CN108390825B - Method and system for establishing secure optical tree in multi-domain optical network based on hierarchical PCE

Info

Publication number: CN108390825B
Application number: CN201810072313.6A
Other versions: CN108390825A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: tree, building request, domain, tree building, node
Legal status: Active
Inventors: 吴启武, 姜灵芝, 耿新元, 李芳
Current assignee: Engineering University of Chinese Peoples Armed Police Force
Original assignee: Engineering University of Chinese Peoples Armed Police Force
Events: application filed by Engineering University of Chinese Peoples Armed Police Force; published as CN108390825A; application granted and published as CN108390825B; current legal status active.

Classifications

    • H04L45/16 Routing or path finding of packets in data switching networks: multipoint routing
    • H04L45/48 Routing or path finding of packets in data switching networks: routing tree calculation
    • H04B10/27 Transmission systems employing electromagnetic waves other than radio-waves (e.g. optical): arrangements for networking
    • H04L63/0869 Network architectures or protocols for network security: authentication of entities for achieving mutual authentication
    • H04Q11/0062 Selecting arrangements for multiplex systems using optical switching: network aspects
    • H04Q2011/0073 Selecting arrangements for multiplex systems using optical switching: provisions for forwarding or routing, e.g. lookup tables

Abstract

The invention discloses a method and system for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE (Path Computation Element). Addressing the security threats present in multi-domain optical network multicast routing protocols, a corresponding security mechanism is designed using a nested hash chain and trust-model theory, and the secure optical tree is established by optimising the original optical tree computation and establishment process. The method can compute and establish the secure optical tree in a multi-domain optical network while ensuring its own security, and has a lower blocking rate and a smaller optical tree establishment delay.

Description

Method and system for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE

Technical field

The present invention relates to a method and system for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE.

Background

With the rapid development of optical communication technology and real-time streaming multicast applications, multicast transmission over optical networks is becoming increasingly widespread, and how to establish and maintain a multicast tree that satisfies security requirements has become a very important problem in multi-domain optical networks.

In 2010 the IETF (Internet Engineering Task Force) described, in RFC (Request for Comments) 5920, the various security threats faced during multicast in GMPLS (Generalized Multi-Protocol Label Switching) and proposed defensive techniques as well as detection and reporting mechanisms, but did not address a scheme for securely establishing a multicast tree. The prior art proposes a method for restoring an optical tree that satisfies a delay constraint, but provides no mechanism for the security problems present in optical network multicast. Other literature, through a specific analysis of the reliability mechanism of the RSVP-TE (Resource Reservation Protocol - Traffic Engineering) protocol, discusses the security problems RSVP-TE may face and proposes corresponding countermeasures, but neither of these two works results in a corresponding multicast protocol. In addition, a method of creating light paths in parallel has been proposed, which can effectively save resource configuration time, but that protocol is a unicast protocol and cannot achieve the goal of secure multicast.

Summary of the invention

In view of the above problems in the prior art, the present invention proposes a method for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE, which achieves secure establishment of the multicast tree and performs well in terms of blocking rate and optical tree establishment delay.

To achieve the above object, the present invention adopts the following technical solution:

A method for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE, comprising the following steps:

Step 1: a source node in the optical network receives a multicast connection request, and the source node sends a tree-building request R1 to the cPCE of the domain in which the source node is located, where cPCE denotes a child path computation element;

Step 2: the cPCE of the source node's domain receives the tree-building request R1, performs identity authentication of R1 using the nested-hash-chain-based mutual authentication method, and performs source authentication of R1 using the TCP-AO mechanism; the cPCE of the source node's domain then sends R1 to the pPCE, where pPCE denotes the parent path computation element;

Step 3: after the pPCE receives the tree-building request R1 from the cPCE of the source node's domain, it performs identity authentication of R1 using the nested-hash-chain-based mutual authentication method and source authentication of R1 using the TCP-AO mechanism; it then computes the optimal abstract multicast tree routing information using the multi-domain optical network secure multicast routing computation algorithm based on artificial immunity and trust degree; R1 together with the optimal abstract multicast tree routing information forms a tree-building request R2, and the pPCE sends R2 to the cPCE of each domain traversed by the optimal abstract multicast tree route;

Step 4: the cPCE of each domain traversed by the optimal abstract multicast tree route computes intra-domain multicast tree routing information; the intra-domain multicast tree routing information and R2 form a tree-building request R3; the cPCE of each domain sends R3 to the pPCE;

Step 5: the assigned wavelength is determined; all the intra-domain multicast tree routing information obtained in step 4 is combined to form strict multicast tree routing information; the strict multicast tree routing information and the assigned wavelength form a tree-building request R4; the pPCE sends R4 to the cPCEs managing the source node or branch nodes;

Step 6: after a cPCE managing the source node or a branch node in step 5 receives the tree-building request R4, it performs source authentication of R4 using the TCP-AO mechanism; the cPCEs managing the source node or branch nodes each read the strict multicast tree routing information from R4; the cPCE managing the source node extracts the routing information between the source node and the branch nodes within its domain, this routing information together with the assigned wavelength generates a tree-building request R5, and the cPCE managing the source node sends R5 to the source node; the cPCE managing a branch node extracts the routing information between the branch nodes within its domain, this routing information together with the assigned wavelength generates a tree-building request R5', and the cPCE managing the branch node sends R5' to each branch node;

Step 7: after the source node and each branch node receive the tree-building requests R5 and R5', they perform source authentication of R5 and R5' using the TCP-AO mechanism and obtain, respectively, the routing information between the source node and the branch nodes and the routing information between the branch nodes, each together with the assigned wavelength; the source node and each branch node start the RSVP-TE protocol, form the routing information and wavelength information into a PATH message, and send the PATH message to the downstream node;

Step 8: when a downstream node receives the PATH message, it determines whether the assigned wavelength is occupied on the link between that downstream node and the next node; if it is not occupied, it forwards the PATH message to the next node; if it is occupied, the method returns to step 5;

Step 9: after all tail nodes in the transmission of step 8 receive the PATH message, they perform source authentication of the PATH message using the TCP-AO mechanism, generate a RESV message, and pass it back upstream along the transmission path of step 8 to the source node and each branch node, completing the wavelength configuration on the links between adjacent nodes according to the assigned wavelength;

Step 10: after the source node and all branch nodes receive the RESV message, each generates a confirmation message and sends it to the cPCE of its own domain; the cPCE forwards the confirmation message to the pPCE; once the pPCE has confirmed receipt of all confirmation messages, it sends a tree-building success message to the cPCE of the source node's domain, which sends the tree-building success message to the source node; the source node may then begin multicast transmission of data.

Another aspect of the present invention provides a system for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE, comprising a tree-building request R1 receiving module, a tree-building request R1 sending module, a tree-building request R2 forming module, a tree-building request R3 forming module, a tree-building request R4 forming module, a tree-building request R5 forming module, a PATH message forming module, a PATH message transmitting module, a RESV message generating module and a confirmation message generating module, wherein:

The tree-building request R1 receiving module is used to implement the following function:

a source node in the optical network receives a multicast connection request, and the source node sends a tree-building request R1 to the cPCE of the domain in which the source node is located;

The tree-building request R1 sending module is used to implement the following function:

the cPCE of the source node's domain receives the tree-building request R1, performs identity authentication of R1 using the nested-hash-chain-based mutual authentication method, and performs source authentication of R1 using the TCP-AO mechanism; the cPCE of the source node's domain sends R1 to the pPCE;

The tree-building request R2 forming module is used to implement the following function:

after the pPCE receives the tree-building request R1 from the cPCE of the source node's domain, it performs identity authentication of R1 using the nested-hash-chain-based mutual authentication method and source authentication of R1 using the TCP-AO mechanism; it computes the optimal abstract multicast tree routing information using the multi-domain optical network secure multicast routing computation algorithm based on artificial immunity and trust degree; R1 together with the optimal abstract multicast tree routing information forms a tree-building request R2, and the pPCE sends R2 to the cPCE of each domain traversed by the optimal abstract multicast tree route;

The tree-building request R3 forming module is used to implement the following function:

the cPCE of each domain traversed by the optimal abstract multicast tree route computes intra-domain multicast tree routing information; the intra-domain multicast tree routing information and R2 form a tree-building request R3; the cPCE of each domain sends R3 to the pPCE;

The tree-building request R4 forming module is used to implement the following function:

the assigned wavelength is determined; all the intra-domain multicast tree routing information obtained in the tree-building request R3 forming module is combined to form strict multicast tree routing information; the strict multicast tree routing information and the assigned wavelength form a tree-building request R4; the pPCE sends R4 to the cPCEs managing the source node or branch nodes;

The tree-building request R5 forming module and tree-building request R5' forming module are used to implement the following functions:

after a cPCE managing the source node or a branch node in the tree-building request R4 forming module receives the tree-building request R4, it performs source authentication of R4 using the TCP-AO mechanism; the cPCEs managing the source node or branch nodes each read the strict multicast tree routing information from R4; the cPCE managing the source node extracts the routing information between the source node and the branch nodes within its domain, this routing information together with the assigned wavelength generates a tree-building request R5, and the cPCE managing the source node sends R5 to the source node; the cPCE managing a branch node extracts the routing information between the branch nodes within its domain, this routing information together with the assigned wavelength generates a tree-building request R5', and the cPCE managing the branch node sends R5' to each branch node;

The PATH message forming module is used to implement the following function:

after the source node and each branch node receive the tree-building request R5, they perform source authentication of R5 using the TCP-AO mechanism and obtain, respectively, the routing information between the source node and the branch nodes and the routing information between the branch nodes, each together with the assigned wavelength; the source node and each branch node start the RSVP-TE protocol, form the routing information and wavelength information into a PATH message, and send the PATH message to the downstream node;

The PATH message transmitting module is used to implement the following function:

when a downstream node receives the PATH message, it determines whether the assigned wavelength is occupied on the link between that downstream node and the next node; if it is not occupied, it forwards the PATH message to the next node; if it is occupied, processing enters the tree-building request R4 forming module;

The RESV message generating module is used to implement the following function:

after all tail nodes in the transmission of the PATH message transmitting module receive the PATH message, they perform source authentication of the PATH message using the TCP-AO mechanism, generate a RESV message, and pass it back upstream along the transmission path of step 8 to the source node and each branch node, completing the wavelength configuration on the links between adjacent nodes according to the assigned wavelength;

The confirmation message generating module is used to implement the following function:

after the source node and all branch nodes receive the RESV message, each generates a confirmation message and sends it to the cPCE of its own domain; the cPCE forwards the confirmation message to the pPCE; once the pPCE has confirmed receipt of all confirmation messages, it sends a tree-building success message to the cPCE of the source node's domain, which sends the tree-building success message to the source node; the source node may then begin multicast transmission of data.

Compared with the prior art, the present invention has the following technical effects: while ensuring its own security, it can compute and establish a secure optical tree in a multi-domain optical network, with a lower blocking rate and a smaller optical tree establishment delay.

The solution of the present invention is further explained and described in detail below with reference to the drawings and embodiments.

Description of the drawings

Figure 1 is a graph of the number of multicast requests versus the average blocking rate;

Figure 2 is a graph of the number of domains versus the average blocking rate;

Figure 3 shows the relationship between network load and average optical tree establishment time;

Figure 4 shows the relationship between the number of network signalling messages and network running time.

Detailed description of embodiments

For the nested-hash-chain-based mutual authentication method, see the patent document "Hash-function-based mutual authentication method and system", application number CN 200910168758, publication number CN 101662366A, published 3 March 2010.

For the multi-domain optical network secure multicast routing computation algorithm based on artificial immunity and trust degree, see: Geng Xinyuan, Wu Qiwu, Jiang Lingzhi, "Multi-domain optical network secure multicast routing algorithm based on artificial immunity and trust degree" [J], Science Technology and Engineering, 2017, No. 33, pp. 291-296.

In the method of the present invention for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE, the source node and the destination nodes are not within a single domain; the method specifically comprises the following steps:

Step 1: a source node in the optical network receives a multicast connection request from the client network, and the source node sends a tree-building request R1 to the cPCE of the domain in which the source node is located;

Step 2: the cPCE of the source node's domain receives the tree-building request R1, performs identity authentication of R1 using the nested-hash-chain-based mutual authentication method, and performs source authentication of R1 using the TCP-AO mechanism; since the destination nodes and the source node are not in the same domain, this tree-building request R1 is a cross-domain tree-building request, and the cPCE of the source node's domain sends R1 to the pPCE;

Step 3: after the pPCE receives the tree-building request R1 from the cPCE of the source node's domain, it performs identity authentication of R1 using the nested-hash-chain-based mutual authentication method and source authentication of R1 using the TCP-AO mechanism; according to the domain of the source node and the domains of the destination nodes, it computes the optimal abstract multicast tree routing information using the multi-domain optical network secure multicast routing computation algorithm based on artificial immunity and trust degree; R1 together with the optimal abstract multicast tree routing information forms a tree-building request R2, and the pPCE sends R2 to the cPCE of each domain traversed by the optimal abstract multicast tree route.

Step 4: the cPCE of each domain traversed by the optimal abstract multicast tree route computes intra-domain multicast tree routing information; the intra-domain multicast tree routing information and R2 form a tree-building request R3; the cPCE of each domain sends R3 to the pPCE;

Step 5: the assigned wavelength is obtained using the first-fit algorithm; optionally, the most-used or least-used algorithm may also be used here to obtain the assigned wavelength; the intra-domain multicast tree routing information computed by the cPCE of each domain in step 4 is combined to form strict multicast tree routing information; the strict multicast tree routing information and the assigned wavelength form a tree-building request R4; the pPCE sends R4 to the cPCEs managing the source node or branch nodes;

Step 6: after a cPCE managing the source node or a branch node in step 5 receives the tree-building request R4, it performs source authentication of R4 using the TCP-AO mechanism;

each cPCE reads the strict multicast tree routing information from R4; the cPCE managing the source node extracts the routing information between the source node and the branch nodes within that cPCE's domain, this routing information together with the assigned wavelength generates a tree-building request R5, and the cPCE managing the source node sends R5 to the source node; the cPCE managing a branch node extracts the routing information between the branch nodes within that cPCE's domain, this routing information together with the assigned wavelength generates a tree-building request R5', and the cPCE managing the branch node sends R5' to each branch node.

Step 7: after the source node and each branch node receive the tree-building requests R5 and R5', they perform source authentication of R5 and R5' using the TCP-AO mechanism and obtain, respectively, the routing information between the source node and the branch nodes and the routing information between the branch nodes, each together with the assigned wavelength; the source node and each branch node start the RSVP-TE protocol, form the routing information and wavelength information into a PATH message, and send the PATH message to the downstream node.

Step 8: when a downstream node receives the PATH message, it determines whether the assigned wavelength is occupied on the link between that downstream node and the next node; if it is not occupied, it forwards the PATH message to the next node; if it is occupied, the method returns to step 5.

Step 9: after all tail nodes in the transmission of step 8 receive the PATH message, they perform source authentication of the PATH message using the TCP-AO mechanism, generate a RESV message, and pass it back upstream along the transmission path of step 8 to the source node and each branch node, completing the wavelength configuration on the links between adjacent nodes according to the assigned wavelength.

Step 10: after the source node and all branch nodes receive the RESV message, each generates a confirmation message and sends it to the cPCE of its domain; the cPCE forwards the confirmation message to the pPCE; once the pPCE has confirmed receipt of all confirmation messages, indicating that wavelength resource configuration is complete, it sends a tree-building success message to the cPCE of the source node's domain, which sends the tree-building success message to the source node; the source node may then begin multicast transmission of data.
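The ten-step procedure above (and its summary form earlier on the page), as an added simulation that is not the patent's code. Assumptions: the nested hash chain of CN 101662366A is replaced by a plain one-way hash chain, TCP-AO by an HMAC-SHA256 tag under a constructed per-peer key, the artificial-immune/trust routing algorithm by shortest-path BFS over a constructed three-domain topology, and a constructed race hook shows step 8 falling back to step 5 when a wavelength becomes occupied between computation and signalling.

```python
# Added example (not the patent's code): a compact simulation of steps 1-10 using
# stand-ins that are all assumptions: a one-way hash chain for the nested-hash-chain
# identity check, HMAC-SHA256 under a per-peer key for TCP-AO source authentication,
# and shortest-path BFS for the artificial-immune/trust-based routing algorithm.
import hashlib
import hmac
import json
from collections import Counter, deque

WAVELENGTHS = 4  # constructed: wavelengths 0..3 on every fibre link
# Constructed topology: node "X1" lies in domain X; values are occupied wavelengths.
LINKS = {frozenset(e): set(used) for e, used in [
    (("A1", "A2"), {0}), (("A2", "A3"), set()), (("A3", "B1"), {0}),
    (("B1", "B2"), set()), (("B2", "B3"), {0, 1}), (("B1", "C1"), set()),
    (("C1", "C2"), set()), (("C2", "C3"), {0})]}

# Constructed per-peer shared keys standing in for TCP-AO master keys.
KEYS = {("src", "cPCE-A"): b"k1", ("pPCE", "cPCE-A"): b"k2",
        ("pPCE", "cPCE-B"): b"k3", ("pPCE", "cPCE-C"): b"k4"}

def tag(key, body):
    """Source-authentication tag over the canonical JSON of a request."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key, body, t):
    return hmac.compare_digest(tag(key, body), t)

class HashChain:
    """One-way hash chain (stand-in, see header). The prover reveals tokens
    newest-first; the verifier accepts a token only if it hashes to the current
    anchor, then advances the anchor so the same token cannot be replayed."""
    def __init__(self, seed, n):
        self.tokens = [seed]
        for _ in range(n):
            self.tokens.append(hashlib.sha256(self.tokens[-1]).digest())
        self.anchor = self.tokens.pop()  # verifier-side state

    def check(self, token):
        ok = hashlib.sha256(token).digest() == self.anchor
        if ok:
            self.anchor = token
        return ok

def shortest_path(a, b):
    prev, queue = {a: None}, deque([a])
    while queue:
        n = queue.popleft()
        for m in (m for e in LINKS if n in e for m in e if m != n):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    path = [b]
    while prev[path[-1]] is not None:
        path.append(prev[path[-1]])
    return path[::-1]

def compute_tree(source, leaves):
    """Steps 3-4 folded together: the strict tree as parent->child edges."""
    edges = set()
    for leaf in leaves:
        p = shortest_path(source, leaf)
        edges.update(zip(p, p[1:]))
    return edges

def first_fit(edges, excluded):
    """Step 5: the lowest wavelength that is free on every link of the tree."""
    free = (w for w in range(WAVELENGTHS) if w not in excluded
            and all(w not in LINKS[frozenset(e)] for e in edges))
    return next(free, None)

def establish(source, leaves, token, chain, race=lambda w: None):
    # Steps 1-2: R1 reaches the source's cPCE, which checks identity (hash-chain
    # token) and then source (tag); step 3's pPCE hop would repeat these checks.
    r1 = {"src": source, "leaves": sorted(leaves)}
    k = KEYS[("src", "cPCE-A")]
    if not (chain.check(token) and verify(k, r1, tag(k, r1))):
        return {"ok": False, "reason": "R1 rejected at cPCE"}
    edges = compute_tree(source, leaves)
    excluded, attempts = set(), 0
    while True:
        attempts += 1
        w = first_fit(edges, excluded)  # step 5: R4 = strict tree + wavelength
        if w is None:
            return {"ok": False, "reason": "blocked", "attempts": attempts}
        for dom in {a[0] for a, _ in edges}:  # steps 6-7: R5/R5' per domain
            r5 = {"edges": sorted(e for e in edges if e[0][0] == dom), "wl": w}
            k = KEYS[("pPCE", "cPCE-" + dom)]
            if not verify(k, r5, tag(k, r5)):
                return {"ok": False, "reason": "R5 rejected"}
        race(w)  # constructed hook: a concurrent reservation lands mid-signalling
        if any(w in LINKS[frozenset(e)] for e in edges):  # step 8: PATH clash
            excluded.add(w)  # back to step 5 with this wavelength ruled out
            continue
        for e in edges:  # step 9: RESV travels back and configures w per link
            LINKS[frozenset(e)].add(w)
        fanout = Counter(a for a, _ in edges)  # step 10: confirmations
        branches = sorted(n for n, c in fanout.items() if c > 1)
        return {"ok": True, "wavelength": w, "attempts": attempts,
                "branch_nodes": branches, "confirmations": 1 + len(branches)}
```

Calling `establish("A1", ["B3", "C3"], chain.tokens[-1], chain)` walks one request through all ten steps; a second call with the same token is rejected at the cPCE, which is the replay property the hash chain provides.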

Another aspect of the present invention provides a system for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE, comprising a tree-building request R1 receiving module, a tree-building request R1 sending module, a tree-building request R2 forming module, a tree-building request R3 forming module, a tree-building request R4 forming module, a tree-building request R5 forming module, a PATH message forming module, a PATH message transmitting module, a RESV message generating module and a confirmation message generating module, wherein:

The module for receiving tree-building request R1 implements the following function:

the source node in the optical network receives a multicast connection request and sends tree-building request R1 to the cPCE of the domain where the source node is located;

The module for sending tree-building request R1 implements the following function:

the cPCE of the source node's domain receives tree-building request R1, performs identity authentication of R1 using the two-way authentication method based on nested hash chains, and performs source authentication of R1 using the TCP-AO mechanism; the cPCE of the source node's domain then sends tree-building request R1 to the pPCE;

The module for forming tree-building request R2 implements the following function:

after receiving tree-building request R1 from the cPCE of the source node's domain, the pPCE performs identity authentication of R1 using the two-way authentication method based on nested hash chains and source authentication of R1 using the TCP-AO mechanism; it then computes the optimal abstract multicast tree routing information using the multi-domain optical network secure multicast routing computation algorithm based on artificial immunity and trust degree; tree-building request R1 and the optimal abstract multicast tree routing information together form tree-building request R2, which the pPCE sends to the cPCE of each domain traversed by the optimal abstract multicast tree route;

The module for forming tree-building request R3 implements the following function:

the cPCE in each domain traversed by the optimal abstract multicast tree route computes the intra-domain multicast tree routing information; the intra-domain multicast tree routing information and tree-building request R2 form tree-building request R3; the cPCE of each domain sends tree-building request R3 to the pPCE;

The module for forming tree-building request R4 implements the following function:

the allocated wavelength is determined; all intra-domain multicast tree routing information obtained in the module for forming tree-building request R3 is combined to form the strict multicast tree routing information; the strict multicast tree routing information and the allocated wavelength form tree-building request R4; the pPCE sends tree-building request R4 to the cPCE managing the source node or a branch node;

The module for forming tree-building request R5 and tree-building request R5' implements the following function:

after the cPCE managing the source node or a branch node (as addressed by the module for forming tree-building request R4) receives tree-building request R4, it performs source authentication of R4 using the TCP-AO mechanism; the cPCEs managing the source node and the branch nodes each read the strict multicast tree routing information from tree-building request R4; the cPCE managing the source node extracts the routing information between the source node and the branch nodes within its domain, and this routing information together with the allocated wavelength forms tree-building request R5, which the cPCE managing the source node sends to the source node; the cPCE managing a branch node extracts the routing information between the branch nodes within its domain, and this routing information together with the allocated wavelength forms tree-building request R5', which the cPCE managing the branch node sends to each branch node;

The PATH message forming module implements the following function:

after the source node and each branch node receive tree-building request R5 or R5', they perform source authentication of R5 and R5' using the TCP-AO mechanism and thereby obtain, respectively, the routing information between the source node and the branch nodes and the routing information between branch nodes, each together with the allocated wavelength; the source node and each branch node start the RSVP-TE protocol, form the routing information and wavelength information into PATH messages, and send the PATH messages to the downstream node;

The PATH message transmitting module implements the following function:

when a downstream node receives a PATH message, it checks whether the allocated wavelength is occupied on the link between itself and the next node; if it is not occupied, the PATH message is passed on to the next node; if it is occupied, processing returns to the module for forming tree-building request R4;

The RESV message generating module implements the following function:

after all tail nodes in the transmission process of the PATH message transmitting module receive the PATH message, they perform source authentication of the PATH message using the TCP-AO mechanism, generate a RESV message, pass it back upstream along the transmission path of Step 8 to the source node and each branch node, and complete wavelength configuration on the links between adjacent nodes according to the allocated wavelength;

The acknowledgment message generating module implements the following function:

after the source node and all branch nodes receive the RESV message, each generates an acknowledgment message and sends it to the cPCE of its own domain; the cPCE forwards the acknowledgment to the pPCE; once the pPCE has confirmed receipt of all acknowledgments, it sends a tree-establishment success message to the cPCE of the source node's domain, which sends the tree-establishment success message to the source node; the source node can then begin multicast data transmission.
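The wavelength allocation, PATH/RESV and acknowledgment phases above (Steps 5 to 10 of the method, and the R4 through acknowledgment modules of the system) can be exercised end to end in a small model. The following Python block is an added example written for this page; it is not code from the patent or from SSANS. The tree, link occupancy, the pPCE's stale view of that occupancy and the shared key are constructed sample values. The message MAC is a plain HMAC-SHA256 over the message body, used here only as a stand-in for the source authentication that TCP-AO provides on the real transport; the nested-hash-chain identity authentication of Steps 2 and 3 is not modelled.

```python
import hashlib
import hmac

# Constructed sample data (assumptions for this example, not from the patent).
# Multicast tree rooted at source node S, written as parent -> children.
SAMPLE_TREE = {"S": ["A", "B"], "A": ["A1", "A2"], "B": ["B1"]}
# Wavelengths actually in use on each directed tree link (ground truth).
SAMPLE_LINK_STATE = {("S", "A"): {0}, ("A", "A2"): {0, 1}}
# The pPCE's (deliberately stale) view of link occupancy at allocation time.
SAMPLE_PCE_VIEW = {("S", "A"): {0}}
# Shared key standing in for the TCP-AO traffic key between neighbouring peers.
SAMPLE_KEY = b"example-shared-traffic-key"


def tag(key, payload):
    """MAC over a message body; stand-in for the TCP-AO MAC on each segment."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(key, payload, mac):
    """Source authentication: a receiver drops messages whose MAC does not verify."""
    return hmac.compare_digest(tag(key, payload), mac)


def tree_links(tree):
    return [(p, c) for p, kids in tree.items() for c in kids]


def leaves(tree):
    """Tail nodes: children that are nobody's parent."""
    return [c for _, c in tree_links(tree) if c not in tree]


def parent_of(tree):
    return {c: p for p, c in tree_links(tree)}


def allocate_wavelength(pce_view, tree, num_wavelengths):
    """Step 5 / R4: pPCE picks the lowest wavelength free on every tree link in its view."""
    for wl in range(num_wavelengths):
        if all(wl not in pce_view.get(link, set()) for link in tree_links(tree)):
            return wl
    return None


def path_phase(tree, root, link_state, wl, key):
    """Steps 7-8: PATH flows downstream; each hop authenticates it and checks occupancy.
    Returns (ok, conflicting_link_or_None)."""
    stack = [root]
    while stack:
        node = stack.pop()
        for child in tree.get(node, []):
            payload = f"PATH {node}->{child} wl={wl}".encode()
            mac = tag(key, payload)                       # sender tags the message
            if not verify(key, payload, mac):             # downstream node authenticates it
                return False, (node, child)
            if wl in link_state.get((node, child), set()):  # Step 8: wavelength occupied?
                return False, (node, child)
            stack.append(child)
    return True, None


def resv_phase(tree, root, link_state, wl, key):
    """Steps 9-10: each tail node sends RESV upstream; every hop authenticates it and
    configures the wavelength on the link. Returns the nodes that received a RESV."""
    parent = parent_of(tree)
    received = set()
    for tail in leaves(tree):
        node = tail
        while node != root:
            up = parent[node]
            payload = f"RESV {node}->{up} wl={wl}".encode()
            if not verify(key, payload, tag(key, payload)):
                raise ValueError(f"RESV from {node} failed source authentication")
            link_state.setdefault((up, node), set()).add(wl)  # configure wl on the link
            received.add(up)
            node = up
    return received


def establish_tree(tree, root, link_state, pce_view, num_wavelengths, key):
    """Runs Steps 5-10 including the 'occupied -> back to Step 5' retry loop."""
    attempts = 0
    while True:
        attempts += 1
        wl = allocate_wavelength(pce_view, tree, num_wavelengths)
        if wl is None:
            return {"success": False, "attempts": attempts}
        ok, conflict = path_phase(tree, root, link_state, wl, key)
        if not ok:
            pce_view.setdefault(conflict, set()).add(wl)  # learn the conflict, reallocate
            continue
        acked = resv_phase(tree, root, link_state, wl, key)
        expected = {root} | {n for n in tree if n != root}  # source + branch nodes
        return {"success": acked == expected, "wavelength": wl,
                "attempts": attempts, "acks": len(acked)}


def forged_message_rejected(key):
    """A PATH message tagged under a different key must fail source authentication."""
    payload = b"PATH S->A wl=2"
    return not verify(key, payload, tag(b"wrong-key", payload))


def run_sample():
    """Establish the sample tree on copies of the sample state."""
    link_state = {k: set(v) for k, v in SAMPLE_LINK_STATE.items()}
    pce_view = {k: set(v) for k, v in SAMPLE_PCE_VIEW.items()}
    return establish_tree(SAMPLE_TREE, "S", link_state, pce_view, 4, SAMPLE_KEY)


if __name__ == "__main__":
    print(run_sample())
```

On the sample data the pPCE first allocates wavelength 1 (the only occupancy it knows about is wavelength 0 on S to A); the PATH check at A finds wavelength 1 in use on the link to A2, the pPCE records that conflict and reallocates wavelength 2, and the RESV phase then configures it on every tree link and collects acknowledgments from the source S and the branch nodes A and B. The point worth noticing for a defender is that each hop verifies the MAC before acting on the message, so a request that was not produced by a holder of the peer key never triggers a reservation.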

Embodiment

The present invention uses SSANS, a multi-domain optical network simulation system based on NS-2, to verify the effectiveness of the proposed scheme (PB-PCE). Lightpath requests are generated according to a Poisson distribution and connection holding times follow an exponential distribution; network load is measured in Erlang (Erl); W wavelengths are configured, each with a bandwidth of 2.5 Gbps; 5% of the total number of nodes are set as malicious nodes that attack at random. The simulation results are as follows:

(1) Connection blocking rate

Figure 1 shows a simulation experiment with the number of domains fixed at 10, giving the effect of the number of multicast requests on the blocking rate; Figure 2 shows a simulation experiment with the network load fixed at 100 Erlang, giving the effect of the number of domains on the average connection blocking rate.

Analysis of the simulation experiment in Figure 1 shows that, with the number of wavelengths W set to 10, 15 and 20 respectively, the connection blocking rate rises markedly as the number of multicast requests increases, while increasing the number of wavelengths improves the connection blocking rate significantly.

Analysis of the simulation experiment in Figure 2 gives the following result: with the number of wavelengths W set to 10, 15 and 20 respectively, the connection blocking rate grows relatively smoothly as the number of domains increases. This is because the present invention builds the multicast tree by parallel branch tree building, which effectively reduces the resource conflicts caused by wavelength contention, and applies multiple security mechanisms to penalize malicious behaviour, which improves connection efficiency. As the number of wavelengths increases, the connection blocking rate decreases.

(2) Multicast tree establishment time

With the number of wavelengths fixed at 10, the effect of network load on the optical tree establishment delay is simulated. Figure 3 shows the effect of network load on the average optical tree establishment time.

Analysis of the simulation results in Figure 3 shows that, with the number of domains D set to 5, 10 and 15 respectively, the establishment time grows slowly as the optical network load increases while the load is low, and begins to grow linearly once the network runs under high load. This is because the method of the present invention uses branch-parallel tree building, so at low load an increase in the number of domains does not cause a significant increase in optical tree establishment time; under excessive load, the number of service computations such as routing and wavelength assignment and the number of tree-building request messages exceed the capacity of the PCE, and the resource pressure caused by the increased message volume also makes the optical tree establishment time rise quickly; however, because the secure wavelength assignment mechanism allocates resources reasonably and effectively avoids wavelength conflicts, the optical tree establishment delay remains within an acceptable range.

(3) Message load

The simulation is run with the number of domains set to 10 and the number of wavelengths set to 10. Figure 4 shows the relationship between the number of signalling messages and network running time.

Figure 4 shows that, with the network load L set to 50 Erl and 100 Erl respectively, the number of signalling messages grows linearly with time as the number of domains in the optical network increases. At a load of 150 Erl, however, the wavelength resources of the optical network are under pressure and a large number of signalling messages must be sent to invoke multiple modules to relieve the load on the whole network; the total number of signalling messages therefore grows faster at a load of 150 Erl, but remains within the range the optical network can bear.

Claims (2)

1. A method for establishing a secure optical tree in a multi-domain optical network based on hierarchical PCE, characterized by comprising the following steps:
step 1, a source node in an optical network receives a multicast connection request, and the source node sends a tree building request R1 to the cPCE of the domain where the source node is located;
step 2, the cPCE of the domain where the source node is located receives the tree building request R1, performs identity authentication on the tree building request R1 by using a two-way authentication method based on a nested hash chain, and performs source authentication on the tree building request R1 by using a TCP-AO mechanism; the cPCE of the domain where the source node is located sends the tree building request R1 to the pPCE;
step 3, after receiving the tree building request R1 sent by the cPCE of the domain where the source node is located, the pPCE performs identity authentication on the tree building request R1 by using a two-way authentication method based on a nested hash chain, and performs source authentication on the tree building request R1 by using a TCP-AO mechanism; optimal abstract multicast tree routing information is calculated by adopting a multi-domain optical network secure multicast routing calculation algorithm based on artificial immunity and trust; the tree building request R1 and the optimal abstract multicast tree routing information form a tree building request R2, and the pPCE sends the tree building request R2 to the cPCE of each domain through which the optimal abstract multicast tree routing information passes;
step 4, the cPCE in each domain through which the optimal abstract multicast tree routing information passes calculates intra-domain multicast tree routing information; the intra-domain multicast tree routing information and the tree building request R2 form a tree building request R3; the cPCE in each domain sends the tree building request R3 to the pPCE;
step 5, determining the allocated wavelength; combining all intra-domain multicast tree routing information obtained in step 4 to form strict multicast tree routing information; the strict multicast tree routing information and the allocated wavelength form a tree building request R4; the pPCE sends the tree building request R4 to the cPCE managing the source node or a branch node;
step 6, after receiving the tree building request R4, the cPCE managing the source node or the branch node in step 5 performs source authentication on the tree building request R4 by using a TCP-AO mechanism; the cPCEs managing the source node and the branch nodes each read the strict multicast tree routing information from the tree building request R4; the cPCE managing the source node extracts the routing information between the source node and the branch nodes in its domain, this routing information and the allocated wavelength generate a tree building request R5, and the cPCE managing the source node sends the tree building request R5 to the source node; the cPCE managing a branch node extracts the routing information among the branch nodes in its domain, this routing information and the allocated wavelength generate a tree building request R5', and the cPCE managing the branch node sends the tree building request R5' to each branch node;
step 7, after the source node and each branch node receive the tree building request R5 or R5', the TCP-AO mechanism is used to perform source authentication on the tree building requests R5 and R5', so as to respectively obtain the routing information between the source node and the branch nodes and the routing information among the branch nodes, together with the allocated wavelength; the source node and each branch node start the RSVP-TE protocol, form the routing information and wavelength information into PATH messages, and send the PATH messages to the downstream node;
step 8, after the downstream node receives the PATH message, it judges whether the allocated wavelength is occupied on the link between the downstream node and the next node; if not, it transmits the PATH message to the next node; if it is occupied, the method returns to step 5;
step 9, after all tail nodes in the transmission process of step 8 receive the PATH message, source authentication is performed on the PATH message by using a TCP-AO mechanism and a RESV message is generated; the RESV message is transmitted to the upstream source node and each branch node in the reverse direction along the transmission path of step 8, and wavelength configuration on the links between adjacent nodes is completed according to the allocated wavelength;
step 10, after receiving the RESV message, the source node and all branch nodes each generate a confirmation message and send it to the cPCE of the domain where they are located; the cPCE forwards the confirmation message to the pPCE; after the pPCE confirms that all confirmation messages have been received, the pPCE sends a tree building success message to the cPCE of the domain where the source node is located, and that cPCE sends the tree building success message to the source node; the source node can then start multicast data transmission.
2. A secure optical tree establishment system for a multi-domain optical network based on hierarchical PCE, characterized by comprising a tree building request R1 receiving module, a tree building request R1 sending module, a tree building request R2 forming module, a tree building request R3 forming module, a tree building request R4 forming module, a tree building request R5 forming module, a PATH message forming module, a PATH message transmitting module, a RESV message generating module and a confirmation message generating module, wherein:
the tree building request R1 receiving module is used to realize the following function:
a source node in an optical network receives a multicast connection request, and the source node sends a tree building request R1 to the cPCE of the domain where the source node is located;
the tree building request R1 sending module is used to realize the following function:
the cPCE of the domain where the source node is located receives the tree building request R1, performs identity authentication on the tree building request R1 by using a two-way authentication method based on a nested hash chain, and performs source authentication on the tree building request R1 by using a TCP-AO mechanism; the cPCE of the domain where the source node is located sends the tree building request R1 to the pPCE;
the tree building request R2 forming module is used to realize the following function:
after receiving the tree building request R1 sent by the cPCE of the domain where the source node is located, the pPCE performs identity authentication on the tree building request R1 by using a two-way authentication method based on a nested hash chain, and performs source authentication on the tree building request R1 by using a TCP-AO mechanism; optimal abstract multicast tree routing information is calculated by adopting a multi-domain optical network secure multicast routing calculation algorithm based on artificial immunity and trust; the tree building request R1 and the optimal abstract multicast tree routing information form a tree building request R2, and the pPCE sends the tree building request R2 to the cPCE of each domain through which the optimal abstract multicast tree routing information passes;
the tree building request R3 forming module is used to realize the following function:
the cPCE in each domain through which the optimal abstract multicast tree routing information passes calculates intra-domain multicast tree routing information; the intra-domain multicast tree routing information and the tree building request R2 form a tree building request R3; the cPCE in each domain sends the tree building request R3 to the pPCE;
the tree building request R4 forming module is used to realize the following function:
determining the allocated wavelength; combining all intra-domain multicast tree routing information obtained by the tree building request R3 forming module to form strict multicast tree routing information; the strict multicast tree routing information and the allocated wavelength form a tree building request R4; the pPCE sends the tree building request R4 to the cPCE managing the source node or a branch node;
the tree building request R5 forming module and tree building request R5' forming module are used to realize the following function:
after receiving the tree building request R4, the cPCE managing the source node or the branch node addressed in the tree building request R4 forming module performs source authentication on the tree building request R4 by using a TCP-AO mechanism; the cPCEs managing the source node and the branch nodes each read the strict multicast tree routing information from the tree building request R4; the cPCE managing the source node extracts the routing information between the source node and the branch nodes in its domain, this routing information and the allocated wavelength generate a tree building request R5, and the cPCE managing the source node sends the tree building request R5 to the source node; the cPCE managing a branch node extracts the routing information among the branch nodes in its domain, this routing information and the allocated wavelength generate a tree building request R5', and the cPCE managing the branch node sends the tree building request R5' to each branch node;
the PATH message forming module is configured to realize the following function:
after the source node and each branch node receive the tree building request R5 or R5', the TCP-AO mechanism is used to perform source authentication on the tree building requests R5 and R5', and the routing information between the source node and the branch nodes and the routing information among the branch nodes are respectively obtained together with the allocated wavelength; the source node and each branch node start the RSVP-TE protocol, form the routing information and wavelength information into PATH messages, and send the PATH messages to the downstream node;
the PATH message transmitting module is used to realize the following function:
after receiving the PATH message, the downstream node judges whether the allocated wavelength is occupied on the link between the downstream node and the next node; if not, the PATH message is transmitted to the next node; if it is occupied, processing enters the tree building request R4 forming module;
the RESV message generating module is used to realize the following function:
after all tail nodes in the transmission process of the PATH message transmitting module receive the PATH message, source authentication is performed on the PATH message by using a TCP-AO mechanism and a RESV message is generated; the RESV message is transmitted to the upstream source node and each branch node in the reverse direction along the transmission path of step 8, and wavelength configuration on the links between adjacent nodes is completed according to the allocated wavelength;
the confirmation message generating module is used to realize the following function:
after receiving the RESV message, the source node and all branch nodes each generate a confirmation message and send it to the cPCE of the domain where they are located; the cPCE forwards the confirmation message to the pPCE; after the pPCE confirms that all confirmation messages have been received, the pPCE sends a tree building success message to the cPCE of the domain where the source node is located, and that cPCE sends the tree building success message to the source node; the source node can then start multicast data transmission.
CN201810072313.6A 2018-01-04 2018-01-25 Method and system for establishing secure optical tree in multi-domain optical network based on hierarchical PCE Active CN108390825B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810008698X 2018-01-04
CN201810008698 2018-01-04

Publications (2)

Publication Number Publication Date
CN108390825A CN108390825A (en) 2018-08-10
CN108390825B true CN108390825B (en) 2020-10-16

Family

ID=63076548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810072313.6A Active CN108390825B (en) 2018-01-04 2018-01-25 Method and system for establishing secure optical tree in multi-domain optical network based on hierarchical PCE

Country Status (1)

Country Link
CN (1) CN108390825B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110120836B (en) * 2019-03-26 2020-05-05 中国人民武装警察部队工程大学 Method for determining and positioning crosstalk attack detection node of multi-domain optical network
CN111030933B (en) * 2019-11-22 2021-11-02 中国人民武装警察部队工程大学 A Secure Multicast Routing Method for Multi-Domain Optical Networks Based on Distributed PCE

Also Published As

Publication number Publication date
CN108390825A (en) 2018-08-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant