CN113852552B - Network communication method, system and storage medium - Google Patents


Info

Publication number
CN113852552B
Authority
CN
China
Prior art keywords
message
node
security association
network communication
sid
Prior art date
Legal status
Active
Application number
CN202111113185.3A
Other languages
Chinese (zh)
Other versions
CN113852552A (en)
Inventor
邢业平
王兵
张晨
黄韬
Current Assignee
Network Communication and Security Zijinshan Laboratory
Original Assignee
Network Communication and Security Zijinshan Laboratory
Application filed by Network Communication and Security Zijinshan Laboratory
Priority to CN202111113185.3A
Publication of CN113852552A
Application granted
Publication of CN113852552B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L45/00 Routing or path finding of packets in data switching networks
            • H04L45/34 Source routing
            • H04L45/54 Organization of routing tables
            • H04L45/74 Address processing for routing
              • H04L45/745 Address table lookup; Address filtering
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses an SRv6-based network communication method and system, belonging to the field of IP networks. The network communication method comprises the following steps: at the head node, the message is matched to a segment routing policy according to the SR (segment routing) steering policy; whether the segment routing policy carries a security association index is judged; if so, the message is encrypted with the matched security association and then processed according to the SR steering policy; if not, the message is processed according to the SR steering policy directly. The tail node receives the message and performs SR processing; whether the SID carries a decryption attribute is judged; if so, the message is decrypted with the security association specified in the decryption attribute and then processed by the END action of the SID at the tail node; if not, the tail node processes the message with the END action of the SID directly.

Description

Network communication method, system and storage medium
Technical Field
The invention relates to the field of network communication, in particular to an SRv6-based network communication method, system and storage medium.
Background
In current IPv6 networks, when both encryption/authentication of an IP packet and path selection for the packet are required, SRv6 (Segment Routing over IPv6) and IPsec (IP security) are generally used in combination. The message structure of an SRv6 and IPsec tunnel-mode ESP combination is shown in fig. 1.
In the existing approach, combining the two services causes the following problems:
1. Both services provide tunnel encapsulation. When the two must be combined, serial processing of the two services on the forwarding plane causes the message's outer IP header to be encapsulated incorrectly.
2. During forwarding, the End node must process the SRv6 SID instruction first and only then the IPsec service; but among the SRv6 End-node actions, End.T and similar actions need the inner IP packet for forwarding, and at that point the inner packet is still ciphertext and cannot be processed further.
Disclosure of Invention
To address the defects of the prior art, the invention provides an SRv6-based network communication method, system and storage medium.
As one aspect of the present application, a network communication method is provided, comprising the following steps:
at the head node, a message is matched to a segment routing policy according to the SR (segment routing) steering policy; if the segment routing policy contains an index corresponding to an IPsec (Internet protocol security) security association and an SID (segment identifier) related to SRv6, the head node encrypts the message with the security association corresponding to the index and sends the encrypted message to an intermediate node; the tail node receives the encrypted message forwarded by the intermediate node and decrypts it through the decryption attribute carried by the SID.
Optionally, the segment routing policy is configured according to the SR steering policy.
Optionally, the security association is configured with an SPI, a decryption key, or a decryption algorithm.
Optionally, the intermediate node forwards the encrypted packet according to the path information provided by the segment routing policy.
Optionally, the SID is in IPv6 format.
Optionally, the message of the head node encapsulates an SRv6 header and an ESP trailer, and the segment routing policy is configured in the SRv6 header.
Optionally, the decryption attribute decrypts the encrypted message by a security association pointed to by the index of the encrypted message.
As another aspect of the present application, a network communication system is provided, comprising: a sending end and a receiving end; a head node connected to the sending end; a tail node connected to the receiving end; and a plurality of intermediate nodes coupled between the head node and the tail node for forwarding packets. In the head node, the packet is encrypted by the security association pointed to by the security association index in the segment routing policy, the segment routing policy designating an index corresponding to the IPsec security association and an SID related to SRv6; in the tail node, the message is decrypted by the decryption attribute carried in SRv6.
Preferably, the message of the head node encapsulates an SRv6 header and an ESP trailer, and the segment routing policy is configured in the SRv6 header. Optionally, the security association is configured with an SPI, a decryption key, or a decryption algorithm.
Optionally, an index in the decryption attribute indicates the security association.
Optionally, the packet is encapsulated with an SRv6 header and an ESP trailer.
The above-described method or system can also be applied in devices, for example: a computer-readable storage medium comprising instructions stored thereon which, when executed, implement any of the above-described network communication methods.
A router comprises a storage medium and an executor, wherein the executor executes instructions stored in the storage medium to realize any one of the network communication methods. The invention also discloses applications of the equipment, such as the application of any one of the systems in SD-WAN.
The invention realizes combined SRv6 and IPsec message processing by adding an encryption attribute to the segment routing policy (SR-Policy) and an additional decryption attribute to the SID. Moreover, since the index of the security association is indicated directly in the decryption attribute, the corresponding security association can be matched quickly, which improves forwarding speed.
Drawings
The invention will be further described with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of a tunnel encapsulation message combining SRv6 and IPsec ESP in the prior art;
fig. 2 is a flow chart of message processing in a head node of the present application;
fig. 3 is a flow chart of message processing in a tail node of the present application;
fig. 4 is a schematic view of an application scenario in a specific example of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In some specific examples of the present invention, a network communication method combining SRv6 and IPsec is disclosed, which may include the following steps. As shown in fig. 2, at the head node the packet is matched to a segment routing policy according to the SR steering policy; whether the segment routing policy carries a Security Association (SA) index is judged; if so, the packet is encrypted with the matched security association and then processed according to the SR steering policy; if not, the packet is processed according to the SR steering policy directly. That is, the segment routing policy is configured according to the SR steering policy, and the intermediate nodes forward the encrypted packet according to the path information provided by the segment routing policy. In addition, as shown in fig. 1, the encrypted packet may be encapsulated between the SRv6 header and the ESP trailer, with the segment routing policy configured in the SRv6 header.
As shown in fig. 3, the tail node receives the packet and performs segment routing processing; whether the SID carries a decryption attribute is judged; if so, the packet is decrypted with the security association specified by the index in the decryption attribute and then processed by the END action of the SID; if not, the tail node processes the packet with the END action of the SID directly. This resolves the problem that actions such as End.T cannot forward the packet because the inner packet is still ciphertext after encapsulation. Because the corresponding security association is matched directly by index, forwarding becomes faster and more accurate. The security association is configured with an SPI, a decryption key, or a decryption algorithm.
In the above process, the SRv6 header inserted into the packet at the head node of the network is a Segment Routing Header (SRH); the segment list is pushed into the SRH, and the SRH identifies the active segment encoded in the segment list. In some examples of the invention, when a segment is completed it is retained in the segment list and the pointer is updated to the next segment, so the intermediate nodes keep updating the pointer and the outer address to complete forwarding. The intermediate nodes of the network forward according to the path information provided by the SRH extension header.
In some examples of the invention, segments in the segment routing list may be links describing a global segment or a global node, or pointing to a neighboring node.
In some examples of the invention, the SID refers to a Segment Routing Identifier, which may be configured in IPv6 format. In some examples of the present invention, the SID may include, but is not limited to, a Locator field, a Function field and an Args (arguments) field. The Locator identifies the physical address of the network node and directs routing and data forwarding; the stored Function value defines the device behavior; the Args define how the forwarding instruction is executed.
In some examples of the invention, a network communication system is proposed, comprising: an information sending end, a head node connected to the sending end, a tail node, a receiving end connected to the tail node, and a plurality of intermediate nodes. The head node matches the message to a segment routing policy according to the SR steering policy, judges whether the segment routing policy has a security association index, and processes the message according to the configured SR steering policy. The system may also be configured with SIDs marking destination addresses or links in the network communication system; the tail node performs SR processing on the received message and judges whether the SID carries a decryption attribute. The intermediate nodes are arranged between the head node and the tail node and forward the message.
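The Locator / Function / Args split of an IPv6-format SID described above, as an added Python example that is not part of the patent. The field widths are an assumption (a deployment setting the text does not fix): a 64-bit Locator and a 64-bit Function with no Args matches SIDs such as A2::1 used later on this page, and a 64/16/48 split is shown as an alternative.

```python
import ipaddress


def split_sid(sid, locator_bits=64, function_bits=64):
    """Split a 128-bit SRv6 SID into its Locator, Function and Args fields.

    Widths are per-deployment configuration; the 64/64/0 default is an
    assumption that fits SIDs written like A2::1 (locator a2::/64, function 1).
    """
    args_bits = 128 - locator_bits - function_bits
    if locator_bits <= 0 or function_bits <= 0 or args_bits < 0:
        raise ValueError("locator + function widths must fit in 128 bits")
    value = int(ipaddress.IPv6Address(sid))
    locator = value >> (128 - locator_bits)
    function = (value >> args_bits) & ((1 << function_bits) - 1)
    args = value & ((1 << args_bits) - 1)          # 0 when there is no Args field
    # The Locator is what the IPv6 network routes on, so express it as a prefix.
    locator_prefix = ipaddress.IPv6Network((locator << (128 - locator_bits), locator_bits))
    return {"locator": str(locator_prefix), "function": function, "args": args}


def build_sid(locator_prefix, function, args=0, function_bits=64):
    """Inverse of split_sid: compose a SID from a locator prefix, Function and Args."""
    net = ipaddress.IPv6Network(locator_prefix)
    args_bits = 128 - net.prefixlen - function_bits
    if args_bits < 0:
        raise ValueError("function width does not fit after the locator")
    if not 0 <= function < (1 << function_bits) or not 0 <= args < (1 << args_bits):
        raise ValueError("function or args value does not fit its field")
    value = int(net.network_address) | (function << args_bits) | args
    return str(ipaddress.IPv6Address(value))
```

With the 64/64 split, `split_sid("A2::1")` yields locator `a2::/64` and function 1, which is how the Local SID tables in the scenario below key their End and End.DT4 entries; a different width table would make the same bits read as a different Function and Args, so sender and receiver must agree on the split.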
In other examples of the present invention, a network communication system in a specific application scenario is disclosed, as shown in fig. 4. IPv4 hosts on the two sides serve as the information sending end and the information receiving end respectively, and communicate through an IPv6 network supporting SRv6 in the middle, whose intermediate nodes are B and C. Each node is configured in advance as follows:
Node A, the head node of the system in this example, is configured with an SRv6 segment routing policy according to the SR steering policy. The segment routing policy indicates the path information (A2::1, A3::1, A4::1), tunnel encapsulation, and the index of the encryption security association; the encryption security association itself is also configured, indicating its SPI, encryption key and encryption algorithm. SRv6 policy steering is configured.
A SID with the End action is configured on node B.
A SID with the End action is configured on node C, together with the additional feature PSP.
On node D, the tail node of the system in this example, a SID with the End.DT4 action is configured, indicating the corresponding IPv4 routing table, together with the additional decryption feature and the related security association index; the decryption security association is also configured, indicating its SPI, decryption key and decryption algorithm.
The message flow is as follows:
After receiving the IPv4 packet from the host side, node A obtains the segment routing policy according to the SR steering policy, finds the security association by the security association index configured in the segment routing policy, encrypts the packet, and then encapsulates the SRv6 extension header. The next-header field of the SRH carries the ESP protocol number, the SIDs of B, C and D are listed in the segment list, and the SL (Segments Left) of the SRH is initialized to 2; the SID A2::1 indicated by SL is copied to the outer IPv6 destination address, and the packet is forwarded by route lookup.
After receiving the packet, node B looks up its Local SID table by the outer IPv6 destination address A2::1, hits the End instruction action, decrements SL by 1, copies A3::1 indicated by SL into the outer IP header, and forwards by route lookup.
After receiving the packet, node C looks up its Local SID table by the outer IPv6 destination address A3::1, hits the End instruction action, decrements SL by 1, copies A4::1 indicated by SL into the outer IP header, pops the SRH extension header because A3::1 carries the additional action PSP and SL = 0, and forwards by route lookup.
After receiving the packet, node D looks up its Local SID table by the outer IPv6 destination address A4::1, hits the End.DT4 instruction action, decrypts according to the additional attribute by finding the decryption security association, strips the outer packet header, looks up the inner IP header in the routing table specified by End.DT4, and forwards the packet to the corresponding host.
It is understood that the above embodiment discloses a specific use scenario as an example, but the above network communication method or system can be applied in a router, and can also be applied in an SD-WAN scenario.
Further, in some examples of the invention, a computer-readable storage medium storing instructions is disclosed. When the instructions are executed, the network communication method in any example can be realized. More specifically, the instructions may be in a computer readable language. The computer may be a general purpose computing device or a special purpose computing device. In a specific implementation, the computer may be a desktop computer, a laptop computer, a network server, a Personal Digital Assistant (PDA), a mobile phone, a tablet computer, a wireless terminal device, a communication device, or an embedded device. The storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more integrated servers, data centers, and the like. For example, the storage medium may be, but is not limited to, a magnetic medium (e.g., a floppy Disk, a hard Disk, a magnetic tape), an optical medium (e.g., a Digital Versatile Disk (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)).
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are described in the specification and illustrated only to illustrate the principle of the present invention, but that various changes and modifications may be made therein without departing from the spirit and scope of the present invention, which fall within the scope of the invention as claimed.

Claims (9)

1. A network communication method, comprising the steps of:
at the head node, a message is matched to a segment routing policy according to the SR (segment routing) steering policy, and if the segment routing policy contains an index corresponding to an IPsec (Internet protocol security) security association and an SID (segment identifier) related to SRv6, the head node encrypts the message with the security association corresponding to the index and sends the encrypted message to an intermediate node;
and the tail node receives the encrypted message forwarded by the intermediate node and decrypts the encrypted message through the decryption attribute carried by the SID.
2. The method of claim 1, wherein if the segment routing policy has no index corresponding to an IPsec security association, the message is processed using the SR steering policy.
3. The method according to claim 1, wherein the security association is configured with an SPI, a decryption key, or a decryption algorithm.
4. The network communication method according to claim 1, wherein the intermediate node forwards the encrypted packet according to the path information provided by the segment routing policy.
5. The network communication method according to claim 1, wherein the message of the head node encapsulates an SRv6 header and an ESP trailer, and the segment routing policy is configured in the SRv6 header.
6. The method according to claim 1, wherein the decryption attribute decrypts the encrypted message via a security association pointed to by an index of the encrypted message.
7. A network communication system, comprising: a sending end and a receiving end; a head node connected with the transmitting end; a tail node connected with the receiving end; and a plurality of intermediate nodes coupled between the head node and the tail node for forwarding packets,
in the head node, a message is matched to a segment routing policy according to the SR (segment routing) steering policy, and if the segment routing policy contains an index corresponding to an IPsec (Internet protocol security) security association and an SID (segment identifier) related to SRv6, the head node message is encrypted with the security association corresponding to the index and the encrypted message is sent to an intermediate node; in the tail node, the packet is decrypted by the decryption attribute of the SID associated with SRv6.
8. The network communication system according to claim 7, wherein the message of the head node encapsulates an SRv6 header and an ESP trailer, and the segment routing policy is configured in the SRv6 header.
9. A computer-readable storage medium, in which a computer program is stored, wherein the computer program, when executed by a processor, implements the network communication method according to any one of claims 1 to 6.
CN202111113185.3A 2021-09-23 2021-09-23 Network communication method, system and storage medium Active CN113852552B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111113185.3A CN113852552B (en) 2021-09-23 2021-09-23 Network communication method, system and storage medium

Publications (2)

Publication Number Publication Date
CN113852552A CN113852552A (en) 2021-12-28
CN113852552B true CN113852552B (en) 2023-04-18

Family

ID=78979281

Country Status (1)

Country Link
CN (1) CN113852552B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117377015A (en) * 2022-06-30 2024-01-09 中国移动通信有限公司研究院 Message transmission method, device, related equipment and storage medium
CN115396354B (en) * 2022-08-24 2023-06-02 苏州盛科通信股份有限公司 SRv6 message SID segmentation query method and application
CN116527405B (en) * 2023-06-30 2023-09-05 新华三技术有限公司 SRV6 message encryption transmission method and device and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018167539A1 (en) * 2017-03-16 2018-09-20 Telefonaktiebolaget Lm Ericsson (Publ) Ipsec bypass in sdn network
CN112600802A (en) * 2020-12-04 2021-04-02 盛科网络(苏州)有限公司 SRv6 encrypted message and SRv6 message encryption and decryption methods and devices
CN113347092A (en) * 2021-05-27 2021-09-03 大连理工大学 SRv6 data processing method based on IPv6

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7739728B1 (en) * 2005-05-20 2010-06-15 Avaya Inc. End-to-end IP security
US9794169B2 (en) * 2013-03-15 2017-10-17 Aerohive Networks, Inc. Application based data traffic routing using network tunneling
WO2017141081A1 (en) * 2016-02-15 2017-08-24 Telefonaktiebolaget Lm Ericsson (Publ) Techniques for exposing maximum node and/or link segment identifier depth utilizing is-is
CN112511427A (en) * 2020-01-14 2021-03-16 中兴通讯股份有限公司 Segment routing service processing method and device, routing equipment and storage medium
CN113141339A (en) * 2020-01-20 2021-07-20 华为技术有限公司 SR message transmission method, device and system
CN112350941B (en) * 2020-09-14 2021-08-24 网络通信与安全紫金山实验室 Message encapsulation method and sending method for ESP to realize source routing at the overlay layer
CN112637237B (en) * 2020-12-31 2022-08-16 网络通信与安全紫金山实验室 Service encryption method, system, equipment and storage medium based on SRoU

Also Published As

Publication number Publication date
CN113852552A (en) 2021-12-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant