CN112637069B - Data message transmission method and device


Info

Publication number: CN112637069B
Authority: CN (China)
Prior art keywords: application, key, ipv6 data, data message, identification information
Legal status: Active
Application number: CN202011506163.9A
Other languages: Chinese (zh)
Other versions: CN112637069A (en)
Inventors: 张婉桥, 黄琳, 简云定, 伏伟, 曹鸿健
Current Assignee: Alipay Hangzhou Information Technology Co Ltd
Original Assignee: Alipay Hangzhou Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L 63/12 Applying verification of the received information

Abstract

The embodiments of this specification provide a data message transmission method and device. According to the method, an application client first encrypts, with a first key, the field carrying application privacy information in the message header of an IPv6 data message and then sends the message to an application-aware node; the application-aware node decrypts that field with a second key and forwards the IPv6 data message according to the application privacy information obtained by decryption. The second key is provided to the application-aware node by the operator service side and corresponds to the first key that the operator service side distributed to the application client.

Description

Data message transmission method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of network communication technologies, and in particular to a method and an apparatus for transmitting a data packet.
Background
With the rapid development of networks, the optimal allocation of network resources has become an urgent need of network management, and APN6 (Application-aware IPv6 Networking, an IPv6-based network architecture that is aware of application traffic) is being used to address this pain point.
In an APN6 deployment, the header of an IPv6 (Internet Protocol Version 6) data packet may carry application information, so that the operator can divide the network into service levels and apply different routing policies to different service levels, thereby optimizing network resources as a whole. However, because the IPv6 header carries the application information, that information is exposed to tampering during network transmission, and because the application information may involve user privacy, it is also exposed to disclosure of that privacy during network transmission.
Disclosure of Invention
One or more embodiments of the present specification describe a method and an apparatus for transmitting a data packet, so as to improve the transmission security of IPv6 data packets in APN6.
According to a first aspect, a method for transmitting a data packet is provided, the method comprising:
the application-aware node receives an IPv6 data message from an application client;
decrypts, with a second key, the field carrying application privacy information in the message header of the IPv6 data message; and
forwards the IPv6 data message according to the application privacy information obtained by decryption;
where the second key is provided to the application-aware node by the operator service side and corresponds to the first key distributed to the application client by the operator service side.
In one embodiment, the method further comprises:
the application-aware node receives a second key and application identification information provided by the operator service side and maintains the correspondence between the second key and the application identification information; and
determines, from the application identification information carried in the IPv6 data message, the second key corresponding to that application identification information.
In another embodiment, after decrypting the field carrying the application privacy information in the header of the IPv6 data message, the method further includes:
verifying the IPv6 data message with verification information carried in the IPv6 data message; and
if the verification succeeds, forwarding the IPv6 data message according to the application privacy information obtained by decryption.
In one embodiment, the method further comprises:
if the verification fails, the application-aware node discards the IPv6 data message.
In another embodiment, the verification information comprises a CRC code and/or a timestamp.
In an embodiment, forwarding the IPv6 data message according to the application privacy information obtained by decryption includes:
determining a corresponding service level from the application privacy information obtained by decryption; and
forwarding the IPv6 data message using the routing policy corresponding to that service level.
In another embodiment, forwarding the IPv6 data message includes:
removing the application privacy information from the IPv6 data message; and
forwarding the IPv6 data message with the application privacy information removed.
According to a second aspect, a method for transmitting a data packet is provided, which includes:
the application client encrypts, with a first key, the field carrying application privacy information in the message header of an IPv6 data message; and
sends the encrypted IPv6 data message to an application-aware node;
where the first key is distributed to the application client by the operator service side and corresponds to a second key provided by the operator service side to the application-aware node.
In one embodiment, the method further comprises:
the application client receives and maintains the first key distributed by the operator service side.
In another embodiment, the application client is a contract user of the operator.
In an embodiment, before encrypting the field carrying application privacy information in the header of the IPv6 data message, the method further includes:
carrying verification information in the IPv6 data message so that the application-aware node can verify the IPv6 data message with that verification information.
In one embodiment, the verification information includes a cyclic redundancy check (CRC) code and/or a timestamp.
According to a third aspect, there is provided a method for transmitting a data packet, including:
the operator service side distributes a first key to the application client; and
provides, to an application-aware node, a second key corresponding to the first key and application identification information corresponding to the application client.
In one embodiment, the first key and the second key are a key pair of each other.
According to a fourth aspect, the present specification provides a data packet transmission apparatus, disposed in an application-aware node, the apparatus including:
a first receiving unit configured to receive an IPv6 data message from an application client;
a decryption unit configured to decrypt, with a second key, the field carrying application privacy information in the header of the IPv6 data message; and
a forwarding unit configured to forward the IPv6 data message according to the application privacy information obtained by decryption;
where the second key is provided to the application-aware node by the operator service side and corresponds to the first key distributed to the application client by the operator service side.
In one embodiment, the apparatus further comprises:
a second receiving unit configured to receive and maintain a second key and application identification information provided by the operator service side;
and the forwarding unit is further configured to determine, from the application identification information carried in the IPv6 data message, the second key corresponding to that application identification information.
In another embodiment, the apparatus further comprises:
a verification unit configured to verify the IPv6 data message with verification information carried in the IPv6 data message;
and the forwarding unit is configured to forward the IPv6 data message according to the application privacy information obtained by decryption if the verification unit reports that verification succeeded.
In one embodiment, the forwarding unit is further configured to discard the IPv6 data message if the verification unit reports that verification failed.
In another embodiment, the verification information comprises a CRC code and/or a timestamp.
In an embodiment, the forwarding unit is specifically configured to determine a corresponding service level from the application privacy information obtained by decryption, and to forward the IPv6 data message using the routing policy corresponding to that service level.
In another embodiment, the forwarding unit is further configured to remove the application privacy information from the IPv6 data message and forward the IPv6 data message with the application privacy information removed.
According to a fifth aspect, there is further provided a device for transmitting a data packet, the device being disposed at an application client and including:
an encryption unit configured to encrypt, with a first key, the field carrying application privacy information in the header of an IPv6 data message; and
a sending unit configured to send the encrypted IPv6 data message to the application-aware node;
where the first key is distributed to the application client by the operator service side and corresponds to a second key provided by the operator service side to the application-aware node.
In one embodiment, the device further comprises:
a receiving unit configured to receive and maintain the first key distributed by the operator service side.
In another embodiment, the application client is a contracted user of the operator.
In one embodiment, the device further comprises:
a verification unit configured to provide the IPv6 data message carrying verification information to the encryption unit.
In another embodiment, the verification information includes a CRC code and/or a timestamp.
According to a sixth aspect, there is further provided a data packet transmission apparatus, disposed at the operator service side, the apparatus including:
an assigning unit configured to assign a first key to the application client; and
a sending unit configured to provide, to an application-aware node, a second key corresponding to the first key and application identification information corresponding to the application client.
In one embodiment, the first key and the second key are the same or are a key pair of each other.
According to a seventh aspect, there is provided a computing device comprising a memory having stored therein executable code and a processor which, when executing the executable code, implements the method of the first aspect.
According to the method and device provided by the embodiments of this specification, the application client and the application-aware node each obtain their key from the operator service side, and the field carrying application privacy information in the header of the IPv6 data message is encrypted before transmission, so that the application privacy information is protected from tampering and leakage in transit and the transmission security of IPv6 data messages in APN6 is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 illustrates the system architecture to which the present specification relates and applies;
Fig. 2 is a flowchart of a method performed by the operator service side according to an embodiment of the present specification;
Fig. 3 is a flowchart of a method performed by an application client according to an embodiment of the present specification;
Fig. 4 is a flowchart of a method performed by an application-aware node according to an embodiment of the present specification;
Fig. 5 is a detailed interaction diagram between network nodes according to an embodiment of the present specification;
Fig. 6 is a schematic block diagram of a data packet transmission apparatus according to one embodiment;
Fig. 7 is a schematic block diagram of a data packet transmission apparatus according to one embodiment;
Fig. 8 is a schematic block diagram of a data packet transmission apparatus according to one embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
To facilitate understanding of the methods provided herein, the system architecture to which this specification relates and applies is described first. As shown in Fig. 1, the system architecture mainly includes three network nodes: an application client, an application-aware node and an operator service side.
The application client is installed and runs on a terminal device, which may include, but is not limited to, smart mobile terminals, smart home devices, network devices, wearable devices, smart medical devices, PCs (personal computers) and the like. Smart mobile devices may include mobile phones, tablet computers, notebook computers, PDAs (personal digital assistants), connected vehicles and so on. Smart home devices may include smart appliances such as smart televisions, smart air conditioners, smart water heaters, smart refrigerators and smart air purifiers, as well as smart door locks, smart sockets, smart lamps, smart cameras and the like. Network devices may include, for example, switches, wireless APs and servers. Wearable devices may include smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (devices that support both virtual and augmented reality) and so on. Smart medical devices may include, for example, smart thermometers, smart blood pressure monitors and smart blood glucose meters.
The application client may also be any of various types of application, including but not limited to payment applications, multimedia playback applications, map applications, text editing applications, financial applications, browser applications, instant messaging applications and the like.
The operator service side refers to the server equipment of the provider of the network service; it may be a single server or a cluster of several servers. It is responsible for providing network services to the various applications, such as security authentication and management of network service levels.
The application-aware node is located at the edge of the operator network, at the gateway. It is responsible for selecting, according to the application privacy information carried in the data packets sent by the application client, a routing policy adapted to that application privacy information, and for forwarding the IPv6 data packets to the corresponding application server.
It should be understood that the number of application clients, application aware nodes, operator servers in fig. 1 is merely illustrative. Any number may be selected and laid out as desired for the implementation.
Fig. 2 is a flowchart of a method performed by the operator service side according to an embodiment of this specification. As shown in Fig. 2, the method may include the following steps:
Step 201: the operator service side distributes a first key to the application client.
In this specification, the operator service side is responsible for distributing keys to each application. To distinguish the keys involved in the embodiments, the key assigned to the application client is referred to as the "first key". References in this specification to "first", "second", etc. imply nothing about size, order or number; they merely distinguish the names.
The operator service side may distribute one first key to an application or several first keys to one application, but a given application client holds only one first key at any one time. The first key assigned to an application may be updated when triggered by a specific event or after a certain period of time.
In one implementation, the first key that the operator service side allocates to the application is agreed in advance when the operator signs a contract with the application, and is preset in the installation package of the application client. After the terminal device downloads, installs and runs the application client, the client obtains the first key distributed by the operator service side from the installation package. At the same time, the operator service side maintains the correspondence between the first key and the application identification information.
In another implementation, the operator service side allocates the first key to the application, maintains the correspondence between the first key and the application identification information, and issues the first key to each application client of that application. After receiving the first key issued by the operator service side, the application client stores it and uses it to process subsequent IPv6 data messages.
Step 203: provide, to the application-aware node, a second key corresponding to the first key and application identification information corresponding to the application client.
In this specification, the first key and the second key may be the same key, in which case the application client and the application-aware node subsequently use a symmetric encryption algorithm for encryption and decryption. The first key and the second key may also be a key pair, e.g. a public key and a private key respectively, in which case the application client and the application-aware node use an asymmetric encryption algorithm for encryption and decryption.
In addition, as mentioned above, the operator service side may update the first key allocated to the application client; in that case the operator service side also promptly provides the application-aware node with the second key corresponding to the updated first key and the application identification information corresponding to the application client.
Fig. 3 is a flowchart of a method performed by an application client according to an embodiment of the present disclosure, and as shown in fig. 3, the method may include the following steps:
Step 301: the application client encrypts, with the first key, the field carrying application privacy information in the header of the IPv6 data packet.
An IPv6 data packet may carry application privacy information in an extension header. The IPv6 extension header may be an HBH (Hop-by-Hop Options Header), a DOH (Destination Options Header), an SRH (Segment Routing Header) or the like, so the application privacy information may be carried in at least one of these headers.
The application privacy information mainly describes how users are using the application, and reflects the application's requirements on the network. Different applications place different requirements on the network, and even within a single application different uses differ: web browsing, music playback and video playback, for example, each place different demands on the network. What a user is specifically doing, however, is itself private, so it must be protected from tampering and disclosure.
Therefore, before sending the IPv6 data packet, the application client may encrypt the field carrying application privacy information in the packet header, using the first key assigned to the application by the operator service side.
In one implementation, the application client encrypts only the field in which the application privacy information is carried. However, the extension header of the IPv6 data packet may carry other fields besides the one carrying the application privacy information; further information may also be carried in the extension bits (e.g. 128 bits). Therefore, in another implementation, the application client encrypts the entire extension field of the header of the IPv6 data packet.
As mentioned in the embodiment of Fig. 2, the first key and the second key may be the same key, in which case the application client uses a symmetric encryption algorithm, for example AES (Advanced Encryption Standard) or DES (Data Encryption Standard).
The first key and the second key may also be a key pair, e.g. a public key and a private key respectively, in which case the application client may use an asymmetric encryption algorithm, for example RSA or ElGamal.
Furthermore, the application client may carry verification information in the IPv6 data packet, so that the application-aware node can verify the IPv6 data packet using that information.
In one implementation, the verification information is a CRC (Cyclic Redundancy Check) code: the application client generates a CRC code over the IPv6 data packet and carries it in the packet, so that the application-aware node can check the integrity of the packet with the CRC code. CRC generation is a well-established technique and is not described in detail here.
In another implementation, the verification information is a timestamp: the application client carries the current timestamp in the IPv6 data message before sending it, so that the application-aware node can use the timestamp to detect replay of the IPv6 data message.
Step 303: send the encrypted IPv6 data message to the application-aware node.
The destination node of the IPv6 data packet sent by the application client is the application server side, i.e. the destination address is the address of the application server. However, because the application-aware node is an edge node of the operator network located at the gateway, the IPv6 data packet reaches the application server via the application-aware node.
Fig. 4 is a flowchart of a method performed by an application-aware node according to an embodiment of the present disclosure, and as shown in fig. 4, the method may include the following steps:
Step 401: the application-aware node receives an IPv6 data packet from an application client.
Step 403: decrypt, with the second key, the field carrying application privacy information in the header of the IPv6 data message.
In one implementation, the application-aware node obtains the second key and the application identification information from the operator service side in advance and maintains the correspondence between them. After receiving the IPv6 data packet from the application client, the application-aware node reads the application identification information from the packet, i.e. identifies the application from which the packet originates, determines the second key corresponding to that application identification information, and uses that second key to decrypt the field carrying application privacy information in the header of the IPv6 data message.
Alternatively, a single first key may be used for all applications registered with the operator, and the application-aware node obtains the single corresponding second key and uses it directly to decrypt the field carrying application privacy information in the header of each received IPv6 data message.
As mentioned in the embodiment of Fig. 2, the first key and the second key may be the same key, in which case the application-aware node decrypts with a symmetric encryption algorithm, for example AES or DES.
The first key and the second key may also be a key pair, e.g. a public key and a private key respectively, in which case the application-aware node may decrypt with an asymmetric encryption algorithm, for example RSA or ElGamal.
Further, after the field carrying the application privacy information has been decrypted, the IPv6 data packet may be verified using the verification information carried in it; if verification succeeds, step 405 is executed, otherwise the IPv6 data packet may be discarded.
In one implementation, if the verification information is a CRC code, the application-aware node generates a CRC code over the IPv6 data packet in the same way as the application client and compares it with the CRC code carried in the packet. If they match, the integrity check passes; if they differ, it fails.
In another implementation, if the verification information is a timestamp, the application-aware node determines whether the difference between the time at which the IPv6 data packet was received and the timestamp exceeds a preset threshold. If it does, verification fails, indicating a suspected replay attack; otherwise verification passes.
Step 405: forward the IPv6 data message according to the application privacy information obtained by decryption.
Because the application privacy information reflects the user's requirements on the network, the corresponding service level can be determined from the decrypted application privacy information, and the IPv6 data message is forwarded using the routing policy corresponding to that service level.
For example, a user may be using a video service within an application. The video service has a high real-time requirement on the network and can therefore be mapped to a high service level, and the application-aware node forwards the IPv6 data packet with the routing policy of that higher service level, so that the packet is transmitted, for example, via network nodes with higher bandwidth and processing capacity.
As another example, when the user is using the web browsing service within the application, which needs a lower service level than the video service, the application-aware node may forward the IPv6 data packet with the routing policy of the lower service level.
With such routing policies, network resources can be optimized as far as possible while the quality of service the user receives is maintained.
In addition, because the application-aware node is an edge node of the operator network, and the operator network is unimpeded and has a certain level of security, the application-aware node can forward the decrypted IPv6 data message; the forwarded message then continues to travel within the operator network. Alternatively, the application-aware node may forward the IPv6 data packet as received, in which case the application server needs to know the second key.
In yet another implementation, because the application privacy information is mainly used by the application-aware node to determine the routing policy and is of little use to the application server, the application-aware node may remove the application privacy information from the IPv6 data packet before forwarding it. After removal, the extension bits originally occupied by the application privacy information may be filled with predetermined filler, such as all zeros.
In a typical application scenario, the above approach is applicable to contract users. A contract user is a user who has signed a contract with and registered with the operator. After registration, the operator service side knows in advance the user's network requirements for the application services and synchronizes them to the application-aware node in advance. When the contract user sends IPv6 data messages with the application client, the application-aware node provides the optimal application flow for them, i.e. a routing policy suited to the network requirements expressed by the application privacy information carried in the IPv6 header.
To understand the approach of this specification more intuitively, a specific interaction between the network nodes is described below with reference to the preferred embodiment shown in fig. 5. As shown in fig. 5, the process includes the following steps:
In step 501, the operator service end distributes a first key to the application client.
In step 503, the operator service end provides the second key corresponding to the first key, together with the application identification information corresponding to the application client, to the application-aware node.
In step 505, the application client encrypts the field carrying application privacy information in the header of the IPv6 data packet using the first key, and generates a CRC code and a timestamp for the packet; the CRC code and the timestamp are carried in the IPv6 data packet.
In step 507, the application client sends the encrypted IPv6 data packet to the application-aware node.
In step 509, the application-aware node decrypts, using the second key, the field carrying the application privacy information in the header of the IPv6 data packet.
In step 511, the application-aware node verifies the CRC code and the timestamp carried by the IPv6 data packet; if the verification passes, step 513 is executed. If the verification fails, the IPv6 data packet is discarded (not shown in fig. 5).
In step 513, the application-aware node determines the corresponding service level from the decrypted application privacy information, and forwards the decrypted IPv6 data packet using the routing policy corresponding to that service level.
Specific processing related to each step in the above-mentioned flow may refer to specific description in the embodiments shown in fig. 2 to fig. 4, which is not described herein again.
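The exchange of steps 501 to 513, as an added example that is not part of the patent: a Python model of the operator service end, an application client and an application-aware node, covering key distribution, encryption of the privacy field, CRC and timestamp verification, service-level selection and zero-filling of the removed privacy field. The header layout, the service-level table, the HMAC-based stream cipher and the 30-second replay window are assumptions made for the illustration; the patent fixes none of them.

```python
import hashlib
import hmac
import os
import struct
import zlib

# Constructed example values; the patent defines neither these labels nor this layout.
PRIV_LEN = 16          # fixed-width privacy field, so zero-filling it keeps the header layout
REPLAY_WINDOW_S = 30   # timestamps older than this are treated as stale
SERVICE_LEVELS = {b"video": 2, b"web": 1}                 # privacy info -> service level
ROUTING_POLICIES = {2: "high-bandwidth-path", 1: "default-path", 0: "default-path"}
# Header layout: app_id(4) | timestamp(8) | nonce(8) | enc_priv(16) | crc(4) | payload
HDR = ">4sQ8s"
HDR_LEN = struct.calcsize(HDR)   # 20
CRC_OFF = HDR_LEN + PRIV_LEN     # 36
FIXED_LEN = CRC_OFF + 4          # 40


def keystream(key, nonce, n):
    # Illustrative stream cipher (HMAC-SHA256 in counter mode) standing in for the
    # symmetric cipher the patent leaves unspecified.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class OperatorService:
    # Operator service end: assigns first keys (step 501), provisions nodes (step 503).
    def __init__(self):
        self.first_keys = {}   # application identification info -> first key

    def assign_first_key(self, app_id):
        self.first_keys[app_id] = os.urandom(32)
        return self.first_keys[app_id]

    def provision(self, node):
        # Symmetric case: the second key given to the node equals the first key.
        node.second_keys.update(self.first_keys)


class AppClient:
    # Application client: encrypts the privacy field, adds CRC and timestamp (step 505).
    def __init__(self, app_id, first_key):
        self.app_id, self.key = app_id, first_key

    def build_packet(self, privacy_info, payload, now):
        nonce = os.urandom(8)   # per-packet nonce so the keystream never repeats
        padded = privacy_info.ljust(PRIV_LEN, b"\x00")
        body = struct.pack(HDR, self.app_id, int(now), nonce)
        body += xor_bytes(padded, keystream(self.key, nonce, PRIV_LEN))
        # The CRC covers header and payload. It detects corruption, not deliberate
        # tampering; tamper resistance would need a MAC or an AEAD cipher instead.
        crc = zlib.crc32(body + payload) & 0xFFFFFFFF
        return body + struct.pack(">I", crc) + payload


class AppAwareNode:
    # Application-aware node: decrypt (509), verify (511), route and strip (513).
    def __init__(self):
        self.second_keys = {}
        self.seen = set()   # (app_id, nonce, ts) tuples already accepted in the window

    def process(self, pkt, now):
        app_id, ts, nonce = struct.unpack(HDR, pkt[:HDR_LEN])
        key = self.second_keys.get(app_id)   # second key chosen by the carried app id
        if key is None:
            return None, "unknown app id"
        enc, payload = pkt[HDR_LEN:CRC_OFF], pkt[FIXED_LEN:]
        (crc,) = struct.unpack(">I", pkt[CRC_OFF:FIXED_LEN])
        privacy = xor_bytes(enc, keystream(key, nonce, PRIV_LEN)).rstrip(b"\x00")
        if (zlib.crc32(pkt[:CRC_OFF] + payload) & 0xFFFFFFFF) != crc:
            return None, "crc mismatch"
        if abs(int(now) - ts) > REPLAY_WINDOW_S or (app_id, nonce, ts) in self.seen:
            return None, "stale or replayed"
        self.seen.add((app_id, nonce, ts))
        level = SERVICE_LEVELS.get(privacy, 0)
        # Strip the privacy info before forwarding: its field is zero-filled.
        forwarded = pkt[:HDR_LEN] + b"\x00" * PRIV_LEN + pkt[CRC_OFF:]
        return {"level": level, "policy": ROUTING_POLICIES[level], "packet": forwarded}, "ok"


def run_demo():
    # One full exchange plus a replayed and a corrupted copy of the video packet.
    operator, node = OperatorService(), AppAwareNode()
    client = AppClient(b"APP1", operator.assign_first_key(b"APP1"))
    operator.provision(node)
    video = client.build_packet(b"video", b"frame-data", now=1000)
    web = client.build_packet(b"web", b"GET /", now=1000)
    r_video, _ = node.process(video, now=1005)
    r_web, _ = node.process(web, now=1005)
    _, s_replay = node.process(video, now=1006)
    corrupted = video[:-1] + bytes([video[-1] ^ 0x01])
    _, s_corrupt = node.process(corrupted, now=1005)
    return r_video, r_web, s_replay, s_corrupt
```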
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
According to another aspect, an apparatus for transmitting data packets is provided. Fig. 6 shows a schematic block diagram of a data packet transmission apparatus according to an embodiment. The apparatus may be disposed at the application-aware node and is configured to perform the functions of the application-aware node in the foregoing embodiments. As shown in fig. 6, the apparatus 600 includes a first receiving unit 601, a decryption unit 602 and a forwarding unit 603, and may further include a second receiving unit 604 and a verification unit 605. The main functions of each unit are as follows:
The first receiving unit 601 is configured to receive an IPv6 data packet from an application client.
The decryption unit 602 is configured to decrypt, using the second key, the field carrying the application privacy information in the header of the IPv6 data packet. The second key is provided to the application-aware node by the operator service end and corresponds to the first key distributed to the application client by the operator service end.
The forwarding unit 603 is configured to forward the IPv6 data packet using the application privacy information obtained by decryption.
The second receiving unit 604 is configured to receive and maintain the second key and the application identification information provided by the operator service end. The second receiving unit 604 obtains the second key and the application identification information from the operator service end in advance; the operator service end may update the first key allocated to the application client and correspondingly update the second key associated with the application identification information.
Accordingly, the forwarding unit 603 is further configured to determine, from the application identification information carried in the IPv6 data packet, the second key corresponding to that application identification information.
The verification unit 605 is configured to verify the IPv6 data packet using the verification information carried in the packet.
The forwarding unit 603 is configured to forward the IPv6 data packet using the decrypted application privacy information if the verification unit 605 reports that verification succeeded, and to discard the IPv6 data packet if the verification unit 605 reports that verification failed.
The verification information may include a CRC code and/or a timestamp. The CRC code is used by the application-aware node to perform an integrity check on the IPv6 data packet. The timestamp is used by the application-aware node to check whether the IPv6 data packet is a replayed packet (a replay attack).
As a preferred embodiment, the forwarding unit 603 is specifically configured to determine the corresponding service level from the decrypted application privacy information, and to forward the IPv6 data packet using the routing policy corresponding to that service level.
As one implementation, the forwarding unit 603 is further configured to remove the application privacy information from the IPv6 data packet and to forward the packet with the application privacy information removed.
According to another aspect, an apparatus for transmitting data packets is provided. Fig. 7 shows a schematic block diagram of a data packet transmission apparatus according to an embodiment. The apparatus may be disposed at the application client to perform the functions of the application client in the foregoing embodiments. As shown in fig. 7, the apparatus 700 includes an encryption unit 701 and a sending unit 702, and may further include a receiving unit 703 and a verification unit 704. The main functions of each unit are as follows:
The encryption unit 701 is configured to encrypt, using a first key, the field carrying application privacy information in the header of the IPv6 data packet. The first key is distributed to the application client by the operator service end and corresponds to a second key provided by the operator service end to the application-aware node.
The sending unit 702 is configured to send the encrypted IPv6 data packet to the application-aware node.
The receiving unit 703 is configured to receive and maintain the first key distributed by the operator service end. The receiving unit 703 obtains the first key from the operator service end in advance, and the operator service end may update the first key allocated to the application client.
To further improve the security of packet transmission, the verification unit 704 is configured to add verification information to the IPv6 data packet and provide the packet to the encryption unit 701.
The verification information may include, for example, a CRC code and/or a timestamp. The CRC code is used by the application-aware node to perform an integrity check on the IPv6 data packet. The timestamp is used by the application-aware node to check whether the IPv6 data packet is a replayed packet (a replay attack).
As a typical application scenario, the application client may be a contracted user of the operator.
According to another aspect, an apparatus for transmitting data packets is provided. Fig. 8 shows a schematic block diagram of a data packet transmission apparatus according to an embodiment. The apparatus may be disposed at the operator service end to perform the functions of the operator service end in the foregoing embodiments. As shown in fig. 8, the apparatus 800 includes an allocation unit 801 and a sending unit 802. The main functions of each unit are as follows:
The allocation unit 801 is configured to allocate a first key to the application client.
As one implementation, the first key allocated by the operator service end to the application may be agreed in advance when the operator signs a contract with the application, and preset in the installation package of the application client. After the terminal device downloads, installs and runs the application client, the first key distributed by the operator service end can be obtained from the installation package. Meanwhile, the operator service end maintains the correspondence between the first key and the application identification information.
As another implementation, the operator service end may allocate the first key to the application, maintain the correspondence between the first key and the application identification information, and issue the first key to each application client of the application through the sending unit 802. After receiving the first key issued by the operator service end, the application client stores it and uses it in the subsequent processing of IPv6 data packets.
The sending unit 802 is configured to provide the second key corresponding to the first key, together with the application identification information corresponding to the application client, to the application-aware node.
As one implementation, if the encryption and decryption method used by the application client and the application-aware node is a symmetric encryption algorithm, the first key and the second key are the same. If it is an asymmetric encryption algorithm, the first key and the second key are a key pair.
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described in connection with fig. 2-4.
According to an embodiment of still another aspect, there is also provided a computing device including a memory and a processor, the memory having stored therein executable code, the processor implementing the method described in conjunction with fig. 2-4 when executing the executable code.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The embodiments, objects, technical solutions and advantages of the present invention have been described above in further detail. It should be understood that the embodiments described above are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention fall within the scope of the present invention.

Claims (29)

1. A data packet transmission method, wherein an application-aware node maintains a correspondence between a second key and application identification information, the second key and the application identification information being provided to the application-aware node by an operator service end, and the second key corresponding to a first key allocated to an application client by the operator service end, the method comprising:
an application sensing node receives an IPv6 data message from an application client;
determining a second key corresponding to the application identification information carried by the IPv6 data message by using the application identification information carried by the IPv6 data message;
decrypting a field carrying application privacy information in a message header of the IPv6 data message by using a second key;
and forwarding the IPv6 data message by using the application privacy information obtained by decryption.
2. The method of claim 1, further comprising:
and the application perception node receives a second key and application identification information provided by the operator service end and maintains the corresponding relation between the second key and the application identification information.
3. The method according to claim 1, after decrypting the field carrying application privacy information in the header of the IPv6 data packet, further comprising:
verifying the IPv6 data message by using verification information carried by the IPv6 data message;
and if the verification succeeds, forwarding the IPv6 data message using the application privacy information obtained by decryption.
4. The method of claim 3, further comprising:
and if the verification fails, discarding the IPv6 data message by the application-aware node.
5. The method of claim 3, wherein the validation information comprises a CRC code and/or a timestamp.
6. The method according to claim 1, wherein the forwarding the IPv6 data packet by using the application privacy information obtained by decryption includes:
determining a corresponding service level by using the application privacy information obtained by decryption;
and forwarding the IPv6 data message by adopting a routing strategy corresponding to the service level.
7. The method of claim 1, wherein forwarding the IPv6 data packet comprises:
removing the application privacy information from the IPv6 data message;
and forwarding the IPv6 data message with the application privacy information removed.
8. A data message transmission method, comprising:
the application client encrypts a field carrying application privacy information in a message header of the IPv6 data message by using the first key;
sending the encrypted IPv6 data message to an application-aware node, so that the application-aware node determines, from the application identification information carried by the IPv6 data message, the second key corresponding to that application identification information, and decrypts the field carrying the application privacy information using the second key;
wherein the first key is distributed by the operator service end to each application client of the application, and corresponds to a second key provided by the operator service end to the application-aware node.
9. The method of claim 8, further comprising:
and the application client receives and maintains the first key distributed by the operator server.
10. The method of claim 8, wherein the application client is a contracted user of an operator.
11. The method according to claim 8, before encrypting the field carrying the application privacy information in the header of the IPv6 data packet, further comprising:
and carrying verification information in the IPv6 data message so that the application sensing node can verify the IPv6 data message by using the verification information.
12. The method of claim 11, wherein the verification information comprises a cyclic redundancy check (CRC) code and/or a timestamp.
13. A data message transmission method, comprising:
an operator server distributes a first key for each application client of an application, and maintains a corresponding relation between the first key and application identification information of the application;
and providing a second key corresponding to the first key and the application identification information to an application-aware node.
14. The method of claim 13, wherein the first key and the second key are a key pair.
15. A transmission device for data packets, which is disposed at an application-aware node, where the application-aware node maintains a corresponding relationship between a second key and application identification information, the second key and the application identification information are provided to the application-aware node by an operator service end, and the second key corresponds to a first key allocated to an application client by the operator service end, and the transmission device includes:
a first receiving unit configured to receive an IPv6 data message from an application client;
the decryption unit is configured to decrypt a field carrying application privacy information in a header of the IPv6 data packet by using a second key;
the forwarding unit is configured to forward the IPv6 data packet by using the application privacy information obtained by decryption;
the second key is provided for the application-aware node by the operator service side, and corresponds to the first key distributed to the application client by the operator service side.
16. The apparatus of claim 15, further comprising:
the second receiving unit is configured to receive and maintain a second key and application identification information provided by the operator service terminal;
the forwarding unit is further configured to determine, by using the application identification information carried in the IPv6 data packet, a second key corresponding to the application identification information carried in the IPv6 data packet.
17. The apparatus of claim 15, further comprising:
the verification unit is configured to verify the IPv6 data message by utilizing verification information carried by the IPv6 data message;
and the forwarding unit is configured to forward the IPv6 data packet using the application privacy information obtained by decryption if the verification result of the verification unit is that the verification succeeded.
18. The apparatus of claim 17, wherein the forwarding unit is further configured to discard the IPv6 data packet if the verification result of the verification unit is a verification failure.
19. The apparatus of claim 17, wherein the validation information comprises a CRC code and/or a timestamp.
20. The apparatus according to claim 15, wherein the forwarding unit is specifically configured to determine the corresponding service level using the decrypted application privacy information; and forwarding the IPv6 data message by adopting a routing strategy corresponding to the service level.
21. The apparatus of claim 15, wherein the forwarding unit is further configured to remove the application privacy information from the IPv6 data packet, and forward the IPv6 data packet with the application privacy information removed.
22. A data message transmission device, disposed at an application client, the device comprising:
the encryption unit is configured to encrypt a field carrying application privacy information in a header of the IPv6 data message by using a first key;
a sending unit configured to send the encrypted IPv6 data packet to an application-aware node, so that the application-aware node determines, from the application identification information carried in the IPv6 data packet, the second key corresponding to that application identification information, and decrypts the field carrying the application privacy information using the second key;
wherein the first key is distributed by the operator service end to each application client of the application, and corresponds to a second key provided by the operator service end to the application-aware node.
23. The apparatus of claim 22, further comprising:
a receiving unit configured to receive and maintain the first key distributed by the operator service end.
24. The apparatus of claim 22, wherein the application client is a contracted user of an operator.
25. The apparatus of claim 22, further comprising:
and the verification unit is configured to provide the IPv6 data message carrying verification information to the encryption unit.
26. The apparatus of claim 25, wherein the authentication information comprises: CRC codes and/or time stamps.
27. A data message transmission device, disposed at an operator service end, the device comprising:
an allocation unit configured to allocate a first key to each application client of an application and to maintain a correspondence between the first key and application identification information of the application;
a sending unit configured to provide a second key corresponding to the first key and the application identification information to an application-aware node.
28. The apparatus of claim 27, wherein the first key and the second key are the same or are a key pair of each other.
29. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, implements the method of any of claims 1-14.
CN202011506163.9A 2020-12-18 2020-12-18 Data message transmission method and device Active CN112637069B (en)


Publications (2)

Publication Number Publication Date
CN112637069A CN112637069A (en) 2021-04-09
CN112637069B true CN112637069B (en) 2022-05-06


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant