CN107086959A - Method and device for operation, administration and maintenance message authentication - Google Patents


Info

Publication number
CN107086959A
Authority
CN
China
Prior art keywords
network element
authentication information
oam message
information
mark
Prior art date
Legal status
Granted
Application number
CN201610088118.3A
Other languages
Chinese (zh)
Other versions
CN107086959B (en)
Inventor
李士雷
徐芳瑞
晋全福
易科
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201610088118.3A (CN107086959B)
Priority to PCT/CN2017/071512 (WO2017140199A1)
Publication of CN107086959A
Application granted
Publication of CN107086959B
Legal status: Active
Anticipated expiration: not stated

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]

Abstract

The application relates to the communications field, and in particular to an operation, administration and maintenance (OAM) message authentication method and a first network element. The OAM message authentication method includes: the first network element receives a first OAM message, the first OAM message carrying a first identifier and first authentication information; the first network element determines second authentication information according to a mapping from the first identifier to the second authentication information; the first network element judges whether the first authentication information matches the second authentication information; and if the first authentication information does not match the second authentication information, the first network element determines that the first OAM message is an illegal message. By determining whether the first authentication information matches the second authentication information, the first network element can identify whether the first OAM message is a legal message, and so avoids executing a false command carried in an illegal OAM message, which helps to improve the stability and security of communication.

Description

Method and device for operation, administration and maintenance message authentication
Technical field
The application relates to the communications field, and in particular to a method and device for operation, administration and maintenance message authentication.
Background
Operation, administration and maintenance (OAM) is a technology that provides link defect detection and defect correction for a network. Network devices that communicate with each other send OAM messages to detect whether the channel used for the communication is in a normal state; when an abnormality is detected on that channel, they trigger a protection switching mechanism by sending OAM messages to each other, so that the communication is switched to a pre-configured protection channel. This reduces the packet loss caused by an abnormal working channel and ensures the stability of service transmission. For example, an automatic protection switching (APS) message is a kind of OAM message: when the communication channel becomes abnormal, network nodes negotiate by sending APS messages to each other and jointly switch the service to the protection channel.
When an OAM message is maliciously tampered with by another device, when it is forged by another network element, or when the network administrator has misconfigured a parameter, the network device receiving the OAM message may obtain an incorrect switching request and perform an erroneous switch according to it, so that normal communication is severely affected.
Summary of the invention
This application provides a method and device for OAM message authentication, for reducing the risk that a network device performs an erroneous switch according to an incorrect OAM message, and for improving the stability of communication.
A first aspect provides a method of OAM message authentication, the method including:
a first network element receives a first OAM message, the first OAM message carrying a first identifier and first authentication information;
the first network element determines second authentication information according to a mapping from the first identifier to the second authentication information;
the first network element judges whether the first authentication information matches the second authentication information;
if the first authentication information does not match the second authentication information, the first network element determines that the first OAM message is an illegal message.
By determining the second authentication information according to the first identifier and judging whether it matches the first authentication information carried in the first OAM message, the first network element judges whether the first OAM message is a legal message. Therefore, when the network administrator has misconfigured the first identifier, or when the first identifier has been maliciously tampered with or forged by another network element, the first network element can determine that the first authentication information does not match the second authentication information, recognize that the information in the first OAM message is wrong, and avoid executing an erroneous instruction according to that information, which improves the security and stability of communication.
Optionally, after the first network element determines that the first OAM message is an illegal message, the method further includes: the first network element saves the first OAM message.
By saving the illegal first OAM message, the first network element provides the network administrator with more information for analysing why the illegal message was received. For example, if the mismatch between the first authentication information and the second authentication information was caused by a misconfiguration of the first identifier, the saved first OAM message gives the administrator information for analysing the configuration error so that it can be corrected. If the mismatch was caused by the first OAM message having been maliciously tampered with or forged by another network element, the saved first OAM message gives the administrator more information for locating that network element, which improves the security of the network.
Optionally, in one example, the first authentication information is encrypted information, and the first network element judging whether the first authentication information matches the second authentication information includes: the first network element determines a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; the first network element performs a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and the first network element judges whether the third authentication information is equal to the second authentication information.
Optionally, in another example, the first network element and a second network element communicate through a first label switched path (LSP), the first identifier is a multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: a label switching router (LSR) identifier of the second network element; an LSR identifier of the first network element; and an identifier of the first LSP.
Optionally, the method further includes: the first network element obtains fourth authentication information according to a mapping from a third network element to the fourth authentication information; the first network element sends a second OAM message to the third network element, the second OAM message carrying the fourth authentication information, and the fourth authentication information being used to indicate to the third network element that the second OAM message is a legal message.
Optionally, the first network element obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: the first network element determines an encryption algorithm according to a mapping from the third network element to the encryption algorithm; the first network element determines fifth authentication information according to a mapping from the third network element to the fifth authentication information; and the first network element performs an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element communicates with the third network element through a second LSP, and the fourth authentication information includes at least one of the following: an LSR identifier of the third network element; the LSR identifier of the first network element; and an identifier of the second LSP.
A second aspect provides a first network element, including a processor and a network interface, the processor being configured to:
receive a first OAM message through the network interface, the first OAM message carrying a first identifier and first authentication information;
determine second authentication information according to a mapping from the first identifier to the second authentication information;
judge whether the first authentication information matches the second authentication information;
if the first authentication information does not match the second authentication information, determine that the first OAM message is an illegal message.
Optionally, the processor is further configured to save the first OAM message after determining that the first OAM message is an illegal message.
Optionally, the first authentication information is encrypted information, and judging whether the first authentication information matches the second authentication information includes: determining a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and judging whether the third authentication information is equal to the second authentication information.
Optionally, the first network element communicates with a second network element through a first label switched path (LSP), the first identifier is a multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: a label switching router (LSR) identifier of the second network element; an LSR identifier of the first network element; and an identifier of the first LSP.
Optionally, the processor is further configured to: obtain fourth authentication information according to a mapping from a third network element to the fourth authentication information; and send a second OAM message to the third network element through the network interface, the second OAM message carrying the fourth authentication information, and the fourth authentication information being used to indicate to the third network element that the second OAM message is a legal message.
Optionally, obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: determining an encryption algorithm according to a mapping from the third network element to the encryption algorithm; determining fifth authentication information according to a mapping from the third network element to the fifth authentication information; and performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element communicates with the third network element through a second LSP, and the fourth authentication information includes at least one of the following: an LSR identifier of the third network element; the LSR identifier of the first network element; and an identifier of the second LSP.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings required for describing the embodiments are briefly described below. The drawings described below show only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application.
Fig. 2 is a schematic flowchart of an OAM message authentication method provided by an embodiment of the present application.
Fig. 3a is a schematic diagram of an OAM message format provided by an embodiment of the present application.
Fig. 3b is a schematic diagram of another OAM message format provided by an embodiment of the present application.
Fig. 4 is a schematic flowchart of another OAM message authentication method provided by an embodiment of the present application.
Fig. 5 is a schematic structural diagram of a first network element provided by an embodiment of the present application.
Embodiments
The application scenarios described in the embodiments of the present application serve to explain the technical solutions of the embodiments more clearly and do not limit them. A person of ordinary skill in the art understands that, as the network architecture evolves and new service scenarios appear, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
Fig. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application. As shown in Fig. 1, the channels used for communication between a first network element 101 and a second network element 102 include a working channel and a protection channel.
For example, the first network element 101 may be a router, a network switch, a firewall, a wavelength division multiplexing (WDM) device, a packet transport network device, a base station, a base station controller or a data centre. The second network element 102 may likewise be a router, a network switch, a firewall, a WDM device, a packet transport network device, a base station, a base station controller or a data centre. The working channel and the protection channel may be pseudo wires (PW) or tunnels.
By sending operation, administration and maintenance (OAM) messages to each other, the first network element 101 and the second network element 102 detect whether the channel used for communication is in a normal state, and when the channel currently used for communication becomes abnormal, they trigger protection switching by sending OAM messages.
In one example, the first network element 101 and the second network element 102 communicate over Ethernet, and the OAM message may be an OAM message specified in ITU-T Y.1731. Specifically, the OAM message may be an automatic protection switching (APS) message, for example an APS message specified in ITU-T G.8031/Y.1342.
In another example, the first network element 101 and the second network element 102 communicate over a multiprotocol label switching (MPLS) tunnel, and the OAM message may be a message defined in ITU-T Y.1711. Specifically, the OAM message may be an APS message.
In an ordinary communication process, when the first network element 101 receives an OAM message, it determines from information in the header of the OAM message, such as the MPLS label in the MPLS header, that the OAM message comes from the second network element 102; it then looks up the OAM state machine corresponding to the channel used for communication between the first network element 101 and the second network element 102, sets the state of that OAM state machine according to the request carried in the OAM message, and performs the corresponding operation according to the state of the OAM state machine.
In the above scheme, the first network element 101 does not authenticate the authenticity or correctness of an OAM message when receiving it. Therefore, if the OAM message received by the first network element 101 has been forged or tampered with by another network device, or, in the example where the first network element 101 identifies the source of the OAM message by its MPLS label, if a configuration error by the network administrator causes the MPLS label of OAM messages sent to the first network element 101 by a third network element (not shown in Fig. 1) communicating with it to have the same label value as the MPLS label of OAM messages sent by the second network element 102 to the first network element 101, then the first network element 101 may, when receiving an OAM message from the third network element, identify it as an OAM message from the second network element 102. In these situations, the source of the OAM message received by the first network element 101, or the instruction carried in it, may be incorrect. The first network element 101 may then perform an erroneous operation according to the incorrect OAM message, for example switching to the wrong channel for communicating with the second network element 102, so that normal communication is affected.
An embodiment of the present application provides a method of OAM message authentication, for reducing the risk that a network device performs an erroneous switch according to an incorrect OAM message, and for improving the stability of communication.
Fig. 2 shows a method of OAM message authentication provided by an embodiment of the present application. For example, the method may be applied in the scenario shown in Fig. 1: the first network element in the method shown in Fig. 2 may be the first network element 101 shown in Fig. 1, and the second network element in the method shown in Fig. 2 may be the second network element 102 shown in Fig. 1. The method includes the following steps.
S201: the first network element receives a first OAM message, the first OAM message carrying a first identifier and first authentication information.
For example, the first OAM message may be the OAM message described with reference to Fig. 1; further, the first OAM message may be the APS message described with reference to Fig. 1.
The first identifier is carried in the header of the first OAM message and indicates the source of the first OAM message. For example, the first OAM message includes an MPLS header, and the first identifier is the label field in the MPLS header. In another example, the first OAM message includes a virtual local area network (VLAN) tag, and the first identifier is the VLAN identifier (VID) field in the VLAN tag.
The first authentication information is carried in the payload of the first OAM message. For example, the first authentication information may be carried by a type-length-value (TLV) defined in the payload of the first OAM message, that is, a Type is defined to indicate that the Value of the TLV is the value of the first authentication information.
In one example, where the first OAM message is an OAM message that allows extension fields to be added, such as an APS message specified in ITU-T G.8031/Y.1342, the first authentication information may be carried in an extension field of the APS message. Fig. 3a shows the payload format of an APS message according to the ITU-T G.8031/Y.1342 standard that does not carry the first authentication information. Fig. 3b shows the payload format of an APS message that carries the first authentication information by adding a TLV in an extension field. Note that the length of the Value field shown in Fig. 3b is only schematic; the embodiments of the present application do not limit the specific length of the Value field.
In another example, where the first OAM message is an OAM message that does not allow extension fields to be added, the first authentication information may be carried in another field that the protocol leaves unused. For example, where the first OAM message is a message defined in ITU-T Y.1711, the first authentication information may be carried in the padding field.
S202: the first network element determines second authentication information according to a mapping from the first identifier to the second authentication information.
The mapping from the first identifier to the second authentication information is stored in the first network element. The second authentication information is information that the network administrator has configured in advance in the first network element and the second network element. In one example, the mapping from the first identifier to the second authentication information may be stored directly as an entry of a mapping table from identifiers to authentication information. In another example, the first network element stores a mapping from the first identifier to an OAM state machine; according to the first identifier, the first network element determines the OAM state machine corresponding to the first OAM message, and that OAM state machine monitors the working state of the working channel and the protection channel between the first network element and the second network element. Where the first OAM message is an APS message, the state machine may also be an APS state machine. Further, the first network element also stores a mapping from the OAM state machine to authentication information, and finds the second authentication information according to the OAM state machine corresponding to the first OAM message.
S203: the first network element judges whether the first authentication information matches the second authentication information.
Optionally, in one possible example, the first authentication information is encrypted information, and the first network element judging whether the first authentication information matches the second authentication information includes: the first network element determines a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; the first network element performs a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and the first network element judges whether the third authentication information is equal to the second authentication information. If the third authentication information is equal to the second authentication information, the first network element determines that the first authentication information matches the second authentication information.
For example, the first network element and the second network element are jointly configured with an encryption algorithm and the corresponding decryption algorithm, and both have pre-stored the second authentication information. Before sending the first OAM message to the first network element, the second network element performs an encryption operation on the second authentication information according to the encryption algorithm to obtain the first authentication information. Optionally, the encryption operation performed by the second network element on the second authentication information is as follows: the second network element generates a random number and uses the encryption algorithm to perform an encryption operation on the random number and the second authentication information, obtaining an encryption parameter; the first authentication information then includes the random number and the encryption parameter. For example, where the first authentication information is carried in the first OAM message by a custom TLV, the TLV may include a first sub-TLV and a second sub-TLV, the Value of the first sub-TLV being the value of the random number and the Value of the second sub-TLV being the value of the encryption parameter. After receiving the first authentication information, the first network element obtains the random number and the encryption parameter, performs a decryption operation on them according to the decryption algorithm, and obtains the third authentication information. If the third authentication information is equal to the second authentication information, the first network element determines that the first OAM message is a legal message; if the third authentication information is not equal to the second authentication information, the first network element determines that the first OAM message is an illegal message.
Optionally, in another possible example, the first network element and the second network element communicate through a first label switched path (LSP), the first identifier is the multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: the label switching router (LSR) identifier of the second network element; the LSR identifier of the first network element; and the identifier of the first LSP. The LSR identifier of the first network element is unique within the whole MPLS network, the LSR identifier of the second network element is unique within the whole MPLS network, and the identifier of the first LSP is unique within the whole MPLS network.
For example, the LSR identifier of the second network element is stored in both the first network element and the second network element. Before sending the first OAM message to the first network element, the second network element writes its LSR identifier into the first OAM message as the first authentication information, and writes a pre-configured MPLS label into the MPLS header of the first OAM message as the first identifier. After receiving the first OAM message, the first network element obtains the second authentication information according to the mapping from the MPLS label to the second authentication information; the second authentication information is the LSR identifier of the second network element stored in the first network element. The first network element compares the first authentication information with the second authentication information, and if they are equal, determines that the first authentication information matches the second authentication information.
If the first authentication information does not match the second authentication information, the first network element performs S204.
S204: the first network element determines that the first OAM message is an illegal message.
The first network element does not perform the operation indicated by the information in the first OAM message.
Optionally, after determining that the first OAM message is an illegal message, the first network element saves the first OAM message.
By saving illegal messages, the first network element can provide the network administrator with information about them, so that the administrator can determine the source of the illegal messages.
Optionally, after determining that the first OAM message is an illegal message, the first network element discards the first OAM message.
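The receiver-side check of S203 (both the encrypted sub-TLV variant and the plaintext LSR-identifier variant) together with the S204 handling of illegal messages, as an added example that is not part of the patent: the TLV type codes, the function and class names and the SHA-256 XOR keystream used as a stand-in for the patent's unspecified encryption algorithm are all assumptions made here, and the labels, keys and LSR identifiers are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Type codes are hypothetical: the patent defines the TLV / sub-TLV layout (Fig. 3b)
# but leaves the numeric Type values unspecified.
TLV_AUTH = 0x10           # custom authentication TLV in the extension field
SUBTLV_NONCE = 0x01       # first sub-TLV: the random number
SUBTLV_CIPHERTEXT = 0x02  # second sub-TLV: the encryption parameter


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type (1 byte) | Length (2 bytes, big-endian) | Value."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def parse_tlvs(buf: bytes) -> dict:
    """Parse a TLV sequence into {type: value}, rejecting truncated or over-long entries."""
    tlvs, off = {}, 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", buf, off)
        off += 3
        if off + length > len(buf):
            raise ValueError("TLV length exceeds payload")
        tlvs[tlv_type] = buf[off:off + length]
        off += length
    return tlvs


def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the patent's unspecified symmetric algorithm: XOR with a SHA-256
    keystream over key || nonce || counter. Encrypting and decrypting are the same op."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_auth_tlv(key: bytes, auth_info: bytes, nonce: bytes = None) -> bytes:
    """Sender (second network element): encrypt the shared authentication information
    under a fresh random number and emit the two sub-TLVs inside the authentication TLV."""
    nonce = os.urandom(8) if nonce is None else nonce
    sub_tlvs = (encode_tlv(SUBTLV_NONCE, nonce)
                + encode_tlv(SUBTLV_CIPHERTEXT, stream_cipher(key, nonce, auth_info)))
    return encode_tlv(TLV_AUTH, sub_tlvs)


class OamAuthenticator:
    """Receiver (first network element). `table` maps the first identifier taken from the
    header (MPLS label or VID) to (second authentication information, key); key=None
    selects the plaintext LSR-ID variant, otherwise the encrypted variant."""

    def __init__(self, table: dict):
        self.table = table
        self.saved_invalid = []  # S204: keep illegal messages for the administrator

    def _reject(self, label: int, payload: bytes) -> bool:
        self.saved_invalid.append((label, payload))
        return False

    def verify(self, label: int, payload: bytes) -> bool:
        entry = self.table.get(label)
        if entry is None:                      # no mapping for this source identifier
            return self._reject(label, payload)
        expected, key = entry
        try:
            auth_tlv = parse_tlvs(payload)[TLV_AUTH]
            if key is None:                    # compare the carried value directly
                presented = auth_tlv
            else:                              # decrypt nonce + parameter, then compare
                sub = parse_tlvs(auth_tlv)
                presented = stream_cipher(key, sub[SUBTLV_NONCE], sub[SUBTLV_CIPHERTEXT])
        except (ValueError, KeyError):         # malformed payload or missing TLV
            return self._reject(label, payload)
        # Constant-time comparison: a mismatch leaks nothing about the expected value.
        return True if hmac.compare_digest(presented, expected) else self._reject(label, payload)


def demo() -> dict:
    """Constructed scenario from the description: label 1001 belongs to the second network
    element (LSR-ID 'LSR-2'); a misconfigured third network element reuses that label."""
    key = bytes(range(16))
    receiver = OamAuthenticator({1001: (b"LSR-2", key), 2002: (b"LSR-2", None)})
    genuine = build_auth_tlv(key, b"LSR-2", nonce=bytes(8))
    third_ne = build_auth_tlv(key, b"LSR-3", nonce=bytes(8))  # right label, wrong identity
    tampered = bytearray(genuine)
    tampered[-1] ^= 0x01                                       # one flipped ciphertext byte
    return {
        "genuine": receiver.verify(1001, genuine),
        "mislabelled_third_ne": receiver.verify(1001, third_ne),
        "tampered": receiver.verify(1001, bytes(tampered)),
        "plaintext_lsr_id": receiver.verify(2002, encode_tlv(TLV_AUTH, b"LSR-2")),
        "unknown_label": receiver.verify(3003, genuine),
        "saved_invalid": len(receiver.saved_invalid),
    }
```

The saved_invalid list is the S204 "save the illegal message" step; in a real element it would be the record the administrator inspects to tell a label misconfiguration from a forged message.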
Optionally, if the first authentication information matches the second authentication information, the first network element performs S205.
S205: the first network element determines that the first OAM message is a legal message, and further performs the operation indicated by the information in the first OAM message. For example, if the first OAM message instructs the first network element to switch communication from the working channel to the protection channel, the first network element switches communication from the working channel to the protection channel according to the instruction of the first OAM message.
Alternatively, when the first network element itself sends an OAM message to another network element, it may also write authentication information into that OAM message; the authentication information indicates to the receiving network element that the OAM message is a legal message. For example, when the first network element sends a second OAM message to a third network element, the method further includes S401 and S402, as shown in Fig. 4.
S401: the first network element obtains fourth authentication information according to the mapping from the third network element to the fourth authentication information.
Optionally, in one example, obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: the first network element determines an encryption algorithm according to the mapping from the third network element to the encryption algorithm; the first network element determines fifth authentication information according to the mapping from the third network element to the fifth authentication information; and the first network element encrypts the fifth authentication information with the encryption algorithm to obtain the fourth authentication information.
For example, the specific way in which the first network element encrypts the fifth authentication information to obtain the fourth authentication information may be the same as the way in which, in S203, the second network element encrypts the second authentication information to obtain the first authentication information.
Optionally, in another example, the first network element communicates with the third network element over a second LSP, and the fourth authentication information includes at least one of the following: the LSR identifier of the third network element; the LSR identifier of the first network element; and the identifier of the second LSP.
S402: the first network element sends the second OAM message to the third network element, the second OAM message carrying the fourth authentication information.
For example, the format of the fourth authentication information in the second OAM message may be the same as the format of the first authentication information in the first OAM message.
For example, the specific way in which the third network element judges, according to the fourth authentication information, whether the second OAM message is a legal message may be the same as the way in which, in the method of Fig. 2, the first network element judges according to the first authentication information whether the first OAM message is a legal message.
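The receive-side check of S201 to S205 and the send-side preparation of S401 and S402, as an added worked example in Python. This is not code from the patent or from the applicant: the message layout (a 20-bit label, a length-prefixed authentication field, then the OAM payload), the algorithm names, and the use of HMAC-SHA256 as the keyed variant are all assumptions made for this example, since the page leaves the encryption algorithm and the message format unspecified. The `peers` mapping below stands in for the page's mapping from the first identifier (the MPLS label) to the expected authentication information and to the algorithm used to protect it; in the keyed mode the receiver recomputes the tag and compares rather than decrypting, which is this example's substitute for the page's decrypt-then-compare step.

```python
"""Added example (not code from the patent or its applicant): a network
element that authenticates OAM messages by mapping the carried MPLS label to
the authentication information and algorithm it expects for that peer.
Layout, algorithm names and the HMAC-SHA256 variant are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthInfo:
    """Authentication information as listed on the page: LSR identifier of the
    sender, LSR identifier of the receiver, and the identifier of the LSP."""
    sender_lsr: str
    receiver_lsr: str
    lsp_id: int

    def encode(self) -> bytes:
        # Length-prefixed strings plus a fixed-width LSP id: unambiguous bytes.
        out = b""
        for s in (self.sender_lsr, self.receiver_lsr):
            raw = s.encode("utf-8")
            out += struct.pack("!H", len(raw)) + raw
        return out + struct.pack("!I", self.lsp_id)


@dataclass(frozen=True)
class PeerEntry:
    """One row of the 'identifier -> authentication information' mapping a
    network element keeps per peer. 'plain' carries the information as-is;
    'hmac-sha256' carries a keyed tag over it (assumed stand-in for the
    page's unspecified encryption step)."""
    auth_info: AuthInfo
    algorithm: str = "plain"
    key: bytes = b""


def protect(entry: PeerEntry) -> bytes:
    """Sender side (S401): compute the authentication field to carry."""
    info = entry.auth_info.encode()
    if entry.algorithm == "plain":
        return info
    if entry.algorithm == "hmac-sha256":
        return hmac.new(entry.key, info, hashlib.sha256).digest()
    raise ValueError(f"unknown algorithm: {entry.algorithm!r}")


def build_oam_message(label: int, entry: PeerEntry, payload: bytes) -> bytes:
    """Sender side (S402): 20-bit MPLS label, length-prefixed auth field, payload."""
    auth = protect(entry)
    return struct.pack("!IH", label & 0xFFFFF, len(auth)) + auth + payload


def parse_oam_message(msg: bytes):
    """Split a message built by build_oam_message into (label, auth, payload)."""
    label, auth_len = struct.unpack("!IH", msg[:6])
    return label, msg[6:6 + auth_len], msg[6 + auth_len:]


@dataclass
class NetworkElement:
    """Receiver side (S201 to S205)."""
    peers: dict                                  # MPLS label -> PeerEntry
    invalid_packets: list = field(default_factory=list)

    def receive(self, msg: bytes) -> bool:
        """True for a legal message; invalid packets are kept for the operator."""
        label, carried, _payload = parse_oam_message(msg)
        entry = self.peers.get(label)            # S202: identifier -> expected info
        # S203: recompute what the expected peer would send and compare in
        # constant time; a label with no mapping counts as a mismatch.
        if entry is None or not hmac.compare_digest(carried, protect(entry)):
            self.invalid_packets.append(msg)     # S204: invalid packet, saved
            return False
        return True                              # S205: legal, act on the payload


def demo() -> dict:
    """Constructed scenario: NE1 expects label 16 from NE2 (keyed) and label 17
    from NE4 (plain); label 99 has no mapping on NE1."""
    ne2_entry = PeerEntry(AuthInfo("lsr-2", "lsr-1", 100), "hmac-sha256", b"example-key-ne1-ne2")
    ne4_entry = PeerEntry(AuthInfo("lsr-4", "lsr-1", 200))
    ne1 = NetworkElement(peers={16: ne2_entry, 17: ne4_entry})

    ok_keyed = ne1.receive(build_oam_message(16, ne2_entry, b"switch to protection path"))
    ok_plain = ne1.receive(build_oam_message(17, ne4_entry, b"continuity check"))
    # Label 16 carried with authentication information from a different identity and key.
    other = PeerEntry(AuthInfo("lsr-3", "lsr-1", 100), "hmac-sha256", b"other-key")
    bad_keyed = ne1.receive(build_oam_message(16, other, b"switch to protection path"))
    bad_label = ne1.receive(build_oam_message(99, ne4_entry, b"continuity check"))
    return {"ok_keyed": ok_keyed, "ok_plain": ok_plain, "bad_keyed": bad_keyed,
            "bad_label": bad_label, "saved_invalid": len(ne1.invalid_packets)}


if __name__ == "__main__":
    print(demo())
```

In plain mode the carried field is just the LSR and LSP identifiers from the page's example, so a successful check establishes only that the sender knew those identifiers; the keyed mode ties the check to a secret shared by the two network elements. Both modes keep the page's structure of deciding per label, and both record rejected packets so an operator can trace their origin as the description suggests.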
Fig. 5 is a schematic structural diagram of a first network element provided by an embodiment of this application. As shown in Fig. 5, the first network element 500 includes a processor 501 and a network interface 502, and optionally a memory 503.
The processor 501 includes, but is not limited to, one or more of a central processing unit (CPU), a network processor (NP), an application-specific integrated circuit (ASIC), or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination of these.
The network interface 502 may be a wired interface, for example a Fiber Distributed Data Interface (FDDI) or an Ethernet interface. The network interface 502 may also be a wireless interface, such as a wireless LAN interface.
The memory 503 stores the program instructions executed by the processor 501. The memory 503 includes, but is not limited to, content-addressable memory (CAM), such as ternary CAM (TCAM), and random-access memory (RAM).
The memory 503 may also be integrated in the processor 501. If the memory 503 and the processor 501 are separate devices, they are connected, for example over a bus. The network interface 503 and the processor 501 may communicate over a bus, or the network interface 503 may be directly connected to the processor 501.
The processor 501 is configured to: receive a first OAM message through the network interface 502, the first OAM message carrying a first identifier and first authentication information; determine second authentication information according to the mapping from the first identifier to the second authentication information; judge whether the first authentication information matches the second authentication information; and, if the first authentication information does not match the second authentication information, determine that the first OAM message is an invalid packet.
Optionally, the processor 501 is further configured to save the first OAM message after determining that it is an invalid packet.
Optionally, the first authentication information is encrypted information, and judging whether the first authentication information matches the second authentication information includes: determining a decryption algorithm according to the mapping from the first identifier to the decryption algorithm; decrypting the first authentication information with the decryption algorithm to obtain third authentication information; and judging whether the third authentication information is equal to the second authentication information.
Optionally, the first network element 500 communicates with a second network element over a first label switched path (LSP), the first identifier is a multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: the identifier of the label switching router (LSR) of the second network element; the LSR identifier of the first network element 500; and the identifier of the first LSP.
Optionally, the processor 501 is further configured to: obtain fourth authentication information according to the mapping from a third network element to the fourth authentication information; and send a second OAM message to the third network element through the network interface, the second OAM message carrying the fourth authentication information, which indicates to the third network element that the second OAM message is a legal message.
Optionally, obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: determining an encryption algorithm according to the mapping from the third network element to the encryption algorithm; determining fifth authentication information according to the mapping from the third network element to the fifth authentication information; and encrypting the fifth authentication information with the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element 500 communicates with the third network element over a second LSP, and the fourth authentication information includes at least one of the following: the LSR identifier of the third network element; the LSR identifier of the first network element; and the identifier of the second LSP.
The first network element 500 provided in this embodiment can be used in the methods of the embodiments of Fig. 2 or Fig. 4 to realize the functions of the first network element there. For the other functions the first network element can realize, and for its interaction with other network elements, refer to the description of the first network element in the method embodiments, which is not repeated here.
The embodiments in this specification are described progressively: identical or similar parts of the embodiments can be referred to one another, and each embodiment concentrates on its differences from the others. Since the system embodiment is substantially similar to the method embodiment, it is described briefly; for the relevant parts, refer to the description of the method embodiment.
Obviously, those skilled in the art can make various changes and modifications to this application without departing from its scope. Thus, if these modifications and variations fall within the scope of the claims of this application and their equivalents, this application is intended to include them.

Claims (14)

1. A method for authenticating an operation, administration and maintenance (OAM) message, characterized in that the method comprises:
a first network element receives a first OAM message, the first OAM message carrying a first identifier and first authentication information;
the first network element determines second authentication information according to the mapping from the first identifier to the second authentication information;
the first network element judges whether the first authentication information matches the second authentication information;
if the first authentication information does not match the second authentication information, the first network element determines that the first OAM message is an invalid packet.
2. The method according to claim 1, characterized in that, after the first network element determines that the first OAM message is an invalid packet, the method further comprises:
the first network element saves the first OAM message.
3. The method according to claim 1 or 2, characterized in that the first authentication information is encrypted information, and the first network element judging whether the first authentication information matches the second authentication information comprises:
the first network element determines a decryption algorithm according to the mapping from the first identifier to the decryption algorithm;
the first network element decrypts the first authentication information with the decryption algorithm to obtain third authentication information;
the first network element judges whether the third authentication information is equal to the second authentication information.
4. The method according to claim 1 or 2, characterized in that the first network element communicates with a second network element over a first label switched path (LSP), the first identifier is a multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information comprises at least one of the following:
the identifier of the label switching router (LSR) of the second network element;
the LSR identifier of the first network element; and
the identifier of the first LSP.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
the first network element obtains fourth authentication information according to the mapping from a third network element to the fourth authentication information;
the first network element sends a second OAM message to the third network element, the second OAM message carrying the fourth authentication information, and the fourth authentication information indicating to the third network element that the second OAM message is a legal message.
6. The method according to claim 5, characterized in that the first network element obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information comprises:
the first network element determines an encryption algorithm according to the mapping from the third network element to the encryption algorithm;
the first network element determines fifth authentication information according to the mapping from the third network element to the fifth authentication information;
the first network element encrypts the fifth authentication information with the encryption algorithm to obtain the fourth authentication information.
7. The method according to claim 5, characterized in that the first network element communicates with the third network element over a second LSP, and the fourth authentication information comprises at least one of the following:
the LSR identifier of the third network element;
the LSR identifier of the first network element; and
the identifier of the second LSP.
8. A first network element, characterized in that it comprises a processor and a network interface, the processor being configured to:
receive a first OAM message through the network interface, the first OAM message carrying a first identifier and first authentication information;
determine second authentication information according to the mapping from the first identifier to the second authentication information;
judge whether the first authentication information matches the second authentication information;
if the first authentication information does not match the second authentication information, determine that the first OAM message is an invalid packet.
9. The first network element according to claim 8, characterized in that the processor is further configured to save the first OAM message after determining that the first OAM message is an invalid packet.
10. The first network element according to claim 8 or 9, characterized in that the first authentication information is encrypted information, and judging whether the first authentication information matches the second authentication information comprises:
determining a decryption algorithm according to the mapping from the first identifier to the decryption algorithm;
decrypting the first authentication information with the decryption algorithm to obtain third authentication information;
judging whether the third authentication information is equal to the second authentication information.
11. The first network element according to claim 8 or 9, characterized in that the first network element communicates with a second network element over a first label switched path (LSP), the first identifier is a multiprotocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information comprises at least one of the following:
the identifier of the label switching router (LSR) of the second network element;
the LSR identifier of the first network element; and
the identifier of the first LSP.
12. The first network element according to any one of claims 8 to 11, characterized in that the processor is further configured to:
obtain fourth authentication information according to the mapping from a third network element to the fourth authentication information;
send a second OAM message to the third network element through the network interface, the second OAM message carrying the fourth authentication information, and the fourth authentication information indicating to the third network element that the second OAM message is a legal message.
13. The first network element according to claim 12, characterized in that obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information comprises:
determining an encryption algorithm according to the mapping from the third network element to the encryption algorithm;
determining fifth authentication information according to the mapping from the third network element to the fifth authentication information;
encrypting the fifth authentication information with the encryption algorithm to obtain the fourth authentication information.
14. The first network element according to claim 12, characterized in that the first network element communicates with the third network element over a second LSP, and the fourth authentication information comprises at least one of the following:
the LSR identifier of the third network element;
the LSR identifier of the first network element; and
the identifier of the second LSP.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610088118.3A CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message
PCT/CN2017/071512 WO2017140199A1 (en) 2016-02-16 2017-01-18 Operations, administration and maintenance message authentication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610088118.3A CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message

Publications (2)

Publication Number Publication Date
CN107086959A true CN107086959A (en) 2017-08-22
CN107086959B CN107086959B (en) 2020-11-06

Family

ID=59614549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610088118.3A Active CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message

Country Status (2)

Country Link
CN (1) CN107086959B (en)
WO (1) WO2017140199A1 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8830841B1 (en) * 2010-03-23 2014-09-09 Marvell Israel (M.I.S.L) Ltd. Operations, administration, and maintenance (OAM) processing engine

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030177221A1 (en) * 2002-03-18 2003-09-18 Hamid Ould-Brahim Resource allocation using an auto-discovery mechanism for provider-provisioned layer-2 and layer-3 Virtual Private Networks
CN101651670A (en) * 2008-10-29 2010-02-17 中国科学院声学研究所 Integrated management method for services and users in Ethernet service operation and system thereof
CN103428009A (en) * 2012-05-14 2013-12-04 中兴通讯股份有限公司 Method and device for achieving OAM of grouped synchronous networks
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
CN103780420A (en) * 2012-10-25 2014-05-07 中国电信股份有限公司 Automatic configuration method and system of Ethernet connectivity detection in VPLS environment
CN103684792A (en) * 2013-12-23 2014-03-26 加弘科技咨询(上海)有限公司 Safety authentication method for OAM (Operation, Administration and Maintenance) and OAM message sending/receiving device

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839009A (en) * 2019-11-22 2021-05-25 华为技术有限公司 Method, device and system for processing message
CN112839009B (en) * 2019-11-22 2023-09-01 华为技术有限公司 Method, device and system for processing message

Also Published As

Publication number Publication date
CN107086959B (en) 2020-11-06
WO2017140199A1 (en) 2017-08-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant