CN108243099B - Method, device and system for path selection - Google Patents

Method, device and system for path selection

Info

Publication number: CN108243099B
Application number: CN201611210906.1A
Authority: CN (China)
Prior art keywords: network device, path, information, traffic, encryption
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108243099A (publication of the application; CN108243099B is the granted patent)
Inventors: 丁潜, 盛秋康, 张晓东
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Later application claiming priority to CN201611210906.1A: CN202110292750.0A (published as CN113055284A)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/22 Alternate routing
    • H04L 45/28 Routing or path finding of packets in data switching networks using route fault recovery

Abstract

Embodiments of the invention provide a path selection method for an APS network comprising a first network device and a second network device, between which a working (main) path and a protection (standby) path are established and traffic decision packets are exchanged. The method comprises: the first network device receives a first traffic decision packet from the second network device, the packet carrying traffic trend decision information and dynamic encryption check information; the first network device performs an encryption check on the packet using the dynamic encryption check information; and, after the check passes, it selects the path on which traffic is sent to the second network device according to the traffic trend decision information. Checking the first traffic decision packet with dynamic encryption check information improves confidence in the source of APS packets.

Description

Method, device and system for path selection
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a system for path selection.
Background
Automatic Protection Switching (APS) during service transmission in a network means using one protection channel to protect one or more working channels. When a working channel fails, the service carried on it is switched automatically to the protection channel, so that loss of user data is minimized and network reliability improves. The APS protocol coordinates the source and sink ends during bidirectional protection switching so that the two ends jointly perform protection switching, switching delay, wait-to-restore and similar functions. The source and sink ends may be the local Provider Edge (PE) node and the remote (opposite-end) PE node at the two ends of a transport network, such as an IP Radio Access Network (IPRAN), a metropolitan area network (MAN) or a Packet Transport Network (PTN).
As a protection mechanism, APS provides end-to-end protection for Label Switched Paths (LSPs) or Pseudowires (PWs). A protection path is established in advance and switched to when the working path (or a node on it) fails, so that the traffic interruption caused by the failure is kept as short as possible.
The APS state machine in the source PE decides which path to switch to based on the current defect state of the paths, the APS packet received from the far end and, optionally, further conditions such as a configured manual switching command and/or the Wait-to-Restore (WTR) or Hold-Off timer. At present the only key identifying an APS packet is the service label: APS packets carrying the same service label are treated as APS packets of the same service. If an APS packet comes from the wrong source, the APS decision is wrong, which degrades the accuracy or efficiency of path switching.
Disclosure of Invention
Embodiments of this application provide a method, apparatus, system and storage medium for path selection in APS that reduce APS packet source errors and thereby improve the accuracy or efficiency of path switching. They also provide a method, apparatus, system and storage medium for APS packet verification that reduce APS packet source errors and improve the correctness of APS decisions.
In a first aspect, an embodiment provides a path selection method applied to an APS network comprising a first network device and a second network device, between which a working (main) path and a protection (standby) path are established and traffic decision packets are exchanged. The method comprises: the first network device receives a first traffic decision packet from the second network device, the packet carrying traffic trend decision information and dynamic encryption check information; performs an encryption check on the first traffic decision packet according to the dynamic encryption check information; and, after the check passes, selects the path on which traffic is sent to the second network device according to the traffic trend decision information.
Because the first traffic decision packet is checked with dynamic encryption check information that includes a dynamically and randomly generated Key value, a traffic decision packet that is in fact an APS packet injected by a hacker or an unauthorized third party, or an APS packet sent by a third network device on the basis of residual or erroneous APS configuration, can be rejected. This improves the source correctness of APS packets, so that path switching decisions are made according to the traffic trend decision information in genuine APS packets, which improves the correctness of APS decisions and hence the correctness or efficiency of path switching.
With reference to the first aspect, in a first possible implementation the method further comprises: the first network device sends an encryption negotiation packet to the second network device carrying the encryption capability and encryption algorithm of the first network device; receives an encryption negotiation reply packet from the second network device carrying the encryption capability and encryption algorithm of the second network device; and records the encryption capability and encryption algorithm of the second network device.
Negotiating the encryption capability and algorithm, rather than fixing them by static system configuration, makes the encryption and check procedure more flexible.
With reference to the first aspect, in a second possible implementation the dynamic encryption check information comprises a random Key value and a first digest, the first digest being computed with the encryption algorithm of the second network device over the random Key value and configuration information obtained by the second network device, where the configuration information comprises at least one of tunnel information and OAM information. The first network device computes a second digest with the same encryption algorithm over the Key value and the configuration information obtained by the first network device itself, and checks the second digest against the first digest.
With reference to the first aspect, in a third possible implementation the dynamic encryption check information comprises a random Key value, the configuration information itself, and a first digest computed with the encryption algorithm of the second network device over the Key value and the configuration information, where the configuration information comprises at least one of tunnel information and OAM information. The first network device computes a second digest with the same encryption algorithm over the received Key value and configuration information, and checks the second digest against the first digest.
In the second and third implementations, folding configuration information (tunnel information and/or OAM information) into the digest further improves the source correctness of APS packets and hence the correctness of path selection. Because tunnel information and OAM information are known only to the network devices at the two ends of the working/protection path and not to a third party, it becomes harder for a third party to send a forged APS packet that passes the check. The two implementations also provide different ways of obtaining the configuration information used for the digest (obtained locally at each end, or carried in the packet), which helps support the encryption check on a variety of devices.
In a second aspect, an embodiment provides a packet checking method applied to an APS network comprising a first network device and a second network device, between which a path comprising a working (main) path and a protection (standby) path is established and traffic decision packets are exchanged; the traffic decision packets are used to negotiate traffic decision information between the two devices, and each device selects the path for transmitting traffic according to that information. The method comprises: the first network device receives a first traffic decision packet from the second network device, the packet comprising the traffic trend decision information, a random Key value and a first digest, the first digest being computed with the encryption algorithm of the second network device over the Key value and configuration information, where the configuration information comprises at least one of tunnel information and OAM information; the first network device computes a second digest with the same encryption algorithm over the Key value and the configuration information, and checks the second digest against the first digest; if the second digest matches the first digest, the first network device selects the path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information; if the second digest does not match the first digest, the first network device ignores the first traffic decision packet.
Computing a digest over the first traffic decision packet from a randomly generated Key value and the protected configuration information, and checking the packet by comparing the digests computed at the two ends, allows a traffic decision packet that is in fact an APS packet injected by a hacker or an unauthorized third party, or an APS packet sent by a third network device on the basis of residual or erroneous APS configuration, to be rejected. This improves the source correctness of APS packets, so that path switching decisions are made according to the traffic trend decision information in genuine APS packets, which improves the correctness of APS decisions.
With reference to the second aspect, in a first possible implementation the method further comprises: sending an encryption negotiation packet to the second network device carrying the encryption capability and encryption algorithm of the first network device; receiving an encryption negotiation reply packet from the second network device carrying the encryption capability and encryption algorithm of the second network device; and recording the encryption capability and encryption algorithm of the second network device.
Negotiating the encryption capability and algorithm, rather than fixing them by static system configuration, makes the encryption and check procedure more flexible.
With reference to the second aspect, in a second possible implementation, when the second digest does not match the first digest, the Key value sent by the second network device is recorded so as to form a blacklist.
Recording the Key values of packets that failed the check forms a blacklist; a later traffic decision packet (an APS packet) carrying the same Key value can then be ignored directly, which speeds up APS verification.
With reference to the second aspect, in a third possible implementation, the configuration information used for computing the first digest and the second digest is carried in the first traffic decision packet, is negotiated and determined in the encryption negotiation packet and the encryption negotiation reply packet, or is stored on the first network device and the second network device.
This implementation provides flexible ways of obtaining the configuration information used for the digest, which helps support the encryption check on a variety of devices.
In a third aspect, an embodiment provides a path selection apparatus applied to an APS network comprising a first network device and a second network device, where the apparatus is the first network device, a path comprising a working (main) path and a protection (standby) path is established between the two devices, and traffic decision packets are exchanged between them. The first network device comprises: a transceiver unit, configured to receive a first traffic decision packet from the second network device, the packet comprising traffic trend decision information and dynamic encryption check information; and a path selection unit, configured to perform an encryption check on the first traffic decision packet according to the dynamic encryption check information and, after the check passes, to select the path on which traffic is sent to the second network device according to the traffic trend decision information.
Because the first traffic decision packet is checked with dynamic encryption check information that includes a dynamically and randomly generated Key value, a traffic decision packet that is in fact an APS packet injected by a hacker or an unauthorized third party, or an APS packet sent by a third network device on the basis of residual or erroneous APS configuration, can be rejected. This improves the source correctness of APS packets, so that path switching decisions are made according to the traffic trend decision information in genuine APS packets, which improves the correctness of APS decisions and hence the correctness or efficiency of path switching.
In a fourth aspect, an embodiment provides a path selection device applied to an APS network comprising a first network device and a second network device, where the device is the first network device, a path comprising a working (main) path and a protection (standby) path is established between the two devices, and traffic decision packets are exchanged between them. The first network device comprises: a transceiver, configured to receive a first traffic decision packet from the second network device, the packet comprising traffic trend decision information and dynamic encryption check information; and a processor, configured to perform an encryption check on the first traffic decision packet according to the dynamic encryption check information and, after the check passes, to select the path on which traffic is sent to the second network device according to the traffic trend decision information.
In a fifth aspect, an embodiment provides a packet checking device applied to an APS network comprising a first network device and a second network device, where the device is the first network device, a path comprising a working (main) path and a protection (standby) path is established between the two devices, traffic decision packets are exchanged between them to negotiate traffic decision information, and each device selects the path for transmitting traffic according to that information. The device comprises: a transceiver unit, configured to receive a first traffic decision packet from the second network device, the packet comprising the traffic trend decision information, a random Key value and a first digest, the first digest being computed with the encryption algorithm of the second network device over the Key value and configuration information, where the configuration information comprises at least one of tunnel information and OAM information; and a processing unit, configured to compute a second digest with the same encryption algorithm over the Key value and the configuration information, to check the second digest against the first digest, to select the path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information when the second digest matches the first digest, and to ignore the first traffic decision packet when it does not.
In a sixth aspect, an embodiment provides a packet checking device applied to an APS network comprising a first network device and a second network device, where the device is the first network device, a path comprising a working (main) path and a protection (standby) path is established between the two devices, traffic decision packets are exchanged between them to negotiate traffic decision information, and each device selects the path for transmitting traffic according to that information. The device comprises: a transceiver, configured to receive a first traffic decision packet from the second network device, the packet comprising the traffic trend decision information, a random Key value and a first digest, the first digest being computed with the encryption algorithm of the second network device over the Key value and configuration information, where the configuration information comprises at least one of tunnel information and OAM information; and a processor, configured to compute a second digest with the same encryption algorithm over the Key value and the configuration information, to check the second digest against the first digest, to select the path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information when the second digest matches the first digest, and to ignore the first traffic decision packet when it does not.
In a seventh aspect, an embodiment provides a packet checking method applied to an APS network comprising a first network device and a second network device, between which a path comprising a working (main) path and a protection (standby) path is established and traffic decision packets are exchanged to negotiate traffic decision information, each device selecting the path for transmitting traffic according to that information. The method is executed by the second network device and comprises: obtaining traffic trend decision information, configuration information and a random Key value, where the configuration information comprises at least one of OAM information and tunnel information; computing a first digest over the random Key value and the configuration information with an encryption algorithm; and sending a first traffic decision packet to the first network device, the packet comprising the traffic trend decision information, the random Key value and the first digest. The configuration information, the random Key value and the first digest are used by the first network device to check the first traffic decision packet, and the traffic trend decision information is used by the first network device, after the check passes, to select the path on which it transmits traffic to the second network device.
Computing a digest over the first traffic decision packet from a dynamically and randomly generated Key value and the protected configuration information (OAM information and/or tunnel information), and sending the random Key value and the digest to the peer network device, lets the peer recompute a second digest from the random Key value with the agreed algorithm and so check the traffic decision packet. A traffic decision packet that is in fact an APS packet injected by a hacker or an unauthorized third party, or an APS packet sent by a third network device on the basis of residual or erroneous APS configuration, can thereby be rejected. This improves the source correctness of APS packets, so that path switching decisions are made according to the traffic trend decision information in genuine APS packets, which improves the correctness of APS decisions.
With reference to the seventh aspect, in a first possible implementation the method further comprises: the second network device sends an encryption negotiation packet to the first network device carrying the encryption capability and encryption algorithm of the second network device; receives an encryption negotiation reply packet from the first network device carrying the encryption capability and encryption algorithm of the first network device; and records the encryption capability and encryption algorithm of the first network device.
Negotiating the encryption capability and algorithm, rather than fixing them by static system configuration, makes the encryption and check procedure more flexible.
In an eighth aspect, an embodiment provides a packet checking apparatus applied to an APS network comprising a first network device and a second network device, where the apparatus is the second network device, a path comprising a working (main) path and a protection (standby) path is established between the two devices, traffic decision packets are exchanged between them to negotiate traffic decision information, and each device selects the path for transmitting traffic according to that information. The apparatus comprises: an obtaining unit, configured to obtain traffic trend decision information, configuration information and a random Key value, where the configuration information comprises at least one of OAM information and tunnel information; a processing unit, configured to compute a first digest over the random Key value and the configuration information with an encryption algorithm; and a transceiver unit, configured to send a first traffic decision packet to the first network device, the packet comprising the traffic trend decision information, the random Key value and the first digest. The configuration information, the random Key value and the first digest are used by the first network device to check the first traffic decision packet, and the traffic trend decision information is used by the first network device, after the check passes, to select the path on which it transmits traffic to the second network device.
In a ninth aspect, an embodiment provides a packet checking apparatus applied to an APS network comprising a first network device and a second network device, where the apparatus is the second network device, a path comprising a working (main) path and a protection (standby) path is established between the two devices, traffic decision packets are exchanged between them to negotiate traffic decision information, and each device selects the path for transmitting traffic according to that information. The apparatus comprises a processor and a transceiver. The processor is configured to obtain traffic trend decision information, configuration information and a random Key value, where the configuration information comprises at least one of OAM information and tunnel information, and to compute a first digest over the random Key value and the configuration information with the encryption algorithm. The transceiver is configured to send a first traffic decision packet to the first network device, the packet comprising the traffic trend decision information, the random Key value and the first digest. The configuration information, the random Key value and the first digest are used by the first network device to check the first traffic decision packet, and the traffic trend decision information is used by the first network device, after the check passes, to select the path on which it transmits traffic to the second network device.
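The exchange described in the first, second and seventh aspects above, as an added example that is not code from the patent or from Huawei: negotiation of the digest algorithm, a sender (second network device) that draws a random Key value and computes the first digest over the Key value and the shared tunnel/OAM configuration information, and a receiver (first network device) that recomputes the second digest, ignores a packet whose digest does not match, records its Key value in the blacklist of the second aspect's second implementation, and only then lets the traffic trend decision information drive path selection. The packet fields, the length-prefixed encoding of the configuration information, the algorithm names and constructions, and the sample tunnel/OAM values are assumptions of this example; the patent shows the payload in fig. 8 but this page gives no byte-level format.

```python
"""Added example (not the patent's own code): dynamic digest check on an APS
traffic decision packet. Everything marked "assumed" is this example's choice."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigInfo:
    """Configuration information known to both ends (assumed encoding)."""
    tunnel_info: bytes   # e.g. a tunnel identifier (assumed)
    oam_info: bytes      # e.g. OAM MEG/MEP identifiers (assumed)

    def encode(self) -> bytes:
        # Length-prefix each field so two different (tunnel, oam) pairs can
        # never serialize to the same byte string.
        return (len(self.tunnel_info).to_bytes(2, "big") + self.tunnel_info
                + len(self.oam_info).to_bytes(2, "big") + self.oam_info)


@dataclass(frozen=True)
class DecisionPacket:
    """First traffic decision packet (assumed fields)."""
    trend: str      # traffic trend decision, e.g. "working" or "protection"
    key: bytes      # random Key value, transmitted in the clear
    digest: bytes   # first digest over (Key value, configuration information)


# Algorithms an end may advertise as its encryption capability. The names and
# constructions are assumptions of this example, not the patent's.
ALGORITHMS = {
    # digest over Key || configuration, as the description literally states
    "sha256": lambda key, cfg: hashlib.sha256(key + cfg).digest(),
    # keyed variant: the shared configuration keys the HMAC, the Key value is
    # the message; makes explicit that the configuration is the secret
    "hmac-sha256": lambda key, cfg: hmac.new(cfg, key, hashlib.sha256).digest(),
}


def negotiate(local_caps, remote_caps) -> str:
    """Encryption negotiation: first algorithm in local preference order that
    the peer's negotiation reply also lists."""
    for alg in local_caps:
        if alg in remote_caps:
            return alg
    raise ValueError("no common encryption algorithm")


class SecondNetworkDevice:
    """Sender side (seventh aspect)."""

    def __init__(self, alg: str, cfg: ConfigInfo):
        self.alg, self.cfg = alg, cfg

    def build_decision(self, trend: str, key: bytes = b"") -> DecisionPacket:
        key = key or os.urandom(16)                    # random Key value
        digest = ALGORITHMS[self.alg](key, self.cfg.encode())
        return DecisionPacket(trend, key, digest)


class FirstNetworkDevice:
    """Receiver side (first and second aspects)."""

    def __init__(self, alg: str, cfg: ConfigInfo):
        self.alg, self.cfg = alg, cfg
        self.blacklist = set()          # Key values that failed the check
        self.active_path = "working"

    def handle(self, pkt: DecisionPacket) -> str:
        if pkt.key in self.blacklist:
            return "ignored:blacklisted"               # no digest work needed
        second = ALGORITHMS[self.alg](pkt.key, self.cfg.encode())
        if not hmac.compare_digest(second, pkt.digest):  # constant-time compare
            self.blacklist.add(pkt.key)
            return "ignored:digest-mismatch"
        self.active_path = pkt.trend    # decision information trusted only now
        return "accepted"


def demo() -> dict:
    """Constructed scenario: the genuine peer, then a third device carrying
    residual OAM configuration, then a replay of the third device's packet."""
    alg = negotiate(["hmac-sha256", "sha256"], ["sha256", "hmac-sha256"])
    shared = ConfigInfo(tunnel_info=b"tunnel-1001", oam_info=b"meg-7/mep-2")
    stale = ConfigInfo(tunnel_info=b"tunnel-1001", oam_info=b"meg-7/mep-9")
    pe1 = FirstNetworkDevice(alg, shared)
    peer = SecondNetworkDevice(alg, shared)
    rogue = SecondNetworkDevice(alg, stale)

    results = {"alg": alg}
    results["peer"] = pe1.handle(peer.build_decision("protection"))
    bad = rogue.build_decision("working")
    results["rogue"] = pe1.handle(bad)
    results["replay"] = pe1.handle(bad)
    results["path"] = pe1.active_path   # still "protection": rogue was ignored
    return results


if __name__ == "__main__":
    print(demo())
```

The random Key value travels in the clear, so what the third device in the scenario lacks is the configuration information; that is exactly the property the description relies on when it says tunnel and OAM information are known only to the two ends. The hmac-sha256 option makes that role explicit by keying the digest with the configuration, while the sha256 option follows the text literally. The digests are compared with a constant-time comparison, and the blacklist lookup runs before any digest computation, which is the speed-up the second implementation of the second aspect describes.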
In a tenth aspect, an embodiment provides a computer-readable storage medium storing program code that instructs execution of the method of the first aspect or of any possible implementation of the first aspect.
In an eleventh aspect, an embodiment provides a computer-readable storage medium storing program code that instructs execution of the method of the second aspect or of any possible implementation of the second aspect.
In a twelfth aspect, an embodiment provides a computer-readable storage medium storing program code that instructs execution of the method of the seventh aspect or of any possible implementation of the seventh aspect.
In a thirteenth aspect, an embodiment provides a packet checking system applied to an APS network, comprising the first network device of any implementation of the third to sixth aspects and the corresponding second network device.
In a fourteenth aspect, an embodiment provides a packet checking system applied to an APS network, comprising the second network device of the eighth or ninth aspect and the corresponding first network device.
In a fifteenth aspect, an embodiment provides a packet checking system applied to an APS network, comprising the first network device of any implementation of the third to sixth aspects and the second network device of the eighth or ninth aspect.
Drawings
Fig. 1 is a schematic diagram of an APS protection scenario networking architecture according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an APS system switching operation according to an embodiment of the present invention;
Fig. 3 is a working schematic diagram of switching an APS from the main path to the standby path according to an embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating processing of an abnormal APS packet according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a path selection process according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an APS packet checking process according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of an APS packet extension method according to an embodiment of the present invention;
Fig. 8 is a schematic diagram illustrating an APS packet payload according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a dynamic encryption and checking process for an APS packet according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a path selection device according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a packet checking apparatus according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of another packet checking apparatus according to an embodiment of the present invention;
Fig. 13 is a schematic structural diagram of a network device applied to APS according to an embodiment of the present invention;
Fig. 14 is a schematic structural diagram of an APS system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The network architecture and the service scenario described in the embodiment of the present invention are for more clearly illustrating the technical solution of the embodiment of the present invention, and do not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by those skilled in the art that the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems along with the evolution of the network architecture and the appearance of a new service scenario.
Referring to fig. 1, a schematic diagram of the networking architecture of an APS protection scenario system according to an embodiment of the present invention is shown. The networking system may be a data transmission network or a bearer network, such as an Internet Protocol Radio Access Network (IPRAN)/metropolitan area network, a Packet Transport Network (PTN), a Synchronous Digital Hierarchy (SDH) network, or an Optical Transport Network (OTN). The network system includes a provider edge (PE) device PE1, a provider (P) device P1, a provider (P) device P2, and a PE device PE2. It should be noted that the embodiments of the present application take provider edge nodes as an example, and the following embodiments mainly describe a first PE device and a second PE device. The first network device and the second network device may specifically be routers, switches, or other devices that forward traffic, including a switch in a software-defined networking (SDN) scenario, in which case the network device may be formed by a controller together with the corresponding forwarding device. Two paths exist between PE1 and PE2: a working path (or main path; the terms are used interchangeably throughout the present application) consisting of PE1-P1-PE2, and a protection path (or backup path, likewise used interchangeably) consisting of PE1-P2-PE2. Each of the main path and the backup path may be a path such as an LSP or a PW. When the main path fails, the PE device switches (or switches over; the terms are used interchangeably throughout the application) the traffic flow from the main path to the standby path, so that the corresponding service is not interrupted.
The active/standby paths may be located in the same tunnel or in different tunnels. It should be noted that the system shown in fig. 1 is only one application scenario of the embodiment of the present application and does not limit the application scenarios of the present application.
Fig. 2 is a schematic diagram of a specific implementation of the APS switching principle, in which the source PE device and the destination PE device on an end-to-end service both include an Operation, Administration and Maintenance (OAM) state machine and an APS state machine, where the OAM state machine includes a working path OAM state machine and a protection path OAM state machine (for convenience of explanation, the source PE device is referred to as a first PE device, and the sink PE device is referred to as a second PE device). The APS path switching process is completed through the interaction between the OAM and APS state machines of the PE devices at the two ends, and through the interaction between the OAM state machine and the APS state machine within each end device. OAM messages are sent and received on the main path and the standby path in order to detect faults on the two paths. The OAM state machine periodically notifies the APS state machine of the state of each path through messages exchanged within the device. The APS state machines of the PE devices at the two ends coordinate their APS decision results by exchanging APS messages on the standby path. The working process of the APS provided in the embodiment of the present application is further described below, taking the case in which the APS switches from the primary path to the standby path.
Referring to fig. 3, the specific operation process of switching the APS from the primary path to the standby path is as follows:
1) After the main path between the first PE device and the second PE device fails, the main path OAM state machine in the first PE device detects that path messages can no longer be sent and received normally on the main path, and notifies the APS state machine of the first PE device of the main path failure through an intra-device interaction message. Similarly, the main path OAM state machine in the second PE device detects the problem on the main path and notifies the APS state machine of the second PE device of the main path failure through an intra-device interaction message.
2) Similarly, the standby path OAM state machine in the second PE device informs the APS state machine of the second PE device that the standby path is normal through an intra-device interaction message.
3) The APS state machine in the second PE device sends an APS message to the APS state machine in the first PE device to notify it that traffic is to be switched to the standby path. The APS message includes a service label and traffic trend decision information. The traffic trend decision information may specifically include information that affects the APS decision result and the traffic switching state, for example, information indicating whether the service traffic should be routed on the main path or the standby path, and may further include other information that affects the traffic decision (see the implementation of fig. 5 below). The service label indicates the service to which the APS message corresponds; if, after receiving the APS message, the first PE device determines that the service labels are the same, it uses the traffic trend decision information in the APS message as a reference for the path decision.
4) The APS state machine in the first PE device combines the notification state of its OAM state machine with the content of the APS message from the second PE device, and decides that traffic should go to the standby path.
5) The APS state machine in the first PE device refreshes the forwarding path state to the standby path.
6) The APS state machine in the first PE device informs the APS state machine of the second PE device, through an APS message, that the first PE device has switched to the standby path; after receiving the message, the APS state machine in the second PE device also decides on the standby path.
In the above path switching decision process, the unique identifier of an APS message is the service label, and APS messages with the same service label are regarded as APS messages corresponding to the same service. As mentioned above, if the service label carried in the APS message sent by the second PE to the first PE is the same as the normal label of the service whose traffic is to be switched, for example both are 100, the first PE device will refer to the content carried in that APS message when making the path switching decision; if the source of the APS message is wrong, the APS decision may be wrong. Using only a service label to identify an APS message may cause the following problems in practice:
In a static configuration scenario, residual or incorrect APS configuration remains on a device; if the static labels of the APS messages sent by that residual or incorrect configuration duplicate a label in use, the PE device may receive wrong APS messages, which affects the APS decision result.
In a malicious attack scenario, a forged APS payload carrying an illegal state together with the normal service label is constructed maliciously; the PE receives and processes the APS message, so the APS decision becomes wrong and the correctness of path switching is affected.
The result of such a malicious APS message is similar to the problem caused by residual or incorrectly configured APS: an incorrect APS input source leads to an inaccurate or incorrect path decision result, which in turn affects the correctness of path switching.
As shown in fig. 4, the APS state machine on PE2 receives an APS message from the PE1 device whose service label is the same as the normal APS label on PE2, for example both are 100, and whose traffic trend decision information indicates the standby path. In addition, PE2 also continuously receives an APS message from PE3 (sent by a residual or incorrect configuration on PE3), whose service label is also the same as the normal APS service label and whose traffic trend decision information indicates the standby path, and an APS message from a hacker, whose service label is likewise the same as the normal APS service label and whose traffic trend decision information indicates the standby path. All three APS messages trigger PE2 to perform a path decision, and the decision result may be the standby path or the main path, so that the APS decision result of PE2 continuously oscillates, affecting the accuracy or efficiency of path switching.
In order to solve the above problem, an embodiment of the present invention provides a method for selecting a path, referring to fig. 5, in conjunction with the network scenarios in fig. 1 to 4, a PE in this embodiment may be the PE in fig. 1 to 4, where the method includes the following steps:
502: PE1 acquires a path defect status.
In a specific embodiment, the PE1 obtains the path defect status of the main path and the standby path between the PE1 and the PE2, and for convenience of description, the PE1 is referred to as a first PE device, and the PE2 is referred to as a second PE device. Specifically, the main path OAM state machine in the first PE device may monitor a defect state of the main path, and the standby path OAM state machine in the first PE device may monitor a defect state of the standby path, where the specific states include a fault state and a normal state. It is to be appreciated that in alternative embodiments, the defect status of the primary path and the backup path may also be monitored simultaneously by one OAM state machine. And the OAM state machine periodically informs the monitoring result to the APS state machine of the first PE device, so that the defect states of the main path and the standby path are acquired. Reference may be made in particular to the embodiments of figures 2 and 3 described above. It can be understood that the present invention may use other existing manners to monitor the defect state of the active/standby path on the first PE device, and is not limited to the interaction manner of the OAM state machine and the APS state machine.
504: receiving a first traffic decision message sent by PE2, where the first traffic decision message includes traffic trend decision information and dynamic encryption check information.
In a specific embodiment, the APS state machine of the first PE device and the APS state machine of the second PE device may interact over a path whose state is normal, and the APS state machine of the second PE device sends a first traffic decision message to the APS state machine of the first PE device. The traffic decision message may specifically be an APS message, and the protocol adopted may be an APS protocol, an MPLS protocol, or a TP protocol, or a protocol newly developed in the future. Reference may be made to the specific manner described in the embodiments corresponding to fig. 2 and 3, which is not repeated here. The first traffic decision message includes traffic trend decision information and dynamic encryption check information. Referring to fig. 6 and fig. 7, in an embodiment provided by the present application, the dynamic encryption check information may include a random Key value and an encryption digest, or a random Key value, configuration information, and an encryption digest. This embodiment takes the case in which the dynamic encryption check information includes a random Key value, configuration information, and an encryption digest. It is understood that the encryption digest may also be calculated over the random Key value alone, in which case neither PE1 nor PE2 needs to obtain the configuration information.
In the case that the encryption digest is calculated using the configuration information, the configuration information for calculating the digest may be obtained in the following ways: (1) PE1 and PE2 each locally store configuration information negotiated by both parties, that is, the configuration information used to calculate the encryption digest is configured directly on the system; (2) the configuration information for calculating the encryption digest is agreed in the encryption negotiation message and the encryption negotiation reply message; (3) the configuration information for calculating the encryption digest is carried in the first traffic decision message (as in this embodiment and in the embodiment of fig. 9).
The configuration information includes OAM information and/or tunnel information. The tunnel information is the information of the tunnel in which the main/standby path is located; as described above, the main path and the standby path may be located in the same tunnel or in different tunnels, which is not limited by the present invention. The tunnel information may be information that identifies a service; each service has some information dedicated to it, so the tunnel information may be identified by a key element of the tunnel forwarding path, such as a forwarding label, a service ID (for example, the Label Switched Path ID of an LSP service or the Virtual Circuit ID of a PW service), a destination address, a router identification ID, or a loopback address. The OAM information is information related to the Maintenance Entity Group (MEG) formed by the OAM configured on the two PE devices. The MEG has two Maintenance End Points (MEPs), identified locally and remotely by the MEP-id and the remote-MEP-id; that is, the OAM information may include the MEG, the MEP-id and the remote-MEP-id, and may also include information such as the sending frequency of OAM messages.
The random Key value is randomly generated by PE2 and filled into the first traffic decision message (such as an APS message). The encryption digest is obtained by PE2 computing over the random Key value and the configuration information with an encryption algorithm supported by PE2. Fig. 7 shows a manner of carrying the dynamic encryption check information: the APS message TLV is extended, and specifically a support field, a code type field, a Key field, and a Digest field may be added under Value. The support field indicates whether dynamic encryption is supported; the code type field indicates the encryption type, which may for example be MD5 (Message Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1), AES (Advanced Encryption Standard), and the like; the Key field is filled with the random Key value generated by the PE; and the Digest field is filled with the encryption digest that the PE obtains by computing over the Key value and the configuration information with the encryption algorithm it supports. As described above, when the configuration information is carried in the first traffic decision message, it may also be carried in the Key field, that is, one part of the Key field carries the random Key value and another part carries the configuration information. It is understood that the above extension for carrying the dynamic encryption check information is only one example and does not limit the present invention. When the MPLS protocol or the TP protocol is adopted, the corresponding field of the MPLS protocol or TP protocol packet may be extended to carry the above information, which is not described again here.
As shown in fig. 8, the traffic trend decision information in an embodiment provided by the present application may specifically include information that affects the APS decision result and the traffic switching state. For example, the Requested Signal information in the APS message indicates whether the opposite end wants to send traffic over the standby path; if the field is filled with 0x01, the opposite end has decided to go to the standby path. In addition, the traffic trend decision information may further include all fields of the standard APS message that are input to the APS state machine and may affect the APS decision result, such as State, ABDR, Requested Signal, and Bridge Signal. "State" indicates the type of APS request transmitted from the remote end; this request and the local switching request act together to produce the final switching state of the local end. The ABDR fields are, respectively: 1) A: whether an APS channel is present. 2) B: bridge mode, for example 1:1 or 1+1. 3) D: switching mode, single-ended or double-ended switching. 4) R: revertive mode, revertive or non-revertive. The Requested Signal and Bridge Signal carry the bridging and switching states of the local end and transmit them to the far end; they are also used for a consistency comparison with the received remote bridging and switching states. It can be understood that, in the case of using the MPLS protocol or the TP protocol, the traffic trend decision information may be carried by the corresponding field of the MPLS protocol or TP protocol packet, which is not described again here.
506: and carrying out encryption verification on the first flow decision message.
In a specific embodiment, after receiving the first traffic decision message sent by PE2, PE1 performs encryption verification on it according to the dynamic encryption check information. Specifically, referring to fig. 9, PE1 computes over the random Key value and the configuration information carried in the first traffic decision message with the encryption algorithm that both parties negotiated, and obtains a second digest (for convenience of description, in this embodiment the digest calculated by PE2 and carried in the first traffic decision message is referred to as the first digest, and the digest calculated by PE1 as the second digest). The second digest is compared with the first digest: if they are consistent, the verification passes; otherwise, it fails. It should be understood that the above encryption verification is only one embodiment provided by the present invention and does not limit it; other verification methods that those skilled in the art can derive from reading the present application also fall within the protection scope of the present invention.
508: if the verification is passed, PE1 selects a path according to the path defect state and the traffic trend decision information.
Referring to the embodiments in fig. 2 and 3, PE1 selects a path for transmitting traffic to PE2 according to the obtained path state information and the traffic trend decision information returned by PE2. In an embodiment, as shown in fig. 8, if the traffic trend decision information includes multiple selectable alternative paths, it may further include information affecting path selection, such as the load and priority of each alternative path; PE1 then selects a path for transmitting traffic by analysing the received information together with the path defect status, so that a more suitable path can be selected and traffic transmission efficiency improved. It is understood that PE1 may also select two or more paths for transmitting traffic to PE2 after this analysis, further increasing the flexibility of path selection and improving the load balancing of traffic transmission.
510: and if the check is not passed, ignoring the first flow decision message.
In a specific embodiment, after the PE1 verifies that the first traffic decision packet does not pass, the first traffic decision packet may be discarded or the traffic trend decision information in the first traffic decision packet may be ignored, and is not used as a decision factor for selecting a path.
512: sending traffic to the PE2 over the path selected by PE 1.
PE1 utilizes its selected path to transmit traffic to PE 2.
In a specific embodiment, PE1 may further record the Key values sent by the second network device to form a mask list: after verification fails, the incorrect Key value is recorded and added to a blacklist, and a message carrying the same Key the next time is discarded directly without being analysed or processed.
In this embodiment, dynamic encryption check information, which is random and changes dynamically, is added to the traffic decision message sent by PE2. The traffic decision message is checked against this information, and the traffic trend decision information in the message is used as a decision factor or basis for path selection only after the check passes. This largely prevents an incorrect APS message, and hence incorrect traffic trend decision information, from being taken as a decision factor or basis for path selection, and thereby avoids inaccurate or incorrect path decision results caused by an incorrect APS input source.
Referring to fig. 6, in combination with the network scenarios in fig. 1 to 4, a method for dynamically encrypting and verifying an APS packet according to an embodiment of the present invention is provided, where a PE in this embodiment may be the PE in fig. 1 to 4, and the method specifically includes the following steps:
602: and filling APS encryption negotiation messages.
In a specific embodiment, PE1 fills its own encryption capability and the encryption algorithms it supports into the APS encryption negotiation message. Specifically, as shown in fig. 7, the APS encryption negotiation message is generated by filling the encryption capability and the supported encryption algorithm into the extended support field and code type field of the extended APS message TLV, respectively. For example, one support value (such as 1) indicates that PE1 supports APS message encryption and another indicates that it does not; one code type value (such as 1) indicates that the MD5 algorithm is supported and another that the SHA-1 algorithm is supported. It is understood that other values may be used, or that other fields of the APS message may be extended, or reserved unused fields used, to carry the encryption capability and encryption algorithm. The invention is not limited in this regard.
604: the PE1 sends an APS encryption negotiation message to the PE2, wherein the APS encryption negotiation message carries negotiation parameters including the encryption capability of the PE1 and the encryption algorithm supported by the PE 1.
PE1 sends the APS encryption negotiation packet generated in step 602 to PE2, negotiates the encryption capabilities and encryption algorithms of both parties, and PE2 records the encryption capabilities and encryption algorithms of PE1 after receiving the APS encryption negotiation packet.
606: PE2 populates the APS encryption negotiation message.
In a specific embodiment, refer to step 602 above.
608: PE2 returns an APS encryption negotiation reply message to PE1, which carries negotiation parameters including the encryption capability of PE2 and the encryption algorithm supported by PE 2.
In a specific embodiment, referring to step 604, after receiving the APS encryption negotiation reply message, PE1 records the encryption capability and encryption algorithm of PE 2.
The APS encryption negotiation process is completed between PE1 and PE2, via steps 602-608. The two ends know each other about the encryption capabilities and supported encryption algorithms of the opposite ends. And on the basis of the APS encryption negotiation, the subsequent normal APS communication message is transmitted and received. Refer specifically to steps 610-616.
610: the PE1 sends a normal APS communication packet to the PE2, where the APS packet carries the random Key value, configuration information, and encryption digest obtained by the PE 1.
Based on the foregoing encryption negotiation, PE1 knows the encryption capability and the supported encryption algorithm of PE2, for example that PE2 supports APS message encryption and supports MD5. PE1 obtains a random Key value, specifically a Key value randomly generated by PE1 or obtained by other means, and obtains configuration information, which may include OAM information and/or tunnel information; it then computes over the random Key value and the configuration information with an encryption algorithm supported by both parties (e.g., MD5) to obtain the encryption digest. Because the protected OAM information and/or tunnel information and other configuration information are included in the digest calculation, an attacker who modifies this information cannot produce a matching encryption digest, so the attacker's APS message is discarded or the traffic trend decision information it carries is disregarded, and the abnormal APS message cannot affect the accuracy of path selection. In addition, because the randomly generated Key value is included in the digest calculation, the generated digest changes dynamically; even if an attacker obtains a message and the configuration information in it, the Key value will not match the encryption digest because of its dynamic nature, so the attacker's APS message is discarded or its traffic trend decision information is disregarded. This reduces the probability of accepting an abnormal APS message or an incorrect APS input source, and hence the probability of an inaccurate or wrong path decision result.
612: and the PE2 verifies the APS message sent by the PE 1.
In a specific implementation manner, referring to fig. 9 and step 506 in fig. 5, PE2 computes over the random Key value and the configuration information obtained from the APS communication message sent by PE1 with the encryption algorithm that both parties negotiated (e.g., MD5), obtains a digest, and compares it with the digest carried in the APS communication message sent by PE1. If the comparison result is consistent, the verification passes; otherwise, it fails. It should be understood that the APS verification described above is only one embodiment provided by the present invention and is not to be construed as a limitation; those skilled in the art can understand from reading the present application that other verification methods are within the scope of the present invention.
614: the PE2 sends a normal APS communication packet to the PE1, where the APS packet carries the random Key value, configuration information, and encryption digest obtained by the PE 2.
In a specific embodiment, refer to step 610 above, which is not described herein again.
616: and the PE1 verifies the APS message sent by the PE 2.
In a specific embodiment, refer to step 612 above, which is not described herein again.
Referring to fig. 9, in combination with the network scenarios in fig. 1 to 4, a method for dynamically encrypting and verifying an APS message is provided in this embodiment of the present application, where a PE in this embodiment may be the PE in fig. 1 to 4, and the method specifically includes the following contents:
902: PE1 receives a first traffic decision message, which carries a random Key value, configuration information, and a first digest.
In a specific implementation manner, PE1 receives a first traffic decision message, such as an APS message, sent by PE2. The first traffic decision message carries traffic trend decision information, a random Key value generated by PE2, configuration information, and a first digest that PE2 obtains by computing over the random Key value and the configuration information with an encryption algorithm supported by PE2. For the traffic trend decision information, refer to step 504 in fig. 5; for the random Key value, the configuration information, the first digest and so on, refer to the relevant steps in fig. 5 and fig. 6, which are not repeated here. In this embodiment, the configuration information for calculating the encryption digest is carried in the first traffic decision message, as described in step 504 in fig. 5; when the configuration information for calculating the encryption digest is obtained in either of the other two ways, the first traffic decision message does not include the configuration information.
904: PE1 computes a second digest.
In a specific embodiment, PE1 receives the first traffic decision packet sent by PE2, extracts the random Key value and the configuration information carried in it, and computes a second digest over them using the encryption algorithm agreed between the two parties. Where the configuration information for computing the encryption digest is obtained in one of the other two manners, PE1 may instead take it directly from the locally stored configuration information negotiated by both parties according to the system configuration, or from the configuration information for computing the encryption digest carried in the encryption negotiation packet and the encryption negotiation reply packet.
906: verify the second digest against the first digest.
In a specific embodiment, the verification is performed by comparing the first digest with the second digest.
908: if the check fails, ignore the first traffic decision packet.
In a specific embodiment, the first traffic decision packet may be ignored as follows: discard the first traffic decision packet, or ignore the traffic trend decision information in it, so that the first traffic decision packet is not used as a decision factor for selecting a path. Reference may be made specifically to step 512 of fig. 5.
910: if the check passes, PE1 selects a path for transmitting the traffic according to the traffic trend decision information.
Refer specifically to step 508 of fig. 5; further description is omitted here.
912: PE1 uses the selected path to transmit traffic to PE2.
Refer specifically to step 512 in fig. 5; details are not repeated here.
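As an added example that is not part of the patent, the following Python sketch walks through the check of steps 902 to 912 (and the digest computation of step 612) with MD5 as the algorithm the page names: the second PE computes the first digest over its random Key value and configuration information, the first PE recomputes a second digest from the carried Key and the carried or locally held configuration, a failed check ignores the packet and records the Key in a masked list (claim 14), and a passed check drives the primary/backup choice of claim 6. All class and field names, the byte layout of the digest input, and the sample tunnel and OAM values are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConfigInfo:
    """Configuration information the digest covers: tunnel and OAM information."""
    tunnel_info: bytes
    oam_info: bytes

    def encode(self) -> bytes:
        # Length-prefix each field so different splits cannot collide (constructed layout).
        return (len(self.tunnel_info).to_bytes(2, "big") + self.tunnel_info
                + len(self.oam_info).to_bytes(2, "big") + self.oam_info)


@dataclass(frozen=True)
class TrafficDecisionPacket:
    trend_decision: str           # traffic trend decision information
    key: bytes                    # random Key value generated by the sender
    config: Optional[ConfigInfo]  # carried configuration, or None if held locally
    digest: bytes                 # first digest, computed by the sender


def compute_digest(algorithm: str, key: bytes, config: ConfigInfo) -> bytes:
    """Digest over (random Key value, configuration information) with the negotiated
    algorithm (the page names MD5; any hashlib name works). As the page describes it,
    the digest covers the Key and the configuration only, not the trend decision."""
    h = hashlib.new(algorithm)
    h.update(len(key).to_bytes(2, "big") + key)
    h.update(config.encode())
    return h.digest()


class SecondPE:
    """Sending side (PE2 in fig. 9): generates the Key and the first digest."""

    def __init__(self, algorithm: str, config: ConfigInfo):
        self.algorithm, self.config = algorithm, config

    def build_packet(self, trend_decision: str,
                     carry_config: bool = True) -> TrafficDecisionPacket:
        key = os.urandom(16)  # fresh random Key value for every packet
        digest = compute_digest(self.algorithm, key, self.config)
        carried = self.config if carry_config else None
        return TrafficDecisionPacket(trend_decision, key, carried, digest)


class FirstPE:
    """Receiving side (PE1 in fig. 9): recomputes and checks the digest."""

    def __init__(self, algorithm: str, local_config: ConfigInfo):
        self.algorithm = algorithm
        self.local_config = local_config  # negotiated or system configuration
        self.masked_keys: set = set()     # claim 14: Keys from failed checks
        self.current_path = "primary"

    def verify(self, pkt: TrafficDecisionPacket) -> bool:
        """Steps 904-906: second digest over the carried Key and the carried or locally
        held configuration, compared with the first digest. Checking against locally
        held configuration is what lets PE1 reject a sender holding different config."""
        config = pkt.config if pkt.config is not None else self.local_config
        second_digest = compute_digest(self.algorithm, pkt.key, config)
        ok = hmac.compare_digest(second_digest, pkt.digest)  # constant-time compare
        if not ok:
            self.masked_keys.add(pkt.key)
        return ok

    def select_path(self, pkt: TrafficDecisionPacket, primary_defect: bool) -> str:
        """Steps 908-910 and claim 6. A failed check ignores the packet, so the path in
        use is kept. Only the 'primary failed and decision says move to backup' rule is
        on the page; using the primary otherwise is a constructed simplification."""
        if not self.verify(pkt):
            return self.current_path
        if primary_defect and pkt.trend_decision == "move_backup":
            self.current_path = "backup"
        else:
            self.current_path = "primary"
        return self.current_path


def run_example() -> dict:
    """Constructed scenario: matching peer, peer with other tunnel info, local config."""
    cfg = ConfigInfo(tunnel_info=b"tunnel-100", oam_info=b"oam-meg-7")
    pe1, pe2 = FirstPE("md5", cfg), SecondPE("md5", cfg)
    good = pe2.build_packet("move_backup")
    path_after_good = pe1.select_path(good, primary_defect=True)
    # A sender that does not hold the same configuration; PE1 verifies locally.
    other = SecondPE("md5", ConfigInfo(b"tunnel-999", b"oam-meg-7"))
    bad = other.build_packet("move_backup", carry_config=False)
    path_after_bad = pe1.select_path(bad, primary_defect=True)
    # Configuration taken from local negotiated state instead of the packet (step 904).
    local_only = pe2.build_packet("stay", carry_config=False)
    path_after_local = pe1.select_path(local_only, primary_defect=False)
    return {"good_ok": pe1.verify(good), "path_after_good": path_after_good,
            "bad_ok": pe1.verify(bad), "bad_key_masked": bad.key in pe1.masked_keys,
            "path_after_bad": path_after_bad, "path_after_local": path_after_local}
```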
Fig. 10 is a schematic block diagram of a path selection apparatus 1000 for implementing APS according to an embodiment of the present application, where the apparatus shown in fig. 10 may be a PE device in the foregoing method embodiments (as in fig. 1 to 6), and may implement the functions of the PE device. The apparatus is applied to an APS network scenario, where the network includes a first network device (e.g., the first PE) and a second network device (e.g., the second PE), the apparatus for selecting a path is the first network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, a traffic decision packet is transmitted between the first network device and the second network device, and the path selecting apparatus includes an obtaining unit 1002, a transceiving unit 1004, and a path selecting unit 1006.
An obtaining unit 1002, configured to obtain path defect states of the main path and the standby path between the first network device and the second network device;
a transceiving unit 1004, configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes traffic trend decision information and dynamic encryption check information;
a path selecting unit 1006, configured to perform encryption verification on the first traffic decision packet according to the dynamic encryption verification information, and select a path for sending traffic to the second network device according to the path defect state and the traffic trend decision information after verification passes.
In a specific embodiment, the obtaining unit 1002 may, as described with reference to fig. 2 and 3, use internal interaction between an OAM state machine and an APS state machine to obtain the path defect states of the main path and the standby path between the first network device and the second network device. It can be understood that the obtaining unit 1002 may also obtain the path defect states of the main path and the standby path between the first network device and the second network device in other ways that will occur to those skilled in the art after reading the present application, and the present invention is not limited thereto.
In a specific embodiment, for the specific embodiments of the transceiving unit 1004 and the path selecting unit 1006, reference may be made to an APS encryption negotiation process between two PEs, information exchanged in the encryption negotiation process, and a normal APS communication and verification process after negotiation in fig. 5 to 9, which is not described in detail for brevity.
Fig. 11 is a schematic block diagram of a packet checking apparatus 1100 for implementing APS according to an embodiment of the present application, where the apparatus shown in fig. 11 may be a PE device in the foregoing method embodiment (as in fig. 1 to 6), and may implement the functions of the PE device. The apparatus is applied to an APS network scenario, where the network includes a first network device (e.g., the first PE) and a second network device (e.g., the second PE), the packet verification apparatus is the first network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, a traffic decision packet is transmitted between the first network device and the second network device, the traffic decision packet is used to negotiate traffic decision information between the first network device and the second network device, the first network device and the second network device select a path for traffic transmission according to the traffic decision information, and the packet verification apparatus includes a transceiving unit 1102 and a processing unit 1104.
A transceiver unit 1102, configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes the traffic trend decision information, a random Key value, and a first digest, the first digest is obtained by calculating the Key value and configuration information using an encryption algorithm of the second network device, and the configuration information includes at least one of the following information: tunnel information and OAM information;
a processing unit 1104, configured to calculate the Key value and the configuration information using the encryption algorithm to obtain a second digest, check the second digest and the first digest, select a path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information when the second digest is consistent with the first digest, and ignore the first traffic decision packet when the second digest is inconsistent with the first digest.
In a specific embodiment, the specific embodiment of the transceiver unit 1102 may refer to an APS encryption negotiation process, information exchanged in the encryption negotiation process, and a normal APS communication and verification process after negotiation between two PEs in fig. 5 to 9, which are not described in detail for brevity. The specific implementation of the processing unit 1104 may refer to APS message interaction and APS verification processing after the APS encryption negotiation process of the first PE in fig. 5 to 9, and is not described again for brevity.
Fig. 12 is a schematic block diagram of a packet checking apparatus 1200 for implementing APS according to an embodiment of the present application, where the apparatus shown in fig. 12 may be a PE device in the foregoing method embodiment (as in fig. 1 to 6), and may implement the functions of the PE device. The apparatus is applied to an APS network scenario, where the network includes a first network device (e.g., the first PE) and a second network device (e.g., the second PE), the packet verification apparatus is the second network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, a traffic decision packet is transmitted between the first network device and the second network device, the traffic decision packet is used to negotiate traffic decision information between the first network device and the second network device, and the first network device and the second network device select a path for traffic transmission according to the traffic decision information, where the apparatus includes:
an obtaining unit 1202, configured to obtain flow trend decision information, configuration information, and a random Key value, where the configuration information includes at least one of the following information: OAM information and tunnel information;
a processing unit 1204, configured to calculate the random Key value and the configuration information using an encryption algorithm to obtain a first digest;
a transceiving unit 1206, configured to send a first traffic decision packet to the first network device, where the first traffic decision packet includes the traffic trend decision information, the random Key value, and the first digest; the configuration information, the random Key value, and the first digest are used by the first network device to verify the first traffic decision packet, and the traffic trend decision information is used by the first network device to select a transmission path for transmitting traffic to the second network device after the verification is passed.
In a specific embodiment, the transceiving unit 1206 is further configured to send an encryption negotiation packet to the first network device, where the encryption negotiation packet carries an encryption capability and an encryption algorithm of the first network device, and receive an encryption negotiation reply packet returned by the first network device, where the encryption negotiation reply packet carries the encryption capability and the encryption algorithm of the first network device; the processing unit 1204 is further configured to record an encryption capability and an encryption algorithm of the first network device.
In a specific embodiment, for the specific embodiments of the obtaining unit 1202, the processing unit 1204 and the transceiving unit 1206, reference may be made to the functions and implementation steps of the second PE in fig. 5 to 9, and for brevity, no further description is given.
Fig. 13 is a schematic structural diagram of a network device 1300 implementing APS according to an embodiment of the present application, where the apparatus shown in fig. 13 may be a PE device in the foregoing method embodiments (as in fig. 1 to 6), and may implement the functions of the PE device. The apparatus is applied to an APS network scenario, where the network includes a first network device (e.g., the first PE) and a second network device (e.g., the second PE), a path is established between the first network device and the second network device, the path includes a main path and a standby path, and a traffic decision packet is transmitted between the first network device and the second network device. As shown in fig. 13, the apparatus 1300 includes a processor 1302, a memory 1304 and a transceiver 1308, and connection lines 1310 connecting the processor 1302, the memory 1304 and the transceiver 1308. The transceiver 1308 is used for the apparatus to communicate with the outside world; the memory 1304 is used for storing program instructions or programs 1306, and may include a high-speed Random Access Memory (RAM) and may further include a non-volatile memory, such as at least one magnetic disk memory; the processor 1302 may call the program instructions stored in the memory 1304 to execute the corresponding functions.
In one particular embodiment:
the transceiver 1308 is configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes traffic trend decision information and dynamic encryption check information;
the processor 1302 is configured to obtain path defect states of the main path and the standby path between the first network device and the second network device, perform encryption verification on the first traffic decision packet according to the dynamic encryption verification information, and select a path for sending traffic to the second network device according to the path defect state and the traffic trend decision information after the verification is passed.
In this specific embodiment, for the specific implementation of the transceiver 1308 and the processor 1302, reference may be made to the functions and implementation steps of the first PE in fig. 5 to 9, which are not described again for brevity.
In another embodiment:
the transceiver 1308 is configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes the traffic trend decision information, a random Key value, and a first digest, where the first digest is obtained by calculating the Key value and configuration information using an encryption algorithm of the second network device, and the configuration information includes at least one of the following information: tunnel information and OAM information;
the processor 1302 is configured to calculate the Key value and the configuration information using the encryption algorithm to obtain a second digest, check the second digest and the first digest, select a path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information when the second digest is consistent with the first digest, and ignore the first traffic decision packet when the second digest is inconsistent with the first digest.
In this specific embodiment, for the specific implementation of the transceiver 1308 and the processor 1302, reference may be made to the functions and implementation steps of the first PE in fig. 5 to 9, which are not described again for brevity.
In yet another embodiment:
the processor 1302 is configured to obtain traffic trend decision information, configuration information, and a random Key value, where the configuration information includes at least one of the following information: OAM information and tunnel information, and to calculate the random Key value and the configuration information using the encryption algorithm to obtain a first digest;
the transceiver 1308 is configured to send a first traffic decision packet to the first network device, where the first traffic decision packet includes the traffic trend decision information, the random Key value, and the first digest; the configuration information, the random Key value, and the first digest are used by the first network device to verify the first traffic decision packet, and the traffic trend decision information is used by the first network device to select a transmission path for transmitting traffic to the second network device after the verification is passed.
In this specific embodiment, for the specific implementation of the processor 1302 and the transceiver 1308, reference may be made to the functions and processing steps of the second PE in fig. 5 to 9, which are not described again for brevity.
In addition to the conventional manner above, in which a processor executes program code instructions stored in a memory, the present embodiment may also be based on a virtual first network device and a virtual second network device implemented on a physical server in combination with network function virtualization (NFV) technology, where the virtual first network device is a virtual router or switch. After reading the present application, a person skilled in the art can use NFV technology to virtually create multiple PE devices with the above functions on a physical server, which is not described in detail herein.
Fig. 14 is a schematic block diagram of a network system 1400 for implementing APS according to an embodiment of the present application, where the system shown in fig. 14 includes a first network device and a second network device, which may be the first PE and the second PE in fig. 1 to 6 and fig. 9 to 13. For details, reference is made to the above embodiments, which are not described herein again.
In the several embodiments provided in this application, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and in actual implementation, there may be other divisions, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each module may exist alone physically, or two or more modules are integrated into one unit. The integrated module can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute some steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing data.

Claims (28)

1. A method for selecting a path is applied to an APS network, the network includes a first network device and a second network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, and a traffic decision packet is transmitted between the first network device and the second network device, and the method includes:
the first network device acquires the path defect states of the main path and the standby path between the first network device and the second network device;
the first network device receives a first traffic decision message sent by the second network device, wherein the first traffic decision message comprises traffic trend decision information and dynamic encryption check information;
and the first network device performs encryption verification on the first traffic decision message according to the dynamic encryption verification information, and selects a path for sending traffic to the second network device according to the path defect states of the main path and the standby path and the traffic trend decision information after verification is passed.
2. The method of claim 1, wherein prior to receiving the first traffic decision packet sent by the second network device, the method further comprises:
sending an encryption negotiation message to the second network device, wherein the encryption negotiation message carries the encryption capability and the encryption algorithm of the first network device;
receiving an encryption negotiation reply message returned by the second network device, wherein the encryption negotiation reply message carries the encryption capability and the encryption algorithm of the second network device;
and recording the encryption capability and the encryption algorithm of the second network device.
3. The method of claim 2, wherein the dynamic encryption check information includes a random Key value and a first digest obtained by computing the random Key value using an encryption algorithm of the second network device and configuration information obtained by the second network device, the configuration information including one of: tunnel information and OAM information;
the performing encryption verification on the first traffic decision packet according to the dynamic encryption verification information includes:
and calculating the Key value and the configuration information acquired by the first network device by using the encryption algorithm to obtain a second digest, and checking the second digest against the first digest.
4. The method of claim 2, wherein the dynamic cryptographic check information includes a random Key value, configuration information, and a first digest that is computed using a cryptographic algorithm of the second network device from the Key value and configuration information, the configuration information including at least one of: tunnel information and OAM information;
the performing encryption verification on the first traffic decision packet according to the dynamic encryption verification information includes:
and calculating the Key value and the configuration information by using the encryption algorithm to obtain a second digest, and verifying the second digest against the first digest.
5. The method according to claim 3 or 4, wherein a path for sending traffic to the second network device is selected according to the path defect status and the traffic trend decision information if the second digest and the first digest are consistent.
6. The method according to any of claims 1-4, wherein if the path defect status is a primary path failure and the traffic trend decision information indicates moving to the backup path, the backup path is selected to send traffic to the second network device.
7. The method according to any of claims 1-4, wherein the first traffic decision packet is ignored if the check fails.
8. The method of any one of claims 1-4, further comprising:
and sending a second traffic decision message to the second network device to notify the path selected by the first network device to send traffic to the second network device.
9. The method according to any of claims 1-4, wherein the traffic decision message is an APS message, and the APS message employs an APS protocol, an MPLS protocol, or a TP protocol.
10. The method of any one of claims 1-4, wherein the path is an LSP path or a PW path.
11. The method of any one of claims 1-4, wherein the first network device and second network device are operator edge node devices.
12. A method for checking a packet is applied to an APS network, the network includes a first network device and a second network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, a traffic decision packet is transmitted between the first network device and the second network device, the traffic decision packet is used for negotiating traffic decision information between the first network device and the second network device, and the first network device and the second network device select a path for traffic transmission according to the traffic decision information, the method includes:
the first network device receives a first traffic decision message sent by the second network device, where the first traffic decision message includes the traffic trend decision information, a random Key value, and a first digest, the first digest is obtained by calculating the Key value and configuration information using an encryption algorithm of the second network device, and the configuration information includes at least one of the following information: tunnel information and OAM information;
the first network device calculates the Key value and the configuration information by using the encryption algorithm to obtain a second digest, and verifies the second digest against the first digest;
under the condition that the second digest is consistent with the first digest, the first network device selects a path for transmitting the traffic from the first network device to the second network device according to the traffic trend decision information;
and under the condition that the second digest is inconsistent with the first digest, the first network device ignores the first traffic decision message.
13. The method of claim 12, further comprising:
sending an encryption negotiation message to the second network device, wherein the encryption negotiation message carries the encryption capability and the encryption algorithm of the first network device;
receiving an encryption negotiation reply message returned by the second network device, wherein the encryption negotiation reply message carries the encryption capability and the encryption algorithm of the second network device;
and recording the encryption capability and the encryption algorithm of the second network device.
14. The method of claim 13, further comprising, in the event that the second digest is inconsistent with the first digest, recording the Key value sent by the second network device to form a masked list.
15. The method according to any of claims 12-14, wherein the configuration information for computing the first and second digests is carried in the first traffic decision message, determined by negotiation through the encryption negotiation message and the encryption negotiation reply message, or stored in the first and second network devices.
16. A device for selecting a path, where the device is applied to an APS network, the network includes a first network device and a second network device, the device for selecting a path is the first network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, and a traffic decision packet is transmitted between the first network device and the second network device, where the first network device includes:
an obtaining unit, configured to obtain path defect states of the main path and the standby path between the first network device and the second network device;
a receiving and sending unit, configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes traffic trend decision information and dynamic encryption check information;
and the path selection unit is used for carrying out encryption verification on the first traffic decision message according to the dynamic encryption verification information and selecting a path for sending traffic to the second network device according to the path defect state and the traffic trend decision information after the verification is passed.
17. The apparatus of claim 16, wherein:
the transceiver unit is further configured to send an encryption negotiation packet to the second network device, where the encryption negotiation packet carries the encryption capability and the encryption algorithm of the first network device, and receive an encryption negotiation reply packet returned by the second network device, where the encryption negotiation reply packet carries the encryption capability and the encryption algorithm of the second network device;
the path selection unit is further configured to record an encryption capability and an encryption algorithm of the second network device.
18. The apparatus of claim 17, the dynamic cryptographic check information comprising a random Key value and a first digest obtained by computing the random Key value using a cryptographic algorithm of the second network device and configuration information obtained by the second network device, the configuration information comprising one of: tunnel information and OAM information;
the encryption verification of the first traffic decision packet by the path selection unit according to the dynamic encryption verification information specifically comprises: calculating the Key value and the configuration information acquired by the first network device by using the encryption algorithm to obtain a second digest, and checking the second digest against the first digest.
19. The apparatus of claim 17, wherein the dynamic encryption verification information includes a random Key value, configuration information, and a first digest that is computed using an encryption algorithm of the second network device from the Key value and configuration information, the configuration information including one of: tunnel information and OAM information;
the encryption verification of the first traffic decision packet by the path selection unit according to the dynamic encryption verification information specifically comprises: calculating the Key value and the configuration information by using the encryption algorithm to obtain a second digest, and verifying the second digest against the first digest.
20. The apparatus according to claim 18 or 19, wherein the path selecting unit is specifically configured to select, if the second digest is consistent with the first digest, a path for sending traffic to the second network device according to the path defect status and the traffic trend decision information.
21. A device for selecting a path, where the device is applied to an APS network, the network includes a first network device and a second network device, the device is the first network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, and a traffic decision packet is transmitted between the first network device and the second network device, and the first network device includes:
the transceiver is used for receiving a first traffic decision message sent by the second network device, wherein the first traffic decision message comprises traffic trend decision information and dynamic encryption check information;
and the processor is used for acquiring the path defect states of the main path and the standby path between the first network device and the second network device, performing encryption verification on the first traffic decision message according to the dynamic encryption verification information, and selecting a path for sending traffic to the second network device according to the path defect state and the traffic trend decision information after verification is passed.
22. The apparatus of claim 21, wherein:
the transceiver is further configured to send an encryption negotiation packet to the second network device, where the encryption negotiation packet carries the encryption capability and the encryption algorithm of the first network device, and receive an encryption negotiation reply packet returned by the second network device, where the encryption negotiation reply packet carries the encryption capability and the encryption algorithm of the second network device;
the processor is further configured to record an encryption capability and an encryption algorithm of the second network device.
23. The apparatus of claim 22, wherein the dynamic encryption check information includes a random Key value and a first digest, the first digest being obtained by computing, using the encryption algorithm of the second network device, the random Key value and configuration information acquired by the second network device, the configuration information including one of: tunnel information and OAM information; and
that the processor performs encryption verification on the first traffic decision packet according to the dynamic encryption check information specifically includes: computing, using the encryption algorithm, the Key value and the configuration information acquired by the first network device to obtain a second digest, and checking the second digest against the first digest.
24. The apparatus of claim 22, wherein the dynamic encryption check information includes a random Key value, configuration information, and a first digest, the first digest being obtained by computing the Key value and the configuration information using the encryption algorithm of the second network device, the configuration information including one of: tunnel information and OAM information; and
that the processor performs encryption verification on the first traffic decision packet according to the dynamic encryption check information specifically includes: computing the Key value and the configuration information using the encryption algorithm to obtain a second digest, and checking the second digest against the first digest.
25. The apparatus according to claim 23 or 24, wherein the processor is specifically configured to select a path for sending traffic to the second network device according to the path defect status and the traffic trend decision information if the second digest and the first digest are consistent.
26. A device for verifying a packet, where the device is applied to an APS network, the network includes a first network device and a second network device, the device is the first network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, a traffic decision packet is transmitted between the first network device and the second network device, the traffic decision packet is used to negotiate traffic decision information between the first network device and the second network device, and the first network device and the second network device select a path for traffic transmission according to the traffic decision information, where the device includes:
a transceiver unit, configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes the traffic trend decision information, a random Key value, and a first digest, the first digest is obtained by calculating the Key value and configuration information using an encryption algorithm of the second network device, and the configuration information includes at least one of the following information: tunnel information and OAM information;
a processing unit, configured to calculate the Key value and the configuration information using the encryption algorithm to obtain a second digest, check the second digest and the first digest, select a path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information when the second digest is consistent with the first digest, and ignore the first traffic decision packet when the second digest is inconsistent with the first digest.
27. A device for verifying a packet, where the device is applied to an APS network, the network includes a first network device and a second network device, the device is the first network device, a path is established between the first network device and the second network device, the path includes a main path and a standby path, a traffic decision packet is transmitted between the first network device and the second network device, the traffic decision packet is used to negotiate traffic decision information between the first network device and the second network device, and the first network device and the second network device select a path for traffic transmission according to the traffic decision information, where the device includes:
a transceiver, configured to receive a first traffic decision packet sent by the second network device, where the first traffic decision packet includes the traffic trend decision information, a random Key value, and a first digest, the first digest is obtained by calculating the Key value and configuration information using an encryption algorithm of the second network device, and the configuration information includes at least one of the following information: tunnel information and OAM information;
and a processor, configured to compute the Key value and the configuration information using the encryption algorithm to obtain a second digest, check the second digest against the first digest, select a path for transmitting traffic from the first network device to the second network device according to the traffic trend decision information when the second digest is consistent with the first digest, and ignore the first traffic decision packet when the second digest is inconsistent with the first digest.
28. A system for validating packets for use in an APS network, the system comprising a first network device according to any one of claims 16 to 27 and a corresponding second network device.
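The check described in claims 22 to 27, as an added Python example that is not part of the patent: the two devices negotiate a common algorithm, the second device builds a traffic decision packet carrying a random Key value and a first digest, and the first device recomputes the second digest over its own tunnel/OAM configuration before selecting a path, ignoring the packet when the digests differ. Modelling the "encryption algorithm" as a named hash, the sample configuration values, and reading the traffic trend information as the path the peer wants traffic on are all assumptions made here.

```python
import hashlib
import hmac
import os

# Constructed sample of the configuration information both devices hold
# (claims 23/24 name tunnel information and OAM information).
CONFIG = {"tunnel": "tunnel-id:1001", "oam": "meg:MEG-A;mep:1"}


def negotiate(local_algs, peer_algs):
    """Claim 22: exchange encryption capability/algorithm lists and record
    the first algorithm offered locally that the peer also supports."""
    for alg in local_algs:
        if alg in peer_algs:
            return alg
    return None  # no common algorithm: no verifiable traffic decision packets


def digest(alg, key, config):
    """Digest over the random Key value and the configuration information.
    Modelling the 'encryption algorithm' as a named hash is our assumption."""
    h = hashlib.new(alg)
    h.update(key)
    h.update(config["tunnel"].encode())
    h.update(config["oam"].encode())
    return h.hexdigest()


def build_decision_packet(alg, trend, config):
    """Second network device: traffic trend decision information, a fresh
    random Key value and the first digest (packet layout of claim 26)."""
    key = os.urandom(16)
    return {"trend": trend, "key": key, "digest": digest(alg, key, config)}


def verify_and_select(pkt, alg, local_config, defects):
    """First network device (claims 23, 25, 26): recompute the second digest
    from the received Key and the *locally held* configuration, compare it
    with the first digest in constant time, then pick a path. Returns None
    when the packet is ignored because the digests differ."""
    second = digest(alg, pkt["key"], local_config)
    if not hmac.compare_digest(second, pkt["digest"]):
        return None
    # Assumption: the trend information names the path the peer wants traffic
    # on; honour it if that path is defect-free, otherwise use the other one.
    wanted = pkt["trend"]
    other = "standby" if wanted == "main" else "main"
    return wanted if not defects[wanted] else other
```

A peer whose tunnel or OAM configuration does not match the local one cannot produce a digest that verifies, so its traffic decision packets are dropped rather than acted on.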
CN201611210906.1A 2016-12-24 2016-12-24 Method, device and system for path selection Active CN108243099B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110292750.0A CN113055284A (en) 2016-12-24 2016-12-24 Method, device and system for path selection
CN201611210906.1A CN108243099B (en) 2016-12-24 2016-12-24 Method, device and system for path selection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611210906.1A CN108243099B (en) 2016-12-24 2016-12-24 Method, device and system for path selection

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202110292750.0A Division CN113055284A (en) 2016-12-24 2016-12-24 Method, device and system for path selection

Publications (2)

Publication Number Publication Date
CN108243099A CN108243099A (en) 2018-07-03
CN108243099B true CN108243099B (en) 2021-03-23

Family

ID=62703716

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201611210906.1A Active CN108243099B (en) 2016-12-24 2016-12-24 Method, device and system for path selection
CN202110292750.0A Pending CN113055284A (en) 2016-12-24 2016-12-24 Method, device and system for path selection

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202110292750.0A Pending CN113055284A (en) 2016-12-24 2016-12-24 Method, device and system for path selection

Country Status (1)

Country Link
CN (2) CN108243099B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101651582A (en) * 2009-09-24 2010-02-17 中兴通讯股份有限公司 Method and system for detecting link connectivity of multi-protocol label switching (MPLS) network
CN101820425A (en) * 2010-04-16 2010-09-01 杭州华三通信技术有限公司 RSVP (Respondez Sil Vous Plait) authentication method and system
CN102148694A (en) * 2010-02-04 2011-08-10 中兴通讯股份有限公司 Linear 1-to-N protection method, device and system for packet transport network
CN102891767A (en) * 2012-09-27 2013-01-23 华为技术有限公司 Link protection method and system and network element

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9025465B2 (en) * 2009-10-28 2015-05-05 Tellabs Operations, Inc. Methods and apparatuses for performing protection switching without using Y.1731-based automatic protection switching (APS) messages
EP2466797A1 (en) * 2010-12-17 2012-06-20 Telefonaktiebolaget L M Ericsson AB (Publ) Interworking for OAM information exchange

Also Published As

Publication number Publication date
CN113055284A (en) 2021-06-29
CN108243099A (en) 2018-07-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant