CN111030934A - Multi-domain optical network security optical tree establishment system and method based on distributed PCE - Google Patents
- Publication number
- CN111030934A
- Authority
- CN
- China
- Prior art keywords
- domain
- pce
- message
- source
- authentication
- Prior art date
- Legal status
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/16—Multipoint routing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/48—Routing tree calculation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/62—Wavelength based
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
- H04L9/0836—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q11/00—Selecting arrangements for multiplex systems
- H04Q11/0001—Selecting arrangements for multiplex systems using optical switching
- H04Q11/0062—Network aspects
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q11/00—Selecting arrangements for multiplex systems
- H04Q11/0001—Selecting arrangements for multiplex systems using optical switching
- H04Q11/0062—Network aspects
- H04Q2011/0073—Provisions for forwarding or routing, e.g. lookup tables
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a system and a method for establishing a secure optical tree in a multi-domain optical network based on a distributed PCE (path computation element). A trust model, a multicast routing algorithm, a GKMS-DA (Global Key Management System-Digital Authentication) key management scheme and several security mechanisms are combined to ensure that the secure optical tree is established reliably under a distributed PCE architecture.
Description
Technical Field
The invention relates to a system and a method for establishing a multicast optical tree of a multi-domain optical network, in particular to a system and a method for establishing a secure optical tree of the multi-domain optical network based on a distributed PCE.
Background
With the rapid development of optical network technology and of streaming media services such as video surveillance, it is increasingly common to carry multicast services at the optical layer. However, the process of establishing an optical-layer multicast tree faces security threats such as identity impersonation, message tampering and replay attacks, so how to establish a multi-domain optical network multicast tree that meets security requirements is very important.
Some research results on establishing a secure multicast tree in a multi-domain optical network have been obtained at home and abroad. RFC 5520 and RFC 5920 analyze the security requirements for establishing a cross-domain optical path in a multi-domain optical network and give corresponding security defense techniques, but do not specifically cover how to establish a multicast tree. The document (Zhongxianwei, Wu Zuiwu, Wang Jian Ping, et al. An efficient ASON secure optical path establishment protocol [J]. Acta Photonica Sinica, 2009, 38(8): 2071-2076.) proposes a secure optical path establishment protocol that performs better than the RSVP-TE signaling protocol, but it is only suitable for single-domain optical networks and only for unicast. The document (Wu Jiang, Ganodermania zingiberensis. Research on key security technologies of multilayer multi-domain intelligent optical networks [J]. Optical Communication Technology, 2012, 36(12): 1-5.) analyzes and summarizes secure routing and secure signaling in multi-domain optical networks and gives their future development direction. The document (wangzongwei, research [D]. university of achievements electronic technology, 2012.) changes the sequential computation mode of each PCE in a hierarchical PCE architecture and adopts a parallel computation method, which greatly reduces the delay and blocking rate of path establishment, but the scheme is only applicable to unicast and does not consider security factors. The document (F. Li, DouZHING, Jinhua Hu, D. Ren and J. Zhao. An effective RSA scheme under the registration of diffserv QoS in multi-domain tertiary information Networks [C]// 2016 15th International Conference on Optical Communications and Networks (ICOCN). IEEE, 2016: 1-3.) proposes a routing algorithm for a multi-domain software-defined optical network that can establish optical paths and allocate spectrum resources with a low blocking rate, but the scheme also ignores the security of optical path establishment. The document (Y. Song, Z. Zhou and Y. Chen. Hierarchical path-control in multi-domain software defined optical network [C]// 2016 First IEEE International Conference on Computer Communication and the Internet (ICCCI). IEEE, 2016: 52-55.) proposes a fast lightpath provisioning mechanism based on a hierarchical PCE architecture, which provides a faster inter-domain path establishment solution, but it is only applicable to unicast and not to distributed architectures. The document (J. S. Choice and X. Li. Hierarchical Distributed Discovery Protocol for Multi-Domain SDN Networks [C]// ieee communications routers. IEEE, 2017: 773-. In order to solve the communication security problem in the smart grid, a lightweight security signaling mechanism for an energy internet multi-domain optical network is proposed in the document (C. Yongdong, W. Wei, Z. Yanling and W. Jinhuai. Lightweight Security Signaling Mechanism in Optical Network for Smart Power Grid [C]// 2018 IEEE International Conference on Computer and Communication Engineering Technology (CCET). IEEE, 2018: 110-113.).
In summary, most secure optical tree establishment methods in the prior art are based on a hierarchical PCE architecture, do not consider cross-domain routing security factors and are only applicable to unicast; there is no system and method for establishing a secure multicast tree in a multi-domain optical network under a distributed PCE architecture.
Disclosure of Invention
The invention aims to provide a system and a method for establishing a multi-domain optical network secure optical tree based on a distributed PCE (path computation element), which are used for solving the problems that most of secure optical tree establishing methods in the prior art are based on a layered PCE architecture, do not consider cross-domain routing security factors and are only suitable for unicast.
In order to realize the task, the invention adopts the following technical scheme:
a multi-domain optical network security optical tree establishment system based on a distributed PCE is used for establishing a security optical tree in a multi-domain optical network of the distributed PCE and is characterized by comprising a security service module, a trust management module and a key management module;
the security service module is used for providing message encryption and decryption, identity authentication, source authentication, privacy protection and digital signature service when the security light tree is established;
the trust management module is used for providing trust value calculation service when the safe light tree is established;
the key management module is used for completing the generation, distribution and updating of keys when the safe light tree is established;
the security service module comprises a message encryption and decryption unit, an identity authentication unit, a source authentication unit, a privacy protection unit and a digital signature unit;
the message encryption and decryption unit is used for encrypting or decrypting messages by using a session key, a PCE layer group key and an autonomous domain layer group key;
the identity authentication unit is used for authenticating the identity of the node to be verified by adopting an identity authentication mechanism;
the source authentication unit is used for performing source authentication on the message by adopting a multicast source authentication mechanism, and if the authentication fails, generating a dangerous operation signal and sending the dangerous operation signal to the LMP unit;
the privacy protection unit is used for encrypting and decrypting the multicast tree;
the digital signature unit is used for carrying out digital signature by utilizing a private key or a public key.
Furthermore, the message encryption and decryption unit comprises a session key encryption and decryption subunit, a PCE layer group key encryption and decryption subunit and an autonomous domain layer group key encryption and decryption subunit;
the session key encryption and decryption subunit is used for encrypting or decrypting messages by using a session key;
the PCE layer group key encryption and decryption subunit is used for encrypting or decrypting messages by using the PCE layer group key;
and the autonomous domain layer group key encryption and decryption subunit is used for encrypting or decrypting messages by using the autonomous domain layer group key.
Further, when the identity authentication unit authenticates the identity of the node to be verified, it uses an identity authentication method based on a self-certified public key and an elliptic curve, which specifically comprises:
the node A to be authenticated sends its own public key P_A and its identity ID_A to the authenticating node B;
the authenticating node B selects a random number b, calculates c = b·G and sends c to the node A to be authenticated, where G is a base point of order n on the elliptic curve and n is a positive integer; at the same time, the authenticating node B calculates r' = b·P_A + h(ID_A)·G + ((P_A + h(ID_A)) mod n)·P_1, where h(ID_A) is the hash value of the identity ID_A, mod n denotes the remainder after division by n, and P_1 is the public key of the PCE of the domain in which the node A to be authenticated and the authenticating node B are located;
the node A to be authenticated uses its own private key S_A and the c sent by the authenticating node B to calculate r = S_A·c, and sends r to the authenticating node B;
after receiving r, the authenticating node B verifies whether r = r' holds; if so, the authenticating node B accepts the identity of the node A to be authenticated and the authentication passes.
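The challenge-response above, as an added Python example that is not part of the patent: it assumes secp256k1 as the curve, SHA-256 as h, and a Girault-style self-certified key reconstruction Q_A = P_A + h(ID_A || P_A)·P_1 issued by the domain PCE (the patent's r' expression is garbled on the page, so this reconstruction rule, and binding P_A into the hash, are assumptions); the verifier computes r' = b·Q_A and accepts when A's r = S_A·c equals it, and an impostor who knows ID_A and P_A but not S_A is rejected.

```python
"""Self-certified public key identity authentication on an elliptic curve (stdlib only, Python 3.8+).

Assumed, not taken from the patent: secp256k1 parameters, SHA-256 as h, and the
reconstruction rule Q_A = P_A + e*P_1 with e = h(ID_A || P_A).
"""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the patent only says "an n-order base point G")
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 == -p2 (also covers doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def h(identity, witness):
    """e = h(ID_A || P_A) reduced mod n. The patent writes h(ID_A); binding the witness P_A
    into the hash (assumed here) stops a forged witness from being paired with a real ID."""
    data = identity.encode() + witness[0].to_bytes(32, "big") + witness[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class DomainPCE:
    """The domain PCE acts as issuer of self-certified keys; P_1 is its public key."""

    def __init__(self):
        self.s = secrets.randbelow(N - 1) + 1   # issuer private key (never leaves the PCE)
        self.P1 = mul(self.s, G)

    def issue(self, identity, R_A):
        """Return the witness P_A and the PCE's contribution r to A's private key."""
        k = secrets.randbelow(N - 1) + 1
        P_A = add(R_A, mul(k, G))
        r = (k + h(identity, P_A) * self.s) % N
        return P_A, r


def reconstruct(identity, P_A, P1):
    """Any verifier rebuilds A's public key Q_A from (ID_A, P_A) and P_1; no certificate needed."""
    return add(P_A, mul(h(identity, P_A), P1))


class Node:
    def __init__(self, identity, pce):
        self.identity = identity
        k_A = secrets.randbelow(N - 1) + 1       # A's own secret contribution
        self.P_A, r = pce.issue(identity, mul(k_A, G))
        self.S_A = (k_A + r) % N                 # private key: S_A*G == P_A + e*P_1

    def respond(self, c):
        """A's step of the exchange: r = S_A * c."""
        return mul(self.S_A, c)


def authenticate(respond, P1, identity, P_A):
    """B's side: fresh challenge c = b*G, expected r' = b*Q_A, accept iff A returns r == r'."""
    b = secrets.randbelow(N - 1) + 1
    c = mul(b, G)
    r_expected = mul(b, reconstruct(identity, P_A, P1))
    return respond(c) == r_expected


def demo():
    """Return (genuine node accepted, impostor reusing A's ID and P_A rejected)."""
    pce = DomainPCE()
    alice = Node("node-A", pce)
    mallory = Node("node-M", pce)
    return (authenticate(alice.respond, pce.P1, "node-A", alice.P_A),
            authenticate(mallory.respond, pce.P1, "node-A", alice.P_A))


if __name__ == "__main__":
    print(demo())  # (True, False)
```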
Further, when the source authentication unit performs source authentication on a message using a multicast source authentication mechanism, it authenticates with a multicast source authentication method based on TCP-AO.
Further, when the privacy protection unit encrypts and decrypts the multicast tree, it encrypts the multicast tree with an improved Path-Key path segment hiding method, which specifically comprises:
a source node initiates a multicast tree request to the PCE of the domain in which it is located through the PCEP (Path Computation Element communication Protocol); the PCE of the source node's domain judges whether the destination node is in the domain, and if not, the PCEs of the other domains in the multi-domain optical network cooperate to find the domain in which the destination node is located; the PCE of the source node's domain performs inter-domain route computation according to the domain of the destination node and obtains an inter-domain path; the PCE of the source node's domain then notifies the PCE of the destination node's domain to start computing the path within its domain;
after the PCE of the destination node's domain obtains its intra-domain path, it encrypts that intra-domain path with its own public key and sends the encrypted intra-domain path to the PCE of the source node's domain;
after receiving the encrypted intra-domain path, the PCE of the source node's domain splices it with the inter-domain path and, having obtained the complete path, sends it to the PCE of the destination node's domain;
decryption with the improved Path-Key path segment hiding method specifically comprises:
the PCE of the destination node's domain decrypts the complete path with the PCE layer group key, then resolves the path segment according to the PCE number in the path-key sub-object, and thereby obtains the complete multicast tree.
A secure optical tree establishment method of a multi-domain optical network based on a distributed PCE utilizes a secure optical tree establishment system of the multi-domain optical network based on the distributed PCE to establish a secure optical tree from a source node to a destination node in the multi-domain optical network of the distributed PCE, wherein the multi-domain optical network comprises a plurality of domains, each domain comprises a PCE, and the PCE of the domain where the source node is located is the source domain PCE;
the method is executed according to the following steps:
the source node calls a session key encryption and decryption subunit to encrypt the multicast tree building request to obtain an encrypted multicast tree building request;
the source domain PCE calls a source authentication unit to perform source authentication on the multicast tree building request, if the authentication is passed, the domain where the destination node is located is searched, and then step 3 is executed, otherwise, the communication is interrupted after an error message is generated;
a source domain PCE calls a PCE layer group key encryption and decryption subunit to encrypt the abstract multicast tree to obtain an encrypted abstract multicast tree, and the encrypted abstract multicast tree is sent to PCEs of other domains, wherein the other domains are all domains except a domain where a source node is located in the multi-domain optical network;
PCEs of each other domain calculate and obtain respective strict multicast trees in the domain from the abstract multicast tree;
PCEs of each other domain perform wavelength selection on respective paths in the domain to obtain available wavelength information of the paths in the domain of each other domain;
PCEs of other domains call a privacy protection unit to encrypt the strict multicast tree in each domain and then integrate the encrypted strict multicast tree with the available wavelength information of the path in each domain to obtain a calculation message;
PCEs of other domains call PCE layer group key encryption and decryption subunits to encrypt the calculation message, and then the encrypted calculation message is obtained and sent to a PCE of a source domain;
the source domain PCE calls the privacy protection unit to decrypt the calculation message, and obtains the strict multicast tree routing information and the available wavelength information of each other domain;
the source domain PCE splices according to the strict multicast tree routing information of each other domain to obtain a strict multicast tree;
the source domain PCE performs wavelength allocation according to the available wavelength information of each other domain to obtain the available wavelength of the strict multicast tree;
the source domain PCE calls the privacy protection subunit again to encrypt the strict multicast tree to obtain the encrypted strict multicast tree;
the source domain PCE integrates the encrypted strict multicast tree and the available wavelength of the strict multicast tree to obtain available source information;
the source domain PCE calls a PCE layer group key encryption and decryption subunit to encrypt the available source message to obtain the encrypted available source message;
the source domain PCE sends the encrypted available source message to the PCE of each other domain;
the PCE of each other domain calls a privacy protection subunit to decrypt the encrypted strict multicast tree in the available source message to obtain an intra-domain strict multicast tree and an available wavelength of the intra-domain strict multicast tree;
a source domain PCE obtains an intra-domain strict multicast tree and the available wavelength of the intra-domain strict multicast tree;
PCE of each domain integrates the respective intra-domain strict multicast tree and the available wavelength of the intra-domain strict multicast tree to obtain a new available source message;
the PCE of each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the new available source message, and then the encrypted new available source message is obtained;
the PCE of each domain sends the encrypted new available source message to the nodes through which the strict multicast tree in each domain passes;
the head node of the strict multicast tree in each domain calls a digital signature unit to carry out public key signature on the new available source message, and if the signature fails, communication is interrupted after an error message is generated; if the signature is successful, adding a new available source message in the PATH message to obtain a new PATH message;
the head node of the strict multicast tree in each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the new PATH message to obtain an encrypted new PATH message;
the head node of the strict multicast tree in each domain sends the encrypted new PATH message to the downstream node of the strict multicast tree in the domain;
the downstream node judges whether the available wavelength of the intra-domain strict multicast tree in the new PATH message meets the wavelength threshold range, if not, an error message is generated and then the communication is interrupted; if yes, calling an autonomous domain layer group key encryption and decryption subunit to encrypt the new PATH message to obtain an encrypted new PATH message;
the downstream node sends the encrypted new PATH message to the downstream node of the strict multicast tree in the domain;
the tail node of the strict multicast tree in each domain calls a source authentication unit to authenticate the encrypted new PATH message, and if the authentication fails, an error message is generated and communication is interrupted; if the authentication is passed, calling an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted new PATH message to obtain an RESV message;
a tail node of a strict multicast tree in each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the RESV message, and the encrypted RESV message is obtained;
the tail node of the intra-domain strict multicast tree in each domain sends the encrypted RESV message to the upstream nodes along the reverse of the transmission path of the encrypted new PATH message until it reaches the head node of the intra-domain strict multicast tree; during propagation of the encrypted RESV message, each upstream node calls the autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted RESV message, performs wavelength configuration after obtaining the RESV message, and if the configuration fails, generates an error message and interrupts communication; otherwise it calls the autonomous domain layer group key encryption and decryption subunit to encrypt the RESV message;
the system calls an identity authentication unit to perform identity authentication on the head node of the strict multicast tree in each domain, and if the authentication fails, an error message is generated and then communication is interrupted; if the authentication is passed, the head node of the strict multicast tree in each domain calls a session key encryption and decryption subunit to encrypt the configuration success message, and the encrypted configuration success message is obtained;
the head node of the strict multicast tree in each domain sends the encrypted configuration success message to the PCE of the domain;
the PCEs of the other domains call the identity authentication unit to perform identity authentication, and if authentication fails, an error message is generated and communication is interrupted; if authentication passes, the PCE layer group key encryption and decryption subunit is called to encrypt the configuration success message to obtain an encrypted configuration success message;
the PCE of each other domain sends the encrypted configuration success message to the PCE of the source domain;
step 12: the source domain PCE calls the source authentication unit to authenticate the encrypted configuration success message, and if authentication fails, an error message is generated and communication is interrupted; if authentication passes, the identity authentication unit is called to authenticate the identity of the PCEs of the other domains, and if that authentication fails, an error message is generated and communication is interrupted; if it passes, the PCE layer group key encryption and decryption subunit is called to decrypt the encrypted configuration success message to obtain the configuration success message;
the source domain PCE judges whether a configuration success message of each other domain is obtained and an error message is not received, and then a tree building success message is generated;
step 13: the source domain PCE calls the session key encryption and decryption subunit to encrypt the tree building success message, obtaining the encrypted tree building success message;
the source domain PCE sends the encrypted successful tree building message to a source node;
step 14: the source node calls the source authentication unit to authenticate the encrypted tree building success message, and if authentication fails, an error message is generated and communication is interrupted; if authentication passes, the session key encryption and decryption subunit is called to decrypt the encrypted tree building success message to obtain the tree building success message, and the establishment of the secure optical tree is complete.
Compared with the prior art, the invention has the following technical effects:
1. the system and the method for establishing the multi-domain optical network secure optical tree based on the distributed PCE apply a source authentication and digital signature technology to the message and the signaling in the establishment process of the multicast optical tree by applying a public key cryptosystem based on self-authentication, and can resist the tampering, the forgery and the replay attack of malicious nodes;
2. the system and the method for establishing the multi-domain optical network secure optical tree based on the distributed PCE improve a Path-Key-based Path segment hiding mechanism aiming at a distributed PCE architecture system, and a source domain PCE encrypts detailed topology of each domain by using a public Key of each PCE, so that only each domain knows the detailed topology in the domain per se, and the security of topology information is ensured;
3. the system and the method for establishing the multi-domain optical network security optical tree based on the distributed PCE use an identity authentication mechanism based on a self-authentication public key and an elliptic curve, so that even if a malicious user obtains user information, the multicast optical tree cannot be established, and identity forgery attack of illegal users is resisted to a certain extent.
Drawings
Fig. 1 is a schematic structural diagram of a system for establishing a secure optical tree of a multi-domain optical network based on a distributed PCE according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the original Path-Key path segment hiding mechanism;
FIG. 3 is a schematic diagram of a Path segment hiding mechanism of the improved Path-Key provided in the present invention;
fig. 4 is a flowchart of a method for establishing a secure optical tree of a multi-domain optical network based on a distributed PCE according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a network topology provided in one embodiment of the present invention;
FIG. 6 is a graph comparing network connection blocking rate experiments for different domain numbers provided in an embodiment of the present invention;
fig. 7 is a comparison graph of multicast tree setup time experiments under different network loads according to an embodiment of the present invention;
fig. 8 is a comparison graph of data packet delivery rate experiments at different malicious node ratios, provided in an embodiment of the present invention.
Detailed Description
The present invention will be described in detail below with reference to the accompanying drawings and examples, so that those skilled in the art can better understand it. It is to be expressly noted that in the following description, a detailed description of known functions and designs will be omitted when it may obscure the subject matter of the present invention.
The technical terms appearing in the present invention are explained below:
PATH message: the RSVP-TE protocol is a resource reservation-traffic engineering protocol;
RESV message: a resource reservation message;
the multicast source authentication method based on TCP-AO: TCP-AO is a standard proposed by IETF in 2010 to replace TCP-MD5, and compared with TCP-MD5, TCP-AO supports multiple MAC algorithms including AES-128-CMAC-96, HMAC-SHA-1-96, supports in-band key change operation, uses hash function to provide protection for TCP connection, and prevents security threats such as message tampering and replay attack.
Example one
The embodiment discloses a secure optical tree establishment system of a multi-domain optical network based on a distributed PCE, which is used for establishing a secure optical tree in the multi-domain optical network of the distributed PCE and comprises a security service module, a trust management module and a key management module;
the safety service module is used for providing information encryption and decryption, identity authentication, source authentication, privacy protection and digital signature service when the safety light tree is established;
the trust management module is used for providing trust value calculation service when the safety light tree is established;
the key management module is used for completing the generation, distribution and updating of keys when the safe light tree is established;
the security service module comprises a message encryption and decryption unit, an identity authentication unit, a source authentication unit, a privacy protection unit and a digital signature subunit;
the message encryption and decryption unit is used for encrypting or decrypting messages by using the session key, the PCE layer group key and the autonomous domain layer group key;
the identity authentication unit is used for authenticating the identity of the node to be verified by adopting an identity authentication mechanism;
the source authentication unit is used for performing source authentication on the message by adopting a multicast source authentication mechanism;
the privacy protection unit is used for encrypting and decrypting the multicast tree;
the digital signature unit is used for carrying out digital signature by utilizing a private key or a public key.
In this embodiment, in order to deal with the security threat faced by the control plane of the multi-domain optical network and improve the security of establishing the multicast tree, under the distributed PCE architecture, seven security mechanisms are designed on the control plane to ensure the security of the system and the method provided by the present invention.
As shown in fig. 1, the multi-domain optical network control plane after security extension further includes an information management unit, a node control unit, a PCE unit, an OSPF-TE unit, an RSVP-TE unit, and an LMP unit; the system is characterized by also comprising a security service unit, a trust management unit and a key management unit;
the information management unit is used for realizing data interaction between the PCE unit, the LMP unit and the key management unit and the security service unit;
the PCE unit is used for performing path calculation according to the multicast tree building request of the node in the domain to obtain a safe optical tree path;
the node control unit is used for realizing data communication among all nodes in the multi-domain optical network;
the LMP unit is used for monitoring whether dangerous operation exists in the multi-domain optical network, and if so, a dangerous prompt signal is generated;
the OSPF-TE unit is used for issuing traffic engineering information in the multi-domain optical network; the system is also used for updating the traffic engineering information by using a flooding method according to the danger prompt signal;
and the RSVP-TE unit is used for executing RSVP-TE protocol according to the safe optical tree path and realizing the establishment of the safe optical tree.
As shown in fig. 1, the information management unit is a center for convergence and processing of various types of information in the control plane, and is mainly responsible for coordinating and processing service information fed back from other units.
The security service unit is a guarantee that the optical network can perform secure multicast, and mainly provides various security services such as message encryption and decryption, identity authentication, source authentication, privacy protection, digital signature and the like.
The node control unit is mainly responsible for resource allocation and interface service provision of each node of the optical network, so that data communication can be carried out between the nodes through normal interfaces.
The PCE is used for performing path computation according to topology and resource information reserved in the TED after receiving a path computation request sent by a source node or other nodes.
The OSPF-TE unit is responsible for the release of TE information in an optical network domain and updates and maintains the information in the TED.
The RSVP-TE unit executes RSVP-TE protocol, and performs resource configuration service such as wavelength and the like on the nodes according to RSVP messages among the nodes, and finally, the establishment work of the point-to-multipoint multicast tree is realized.
The LMP unit is a monitor of the whole network state, and is mainly responsible for collecting the on-off state of the optical link and the reservation condition of the interface resource, and when the dangerous operation exists in the network, the OSPF-TE unit is informed in time.
And the trust management unit calls a trust database based on the LCT model to calculate and judge the security behaviors of each node and the PCE, and provides current and historical data query service when the node or the PCE needs to query trust value data.
And the key management unit calls a key database by applying a GKMS-DA key management scheme to complete the generation, distribution and updating of the key.
Optionally, the message encryption and decryption unit includes a session key encryption and decryption subunit, a PCE layer group key encryption and decryption subunit, and an autonomous domain layer group key encryption and decryption subunit;
the session key encryption and decryption subunit is used for encrypting or decrypting messages by using a session key;
the PCE layer group key encryption and decryption subunit is used for encrypting or decrypting messages by using the PCE layer group key;
and the autonomous domain layer group key encryption and decryption subunit is used for encrypting or decrypting messages by using the autonomous domain layer group key.
Optionally, when the identity authentication unit performs identity authentication on the node to be verified by using an identity authentication mechanism, the identity authentication unit performs identity authentication by using an identity authentication method based on a self-certified public key and an elliptic curve, where the identity authentication method specifically includes:
the node A to be authenticated sends its own public key P_A and identity ID_A to the authentication node B;
the authentication node B selects a random number b, calculates c = b·G and sends c to the node A to be authenticated, where G is a base point of order n on the elliptic curve E(F_p); at the same time the authentication node B calculates r' = b·(P_A + h(ID_A)·G + ((P_A + h(ID_A)) mod n)·P_1);
the node A to be authenticated uses its own private key S_A and the c sent by the authentication node B to calculate r = S_A·c, and sends the result to the authentication node B;
after receiving r, the authentication node B verifies whether r = r' holds; if so, the authentication node B accepts the identity of the node A to be authenticated, and the authentication is passed.
In the process of establishing the multi-domain optical network multicast tree, how to perform efficient identity authentication between nodes, between nodes and PCE, and between PCE and PCE is the key for establishing the secure multicast tree.
In this embodiment, taking the identity authentication process between nodes A and B in the same domain of the multi-domain optical network as an example, the public-private key pairs of nodes A and B are defined as (P_A, S_A) and (P_B, S_B), the identities of A and B are (ID_A, ID_B), and the public-private key pair of the PCE of the domain is (P_1, S_1); the other parameter symbols are consistent with chapter three, GKMS-DA. The identity authentication of A and B includes three stages, namely system initialization, registration and identity authentication; nodes A and B complete the system initialization and registration process to obtain their respective public-private key pairs and identity marks (P_A, S_A), (P_B, S_B), (ID_A, ID_B). The specific steps by which nodes A and B complete identity authentication are as follows:
Node A proves the authenticity of its identity to node B by sending its public key P_A and identity ID_A to B: A → B: (P_A, ID_A, h(P_A, ID_A)).
Node B selects a random number b, calculates c = b·G and sends c to node A: B → A: {c}, while computing R_A = P_A + h(ID_A)·G + ((P_A + h(ID_A)) mod n)·P_1 and r' = b·R_A.
Node A calculates r = S_A·c using its private key and the c sent by node B, and sends the result to node B: A → B: {r}.
After receiving r, node B verifies whether r = r' holds; if the equation holds, node B accepts the identity of node A.
Node B proves its identity to node A in the same way as the steps above, with the parameters of step 2 replaced by c' = b·G and R_B = P_B + h(ID_B)·G + ((P_B + h(ID_B)) mod n)·P_1. At this point the identity authentication of nodes A and B is complete.
Nodes A and B calculate the shared session key K = h(a·R_B + S_A·c) = h(b·R_A + S_B·c').
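The challenge-response and session-key derivation above, worked through in Python as an added example (not the patent's own code): the verifier rebuilds R_A from the public (P_A, ID_A, P_1), checks r = b·R_A, and both sides arrive at the same K; a final function shows that knowing only P_A and ID_A does not let a party pass the check. Assumptions, none of which the page fixes: the curve is secp256k1, h() is SHA-256 reduced mod n, the point P_A inside the scalar term (P_A + h(ID_A)) mod n is represented by its x-coordinate, registration issues S_A so that S_A·G equals R_A, and in the mirrored run A picks its own random a with c' = a·G.

```python
import hashlib
import secrets

# secp256k1 parameters; an assumed choice, the page names no specific curve.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                          # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k·pt."""
    result, addend = INF, pt
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def h(*parts):
    """The page's hash h(): SHA-256 over the arguments, reduced mod n (assumption)."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def scalar_of(pa, identity):
    # (P_A + h(ID_A)) mod n adds a point to a scalar on the page; this example
    # (an assumption) uses the x-coordinate of P_A for that term.
    return (pa[0] + h(identity)) % N


def reconstruct(pa, identity, p1):
    """Verifier side: R_A = P_A + h(ID_A)·G + ((P_A + h(ID_A)) mod n)·P_1."""
    return ec_add(ec_add(pa, ec_mul(h(identity), G)), ec_mul(scalar_of(pa, identity), p1))


def register(s1, p1, identity, w=None):
    """Registration by the domain PCE (private s_1, public P_1 = s_1·G): issue a
    self-certified pair (P_A, S_A) with S_A·G == R_A, so P_A is bound to ID_A and
    P_1 without a certificate. The witness w is chosen at random unless given."""
    w = w or secrets.randbelow(N - 1) + 1
    pa = ec_mul(w, G)                       # witness, published as the node's public key
    sa = (w + h(identity) + scalar_of(pa, identity) * s1) % N
    assert ec_mul(sa, G) == reconstruct(pa, identity, p1)
    return pa, sa


def prove(sa, c):
    """Prover: r = S_A·c for the challenge c = b·G."""
    return ec_mul(sa, c)


def check(b, ra, r):
    """Verifier: accept iff r == r' = b·R_A."""
    return ec_mul(b, ra) == r


def mutual_auth(p1, a_creds, b_creds, a=None, b=None):
    """Both directions of the exchange and K = h(a·R_B + S_A·c) = h(b·R_A + S_B·c')."""
    id_a, pa, sa = a_creds
    id_b, pb, sb = b_creds
    a = a or secrets.randbelow(N - 1) + 1   # A's random number for the mirrored run
    b = b or secrets.randbelow(N - 1) + 1
    ra = reconstruct(pa, id_a, p1)          # B needs only (P_A, ID_A, P_1)
    rb = reconstruct(pb, id_b, p1)
    c, c_prime = ec_mul(b, G), ec_mul(a, G)
    a_ok = check(b, ra, prove(sa, c))
    b_ok = check(a, rb, prove(sb, c_prime))
    k_a = h(ec_add(ec_mul(a, rb), ec_mul(sa, c)))
    k_b = h(ec_add(ec_mul(b, ra), ec_mul(sb, c_prime)))
    return a_ok, b_ok, k_a == k_b


def impersonation_attempt(p1, victim_id, victim_pa, b=None):
    """A party holding only the public (P_A, ID_A) has no S_A; answering the
    challenge with any other scalar fails the r == b·R_A check."""
    b = b or secrets.randbelow(N - 1) + 1
    guessed_sa = h(victim_id, victim_pa)    # stands in for any value other than S_A
    return check(b, reconstruct(victim_pa, victim_id, p1), prove(guessed_sa, ec_mul(b, G)))
```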
Optionally, when the source authentication subunit performs source authentication on the message by using a multicast source authentication mechanism, the source authentication subunit performs authentication by using a multicast source authentication method based on TCP-AO.
In this embodiment, the multicast source authentication mechanism of the multi-domain optical network needs to ensure three functions, one is data integrity, that is, it is ensured that a message received by a receiving end is not tampered by nodes other than multicast group members. The second is a data source authentication function, i.e. it is ensured that the message received by the receiving end originates from the correct sending end. And thirdly, non-repudiation, namely, the receiver can provide evidence for a third party after receiving the message, so as to prevent the repudiation of the sender. Because TCP connection needs to be established between the node and the PCE firstly in the multicast routing process, the system and the method provided by the invention adopt TCP-AO (authentication option) provided by IETF in RFC5925 to realize multicast source authentication. TCP-AO is a standard proposed by IETF in 2010 to replace TCP-MD5, and compared with TCP-MD5, TCP-AO supports multiple MAC algorithms including AES-128-CMAC-96, HMAC-SHA-1-96, supports in-band key change operation, uses hash function to provide protection for TCP connection, and prevents security threats such as message tampering and replay attack.
The core of the TCP-AO mechanism is to generate and configure a traffic Key TK (traffic keys) through a cipher suite MKT (Master Key tuple), so as to ensure data transmission and verification. The total length of TCP-AO is 29, KeyID is used for identifying the MKT type used by the sending end, RNextKeyID is used for suggesting the MKT type used by the receiving end by the sending end, wherein the MKT comprises a Master key (DA-PCE adopts a shared session key generated by an identity authentication mechanism based on a self-certified public key and an elliptic curve as a Master key), an MAC algorithm, identity identifications of the sending end and the receiving end, a TCP connection identifier and a KDF (Key Derivation function) algorithm for generating a flow key by using the Master key.
After receiving TCP-AO message, the receiving end generates TK according to corresponding MKT to verify whether TCP message head is consistent with MAC value, if so, the message source passes authentication, and the message is not tampered by other than multicast group in transmission. In the process of establishing the tree by multicast, because a TCP session does not exist before, the source authentication can be ensured by using a message authentication code in an RESV object, the mechanism encrypts the message by using an autonomous domain layer group key in GKMS-DA, and then PCE digitally signs the routing and wavelength information, so that a receiving end is ensured to know which PCE the source of the message comes from.
Optionally, when the privacy protection subunit encrypts and decrypts the multicast tree, the Path segment hiding method with the Path-Key improved is adopted for encryption, and the method specifically includes:
a source node initiates a multicast tree request to the PCE of its own domain through the PCEP communication protocol; the PCE of the source node's domain determines whether the destination node is in the domain, and if not, the PCEs of the other domains in the multi-domain optical network cooperate to find the domain where the destination node is located; the PCE of the source node's domain performs inter-domain routing calculation according to the destination node's domain to obtain an inter-domain path; the PCE of the source node's domain then notifies the PCE of the destination node's domain to start calculating the path within each domain;
after the PCE of the domain where the destination node is located obtains the respective intra-domain path, encrypting the respective intra-domain path by using the respective public key, and sending the encrypted intra-domain path to the PCE of the domain where the source node is located;
after receiving the encrypted intra-domain path, the PCE of the domain where the source node is located is spliced with the inter-domain path, and after obtaining a complete path, the PCE is sent to the PCE of the domain where the destination node is located;
the Path segment hiding method adopting the improved Path-Key is used for decryption, and specifically comprises the following steps:
and the PCE of the domain where the destination node is located decrypts the complete path with the PCE layer group key, then parses its own path segment according to the PCE ID in the path key sub-object, thereby obtaining the complete multicast tree.
In the process of establishing a tree in a multi-domain optical network multicast based on distributed PCEs, the formation of a multicast optical tree is completed by the cooperation of a plurality of PCEs, each PCE is responsible for calculating a part of a path, but when an autonomous domain is managed by different service providers, the confidentiality rule of the PCEs can be damaged, namely, a certain autonomous domain provides PCE path section information to PCEs in other domains, and topology information in the autonomous domain can be exposed. To avoid this problem, RFC5520 proposes a Path segment hiding mechanism of Path-Key. As shown in fig. 2, for the path segment { ASBR2, C, D, destination node }, to ensure privacy between { C, D }, PCE layer group key encryption is used to obtain a loose path { ASBR2, destination node } or a strict path { ASBR2, C, D, destination node }. However, the problem of inter-domain privacy disclosure exists, that is, the topology of { ASBR2, C, D, destination node } is known by PCEs of other domains, and the original Path-Key Path segment hiding mechanism only provides inter-domain Path hiding protection mechanisms of two autonomous domains, and cannot provide Path privacy protection for the multicast tree of the multi-domain optical network based on the distributed PCE.
Therefore, the invention improves the original Path segment hiding mechanism of Path-Key by using GKMS-DA Key management scheme under the distributed PCE architecture, so that each PCE can only acquire the detailed topology information of the autonomous domain, thereby ensuring the confidentiality of the topology among different domains. Taking fig. 3 as an example, the specific steps of improving the Path segment hiding mechanism of Path-Key are as follows:
step 1: source domain PCC to PCE via PCEP communication protocol1And initiating a multicast treeing request. PCE1Judging destination node m1、m2Not in the local domain, and then discovering the destination node m through mutual cooperation of PCEs1And m2The domain is D2And D3Then PCE1The calculation of the abstract path can be carried out according to the TED information to obtain the abstract path { source PCC-D1- (ASBR1-ASBR 3-D)2-m1)-ASBR2-ASBR4-D3-m2And then PCE1Informing PCE through PCEP2And PCE3Strict routes within the respective domains are started to be calculated.
Step 2: PCE2And PCE3The complete path { ASBR3-C-D-m in each domain is obtained by calculation1And { ASBR4-E-F-m2And then PCE2And PCE3Encrypting the respective complete paths by using the respective public keys to obtain { ASBR3-PKS2-m1And { ASBR4-PKS3-m2And sends the path to the PCE1. The Path Key Subobject PKS (Path-Key object) consists of a protected object and a corresponding PCEID, and a Path segment { ASBR3-PKS is obtained after encryption2-m1And { ASBR4-PKS3-m2Called the secret Path segment cps (confidential Path segment).
And step 3: PCE1Received PCE2And PCE3After the sent paths are spliced into a complete path { source PCC-PKS1-(ASBR1-PKS2-m1)-ASBR2-ASBR4-PKS3-m2And then integrated into a PCRep message and sent to the PCE2And PCE3。
And 4, step 4: PCE2And PCE3Receiving a source domain PCE1After the sent complete path, the PCE layer group key is used for decrypting the path, then the path section is analyzed according to the PCEID in the PKS, so that a complete multicast tree is obtained, and then the RSVP-TE protocol is continuously executed. PCE1The multicast tree obtained by analysis is { source PCC-A-B- (ASBR 3-PKS)2-m1)-ASBR1-ASBR4-PKS3-m2},PCE2The obtained multicast tree is { source PCC-PKS1-(ASBR3-C-D-m1)-ASBR2-ASBR4-PKS3-m2},PCE3The obtained multicast tree is { source PCC-PKS1-(ASBR3-PKS2-m1)-ASBR2-ASBR4-E-F-m3Obviously, each control domain can only know detailed topology information of the control domain, and cannot decrypt encrypted path segments in other domains, so that the privacy of the inter-domain topology is ensured.
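The four steps above, modelled in Python as an added example (not code from the patent): each domain PCE seals the interior hops of its strict segment into a PKS that carries its PCE ID, the source PCE splices the opaque PKS objects into the tree, and each PCE can expand only the PKS bearing its own ID, so it sees exactly the per-PCE views listed in Step 4. Assumptions: per-PCE symmetric keys with a hash-counter keystream and an HMAC tag stand in for the page's public-key and group-key encryption, and the domain-1 segments (PCC-A-B-ASBR1, PCC-A-ASBR2) are constructed from the Fig. 3 node names.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """Hash-counter keystream; a constructed stand-in for a real AEAD cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, data):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(x ^ y for x, y in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Verify the tag before decrypting: a tampered PKS is rejected, not parsed."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("PKS authentication failed")
    return bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct))))


def make_cps(pce_id, key, segment):
    """Domain PCE: keep the border node and endpoint visible and hide the interior
    hops inside PKS = (PCE ID, sealed path), e.g. ASBR3-C-D-m1 -> ASBR3-PKS2-m1."""
    interior = segment[1:-1]
    if not interior:
        return list(segment)
    return [segment[0], ("PKS", pce_id, seal(key, "-".join(interior).encode())), segment[-1]]


def splice(abstract_tree, cps):
    """Source PCE: replace each ("DOMAIN", i) placeholder of a branch with domain i's CPS."""
    tree = {}
    for branch, elems in abstract_tree.items():
        tree[branch] = []
        for e in elems:
            if isinstance(e, tuple) and e[0] == "DOMAIN":
                tree[branch].extend(cps[e[1]][branch])
            else:
                tree[branch].append(e)
    return tree


def resolve(path, pce_id, key):
    """A PCE expands only the PKS carrying its own ID; foreign PKS stay opaque."""
    out = []
    for e in path:
        if isinstance(e, tuple) and e[0] == "PKS" and e[1] == pce_id:
            out.extend(n for n in open_sealed(key, e[2]).decode().split("-") if n)
        else:
            out.append(e)
    return out


def render(path):
    return "-".join(e if isinstance(e, str) else f"PKS{e[1]}" for e in path)


def demo():
    """Return the multicast tree as seen by PCE_1, PCE_2 and PCE_3 (Fig. 3 names)."""
    keys = {i: secrets.token_bytes(32) for i in (1, 2, 3)}  # per-PCE keys (constructed)
    segments = {  # strict intra-domain segments; domain 1's are constructed
        1: {"m1": ["PCC", "A", "B", "ASBR1"], "m2": ["PCC", "A", "ASBR2"]},
        2: {"m1": ["ASBR3", "C", "D", "m1"]},
        3: {"m2": ["ASBR4", "E", "F", "m2"]},
    }
    abstract = {"m1": [("DOMAIN", 1), ("DOMAIN", 2)], "m2": [("DOMAIN", 1), ("DOMAIN", 3)]}
    cps = {i: {br: make_cps(i, keys[i], seg) for br, seg in segs.items()}
           for i, segs in segments.items()}
    tree = splice(abstract, cps)
    return {i: {br: render(resolve(path, i, keys[i])) for br, path in tree.items()}
            for i in keys}
```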
Example two
The embodiment provides a method for establishing a secure optical tree of a multi-domain optical network based on a distributed PCE (path computation element), which is characterized in that a secure optical tree from a source node to a destination node is established in the multi-domain optical network of the distributed PCE by utilizing a system for establishing the secure optical tree of the multi-domain optical network based on the distributed PCE as in the first embodiment, wherein the multi-domain optical network comprises a plurality of domains, each domain comprises a PCE, and the PCE of the domain where the source node is located is the source domain PCE;
the method is executed according to the following steps:
the source node calls a session key encryption and decryption subunit to encrypt the multicast tree building request, and the encrypted multicast tree building request is obtained;
the source domain PCE calls a source authentication unit to perform source authentication on the multicast tree building request, if the authentication is passed, the domain where the destination node is located is searched, and then the step 3 is executed, otherwise, the communication is interrupted after an error message is generated;
a source domain PCE calls a PCE layer group key encryption and decryption subunit to encrypt an abstract multicast tree to obtain an encrypted abstract multicast tree, and the encrypted abstract multicast tree is sent to PCEs of other domains, wherein the other domains are all domains except a domain where a source node is located in a multi-domain optical network;
PCEs of other domains calculate and obtain respective strict multicast trees in the domains from the abstract multicast tree;
PCEs of each other domain perform wavelength selection on respective paths in the domain to obtain available wavelength information of the paths in the domain of each other domain;
PCEs of other domains call a privacy protection unit to encrypt the strict multicast tree in each domain and then integrate the encrypted strict multicast tree with the available wavelength information of the path in each domain to obtain a calculation message;
PCEs of other domains call PCE layer group key encryption and decryption subunits to encrypt the calculation message, and then the encrypted calculation message is obtained and sent to a PCE of a source domain;
the source domain PCE calls the privacy protection subunit to decrypt the calculation message, and obtains the strict multicast tree routing information and available wavelength information of each other domain;
the source domain PCE splices according to the strict multicast tree routing information of each other domain to obtain a strict multicast tree;
the source domain PCE performs wavelength allocation according to the available wavelength information of each other domain to obtain the available wavelength of the strict multicast tree;
the source domain PCE calls the privacy protection subunit again to encrypt the strict multicast tree to obtain the encrypted strict multicast tree;
the source domain PCE integrates the encrypted strict multicast tree and the available wavelength of the strict multicast tree to obtain available source information;
a source domain PCE calls a PCE layer group key encryption and decryption subunit to encrypt an available source message to obtain an encrypted available source message;
the source domain PCE sends the encrypted available source message to the PCE of each other domain;
the PCE of each other domain calls a privacy protection subunit to decrypt the encrypted strict multicast tree in the available source message to obtain an intra-domain strict multicast tree and an available wavelength of the intra-domain strict multicast tree;
a source domain PCE obtains an intra-domain strict multicast tree and the available wavelength of the intra-domain strict multicast tree;
PCE of each domain integrates the respective intra-domain strict multicast tree and the available wavelength of the intra-domain strict multicast tree to obtain a new available source message;
the PCE of each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the new available source message, and then the encrypted new available source message is obtained;
the PCE of each domain sends the encrypted new available source message to the nodes through which the strict multicast tree in each domain passes;
the head node of the strict multicast tree in each domain calls a digital signature unit to carry out public key signature on the new available source message, and if the signature fails, communication is interrupted after an error message is generated; if the signature is successful, adding a new available source message in the PATH message to obtain a new PATH message;
a head node of a strict multicast tree in each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt a new PATH message to obtain an encrypted new PATH message;
the head node of the intra-domain strict multicast tree in each domain sends the encrypted new PATH message to the downstream node of the intra-domain strict multicast tree;
the downstream node judges whether the available wavelength of the intra-domain strict multicast tree in the new PATH message meets the wavelength threshold range, if not, an error message is generated and then communication is interrupted; if the routing information accords with the routing information, the downstream node calls an autonomous domain layer group key encryption and decryption subunit to encrypt the new PATH message to obtain an encrypted new PATH message;
the downstream node sends the encrypted new PATH message to the downstream node of the strict multicast tree in the domain;
the tail node of the strict multicast tree in each domain calls a source authentication unit to authenticate the encrypted new PATH message, and if the authentication fails, an error message is generated and communication is interrupted; if the authentication is passed, calling an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted new PATH message to obtain an RESV message;
a tail node of a strict multicast tree in each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the RESV message, and the encrypted RESV message is obtained;
the tail node of the intra-domain strict multicast tree in each domain sends the encrypted RESV message to the upstream node along the reverse PATH of the transmission PATH of the encrypted new PATH message until reaching the head node of the intra-domain strict multicast tree, wherein in the propagation process of the encrypted RESV message, each upstream node calls an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted RESV message, the wavelength configuration is carried out after the RESV message is obtained, and if the configuration is wrong, the communication is interrupted after an error message is generated; otherwise, calling an autonomous domain layer group key encryption and decryption subunit to encrypt the RESV message;
the system calls an identity authentication unit to perform identity authentication on the head node of the strict multicast tree in each domain, and if the authentication fails, communication is interrupted after an error message is generated; if the authentication is passed, calling a session key encryption and decryption subunit to encrypt the configuration success message, and obtaining an encrypted configuration success message;
the head node of the strict multicast tree in each domain sends the encrypted configuration success message to the PCE of the domain;
PCEs of other domains call an identity authentication module to perform identity authentication, and if authentication fails, communication is interrupted after an error message is generated; if the authentication is passed, calling a PCE layer group key encryption and decryption subunit to encrypt the configuration success message, and obtaining the encrypted configuration success message;
the PCE of each other domain sends the encrypted configuration success message to the PCE of the source domain;
step 12: the source domain PCE calls a source authentication unit to authenticate the encrypted configuration success message, and if the authentication fails, an error message is generated and then communication is interrupted; if the authentication is passed, calling an identity authentication module to perform identity authentication on PCEs of other domains, and if the authentication is failed, generating an error message and then interrupting communication; if the authentication is passed, a PCE layer group key encryption and decryption subunit is called to decrypt the encrypted configuration success message to obtain a configuration success message;
the source domain PCE judges whether a configuration success message of each other domain is obtained and an error message is not received, and then a tree building success message is generated;
step 13: the source domain PCE calls a session key encryption and decryption submodule to encrypt the successful tree building message, and the encrypted successful tree building message is obtained;
the source domain PCE sends the encrypted successful tree building message to a source node;
step 14: the source node calls a source authentication unit to authenticate the encrypted tree building success message, and if the authentication fails, communication is interrupted after an error message is generated; if the authentication is passed, calling a session key encryption and decryption submodule to decrypt the encrypted successful tree building message to obtain the successful tree building message, and completing building of the safe optical tree.
In this embodiment, 12 function modules are defined for simplifying the step description, see table 1, for the call in the DA-PCE tree building process.
TABLE 1 DA-PCE method defined function module
In this embodiment, taking fig. 4 as an example, the total number of domains in the figure is 4, namely D_1, D_2, D_3 and D_4, with four PCEs, PCE_1, PCE_2, PCE_3 and PCE_4; the source node is m_1 and the destination nodes are m_8 and m_10. The sequence numbers of the steps of the system and method provided by the invention are marked in the figure, and the steps are as follows. After the multicast request R = {m_1; m_8, m_10} is received:
Step 1: source node m_1 calls the F_Authen(m_1) and F_Session key modules; m_1, acting as a PCC, sends a multicast tree-building request to PCE_1.
Step 2: after receiving the tree-building request from the PCC, PCE_1 calls the F_Authen(m_1), F_Session key and F_TCP-AO modules and determines that the destination nodes m_8 and m_10 are both outside D_1; PCE_1 then calls F_Session key and F_Authen(PCE_1) to send to the other PCEs, and finds that the domains of m_8 and m_10 are D_3 and D_4.
Step 3: PCE_1 calls F_Authen(PCE_1), F_TCP-AO, F_Session key and F_SMRAD to obtain the optimal abstract multicast tree T_0 (m_1-D_1-m_3-m_4-D_2-m_5-(m_6-m_7-D_3-m_8)-m_9-D_4-m_10), then PCE_1 calls F_PCE and sends the abstract path to PCE_2, PCE_3 and PCE_4.
Step 4: after receiving the abstract path, PCE_2, PCE_3 and PCE_4 call F_PCE to decrypt it, look up the abstract path and the available wavelengths of their own domain, and call F_SMRAD. PCE_1 obtains the path m_1-m_2-m_3, PCE_2 obtains m_4-m_5-m_6, PCE_3 obtains m_7-m_8 and PCE_4 obtains m_9-m_10. Each PCE then calls F_Wave to select a wavelength, calls F_Path-Key to generate a calculation message, calls F_PCE to encrypt the message and sends it to PCE_1, and waits for PCE_1 to perform unified resource configuration.
Step 5: PCE_1 calls F_PCE and F_Path-Key, combines the PCRep messages sent by each PCE, calls F_Wave for wavelength allocation, and then calls F_Path-Key again to encrypt the strict multicast tree, obtaining T_PKS (m_1-PKS_1-m_3-m_4-PKS_2-m_5-(m_6-m_7-PKS_3-m_8)-m_9-PKS_4-m_10); T_PKS and the allocated wavelength λ are integrated into an Available resource message, F_PCE is called, and the message is sent to the other PCEs, instructing them to complete the path and wavelength configuration for the optical tree.
Step 6: after receiving the Available resource message, each PCE immediately calls F_Path-Key, F_TCP-AO and F_PCE to begin parsing T_PKS, obtains the sub-LSP of the path segment in its own domain, and forms a new Available resource message from the sub-LSP and the reserved wavelength information. It then calls F_Group and F_Sig(each PCE) to send the message to the source node and each branch node, and each node checks the path and available wavelength.
Step 7: after receiving the Available resource message, the head nodes m_1 and m_5 of each sub-LSP call their respective F_TCP-AO, F_Group and F_Ver(PCE), add the obtained sub-LSP route and wavelength information to a PATH message, call F_Group to encrypt the message and send it to the downstream node. In this example, three LSPs are configured simultaneously to minimize configuration delay.
Step 8: after receiving the PATH message, the downstream node calls F_Group and F_TCP-AO to obtain the sub-LSP route and wavelength information and then checks the available wavelength. If the wavelength is available, it calls F_Group and forwards the message to the next downstream node; if not, it calls F_Error. For the cross-domain LSP m_5-m_6-m_7-m_8 in this example, m_6 calls F_Group and F_TCP-AO to decrypt, checks the available wavelength, and passes the message to m_7 under the session key k_i between the border nodes; node m_7 calls F_TCP-AO and decrypts with k_i, checks the wavelength, and calls F_Group to forward the message to m_8.
Step 9: after receiving the PATH message, the tail nodes m_4, m_8 and m_10 of each sub-LSP first call F_Group and F_TCP-AO to obtain the sub-LSP route and wavelength information, generate a RESV message, call F_Group to encrypt it, and then send it to the upstream node along the reverse path of the PATH message. Each node passed on the reverse path calls F_Group and F_TCP-AO to decrypt the RESV message and then performs wavelength configuration according to PCE_1. After configuration is finished, it calls F_Group to encrypt the RESV message and continues forwarding it to the head node of each sub-LSP; F_Error is called if an error occurs during this period.
Step 10: the head nodes m_1 and m_5 of each sub-LSP call F_Group and F_TCP-AO; if the wavelength configuration succeeded, the sub-LSP path configuration has succeeded, a Configuration success message is generated immediately, F_Session key and F_Authen(m_1 or m_5) are called, and the message is sent to PCE_1 and PCE_2. If the wavelength configuration fails, F_Error is called.
Step 11: PCE1And PCE2Invoking F _ Authen (m) upon receipt of a message1Or m5) F _ TCP-AO, and F _ Session. If the message is correct, then PCE2Invoking F _ PCE, F _ Authen (PCE)2) Sent to PCE1。
Step 12: PCE1Invoking F _ Authen (PCE)2) F _ TCP-AO and F _ PCE. If the PCE is at this time1After all Configuration success message messages are collected and the RESV-ERROR message is not received, the establish message is generated. If the RESV-ERROR message is received, F _ Error is called.
Step 13: PCE1Calling F _ Session key to send message to source node m1Indicating that the wavelength configuration is complete.
Step 14: m is1Invoke F _ Session key and F _ TCP-AO, then go to m8And m10And transmitting data, and finishing the establishment of the multicast optical tree.
EXAMPLE III
In this embodiment, the system and method for establishing a secure optical tree of a multi-domain optical network based on a distributed PCE provided by the present invention are verified. NS-2 is used for the experiments; the PH-PCE protocol, the HDTD protocol and the related modules of the system and method provided by the present invention are compiled on the optical network simulation system SSANS, and the NSBench script generation software and the Gnuplot graph drawing software are embedded in NS-2. The network topology designed and generated with NSBench for the experiments is shown in fig. 5: each domain has 20 nodes and 29 communication links, and the number i of domains can be set according to actual requirements. A PCE needs to be added to the network topology for the system and method provided by the present invention and for the HDTD protocol; the time for the PCE to calculate boundary nodes and abstract paths is set to 25 ms; the average arrival rate of path request messages PCReq in the experiments follows a Poisson distribution; the proportion of malicious nodes among all nodes is set according to the requirements of each experiment; and the remaining experimental parameters are set as in table 2.
TABLE 2 parameter settings
Parameter | Value |
---|---|
Number of | 10 |
Bandwidth of wavelength | 2 Gbps |
Connection time of a node to a PCE | 1 ms |
Connection time of PCE and PCE | 1 ms |
Node routing delay | 7 ms |
Time for the PCE to compute the available path segment wavelengths | 10 ms |
Firstly, network connection blocking rate experiments under different numbers of domains are carried out. With the proportion of malicious nodes at 5% and the network load at 60 Erl, the network connection blocking rates of the three protocols under different numbers of domains are shown in fig. 6. The experimental results show that the network connection blocking rate of all three protocols rises as the number of domains increases. The blocking rate of the PH-PCE protocol rises more rapidly with the number of domains, which indicates that its resource conflict handling capability is weaker when there are more domains, because PH-PCE is a unicast protocol and its tree building capability in a multi-domain multicast environment is poorer. The blocking rates of HDTD and of the system and method provided by the present invention remain more stable as the number of domains increases, because both adopt a distributed tree building method, which effectively reduces resource conflicts and improves the efficiency of optical tree connection.
Secondly, a multicast tree establishment time experiment under different network loads is carried out. With the proportion of malicious nodes at 5% and the number of domains at 8, the multicast tree establishment times of the three protocols under different network loads are shown in fig. 7. The experimental results show that when the network load is small, the tree building time of all three protocols is low. When the network load is large, the tree building time of the PH-PCE and HDTD protocols increases greatly; this is caused by the layered PCE architecture, since a large network load exceeds the bearing capacity of the parent PCE, so the tree building time inevitably becomes long. The system and method provided by the present invention are based on a distributed PCE architecture; their tree building time also increases with network load, but by a smaller margin, and it stays below the tree building time of the PH-PCE and HDTD protocols.
Next, data packet delivery rate experiments under different malicious node ratios are performed. With the network load at 60 Erl and the number of domains at 8, the data packet delivery rates of the three protocols under different malicious node ratios are shown in fig. 8. The experimental results show that as the proportion of malicious nodes in the network increases, the data packet delivery rates of the three protocols decrease to different degrees. The PH-PCE and HDTD protocols perform poorly because they lack corresponding security mechanisms: when the number of malicious nodes in the network increases, normal nodes cannot identify them, and data packets are discarded by the malicious nodes. The system and method provided by the present invention apply several security mechanisms to monitor the malicious behaviour of nodes; once the trust value of a node falls below the set threshold, that node is excluded from route selection and nodes and paths with high trust values are chosen instead, so the system and method provided by the present invention perform better in an environment with malicious nodes.
Claims (6)
1. A multi-domain optical network security optical tree establishment system based on a distributed PCE is used for establishing a security optical tree in a multi-domain optical network of the distributed PCE and is characterized by comprising a security service module, a trust management module and a key management module;
the security service module is used for providing message encryption and decryption, identity authentication, source authentication, privacy protection and digital signature services when the secure optical tree is established;
the trust management module is used for providing trust value calculation services when the secure optical tree is established;
the key management module is used for completing the generation, distribution and updating of keys when the secure optical tree is established;
the security service module comprises a message encryption and decryption unit, an identity authentication unit, a source authentication unit, a privacy protection unit and a digital signature subunit;
the message encryption and decryption unit is used for encrypting or decrypting messages by using a session key, a PCE layer group key and an autonomous domain layer group key;
the identity authentication unit is used for performing identity authentication by adopting an identity authentication mechanism;
the source authentication unit is used for performing source authentication on the message by adopting a multicast source authentication mechanism;
the privacy protection unit is used for encrypting and decrypting the multicast tree;
the digital signature unit is used for carrying out digital signature by utilizing a private key or a public key.
2. The system for establishing the secure optical tree of the multi-domain optical network based on the distributed PCE of claim 1, wherein the message encryption and decryption unit comprises a session key encryption and decryption subunit, a PCE layer group key encryption and decryption subunit, and an autonomous domain layer group key encryption and decryption subunit;
the session key encryption and decryption subunit is used for encrypting or decrypting messages by using a session key;
the PCE layer group key encryption and decryption subunit is used for encrypting or decrypting messages by using the PCE layer group key;
and the autonomous domain layer group key encryption and decryption subunit is used for encrypting or decrypting messages by using the autonomous domain layer group key.
3. The system for establishing the secure optical tree of the multi-domain optical network based on the distributed PCE of claim 1, wherein the identity authentication unit performs the identity authentication by using an identity authentication mechanism and an identity authentication method based on a self-certified public key and an elliptic curve, and the identity authentication method specifically comprises:
the node A to be authenticated sends its own public key P_A and its identity ID_A to the authentication node B;
the authentication node B selects a random number b, calculates c = b·G and sends c to the node A to be authenticated; G is a base point of order n on the elliptic curve and n is a positive integer. At the same time the authentication node B calculates r' = b·P_A + h(ID_A)·G + ((P_A + h(ID_A)) mod n)·P_1, where h(ID_A) is the hash of the identity ID_A, mod n denotes the remainder of division by n, and P_1 is the public key of the PCE of the domain in which the node A to be authenticated and the authentication node B are located;
the node A to be authenticated uses its own private key S_A and the c sent by the authentication node B to calculate r = S_A·c, and sends the result to the authentication node B;
after receiving r, the authentication node B verifies whether r = r' holds; if so, the authentication node B approves the identity of the node A to be authenticated and the authentication passes.
4. The system for establishing the secure optical tree of the multi-domain optical network based on the distributed PCE of claim 1, wherein the source authentication subunit performs the authentication by using a multicast source authentication method based on TCP-AO when performing the source authentication of the message by using a multicast source authentication mechanism.
5. The system for establishing the secure optical tree of the multi-domain optical network based on the distributed PCE of claim 1, wherein the privacy protection subunit encrypts the multicast tree by using a Path segment hiding method of an improved Path-Key when encrypting and decrypting the multicast tree, and specifically comprises:
a source node initiates a multicast tree request to the PCE of the domain where the source node is located through the PCEP communication protocol; the PCE of the domain where the source node is located judges whether the destination node is in the domain, and if the destination node is not in the domain, the PCEs of the other domains in the multi-domain optical network cooperate with each other to obtain the domain where the destination node is located; the PCE of the domain where the source node is located carries out inter-domain routing calculation according to the domain where the destination node is located and obtains an inter-domain path; the PCE of the domain where the source node is located informs the PCE of the domain where the destination node is located to start calculating the path in its domain;
after the PCE of the domain where the destination node is located obtains the respective intra-domain path, encrypting the respective intra-domain path by using the respective public key, and sending the encrypted intra-domain path to the PCE of the domain where the source node is located;
after receiving the encrypted intra-domain path, the PCE of the domain where the source node is located is spliced with the inter-domain path, and after obtaining a complete path, the PCE is sent to the PCE of the domain where the destination node is located;
the Path segment hiding method adopting the improved Path-Key is used for decryption, and specifically comprises the following steps:
and the PCE of the domain where the destination node is located decrypts the complete path by adopting the PCE layer group key, and then analyzes the path segment according to the PCE number in the path key sub-object, thereby obtaining the complete multicast tree.
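Steps 3 to 6 of the embodiment and claim 5 describe how the multicast tree is hidden with Path-Key Subobjects. The following Python example is added here and is not the patent's own code: each domain PCE hides its intra-domain strict path behind a Path-Key Subobject carrying its PCE number, the source-domain PCE splices these into the abstract tree T0 to obtain T_PKS, and each PCE afterwards resolves only the segment that carries its own number. The HMAC-based keystream and tag, the per-domain keys and the intra-domain paths are constructed stand-ins for the group-key and public-key encryption the patent describes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Abstract multicast tree T0 from step 3: border nodes stay in the clear, "D<i>" marks
# the hidden interior of domain i, and a nested list is a branch of the tree.
T0 = ["m1", "D1", "m3", "m4", "D2", "m5", ["m6", "m7", "D3", "m8"], "m9", "D4", "m10"]

# Constructed: the intra-domain strict paths each PCE computed in step 4.
INTRA_DOMAIN_PATHS = {1: ["m1", "m2", "m3"], 2: ["m4", "m5", "m6"],
                      3: ["m7", "m8"], 4: ["m9", "m10"]}


@dataclass(frozen=True)
class PathKey:
    """Path-Key Subobject: the PCE number says who may open it; the rest is opaque."""
    pce_id: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (constructed stand-in for the patent's cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key: bytes, pce_id: int, nonce: bytes, ct: bytes) -> bytes:
    """Integrity tag binding the PCE number, nonce and ciphertext together."""
    return hmac.new(key, b"mac" + pce_id.to_bytes(2, "big") + nonce + ct, hashlib.sha256).digest()


def hide_segment(pce_id: int, key: bytes, path: list) -> PathKey:
    """Step 4: PCE `pce_id` hides its intra-domain path behind a Path-Key Subobject."""
    plaintext = "-".join(path).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return PathKey(pce_id, nonce, ct, _tag(key, pce_id, nonce, ct))


def reveal_segment(pks: PathKey, key: bytes) -> list:
    """Open a Path-Key Subobject; a wrong key or a tampered subobject is rejected."""
    if not hmac.compare_digest(_tag(key, pks.pce_id, pks.nonce, pks.ciphertext), pks.tag):
        raise ValueError(f"PKS{pks.pce_id}: authentication failed")
    ks = _keystream(key, pks.nonce, len(pks.ciphertext))
    return bytes(a ^ b for a, b in zip(pks.ciphertext, ks)).decode().split("-")


def splice(tree: list, pks_by_domain: dict) -> list:
    """Step 5: the source-domain PCE replaces every D<i> placeholder of T0 with PKS_i."""
    out = []
    for tok in tree:
        if isinstance(tok, list):
            out.append(splice(tok, pks_by_domain))
        elif isinstance(tok, str) and tok.startswith("D"):
            out.append(pks_by_domain[int(tok[1:])])
        else:
            out.append(tok)
    return out


def render(tree: list) -> str:
    """Textual T_PKS, e.g. m1-PKS1-m3-m4-PKS2-m5-(m6-m7-PKS3-m8)-m9-PKS4-m10."""
    parts = []
    for tok in tree:
        if isinstance(tok, list):
            parts.append("(" + render(tok) + ")")
        elif isinstance(tok, PathKey):
            parts.append(f"PKS{tok.pce_id}")
        else:
            parts.append(tok)
    return "-".join(parts)


def resolve_own_segment(tree: list, pce_id: int, key: bytes) -> list:
    """Step 6 / claim 5: a PCE walks T_PKS and opens only the subobject with its own number."""
    for tok in tree:
        if isinstance(tok, list):
            try:
                return resolve_own_segment(tok, pce_id, key)
            except KeyError:
                continue  # this branch holds no segment of ours; keep walking
        elif isinstance(tok, PathKey) and tok.pce_id == pce_id:
            return reveal_segment(tok, key)
    raise KeyError(f"no Path-Key Subobject for PCE{pce_id}")


def build_t_pks(keys: dict) -> list:
    """Steps 4-5 end to end: every PCE hides its segment, the source PCE splices T_PKS."""
    pks = {i: hide_segment(i, keys[i], INTRA_DOMAIN_PATHS[i]) for i in INTRA_DOMAIN_PATHS}
    return splice(T0, pks)


if __name__ == "__main__":
    keys = {i: os.urandom(32) for i in INTRA_DOMAIN_PATHS}  # constructed per-domain keys
    t_pks = build_t_pks(keys)
    print(render(t_pks))
    for i in INTRA_DOMAIN_PATHS:
        print(f"PCE{i} resolves", resolve_own_segment(t_pks, i, keys[i]))
```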
6. A method for establishing a secure optical tree of a multi-domain optical network based on a distributed PCE, characterized in that, by using the system for establishing a secure optical tree of a multi-domain optical network based on a distributed PCE as claimed in any one of claims 1 to 5, a secure optical tree from a source node to a destination node is established in the multi-domain optical network of the distributed PCE, wherein the multi-domain optical network comprises a plurality of domains, each domain comprises a PCE, and the PCE of the domain where the source node is located is the source domain PCE;
the method is executed according to the following steps:
step 1, a destination node calls an identity authentication unit to perform identity authentication on a source node, and if the authentication passes, a multicast tree building request is generated; otherwise, the multicast tree is failed to be established, and the communication is interrupted;
the source node calls a session key encryption and decryption subunit to encrypt the multicast tree building request to obtain an encrypted multicast tree building request;
step 2, the PCE of the source domain calls an identity authentication unit to perform identity authentication on the source node, if the authentication is passed, a session key encryption and decryption subunit is called to decrypt the encrypted multicast tree building request, and the multicast tree building request is obtained; if the authentication fails, generating an error message and sending the error message to the source node, and interrupting the connection with the source node;
the source domain PCE calls a source authentication unit to perform source authentication on the multicast tree building request, if the authentication is passed, the domain where the destination node is located is searched, and then step 3 is executed, otherwise, the communication is interrupted after an error message is generated;
step 3, the PCE of the domain where the destination node is located calls an identity authentication subunit to perform identity authentication on the PCE of the source domain, if the authentication is passed, the PCE of the domain where the destination node is located calls a source authentication unit to perform multicast source authentication on the multicast tree building request, and if the authentication is failed, an error message is generated and then communication is interrupted; if the authentication is passed, the PCE of the domain where the destination node is located firstly calls a session key encryption and decryption subunit to encrypt the multicast tree building request and then carries out routing calculation, and if the calculation is successful, an abstract multicast tree is obtained; if the calculation is failed, generating an error message and then interrupting the communication;
a source domain PCE calls a PCE layer group key encryption and decryption subunit to encrypt the abstract multicast tree to obtain an encrypted abstract multicast tree, and the encrypted abstract multicast tree is sent to PCEs of other domains, wherein the other domains are all domains except a domain where a source node is located in the multi-domain optical network;
step 4, PCEs of other domains call PCE layer group key encryption and decryption subunits to decrypt the encrypted abstract multicast tree to obtain the abstract multicast tree;
PCEs of each other domain calculate and obtain respective strict multicast trees in the domain from the abstract multicast tree;
PCEs of each other domain perform wavelength selection on respective paths in the domain to obtain available wavelength information of the paths in the domain of each other domain;
PCEs of other domains call a privacy protection unit to encrypt the strict multicast tree in each domain and then integrate the encrypted strict multicast tree with the available wavelength information of the path in each domain to obtain a calculation message;
PCEs of other domains call PCE layer group key encryption and decryption subunits to encrypt the calculation message, and then the encrypted calculation message is obtained and sent to a PCE of a source domain;
step 5, the source domain PCE calls a PCE layer group key encryption and decryption subunit to decrypt the encrypted calculation message, and the calculation message is obtained;
a domain PCE where the source node is located calls a privacy protection subunit to decrypt the calculation message, and strict multicast tree routing information and available wavelength information of each other domain are obtained;
the source domain PCE splices according to the strict multicast tree routing information of each other domain to obtain a strict multicast tree;
the source domain PCE performs wavelength allocation according to the available wavelength information of each other domain to obtain the available wavelength of the strict multicast tree;
the source domain PCE calls the privacy protection subunit again to encrypt the strict multicast tree to obtain the encrypted strict multicast tree;
the source domain PCE integrates the encrypted strict multicast tree and the available wavelength of the strict multicast tree to obtain available source information;
the source domain PCE calls a PCE layer group key encryption and decryption subunit to encrypt the available source message to obtain the encrypted available source message;
the source domain PCE sends the encrypted available source message to the PCE of each other domain;
step 6, after PCEs of other domains receive the available source message, a source authentication unit is called immediately to authenticate the available source message, and if the authentication fails, an error message is generated and communication is interrupted; if the authentication is passed, the PCE of each other domain calls a PCE layer group key encryption and decryption subunit to decrypt the encrypted available source message to obtain the available source message;
the PCE of each other domain calls a privacy protection subunit to decrypt the encrypted strict multicast tree in the available source message to obtain an intra-domain strict multicast tree and an available wavelength of the intra-domain strict multicast tree;
a source domain PCE obtains an intra-domain strict multicast tree and the available wavelength of the intra-domain strict multicast tree;
PCE of each domain integrates the respective intra-domain strict multicast tree and the available wavelength of the intra-domain strict multicast tree to obtain a new available source message;
the PCE of each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the new available source message, and then the encrypted new available source message is obtained;
the PCE of each domain sends the encrypted new available source message to the nodes through which the strict multicast tree in each domain passes;
step 7, after the head node of the strict multicast tree in each domain receives the encrypted new available source message, calling a source authentication unit to authenticate the encrypted new available source message, and if the authentication fails, generating an error message and interrupting communication; if the authentication is passed, calling an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted new available source message to obtain a new available source message;
the head node of the strict multicast tree in each domain calls a digital signature unit to carry out public key signature on the new available source message, and if the signature fails, communication is interrupted after an error message is generated; if the signature is successful, adding a new available source message in the PATH message to obtain a new PATH message;
the head node of the strict multicast tree in each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the new PATH message to obtain an encrypted new PATH message;
the head node of the strict multicast tree in each domain sends the encrypted new PATH message to the downstream node of the strict multicast tree in the domain;
step 8, the downstream node calls a source authentication unit to authenticate the encrypted new PATH message, and if the authentication fails, an error message is generated and then communication is interrupted; if the authentication is passed, calling an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted new PATH message to obtain a new PATH message;
the downstream node judges whether the available wavelength of the intra-domain strict multicast tree in the new PATH message meets the wavelength threshold range, if not, an error message is generated and then the communication is interrupted; if yes, calling an autonomous domain layer group key encryption and decryption subunit to encrypt the new PATH message to obtain an encrypted new PATH message;
the downstream node sends the encrypted new PATH message to the downstream node of the strict multicast tree in the domain;
step 9, repeating step 8 until the tail node of the strict multicast tree in each domain obtains the encrypted new PATH message;
the tail node of the strict multicast tree in each domain calls a source authentication unit to authenticate the encrypted new PATH message, and if the authentication fails, an error message is generated and communication is interrupted; if the authentication is passed, calling an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted new PATH message to obtain an RESV message;
a tail node of a strict multicast tree in each domain calls an autonomous domain layer group key encryption and decryption subunit to encrypt the RESV message, and the encrypted RESV message is obtained;
the tail node of the intra-domain strict multicast tree in each domain sends the encrypted RESV message to upstream nodes along the reverse PATH of the transmission PATH of the encrypted new PATH message until reaching the head node of the intra-domain strict multicast tree, wherein in the propagation process of the encrypted RESV message, each upstream node calls an autonomous domain layer group key encryption and decryption subunit to decrypt the encrypted RESV message, the wavelength configuration is carried out after the RESV message is obtained, and if the configuration is wrong, the communication is interrupted after an error message is generated; otherwise, calling an autonomous domain layer group key encryption and decryption subunit to encrypt the RESV message;
step 10, the head node of the strict multicast tree in each domain calls a source authentication unit to authenticate the encrypted RESV message, if the authentication fails, an error message is generated and then the communication is interrupted; if the authentication is successful, generating a configuration success message;
the system calls an identity authentication unit to perform identity authentication on the head node of the strict multicast tree in each domain, and if the authentication fails, an error message is generated and then communication is interrupted; if the authentication is passed, the head node of the strict multicast tree in each domain calls a session key encryption and decryption subunit to encrypt the configuration success message, and the encrypted configuration success message is obtained;
the head node of the strict multicast tree in each domain sends the encrypted configuration success message to the PCE of the domain;
step 11, the PCE of each domain calls a source authentication unit to authenticate the encrypted configuration success message, and if the authentication fails, an error message is generated and then the communication is interrupted; if the authentication is passed, the PCE of each domain calls an identity authentication unit to authenticate the head node of the strict multicast tree in the domain of the domain, and if the authentication is failed, an error message is generated and then the communication is interrupted; if the authentication is passed, calling a session key encryption and decryption subunit to decrypt the encrypted configuration success message to obtain a configuration success message;
PCEs of other domains call an identity authentication module to perform identity authentication, and if authentication fails, communication is interrupted after an error message is generated; if the authentication is passed, calling a PCE layer group key encryption and decryption subunit to encrypt the configuration success message to obtain an encrypted configuration success message;
the PCE of each other domain sends the encrypted configuration success message to the PCE of the source domain;
step 12: the source domain PCE calls a source authentication unit to authenticate the encrypted configuration success message, and if the authentication fails, an error message is generated and then the communication is interrupted; if the authentication is passed, calling an identity authentication module to perform identity authentication on PCEs of other domains, and if the authentication is failed, generating an error message and then interrupting communication; if the authentication is passed, a PCE layer group key encryption and decryption subunit is called to decrypt the encrypted configuration success message to obtain a configuration success message;
the source domain PCE judges whether a configuration success message of each other domain is obtained and an error message is not received, and then a tree building success message is generated;
step 13: the source domain PCE calls a session key encryption and decryption submodule to encrypt the successful tree building message, and the encrypted successful tree building message is obtained;
the source domain PCE sends the encrypted successful tree building message to a source node;
step 14: the source node calls a source authentication unit to authenticate the encrypted tree building success message, and if the authentication fails, an error message is generated and then communication is interrupted; if the authentication is passed, calling a session key encryption and decryption submodule to decrypt the encrypted successful tree building message to obtain the successful tree building message, and finishing building the safe optical tree.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911154078.8A CN111030934B (en) | 2019-11-22 | 2019-11-22 | Multi-domain optical network security optical tree establishment system and method based on distributed PCE |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111030934A true CN111030934A (en) | 2020-04-17 |
CN111030934B CN111030934B (en) | 2022-03-22 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120226824A1 (en) * | 2011-03-02 | 2012-09-06 | Ciena Corporation | Distributed network planning systems and methods |
CN106161440A (en) * | 2016-07-04 | 2016-11-23 | 中国人民武装警察部队工程大学 | Based on D S evidence and the multi-area optical network trust model of theory of games |
CN106169996A (en) * | 2016-07-04 | 2016-11-30 | 中国人民武装警察部队工程大学 | Multi-area optical network key management method based on key hypergraph and identification cipher |
CN106851441A (en) * | 2017-01-13 | 2017-06-13 | 中国人民武装警察部队工程大学 | The safe light path of multi-area optical network based on layering PCE sets up agreement |
CN108848074A (en) * | 2018-05-31 | 2018-11-20 | 西安电子科技大学 | The information service entities cross-domain authentication method of trust value is acted on behalf of based on domain |
CN110086779A (en) * | 2019-03-26 | 2019-08-02 | 中国人民武装警察部队工程大学 | A kind of communication security method of discrimination of multi-area optical network crosstalk attack |
-
2019
- 2019-11-22 CN CN201911154078.8A patent/CN111030934B/en active Active
Non-Patent Citations (4)
Title |
---|
J. Touch et al.: "The TCP Authentication Option", IETF Standard * |
吴启武 (Wu Qiwu) et al.: "Multi-domain optical network key management scheme based on key hypergraph and identity-based cryptography", Advanced Engineering Sciences * |
文闻 (Wen Wen) et al.: "Secure path establishment mechanism for multi-domain optical networks based on the PCE architecture", Study on Optical Communications * |
曹炳华 (Cao Binghua) et al.: "Identity authentication protocol based on self-certified public key and zero-knowledge proof", Computer Engineering * |
Also Published As
Publication number | Publication date |
---|---|
CN111030934B (en) | 2022-03-22 |
Similar Documents
Publication | Title |
---|---|
TWI676384B (en) | Quantum key distribution system, method and device based on trusted relay |
CN110581763B (en) | Quantum key service block chain network system |
US8954727B2 (en) | Security control in a communication system |
Chattaraj et al. | On the design of blockchain-based access control scheme for software defined networks |
CN114286334B (en) | Multi-user authentication method, system and information processing terminal for mobile communication scene |
Wyss et al. | Secure and scalable QoS for critical applications |
Tang et al. | A lightweight two-way authentication scheme between communication nodes for software defined optical access network |
CN111030934B (en) | Multi-domain optical network security optical tree establishment system and method based on distributed PCE |
Arslan et al. | Security issues and performance study of key management techniques over satellite links |
Alzahrani et al. | Key management in information centric networking |
Polito et al. | Inter-domain path provisioning with security features: Architecture and signaling performance |
Alouneh et al. | A Multiple LSPs Approach to Secure Data in MPLS Networks |
Goodrich | Leap-frog packet linking and diverse key distributions for improved integrity in network broadcasts |
Shibasaki et al. | An AODV-based communication-efficient secure routing protocol for large scale ad-hoc networks |
Roy et al. | Efficient authentication and key management scheme for wireless mesh networks |
Aytaç et al. | Authenticated quality of service aware routing in software defined networks |
Li et al. | A Hybrid Group Key Management Protocol for Reliable and Authenticated Rekeying |
Zhou et al. | A security optical tree establishment protocol based on distributed path computation element in multi-domain optical networks |
Chen et al. | A secure network coding based on broadcast encryption in SDN |
Sani et al. | Towards secure energy internet communication scheme: An identity-based key bootstrapping protocol supporting unicast and multicast |
Sagara et al. | A distributed authentication platform architecture for peer-to-peer applications |
Liu et al. | Security authentication based on generated address algorithm for software-defined optical communication network |
Singh et al. | An Energy Efficient Cluster Based Group Key Management Scheme using Elliptical Curve Cryptography in Wireless Sensor Network |
Sharma et al. | Extending certificateless authentication for wireless sensor networks: A novel insight |
Zubair et al. | Design, implement, and evaluate the performance of an IPsec inspired security framework for HIP-VPLS environments |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |