a transmission method and device for data packets.
Specifically, the application is achieved by the following technical solution:
According to a first aspect of the embodiments of the present invention, a transmission method for data packets is provided. The method is applied on the controller in a software defined network (SDN) and includes: receiving a data packet currently to be transmitted and judging whether the data packet needs encrypted transmission; and, if the data packet needs encrypted transmission, selecting a transmission path for the packet according to the encryption capability information of the switches in the current SDN and sending flow tables to the switches on the transmission path, so that the switches on the path transmit the packet in encrypted form according to pre-stored key information and the flow tables.
According to a second aspect of the embodiments of the present invention, a transmission method for data packets is provided. The method is applied on a switch in a software defined network (SDN) and includes: sending the data packet currently to be transmitted to the controller, so that the controller, after determining that the packet needs encrypted transmission, selects a transmission path for the packet according to the encryption capability information of the switches in the current SDN and sends flow tables to the switches on the transmission path; and receiving the flow table and transmitting the packet in encrypted form according to the pre-stored key information and the flow table.
According to a third aspect of the embodiments of the present invention, a transmission device for data packets is provided. The device is applied on the controller in an SDN and includes: a judgment module, used to receive the data packet currently to be transmitted and judge whether the data packet needs encrypted transmission; and a selection and sending module, used, if the judgment module judges that the packet needs encrypted transmission, to select a transmission path for the packet according to the encryption capability information of the switches in the current SDN and to send flow tables to the switches on the transmission path, so that the switches on the path transmit the packet in encrypted form according to pre-stored key information and the flow tables.
According to a fourth aspect of the embodiments of the present invention, a transmission device for data packets is provided. The device is applied on a switch in an SDN and includes: a sending module, used to send the data packet currently to be transmitted to the controller, so that the controller, after determining that the packet needs encrypted transmission, selects a transmission path for the packet according to the encryption capability information of the switches in the current SDN and sends flow tables to the switches on the transmission path; and a transmission module, used to receive the flow table and transmit the packet in encrypted form according to the pre-stored key information and the flow table.
In the embodiments of the application, it is judged whether a data packet to be transmitted needs encrypted transmission; when it does, a transmission path is selected for the packet according to the encryption capability information of the switches in the current SDN, and the switches on the path transmit the packet in encrypted form according to pre-stored key information. Packets with higher security requirements can thus be transmitted in encrypted form, which improves the security of the corresponding services.
Detailed description of the invention
Fig. 1 is a flow chart of a transmission method for data packets according to an exemplary embodiment of the application;
Fig. 2 is a flow chart of another transmission method for data packets according to an exemplary embodiment of the application;
Fig. 3 is a signaling flow chart of a transmission method for data packets according to an exemplary embodiment of the application;
Fig. 4 is an architecture diagram of an SDN network according to an exemplary embodiment of the application;
Fig. 5 is a hardware structure diagram of the controller on which the transmission device for data packets of the application is located;
Fig. 6 is a block diagram of a transmission device for data packets according to an exemplary embodiment of the application;
Fig. 7 is a hardware structure diagram of the switch on which the transmission device for data packets of the application is located;
Fig. 8 is a block diagram of another transmission device for data packets according to an exemplary embodiment of the application.
Specific embodiment
Exemplary embodiments are described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; on the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is only for the purpose of describing particular embodiments and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in this application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
The embodiments of the transmission method for data packets of the application can be used in an SDN. With the method provided by the application, data packets with high security requirements in the SDN are encrypted by switches with encryption capability before being transmitted, while data packets with low security requirements are transmitted through switch ports without encryption capability, so that device resources are used reasonably. Moreover, the key information is managed centrally by the controller and updated periodically, which substantially improves the security of services. The implementation of the application is described in detail below with reference to specific embodiments.
Fig. 1 is a flow chart of a transmission method for data packets according to an exemplary embodiment of the application; this embodiment is described from the controller side in the SDN. As shown in Fig. 1, the transmission method includes:
Step S101: receive the data packet currently to be transmitted and determine whether the data packet needs encrypted transmission.
In this embodiment, after the controller receives a data packet sent by a switch, it can determine whether the packet needs encrypted transmission in various ways, for example by detecting whether the packet contains a preset encryption identifier, or by judging whether the attribute information of the packet meets a preset requirement.
The provider and the transporter of data packets can agree in advance that a packet containing the preset encryption identifier needs encrypted transmission; the preset encryption identifier may indicate that the security level of the packet is greater than a preset threshold. Specifically, when the provider of a packet determines that its security level is greater than the preset threshold, it adds the preset encryption identifier to the packet; when it determines that the security level is not greater than the preset threshold, it does not add the identifier. The preset encryption identifier can be set flexibly as needed. In this way, when the transporter, that is, the controller in the SDN, receives a packet to be transmitted, it can decide whether to transmit the packet in encrypted form by detecting whether the packet contains the preset encryption identifier.
For example, if the controller detects that the current packet contains "Encryption Id", it can determine that the packet is to be transmitted in encrypted form.
In addition, the attribute information of a packet can be its priority: when the controller judges that the priority of the packet is greater than a preset threshold, the packet is transmitted in encrypted form.
For example, if the priority of the packet is 7 and the preset threshold is 5, then because the priority of the packet is greater than the preset threshold 5, the packet is determined to need encrypted transmission. Note that the preset threshold 5 is merely illustrative and can be set flexibly in practical applications.
Step S102: if the data packet needs encrypted transmission, select a transmission path for the packet according to the encryption capability information of the switches in the current SDN, and send flow tables to the switches on the transmission path, so that the switches on the path transmit the packet in encrypted form according to pre-stored key information and the flow tables.
If it is determined that the packet needs encrypted transmission, a transmission path is selected for it from those switches in the current SDN that have encryption capability. Because every switch on the path then has encryption capability, the packet can be transmitted in encrypted form, which guarantees its security. If instead it is determined that the packet does not need encrypted transmission, a transmission path is still selected for it, but the switch ports on that path have no encryption capability, so the packet cannot be transmitted in encrypted form. In this way the security requirements of users are distinguished: packets with higher security requirements are transmitted in encrypted form, which improves the security of the corresponding services.
Note that in this embodiment, before selecting switches with encryption capability from the switches in the current SDN, the method may also include: learning the encryption capability information of the switches in the current SDN.
The encryption capability information includes the identifiers of the ports that support a security protocol and of the switches on which those ports are located. The security protocol may include, but is not limited to, the MAC security (Media Access Control Security, MACsec) protocol. MACsec defines a method for secure data communication over IEEE 802 local area networks and provides users with secure MAC-layer data sending and receiving services, including user data encryption, data frame integrity checking and data origin authenticity verification.
Specifically, when the controller establishes an OpenFlow connection with a switch, it can obtain the switch's encryption capability information through extended OpenFlow protocol messages, for example whether the switch supports MACsec and which of its ports support MACsec.
Note that a link between two switches can use MACsec encryption only if both switches support MACsec. If switch A and switch B support MACsec but switch C does not, then only the data packets between switch A and switch B can be encrypted; the packets between switch A and switch C and between switch B and switch C cannot be encrypted.
In addition, for a switch with encryption capability, for example a switch that supports MACsec, to be able to encrypt the data packets that need encrypted transmission, the controller also needs to generate key information and send it to the switches with encryption capability; specifically, the key information can be sent through extended OpenFlow protocol messages.
It should be pointed out that the extended OpenFlow protocol messages of this embodiment include new fields, which are used to indicate the encryption capability information of the switches and the key information.
In this embodiment, after a switch receives the key information it can use it to transmit data packets in encrypted form. To improve security, the controller can update the key information; for example, it can decide according to traffic when to update the key information.
Specifically, the traffic value between switches can be obtained by periodically collecting the traffic counters of switch ports. Before the traffic value reaches the flow threshold, that is, when the difference between the traffic value and the flow threshold is within a preset range, the updated key information is notified to the switches, so that when the traffic value between the switches reaches the flow threshold they can automatically switch to the new key. The preset range can be set flexibly as needed.
For example, suppose it is agreed that the key is updated when the traffic value between switch A and switch B reaches 10T bytes. The controller can then obtain the port traffic counters from the switches every 10 seconds, and when it finds that 8T bytes have been sent between switch A and switch B, it issues the new key to switch A and switch B. When switch A and switch B find that the traffic counters of their own ports, sent and received, total 10T bytes, they update their keys at the same time.
In addition, the controller can also notify the switches in real time to adjust the flow threshold according to traffic conditions, so as to avoid the security of a transmission path being reduced because a key cannot be updated for a long time when traffic is low.
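The traffic-driven key rollover just described (controller polls the link counters, pushes the next key while the counter is still within the preset range of the threshold, both switches swap keys once the threshold is reached, and the controller can lower the threshold on a quiet link) can be modelled as a small simulation. This is an added example written for this page, not the patent's own code: the patent does not fix a key size, message format or the width of the preset range, so the 128-bit key, the NOTIFY_MARGIN of 2 TiB, the reading of "10T byte" as 10 TiB and the class names are all assumptions.

```python
"""Traffic-counter-driven key rollover between a controller and two peer switches.

Added example, not the patent's code. Assumed: byte counters polled by the
controller, one key generation per link, a 128-bit key, and a "preset range"
modelled as NOTIFY_MARGIN bytes below the flow threshold.
"""
import secrets

TIB = 1024 ** 4
FLOW_THRESHOLD = 10 * TIB   # the page's agreed rekey point ("10T byte"), taken as 10 TiB
NOTIFY_MARGIN = 2 * TIB     # assumed preset range: push the next key within 2 TiB of the threshold


class Switch:
    """Data-plane side: active key, pending key and a per-link byte counter."""

    def __init__(self, name):
        self.name = name
        self.tx_bytes = 0               # bytes carried on the link under the current key
        self.flow_threshold = FLOW_THRESHOLD
        self.current_key = None
        self.pending_key = None
        self.rollovers = 0

    def install_key(self, key):
        # The first key becomes active at once; later keys wait for the threshold.
        if self.current_key is None:
            self.current_key = key
        else:
            self.pending_key = key

    def set_flow_threshold(self, threshold):
        self.flow_threshold = threshold

    def send(self, nbytes):
        """Account for traffic; switch to the pending key once the threshold is reached."""
        self.tx_bytes += nbytes
        if self.tx_bytes >= self.flow_threshold and self.pending_key is not None:
            self.current_key = self.pending_key
            self.pending_key = None
            self.tx_bytes = 0           # the counter restarts for the new key
            self.rollovers += 1


class Controller:
    """Control-plane side: generates keys and polls the counters of one encrypted link."""

    def __init__(self, link):
        self.link = link                # (switch_a, switch_b)
        self.keys_issued = 0

    def _new_key(self):
        self.keys_issued += 1
        return secrets.token_bytes(16)  # assumed 128-bit key; the page fixes no size

    def provision(self):
        key = self._new_key()
        for sw in self.link:
            sw.install_key(key)

    def poll(self):
        """Called every 10 s in the page's example. Returns True if a new key was pushed."""
        a, b = self.link
        counter = max(a.tx_bytes, b.tx_bytes)
        armed = a.pending_key is None and b.pending_key is None
        if armed and a.flow_threshold - counter <= NOTIFY_MARGIN:
            key = self._new_key()
            for sw in self.link:
                sw.install_key(key)
            return True
        return False

    def adjust_threshold(self, threshold):
        """Lower the threshold on a quiet link so one key is not used indefinitely."""
        for sw in self.link:
            sw.set_flow_threshold(threshold)


def simulate(chunks):
    """Drive the A-B link with the given byte chunks, polling after each; return a summary."""
    a, b = Switch("A"), Switch("B")
    ctl = Controller((a, b))
    ctl.provision()
    pushes = 0
    for n in chunks:
        a.send(n)
        b.send(n)                       # both ends count the same link traffic
        pushes += ctl.poll()
    return {"pushes": pushes, "rollovers": a.rollovers,
            "keys_match": a.current_key == b.current_key,
            "keys_issued": ctl.keys_issued}


if __name__ == "__main__":
    print(simulate([4 * TIB, 4 * TIB, 2 * TIB]))
```

With the chunks 4 TiB, 4 TiB, 2 TiB the controller pushes the second key after the second poll (8 TiB sent, 2 TiB short of the threshold) and both switches roll over on the third chunk, so the summary reports one push, one rollover and matching keys. Because the rollover is armed only once a pending key is present, a burst that crosses the threshold between two polls simply rolls over on the first send after the next poll; the margin should be chosen large enough that this does not happen under normal load.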
It can be seen that, through the foregoing embodiment, packets with higher security requirements can be given a transmission path composed of switch ports with encryption capability, while packets whose security requirements are not high can be given a transmission path composed of switch ports without encryption capability. This both guarantees the security of the corresponding services and makes full use of the device resources in the current SDN network.
The transmission method for data packets described above judges whether a data packet to be transmitted needs encrypted transmission and, when it does, selects a transmission path for the packet according to the encryption capability information of the switches in the current SDN and has the switches on that path transmit the packet in encrypted form according to pre-stored key information. It thereby makes it possible to transmit packets with higher security requirements in encrypted form, improving the security of the corresponding services.
Fig. 2 is a flow chart of another transmission method for data packets according to an exemplary embodiment of the application; this embodiment is described from the switch side in the SDN. As shown in Fig. 2, the transmission method includes:
Step S201: send the data packet currently to be transmitted to the controller, so that the controller, after determining that the packet needs encrypted transmission, selects a transmission path for the packet according to the encryption capability information of the switches in the current SDN and sends flow tables to the switches on the transmission path.
In this embodiment, after a switch receives a data packet to be transmitted, if it finds no matching flow table it sends the packet to the controller so that the controller selects a transmission path for it. Specifically, according to the encryption capability information of the switches in the current SDN, the controller selects, for packets that need encrypted transmission (for example, packets with higher security requirements), a transmission path composed of switch ports with encryption capability, or, for packets that do not need encrypted transmission (for example, packets whose security requirements are not high), a transmission path composed of switch ports without encryption capability, and then sends flow tables to the switches on the corresponding transmission path.
The details of how the controller obtains the encryption capability information of the switches can be found in the relevant part of the embodiment shown in Fig. 1 and are not repeated here.
Step S202: receive the flow table and transmit the data packet in encrypted form according to the pre-stored key information and the flow table.
In this embodiment, before transmitting the packet in encrypted form according to the pre-stored key information and the flow table, the method may also include: receiving and saving the key information, or updated key information, sent by the controller. Specifically, the controller can send the key information through extended OpenFlow protocol messages; the details can be found in the relevant part of the embodiment shown in Fig. 1 and are not repeated here.
After the switch has saved the updated key information, it can detect, according to the flow table, whether the traffic value between itself and the peer switch has reached the pre-stored flow threshold; if it has, the switch uses the updated key information to encrypt the data packet, which improves security.
Of course, before detecting whether the traffic value between itself and the peer switch has reached the flow threshold, the switch also needs to receive and save the flow threshold, or an updated flow threshold, sent by the controller. The purpose of the controller updating the flow threshold is to avoid the transmission path becoming less secure because a key cannot be updated for a long time when traffic is low.
In this embodiment, after the switch receives the flow table, it can transmit the packet in encrypted form according to the pre-stored key information. In addition, when the encrypted packet reaches the last switch on the transmission path, that switch decrypts the encrypted packet using the key information sent by the controller and then sends the packet to the destination device.
In the above embodiment of the transmission method, the switch sends the data packet currently to be transmitted to the controller, so that the controller, after determining that the packet needs encrypted transmission, selects a transmission path for it according to the encryption capability information of the switches in the current SDN and sends flow tables to the switches on the path; the switch then receives the flow table and transmits the packet in encrypted form according to the pre-stored key information and the flow table. This makes it possible to transmit packets with higher security requirements in encrypted form, improving the security of the corresponding services.
Fig. 3 is a signaling flow chart of a transmission method for data packets according to an exemplary embodiment of the application, and Fig. 4 is an architecture diagram of an SDN network according to an exemplary embodiment of the application. The embodiment shown in Fig. 3 is described using the network architecture shown in Fig. 4 as an example.
In the SDN network shown in Fig. 4, switches A to C are connected to the controller, device 1 is connected to switch A, device 2 is connected to switch B, device 3 is connected to switch C, and switches A to C are interconnected with one another. Assume that switch A and switch B support MACsec and switch C does not; then only the data packets between switch A and switch B can be encrypted, while the packets between switch A and switch C and between switch B and switch C cannot be encrypted.
Assume that the packets currently to be transmitted are packet 1 and packet 2. The process of transmitting these packets is shown in Fig. 3, which is described from the perspective of the interaction between the three switches and the controller. As shown in Fig. 3, the process includes:
S301: after switch A receives packet 1 from device 1, it sends packet 1 to the controller.
Here the source device of packet 1 is device 1, the destination device is device 2, the priority is 7, and there is no flow table for packet 1 on switch A.
S302: the controller determines, because the priority of packet 1 is greater than the preset threshold, that packet 1 needs encrypted transmission, and selects a transmission path for packet 1.
Because the priority of packet 1 is greater than the preset threshold 6, encrypted transmission is needed, so a link with encryption capability is selected to transmit packet 1; in this embodiment the selected link is the link between switch A and switch B.
S303: the controller sends flow tables to switch A and switch B.
S304: after switch A encrypts packet 1, it sends the encrypted packet 1 to switch B.
S305: switch B decrypts the encrypted packet 1 and sends packet 1 to device 2.
S306: after switch A receives packet 2, it sends packet 2 to the controller.
Here the source device of packet 2 is device 1, the destination device is also device 2, the priority is 1, and there is no flow table for packet 2 on switch A.
S307: the controller determines, because the priority of packet 2 is less than the preset threshold, that packet 2 does not need encrypted transmission, and selects a transmission path for packet 2.
Because the priority of packet 2 is less than the preset threshold 6, encrypted transmission is not needed, so a link without encryption capability is selected to transmit packet 2; in this embodiment the selected path is the link switch A - switch C - switch B.
S308: the controller sends flow tables to switch A, switch C and switch B.
S309: switch A sends packet 2 to switch C according to the flow table, and switch C sends packet 2 to switch B according to the flow table.
S310: switch B sends packet 2 to device 2.
It can be seen that, through the above steps, packets with higher security requirements such as packet 1 are transmitted in encrypted form, while packets whose security requirements are not high, such as packet 2, are transmitted without encryption, which improves the security of the corresponding services and makes reasonable use of the switch resources.
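The controller-side logic of steps S101/S102 and of the S301 to S310 walk-through above (classify the packet, pick a path that uses only links whose two endpoint switches both support MACsec, or only links that do not, then emit one flow entry per switch with encryption at the first hop and decryption at the last) is worked through below on the Fig. 4 topology. This is an added example written for this page, not the patent's own code: the new OpenFlow fields the patent mentions are not specified, so flow entries are plain dictionaries with assumed action names ("macsec_encrypt", "macsec_decrypt", "output:<port>"), and the port names, device names and function names are constructed.

```python
"""Path selection and flow-table construction for the Fig. 4 topology.

Added example, not the patent's code. Topology, MACsec support and the
priority threshold 6 follow Fig. 3/4; action and port names are assumed.
"""
from collections import deque

# Constructed topology: switches A, B, C fully meshed; devices attached as in Fig. 4.
LINKS = {("A", "B"), ("A", "C"), ("B", "C")}
HOST_PORT = {"device1": ("A", "port-to-device1"),
             "device2": ("B", "port-to-device2"),
             "device3": ("C", "port-to-device3")}
# Encryption capability information learned from the switches: A and B support MACsec, C does not.
MACSEC = {"A": True, "B": True, "C": False}
PRIORITY_THRESHOLD = 6      # the preset threshold used in the Fig. 3 walk-through


def needs_encryption(pkt, threshold=PRIORITY_THRESHOLD):
    """A preset encryption identifier or a priority above the threshold marks the packet."""
    return bool(pkt.get("encryption_id")) or pkt.get("priority", 0) > threshold


def link_encryptable(u, v, caps=MACSEC):
    """A link can carry MACsec only when both endpoint switches support it."""
    return caps[u] and caps[v]


def select_path(src_sw, dst_sw, encrypted, links=LINKS, caps=MACSEC):
    """Shortest path (BFS) over links of the requested class; None if no such path exists."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    prev = {src_sw: None}
    queue = deque([src_sw])
    while queue:
        u = queue.popleft()
        if u == dst_sw:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in sorted(adj.get(u, ())):
            # Encrypted traffic may only use MACsec-capable links; plain traffic only the others.
            if v in prev or link_encryptable(u, v, caps) != encrypted:
                continue
            prev[v] = u
            queue.append(v)
    return None


def build_flow_entries(pkt, path, encrypted, host_port=HOST_PORT):
    """One flow entry per switch on the path: encrypt at the first hop, decrypt at the last."""
    match = {"src": pkt["src"], "dst": pkt["dst"]}
    last = len(path) - 1
    entries = {}
    for i, sw in enumerate(path):
        actions = []
        if encrypted and last > 0 and i == 0:
            actions.append("macsec_encrypt")
        if encrypted and last > 0 and i == last:
            actions.append("macsec_decrypt")
        out = host_port[pkt["dst"]][1] if i == last else f"port-to-{path[i + 1]}"
        actions.append(f"output:{out}")
        entries[sw] = {"match": match, "actions": actions}
    return entries


def handle_packet_in(pkt, host_port=HOST_PORT):
    """Controller decision for a packet a switch could not match: (encrypted, path, flow entries)."""
    encrypted = needs_encryption(pkt)
    src_sw, dst_sw = host_port[pkt["src"]][0], host_port[pkt["dst"]][0]
    path = select_path(src_sw, dst_sw, encrypted)
    if path is None:
        # No path of the required class exists; a sensitive packet is refused, not downgraded.
        return encrypted, None, {}
    return encrypted, path, build_flow_entries(pkt, path, encrypted)


if __name__ == "__main__":
    for pkt in ({"src": "device1", "dst": "device2", "priority": 7},
                {"src": "device1", "dst": "device2", "priority": 1}):
        print(handle_packet_in(pkt))
```

Packet 1 (priority 7) yields the path A, B with encryption at A and decryption at B; packet 2 (priority 1) yields A, C, B with plain forwarding, matching S302 to S310. The same function also shows the case the walk-through does not reach: a priority-7 packet from device 1 to device 3 has no all-MACsec path (C does not support it), so the controller returns no path instead of silently sending it over an unencrypted link.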
Corresponding with the embodiment of the transmission method of aforementioned data message, present invention also provides the transmission of data message dresses
The embodiment set.
The embodiment of the transmitting device of the application data message can be using on the controller.Installation practice can pass through
Software realization can also be realized by way of hardware or software and hardware combining.Taking software implementation as an example, it anticipates as a logic
Device in justice is to be read computer program instructions corresponding in nonvolatile memory by the processor of controller where it
Get what operation in memory was formed.For hardware view, as shown in figure 5, being the transmitting device place of the application data message
A kind of hardware structure diagram of controller, in addition to processor shown in fig. 5, memory, network interface and nonvolatile memory it
Outside, the controller in embodiment where device can also include other hardware generally according to its actual functional capability, no longer superfluous to this
It states.
Fig. 6 is a kind of block diagram of the transmitting device of data message shown in one exemplary embodiment of the application, which can
Applied on the controller in SDN, as shown in fig. 6, the transmitting device of the data message includes that judgment module 61 and selection are sent
Module 62, wherein:
Judgment module 61 judges whether the data message needs to encrypt biography for receiving current data message to be transmitted
It is defeated;If selection sending module 62 judges that the data message needs encrypted transmission for the judgment module 61, according to current SDN
The cryptographic capabilities information of middle interchanger is that the data message selects transmission path, and the interchanger in the transmission path sends stream
Table, so that the interchanger in the transmission path carries out encrypted transmission to the data message according to the key information and flow table prestored.
In an optional implementation, whether judgment module 61 can be by detecting in the data message comprising default
Whether encryption identification can also meet the various ways such as preset requirement by judging the attribute information of the data message, such as count
Whether it is greater than preset threshold according to the priority of message, to determine whether the data message needs encrypted transmission.
In another optional implementation, which can also include knowing module 63, this knows module 63, is used for
This select sending module 62 according to the cryptographic capabilities information of interchanger in current SDN for the data message select transmission path it
Before, know the cryptographic capabilities information of interchanger in the current SDN, wherein the cryptographic capabilities information includes supporting security protocol
The mark of the interchanger of port and its place.
In another optional implementation, which can also include generating sending module 64, which sends mould
Block 64 sends the key information for generating key information, and to the interchanger with cryptographic capabilities.
In another optional implementation, the apparatus may also include an update sending module 65, which is configured to, after the generation sending module 64 has sent the key information to the switches having cryptographic capability, update the key information and send the updated key information to the corresponding switches.
In another optional implementation, the update sending module 65 is specifically configured to: periodically obtain the flow value between the switches having cryptographic capability, and, if the difference between that flow value and the pre-stored flow threshold is within a preset range, update the key information.
In another optional implementation, the update sending module 65 may also be configured to update the flow threshold and send the updated flow threshold to the corresponding switches.
For the way in which the functions and effects of each unit of the above apparatus are realized, refer to the realization of the corresponding steps in the above method; the details are not repeated here.
Since the apparatus embodiment substantially corresponds to the method embodiment, the relevant parts may refer to the description of the method embodiment. The apparatus embodiments described above are merely illustrative: units described as separate parts may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application. Those of ordinary skill in the art can understand and implement this without creative effort.
The above data message transmission apparatus judges, by means of the judgment module, whether a data message to be transmitted needs encrypted transmission, and, when it does, uses the selection sending module to select a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and to cause the switches on that path to perform encrypted transmission of the data message according to the pre-stored key information. Encrypted transmission can thus be applied to messages with higher security requirements, improving the security of the related services.
Corresponding to the foregoing embodiment of the data message transmission method, the application also provides an embodiment of a data message transmission apparatus.
The embodiment of the data message transmission apparatus of the application can be applied on a switch. The apparatus embodiment may be implemented by software, by hardware, or by a combination of software and hardware. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the switch on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 7 shows a hardware structure diagram of the switch on which the data message transmission apparatus of the application resides; besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the switch in the embodiment may also include other hardware according to its actual function, which is not described further.
Fig. 8 is a block diagram of another data message transmission apparatus according to an exemplary embodiment of the application. The apparatus can be applied on a switch in an SDN. As shown in Fig. 8, the data message transmission apparatus includes a sending module 81 and a transmission module 82, wherein:
The sending module 81 is configured to send the current data message to be transmitted to the controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and sends a flow table to the switches on the transmission path. The transmission module 82 is configured to receive the flow table and to perform encrypted transmission of the data message according to the pre-stored key information and the flow table.
In an optional implementation, the apparatus may also include a preserving module 83, which is configured to receive and save the key information or updated key information sent by the controller before the transmission module 82 performs encrypted transmission of the data message according to the pre-stored key information and the flow table.
In another optional implementation, the transmission module 82 may be specifically configured to: if it detects, according to the flow table, that the flow value between peer switches has reached the pre-stored flow threshold, encrypt the data message using the pre-stored updated key information.
In another optional implementation, the preserving module 83 may also be configured to receive and save the flow threshold or updated flow threshold sent by the controller.
For the way in which the functions and effects of each unit of this apparatus are realized, refer to the realization of the corresponding steps in the above method; the details are not repeated here. The general remarks on apparatus embodiments given for the apparatus of Fig. 6 (correspondence with the method embodiment, the merely illustrative nature of the described units, and their possible physical distribution) apply equally here.
The above data message transmission apparatus sends, by means of the sending module, the current data message to be transmitted to the controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to the cryptographic capability information of the switches in the current SDN and sends a flow table to the switches on that path; the transmission module then receives the flow table and performs encrypted transmission of the data message according to the pre-stored key information and the flow table. Encrypted transmission can thus be applied to messages with higher security requirements, improving the security of the related services.
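The controller role (Fig. 6) and the switch role (Fig. 8) described above, as an added example that is not part of the patent or of any product implementing it: a small Python simulation of the encryption decision, path selection over switches with encryption-capable ports, flow-table issue, key distribution and flow-volume-driven key update. The class and method names, thresholds, toy topology and the per-key volume counter are assumptions, and the security protocol the switches actually use to encrypt is left abstract.

```python
"""Constructed simulation of the controller/switch scheme above (added example, not the
patent's own code): encryption decision, path selection over encryption-capable ports,
flow-table issue, key distribution and flow-volume-driven key update. All names are assumed."""
import secrets
from collections import deque

PRIORITY_THRESHOLD = 5   # assumed: priority above this value means "encrypt"
FLOW_THRESHOLD = 1000    # assumed: bytes a key may protect before cut-over
REKEY_MARGIN = 200       # assumed: push the next key when this close to the threshold


class Switch:                                 # switch side of the scheme (Fig. 8)
    def __init__(self, sid, secure_ports, links):
        self.sid, self.secure_ports = sid, set(secure_ports)
        self.links = links                    # neighbour switch id -> local port number
        self.key = self.next_key = None       # current key / updated key awaiting cut-over
        self.flow_table, self.counters, self.flow_threshold = {}, {}, FLOW_THRESHOLD

    def transmit(self, flow_id, payload):
        """Forward per flow table; encrypted flows cut over to the updated key at the threshold."""
        entry = self.flow_table[flow_id]
        if entry["action"] != "encrypt":
            return {"out_port": entry["out_port"], "key_id": None}
        self.counters[flow_id] = self.counters.get(flow_id, 0) + len(payload)
        if self.counters[flow_id] >= self.flow_threshold and self.next_key is not None:
            self.key, self.next_key = self.next_key, None
            self.counters[flow_id] = 0        # assumed: volume is counted per key
        return {"out_port": entry["out_port"], "key_id": self.key["id"]}


class Controller:                             # controller side of the scheme (Fig. 6)
    def __init__(self, switches):
        self.switches, self.key_seq = {s.sid: s for s in switches}, 0
        # "learning" step: switch id -> ports that support the security protocol
        self.capabilities = {s.sid: s.secure_ports for s in switches if s.secure_ports}

    def needs_encryption(self, pkt):
        return bool(pkt.get("encrypt_flag")) or pkt.get("priority", 0) > PRIORITY_THRESHOLD

    def select_path(self, src, dst, encrypted):
        """BFS; an encrypted flow may only traverse capable switches, leaving via secure ports."""
        allowed = set(self.capabilities) if encrypted else set(self.switches)
        if src not in allowed or dst not in allowed:
            return None
        prev, queue = {src: None}, deque([src])
        while queue and dst not in prev:
            cur = queue.popleft()
            for nxt, port in self.switches[cur].links.items():
                if nxt in allowed and nxt not in prev and (not encrypted or port in self.capabilities[cur]):
                    prev[nxt] = cur
                    queue.append(nxt)
        if dst not in prev:
            return None
        path = [dst]
        while prev[path[-1]] is not None:
            path.append(prev[path[-1]])
        return path[::-1]

    def handle_packet_in(self, pkt):
        """Decide, pick a path and issue one flow entry per hop; returns the path or None."""
        encrypted = self.needs_encryption(pkt)
        path = self.select_path(pkt["src"], pkt["dst"], encrypted)
        for cur, nxt in zip(path or [], (path or [])[1:]):
            self.switches[cur].flow_table[(pkt["src"], pkt["dst"])] = {
                "action": "encrypt" if encrypted else "forward", "out_port": self.switches[cur].links[nxt]}
        return path

    def distribute_key(self, pending=False):
        """Generate a key and send it to every capable switch, as the initial or the updated key."""
        self.key_seq += 1
        key = {"id": self.key_seq, "material": secrets.token_bytes(32)}
        for sid in self.capabilities:
            setattr(self.switches[sid], "next_key" if pending else "key", key)
        return key["id"]

    def poll_and_rekey(self):
        """Timed check: push an updated key once an encrypted flow nears the flow threshold."""
        for sw in (self.switches[s] for s in self.capabilities):
            if sw.next_key is None and any(e["action"] == "encrypt" and sw.flow_threshold
                    - sw.counters.get(f, 0) <= REKEY_MARGIN for f, e in sw.flow_table.items()):
                return self.distribute_key(pending=True)
        return None
```

A packet whose priority exceeds the threshold is routed only over secure ports of capable switches even when a shorter insecure link exists, and the switch cuts over to the pre-distributed updated key exactly when its per-flow volume reaches the flow threshold.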
The foregoing is merely a preferred embodiment of the application and is not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the application shall fall within the scope of protection of the application.
Claims (22)
1. A data message transmission method, characterized in that the method is applied on a controller in a software defined network (SDN), the method comprising:
receiving a current data message to be transmitted, and judging whether the data message needs encrypted transmission; and
if the data message needs encrypted transmission, selecting a transmission path for the data message according to cryptographic capability information of switches in the current SDN, and sending a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to pre-stored key information and the flow table, wherein the cryptographic capability information includes ports that support a security protocol and identifiers of the switches on which those ports are located.
2. The method according to claim 1, characterized in that, before selecting the transmission path for the data message according to the cryptographic capability information of the switches in the current SDN, the method further comprises:
learning the cryptographic capability information of the switches in the current SDN.
3. The method according to claim 1, characterized in that the method further comprises:
generating key information, and sending the key information to the switches having cryptographic capability.
4. The method according to claim 3, characterized in that, after sending the key information to the switches having cryptographic capability, the method further comprises:
updating the key information, and sending the updated key information to the corresponding switches.
5. The method according to claim 4, characterized in that updating the key information comprises:
periodically obtaining the flow value between the switches having cryptographic capability, and if the difference between the flow value and a pre-stored flow threshold is within a preset range, updating the key information.
6. The method according to claim 5, characterized in that the method further comprises:
updating the flow threshold, and sending the updated flow threshold to the corresponding switches.
7. The method according to claim 1, characterized in that judging whether the data message needs encrypted transmission comprises:
detecting whether the data message contains a predetermined encryption identifier; or
judging whether the priority of the data message is greater than a preset threshold.
8. A data message transmission method, characterized in that the method is applied on a switch in an SDN, the method comprising:
sending a current data message to be transmitted to a controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to cryptographic capability information of switches in the current SDN and sends a flow table to the switches on the transmission path, wherein the cryptographic capability information includes ports that support a security protocol and identifiers of the switches on which those ports are located; and
receiving the flow table, and performing encrypted transmission of the data message according to pre-stored key information and the flow table.
9. The method according to claim 8, characterized in that, before performing encrypted transmission of the data message according to the pre-stored key information and the flow table, the method further comprises:
receiving and saving the key information or updated key information sent by the controller.
10. The method according to claim 9, characterized in that performing encrypted transmission of the data message according to the pre-stored key information and the flow table comprises:
if it is detected according to the flow table that the flow value between peer switches reaches a pre-stored flow threshold, encrypting the data message using the pre-stored updated key information.
11. The method according to claim 10, characterized in that the method further comprises:
receiving and saving the flow threshold or updated flow threshold sent by the controller.
12. A data message transmission apparatus, characterized in that the apparatus is applied on a controller in an SDN, the apparatus comprising:
a judgment module, configured to receive a current data message to be transmitted and judge whether the data message needs encrypted transmission; and
a selection sending module, configured to, if the judgment module judges that the data message needs encrypted transmission, select a transmission path for the data message according to cryptographic capability information of switches in the current SDN and send a flow table to the switches on the transmission path, so that the switches on the transmission path perform encrypted transmission of the data message according to pre-stored key information and the flow table, wherein the cryptographic capability information includes ports that support a security protocol and identifiers of the switches on which those ports are located.
13. The apparatus according to claim 12, characterized in that the apparatus further comprises:
a learning module, configured to learn the cryptographic capability information of the switches in the current SDN before the selection sending module selects the transmission path for the data message according to that information.
14. The apparatus according to claim 12, characterized in that the apparatus further comprises:
a generation sending module, configured to generate key information and send the key information to the switches having cryptographic capability.
15. The apparatus according to claim 14, characterized in that it further comprises:
an update sending module, configured to, after the generation sending module sends the key information to the switches having cryptographic capability, update the key information and send the updated key information to the corresponding switches.
16. The apparatus according to claim 15, characterized in that the update sending module is specifically configured to:
periodically obtain the flow value between the switches having cryptographic capability, and if the difference between the flow value and a pre-stored flow threshold is within a preset range, update the key information.
17. The apparatus according to claim 16, characterized in that the update sending module is further configured to:
update the flow threshold, and send the updated flow threshold to the corresponding switches.
18. The apparatus according to claim 12, characterized in that the judgment module is specifically configured to:
detect whether the data message contains a predetermined encryption identifier; or
judge whether the priority of the data message is greater than a preset threshold.
19. A data message transmission apparatus, characterized in that the apparatus is applied on a switch in an SDN, the apparatus comprising:
a sending module, configured to send a current data message to be transmitted to a controller, so that the controller, after determining that the data message needs encrypted transmission, selects a transmission path for the data message according to cryptographic capability information of switches in the current SDN and sends a flow table to the switches on the transmission path, wherein the cryptographic capability information includes ports that support a security protocol and identifiers of the switches on which those ports are located; and
a transmission module, configured to receive the flow table and perform encrypted transmission of the data message according to pre-stored key information and the flow table.
20. The apparatus according to claim 19, characterized in that the apparatus further comprises:
a preserving module, configured to receive and save the key information or updated key information sent by the controller before the transmission module performs encrypted transmission of the data message according to the pre-stored key information and the flow table.
21. The apparatus according to claim 20, characterized in that the transmission module is specifically configured to:
if it is detected according to the flow table that the flow value between peer switches reaches a pre-stored flow threshold, encrypt the data message using the pre-stored updated key information.
22. The apparatus according to claim 21, characterized in that the preserving module is further configured to:
receive and save the flow threshold or updated flow threshold sent by the controller.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201510333329.4A (CN104935593B) | 2015-06-16 | 2015-06-16 | The transmission method and device of data message
Publications (2)
Publication Number | Publication Date
---|---
CN104935593A | 2015-09-23
CN104935593B (granted) | 2018-11-27
Family ID: 54122565
Legal Events
Code | Title | Description
---|---|---
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
CB02 | Change of applicant information | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant after: Xinhua three Technology Co., Ltd. Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466; Applicant before: Huasan Communication Technology Co., Ltd.
CB02 | Change of applicant information |
GR01 | Patent grant |
GR01 | Patent grant |