CN112187865B - Open shortest path priority message processing method and mimicry equipment - Google Patents

Open shortest path first message processing method and mimicry equipment

Info

Publication number: CN112187865B
Application number: CN202010910866.1A
Authority: CN (China)
Prior art keywords: message, protocol, authentication, ospf, executive body
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112187865A (en)
Inventors: 马海龙, 朱绪全, 张震, 申涓, 罗伟, 韩伟涛
Current assignee: Information Engineering University of PLA Strategic Support Force; Network Communication and Security Zijinshan Laboratory
Original assignee: Information Engineering University of PLA Strategic Support Force; Network Communication and Security Zijinshan Laboratory
Events: application filed by Information Engineering University of PLA Strategic Support Force and Network Communication and Security Zijinshan Laboratory; priority to CN202010910866.1A; publication of CN112187865A; application granted; publication of CN112187865B; legal status active.

Classifications

    • H04L 67/56 Provisioning of proxy services (under H04L 67/00 Network arrangements or protocols for supporting network services or applications; H04L 67/50 Network services)
    • H04L 45/30 Routing of multiclass traffic (under H04L 45/00 Routing or path finding of packets in data switching networks)
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities (under H04L 63/00)
    • H04L 69/22 Parsing or analysis of headers (under H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04L 69/26 Special purpose or proprietary protocols or architectures (under H04L 69/00)
    All within H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of internet communication, in particular to an open shortest path first message processing method and a mimicry device. An OSPF protocol proxy module is arranged in the mimicry device to carry out the interactive authentication processing of protocol messages between an external device and each executive body in the mimicry device. The method comprises the following steps: for an OSPF protocol message from an external device, caching neighbor related information, wherein the key value of each neighbor in the related information consists of the external device IP address, the external device RouterID, the external device area ID, the mimicry device IP address and the mimicry device RouterID, and determining according to the message type whether to forward the message to each executive body in the mimicry device; and for an OSPF protocol message from an executive body in the mimicry device, determining according to the message type whether to forward it to the external device. By introducing into the mimicry device an OSPF proxy module that processes messages according to their type, the invention ensures the diversification of OSPF routing data and facilitates the effective implementation of the mimicry scheme in network defense.

Description

Open shortest path first message processing method and mimicry equipment
Technical Field
The invention relates to the technical field of internet communication, in particular to an open shortest path first message processing method and mimicry equipment.
Background
In recent years, with the development of internet communication technology, communication applications have become unprecedentedly widespread. Open Shortest Path First (OSPF) is a widely used dynamic routing protocol. It is a link state routing protocol with the advantages of fast convergence after route changes, freedom from routing loops, support for Variable Length Subnet Mask (VLSM) and route summarization, and hierarchical division into areas. Each router is responsible for discovering and maintaining its relations with its neighbors, describes its known neighbor list in link state advertisements (LSA) carried in Link State Update (LSU) messages, and learns the network topology of the whole Autonomous System (AS) through reliable periodic flooding exchanges with the other routers in the AS; a router at the boundary of the autonomous system injects the routing information of other ASes, so that routing information for the whole Internet is obtained. At fixed intervals, or whenever the link state changes, the LSA is regenerated and the router advertises the new LSA through the flooding mechanism, so that routes are updated in real time.
According to the RFC 2328 standard, authentication of OSPF protocol messages is of three types: null authentication, simple password authentication, and cryptographic authentication. For null authentication and simple password authentication, only the message itself is authenticated, but the fields used for authentication differ. For a cryptographically authenticated OSPF message, the cryptographic sequence number of the message must also be considered during authentication, to ensure that the received cryptographic sequence number conforms to the rule of the standard. Data security during transmission in communication systems is receiving more and more attention. Traditional routing equipment generally has no security protection against malicious attack such as a firewall or anti-virus, and potential bugs are numerous; once an attacker controls the routing equipment, large-scale man-in-the-middle attacks can be launched, sensitive data can be stolen or tampered with, and even large-scale network paralysis can be caused. The emergence of mimicry devices such as mimicry switches and mimicry routers provides a new solution: a mimicry device introduces multiple heterogeneous redundant executors into its architecture and, through policy-driven or periodic scheduling of different executors, presents uncertain, changing characteristics to the outside.
A consensus routing table is generated by adjudicating the routing table entries produced by each executor. Given the differentiated design, the probability that different executors share the same vulnerability or backdoor is extremely low, so even if an attacker controls some of the executors, the mimicry adjudication mechanism can still identify their malicious behavior, and the ability of the mimicry device to cope with network attacks is greatly improved. To coordinate data interaction between the mimicry device and external devices, the OSPF protocol proxy component must process each message type appropriately to ensure the validity of message interaction.
Disclosure of Invention
Therefore, the invention provides an open shortest path first message processing method and a mimic device, and by introducing an OSPF proxy module which carries out corresponding processing according to message types into the mimic device, the diversification of OSPF routing data can be ensured, and the efficient implementation of the mimic scheme in network defense is facilitated.
According to the design scheme provided by the invention, an open shortest path first message processing method is characterized in that an OSPF protocol agent module is arranged in a mimic device to realize interactive authentication processing of protocol messages between an external device and each executive body in the mimic device, each executive body in the mimic device is divided into a main executive body and a plurality of slave executive bodies which are arranged in parallel, and the interactive authentication processing process comprises the following steps:
caching neighbor related information aiming at an OSPF protocol message from external equipment, wherein a key value of each neighbor in the related information consists of an external equipment IP address, an external equipment RouterID, an external equipment area ID, a mimic equipment IP address and a mimic equipment RouterID, and determining whether to forward the message to each executive body in the mimic equipment or not according to the type of the message;
and aiming at the OSPF protocol message from each executive body in the mimicry equipment, determining whether to forward the OSPF protocol message to external equipment according to the message type.
As the open shortest path first message processing method, further, when the neighbor related information is cached and cryptographic authentication is set in the OSPF protocol message, the cryptographic sequence number is updated according to each neighbor key value mark and cached.
As the method for processing the open shortest path first message, further, when the type of the OSPF protocol message is a Hello message, in case that the protocol message is from an external device, if the protocol message is null authentication or simple password authentication, copying and distributing the protocol message to each executive body in the mimicry device, and if the protocol message is password authentication, copying and distributing the protocol message to each executive body in the mimicry device according to a cryptology sequence number value in a neighbor key value mark update cache; and forwarding the protocol message according to the original flow aiming at the condition that the protocol message comes from each executive body in the mimicry equipment.
As the open shortest path first message processing method of the present invention, further, when the OSPF protocol message type is the DD message: for a protocol message from the external device, if it is null authentication or simple password authentication, the protocol message is forwarded to the main executive body, and if it is cryptographic authentication, the cryptographic sequence value in the cache is updated according to the neighbor key value and the protocol message is forwarded to the main executive body; when the protocol message comes from the master executive body in the mimicry equipment, it is forwarded according to the original flow, and if it comes from a slave executive body in the mimicry equipment, the neighbor information in the cache is queried according to the destination IP and Area ID fields in the protocol message, and an endogenous message is sent to the source executive body.
As the method for processing the open shortest path first message, further, in the construction of the endogenous message: if configured as null authentication, the checksum value of the endogenous protocol message header is recalculated; if configured as simple password authentication, the authentication field of the endogenous protocol message is filled according to the configured authentication field and the checksum value of the endogenous protocol message header is recalculated; if configured as cryptographic authentication, the checksum value of the protocol message header is set to 0, the cryptographic sequence number of the protocol message header is filled according to the cryptographic sequence number cached in the neighbor information, and a new message digest is generated and added to the endogenous message.
As the method for processing the open shortest path first message, further, when the OSPF protocol message type is the LSR message, aiming at the situation that the protocol message comes from the external device, if the protocol message is null authentication or simple password authentication, the protocol message is forwarded to the main executive body, and if the protocol message is password authentication, the cryptology sequence key value in the cache is updated according to the neighbor key value mark, and the protocol message is forwarded to the main executive body; when the protocol message comes from a main executive body in the mimicry equipment, the protocol message is forwarded according to the original flow, if the protocol message comes from a slave executive body, the neighbor information in the buffer is inquired according to the target IP and the area ID field in the protocol message, and the endogenous message is sent to the source executive body.
As the method for processing an open shortest path first message, further, in the structure of the endogenous message, if configured as null authentication, recalculating the checksum value of the header of the endogenous message, if configured as simple password authentication, filling in the identity authentication field of the endogenous message according to the configuration authentication field, recalculating the checksum value of the header of the endogenous message, if configured as cryptography authentication, filling in 0 the checksum value of the header of the endogenous message, filling in the cryptography serial number of the header of the protocol message according to the cryptography serial number cached in the neighbor information, regenerating a new message digest, and adding the new message digest into the endogenous message.
As the open shortest path first message processing method of the present invention, further, when the OSPF protocol message type is the LSU message, in view of the situation that the protocol message comes from the external device, if the protocol message is null authentication or simple password authentication, the protocol message is sent to each execution body, and if the protocol message is password authentication, the cryptography sequence value in the cache is updated according to the neighbor key value mark, and the protocol message is forwarded to each execution body; when the protocol message comes from the main executive body in the mimicry equipment, the protocol message is forwarded according to the original flow, and if the protocol message comes from the slave executive body, the protocol message is discarded.
As the method for processing the open shortest path first message, further, when the type of the OSPF protocol message is the LSA message, aiming at the situation that the protocol message comes from the external device, if the protocol message is null authentication or simple password authentication, the protocol message is sent to the main executive body, and if the protocol message is password authentication, the cryptology sequence value in the cache is updated according to the neighbor key value mark, and the protocol message is forwarded to the main executive body; and when the protocol message comes from the main executive body in the mimicry equipment, the protocol message is forwarded according to the original flow, and if the protocol message comes from the slave executive body, the protocol message is discarded.
As the open shortest path first message processing method, further, the main executive body and each slave executive body in the mimicry device adopt heterogeneous software and/or hardware structures that perform the same function.
Further, based on the above method, the present invention provides a mimicry device, applied to processing open shortest path first packets in a communication network, including: an OSPF proxy module arranged between network devices, and a main executive body and a plurality of slave executive bodies connected to the OSPF proxy module, wherein the main executive body and the slave executive bodies are arranged in parallel and adopt heterogeneous software and/or hardware structures that perform the same function. For an OSPF protocol message from an external device, the OSPF proxy module caches neighbor related information, wherein the key value of each neighbor consists of the external device IP address, the external device RouterID, the external device area ID, the mimicry device IP address and the mimicry device RouterID, and determines according to the message type whether to forward the message to each executive body in the mimicry device; for an OSPF protocol message from an executive body in the mimicry device, it determines according to the message type whether to forward the message to the external device.
The invention has the following beneficial effects:
the invention introduces an OSPF proxy module into the mimicry device and forwards each message according to its OSPF message type. In view of the complexity and security of processing OSPF messages with cryptographic authentication enabled on conventional routing equipment, customized processing is needed for the different executors of a mimicry device; a processing scheme for OSPF messages with cryptographic authentication enabled is provided in the OSPF proxy module, which effectively ensures correct processing and forwarding of all messages with cryptographic authentication enabled, ensures the interaction and authentication of all types of OSPF protocol messages between external devices and each executor inside the mimicry device, can improve the security of each internal executor, can ensure the diversification of OSPF routing data, improves the effectiveness of data interaction in a communication system, facilitates the effective implementation of the mimicry scheme in network defense, and provides a reference solution for other routing protocol proxies (such as IS-IS).
Description of the drawings:
FIG. 1 is a schematic diagram of a mimicry device architecture in an embodiment;
FIG. 2 is a schematic diagram of an OSPF protocol packet header in an embodiment;
FIG. 3 is a schematic diagram of a null authentication protocol message header in an embodiment;
FIG. 4 is a schematic diagram of a simple password authentication protocol message header in an embodiment;
FIG. 5 is a schematic diagram of a cryptographic authentication protocol message header in an embodiment.
The specific implementation mode is as follows:
in order to make the objects, technical solutions and advantages of the present invention clearer and more obvious, the present invention is further described in detail below with reference to the accompanying drawings and technical solutions.
Data security during transmission in information systems is receiving more and more attention, and the appearance of mimicry devices such as mimicry switches and mimicry routers provides a new solution. The embodiment of the invention provides a mimicry device applied to the processing of open shortest path first messages in a communication network, comprising: an OSPF proxy module arranged between network devices, and a main executive body and a plurality of slave executive bodies connected to the OSPF proxy module, wherein the main executive body and the slave executive bodies are arranged in parallel and adopt heterogeneous software and/or hardware structures that perform the same function. For an OSPF protocol message from an external device, the OSPF proxy module caches neighbor related information, wherein the key value of each neighbor consists of the external device IP address, the external device RouterID, the external device area ID, the mimicry device IP address and the mimicry device RouterID, and determines according to the message type whether to forward the message to each executive body in the mimicry device; for an OSPF protocol message from an executive body in the mimicry device, it determines according to the message type whether to forward the message to the external device.
The mimicry device comprises a plurality of heterogeneous executors with the same functional characteristics. The Open Shortest Path First (OSPF) protocol proxy is a newly added functional module that coordinates the interaction of OSPF protocol messages between the external device and each internal executor: it forwards each message in a targeted manner according to its OSPF message type, applies special processing to the OSPF protocol messages sent by each executor, and presents a single routing device to the outside, thereby ensuring the interaction and authentication of OSPF protocol messages between the external device and each executor in the mimicry device. As shown in fig. 1, the mimicry device includes multiple heterogeneous executors with the same function, generally divided into a master executor and multiple slave executors; the executors are configured identically and receive the same inputs, but their outputs may differ.
According to the RFC 2328 standard, authentication of OSPF protocol messages is of three types: null authentication, simple password authentication, and cryptographic authentication. For null authentication and simple password authentication, only the message itself is authenticated, but the fields used for authentication differ. For a cryptographically authenticated OSPF message, the cryptographic sequence number of the message must also be considered during authentication, to ensure that the received cryptographic sequence number conforms to the rule of the standard. Therefore, in the embodiment of the present invention, the OSPF protocol proxy processes the three kinds of authenticated OSPF protocol messages separately, so that the interaction of the external device and each internal executor on OSPF protocol messages proceeds normally and effectively.
The OSPF protocol header (OSPF Header) is shown in FIG. 2. The layout of the Authentication field in the OSPF protocol header when null authentication is set is shown in FIG. 3; when simple password authentication is set, the layout of the Authentication field is as shown in FIG. 4; when cryptographic authentication is set, the layout of the Authentication field is shown in FIG. 5. In conjunction with the above description and the accompanying drawings, the message processing of the OSPF protocol proxy module in the embodiment of the present invention can be divided into two cases: messages from the external device, and messages from each executor in the mimicry device. Each case is explained below.
For an OSPF protocol message from an external device, the mimicry device sends it to the OSPF protocol proxy module for processing; the steps are as follows:
1. The OSPF protocol proxy module receives an OSPF protocol message from the external device.
2. The OSPF protocol proxy module caches the relevant information of the neighbor, where the key value Key of each neighbor consists of the external device IP address, the external device Router ID, the external device Area ID, the mimicry device IP address and the mimicry device Router ID.
3. For an OSPF protocol message with cryptographic authentication set, the cryptographic sequence number is updated according to each neighbor key value Key mark and cached.
4. Whether to forward the message to each internal executor is determined according to the message type.
The specific handling of each OSPF message type is as follows:
1) The OSPF protocol proxy module receives a Hello message from an external device.
If the AuthType in the OSPF protocol message header is null authentication or simple password authentication, the Hello message is copied and distributed to each active executor.
If the AuthType in the OSPF protocol message header is cryptographic authentication, the OSPF protocol proxy updates the value of the cryptographic sequence number in the cache according to the neighbor key value Key mark, and copies and distributes the Hello message to each active executor.
2) The OSPF protocol proxy module receives a DD (Database Description) message from an external device.
If the AuthType in the OSPF protocol message header is null authentication or simple password authentication, the DD message is sent directly to the master executor.
If the AuthType in the OSPF protocol message header is cryptographic authentication, the OSPF protocol proxy updates the value of the cryptographic sequence number in the cache according to the neighbor key value Key mark, and sends the DD message to the master executor.
3) The OSPF protocol proxy module receives an LSR (Link State Request) message from an external device.
If the AuthType in the OSPF protocol message header is null authentication or simple password authentication, the LSR message is sent directly to the master executor.
If the AuthType in the OSPF protocol message header is cryptographic authentication, the OSPF protocol proxy updates the value of the cryptographic sequence number in the cache according to the neighbor key value Key mark, and sends the LSR message to the master executor.
4) The OSPF protocol proxy module receives an LSU (Link State Update) message from an external device.
If the AuthType in the OSPF protocol message header is null authentication or simple password authentication, the LSU message is sent directly to all active executors.
If the AuthType in the OSPF protocol message header is cryptographic authentication, the OSPF protocol proxy updates the value of the cryptographic sequence number in the cache according to the neighbor key value Key mark, and sends the LSU message to all active executors.
5) The OSPF protocol proxy module receives an LSA (Link State Acknowledgement) message from an external device.
If the AuthType in the OSPF protocol message header is null authentication or simple password authentication, the LSA message is sent directly to the master executor.
If the AuthType in the OSPF protocol message header is cryptographic authentication, the OSPF protocol proxy updates the value of the cryptographic sequence number in the cache according to the neighbor key value Key mark, and sends the LSA message to the master executor.
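The forwarding matrix of steps 1) to 5) above, together with the neighbor cache of steps 2 and 3, as an added worked example. This is editor-supplied illustration code, not code from the patent or its applicants; it works on already-parsed messages, and the executor names, addresses and Router IDs it uses are constructed. It adds one receiver-side rule the patent does not spell out: a cryptographic sequence number lower than the one cached for that neighbor is dropped as a replay, which is the check of RFC 2328 Appendix D rather than anything the page states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HELLO, DD, LSR, LSU, LSACK = "Hello", "DD", "LSR", "LSU", "LSAck"
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2


@dataclass(frozen=True)
class NeighborKey:
    """The five values the patent uses to identify one adjacency in the cache."""
    ext_ip: str
    ext_router_id: str
    ext_area_id: str
    mimic_ip: str
    mimic_router_id: str


@dataclass
class OspfMsg:
    """Already-parsed view of one OSPF packet; header parsing is out of scope here."""
    mtype: str
    autype: int
    src_ip: str
    dst_ip: str
    router_id: str                    # Router ID from the OSPF header
    area_id: str
    crypto_seq: Optional[int] = None  # only meaningful for AuType 2


class OspfProxy:
    def __init__(self, mimic_ip: str, mimic_router_id: str, executors: List[str]):
        self.mimic_ip = mimic_ip
        self.mimic_router_id = mimic_router_id
        self.master = executors[0]          # first executor plays the master role
        self.slaves = executors[1:]
        # neighbor key -> last accepted cryptographic sequence number (None for AuType 0/1)
        self.neighbors: Dict[NeighborKey, Optional[int]] = {}

    def from_external(self, msg: OspfMsg) -> Tuple[str, List[str]]:
        """Steps 2-4 for a packet from outside: cache the neighbor, then fan out by type."""
        key = NeighborKey(msg.src_ip, msg.router_id, msg.area_id,
                          self.mimic_ip, self.mimic_router_id)
        if msg.autype == AU_CRYPTO:
            last = self.neighbors.get(key)
            # Added check (RFC 2328 D.4.4): the sequence number must not go backwards.
            # A lower value is a replay and never reaches an executor.
            if msg.crypto_seq is None or (last is not None and msg.crypto_seq < last):
                return ("drop", [])
            self.neighbors[key] = msg.crypto_seq
        else:
            self.neighbors.setdefault(key, None)
        if msg.mtype in (HELLO, LSU):
            return ("forward", [self.master] + self.slaves)   # copied to every active executor
        if msg.mtype in (DD, LSR, LSACK):
            return ("forward", [self.master])                 # adjacency traffic: master only
        return ("drop", [])

    def lookup_neighbor(self, dst_ip: str, area_id: str) -> Optional[NeighborKey]:
        """Find the cached neighbor an executor is addressing, by destination IP and Area ID."""
        for key in self.neighbors:
            if key.ext_ip == dst_ip and key.ext_area_id == area_id:
                return key
        return None

    def from_executor(self, executor: str, msg: OspfMsg) -> Tuple[str, List[str]]:
        """Packets generated inside: master traffic and every Hello go out unchanged,
        a slave's DD/LSR gets an endogenous reply from the proxy, a slave's LSU/LSAck is dropped."""
        if executor == self.master or msg.mtype == HELLO:
            return ("forward_external", [])
        if msg.mtype in (DD, LSR) and self.lookup_neighbor(msg.dst_ip, msg.area_id) is not None:
            return ("reply_endogenous", [executor])
        return ("drop", [])
```

The returned pair is the decision ("forward", "forward_external", "reply_endogenous" or "drop") and the executors it applies to, so the policy can be unit-tested without any socket I/O; the actual construction of the endogenous reply is a separate step.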
For OSPF protocol messages from each internal executor, the mimicry device sends them to the OSPF protocol proxy module for processing; the steps are as follows:
1. The OSPF protocol proxy module receives an OSPF protocol message from an internal executor.
2. According to the type of the OSPF protocol message, the OSPF protocol proxy module sends it to the external device, or sends an internally generated corresponding OSPF protocol message back to the source executor, or discards it.
The specific handling of each OSPF message type is as follows:
1) The OSPF protocol proxy module receives a Hello message from the internal master executor and forwards it according to the original flow.
2) The OSPF protocol proxy module receives a Hello message from an internal slave executor and forwards it according to the original flow.
3) The OSPF protocol proxy module receives a DD message from the internal master executor and forwards it according to the original flow.
4) The OSPF protocol proxy module receives a DD message from an internal slave executor, queries the neighbor information in the cache according to the destination IP and Area ID fields of the DD message, and, if the query succeeds, sends an endogenous DD message to the source executor. The main fields of the endogenous DD message are constructed as follows:
The OSPF protocol proxy module fills the destination MAC and source MAC fields of the endogenous DD message from the source MAC and destination MAC of the received DD message, respectively.
The OSPF protocol proxy module fills the destination IP and source IP fields of the IP header of the endogenous DD message from the source IP and destination IP of the received DD message, respectively, and recalculates the IP checksum.
The OSPF protocol proxy module fills the Router ID and Area ID fields of the OSPF protocol message header of the endogenous DD message from the queried neighbor information.
If null authentication is configured, the OSPF protocol proxy module recalculates the Checksum value of the OSPF protocol message header of the endogenous DD message.
If simple password authentication is configured, the OSPF protocol proxy module fills the Authentication field of the OSPF protocol message header of the endogenous DD message from the 32-bit authentication field in the configuration, and recalculates the OSPF header Checksum value of the endogenous DD message.
If cryptographic authentication is configured, the OSPF protocol proxy module sets the Checksum value of the OSPF header of the endogenous DD message to 0, fills the cryptographic sequence number of the OSPF protocol message header from the cryptographic sequence number cached in the queried neighbor information, generates a new message digest according to the configured Key ID and other information, and appends the new message digest after the endogenous DD message.
The OSPF protocol proxy module compares the Router ID of the received DD message with the Router ID in the queried neighbor cache information to determine the Master/Slave relationship and fills the MS field of the DD packet accordingly; this determines the value of the subsequent DD sequence number, which is filled into the DD sequence number field of the endogenous DD message.
The Init field of the endogenous DD message is filled according to whether it is the first DD message, and the More field according to whether it is the last DD message.
5) The OSPF protocol agent module receives an LSR message from the internal main executive body and forwards it according to the original flow.
6) The OSPF protocol agent module receives an LSR message from an internal slave executive body, looks up the neighbor information in the cache by the destination IP and Area ID fields of the received LSR message, and, once the lookup succeeds, replies to the source executive body with an internally generated (endogenous) LSA message. The main fields of this endogenous LSA message are constructed as follows:
The OSPF protocol agent module fills the destination MAC field of the endogenous LSA message with the source MAC of the received LSR message, and the source MAC field with its destination MAC.
The OSPF protocol agent module fills the destination IP and source IP fields of the IP header in the endogenous LSA message with the source IP and destination IP of the received LSR message, respectively, and recalculates the IP Checksum field.
The OSPF protocol agent module fills the Router ID and Area ID fields of the OSPF protocol message header in the endogenous LSA message from the neighbor information found in the cache.
If null authentication is configured, the OSPF protocol agent module recalculates the Checksum value of the OSPF protocol message header in the endogenous LSA message.
If simple password authentication is configured, the OSPF protocol agent module fills the Authentication field of the OSPF protocol message header in the endogenous LSA message from the 32-bit Authentication field in the configuration, and recalculates the Checksum value of the OSPF protocol message header in the endogenous LSA message.
If cryptographic authentication is configured, the OSPF protocol agent module sets the Checksum value of the OSPF protocol message header in the endogenous LSA message to 0, fills the cryptographic sequence number of the OSPF protocol message header from the cryptographic sequence number cached in the neighbor information, recalculates a new message digest from the configured Key ID and related information, and appends the message digest to the end of the endogenous LSA message.
The OSPF protocol proxy module copies the LSA header carried in the LSR message into the LSA header of the endogenous LSA message.
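As an added example (not code from the patent or its authors), the following Python builds the OSPF header of an endogenous DD or LSA message under the three authentication types described in steps 4 and 6, applies the Master/Init/More and DD sequence logic of step 4, and then checks the result the way a receiving executive body would. It assumes the RFC 2328 layouts and rules: the higher Router ID is Master and chooses the DD sequence number while the Slave echoes it, the 64-bit authentication field is excluded from the header checksum, the packet length field excludes the trailing digest, and a short cryptographic key is zero-padded to 16 bytes before the MD5 digest; the sample Router IDs, key and sequence numbers are constructed.

```python
"""Added example, not the patent's code: OSPFv2 header construction for an
endogenous DD/LSA message under AuType 0, 1 and 2 (steps 4 and 6), plus the
DD Master/Init/More flags of step 4. Field layouts follow RFC 2328 (assumed)."""
import hashlib
import struct

AU_NULL, AU_SIMPLE, AU_CRYPT = 0, 1, 2            # OSPF AuType values
TYPE_DD, TYPE_LSU = 2, 4                          # packet types used by steps 4 and 6
FLAG_INIT, FLAG_MORE, FLAG_MASTER = 0x04, 0x02, 0x01
HDR_FMT = "!BBHIIHH"                              # header bytes 0-15, before the 64-bit auth field


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; callers pass the packet with the auth field removed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                            # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dd_body(local_rid, neighbor_rid, first, last, recv_seq, own_seq, mtu=1500):
    """DD body: MTU, options (E-bit), flags, DD sequence number. local_rid is the
    Router ID the proxy speaks with (the cached external neighbor's), neighbor_rid the
    one in the received DD. The higher Router ID is Master and chooses the sequence
    number; the Slave echoes the received one (assumed per RFC 2328)."""
    master = local_rid > neighbor_rid
    flags = ((FLAG_INIT if first else 0) | (0 if last else FLAG_MORE)
             | (FLAG_MASTER if master else 0))
    return struct.pack("!HBBI", mtu, 0x02, flags, own_seq if master else recv_seq), master


def build_packet(pkt_type, router_id, area_id, au_type, body,
                 password=b"", key_id=0, crypt_seq=0) -> bytes:
    """Fill Router ID, Area ID and the AuType-specific fields as steps 4 and 6 describe."""
    length = 24 + len(body)                       # the packet length never counts the digest
    head = struct.pack(HDR_FMT, 2, pkt_type, length, router_id, area_id, 0, au_type)
    if au_type == AU_CRYPT:
        # checksum stays 0; auth field carries Key ID, digest length, cryptographic sequence number
        auth = struct.pack("!HBBI", 0, key_id, 16, crypt_seq)
        pkt = head + auth + body
        digest = hashlib.md5(pkt + password.ljust(16, b"\x00")[:16]).digest()
        return pkt + digest                       # digest is appended after the packet
    auth = password.ljust(8, b"\x00")[:8] if au_type == AU_SIMPLE else bytes(8)
    csum = ospf_checksum(head + body)             # checksum excludes the auth field
    return head[:12] + struct.pack("!H", csum) + head[14:] + auth + body


def verify_packet(pkt: bytes, password=b"") -> bool:
    """What a receiving executive body checks before accepting the endogenous message."""
    length = int.from_bytes(pkt[2:4], "big")
    au_type = int.from_bytes(pkt[14:16], "big")
    if au_type == AU_CRYPT:
        expected = hashlib.md5(pkt[:length] + password.ljust(16, b"\x00")[:16]).digest()
        return pkt[length:length + 16] == expected
    if au_type == AU_SIMPLE and pkt[16:24] != password.ljust(8, b"\x00")[:8]:
        return False
    return ospf_checksum(pkt[:16] + pkt[24:length]) == 0   # a valid checksum sums to zero
```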
7) The OSPF protocol agent module receives an LSU message from the internal main executive body and forwards it according to the original flow.
8) The OSPF protocol proxy module receives an LSU message from an internal slave executive body and discards it.
9) The OSPF protocol agent module receives an LSA message from the internal main executive body and forwards it according to the original flow.
10) The OSPF protocol proxy module receives an LSA message from an internal slave executive body and discards it.
By introducing the OSPF proxy module into the mimic device and performing forwarding that is specific to each OSPF message type, the interaction and authentication of OSPF protocol messages between external devices and the various executive bodies in the mimic device is preserved, the diversity of OSPF routing data is maintained, the normal effectiveness of data interaction in the communication system is improved, and the efficient implementation of the mimic scheme in network defense is facilitated.
Unless specifically stated otherwise, the relative steps, numerical expressions and values of the components and steps set forth in these embodiments do not limit the scope of the present invention.
Based on the foregoing system, an embodiment of the present invention further provides a server, including: one or more processors; a storage device to store one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the system as described above.
Based on the above system, the embodiment of the present invention further provides a computer readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the above system.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system and the apparatus described above may refer to the corresponding processes in the foregoing system embodiments, and are not described herein again.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative; for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, for example a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling, direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the system according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An open shortest path first message processing method, characterized in that an OSPF protocol agent module is arranged in a mimicry device to realize interactive authentication processing of protocol messages between an external device and each executive body in the mimicry device, the executive bodies in the mimicry device being divided into a main executive body and a plurality of slave executive bodies arranged in parallel, and the interactive authentication processing comprising the following steps:
caching neighbor related information for an OSPF protocol message from the external device, wherein the key value of each neighbor in the related information consists of the external device IP address, the external device RouterID, the external device area ID, the mimicry device IP address and the mimicry device RouterID, and determining according to the message type whether to forward the message to each executive body in the mimicry device;
for OSPF protocol messages from each executive body in the mimicry device, determining according to the message type whether to forward them to the external device;
when the OSPF protocol message type is a Hello message, for the case that the protocol message comes from the external device: if the protocol message uses null authentication or simple password authentication, copying and distributing it to each executive body in the mimicry device; if it uses cryptographic authentication, updating the cryptographic sequence number value in the cache according to the neighbor key value tag and then copying and distributing it to each executive body in the mimicry device; and for the case that the protocol message comes from an executive body in the mimicry device, forwarding it according to the original flow.
2. The method as claimed in claim 1, wherein, for the case that the OSPF protocol message is configured with cryptographic authentication, when the neighbor related information is cached, the cryptographic sequence number is updated according to each neighbor key value tag and the cryptographic sequence number is cached.
3. The method according to claim 1, wherein when the OSPF protocol message type is a DD message, for the case that the protocol message comes from the external device: if the protocol message uses null authentication or simple password authentication, it is forwarded to the main executive body; if it uses cryptographic authentication, the cryptographic sequence number value in the cache is updated according to the neighbor key value and the protocol message is forwarded to the main executive body; when the protocol message comes from the main executive body in the mimicry device, it is forwarded according to the original flow; and if it comes from a slave executive body in the mimicry device, the neighbor information in the cache is looked up according to the destination IP and area ID fields in the protocol message, and an endogenous message is sent to the source executive body.
4. The method as claimed in claim 3, wherein, in the construction of the endogenous message: if null authentication is configured, the checksum value of the endogenous protocol message header is recalculated; if simple password authentication is configured, the authentication field of the endogenous protocol message is filled in according to the configured authentication field and the checksum value of the endogenous protocol message header is recalculated; and if cryptographic authentication is configured, the checksum value of the protocol message header is set to 0, the cryptographic sequence number of the protocol message header is filled in according to the cryptographic sequence number cached in the neighbor information, and a new message digest is regenerated and added to the endogenous message.
5. The method according to claim 1, wherein when the OSPF protocol message type is an LSR message, for the case that the protocol message comes from the external device: if the protocol message uses null authentication or simple password authentication, it is forwarded to the main executive body; if it uses cryptographic authentication, the cryptographic sequence number value in the cache is updated according to the neighbor key value tag and the protocol message is forwarded to the main executive body; when the protocol message comes from the main executive body in the mimicry device, it is forwarded according to the original flow; and if it comes from a slave executive body, the neighbor information in the cache is looked up according to the destination IP and area ID fields in the protocol message, and an endogenous message is sent to the source executive body.
6. The method as claimed in claim 5, wherein, in the construction of the endogenous message: if null authentication is configured, the checksum value of the endogenous message header is recalculated; if simple password authentication is configured, the authentication field of the endogenous message is filled in according to the configured authentication field and the checksum value of the endogenous message header is recalculated; and if cryptographic authentication is configured, the checksum value of the endogenous message header is set to 0, the cryptographic sequence number of the protocol message header is filled in according to the cryptographic sequence number cached in the neighbor information, and a new message digest is regenerated and added to the endogenous message.
7. The method of claim 1, wherein when the OSPF protocol message type is an LSU message, for the case that the protocol message comes from the external device: if the protocol message uses null authentication or simple password authentication, it is sent to each executive body; if it uses cryptographic authentication, the cryptographic sequence number value in the cache is updated according to the neighbor key value tag and the protocol message is forwarded to each executive body; when the protocol message comes from the main executive body in the mimicry device, it is forwarded according to the original flow; and if it comes from a slave executive body, it is discarded.
8. The method of claim 1, wherein when the OSPF protocol message type is an LSA message, for the case that the protocol message comes from the external device: if the protocol message uses null authentication or simple password authentication, it is sent to the main executive body; if it uses cryptographic authentication, the cryptographic sequence number value in the cache is updated according to the neighbor key value tag and the protocol message is forwarded to the main executive body; when the protocol message comes from the main executive body in the mimicry device, it is forwarded according to the original flow; and if it comes from a slave executive body, it is discarded.
9. The method of claim 1, wherein the main executive body and the slave executive bodies in the mimicry device use heterogeneous software and/or hardware structures that perform the same function.
10. A mimicry device applied to open shortest path first message processing in a communication network, the mimicry device being implemented based on the method of claim 1 and comprising: an OSPF proxy module arranged between network devices, and a main executive body and a plurality of slave executive bodies connected to the OSPF proxy module, wherein the main executive body and the plurality of slave executive bodies are arranged in parallel and adopt heterogeneous software and/or hardware structures performing the same function; the OSPF proxy module caches neighbor related information for an OSPF protocol message from an external device, the key value of each neighbor in the related information consisting of the external device IP address, the external device RouterID, the external device area ID, the mimicry device IP address and the mimicry device RouterID, and determines according to the message type whether to forward the message to each executive body in the mimicry device; and for OSPF protocol messages from each executive body in the mimicry device, determines according to the message type whether to forward them to the external device.
CN202010910866.1A 2020-09-02 2020-09-02 Open shortest path priority message processing method and mimicry equipment Active CN112187865B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010910866.1A CN112187865B (en) 2020-09-02 2020-09-02 Open shortest path priority message processing method and mimicry equipment

Publications (2)

Publication Number Publication Date
CN112187865A CN112187865A (en) 2021-01-05
CN112187865B true CN112187865B (en) 2022-11-01

Family

ID=73925570

Country Status (1)

Country Link
CN (1) CN112187865B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005452A (en) * 2006-12-22 2007-07-25 Huawei Technologies Co., Ltd. Method and system for communication between IP devices
CN107659534A (en) * 2016-07-25 2018-02-02 Li Zhigang OSPF protocol vulnerability analysis and detection system
CN110380961A (en) * 2019-07-05 2019-10-25 PLA Strategic Support Force Information Engineering University Device and method for mimicry transformation of a conventional router
CN111416865A (en) * 2020-03-24 2020-07-14 Henan Xinda Wangyu Technology Co., Ltd. Protocol proxy processing method and system based on mimicry defense
CN111431946A (en) * 2020-06-10 2020-07-17 Network Communication and Security Zijinshan Laboratory Mimicry router executive body scheduling method and mimicry router

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8068409B2 (en) * 2007-12-18 2011-11-29 Motorola Solutions, Inc. Fast OSPF inactive router detection
CN106656835A (en) * 2016-11-16 2017-05-10 Shanghai Hongzhen Information Technology Co., Ltd. Parallel single-presentation system of multiple OSPF protocol execution units

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Test and analysis of router mimic defense capability; Ma Hailong et al.; Journal of Cyber Security (信息安全学报); 2017-01-31 (No. 01); full text *

Also Published As

Publication number Publication date
CN112187865A (en) 2021-01-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant