CN112350941B - Message encapsulation method and sending method for ESP (Encapsulating Security Payload) to realize source routing at the overlay layer - Google Patents


Info

Publication number: CN112350941B
Authority: CN (China)
Prior art keywords: message, node, routing, stack, sending
Legal status: Active (granted)
Application number: CN202010958347.2A
Other languages: Chinese (zh)
Other versions: CN112350941A (en)
Inventors: 黄韬, 张晨, 邢业平, 汪硕
Current assignee: Network Communication and Security Zijinshan Laboratory
Original assignee: Network Communication and Security Zijinshan Laboratory
Application filed by: Network Communication and Security Zijinshan Laboratory
Priority application: CN202010958347.2A
Related PCT application: PCT/CN2020/120650 (WO2022052201A1)
Publications: CN112350941A (application), CN112350941B (granted patent)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/20 Hop count for routing purposes, e.g. TTL
    • H04L45/34 Source routing
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]

Abstract

The invention relates to a message encapsulation method and a message sending method for realizing source routing with ESP (Encapsulating Security Payload) at the overlay layer. Based on ESP encapsulation, it semantically extends the SPI (Security Parameter Index) field of the ESP encapsulation and combines it with existing SR (Segment Routing) technology to realize segment routing at the overlay layer in IPv4. Two SR implementation modes are designed: segment routing based on an MPLS (multi-protocol label switching) label stack and segment routing based on IP (Internet Protocol) addresses. At the same time, an authentication tail in the SR header, together with keys issued between nodes by a controller, authenticates the Segment List, prevents tampering by a man-in-the-middle, secures the SR path and effectively improves the security of message transmission. In addition, in this design, encryption and decryption are needed only once, between the IPsec tunnel endpoints, so the performance loss caused by encrypting and decrypting at each intermediate path segment under segment routing is avoided.

Description

Message encapsulation method and sending method for ESP (Encapsulating Security Payload) to realize source routing at the overlay layer
Technical Field
The invention relates to a message encapsulation method and a message sending method for realizing source routing with ESP (Encapsulating Security Payload) at the overlay layer, and belongs to the technical field of IP (Internet Protocol) networks.
Background
In current networks, Segment Routing (SR) technology is widely used to implement the traffic engineering (TE) function of the network; it is divided into SR-MPLS and SRv6. SR-MPLS reuses the existing MPLS forwarding plane and steers forwarding by pushing an MPLS label stack at the source node; SRv6 steers IPv6 forwarding through a newly defined IPv6 extension header.
Because SR-MPLS uses a conventional MPLS label stack, it is only applicable to the underlay network. It cannot be used in an overlay network, where multiple underlay nodes may lie between overlay nodes (SR-MPLS is implemented at layer 2.5, so adjacent nodes must support it), and the mainstream tunnel protocols used to build overlays define no corresponding label stack, so SR capability cannot be provided for the overlay network.
In SRv6, because the information that steers forwarding is carried in an IP extension header, segment routing can conveniently be implemented at both the underlay and the overlay layer; but since the scheme is designed for IPv6 networks, it cannot be applied to IPv4 networks, and the problem of SR capability for overlay networks in IPv4 remains unsolved.
To realize TE capability in an IPv4 overlay network, the technique commonly used today is tunnel splicing: the nodes of the overlay network are connected and abstracted into multiple tunnel segments, and different paths are selected by splicing these segments together. However, when overlay traffic must be secured (mostly with IPsec), this technique causes repeated encryption and decryption along the multi-segment tunnel between the endpoints, increases the load on the intermediate overlay nodes and increases traffic delay. Tunnel splicing also requires a large amount of complex configuration, the intermediate nodes must keep state, and frequent rescheduling makes maintenance very difficult.
Disclosure of Invention
The technical problem the invention aims to solve is to provide a message encapsulation method, a message sending method, a system, a device and a storage medium for realizing source routing with ESP (Encapsulating Security Payload) at the overlay layer, which, based on ESP encapsulation, semantically extend the SPI (Security Parameter Index) field of ESP, realize segment routing at the overlay layer in IPv4, authenticate the Segment List and effectively improve the security of message transmission.
To solve this problem, the invention adopts the following technical solution: an ESP-based encapsulated message for realizing source routing at the overlay layer is designed which comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet Protocol) header, a UDP (User Datagram Protocol) header, a flag bit field, a transit routing stack and an ESP (Encapsulating Security Payload) message;
wherein the destination IP in the IP header points to the next-hop node;
the flag bit field is set to be greater than 0: a flag bit field defined to be greater than 255 forms an SPI field, which is used to point to a security association; a flag bit field taking one of several different values in the range 1 to 255 forms an SR-Flag, so that the SR-Flag corresponds to the different segment routing operations;
according to the segment routing operation the flag bit field corresponds to, the transit routing stack forms the stack structure of that segment routing operation; the transit routing stack comprises, in order from head to tail, a node count, each node in sequence and an authentication tail. The node count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each node in sequence represents the nodes passed through in order after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the node count and each node in sequence in the transit routing stack;
and, while the ESP message is sent from the source node to the destination node, the transit routing stack in the ESP tunnel encapsulation data format is updated in turn at each node the ESP message passes through.
As a preferred technical solution of the invention: the flag bit field is defined to take either of two different values a or b in the range 1 to 255 to form the SR-Flag, which corresponds respectively to segment routing based on an MPLS label stack or segment routing based on IP;
when the flag bit field corresponds to segment routing based on an MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, which comprises, in order from head to tail, a label count, each label in sequence and an authentication tail; the label count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each label in sequence represents the label of each node passed through in order after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the label count and each label in sequence in the MPLS label stack;
when the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, which comprises, in order from head to tail, an IP count, each IP in sequence and an authentication tail; the IP count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each IP in sequence represents the IP of each node passed through in order after the next-hop node pointed to by the destination IP in the IP header up to the destination node under the preset message sending path; and the authentication tail is used to authenticate the IP count and each IP in sequence in the IP routing stack.
As a preferred technical solution of the invention: the ESP message comprises, in order from head to tail, an ESP header, an inner IP message and an ESP trailer.
The invention also designs a sending method for the message encapsulation method for realizing source routing with ESP at the overlay layer, wherein the encapsulated message comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet Protocol) header, a UDP (User Datagram Protocol) header, a flag bit field, a transit routing stack and an ESP (Encapsulating Security Payload) message; the label count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each label in sequence represents the label of each node passed through in order after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the label count and each label in sequence in the MPLS label stack; when the flag bit field corresponds to segment routing based on an MPLS label stack, the method for sending the ESP-based encapsulated message for realizing source routing at the overlay layer comprises the following steps A1 to A5, by which the ESP message is sent from the source node to the destination node;
Step A1: based on the label uniquely identifying each node in the network and the preset message sending path from the source node to the destination node, the source node determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the label count in the MPLS label stack, each label in sequence and the authentication tail; it then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the transmitted message, sends the transmitted message to the node corresponding to the destination IP in its IP header, and proceeds to step A2;
Step A2: after receiving the transmitted message, the node corresponding to the destination IP authenticates the MPLS label stack using the authentication tail in the MPLS label stack; if authentication passes, proceed to step A3; if authentication fails, discard the transmitted message;
Step A3: take the first label of the labels in sequence in the MPLS label stack of the transmitted message and, based on the label uniquely identifying each node in the network, write the IP of the node corresponding to that label into the destination IP in the IP header of the transmitted message, thereby updating the destination IP; at the same time delete that first label from the labels in sequence in the MPLS label stack and subtract 1 from the label count in the MPLS label stack, thereby updating the transmitted message; then proceed to step A4;
Step A4: judge whether the label count in the MPLS label stack of the transmitted message equals 1; if so, proceed to step A5; otherwise, send the transmitted message to the node corresponding to the destination IP and return to step A2;
Step A5: delete the flag bit field and the MPLS label stack from the transmitted message, thereby updating it, and send the transmitted message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the transmitted message, and the sending of the ESP message from the source node to the destination node is complete.
The invention also designs a sending method for the message encapsulation method for realizing source routing with ESP at the overlay layer, wherein the encapsulated message comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet Protocol) header, a UDP (User Datagram Protocol) header, a flag bit field, a transit routing stack and an ESP (Encapsulating Security Payload) message; the IP count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each IP in sequence represents the IP of each node passed through in order after the next-hop node pointed to by the destination IP in the IP header up to the destination node under the preset message sending path; the authentication tail is used to authenticate the IP count and each IP in sequence in the IP routing stack; when the flag bit field corresponds to IP-based segment routing, the method for sending the ESP-based encapsulated message for realizing source routing at the overlay layer comprises the following steps B1 to B5, by which the ESP message is sent from the source node to the destination node;
Step B1: based on the IP of each node in the network and the preset message sending path from the source node to the destination node, the source node determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the IP count in the IP routing stack, each IP in sequence and the authentication tail; it then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the transmitted message, sends the transmitted message to the node corresponding to the destination IP in its IP header, and proceeds to step B2;
Step B2: after receiving the transmitted message, the node corresponding to the destination IP authenticates the IP routing stack using the authentication tail in the IP routing stack; if authentication passes, proceed to step B3; if authentication fails, discard the transmitted message;
Step B3: take the first IP of the IPs in sequence in the IP routing stack of the transmitted message and write it into the destination IP in the IP header of the transmitted message, thereby updating the destination IP; at the same time delete that first IP from the IPs in sequence in the IP routing stack and subtract 1 from the IP count in the IP routing stack, thereby updating the transmitted message; then proceed to step B4;
Step B4: judge whether the IP count in the IP routing stack of the transmitted message equals 1; if so, proceed to step B5; otherwise, send the transmitted message to the node corresponding to the destination IP and return to step B2;
Step B5: delete the flag bit field and the IP routing stack from the transmitted message, thereby updating it, and send the transmitted message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the transmitted message, and the sending of the ESP message from the source node to the destination node is complete.
The invention also designs a system for the message sending method for realizing source routing with ESP at the overlay layer, based on an ESP (Encapsulating Security Payload) tunnel encapsulation data format that comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet Protocol) header, a UDP (User Datagram Protocol) header, a flag bit field, a transit routing stack and an ESP message; the system comprises a flag bit field identification module, a transit routing stack construction module and a transit routing stack updating module;
the flag bit field identification module defines that a flag bit field greater than 255 forms an SPI field, which is used to point to a security association, and that a flag bit field taking one of several different values in the range 1 to 255 forms an SR-Flag, so that the flag bit field corresponds to the different segment routing operations;
the transit routing stack construction module defines, according to the result of the flag bit field identification module mapping the flag bit field to the different segment routing operations, that the transit routing stack forms the corresponding stack structure for the corresponding segment routing operation; the transit routing stack comprises, in order from head to tail, a node count, each node in sequence and an authentication tail; the node count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each node in sequence represents the nodes passed through in order after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the node count and each node in sequence in the transit routing stack;
and the transit routing stack updating module is used to update the transit routing stack in the ESP tunnel encapsulation data format at each node the ESP message passes through in turn while the ESP message is sent from the source node to the destination node.
As a preferred technical solution of the invention: according to the result of the flag bit field identification module mapping the flag bit field to the different segment routing operations, the transit routing stack construction module defines the transit routing stack structures for segment routing based on an MPLS label stack and for IP-based segment routing, respectively, as follows:
the flag bit field is defined to take either of two different values a or b in the range 1 to 255 to form the SR-Flag, which corresponds respectively to segment routing based on an MPLS label stack or segment routing based on IP;
when the flag bit field corresponds to segment routing based on an MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, which comprises, in order from head to tail, a label count, each label in sequence and an authentication tail; the label count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each label in sequence represents the label of each node passed through in order after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the label count and each label in sequence in the MPLS label stack;
when the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, which comprises, in order from head to tail, an IP count, each IP in sequence and an authentication tail; the IP count represents the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each IP in sequence represents the IP of each node passed through in order after the next-hop node pointed to by the destination IP in the IP header up to the destination node under the preset message sending path; and the authentication tail is used to authenticate the IP count and each IP in sequence in the IP routing stack.
As a preferred technical solution of the invention: the transit routing stack updating module comprises an encapsulation sending module, an authentication module, an encapsulation updating module, a forwarding judgment module, and a message updating and forwarding module;
when the flag bit field corresponds to segment routing based on an MPLS label stack:
the transit routing stack updating module is used to update the transit routing stack in the ESP tunnel encapsulation data format at each node the ESP message passes through in turn, so that the ESP message is sent from the source node to the destination node;
the encapsulation sending module is used, at the source node, to determine the destination IP in the IP header of the ESP tunnel encapsulation data format, the label count in the MPLS label stack, each label in sequence and the authentication tail, based on the label uniquely identifying each node in the network and the preset message sending path from the source node to the destination node; then to encrypt and encapsulate the original message according to the ESP tunnel encapsulation data format to form the transmitted message; and then to send the transmitted message to the node corresponding to the destination IP in its IP header;
the authentication module is used, at the node corresponding to the destination IP, to authenticate the MPLS label stack using the authentication tail in the MPLS label stack after the transmitted message is received;
the encapsulation updating module is used to take the first label of the labels in sequence in the MPLS label stack of the transmitted message and, based on the label uniquely identifying each node in the network, write the IP of the node corresponding to that label into the destination IP in the IP header of the transmitted message, thereby updating the destination IP; at the same time to delete that first label from the labels in sequence in the MPLS label stack and subtract 1 from the label count in the MPLS label stack, thereby updating the transmitted message;
the forwarding judgment module is used to judge whether the label count in the MPLS label stack of the transmitted message equals 1;
the message updating and forwarding module is used to delete the flag bit field and the MPLS label stack from the transmitted message, thereby updating it, and to send the transmitted message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the transmitted message, completing the sending of the ESP message from the source node to the destination node;
when the flag bit field corresponds to IP-based segment routing:
the transit routing stack updating module is used to update the transit routing stack in the ESP tunnel encapsulation data format at each node the ESP message passes through in turn, so that the ESP message is sent from the source node to the destination node;
the encapsulation sending module is used, at the source node, to determine the destination IP in the IP header of the ESP tunnel encapsulation data format, the IP count in the IP routing stack, each IP in sequence and the authentication tail, based on the IP of each node in the network and the preset message sending path from the source node to the destination node; then to encrypt and encapsulate the original message according to the ESP tunnel encapsulation data format to form the transmitted message; and then to send the transmitted message to the node corresponding to the destination IP in its IP header;
the authentication module is used, at the node corresponding to the destination IP, to authenticate the IP routing stack using the authentication tail in the IP routing stack after the transmitted message is received;
the encapsulation updating module is used to take the first IP of the IPs in sequence in the IP routing stack of the transmitted message and write it into the destination IP in the IP header of the transmitted message, thereby updating the destination IP; at the same time to delete that first IP from the IPs in sequence in the IP routing stack and subtract 1 from the IP count in the IP routing stack, thereby updating the transmitted message;
the forwarding judgment module is used to judge whether the IP count in the IP routing stack of the transmitted message equals 1;
and the message updating and forwarding module is used to delete the flag bit field and the IP routing stack from the transmitted message, thereby updating it, and to send the transmitted message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the transmitted message, completing the sending of the ESP message from the source node to the destination node.
The invention also designs a device for the sending method of the message encapsulation method for realizing source routing with ESP at the overlay layer, which comprises at least a processor and a memory; the memory stores computer-executable instructions, and the processor executes the computer-executable instructions stored in the memory so that the device for the ESP-based encapsulated message realizing source routing at the overlay layer performs the method of steps A1 to A5 or the method of steps B1 to B5.
The invention also contemplates a computer-readable storage medium storing a computer program or instructions which, when executed, implement the method of steps A1 to A5 or the method of steps B1 to B5 described above.
Compared with the prior art, the technical solution adopted by the invention, namely the method, system, device and storage medium for the ESP-based encapsulated message realizing source routing at the overlay layer, has the following technical effects:
The invention designs a message encapsulation method, a message sending method, a system, a device and a storage medium for realizing source routing with ESP (Encapsulating Security Payload) at the overlay layer. Based on ESP encapsulation, it semantically extends the SPI (Security Parameter Index) field, combines existing SR technology to realize segment routing at the overlay layer in IPv4, and specifically designs two SR implementation modes: segment routing based on an MPLS (multi-protocol label switching) label stack and IP (Internet Protocol) based segment routing. At the same time, the Segment List is authenticated with an authentication tail in the SR header, using keys issued between nodes by a controller, which prevents tampering by a man-in-the-middle, secures the SR path and effectively improves the security of message transmission. In addition, in this design, encryption and decryption are needed only once, between the IPsec tunnel endpoints, so the performance loss caused by encrypting and decrypting at each intermediate path segment under segment routing is avoided.
Drawings
FIG. 1 is a diagram illustrating the prior-art ESP packet encapsulation format;
FIG. 2 is a schematic diagram of the forwarding packet format for segment routing based on an MPLS label stack;
FIG. 3 is a schematic diagram of the forwarding packet format for IP-based segment routing;
FIG. 4 is a schematic diagram of an embodiment of the present invention;
FIG. 5 is a forwarding diagram of segment routing based on an MPLS label stack according to an embodiment;
FIG. 6 is a forwarding diagram of IP-based segment routing according to an embodiment.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
ESP (Encapsulating Security Payload) is the encapsulation protocol of IPsec. The overlay network of current SD-WAN mostly uses IPsec ESP tunnel encapsulation, and in order to support NAT traversal its message encapsulation format is as shown in fig. 1: a UDP header is added for NAT traversal, and to distinguish an IKE message from an ESP message, RFC 3948 defines a non-ESP marker, a 4-byte all-zero field that identifies an IKE message. When these 4 bytes are not 0, they are the SPI field of ESP, through which the SA is looked up.
Based on the existing ESP message encapsulation format, the invention designs a message encapsulation method for ESP to realize source routing at the overlay layer. The encapsulated message comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet protocol) header, a UDP (user datagram protocol) header, a flag bit field, a transit routing stack and an ESP message; the ESP message comprises, in order from head to tail, an ESP header, an inner-layer IP message and an ESP trailer.
The destination IP in the IP header points to the next-hop node. The flag bit field is set to be greater than 0: when it is defined to be greater than 255, the flag bit field forms the SPI field, which points to the security association; when it is defined to take different values in the range 1-255, the Flag bit field forms the SR-Flag, and the SR-Flag values correspond to different segment routing operations.
Based on the flag bit field corresponding to different segment routing operations, the transit routing stack forms the stack structure of the corresponding segment routing operation. The transit routing stack comprises, in order from head to tail, a node count, each node in sequence and an authentication tail. The node count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the nodes in sequence are the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header; the authentication tail authenticates the node count and each node in sequence in the transit routing stack.
In the process of sending the ESP message from the source node to the destination node, the transit routing stack in the ESP tunnel encapsulation data format is updated in turn at each node that the ESP message passes through.
In specific practical application, the Flag bit field is defined to correspond to any two different values a and b in the range 1 to 255 to form the SR-Flag, corresponding respectively to segment routing based on the MPLS label stack and segment routing based on IP.
As shown in fig. 2, the UDP header is added for NAT traversal and, in order to support segment routing, it is also added in scenarios without NAT; both the source port and the destination port are 4500. The UDP header is followed by a 4-byte field, the flag bit field. When the flag bit field corresponds to segment routing based on an MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, which comprises, in order from head to tail, a label count, each label in sequence and an authentication tail. The label count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the labels in sequence are the labels of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header. A label is the SID of segment routing, which may be a node SID or an adjacency SID, and the SIDs can be uniformly allocated by the SD-WAN controller. The authentication tail authenticates the label count and each label in sequence in the MPLS label stack; in practical application the authentication tail is 12 bytes and authenticates the MPLS label stack with MD5-96 or SHA-96, that is, the label count and the label 1 to label N fields are authenticated, which prevents modification by a man-in-the-middle, and the authentication keys are uniformly distributed by the controller. The MPLS label stack is followed by the conventional ESP header, and the encryption and authentication scope of ESP is as defined in RFC 4303.
Corresponding to the message encapsulation method designed for ESP to realize source routing at the overlay layer, the invention also designs a method for sending the encapsulated message. When the flag bit field corresponds to segment routing based on the MPLS label stack, the ESP message is sent from the source node to the destination node according to the following steps A1 to A5.
Step A1: based on the label uniquely identifying each node in the network and the preset message sending path from the source node to the destination node, the source node determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the label count in the MPLS label stack, each label in sequence and the authentication tail; it then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the sending message, sends the sending message to the node corresponding to the destination IP in its IP header, and proceeds to step A2.
Step A2: after receiving the sending message, the node corresponding to the destination IP authenticates the MPLS label stack according to the authentication tail in the MPLS label stack; if the authentication passes, proceed to step A3; if it does not pass, discard the sending message.
Step A3: take the first label of the labels in sequence in the MPLS label stack of the sending message and, based on the label uniquely identifying each node in the network, write the IP of the node corresponding to that label into the destination IP in the IP header of the sending message, thereby updating the destination IP; at the same time delete that first label from the labels in sequence in the MPLS label stack and decrement the label count in the MPLS label stack by 1, thereby updating the sending message; then proceed to step A4.
Step A4: judge whether the label count in the MPLS label stack of the sending message is equal to 1; if so, proceed to step A5; otherwise send the sending message to the node corresponding to the destination IP and return to step A2.
Step A5: delete the flag bit field and the MPLS label stack in the sending message, thereby updating the sending message, and send the sending message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the sending message, and the sending of the ESP message from the source node to the destination node is completed.
As shown in fig. 3, the UDP header is for NAT traversal and, in order to support segment routing, it is also added in scenarios without NAT; both the source port and the destination port are 4500. The UDP header is followed by a 4-byte field, the flag bit field. When the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, which comprises, in order from head to tail, an IP count, each IP in sequence and an authentication tail. The IP count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the IPs in sequence are the IPs of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header up to the destination node. The authentication tail authenticates the IP count and each IP in sequence in the IP routing stack; in practical application the authentication tail is 12 bytes and authenticates the IP routing stack with MD5-96 or SHA-96, that is, the IP count and the IP1 to IPN fields are authenticated, which prevents modification by a man-in-the-middle, and the authentication keys are uniformly distributed by the controller. The IP routing stack is followed by the conventional ESP header, and the encryption and authentication scope of ESP is as defined in RFC 4303.
When the flag bit field corresponds to IP-based segment routing, the ESP message is sent from the source node to the destination node according to the following steps B1 to B5.
Step B1: based on the IP corresponding to each node in the network and the preset message sending path from the source node to the destination node, the source node determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the IP count in the IP routing stack, each IP in sequence and the authentication tail; it then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the sending message, sends the sending message to the node corresponding to the destination IP in its IP header, and proceeds to step B2.
Step B2: after receiving the sending message, the node corresponding to the destination IP authenticates the IP routing stack according to the authentication tail in the IP routing stack; if the authentication passes, proceed to step B3; if it does not pass, discard the sending message.
Step B3: take the first IP of the IPs in sequence in the IP routing stack of the sending message and write it into the destination IP in the IP header of the sending message, thereby updating the destination IP; at the same time delete that first IP from the IPs in sequence in the IP routing stack and decrement the IP count in the IP routing stack by 1, thereby updating the sending message; then proceed to step B4.
Step B4: judge whether the IP count in the IP routing stack of the sending message is equal to 1; if so, proceed to step B5; otherwise send the sending message to the node corresponding to the destination IP and return to step B2.
Step B5: delete the flag bit field and the IP routing stack in the sending message, thereby updating the sending message, and send the sending message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the sending message, and the sending of the ESP message from the source node to the destination node is completed.
For segment routing based on an MPLS label stack and segment routing based on IP, in the specific embodiment shown in fig. 4, an IPsec tunnel is established between A and B, the expected forwarding traffic path is A -> C -> D -> B, that is, the message sending path is preset, and the controller allocates a node SID to every device: A (16001), B (16002), C (16003), D (16004), E (16005), F (16006).
When segment routing based on the MPLS label stack is performed, as shown in fig. 5, the controller issues the label stack (16003, 16004, 16002) to node A and associates it with the corresponding IPsec tunnel, and at the same time issues the A-C authentication key S(A-C), the C-D authentication key S(C-D) and the D-B authentication key S(D-B); the following processing is then performed in sequence.
1. A encapsulates the message with ESP, finds the corresponding label stack, and appends the label stack (16004, 16002) after the ESP encapsulation, setting SR-Flag = 1 and the label count to 2; it authenticates the label count and the label stack with S(A-C) and writes the result into the authentication tail; then it looks up IP-C of C from 16003 and encapsulates it as the outer-layer destination IP.
2. After C receives the message, it knows from the UDP destination port 4500 that it is an IPsec-related message and from SR-Flag = 1 that label processing is needed; it authenticates the label count and the label stack with S(A-C); after the check passes, it finds IP-D of D from 16004, pops 16004 and modifies the label count, refills the authentication tail using S(C-D), and encapsulates IP-D as the outer-layer destination IP before sending the message out.
3. After D receives the message, it proceeds similarly to C, but since it finds that 16002 is the bottom of the label stack, it removes the SR-Flag, the label count and the authentication tail, encapsulates IP-B as the outer-layer destination IP and sends the message out.
4. After B receives the message, it is an ordinary ESP message and is decrypted normally.
The label popping described above differs from the ordinary MPLS flow.
When IP-based segment routing is performed, as shown in fig. 6, the controller issues the IP routing information (IP-C, IP-D, IP-B) to node A and associates it with the corresponding IPsec tunnel; the following processing is then performed in sequence.
1. A encapsulates the message with ESP, finds the corresponding SR IP routing information, and appends the IP routing information (IP-D, IP-B) after the ESP encapsulation, setting the IP count to 2 and SR-Flag = 2; it authenticates the IP count and the IPs with S(A-C) and writes the result into the authentication tail, and encapsulates IP-C as the outer-layer IP for sending.
2. After C receives the message, it knows from the UDP destination port 4500 that it is an IPsec-related message and from SR-Flag = 2 that SR IP processing is needed; it authenticates the IP count and the IPs with S(A-C); after the authentication passes, it decrements the IP count by 1, pops IP-D, authenticates the IP count and the IPs with S(C-D) and fills the result into the authentication tail, and encapsulates IP-D as the outer-layer destination IP before sending the message out.
3. After D receives the message, it proceeds similarly to C, but since it finds that the IP count is 0, it removes all the IP options, encapsulates IP-B as the outer-layer destination IP and sends the message out.
4. After B receives the message, it is an ordinary ESP message and is decrypted normally.
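The stack format and the per-hop processing of steps A1 to A5 and B1 to B5, as exercised by the fig. 5 and fig. 6 walk-through above, in an added Python simulation that is not code from the patent. It assumes a 4-byte count field, 4-byte entries (a label in a 32-bit word, or an IPv4 address), HMAC-SHA-1-96 (RFC 2404) as the SHA-96 tail, and constructed node IPs and inter-node keys; following the walk-through (D strips the SR header once it has popped the bottom entry), it removes the stack when the count reaches 0 after the pop, whereas steps A4/B4 as written compare the count with 1, which would strip the stack one hop early.

```python
"""Transit routing stack (flag + count + entries + tail) and per-hop processing; added example."""
import hashlib
import hmac
import ipaddress
import struct

SR_FLAG_MPLS = 1  # SR-Flag value a: segment routing over an MPLS label stack (fig. 5)
SR_FLAG_IP = 2    # SR-Flag value b: segment routing over IP addresses (fig. 6)
AUTH_LEN = 12     # 12-byte (96-bit) authentication tail
ENTRY_LEN = 4     # assumption: one 32-bit word per label, one IPv4 address per IP entry

# Constructed topology: node SIDs from the embodiment, IP addresses made up for the example.
NODE_SID = {"A": 16001, "B": 16002, "C": 16003, "D": 16004, "E": 16005, "F": 16006}
NODE_IP = {"A": "10.0.0.1", "B": "10.0.0.2", "C": "10.0.0.3", "D": "10.0.0.4",
           "E": "10.0.0.5", "F": "10.0.0.6"}
SID_TO_IP = {NODE_SID[n]: ip for n, ip in NODE_IP.items()}
# Constructed inter-node keys S(A-C), S(C-D), S(D-B), which the controller would issue.
KEYS = {("A", "C"): b"S(A-C)", ("C", "D"): b"S(C-D)", ("D", "B"): b"S(D-B)"}


def classify_field(value: int) -> str:
    """4 bytes after UDP: 0 = RFC 3948 non-ESP marker (IKE), 1..255 = SR-Flag, else SPI."""
    if value == 0:
        return "ike"
    return "sr-flag" if value <= 255 else "spi"


def encode_entry(flag: int, value) -> bytes:
    if flag == SR_FLAG_MPLS:
        return struct.pack("!I", value & 0xFFFFF)  # 20-bit label in a 32-bit word
    return ipaddress.IPv4Address(value).packed      # IPv4 address


def decode_entry(flag: int, raw: bytes):
    if flag == SR_FLAG_MPLS:
        return struct.unpack("!I", raw)[0] & 0xFFFFF
    return str(ipaddress.IPv4Address(raw))


def auth_tail(key: bytes, count: int, entries: bytes) -> bytes:
    """Tail over count || entry1..entryN. Assumption: "SHA-96" means HMAC-SHA-1-96
    (RFC 2404); the MD5-96 option would be HMAC-MD5-96 (RFC 2403) with hashlib.md5."""
    return hmac.new(key, struct.pack("!I", count) + entries, hashlib.sha1).digest()[:AUTH_LEN]


def build_stack(flag: int, entries: list, key: bytes) -> bytes:
    """flag(4) | count(4) | entries (4 each) | tail(12): what the source node inserts
    between the UDP header and the ESP header in step A1 / B1."""
    raw = b"".join(encode_entry(flag, e) for e in entries)
    return struct.pack("!II", flag, len(entries)) + raw + auth_tail(key, len(entries), raw)


def process_hop(stack: bytes, key_in: bytes, key_out: bytes):
    """Transit-node processing (A2-A5 / B2-B5): verify the tail with the previous hop's key,
    pop the first entry into the outer destination IP, decrement the count and re-sign with
    the next hop's key. Returns (next_hop_ip, new_stack); new_stack is b"" once the bottom
    entry is popped (the flag field and stack are removed, as D does in the walk-through)."""
    flag, count = struct.unpack("!II", stack[:8])
    if count == 0:
        raise ValueError("empty routing stack")
    end = 8 + ENTRY_LEN * count
    entries, tail = stack[8:end], stack[end:end + AUTH_LEN]
    if not hmac.compare_digest(tail, auth_tail(key_in, count, entries)):
        raise ValueError("authentication tail mismatch: stack modified or wrong key")
    head = decode_entry(flag, entries[:ENTRY_LEN])
    next_ip = SID_TO_IP[head] if flag == SR_FLAG_MPLS else head
    rest, count = entries[ENTRY_LEN:], count - 1
    if count == 0:
        return next_ip, b""
    return next_ip, struct.pack("!II", flag, count) + rest + auth_tail(key_out, count, rest)


def forward(flag: int, path: list) -> list:
    """Source encapsulation plus the hop-by-hop loop along path (e.g. A, C, D, B);
    returns the outer destination IP used at every send, the last one being the endpoint."""
    src, first = path[0], path[1]
    entries = [NODE_SID[n] if flag == SR_FLAG_MPLS else NODE_IP[n] for n in path[2:]]
    stack = build_stack(flag, entries, KEYS[(src, first)])
    sent_to = [NODE_IP[first]]
    for i in range(1, len(path) - 1):  # transit nodes; the endpoint only decrypts
        node, prev, nxt = path[i], path[i - 1], path[i + 1]
        next_ip, stack = process_hop(stack, KEYS[(prev, node)], KEYS[(node, nxt)])
        sent_to.append(next_ip)
    return sent_to


def tampered_stack_rejected() -> bool:
    """An on-path modification of the segment list (IP-D swapped for IP-E) made without
    the inter-node key is caught by the tail check at the next node."""
    stack = build_stack(SR_FLAG_IP, [NODE_IP["D"], NODE_IP["B"]], KEYS[("A", "C")])
    bad = stack[:8] + ipaddress.IPv4Address(NODE_IP["E"]).packed + stack[12:]
    try:
        process_hop(bad, KEYS[("A", "C")], KEYS[("C", "D")])
    except ValueError:
        return True
    return False
```

`forward(SR_FLAG_MPLS, ["A", "C", "D", "B"])` reproduces fig. 5: the packet is sent to IP-C, then IP-D, then IP-B, with the tail re-computed under S(C-D) at C and the whole SR header removed at D.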
Corresponding to the message encapsulation method designed for ESP to realize source routing at the overlay layer, the invention also designs a system for encapsulating the message based on ESP to realize source routing at the overlay layer. The data format based on ESP tunnel encapsulation comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet protocol) header, a UDP (user datagram protocol) header, a flag bit field, a transit routing stack and the ESP message, and the system comprises a flag bit field identification module, a transit routing stack construction module and a transit routing stack updating module.
The flag bit field identification module defines that, when the flag bit field is greater than 255, the flag bit field forms the SPI field, which points to the security association; and that, when the Flag bit field takes different values in the range 1-255, the Flag bit field forms the SR-Flag, realizing the correspondence between the flag bit field and different segment routing operations.
The transit routing stack construction module defines, according to the result of the flag bit field identification module mapping the flag bit field to different segment routing operations, the transit routing stack as forming the stack structure of the corresponding segment routing operation. The transit routing stack comprises, in order from head to tail, a node count, each node in sequence and an authentication tail; the node count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the nodes in sequence are the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header; the authentication tail authenticates the node count and each node in sequence in the transit routing stack.
In application, the transit routing stack construction module defines the transit routing stack structures of segment routing based on the MPLS label stack and segment routing based on IP according to the results of the flag bit field identification module corresponding to the different segment routing operations:
the Flag bit field is defined to correspond to any two different values a and b in the range 1 to 255 to form the SR-Flag, which corresponds respectively to segment routing based on the MPLS label stack and segment routing based on IP;
when the flag bit field corresponds to segment routing based on the MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, which comprises, in order from head to tail, a label count, each label in sequence and an authentication tail; the label count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the labels in sequence are the labels of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header; the authentication tail authenticates the label count and each label in sequence in the MPLS label stack;
when the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, which comprises, in order from head to tail, an IP count, each IP in sequence and an authentication tail; the IP count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the IPs in sequence are the IPs of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header up to the destination node; the authentication tail authenticates the IP count and each IP in sequence in the IP routing stack.
The transit routing stack updating module comprises an encapsulation sending module, an authentication module, an encapsulation updating module, a forwarding judgment module and a message updating and forwarding module.
When the flag bit field corresponds to segment routing based on the MPLS label stack:
the transit routing stack updating module updates the transit routing stack in the ESP tunnel encapsulation data format at each node that the ESP message passes through in turn, so that the ESP message is sent from the source node to the destination node;
the encapsulation sending module, at the source node, determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the label count in the MPLS label stack, each label in sequence and the authentication tail based on the label uniquely identifying each node in the network and the preset message sending path from the source node to the destination node, then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the sending message, and sends the sending message to the node corresponding to the destination IP in its IP header;
the authentication module, at the node corresponding to the destination IP, authenticates the MPLS label stack according to the authentication tail in the MPLS label stack after the sending message is received;
the encapsulation updating module takes the first label of the labels in sequence in the MPLS label stack of the sending message and, based on the label uniquely identifying each node in the network, writes the IP of the node corresponding to that label into the destination IP in the IP header of the sending message, thereby updating the destination IP; it also deletes that first label from the labels in sequence in the MPLS label stack and decrements the label count in the MPLS label stack by 1, thereby updating the sending message;
the forwarding judgment module judges whether the label count in the MPLS label stack of the sending message is equal to 1;
the message updating and forwarding module deletes the flag bit field and the MPLS label stack in the sending message, thereby updating the sending message, and sends the sending message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the sending message, and the sending of the ESP message from the source node to the destination node is completed.
When the flag bit field corresponds to IP-based segment routing:
the transit routing stack updating module updates the transit routing stack in the ESP tunnel encapsulation data format at each node that the ESP message passes through in turn, so that the ESP message is sent from the source node to the destination node;
the encapsulation sending module, at the source node, determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the IP count in the IP routing stack, each IP in sequence and the authentication tail based on the IP corresponding to each node in the network and the preset message sending path from the source node to the destination node, then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the sending message, and sends the sending message to the node corresponding to the destination IP in its IP header;
the authentication module, at the node corresponding to the destination IP, authenticates the IP routing stack according to the authentication tail in the IP routing stack after the sending message is received;
the encapsulation updating module takes the first IP of the IPs in sequence in the IP routing stack of the sending message and writes it into the destination IP in the IP header of the sending message, thereby updating the destination IP; it also deletes that first IP from the IPs in sequence in the IP routing stack and decrements the IP count in the IP routing stack by 1, thereby updating the sending message;
the forwarding judgment module judges whether the IP count in the IP routing stack of the sending message is equal to 1;
the message updating and forwarding module deletes the flag bit field and the IP routing stack in the sending message, thereby updating the sending message, and sends the sending message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the sending message, and the sending of the ESP message from the source node to the destination node is completed.
The invention also designs a device for the sending method of the message encapsulation method for ESP to realize source routing at the overlay layer, which comprises at least a processor and a memory; the memory stores computer-executable instructions, and the processor executes the computer-executable instructions stored in the memory so that the device for encapsulating the message based on ESP to realize source routing at the overlay layer executes the method of steps A1 to A5 or the method of steps B1 to B5.
Furthermore, the invention also provides a storage medium storing a computer program or instructions which, when executed, implement the method of steps A1 to A5 or the method of steps B1 to B5 described above.
The technical scheme designs, based on the ESP encapsulated message, source routing at the Overlay layer together with a sending method, a system, a device and a storage medium. In practical application the SPI field of the encapsulated message is semantically extended, and the existing SR technology is combined to realize segment routing of the Overlay layer in IPv4; two SR implementation modes, MPLS label stack segment routing and IP-based segment routing, are specifically designed. At the same time, the authentication tail in the SR header, using the inter-node key issued by the controller, authenticates the segment list, which prevents man-in-the-middle tampering, guarantees the security of the SR path and can effectively improve the security of message transmission. In addition, in this design encryption and decryption are needed only once, between the IPsec tunnel endpoints, so the performance loss that would be caused by encrypting and decrypting at each intermediate path segment of the segment route is avoided.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (10)

1. A message encapsulation method for ESP to realize source routing at the overlay layer, characterized in that: the encapsulated message comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet protocol) header, a UDP (user datagram protocol) header, a flag bit field, a transit routing stack and an ESP (Encapsulating Security Payload) message;
wherein the destination IP in the IP header points to the next-hop node;
the flag bit field is set to be greater than 0; either an SPI field is formed based on the flag bit field, the SPI field pointing to the security association, and the flag bit field is defined to be greater than 255; or an SR-Flag is formed based on the Flag bit field to realize the correspondence between the flag bit field and different segment routing operations, and the Flag bit field is defined to correspond to different values in the range 1 to 255;
based on the flag bit field corresponding to different segment routing operations, the transit routing stack forms the stack structure of the corresponding segment routing operation; the transit routing stack comprises, in order from head to tail, a node count, each node in sequence and an authentication tail; the node count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the nodes in sequence are the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header; the authentication tail authenticates the node count and each node in sequence in the transit routing stack;
and in the process of sending the ESP message from the source node to the destination node, the transit routing stack in the ESP tunnel encapsulation data format is updated in turn at each node that the ESP message passes through.
2. The message encapsulation method for ESP to realize source routing at the overlay layer according to claim 1, characterized in that: the Flag bit field is defined to correspond to any two different values a and b in the range 1 to 255 to form the SR-Flag, which corresponds respectively to segment routing based on the MPLS label stack and segment routing based on IP;
when the flag bit field corresponds to segment routing based on the MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, which comprises, in order from head to tail, a label count, each label in sequence and an authentication tail; the label count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the labels in sequence are the labels of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header; the authentication tail authenticates the label count and each label in sequence in the MPLS label stack;
when the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, which comprises, in order from head to tail, an IP count, each IP in sequence and an authentication tail; the IP count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the IPs in sequence are the IPs of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header up to the destination node; the authentication tail authenticates the IP count and each IP in sequence in the IP routing stack.
3. The message encapsulation method for ESP to realize source routing at the overlay layer according to claim 1 or 2, characterized in that: the ESP message comprises, in order from head to tail, an ESP header, an inner-layer IP message and an ESP trailer.
4. A sending method for the message encapsulation method for ESP to realize source routing at the overlay layer, characterized in that: the encapsulated message comprises, in order from head to tail, a MAC (media access control) header, an IP (Internet protocol) header, a UDP (user datagram protocol) header, a flag bit field, a transit routing stack and an ESP (Encapsulating Security Payload) message; when the flag bit field corresponds to segment routing based on the MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, which comprises, in order from head to tail, a label count, each label in sequence and an authentication tail; the label count is the number of nodes passed through, under the preset message sending path, from the next-hop node pointed to by the destination IP in the IP header to the destination node; the labels in sequence are the labels of the nodes passed through in order, under the preset path, after the next-hop node pointed to by the destination IP in the IP header; the authentication tail authenticates the label count and each label in sequence in the MPLS label stack; when the flag bit field corresponds to segment routing based on the MPLS label stack, the method for sending the encapsulated message based on ESP to realize source routing at the overlay layer comprises the following steps A1 to A5, so that the ESP message is sent from the source node to the destination node;
step A1: based on the label uniquely identifying each node in the network and the preset message sending path from the source node to the destination node, the source node determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the label count in the MPLS label stack, each label in sequence and the authentication tail, then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form the sending message, sends the sending message to the node corresponding to the destination IP in its IP header, and proceeds to step A2;
step A2: after receiving the sending message, the node corresponding to the destination IP authenticates the MPLS label stack according to the authentication tail in the MPLS label stack; if the authentication passes, proceed to step A3; if it does not pass, discard the sending message;
step A3: take the first label of the labels in sequence in the MPLS label stack of the sending message and, based on the label uniquely identifying each node in the network, write the IP of the node corresponding to that label into the destination IP in the IP header of the sending message, thereby updating the destination IP; at the same time delete that first label from the labels in sequence in the MPLS label stack and decrement the label count in the MPLS label stack by 1, thereby updating the sending message; then proceed to step A4;
step A4: judge whether the label count in the MPLS label stack of the sending message is equal to 1; if so, proceed to step A5; otherwise send the sending message to the node corresponding to the destination IP and return to step A2;
step A5: delete the flag bit field and the MPLS label stack in the sending message, thereby updating the sending message, and send the sending message to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the sending message, and the sending of the ESP message from the source node to the destination node is completed.
5. A method for sending an encapsulated message in which ESP (Encapsulating Security Payload) realizes source routing in the overlay layer, characterized in that: the encapsulated message sequentially comprises, from head to tail, a MAC (media access control) header, an IP (Internet protocol) header, a UDP (user datagram protocol) header, a flag bit field, a transit routing stack and an ESP message; when the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, and the IP routing stack sequentially comprises, from head to tail, an IP number, each IP in sequence and an authentication tail; the IP number represents the number of nodes passed through, under a preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each IP in sequence represents the IP of each node passed through in turn, under the preset message sending path, after the next-hop node pointed to by the destination IP in the IP header up to the destination node; the authentication tail is used to authenticate the IP number and each IP in sequence in the IP routing stack; when the flag bit field corresponds to IP-based segment routing, the method for sending the encapsulated message in which ESP realizes source routing in the overlay layer comprises the following steps B1 to B5, so that the ESP message is sent from a source node to a destination node;
step B1, according to the IP corresponding to each node in the network and a preset message sending path from the source node to the destination node, the source node determines the destination IP in the IP header of the ESP tunnel encapsulation data format, the number of IPs in the IP routing stack, each IP in sequence and the authentication tail, then encrypts and encapsulates the original message according to the ESP tunnel encapsulation data format to form a sending message, sends the sending message to the node corresponding to the destination IP in its IP header, and enters step B2;
step B2, after receiving the sending message, the node corresponding to the destination IP authenticates the IP routing stack according to the authentication tail in the IP routing stack; if the authentication passes, step B3 is entered; if the authentication fails, the sending message is discarded;
step B3, the first IP among the IPs in sequence in the IP routing stack of the sending message is obtained and written into the destination IP in the IP header of the sending message, updating the destination IP; at the same time the first IP is deleted from the IPs in sequence in the IP routing stack and the number of IPs in the IP routing stack is decreased by 1, thereby updating the sending message, and then step B4 is entered;
step B4, it is judged whether the IP number in the IP routing stack of the sending message is equal to 1; if so, step B5 is entered; otherwise, the sending message is sent to the node corresponding to the destination IP and step B2 is returned to;
step B5, the flag bit field and the IP routing stack are deleted from the sending message, thereby updating the sending message, and the sending message is sent to the node corresponding to the destination IP, that is, to the destination node; the destination node receives the sending message, completing the sending of the ESP message from the source node to the destination node.
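As an added illustration, not code from the patent, the following Python simulates the source-side encapsulation of steps A1/B1 and the per-hop processing of steps A2 to A5 and B2 to B5 for both stack types. Everything beyond the claims is assumed: the flag bit field is the 32-bit word that plain UDP-encapsulated ESP would read as the SPI, labels and IPs are 4-byte big-endian values, the authentication tail is a 16-byte truncated HMAC-SHA256 under a key shared by all overlay nodes and recomputed by each transit node after it pops an entry, and the key, addresses, labels and ESP bytes are constructed samples.

```python
import hashlib
import hmac
import ipaddress
import struct

SR_FLAG_MPLS = 1    # assumed value "a" of the claims: an MPLS label stack follows
SR_FLAG_IP = 2      # assumed value "b" of the claims: an IP routing stack follows
TAIL_LEN = 16       # assumed: authentication tail = truncated HMAC-SHA256
KEY = b"constructed shared overlay key"                 # assumed: one key for all nodes
ESP = struct.pack("!II", 0x1000, 1) + b"ciphertext..."  # constructed ESP: SPI 4096, seq 1
PATH = ["10.0.0.2", "10.0.0.3", "10.0.0.4"]             # constructed: next hop .. destination
LABELS = {"10.0.0.2": 100, "10.0.0.3": 101, "10.0.0.4": 102}  # constructed node labels

def is_segment_routed(body):
    return 1 <= struct.unpack("!I", body[:4])[0] <= 255  # claim 6: SR-Flag 1..255, else SPI

def _fields(count, entries):
    return struct.pack("!I%dI" % len(entries), count, *entries)

def auth_tail(key, count, entries):
    """Tail over the count and every label/IP still in the stack."""
    return hmac.new(key, _fields(count, entries), hashlib.sha256).digest()[:TAIL_LEN]

def build_stack(key, entries):
    """count = nodes from the outer destination through the final node: entries + 1."""
    count = len(entries) + 1
    return _fields(count, entries) + auth_tail(key, count, entries)

def parse(body):
    """Split flag | stack | ESP into (flag, count, entries, tail, esp)."""
    flag, count = struct.unpack("!II", body[:8])
    off = 8 + 4 * (count - 1)
    entries = list(struct.unpack("!%dI" % (count - 1), body[8:off]))
    return flag, count, entries, body[off:off + TAIL_LEN], body[off + TAIL_LEN:]

def encapsulate(key, flag, path, esp, labels=None):
    """Step A1/B1 at the source: path = [next hop, ..., destination] as dotted IPs;
    the MPLS variant stacks labels[ip], the IP variant the address itself."""
    if len(path) == 1:            # direct path: plain ESP, no stack (edge case)
        return path[0], esp
    if flag == SR_FLAG_MPLS:
        entries = [labels[ip] for ip in path[1:]]
    else:
        entries = [int(ipaddress.IPv4Address(ip)) for ip in path[1:]]
    return path[0], struct.pack("!I", flag) + build_stack(key, entries) + esp

def forward(key, body, ip_of_label=None):
    """Steps A2-A5/B2-B5 at one transit node: (next destination IP, new body),
    or None when the authentication tail fails and the packet is discarded."""
    flag, count, entries, tail, esp = parse(body)
    if not hmac.compare_digest(tail, auth_tail(key, count, entries)):
        return None                                            # A2/B2: discard
    head, entries, count = entries[0], entries[1:], count - 1   # A3/B3: pop, count - 1
    dst = ip_of_label[head] if flag == SR_FLAG_MPLS else str(ipaddress.IPv4Address(head))
    if count == 1:                                             # A4 -> A5: last hop
        return dst, esp                                        # flag and stack removed
    # the claims do not say who re-authenticates the shortened stack; here each
    # transit node recomputes the tail under the shared key (assumption)
    return dst, struct.pack("!I", flag) + build_stack(key, entries) + esp

def deliver(key, flag, path, esp, labels=None, corrupt_at=None):
    """Run the path: (nodes reached, bytes the destination read) or (nodes reached,
    None) if dropped; corrupt_at: 1-based hop whose incoming stack is tampered."""
    ip_of_label = {lbl: ip for ip, lbl in labels.items()} if labels else None
    dst, body = encapsulate(key, flag, path, esp, labels)
    reached = []
    while True:
        reached.append(dst)
        if not is_segment_routed(body):
            return reached, body                               # destination: plain ESP
        if corrupt_at == len(reached):
            body = body[:8] + bytes([body[8] ^ 1]) + body[9:]  # flip a bit of first entry
        hop = forward(key, body, ip_of_label)
        if hop is None:
            return reached, None
        dst, body = hop
```

The corrupt_at path shows why the tail is checked before the pop: a stack altered in transit is discarded by the next node instead of steering the packet.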
6. A system for the message encapsulation method in which ESP (Encapsulating Security Payload) realizes source routing in the overlay layer, characterized in that: the system comprises a flag bit field identification module, a transit routing stack construction module and a transit routing stack updating module, wherein the encapsulated message sequentially comprises, from head to tail, a MAC (media access control) header, an IP (Internet protocol) header, a UDP (user datagram protocol) header, a flag bit field, a transit routing stack and an ESP message;
the flag bit field identification module defines the flag bit field as forming an SPI field when the value of the flag bit field is larger than 255, the SPI field being used to point to a security association; and defines the flag bit field as forming an SR-Flag when its value lies in the range 1 to 255, the different values in that range corresponding to different segment routing operations;
the transit routing stack construction module defines, according to the correspondence established by the flag bit field identification module between the flag bit field and the different segment routing operations, the transit routing stack as forming the corresponding stack structure under each segment routing operation, wherein the transit routing stack sequentially comprises, from head to tail, a node number, each node in sequence and an authentication tail; the node number represents the number of nodes passed through, under a preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each node in sequence represents each node passed through in turn after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the node number and each node in sequence in the transit routing stack;
and the transit routing stack updating module is used to update the transit routing stack in the ESP tunnel encapsulation data format at each node through which the ESP message passes in turn while the ESP message is sent from the source node to the destination node.
7. The system for the message encapsulation method in which ESP realizes source routing in the overlay layer according to claim 6, characterized in that: according to the correspondence established by the flag bit field identification module between the flag bit field and the different segment routing operations, the transit routing stack construction module defines the transit routing stack structures for segment routing based on an MPLS label stack and for IP-based segment routing respectively, as follows;
the flag bit field taking either of two different values a or b in the range 1 to 255 is defined as forming an SR-Flag, which corresponds respectively to segment routing based on an MPLS label stack or to IP-based segment routing;
when the flag bit field corresponds to segment routing based on the MPLS label stack, the transit routing stack forms the corresponding MPLS label stack, and the MPLS label stack sequentially comprises, from head to tail, a label number, each label in sequence and an authentication tail; the label number represents the number of nodes passed through, under a preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each label in sequence represents the label of each node passed through in turn after the next-hop node pointed to by the destination IP in the IP header under the preset message sending path; the authentication tail is used to authenticate the label number and each label in sequence in the MPLS label stack;
when the flag bit field corresponds to IP-based segment routing, the transit routing stack forms the corresponding IP routing stack, and the IP routing stack sequentially comprises, from head to tail, an IP number, each IP in sequence and an authentication tail; the IP number represents the number of nodes passed through, under a preset message sending path, from the next-hop node pointed to by the destination IP in the IP header up to the destination node; each IP in sequence represents the IP of each node passed through in turn, under the preset message sending path, after the next-hop node pointed to by the destination IP in the IP header up to the destination node; and the authentication tail is used to authenticate the IP number and each IP in sequence in the IP routing stack.
8. The system for the message encapsulation method in which ESP realizes source routing in the overlay layer according to claim 6, characterized in that: the transit routing stack updating module comprises an encapsulation sending module, an authentication module, an encapsulation updating module, a forwarding judgment module and a message updating and forwarding module;
when the flag bit field corresponds to segment routing based on the MPLS label stack:
the transit routing stack updating module is used to update the transit routing stack in the ESP tunnel encapsulation data format at each node through which the ESP message passes in turn, so that the ESP message is sent from the source node to the destination node;
the encapsulation sending module is used, at the source node, to determine, based on the label uniquely identifying each node in the network and on a preset message sending path from the source node to the destination node, the destination IP in the IP header of the ESP tunnel encapsulation data format, the number of labels in the MPLS label stack, each label in sequence and the authentication tail, then to encrypt and encapsulate the original message according to the ESP tunnel encapsulation data format to form a sending message, and to send the sending message to the node corresponding to the destination IP in its IP header;
the authentication module is used, at the node corresponding to the destination IP, to authenticate the MPLS label stack according to the authentication tail in the MPLS label stack after the sending message is received;
the encapsulation updating module is used to obtain the first label among the labels in sequence in the MPLS label stack of the sending message, to write the IP of the node corresponding to that label, based on the label uniquely identifying each node in the network, into the destination IP in the IP header of the sending message, updating the destination IP, while deleting the first label from the labels in sequence in the MPLS label stack and decreasing the number of labels in the MPLS label stack by 1, thereby updating the sending message;
the forwarding judgment module is used to judge whether the number of labels in the MPLS label stack of the sending message is equal to 1;
the message updating and forwarding module is used to delete the flag bit field and the MPLS label stack from the sending message, thereby updating the sending message, and to send the sending message to the node corresponding to the destination IP, that is, to the destination node, which receives the sending message, completing the sending of the ESP message from the source node to the destination node;
when the flag bit field corresponds to IP-based segment routing:
the transit routing stack updating module is used to update the transit routing stack in the ESP tunnel encapsulation data format at each node through which the ESP message passes in turn, so that the ESP message is sent from the source node to the destination node;
the encapsulation sending module is used, at the source node, to determine, according to the IP corresponding to each node in the network and a preset message sending path from the source node to the destination node, the destination IP in the IP header of the ESP tunnel encapsulation data format, the number of IPs in the IP routing stack, each IP in sequence and the authentication tail, then to encrypt and encapsulate the original message according to the ESP tunnel encapsulation data format to form a sending message, and to send the sending message to the node corresponding to the destination IP in its IP header;
the authentication module is used, at the node corresponding to the destination IP, to authenticate the IP routing stack according to the authentication tail in the IP routing stack after the sending message is received;
the encapsulation updating module is used to obtain the first IP among the IPs in sequence in the IP routing stack of the sending message and write it into the destination IP in the IP header of the sending message, updating the destination IP, while deleting the first IP from the IPs in sequence in the IP routing stack and decreasing the number of IPs in the IP routing stack by 1, thereby updating the sending message;
the forwarding judgment module is used to judge whether the IP number in the IP routing stack of the sending message is equal to 1;
and the message updating and forwarding module is used to delete the flag bit field and the IP routing stack from the sending message, thereby updating the sending message, and to send the sending message to the node corresponding to the destination IP, that is, to the destination node, which receives the sending message, completing the sending of the ESP message from the source node to the destination node.
9. A device for the method of sending an encapsulated message in which ESP realizes source routing in the overlay layer, characterized in that: the device comprises at least one processor and a memory, wherein the memory stores computer-executable instructions, and the at least one processor executes the computer-executable instructions stored in the memory, so that the device performs the method of sending an encapsulated message based on ESP realizing source routing in the overlay layer as claimed in claim 4 or claim 5.
10. A computer-readable storage medium, characterized by storing a computer program or instructions which, when executed, implement the method of sending an encapsulated message based on ESP realizing source routing in the overlay layer as claimed in claim 4 or claim 5.
CN202010958347.2A 2020-09-14 2020-09-14 Message encapsulation method and sending method for ESP (Encapsulating Security Payload) to realize source routing at overlay layer Active CN112350941B (en)

Publications (2)

Publication Number Publication Date
CN112350941A CN112350941A (en) 2021-02-09
CN112350941B true CN112350941B (en) 2021-08-24

Also Published As

Publication number Publication date
WO2022052201A1 (en) 2022-03-17
CN112350941A (en) 2021-02-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant