CN112636913B - Networking method for key sharing - Google Patents

Networking method for key sharing

Info

Publication number
CN112636913B
Authority
CN
China
Prior art keywords
key
message
router
gateway unit
user gateway
Prior art date
Legal status
Active
Application number
CN202110242847.0A
Other languages
Chinese (zh)
Other versions
CN112636913A (en)
Inventor
梁润强
李卢群
韩帆
史伟
Current Assignee
Guangdong Eflycloud Computing Co Ltd
Original Assignee
Guangdong Eflycloud Computing Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangdong Eflycloud Computing Co Ltd
Priority to CN202110242847.0A
Publication of CN112636913A
Application granted
Publication of CN112636913B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network

Abstract

The invention discloses a networking method for key sharing. After a user gateway unit has been securely connected to a border router, the keys of the existing user gateway units are shared over a secure channel, so that each user gateway holds the keys of the other user gateway units. The user gateway unit then encapsulates the encrypted message directly in a tunnel; the IP header of the original message is not encrypted but is placed in full in the extension part of the tunnel IP header, so the information in the original IP header is preserved. When the border router receives the message from the user gateway, it only decapsulates, without decrypting, to recover the original IP header and routes the message to the target border router according to that header; the target border router re-encapsulates the message in a tunnel and sends it to the target user gateway unit, which finally decapsulates and decrypts it and delivers the decrypted message to the corresponding user. The invention needs only one encryption and one decryption, greatly reduces the burden on the border router, and improves message forwarding efficiency.

Description

Networking method for key sharing
Technical Field
The invention relates to the technical field of cloud computing networks, in particular to a networking method for key sharing.
Background
The spread of the internet and the wave of cloud computing have made people increasingly dependent on the network environment. With the rapid development of the mobile internet, applications and services appear endlessly. Application developers, service providers and the like need to bring their projects or products online quickly; in a conventional IDC data centre they generally have to buy or rent server equipment and also build a complex network themselves, which takes a lot of time, is very error-prone, and is hard to expand or make disaster-tolerant.
As the future direction of cloud computing and virtualized networks, networking and service deployment will become simpler and more convenient: multiple networks in different places are deployed and distributed rapidly, and they generally need to communicate with each other. As the number of network nodes grows, the complexity of network communication multiplies. Currently, in a cloud computing network environment, users are generally offered an Internet Protocol Security (IPSEC) networking mode over the internet. Since each local node has to provide secure access networking for many users, the access equipment of one node may have to serve thousands of user connections, and how to provide encrypted transmission for users efficiently becomes a key problem to be solved.
Private networks in different regions need interconnection and efficient transmission. First, an IPSEC secure access technology is needed; then efficient forwarding is carried out between the access border router and the target border router. This networking resembles star-type VPN networking but differs in its centre: under a cloud computing scenario, the centre of multi-user interconnection is a huge router forwarding network composed of many local node routers. Because a message encrypted by a user must first reach the centre and then travel from the centre to its target, a conventional star-type VPN has to decrypt once at the centre, encrypt again, and decrypt again after the message reaches the target user, so one more encryption and decryption cycle is performed in between. With the evolution of encryption and decryption algorithms and improvements in software and hardware, the cost of encryption and decryption keeps falling; however, in a cloud computing scenario a forwarding network whose routers provide secure access often has to serve thousands of users with secure access and data transmission. The extra encryption and decryption added by a single user may be negligible, but the extra encryption and decryption added by thousands of users often overwhelms a border router.
Disclosure of Invention
In order to solve one of the above problems, the present invention provides a networking method for key sharing, in which the keys of the user gateway units are mutually learned and recorded. A border router then only receives the encrypted message of a user gateway unit, unpacks it without decrypting it, and forwards it by routing; the encrypted message is finally delivered to the target user gateway unit, where the decryption is performed. In this way the user gateway can concentrate on data security and the router on data forwarding, which reduces the burden on the router and improves message forwarding efficiency.
In order to solve the technical problems, the invention provides the following technical scheme: a networking method for key sharing runs on a networking system for key sharing. The networking system comprises a plurality of user gateway units and a plurality of routers, and the routers are divided into border routers and forwarding routers, wherein the border routers are connected with the user gateway units, and a forwarding router is connected with a border router or with another forwarding router. The networking method for key sharing comprises the following steps:
step S1, each border router performs key agreement with the user gateway unit directly connected with it to obtain the border router's own key; the user gateway unit saves the key to its local key table, and the border router saves the key to its local key table;
step S2, each border router sends its own key to the other border routers or forwarding routers connected with it; the border router that sends the key is referred to as the sending border router;
step S3, after the other border routers receive the key of the sending border router, they save the key to their local key tables; or, after a forwarding router receives the key of the sending border router, the forwarding router forwards the key to the forwarding routers or border routers connected with it;
step S4, steps S2-S3 are repeated until each border router has acquired the keys of all other border routers; each border router saves the keys of all other border routers in its local key table and sends them to the user gateway unit directly connected to it, which saves the keys of all other border routers in its local key table.
Further, in step S1, the key agreement that every border router performs with its directly connected user gateway unit specifically comprises: the border router and the user gateway unit directly connected with it perform IKEv2 key negotiation to obtain the key of the border router, wherein the key of the border router comprises an SPI identifier, a key KEY1 and a key KEY2; the SPI identifier marks the corresponding user gateway unit and each user gateway unit has a unique SPI identifier, KEY1 is the key of the encryption algorithm, and KEY2 is the key of the verification algorithm.
Further, the border router's own key is an IPSEC key.
Further, step S1 further includes: between each border router and its directly connected user gateway unit, the ESP protocol is used as the encryption protocol and a message transmission tunnel T is created.
Further, step S4 is followed by the following steps:
step S5, the user gateway unit receives an original message P1 sent by a user, wherein the original message P1 comprises an IP header IPH_C part and a payload P_C message content part;
step S6, the user gateway unit encrypts the payload P_C message content part using the key KEY1 in its own key to obtain the encrypted message content ESP_PAYLOAD part, verifies the encrypted message content ESP_PAYLOAD part using the key KEY2 to generate a verification part ESP_T, and then generates an ESP protocol header ESP_H, wherein the ESP protocol header ESP_H comprises the SPI in the key of the user gateway unit;
the user gateway unit encapsulates the ESP protocol header ESP_H, the encrypted message content ESP_PAYLOAD part and the verification part ESP_T together to obtain a message P2;
step S7, the user gateway unit generates an IP header IPH_T according to the message transmission tunnel T between the user gateway unit and the border router, and encapsulates the IP header IPH_T and the IP header IPH_C part with the message P2 to obtain a message P3, wherein the message P3 comprises the IP header IPH_T, the IP header IPH_C part and the message P2; the user gateway unit sends the message P3 to the border router connected with it; the user gateway unit sending the message P3 is referred to as the sending user gateway unit, and the border router receiving the message P3 as the sending border router;
step S8, after receiving the message P3, the sending border router removes the IP header IPH_T of the message P3 to obtain a message P4, wherein the message P4 comprises the IP header IPH_C part and the message P2; the sending border router determines, from the IP header IPH_C part of the message P4, the user gateway unit to which the message P4 is addressed; this user gateway unit is called the target user gateway unit, and the border router directly connected with the target user gateway unit is called the target border router;
step S9, the sending border router sends the message P4 to the target border router, which specifically includes:
if the sending border router is directly connected with the target border router, the sending border router sends the message P4 directly to the target border router;
if the message P4 has to pass through a number of forwarding routers, the sending border router first sends the message P4 to a forwarding router, and each forwarding router sends the message P4 to the next forwarding router according to the target IP address in the IP header IPH_C part until the message P4 reaches the target border router;
step S10, after the target border router receives the message P4, it generates a new IP header IPH_T according to the message transmission tunnel T between the target border router and the target user gateway unit, encapsulates the IP header IPH_T with the message P4 to obtain a message P5, and sends the message P5 to the target user gateway unit;
step S11, after the target user gateway unit receives the message P5, it removes the IP header IPH_T to obtain the message P4; the target user gateway unit obtains the key required for decryption according to the ESP protocol header ESP_H of the message P4;
the target user gateway unit verifies the encrypted message content ESP_PAYLOAD part using the key KEY2 to generate an ESP_T verification result and judges whether the ESP_T verification result is consistent with the verification part ESP_T of the message P4; if so, the target user gateway unit decrypts the encrypted message content ESP_PAYLOAD part of the message P4 using the key KEY1 in the required key to obtain the payload P_C message content part of the original message P1, and combines the payload P_C message content part with the IP header IPH_C part of the message P4 to obtain the original message P1; the target user gateway unit sends the original message P1 to the user;
if the ESP_T verification result does not match the verification part ESP_T of the message P4, the target user gateway unit discards the message P4.
Further, step S11 is followed by the following steps:
step S12, when a new user gateway unit is added, the new user gateway unit needs to connect to a border router, and the new user gateway unit and the border router perform key agreement to obtain the key of the border router; the border router sends its own key to the other border routers; the other border routers receive the key, store it in their local key tables, and send it to the user gateway units directly connected with them, which store the key in their local key tables;
the border router connected with the new user gateway unit sends all keys in its local key table to the new user gateway unit, and the new user gateway unit receives all the keys and stores them in its local key table;
and step S13, steps S5-S11 are repeated.
After the technical scheme is adopted, the invention has at least the following beneficial effects. After a user gateway unit has been securely connected to a border router, a secure channel shares the keys of the existing user gateway units, so that each user gateway unit holds the keys of the other user gateway units; of course, user gateway units that belong only to a specific group can share keys according to a specific policy, which suits the network virtualization scenario of cloud computing. The user gateway unit then encapsulates the encrypted message directly in a tunnel; the original message IP header is not encrypted but is placed in full in the extension part of the tunnel IP header, so the original IP header information is preserved. After the border router receives the message from the user gateway, it only decapsulates, without decrypting, recovers the original IP header, and routes the message to the target border router according to that header; the target border router re-encapsulates the message in a tunnel and sends it to the target user gateway, and finally the target user gateway decapsulates and decrypts the packet and sends it to the corresponding user. The whole process needs only one encryption and one decryption, the burden on the border router is greatly reduced, the border routers and the general routers can concentrate on packet forwarding, and the transmission efficiency of packets is greatly improved.
Drawings
Fig. 1 is a flowchart illustrating steps of a method for key sharing networking according to the present invention.
Fig. 2 is a block diagram of a key sharing networking system according to the present invention.
Detailed Description
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict, and the present application is further described in detail with reference to the drawings and specific embodiments.
Example 1
The networking method for key sharing in this embodiment runs on a networking system for key sharing, where the networking system includes a plurality of user gateway units and a plurality of routers, and the routers are divided into a plurality of border routers and a plurality of forwarding routers. Border routers and forwarding routers are both ordinary routers used in a general network; to distinguish them, a router directly connected with a user gateway unit is called a border router, and a router not directly connected with any user gateway unit is treated as a forwarding router. Generally a forwarding router is connected with another forwarding router or directly with a border router; the forwarding router serves only as a transit router for data propagation. In addition, a border router may also be directly connected to another border router. Each border router can be connected with a plurality of user gateway units (so that in traditional networking, if the border router decrypted each encrypted message once and the target border router re-encrypted it once, a large number of encryption and decryption operations would be added). Each user gateway unit is directly connected with its user (client) and receives the original message P1 from the user or delivers the original message P1 to the user.
The embodiment discloses a method for networking key sharing, as shown in fig. 1, including the following steps:
step S1, each border router performs key agreement with the user gateway unit directly connected with it to obtain the border router's own key; the user gateway unit saves the key to its local key table, and the border router saves the key to its local key table;
the key agreement that every border router performs with its directly connected user gateway unit specifically comprises: the border router and its directly connected user gateway unit perform IKEv2 key negotiation to obtain the key of the border router; the key is an IPSEC key, and the IPSEC key comprises an SPI identifier, a key KEY1 and a key KEY2; the SPI identifier marks the corresponding user gateway unit and each user gateway unit has a unique SPI identifier, KEY1 is the key of the encryption algorithm, and KEY2 is the key of the verification algorithm;
for example, the border router A1 and the user gateway unit B1 perform key agreement to obtain a key C1, where the key C1 belongs to both the border router A1 and the user gateway unit B1 and is stored in the local key table of the border router A1 and in the local key table of the user gateway unit B1; the key C1 is an IPSEC key and comprises an SPI identifier, KEY1 and KEY2; the SPI identifier identifies the key C1, so that when an original message P1 is encrypted with the key C1, the target user gateway unit that finally receives the original message P1 can, according to the SPI identifier, decrypt it with the key C1 and obtain the content of the original message P1;
step S1 further includes: between each border router and its directly connected user gateway unit, the ESP protocol is used as the encryption protocol to create a message transmission tunnel T;
the message transmission tunnel T is actually an IP tunnel, and an IP tunnel has a pair of IP addresses; for example, an IP tunnel is created between the border router A1 and the user gateway unit B1, and assuming that the IP address of A1 is IP_A1 and the IP address of B1 is IP_B1, when B1 needs to encapsulate an original packet and send it to A1, the IP pair of the tunnel is used to create a new IP header IPH_T, whose source IP is the IP address of the sending end and whose target IP is the IP address of the opposite end; in this case, since B1 sends to A1, the source IP of IPH_T is IP_B1 and the target IP is IP_A1; so IPH_T denotes the new IP header generated during encapsulation, that is, the IP header described below;
step S2, each border router sends its own key to the other border routers or forwarding routers connected with it; to distinguish it from the other border routers, the border router that sends the key is referred to as the sending border router;
step S3, after the other border routers receive the key of the sending border router, they save the key to their local key tables; or, after a forwarding router receives the key of the sending border router, the forwarding router forwards the key to the forwarding routers or border routers connected with it;
step S4, steps S2-S3 are repeated until each border router has acquired the keys of all other border routers; each border router stores the keys of all other border routers in its local key table and sends them to the user gateway unit directly connected with it, and the user gateway unit stores the keys of all other border routers in its local key table;
in steps S1-S4 above, the user gateway units learn and record each other through their keys, so that the subsequent message P4 does not need to be decrypted and re-encrypted while it is transmitted by the routers and only needs to be decrypted with the corresponding key in the user gateway unit, which reduces the load on the routers and greatly improves the transmission efficiency of the packet;
step S5, the user gateway unit receives the original message P1 sent by the user (client); the original message P1 includes an IP header IPH_C part and a payload P_C message content part; the IP header IPH_C part contains the IP address of the client itself and the IP address of the target client, and the user gateway unit and all intermediate forwarding routers only encapsulate or forward according to the IP address of the target client; the payload P_C message content part is the actual data to be sent in the original message P1; assuming that the user gateway unit is the user gateway unit A1, the IP header IPH_C part of the original message P1 is written IPH_C and the payload P_C message content part is written P_C, then the original message P1 is: P1 = IPH_C + P_C;
step S6, the user gateway unit encrypts the original message P1 with its own key, specifically: the user gateway unit encrypts the payload P_C message content part using the key KEY1 in its own key to obtain the encrypted message content ESP_PAYLOAD part, verifies the encrypted message content ESP_PAYLOAD part using the key KEY2 to generate a verification part ESP_T, and then generates an ESP protocol header ESP_H, wherein the ESP protocol header ESP_H comprises the SPI in the user gateway unit's own key, i.e. the SPI field of the ESP header ESP_H is filled with the SPI value corresponding to the user gateway unit;
the role of the ESP protocol header ESP_H is: since the SPI is the unique identifier of the user gateway unit, the target user gateway unit that finally receives the original message P1 can directly obtain, from the ESP protocol header ESP_H, the key belonging to the user gateway unit that sent the original message P1, and decrypt the original message P1 with that key;
the user gateway unit encapsulates the ESP protocol header ESP_H, the encrypted message content ESP_PAYLOAD part and the verification part ESP_T together to obtain a message P2; writing the ESP protocol header as ESP_H, the encrypted message content part as ESP_PAYLOAD and the verification part as ESP_T, the message P2 is: P2 = ESP_H + ESP_PAYLOAD + ESP_T;
step S7, the user gateway unit generates an IP header IPH_T according to the message transmission tunnel T between the user gateway unit and the border router, and encapsulates the IP header IPH_T and the IP header IPH_C part with the message P2 to obtain a message P3, wherein the message P3 comprises the IP header IPH_T, the IP header IPH_C part and the message P2; writing the IP header IPH_C part as IPH_C and the IP header IPH_T as IPH_T, the message P3 is: P3 = IPH_T + IPH_C + P2;
the user gateway unit sends the message P3 to the border router connected with it; the user gateway unit sending the message P3 is referred to as the sending user gateway unit, and the border router receiving the message P3 as the sending border router;
step S8, after receiving the message P3, the sending border router removes the IP header IPH_T of the message P3 to obtain a message P4, where the message P4 includes the IP header IPH_C part and the message P2, that is, P4 = IPH_C + P2; the sending border router determines, from the IP header IPH_C part of the message P4, the user gateway unit to which the message P4 is addressed; this user gateway unit is called the target user gateway unit, and the border router directly connected with the target user gateway unit is called the target border router;
step S9, the sending border router sends the message P4 to the target border router, which specifically includes:
if the sending border router is directly connected with the target border router, the sending border router sends the message P4 directly to the target border router;
if the message P4 has to pass through a number of forwarding routers, the sending border router first sends the message P4 to a forwarding router, and each forwarding router sends the message P4 to the next forwarding router according to the target IP address in the IP header IPH_C part until the message P4 reaches the target border router;
step S10, after the target border router receives the message P4, it generates a new IP header IPH_T according to the message transmission tunnel T between the target border router and the target user gateway unit, encapsulates the IP header IPH_T with the message P4 to obtain a message P5, and sends the message P5 to the target user gateway unit;
step S11, after the target user gateway unit receives the message P5, it removes the IP header IPH_T to obtain the message P4;
the target user gateway unit obtains the key required for decryption according to the ESP protocol header ESP_H of the message P4 and decrypts the message P4 with that key, specifically:
the target user gateway unit verifies the encrypted message content ESP_PAYLOAD part using the key KEY2 to generate an ESP_T verification result and judges whether the ESP_T verification result is consistent with the ESP_T part of the message P4; if so, the target user gateway unit decrypts the encrypted message content ESP_PAYLOAD part of the message P4 using the key KEY1 in that key to obtain the payload P_C message content part of the original message P1, combines the payload P_C message content part with the IP header IPH_C part of the message P4 to obtain the original message P1, and sends the original message P1 to the user (client);
if the ESP_T verification result does not match the verification part ESP_T of the message P4, the target user gateway unit discards the message P4.
In steps S5-S11 above, the encryption of the packet takes place between the user gateway units, so the packet is safer, and it does not need to be encrypted or decrypted while it is transmitted through the border routers and forwarding routers; both the border routers and the forwarding routers can concentrate on packet forwarding, which greatly improves the transmission efficiency of the packet and reduces the load on the routers;
step S12, when a new user gateway unit is added, the new user gateway unit needs to connect to a border router, and the new user gateway unit and the border router perform key agreement to obtain the key of the border router; the border router sends its own key to the other border routers; the other border routers receive the key, store it in their local key tables, and send it to the user gateway units directly connected with them, which store the key in their local key tables;
the border router connected with the new user gateway unit sends all keys in its local key table to the new user gateway unit, and the new user gateway unit receives all the keys and stores them in its local key table;
the key table of a border router holds the keys of all other border routers in real time, all border routers behave the same, and the keys of the other border routers are synchronized at every moment, so that when a new user gateway unit is connected, the border router it connects to only needs to send all the keys in its local key table at that moment;
and step S13, steps S5-S11 are repeated.
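The packet path of steps S5-S11 above, simulated end to end, as an added example that is not code from the patent or its assignee. The fixed-width header layout, the HMAC-SHA256 counter-mode keystream standing in for ESP's encryption algorithm, the sequence number carried in ESP_H next to the SPI (real ESP has one too; the patent only mentions the SPI), and the addresses are all constructed for the demonstration. It shows the border routers handling P3/P4/P5 without ever touching a key, and the target gateway discarding a packet whose ESP_T check fails, as step S11 requires:

```python
"""Added example (not from CN112636913B): the S5-S11 packet path with the
Python standard library.  Header layout, keystream and addresses are assumptions."""
import hashlib
import hmac
import struct

IPH_LEN = 32      # simplified IP header: 16-byte source + 16-byte destination
ESP_H_LEN = 8     # ESP_H = SPI (4 bytes) + sequence number (4 bytes)
ESP_T_LEN = 32    # ESP_T = HMAC-SHA256 tag


def make_key(spi, key1, key2):
    """Key C = [SPI, KEY1, KEY2] as negotiated in S1: KEY1 encrypts, KEY2 verifies."""
    return {"spi": spi, "key1": key1, "key2": key2}


def ip_header(src, dst):
    return src.encode().ljust(16, b"\0") + dst.encode().ljust(16, b"\0")


def parse_ip_header(iph):
    return iph[:16].rstrip(b"\0").decode(), iph[16:32].rstrip(b"\0").decode()


def _keystream(key1, seq, length):
    # Constructed stand-in for the ESP cipher: HMAC(KEY1, seq || counter) blocks.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key1, struct.pack(">II", seq, ctr), hashlib.sha256).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def gateway_send(p1, key, seq, gw_ip, border_ip):
    """S6 + S7: P1 -> P2 = ESP_H + ESP_PAYLOAD + ESP_T -> P3 = IPH_T + IPH_C + P2."""
    iph_c, p_c = p1[:IPH_LEN], p1[IPH_LEN:]
    esp_h = struct.pack(">II", key["spi"], seq)
    esp_payload = _xor(p_c, _keystream(key["key1"], seq, len(p_c)))
    esp_t = hmac.new(key["key2"], esp_h + esp_payload, hashlib.sha256).digest()
    p2 = esp_h + esp_payload + esp_t
    iph_t = ip_header(gw_ip, border_ip)          # tunnel header from tunnel T
    return iph_t + iph_c + p2                    # P3


def border_unseal(p3):
    """S8: strip IPH_T without decrypting; route on the destination in IPH_C."""
    p4 = p3[IPH_LEN:]                            # P4 = IPH_C + P2
    _, target_client = parse_ip_header(p4[:IPH_LEN])
    return p4, target_client


def target_border_reseal(p4, border_ip, gw_ip):
    """S10: new IPH_T for the tunnel to the target gateway; still no decryption."""
    return ip_header(border_ip, gw_ip) + p4      # P5


def gateway_receive(p5, key_table):
    """S11: strip IPH_T, look up the key by SPI, verify ESP_T, then decrypt.
    Returns the original P1, or None when the packet is discarded."""
    p4 = p5[IPH_LEN:]
    iph_c, p2 = p4[:IPH_LEN], p4[IPH_LEN:]
    esp_h, esp_payload, esp_t = p2[:ESP_H_LEN], p2[ESP_H_LEN:-ESP_T_LEN], p2[-ESP_T_LEN:]
    spi, seq = struct.unpack(">II", esp_h)
    key = key_table.get(spi)
    if key is None:                              # unknown SPI: no key, drop
        return None
    expected = hmac.new(key["key2"], esp_h + esp_payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, esp_t):  # constant-time ESP_T comparison
        return None
    p_c = _xor(esp_payload, _keystream(key["key1"], seq, len(esp_payload)))
    return iph_c + p_c                           # P1 = IPH_C + P_C


def run_path(p_c=b"hello from client 1", tamper=False):
    """End-to-end run over constructed addresses: B1 -> A1 -> A2 -> B2.
    Returns the P1 handed to the target client, or None if it was discarded."""
    key_c1 = make_key(1, b"KEY11-encrypt", b"KEY12-verify")
    key_table_b2 = {1: key_c1}                   # B2 learned C1 through S1-S4
    p1 = ip_header("10.0.1.10", "10.0.2.20") + p_c
    p3 = gateway_send(p1, key_c1, 7, "192.0.2.1", "198.51.100.1")
    p4, _target = border_unseal(p3)              # A1 unseals and routes on IPH_C
    if tamper:                                   # constructed in-transit corruption
        i = IPH_LEN + ESP_H_LEN                  # first byte of ESP_PAYLOAD
        p4 = p4[:i] + bytes([p4[i] ^ 0x01]) + p4[i + 1:]
    p5 = target_border_reseal(p4, "198.51.100.2", "192.0.2.2")
    return gateway_receive(p5, key_table_b2)
```

The MAC in this example covers ESP_H together with ESP_PAYLOAD, as real ESP does, so the sequence number that feeds the keystream cannot be altered in transit without the check failing; the patent text only says ESP_T is computed over ESP_PAYLOAD.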
Example 2
This embodiment explains embodiment 1 with a specific example. As shown in fig. 2, a key-sharing networking system includes border routers A1, A2, A3 and A4, user gateway units B1, B2, B3 and B4, and forwarding routers C1, C2, C3 and C4. Border router A1 is connected to user gateway unit B1 and forwarding router C1, border router A2 to user gateway unit B2 and forwarding router C2, border router A3 to user gateway unit B3 and forwarding router C3, and border router A4 to user gateway unit B4 and forwarding router C4; forwarding routers C1, C2, C3 and C4 are connected to each other in pairs.
The key-sharing networking system carries out the following networking method:
1. Key sharing and management
(1) User gateway unit B1 initiates IKEv2 key agreement with border router A1 and negotiates key C1, where key C1 consists of [SPI1, KEY11, KEY12], and tunnel T1 is created; user gateway unit B1 saves key C1 to its local key table;
(2) Border router A1 queries its local key table and sends the existing keys to user gateway unit B1; at this moment the local key table of border router A1 is empty, so nothing needs to be sent;
(3) Border router A1 saves key C1 to its local key table and distributes key C1 through the intermediate routers to border routers A2, A3 and A4;
(4) The other border routers save key C1 to their local key tables;
(5) User gateway unit B2 initiates IKEv2 key agreement with border router A2 and negotiates key C2, where key C2 consists of [SPI2, KEY21, KEY22], and tunnel T2 is created; user gateway unit B2 saves key C2 to its local key table;
(6) Border router A2 queries its local key table and sends the existing key C1 to user gateway unit B2 through T2; user gateway unit B2 stores the received key in its local key table;
(7) Border router A2 saves key C2 to its local key table and distributes key C2 to the other border routers through the intermediate routers;
(8) After receiving key C2, border router A1 sends it to user gateway unit B1 through tunnel T1, and user gateway unit B1 stores key C2 in its local key table;
(9) The other border routers receive key C2 and store it in their local key tables;
(10) The access of user gateway units B3 and B4 proceeds in the same way, until all user gateway units have been accessed and the local key table of each user gateway unit holds the keys of all user gateway units.
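As an added illustration of the key-sharing procedure (steps S1-S4 and S12 of the description, restated in claims 1 and 6, and walked through in part 1 of this embodiment), the following Python simulation is not code from the patent. It models the fig. 2 topology; the class names, the random key values, and the flood-with-deduplication behaviour of the forwarding routers are assumptions made here. IKEv2 itself is not modelled: the negotiated key is simply drawn at random. The simulation reproduces the end state the page describes, in which every border router and every user gateway unit holds the keys of all user gateway units.

```python
"""Added example (not the patent's code): key sharing among border routers
and user gateway units on the fig. 2 topology.  Keys and topology are
constructed here."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    spi: int      # SPI identifier, unique per user gateway unit (claim 2)
    key1: bytes   # KEY1, encryption key
    key2: bytes   # KEY2, verification key


class UserGateway:
    def __init__(self, name: str) -> None:
        self.name = name
        self.key_table: dict[int, Key] = {}


class Router:
    def __init__(self, name: str) -> None:
        self.name = name
        self.neighbors: list[Router] = []

    def link(self, other: Router) -> None:
        self.neighbors.append(other)
        other.neighbors.append(self)

    def receive_key(self, key: Key, sender: Router) -> None:
        raise NotImplementedError


class ForwardingRouter(Router):
    """Step S3, second branch: relays keys, never stores or uses them."""

    def __init__(self, name: str) -> None:
        super().__init__(name)
        self.seen: set[int] = set()   # assumption: stops re-flooding on the C1..C4 mesh

    def receive_key(self, key: Key, sender: Router) -> None:
        if key.spi in self.seen:
            return
        self.seen.add(key.spi)
        for nb in self.neighbors:
            if nb is not sender:
                nb.receive_key(key, self)


class BorderRouter(Router):
    def __init__(self, name: str) -> None:
        super().__init__(name)
        self.key_table: dict[int, Key] = {}
        self.gateway: UserGateway | None = None

    def receive_key(self, key: Key, sender: Router) -> None:
        """Step S3, first branch / S12: store, then pass on to the local gateway."""
        if key.spi in self.key_table:
            return
        self.key_table[key.spi] = key
        if self.gateway is not None:
            self.gateway.key_table[key.spi] = key

    def attach(self, gw: UserGateway, spi: int) -> Key:
        """S1 / S12: key agreement with a directly connected user gateway unit."""
        key = Key(spi, secrets.token_bytes(16), secrets.token_bytes(16))
        gw.key_table[spi] = key                 # gateway saves its own key
        gw.key_table.update(self.key_table)     # existing keys go to the new gateway
        self.key_table[spi] = key
        self.gateway = gw
        for nb in self.neighbors:               # S2: own key to every connected router
            nb.receive_key(key, self)
        return key


def build_fig2_network() -> list[BorderRouter]:
    """Fig. 2: A_i is linked to C_i, and C1..C4 are linked in pairs."""
    borders = [BorderRouter(f"A{i}") for i in range(1, 5)]
    fwds = [ForwardingRouter(f"C{i}") for i in range(1, 5)]
    for a, c in zip(borders, fwds):
        a.link(c)
    for i in range(4):
        for j in range(i + 1, 4):
            fwds[i].link(fwds[j])
    return borders


def tables_consistent(borders: list[BorderRouter]) -> bool:
    """S4 end state: every border router and every gateway holds every key."""
    all_keys: dict[int, Key] = {}
    for b in borders:
        all_keys.update(b.key_table)
    return all(b.key_table == all_keys and b.gateway is not None
               and b.gateway.key_table == all_keys for b in borders)


def run_example() -> list[int]:
    """Attach B1..B4 one after another and return the SPIs held by B1."""
    borders = build_fig2_network()
    for i, b in enumerate(borders, start=1):
        b.attach(UserGateway(f"B{i}"), spi=i)
    assert tables_consistent(borders)
    return sorted(borders[0].gateway.key_table)
```

`run_example()` attaches B1 to B4 in turn and returns the SPIs held in B1's table. As on the page, the forwarding routers only relay keys and never store them, while every gateway's table ends up holding every other gateway's key; the `seen` set is needed because C1 to C4 form a full mesh and would otherwise re-flood each key indefinitely.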
2. route learning
(1) The OSPF protocol runs between the border routers and the forwarding routers;
(2) Through OSPF, every border router and forwarding router learns the network segment connected to each user gateway unit;
3. packet encapsulation forwarding
(1) User gateway unit B1 receives message C1:
SIP: 10.10.1.100, DIP: 10.10.2.100, PAYLOAD
(2) User gateway unit B1 encrypts PAYLOAD with key C1, producing ESP_P1;
(3) ESP_P1 is encapsulated in tunnel T1: the original IP header (SIP, DIP) is carried intact in the extension part of the new T1 IP header, and the result is sent to border router A1;
(4) After border router A1 receives the message, it removes the T1 IP header, recovers the message consisting of the original IP header + ESP_P1, looks up its local routing table and sends the message to the forwarding router;
(5) After receiving the message, the forwarding router looks up the route and forwards it to other forwarding routers or to another border router;
(6) When the message reaches border router A2, A2 determines from the learned route for the DIP in the IP header that it is destined for user gateway unit B2, re-encapsulates it in T2, again placing the original IP header in the extension part of the new IP header, and sends it to user gateway unit B2;
(7) After receiving the message, user gateway unit B2 removes the T2 IP header, looks up its local key table by the SPI1 in the ESP header, decrypts the message with key C1, combines the result with the original IP header to restore the original complete message, and finally sends it to the user.
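The per-packet processing of steps S5-S11 (restated in claim 5), of which the seven steps above are one instance, as an added Python example that is not code from the patent. IP headers are reduced to a source/destination address pair, the ESP header carries only the SPI as on the page, ESP_T is computed with HMAC-SHA256 over ESP_PAYLOAD, and, because the page names neither the cipher nor an IV, encryption is a stand-in PRF keystream (HMAC-SHA256 in counter mode) under a per-packet random IV; all of these are assumptions. Note that the check as the page describes it covers only ESP_PAYLOAD, whereas the ICV of standard ESP (RFC 4303) also covers the SPI and sequence number; the example follows the page.

```python
"""Added example (not the patent's code): ESP-style protection between user
gateway units, steps S5-S11.  Header layout, IV and algorithms are assumed."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass

SPI_LEN = 4    # ESP_H carries only the SPI on the page
IV_LEN = 8     # per-packet nonce (assumption: the page names no IV)
TAG_LEN = 32   # ESP_T = HMAC-SHA256 (assumption: algorithm not named)
IPH_LEN = 8    # simplified IP header: 4-byte SIP + 4-byte DIP


@dataclass(frozen=True)
class Key:
    spi: int      # SPI identifier, unique per user gateway unit
    key1: bytes   # KEY1, encryption key
    key2: bytes   # KEY2, verification key


def ip_header(sip: str, dip: str) -> bytes:
    return ipaddress.IPv4Address(sip).packed + ipaddress.IPv4Address(dip).packed


def header_dip(iph: bytes) -> str:
    return str(ipaddress.IPv4Address(iph[4:8]))


def _keystream(key1: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for the unnamed cipher: HMAC-SHA256 as a PRF in counter mode.
    blocks = [hmac.new(key1, iv + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_protect(key: Key, p_c: bytes) -> bytes:
    """Step S6: P2 = ESP_H || ESP_PAYLOAD || ESP_T built from payload P_C."""
    iv = secrets.token_bytes(IV_LEN)
    esp_payload = iv + _xor(p_c, _keystream(key.key1, iv, len(p_c)))
    esp_t = hmac.new(key.key2, esp_payload, hashlib.sha256).digest()  # over ESP_PAYLOAD only
    return struct.pack(">I", key.spi) + esp_payload + esp_t


def gateway_encapsulate(key: Key, p1: bytes, tunnel: tuple[str, str]) -> bytes:
    """Steps S5-S7: P1 = IPH_C || P_C  ->  P3 = IPH_T || IPH_C || P2."""
    iph_c, p_c = p1[:IPH_LEN], p1[IPH_LEN:]
    return ip_header(*tunnel) + iph_c + esp_protect(key, p_c)


def border_strip_tunnel(p3: bytes) -> tuple[bytes, str]:
    """Step S8: drop IPH_T to get P4 and read the DIP that selects the target."""
    p4 = p3[IPH_LEN:]
    return p4, header_dip(p4[:IPH_LEN])


def border_add_tunnel(p4: bytes, tunnel: tuple[str, str]) -> bytes:
    """Step S10: the target border router prepends a fresh IPH_T to get P5."""
    return ip_header(*tunnel) + p4


def gateway_decapsulate(key_table: dict[int, Key], p5: bytes) -> bytes | None:
    """Step S11: look up the key by SPI, verify ESP_T, then decrypt; None = discard."""
    p4 = p5[IPH_LEN:]
    iph_c, p2 = p4[:IPH_LEN], p4[IPH_LEN:]
    if len(p2) < SPI_LEN + IV_LEN + TAG_LEN:
        return None
    key = key_table.get(struct.unpack(">I", p2[:SPI_LEN])[0])
    if key is None:
        return None
    esp_payload, esp_t = p2[SPI_LEN:-TAG_LEN], p2[-TAG_LEN:]
    expected = hmac.new(key.key2, esp_payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, esp_t):
        return None                              # check failed: discard P4
    iv, ct = esp_payload[:IV_LEN], esp_payload[IV_LEN:]
    return iph_c + _xor(ct, _keystream(key.key1, iv, len(ct)))


def run_example() -> tuple[bool, bool]:
    """Constructed run B1 -> A1 -> (forwarding) -> A2 -> B2, plus a tampered copy."""
    key_c1 = Key(spi=1, key1=secrets.token_bytes(16), key2=secrets.token_bytes(16))
    table_b2 = {key_c1.spi: key_c1}               # B2 learned C1 during key sharing
    routes = {"10.10.2.0/24": "B2"}               # learned via OSPF on the page
    p1 = ip_header("10.10.1.100", "10.10.2.100") + b"PAYLOAD"
    p3 = gateway_encapsulate(key_c1, p1, ("192.0.2.1", "192.0.2.2"))       # tunnel T1
    p4, dip = border_strip_tunnel(p3)
    target = [gw for net, gw in routes.items()
              if ipaddress.ip_address(dip) in ipaddress.ip_network(net)][0]
    assert target == "B2"
    p5 = border_add_tunnel(p4, ("198.51.100.1", "198.51.100.2"))           # tunnel T2
    ok = gateway_decapsulate(table_b2, p5) == p1
    idx = 2 * IPH_LEN + SPI_LEN + IV_LEN          # first ciphertext byte of P5
    tampered = p5[:idx] + bytes([p5[idx] ^ 0x01]) + p5[idx + 1:]
    dropped = gateway_decapsulate(table_b2, tampered) is None
    return ok, dropped
```

`run_example()` returns `(True, True)`: the honest packet is restored to P1 at B2, and a copy with one ciphertext byte flipped is discarded because the ESP_T check fails before any decryption is attempted (verify-then-decrypt, with `hmac.compare_digest` for the comparison).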
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that various equivalent changes, modifications, substitutions and alterations can be made herein without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims (6)

1. A key-sharing networking method, which is operated on a key-sharing networking system, the networking system comprising a plurality of user gateway units and a plurality of routers, and the routers are divided into a border router and a forwarding router, wherein the border router is connected with the user gateway units, and the forwarding router is connected with the border router or the forwarding router is connected with another forwarding router, the key-sharing networking method comprising the following steps:
step S1, each border router performs key agreement with the user gateway unit directly connected to it to obtain the border router's own key; the user gateway unit saves the key to its local key table, and the border router saves the key to its local key table;
step S2, each border router sends its own key to the other border routers or forwarding routers connected to it; the border router that sends the key is referred to as the sending border router;
step S3, after other border routers receive the key of the sending border router, they save the key to their local key tables; or, after a forwarding router receives the key of the sending border router, it forwards the key to the forwarding routers or border routers connected to it;
step S4, repeating steps S2-S3 until each border router has acquired the keys of all other border routers; each border router saves the keys of all other border routers in its local key table and sends them to the user gateway unit directly connected to it, which saves the keys of all other border routers in its local key table.
2. The method according to claim 1, wherein in step S1 the key agreement between a border router and its directly connected user gateway unit specifically includes: the border router and the user gateway unit directly connected to it perform IKEv2 key negotiation to obtain the border router's own key, which comprises an SPI identifier, a key KEY1 and a key KEY2; the SPI identifier marks the corresponding user gateway unit, each user gateway unit having a unique SPI identifier, KEY1 is the key of the encryption algorithm, and KEY2 is the key of the verification algorithm.
3. The method of claim 2, wherein the border router's own key is an IPSEC key.
4. The method for key-sharing networking according to claim 2, wherein step S1 further comprises: between each border router and its directly connected user gateway unit, the ESP protocol is used as the encryption protocol and a message transmission tunnel T is created.
5. The method for key-sharing networking according to claim 4, wherein step S4 is further followed by the following steps:
step S5, the user gateway unit receives an original message P1 sent by a user, where the original message P1 comprises an IP header part IPH_C and a message content (load) part P_C;
step S6, the user gateway unit encrypts the message content part P_C with the key KEY1 of its own key to obtain the encrypted message content part ESP_PAYLOAD, verifies the encrypted message content part ESP_PAYLOAD with the key KEY2 to generate the check part ESP_T, and then generates an ESP protocol header ESP_H, where ESP_H comprises the SPI of the user gateway unit's key;
the user gateway unit encapsulates the ESP protocol header ESP_H, the encrypted message content part ESP_PAYLOAD and the check part ESP_T together to obtain a message P2;
step S7, the user gateway unit generates an IP header IPH_T according to the message transmission tunnel T between itself and the border router, and encapsulates the IP header IPH_T and the IP header part IPH_C with message P2 to obtain a message P3, where message P3 comprises the IP header IPH_T, the IP header part IPH_C and the message P2; the user gateway unit sends message P3 to the border router connected to it; the user gateway unit sending message P3 is referred to as the sending user gateway unit, and the border router receiving message P3 as the sending border router;
step S8, after receiving message P3, the sending border router removes the IP header IPH_T of message P3 to obtain a message P4, where message P4 comprises the IP header part IPH_C and the message P2; the sending border router determines from the IP header part IPH_C of message P4 the user gateway unit that is to receive message P4, which is referred to as the target user gateway unit, and the border router directly connected to the target user gateway unit is referred to as the target border router;
step S9, the sending border router sends message P4 to the target border router, which specifically includes:
if the sending border router is directly connected to the target border router, it sends message P4 directly to the target border router;
if the sending border router must pass through a plurality of forwarding routers to deliver message P4, it first sends message P4 to a forwarding router, and each forwarding router sends message P4 to the next forwarding router according to the destination IP address in the IP header part IPH_C, until message P4 reaches the target border router;
step S10, after the target border router receives message P4, it generates a new IP header IPH_T according to the message transmission tunnel T between itself and the target user gateway unit, encapsulates this IP header IPH_T with message P4 to obtain a message P5, and sends message P5 to the target user gateway unit;
step S11, after the target user gateway unit receives message P5, it removes the IP header IPH_T to obtain message P4; the target user gateway unit obtains the key required for decryption according to the ESP protocol header ESP_H of message P4;
the target user gateway unit verifies the encrypted message content part ESP_PAYLOAD with the key KEY2 to generate a verification result ESP_T and judges whether this result is consistent with the check part ESP_T of message P4; if so, the target user gateway unit decrypts the encrypted message content part ESP_PAYLOAD of message P4 with the key KEY1 of the required key to obtain the message content part P_C of the original message P1, and combines the message content part P_C with the IP header part IPH_C of message P4 to obtain the original message P1; the target user gateway unit sends the original message P1 to the user;
if the verification result does not match the check part ESP_T of message P4, the target user gateway unit discards message P4.
6. The method for key-sharing networking according to claim 5, wherein step S11 is further followed by the following steps:
step S12, when a new user gateway unit is added, it must connect to a border router, and the new user gateway unit and that border router perform key agreement to obtain the border router's own key; the border router sends its own key to the other border routers; the other border routers receive the key, store it in their local key tables, and send it to the user gateway units directly connected to them, which store it in their local key tables;
the border router connected to the new user gateway unit sends all keys in its local key table to the new user gateway unit, which receives them and stores them in its local key table;
and step S13, repeating steps S5-S11.
CN202110242847.0A 2021-03-05 2021-03-05 Networking method for key sharing Active CN112636913B (en)


Publications (2)

Publication Number Publication Date
CN112636913A CN112636913A (en) 2021-04-09
CN112636913B true CN112636913B (en) 2021-06-22





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant