CN106657121B - Method and switch chip for mirroring 802.1AE plaintext and ciphertext - Google Patents


Publication number
CN106657121B
Authority
CN
China
Prior art keywords
message
mirror image
engine modules
identifier
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201611270020.6A
Other languages
Chinese (zh)
Other versions
CN106657121A (en)
Inventor
马千里
方沛昱
杨曙军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Centec Communications Co Ltd
Original Assignee
SHENGKE NETWORK (SUZHOU) CO Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SHENGKE NETWORK (SUZHOU) CO Ltd
Priority to CN201611270020.6A
Publication of CN106657121A
Application granted
Publication of CN106657121B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/10 Packet switching elements characterised by the switching fabric construction
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Facsimile Transmission Control (AREA)

Abstract

The invention discloses a method and a switch chip for mirroring 802.1AE plaintext and ciphertext, applied in the field of network communication technology. The method comprises enabling the port mirroring function and configuring the port mirroring mode, then evaluating the logical AND of the mirror mode and the packet identifier; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed. The method and switch chip are flexible and suit scenarios with different requirements: the switch chip can tell whether the packet it is currently processing is plaintext or ciphertext and, combined with the configured mirror mode, can flexibly mirror 802.1AE ciphertext, plaintext, or both ciphertext and plaintext at once.

Description

Method and switch chip for mirroring 802.1AE plaintext and ciphertext
Technical field
The present invention relates to the field of network communication technology, and more particularly to a method and a switch chip for flexibly mirroring 802.1AE plaintext and ciphertext.
Background
MACsec is a principal protocol for protecting LAN security. It identifies unauthorized stations on the LAN and prevents them from communicating, which keeps the network operating normally; it also protects the integrity and confidentiality of information and reduces attacks on layer-2 protocols, protecting the LAN well against passive wiretapping, masquerading, man-in-the-middle attacks and some denial-of-service attacks.
MACsec provides users with secure MAC-layer data transmission and reception services, including user data encryption and data frame integrity checking. When a port with the MACsec function enabled and MACsec protection enabled sends a data frame, the frame must be encrypted; when a port with the MACsec function enabled receives a MACsec-encapsulated data frame, the frame must be decrypted. The keys used for encryption and decryption are obtained by the two communicating parties through protocol negotiation. If a third-party eavesdropper sits between the two ends, what it captures is encrypted data, so it cannot steal the content at layer 3 and above, and security is therefore guaranteed.
Port mirroring means configuring a switch or router so that the data of one or more ports is forwarded to a designated port, which allows the network to be monitored. Port mirroring is an effective security measure for monitoring network traffic: the monitored traffic can be analyzed for security checks, and network faults can be located promptly and accurately.
In the prior art, the 802.1AE encryption/decryption module is implemented in the MAC. When the switch receives an 802.1AE ciphertext frame, it is decrypted at the MAC layer and the decrypted plaintext is then passed to the switch processing chip; a packet that the switch chip needs to send is passed to the MAC layer, which encrypts it, so what finally leaves the switch is 802.1AE ciphertext.
When port mirroring is enabled on a port with the MACsec function enabled, only 802.1AE ciphertext can be mirrored; plaintext cannot be mirrored, nor can ciphertext and plaintext be mirrored at the same time.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a method and a switch chip for mirroring 802.1AE plaintext and ciphertext, which can mirror a port's 802.1AE ciphertext, its plaintext, or both ciphertext and plaintext at once.
To achieve the above object, the invention proposes the following technical solution: a method for mirroring 802.1AE plaintext and ciphertext, comprising the following steps:
Step 1: enable the port mirroring function and configure the port mirroring mode;
Step 2: evaluate the logical AND of the mirror mode and the packet identifier; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
Preferably, the port mirroring mode is one of: mirroring disabled, mirror plaintext, mirror ciphertext, and mirror plaintext and ciphertext simultaneously, where
the configuration command for disabling mirroring is: mirrorMode[1:0] = 2'00;
the configuration command for mirroring plaintext is: mirrorMode[1:0] = 2'01;
the configuration command for mirroring ciphertext is: mirrorMode[1:0] = 2'10;
the configuration command for mirroring plaintext and ciphertext simultaneously is: mirrorMode[1:0] = 2'11.
Preferably, the packet identifier comprises a first packet identifier and a second packet identifier. The first packet identifier indicates whether the packet needs to be decrypted and whether decryption has been completed; the second packet identifier indicates whether the packet needs to be encrypted and whether encryption has been completed.
Preferably, if the first packet identifier is (1,0), the packet needs to be decrypted and decryption has not been completed;
if the first packet identifier is (0,1), the packet has been decrypted and does not need to be decrypted again;
if the first packet identifier is (0,0), the packet does not need to be decrypted;
if the second packet identifier is (0,0), the packet does not need to be encrypted;
if the second packet identifier is (0,1), the packet needs to be encrypted and encryption has not been completed;
if the second packet identifier is (1,0), the packet has been encrypted.
A switch chip implementing the method for mirroring 802.1AE plaintext and ciphertext comprises an ingress processing engine module, a packet scheduling engine module, an egress processing engine module and an 802.1AE encryption and decryption module. One end of the packet scheduling engine module is connected to the ingress processing engine module and the other end to the egress processing engine module; one end of the 802.1AE encryption and decryption module is connected to the egress processing engine module and the other end to the ingress processing engine module. The ingress processing engine module, packet scheduling engine module, egress processing engine module and 802.1AE encryption and decryption module form a loopback path that performs loopback processing on packets.
Preferably, the ingress processing engine module evaluates the packet information and uses a packet identifier to indicate whether the packet needs to be decrypted and whether decryption has been completed;
the egress processing engine module evaluates the packet information and uses a packet identifier to indicate whether the packet needs to be encrypted and whether encryption has been completed.
Preferably, the packet identifier comprises a first packet identifier and a second packet identifier. The ingress processing engine module uses the first packet identifier to indicate whether the packet needs to be decrypted and whether decryption has been completed; the egress processing engine module uses the second packet identifier to indicate whether the packet needs to be encrypted and whether encryption has been completed.
Preferably, in the ingress processing engine module, if the logical AND of the mirror mode and the first packet identifier is non-zero, the mirror operation is executed; in the egress processing engine module, if the logical AND of the mirror mode and the second packet identifier is non-zero, the mirror operation is executed.
Preferably, if the first packet identifier is (1,0), the packet needs to be decrypted and decryption has not been completed;
if the first packet identifier is (0,1), the packet has been decrypted and does not need to be decrypted again;
if the first packet identifier is (0,0), the packet does not need to be decrypted;
if the second packet identifier is (0,0), the packet does not need to be encrypted;
if the second packet identifier is (0,1), the packet needs to be encrypted and encryption has not been completed;
if the second packet identifier is (1,0), the packet has been encrypted.
The beneficial effects of the invention are:
The method and switch chip for mirroring 802.1AE plaintext and ciphertext are flexible and suit scenarios with different requirements: the switch chip can tell whether the packet it is currently processing is plaintext or ciphertext and, combined with the configured mirror mode, can flexibly mirror 802.1AE ciphertext, plaintext, or both ciphertext and plaintext at once.
Brief description of the drawings
Fig. 1 is a structural block diagram of the switch chip of the invention;
Fig. 2 is a flow chart of the method for mirroring 802.1AE plaintext and ciphertext of the invention;
Fig. 3 is a schematic diagram of the packet processing flow for mirroring 802.1AE plaintext and ciphertext of the invention.
Reference numerals: 1, ingress processing engine module; 2, packet scheduling engine module; 3, egress processing engine module; 4, 802.1AE encryption and decryption module.
Detailed description
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings.
As shown in Fig. 1, the disclosed switch chip for mirroring 802.1AE plaintext and ciphertext comprises an ingress processing engine module 1, a packet scheduling engine module 2, an egress processing engine module 3 and an 802.1AE encryption and decryption module 4, wherein:
The ingress processing engine module 1 is connected to the packet scheduling engine module 2; it processes incoming packets accordingly and sends them to the packet scheduling engine module 2;
Further, the ingress processing engine module 1 parses the packet content to obtain the forwarding behavior and the editing behavior;
One end of the packet scheduling engine module 2 is connected to the ingress processing engine module 1 and the other end to the egress processing engine module 3. The packet scheduling engine module 2 further processes packets already handled by the ingress processing engine module 1 and sends the processed packets to the egress processing engine module 3 for subsequent processing;
Further, the packet scheduling engine module 2 performs queue scheduling, replication and buffer management on the packets that enter it.
One end of the egress processing engine module 3 is connected to the packet scheduling engine module 2 and the other end to the 802.1AE encryption and decryption module 4. The egress processing engine module 3 performs subsequent processing on the packets output by the packet scheduling engine module 2: packets that need encryption or decryption are sent to the 802.1AE encryption and decryption module 4 for encryption or decryption; otherwise they are forwarded directly.
Further, the egress processing engine module 3 edits and forwards the packets that enter it.
One end of the 802.1AE encryption and decryption module 4 is connected to the egress processing engine module 3 and the other end to the ingress processing engine module 1. The 802.1AE encryption and decryption module 4 encrypts or decrypts the packets from the egress processing engine module 3 that need it and sends them directly to the ingress processing engine module 1, which processes the encrypted or decrypted packets further.
The ingress processing engine module 1, packet scheduling engine module 2, egress processing engine module 3 and 802.1AE encryption and decryption module 4 form a loopback path that performs loopback processing on packets.
In the ingress processing engine module 1, the packet information is evaluated and a first identifier (needToDecrypt, Decrypted) indicates whether the packet needs to be decrypted and whether decryption has been completed. In the egress processing engine module 3, the packet information is evaluated and a second identifier (Encrypted, needToEncrypt) indicates whether the packet needs to be encrypted and whether encryption has been completed. Each of needToDecrypt, Decrypted, Encrypted and needToEncrypt takes the binary value 0 or 1.
Further, if the first identifier (needToDecrypt, Decrypted) is (1,0), the packet needs to be decrypted and decryption has not been completed; if it is (0,1), the packet has been decrypted and does not need to be decrypted again; if it is (0,0), the packet does not need to be decrypted. If the second identifier (Encrypted, needToEncrypt) is (0,0), the packet does not need to be encrypted; if it is (0,1), the packet needs to be encrypted and encryption has not been completed; if it is (1,0), the packet has been encrypted.
As shown in Fig. 1 and Fig. 3, after ciphertext from a port with the MACsec function enabled enters the switch chip, the ingress processing engine module 1 parses the packet and finds that it is ciphertext; this is denoted the first ciphertext packet. The logic determines that the first ciphertext packet needs to be decrypted, and the corresponding (needToDecrypt, Decrypted) identifier is (1,0), indicating that the first ciphertext packet needs to be decrypted and decryption has not been completed. The first ciphertext packet is therefore sent to the packet scheduling engine module 2 for queue scheduling and then to the egress processing engine module 3 for processing. There the corresponding (Encrypted, needToEncrypt) identifier is (0,0), indicating that the first ciphertext packet does not need to be encrypted, and the ciphertext packet is sent on to the 802.1AE encryption and decryption module 4 for decryption.
After decryption by the 802.1AE encryption and decryption module 4, the first ciphertext packet becomes a plaintext packet, denoted the second plaintext packet. The second plaintext packet is fed back into the ingress processing engine module 1 for parsing, which yields the forwarding destination address; the corresponding (needToDecrypt, Decrypted) identifier is (0,1), indicating that decryption has been completed. The second plaintext packet is then sent to the packet scheduling engine module 2, which looks up the port to forward to from the forwarding destination address and also checks whether the egress port has the MACsec function enabled. If it is enabled, the packet is sent through the egress processing engine module 3 to the 802.1AE encryption and decryption module 4 for encryption; in the egress processing engine module 3 the corresponding (Encrypted, needToEncrypt) identifier is (0,1), indicating that the packet needs to be encrypted and encryption has not been completed.
After encryption by the 802.1AE encryption and decryption module 4, the second plaintext packet becomes a ciphertext packet, denoted the third ciphertext packet. The third ciphertext packet is fed back into the ingress processing engine module 1 for parsing, which yields the forwarding destination address; the corresponding (needToDecrypt, Decrypted) identifier is (0,0), indicating that no decryption is needed. The packet scheduling engine module 2 looks up the forwarding port from the forwarding destination address and sends the encrypted packet to the egress processing engine module 3, where the corresponding (Encrypted, needToEncrypt) identifier is (1,0), indicating that encryption has been completed, and the encrypted packet is forwarded out of the corresponding port.
Mirroring 802.1AE plaintext and ciphertext requires enabling the port mirroring function and configuring the mirror mode on the port. Specifically, there are four mirror modes:
1) mirrorMode[1:0] = 2'00: mirroring is disabled;
2) mirrorMode[1:0] = 2'01: mirror plaintext;
3) mirrorMode[1:0] = 2'10: mirror ciphertext;
4) mirrorMode[1:0] = 2'11: mirror plaintext and ciphertext simultaneously. Here mirrorMode[1:0] denotes a two-bit binary value and 2'00 denotes the binary number 00; likewise, 2'01, 2'10 and 2'11 denote the binary numbers 01, 10 and 11.
In the ingress processing engine module 1, the logical AND of the mirror mode and the first identifier is evaluated; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
In the egress processing engine module 3, the logical AND of the mirror mode and the second identifier is evaluated; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
Specifically, suppose the port's mirror mode is configured as mirrorMode[1:0] = 2'01, i.e. mirror plaintext. The packet that enters the ingress processing engine module 1 for the first time is a ciphertext packet, the first ciphertext packet, and the corresponding (needToDecrypt, Decrypted) identifier is (1,0); the logical AND of the two is zero, so no mirror operation is executed;
The first ciphertext packet passes through the packet scheduling engine module 2 into the egress processing engine module 3, where the corresponding (Encrypted, needToEncrypt) identifier is (0,0); the logical AND of mirrorMode[1:0] and (Encrypted, needToEncrypt) is zero, so no mirror operation is executed, and the egress processing engine module 3 sends the ciphertext to the 802.1AE encryption and decryption module 4 for decryption;
After decryption by the 802.1AE encryption and decryption module 4, the first ciphertext packet becomes a plaintext packet, the second plaintext packet, which re-enters the ingress processing engine module 1 through the loopback path. The corresponding (needToDecrypt, Decrypted) identifier is (0,1); the logical AND of the two is non-zero, so the mirror operation is executed, i.e. the plaintext is mirrored;
The second plaintext packet passes through the packet scheduling engine module 2 into the egress processing engine module 3, where the corresponding (Encrypted, needToEncrypt) identifier is (0,1); the logical AND of mirrorMode[1:0] and (Encrypted, needToEncrypt) is non-zero, so the mirror operation is executed, i.e. the plaintext is mirrored;
After encryption by the 802.1AE encryption and decryption module 4, the second plaintext packet becomes a ciphertext packet, the third ciphertext packet, which re-enters the ingress processing engine module 1 through the loopback path. The corresponding (needToDecrypt, Decrypted) identifier is (0,0); the logical AND of the two is zero, so no mirror operation is executed;
The third ciphertext packet passes through the packet scheduling engine module 2 into the egress processing engine module 3, where the corresponding (Encrypted, needToEncrypt) identifier is (1,0); the logical AND of mirrorMode[1:0] and (Encrypted, needToEncrypt) is zero, so no mirror operation is executed, and the third ciphertext packet is sent out.
When the port's mirror mode is configured as mirrorMode[1:0] = 2'10 or mirrorMode[1:0] = 2'11, the processing is the same as for mirrorMode[1:0] = 2'01 and is not repeated here.
By implementing a centralized 802.1AE encryption and decryption engine in the switch chip and using loopback, the invention lets the switch chip apply different mirror operations to 802.1AE ciphertext and plaintext.
As shown in Fig. 2, a method for mirroring 802.1AE plaintext and ciphertext comprises the following steps:
Step 1: enable the port mirroring function and configure the port mirroring mode;
Step 2: evaluate the logical AND of the mirror mode and the packet identifier; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
Specifically, the switch enables the port mirroring function and configures the port mirroring mode. In the ingress processing engine module, if the logical AND of the mirror mode and the first packet identifier is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed;
In the egress processing engine module 3, if the logical AND of the mirror mode and the second packet identifier is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
The packet identifier comprises a first packet identifier and a second packet identifier. The first packet identifier indicates whether the packet needs to be decrypted and whether decryption has been completed; the second packet identifier indicates whether the packet needs to be encrypted and whether encryption has been completed. The first packet identifier is written (needToDecrypt, Decrypted) and shows the information of the packet currently in the ingress processing engine module 1, i.e. whether the packet needs to be decrypted and whether decryption has been completed. The second packet identifier is written (Encrypted, needToEncrypt) and shows the information of the packet currently in the egress processing engine module 3, i.e. whether the packet needs to be encrypted and whether encryption has been completed.
Specifically, the port mirroring function is enabled and the port mirroring mode is configured; there are four port mirroring modes:
1) mirrorMode[1:0] = 2'00: mirroring is disabled;
2) mirrorMode[1:0] = 2'01: mirror plaintext;
3) mirrorMode[1:0] = 2'10: mirror ciphertext;
4) mirrorMode[1:0] = 2'11: mirror plaintext and ciphertext simultaneously. Here mirrorMode[1:0] denotes a two-bit binary value and 2'00 denotes the binary number 00; likewise, 2'01, 2'10 and 2'11 denote the binary numbers 01, 10 and 11.
In the ingress processing engine module 1, the logical AND of the mirror mode and the first identifier is evaluated; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
In the egress processing engine module 3, the logical AND of the mirror mode and the second identifier is evaluated; if the result is non-zero, the current packet satisfies the mirroring condition and the mirror operation is executed.
As shown in Fig. 2 and Fig. 3, suppose specifically that the port's mirror mode is configured as mirrorMode[1:0] = 2'10, i.e. mirror ciphertext. The packet that first enters the ingress processing engine module is a ciphertext packet, and the corresponding (needToDecrypt, Decrypted) identifier is (1,0), meaning it needs to be decrypted; the logical AND of the two is non-zero, so the mirror-ciphertext operation is executed;
The ciphertext packet passes through the packet scheduling engine module 2 into the egress processing engine module 3, where the corresponding (Encrypted, needToEncrypt) identifier is (0,0); the logical AND of mirrorMode[1:0] and (Encrypted, needToEncrypt) is zero, so no mirror operation is executed, and the egress processing engine module 3 sends the ciphertext to the 802.1AE encryption and decryption module 4 for decryption.
After decryption by the 802.1AE encryption and decryption module 4, the ciphertext packet becomes a plaintext packet, which re-enters the ingress processing engine module 1 through the loopback path. The corresponding (needToDecrypt, Decrypted) identifier is (0,1); the logical AND of the two is zero, so no mirror operation is executed.
The plaintext packet passes through the packet scheduling engine module 2 and re-enters the egress processing engine module 3. Because the interface has the MACsec function enabled, the plaintext must be encrypted before it can be forwarded, and the corresponding (Encrypted, needToEncrypt) identifier is (0,1); the logical AND of mirrorMode[1:0] and (Encrypted, needToEncrypt) is zero, so no mirror operation is executed, and the egress processing engine module 3 sends the packet to the 802.1AE encryption and decryption module 4 for encryption.
After encryption by the 802.1AE encryption and decryption module 4, the plaintext packet becomes a ciphertext packet, which re-enters the ingress processing engine module 1. The corresponding (needToDecrypt, Decrypted) identifier is (0,0); the logical AND of the two is zero, so no mirror operation is executed;
The ciphertext re-enters the egress processing engine module 3, where the corresponding (Encrypted, needToEncrypt) identifier is (1,0); the logical AND of mirrorMode[1:0] and (Encrypted, needToEncrypt) is non-zero, so the mirror operation is executed and the ciphertext is sent out.
When the port's mirror mode is configured as mirrorMode[1:0] = 2'10 or mirrorMode[1:0] = 2'11, the processing is the same as for mirrorMode[1:0] = 2'01 and is not repeated here.
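The two walk-throughs above (mirrorMode[1:0] = 2'01 and 2'10) can be checked with a small model of the loopback path. This is an added example, not code from the patent: the struct and function names are hypothetical, and it assumes each identifier pair is packed into two bits with its first element as the high bit, which is the reading that reproduces the results stated in the text.

```c
#include <stdio.h>

/* mirrorMode[1:0] as defined in the description: bit 1 selects ciphertext,
 * bit 0 selects plaintext. */
enum mirror_mode {
    MIRROR_OFF    = 0x0, /* 2'00: mirroring disabled            */
    MIRROR_PLAIN  = 0x1, /* 2'01: mirror plaintext              */
    MIRROR_CIPHER = 0x2, /* 2'10: mirror ciphertext             */
    MIRROR_BOTH   = 0x3  /* 2'11: mirror plaintext + ciphertext */
};

/* Assumption: an identifier written (hi, lo) in the description is packed
 * into two bits so that it lines up with mirrorMode[1:0]:
 *   ingress engine: (needToDecrypt, Decrypted)
 *   egress engine:  (Encrypted, needToEncrypt)
 * In both, the high bit marks a ciphertext copy, the low bit a plaintext one. */
static unsigned pack_ident(unsigned hi, unsigned lo)
{
    return ((hi & 1u) << 1) | (lo & 1u);
}

/* The mirror decision: a non-zero logical AND means "mirror this packet". */
static int should_mirror(unsigned mode, unsigned ident)
{
    return (mode & ident & 0x3u) != 0;
}

#define N_VISITS 6

struct visit {
    const char *engine;  /* engine that sees the packet          */
    int pass;            /* trip number around the loopback path */
    unsigned hi, lo;     /* identifier flags at this visit       */
    const char *state;   /* what the packet is at this point     */
};

/* Constructed scenario from the walk-through: ciphertext arrives on a
 * MACsec port and leaves on a MACsec port, so one packet makes three
 * trips through the ingress and egress engines. */
static const struct visit VISITS[N_VISITS] = {
    { "ingress", 1, 1, 0, "ciphertext as received, awaiting decryption" },
    { "egress",  1, 0, 0, "on its way to the decryption engine"         },
    { "ingress", 2, 0, 1, "plaintext after decryption"                  },
    { "egress",  2, 0, 1, "plaintext awaiting encryption"               },
    { "ingress", 3, 0, 0, "re-encrypted, no decryption needed"          },
    { "egress",  3, 1, 0, "ciphertext ready to transmit"                },
};

/* Bit i of the result is set when visit i produces a mirror copy. */
static unsigned mirror_points(unsigned mode)
{
    unsigned mask = 0;
    for (int i = 0; i < N_VISITS; i++) {
        if (should_mirror(mode, pack_ident(VISITS[i].hi, VISITS[i].lo)))
            mask |= 1u << i;
    }
    return mask;
}

/* Number of mirror copies a single packet generates under a given mode. */
static int mirror_copies(unsigned mode)
{
    int n = 0;
    for (unsigned m = mirror_points(mode); m; m >>= 1)
        n += (int)(m & 1u);
    return n;
}

int main(void)
{
    static const char *names[] = { "2'00", "2'01", "2'10", "2'11" };
    for (unsigned mode = 0; mode < 4; mode++) {
        unsigned mask = mirror_points(mode);
        printf("mirrorMode[1:0] = %s: %d mirror copies\n",
               names[mode], mirror_copies(mode));
        for (int i = 0; i < N_VISITS; i++) {
            if (mask & (1u << i))
                printf("  %s pass %d: %s\n", VISITS[i].engine,
                       VISITS[i].pass, VISITS[i].state);
        }
    }
    return 0;
}
```

In this scenario each single-type mode yields two copies of the same packet: plaintext at ingress pass 2 and egress pass 2, ciphertext at ingress pass 1 (as received) and egress pass 3 (as re-encrypted for transmission).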
The method and switch chip for mirroring 802.1AE plaintext and ciphertext are flexible and suit scenarios with different requirements: the switch chip can tell whether the packet it is currently processing is plaintext or ciphertext and, combined with the configured mirror mode, can flexibly mirror 802.1AE ciphertext, plaintext, or both ciphertext and plaintext at once.
The technical content and technical features of the invention are disclosed above; those skilled in the art may nevertheless make various substitutions and modifications based on the teachings and disclosure of the invention without departing from its spirit. The scope of protection of the invention should therefore not be limited to what the embodiments disclose, but should include the various substitutions and modifications that do not depart from the invention, as covered by the claims of this patent application.

Claims (2)

1. A method for mirroring 802.1AE plaintext and ciphertext, characterized by comprising the following steps:
Step 1: enable the port mirroring function and configure the port mirroring mode, the port mirroring mode being one of: mirroring not enabled, mirror plaintext, mirror ciphertext, and mirror both plaintext and ciphertext, wherein the configuration command for not enabling mirroring is mirrorMode[1:0]=2'00, the configuration command for mirroring plaintext is mirrorMode[1:0]=2'01, the configuration command for mirroring ciphertext is mirrorMode[1:0]=2'10, and the configuration command for mirroring both plaintext and ciphertext is mirrorMode[1:0]=2'11;
Step 2: evaluate the result of the logical AND of the mirroring mode and the message identifier; if the result is non-zero, the current message meets the condition for being mirrored and the mirror operation is executed. The message identifier comprises a first message identifier and a second message identifier. The first message identifier indicates whether the message needs to be decrypted and whether decryption has been completed: if the first message identifier is (1,0), the message needs to be decrypted and the decryption operation has not been completed; if it is (0,1), the message has been decrypted and does not need to be decrypted again; if it is (0,0), the message does not need to be decrypted. The second message identifier indicates whether the message needs to be encrypted and whether encryption has been completed: if the second message identifier is (0,0), the message does not need to be encrypted; if it is (0,1), the message needs to be encrypted and encryption has not been completed; if it is (1,0), the message has been encrypted.
2. A switch chip implementing the method for mirroring 802.1AE plaintext and ciphertext of claim 1, characterized by comprising an ingress processing engine module, a message scheduling engine module, an egress processing engine module and an 802.1AE encryption and decryption module, wherein one end of the message scheduling engine module is connected to the ingress processing engine module and the other end is connected to the egress processing engine module; one end of the 802.1AE encryption and decryption module is connected to the egress processing engine module and the other end is connected to the ingress processing engine module; and the ingress processing engine module, the message scheduling engine module, the egress processing engine module and the 802.1AE encryption and decryption module form a loopback circuit that performs loopback processing on messages;
The ingress processing engine module examines the message information by logic and uses a message identifier to indicate whether the message needs to be decrypted and whether decryption has been completed; the egress processing engine module examines the message information by logic and uses a message identifier to indicate whether the message needs to be encrypted and whether encryption has been completed;
The message identifier comprises a first message identifier and a second message identifier. In the ingress processing engine module, the first message identifier indicates whether the message needs to be decrypted and whether decryption has been completed: if the first message identifier is (1,0), the message needs to be decrypted and the decryption operation has not been completed; if it is (0,1), the message has been decrypted and does not need to be decrypted again; if it is (0,0), the message does not need to be decrypted. In the ingress processing engine module, the mirror operation is performed if the result of the logical AND of the mirroring mode and the first message identifier is non-zero;
In the egress processing engine module, the second message identifier indicates whether the message needs to be encrypted and whether encryption has been completed: if the second message identifier is (0,0), the message does not need to be encrypted; if it is (0,1), the message needs to be encrypted and encryption has not been completed; if it is (1,0), the message has been encrypted. In the egress processing engine module, the mirror operation is executed if the result of the logical AND of the mirroring mode and the second message identifier is non-zero.
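The mirror decision in claims 1 and 2 can be modelled in a few lines of C. The model below is an added illustration, not code from the patent or from any switch SDK: the enum and function names are hypothetical, and it assumes a protected message crosses the same engine twice (before and after the 802.1AE module on the loopback path), carrying the identifier values listed in the claims.

```c
#include <stdio.h>

/* mirrorMode[1:0] values from claim 1 (enum names are hypothetical). */
enum { MIRROR_OFF = 0, MIRROR_PLAIN = 1, MIRROR_CIPHER = 2, MIRROR_BOTH = 3 };

/* Pack a two-bit identifier written (hi, lo) in the claims. With the claimed
 * values, the high bit marks a ciphertext pass and the low bit a plaintext pass. */
static unsigned ident(unsigned hi, unsigned lo) { return ((hi & 1u) << 1) | (lo & 1u); }

/* Claimed test: mirror when mode AND identifier is non-zero. */
static int should_mirror(unsigned mode, unsigned id) { return (mode & id & 3u) != 0; }

/* Identifier carried on one pass through a processing engine. */
struct pass { unsigned hi, lo; };

/* Ingress engine, first identifier: awaiting decryption, then decrypted. */
static const struct pass RX_PASSES[2] = { { 1, 0 }, { 0, 1 } };
/* Egress engine, second identifier: awaiting encryption, then encrypted. */
static const struct pass TX_PASSES[2] = { { 0, 1 }, { 1, 0 } };

/* Copies the mirror destination receives: bit 0 plaintext, bit 1 ciphertext. */
static unsigned mirrored_copies(unsigned mode, const struct pass *p, int n) {
    unsigned seen = 0;
    for (int i = 0; i < n; i++) {
        unsigned id = ident(p[i].hi, p[i].lo);
        if (should_mirror(mode, id))
            seen |= id;
    }
    return seen;
}

int main(void) {
    for (unsigned mode = MIRROR_OFF; mode <= MIRROR_BOTH; mode++)
        printf("mirrorMode=%u%u  rx copies=%u  tx copies=%u\n",
               mode >> 1, mode & 1u,
               mirrored_copies(mode, RX_PASSES, 2),
               mirrored_copies(mode, TX_PASSES, 2));
    /* Identifier (0,0) never passes the AND test, whatever the mode. */
    printf("(0,0) under mode 11 mirrored: %d\n",
           should_mirror(MIRROR_BOTH, ident(0, 0)));
    return 0;
}
```

Under this test a message whose identifier is (0,0) is never selected for mirroring in any mode, and mode 2'01 or 2'11 delivers the unencrypted form of 802.1AE-protected traffic to the mirror destination.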
CN201611270020.6A 2016-12-30 2016-12-30 The method and exchange chip of mirror image 802.1AE plaintext and ciphertext Active CN106657121B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611270020.6A CN106657121B (en) 2016-12-30 2016-12-30 The method and exchange chip of mirror image 802.1AE plaintext and ciphertext

Publications (2)

Publication Number Publication Date
CN106657121A CN106657121A (en) 2017-05-10
CN106657121B true CN106657121B (en) 2019-10-08

Family

ID=58838527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611270020.6A Active CN106657121B (en) 2016-12-30 2016-12-30 The method and exchange chip of mirror image 802.1AE plaintext and ciphertext

Country Status (1)

Country Link
CN (1) CN106657121B (en)

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address

Address after: 215101 unit 13 / 16, 4th floor, building B, No. 5, Xinghan street, Suzhou Industrial Park, Jiangsu Province

Patentee after: Suzhou Shengke Communication Co.,Ltd.

Address before: 215021 unit 13 / 16, floor 4, building B, No. 5, Xinghan street, industrial park, Suzhou, Jiangsu Province

Patentee before: CENTEC NETWORKS (SU ZHOU) Co.,Ltd.

CP03 Change of name, title or address