CN112738113A - Organization information label generation method and message transmission method - Google Patents


Info

Publication number: CN112738113A
Application number: CN202011625175.3A
Authority: CN (China)
Prior art keywords: message, organization, trusted, organization information, label
Legal status: Granted; active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112738113B
Inventors: 胡虹雨, 王旸旸, 徐明伟
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Application filed by Tsinghua University; priority to CN202011625175.3A; published as CN112738113A, granted as CN112738113B

Classifications

    • H04L63/126 Network architectures or protocols for network security: applying verification of the source of the received information (under H04L63/00, H04L63/12)
    • H04L45/04 Routing or path finding of packets in data switching networks: interdomain routing, e.g. hierarchical routing (under H04L45/00, H04L45/02 topology update or discovery)
    • H04L45/50 Routing or path finding of packets using label swapping, e.g. multi-protocol label switching (MPLS) (under H04L45/00)
    • H04L69/22 Network arrangements, protocols or services independent of the application payload: parsing or analysis of headers (under H04L69/00)

Abstract

The invention provides a method for generating an organization information label and a message transmission method. In the generation method, a member of a trusted organization alliance generates an organization information label at its own border routing equipment; the members of the trusted organization alliance are organizations that can transmit messages (packets), and the organization information label identifies the source of a message. The organization information label includes a member identification and a periodically changed anti-counterfeiting verification code. Because a label identifying the source information of the message is added, the organization from which the message originated can be traced from the label, and that organization can in turn trace the message to the individual, which resists arbitrary tampering with the message's source IP address by an individual.

Description

Organization information label generation method and message transmission method
Technical Field
The invention relates to the technical field of the Internet, and in particular to a method for generating an organization information label and a message transmission method.
Background
When a parcel is mailed in daily life, it is not enough to write only the addressee on the package and pay the fee; the sender must also be recorded, so that if the package turns out to contain something dangerous (drugs or a bomb, for example) it can be traced back to the mailer from the sender information. For this reason, posting a package requires the sender to show identification and to give a name and contact telephone number. Similarly, on the Internet a message is sent from a "source" to a "destination", and when a network attack or other malicious event occurs, the source of the event or message must be found (tracing), so the source information carried in a network message is very important.
At present the Internet carries very little information representing the source of a message: only the source IP address, and that is very easy to tamper with and forge. Network attacks using forged source IP addresses are common, and because their source is hard to trace they pose a great hidden danger to network security. According to statistics from the Internet observation organization CAIDA, distributed denial-of-service attacks launched with forged source IP addresses occur at least 4000 times per week. When one analyses why the source IP address can be forged, the cause is generally attributed to a weakness of the Internet itself: when forwarding a message, the Internet does not check the source IP address; routing forwards a message according to its destination address only and never checks whether the source IP address is authentic. This is a weakness at the architecture level of the existing, deeply entrenched Internet design; it is difficult to repair at present, and the same problem exists in IPv6.
It is therefore necessary to solve the problem that the source cannot be traced in network attacks that tamper with the source IP address.
Disclosure of Invention
To solve the above problems, the present invention provides a method for generating an organization information label and a method for transmitting a message.
In a first aspect, the present invention provides a method for generating an organization information tag, including:
a member of a trusted organization alliance generates an organization information label using its own border routing equipment, the members of the trusted organization alliance being organizations capable of transmitting messages, and the organization information label being used to identify the source of a message;
wherein the organization information tag includes:
a member identification; and
the anti-counterfeiting verification code is periodically transformed.
According to an embodiment of the present invention, optionally, the member identification is the number of the member within the trusted organization alliance.
In some embodiments, the anti-counterfeiting verification code is a ciphertext produced with the private key of the member.
In some embodiments, the members of the trusted organization alliance include autonomous systems (AS) and/or subnetworks.
The organization information tag further includes:
a security tag and/or a user type tag;
wherein the security label indicates that messages generated by the member and destined for other members have undergone a security check, and the user type label indicates the type of the member that generated the message.
In a second aspect, the present invention provides a packet transmission method, including:
establishing a trusted organization alliance, a first member of which generates an organization information label according to the method of the first aspect;
the first member of the trusted organization alliance attaches its own organization information label to the messages it generates that are destined for other members;
a second member of the trusted organization alliance verifies the organization information label of a message received from the first member;
and if verification passes, the message is a trusted message and the trusted message is forwarded.
In some embodiments, the first member attaching its organization information label to the messages it generates for other members includes:
inserting the organization information label into the IP header of the message in the form of an IPv6 extension header.
In some embodiments, the organization information tag validation comprises:
extracting an organization information label in the message;
determining, from the member identification in the extracted organization information label, the anti-counterfeiting verification code of the first member for the current time period as announced within the trusted organization alliance;
and when the anti-counterfeiting verification code in the extracted organization information label is consistent with the anti-counterfeiting verification code of the current time period, verification passes.
In some embodiments, when the second member is the destination member, forwarding the trusted message includes:
removing the organization information label from the trusted message and forwarding the trusted message to the destination host.
In some embodiments, when the second member is not the destination member, forwarding the trusted message includes:
forwarding the trusted message with its organization information label still attached.
In some embodiments, the border routing equipment includes:
a border router; and
label loading and detection equipment connected to the border router, which generates, loads, verifies and unloads the organization information label.
In some embodiments, the label loading and detection equipment is an OpenFlow switch.
One or more embodiments of the invention have at least the following beneficial effects:
a member of the trusted organization alliance generates an organization information label at its border routing equipment, adding to the message a label that identifies the message's source information; the organization from which the message originated can therefore be traced from the label, that organization can in turn trace the message to the individual, and arbitrary tampering with the message's source IP address by an individual is resisted.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present invention and should not be regarded as limiting its scope, and that a person skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an organization information label format according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of another organization information label format according to an embodiment of the present invention;
fig. 3 is a flowchart of a message transmission method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an application scenario provided in the embodiment of the present invention;
fig. 5 is a schematic diagram of an application scenario for verifying authenticity of a source IP address with assistance of an organization information tag according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
The applicant's analysis of the related art shows that, besides the fact that the Internet does not check the authenticity of the source IP address when forwarding a message, there is another important reason why a network attack cannot be traced: at present much of the information in a message, including the source IP address, is generated on the host side, where the individual has complete control and can modify the message arbitrarily. The information representing the source of a message is thus entirely under the control of the individual, which is very unfavorable for network tracing.
Since only one item of information (the source IP address) represents the source of a message in the network, and it is under the complete control of the individual online user, the current situation is very unfavorable for tracing. To this end, the embodiments of the present invention add "source" information to the message that is controlled by an organization rather than by an individual. The "source" of a message usually means the host or individual corresponding to the message's source IP address; this is fine-grained tracing. If the source IP address is not controlled and cannot be traced back to the individual or host, coarse-grained tracing can be considered instead: the message is traced back to the organization (for example, an AS) from which it was sent, and the individual is then located within the organization by other means.
In view of this, because the source IP address that represents the source of a message is controlled by a person and its authenticity cannot be guaranteed, and to avoid relying on a single item of source information, the embodiments of the present invention add to the message an organization information label that identifies the organization from which the message was sent. The label is added by the border routing equipment of the sending organization and is not under the person's control, so it carries a certain authority and a certain resistance to forgery. From the label the source organization of the message (in the general case the source AS) can be found, and the source of a network attack can then be found within that organization. This has a certain deterrent effect on network attacks and helps reduce attack events in the network. This organization information label is referred to below as a Trustworthy Source Organization Label (TSOL).
The organization information label has at least the following advantages:
(1) The source information of the message is increased. The organization from which a message originated can easily be traced from the trustworthy source organization label, and the individual can then be traced within that organization;
(2) The label is added by an organization and is not controlled by the individual, so it resists arbitrary tampering with the source IP address by an individual. Even if an individual tampers with the source IP address, the organization information label written by the organization remains real, trustworthy and effective;
(3) The label does not affect normal forwarding of the message. Because the added organization information lies outside the source IP address field, neither the source nor the destination address of the message is modified, so its normal routing, sending and receiving are unaffected.
Example one
The embodiment provides a method for generating an organization information tag, which includes:
a member of a trusted organization alliance (TAU) generates an organization information label using its own border routing equipment; the members of the trusted organization alliance are organizations capable of transmitting messages; the organization information label is used to identify the source of a message;
wherein the organization information label includes:
a member identification; and
a periodically changed anti-counterfeiting verification code.
In practical applications the members of the TAU include autonomous systems (AS) and/or subnetworks (networks holding one or more IP prefixes); that is, a TAU may be formed from one or more ASes, from one or more subnetworks, or from a mix of ASes and subnetworks, which this embodiment does not limit. Each member maintains its own unique organization information label (trustworthy source organization label, TSOL) that distinguishes it from other members, cannot be forged by other networks, and identifies the source of a message.
The organization information label has a plaintext part and a ciphertext part. The plaintext part carries the member identification, which in some cases is the member's number within the trusted organization alliance, such as its AS number; it identifies which member the label came from and distinguishes that member from the others. The ciphertext part carries the periodically changed anti-counterfeiting verification code (VC), a ciphertext produced with the member's private key, which prevents the member's label from being forged by other networks. The labels of the members of the TAU are all different, and each label changes as its VC is periodically updated. The label or VC of each member is periodically announced within the TAU, and messages carrying the label are transmitted only within the TAU.
In some embodiments an AS is a member of the TAU (a trusted AS, TA). An AS that wants to join a TAU applies offline and must pass the alliance's check of its trustworthiness. There may be several TAUs in the Internet, and they do not interfere with one another.
In some embodiments the organization information label is inserted into the IP header of the message as an IPv6 extension header. Again taking an AS as a member TA of the TAU, as shown in Fig. 1, the IPv6 extension header consists mainly of two parts:
Part A: the plaintext part, containing the 32-bit AS number of the source member TA that generated the message. It identifies which AS sent the message, and the destination member TA or an intermediate member TA (a non-destination member) that receives the message uses the AS number to look up the VC announced within the TAU for that member.
Part B: the ciphertext part, containing a 32-bit, periodically changed ciphertext produced with the private key of the source member TA. It is equivalent to a signature exclusive to that member and is periodically updated; this ciphertext is the anti-counterfeiting verification code VC.
Together, Parts A and B identify the source organization of a message. Within the TAU, whatever the source IP address in the message, the label allows the source of the message, i.e. the source member TA (the AS that generated it), to be traced, which solves the problem that a message cannot be traced once its source IP address has been tampered with.
The authenticity, reliability and forgery resistance of the organization information label are the basis of its practical application, so they are analysed as follows:
(1) The label is generated by the border routing equipment of the member TA, is not under the individual's control and is not easily tampered with. The member TA is an audited, trusted organization, and stamping the label onto a message is an organizational act that the individual cannot control; if an individual forges a label, the border routing equipment of the AS can overwrite the forged label once it is discovered, or discard the message. Compared with the source IP address (which an individual can falsify), the label is therefore safer and more authentic.
(2) The label is transmitted only within the TAU. A member TA does not add the label to messages sent to non-members, so a non-member cannot obtain a member's TSOL and therefore cannot forge it.
(3) The label appears only on the backbone network and is generally not available to host terminals. It is loaded at the border routing equipment of the source member TA and unloaded at the border routing equipment of the destination member TA, so it does not reach the host, which reduces the chance of a host obtaining and forging it.
(4) If, despite the above, a label is nevertheless intercepted and forged, Part B (the VC) strengthens its forgery resistance. The VC is an encrypted random number that changes periodically. On the one hand, the periodic change of the VC effectively reduces replay of the label. On the other hand, the VC is a ciphertext produced with the private key of the source member TA and can be decrypted with the public key that the member announces within the TAU; encrypting with the private key and decrypting with the public key authenticates the source member TA, and no other organization can produce a ciphertext under that member's private key, so the VC can be generated only by the sender (the source member TA) and is resistant to forgery.
In some cases the organization information label can also prove other properties of the message, for example that it has undergone a source IP address validation check or another security check, or that it comes from an education network or an education user; such properties can be used for subsequent routing control and routing optimization. Thus, in some embodiments, the organization information label may further include:
a security label and/or a user type label;
the security label indicates that messages generated by the member and destined for other members have undergone a security check, and the user type label indicates the type of the member that generated the message.
In some embodiments the security label is an SAV (Source Address Validation) label, indicating that the message has passed the source IP address validation check of its AS and that its source IP address is real. In some cases the security label can be another security-check label indicating that the message has passed other checks of the AS, such as an ingress/egress filtering check or a uRPF check. Messages that have passed a security check can be given a certain routing preference, for example access to websites with a higher security level, which helps promote the deployment and use of such checks.
In some embodiments the user type label may be an education network user label, a bank user label, a cloud provider user label, a government user label, and so on. Routing can be controlled to some extent according to the user type label; for example, users of an education network can be allowed access to foreign academic websites.
There can be many derived labels such as security labels and user type labels. To avoid Maximum Transmission Unit (MTU) problems caused by an overly long message, each member TA may choose to add one derived label to a message, or two or three. With one derived label, either a security label or a user type label is added to the organization information label alongside the member identification and the periodically changed VC; with two, one security label and one user type label can be added, or two security labels of different types, and so on.
Trusted derived labels such as the security label and the user type label can be embedded in the message header as Part C in Fig. 2. The value of a derived label may be designed with reference to the TLV format, where T is the type of the derived label, L its length and V its value.
In summary, the organization information label of this embodiment has at least the following features:
(1) the label is trustworthy and resistant to forgery;
(2) the label is lightweight;
(3) the label changes the Internet architecture: the border routing equipment of a trusted organization alliance member adds the label to the message, so the content of the message is no longer determined solely by the person and gains trustworthy source information, which can remedy a security defect of the current Internet architecture;
(4) uses of the label: it can be used for trust-level evaluation of trusted organization alliance members (such as autonomous systems), source IP address validation, tracing of network attack events, trusted source organizations, the light Internet, construction of important network facilities, and so on.
Example two
Fig. 3 shows a flow chart of a message transmission method, and as shown in fig. 3, this embodiment provides a message transmission method, including:
step S110, a trusted organization alliance is established, and a first member in the trusted organization alliance generates an organization information tag according to the method of the first embodiment.
In some embodiments, there may be multiple federation of trusted organizations in the internet, without interfering with each other. The members of the trusted organization association TAU include autonomous domains AS and/or subnetworks (networks with one or more IP prefixes), that is, the trusted organization association TAU may be formed by one or more autonomous domains AS members, one or more subnetworks AS members, one or more autonomous domains AS members, and one or more subnetworks AS members, which is not limited in this embodiment. Each member maintains a unique organization information tag (trusted source organization member tag TSOL) that identifies itself from other members and that other networks cannot counterfeit, and that identifies the source of the message. If a certain autonomous domain AS wants to join the TAU, an offline application is required, and the AS passes the credible qualification verification of the TAU.
Step S120, the first member in the trusted organization alliance loads the message which is generated by the first member and is sent to other members with the organization information label of the first member.
The source member that generates messages to other members is the first member, which may be any member of the trusted group alliance TAU. And each member marks the organization information label of the member on the boundary routing equipment of the member, wherein the messages generated by the member and destined to other members.
The organization information labels of each member of the trusted organization alliance TAU are different, and the organization information labels are changed along with the periodic update of the anti-counterfeiting verification codes VC. The organization information label or the anti-counterfeiting verification code VC of each member is periodically announced in the trusted organization alliance TUA, and the message carrying the organization information label is only transmitted in the trusted organization alliance TAU.
In some embodiments, the organization information label comprises a member identification and a periodically transformed anti-counterfeiting verification code. The first member in the trusted organization alliance TAU loads the messages it generates and destines to other members with its organization information label as follows:
inserting the organization information label into the IP header of the message in the form of an IPv6 extension header.
Taking an autonomous domain AS as a member TA of the trusted organization alliance TAU, as shown in fig. 1, the IPv6 extension header mainly includes the following two parts:
Part A: the plaintext part, comprising the 32-bit AS number of the source member TA that generated the message. It identifies which autonomous domain AS sent the message, and a destination member TA or an intermediate member TA (non-destination member TA) receiving the message uses the AS number to look up the anti-counterfeiting verification code announced in the trusted organization alliance TAU for the member TA with that AS number.
Part B: the ciphertext part, comprising a periodically transformed 32-bit ciphertext encrypted with the private key of the source member TA. It is equivalent to an exclusive, periodically updated signature of that member TA, and this ciphertext is the anti-counterfeiting verification code VC.
The combination of part A and part B identifies the source organization of a message. Within the trusted organization alliance TAU, the organization information label allows the source of a message, namely the source member TA (the autonomous domain AS or other organization that generated it), to be traced regardless of whether the source IP address in the message is genuine, so the problem that the source cannot be traced when the source IP address has been tampered with is solved.
In other embodiments, the organization information tag may further include:
a security tag and/or a user type tag;
the security label is used for indicating that messages generated by the member and destined to other members are subjected to security check; the user type tag is used to indicate the type of member that generated the message.
The formats of trusted derivative tags such as security tag, user type tag, etc. may be embedded in the header of the message in the form of part C in fig. 2. The value of the derivative tag may be designed with reference to TLV format, T representing the type of the derivative tag, L representing the length of the derivative tag, and V representing the value of the derivative tag.
Step S130, the second member in the trusted organization alliance performs organization information label verification on the message from the first member.
The member that receives the message is the second member, so the second member may be any member of the trusted organization alliance TAU.
In step S130, the second member in the trusted organization alliance performs organization information label verification on the message from the first member, that is, checks whether the organization information label is "true" or "false", which includes:
Step S130-1, extracting the organization information label from the message.
Step S130-2, according to the member identification in the extracted organization information label, determining the anti-counterfeiting verification code of the first member for the current time period as announced in the trusted organization alliance.
Specifically, the AS number is first extracted from the plaintext part (the first 32 bits) of the organization information label; then the anti-counterfeiting verification code VC for the current time period, announced in advance by that autonomous domain in the trusted organization alliance TAU, is looked up according to the AS number.
Step S130-3, when the anti-counterfeiting verification code in the extracted organization information label is consistent with the anti-counterfeiting verification code of the current time period, the verification is passed.
Step S140, if the verification is passed, the message is a trusted message, and the trusted message is forwarded.
Step S150, if the verification fails, the message is discarded.
Specifically, if the anti-counterfeiting verification code VC in the ciphertext part (the last 32 bits) of the organization information label in the message is consistent with the anti-counterfeiting verification code VC of the current time period, the organization information label is true and the verification is passed; otherwise the organization information label is false, the verification is not passed, the source of the message is not trusted, the source IP address is also not trusted, and the message is intercepted.
It should be understood that, although the steps in the flowchart of fig. 3 are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not restricted to the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in fig. 3 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In practical application, after adding the organization information label to the message, the message carrying the organization information label is routed in the network and finally reaches the destination. In the routing process of the message, the router of each member can check the organization information label in the message.
If the organization information label in the message is verified to be true, the message really comes from the source member (the organization that generated the message) identified by the label. Because the source of the message is determined, the message is easy to trace: if the message is found to be related to a network attack, the source of the message (the organization that generated it) can be traced, and the host or user that initiated the attack can be further located using the organization's internal management means. Because the source of a message is easy to find, launching network attacks within the trusted organization alliance TAU is discouraged, and the risk of network attacks is greatly reduced. Meanwhile, the source organization has passed the offline trust investigation and has a certain credibility, so the messages it sends also have a certain credibility, and a trusted message carrying an organization information label can obtain subsequent forwarding service/network service.
If the organization information label is not verified to be true, the organization information label of the message has been forged or tampered with, the message does not come from the source member TA identified in the label, and the source of the message is therefore not genuine (or the message does not come from where it claims). The router that finds the organization information label to be false can immediately discard the message, so a network attack event can be discovered and blocked early, and network resources are saved.
Because the organization information label has strong anti-counterfeiting properties and the probability that the organization information label is false is very small, a message carrying an organization information label is easier to trace and more trustworthy than one without, and network equipment can choose to provide better network service to messages carrying an organization information label. The implementation of the organization information label is therefore helpful in encouraging more organizations, such as autonomous systems (AS), to join a trusted organization alliance (TAU). As the trusted organization alliance TAU expands and more and more trusted messages carrying organization information labels appear in the network, there are fewer and fewer messages with counterfeit sources, which helps to reduce network attack events, purify the network environment and improve network security.
When the destination IP address of a message belongs to a certain member TA, that member TA is called the destination member TA. When a message carrying an organization information label reaches the border of the destination member TA, the border routing equipment of the destination member TA verifies the authenticity of the label: if the label is true, the message is trusted and continues to be forwarded; if it is not true, the border routing equipment of the destination member TA discards the message. In practice, a host operating system that has not been updated or upgraded may not recognize the organization information label, and leaving the label in the message would affect the host's processing of the message; therefore the border routing equipment of the destination member TA may remove the organization information label from the verified message and forward the message, with the label removed, to the destination host. Thus, in some embodiments, when the second member receiving the message is the destination member, forwarding the trusted message includes: removing the organization information label from the trusted message, and forwarding the trusted message to the destination host.
A non-destination member only forwards the message during routing; when the router of a non-destination member receives and forwards a message carrying an organization information label, it can also verify the label. If the label is true, the source of the message is trusted and the message continues to be forwarded; if it is not true, the source is not trusted and the router can discard the message. In this way a problem with the source of the message can be discovered during forwarding, before the message reaches the destination member, so the message can be blocked early, the network attack event is stopped in advance, attack traffic is reduced, and network bandwidth resources are protected. Thus, in some embodiments, when the second member is a non-destination member, forwarding the trusted message includes: forwarding the trusted message with the organization information label still attached.
In the message transmission method of this embodiment, a first member in a trusted organization alliance generates an organization information label and, during message transmission, loads the messages it generates and destines to other members with that label; the second member verifies the organization information label of the message from the first member, a message that passes verification is a trusted message and continues to be forwarded until it reaches the destination member, where the verified label is removed before the message is forwarded to the destination host. Through this message transmission, network attack behaviors such as tampering with the source IP address can be discovered promptly during transmission, the source organization that generated the message can be accurately traced, and the host within the domain of the source organization that tampered with the address can be further determined.
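The tag layout of parts A, B and C and the verification and forwarding steps S130 to S150 described above, as an added example that is not part of the patent. The VC derivation (an HMAC truncated to 32 bits standing in for the private-key ciphertext), the derivative-tag type codes, and the sample AS number, secret and period are assumptions; the Next Header and length bytes of the IPv6 extension header are omitted.

```python
import hashlib
import hmac
import struct

# Assumed numeric codes for part C derivative tags; the patent names the
# tags but fixes no codes. Type 0 is reserved here for padding.
TAG_TYPE_SECURITY = 1    # SAV / security tag
TAG_TYPE_USER_TYPE = 2   # user type tag (e.g. educational network user)


def compute_vc(member_secret: bytes, period: int) -> int:
    """Assumed VC derivation. The patent only says the VC is a 32-bit
    private-key ciphertext refreshed every period; an HMAC-SHA256 over the
    period counter, truncated to 32 bits, stands in for it here."""
    mac = hmac.new(member_secret, struct.pack("!Q", period), hashlib.sha256).digest()
    return struct.unpack("!I", mac[:4])[0]


def build_tag(as_number: int, vc: int, derivatives=()) -> bytes:
    """Part A (32-bit AS number) + part B (32-bit VC) + part C (TLV derivative
    tags), zero-padded to a multiple of 8 octets as IPv6 extension headers
    require. derivatives is an iterable of (type, value-bytes) pairs."""
    tag = struct.pack("!II", as_number, vc)
    for tag_type, value in derivatives:
        tag += struct.pack("!BB", tag_type, len(value)) + value
    return tag + b"\x00" * ((-len(tag)) % 8)


def parse_tag(tag: bytes):
    """Split a tag into (as_number, vc, [(type, value), ...]).
    Raises ValueError on a truncated or malformed tag."""
    if len(tag) < 8:
        raise ValueError("tag too short")
    as_number, vc = struct.unpack("!II", tag[:8])
    derivatives, pos = [], 8
    while pos < len(tag):
        tag_type = tag[pos]
        if tag_type == 0:                      # padding octet
            pos += 1
            continue
        if pos + 2 > len(tag):
            raise ValueError("truncated TLV header")
        length = tag[pos + 1]
        value = tag[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        derivatives.append((tag_type, value))
        pos += 2 + length
    return as_number, vc, derivatives


def verify_tag(tag: bytes, announced_vc: dict):
    """Steps S130-1 to S130-3 at the second member.
    announced_vc maps AS number -> VC announced in the TAU for the current
    period. Returns (verdict, as_number); an AS that is not in the member
    list has no announced VC, so its tag is necessarily false."""
    try:
        as_number, vc, _ = parse_tag(tag)
    except ValueError:
        return False, None
    expected = announced_vc.get(as_number)
    if expected is None:
        return False, as_number
    ok = hmac.compare_digest(struct.pack("!I", vc), struct.pack("!I", expected))
    return ok, as_number


def process_at_member(packet: dict, announced_vc: dict, is_destination: bool) -> dict:
    """Steps S130 to S150: drop on a missing or false tag; at the destination
    member strip the tag before handing the message to the host; at a
    non-destination member forward it with the tag still attached."""
    if packet.get("tag") is None:
        return {"action": "drop", "reason": "no organization information tag"}
    ok, as_number = verify_tag(packet["tag"], announced_vc)
    if not ok:
        return {"action": "drop", "reason": "tag false for AS %s" % as_number}
    if is_destination:
        return {"action": "deliver", "source_as": as_number,
                "packet": dict(packet, tag=None)}
    return {"action": "forward", "source_as": as_number, "packet": packet}


if __name__ == "__main__":
    # Constructed sample: AS 64500 is a TAU member and period 42 is current.
    secret = b"constructed-member-secret"
    current_vc = compute_vc(secret, 42)
    announced = {64500: current_vc}
    tag = build_tag(64500, current_vc, [(TAG_TYPE_SECURITY, b"\x01")])
    pkt = {"src": "2001:db8:1::10", "tag": tag, "payload": b"hello"}
    print(process_at_member(pkt, announced, is_destination=False)["action"])  # forward
    print(process_at_member(pkt, announced, is_destination=True)["action"])   # deliver
    stale = build_tag(64500, compute_vc(secret, 41))   # last period's VC replayed
    print(process_at_member(dict(pkt, tag=stale), announced, True)["action"])  # drop
```

The stale-tag case shows why the announced VC must be keyed to the current period: a label captured in an earlier period fails step S130-3 and is dropped.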
Example three
In this embodiment, an application scenario is provided in conjunction with fig. 4:
The autonomous domains AS1, AS3 and AS4 form a trusted organization alliance TAU offline. The trusted source organization label TSOL (organization information label) of the autonomous domain AS1 is stamped on messages sent by AS1 to AS3, whereas messages sent by AS1 to AS5 (not a member TA of the trusted organization alliance TAU) do not carry the trusted source organization label TSOL, and messages sent by AS6 (not a member TA of the trusted organization alliance TAU) to AS3 do not carry a trusted source organization label TSOL either. The autonomous domains AS1, AS3 and AS4 each maintain their own trusted source organization label TSOL; the anti-counterfeiting verification code VC in each TSOL changes periodically, and the TSOLs are announced within the trusted organization alliance TAU periodically.
Example four
In this embodiment, an application scenario in which the authenticity of a source IP address is verified with the help of the organization information label is provided in conjunction with fig. 5:
Counterfeit case 1: a host inside the trusted organization alliance TAU impersonates the IP address of another member TA.
In fig. 5, a message is sent from the autonomous domain AS1 in the trusted organization alliance TAU, but the source IP address of the message does not belong to AS1. When the host's message leaves AS1, the border routing equipment loads it with the trusted source organization label TSOL of AS1. The destination member TA first checks the TSOL (including the AS number and the anti-counterfeiting verification code VC); if the TSOL is false, the source of the message is not trusted and the message is discarded. If the TSOL is verified to be true, the consistency between the source IP address and the AS number is then checked through the Resource Public Key Infrastructure (RPKI) system; if the source IP address and the AS number are not consistent, the source IP address is judged to be forged, and the message can be intercepted.
Counterfeit case 2: a host outside the trusted organization alliance TAU impersonates the source IP address of a member TA inside the trusted organization alliance TAU.
In fig. 5, a message is sent from the autonomous domain AS6, which is not a member of the trusted organization alliance TAU, and the source IP address of the message does not belong to AS6; instead, a source IP address of the autonomous domain AS1, which is a member of the trusted organization alliance TAU, is forged. Because the trusted source organization label TSOL of the member TA that owns the forged source IP address is unknown to hosts outside the trusted organization alliance TAU, the message either carries no TSOL of AS1 or does not carry the correct TSOL of AS1. AS1 is a member of the trusted organization alliance TAU, so messages sent from it should carry the correct TSOL of AS1. If the message does not carry the TSOL of AS1, or does not carry the correct TSOL of AS1, the message source header is determined to be untrusted, the source IP address is also not trusted, and the message can be intercepted.
From the analysis of the two counterfeit cases it can be seen that the source IP addresses of members of the trusted organization alliance TAU cannot be counterfeited, while source IP addresses of non-members of the trusted organization alliance TAU can still be counterfeited. The trusted source organization label TSOL therefore effectively protects the alliance members; an autonomous domain AS that joins the trusted organization alliance TAU obtains a benefit, which to a certain extent stimulates deployment of the scheme and expansion of the trusted organization alliance TAU, and the risk of network attacks is greatly reduced.
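The border decision for the two counterfeit cases above, as an added example that is not part of the patent. A small prefix table stands in for the RPKI data the patent consults; the AS numbers, prefixes and announced VC values are constructed, and the label is just the 8-byte part A + part B of Example two.

```python
import ipaddress
import struct

# Constructed stand-in for the RPKI data the patent consults: the IPv6
# prefixes each TAU member AS is authorised to originate (ROA-like records).
# AS numbers are private-range placeholders for AS1, AS3 and AS4 of fig. 5.
MEMBER_PREFIXES = {
    64501: [ipaddress.ip_network("2001:db8:1::/48")],   # AS1
    64503: [ipaddress.ip_network("2001:db8:3::/48")],   # AS3
    64504: [ipaddress.ip_network("2001:db8:4::/48")],   # AS4
}
# VCs announced in the TAU for the current period (constructed values).
ANNOUNCED_VC = {64501: 0x1A2B3C4D, 64503: 0x5E6F7081, 64504: 0x92A3B4C5}


def make_tag(as_number: int, vc: int) -> bytes:
    """Part A (32-bit AS number) followed by part B (32-bit VC)."""
    return struct.pack("!II", as_number, vc)


def tag_is_true(tag: bytes, announced_vc: dict):
    """Step S130: compare part B with the VC announced for the AS in part A."""
    if len(tag) < 8:
        return False, None
    as_number, vc = struct.unpack("!II", tag[:8])
    return announced_vc.get(as_number) == vc, as_number


def owner_of(src_ip: str, member_prefixes: dict):
    """AS number of the TAU member whose prefix covers src_ip, or None if the
    address belongs to no member (i.e. the source is outside the TAU)."""
    addr = ipaddress.ip_address(src_ip)
    for as_number, prefixes in member_prefixes.items():
        if any(addr in prefix for prefix in prefixes):
            return as_number
    return None


def check_source(src_ip: str, tag, announced_vc=ANNOUNCED_VC,
                 member_prefixes=MEMBER_PREFIXES) -> str:
    """Decision taken at a member's border for one incoming message.

    Returns 'accept' (true tag, source IP consistent with the AS),
    'accept-untagged' (source outside the TAU, no tag expected),
    'drop-false-tag', 'drop-forged-ip' (case 1) or 'drop-missing-tag' (case 2).
    """
    if tag is not None:
        ok, as_number = tag_is_true(tag, announced_vc)
        if not ok:
            return "drop-false-tag"
        # Case 1: the tag is genuine, so the message really left the border
        # of as_number; the source IP must then fall in that AS's prefixes.
        if owner_of(src_ip, member_prefixes) != as_number:
            return "drop-forged-ip"
        return "accept"
    # Case 2: no tag, yet the source IP belongs to a TAU member. A message
    # really sent by that member would have been tagged at its border, so
    # the source header is not trusted.
    if owner_of(src_ip, member_prefixes) is not None:
        return "drop-missing-tag"
    return "accept-untagged"


if __name__ == "__main__":
    as1_tag = make_tag(64501, ANNOUNCED_VC[64501])
    print(check_source("2001:db8:1::5", as1_tag))        # accept
    print(check_source("2001:db8:3::7", as1_tag))        # drop-forged-ip
    print(check_source("2001:db8:1::5", None))           # drop-missing-tag
    print(check_source("2001:db8:6::1", None))           # accept-untagged
```

Note that a genuine label only proves which member's border the message crossed; the prefix check is what ties the source address to that member, which is why case 1 needs both.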
Example five
In this embodiment, routing optimization is performed on messages with the help of an organization information label that includes a member identification, a periodically transformed anti-counterfeiting verification code and a derivative label (a security label, a user type label, etc.); the security label may be an SAV label:
If a message carries the member identification, the periodically transformed anti-counterfeiting verification code and a derivative label, and passes the consistency check (source IP address, AS number, anti-counterfeiting verification code VC), the message can be granted a 'privilege':
(1) A message carrying an SAV label (security label) as a derivative label indicates that the message has passed host-granularity source IP address verification in the originating autonomous domain. Such messages can access websites with a higher security level, such as national government websites;
(2) A message carrying an educational network user label (user type label) indicates that the message belongs to an educational network user. Such messages can access more foreign websites, such as Google Scholar;
Granting certain routing optimizations or access privileges to messages carrying a genuine organization information label can stimulate the deployment of detection schemes (such as SAV technology), and can stimulate the deployment and expansion of the trusted organization alliance.
Example six
In this embodiment, an implementation of the present invention is explained:
The method of the invention requires the border routing equipment of the source member TA to stamp the organization information label onto messages leaving that member TA, requires the border routing equipment of the destination member TA to check the organization information label and remove it from the message, and requires intermediate routing equipment to check the organization information label. When designing border routing equipment that supports the trusted source organization label TSOL, an OVS (OpenFlow virtual switch) acting as the label loading and checking device can be hung beside the existing network router to support the generation, loading, verification, removal and other operations of the TSOL, without affecting the existing functions of the existing border router.
When the border router of the source member TA is modified to support the trusted source organization label TSOL function, a label loading and checking device can be hung beside the border router of the source TA, and outgoing traffic whose source IP address belongs to the autonomous domain is forwarded to the label loading and checking device. Thus, in some embodiments, border routing equipment comprises:
a border router; and
a label loading and checking device, connected to the border router and used to implement the generation, loading, verification and removal of the organization information label.
In some cases, the border router is the existing border router in the domain, and the label loading and checking device may be an OpenFlow switch hung beside the existing border router, or an OpenFlow virtual switch (OVS). It receives control instructions from the OpenFlow Controller in the domain, including updates of: the latest member list of the trusted organization alliance TAU, the latest anti-counterfeiting verification codes VC of the TAU members, the latest address prefix information of the TAU members, and so on. Under the control instructions of the in-domain Controller, the label loading and checking device generates the organization information label and loads (stamps) it onto messages, verifies the organization information label of arriving messages, and can also remove the organization information label from messages.
In some cases, the border router generates a message, the OpenFlow switch generates the organization information label and loads it into the message, and the border router sends out the message carrying the label. When the message reaches a non-destination member in the trusted organization alliance, the border router of the non-destination member receives it, the OpenFlow switch hung beside that border router verifies the organization information label, and after verification passes the border router of the non-destination member continues to forward the message. When the message carrying the organization information label reaches the destination member, the border router of the destination member receives it, the OpenFlow switch hung beside that border router verifies the organization information label, the label is removed after verification passes, and the border router of the destination member then forwards the message, which no longer carries the label, to the destination host. In this way the existing functions of the existing border router are not affected, messages are forwarded normally, message transmission based on the organization information label is realized, and the problem that the source cannot be traced because the source IP address has been forged is solved.
In the embodiments provided in the present invention, it should be understood that the disclosed system and method can be implemented in other ways. The system and method embodiments described above are merely illustrative.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Although the embodiments of the present invention have been described above, the above descriptions are only for the convenience of understanding the present invention, and are not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (12)

1. A method for generating an organization information tag, comprising:
the method comprises the steps that members in a trusted organization alliance generate organization information labels by utilizing boundary routing equipment of the members, wherein the members in the trusted organization alliance are organizations capable of transmitting messages; the organization information label is used for identifying the source of the message;
wherein the organization information tag includes:
a member identification; and
the anti-counterfeiting verification code is periodically transformed.
2. The method of claim 1, wherein the member identifier is a member number in the trusted organization alliance.
3. The method of claim 1, wherein the anti-counterfeit validation code is a ciphertext encrypted according to a private key of the member.
4. The method of claim 1, wherein the member of the trusted organization federation comprises an autonomous domain and/or a subnet.
5. The method of generating an organization information tag according to claim 1, wherein the organization information tag further comprises:
a security tag and/or a user type tag;
wherein the security label is used for indicating that messages generated by the member and destined to other members are subjected to security check; the user type label is used for indicating the type of the member generating the message.
6. A method for packet transmission, comprising:
establishing a trusted organization federation, a first member of the trusted organization federation generating an organization information tag according to the method of any one of claims 1 to 5;
a first member in the trusted organization alliance loads the message which is generated by the first member and is sent to other members with an organization information label of the first member;
the second member in the trusted organization alliance carries out organization information label verification on the message from the first member;
and if the verification is passed, the message is a credible message, and the credible message is forwarded.
7. The message transmission method according to claim 6, wherein the loading, by the first member in the trusted organization alliance, the message generated by the first member and destined to the other members with the organization information tag of the first member includes:
and inserting the organization information label into the IP header of the message in the form of an IPv6 extension header.
8. The message transmission method according to claim 6, wherein the organization information tag verification comprises:
extracting an organization information label in the message;
determining the anti-counterfeiting verification code of the first member in the current time period announced in the trusted organization alliance according to the member identification in the extracted organization information label;
and when the anti-counterfeiting verification code in the extracted organization information label is consistent with the anti-counterfeiting verification code in the current time period, the verification is passed.
9. The message transmission method according to claim 6, wherein the forwarding the trusted message when the second member is a destination member includes:
and removing the organization information label in the trusted message, and forwarding the trusted message to a destination host.
10. The message transmission method according to claim 6, wherein when the second member is a non-destination member, the forwarding the trusted message includes:
and forwarding the credible message carrying the organization information label.
11. The message transmission method according to claim 6, wherein the border routing device comprises:
a border router; and
and the label loading and detecting equipment is connected with the boundary router and is used for realizing the generation, loading, verification and unloading of the organization information label.
12. The message transmission method according to claim 11, wherein the label loading and detecting device is an OpenFlow switch.
CN202011625175.3A 2020-12-31 2020-12-31 Organization information label generation method and message transmission method Active CN112738113B (en)

Publications (2)

Publication Number Publication Date
CN112738113A true CN112738113A (en) 2021-04-30
CN112738113B CN112738113B (en) 2022-04-01

