CN114071264A - Communication method of network service on endogenous safety optical network and endogenous safety optical network - Google Patents


Info

Publication number
CN114071264A
Authority
CN
China
Prior art keywords
service
network
router
current
encryption
Legal status
Granted
Application number
CN202111342549.5A
Other languages
Chinese (zh)
Other versions
CN114071264B (en)
Inventor
李大伟
林亦雷
肖云杰
冯晨
刘莹
汤皓岚
Current Assignee
State Grid Shanghai Electric Power Co Ltd
Original Assignee
State Grid Shanghai Electric Power Co Ltd
Legal events
Application filed by State Grid Shanghai Electric Power Co Ltd
Priority to CN202111342549.5A
Publication of CN114071264A
Application granted
Publication of CN114071264B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H04Q11/0001 Selecting arrangements for multiplex systems using optical switching
    • H04Q11/0005 Switch and router aspects
    • H04Q11/0062 Network aspects
    • H04Q2011/0073 Provisions for forwarding or routing, e.g. lookup tables
    • H04Q2011/0075 Wavelength grouping or hierarchical aspects
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/20 Hop count for routing purposes, e.g. TTL
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

The invention discloses a communication method of network services on an endogenous safe optical network and the endogenous safe optical network. The method comprises the following steps: acquiring service attribute information of all network services through a current IP router, and transmitting the service attribute information to a corresponding current encryption and decryption terminal; determining and encrypting a security key required by all network services to be transmitted to a corresponding next hop IP router under the same wavelength channel according to the attribute information of each service by the current encryption and decryption terminal; transmitting all network services to be transmitted carried by the same wavelength channel to a corresponding next hop IP router through the current optical communication node; and taking the next-hop IP router as a new current IP router, and returning to continue executing the operation of acquiring the service attribute information until all network services finish communication. According to the embodiment of the invention, the network service communication is carried out through the encryption and decryption terminal and the attribute information of each service, so that the key resource is effectively saved, and the problems of low security level and low utilization rate of the key resource are solved.

Description

Communication method of network service on endogenous safety optical network and endogenous safety optical network
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a communication method of network services on an endogenous secure optical network and the endogenous secure optical network.
Background
In the big data era, the networking application of services has become a trend, and if a service data packet carrying confidential and sensitive information is stolen in the network communication process, the loss which is difficult to measure will be caused, so that the network communication security is more and more emphasized. The intrinsic safety optical communication technology is a network safety communication technology which is popular in recent years.
Fig. 1 shows the network architecture of an intrinsic safety optical network built on intrinsic safety optical communication technology. As shown in Fig. 1, the network consists of an IP layer 110 composed of Internet Protocol (IP) routers and an optical layer 120 composed of optical communication nodes based on Wavelength Division Multiplexing (WDM) technology, where each IP router of the IP layer 110 corresponds to one optical communication node of the optical layer 120. Network traffic is one of the main services carried by the optical network, and the optical layer 120 guarantees its quality of service by providing an "end-to-end" reliable optical channel. Converging several low-speed network services onto one high-speed optical channel improves network throughput and the utilization of network resources (such as WDM optical repeaters), and thereby reduces network cost. Fig. 1 also shows the communication process of network traffic on an endogenous secure optical network: network traffic 1, network traffic 2 and network traffic 3, which have the same source node but different sink nodes, converge onto the same wavelength channel through an IP port and a WDM optical repeater, and the corresponding IP traffic is separated at the IP router of each sink node.
In terms of network communication security, the endogenous secure optical network does not depend on any additional key distribution link: key agreement is completed mainly using physical-layer link attributes, and the keys generated between nodes are stored in the key storage module of the corresponding node's encryption terminal. However, the existing secure communication mechanism for network services based on physical-layer security is rigid and suited only to a small number of dedicated network services: keys are distributed and encryption and decryption are performed only at the source and destination nodes of each service, and the complex and diverse characteristics of the whole-network traffic carried by a backbone network are not considered. This easily causes a shortage of key resources and low key-resource utilization, which greatly increases the waiting delay and blocking rate of secure network service communication and seriously affects the performance of the optical network.
Disclosure of Invention
The invention provides a communication method of network services on an endogenous safe optical network and the endogenous safe optical network, which are used for realizing the safe communication of all the network services on the endogenous safe optical network.
In a first aspect, an embodiment of the present invention provides a method for communicating a network service on an endogenous secure optical network, where an IP layer and an optical layer of the endogenous secure optical network respectively include a set number of IP routers and optical communication nodes, and each IP router corresponds to an encryption/decryption terminal and an optical communication node, where the method includes:
after receiving the network service, the current IP router acquires the service attribute information of all the network services and transmits the service attribute information to the corresponding current encryption and decryption terminal;
determining and encrypting a security key required by all network services to be transmitted to a corresponding next hop IP router under the same wavelength channel according to the service attribute information by the current encryption and decryption terminal;
transmitting all network services to be transmitted carried by the same wavelength channel to a corresponding next hop IP router through the current optical communication node;
and taking the next-hop IP router as a new current IP router, and returning to continue executing the operation of acquiring the service attribute information until all network services finish communication.
In a second aspect, an embodiment of the present invention further provides an endogenous secure optical network, where the endogenous secure optical network includes: the system comprises an IP layer and an optical layer, wherein the IP layer and the optical layer respectively comprise a set number of IP routers and optical communication nodes, and each IP router corresponds to one encryption and decryption terminal and one optical communication node;
one IP router is used as the current IP router, and the corresponding encryption and decryption terminal and the corresponding optical communication node are respectively used as the current encryption and decryption terminal and the current optical communication node;
the current IP router is used for acquiring the service attribute information of all network services after receiving the network services and transmitting the service attribute information to the corresponding current encryption and decryption terminal;
the current encryption and decryption terminal is used for determining and encrypting a security key required by all network services to be transmitted to the corresponding next hop IP router under the same wavelength channel according to the service attribute information;
and the current optical communication node is used for transmitting all network services to be transmitted, which are carried by the same wavelength channel, to the corresponding next-hop IP router, and the next-hop IP router is used as a new current IP router.
In the technical scheme provided by the embodiment of the invention, firstly, after receiving network services through a current IP router, service attribute information of all the network services is obtained and transmitted to a corresponding current encryption and decryption terminal; then, determining and encrypting a security key required by all network services to be transmitted to a corresponding next hop IP router under the same wavelength channel according to the attribute information of each service by the current encryption and decryption terminal; then, all network services to be transmitted carried by the same wavelength channel are transmitted to the corresponding next hop IP router through the current optical communication node; and finally, taking the next-hop IP router as a new current IP router, and returning to continue executing the operation of acquiring the service attribute information until all network services finish communication. According to the embodiment of the invention, the encryption and decryption terminal determines and encrypts the security key required by all the network services to be transmitted to the corresponding next-hop IP router under the same wavelength channel according to the attribute information of each service so as to carry out the communication of the network services, thereby solving the problems of low security level and low key resource utilization rate in the existing IP service security communication and effectively saving key resources. And the key resources of the segmented link are fully utilized, the use of the key resources of the long-distance link is reduced, and the safe communication of all IP services on the endogenous safe optical network is completed while the key resources are saved and the utilization rate of the key resources is improved. 
Compared with the prior art, the adopted communication method of the network service on the endogenous safe optical network considers the characteristics of the complex diversity of the whole network IP service borne by the backbone network, solves the problem of low utilization rate of key resources, reduces the waiting time delay and the blocking rate of the safe communication of the IP service to a certain extent, and effectively improves the performance of the optical network.
Drawings
FIG. 1 is a network architecture diagram of an intrinsic safe optical network constructed based on intrinsic safe optical communication technology;
FIG. 2 is a schematic diagram of a communication process of network traffic over an endogenous secure optical network according to the prior art;
fig. 3 is a flowchart of a communication method of network services over an intrinsic safety optical network according to an embodiment of the present invention;
fig. 4 is a flowchart of a communication method of network services over an intrinsic safety optical network according to a second embodiment of the present invention;
fig. 5 is a schematic diagram of secure communication of an IP service on an endogenous secure optical network according to a third embodiment of the present invention;
fig. 6 is a schematic flowchart of a secure communication method of an IP service on an endogenous secure optical network according to a third embodiment of the present invention;
fig. 7 is a flowchart of a method for secure communication of an IP service over an endogenous secure optical network according to a third embodiment of the present invention;
fig. 8 is a schematic structural diagram of an endogenous secure optical network according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
To aid understanding of the prior-art communication process of network services on an endogenous secure optical network, Fig. 2 shows a schematic view of that process. As shown in Fig. 2, key agreement is completed between endogenous secure optical communication nodes using physical-layer link attributes, and the key generated between the nodes is stored in the key storage module of the corresponding node's encryption/decryption terminal. When a network service reaches the source node, the source and destination nodes of the service distribute a key to it from the key storage module of the encryption terminal; the encryption/decryption terminal encrypts the service with that key, the encrypted service is converged onto a wavelength channel through the IP router and the WDM optical repeater, and after the service reaches the destination node through the WDM optical repeater and the IP router, the IP service is decrypted. The Advanced Encryption Standard (AES) encryption algorithm has higher encryption efficiency and higher practicability than the information-theoretically secure one-time pad, and the security of the encrypted service can meet current security requirements. The network service secure communication process based on endogenous secure optical communication described above is mainly applicable to a small number of dedicated network services (such as those of government and financial departments), is difficult to adapt to the complex and diverse network services carried by a backbone network, and easily causes a shortage of key resources.
In view of this, the present application provides a communication method for network services on an endogenous secure optical network, which fully utilizes key resources of a segmented link, reduces the use of key resources of a remote link, and is beneficial to complete secure communication of all network services on the endogenous secure optical network while saving the key resources and improving the utilization rate of the key resources. And the performance of the optical network is effectively improved by considering the characteristics of the complexity and diversity of the whole network service borne by the backbone network.
Example one
Fig. 3 is a flowchart of a communication method for network services on an endogenous secure optical network according to an embodiment of the present invention, where this embodiment is applicable to a situation when performing secure communication on all network services on an endogenous secure optical network, and the method may be executed by an endogenous secure optical network, where an IP layer and an optical layer of the endogenous secure optical network respectively include a set number of IP routers and optical communication nodes, and each IP router corresponds to one encryption/decryption terminal and one optical communication node, and specifically includes the following steps:
s310, after receiving the network service through the current IP router, acquiring the service attribute information of all the network services, and transmitting the service attribute information to the corresponding current encryption and decryption terminal.
Wherein, the current IP router can be understood as the IP router currently communicating. Current IP routers can read the address in each packet and then decide how to transmit. The network traffic may be understood as network traffic received by the IP router. Illustratively, the network traffic may be IP traffic; the network traffic generated during end-to-end bidirectional real-time communication between networks may also be used, and the embodiment is not limited herein.
In this embodiment, the service attribute information may be understood as service attribute information of the transmitted network service. Exemplarily, the service attribute information may be information of a source node of a network service recorded after all network services carried by the same wavelength channel reach a certain node; the key length and the key updating period information in the network service request can also be obtained; the information of the transmission path and the transmission hop count in the network service may also be used, which is not limited in this embodiment.
It should be noted that the current encryption and decryption terminal can be understood as the encryption and decryption terminal corresponding to the current IP router. Important data is transformed into an unreadable form for encrypted transmission and is restored, by the same or a different means, through decryption after reaching the destination node. The current encryption and decryption terminal comprises an algorithm and a key: the algorithm is used to encode and decrypt data, and it combines ordinary, intelligible information with a string of numbers (the key) to produce an unintelligible ciphertext. Proper key-based encryption thus ensures the security of network information communication to a certain extent.
In this embodiment, each IP router has a corresponding encryption/decryption terminal and a corresponding optical communication node. Illustratively, for the IP router a, the corresponding encryption/decryption terminal is an encryption/decryption terminal a, and the corresponding optical communication node is an optical communication node a; for the IP router B, the corresponding encryption and decryption terminal is an encryption and decryption terminal B, and the corresponding optical communication node is an optical communication node B; for the IP router C, the corresponding encryption and decryption terminal is an encryption and decryption terminal C, and the corresponding optical communication node is an optical communication node C; the present embodiment is not limited thereto.
In this embodiment, after the current IP router receives the network service, the service attribute information of all the network services may be acquired, and the service attribute information may be transmitted to the corresponding current encryption/decryption terminal.
And S320, determining and encrypting security keys required by all network services to be transmitted to the corresponding next-hop IP router under the same wavelength channel according to the service attribute information through the current encryption and decryption terminal.
The network traffic to be transmitted may be understood as the network traffic waiting for transmission.
In this embodiment, the network traffic to be transmitted comes from the same wavelength channel, and then different network traffic is transmitted to the same or different sink nodes through the same or different wavelength channels. The sink node can be understood as a network node which acts as a sink for accepting data packets. Illustratively, network traffic 1, network traffic 2, and network traffic 3 carried by the same wavelength channel all arrive at source node A. If the destination nodes of the network service 1 and the network service 2 are optical communication node B and the destination node of the network service 3 is optical communication node C, then the wavelength channel of the network service 1 and the network service 2 during transmission is one wavelength channel W1 to be transmitted to the optical communication node B, while the network service 3 is first transmitted to the optical communication node B using the wavelength channel W1 and then transmitted to the optical communication node C using the wavelength channel W2.
In this embodiment, the next-hop IP router may be understood as a next IP router corresponding to the current IP router. Illustratively, the source nodes of the network service 1 and the network service 2 are both IP routers a, and the destination nodes are both IP routers C, so that the source nodes of the network service 1 and the network service 2 can be understood as current IP routers, and the next-hop IP router is an IP router C.
In this embodiment, after the service attribute information of all network services is acquired and transmitted to the corresponding current encryption and decryption terminal, the security key required for transmitting all network services to be transmitted to the corresponding next-hop IP router in the same wavelength channel can be determined and encrypted by the current encryption and decryption terminal according to the service attribute information. The security key may be understood as a parameter that is input to an algorithm for encrypting the transmitted network traffic, or decrypting the encrypted network traffic, when all the network traffic to be transmitted in the same wavelength channel is transmitted to the corresponding next-hop IP router. Encryption can be understood as changing the original information data by a special algorithm, so that even if an unauthorized user obtains the encrypted information, they still cannot learn its content because they do not know the decryption method.
It should be noted that determining, by the current encryption/decryption terminal and according to the service attribute information, the security key required for transmitting all network services to be transmitted under the same wavelength channel to the corresponding next-hop IP router, and performing encryption, may proceed as follows. First, for all the network services to be transmitted carried under the same wavelength channel, the current encryption/decryption terminal extracts the transmission path, the transmission hop count, the key length and the key update period from the corresponding service attribute information. Then, according to each transmission path and transmission hop count, it determines the next-hop IP router corresponding to all the network services to be transmitted under that wavelength channel. Based on each key length and key update period, it determines the maximum key length and the minimum key update period corresponding to the wavelength channel, and based on that maximum key length and minimum key update period, it determines the security key required for all the network services to be transmitted under the wavelength channel to reach the next-hop IP router. Finally, it encrypts all network services to be transmitted under the wavelength channel using the security key in combination with the Advanced Encryption Standard encryption algorithm. Alternatively, a unique identification character string may be acquired from the service equipment, a data key generated, the data key encrypted according to an encryption algorithm and macro definition, and the data key dynamically encrypted according to a preset hash function, the MAC address of the acquiring equipment and the user password. The present embodiment is not limited thereto.
S330, all network services to be transmitted carried by the same wavelength channel are transmitted to the corresponding next hop IP router through the current optical communication node.
The current optical communication node may be understood as an optical communication node corresponding to the current IP router.
In this embodiment, after determining and encrypting security keys required for transmitting all network services to be transmitted to the corresponding next-hop IP router on the same wavelength channel, all network services to be transmitted carried by the same wavelength channel may be transmitted to the corresponding next-hop IP router through the current optical communication node corresponding to the current IP router.
It should be noted that, by using the current optical communication node, the manner of transmitting all the network services to be transmitted, which are carried by the same wavelength channel, to the corresponding next-hop IP router may be that, first, by using the current optical communication node, all the network services to be transmitted, which are carried by the same wavelength channel, are transmitted from the current optical communication node to the corresponding next optical communication node, and then, all the services to be transmitted are decrypted by the corresponding next encryption/decryption terminal and are transmitted to the corresponding next-hop IP router; or, for receiving the data stream first, determining at least two transmission links where the data stream arrives at the next hop address by the router, and then sharing the data stream on each transmission link and sending the data stream to the next hop address. The present embodiment is again not limited.
S340, taking the next-hop IP router as a new current IP router, and returning to continue executing the operation of acquiring the service attribute information until all network services finish communication.
In this embodiment, after all network services to be transmitted, which are carried by the same wavelength channel, are transmitted to the corresponding next-hop IP router, the next-hop IP router may be used as a new current IP router, and then the operation of obtaining the service attribute information is returned to continue to be executed repeatedly until all network services complete communication.
In the technical scheme provided by the embodiment of the invention, firstly, after receiving network services through a current IP router, service attribute information of all the network services is obtained and transmitted to a corresponding current encryption and decryption terminal; then, determining and encrypting a security key required by all network services to be transmitted to a corresponding next hop IP router under the same wavelength channel according to the attribute information of each service by the current encryption and decryption terminal; transmitting all network services to be transmitted carried by the same wavelength channel to a corresponding next hop IP router through the current optical communication node; and finally, taking the next-hop IP router as a new current IP router, and returning to continue executing the operation of acquiring the service attribute information until all network services finish communication. According to the embodiment of the invention, the encryption and decryption terminal determines and encrypts the security key required by all the network services to be transmitted to the corresponding next-hop IP router under the same wavelength channel according to the attribute information of each service so as to carry out the communication of the network services, thereby solving the problems of low security level and low key resource utilization rate in the existing IP service security communication and effectively saving key resources. And the key resources of the segmented link are fully utilized, the use of the key resources of the long-distance link is reduced, and the safe communication of all IP services on the endogenous safe optical network is completed while the key resources are saved and the utilization rate of the key resources is improved. 
Compared with the prior art, the adopted communication method of the network service on the endogenous safe optical network considers the characteristics of the complex diversity of the whole network IP service borne by the backbone network, solves the problem of low utilization rate of key resources, reduces the waiting time delay and the blocking rate of the safe communication of the IP service to a certain extent, and effectively improves the performance of the optical network.
Optionally, the method for communicating a network service on an endogenous secure optical network further includes:
determining, by the current IP router and based on the destination node information in each service attribute information, the corresponding network service to be transmitted under each wavelength channel.
The destination node information identifies the terminal node of the transmitted network service. Illustratively, it may be an IP address, or some other indicative information of the terminal; the present embodiment is not limited herein.
It should be noted that the current IP router may determine the network service to be transmitted under each wavelength channel, based on the destination node information in each service attribute information, as follows: first, the current IP router determines each service node associated with it on the service layer and obtains the service node information of each; then, for each network service carried under the same wavelength channel, the destination node information is extracted from the corresponding service attribute information and compared with each service node information; if no matching service node information exists, the network service is determined to be a network service to be transmitted under the wavelength channel to which it belongs, that is, it has not yet reached its destination. Alternatively, the fragment length of the data frame to be transmitted in the next preset time may first be determined from the length of the non-data transmission segment between the data frames transmitted in the preset time, the data frame to be transmitted in the next preset time fragmented according to that length, and the fragmented frame transmitted through the wavelength channel; the present embodiment is not limited thereto.
Optionally, determining, by the current IP router, a corresponding network service to be transmitted in each wavelength channel based on the destination node information in each service attribute information, where the determining includes:
determining each service node related on a service layer through a current IP router, and acquiring service node information of each service node;
for each network service carried under the same wavelength channel, extracting the destination node information from the corresponding service attribute information, and comparing the destination node information with each service node information;
and if the matched service node information does not exist, determining the network service as the network service to be transmitted under the wavelength channel to which the network service belongs.
The service node information identifies each service node associated with the current IP router on the service layer, for example the IP address information of each service node.
In this embodiment, the current IP router first determines each service node associated with it on the service layer and obtains the service node information of each; then, for each network service carried under the same wavelength channel, the destination node information is extracted from the corresponding service attribute information and compared with each service node information. If no matching service node information exists, the network service is determined to be a network service to be transmitted under the wavelength channel to which it belongs; if matching service node information exists, the network service has reached its destination and its communication is complete.
Optionally, after comparing the destination node information with each service node information, the method further includes:
and if the matched service node information exists, determining that a target service node corresponding to the matched service node information is a destination node of the network service, and transmitting the network service to the target service node to complete network communication.
The target service node is the network terminal identified by the matching service node information.
In this embodiment, after the destination node information is compared with each service node information, if there is matched service node information, it may be determined that a target service node corresponding to the matched service node information is a destination node of the network service, and at this time, the network service is transmitted to the target service node to complete network communication.
Example two
Fig. 4 is a flowchart of a communication method for network services on an endogenous secure optical network according to a second embodiment of the present invention. In this embodiment, further details are provided based on the above embodiments. The method specifically comprises the following steps:
s410, after receiving the network service through the current IP router, acquiring the service attribute information of all the network services, and transmitting the service attribute information to the corresponding current encryption and decryption terminal.
In this embodiment, after receiving the network service, the current IP router may obtain service attribute information of all network services, and then transmit the service attribute information to the corresponding current encryption/decryption terminal.
Specifically, the security key required for transmitting all network services to be transmitted to the corresponding next-hop IP router in the same wavelength channel can be determined and encrypted through the current encryption and decryption terminal and according to the service attribute information, and the specific steps are S420 to S460.
And S420, extracting a transmission path, a transmission hop count, a key length and a key updating period from corresponding service attribute information aiming at all network services to be transmitted carried by the same wavelength channel through the current encryption and decryption terminal.
The transmission path may be understood as a corresponding transmission path formed when the network service is forwarded by different routers from the source node to the destination node.
In this embodiment, the transmission hop count is the number of hops a network service needs to reach its destination node, expressed as a number. Illustratively, it may be 2 hops, 4 hops or 5 hops; the present embodiment is not limited thereto. For example, if network service 1 passes from source node A through 2 intermediate IP routers to its destination node, the transmission hop count is 3.
In this embodiment, the key length bounds the security strength of the encryption algorithm. The key lengths corresponding to different network services may be the same or different. Illustratively, the key lengths of network service 1, network service 2 and network service 3 may be L1, L2 and L3 respectively, where the size order of L1, L2 and L3 may be L1 < L2 < L3, or L3 < L2 < L1, or L1 < L3 < L2, etc.; the embodiment is not limited herein.
It can be known that the larger the key length, the greater the difficulty of brute-force cracking of the encrypted service and the higher the security level of the service. The key in use is additionally replaced at every key update period so as to increase the cracking difficulty further. Illustratively, key lengths may be 256 bit, 512 bit, 1024 bit, 2048 bit, etc., the 2048 bit length being the most secure of these. Note that these figures only illustrate the ordering of requests: the advanced encryption standard algorithm applied in S460 accepts keys of 128, 192 or 256 bits, so a key length request must be mapped onto one of those sizes (rounding up, never down) before a key is generated.
It will be appreciated that the key update period is the interval after which the key protecting a service is replaced by a fresh one. Rotating the key limits both the amount of ciphertext produced under a single key and the time window an attacker has to guess that key by brute force. The key update periods corresponding to different network services may be the same or different. Illustratively, the key update periods of network service 1, network service 2 and network service 3 may be T1, T2 and T3 respectively, where the size order of T1, T2 and T3 may be T1 < T2 < T3, or T2 < T1 < T3, or T3 < T1 < T2, etc.; the embodiment is not limited herein. In this embodiment, when encryption is configured for the IP router, the key update period may be set empirically or defined by the user; the present embodiment is not limited thereto.
In this embodiment, after the service attribute information of all network services is obtained and transmitted to the corresponding current encryption and decryption terminal, a transmission path, a transmission hop count, a key length, and a key update period may be extracted from the corresponding service attribute information for all network services to be transmitted carried by the same wavelength channel through the current encryption and decryption terminal, so as to determine next hop IP routers corresponding to all network services to be transmitted under the wavelength channel.
S430, determining next hop IP routers corresponding to all network services to be transmitted under the wavelength channel according to each transmission path and transmission hop number.
In this embodiment, the next-hop IP routers corresponding to all network services to be transmitted in the wavelength channel may be determined according to each transmission path and the transmission hop count.
S440, determining the maximum key length and the minimum key updating period corresponding to the wavelength channel based on the key lengths and the key updating periods.
In this embodiment, the maximum key length may be understood as the key length when the key length value is maximum, that is, the key length when the security is the highest. For example, the key lengths of the network service 1, the network service 2, and the network service 3 may be L1, L2, and L3, respectively, where L1< L2< L3, and then L3 corresponding to the network service is the maximum key length.
It is to be understood that the minimum key update period is the smallest of the key update periods. For example, the key update periods of network service 1, network service 2 and network service 3 may be T1, T2 and T3 respectively, where T1 < T2 < T3, in which case T1, corresponding to network service 1, is the minimum key update period.
In this embodiment, after extracting the transmission path, the transmission hop count, the key length, and the key update period from the corresponding service attribute information, the maximum key length and the minimum key update period corresponding to the wavelength channel may be determined based on each key length and the key update period.
S450, determining the security key required by all network services to be transmitted under the wavelength channel to reach the next hop IP router based on the maximum key length and the minimum key updating period.
In this embodiment, based on the maximum key length and the minimum key update period, the security key required by all network traffic to be transmitted in the wavelength channel to reach the next-hop IP router may be determined.
It should be noted that the security key required for a network service to be transmitted to reach the next-hop IP router depends on the destination node that service must reach. Among the network services to be transmitted, those reaching the same destination node use the same security key; those reaching different destination nodes use the same key on the part of the transmission path they share and different keys on the parts they do not share. Illustratively, if the destination nodes of network service 1, network service 2 and network service 3 are all optical communication node C, their next-hop IP router is IP router C in every case; the maximum key length request of the three services carried by the wavelength channel between optical communication node A and optical communication node C is L3 and the minimum key update period request is T1, so encryption and decryption terminal A and encryption and decryption terminal C allocate the same key K1-2-3 to the three services according to key length L3 and key update period T1. If instead network service 1 and network service 2 share destination node B while the destination node of network service 3 is optical communication node C (reached from source node A via optical communication node B), then on the wavelength channel between optical communication node A and node B the maximum key length request of the three services is L3 and the minimum key update period request is T1, while on the wavelength channel between node B and node C the maximum key length request of network service 3 alone is L3 and the minimum key update period request is T3. Encryption and decryption terminals A and B therefore allocate the same key K1-2-3 to the three services for the segment from source node A to node B according to key length L3 and key update period T1, and encryption and decryption terminals B and C allocate the key K3 to network service 3 for the segment from node B to node C according to key length L3 and key update period T3.
S460, encrypting all network services to be transmitted under the wavelength channel by adopting a safety key and combining a high-level encryption standard encryption algorithm.
Here, the advanced encryption standard (AES) algorithm is a symmetric block cipher whose block length is fixed at 128 bits and whose key length may be 128, 192 or 256 bits. Since one key is shared by every network service carried on a segment, the mode in which AES is applied must use a distinct initialization vector or nonce for each service and for each key update period; otherwise identical plaintext blocks (or, in counter modes, the XOR of two services' plaintexts) become visible to an observer of the wavelength channel.
In this embodiment, after determining the security key required for all network traffic to be transmitted under the wavelength channel to reach the next-hop IP router, the security key may be combined with an advanced encryption standard encryption algorithm to encrypt all network traffic to be transmitted under the wavelength channel.
Specifically, all network services to be transmitted, which are carried by the same wavelength channel, may be transmitted to the corresponding next-hop IP router through the current optical communication node, and the specific steps may be S470 to S480.
And S470, transmitting all the network services to be transmitted, which are carried by the same wavelength channel, from the current optical communication node to the corresponding next optical communication node through the current optical communication node, so as to decrypt all the services to be transmitted through the corresponding next encryption and decryption terminal, and transmitting the decrypted services to the corresponding next-hop IP router.
And the next encryption and decryption terminal is an encryption and decryption terminal corresponding to the next hop IP router.
In this embodiment, after encrypting all network services to be transmitted in a wavelength channel by using a security key in combination with an advanced encryption standard encryption algorithm, all network services to be transmitted carried in the same wavelength channel may be transmitted from a current optical communication node to a corresponding next optical communication node through the current optical communication node, so as to decrypt all the services to be transmitted by a corresponding next encryption/decryption terminal, and transmit the decrypted services to a corresponding next-hop IP router.
In the technical scheme provided by the embodiment of the invention, firstly, a transmission path, a transmission hop count, a key length and a key updating period are extracted from corresponding service attribute information aiming at all network services to be transmitted carried by the same wavelength channel through a current encryption and decryption terminal, then, according to each transmission path and transmission hop count, next hop IP routers corresponding to all network services to be transmitted under the wavelength channel are determined, and based on each key length and key updating period, the maximum key length and the minimum key updating period corresponding to the wavelength channel are determined; and finally, transmitting all the network services to be transmitted borne by the same wavelength channel from the current optical communication node to the corresponding next optical communication node through the current optical communication node, so as to decrypt all the services to be transmitted through the corresponding next encryption and decryption terminal, and transmitting the services to be transmitted to the corresponding next hop IP router. 
According to the embodiment of the invention, through the current encryption and decryption terminal, aiming at all network services to be transmitted carried by the same wavelength channel, the transmission path, the transmission hop count, the key length and the key updating period are extracted from the corresponding service attribute information, so that the secure communication of all the network services is completed based on the acquired transmission path, transmission hop count, key length and key updating period, the problems of low security level and low key resource utilization rate in the existing network service secure communication are further solved, and the secure communication of all the network services on an endogenous secure optical network is completed while the key resources are saved and the key resource utilization rate is improved.
EXAMPLE III
Fig. 5 is a schematic diagram of secure communication of IP services on an endogenous secure optical network according to a third embodiment of the present invention. When a plurality of IP services carried by the same wavelength channel enter source node A (which may be understood as IP router A), the complete communication of those IP services proceeds as described in this third embodiment. It should be noted that IP service here means network service. As shown in fig. 5, the endogenous secure optical network includes an IP layer 510 and an optical layer 520, which respectively include a set number of IP routers and endogenous secure optical communication nodes. After the IP services have passed through the IP router and before they are multiplexed into the same wavelength channel, keys are allocated to them for the backbone network and they are encrypted; the encrypted IP services are then multiplexed into the same wavelength channel for transmission. The IP services may have the same or different destination nodes. At the destination node of each IP service, all the IP services carried by the same wavelength channel between that node and the destination node of the previous IP service are decrypted, the IP services whose destination is that node are separated out, and the remaining IP services are encrypted again and multiplexed back into the same wavelength channel for onward transmission. A node that is the destination of no IP service is passed through directly by the devices of the optical layer 520, with no operation at the IP layer 510.
Fig. 6 is a schematic flow chart of a secure communication method of an IP service on an endogenous secure optical network according to a third embodiment of the present invention. As shown in fig. 6, the method mainly comprises the following steps:
and S610, recording the service attribute.
Specifically, the recording service attribute includes S611 to S614.
And S611, recording source and destination nodes of all IP services.
After all IP services borne by the same wavelength channel on the endogenous safe optical network reach a certain node, source and destination nodes of all IP services are recorded.
And S612, recording the key length and the key updating period of all IP service requests.
S613, recording transmission paths and hop counts of all IP services.
S614, sort the IP services by hop count in ascending order; this is the order in which the IP services reach their respective destination nodes.
And S620, distributing the security key.
Specifically, the security key distribution includes S621 to S623.
S621, according to the sequence of all IP services reaching the destination node in S614, searching a key storage module corresponding to the destination node of each IP service and the destination node of the previous IP service.
S622, query the request of the maximum key length and the request of the minimum key update period of all IP services carried by the wavelength channel between the destination node of each IP service and the destination node of the previous IP service.
S623, according to the maximum key length and the minimum key updating period request, the key storage module distributes the same key to all IP services borne by the wavelength channel between the destination node of each IP service and the destination node of the previous IP service.
And S630, service safety communication.
Specifically, the service security communication includes S631 to S638.
S631, all IP traffic at the source node enters the encryption and decryption terminal through the IP router.
And S632, encrypting by using the key distributed in the S623 and an AES encryption algorithm.
According to the sequence of all the IP services reaching the destination node in S614, all the IP services carried by the wavelength channel between the destination node of each IP service and the destination node of the previous IP service are encrypted by using the key allocated in S623 and the AES encryption algorithm.
S633, query the wavelength channel that carries all the IP services between the destination node of each IP service and the destination node of the previous IP service.
S634, transmit all the IP services carried by that wavelength channel to the destination node of each IP service.
According to the order in which the IP services reach their destination nodes in S614, all the IP services carried by the wavelength channel are transmitted to the destination node corresponding to each IP service.
S635, at the destination node of each IP service, decrypt all the IP services carried by the wavelength channel between that node and the destination node of the previous IP service, using the key allocated in S623 and the AES algorithm.
S636, the IP services whose destination node is the current node enter the IP router through the encryption and decryption terminal.
S637, check whether all IP services have reached their corresponding destination nodes.
And S638, if the IP services do not all reach the destination node, turning to S632, and if the IP services all reach the destination node, completing the secure communication of all the IP services.
Fig. 7 is a flowchart of a secure communication method for an IP service on an endogenous secure optical network according to a third embodiment of the present invention. When a plurality of IP services carried by the same wavelength channel enter the source node a, where the source node a may be understood as an IP router a, if the complete communication shown in fig. 7 is to be implemented, the whole process of the specific embodiment of the method for secure communication of IP services on the endogenous secure optical network may be:
IP service 1, IP service 2 and IP service 3, carried by the same wavelength channel, all arrive at source node A. The destination node of IP service 1 and IP service 2 is optical communication node C, and the destination node of IP service 3 is optical communication node D. The key length requests of IP service 1, IP service 2 and IP service 3 are L1, L2 and L3 respectively (L1 < L2 < L3); their key update period requests are T1, T2 and T3 respectively (T1 < T2 < T3); and their hop counts are 2, 2 and 3 respectively, so the order in which they reach their destination nodes is optical communication node C first and then optical communication node D.
The key storage modules of encryption and decryption terminal A and encryption and decryption terminal C are looked up for the segment between optical communication node A and optical communication node C, and those of encryption and decryption terminal C and encryption and decryption terminal D for the segment between optical communication node C and optical communication node D. The maximum key length request of IP service 1, IP service 2 and IP service 3 carried by the wavelength channel between node A and node C is L3 and the minimum key update period request is T1; the maximum key length request of IP service 3 carried by the wavelength channel between node C and node D is L3 and the minimum key update period request is T3. The key storage modules of terminals A and C therefore assign the same key K1-2-3 to IP service 1, IP service 2 and IP service 3 according to key length L3 and key update period T1, and the key storage modules of terminals C and D assign the key K3 to IP service 3 according to key length L3 and key update period T3.
At the source node, IP service 1, IP service 2 and IP service 3 enter the encryption and decryption terminal through the IP router and are encrypted with key K1-2-3 and the AES encryption algorithm; the wavelength channel W1 carrying them is queried, and W1 transmits them to node C, where they are decrypted with key K1-2-3 and the AES algorithm. IP service 1 and IP service 2 enter the IP router through the encryption and decryption terminal, completing their secure communication. IP service 3 is encrypted with key K3 and the AES encryption algorithm, the wavelength channel W2 carrying it is queried, W2 transmits it to node D, it is decrypted there with key K3 and the AES algorithm, and it enters the IP router through the encryption and decryption terminal, completing its secure communication.
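The following Python is an added worked example, not code from the patent or from its assignee; it models the procedure of Example two (S420 to S470) and Example three (S610 to S638) for one wavelength channel. Services are sorted by hop count, the channel is cut into segments between consecutive destination nodes, each segment receives one key sized to the largest key length request and rotated at the shortest update period request, and at the end of each segment the channel is decrypted, the services addressed to that node are handed to the IP router and the rest are re-encrypted for the next segment. The names Service, Segment, plan_segments, forward, keystream_xor and aes_key_bits, the 128/192/256 bit and 60/120/300 s request values, and the rounding of a request up to the next AES key size are assumptions of this example (the page lists 512 to 2048 bit lengths that AES does not accept). AES itself is replaced by an HMAC-SHA256 counter-mode keystream so that the block runs with the standard library only.

```python
"""Added example, not code from the patent: key planning for one wavelength
channel and the hop-by-hop encrypt / decrypt / separate / re-encrypt flow of
Examples two and three.  Stdlib only; AES is stood in for by HMAC-SHA256."""
import hashlib
import hmac
import os
from dataclasses import dataclass

AES_KEY_BITS = (128, 192, 256)   # key lengths the page says AES accepts (S460)

def aes_key_bits(requested):
    """Map a key-length request onto an AES key size.  Assumption made here:
    round up to the next AES size, never down; reject anything over 256."""
    for bits in AES_KEY_BITS:
        if bits >= requested:
            return bits
    raise ValueError(f"{requested}-bit request exceeds the largest AES key")

@dataclass
class Service:
    name: str
    path: list        # nodes from source to destination, e.g. ["A", "B", "C"]
    key_bits: int     # requested key length L
    period_s: int     # requested key update period T, in seconds

    @property
    def dest(self):
        return self.path[-1]

    @property
    def hops(self):
        return len(self.path) - 1

@dataclass
class Segment:
    start: str
    end: str
    services: list    # services still on the channel between start and end
    key_bits: int     # max key-length request among them (S440 / S622)
    period_s: int     # min key-update-period request among them
    key: bytes = b""

def plan_segments(services):
    """S614 to S623: order services by hop count, cut the channel into segments
    between consecutive destination nodes, give each segment one shared key."""
    if len({s.path[0] for s in services}) != 1:
        raise ValueError("services on one wavelength channel share a source node")
    ordered = sorted(services, key=lambda s: s.hops)
    boundaries = [ordered[0].path[0]]     # source, then destinations in hop order
    for s in ordered:
        if s.dest != boundaries[-1]:
            boundaries.append(s.dest)
    segments = []
    for start, end in zip(boundaries, boundaries[1:]):
        carried = [s for s in ordered
                   if boundaries.index(s.dest) >= boundaries.index(end)]
        bits = aes_key_bits(max(s.key_bits for s in carried))
        period = min(s.period_s for s in carried)
        # os.urandom stands in for the key storage modules of the two terminals
        segments.append(Segment(start, end, carried, bits, period, os.urandom(bits // 8)))
    return segments

def keystream_xor(key, nonce, data):
    """Stand-in for AES: HMAC-SHA256 in counter mode.  The same call decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def forward(services, payloads):
    """S631 to S638: at the end of each segment decrypt the whole channel, hand the
    services addressed to that node to its IP router, re-encrypt the rest under the
    next segment's key.  Returns {service name: (node delivered at, plaintext)}."""
    in_flight = {s.name: payloads[s.name] for s in services}   # plaintext at source
    delivered = {}
    for seg in plan_segments(services):
        nonce = os.urandom(8)
        # One key covers every service on the segment, so each service gets its
        # own nonce; otherwise two services would be XORed with the same keystream.
        on_channel = {s.name: keystream_xor(seg.key, nonce + s.name.encode(), in_flight[s.name])
                      for s in seg.services}
        # ... carried by the wavelength channel from seg.start to seg.end ...
        for s in seg.services:
            plain = keystream_xor(seg.key, nonce + s.name.encode(), on_channel[s.name])
            if s.dest == seg.end:
                delivered[s.name] = (seg.end, plain)   # S636: into the IP router
            else:
                in_flight[s.name] = plain              # re-encrypted on the next segment
    return delivered

def example_services():
    """The Fig. 7 scenario: services 1 and 2 end at C, service 3 at D (assumed values)."""
    return [Service("svc1", ["A", "B", "C"], 128, 60),
            Service("svc2", ["A", "B", "C"], 192, 120),
            Service("svc3", ["A", "B", "C", "D"], 256, 300)]

if __name__ == "__main__":
    for seg in plan_segments(example_services()):
        print(f"{seg.start}->{seg.end}: {[s.name for s in seg.services]} "
              f"{seg.key_bits}-bit key, rotate every {seg.period_s} s")
    print(forward(example_services(), {"svc1": b"one", "svc2": b"two", "svc3": b"three"}))
```

Run as a script, plan_segments produces the two segments of the Fig. 7 scenario, A to C carrying all three services with a 256 bit key rotated every 60 s, and C to D carrying service 3 alone with a 256 bit key rotated every 300 s; forward then delivers services 1 and 2 at C and service 3 at D. Node B never appears as a segment boundary, matching the optical-layer pass-through of the embodiment. The per-service nonce is the detail to keep when replacing the stand-in cipher: with one key shared by every service on a segment, a production deployment would use AES-GCM with a distinct nonce per service and per key update period.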
Example four
Fig. 8 is a schematic structural diagram of an endogenous secure optical network according to a fourth embodiment of the present invention, where the endogenous secure optical network provided in this embodiment may be implemented by software and/or hardware, and may be applied to an optical communication node, so as to implement a communication method for a network service on the endogenous secure optical network according to the fourth embodiment of the present invention. As shown in fig. 8, the endogenous secure optical network includes:
the optical network comprises an IP layer 810 and an optical layer 820, wherein the IP layer 810 and the optical layer 820 respectively comprise a set number of IP routers and optical communication nodes, and each IP router corresponds to an encryption and decryption terminal and one optical communication node;
one IP router is used as the current IP router, and the corresponding encryption and decryption terminal and the corresponding optical communication node are respectively used as the current encryption and decryption terminal and the current optical communication node;
the current IP router is used for acquiring the service attribute information of all network services after receiving the network services and transmitting the service attribute information to the corresponding current encryption and decryption terminal;
the current encryption and decryption terminal is used for determining and encrypting a security key required by all network services to be transmitted to the corresponding next hop IP router under the same wavelength channel according to the service attribute information;
and the current optical communication node is used for transmitting all network services to be transmitted, which are carried by the same wavelength channel, to the corresponding next-hop IP router, and the next-hop IP router is used as a new current IP router.
Optionally, the current encryption and decryption terminal is specifically configured to:
extracting a transmission path, a transmission hop count, a key length and a key updating period from corresponding service attribute information aiming at all network services to be transmitted carried by the same wavelength channel through the current encryption and decryption terminal;
determining next-hop IP routers corresponding to all network services to be transmitted under the wavelength channel according to the transmission paths and the transmission hop numbers;
determining a maximum key length and a minimum key updating period corresponding to the wavelength channel based on each key length and each key updating period;
determining a security key required by all network services to be transmitted under the wavelength channel to reach the next hop IP router based on the maximum key length and the minimum key updating period;
and encrypting all network services to be transmitted under the wavelength channel by combining the security key with an advanced encryption standard encryption algorithm.
Optionally, the current IP router is further configured to:
determining the corresponding network service to be transmitted under each wavelength channel based on the destination node information in each service attribute information.
Optionally, the current optical communication node is specifically configured to:
transmitting all network services to be transmitted, which are carried by the same wavelength channel, from the current optical communication node to the corresponding next optical communication node, decrypting all the services to be transmitted through the corresponding next encryption and decryption terminal, and transmitting the services to be transmitted to the corresponding next-hop IP router;
the next optical communication node is an optical communication node corresponding to the next hop IP router, and the next encryption and decryption terminal is an encryption and decryption terminal corresponding to the next hop IP router.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A communication method for network services on an endogenous secure optical network, characterized in that the IP layer and the optical layer of the endogenous secure optical network comprise a set number of IP routers and of optical communication nodes respectively, each IP router corresponding to one encryption and decryption terminal and one optical communication node, the method comprising:
after receiving network services, acquiring, by the current IP router, the service attribute information of all the network services and transmitting it to the corresponding current encryption and decryption terminal;
determining, by the current encryption and decryption terminal and according to the service attribute information, the security key required to carry all network services to be transmitted on the same wavelength channel to the corresponding next-hop IP router, and encrypting those services with it;
transmitting, through the current optical communication node, all network services to be transmitted that are carried by the same wavelength channel to the corresponding next-hop IP router;
and taking the next-hop IP router as the new current IP router and returning to the step of acquiring service attribute information, until all network services have completed communication.
2. The method according to claim 1, wherein determining, by the current encryption and decryption terminal and according to the service attribute information, the security key required to carry all network services to be transmitted on the same wavelength channel to the corresponding next-hop IP router, and encrypting those services, comprises:
extracting, by the current encryption and decryption terminal and for all network services to be transmitted that are carried by the same wavelength channel, the transmission path, the transmission hop count, the key length and the key update period from the corresponding service attribute information;
determining the next-hop IP router of all network services to be transmitted on the wavelength channel according to the transmission paths and transmission hop counts;
determining the maximum key length and the minimum key update period for the wavelength channel from the individual key lengths and key update periods;
determining, from the maximum key length and the minimum key update period, the security key required for all network services to be transmitted on the wavelength channel to reach the next-hop IP router;
and encrypting all network services to be transmitted on the wavelength channel with that security key using the Advanced Encryption Standard (AES) algorithm.
3. The method according to claim 1, further comprising:
determining, by the current IP router and based on the destination node information in each item of service attribute information, the network services to be transmitted on each wavelength channel.
4. The method according to claim 3, wherein determining, by the current IP router and based on the destination node information in each item of service attribute information, the network services to be transmitted on each wavelength channel comprises:
determining, by the current IP router, each service node it serves at the service layer, and acquiring the service node information of each such service node;
for each network service carried on the same wavelength channel, extracting the destination node information from the corresponding service attribute information and comparing it with each item of service node information;
and if no matching service node information exists, determining that the network service is a network service to be transmitted on the wavelength channel to which it belongs.
5. The method according to claim 4, further comprising, after comparing the destination node information with each item of service node information:
if matching service node information exists, determining that the target service node corresponding to the matching service node information is the destination node of the network service, and transmitting the network service to that target service node to complete the network communication.
6. The method according to any one of claims 1 to 5, wherein transmitting, through the current optical communication node, all network services to be transmitted that are carried by the same wavelength channel to the corresponding next-hop IP router comprises:
transmitting all network services to be transmitted that are carried by the same wavelength channel from the current optical communication node to the corresponding next optical communication node, decrypting all of those services at the corresponding next encryption and decryption terminal, and transmitting them to the corresponding next-hop IP router;
wherein the next optical communication node is the optical communication node corresponding to the next-hop IP router, and the next encryption and decryption terminal is the encryption and decryption terminal corresponding to the next-hop IP router.
7. An endogenous secure optical network, characterized by comprising an IP layer and an optical layer, the IP layer and the optical layer comprising a set number of IP routers and of optical communication nodes respectively, each IP router corresponding to one encryption and decryption terminal and one optical communication node;
wherein one IP router serves as the current IP router, and its corresponding encryption and decryption terminal and optical communication node serve as the current encryption and decryption terminal and the current optical communication node respectively;
the current IP router is configured to acquire, after receiving network services, the service attribute information of all the network services and to transmit it to the corresponding current encryption and decryption terminal;
the current encryption and decryption terminal is configured to determine, according to the service attribute information, the security key required to carry all network services to be transmitted on the same wavelength channel to the corresponding next-hop IP router, and to encrypt those services with it;
and the current optical communication node is configured to transmit all network services to be transmitted that are carried by the same wavelength channel to the corresponding next-hop IP router, the next-hop IP router then serving as the new current IP router.
8. The optical network according to claim 7, wherein the current encryption and decryption terminal is specifically configured to:
extract, for all network services to be transmitted that are carried by the same wavelength channel, the transmission path, the transmission hop count, the key length and the key update period from the corresponding service attribute information;
determine the next-hop IP router of all network services to be transmitted on the wavelength channel according to the transmission paths and transmission hop counts;
determine the maximum key length and the minimum key update period for the wavelength channel from the individual key lengths and key update periods;
determine, from the maximum key length and the minimum key update period, the security key required for all network services to be transmitted on the wavelength channel to reach the next-hop IP router;
and encrypt all network services to be transmitted on the wavelength channel with that security key using the Advanced Encryption Standard (AES) algorithm.
9. The optical network according to claim 7, wherein the current IP router is further configured to:
determine, based on the destination node information in each item of service attribute information, the network services to be transmitted on each wavelength channel.
10. The optical network according to any one of claims 7 to 9, wherein the current optical communication node is specifically configured to:
transmit all network services to be transmitted that are carried by the same wavelength channel from the current optical communication node to the corresponding next optical communication node, have all of those services decrypted at the corresponding next encryption and decryption terminal, and transmit them to the corresponding next-hop IP router;
wherein the next optical communication node is the optical communication node corresponding to the next-hop IP router, and the next encryption and decryption terminal is the encryption and decryption terminal corresponding to the next-hop IP router.
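The per-hop procedure of claims 2, 6, 8 and 10, written out as an added worked example in Go. This code is not part of the patent and is not the applicant's implementation: the claims say only that one security key is chosen per wavelength channel and per hop from the largest requested key length and the shortest requested update period, and that the services are then encrypted with AES. Everything else here is assumed for the example: the Service field names, a master secret pre-shared between adjacent encryption and decryption terminals and expanded with HMAC-SHA256 per update period (the patent does not say where key material comes from; its cited prior art uses QKD), AES-GCM as the AES mode so each frame is also authenticated, and the two constructed sample services.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Service attribute information as claim 2 lists it (field names are assumed).
type Service struct {
	ID        string
	Path      []string      // IP routers on the transmission path, source first
	Hop       int           // transmission hop count: index of the current router in Path
	KeyBits   int           // requested key length
	KeyPeriod time.Duration // requested key-update period
	Payload   []byte
}

// ChannelPolicy (claim 2): next hop from path and hop count; the channel key takes the
// largest requested key length and the shortest update period, so no service on the
// channel gets weaker protection than it asked for. All services must share a next hop.
func ChannelPolicy(svcs []Service) (nextHop string, keyBits int, period time.Duration, err error) {
	if len(svcs) == 0 {
		return "", 0, 0, fmt.Errorf("empty channel")
	}
	for i, s := range svcs {
		if s.Hop < 0 || s.Hop+1 >= len(s.Path) {
			return "", 0, 0, fmt.Errorf("%s: no next hop at hop %d", s.ID, s.Hop)
		}
		nh := s.Path[s.Hop+1]
		if i == 0 {
			nextHop, keyBits, period = nh, s.KeyBits, s.KeyPeriod
		} else if nh != nextHop {
			return "", 0, 0, fmt.Errorf("%s: next hop %s is not the channel's %s", s.ID, nh, nextHop)
		}
		if s.KeyBits > keyBits {
			keyBits = s.KeyBits
		}
		if s.KeyPeriod < period {
			period = s.KeyPeriod
		}
	}
	return nextHop, keyBits, period, nil
}

// DeriveChannelKey is an assumption, not the patent's method: a master secret shared by
// the two terminals is expanded with HMAC-SHA256 over (channel, epoch, next hop), where
// epoch = time / period, so both ends rotate the key every period without messages.
func DeriveChannelKey(master []byte, channel uint32, nextHop string, epoch uint64, keyBits int) ([]byte, error) {
	if keyBits != 128 && keyBits != 192 && keyBits != 256 {
		return nil, fmt.Errorf("AES needs a 128-, 192- or 256-bit key, got %d", keyBits)
	}
	mac := hmac.New(sha256.New, master)
	binary.Write(mac, binary.BigEndian, channel)
	binary.Write(mac, binary.BigEndian, epoch)
	binary.Write(mac, binary.BigEndian, uint16(len(nextHop)))
	mac.Write([]byte(nextHop))
	return mac.Sum(nil)[:keyBits/8], nil
}

// SealService: the claims name AES only; AES-GCM with a fresh random nonce per frame and
// the service ID as associated data is this example's choice (frame is also authenticated).
func SealService(gcm cipher.AEAD, s Service) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, s.Payload, []byte(s.ID)), nil
}

// OpenService is the next encryption and decryption terminal's side (claim 6).
func OpenService(gcm cipher.AEAD, id string, frame []byte) ([]byte, error) {
	if len(frame) < gcm.NonceSize() {
		return nil, fmt.Errorf("frame shorter than nonce")
	}
	return gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], []byte(id))
}

func main() {
	// Constructed sample: two services at router R1 share one wavelength channel towards R2.
	svcs := []Service{
		{ID: "svc-A", Path: []string{"R1", "R2", "R3"}, KeyBits: 128, KeyPeriod: 60 * time.Second, Payload: []byte("SCADA poll")},
		{ID: "svc-B", Path: []string{"R1", "R2"}, KeyBits: 256, KeyPeriod: 30 * time.Second, Payload: []byte("meter batch")},
	}
	nextHop, bits, period, err := ChannelPolicy(svcs)
	if err != nil {
		panic(err)
	}
	epoch := uint64(time.Now().Unix()) / uint64(period.Seconds())
	key, _ := DeriveChannelKey([]byte("constructed demo secret"), 1, nextHop, epoch, bits)
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	frame, _ := SealService(gcm, svcs[0])
	pt, err := OpenService(gcm, svcs[0].ID, frame) // next terminal derives the same key
	fmt.Printf("%s via %s: %d-bit key, period %s, decrypted %q, err=%v\n", svcs[0].ID, nextHop, bits, period, pt, err)
}
```

Two consequences of the claims that an implementer has to live with: the policy in ChannelPolicy means one service asking for 256-bit keys and 30-second rotation raises the cost for every service on that wavelength channel, which is the intended behaviour; and because the key is per hop and claim 6 has the next terminal decrypt before handing traffic to the next-hop router, each router on the path handles the services in plaintext, so every encryption and decryption terminal on the path is a trusted relay and the key update period bounds only how long one hop's key is exposed.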
CN202111342549.5A 2021-11-12 2021-11-12 Communication method of network service on endogenous safe optical network and endogenous safe optical network Active CN114071264B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111342549.5A CN114071264B (en) 2021-11-12 2021-11-12 Communication method of network service on endogenous safe optical network and endogenous safe optical network

Publications (2)

Publication Number Publication Date
CN114071264A (en) 2022-02-18
CN114071264B (en) 2024-01-23

Family

ID=80271928


Country Status (1)

Country Link
CN (1) CN114071264B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812304A (en) * 2006-03-07 2006-08-02 Peking University Multifibre space division exchanging structure for raising kernel node switch volume and method thereof
WO2016206498A1 (en) * 2015-06-23 2016-12-29 ZTE Corporation First quantum node, second quantum node, secure communications architecture system, and method
CN106712941A (en) * 2016-12-31 2017-05-24 Beijing University of Posts and Telecommunications Quantum key dynamic updating method and system in optical network
CN107508671A (en) * 2017-08-18 2017-12-22 Beijing University of Posts and Telecommunications Service communication method and device based on quantum key distribution
CN107786260A (en) * 2016-08-24 2018-03-09 ZTE Corporation A kind of business transmitting method and system
CN108667526A (en) * 2018-03-14 2018-10-16 Beijing University of Posts and Telecommunications Multiple services safety transfer method, device and equipment in a kind of optical transfer network
CN109120333A (en) * 2018-07-13 2019-01-01 Beijing University of Posts and Telecommunications Service protecting method and system in a kind of quantum key distribution optical-fiber network
CN110149204A (en) * 2019-05-09 2019-08-20 Beijing University of Posts and Telecommunications The key resource allocation methods and system of QKD network
CN110224815A (en) * 2019-05-08 2019-09-10 Beijing University of Posts and Telecommunications QKD network resource allocation method and system
CN112737698A (en) * 2021-01-08 2021-04-30 Zhao Shijia Networking design and method of optical fiber quantum communication system


Also Published As

Publication number Publication date
CN114071264B (en) 2024-01-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant