CN114124799B - Safe transmission system for dynamically adjusting forwarding path - Google Patents

Safe transmission system for dynamically adjusting forwarding path

Info

Publication number
CN114124799B
CN114124799B (application CN202111369130.9A)
Authority
CN (China)
Prior art keywords
path, data, forwarding, data packet, paths
Legal status
Active
Application number
CN202111369130.9A
Other languages
Chinese (zh)
Other versions
CN114124799A (en)
Inventor
唱明旭
高晓琼
闫贯博
王东豪
李姝�
Current Assignee
Beijing Jinghang Computing Communication Research Institute
Original Assignee
Beijing Jinghang Computing Communication Research Institute
Events
Application filed by Beijing Jinghang Computing Communication Research Institute
Priority to CN202111369130.9A
Publication of CN114124799A
Application granted
Publication of CN114124799B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/24 Multipath
    • H04L1/00 Arrangements for detecting or preventing errors in the information received
    • H04L1/12 Arrangements for detecting or preventing errors in the information received by using return channel
    • H04L1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals
    • H04L1/18 Automatic repetition systems, e.g. Van Duuren systems
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a secure transmission system for dynamically adjusting a forwarding path. It belongs to the technical field of data transmission and solves the problem that existing data transmission paths cannot be adjusted dynamically. The system comprises a controller, a source host, a destination host and a switch. The controller comprises a path change identification module and a path and weight calculation module; the source host comprises a weight updating module and a data sending module. The path change identification module identifies, from the historical communication record and the network topology, whether a forwarding path should be reselected; once reselection has been identified, the path and weight calculation module calculates a plurality of forwarding paths and their weights; the weight updating module updates the weights of the forwarding paths through the path and weight calculation module whenever a data packet is acknowledged; and the data sending module selects a forwarding path for each data packet according to the forwarding paths and weights, and retransmits any data packet for which no data reply is received. Dynamic adjustment of the transmission path is thereby realized.

Description

Safe transmission system for dynamically adjusting forwarding path
Technical Field
The invention relates to the technical field of data transmission, in particular to a secure transmission system for dynamically adjusting a forwarding path.
Background
With the development of the internet of things (IoT), its data transmission requirements keep growing, while the characteristics of IoT devices, such as weak processing capability, unstable network links, an open network environment and a large attack surface, pose serious challenges to secure data transmission in the IoT.
Software-defined networking (SDN) is widely applied in the IoT because of its advantages in network management and performance improvement, which has given rise to the software-defined IoT architecture. However, the advantages of SDN are so far rarely used to address security issues in the IoT.
In the prior art, high-complexity encryption algorithms that depend on strong computing power and long battery endurance are of limited use on IoT nodes, so data transmitted in the network faces greater security risk; meanwhile, link instability causes packet loss and retransmission, which adds overhead and delay to the network. Some technologies use a software-defined IoT architecture but still cannot adjust the data transmission path dynamically based on the current state, so the security of data transmission remains seriously at risk.
Disclosure of Invention
In view of the foregoing analysis, the present invention provides a secure transmission system for dynamically adjusting a forwarding path, so as to solve the problem that conventional data transmission paths cannot be adjusted dynamically.
An embodiment of the invention provides a secure transmission system for dynamically adjusting a forwarding path, which comprises a controller, a source host, a destination host and a switch, wherein the source host is connected to the switch through a network; the controller comprises a path change identification module and a path and weight calculation module; the source host comprises a weight updating module and a data sending module;
the path change identification module identifies, from the historical communication record and the network topology, whether a forwarding path should be reselected;
the path and weight calculation module, once reselection has been identified, calculates a plurality of forwarding paths from the number of available paths between the source host and the destination host and the number of those paths on which each switch lies, and calculates the weights of the forwarding paths from the transmission condition of the data packets;
the weight updating module updates the weights of the forwarding paths through the path and weight calculation module whenever a data packet is acknowledged;
and the data sending module selects a forwarding path for each data packet according to the forwarding paths and weights, and retransmits any data packet for which no data reply is received.
In a further improvement of the system, after the switch receives a connection request data packet sent by the source host, it checks according to a preset flow table rule whether the packet header carries an encryption mark, and if so sends a packet header message to the controller. When the header of the connection request packet carries the encryption mark, the packet also carries an encrypted k value and an encrypted n value; correspondingly, when sending data, the data sending module selects k forwarding paths to send n pieces of ciphertext data.
In a further improvement of the system, the controller also obtains the information of the source host and the destination host from the packet header message, and the path change identification module decides whether to reselect a forwarding path by the following procedure:
if, according to the historical communication record, the connection is being established for the first time or the interval since the last communication exceeds the preset timeout, reselection of the forwarding path is identified; or
if, according to the global network topology information maintained in the controller, switches or links on a forwarding path have been added or removed, reselection of the forwarding path is identified; or
if packet-capture analysis of the sent PacketOut messages and the received PacketIn messages detects link congestion or a packet loss rate exceeding a preset threshold, reselection of the forwarding path is identified.
In a further improvement of the system, the plurality of forwarding paths is calculated from the available paths between the source host and the destination host and the number of those paths on which each switch lies, as follows:
obtain all available paths from the source host to the destination host by a breadth-first rule and put them into an available path set; from the available path set, collect the switches contained in each available path into a switch set;
traverse the switch set and count, for each switch, the number of available paths containing it; traverse the available path set and, for each available path, add up these counts for the switches on the path to obtain the path's collision coefficient;
sort the available path set by collision coefficient, select the path with the smallest collision coefficient that does not intersect any path in the selected path set, move it into the selected path set as a selection result, remove from the available path set every path that intersects a path in the selected path set, and repeat the selection over the remaining paths until the available path set is empty; the paths in the selected path set are the final plurality of forwarding paths.
In a further improvement of the system, the data packet transmission condition comprises: the data packet quality influence factor, the historical data packet quality influence factor, the data packet state and the pre-update path weight;
the data packet quality influence factor represents the degree to which packets are discarded: when the source host receives no data reply from the destination host within the preset timeout, the packet is judged discarded and its quality influence factor is increased by 1; otherwise the packet is judged received and the quality influence factor is unchanged;
the historical data packet quality influence factor is the sum of the quality influence factors of the historical data packets on the forwarding path;
the data packet state represents the degree to which packet reception is acknowledged: when the packet is acknowledged, the packet state is the rate at which packets on the forwarding path are acknowledged, and when the packet is judged discarded, the packet state is 0;
the pre-update path weight is the weight at which the previous packet on the forwarding path was acknowledged.
In a further improvement of the system, the weight is calculated by the following formula:
Figure BDA0003361718860000041
where $Q_{r,n}$ denotes the weight of path r when the n-th packet on it is acknowledged, $Q_{r,n-1}$ denotes the weight of path r when the (n-1)-th packet was acknowledged, i.e. the weight of path r before the update, with initial $Q_{r,0} = 1$; $f_n$ denotes the quality influence factor of the n-th packet; $F_{n-1}$ is the sum of the quality influence factors of the n-1 historical packets, with initial $F_0 = 1$, and is calculated as:
Figure BDA0003361718860000042
$P_n$ denotes the state of the n-th packet and is calculated as:
$$P_n = S_n \times R_n,\quad n \ge 1$$
where $S_n$ indicates whether the n-th packet on path r was acknowledged ($S_n = 1$ if the acknowledgement was received, otherwise $S_n = 0$), and $R_n$ denotes the rate at which packets are acknowledged as received.
In a further improvement of the system, the controller also comprises a path issuing module, which updates the flow table rule according to the plurality of forwarding paths and weights and issues it to the switch, instructs the switch to forward the data connection request packet to the destination host along the path with the largest weight among the forwarding paths, and sends a message informing the source host of the forwarding paths and their weights.
In a further improvement of the system, the source host also comprises an encryption module, which runs a k-n threshold encryption algorithm on the original data to obtain n pieces of ciphertext data;
the data sending module sends the n pieces of ciphertext data over k forwarding paths chosen according to the plurality of forwarding paths and weights, with the following path selection steps:
sort the paths by weight from largest to smallest and select the k forwarding paths with the largest weights;
divide n by k, rounding up, to obtain the average number of ciphertext pieces per path over the k forwarding paths; if this average is greater than k, set it to k;
distribute the ciphertext pieces over the k forwarding paths according to this average;
among the k forwarding paths, transmit the ciphertext pieces sequentially starting from the forwarding path with the largest weight;
and update the use record of each forwarding path used.
In a further improvement of the system, the destination host comprises a decryption module and a feedback module, wherein
the decryption module decrypts the encrypted k value in the connection request packet and, once the number of non-repeated ciphertext pieces received by the destination host is greater than or equal to k, decrypts the ciphertext data to obtain the original data;
and the feedback module, after receiving a data packet, sends a data reply to the source host over the same forwarding path according to the forwarding path mark of the packet, informing it of the received data packet number.
In a further improvement of the system, the source host retransmits data packets for which no data reply is received: when no data reply from the destination host arrives within the preset timeout, or the number of non-repeated ciphertext pieces acknowledged is less than k, a path is reselected to retransmit the unacknowledged packets, as follows:
according to the use records of the current forwarding paths, if unused forwarding paths exist and their number is greater than or equal to the number of forwarding paths on which no data reply was received, the weight updating module recalculates the weights of the current forwarding paths, the paths are sorted by weight, and the unused alternative forwarding paths are taken starting from the one with the largest weight to retransmit the unacknowledged packets, until the destination host receives them or the number of non-repeated ciphertext pieces it has received is greater than or equal to k;
otherwise, the path and weight calculation module recalculates a new plurality of forwarding paths and path weights, and the source host selects forwarding paths from the new paths and weights to retransmit the unacknowledged packets, until the destination host receives them or the number of non-repeated ciphertext pieces it has received is greater than or equal to k.
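The source-side share distribution and the destination-side "at least k non-repeated pieces" rule above are illustrated by the following added example, which is not code from the patent. The patent only says "k-n threshold encryption"; this example instantiates it with Shamir secret sharing over a Mersenne-prime field, which is an assumption, and uses a constructed set of path weights. The case where n exceeds k*k (more shares than the capped per-path average can carry in one round) is not specified on the page; the example simply returns those shares as leftover, also an assumption.

```python
import secrets
from math import ceil

# Field for the toy Shamir instance. The page only says "k-n threshold
# encryption"; Shamir secret sharing over this Mersenne prime is an assumption.
PRIME = 2**127 - 1


def split_secret(secret, k, n):
    """k-of-n Shamir split: a random degree-(k-1) polynomial whose constant
    term is the secret, evaluated at x = 1..n. Returns n (x, y) shares."""
    if not (0 <= secret < PRIME and 1 <= k <= n):
        raise ValueError("need 0 <= secret < PRIME and 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares, k):
    """Destination-side rule from the page: reconstruct only once at least k
    non-repeated shares have arrived; otherwise return None and keep waiting
    for retransmission. Reconstruction is Lagrange interpolation at x = 0."""
    distinct = dict(shares)                  # repeated shares collapse to one
    if len(distinct) < k:
        return None
    pts = list(distinct.items())[:k]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def assign_shares_to_paths(shares, path_weights, k):
    """Source-side path selection steps from the page: rank paths by weight
    (largest first), keep k of them, give each ceil(n/k) shares (capped at k),
    filling from the heaviest path. Returns (plan, leftover, use_record)."""
    n = len(shares)
    ranked = sorted(path_weights, key=path_weights.__getitem__, reverse=True)[:k]
    per_path = min(ceil(n / k), k)
    plan, idx = {}, 0
    for path in ranked:
        plan[path] = shares[idx:idx + per_path]
        idx += per_path
    # Shares beyond k*per_path (only possible when n > k*k) are left for a
    # later round; how the page handles that case is not stated (assumption).
    leftover = shares[idx:]
    use_record = [path for path in ranked if plan[path]]   # "update the use record"
    return plan, leftover, use_record


# Constructed sample (not from the page): the page's preferred k=3, n=4 with
# four candidate paths and made-up weights.
SAMPLE_WEIGHTS = {"r1": 0.92, "r2": 0.75, "r3": 0.60, "r4": 0.31}


def demo(secret=0x5EC2E7, k=3, n=4):
    """Run one transmission round and report what each delivery outcome yields."""
    shares = split_secret(secret, k, n)
    plan, leftover, used = assign_shares_to_paths(shares, SAMPLE_WEIGHTS, k)
    arrived_r1 = plan["r1"]                      # only the heaviest path delivered
    arrived_all = plan["r1"] + plan["r2"]        # both used paths delivered
    return {
        "per_path": {p: len(s) for p, s in plan.items()},
        "leftover": len(leftover),
        "used": used,
        "from_one_path": recover_secret(arrived_r1, k),        # None: fewer than k
        "duplicates_only": recover_secret(arrived_r1 * 2, k),  # None: repeats ignored
        "from_two_paths": recover_secret(arrived_all, k),      # the secret
    }


if __name__ == "__main__":
    print(demo())
```

With k=3 and n=4 the heaviest two paths carry two shares each and the third carries none, so an observer of any single link sees at most two shares, below the threshold, which is the property the page relies on when it says partial theft yields nothing; the destination also discards repeated shares before counting, so a replayed share does not let it reach k early.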
Compared with the prior art, the invention achieves at least one of the following beneficial effects:
1. Forwarding paths are identified for adjustment in real time from network topology changes and communication records, combined with a multi-path dynamic selection mechanism that recalculates whenever needed; at the same time the strategy is updated adaptively with the path security weight as the path priority, which improves data security to the greatest extent while guaranteeing service continuity;
2. Multiple paths are used for forwarding, which minimizes the eavesdropping risk caused by a single-point vulnerability, and a k-n threshold encryption algorithm is supported for encrypting the data packets: an attacker who steals fewer than k pieces of ciphertext can obtain no information about the encrypted data from them, and decryption is possible only when k or more pieces are obtained. Data leakage through the partial theft of data is thus effectively avoided, the difficulty of attack is raised, and the security of data transmission is guaranteed;
3. Data transmission uses a reply-and-retransmit mechanism that takes the historical transmission conditions of the different paths into account, allocates forwarding paths dynamically while ensuring data security, and uses the same forwarding path for sending a packet and for its reply; this effectively avoids repeated retransmission caused by link congestion, resists transmission failure caused by an attacker maliciously discarding packets on a link, ensures the data transmission function and improves transmission quality.
In the invention, the technical schemes can be combined with each other to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, wherein like reference numerals are used to designate like parts throughout.
Fig. 1 is a schematic structural diagram of a secure transmission system for dynamically adjusting a forwarding path according to an embodiment of the present invention.
Detailed Description
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate preferred embodiments of the invention and together with the description, serve to explain the principles of the invention and not to limit the scope of the invention.
In an embodiment of the present invention, a secure transmission system for dynamically adjusting a forwarding path is disclosed, as shown in fig. 1, the system includes a controller, a source host, a destination host, and a switch. It should be noted that the transmission paths, the number of switches, and the interaction relationship among the components in fig. 1 are only examples.
The interaction steps of each component in the system in data transmission are as follows:
(1) when data transmission starts, the source host sends a connection request packet to the destination host and waits for responses from the destination host and the controller;
(2) the switch matches the connection request packet against the packet header marking rule and sends the packet header information to the controller;
(3) the controller obtains the source and destination host information from the packet header, identifies from the historical communication records and the network topology whether the forwarding path needs to be reselected, and if so calculates a new plurality of forwarding paths and path weights, updates the flow table rule and issues it to the switch;
(4) the controller instructs the switch to pick one of the current forwarding paths to forward the connection request packet to the destination host, and sends a message informing the source host of the path change;
(5) after receiving the connection request packet, the destination host sends a connection request reply to the source host over the same transmission path;
(6) if the source host receives the connection request reply from the destination host within the preset timeout, it runs the k-n threshold encryption algorithm on the data packet to be encrypted, turning the original data into n pieces of ciphertext; if neither the connection request reply nor the path change message arrives within the preset timeout, it returns to step (1) and starts over;
(7) the source host selects forwarding paths according to the current forwarding paths and path weights, sends the data packets and waits for data replies;
(8) the destination host receives the data packets from the source host and sends data replies; for ciphertext encrypted with the k-n threshold scheme, once the number of non-repeated ciphertext pieces received is greater than or equal to k, it decrypts them to obtain the original data, otherwise it waits for the source host to retransmit;
(9) when the source host receives no data reply from the destination host within the preset timeout, or the number of non-repeated ciphertext pieces acknowledged is less than k, the source host recalculates the weights of the current forwarding paths if any of them is still unused, and otherwise the controller recalculates a new plurality of forwarding paths and weights; the source host then selects paths according to the current paths and weights and retransmits the unacknowledged packets until the destination host receives them or the number of non-repeated ciphertext pieces it has received is greater than or equal to k.
In the transmission process, the forwarding path is dynamically adjusted according to the network topology change and the communication record, a multi-path selection mechanism and the real-time updating of the path weight are combined, the strategy is adaptively updated, the data security is improved to the maximum extent, and meanwhile the service continuity is guaranteed.
Specifically, each component realizes data safety transmission through the cooperation of corresponding functional modules, wherein the controller comprises a path change identification module, a path and weight calculation module and a data issuing module; the source host comprises a weight updating module, a data sending module and an encryption module; the destination host comprises a decryption module and a feedback module. The specific schemes, actions and effects of the modules are described in detail below according to the data transmission process.
In step (1), the source host sends a connection request packet. For packets that need k-n encryption (for example, sensitive traffic and high-security-level traffic data), it marks the packet header, and the marked connection request header carries an encrypted k value and an encrypted n value.
Since the closer k is to n, the tighter the constraint on secret recovery and the harder it is for an intruder to eavesdrop on the transmitted data, k and n are determined jointly from the total number of paths in the network topology and the forwarding efficiency: selecting too many forwarding paths occupies too many network resources, adds transmission overhead and increases decoding cost, so a k value below 4 is generally recommended.
Preferably, for data transmission with 4 or more available paths, k and n are set to 3 and 4 respectively, whereas for data transmission with 2 or 3 available paths, k and n are both set equal to the number of available forwarding paths.
In step (2), after receiving the connection request packet from the source host, the switch checks according to the preset flow table rule whether the packet header carries the encryption mark and, if so, sends the packet header to the controller in a PacketIn message; correspondingly, when sending data, the source host runs the k-n threshold encryption algorithm in its encryption module to turn the original data into n pieces of ciphertext, and the data sending module selects k forwarding paths to send them.
In step (3), the path change identification module in the controller identifies, from the historical communication record and the network topology, whether a forwarding path should be reselected;
specifically, the following procedure decides whether to reselect:
if, according to the historical communication record, the connection is being established for the first time or the interval since the last communication exceeds the preset timeout, reselection of the forwarding path is identified; or
if, according to the global network topology information maintained in the controller, switches or links on a forwarding path have been added or removed, reselection of the forwarding path is identified; or
if packet-capture analysis of the sent PacketOut messages and the received PacketIn messages detects link congestion or a packet loss rate exceeding a preset threshold, the forwarding path is reselected.
Because the controller manages all connected switches globally, it can obtain the network topology data conveniently and recalculate as soon as a topology change is observed, improving data security to the greatest extent.
To prevent the data on several paths from being stolen through the compromise of a single switch or link, the selected transmission paths must be mutually disjoint except for the source and destination hosts; and to improve the security of ciphertext transmission, as many such paths as possible should be provided so that more paths remain to choose from when retransmitting. The largest possible set of non-overlapping paths is therefore calculated and kept as the available paths.
Note that the fewer intersections there are between paths, the fewer restrictions the choice of one path places on subsequent choices. Therefore, the collision coefficient of each switch is the number of available paths that pass through it, the collision coefficient of a path is the sum of the coefficients of the switches it contains, and forwarding paths are selected in order of smallest collision coefficient.
Specifically, after reselection has been identified, the path and weight calculation module in the controller calculates a plurality of forwarding paths from the available paths between the source host and the destination host and the number of those paths on which each switch lies, and calculates their weights from the packet transmission condition, as follows:
obtain all available paths from the source host to the destination host by a breadth-first rule and put them into an available path set; from the available path set, collect the switches contained in each available path into a switch set;
traverse the switch set and count, for each switch, the number of available paths containing it; traverse the available path set and, for each available path, add up these counts for the switches on the path to obtain the path's collision coefficient;
sort the available path set by collision coefficient, select the path with the smallest collision coefficient that does not intersect any path in the selected path set, move it into the selected path set as a selection result, remove from the available path set every path that intersects a path in the selected path set, and repeat the selection over the remaining paths until the available path set is empty; the paths in the selected path set are the final plurality of forwarding paths.
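The path enumeration, collision-coefficient scoring and greedy disjoint selection described here (and in the corresponding claim text earlier on the page) are worked through in the following added example. It is not the patent's own code; the topology, node names and adjacency representation are constructed for the example. Switches are compared for intersection because the page requires paths to be disjoint apart from the two hosts; link-level disjointness would need edges to be tracked as well.

```python
from collections import deque


def enumerate_paths(adj, src, dst):
    """Breadth-first enumeration of every loop-free path from src to dst.

    adj maps a node to the list of its neighbours. Each path is returned as a
    tuple of the switches it traverses; the two hosts are dropped because the
    page only requires paths to be disjoint apart from the hosts.
    """
    paths = []
    queue = deque([(src,)])
    while queue:
        partial = queue.popleft()
        for nxt in adj.get(partial[-1], ()):
            if nxt in partial:               # never revisit a node (no loops)
                continue
            if nxt == dst:
                paths.append(partial[1:])    # drop the source host
            else:
                queue.append(partial + (nxt,))
    return paths


def collision_coefficients(paths):
    """Collision coefficient of a path = sum, over its switches, of the number
    of available paths that contain that switch (the page's definition)."""
    per_switch = {}
    for path in paths:
        for sw in path:
            per_switch[sw] = per_switch.get(sw, 0) + 1
    return {path: sum(per_switch[sw] for sw in path) for path in paths}


def select_disjoint_paths(paths):
    """Greedy selection from the page: repeatedly take the remaining path with
    the smallest collision coefficient, then drop every remaining path that
    shares a switch with anything already selected, until none are left."""
    coeff = collision_coefficients(paths)
    # Sort by coefficient; the tuple itself breaks ties deterministically.
    available = sorted(paths, key=lambda p: (coeff[p], p))
    selected, used = [], set()
    while available:
        best = available.pop(0)
        selected.append(best)
        used.update(best)
        available = [p for p in available if used.isdisjoint(p)]
    return selected


def compute_forwarding_paths(adj, src, dst):
    """Enumerate, score and select in one call (controller-side step)."""
    return select_disjoint_paths(enumerate_paths(adj, src, dst))


# Constructed sample topology (not from the page): source host S, destination
# host D and five switches. Two one-hop paths plus two paths that share s3, so
# at most one of the latter can be chosen.
SAMPLE_ADJ = {
    "S":  ["s1", "s2", "s3"],
    "s1": ["D"],
    "s2": ["D"],
    "s3": ["s4", "s5"],
    "s4": ["D"],
    "s5": ["D"],
}

if __name__ == "__main__":
    all_paths = enumerate_paths(SAMPLE_ADJ, "S", "D")
    for path, c in collision_coefficients(all_paths).items():
        print(path, "collision coefficient", c)
    print("selected:", compute_forwarding_paths(SAMPLE_ADJ, "S", "D"))
```

On the sample topology the two one-hop paths score 1 each and the two paths through s3 score 3 each, so the selection keeps both one-hop paths and exactly one of the s3 paths: three mutually disjoint forwarding paths, which is what the page needs so that compromising one switch exposes at most one path's ciphertext pieces.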
In order to prevent the connection state and security state of a path from degrading transmission quality when a path is picked at random from the plurality of forwarding paths, the path weight is calculated from indexes such as the quality influence factor, and the path with the larger weight is selected as the actual forwarding path.
Specifically, the packet transmission condition from which the weights of the calculated forwarding paths are computed includes: the packet quality influence factor, the historical packet quality influence factor, the packet state and the pre-update path weight;
the packet quality influence factor represents the degree to which packets are confirmed as discarded: when the source host does not receive the data reply from the destination host within the preset timeout, the packet is confirmed as discarded and its quality influence factor is increased by 1; otherwise the packet is confirmed as received and the quality influence factor is unchanged;
the historical data packet quality influence factor is the sum of the quality influence factors of the historical data packets on the forwarding path;
the packet state represents the degree to which the packet is confirmed as received: when the packet is confirmed as received, the packet state equals the rate at which packets are confirmed as received on the forwarding path; when the packet is confirmed as discarded, the packet state is 0;
the pre-update path weight is the weight at which the previous packet on the forwarding path was acknowledged.
Combining the indexes that influence the packet transmission condition, the weight is calculated as follows:
[Weight formula for $Q_{r,n}$: equation image BDA0003361718860000111, not reproduced in the text]
where $Q_{r,n}$ denotes the weight of the $n$-th data packet on path $r$ when it is acknowledged, $Q_{r,n-1}$ denotes the weight of the $(n-1)$-th data packet on path $r$ when it was acknowledged, that is, the weight of path $r$ before the update, with initial $Q_{r,0}=1$; $f_n$ denotes the quality influence factor of the $n$-th data packet; $F_{n-1}$ is the sum of the quality influence factors of the $n-1$ historical data packets, with initial $F_0=1$, and is calculated by:
[Formula for $F_{n-1}$: equation image BDA0003361718860000112, not reproduced in the text]
$P_n$ denotes the state of the $n$-th data packet and is calculated by:
$$P_n = S_n \times R_n,\quad n \ge 1 \qquad \text{(formula 3)}$$
where $S_n$ indicates whether the $n$-th data packet was acknowledged on path $r$: $S_n$ is 1 when the acknowledgment is received and 0 otherwise; $R_n$ is the rate at which data packets are confirmed as received, computed from the number of packets confirmed as received on forwarding path $r$ and the total number of packets sent, so as to distinguish the quality and importance of the packets received on different forwarding paths.
Before the weight is calculated for the first time, the path change identification module of the controller performs link congestion and packet loss rate detection to obtain the number of lost packets and the reception rate on each path; from these, the quality influence factor and state of the packets on each path are obtained and the path weight for the first round of data transmission is calculated.
The weight formula comprehensively considers the historical transmission condition of the data packet on the path, and focuses on data transmission safety, so that the weight calculation is more reasonable.
According to the historical communication record, if the connection is not established for the first time and the controller identifies that the forwarding path does not need to be reselected, the original forwarding path and the path weight are unchanged.
The controller updates the flow table rules and issues them to the switches as follows:
if an old forwarding path and path weight exist, the controller deletes them from the flow table rules of the switches on the old forwarding path through a FlowRemove message, and installs the new forwarding path and path weight into the flow table rules of the switches on the new forwarding path through a FlowAdd message.
In step (4), the path issuing module in the controller is configured to update the flow table rules according to the plurality of forwarding paths and their weights and issue the updated rules to the switch, to instruct the switch through a PacketOut message to select the path with the largest weight among the current plurality of forwarding paths and forward the cached complete connection request packet to the destination host, and to send a message notifying the source host of the updated forwarding paths and weights.
In step (5), after the destination host receives the connection request packet, for a connection request packet carrying the encryption mark, the decryption module in the destination host obtains the decrypted k and n values, which are used to judge the number of ciphertext copies to be received subsequently; the feedback module in the destination host marks the connection request reply with the same path label as the connection request packet and sends the reply to the source host along the same forwarding path.
In step (6), if the source host does not receive the connection request reply and the current path change condition within the preset timeout, this indicates a problem in path selection or data communication: the flow returns to step (1), the source host resends the connection request packet, the controller recalculates a plurality of new forwarding paths and path weights, sends a message to the source host and instructs the switch to send the connection request packet to the destination host, and the source host again waits for the preset timeout to receive the connection request reply and the current path change condition. Illustratively, the timeout is 30 seconds.
When the source host receives the connection request reply from the destination host within the preset timeout, the encryption module runs the k-n threshold encryption algorithm on the data that needs to be encrypted, producing n pieces of ciphertext data.
In step (7), the data sending module in the source host selects the forwarding path with the largest weight according to the plurality of forwarding paths and weights to send the data packet, marks each data packet with a distinct packet number and a forwarding path label, and updates the use record of the corresponding forwarding path. For n pieces of ciphertext data to be transmitted, k forwarding paths are selected, and the path selection step includes:
sorting the path weights from largest to smallest and selecting k forwarding paths starting from the largest weight;
dividing the number n of ciphertext pieces by k and rounding up to obtain the average number of ciphertext pieces per path among the k forwarding paths, and if the average is greater than k, setting the average to k;
distributing the pieces of ciphertext data to the k forwarding paths according to the average value;
transmitting the ciphertext data over the k forwarding paths in order, starting from the forwarding path with the largest weight.
Preferably, the difference between the number of ciphertext pieces sent on the maximum-weight path and on the minimum-weight path among the k forwarding paths is not more than 30% of the n ciphertext pieces transmitted.
The method comprehensively considers and selects the final forwarding path according to the link condition of the available path, and has good adaptability to the software defined network with variable network states and network structures.
In step (8), after receiving a data packet, the feedback module in the destination host stores the data according to the packet number and, according to the packet's forwarding path label, sends a data reply to the source host over the same forwarding path to report the received packet number. For ciphertext data, the destination host uses the decrypted k and n values obtained in step (5): when it identifies that the number of distinct ciphertext pieces received is greater than or equal to k, the decryption module decrypts the ciphertext to recover the original data and one data transmission is complete. Otherwise it waits for the source host to retransmit the ciphertext.
Under the condition of ensuring data safety, a forwarding path is dynamically allocated to the ciphertext, and the same path is used for sending and replying the same ciphertext, so that repeated data retransmission caused by link blockage is effectively avoided, and data transmission failure caused by malicious discarding of a data packet on a link by an attacker is effectively resisted, thereby ensuring the data transmission function and improving the transmission quality.
In step (9), when the data reply sent by the destination host is not received within the preset timeout, or when fewer than k replies for distinct ciphertext pieces have been received, the source host reselects a path and retransmits the data packets for which no data reply was received, as follows:
according to the use records of the current plurality of forwarding paths, if unused forwarding paths exist and their number is greater than or equal to the number of forwarding paths on which no data reply was received, the weights of the current forwarding paths are recalculated by the weight updating module and sorted by weight, the path with the largest weight among the unused alternative forwarding paths is selected, and the data packets without a data reply are retransmitted until the destination host receives them or the number of distinct ciphertext pieces received is greater than or equal to k;
otherwise, the path and weight calculation module recalculates a plurality of new forwarding paths and path weights, and the source host selects a forwarding path among them to retransmit the data packets without a data reply until the destination host receives them or the number of distinct ciphertext pieces received is greater than or equal to k.
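As an added worked example of the data sending module's behaviour in step (7) (distributing n ciphertext pieces over k paths, with the 30% spread preference) and in step (9) (the retransmission rule), here is Python code written for this page, not taken from the patent. Path names and weights are constructed; the handling of leftover pieces when the rounded-up average is capped at k is an assumption, because the text does not say what happens to them; the weight recalculation by the weight updating module is represented by a callback, and the fallback to the controller's path and weight calculation module by a None result.

```python
import math
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample path weights (assumption, not from the patent).
PATH_WEIGHTS: Dict[str, float] = {"r1": 0.92, "r2": 0.75, "r3": 0.41, "r4": 0.18}


def assign_shares(weights: Dict[str, float], k: int, n: int) -> List[Tuple[str, int]]:
    """Share distribution for n ciphertext pieces over the k heaviest paths:
    rank paths by weight, take the top k, compute average = ceil(n / k) capped
    at k, then hand out up to 'average' pieces per path, heaviest path first."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    ranked = sorted(weights, key=lambda p: weights[p], reverse=True)
    if len(ranked) < k:
        raise ValueError("fewer than k forwarding paths available")
    average = min(math.ceil(n / k), k)
    plan: List[Tuple[str, int]] = []
    remaining = n
    for path in ranked[:k]:
        count = min(average, remaining)
        plan.append((path, count))
        remaining -= count
    # Assumption: the patent does not say what happens to pieces left over when
    # the cap (average > k) applies; here they are spread one per path, heaviest first.
    i = 0
    while remaining > 0:
        path, count = plan[i % k]
        plan[i % k] = (path, count + 1)
        remaining -= 1
        i += 1
    return plan


def spread_within_limit(plan: List[Tuple[str, int]], n: int) -> bool:
    """The patent's preference: pieces on the heaviest path minus pieces on the
    lightest of the k paths must not exceed 30% of n."""
    return plan[0][1] - plan[-1][1] <= 0.3 * n


def schedule_shares(weights: Dict[str, float], k: int, n: int) -> List[Tuple[int, str]]:
    """Label every piece with a packet number and the tag of the path it goes out
    on, in transmission order (largest-weight path first)."""
    schedule: List[Tuple[int, str]] = []
    number = 1
    for path, count in assign_shares(weights, k, n):
        for _ in range(count):
            schedule.append((number, path))
            number += 1
    return schedule


def plan_retransmission(
    paths: List[str],
    used: Set[str],
    unanswered: List[str],
    recompute_weights: Callable[[List[str]], Dict[str, float]],
) -> Optional[Dict[str, str]]:
    """Source-side retransmission rule: if there are unused forwarding paths and
    at least as many of them as paths whose packets got no reply, re-weight the
    current paths (weight updating module) and move each unanswered transfer to
    the heaviest unused path. Otherwise return None: the controller must compute
    a new set of forwarding paths and weights (path and weight calculation module)."""
    unused = [p for p in paths if p not in used]
    if not unused or len(unused) < len(unanswered):
        return None
    new_weights = recompute_weights(paths)
    ranked = sorted(unused, key=lambda p: new_weights[p], reverse=True)
    return dict(zip(unanswered, ranked))


if __name__ == "__main__":
    for number, path in schedule_shares(PATH_WEIGHTS, k=3, n=7):
        print(f"piece {number} -> {path}")
```

With the constructed weights, k = 3 and n = 7, the heaviest three paths get 3, 3 and 1 pieces, a spread of 2 that stays within the 30% bound of 2.1; schedule_shares then labels pieces 1 to 7 with their path tags in transmission order. plan_retransmission returns a mapping from each unanswered path to an unused replacement, or None when the source host must fall back to the controller's path and weight calculation module.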
The system supports multi-path transmission of data encrypted with a k-n threshold scheme: an attacker who steals fewer than k ciphertext pieces cannot obtain any information about the encrypted data from them, and the data can be decrypted only when k or more ciphertext pieces are obtained. This effectively avoids data leakage through partial theft of the data, raises the difficulty of attack and guarantees the security of data transmission.
Compared with the prior art, the secure transmission system for dynamically adjusting the forwarding path provided by this embodiment identifies forwarding path adjustments from real-time network topology changes and communication records, combines them with a multi-path dynamic selection mechanism that recalculates at any time, and adaptively updates the strategy using the path security weight as the path priority, thereby maximizing data security and ensuring service continuity. Multiple paths are used for forwarding, reducing as far as possible the eavesdropping risk caused by a single-point vulnerability, and a k-n threshold encryption algorithm is supported for encrypting the data packets: an attacker who steals fewer than k ciphertext pieces cannot obtain any information about the encrypted data from them, and decryption is possible only when k or more pieces are obtained, which effectively avoids data leakage through partial theft, raises the difficulty of attack and guarantees the security of data transmission. Data transmission uses a reply-and-retransmit mechanism that comprehensively considers the historical transmission conditions of different paths; forwarding paths are dynamically allocated while data security is maintained, and the same forwarding path is used for sending a data packet and for its reply, which effectively avoids repeated retransmission caused by link blockage and effectively resists data transmission failure caused by an attacker maliciously discarding packets on a link, ensuring the data transmission function and improving transmission quality.
Those skilled in the art will appreciate that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium, to instruct related hardware. The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.

Claims (9)

1. A secure transmission system for dynamically adjusting a forwarding path, characterized by comprising a controller, a source host, a destination host and a switch; the controller comprises a path change identification module and a path and weight calculation module; the source host comprises a weight updating module and a data sending module;
the path change identification module is used for identifying whether to reselect a forwarding path according to historical communication records and network topology;
the path and weight calculation module is used for calculating to obtain a plurality of forwarding paths according to the number of available paths between the source host and the destination host and the number of paths where the switch is located after the forwarding paths are identified to be reselected, and calculating to obtain the weights of the plurality of forwarding paths according to the transmission condition of the data packets;
the weight updating module is used for updating the weights of the plurality of forwarding paths through the path and weight calculating module when the data packet is confirmed;
the data sending module is used for selecting a forwarding path to send a data packet according to a plurality of forwarding paths and weights and retransmitting the data packet which does not receive the data reply;
the calculating to obtain a plurality of forwarding paths according to the available paths between the source host and the destination host and the number of paths where the switch is located includes:
obtaining all available paths from the source host to the destination host according to the breadth first rule, and putting the available paths into an available path set; based on the available path set, acquiring the switches contained in each available path, and putting the switches into the switch set;
traversing the switch set, and calculating the number of available paths containing each switch in the available path set; traversing the available path set, and adding the number of the available paths of the switch on each available path to obtain a collision coefficient of each path;
sorting each path in the available path set according to the size of the collision coefficient, selecting a path with the minimum collision coefficient and not intersected with the path in the selected path set, moving the path into the selected path set as a path selection result, removing the path intersected with the path in the selected path set from the available path set, repeatedly selecting the rest paths in the available path set until the paths are empty, and taking the path in the selected path set as a plurality of final forwarding paths.
2. The system of claim 1, wherein the switch identifies whether a packet header has an encryption flag according to a preset flow table rule after receiving a connection request packet sent by a source host, and sends a packet header message to the controller if the packet header has the encryption flag; when the header of the connection request data packet has an encryption mark, the connection request data packet comprises an encrypted k value and an encrypted n value; correspondingly, the data sending module selects k forwarding paths to send n pieces of ciphertext data when sending the data packet.
3. The system of claim 2, wherein the controller is further configured to obtain source host and destination host information according to the packet header message; the path change identification module executes the following procedures to identify whether to reselect a forwarding path, including:
according to the historical communication record, determining that the connection is being established for the first time or that the interval since the last communication exceeds the preset timeout, and identifying that the forwarding path is to be reselected; or
acquiring additions and removals of switches and of links on the forwarding path according to the global network topology information maintained in the controller, and identifying that the forwarding path is to be reselected when switches and/or links have been added or removed; or
identifying, by packet capture analysis of the sent PacketOut messages and received PacketIn messages, that link congestion or the packet loss rate exceeds a preset threshold, and identifying that the forwarding path is to be reselected.
4. The system according to claim 2 or 3, wherein the packet transmission condition comprises: data packet quality influence factors, historical data packet quality influence factors, data packet states and path weights before updating;
the packet quality influence factor represents the degree to which packets are confirmed as discarded: when the source host does not receive the data reply from the destination host within the preset timeout, the packet is confirmed as discarded and its quality influence factor is increased by 1; otherwise the packet is confirmed as received and the quality influence factor is unchanged;
the historical data packet quality influence factor is the sum of the quality influence factors of the historical data packets on the forwarding path;
the packet state represents the degree to which the packet is confirmed as received: when the packet is confirmed as received, the packet state equals the rate at which packets are confirmed as received on the forwarding path; when the packet is confirmed as discarded, the packet state is 0;
the pre-update path weight is the weight when the previous packet on the forwarding path is acknowledged.
5. The system of claim 4, wherein the weight is calculated by the following formula:
[Weight formula for $Q_{r,n}$: equation image FDA0004097321840000031, not reproduced in the text]
wherein $Q_{r,n}$ denotes the weight of the $n$-th data packet on path $r$ when it is acknowledged, $Q_{r,n-1}$ denotes the weight of the $(n-1)$-th data packet on path $r$ when it was acknowledged, that is, the weight of path $r$ before the update, with initial $Q_{r,0}=1$; $f_n$ denotes the quality influence factor of the $n$-th data packet; $F_{n-1}$ is the sum of the quality influence factors of the $n-1$ historical data packets, with initial $F_0=1$, calculated by:
[Formula for $F_{n-1}$: equation image FDA0004097321840000032, not reproduced in the text]
$P_n$ denotes the state of the $n$-th data packet and is calculated by:
$$P_n = S_n \times R_n,\quad n \ge 1$$
wherein $S_n$ indicates whether the $n$-th data packet was acknowledged on path $r$: $S_n$ is 1 when the acknowledgment is received and 0 otherwise; $R_n$ denotes the rate at which data packets are confirmed as received.
6. The system of claim 5, wherein the controller further comprises a path issuing module, configured to update the flow table rule according to the multiple forwarding paths and the weights, and issue the updated flow table rule to the switch, instruct the switch to select a path with a highest weight among the multiple forwarding paths to forward the data connection request packet to the destination host, and send a message to notify the source host of the multiple forwarding paths and the weights.
7. The system of claim 2, wherein the source host further comprises an encryption module configured to run a k-n threshold encryption algorithm to encrypt the original data to obtain n pieces of ciphertext data;
the n cipher text data are sent by the data sending module according to a plurality of forwarding paths and weights, and the path selection step comprises the following steps:
sorting the path weights from big to small, and selecting k forwarding paths from the maximum weight;
calculating n parts of ciphertext data according to upward rounding to obtain an average value of the number of ciphertext parts on each path in k forwarding paths, and if the average value is greater than a k value, setting the average value as the k value;
distributing the number of the ciphertext data to the k forwarding paths according to the average value;
in k forwarding paths, ciphertext data are sequentially transmitted from the forwarding path with the largest weight;
and updating the use record corresponding to the forwarding path.
8. The system of claim 7, wherein the destination host comprises a decryption module and a feedback module, wherein,
the decryption module is used for decrypting the encrypted k value in the connection request packet and, when the destination host receives ciphertext data and identifies that the number of distinct ciphertext pieces received is greater than or equal to k, decrypting the ciphertext data to obtain the original data;
and the feedback module is used for sending data reply to the source host by the same forwarding path according to the forwarding path mark of the data packet after receiving the data packet, and informing the received data packet number.
9. The system of claim 8, wherein, when the data reply sent by the destination host is not received within a preset timeout or when fewer than k replies for distinct ciphertext pieces have been received, the source host reselects a path and retransmits the data packet for which no data reply was received, comprising:
according to the use records of the current multiple forwarding paths, if the unused forwarding paths exist and the number of the unused forwarding paths is more than or equal to the number of the forwarding paths which do not receive data replies, the weights of the current multiple forwarding paths are recalculated through the weight updating module and are sorted according to the weight, and in an unused alternative forwarding path, the path with the largest weight is selected, and the data packet which does not receive the data replies is retransmitted until the destination host receives the data packet or the number of the received unrepeated ciphertexts is more than or equal to a value k;
otherwise, through the path and weight calculation module, recalculating to obtain a plurality of new forwarding paths and path weights, and then selecting a forwarding path from the plurality of new forwarding paths and path weights by the source host to retransmit the data packet which does not receive the data reply until the destination host receives the data packet or the number of the received non-repeated ciphertexts is more than or equal to the value k.
CN202111369130.9A 2021-11-18 2021-11-18 Safe transmission system for dynamically adjusting forwarding path Active CN114124799B (en)

Publications (2)

Publication Number | Publication Date
CN114124799A (en) | 2022-03-01
CN114124799B (en) | 2023-04-18

Family

ID=80397598


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant