CN110213242A - An efficient path verification method in the context of multipath routing - Google Patents


Publication number: CN110213242A
Authority: CN (China)
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910386189.5A
Other languages: Chinese (zh)
Other versions: CN110213242B (en)
Inventors: 卜凯, 马麟, 吴宁超, 罗天翔
Current Assignee: Zhejiang University ZJU (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhejiang University ZJU
Application filed by Zhejiang University ZJU
Priority to CN201910386189.5A
Publication of CN110213242A
Application granted
Publication of CN110213242B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H04L45/38 Flow based routing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an efficient path verification method in the context of multipath routing, comprising: (1) for a source node S, a destination node D and the set M of multipath paths permitted between the two, dividing the multipath paths into hierarchically ordered single-path segments and assigning a tag to each segment; (2) during key-exchange configuration, the source node sends the divided single-path segments and their tags to the intermediate routers, and each router stores locally the segments it lies on; (3) after key exchange and configuration are complete, the source node initializes the protocol header; (4) after the protocol header is initialized, it is encapsulated together with the payload into an IP packet and sent into the network, and when an intermediate router R_i receives the packet it performs path verification. The invention has advantages that ordinary methods lack, such as low communication overhead, fast protocol-header initialization and a short overall verification time, which helps its adoption in practice.

Description

An efficient path verification method in the context of multipath routing
Technical field
The invention belongs to the technical field of routing security, and in particular relates to an efficient path verification method in the context of multipath routing.
Background
Existing routing is opaque and insecure: once a packet has been sent, neither the source nor the destination can control how it is forwarded, which leaves the whole network vulnerable to attacks such as distributed denial of service (DDoS), flow redirection and IP hijacking. To guarantee path compliance and origin authentication of the source node, path verification based on cryptographic information carried in the packet has been proposed. Its work is divided into two phases:
Initialization phase: keys are established and exchanged, and the source announces the selected path to all intermediate nodes. Payload forwarding phase: using the keys obtained, the source constructs the cryptographic protocol header and embeds it in the packet; each intermediate node verifies the packet header to prove that the packet was forwarded along the legitimate path, and updates the verification information to prove to downstream nodes that it forwarded the packet.
Path verification strives for efficiency. ICING aggregates message authentication codes (MACs) to reduce the space overhead of the verification information from O(n²) to O(n): all verification data prepared for the intermediate routers is combined by XOR, and when a router receives a packet it extracts its information by computing XOR in the same way. OPT inherits ICING's aggregated computation strategy; by letting the source and destination share the keys of all intermediate nodes (by default the source and destination are trusted in the communication), the source can compute the verification field OV (Origin Validation) for the intermediate nodes in advance,
Assuming that the public-key-based symmetric key exchange is trustworthy, no malicious node other than the source and the router itself can forge this field; by computing and verifying the field, a router authenticates the source. To enforce path compliance, OPT combines the PVF (Path Verification Field) in the protocol header with OV to obtain OPV (Origin and Path Validation). The idea is to require each node, before forwarding a packet, to update the PVF by encrypting it with its own key; when the source precomputes OV, it also takes the correct PVF as an input parameter, as follows
With this design, an intermediate router under the OPT protocol only needs to recompute OPV′ with its own key and, if the comparison succeeds, update the PVF with its key. This gives O(1) verification complexity and greatly reduces verification overhead. OPT's excellent design has made it the prototype for many other path verification algorithms, such as OSV and PPV. OSV generates the verification fields with an algorithm similar to orthogonal code-division multiplexing, which speeds up verification further; PPV uses probabilistic sampling and does not require every node to verify, which reduces the overhead of verifying packets.
Traditional routing usually selects one path (typically the shortest path) for communication, and once that path fails, data transmission fails. Multipath routing communicates over several backup paths, so when one of them is congested or broken, traffic can be carried by the others. Although not yet widely deployed, multipath routing offers high reliability, flexibility, large bandwidth and better security. In a real network the number of paths between two points is exponential, and how the legitimate set of paths is chosen from them depends on the specific algorithm and the user's expectations: the Feedback Routing protocol aims to improve the reliability of data transmission and always dynamically computes two paths that are as disjoint as possible, so that an accident on one path does not affect the other; the Equal-Cost Multi-Path routing protocol aims to increase concurrency and allows multiple paths when their costs are equal; the Multi-path Interdomain ROuting protocol is more flexible, since nodes can obtain the desired path through negotiation; Path Deflection aims to maximize path diversity, with the source setting different tags in packets so that the routers along the way select different paths for forwarding.
Path verification is regarded as one of the indispensable security functions of the future Internet, and the advantages that multipath routing brings, such as load balancing and high robustness, also meet the growing demand for reliability and performance. In the related literature, however, path verification is always discussed on the premise of single-path routing, and the multipath case has not been studied. Starting from existing solutions, the challenges in realizing path verification under multipath routing are:
1. How to generate a compact verification protocol header, reducing its size as far as possible while keeping verification secure. As the number of paths grows, the verification information carried in a packet inevitably grows too, so finding the redundancy in this data becomes an important question for reducing overhead.
2. How to locate the verification fields quickly. Unlike the single-path case, the verification information carried by a packet in multipath routing is not a simple linear array. How this information is organized, so that an intermediate node can more quickly extract the input it needs and the data it must update, is also key to reducing the cost of verification.
Summary of the invention
The invention provides an efficient path verification method in the context of multipath routing, with advantages such as low communication overhead, fast protocol-header initialization and a short overall verification time.
The technical solution of the invention is as follows:
An efficient path verification method in the context of multipath routing, comprising:
(1) for a source node S, a destination node D and the set M of multipath paths permitted between the two, dividing the multipath paths into hierarchically ordered single-path segments and assigning a tag to each segment;
(2) during key-exchange configuration, the source node sends the divided single-path segments and their tags to the intermediate routers, and each router stores locally the segments it lies on;
(3) after key exchange and configuration are complete, the source node initializes the protocol header;
(4) after the protocol header is initialized, it is encapsulated together with the payload into an IP packet and sent into the network; when an intermediate router R_i receives the packet, it performs path verification.
To avoid carrying verification information with duplicate function, the invention organizes the multiple paths into layers and segments and uses the idea of virtual links to convert the multipath problem into a single-path problem. The specific steps of step (1) are:
(1-1) generate the network flow graph G from the multipath paths M, store the total flow of the network in the variable x_f, and initialize the layer depth d = 0;
(1-2) traverse from the source node to the sink, connecting in order the nodes whose flow equals x_f into the single-layer path h, which constructs the single-path path of this layer;
(1-3) add the single-layer path h to the division result H;
(1-4) traverse each edge l = <v_i, v_j> in the h obtained; if , this means that i and j are connected by a virtual link; traverse the set M, merge and extract the path segments that start at i and end at j, and add them to the set M′;
(1-5) paths in the resulting set M′ may converge prematurely (abnorm); determine whether M′ contains convergence points other than point j; if so, go to step (1-6), otherwise go to step (1-7);
(1-6) to remove the ambiguity, select the paths p that contain the same convergence point and output them into H as single-path paths of the lower layer (when there are several convergence points, we process the node with the smaller flow first; this is a heuristic: a convergence point with smaller flow mostly completes its convergence of flow before one with larger flow), and delete path p from M′;
(1-7) let d′ = d + 1, take M′ and d′ as input, and recursively return to step (1).
Through the above steps, the original multiple paths are converted into hierarchically ordered single-path segments. If M = {(0,1,2,4,5,6), (0,1,3,4,5,6)}, the result is H = {(0,1,4,5,6), (1,2,4), (1,3,4)}, where the numbers are router labels (Router IDs). After this conversion, the overlapping parts (0,1) and (4,5,6) of the original paths become part of one single-path segment, and the branches are handed to the lower-layer recursion. To help a verifying router quickly locate the segment it has to verify, the invention also gives each segment a tag (Tag). This technique is particularly suitable for hierarchical verification, because the hierarchical division has eliminated path overlap, and overlapping paths would make the use of tags ambiguous. While simplifying the problem we found that the non-overlapping branches at a branch point are mutually exclusive in actual routing: if node 1 forwards the packet to node 2, the information for (1,3,4) contained in the protocol header has no effect. Based on this, the invention proposes a path pruning strategy: when a router chooses among several next hops, it cuts off the verification information of the segments that were not selected, so that the protocol header shrinks further and path verification becomes more efficient. Using the uniquely identifiable tag designed for each segment, a branch point can quickly identify and delete the verification information related to the unselected paths.
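The division of step (1) and the per-router (tag, hop, prev) triples of step (4-2), as an added Python example that is not code from the patent. It assumes loop-free paths that visit shared nodes in the same order, numbers tags in output order (an assumption), and does not implement the flow-ordering heuristic of step (1-6): it raises when paths converge prematurely without a node common to all of them.

```python
from collections import defaultdict

def _common(paths):
    """Nodes every path passes through (flow equal to x_f), in path order."""
    shared = set(paths[0]).intersection(*paths[1:])
    return tuple(n for n in paths[0] if n in shared)

def _components(paths):
    """Group paths that share an interior node, i.e. converge before the end."""
    groups = []
    for p in paths:
        merged = {"nodes": set(p[1:-1]), "paths": [p]}
        keep = []
        for g in groups:
            if g["nodes"] & merged["nodes"]:
                merged["nodes"] |= g["nodes"]
                merged["paths"] += g["paths"]
            else:
                keep.append(g)
        groups = keep + [merged]
    return [sorted(g["paths"]) for g in groups]

def divide(paths, depth=0, out=None):
    """Return [(layer depth, single-path segment), ...] for a path set M."""
    out = [] if out is None else out
    paths = sorted(set(map(tuple, paths)))
    if len(paths) == 1:                      # already a single-path segment
        out.append((depth, paths[0]))
        return out
    h = _common(paths)
    if len(h) > 2:                           # steps (1-2), (1-3): layer path h
        out.append((depth, h))
        for i, j in zip(h, h[1:]):           # step (1-4): expand virtual links
            subs = {p[p.index(i):p.index(j) + 1] for p in paths}
            if subs != {(i, j)}:             # (i, j) is not a plain real edge
                divide(subs, depth + 1, out) # step (1-7): recurse one layer down
        return out
    comps = _components(paths)               # only the endpoints are shared
    if len(comps) == 1:
        raise NotImplementedError("premature convergence needs step (1-6)")
    for comp in comps:                       # mutually exclusive branches
        divide(comp, depth, out)
    return out

def router_tables(segments):
    """Per-router list of (tag, hop, prev) triples; tag = index in segments."""
    tables = defaultdict(list)
    for tag, (_, seg) in enumerate(segments):
        for hop in range(1, len(seg)):
            tables[seg[hop]].append((tag, hop, seg[hop - 1]))
    return dict(tables)

if __name__ == "__main__":
    M = [(0, 1, 2, 4, 5, 6), (0, 1, 3, 4, 5, 6)]   # the page's example
    H = divide(M)
    print(H)                     # layer 0 trunk plus two layer-1 branches
    print(router_tables(H)[4])   # router 4 is a convergence point: 3 triples
```

Router 4 ends up with one triple per segment it terminates or lies on, which is why a convergence point has more than one verification to perform.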
In step (2), key-exchange configuration uses DRKey, the dynamic key exchange designed in the OPT protocol.
In step (3), the protocol header is initialized as follows:
(3-1) compute a credential chain for each single-path segment obtained in step (1); the computation of the credential chain follows OPT, and the data is organized as a linked list;
(3-2) starting from the lowest layer, in each layer join end to end and merge the credential chains that have the same start point s and end point d;
(3-3) traversing from the lowest layer, for each start point s and end point d find, in the linked list one layer up, the pair of points (s, d) connected by a virtual link, and insert the lower-layer linked list at this position, which completes the insertion step;
(3-4) recurse upward until insertion is complete for all paths except the top layer;
(3-5) traverse the whole linked list and write the protocol metadata and the data of each credential chain into the protocol header.
Through the above steps, the multiple linked lists are integrated into one whole linked list. The invention organizes the header this way, rather than placing the chains side by side, in order to preserve the hierarchy and the coordination between separate paths, so that verification and pruning can be executed efficiently.
In step (4), the specific steps of path verification are:
(4-1) extract the data hash DataHash and the timestamp Timestamp needed for verification, and regenerate the symmetric key K_i;
(4-2) extract the set PATH of triples (tag, hop, prev) from the H received during setup, where tag is the tag of a path containing node N_i, and hop and prev are the node's hop sequence number on that path and the label of its predecessor node;
(4-3) traverse the protocol header of the received packet and locate the position of the tag field whose value equals the locally stored one; use hop to find the required OPV_i, and at the same time compute
Compare OPV_i and OPV_i′; if verification succeeds, update the corresponding PVF, otherwise discard the packet;
Note that if a new field tag′ is read while searching for OPV_i, this means the credential chain of the next layer has been reached; in that case, move the pointer to etag′ to return quickly to the credential chain of the original layer.
In addition, when node R_i is a convergence point it has to complete a double verification, namely the verification of its own layer and the verification of the lower layer that converges into it. This means step (4-3) is repeated twice, and if either one fails, the router discards the packet.
(4-4) choose a legitimate next hop R_j and send the packet; a branch point additionally performs path pruning before sending the packet.
In step (4-4), the following operations are also performed before the packet is sent:
(4-4-1) traverse the paths in H and find the path p that starts at R_i and whose next hop is R_j;
(4-4-2) delete from the protocol header the credential chains unrelated to p;
(4-4-3) update the length and checksum fields in the IP header.
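The nested header of step (3), the tag/etag lookup of step (4-3), double verification at a convergence point and the pruning of step (4-4), as an added Python example that is not code from the patent. The OPV formula is missing from this page, so `opv()` is a labelled stand-in (HMAC-SHA3-256 over DataHash, timestamp, tag, hop and predecessor) that omits PVF chaining; the tag numbers, the flat field list and the keys are constructed for illustration.

```python
import hashlib
import hmac

# Segments of the page's example H; tag numbers are an assumption.
SEGMENTS = {0: (0, 1, 4, 5, 6), 1: (1, 2, 4), 2: (1, 3, 4)}
PARENT = {1: (0, 1, 4), 2: (0, 1, 4)}   # tag -> (upper tag, virtual link s, d)
KEYS = {r: bytes([r]) * 16 for r in range(7)}   # constructed per-router keys
DH = hashlib.sha3_256(b"payload").digest()      # constructed DataHash
TS = 1700000000                                 # constructed Timestamp

def opv(key, data_hash, ts, tag, hop, prev):
    """Stand-in credential; the real OPV also binds the PVF (assumption)."""
    msg = b"|".join([data_hash] + [str(x).encode() for x in (ts, tag, hop, prev)])
    return hmac.new(key, msg, hashlib.sha3_256).digest()[:16]

def build_chain(tag, keys=KEYS, data_hash=DH, ts=TS):
    """Steps (3-1) to (3-5): chain for `tag` with lower chains inserted."""
    seg, fields = SEGMENTS[tag], [("TAG", tag)]
    for hop in range(1, len(seg)):
        for child, (up, s, d) in sorted(PARENT.items()):
            if up == tag and (s, d) == (seg[hop - 1], seg[hop]):
                fields += build_chain(child, keys, data_hash, ts)
        cred = opv(keys[seg[hop]], data_hash, ts, tag, hop, seg[hop - 1])
        fields.append(("OPV", cred))
    return fields + [("ETAG", tag)]

def find_opv(header, tag, hop):
    """Step (4-3): hop-th OPV of chain `tag`; nested chains are skipped."""
    try:
        i, seen = header.index(("TAG", tag)) + 1, 0
        while header[i] != ("ETAG", tag):
            kind, val = header[i]
            if kind == "TAG":                     # entered a lower layer:
                i = header.index(("ETAG", val), i)  # jump to its etag
            elif kind == "OPV":
                seen += 1
                if seen == hop:
                    return val
            i += 1
    except (ValueError, IndexError):              # chain pruned or malformed
        pass
    return None

def triples(router):
    """Step (4-2): the router's locally stored (tag, hop, prev) set."""
    return [(t, s.index(router), s[s.index(router) - 1])
            for t, s in SEGMENTS.items() if router in s[1:]]

def verify(router, header, key, data_hash=DH, ts=TS):
    """Return the tags verified at `router`, or None to drop the packet."""
    verified = []
    for tag, hop, prev in triples(router):
        got = find_opv(header, tag, hop)
        if got is None:
            continue                              # branch not taken upstream
        want = opv(key, data_hash, ts, tag, hop, prev)
        if not hmac.compare_digest(got, want):
            return None
        verified.append(tag)
    return verified or None

def prune(header, router, next_hop):
    """Step (4-4): drop chains of branches leaving `router` another way."""
    out = list(header)
    for tag, seg in SEGMENTS.items():
        if tag in PARENT and seg[0] == router and seg[1] != next_hop:
            if ("TAG", tag) in out:
                del out[out.index(("TAG", tag)):out.index(("ETAG", tag)) + 1]
    return out

if __name__ == "__main__":
    full = build_chain(0)
    pruned = prune(full, 1, 2)                    # router 1 forwards to 2
    print(len(full), len(pruned), verify(4, pruned, KEYS[4]))
```

After router 1 prunes toward next hop 2, router 4 verifies exactly two chains (its own layer and the lower layer that converged), while the unselected router 3 finds no credential at all.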
Studies of single-path verification show that the OPV design is "one-off": once the corresponding node has extracted its OPV and completed authentication, that field brings no further benefit and becomes useless bytes. The path pruning proposed by the invention reduces the communication cost caused by this redundancy. In addition, while maintaining efficiency, the invention helps communication resist the following possible attacks:
Modification attack: an attacker cannot successfully modify the sensitive fields in the protocol header, such as the data hash (DataHash), session identifier (SessionID), timestamp (Timestamp) and tag (Tag), or the PVF and OPV fields in other credential chains. Any modification of this sensitive data directly or indirectly affects verification at subsequent nodes, leading to verification failure and packet loss.
Deviation attack: an attacker cannot make a packet deviate from the specified path, because when a packet is forwarded to an incorrect next hop it does not contain a valid OPV field that can pass verification, so the packet is invalid and is dropped.
Forgery attack: packet modification and path deviation attacks require no strategy, but with a packet forgery attack the attacker can try to forge packets strategically so that they pass verification. To forge such a packet, the attacker needs the key used by the source to construct a valid protocol header. As in any verification solution, the key setup process should be secure and prevent eavesdropping. When the attacker cannot capture routers to hijack their keys, it has to forge a field by random guessing. Faced with a large key space, however, an exhaustive attack cannot accomplish a practical attack.
The invention retains the flexibility of multipath routing while also achieving source node authentication and enforcement of path compliance: packets under the protocol can quickly find an alternative route when a link fails, while network attacks such as prefix hijacking and denial of service are avoided. The invention uses a hierarchical path segmentation technique: by dividing the exponential number of multipath paths into non-overlapping single-path segments and recursively organizing the credential chains of the multipath segments, it reduces the overhead caused by repeated parts of the verification. In the organization of data in the protocol header, added tags let routers quickly locate the credentials required for verification, and the path pruning strategy further improves verification efficiency.
Description of the drawings
Fig. 1 is a flow diagram of an efficient path verification method in the context of multipath routing according to an embodiment of the invention.
Detailed description of the embodiments
The invention is described in further detail below with reference to the drawings and embodiments. Note that the embodiments described below are intended to aid understanding of the invention and do not limit it in any way.
The invention provides a protocol framework for path verification under multipath routing and, on this basis, proposes a path pruning strategy that further reduces communication overhead and improves the efficiency of path verification. Since OPT has been adopted as a prototype by next-generation network frameworks and extended by many studies, we choose it as the prototype for single-path verification.
To avoid carrying verification information with duplicate function, the invention organizes the multiple paths into layers and segments and uses the idea of virtual links to convert the multipath problem into a single-path problem.
As shown in Fig. 1, an efficient path verification method in the context of multipath routing comprises:
S01: for a source node S, a destination node D and the set M of multipath paths permitted between the two, divide the multipath paths into hierarchically ordered single-path segments and assign a tag to each segment. The specific steps are:
(1-1) generate the network flow graph G from the multipath paths M, store the total flow of the network in the variable x_f, and initialize the layer depth d = 0;
(1-2) traverse from the source node to the sink, connecting in order the nodes whose flow equals x_f into the single-layer path h, which constructs the single-path path of this layer;
(1-3) add the single-layer path h to the division result H;
(1-4) traverse each edge l = <v_i, v_j> in the h obtained; if , this means that i and j are connected by a virtual link; traverse the set M, merge and extract the path segments that start at i and end at j, and add them to the set M′;
(1-5) for the resulting set M′, determine whether M′ contains convergence points other than point j; if so, go to step (1-6), otherwise go to step (1-7);
(1-6) select the paths p that contain the same convergence point, output them into H as single-path paths of the lower layer, and delete path p from M′;
(1-7) let d′ = d + 1, take M′ and d′ as input, and recursively return to step (1).
S02: during key-exchange configuration, the source node sends the divided single-path segments and their tags to the intermediate routers, and each router stores locally the segments it lies on.
S03: after key exchange and configuration are complete, the source node initializes the protocol header. The protocol header is initialized as follows:
(3-1) compute a credential chain for each single-path segment obtained in step S01; the computation of the credential chain follows OPT, and the data is organized as a linked list;
(3-2) starting from the lowest layer, in each layer join end to end and merge the credential chains that have the same start point s and end point d;
(3-3) traversing from the lowest layer, for each start point s and end point d find, in the linked list one layer up, the pair of points (s, d) connected by a virtual link, and insert the lower-layer linked list at this position, which completes the insertion step;
(3-4) recurse upward until insertion is complete for all paths except the top layer;
(3-5) traverse the whole linked list and write the protocol metadata and the data of each credential chain into the protocol header.
S04: after the protocol header is initialized, it is encapsulated together with the payload into an IP packet and sent into the network; when an intermediate router R_i receives the packet, it performs path verification. The specific steps of path verification are:
(4-1) extract the data hash DataHash and the timestamp Timestamp needed for verification, and regenerate the symmetric key K_i;
(4-2) extract the set PATH of triples (tag, hop, prev) from the H received during setup, where tag is the tag of a path containing node N_i, and hop and prev are the node's hop sequence number on that path and the label of its predecessor node;
(4-3) traverse the protocol header of the received packet and locate the position of the tag field whose value equals the locally stored one; use hop to find the required OPV_i, and at the same time compute
Compare OPV_i and OPV_i′; if verification succeeds, update the corresponding PVF, otherwise discard the packet;
(4-4) choose a legitimate next hop R_j and send the packet; a branch point additionally performs path pruning before sending the packet.
The following operations are also performed before the packet is sent:
(4-4-1) traverse the paths in H and find the path p that starts at R_i and whose next hop is R_j;
(4-4-2) delete from the protocol header the credential chains unrelated to p;
(4-4-3) update the length and checksum fields in the IP header.
This embodiment is simulated on the Click modular router, which provides an object-oriented software architecture for fast processing and analysis of packets. We first build a basic IP router from the default configuration file conf/make-ip-conf.pl and then add a new verification (Validation) module and a classification (Classifier) module; the classification module inherits from a module class that Click already provides, and the verification module integrates the Atlas/COPT operations on protocol header data, such as extraction, comparison and update.
Regarding the details of the protocol, we follow OPT and use AES-128 in cipher block chaining (CBC) mode as the symmetric encryption function, and SHA-3 for a secure and reliable hash. As for the field indicators, since we implement elements on Click in C/C++, the smallest processing unit is one byte, so we set each field indicator to one byte. In the simulation experiments we do not use the common random networks; instead we use BRITE to generate network topologies of two structures, intradomain and interdomain. The hierarchical topologies generated by the BRITE tool reflect the properties of the Internet more realistically, which makes the experiments more convincing.
In the simulation experiments we examined the performance of the invention in two respects: protocol header initialization and verification during routing. Under the limit of the 1500-byte Ethernet MTU, the invention supports a selection of 20 or more paths, whereas the comparison method reaches the limit at 11 paths, and the protocol header of the invention can be as small as 26.9% of that of the comparison method. We also found that the invention suits interdomain topologies with more overlapping segments, because its protocol header size is positively correlated with the number and length of the path segments after multipath segmentation, so the header length stays stable when the number of paths increases (with the segments unchanged). Regarding packet generation time, the invention achieves a relative speedup of 200% and is more efficient. Measuring the cumulative verification time during routing shows that the invention is faster than the comparison method on both topologies, improving speed by up to 2.9 times. First, packets in the invention carry a smaller verification header and therefore need less processing time; second, tag-based fast location also lowers the cost of verification; third, the invention shrinks the protocol header further by pruning, which speeds up verification. Experiments show that the protocol header of the invention can shrink to 34.2% of its initial size during routing. Besides the reduction in time cost, the smaller header also reduces transmission delay and the congestion caused by crowded network queues.
The embodiments above describe the technical solution and beneficial effects of the invention in detail. It should be understood that the above is only a specific embodiment of the invention and is not intended to limit it; any modification, addition or equivalent replacement made within the spirit of the invention shall fall within its scope of protection.

Claims (8)

1. An efficient path verification method under a multipath routing background, characterized by comprising:
(1) for a source node S, a destination node D and the set M of multipath paths allowed between the two, dividing the multipath paths into single-path segments ordered by level, and setting a label for each segment;
(2) during key exchange configuration, the source node sends the divided single-path segments and the corresponding labels to the intermediate routers, and each router stores locally the segments on which it lies;
(3) after key exchange configuration is complete, the source node starts initializing the protocol header;
(4) after the protocol header is initialized, it is encapsulated together with the payload into an IP packet and sent into the network; when an intermediate router Ri receives the packet, it performs path verification.
2. The efficient path verification method under a multipath routing background according to claim 1, characterized in that the specific steps of step (1) are:
(1-1) generate a network flow graph G from the multipath set M, store the total flow of the network in variable xf, and initialize the level depth d = 0;
(1-2) traverse from the source node to the sink, connecting in order the nodes whose flow equals xf into a single-level path h, which constructs the single-path path of this level;
(1-3) add the single-level path h to the division result H;
(1-4) traverse each edge l = <vi, vj> in the h obtained; if , then i and j are connected by a virtual link; traverse the set M and extract the path segments that start at i and end at j, adding them to the set M′;
(1-5) for the set M′ obtained, judge whether M′ contains convergence points other than point j; if so, go to step (1-6), otherwise go to step (1-7);
(1-6) select the paths p that contain the same convergence point, output them into H as single-path paths of the lower level, and delete the paths p from M′;
(1-7) let d′ = d + 1 and, with M′ and d′ as input, return recursively to step (1).
3. The efficient path verification method under a multipath routing background according to claim 1 or 2, characterized in that, in step (2), key exchange configuration is carried out using DRKey, the dynamic key exchange designed for the OPT protocol.
4. The efficient path verification method under a multipath routing background according to claim 1 or 2, characterized in that, in step (3), the protocol header is initialized as follows:
(3-1) compute a chain of evidence for each single-path segment obtained in step (1); the computation of the chain of evidence follows OPT, and the data is organized as a linked list;
(3-2) starting from the bottom level, within each level join end to end the chains of evidence that have the same start point s and end point d;
(3-3) traversing from the bottom level, for each start point s and end point d find in the linked list one level up the point pair (s, d) connected by a virtual link, and insert the lower-level linked list at that position;
(3-4) recurse upward until insertion is complete for all paths except the top-level one;
(3-5) traverse the whole linked list and write the protocol metadata and the data of each chain of evidence into the protocol header.
5. The efficient path verification method under a multipath routing background according to claim 2, characterized in that, in step (4), the specific steps of performing path verification are:
(4-1) extract the data hash DataHash and the timestamp Timestamp needed for verification, and regenerate the symmetric key Ki;
(4-2) extract the set PATH of triples (tag, hop, prev) from the H received during setup, where tag is the label of a path that contains node Ni, and hop and prev are the node's hop sequence number on that path and the label of its predecessor node;
(4-3) traverse the protocol header of the received packet and locate the tag field whose value matches the locally stored one; find the required OPVi by hop, and at the same time compute
compare OPVi and OPVi′; if verification succeeds, update the corresponding PVF, otherwise discard the packet;
(4-4) choose a legal next hop Rj and send the packet; a bifurcation point additionally performs path pruning before sending the packet.
6. The efficient path verification method under a multipath routing background according to claim 5, characterized in that, in step (4-3), if a new tag′ field is read while looking for the required OPVi, the traversal has entered a chain of evidence of the next level down; in that case the pointer is moved to etag′ so as to return quickly to the chain of evidence of the original level.
7. The efficient path verification method under a multipath routing background according to claim 5, characterized in that, when node Ri is a convergence point, step (4-3) must complete two verifications, one for its own level and one for the lower level that converges there; if either verification fails, the router discards the packet.
8. The efficient path verification method under a multipath routing background according to claim 5, characterized in that step (4-4) further includes the following operations before the packet is sent:
(4-4-1) traverse the paths in H and find the path p that starts at Ri and whose next hop is Rj;
(4-4-2) delete from the protocol header the chains of evidence unrelated to p;
(4-4-3) update the length and checksum fields in the IP header.
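The router-side processing of claims 5, 6 and 8 (locate the local tag, skip nested lower-level chains through their etag, check the OPV, update the PVF, prune at a bifurcation point), as an added Python example that is not the patent's own code. Assumptions: the header is modelled as a flat list of (field, value) tuples, the OPV and PVF formulas are an OPT-style construction chosen here because the page's formula is not preserved, HMAC-SHA3-256 stands in for AES-128 in CBC mode, and all keys, labels and function names are constructed.

```python
import hashlib, hmac

def mac(key, *parts):  # stand-in for the page's AES-128-CBC function (assumption)
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha3_256).digest()[:16]

def build_chain(tag, hops, dh, ts, inner=None):
    # Source side. hops = [(router_key, prev_label)]; inner = {hop: lower-level chains}.
    pvf = mac(b"src-dst-key", dh)                   # assumed initial PVF
    out = [("tag", tag), ("pvf", pvf)]
    for i, (key, prev) in enumerate(hops, 1):
        out.append(("opv", mac(key, pvf, dh, prev, ts)))
        pvf = mac(key, pvf)                         # PVF value the next hop will see
        out += (inner or {}).get(i, [])             # lower chains sit behind the virtual link
    return out + [("etag", tag)]

def verify(header, key, tag, hop, prev, dh, ts):
    # Router side (claims 5 and 6). Returns the header with the PVF updated, or None = drop.
    try:
        p = header.index(("tag", tag)) + 1          # the PVF field follows the tag
        i, seen, end = p + 1, 0, header.index(("etag", tag))
        while i < end and seen < hop:
            kind, val = header[i]
            if kind == "tag":                       # lower-level chain: jump to its etag
                i = header.index(("etag", val), i)
            seen += kind == "opv"
            i += 1
    except ValueError:                              # malformed header: tag or etag missing
        return None
    pvf = header[p][1]
    if seen != hop or not hmac.compare_digest(mac(key, pvf, dh, prev, ts), header[i - 1][1]):
        return None
    return header[:p] + [("pvf", mac(key, pvf))] + header[p + 1:]

def prune(header, keep):
    # Claim 8: drop every chain whose tag is not in `keep`, with anything nested in it.
    out, skip = [], None
    for kind, val in header:
        if skip is None and kind == "tag" and val not in keep:
            skip = val
        if skip is None:
            out.append((kind, val))
        elif (kind, val) == ("etag", skip):
            skip = None
    return out

# Constructed sample: chain 1 = S, R1, R4; chains 2 and 3 are the two R1-to-R4 alternatives.
DH, TS = hashlib.sha3_256(b"payload").digest(), b"1557360000"
LOWER = build_chain(2, [(b"k-R2", b"R1")], DH, TS) + build_chain(3, [(b"k-R3", b"R1")], DH, TS)
HEADER = build_chain(1, [(b"k-R1", b"S"), (b"k-R4", b"R1")], DH, TS, {1: LOWER})
```

A packet that reaches R4 without R1 having updated the PVF fails R4's check, which is how a skipped hop on the upper-level chain is detected in this model.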
CN201910386189.5A 2019-05-09 2019-05-09 Efficient path verification method under multi-path routing background Active CN110213242B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910386189.5A CN110213242B (en) 2019-05-09 2019-05-09 Efficient path verification method under multi-path routing background

Publications (2)

Publication Number Publication Date
CN110213242A true CN110213242A (en) 2019-09-06
CN110213242B CN110213242B (en) 2020-09-08

Family

ID=67785754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910386189.5A Active CN110213242B (en) 2019-05-09 2019-05-09 Efficient path verification method under multi-path routing background

Country Status (1)

Country Link
CN (1) CN110213242B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060041642A1 (en) * 2002-09-30 2006-02-23 Koninklijke Philips Electronics, N.V. Secure proximity verification of a node on a network
CN101170498A (en) * 2007-11-30 2008-04-30 华中科技大学 Secure multi-path routing method for Ad hoc network
CN102611607A (en) * 2011-01-21 2012-07-25 中兴通讯股份有限公司 Processing method and path computation element of inter-domain link information
CN105847034A (en) * 2016-03-16 2016-08-10 清华大学 Source verification and path authentication method and device
CN106851441A (en) * 2017-01-13 2017-06-13 中国人民武装警察部队工程大学 The safe light path of multi-area optical network based on layering PCE sets up agreement
CN107453801A (en) * 2017-08-28 2017-12-08 西安电子科技大学 A kind of Layered Multipath method for routing towards satellite network
CN108650675A (en) * 2018-04-23 2018-10-12 许昌学院 A kind of location privacy protection system of the Homomorphic Encryption Scheme based on big data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BO WU: "《Enabling Efficient Source and Path Verification》", 《2018 IEEE/ACM 26TH INTERNATIONAL SYMPOSIUM ON QUALITY OF SERVICE》 *
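Li Min: "Overlay Network Multipath Routing Scheme Based on Streaming Media Services", China Master's Theses Full-text Database, Information Science and Technology *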

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111641583A (en) * 2020-04-07 2020-09-08 北京邮电大学 Internet of things resource access system and resource access method
US11729260B2 (en) 2020-04-07 2023-08-15 Beijing University Of Posts And Telecommunications Internet-of-things resource access system and method
CN111585984A (en) * 2020-04-24 2020-08-25 清华大学 Decentralized security guarantee method and device for packet full life cycle
CN111585984B (en) * 2020-04-24 2021-10-26 清华大学 Decentralized security guarantee method and device for packet full life cycle
WO2021213395A1 (en) * 2020-04-24 2021-10-28 清华大学 Fast source and path verification method based on random authentication and embedding
CN112491580A (en) * 2020-10-27 2021-03-12 烽火通信科技股份有限公司 Routing passing judgment and problem positioning method and device
CN113507473A (en) * 2021-07-13 2021-10-15 浙江大学 Efficient network path authentication method based on aggregation authentication
CN113507473B (en) * 2021-07-13 2022-06-14 浙江大学 Efficient network path authentication method based on aggregation authentication
CN114499920A (en) * 2021-11-09 2022-05-13 清华大学 Source and path verification mechanism based on dynamic label
CN114499920B (en) * 2021-11-09 2022-12-06 清华大学 Source and path verification mechanism based on dynamic label
CN115242702A (en) * 2022-09-22 2022-10-25 广州优刻谷科技有限公司 Internet of things node optimal path planning method and system
CN115720147A (en) * 2022-09-30 2023-02-28 西安交通大学 Path verification method, system and storage medium supporting path hiding

Also Published As

Publication number Publication date
CN110213242B (en) 2020-09-08

Similar Documents

Publication Publication Date Title
CN110213242A (en) A kind of highly effective path verification method under multichannel routing background
CN105743793B (en) Bit index explicit copy (BIER) forwarding for network device components
US9929938B2 (en) Hierarchal label distribution and route installation in a loop-free routing topology using routing arcs at multiple hierarchal levels for ring topologies
CN107567704A (en) Pass through checking using the network path with interior metadata
CN103493441B (en) Use route Track Pick-up without loop route topological
CN103379032B (en) The acquisition methods and device, sub-route computational entity of cross-domain end-to-end route
EP2880826B1 (en) Label distribution and route installation in a loop-free routing topology using routing arcs
CN106330749B (en) The load balance of classification perception in no circuit multiterminal portion network topology
CN106105115A (en) The service chaining originated by service node in network environment
CN106105130A (en) Carry the source routing of entropy head
US20180227218A1 (en) Generating non-congruent paths having minimal latency difference in a loop-free routing topology having routing arcs
US20120300781A1 (en) Packet Routing in a Network
CN107517157A (en) A kind of determining method of path, device and system
CN103888999A (en) WebCache service and CDN service fusion method and device
CN110753054A (en) Anonymous communication method based on SDN
CN101127768A (en) Method, device and system for creating multi-dimension inter-network protocol
Liu et al. Random label based security authentication mechanism for large-scale uav swarm
Schneider et al. Ensuring deadlock-freedom in low-diameter InfiniBand networks
Lopez-Pajares et al. One-shot multiple disjoint path discovery protocol (1S-MDP)
CN105848150B (en) A kind of wireless sensor network grouping small data safety distributing method
Borokhovich et al. The show must go on: Fundamental data plane connectivity services for dependable SDNs
CN106254099A (en) A kind of information synchronization method based on network element device and device
CN103686715B (en) Lightweight secrete discovery and dissemination method for wireless body area network safety data
Adamu et al. Review of deterministic routing algorithm for network-on-chip
CN111224934A (en) Service path verification method for mimicry configuration in mimicry defense

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant