CN113037684A - VxLan tunnel authentication method, device and system and gateway - Google Patents
- Publication number: CN113037684A (application number CN201911341457.8A)
- Authority: CN (China)
- Prior art keywords: authentication, vxlan, tunnel, data packet, vcpe
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The disclosure provides a virtual extensible local area network (VxLan) tunnel authentication method, device, system and gateway, and relates to the technical field of computer networks. The VxLan tunnel authentication method of the invention comprises the following steps: when the virtual enterprise gateway (vCPE) determines that the IP address carried by the VxLan tunnel is not within the preconfigured range, it sends a VxLan challenge data packet to the CPE at the opposite end of the tunnel; the vCPE receives the VxLan challenge response data packet, records the VxLan tunnel identifier, randomly generates an authentication plaintext, and feeds the authentication plaintext back to the CPE in a VxLan authentication data packet; the vCPE looks up the tunnel password by the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet with the tunnel password, and obtains the decrypted authentication ciphertext; the decrypted authentication ciphertext is matched against the authentication plaintext, and if they match, authentication success is fed back to the CPE. In this way the vCPE can effectively authenticate and identify the CPE, the complexity of the system is greatly reduced, and authentication security is improved.
Description
Technical Field
The present disclosure relates to the field of computer network technologies, and in particular, to a VxLan (Virtual Extensible LAN) tunnel authentication method, apparatus, system, and gateway.
Background
The VxLan tunnel is a peer-to-peer tunnel technology: the protocol design makes no distinction between an initiator and a responder, and communication is established by configuring the VxLan tunnel parameters of both ends on the VTEPs at the two ends. VxLan tunnels were first applied in IDC machine rooms and cloud resource pools to solve problems such as VLAN resource exhaustion and virtual machine migration, and, unlike other tunnel technologies such as IPSec and L2TP, no authentication or identification functions were added. Because of advantages such as a good overlay model, light weight and ease of deployment, VxLan is currently receiving more and more attention and application in the Internet field.
Disclosure of Invention
An object of the present disclosure is to provide an authentication identification scheme for a VxLan tunnel.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication method is proposed, including: when the virtual enterprise gateway vCPE determines that the IP address carried by the VxLan tunnel is not within the preconfigured range, it sends a VxLan challenge data packet to the CPE at the opposite end of the tunnel, so that the CPE generates, from the VxLan challenge data packet, a VxLan challenge response data packet carrying the VxLan tunnel identifier; the vCPE receives the VxLan challenge response data packet, records the VxLan tunnel identifier, randomly generates an authentication plaintext and feeds it back to the CPE in a VxLan authentication data packet, so that the CPE encrypts the authentication plaintext using the tunnel password as the key, generates an authentication ciphertext and feeds it back to the vCPE in a VxLan authentication response data packet; the vCPE looks up the tunnel password by the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet with the tunnel password, and obtains the decrypted authentication ciphertext; the decrypted authentication ciphertext is matched against the authentication plaintext, and if they match, authentication success is fed back to the CPE; if authentication fails, the tunnel is closed.
In some embodiments, the VxLan tunnel authentication method further comprises: the vCPE receives a VxLan data packet from the CPE and obtains the IP address carried by the VxLan tunnel.
In some embodiments, the VNI field of the VxLan challenge packet is a predetermined value, so that the CPE generates the VxLan challenge response packet when it determines that the VNI field equals the predetermined value.
In some embodiments, the VxLan challenge-response packet carries a VxLan tunnel identification through the VNI field; the VxLan authentication data packet carries authentication plaintext through a VNI field; the VxLan authentication response data packet carries an authentication ciphertext through a VNI field.
In some embodiments, the tunnel identification, authentication plaintext, and authentication ciphertext are 24 bits in length.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication method is proposed, including: when the CPE receives a VxLan challenge data packet from the vCPE, it generates a VxLan challenge response data packet carrying the VxLan tunnel identifier, so that after receiving the VxLan challenge response data packet the vCPE randomly generates an authentication plaintext, carries it in the VNI of a VxLan authentication data packet and feeds it back to the CPE; the CPE receives the VxLan authentication data packet, encrypts the authentication plaintext using the tunnel password as the key, generates an authentication ciphertext, carries it in the VNI of a VxLan authentication response data packet and feeds it back to the vCPE, so that the vCPE looks up the tunnel password by the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet with the tunnel password, obtains the decrypted authentication ciphertext and matches it against the authentication plaintext; authentication is determined to be successful when an authentication success message fed back by the vCPE is received; if the tunnel is closed, authentication is determined to have failed.
In some embodiments, the VxLan tunnel authentication method further includes: sending a VxLan data packet to the vCPE so that the vCPE can obtain the IP address carried by the VxLan tunnel, wherein the vCPE sends the VxLan challenge data packet to the CPE at the opposite end of the tunnel when it determines that the IP address carried by the VxLan tunnel is not within the preconfigured range.
In some embodiments, the VxLan tunnel authentication method further comprises: when the CPE receives a data packet from the vCPE, it reads the VNI field, and if the VNI field equals the preset value, the received data packet is determined to be the VxLan challenge data packet.
In some embodiments, the VxLan challenge-response packet carries a VxLan tunnel identification through the VNI field; the VxLan authentication data packet carries authentication plaintext through a VNI field; the VxLan authentication response data packet carries an authentication ciphertext through a VNI field.
In some embodiments, the tunnel identification, authentication plaintext, and authentication ciphertext are 24 bits in length.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication method is proposed, including: any of the VxLan tunnel authentication methods mentioned above as performed by the vCPE; and any of the VxLan tunnel authentication methods mentioned above as performed by the CPE.
By the method, the CPE and the vCPE can effectively realize the authentication and identification of the vCPE to the CPE without adding an additional authentication protocol in the VxLan message or depending on other controllers, and the complexity of the system is greatly simplified; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
According to an aspect of some embodiments of the present disclosure, there is provided a VxLan tunnel authentication apparatus, including: a memory; and a processor coupled to the memory, the processor configured to perform any of the virtual extensible local area network tunnel authentication methods above based on instructions stored in the memory.
The authentication device can effectively realize the authentication and identification of the vCPE to the CPE without adding an additional authentication protocol in the VxLan message or depending on other controllers, thereby greatly simplifying the complexity of the system; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
According to an aspect of some embodiments of the present disclosure, a computer-readable storage medium is proposed, on which computer program instructions are stored, which instructions, when executed by a processor, implement the steps of any of the virtual extended local area network tunnel authentication methods above.
By executing the instruction on the computer-readable storage medium, the authentication and identification of the vCPE to the CPE can be effectively realized without adding an additional authentication protocol in the VxLan message and without depending on other controllers, and the complexity of the system is greatly simplified; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication system is proposed, including: CPE and vCPE; the CPE and the vCPE are configured to perform any of the virtual extended local area network tunnel authentication methods described above.
The VxLan tunnel authentication system can effectively realize the authentication and identification of the vCPE to the CPE without adding an additional authentication protocol in the VxLan message or depending on other controllers, thereby greatly simplifying the complexity of the system; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure. In the drawings:
Fig. 1 is a flowchart of some embodiments of a VxLan tunnel authentication method of the present disclosure.
Fig. 2 is a flowchart of other embodiments of the VxLan tunnel authentication method of the present disclosure.
Fig. 3 is a schematic diagram of some embodiments of a data packet in the VxLan tunnel authentication method according to the present disclosure.
Fig. 4 is a signaling flow diagram of some embodiments of a VxLan tunnel authentication method of the present disclosure.
Fig. 5 is a schematic diagram of some embodiments of a VxLan tunnel authentication device of the present disclosure.
Fig. 6 is a schematic diagram of other embodiments of the VxLan tunnel authentication device of the present disclosure.
Fig. 7 is a schematic diagram of some embodiments of a VxLan tunnel authentication system of the present disclosure.
Detailed Description
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
In the operating environment of the vCPE, the CPE side is generally the active initiator of tunnel data. At present the network access IP addresses of the CPEs of many small and medium-sized enterprise customers are not fixed: when, for example, the CPE restarts, devices such as the BRAS may reallocate its IP address, yet a VxLan tunnel requires the IP addresses of the VTEPs (VxLan Tunnel Endpoints) on both sides to be preconfigured. Common practice is to perform dynamic configuration through a controller such as an SDN-C (Software Defined Network Controller).
The vCPE is usually deployed at an edge node of the Internet, and the traffic of the CPE side is steered to the vCPE through a tunnel technology. VxLan tunnel technology is receiving more and more attention because of characteristics such as a good overlay model and ease of deployment; however, the CPEs of small and medium-sized enterprises rarely have fixed public IP addresses, and because VxLan is a peer-to-peer tunnel technology this hinders its wide application.
A flowchart of some embodiments of the vCPE-side VxLan tunnel authentication method of the present disclosure is shown in fig. 1.
In step 101, the vCPE sends a VxLan challenge packet to the CPE at the opposite end of the tunnel if it is determined that the IP address carried by the VxLan tunnel is not within the preconfigured range. In some embodiments, the vCPE obtains the IP address carried by the VxLan tunnel upon receiving the VxLan packet from the CPE, matches the IP address with an IP address within a preconfigured range, and determines whether the IP address carried by the VxLan tunnel is within the preconfigured range.
In some embodiments, the CPE generates a VxLan challenge response packet carrying a VxLan tunnel identification from the VxLan challenge packet.
In step 102, the vCPE receives the VxLan challenge response data packet, records the identification of the VxLan tunnel, randomly generates an authentication plaintext, and feeds back the authentication plaintext to the CPE through the VxLan authentication data packet. In some embodiments, the CPE encrypts an authentication plaintext with the tunnel password as a key, generates an authentication ciphertext, and feeds back the authentication ciphertext to the vCPE through the VxLan authentication response packet.
In step 103, the vCPE obtains a tunnel password through the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response packet according to the tunnel password, and obtains a decryption authentication ciphertext.
In step 104, the vCPE matches the decrypted authentication ciphertext with the authentication plaintext. If the matching is successful, go to step 105; if the matching is not successful, go to step 106.
In step 105, the authentication success is fed back to the CPE.
In step 106, authentication is determined to have failed and the tunnel is closed.
By the method, the vCPE can effectively realize the authentication identification of the vCPE to the CPE without adding an additional authentication protocol in the VxLan message or depending on other controllers, and the complexity of the system is greatly simplified; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
Flow diagrams of further embodiments of the CPE-side VxLan tunnel authentication method of the present disclosure are shown in fig. 2.
In step 201, the CPE generates a VxLan challenge response packet carrying a VxLan tunnel identifier when receiving the VxLan challenge packet from the vCPE. In some embodiments, the CPE may send a VxLan packet to the vCPE. The vCPE acquires the IP address carried by the VxLan tunnel based on the VxLan data packet, and sends a VxLan challenge data packet to the enterprise gateway CPE at the opposite end of the tunnel under the condition that the IP address carried by the VxLan tunnel is determined not to be in the preconfigured range.
In some embodiments, after receiving the VxLan challenge response packet, the vCPE randomly generates an authentication plaintext, and feeds back the authentication plaintext carried by the VNI of the VxLan authentication packet to the CPE.
In step 202, the CPE receives the VxLan authentication data packet, encrypts an authentication plaintext with the tunnel password as a key, generates an authentication ciphertext, carries the authentication ciphertext through the VNI of the VxLan authentication response data packet, and feeds back the authentication ciphertext to the vCPE. In some embodiments, the vCPE obtains a tunnel password by querying through the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response packet according to the tunnel password, obtains a decryption authentication ciphertext, and matches the decryption authentication ciphertext with the authentication plaintext.
In step 203, the CPE determines whether an authentication success message fed back from the vCPE is received. If the message is received, go to step 204; otherwise, the tunnel is closed, and authentication failure is determined.
In step 204, authentication is determined to be successful.
By the method, the CPE can effectively realize the authentication identification of the vCPE to the CPE without adding an additional authentication protocol in the VxLan message or depending on other controllers, thereby greatly simplifying the authentication complexity; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
In some embodiments, as shown in fig. 3, since the VNI of the VxLan tunnel is 24 bits, the tunnel ID is also 24 bits. When the vCPE receives a VxLan data packet sent by the CPE, it parses the IP address carried by the VxLan tunnel. If that IP address is not in the preconfigured VxLan tunnel list (for example because the CPE was reassigned a WAN-side IP address after a restart), or if authentication and identification are required for reasons such as a timeout, the vCPE sends a VxLan data packet without payload to the CPE side, marked in the VxLan packet header with a special VNI value such as 0xFE 0xFE 0xFE. When the CPE receives this packet, it knows that the vCPE requires authentication.
When the CPE receives a challenge VxLan packet sent by the vCPE, it knows that the vCPE requires it to authenticate. The CPE then assembles a VxLan packet without payload whose VNI, in the VxLan header, is the tunnel ID, which as mentioned above is 24 bits.
The vCPE records the ID of the received VxLan tunnel and at the same time generates a 24-bit random plaintext, which it uses as the VNI value of a VxLan authentication initiation packet sent to the CPE. After receiving the authentication initiation packet, the CPE encrypts the authentication plaintext in the VNI using the tunnel password as the key, producing a 24-bit ciphertext, and encapsulates the ciphertext as the new VNI in an authentication response VxLan message sent to the vCPE. The vCPE retrieves the tunnel password by the tunnel ID, decrypts the authentication ciphertext using the password as the key, and compares the result with the plaintext sent earlier: if they match, tunnel authentication and identification is complete; if not, the tunnel is closed. In either case an authentication result packet is sent to the CPE.
In some embodiments, the authentication result may also be 24 bits and sent as the VNI field; for example, 0xEF 0xEF 0xEF indicates that authentication succeeded and 0xEE 0xEE 0xEE indicates that it failed.
In this way the VNI field in the VxLan packet header is fully utilized: no intervention at the interface is needed, no extra authentication control protocol has to be carried in the VxLan payload, and no controller has to intervene for dynamic configuration.
A signaling flow diagram of some embodiments of the VxLan tunnel authentication method of the present disclosure is shown in fig. 4.
In 401-403, the CPE sends a VxLan data packet to the vCPE, and the vCPE firstly judges whether authentication and identification are needed through an authentication strategy library; if authentication is needed, the vCPE sends an authentication challenge packet to the CPE, and the CPE encapsulates the tunnel ID in the VNI to generate a response challenge packet.
In 404-410, the vCPE forwards the tunnel ID to the authentication identification unit to request authentication; the authentication unit calls a generator to produce a random authentication plaintext, which is forwarded to the CPE in an authentication initiation packet, and the CPE encrypts the plaintext using the tunnel password as the key to produce a ciphertext that it encapsulates as the VNI of an authentication response packet.
In 411-415, the authentication identification unit decrypts the ciphertext with the tunnel password and compares the result with the authentication plaintext to obtain the authentication result, which is finally encapsulated in the VNI and returned to the CPE end; if authentication fails, the vCPE closes the tunnel.
In this way, the sequence challenge -> challenge response -> authentication initiation -> authentication response is realized purely by changing the VNI value of the VxLan data packets exchanged between the vCPE and the CPE: no additional authentication protocol is added to the VxLan message, no other controller is needed, and the vCPE authenticates and identifies the CPE when the CPE initiates the VxLan tunnel according to service requirements. At the same time, an authentication method based on plaintext/ciphertext encryption and decryption is provided in which the tunnel password is never transmitted, so the whole system is safer and more reliable.
Fig. 5 shows a schematic structural diagram of an embodiment of the VxLan tunnel authentication apparatus of the present disclosure. The VxLan tunnel authentication device comprises a memory 501 and a processor 502. Wherein: the memory 501 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used for storing the instructions in the corresponding embodiments of the VxLan tunnel authentication method above. The processor 502 is coupled to the memory 501 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 502 is used for executing instructions stored in the memory, and can simplify the complexity of authentication and improve the security of authentication.
In one embodiment, as also shown in fig. 6, the VxLan tunnel authentication apparatus 600 includes a memory 601 and a processor 602. The processor 602 is coupled to the memory 601 by a BUS 603. The VxLan tunnel authentication apparatus 600 may be further connected to an external storage apparatus 605 through a storage interface 604 to call external data, and may be further connected to a network or another computer system (not shown) through a network interface 606. These are not described in detail here.
In the embodiment, the data instruction is stored in the memory, and the processor processes the instruction, so that the complexity of authentication can be simplified, and the security of the authentication can be improved.
In another embodiment, a computer readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of a method in a corresponding embodiment of a VxLan tunnel authentication method. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
A schematic diagram of some embodiments of the VxLan tunnel authentication system of the present disclosure is shown in fig. 7. The CPE 71 executes any of the CPE-side VxLan tunnel authentication methods mentioned above; the vCPE 72 executes any of the vCPE-side VxLan tunnel authentication methods mentioned above.
The VxLan tunnel authentication system can effectively realize the authentication and identification of the vCPE to the CPE without adding an additional authentication protocol in the VxLan message or depending on other controllers, thereby greatly simplifying the complexity of the system; meanwhile, tunnel passwords are not transmitted in the authentication process, so that the authentication security is improved.
In some embodiments, the authentication policy repository in the vCPE 72 holds the policies that activate authentication, such as an IP address update of the CPE or a timeout. To improve security, the vCPE 72 does not transmit the tunnel password but uses it as the encryption key for the encryption/decryption comparison of a random plaintext to complete authentication. In some embodiments the encryption/decryption algorithm is a symmetric algorithm; since the plaintext/ciphertext is 24 bits, a stream cipher such as RC4 may be used instead of DES, 3DES, AES or other block ciphers. Because the tunnel password is used as the encryption/decryption key, its length is not restricted, and 128 or more bits can be used to enhance security (an RC4 encryption key of 128 or more bits is secure and reliable).
The method described above is general and cross-platform: it can be implemented and deployed on vCPE equipment based on various platforms, and also on other tunnel gateways based on physical devices or virtual machines; in addition, it can be deployed in a mainstream cloud resource pool (such as the wing cloud) or in a cloud gateway of an enterprise private cloud resource pool, and has broad application prospects.
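The VNI-only exchange of figs. 3 and 4 together with the stream-cipher choice above, as an added example that is not the patent's or any vendor's code: both endpoints are simulated in Python, signalling solely through the 24-bit VNI of the VXLAN header, using the special VNI values the page gives (0xFE 0xFE 0xFE, 0xEF 0xEF 0xEF, 0xEE 0xEE 0xEE) and textbook RC4 as the stream cipher; the `CPE`/`VCPE` classes, the `run_exchange` driver, the state names, and all tunnel IDs, passwords and IP addresses are constructed assumptions.

```python
import os
from typing import Callable, Dict, Optional, Set
VNI_MASK = 0xFFFFFF
CHALLENGE_VNI = 0xFEFEFE   # vCPE -> CPE: authenticate (page: 0xFE 0xFE 0xFE, packed as one 24-bit number)
AUTH_OK_VNI = 0xEFEFEF     # vCPE -> CPE: authentication succeeded (page: 0xEF 0xEF 0xEF)
AUTH_FAIL_VNI = 0xEEEEEE   # vCPE -> CPE: authentication failed, tunnel closed (page: 0xEE 0xEE 0xEE)
RESERVED = {CHALLENGE_VNI, AUTH_OK_VNI, AUTH_FAIL_VNI}

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header (RFC 7348): flags 0x08 (I bit), 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni <= VNI_MASK:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"

def vni_of(packet: bytes) -> int:
    """Extract the VNI; a header without the I flag carries no valid VNI and is rejected."""
    if len(packet) < 8 or not packet[0] & 0x08:
        raise ValueError("not a VXLAN header carrying a VNI")
    return int.from_bytes(packet[4:7], "big")

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); the page names RC4 as one suitable stream cipher for 24-bit values."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def crypt24(password: bytes, value: int) -> int:
    """Encrypt or decrypt one 24-bit VNI value with the tunnel password as key (XOR with the keystream)."""
    return (value ^ int.from_bytes(rc4_keystream(password, 3), "big")) & VNI_MASK

def random_plaintext(rng: Callable[[int], bytes] = os.urandom) -> int:
    """24-bit random authentication plaintext that can never be mistaken for a signalling VNI."""
    while True:
        v = int.from_bytes(rng(3), "big")
        if v not in RESERVED:
            return v

class CPE:
    """Customer side (steps 201-204): answer the challenge with the tunnel ID, then encrypt the plaintext."""
    def __init__(self, tunnel_id: int, password: bytes):
        self.tunnel_id, self.password = tunnel_id, password
        self.state, self.result = "idle", None       # result: True, False, or None if never challenged
    def handle(self, packet: bytes) -> Optional[bytes]:
        vni = vni_of(packet)
        if vni == CHALLENGE_VNI:                      # step 201: reply with the tunnel ID as VNI
            self.state = "challenged"
            return vxlan_header(self.tunnel_id)
        if vni in (AUTH_OK_VNI, AUTH_FAIL_VNI):       # steps 203/204: result packet from the vCPE
            self.state, self.result = "done", vni == AUTH_OK_VNI
            return None
        if self.state == "challenged":                # step 202: ciphertext = E_password(plaintext)
            self.state = "answered"
            return vxlan_header(crypt24(self.password, vni))
        return None

class VCPE:
    """Gateway side (steps 101-106): policy check, challenge, random plaintext, decrypt and compare."""
    def __init__(self, passwords: Dict[int, bytes], trusted_ips: Set[str], rng=os.urandom):
        self.passwords, self.trusted, self.rng = passwords, set(trusted_ips), rng
        self.sessions: Dict[str, dict] = {}           # source IP -> authentication state
    def handle(self, src_ip: str, packet: bytes) -> Optional[bytes]:
        vni = vni_of(packet)
        s = self.sessions.get(src_ip)
        if s is None:                                 # step 101: is the source IP in the preconfigured range?
            if src_ip in self.trusted:
                return None                           # known tunnel: ordinary forwarding, not modelled here
            self.sessions[src_ip] = {"state": "challenged"}
            return vxlan_header(CHALLENGE_VNI)
        if s["state"] == "challenged":                # step 102: record tunnel ID, send random plaintext
            s.update(state="waiting", tunnel_id=vni, plaintext=random_plaintext(self.rng))
            return vxlan_header(s["plaintext"])
        if s["state"] == "waiting":                   # steps 103-106: look up password, decrypt, compare
            s["state"] = "done"
            password = self.passwords.get(s["tunnel_id"])
            if password is not None and crypt24(password, vni) == s["plaintext"]:
                self.trusted.add(src_ip)
                return vxlan_header(AUTH_OK_VNI)
            return vxlan_header(AUTH_FAIL_VNI)        # tunnel closed; the result is still reported
        return None

def run_exchange(cpe: CPE, vcpe: VCPE, src_ip: str, max_rounds: int = 6) -> Optional[bool]:
    """Drive the fig. 4 signalling flow until one side stops replying; returns the CPE's result."""
    pkt = vxlan_header(cpe.tunnel_id)                 # ordinary data packet that triggers the policy check
    for _ in range(max_rounds):
        reply = vcpe.handle(src_ip, pkt)
        if reply is None:
            break
        pkt = cpe.handle(reply)
        if pkt is None:
            break
    return cpe.result
```

Note that a stream cipher keyed only by the fixed tunnel password yields the same 24-bit keystream on every run, so the ciphertext always differs from the plaintext by one constant; a deployment should key each run with something fresh (a per-session salt or nonce) before treating the comparison as proof of the password.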
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
Finally, it should be noted that the above examples are intended only to illustrate the technical solutions of the present disclosure and not to limit them. Although the present disclosure has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that modifications to the specific embodiments of the disclosure, or equivalent substitutions for some of the technical features, may still be made, and all such modifications are intended to be included within the scope of the claims of this disclosure without departing from its spirit.
Claims (14)
1. A virtual extensible local area network tunnel authentication method, comprising the following steps:
a virtual enterprise gateway vCPE sends a VxLan challenge data packet to an enterprise gateway CPE at the opposite end of the tunnel when it determines that the IP address carried by a virtual extensible local area network VxLan tunnel is not within a preconfigured range, so that the CPE generates, according to the VxLan challenge data packet, a VxLan challenge response data packet carrying a VxLan tunnel identifier;
the vCPE receives the VxLan challenge response data packet, records the VxLan tunnel identifier, randomly generates an authentication plaintext, and feeds the authentication plaintext back to the CPE through a VxLan authentication data packet, so that the CPE encrypts the authentication plaintext using a tunnel password as the key to generate an authentication ciphertext and feeds the authentication ciphertext back to the vCPE through a VxLan authentication response data packet;
the vCPE obtains the tunnel password through the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet according to the tunnel password, and obtains a decrypted authentication ciphertext;
the vCPE matches the decrypted authentication ciphertext against the authentication plaintext; if they match, it feeds back an authentication success message to the CPE, and if the authentication fails, it closes the tunnel.
2. The method of claim 1, further comprising:
the vCPE receiving a VxLan data packet from the CPE and obtaining the IP address carried by the VxLan tunnel.
3. The method of claim 1, wherein a VNI field of the VxLan challenge data packet is a predetermined value, such that the CPE generates the VxLan challenge response data packet if the VNI field is determined to be the predetermined value.
4. The method of claim 1, wherein,
the VxLan challenge response data packet carries the VxLan tunnel identifier through a VNI field;
the VxLan authentication data packet carries the authentication plaintext through a VNI field;
the VxLan authentication response data packet carries the authentication ciphertext through a VNI field.
5. The method of claim 1, wherein the tunnel identification, the authentication plaintext, and the authentication ciphertext are 24 bits in length.
6. A virtual extensible local area network tunnel authentication method, comprising the following steps:
an enterprise gateway CPE generates a VxLan challenge response data packet carrying a VxLan tunnel identifier when it receives a virtual extensible local area network VxLan challenge data packet from a virtual enterprise gateway vCPE, so that the vCPE randomly generates an authentication plaintext after receiving the VxLan challenge response data packet and feeds the authentication plaintext back to the CPE in the VNI of a VxLan authentication data packet;
the CPE receives the VxLan authentication data packet, encrypts the authentication plaintext using a tunnel password as the key to generate an authentication ciphertext, and feeds the authentication ciphertext back to the vCPE in the VNI of a VxLan authentication response data packet, so that the vCPE obtains the tunnel password through the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet according to the tunnel password, obtains a decrypted authentication ciphertext, and matches the decrypted authentication ciphertext against the authentication plaintext;
the CPE determines that authentication succeeded when it receives an authentication success message fed back by the vCPE;
the CPE determines that authentication failed when the tunnel is closed.
7. The method of claim 6, further comprising:
sending a VxLan data packet to the vCPE so that the vCPE can obtain the IP address carried by the VxLan tunnel, wherein the VxLan challenge data packet is sent by the vCPE to the enterprise gateway CPE at the opposite end of the tunnel when the vCPE determines that the IP address carried by the virtual extensible local area network VxLan tunnel is not within the preconfigured range.
8. The method of claim 6, further comprising:
the CPE obtaining the VNI field when a data packet is received from the vCPE and, if the VNI field is a predetermined value, determining that the received data packet is the VxLan challenge data packet.
9. The method of claim 6, wherein,
the VxLan challenge response data packet carries the VxLan tunnel identifier through a VNI field;
the VxLan authentication data packet carries the authentication plaintext through a VNI field;
the VxLan authentication response data packet carries the authentication ciphertext through a VNI field.
10. The method of claim 1, wherein the tunnel identification, the authentication plaintext, and the authentication ciphertext are 24 bits in length.
11. A virtual extensible local area network tunnel authentication method, comprising:
the virtual extensible local area network tunnel authentication method performed by a virtual enterprise gateway vCPE according to any one of claims 1 to 5; and
the virtual extensible local area network tunnel authentication method performed by an enterprise gateway CPE according to any one of claims 6 to 10.
12. A virtual extensible local area network tunnel authentication device comprises:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-10 based on instructions stored in the memory.
13. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 11.
14. A virtual extensible local area network tunnel authentication system, comprising:
a virtual enterprise gateway configured to perform the method of any one of claims 1 to 5; and
an enterprise gateway configured to perform the method of any one of claims 6 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911341457.8A CN113037684B (en) | 2019-12-24 | 2019-12-24 | VxLan tunnel authentication method, device and system and gateway |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113037684A true CN113037684A (en) | 2021-06-25 |
CN113037684B CN113037684B (en) | 2022-05-24 |
Family
ID=76451244
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911341457.8A Active CN113037684B (en) | 2019-12-24 | 2019-12-24 | VxLan tunnel authentication method, device and system and gateway |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113037684B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160241515A1 (en) * | 2015-02-16 | 2016-08-18 | Telefonaktiebolaget L M Ericsson (Publ) | Method and system for providing "anywhere access" for fixed broadband subscribers |
CN107493297A (en) * | 2017-09-08 | 2017-12-19 | 安徽皖通邮电股份有限公司 | VxLAN tunnel access authentication method |
CN108028748A (en) * | 2016-02-27 | 2018-05-11 | 华为技术有限公司 | Method, device and system for processing VXLAN messages |
CN109361684A (en) * | 2018-11-14 | 2019-02-19 | 盛科网络(苏州)有限公司 | Dynamic encryption method and system for a VXLAN tunnel |
CN109995639A (en) * | 2018-01-02 | 2019-07-09 | 中国移动通信有限公司研究院 | Data transmission method, device, switch and storage medium |
Timeline
- 2019-12-24: CN CN201911341457.8A, granted as CN113037684B, status Active
Non-Patent Citations (1)
Title |
---|
扶奉超 et al.: "Research on SDN-based vCPE VPN services for government and enterprise" (基于SDN的政企vCPE VPN业务研究), 《电信科学》 (Telecommunications Science) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023231311A1 (en) * | 2022-05-31 | 2023-12-07 | 中国电信股份有限公司 | Vxlan tunnel authentication method and system, and access gateway and network access device |
CN115065576A (en) * | 2022-08-17 | 2022-09-16 | 广州赛讯信息技术有限公司 | VXLAN tunnel establishment method, device, network system and storage medium |
CN115065576B (en) * | 2022-08-17 | 2022-11-04 | 广州赛讯信息技术有限公司 | VXLAN tunnel establishment method, device, network system and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN113037684B (en) | 2022-05-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11405780B2 (en) | Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus | |
US10601594B2 (en) | End-to-end service layer authentication | |
US11825303B2 (en) | Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus | |
US11165604B2 (en) | Method and system used by terminal to connect to virtual private network, and related device | |
US10498531B2 (en) | Electronic subscriber identity module (eSIM) provisioning error recovery | |
JP6903006B2 (en) | User plane security for next-generation cellular networks | |
TWI695611B (en) | Method and apparatus for serving network authentication in wireless communications | |
US20110113236A1 (en) | Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism | |
US9516061B2 (en) | Smart virtual private network | |
US10911581B2 (en) | Packet parsing method and device | |
CN110870277A (en) | Introducing middleboxes into secure communication between a client and a server | |
EP3461097A1 (en) | Encrypted content detection method and apparatus | |
CN106169952B (en) | Authentication method and device for Internet key management protocol renegotiation | |
US11388145B2 (en) | Tunneling data traffic and signaling over secure etls over wireless local area networks | |
WO2012026855A1 (en) | Methods and arrangements for secure communication over an ip network | |
CN113037684B (en) | VxLan tunnel authentication method, device and system and gateway | |
CN114629678B (en) | TLS-based intranet penetration method and device | |
US20160105401A1 (en) | System and method for internet protocol security processing | |
CN110830351B (en) | Tenant management and service providing method and device based on SaaS service mode | |
CN112788594A (en) | Data transmission method, device and system, electronic equipment and storage medium | |
US20180183584A1 (en) | IKE Negotiation Control Method, Device and System | |
CN112838925A (en) | Data transmission method, device and system, electronic equipment and storage medium | |
US20170078288A1 (en) | Method for accessing communications network by terminal, apparatus, and communications system | |
CN113973001A (en) | Method and device for updating authentication key | |
CN114039812B (en) | Data transmission channel establishment method, device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |