CN113709069A - Lossless switching method and device for data transmission - Google Patents


Info

Publication number: CN113709069A
Authority: CN (China)
Prior art keywords: sak, board, transmission, board card, management board
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202111081084.2A
Other languages: Chinese (zh)
Other versions: CN113709069B
Inventor: 林晓峰
Current assignee: Ruijie Networks Co Ltd
Original assignee: Ruijie Networks Co Ltd

Events:
Application filed by Ruijie Networks Co Ltd
Priority to CN202111081084.2A
Publication of CN113709069A
Application granted
Publication of CN113709069B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 49/00 Packet switching elements
    • H04L 49/55 Prevention, detection or correction of errors
    • H04L 49/557 Error correction, e.g. fault recovery or fault tolerance
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 ... using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/50 ... using hash chains, e.g. blockchains or hash trees

Abstract

The present disclosure relates to communications technology, and in particular to a lossless switching method and apparatus for data transmission. The method addresses the problem that, in a device-to-device point-to-point mode, data packets are lost when the management board of either device fails. It comprises: if the first master management board of the first device fails, starting the first standby management board to replace it while continuing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set; and, after the replacement is complete, performing SAK update negotiation with the second device to obtain a second SAK set and, once a preset condition is determined to be met, performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set. This extends the fault-tolerant recovery window of the first device and achieves lossless, smooth switching of data packet transmission between the first and second devices.

Description

Lossless switching method and device for data transmission
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a lossless handover method and apparatus for data transmission.
Background
Media Access Control Security (MACsec) is a method for secure communication of data over a local area network based on the IEEE 802.1AE and IEEE 802.1X standards. IEEE 802.1AE-2006 defines the frame format for data encapsulation, encryption and authentication; the MACsec Key Agreement (MKA) protocol in IEEE 802.1X-2010 defines key management and provides key establishment mechanisms in both peer-to-peer and group modes. Using the Secure Association Key (SAK) produced by MKA negotiation, authenticated user data is encrypted and integrity-checked, so that a port performing encrypted link-layer transmission processes neither frames from unauthenticated devices nor frames tampered with by unauthenticated devices.
In the prior art, to ensure the validity of encrypted transmission, a keep-alive mechanism is usually used to determine whether the peer device is online and whether the secure link between the two devices is intact. The keep-alive mechanism is implemented with a keep-alive timer: when the timer fires, each of the two devices that have established the secure link sends a keep-alive message to its peer within a preset time, and the peer, on receiving it, returns a response confirming that the secure link to the sender is normal.
However, assuming a secure link has been established between a first device and a second device, when the management board of either device fails, the keep-alive messages carried over the control plane may no longer be sent or received normally, which leads to the loss of encrypted data packets in transit.
For example, if the management board of the first device fails, the first device can no longer send keep-alive messages. If the second device receives no keep-alive message from the first device for 6 seconds (the default MKA life time in IEEE 802.1X-2010), it tears down the secure link with the first device, sends an instruction to its switch board, and deletes the original SAK from the chip driver via the switch board. The first device encrypts and transmits data packets through its switch board, so when only the management board of the first device has failed and its switch board is intact, the first device keeps sending encrypted data packets to the second device based on the original SAK. But because the second device has already deleted the original SAK through its switch board, the data packets it receives from the first device cannot be identified for lack of that SAK: they are treated as packets from an unauthenticated device and discarded, so data packets are lost.
In summary, a new method is needed to solve the above problem.
Disclosure of Invention
The present disclosure aims to provide a lossless switching method and apparatus for data transmission, used to solve the problem of data packet loss caused by a failed management board on either device in a device-to-device point-to-point mode.
The specific technical solutions provided by the embodiments of the disclosure are as follows:
In a first aspect, a lossless switching method for data transmission is applied to a first device comprising a first switch board, a first master management board and a first standby management board, and comprises the following steps:
performing encrypted transmission of data packets with a second device through the first switch board based on a first Secure Association Key (SAK) set, where the first SAK set comprises at least one first SAK and each first SAK is issued to the first switch board by the first master management board;
during the encrypted transmission of data packets with the second device, if the first master management board fails, starting the first standby management board to perform a replacement operation for the first master management board while continuing the encrypted transmission with the second device through the first switch board based on the first SAK set;
and after the replacement operation is complete, performing SAK update negotiation with the second device to obtain a second SAK set and, once a preset condition is determined to be met, performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, where the second SAK set comprises at least one second SAK and each second SAK is issued to the first switch board by the first standby management board.
Because the first SAK set comprises at least one first SAK, data packets continue to be encrypted and transmitted with the second device based on the first SAK set while the first standby management board is replacing the first master management board. This extends the fault-tolerant recovery window of the first device and keeps the encryption service between the two devices running. Afterwards, once the replacement is complete and the preset condition is met, transmission moves to the second SAK set obtained by SAK update negotiation with the second device, which achieves lossless and smooth switching of data packet transmission between the first and second devices through the switch board.
Optionally, performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set comprises:
selecting one first SAK of the first SAK set from a key authentication chain;
and performing encrypted transmission of data packets between the first switch board and a second switch board of the second device based on the selected first SAK;
and performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set comprises:
selecting one second SAK of the second SAK set from the key authentication chain;
and performing encrypted transmission of data packets between the first switch board and the second switch board of the second device based on the selected second SAK.
The method introduces the concept of a key authentication chain: one first SAK of the first SAK set is selected from the chain to carry out encrypted transmission with the second device based on the first SAK set, and likewise one second SAK of the second SAK set is selected from the chain to carry out encrypted transmission with the second device based on the second SAK set.
Optionally, before performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the method further comprises:
issuing the first SAK set to the first switch board through the first master management board, and storing it in the key authentication chain through the first switch board;
and after performing SAK update negotiation with the second device to obtain the second SAK set, the method further comprises:
issuing the second SAK set to the first switch board through the first standby management board, and storing it in the key authentication chain, behind each first SAK, through the first switch board.
In this method, each first SAK in the key authentication chain of the first device is issued to the first switch board by the first master management board and stored by the first switch board, so that when encrypted transmission with the second device is performed through the first switch board, one first SAK of the first SAK set can be selected from the chain and transmission of encrypted data packets with the second device proceeds based on the first SAK set.
Correspondingly, after the first device obtains the second SAK set through the first standby management board, that set is also issued to the first switch board and stored by it in the key authentication chain behind each first SAK. Once the first device determines that the preset condition is met, it can select one second SAK of the second SAK set from the chain and transmit encrypted data packets with the second device based on the second SAK set.
Optionally, selecting one first SAK of the first SAK set from the key authentication chain comprises:
if the first SAK set comprises a plurality of first SAKs, selecting a currently valid first SAK of the first SAK set from the key authentication chain;
and performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set further comprises:
when the currently valid first SAK is determined to have become invalid, selecting another currently valid first SAK of the first SAK set from the key authentication chain, and performing encrypted transmission of data packets with the second device through the first switch board based on that other first SAK;
selecting one second SAK of the second SAK set from the key authentication chain comprises:
if the second SAK set comprises a plurality of second SAKs, selecting a currently valid second SAK of the second SAK set from the key authentication chain;
and performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set further comprises:
when the currently valid second SAK is determined to have become invalid, selecting another currently valid second SAK of the second SAK set from the key authentication chain, and performing encrypted transmission of data packets with the second device through the first switch board based on that other second SAK.
In the above method, each first SAK (or second SAK) stored in the key authentication chain has a limited validity, for at least two reasons: first, generating each SAK involves a random value, such as the time of the generation operation; second, each SAK corresponds to a maximum number of data packets that may be sent with it.
Thus, when the first device selects a first SAK (or second SAK) from the key authentication chain, it selects one that is currently valid; when that SAK becomes invalid, it selects another currently valid first SAK (or second SAK) of the same set from the chain and continues encrypted transmission of data packets with the second device based on it.
Optionally, the first SAK set is obtained as follows:
obtaining the corresponding first SAK set through the first master management board based on connectivity association key information;
and performing SAK update negotiation with the second device to obtain the second SAK set comprises:
obtaining the corresponding second SAK set through the first standby management board based on the connectivity association key information;
where the connectivity association key information is pre-configured on the first device and the second device by a user or by an encryption service management server, and comprises a Connectivity Association Key (CAK) and/or a Connectivity Association Key Name (CKN).
In this method, the first SAK set (or second SAK set) stored in the key authentication chain is obtained from the pre-configured connectivity association key information, which ensures that the encryption service between the first and second devices is unique to them and that each device can decrypt and verify the encrypted data packets sent by its peer, so the encryption service runs smoothly.
Optionally, the preset condition comprises some or all of the following:
a first preset time has elapsed since the replacement operation was completed;
and the total number of data packets sent based on the first SAK set has reached a preset threshold.
In this method, the preset condition fixes the moment at which encrypted transmission with the second device moves to the second SAK set. Since the first device and the second device hold the same SAKs, when the first device starts encrypted transmission of data packets with the second device based on the second SAK set, the second device can likewise transmit with the first device based on the second SAK set, which achieves lossless and smooth switching of data packet transmission between the two devices through the switch board.
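The following Python simulation is an added example, not code from the patent or from Ruijie Networks. It models the two switch boards and their key authentication chains, reproduces the prior-art loss described in the Background (the peer deletes its SAKs after the 6 s MKA life time and then discards every frame), and then runs the first-aspect procedure: the data plane keeps sending from the first SAK set while the standby board takes over, rolls to the next valid first SAK when one is exhausted, installs the renegotiated second SAK set behind the first, and switches to it only once the preset time after the replacement has elapsed. Assumptions: an HMAC-SHA256 tag stands in for the AES-GCM ICV of real MACsec, an HMAC stands in for the AES-CMAC key derivation of MKA, the 2 s hello and 6 s life timers are the IEEE 802.1X-2010 defaults, the failover takes 10 s on a simulated clock, the CAK is a constructed demo value, and the packet limit per SAK and the 2 s preset time are chosen for the demo.

```python
"""Simulated MACsec data plane across a management-board failover (added example, not
the patent's code).  An HMAC-SHA256 tag stands in for the AES-GCM ICV of real MACsec, an
HMAC stands in for MKA's AES-CMAC key derivation, and time is a simulated clock."""
import hashlib
import hmac
from dataclasses import dataclass, field

MKA_HELLO_TIME = 2.0  # seconds between MKPDUs (IEEE 802.1X-2010 default)
MKA_LIFE_TIME = 6.0   # seconds without a peer MKPDU before the peer is considered gone
ICV_LEN = 16


@dataclass
class Sak:
    an: int              # association number carried in the SecTAG (0..3)
    key: bytes
    max_packets: int     # stands in for packet-number exhaustion
    sent: int = 0
    retired: bool = False

    def valid(self) -> bool:
        return not self.retired and self.sent < self.max_packets


def derive_sak(cak: bytes, ckn: bytes, nonce: bytes, key_number: int) -> bytes:
    """Peers pre-configured with the same CAK/CKN derive identical SAKs from the same nonce."""
    info = b"IEEE8021 SAK" + ckn + nonce + key_number.to_bytes(4, "big")
    return hmac.new(cak, info, hashlib.sha256).digest()[:16]


def negotiate_sak_set(cak, ckn, nonce, first_key_number, count, max_packets):
    """One SAK set, as each management board would obtain it from the shared CAK/CKN."""
    return [Sak((first_key_number + i) % 4, derive_sak(cak, ckn, nonce, first_key_number + i),
                max_packets) for i in range(count)]


@dataclass
class SwitchBoard:
    """Data plane: holds the key authentication chain and protects/verifies frames with it."""
    chain: list = field(default_factory=list)  # newer SAK sets are appended behind older ones
    rx_ok: int = 0
    rx_dropped: int = 0

    def current(self):
        return next((s for s in self.chain if s.valid()), None)  # first still-valid SAK

    def protect(self, payload: bytes) -> bytes:
        sak = self.current()
        sak.sent += 1
        header = bytes([sak.an]) + sak.sent.to_bytes(4, "big")  # AN + packet number
        return header + payload + hmac.new(sak.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]

    def verify(self, frame: bytes) -> bool:
        header, body, icv = frame[:5], frame[5:-ICV_LEN], frame[-ICV_LEN:]
        for sak in self.chain:
            if sak.an == header[0] and hmac.compare_digest(
                    hmac.new(sak.key, header + body, hashlib.sha256).digest()[:ICV_LEN], icv):
                self.rx_ok += 1
                return True
        self.rx_dropped += 1  # no SAK for this AN: treated as a frame from an unauthenticated device
        return False


def run_scenario(retain_saks_on_timeout: bool, failover_seconds: float = 10.0) -> dict:
    """Device A streams frames to device B and loses its master management board at t=3 s.

    retain_saks_on_timeout=False reproduces the prior-art loss: B deletes its SAKs once no
    MKPDU has arrived for MKA_LIFE_TIME.  True keeps B's key authentication chain instead.
    """
    cak = hashlib.sha256(b"constructed demo CAK").digest()[:16]  # constructed, not a real key
    ckn = b"demo-ckn"
    a, b = SwitchBoard(), SwitchBoard()
    first_set = negotiate_sak_set(cak, ckn, b"nonce-1", 0, 2, max_packets=20)
    a.chain.extend(first_set)                                          # issued by A's master board
    b.chain.extend(negotiate_sak_set(cak, ckn, b"nonce-1", 0, 2, 20))  # B derives its own copy
    master_up, last_hello_tx, last_hello_rx = True, 0.0, 0.0
    standby_ready_at = switch_at = None
    ans_used = set()
    for k in range(40):                      # 20 s in 0.5 s ticks (exact in binary float)
        t = k * 0.5
        if master_up and t - last_hello_tx >= MKA_HELLO_TIME:
            last_hello_tx = last_hello_rx = t                     # keep-alive MKPDU reaches B
        if t - last_hello_rx > MKA_LIFE_TIME and not retain_saks_on_timeout:
            b.chain.clear()                                       # prior art: peer deletes the original SAK
        if t == 3.0:
            master_up, standby_ready_at = False, t + failover_seconds  # master fails; standby takes over
        if standby_ready_at is not None and t >= standby_ready_at and not master_up:
            master_up = True                                      # replacement operation complete
            for board in (a, b):                                  # SAK update negotiation: second set behind the first
                board.chain.extend(negotiate_sak_set(cak, ckn, b"nonce-2", 2, 2, 10 ** 6))
            switch_at = t + 2.0                                   # preset condition: first preset time after replacement
        if switch_at is not None and t >= switch_at:
            for sak in first_set:
                sak.retired = True                                # A now selects from the second SAK set
        frame = a.protect(b"payload-%d" % k)                      # data plane keeps sending throughout
        ans_used.add(frame[0])
        b.verify(frame)
    return {"delivered": b.rx_ok, "dropped": b.rx_dropped, "ans": sorted(ans_used)}


if __name__ == "__main__":
    print("key chain retained:", run_scenario(True))
    print("prior art:         ", run_scenario(False))
```

With the chain retained, all 40 frames are delivered and the transmitter walks through AN 0, AN 1 (after the first SAK's packet limit) and finally AN 2 from the second set; in the prior-art run the 13 frames sent between B's keep-alive timeout and A's switch to the second set are discarded as unauthenticated. The point the patent's second aspect relies on is visible in `verify`: the receiver checks a frame against whichever SAK in its chain carries the frame's AN, so keeping the old set installed until the peer has demonstrably moved on costs nothing but memory.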
In a second aspect, a lossless switching method for data transmission is applied to a second device comprising a second switch board, a second master management board and a second standby management board, and comprises the following steps:
performing encrypted transmission of data packets with a first device through the second switch board based on a first Secure Association Key (SAK) set, where the first SAK set comprises at least one first SAK and each first SAK is issued to the second switch board by the second master management board;
during the encrypted transmission of data packets with the first device, if the first master management board of the first device is determined to have failed, continuing the encrypted transmission with the first device through the second switch board based on the first SAK set, and performing SAK update negotiation with the first device to obtain a second SAK set;
and once a preset condition is met, performing encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, where the second SAK set comprises at least one second SAK and each second SAK is issued to the second switch board by the second master management board.
Optionally, the first master management board of the first device is determined to have failed as follows:
no keep-alive message from the first device is received by the second master management board within a second preset time;
and after determining that the first master management board of the first device has failed, the method further comprises:
tearing down, through the second master management board, the secure link with the first master management board of the first device.
Unlike the prior-art behaviour described in the Background, tearing down the control-plane link does not delete the first SAK set held by the second switch board, so data packets that the first device still protects with the first SAK set continue to be verified and accepted.
Optionally, performing encrypted transmission of data packets with the first device through the second switch board based on the first SAK set comprises:
selecting one first SAK of the first SAK set from a key authentication chain;
and performing encrypted transmission of data packets between the second switch board and the first switch board of the first device based on the selected first SAK;
and performing encrypted transmission of data packets with the first device through the second switch board based on the second SAK set comprises:
selecting one second SAK of the second SAK set from the key authentication chain;
and performing encrypted transmission of data packets between the second switch board and the first switch board of the first device based on the selected second SAK.
Optionally, before performing encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the method further comprises:
issuing the first SAK set to the second switch board through the second master management board, and storing it in the key authentication chain through the second switch board;
and after obtaining the second SAK set, the method further comprises:
issuing the second SAK set to the second switch board through the second master management board, and storing it in the key authentication chain, behind each first SAK, through the second switch board.
Optionally, selecting one first SAK of the first SAK set from the key authentication chain comprises:
if the first SAK set comprises a plurality of first SAKs, selecting a currently valid first SAK of the first SAK set from the key authentication chain;
and performing encrypted transmission of data packets with the first device through the second switch board based on the first SAK set further comprises:
when the currently valid first SAK is determined to have become invalid, selecting another currently valid first SAK of the first SAK set from the key authentication chain, and performing encrypted transmission of data packets with the first device through the second switch board based on that other first SAK;
selecting one second SAK of the second SAK set from the key authentication chain comprises:
if the second SAK set comprises a plurality of second SAKs, selecting a currently valid second SAK of the second SAK set from the key authentication chain;
and performing encrypted transmission of data packets with the first device through the second switch board based on the second SAK set further comprises:
when the currently valid second SAK is determined to have become invalid, selecting another currently valid second SAK of the second SAK set from the key authentication chain, and performing encrypted transmission of data packets with the first device through the second switch board based on that other second SAK.
Optionally, the first SAK set is obtained as follows:
obtaining the corresponding first SAK set through the second master management board based on connectivity association key information;
and performing SAK update negotiation with the first device to obtain the second SAK set comprises:
performing SAK update negotiation with the first device, and obtaining the corresponding second SAK set through the second master management board based on the connectivity association key information;
where the connectivity association key information is pre-configured on the first device and the second device by a user or by an encryption service management server, and comprises a Connectivity Association Key (CAK) and/or a Connectivity Association Key Name (CKN).
Optionally, the preset condition comprises some or all of the following:
a third preset time has elapsed since the SAK update negotiation with the first device;
and the total number of data packets sent based on the first SAK set has reached a preset threshold.
In a third aspect, a lossless switching apparatus for data transmission is applied to a first device comprising a first switch board, a first master management board and a first standby management board, and the apparatus comprises:
a first transmission module, configured to perform encrypted transmission of data packets with a second device through the first switch board based on a first Secure Association Key (SAK) set, where the first SAK set comprises at least one first SAK and each first SAK is issued to the first switch board by the first master management board;
a replacement module, configured to, during the encrypted transmission of data packets with the second device, if the first master management board fails, start the first standby management board to perform a replacement operation for the first master management board while continuing the encrypted transmission with the second device through the first switch board based on the first SAK set;
and a second transmission module, configured to perform SAK update negotiation with the second device after the replacement operation is complete to obtain a second SAK set and, once a preset condition is determined to be met, to perform encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, where the second SAK set comprises at least one second SAK and each second SAK is issued to the first switch board by the first standby management board.
Optionally, when performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the first transmission module is configured to:
select one first SAK of the first SAK set from a key authentication chain;
and perform encrypted transmission of data packets between the first switch board and a second switch board of the second device based on the selected first SAK;
and when performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, the second transmission module is configured to:
select one second SAK of the second SAK set from the key authentication chain;
and perform encrypted transmission of data packets between the first switch board and the second switch board of the second device based on the selected second SAK.
Optionally, before encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the first transmission module is further configured to:
issue the first SAK set to the first switch board through the first master management board, and store it in the key authentication chain through the first switch board;
and after performing SAK update negotiation with the second device to obtain the second SAK set, the second transmission module is further configured to:
issue the second SAK set to the first switch board through the first standby management board, and store it in the key authentication chain, behind each first SAK, through the first switch board.
Optionally, when selecting one first SAK of the first SAK set from the key authentication chain, the first transmission module is configured to:
if the first SAK set comprises a plurality of first SAKs, select a currently valid first SAK of the first SAK set from the key authentication chain;
and when performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the first transmission module is further configured to:
when the currently valid first SAK is determined to have become invalid, select another currently valid first SAK of the first SAK set from the key authentication chain, and perform encrypted transmission of data packets with the second device through the first switch board based on that other first SAK;
when selecting one second SAK of the second SAK set from the key authentication chain, the second transmission module is configured to:
if the second SAK set comprises a plurality of second SAKs, select a currently valid second SAK of the second SAK set from the key authentication chain;
and when performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, the second transmission module is further configured to:
when the currently valid second SAK is determined to have become invalid, select another currently valid second SAK of the second SAK set from the key authentication chain, and perform encrypted transmission of data packets with the second device through the first switch board based on that other second SAK.
Optionally, the first transmission module is configured to obtain the first SAK set in the following manner:
obtaining the corresponding first SAK set through the first master management board based on the connection association key information;
the second transmission module is configured to perform the SAK update negotiation with the second device to obtain the second SAK set in the following manner:
obtaining the corresponding second SAK set through the first standby management board based on the connection association key information;
wherein the connection association key information is pre-configured for the first device and the second device by a user or by an encryption service management server, and comprises a secure Connectivity Association Key (CAK) and/or a secure Connectivity Association Key Name (CAN; the CKN of IEEE 802.1X).
Optionally, the preset condition comprises one or both of the following:
a first preset duration has elapsed since the replacement operation was completed;
the total number of data packets sent based on the first SAK set has reached a preset threshold.
In a fourth aspect, a lossless switching apparatus for data transmission is applied to a second device, where the second device comprises a second switch board, a second master management board and a second standby management board, and the apparatus comprises:
a first transmission module, configured to perform encrypted transmission of data packets with a first device through the second switch board based on a first Security Association Key (SAK) set, where the first SAK set comprises at least one first SAK, each first SAK being issued to the second switch board through the second master management board;
a determining module, configured to, during the encrypted transmission of data packets with the first device, continue performing the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set if it is determined that the first master management board of the first device is abnormal, and to perform an SAK update negotiation with the first device to obtain a second SAK set;
and a second transmission module, configured to perform encrypted transmission of data packets with the first device through the second switch board based on the second SAK set when it is determined that a preset condition is met, where the second SAK set comprises at least one second SAK, each second SAK being issued to the second switch board through the second master management board.
Optionally, the determining module is configured to determine that the first master management board of the first device is abnormal in the following manner:
no keep-alive message from the first device is received through the second master management board within a second preset duration;
after determining that the first master management board of the first device is abnormal, the determining module is further configured to:
disconnect, through the second master management board, the secure link with the first master management board of the first device.
Optionally, when performing the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the first transmission module is configured to:
select one first SAK of the first SAK set from a key authentication linked list;
perform, based on the selected first SAK, encrypted transmission of data packets through the second switch board with the first switch board of the first device;
when performing the encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, the second transmission module is configured to:
select one second SAK of the second SAK set from the key authentication linked list;
and perform, based on the selected second SAK, encrypted transmission of data packets through the second switch board with the first switch board of the first device.
Optionally, before performing the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the first transmission module is further configured to:
issue the first SAK set to the second switch board through the second master management board, and store it in the key authentication linked list through the second switch board;
after obtaining the second SAK set, the second transmission module is further configured to:
issue the second SAK set to the second switch board through the second master management board, and store, through the second switch board, the second SAK set behind every first SAK in the key authentication linked list.
Optionally, when selecting one first SAK of the first SAK set from the key authentication linked list, the first transmission module is configured to:
if the first SAK set comprises a plurality of first SAKs, select the currently valid first SAK of the first SAK set from the key authentication linked list;
when performing the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the first transmission module is further configured to:
when the currently valid first SAK is determined to have become invalid, select another currently valid first SAK of the first SAK set from the key authentication linked list, and perform encrypted transmission of data packets with the first device through the second switch board based on that other first SAK;
when selecting one second SAK of the second SAK set from the key authentication linked list, the second transmission module is configured to:
if the second SAK set comprises a plurality of second SAKs, select the currently valid second SAK of the second SAK set from the key authentication linked list;
when performing the encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, the second transmission module is further configured to:
when the currently valid second SAK is determined to have become invalid, select another currently valid second SAK of the second SAK set from the key authentication linked list, and perform encrypted transmission of data packets with the first device through the second switch board based on that other second SAK.
Optionally, the first transmission module is configured to obtain the first SAK set in the following manner:
obtaining the corresponding first SAK set through the second master management board based on the connection association key information;
the second transmission module is configured to perform the SAK update negotiation with the first device to obtain the second SAK set in the following manner:
performing the SAK update negotiation with the first device, and obtaining the corresponding second SAK set through the second master management board based on the connection association key information;
wherein the connection association key information is pre-configured for the first device and the second device by a user or by an encryption service management server, and comprises a secure Connectivity Association Key (CAK) and/or a secure Connectivity Association Key Name (CAN).
Optionally, the preset condition comprises one or both of the following:
a third preset duration has elapsed since the SAK update negotiation with the first device;
the total number of data packets sent based on the first SAK set has reached a preset threshold.
In a fifth aspect, a lossless switching system for data transmission comprises a first device and a second device, wherein:
the first device comprises a first switch board, a first master management board and a first standby management board; the first switch board is configured to perform encrypted transmission of data packets with the second device based on a first Security Association Key (SAK) set, and, when the first master management board is abnormal and the first standby management board has started the replacement operation for the first master management board, to continue performing the encrypted transmission of data packets with the second device based on the first SAK set; the first standby management board is configured to perform an SAK update negotiation with the second device after the replacement operation is completed, so as to obtain a second SAK set; and the first switch board is further configured to perform encrypted transmission of data packets with the second device based on the second SAK set when it is determined that a preset condition is met;
the second device comprises a second switch board, a second master management board and a second standby management board; the second switch board is configured to perform encrypted transmission of data packets with the first device based on the first SAK set, and, when it is determined that the first master management board is abnormal, to continue performing the encrypted transmission of data packets with the first device based on the first SAK set; the second master management board is configured to perform the SAK update negotiation with the first device to obtain the second SAK set; and the second switch board is further configured to perform encrypted transmission of data packets with the first device based on the second SAK set when it is determined that the preset condition is met.
In a sixth aspect, a network transmission device comprises a memory and a processor, wherein
the memory is configured to store a computer program or instructions;
and the processor is configured to execute the computer program or instructions in the memory so that the method of any implementation of the first or second aspect is performed.
In a seventh aspect, a computer-readable storage medium stores computer program instructions which, when executed by a processor, implement the steps of the method of any implementation of the first or second aspect.
In addition, for the technical effects of any implementation of the second to fifth aspects, reference may be made to the technical effects of the corresponding implementations of the first aspect, which are not repeated here.
Drawings
FIG. 1A is a block diagram illustrating a lossless handover system for data transmission according to an embodiment of the present disclosure;
FIG. 1B is a schematic diagram of an application scenario in an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of obtaining a first set of SAKs according to an embodiment of the disclosure;
FIG. 3 is a schematic flow chart illustrating data transmission according to an embodiment of the present disclosure;
FIG. 4 is a flow chart illustrating an encrypted transmission according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of an application scenario in an embodiment of the present disclosure;
FIG. 6 is a schematic flow chart illustrating data transmission according to an embodiment of the present disclosure;
FIG. 7 is a schematic flow chart illustrating data transmission according to an embodiment of the present disclosure;
FIG. 8 is a schematic diagram of an application scenario in an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of an application scenario in an embodiment of the present disclosure;
FIG. 10 is a schematic diagram illustrating a logic structure of a lossless switching apparatus for data transmission according to an embodiment of the present disclosure;
FIG. 11 is a schematic diagram illustrating a logic structure of a lossless switching apparatus for data transmission according to an embodiment of the present disclosure;
FIG. 12 is a schematic diagram of the physical architecture of a network transmission device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only some embodiments of the present disclosure, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It should be noted that the terms "first," "second," "third," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or described herein.
To solve the problem that, in the device-to-device point-to-point mode, data packets are lost whenever the management board of either device becomes abnormal, the embodiments of the present disclosure proceed as follows. The first device performs encrypted transmission of data packets with the second device through the first switch board based on a first SAK set. If, during that transmission, the first master management board becomes abnormal, the first standby management board is started to perform a replacement operation for the first master management board, while the first switch board continues the encrypted transmission of data packets with the second device based on the first SAK set. After the replacement operation is completed, an SAK update negotiation is performed with the second device to obtain a second SAK set, and once a preset condition is determined to be met, the encrypted transmission of data packets with the second device is performed through the first switch board based on the second SAK set. Here the first SAK set comprises at least one first SAK, each issued to the first switch board through the first master management board, and the second SAK set comprises at least one second SAK, each issued to the first switch board through the first standby management board. Because the switch board keeps the existing keys in use until the new ones are in place, the encryption service between the first device and the second device proceeds without interruption and no data packets are lost.
In the following description of the preferred embodiments of the present disclosure, reference is made to the accompanying drawings, which are included to provide a further understanding of the disclosure, and it is to be understood that the preferred embodiments described herein are for the purpose of illustration and explanation only and are not intended to limit the disclosure, and that the features of the embodiments and examples of the disclosure may be combined with each other without conflict.
FIG. 1A shows the architecture of a lossless switching system for data transmission in an embodiment of the present disclosure. Referring to FIG. 1A, the system comprises a first device and a second device, where the first device comprises a first switch board, a first master management board and a first standby management board, and the second device comprises a second switch board, a second master management board and a second standby management board.
The first device performs encrypted transmission of data packets with the second device through the first switch board based on the first SAK set. When the first master management board becomes abnormal and the first standby management board starts the replacement operation for the first master management board, the first switch board continues the encrypted transmission of data packets with the second device based on the first SAK set. After the replacement operation is completed, the first standby management board performs an SAK update negotiation with the second device to obtain a second SAK set, and, when the preset condition is determined to be met, the first switch board performs the encrypted transmission of data packets with the second device based on the second SAK set.
The second device performs encrypted transmission of data packets with the first device through the second switch board based on the first SAK set. When it determines that the first master management board is abnormal, the second switch board continues the encrypted transmission of data packets with the first device based on the first SAK set while the second master management board performs the SAK update negotiation with the first device to obtain the second SAK set; when the preset condition is determined to be met, the second switch board performs the encrypted transmission of data packets with the first device based on the second SAK set.
In a specific implementation, the first device encrypts a first data packet to be transmitted based on the first SAK set and/or the second SAK set and sends the encrypted first data packet to the second device; it also receives an encrypted second data packet sent by the second device and decrypts it based on the first SAK set and/or the second SAK set.
Correspondingly, the second device receives the encrypted first data packet sent by the first device and decrypts it based on the first SAK set and/or the second SAK set, and encrypts a second data packet to be transmitted based on the first SAK set and/or the second SAK set and sends the encrypted second data packet to the first device. In this way, encrypted transmission of data packets between the first device and the second device is achieved.
FIG. 1B shows a schematic diagram of an application scenario in an embodiment of the present disclosure. As shown in FIG. 1B, it is assumed that the first device and the second device are each configured with a master management board and a standby management board, and that the user configures the same connection association key information for both devices and delivers it to the first device and the second device, which are to perform the MACsec encryption service.
The first device and the second device, configured with the same connection association key information, then negotiate through their respective master management boards to determine which of them is the SAK generating device for the MACsec encryption service; the determined SAK generating device obtains the first SAK set for the MACsec encryption service based on the connection association key information.
Optionally, in this embodiment of the present disclosure, the connection association key information includes, but is not limited to, at least one of the following:
1. a secure Connectivity Association Key (CAK);
2. a secure Connectivity Association Key Name (CAN).
In the embodiment of the present disclosure, which of the first device and the second device participating in the MACsec encryption service is the SAK generating device may be determined in the following manner:
1. based on the priorities configured for the first device and the second device, the device with the higher priority is determined to be the SAK generating device;
2. when the first device and the second device have the same priority, their unique identifiers (the system MAC address, sysmac) are compared, and the device that meets the set condition is determined to be the SAK generating device.
In the embodiment of the present disclosure, the set condition may be chosen according to actual use and is not specifically limited here.
Optionally, in the embodiment of the present disclosure, which of the devices performing the MACsec encryption service is the SAK generating device may also be determined by user pre-configuration; the manner of determining the SAK generating device is therefore not specifically limited and may be set according to actual use, which is not described again here.
Further, in the embodiment of the present disclosure, the number of devices performing the MACsec encryption service may be two, three, or another set value, which is not specifically limited here.
Optionally, in this embodiment of the present disclosure, the connection association key information may also be pre-configured for the first device and the second device by an encryption service management server.
For convenience of description, the embodiments of the present disclosure describe the lossless switching method for data transmission by taking encrypted transmission of data packets between two devices (a first device and a second device) as an example.
For example, still referring to FIG. 1B, take the case where the first device and the second device are configured with the same connection association key information (i.e., CAK and/or CAN).
The first device and the second device negotiate through their respective master management boards; when the configured connection association key information and the related configuration parameters are found to be the same, the negotiation is determined to have succeeded.
Assume that the first device is determined to be the SAK generating device.
The first device then generates, through the first master management board and based on the connection association key information, at least one group consisting of an SAK, a Key Encryption Key (KEK) and an Integrity Check Key (ICK), where the SAK is the key used to encrypt the data packets to be transmitted, the KEK is the key used to encrypt the SAK, and the ICK is the key used to compute the integrity check value of MKA protocol messages.
The first device encrypts the SAK with the KEK through the first master management board and encapsulates the encrypted SAK in a message; it also computes an Integrity Check Value (ICV) with the ICK through the first master management board and appends the ICV to the message, obtaining a complete MKA protocol message, which it then sends to the second device.
Correspondingly, the second device generates at least one group of ICK and KEK based on the same connection association key information and uses the generated ICK to compute the ICV of the message. Because the second device is not the SAK generating device, it does not derive the SAK used for data encryption. On receiving the MKA protocol message sent by the first device, the second device compares the ICV it computed with the ICV carried in the message to decide whether the message may be parsed; only after this check succeeds does it extract the encrypted SAK from the message and decrypt it with the KEK it generated, obtaining the SAK used for the encrypted transmission of data packets with the first device.
In the embodiment of the present disclosure, through the above process the first device and the second device both hold the same SAK for data packets, that is, a secure link is established between the first device and the second device.
Optionally, in this disclosure, the keys may be generated from the pre-configured connection association key information by a key derivation function (KDF) built on the AES block cipher.
Optionally, the manner of generating the SAK and synchronizing it between the first device and the second device is not limited to the one described above; several manners are possible.
Optionally, in this embodiment of the present disclosure, once the first device and the second device have obtained the same at least one SAK through the above operations, each device issues the at least one SAK to its switch board, and the switch board performs the following operations:
For the at least one SAK, two Secure Channels (SCs) are configured, a receive SC and a transmit SC; the receive SC of the first device corresponds to the transmit SC of the second device, and the transmit SC of the first device corresponds to the receive SC of the second device.
In the prior art, each SC is configured with a Security Association (SA), where an SA comprises the encryption algorithm for the data to be transmitted, the key used for integrity checking, and so on. During transmission, each data packet sent consumes one Packet Number (PN). The number of packets that can be sent under one SAK is therefore fixed: the PN space is normally 0xFFFFFFFF, i.e. at most 4294967295 packets can be sent under one SAK.
In the embodiment of the present disclosure, each SC may comprise one SA or a plurality of SAs, where each SA corresponds to a different SAK. For convenience of description, the embodiments of the present disclosure take two SAs per SC as an example.
For example, referring to FIG. 2, still take the case where the first device and the second device are configured with the same connection association key information (i.e., CAK and/or CAN).
Assume that the first device negotiates with the second master management board of the second device through the first master management board, and that the first device is determined to be the SAK generating device.
The first device then generates the corresponding first SAK set through the first master management board based on the connection association key information, sends the corresponding MKA protocol messages to the second device through the first master management board based on the first SAK set, and issues the first SAK set to the first switch board. The first switch board stores the set in key authentication linked list 1 and installs two SC1s in the chip driver (a receive SC1 and a transmit SC1), configuring two SAs for each SC1; for the receive SC1, for example, SA_1 and SA_2 are configured, and SA_1 and SA_2 correspond to different SAKs.
Optionally, the first device synchronizes the acquired connection association key information and the generated first SAK set to the first standby management board through the first master management board.
Correspondingly, the second device receives the corresponding MKA protocol messages through the second master management board and, similarly to the first device, verifies and decrypts them based on the connection association key information to obtain the corresponding first SAK set.
The first SAK set is then issued to the second switch board through the second master management board; the second switch board stores it in key authentication linked list 2 and installs two SC2s in the chip driver (a receive SC2 and a transmit SC2), configuring two SAs for each SC2; for the transmit SC2, for example, SA_1 and SA_2 are configured, and SA_1 and SA_2 correspond to different SAKs.
Optionally, in this embodiment of the present disclosure, SA_1 of the transmit SC2 of the second device holds the same SAK as SA_1 of the receive SC1 of the first device, and SA_2 of the transmit SC2 of the second device holds the same SAK as SA_2 of the receive SC1 of the first device.
Referring to fig. 3, in the embodiment of the present disclosure, the provided lossless switching method for data transmission is applied to a first device, where the first device includes a first switch board, a first main control management board, and a first standby management board, and the specific flow is as follows:
step 300: the first device performs encrypted transmission of the data message with the second device through the first switch board card based on the first SAK set, wherein the first SAK set comprises at least one first SAK, and each first SAK is issued to the first switch board card through the first master control management board.
In the embodiment of the present disclosure, the first device negotiates with the second device through the first master control management board to obtain the first SAK set, and issues the first SAK set to the first switch board, and then the first switch board is stored in the key authentication chain table.
Specifically, referring to fig. 4, in the embodiment of the present disclosure, a first device implements encrypted transmission of a data packet with a second device by performing the following steps:
step 400: one of the first SAKs in the first set of SAKs is selected from the key authentication chain table.
In the embodiment of the present disclosure, the first device selects one first SAK in the first SAK set from the key authentication chain table through the first switch board.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes a plurality of first SAKs, a currently valid first SAK in the first SAK set is selected from the key authentication linked list.
Step 410: and based on the selected first SAK, carrying out encryption transmission on the data message through the first exchange board card and a second exchange board card of the second equipment.
In the embodiment of the present disclosure, after performing step 400, the first device selects one first SAK in the first SAK set from the pre-stored key authentication chain table through the first switch board card, and then, when performing step 410, the first switch board card and the second switch board card of the second device perform encrypted transmission of the data packet based on the selected one first SAK.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes multiple first SAKs, when it is determined that the currently valid first SAK has become invalid, another currently valid first SAK in the first SAK set is selected from the key authentication linked list, and the data packet is encrypted and transmitted between the first switch board and the second device based on that other currently valid first SAK.
Step 310: in the process of encrypting and transmitting the data message with the second device, if the first master control management board is abnormal, the first standby management board is started to perform replacement operation for the first master control management board, and the first device continues to encrypt and transmit the data message with the second device through the first exchange board card based on the first SAK set.
In the embodiment of the present disclosure, in the process of encrypting and transmitting the data packet with the second device, if the first main control management board is abnormal, the first standby management board is started to perform a replacement operation for the first main control management board, and when the first switch board is not abnormal, the first device continues to perform encryption and transmission of the data packet with the second switch board card of the second device according to the methods described in steps 400 to 410.
In this embodiment of the present disclosure, the first device starts the first standby management board to perform a replacement operation for the first main control management board, and specifically, the first device synchronizes the configuration information included in the first main control management board to the first standby management board.
In this embodiment of the present disclosure, when the first standby management board of the first device performs a replacement operation with the first main control management board, there are two cases as follows:
in a first case, when the first device is an SAK generating device, since the first master control management board is abnormal and the first device does not have the ability to issue the SAK, the data packet encrypted and transmitted by the first switch board card is not affected by the abnormality of the first master control management board, and is still encrypted and transmitted with the second switch board card of the second device based on the first SAK set.
In the second case, when the first device is a non-SAK generating device, because the first master management board is abnormal, the first device does not have the ability to update the SAK, the first device is disconnected from the second device in the management layer, and the first switch board card performs encrypted transmission of the data packet with the second switch board card of the second device based on the first SAK set.
This ensures that, when the master control management board of either device is abnormal, the replacement operation performed by the standby management board for the master control management board is started, and during the replacement the switch board of the device whose master control management board is abnormal can still perform encrypted transmission of the data packet with the opposite device based on the first SAK set, so that no data packet is lost when the master control management board of either device is abnormal.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes a plurality of first SAKs, when a currently valid first SAK in the first SAK set selected from the key authentication linked list fails, another currently valid first SAK in the first SAK set may be selected from the key authentication linked list, so that processing time of an abnormal event may be extended by configuring a certain number of SAs in advance, thereby reducing a loss rate of a data packet to the maximum extent, and even completely eliminating a loss phenomenon of the data packet.
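The following is an added example, not code from the patent or from Ruijie Networks, that models the key authentication chain table of steps 400 to 410 and the fallback described just above: the switch board always encrypts with the first still-valid SAK in the chain, and while the master control management board is unavailable no new SAK can be issued, so the number of SAs configured in advance bounds how many SAK failures the data plane can survive. The class and function names (`KeyAuthChain`, `SwitchBoard`, `simulate_master_board_failure`) and the sample SAK values are assumptions made for the example.

```python
"""Toy model of the key authentication chain table and SAK fallback (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SakEntry:
    """One SA/SAK entry in the chain table (constructed sample structure)."""
    name: str          # e.g. "SA_1"
    an: int            # association number that the encryption header carries (0..3)
    sak: bytes         # the secure association key itself (sample value)
    valid: bool = True


class KeyAuthChain:
    """Ordered list of SAKs; a newly issued SAK set is appended behind the older ones."""

    def __init__(self) -> None:
        self.entries: List[SakEntry] = []

    def install_set(self, sak_set: List[SakEntry]) -> None:
        """Store a newly issued SAK set behind every entry already present."""
        self.entries.extend(sak_set)

    def current_valid(self) -> Optional[SakEntry]:
        """Select the first SAK in the chain that is still valid, or None if none is left."""
        for entry in self.entries:
            if entry.valid:
                return entry
        return None

    def invalidate(self, name: str) -> None:
        """Mark one SAK as invalid (e.g. its packet budget is exhausted)."""
        for entry in self.entries:
            if entry.name == name:
                entry.valid = False


class SwitchBoard:
    """Data-plane side: encrypts with whichever SAK the chain currently selects."""

    def __init__(self, chain: KeyAuthChain) -> None:
        self.chain = chain
        self.sent = 0

    def send(self, payload: bytes) -> Optional[str]:
        """Return the SA name used for this packet, or None if the chain is exhausted."""
        entry = self.chain.current_valid()
        if entry is None:
            return None          # no valid SAK left: this packet would be lost
        self.sent += 1
        return entry.name


def simulate_master_board_failure(preconfigured: int, failures: int) -> List[Optional[str]]:
    """Pre-install `preconfigured` SAs, then invalidate SAs one at a time while the
    master control board is unavailable (so no new SAK can be issued).
    Returns the SA used for the packet sent before and after each failure."""
    chain = KeyAuthChain()
    chain.install_set([SakEntry(f"SA_{i + 1}", i % 4, bytes([i + 1]) * 16)
                       for i in range(preconfigured)])
    board = SwitchBoard(chain)
    used = [board.send(b"data")]
    for i in range(failures):
        chain.invalidate(f"SA_{i + 1}")
        used.append(board.send(b"data"))
    return used


if __name__ == "__main__":
    # Three pre-configured SAs survive two SAK failures; a single SA survives none.
    print(simulate_master_board_failure(3, 2))   # ['SA_1', 'SA_2', 'SA_3']
    print(simulate_master_board_failure(1, 1))   # ['SA_1', None]
```

The point the example makes concrete is that the replacement window the standby board needs is covered entirely by SAs that were already in the chain table; nothing in the data path waits on the management layer.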
Step 320: after the first device completes the replacement operation, it performs an SAK update negotiation with the second device to obtain a second SAK set.
In this embodiment of the present disclosure, after the first device completes the replacement operation of the first standby management board for the first main control management board, the following operations need to be performed:
Operation one: perform identity authentication with the second device and determine the corresponding SAK generating device.
Specifically, in this embodiment of the present disclosure, the first device compares, through the first standby management board, the connection association key information configured in advance and the related configuration parameter with the second device, and when it is determined that the first device and the second device are configured with the same connection association key information and the related configuration parameter, it is determined that negotiation with the second device is successful, and then, negotiation is further performed, and the SAK generating device between the first device and the second device is determined.
Operation two: based on the connection association key information, obtain the corresponding second SAK set through the first standby management board.
Specifically, the embodiments of the present disclosure include, but are not limited to, the following two cases:
in a first case, when the first device is an SAK generating device, based on the connection association key information, a corresponding second SAK set is obtained through the first standby management board, and an MKA protocol packet corresponding to the second SAK set is sent to the second device, so that the second device obtains the corresponding second SAK set through the second master management board.
In the second case, when the first device is a non-SAK generating device, the MKA protocol message sent by the second device is received through the first standby management board, and the MKA protocol message is verified and decrypted based on the connection association key information to obtain the corresponding second SAK set.
In the embodiment of the present disclosure, after the first device performs an SAK update negotiation with the second device through the first standby management board to obtain the second SAK set, the first device issues the second SAK set to the first switch board through the first standby management board, and stores the second SAK set behind each first SAK in the key authentication linked list through the first switch board.
For example, referring to fig. 5, the case in which the first device and the second device are configured with the same connection association key information (i.e., CAK and/or CAN) is still taken as an example.
After the first device completes the replacement operation, the first standby management board negotiates with the second device, determines that the configured connection-related key information and the related configuration parameters are the same, and determines that the first device is an SAK generating device.
Then, the first device generates a corresponding second SAK set through the first standby management board based on the connection-related key information, sends an MKA protocol message corresponding to the second SAK set to the second device, issues the second SAK set to the first switch board, and stores the second SAK set behind each first SAK in the key authentication chain table 1 through the first switch board.
Correspondingly, the second device receives the MKA protocol message through the second master control management board, verifies and decrypts the MKA protocol message based on the connection-associated key information to obtain a corresponding second SAK set, issues the second SAK set to the second switch board, and stores the second SAK set behind each first SAK in the key authentication chain table 2 through the second switch board.
For example, it is still assumed that the first device and the second device are configured with the same connection association key information (i.e., CAK and/or CAN).
After the first device completes the replacement operation, it is assumed that the first device determines that the configured connection associated key information and the related configuration parameters are the same through negotiation with the second device, and determines that the first device is a non-SAK generating device.
Then, the second device, being the SAK generating device, generates the second SAK set based on the connection association key information, sends the MKA protocol message corresponding to the second SAK set to the first device through the second master control management board, issues the second SAK set to the second switch board, and the second switch board stores it behind each first SAK in the key authentication chain table 2. Correspondingly, the first device receives that MKA protocol message through the first standby management board, verifies and decrypts it based on the connection association key information to obtain the corresponding second SAK set, issues the second SAK set to the first switch board, and the first switch board stores it behind each first SAK in the key authentication chain table 1.
Step 330: when the first device determines that the preset condition is met, it performs encrypted transmission of the data packet with the second device through the first switch board based on the second SAK set, where the second SAK set includes at least one second SAK, and each second SAK is issued to the first switch board through the first standby management board.
In the embodiment of the present disclosure, referring to fig. 6, when it is determined that a preset condition is met, a first device implements encrypted transmission of a data packet with a second device by using the following steps:
Step 600: one second SAK in the second SAK set is selected from the key authentication chain table.
In this embodiment of the disclosure, in step 320 the first device stores the second SAK set behind each first SAK in the key authentication chain table through the first switch board, and in step 600 it selects one second SAK in the second SAK set from the key authentication chain table.
Step 610: based on the selected second SAK, the first switch board performs encrypted transmission of the data packet with the second switch board of the second device.
In the embodiment of the present disclosure, when step 610 is executed, the first switch board performs encrypted transmission of the data packet with the second switch board of the second device based on the second SAK selected in step 600.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes multiple first SAKs, one currently valid first SAK in the first SAK set is selected from the key authentication linked list; when it is determined that the currently valid first SAK has become invalid, another currently valid first SAK in the first SAK set is selected from the key authentication linked list, and the data packet is encrypted and transmitted with the second device through the first switch board based on that other currently valid first SAK.
Optionally, in this embodiment of the present disclosure, the preset condition includes, but is not limited to, at least one of the following conditions:
Condition 1: after the replacement operation is completed, a first preset time period is reached.
In the embodiment of the present disclosure, the first preset duration may be determined according to a ratio of the remaining number of transmittable encrypted data packets to the network encryption traffic speed, and then, after the first device completes the replacement operation and reaches the first preset duration, the data packets are encrypted and transmitted through the first switch board and the second device based on the second SAK set.
Optionally, in the embodiment of the present disclosure, the first preset time period may be specifically set according to an actual application situation, and is not limited herein.
For example, it is assumed that the ratio of the number of remaining transmittable encrypted data packets to the transmittable encrypted traffic speed is 5 s.
Then, after the first device completes the replacement operation, performing an SAK update negotiation with the second device to obtain a second SAK set, and when it is determined that the first preset time duration (i.e., 5s) is reached after the replacement operation is completed, performing encrypted transmission of the data packet with the second device based on the second SAK set.
Condition 2: the total number of data packets transmitted based on the first SAK set reaches a preset threshold value.
In the embodiment of the present disclosure, each SAK corresponds to a maximum number of data packets that can be sent, so that the number of data packets that can be sent corresponding to each SAK in the first SAK set may be preset, and a corresponding preset threshold value is obtained according to the number of data packets that can be sent; because the first SAK sets obtained by the first device and the second device are the same, when the first device determines that the preset condition is met, the second device also meets the preset condition, so that encrypted transmission of the data message is performed with the first device based on the second SAK set, and loss of the data message can be avoided.
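The two preset conditions above, as an added example rather than code from the patent or its assignee. It derives the first preset duration as the ratio of the remaining transmittable packets to the traffic speed, derives the packet threshold from the per-SAK sendable counts, and keeps the data path on the first SAK set until the second set has actually been negotiated. The class name `SwitchoverPolicy`, the sample numbers, and the choice to take the threshold as the sum of the per-SAK limits are assumptions; the patent only says the threshold is obtained from those counts.

```python
"""Switchover policy from the first SAK set to the second SAK set (added example)."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class SwitchoverPolicy:
    """Decides when the switch board may start using the second SAK set.

    replacement_done_at: time (s) at which the standby board finished taking over
    remaining_packets:   encrypted packets the first SAK set can still carry
    traffic_pps:         network encryption traffic speed, packets per second
    per_sak_limit:       preset sendable packet count for each first SAK
    """
    replacement_done_at: float
    remaining_packets: int
    traffic_pps: float
    per_sak_limit: Dict[str, int]
    second_set_ready: bool = False   # becomes True once SAK update negotiation succeeds
    sent_on_first_set: int = 0

    def first_preset_duration(self) -> float:
        """Condition 1 timer: remaining packets / traffic speed (5000 pkts at 1000 pps -> 5 s)."""
        return self.remaining_packets / self.traffic_pps

    def threshold(self) -> int:
        """Condition 2 threshold; assumed here to be the sum of the per-SAK limits."""
        return sum(self.per_sak_limit.values())

    def record_sent(self, n: int = 1) -> None:
        """Count packets the switch board has sent under the first SAK set."""
        self.sent_on_first_set += n

    def should_switch(self, now: float) -> bool:
        """True when the second set is installed and at least one preset condition holds."""
        if not self.second_set_ready:
            return False          # nothing to switch to yet: stay on the first set
        cond_time = now - self.replacement_done_at >= self.first_preset_duration()
        cond_count = self.sent_on_first_set >= self.threshold()
        return cond_time or cond_count

    def active_set(self, now: float) -> str:
        """Which SAK set the switch board should encrypt with at time `now`."""
        return "second" if self.should_switch(now) else "first"


if __name__ == "__main__":
    policy = SwitchoverPolicy(replacement_done_at=100.0, remaining_packets=5000,
                              traffic_pps=1000.0, per_sak_limit={"SA_1": 3000, "SA_2": 3000})
    policy.second_set_ready = True
    print(policy.first_preset_duration())   # 5.0
    print(policy.active_set(104.0))         # first
    print(policy.active_set(105.0))         # second
```

Because both devices hold the same first SAK set and the same per-SAK counts, the count-based condition fires on both sides at the same packet, which is what lets the peer switch without an explicit signal.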
Correspondingly, referring to fig. 7, in the embodiment of the present disclosure, the provided lossless switching method for data transmission is applied to a second device, where the second device includes a second switch board, a second main control management board, and a second standby management board, and the specific flow is as follows:
Step 700: the second device performs encrypted transmission of the data packet with the first device through the second switch board based on the first SAK set, where the first SAK set includes at least one first SAK, and each first SAK is issued to the second switch board through the second master control management board.
In this embodiment of the present disclosure, before step 700 is executed, the same operation as that executed by the first device is performed, and first, the second device obtains a corresponding first SAK set through the second master control management board based on the connection association key information, and issues the first SAK set to the second switch board, and stores the first SAK set in the key authentication chain table through the second switch board.
Then, the second device performs encrypted transmission of the data packet with the first device through the second switch board card based on the first SAK set by adopting the following operations:
Operation one: one first SAK in the first SAK set is selected from the key authentication chain table.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes a plurality of first SAKs, a currently valid first SAK in the first SAK set is selected from the key authentication linked list.
Operation two: based on the selected first SAK, the second switch board performs encrypted transmission of the data packet with the first switch board of the first device.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes a plurality of first SAKs, when it is determined that one currently valid first SAK is invalid, another currently valid first SAK in the first SAK set is selected from the key authentication chain table, and based on the other currently valid first SAK, the encrypted transmission of the data packet is performed with the first device through the second switch board.
Step 710: in the process of encrypting and transmitting the data packet with the first device, if the second device determines that the first master control management board of the first device is abnormal, it continues to encrypt and transmit the data packet with the first device through the second switch board based on the first SAK set.
In this embodiment of the disclosure, the second device may determine that the first master control management board of the first device is abnormal through the second master control management board in a manner that the keep-alive mechanism message sent by the first device is not received within a second preset time period, then disconnect the secure link with the first master control management board of the first device through the second master control management board, and perform encrypted transmission of the data message with the first device through the second exchange board based on the first SAK set.
This ensures that, when the first master control management board of the first device is abnormal, after the SAK update negotiation request has been sent to the first device and before the SAK update negotiation response returned by the first device has been received, the second device still encrypts and transmits the data packet with the first device through the second switch board based on the first SAK set, so that no data packet is lost.
Optionally, in this embodiment of the present disclosure, if the first SAK set includes a plurality of first SAKs, when a currently valid first SAK in the first SAK set selected from the key authentication linked list fails, another currently valid first SAK in the first SAK set may be selected from the key authentication linked list, so that processing time of an abnormal event may be extended by configuring a certain number of SAs in advance, thereby reducing a loss rate of a data packet to the maximum extent, and even completely eliminating a loss phenomenon of the data packet.
Step 720: the second device performs an SAK update negotiation with the first device to obtain a second SAK set.
In this embodiment of the present disclosure, after receiving the SAK update negotiation response message returned by the first device, the second device executes the following operations:
Operation one: perform identity authentication with the first device and determine the corresponding SAK generating device.
Specifically, in this embodiment of the present disclosure, the second device compares, through the second master management board, the connection association key information and the related configuration parameters that are configured in advance with the first device, and when it is determined that the first device and the second device are configured with the same connection association key information and the related configuration parameters, it is determined that negotiation with the first device is successful, and then, negotiation is further performed, so as to determine the SAK generating device between the first device and the second device.
Operation two: perform the SAK update negotiation with the first device, and obtain the corresponding second SAK set through the second master control management board based on the connection association key information.
Specifically, the embodiments of the present disclosure include, but are not limited to, the following two cases:
in case one, when the second device is a non-SAK generating device, based on the connection-associated key information, the MKA protocol packet sent by the first device through the first standby management board is received through the second master management board, and the MKA protocol packet is checked and decrypted to obtain a corresponding second SAK set.
In case two, when the second device is an SAK generating device, based on the connection association key information, a corresponding second SAK set is obtained through the second master control management board, and an MKA protocol packet corresponding to the second SAK set is sent to the first device, so that the first device obtains the corresponding second SAK set through the first standby management board.
In the embodiment of the present disclosure, after the second device performs an SAK update negotiation with the first device through the second master control management board to obtain the second SAK set, the second device issues the second SAK set to the second switch board through the second master control management board, and stores the second SAK set behind each first SAK in the key authentication chain table through the second switch board.
For example, referring to fig. 8, the case in which the first device and the second device are configured with the same connection association key information (i.e., CAK and/or CAN) is still taken as an example.
It is assumed that the second device negotiates with the first device through the second master management board, determines that the configured connection associated key information and the related configuration parameters are the same, and determines that the second device is an SAK generating device.
Then, the second device generates a corresponding second SAK set through the second master control management board based on the connection-associated key information, sends an MKA protocol message corresponding to the second SAK set to the first device through the second master control management board, issues the second SAK set to the second switch board, and stores the second SAK set behind each first SAK in the key authentication chain table 2 through the second switch board.
Correspondingly, the first device receives the MKA protocol message, checks and decrypts the MKA protocol message based on the connection associated key information to obtain a corresponding second SAK set, issues the second SAK set to the first switch board, and stores the second SAK set behind each first SAK in the key authentication chain table 1 by the first switch board.
For example, it is still assumed that the first device and the second device are configured with the same connection association key information (i.e., CAK and/or CAN).
It is assumed that the second device negotiates with the first device through the second master management board, determines that the configured connection associated key information and the related configuration parameters are the same, and determines that the second device is a non-SAK generating device.
Then, the first device, being the SAK generating device, generates the second SAK set based on the connection association key information, sends the MKA protocol message corresponding to the second SAK set to the second device through the first standby management board, issues the second SAK set to the first switch board, and the first switch board stores it behind each first SAK in the key authentication chain table 1. Correspondingly, the second device receives that MKA protocol message through the second master control management board, verifies and decrypts it based on the connection association key information to obtain the corresponding second SAK set, issues the second SAK set to the second switch board, and the second switch board stores it behind each first SAK in the key authentication chain table 2.
Step 730: when the second device determines that the preset condition is met, it performs encrypted transmission of the data packet with the first device through the second switch board based on the second SAK set, where the second SAK set includes at least one second SAK, and each second SAK is issued to the second switch board through the second master control management board.
In the embodiment of the disclosure, when the second device determines that the preset condition is met, one second SAK in the second SAK set is selected from the key authentication linked list, and based on the selected second SAK the second switch board performs encrypted transmission of the data packet with the first switch board of the first device.
Optionally, in this embodiment of the present disclosure, if the second SAK set includes a plurality of second SAKs, selecting, from the key authentication linked list, a currently valid second SAK in the second SAK set; then, when determining that the currently effective second SAK is invalid, selecting another currently effective second SAK in the second SAK set from the key authentication linked list, and performing encrypted transmission of the data packet with the first device through the second switch board card based on the other currently effective second SAK.
Optionally, in this embodiment of the present disclosure, the preset condition includes, but is not limited to, at least one of the following conditions:
Condition 1: after the SAK update negotiation with the first device is performed, a third preset time period is reached.
In this embodiment of the present disclosure, the third preset time may be determined according to a ratio of the remaining number of transmittable encrypted data packets to the network encryption traffic speed, and then, after performing an SAK update negotiation with the first device and reaching the third preset time, the second device performs encrypted transmission of the data packets with the first device through the second switch board based on the second SAK set.
Optionally, in the embodiment of the present disclosure, the third preset time period may be specifically set according to an actual application situation, and is not limited herein.
For example, it is assumed that the ratio of the number of remaining transmittable encrypted data packets to the transmittable encrypted traffic speed is 3 s.
Then, the second device performs the SAK update negotiation with the first device to obtain the second SAK set, and when it determines that the third preset time period (i.e., 3 s) has been reached since the SAK update negotiation was performed, it performs encrypted transmission of the data packet with the first device based on the second SAK set.
Condition 2: the total number of data packets transmitted based on the first SAK set reaches a preset threshold value.
In the embodiment of the present disclosure, each SAK corresponds to a maximum number of data packets that can be sent, so that the number of data packets that can be sent corresponding to each SAK in the first SAK set may be preset, and a corresponding preset threshold value is obtained according to the number of data packets that can be sent; because the first SAK sets obtained by the first device and the second device are the same, when the first device determines that the preset condition is met, the second device also meets the preset condition, so that encrypted transmission of the data message is performed with the first device based on the second SAK set, and loss of the data message can be avoided.
In the embodiment of the disclosure, after receiving an encrypted data packet sent by the opposite-end device, the first device or the second device verifies the encrypted data packet; when it determines that the received encrypted data packet can be parsed, it identifies the corresponding receiving SA from the AN field in the encryption header, and if the packet belongs to SA_2, it decrypts the encrypted data packet with the receiving SA_2. This ensures that when the sending end switches from SA_1 to SA_2, the receiving end can still correctly decrypt the received encrypted data packet, which further achieves lossless switching of data transmission.
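The receive-side behaviour just described, as an added example that is not the patent's or Ruijie Networks' code: the receiver reads the AN from the header, looks up the receive SA installed for that AN, verifies the packet, and only then decrypts, so a sender that moves from SA_1 (AN 0) to SA_2 (AN 1) is decoded without any lost frame. The frame layout, the function names (`protect`, `unprotect`, `demo_switch_from_sa1_to_sa2`), and the sample SAK values are assumptions; the cipher is a deliberately simple SHA-256 keystream with an HMAC tag standing in for MACsec's AES-GCM, chosen so the example runs on a plain Python install.

```python
"""Receive SA selection by the AN field across an SA_1 -> SA_2 switch (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple


def _keystream(sak: bytes, pn: int, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode keyed by SAK and packet number.
    Real MACsec uses AES-GCM; this stand-in only illustrates SA selection."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(sak + struct.pack(">II", pn, counter)).digest()
        counter += 1
    return out[:length]


def protect(sak: bytes, an: int, pn: int, payload: bytes) -> bytes:
    """Build a frame: AN (1 byte) | PN (4 bytes) | ciphertext | 16-byte tag (assumed layout)."""
    header = struct.pack(">BI", an, pn)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(sak, pn, len(payload))))
    tag = hmac.new(sak, header + ct, hashlib.sha256).digest()[:16]
    return header + ct + tag


def unprotect(receive_sas: Dict[int, bytes], frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Select the receive SA by the AN in the header, verify the tag, then decrypt.
    Returns (an, payload), or None when the frame cannot be parsed or fails verification."""
    if len(frame) < 5 + 16:
        return None
    an, pn = struct.unpack(">BI", frame[:5])
    sak = receive_sas.get(an)
    if sak is None:
        return None              # no receive SA installed for this AN
    header, ct, tag = frame[:5], frame[5:-16], frame[-16:]
    expected = hmac.new(sak, header + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None              # verification failed: drop, do not decrypt
    payload = bytes(c ^ k for c, k in zip(ct, _keystream(sak, pn, len(ct))))
    return an, payload


def demo_switch_from_sa1_to_sa2() -> List[Optional[Tuple[int, bytes]]]:
    """Sender switches from SA_1 (AN 0) to SA_2 (AN 1); both are in the receiver's chain.
    A third frame under an AN the receiver never installed is rejected."""
    sas = {0: b"\x11" * 16, 1: b"\x22" * 16}   # constructed sample SAKs installed on both ends
    results = []
    for an, pn, msg in [(0, 1, b"before"), (1, 1, b"after"), (2, 1, b"unknown")]:
        sender_key = sas.get(an, b"\x33" * 16)  # AN 2 exists only on the sending side here
        results.append(unprotect(sas, protect(sender_key, an, pn, msg)))
    return results


if __name__ == "__main__":
    print(demo_switch_from_sa1_to_sa2())   # [(0, b'before'), (1, b'after'), None]
```

Keeping both SA_1 and SA_2 installed on the receiver is what makes the switch lossless: frames still in flight under the old AN decode exactly as frames under the new one, and the receiver needs no signal telling it when the sender moved.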
In the embodiment of the present disclosure, if the first device and the second device are configured with new connection association key information and it is determined that the new connection association key information is the same on both, each obtains a corresponding third SAK set based on the new connection association key information, issues the third SAK set to its own first switch board or second switch board, and the first switch board and the second switch board respectively store the third SAK set in their key authentication chain tables behind the existing first SAKs and/or second SAKs.
Optionally, in this embodiment of the present disclosure, a periodic deletion operation may be performed on each SAK included in the key authentication linked list, so as to delete an SAK that is no longer used and a corresponding SA; and when a new SAK set is issued each time, detecting whether each SAK contained in the key authentication chain table is respectively valid, and if one or more SAKs in the key authentication chain table are determined to be invalid, executing deletion operation aiming at the one or more SAKs.
Optionally, in this embodiment of the present disclosure, if encrypted transmission is no longer required between the first device and the second device, the first device or the second device disconnects the secure link between the first device and the second device, and after deleting the corresponding key authentication chain table, performs transmission of the unencrypted data packet between the first device and the second device.
For example, referring to fig. 9, the case in which the first device and the second device are reconfigured with the same connection association key information (i.e., CAK and/or CAN) is taken as an example.
It is assumed that the first device and the second device obtain an updated third SAK set based on the connection association key information, and that the second device is the SAK generating device.
Then, the first device and the second device respectively issue the obtained third SAK sets to the respective first switch board card and the second switch board card, and respectively store the third SAK sets after the existing second SAKs in the key authentication chain table through the first switch board card and the second switch board card, where the first SAKs are stored before the second SAKs.
After the third SAK sets are stored by the first switch board card and the second switch board card, failure detection is performed on each existing first SAK and each second SAK included in the respective key authentication chain table.
Further, it is assumed that SA_1 (SAK) and SA_3 (SAK) in the key authentication chain table are found to be invalid.
The first device then deletes both SA_1 (SAK) and SA_3 (SAK) through the first switch board, and the second device deletes both SA_1 (SAK) and SA_3 (SAK) through the second switch board.
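The install-then-prune sequence of the fig. 9 example and the periodic deletion described a few paragraphs earlier, as an added example that is not the patent's or its assignee's code. A third SAK set is appended behind the first and second sets, a failure check runs over every SAK in the chain, and the invalid ones (and their SAs) are removed while the ordering of the survivors is preserved. The record layout, the use of an expiry time as the invalidity criterion, and the names `SakRecord`, `install_sak_set`, `failure_check`, `delete_invalid` and `demo_third_set` are assumptions; the patent only states that an SAK is detected as invalid, not how.

```python
"""Installing a new SAK set and deleting invalid SAKs from the chain table (added example)."""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class SakRecord:
    """One SAK in the chain table (constructed sample structure)."""
    name: str          # e.g. "SA_1"
    sak_set: int       # 1 = first set, 2 = second set, 3 = third set
    expires_at: float  # assumed validity criterion: invalid once this time has passed


def install_sak_set(chain: List[SakRecord], new_set: List[SakRecord]) -> List[SakRecord]:
    """Append the new set behind every existing record: first set, then second, then third."""
    chain.extend(new_set)
    return chain


def failure_check(chain: List[SakRecord], now: float, reported_invalid: Set[str]) -> List[str]:
    """Run on every new issue (and periodically): names of SAKs that are no longer valid,
    either expired by time or explicitly reported invalid by the switch board."""
    return [r.name for r in chain if r.expires_at <= now or r.name in reported_invalid]


def delete_invalid(chain: List[SakRecord], invalid: List[str]) -> List[str]:
    """Delete the listed SAKs in place; returns the names still in the chain, in order."""
    chain[:] = [r for r in chain if r.name not in invalid]
    return [r.name for r in chain]


def demo_third_set(now: float = 100.0) -> List[str]:
    """Reproduce the fig. 9 shape: three sets installed, then SA_1 and SA_3 found invalid."""
    chain = [SakRecord("SA_1", 1, 50.0), SakRecord("SA_2", 1, 200.0)]                # first set
    install_sak_set(chain, [SakRecord("SA_3", 2, 90.0), SakRecord("SA_4", 2, 300.0)])   # second set
    install_sak_set(chain, [SakRecord("SA_5", 3, 400.0), SakRecord("SA_6", 3, 400.0)])  # third set
    invalid = failure_check(chain, now, set())
    return delete_invalid(chain, invalid)


if __name__ == "__main__":
    print(demo_third_set())          # ['SA_2', 'SA_4', 'SA_5', 'SA_6']
    print(demo_third_set(now=250.0)) # ['SA_4', 'SA_5', 'SA_6']
```

Deleting only after the new set is in place matters: the chain never momentarily holds zero valid SAKs, so the switch board always has something to select while the management layer tidies up.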
Based on the same inventive concept, referring to fig. 10, an embodiment of the present disclosure provides a lossless switching apparatus for data transmission, which is applied to a first device (e.g., a network transmission device), where the first device includes a first switch board, a first master management board, and a first standby management board, and the apparatus includes:
a first transmission module 1001, configured to perform encrypted transmission of a data packet with a second device through the first switch board based on a first security association key SAK set, where the first SAK set includes at least one first SAK, and each first SAK is issued to the first switch board through the first master control management board;
a replacing module 1002, configured to, in the process of performing encrypted transmission of a data packet with the second device, if the first master management board is abnormal, start the first standby management board to perform a replacing operation for the first master management board, and continue to perform encrypted transmission of a data packet with the second device through the first switch board based on the first SAK set;
a second transmission module 1003, configured to perform an SAK update negotiation with the second device after the replacement operation is completed, to obtain a second SAK set, and perform encrypted transmission of a data packet with the second device through the first switch board based on the second SAK set when it is determined that a preset condition is met, where the second SAK set includes at least one second SAK, and each second SAK is issued to the first switch board through the first standby management board.
Optionally, when performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the first transmission module 1001 is configured to:
select one first SAK of the first SAK set from a key authentication linked list; and
perform encrypted transmission of data packets between the first switch board and a second switch board of the second device based on the selected first SAK;
and when performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, the second transmission module 1003 is configured to:
select one second SAK of the second SAK set from the key authentication linked list; and
perform encrypted transmission of data packets between the first switch board and the second switch board of the second device based on the selected second SAK.
Optionally, before performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the first transmission module 1001 is further configured to:
issue the first SAK set to the first switch board through the first master management board, and store it in the key authentication linked list through the first switch board;
and after performing the SAK update negotiation with the second device to obtain the second SAK set, the second transmission module 1003 is further configured to:
issue the second SAK set to the first switch board through the first standby management board, and store the second SAK set behind each first SAK in the key authentication linked list through the first switch board.
Optionally, when selecting one first SAK of the first SAK set from the key authentication linked list, the first transmission module 1001 is configured to:
if the first SAK set includes a plurality of first SAKs, select the currently effective first SAK of the first SAK set from the key authentication linked list;
and when performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set, the first transmission module 1001 is further configured to:
when the currently effective first SAK is determined to be invalid, select another currently effective first SAK of the first SAK set from the key authentication linked list, and perform encrypted transmission of data packets with the second device through the first switch board based on that other first SAK;
when selecting one second SAK of the second SAK set from the key authentication linked list, the second transmission module 1003 is configured to:
if the second SAK set includes a plurality of second SAKs, select the currently effective second SAK of the second SAK set from the key authentication linked list;
and when performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, the second transmission module 1003 is further configured to:
when the currently effective second SAK is determined to be invalid, select another currently effective second SAK of the second SAK set from the key authentication linked list, and perform encrypted transmission of data packets with the second device through the first switch board based on that other second SAK.
Optionally, the first transmission module 1001 is configured to obtain the first SAK set by:
obtaining the corresponding first SAK set through the first master management board based on connectivity association key information;
and the second transmission module 1003 is configured to perform the SAK update negotiation with the second device to obtain the second SAK set by:
obtaining the corresponding second SAK set through the first standby management board based on the same connectivity association key information;
where the connectivity association key information is pre-configured for the first device and the second device by a user or by an encryption service management server, and includes a secure connectivity association key (CAK) and/or a secure connectivity association key name (CAN).
Optionally, the preset condition includes one or both of the following:
a first preset time length has elapsed since the replacement operation was completed; and
the total amount of data packets sent based on the first SAK set has reached a preset threshold.
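The following model pulls together the data-plane behaviour described in the modules above: the switch board's key authentication linked list, selection of the currently effective SAK with fall-over to another valid SAK of the same set, appending the second SAK set behind the first, and the rollover that happens only after the replacement is complete and a preset condition (time elapsed or bytes sent) holds. It is an added example written for this page, not code from the patent or from Ruijie Networks; the class and function names, the timings, the thresholds and the SAK byte values are all constructed assumptions, and frames are not actually encrypted since the point is which key is selected and when.

```python
# Added example for this page, not code from the patent or Ruijie Networks.
# Names (SaEntry, KeyChain, SwitchBoard, simulate) and all timings, thresholds
# and SAK bytes are constructed assumptions; frames are not really encrypted.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SaEntry:
    """One node of the key authentication linked list on the switch board."""
    sa_id: str       # e.g. "SA_1"
    sak: bytes       # security association key (constructed sample value)
    set_id: int      # 1 = first SAK set, 2 = second SAK set
    issuer: str      # management board that issued it: "master" or "standby"
    valid: bool = True


class KeyChain:
    """Ordered SAK list; a newly negotiated set is appended behind the existing one."""

    def __init__(self) -> None:
        self.entries: List[SaEntry] = []

    def install_set(self, set_id: int, saks: Dict[str, bytes], issuer: str) -> None:
        for sa_id, sak in saks.items():
            self.entries.append(SaEntry(sa_id, sak, set_id, issuer))

    def current(self, set_id: int) -> Optional[SaEntry]:
        """Currently effective SAK of a set: first still-valid entry in chain order."""
        return next((e for e in self.entries if e.set_id == set_id and e.valid), None)

    def invalidate(self, sa_id: str) -> None:
        for e in self.entries:
            if e.sa_id == sa_id:
                e.valid = False

    def purge_invalid(self) -> List[str]:
        """Delete invalid SAs; each peer does this on its own switch board."""
        removed = [e.sa_id for e in self.entries if not e.valid]
        self.entries = [e for e in self.entries if e.valid]
        return removed


class SwitchBoard:
    """Data plane of the first device: keeps using the SAKs it already holds while
    the standby management board replaces the failed master."""

    def __init__(self, preset_duration: float, byte_threshold: int) -> None:
        self.chain = KeyChain()
        self.active_set = 1
        self.preset_duration = preset_duration  # "first preset time length"
        self.byte_threshold = byte_threshold    # "preset threshold" of bytes sent on set 1
        self.bytes_sent_on_set1 = 0
        self.replacement_done_at: Optional[float] = None

    def replacement_completed(self, now: float) -> None:
        self.replacement_done_at = now

    def maybe_switch(self, now: float) -> None:
        """Roll over to set 2 only once the replacement is complete, the standby has
        issued set 2, and at least one preset condition (time or bytes) holds."""
        if self.active_set != 1 or self.replacement_done_at is None:
            return
        if self.chain.current(2) is None:
            return
        time_ok = now - self.replacement_done_at >= self.preset_duration
        bytes_ok = self.bytes_sent_on_set1 >= self.byte_threshold
        if time_ok or bytes_ok:
            self.active_set = 2

    def send(self, payload: bytes, now: float) -> str:
        """Choose the SAK protecting this frame and return its SA id."""
        self.maybe_switch(now)
        entry = self.chain.current(self.active_set)
        if entry is None:
            # No usable key: exactly the packet loss the scheme is meant to avoid.
            raise RuntimeError("no valid SAK in the active set")
        if self.active_set == 1:
            self.bytes_sent_on_set1 += len(payload)
        return entry.sa_id


def simulate() -> List[str]:
    """Constructed timeline: master fails at t=1, standby finishes replacement at t=3."""
    sb = SwitchBoard(preset_duration=5.0, byte_threshold=5000)
    sb.chain.install_set(1, {"SA_1": b"\x01" * 16, "SA_2": b"\x02" * 16,
                             "SA_3": b"\x03" * 16}, issuer="master")
    used = [sb.send(b"A" * 1000, now=0.0)]      # SA_1 in normal operation
    used.append(sb.send(b"A" * 1000, now=1.0))  # master is down; data plane unaffected
    sb.chain.invalidate("SA_1")                 # SA_1 expires during the failover
    used.append(sb.send(b"A" * 1000, now=2.0))  # falls over to SA_2, still set 1
    sb.replacement_completed(now=3.0)
    sb.chain.install_set(2, {"SA_4": b"\x04" * 16}, issuer="standby")  # behind SA_1..3
    used.append(sb.send(b"A" * 10, now=3.5))    # 0.5 s < 5 s, 3000 B < 5000 B: stay on SA_2
    used.append(sb.send(b"A" * 10, now=8.0))    # 5 s elapsed: switch to SA_4
    sb.chain.purge_invalid()                    # drop SA_1 here; the peer does the same
    return used
```

The design point worth noticing is that `maybe_switch` never fires before `replacement_completed` has been called: a second SAK set is only meaningful once the standby board is in place to have negotiated it, and until then the board survives on whatever valid first SAKs remain in the list. `simulate()` returns the SA used for each frame, which is the observable a practitioner would check on real hardware (for instance from the per-SA counters) to confirm that no frame went out without a key.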
Based on the same inventive concept, and referring to fig. 11, an embodiment of the present disclosure provides a lossless switching apparatus for data transmission that is applied to a second device (for example, a network transmission device). The second device includes a second switch board, a second master management board and a second standby management board, and the apparatus includes:
a first transmission module 1101, configured to perform encrypted transmission of data packets with a first device through the second switch board based on a first security association key (SAK) set, where the first SAK set includes at least one first SAK and each first SAK is issued to the second switch board by the second master management board;
a determining module 1102, configured to, if it is determined while data packets are being transmitted to the first device under encryption that a first master management board of the first device is abnormal, continue the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, and to perform an SAK update negotiation with the first device to obtain a second SAK set;
a second transmission module 1103, configured to perform, once a preset condition is determined to be met, encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, where the second SAK set includes at least one second SAK and each second SAK is issued to the second switch board by the second master management board, which is not affected by the fault on the first device.
Optionally, the first transmission module 1101 is configured to determine that the first master management board of the first device is abnormal when:
no keep-alive message from the first device is received by the second master management board within a second preset time length;
and after it is determined that the first master management board of the first device is abnormal, the determining module 1102 is further configured to:
disconnect, through the second master management board, the secure link to the first master management board of the first device.
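The keep-alive check just described is a control-plane liveness decision that must not disturb the data plane. The sketch below models it on the second device's master management board: the first device's master is declared abnormal exactly once when no keep-alive has arrived within the preset time, the secure link to that board is marked down, and the link comes back up when the next keep-alive arrives. It is an added example for this page, not code from the patent or from Ruijie Networks; the class name, the event strings and the keep-alive timeline are constructed assumptions, and the page only states the timeout rule and the disconnection, so treating the first keep-alive from the standby as re-establishing the link is an assumption made here.

```python
# Added example for this page, not code from the patent or Ruijie Networks.
# PeerLivenessMonitor, the event names and the timeline in run_timeline() are
# constructed assumptions; re-establishing the link on the first keep-alive
# from the peer's standby board is an assumption, not a statement of the page.
from typing import List, Optional, Tuple


class PeerLivenessMonitor:
    """Runs on the second device's master management board (control plane only)."""

    def __init__(self, timeout: float) -> None:
        self.timeout = timeout                    # "second preset time length"
        self.last_keepalive: Optional[float] = None
        self.link_up = False
        self.peer_master_abnormal = False

    def on_keepalive(self, now: float, sender: str) -> List[str]:
        events: List[str] = []
        if not self.link_up:
            # First keep-alive from a (new) peer master brings the secure link up;
            # only then can an SAK update negotiation with that board start.
            self.link_up = True
            self.peer_master_abnormal = False
            events.append(f"secure_link_up:{sender}")
        self.last_keepalive = now
        return events

    def poll(self, now: float) -> List[str]:
        """Periodic check. Declares the outage once per outage; the switch board
        keeps encrypting with the first SAK set whatever this state is."""
        if not self.link_up or self.last_keepalive is None:
            return []
        if now - self.last_keepalive <= self.timeout:
            return []
        self.peer_master_abnormal = True
        self.link_up = False
        return ["peer_master_abnormal", "secure_link_down"]


def run_timeline(timeout: float) -> List[Tuple[float, str]]:
    """Constructed sequence: the first device's master sends keep-alives once a
    second, fails after t=2, and its standby board first speaks at t=7."""
    mon = PeerLivenessMonitor(timeout)
    log: List[Tuple[float, str]] = []
    steps = [
        ("ka", 0.0, "first-master"), ("ka", 1.0, "first-master"), ("ka", 2.0, "first-master"),
        ("poll", 3.0, ""), ("poll", 4.5, ""), ("poll", 5.5, ""), ("poll", 6.0, ""),
        ("ka", 7.0, "first-standby"), ("poll", 8.0, ""),
    ]
    for kind, t, sender in steps:
        evs = mon.on_keepalive(t, sender) if kind == "ka" else mon.poll(t)
        log.extend((t, e) for e in evs)
    return log
```

Two details matter in practice. The declaration is edge-triggered (the second `poll` after the timeout returns nothing), so the data plane is not told repeatedly to do something; and the comparison uses `<=`, so a keep-alive that lands exactly at the deadline is still accepted. Tuning `timeout` is the usual trade-off between detecting a dead master quickly and tolerating ordinary control-plane jitter.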
Optionally, when performing encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the first transmission module 1101 is configured to:
select one first SAK of the first SAK set from a key authentication linked list; and
perform encrypted transmission of data packets between the second switch board and a first switch board of the first device based on the selected first SAK;
and when performing encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, the second transmission module 1103 is configured to:
select one second SAK of the second SAK set from the key authentication linked list; and
perform encrypted transmission of data packets between the second switch board and the first switch board of the first device based on the selected second SAK.
Optionally, before performing encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the first transmission module 1101 is further configured to:
issue the first SAK set to the second switch board through the second master management board, and store it in the key authentication linked list through the second switch board;
and after obtaining the second SAK set, the second transmission module 1103 is further configured to:
issue the second SAK set to the second switch board through the second master management board, and store the second SAK set behind each first SAK in the key authentication linked list through the second switch board.
Optionally, when selecting one first SAK of the first SAK set from the key authentication linked list, the first transmission module 1101 is configured to:
if the first SAK set includes a plurality of first SAKs, select the currently effective first SAK of the first SAK set from the key authentication linked list;
and when performing encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, the first transmission module 1101 is further configured to:
when the currently effective first SAK is determined to be invalid, select another currently effective first SAK of the first SAK set from the key authentication linked list, and perform encrypted transmission of data packets with the first device through the second switch board based on that other first SAK;
when selecting one second SAK of the second SAK set from the key authentication linked list, the second transmission module 1103 is configured to:
if the second SAK set includes a plurality of second SAKs, select the currently effective second SAK of the second SAK set from the key authentication linked list;
and when performing encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, the second transmission module 1103 is further configured to:
when the currently effective second SAK is determined to be invalid, select another currently effective second SAK of the second SAK set from the key authentication linked list, and perform encrypted transmission of data packets with the first device through the second switch board based on that other second SAK.
Optionally, the first transmission module 1101 is configured to obtain the first SAK set by:
obtaining the corresponding first SAK set through the second master management board based on connectivity association key information;
and the second transmission module 1103 is configured to perform the SAK update negotiation with the first device to obtain the second SAK set by:
performing the SAK update negotiation with the first device, and obtaining the corresponding second SAK set through the second master management board based on the same connectivity association key information;
where the connectivity association key information is pre-configured for the first device and the second device by a user or by an encryption service management server, and includes a secure connectivity association key (CAK) and/or a secure connectivity association key name (CAN).
Optionally, the preset condition includes one or both of the following:
a third preset time length has elapsed since the SAK update negotiation with the first device; and
the total amount of data packets sent based on the first SAK set has reached a preset threshold.
Referring to fig. 12, an embodiment of the present disclosure provides a network transmission device including a memory 1201 and a processor 1202, specifically:
a memory 1201 for storing computer programs or instructions; and
a processor 1202 for executing the computer programs or instructions in the memory so as to carry out any one of the methods performed by the lossless switching apparatus for data transmission (for example, a network transmission device) described in the embodiments above.
The embodiment of the present disclosure does not limit the specific connection medium between the memory 1201 and the processor 1202. In fig. 12 the memory 1201 and the processor 1202 are connected by a bus 1200, drawn as a thick line; the connection manner between the other components is merely illustrative and not limiting. The bus 1200 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is shown in fig. 12, but this does not mean that there is only one bus or only one type of bus.
The memory 1201 may be a volatile memory such as a random-access memory (RAM), or a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium that can carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1201 may also be a combination of the above.
Based on the same inventive concept, the disclosed embodiments provide a computer-readable storage medium, on which computer program instructions are stored, and the computer program instructions, when executed by a processor, implement any one of the methods performed by the lossless switching apparatus (e.g., network transmission device) for data transmission in the above embodiments.
In summary, in the embodiment of the present disclosure, while data packets are being transmitted under encryption between the first device and the second device, if the first master management board becomes abnormal, the first standby management board is started to perform a replacement operation for the first master management board, and the first switch board continues the encrypted transmission of data packets with the second device based on the first SAK set. After the replacement operation is completed and a preset condition is determined to be met, encrypted transmission of data packets with the second device is performed through the first switch board based on a second SAK set obtained by an SAK update negotiation with the second device. The first SAK set includes at least one first SAK, each issued to the first switch board by the first master management board; the second SAK set includes at least one second SAK, each issued to the first switch board by the first standby management board. Because the first switch board already holds at least one first SAK, encrypted transmission with the second device can continue on the first SAK set while the first standby management board replaces the first master management board, which lengthens the time available for the first device to recover from the fault and keeps the encryption service between the two devices running. Switching to the second SAK set only after the replacement is complete and the preset condition is met then achieves lossless, smooth switching of data packets on the first switch board (that is, on the data plane) between the first device and the second device, and solves the problem of data packets being lost because the first master management board of the first device is abnormal.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the present disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications can be made in the present disclosure without departing from the spirit and scope of the disclosure. Thus, if such modifications and variations of the present disclosure fall within the scope of the claims of the present disclosure and their equivalents, the present disclosure is intended to include such modifications and variations as well.

Claims (12)

1. A lossless switching method for data transmission, applied to a first device, wherein the first device comprises a first switch board, a first master management board and a first standby management board, and the method comprises:
performing encrypted transmission of data packets with a second device through the first switch board based on a first security association key (SAK) set, wherein the first SAK set comprises at least one first SAK, and each first SAK is issued to the first switch board through the first master management board;
if the first master management board becomes abnormal while data packets are being transmitted to the second device under encryption, starting the first standby management board to perform a replacement operation for the first master management board, and continuing the encrypted transmission of data packets with the second device through the first switch board based on the first SAK set; and
after the replacement operation is completed, performing an SAK update negotiation with the second device to obtain a second SAK set, and, when it is determined that a preset condition is met, performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, wherein the second SAK set comprises at least one second SAK, and each second SAK is issued to the first switch board through the first standby management board.
2. The method of claim 1, wherein the performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set comprises:
selecting one first SAK of the first SAK set from a key authentication linked list; and
performing encrypted transmission of data packets between the first switch board and a second switch board of the second device based on the selected first SAK;
and the performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set comprises:
selecting one second SAK of the second SAK set from the key authentication linked list; and
performing encrypted transmission of data packets between the first switch board and the second switch board of the second device based on the selected second SAK.
3. The method of claim 2, further comprising, before the performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set:
issuing the first SAK set to the first switch board through the first master management board, and storing it in the key authentication linked list through the first switch board;
and, after the performing an SAK update negotiation with the second device to obtain a second SAK set, the method further comprises:
issuing the second SAK set to the first switch board through the first standby management board, and storing the second SAK set behind each first SAK in the key authentication linked list through the first switch board.
4. The method of claim 2, wherein the selecting one first SAK of the first SAK set from a key authentication linked list comprises:
if the first SAK set comprises a plurality of first SAKs, selecting the currently effective first SAK of the first SAK set from the key authentication linked list;
the performing encrypted transmission of data packets with the second device through the first switch board based on the first SAK set further comprises:
when the currently effective first SAK is determined to be invalid, selecting another currently effective first SAK of the first SAK set from the key authentication linked list, and performing encrypted transmission of data packets with the second device through the first switch board based on that other first SAK;
the selecting one second SAK of the second SAK set from the key authentication linked list comprises:
if the second SAK set comprises a plurality of second SAKs, selecting the currently effective second SAK of the second SAK set from the key authentication linked list;
and the performing encrypted transmission of data packets with the second device through the first switch board based on the second SAK set further comprises:
when the currently effective second SAK is determined to be invalid, selecting another currently effective second SAK of the second SAK set from the key authentication linked list, and performing encrypted transmission of data packets with the second device through the first switch board based on that other second SAK.
5. The method of any one of claims 1-4, wherein the first SAK set is obtained by:
obtaining the corresponding first SAK set through the first master management board based on connectivity association key information;
and the performing an SAK update negotiation with the second device to obtain a second SAK set comprises:
obtaining the corresponding second SAK set through the first standby management board based on the connectivity association key information;
wherein the connectivity association key information is pre-configured for the first device and the second device by a user or by an encryption service management server, and comprises a secure connectivity association key (CAK) and/or a secure connectivity association key name (CAN).
6. The method of claim 5, wherein the preset condition comprises one or both of:
a first preset time length having elapsed since the replacement operation was completed; and
the total amount of data packets sent based on the first SAK set having reached a preset threshold.
7. A lossless switching method for data transmission, applied to a second device, wherein the second device comprises a second switch board, a second master management board and a second standby management board, and the method comprises:
performing encrypted transmission of data packets with a first device through the second switch board based on a first security association key (SAK) set, wherein the first SAK set comprises at least one first SAK, and each first SAK is issued to the second switch board through the second master management board;
if it is determined, while data packets are being transmitted to the first device under encryption, that a first master management board of the first device is abnormal, continuing the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, and performing an SAK update negotiation with the first device to obtain a second SAK set; and
when it is determined that a preset condition is met, performing encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, wherein the second SAK set comprises at least one second SAK, and each second SAK is issued to the second switch board through the second master management board.
8. A lossless switching apparatus for data transmission, applied to a first device, wherein the first device comprises a first switch board, a first master management board and a first standby management board, and the apparatus comprises:
a first transmission module, configured to perform encrypted transmission of data packets with a second device through the first switch board based on a first security association key (SAK) set, wherein the first SAK set comprises at least one first SAK, and each first SAK is issued to the first switch board through the first master management board;
a replacement module, configured to, if the first master management board becomes abnormal while data packets are being transmitted to the second device under encryption, start the first standby management board to perform a replacement operation for the first master management board, and to continue the encrypted transmission of data packets with the second device through the first switch board based on the first SAK set; and
a second transmission module, configured to perform an SAK update negotiation with the second device after the replacement operation is completed so as to obtain a second SAK set, and, when it is determined that a preset condition is met, to perform encrypted transmission of data packets with the second device through the first switch board based on the second SAK set, wherein the second SAK set comprises at least one second SAK, and each second SAK is issued to the first switch board through the first standby management board.
9. A lossless switching apparatus for data transmission, applied to a second device, wherein the second device comprises a second switch board, a second master management board and a second standby management board, and the apparatus comprises:
a first transmission module, configured to perform encrypted transmission of data packets with a first device through the second switch board based on a first security association key (SAK) set, wherein the first SAK set comprises at least one first SAK, and each first SAK is issued to the second switch board through the second master management board;
a determining module, configured to, if it is determined while data packets are being transmitted to the first device under encryption that a first master management board of the first device is abnormal, continue the encrypted transmission of data packets with the first device through the second switch board based on the first SAK set, and to perform an SAK update negotiation with the first device to obtain a second SAK set; and
a second transmission module, configured to perform, when it is determined that a preset condition is met, encrypted transmission of data packets with the first device through the second switch board based on the second SAK set, wherein the second SAK set comprises at least one second SAK, and each second SAK is issued to the second switch board through the second master management board.
10. A lossless switching system for data transmission, the system comprising a first device and a second device, wherein
the first device comprises a first switch board, a first master management board and a first standby management board; the first switch board is configured to perform encrypted transmission of data packets with the second device based on a first security association key (SAK) set; to continue, when the first master management board is abnormal and the replacement operation of the first standby management board for the first master management board has been started, the encrypted transmission of data packets with the second device based on the first SAK set; and to perform an SAK update negotiation with the second device after the replacement operation is completed so as to obtain a second SAK set, and, when it is determined that a preset condition is met, to perform encrypted transmission of data packets with the second device based on the second SAK set;
the second device comprises a second switch board, a second master management board and a second standby management board; the second switch board is configured to perform encrypted transmission of data packets with the first device based on the first SAK set; to continue, when it is determined that the first master management board is abnormal, the encrypted transmission of data packets with the first device based on the first SAK set, and to perform an SAK update negotiation with the first device so as to obtain the second SAK set; and, when it is determined that the preset condition is met, to perform encrypted transmission of data packets with the first device based on the second SAK set.
11. A network transmission device, comprising a processor and a memory,
the memory for storing computer programs or instructions;
the processor for executing a computer program or instructions in a memory, such that the method of any of claims 1-7 is performed.
12. A computer-readable storage medium, having computer program instructions stored thereon, which, when executed by a processor, implement the steps of the method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111081084.2A CN113709069B (en) 2021-09-15 Lossless switching method and device for data transmission

Publications (2)

Publication Number Publication Date
CN113709069A true CN113709069A (en) 2021-11-26
CN113709069B CN113709069B (en) 2024-04-19

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030117949A1 (en) * 2001-12-21 2003-06-26 Moller Hanan Z. Method and apparatus for switching between active and standby switch fabrics with no loss of data
US20080205653A1 (en) * 2005-09-20 2008-08-28 Telefonaktiebolaget Lm Ericsson (Publ) Method and Mobility Anchor Point for Authenticating Updates from Mobile Node
CN101442471A (en) * 2008-12-31 2009-05-27 Hangzhou H3C Technologies Co., Ltd. Method for implementing backup and switch of IPSec tunnel, system and node equipment, networking architecture
CN101848399A (en) * 2009-03-24 2010-09-29 Huawei Technologies Co., Ltd. Nondestructive changeover method, nondestructive changeover equipment and switching equipment
US20110296044A1 (en) * 2010-05-25 2011-12-01 Brian Weis Keep-alive hiatus declaration
CN103501298A (en) * 2013-09-29 2014-01-08 Hangzhou H3C Technologies Co., Ltd. Method and device for ensuring continuous flow in a link circuit during no-break service upgrade process
JP2015133610A (en) * 2014-01-14 2015-07-23 Sumitomo Electric Industries, Ltd. Station side device, PON system and control method of station side device
CN107769914A (en) * 2016-08-17 2018-03-06 Huawei Technologies Co., Ltd. Protect the method and the network equipment of data transmission security
US20180302269A1 (en) * 2017-04-17 2018-10-18 Hewlett Packard Enterprise Development Lp Failover in a Media Access Control Security Capable Device
US20190386824A1 (en) * 2018-06-13 2019-12-19 Hewlett Packard Enterprise Development Lp Failover in a media access control security capabale device
US20210067329A1 (en) * 2018-01-16 2021-03-04 Raytheon Company High availability secure network including dual mode authentication
CN112787802A (en) * 2019-11-11 2021-05-11 ZTE Corporation Key switching method, device, terminal and computer readable storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant