CN114362985A - Message processing method and device - Google Patents


Info

Publication number
CN114362985A
Authority
CN
China
Prior art keywords
packet
message
information
communication device
checksum
Legal status
Pending
Application number
CN202011285029.0A
Other languages
Chinese (zh)
Inventor
谢经荣
闫刚
李振斌
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The embodiments of the application disclose a packet processing method in which the head node that tunnel-encapsulates an original user packet performs a hash calculation over the first checksum of the original user packet to obtain first check information, and encapsulates that first check information in a tunnel header to obtain a first packet. After the head node forwards the first packet, a node receiving it can verify the integrity of the first packet against the first check information, thereby determining whether the user packet in the received first packet has been tampered with and, further, whether the packet payload of the user packet has been tampered with.

Description

Message processing method and device
The present application claims priority to Chinese patent application No. 202011053857.1, entitled "An IP transmission method for guaranteeing integrity of user message", filed with the Chinese Intellectual Property Office on September 29, 2020, which is incorporated herein by reference in its entirety.
Technical Field
The present application relates to the field of communications, and in particular, to a method and an apparatus for processing a packet.
Background
A packet transmitted in an Internet Protocol (IP) network may be referred to as an IP packet.
At present, while an IP packet is being transmitted there is a risk that its packet payload is tampered with, and how to detect whether the packet payload of an IP packet has been tampered with is a problem that urgently needs to be solved.
Disclosure of Invention
The embodiment of the application provides a message processing method and device, which can determine whether the message payload of an IP message is tampered.
In a first aspect, an embodiment of the present application provides a packet processing method, which may be executed by a first communication device. In one example, the first communication device obtains a first packet, which is an IP packet including a tunnel header and a user packet. The tunnel header of the first packet includes first check information, which is obtained by performing a hash calculation on first target content, and the first target content includes a first checksum of the original user packet. After acquiring the first packet, the first communication device may send it. Since the tunnel header of the first packet carries first check information computed by hashing first target content that includes the first checksum of the original user packet, the user packet can be checked against the first check information. Therefore, with this scheme a communication device receiving the first packet can verify through the first check information whether the user packet has been tampered with, and thereby determine whether the IP packet payload of the user packet has been tampered with. In one example, if second check information obtained by a second communication device performing a hash calculation on second target content does not match the first check information, the second target content differs from the first target content; it can then be determined that the second checksum in the second target content differs from the first checksum, so that the user packet in the first packet has been tampered with and, further, that the payload of the user packet has been tampered with. The second target content may include a second checksum of the user packet.
Moreover, the first target content has a smaller data amount than the entire user message. Therefore, compared with the scheme of verifying whether the message payload of the user message is tampered by performing hash calculation on the whole user message, the resource overhead is smaller.
In an implementation manner, it is considered that the first checksum, from which the first check information is calculated, is located in the original user packet, that is, in the packet payload of the first packet. Therefore, a communication device that performs integrity verification on the first packet using the first check information must parse the packet payload of the first packet before it can match the first check information. For an intermediate node that forwards the packet within the IP network domain, parsing the packet payload of the first packet consumes additional resources of that node. To avoid this, in an implementation manner of the embodiment of the present application, the head node that tunnel-encapsulates the original user packet may also encapsulate first information into the tunnel header of the first packet, where the first information indicates the first checksum, so that a communication device receiving the first packet obtains the first checksum indicated by the first information from the tunnel header and uses it to perform matching verification on the first check information.
In an implementation manner, the user packet further includes a second checksum, which is the checksum of the user packet; if the first packet is not tampered with during forwarding, the content of the user packet is the same as the content of the original user packet, that is, the first checksum and the second checksum are the same.
In an implementation manner, the user packet further includes a second checksum of the user packet, and if the first packet is tampered during the forwarding process, the content of the user packet may be different from the content of the original user packet, and for this case, the first checksum and the second checksum may be different.
In one implementation, the first communication device is a head node that performs tunnel encapsulation on the original user packet. For this case, the first communication device may receive an original user packet sent by the user equipment, and encapsulate a tunnel header for the original user packet, thereby obtaining the first packet.
In one implementation, the first communication device may be an intermediate node on the forwarding path of the first packet. In this case, the first communication device may receive the first packet sent by the head node that tunnel-encapsulates the original user packet.
In a second aspect, an embodiment of the present application provides a packet processing method, which may be executed by a second communication device. In one example, the second communication device receives a first packet, which is an IP packet including a tunnel header and a user packet. The tunnel header of the first packet includes first check information, obtained by performing a hash calculation on first target content, and the first target content includes a first checksum of the original user packet. Since the first check information is computed over first target content that includes the first checksum of the original user packet, the user packet can be checked against the first check information. After receiving the first packet, the second communication device may perform integrity verification on it according to the first check information, thereby determining whether the packet payload of the user packet has been tampered with. In one example, if second check information, obtained by the second communication device performing a hash calculation on second target content, does not match the first check information, the second target content differs from the first target content; it can then be determined that the second checksum in the second target content differs from the first checksum, so that the user packet in the first packet has been tampered with and, further, that the payload of the user packet has been tampered with. The second target content may include a second checksum of the user packet. Therefore, with this scheme the second communication device can verify through the first check information whether the packet payload of the user packet has been tampered with.
Moreover, the first target content has a smaller data amount than the entire user message. Therefore, compared with the scheme of verifying whether the message payload of the user message is tampered by performing hash calculation on the whole user message, the resource overhead is smaller.
In one implementation manner, the tunnel header further includes first information, and the first information is used to indicate the first checksum.
In an implementation manner, when the second communication device performs integrity verification on the first packet according to the first verification information, the second communication device may perform hash calculation according to a second target content of the first packet to obtain second verification information, and perform matching verification on the first verification information and the second verification information. If the first check information and the second check information match, for example, the first check information and the second check information are the same, the second communication device may determine that the first packet passes the integrity verification. If the first check information and the second check information do not match, for example, the first check information and the second check information are different, the second communication device may determine that the first packet fails the integrity verification.
In one implementation, the user packet includes a second checksum of the user packet, and the second target content from which the second communication device calculates the second check information may include that second checksum. In this situation, if the second communication device determines that the first check information and the second check information match, it may determine that the user packet has not been tampered with, that is, the user packet in the first packet is the original user packet, and further that the packet payload of the user packet has not been tampered with. If the second communication device determines that the first check information and the second check information do not match, the packet payload of the user packet has been tampered with.
In an implementation manner, if the tunnel header of the first packet includes first information, then when the second communication device performs integrity verification on the first packet according to the first check information, it may first determine the first checksum according to the first information, then perform a hash calculation on the determined first checksum to obtain second check information, and finally match the first check information against the second check information. With this method, an intermediate node on the forwarding path of the first packet can perform matching verification on the first check information without parsing the packet payload of the first packet, which avoids the extra resource overhead of parsing that payload.
In one implementation, the second check information is calculated from the first information in the tunnel header. If, after matching the first check information against the second check information, the second communication device determines that they do not match, this indicates that the source IP address in the tunnel header of the first packet, or other content in the second target content such as the SID list, has been tampered with.
In some embodiments, the second check information is calculated from the first information in the tunnel header. If, after matching the first check information against the second check information, the second communication device determines that they match, this indicates that the source IP address in the tunnel header of the first packet, or other content in the second target content such as the SID list, has not been tampered with. However, it does not indicate that the packet payload of the user packet has not been tampered with, because the first information in the tunnel header only indicates the first checksum, i.e. the checksum included in the original user packet. If the packet payload of the user packet has not been tampered with, the first checksum indicated by the first information in the tunnel header of the first packet should be the same as the checksum in the user packet. In view of this, in one example, to further determine whether the packet payload of the user packet has been tampered with, the second communication device may compare the first checksum indicated by the first information in the tunnel header of the first packet with the second checksum in the user packet; if the two are the same, it may determine that the packet payload of the user packet has not been tampered with. If the first checksum indicated by the first information in the tunnel header differs from the second checksum in the user packet, this indicates that the packet payload of the user packet may have been tampered with.
In one implementation, if the second communication device determines that the message payload of the user message is not tampered with, the second communication device may forward the first message.
In one implementation, if the second communication device determines that the packet payload of the user packet is tampered with, the second communication device may discard the first packet, thereby preventing the illegal packet from being continuously forwarded in the network. Alternatively, the second communication device may record the first check information and the second check information not matching and the related information of the first packet in a log.
In one implementation, the second communication device is an intermediate node or a tail node in a forwarding path of the first packet.
In the above first and second aspects:
In one implementation, the first check information is a keyed-hash message authentication code (HMAC); that is, the first check information is obtained by performing a keyed hash calculation on the first target content.
In one implementation, the tunnel header may include an extension header, and the extension header includes the first check information.
In one implementation, the tunnel header includes an extended type-length-value (TLV) field that includes the first check information.
In one implementation, it is contemplated that the source IP address of the first packet may be used to indicate the source node in the forwarding path of the first packet. In some embodiments, when the first packet is tampered with during forwarding, the source IP address of the first packet can help analyse the attacker's behaviour. In view of this, the first target content further includes the source IP address of the first packet, so that the first check information may also be used to verify the validity of the source IP address of the first packet.
In one implementation, the tunnel header further includes second information indicating the key and/or algorithm used for the hash calculation. In this case, before calculating the second check information from the second target content, the second communication device may determine from the second information the key and/or algorithm to use, and then calculate the second check information using that key and/or algorithm and the second target content. In one example, when the first check information is an HMAC, the second information indicates an identifier of the keyed-hash algorithm used to calculate the first check information.
In an implementation manner, the tunnel header further includes third information, where the third information indicates target content used when performing hash check, and the hash check is used to perform matching verification on the first check information. For this case, the second communication apparatus may further determine the second target content based on the third information before calculating the second verification information based on the second target content.
In one implementation, the first packet is an Internet Protocol version 6 (IPv6) packet.
In an implementation manner, when the first packet is an IPv6 packet, the tunnel header includes a segment routing header (SRH), and the first check information may be carried in the SRH. In that case, the first packet is an SRv6 packet.
In one implementation, when the first packet is an SRv6 packet, the SID list in the SRH of the first packet indicates a forwarding path of the first packet in the SRv6 network domain. Therefore, the SID list is key information for guiding the forwarding of the first packet. If the SID list is tampered with, the first packet is forwarded according to an incorrect path. In view of this, in an implementation, the first target content of which the first check information is calculated may further include the SID list. In this way, the first check information can also be used to determine whether the SID list has been tampered with.
In one implementation, the first packet is a bit index explicit replication IPv6 encapsulation (BIERv6) packet.
In an implementation manner, when the first packet is a BIERv6 packet, the tunnel header includes an extended destination options header (DoH), and the first check information may be carried in the DoH.
In one implementation, the first packet is an Internet Protocol version 4 (IPv4) packet.
In an implementation manner, the user packet includes an ICMP header, and at this time, the second checksum of the user packet may be carried in the ICMP header.
In an implementation manner, the user packet includes a TCP header, and at this time, the second checksum of the user packet may be carried in the TCP header.
In an implementation manner, the user packet includes a UDP header, and at this time, the second checksum of the user packet may be carried in the UDP header.
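The following is an added example, not code from the patent, that models the scheme summarised in the first and second aspects above: the head node hashes the inner checksum together with the tunnel source IP and SID list, an intermediate node verifies from the tunnel header alone using the carried checksum copy, and the tail node additionally binds that copy to the user packet. It assumes a UDP-like user packet with an 8-byte header, HMAC-SHA256 truncated to 16 bytes as the check information, a dict standing in for the extension-header TLV, and constructed key identifiers and addresses.

```python
"""Model of the tunnel-header check scheme (added example, not patent code).
Assumptions: UDP-like user packet, HMAC-SHA256 truncated to 16 bytes as the
check information, a dict in place of a real TLV encoding; keys, key ids and
addresses are constructed for the demonstration."""
import hashlib
import hmac
import struct

# Constructed shared key table: the tunnel header's "second information" carries
# only the key identifier, never the key itself.
KEY_ID = 7
KEYS = {KEY_ID: b"constructed-demo-key-do-not-use"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as carried in UDP/TCP/ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_user_packet(payload: bytes, src_port: int = 4000, dst_port: int = 5000) -> bytes:
    """Constructed UDP-like user packet; the IP pseudo-header is omitted for brevity."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = internet_checksum(header + payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def carried_checksum(user_packet: bytes) -> int:
    """The checksum field of the user packet (the 'second checksum' of the text)."""
    return struct.unpack("!H", user_packet[6:8])[0]


def target_content(checksum: int, src_ip: str, sid_list) -> bytes:
    """The target content that is hashed: inner checksum, tunnel source IP, SID list."""
    return struct.pack("!H", checksum) + src_ip.encode() + b"|".join(s.encode() for s in sid_list)


def check_info(key: bytes, checksum: int, src_ip: str, sid_list) -> bytes:
    return hmac.new(key, target_content(checksum, src_ip, sid_list), hashlib.sha256).digest()[:16]


def head_node_encapsulate(user_packet: bytes, src_ip: str, sid_list, key_id: int = KEY_ID) -> dict:
    """Head node: hash the original packet's checksum (plus source IP and SID list) and
    place the HMAC, a copy of the checksum ('first information') and the key id in the TLV."""
    csum = carried_checksum(user_packet)
    tlv = {"check_info": check_info(KEYS[key_id], csum, src_ip, sid_list),
           "first_info": csum, "key_id": key_id}
    return {"tunnel_header": {"src_ip": src_ip, "sid_list": list(sid_list), "tlv": tlv},
            "user_packet": user_packet}


def intermediate_node_verify(pkt: dict) -> bool:
    """Intermediate node: recompute the HMAC from the tunnel header alone, without
    parsing the payload, using the checksum copy carried as 'first information'."""
    th, tlv = pkt["tunnel_header"], pkt["tunnel_header"]["tlv"]
    key = KEYS.get(tlv["key_id"])
    if key is None:
        return False  # unknown key id: treat as failed verification
    expected = check_info(key, tlv["first_info"], th["src_ip"], th["sid_list"])
    return hmac.compare_digest(expected, tlv["check_info"])


def tail_node_verify(pkt: dict) -> bool:
    """Tail node: after the HMAC check, bind the payload by requiring the carried
    checksum copy, the checksum field in the user packet and a freshly recomputed
    checksum over the user packet to all agree."""
    if not intermediate_node_verify(pkt):
        return False
    up = pkt["user_packet"]
    recomputed = internet_checksum(up[:6] + b"\x00\x00" + up[8:])
    return pkt["tunnel_header"]["tlv"]["first_info"] == carried_checksum(up) == recomputed


def demo() -> dict:
    """Constructed scenarios; each value is (intermediate_ok, tail_ok)."""
    sids = ["2001:db8:1::1", "2001:db8:2::1", "2001:db8:3::1"]
    up = build_user_packet(b"video frame 0001")
    good = head_node_encapsulate(up, "2001:db8::a", sids)
    cases = {"clean": good,
             # payload altered in transit, inner checksum left stale
             "payload_only": dict(good, user_packet=up[:8] + b"video frame 9999"),
             # payload altered and inner checksum re-fixed, tunnel header untouched
             "payload_and_checksum": dict(good, user_packet=build_user_packet(b"video frame 9999")),
             # SID list altered, which would steer the packet onto another path
             "sid_list": {"tunnel_header": dict(good["tunnel_header"], sid_list=sids[:2] + ["2001:db8:ff::1"]),
                          "user_packet": up}}
    return {name: (intermediate_node_verify(p), tail_node_verify(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} intermediate={result[0]} tail={result[1]}")
```

The binding between tunnel header and payload at the tail node is only as strong as the 16-bit inner checksum, since the HMAC covers that checksum rather than the payload bytes; this is the trade-off the text makes to avoid hashing the whole user packet.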
In a third aspect, the present application provides a first communication device comprising a transceiving unit and a processing unit. The transceiving unit is configured to perform the transceiving operations performed by the first communication device in the first aspect or any implementation thereof, and the processing unit is configured to perform the operations other than the transceiving operations performed by the first communication device in the first aspect or any implementation thereof.
In a fourth aspect, the present application provides a first communication device comprising a memory and a processor; the memory stores program code, and the processor is configured to execute the instructions in the program code so that the first communication device performs the method of the first aspect or any implementation thereof.
In a fifth aspect, the present application provides a first communication device comprising a communication interface and a processor, wherein the communication interface is configured to perform the transceiving operations performed by the first communication device in the first aspect or any implementation thereof, and the processor is configured to perform the operations other than the transceiving operations performed by the first communication device in the first aspect or any implementation thereof.
In a sixth aspect, the present application provides a second communication device comprising a transceiving unit and a processing unit. The transceiving unit is configured to perform the transceiving operations performed by the second communication device in the second aspect or any implementation thereof, and the processing unit is configured to perform the operations other than the transceiving operations performed by the second communication device in the second aspect or any implementation thereof.
In a seventh aspect, the present application provides a second communication device comprising a memory and a processor; the memory stores program code, and the processor is configured to execute the instructions in the program code so that the second communication device performs the method of the second aspect or any implementation thereof.
In an eighth aspect, the present application provides a second communication device comprising a communication interface configured to perform the transceiving operations performed by the second communication device in the second aspect or any implementation thereof, and a processor configured to perform the operations other than the transceiving operations performed by the second communication device in the second aspect or any implementation thereof.
In a ninth aspect, the present application provides a computer-readable storage medium storing instructions which, when executed on a computer, cause the computer to perform the method of the first aspect or any implementation thereof, or the method of the second aspect or any implementation thereof.
In a tenth aspect, the present application provides a communication system comprising the first communication device of the third, fourth or fifth aspect above and the second communication device of the sixth, seventh or eighth aspect above.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1a is a schematic diagram of an exemplary application scenario;
Fig. 1b is a schematic structural diagram of an IP packet according to an embodiment of the present application;
Fig. 2 is a signaling interaction diagram of a packet processing method according to an embodiment of the present application;
Fig. 3a is a schematic diagram of an IPv4 extension header provided in an embodiment of the present application;
Fig. 3b is a schematic diagram of a TLV field provided in an embodiment of the present application;
Fig. 4 is a schematic flowchart of a packet processing method according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of a packet processing method according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a message processing method which can determine whether the message payload of an IP message is tampered.
For convenience of understanding, a possible application scenario of the embodiment of the present application is first described.
Referring to fig. 1a, an exemplary application scenario is shown.
As shown in Fig. 1a, host H1 may send a packet to host H2 through network domain 100, where network domain 100 is an IP network; in one example it is an operator network. H1 may send a user packet to a communication device R1 in network domain 100 through a customer edge (CE) device CE1, and after receiving the user packet, R1 may re-encapsulate it to obtain an IP packet. In one example, R1 forwards the IP packet to a communication device R4 in network domain 100; R4 decapsulates the received IP packet to recover the user packet and sends it to H2 via CE2. In another example, R1 forwards the IP packet to a communication device R5 in network domain 100; R5 decapsulates the received IP packet to recover the user packet and sends it to H3 via CE3.
The network between host H1 and communication device R1 shown in Fig. 1a may be a user network such as an enterprise network, and it may also be an IP network. Similarly, the network between communication device R4 and host H2, and the network between communication device R5 and host H3, may also be IP networks. In this situation the user packet may itself be an IP packet, either an Internet Protocol version 4 (IPv4) packet or an Internet Protocol version 6 (IPv6) packet; the embodiment of the present application does not limit this. The technique by which communication device R1 re-encapsulates the user packet sent by H1 in IP may be referred to as IP-in-IP technology.
In the embodiment of the present application, network domain 100 may deploy an IPv4 network or an IPv6 network. When an IPv6 network is deployed in network domain 100, the IP packet obtained after communication device R1 encapsulates the user packet may be an IPv6 packet. In one example, network domain 100 applies segment routing (SR) technology to forward IPv6 packets, and the IPv6 packets forwarded in network domain 100 may then also be referred to as SRv6 packets. In another example, network domain 100 may deploy a multicast network and apply the bit index explicit replication IPv6 encapsulation (BIERv6) protocol in its multicast technology; the IPv6 packets forwarded in network domain 100 may then also be referred to as BIERv6 packets. Multicast refers to a communication technology in which a single data sender corresponds to multiple data receivers, and is not described in detail here.
The structure of the IP packet obtained by communication device R1 through encapsulation can be understood with reference to Fig. 1b, which is a schematic structural diagram of an IP packet provided in this embodiment of the present application. As shown in Fig. 1b, after receiving the original user packet, communication device R1 encapsulates it with a tunnel header; if an IPv6 network is deployed in network domain 100, the tunnel header may include an IPv6 header and an IPv6 extension header, and if an IPv4 network is deployed, the tunnel header may include an IPv4 header and an extension header. When the packet shown in Fig. 1b is an SRv6 packet, the IPv6 extension header may be a segment routing header (SRH); when it is a BIERv6 packet, the IPv6 extension header may be a destination options header (DoH).
When a user message is transmitted through the network domain 100, it is important to determine whether the message payload of the user message is tampered with. For example, it is assumed that H1 is a server, H2 is a user terminal, and a user packet sent by H1 to H2 is a packet of a video service. If the message payload of the user message is tampered, the video picture watched by the user through the user terminal is the tampered picture, so that the user experience is poor.
To secure the transmission of IP packets in an IP network, in one example an Authentication Header (AH) may be used to determine whether the packet payload of a user packet has been tampered with while it is transmitted in the IP network. As an example, when encapsulating the user packet, R1 may add an AH, which includes an Integrity Check Value (ICV) field carrying a value calculated over the entire user packet with a key and a hash algorithm. Communication device R1 encapsulates the user packet to obtain an IP packet, and at that point the entire user packet is the packet payload of the IP packet. After R1 forwards the IP packet carrying the AH, other communication devices in network domain 100 that receive it (such as intermediate nodes or edge nodes) may perform an integrity check on the IP packet using the ICV field in the AH, so as to determine whether the packet payload of the IP packet has been tampered with. In one example, after communication device R5 receives the IP packet, it may compute a value over the entire received user packet with the key and hash algorithm and compare that result with the value of the ICV field in the IP packet. If the two are the same, it is determined that the packet payload of the IP packet was not tampered with while the IP packet was transmitted in network domain 100, and accordingly that the packet payload of the user packet was not tampered with. If the two differ, it is determined that the packet payload of the IP packet was tampered with during transmission in network domain 100, and accordingly it is very likely that the packet payload of the user packet was tampered with.
It should be noted that, when encapsulating the user packet, the communication device R1 may also encapsulate an IPv4 or IPv6 header and other extension headers for the user packet, which is not described in detail herein.
In addition, for detailed description of AH, reference may be made to the description parts of request for comments (RFC) 4301 and RFC4302, which are not described in detail here.
Although AH makes it possible to determine whether the payload of the IP packet is tampered with while the IP packet is transmitted in the IP network, both the communication device that generates the AH (for example, the communication device R1) and the communication device that checks the AH (for example, the communication device R2, R4 or R5) need to perform a hash calculation over the entire payload of the IP packet (i.e., the entire user packet), and a hash calculation over the entire payload of the IP packet consumes a lot of computing resources.
In view of this, the embodiment of the present application provides a message processing method, which can determine whether a message payload of an IP message is tampered with, and consumes less computing resources. Next, a message processing method provided in the embodiment of the present application is described with reference to the drawings.
Fig. 2 is a signaling interaction diagram of a message processing method according to an embodiment of the present application.
The communication device 1 shown in fig. 2 may be the communication device R1 shown in fig. 1a, the communication device R1b shown in fig. 1a, the communication device R2 shown in fig. 1a or the communication device R3; the communication device 2 shown in fig. 2 may be the communication device R1b shown in fig. 1a, the communication device R2 shown in fig. 1a, the communication device R3 shown in fig. 1a, the communication device R4 shown in fig. 1a, or the communication device R5.
The communication device mentioned in this embodiment of the present application may be a network device such as a switch and a router, or may be a part of components on the network device, such as a board and a line card on the network device, or may be a functional module on the network device, which is not specifically limited in this embodiment of the present application. The communication devices may be directly connected to each other, for example, but not limited to, by ethernet wires or optical cables.
The method 100 shown in FIG. 2, for example, may include the following S101-S104.
S101: the communication device 1 obtains a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for checking the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing a hash calculation according to target content 1, and the target content 1 includes a checksum2 included in the original user packet.
In the embodiment of the present application, when the communication device 1 obtains the message 1, there may be a plurality of implementation manners.
In one example, the communication device 1 may generate the packet 1 from an original user packet, i.e. the communication device 1 is the head node that performs tunnel encapsulation on the original user packet. For example, when the communication device 1 is an edge node of the IP network domain, such as the communication device R1 shown in fig. 1a, the communication device 1 may re-encapsulate the received original user packet, such as a packet 2, to obtain the packet 1. At this time, the packet 2 serves as the packet payload of the packet 1, and for this case the user packet 1 is the original user packet (i.e. the packet 2). The packet 2 may be an IPv4 packet or an IPv6 packet, which is not specifically limited in this embodiment of the present application. As shown in fig. 1b, the packet 2 may include an IP header and an IP packet payload. The original user packet refers to a packet sent by the user equipment and not tampered with. For example, in the scenario shown in fig. 1a, the original user packet may be a packet sent by the host H1.
In one example, the packet 2 may include an Internet Control Message Protocol (ICMP) header in addition to the IP header and the IP packet payload. When the packet 2 includes an ICMP header, the ICMP header may include a checksum2 for checking the packet 2. The checksum2 is obtained by summing the 16-bit words of the checked content in one's complement arithmetic, folding the result to 16 bits and inverting it (the Internet checksum of RFC 1071); it detects transmission errors but is not a cryptographic authentication of the packet 2. As described above, if the communication device 1 is the head node that performs tunnel encapsulation on the original user packet, the user packet 1 is the packet 2, and for this case the checksum1 in the user packet 1 is equal to the checksum2 included in the ICMP header of the packet 2. For the ICMP header and the checksum2 in the ICMP header, reference may be made to RFC 792 and RFC 4443, which are not repeated here.
In one example, the packet 2 may include a Transmission Control Protocol (TCP) header in addition to the IP header and the IP packet payload. When the packet 2 includes a TCP header, the TCP header may include a checksum2 for checking the packet payload of the packet 2 (the TCP header and data, together with a pseudo-header derived from the IP header), and the checksum2 is obtained by the same one's complement summation and inversion over those fields. As described above, if the communication device 1 is the head node that performs tunnel encapsulation on the original user packet, the user packet 1 is the packet 2, and for this case the checksum1 in the user packet 1 is equal to the checksum2 included in the TCP header of the packet 2. For the TCP header and the checksum2 in the TCP header, reference may be made to RFC 793, which is not repeated here.
In yet another example, the packet 2 may include a User Datagram Protocol (UDP) header in addition to the IP header and the IP packet payload. When the packet 2 includes a UDP header, the UDP header may include a checksum2 for checking the packet payload of the packet 2 (the UDP header and data, together with the pseudo-header), and the checksum2 is obtained by the same one's complement summation and inversion over those fields. As described above, if the communication device 1 is the head node that performs tunnel encapsulation on the original user packet, the user packet 1 is the packet 2, and for this case the checksum1 in the user packet 1 is equal to the checksum2 included in the UDP header of the packet 2. For the UDP header and the checksum2 in the UDP header, reference may be made to RFC 768, which is not repeated here.
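The three paragraphs above all rely on the same transport checksum (checksum2). The following is an added example, not code from the patent, that computes the one's complement Internet checksum of RFC 1071 and applies it to a constructed IPv4/UDP segment per RFC 768 (pseudo-header, checksum field zeroed, computed zero transmitted as 0xFFFF), then verifies it the way a receiver would. The addresses, ports and payload are constructed. It also shows why the text's checksum is a check and not an authentication: swapping two 16-bit words in the payload changes its meaning but leaves the checksum unchanged, which is a property of one's complement sums that any scheme built on checksum2 inherits.

```python
"""Internet checksum (RFC 1071) as carried in ICMP/TCP/UDP headers.
Added example; packet contents below are constructed, not captured."""
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """One's complement sum of 16-bit big-endian words, carries folded back
    into 16 bits, result inverted. An odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length (RFC 768)."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum(src_ip: str, dst_ip: str, udp_segment: bytes) -> int:
    """Checksum over pseudo-header + UDP header + payload with the checksum
    field (bytes 6..7) treated as zero. A computed 0 is sent as 0xFFFF,
    because an all-zero field means 'no checksum' for UDP over IPv4."""
    zeroed = udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    csum = internet_checksum(udp_pseudo_header(src_ip, dst_ip, len(udp_segment)) + zeroed)
    return csum or 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: UDP header (sport, dport, length, checksum) + payload."""
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]


def udp_checksum_ok(src_ip: str, dst_ip: str, udp_segment: bytes) -> bool:
    """Receiver side: with the transmitted checksum left in place, the one's
    complement sum of pseudo-header + segment is 0xFFFF, so inverting gives 0."""
    return internet_checksum(udp_pseudo_header(src_ip, dst_ip, len(udp_segment)) + udp_segment) == 0


def swap_words(data: bytes, a: int, b: int) -> bytes:
    """Swap the 16-bit words at even byte offsets a and b. Addition is
    commutative, so the checksum of the result is unchanged."""
    assert a % 2 == 0 and b % 2 == 0 and a < b
    buf = bytearray(data)
    buf[a:a + 2], buf[b:b + 2] = data[b:b + 2], data[a:a + 2]
    return bytes(buf)


# Constructed sample: addresses/ports/payload are illustrative only.
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"
SAMPLE_SEGMENT = build_udp(SRC_IP, DST_IP, 1234, 5678, b"pay=10;to=AB")

if __name__ == "__main__":
    print("RFC 1071 vector:", hex(internet_checksum(bytes.fromhex("0001f203f4f5f6f7"))))
    print("sample verifies:", udp_checksum_ok(SRC_IP, DST_IP, SAMPLE_SEGMENT))
    edited = SAMPLE_SEGMENT.replace(b"pay=10", b"pay=99")
    print("edited payload verifies:", udp_checksum_ok(SRC_IP, DST_IP, edited))
    swapped = swap_words(SAMPLE_SEGMENT, 12, 18)        # payload becomes pay=AB;to=10
    print("swapped payload verifies:", udp_checksum_ok(SRC_IP, DST_IP, swapped))
```

The same `internet_checksum` routine serves the ICMP and TCP cases; only the covered bytes differ (ICMP covers the ICMP header and data with no pseudo-header, TCP uses a pseudo-header with protocol 6). The word-swap case is the reason the text pairs checksum2 with a keyed hash rather than relying on the checksum alone.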
In yet another example, the communication device 1 may receive the packet 1 from another communication device. For example, if the communication device 1 is an intermediate node of the IP network domain, such as the communication device R2 shown in fig. 1a, the communication device 1 may receive the packet 1 from the communication device R1b or the communication device R1. It can be understood that, if the packet 1 received by the communication device 1 was not tampered with during transmission, the user packet 1 is the original user packet, and the content of the user packet 1 is the same as that of the original user packet; for this case, the checksum1 in the user packet 1 is the same as the aforementioned checksum2. If the packet payload of the packet 1 was tampered with during transmission, the user packet 1 may differ from the original user packet, and the content of the user packet 1 differs from that of the original user packet; for this case, the checksum1 in the user packet 1 may differ from the checksum2. In this embodiment of the present application, the packet 1 includes check information 1, where the check information 1 is obtained by performing a hash calculation according to the target content 1, and the target content 1 includes the aforementioned checksum2. It can be understood that, since the checksum2 can be used to check the packet payload of the packet 2 (i.e. the original user packet), and the target content 1 from which the check information 1 is calculated includes the checksum2, the check information 1 can be used to check the packet payload of the packet 2.
In an example, the check information 1 may be a keyed-hash message authentication code (HMAC) obtained by performing a keyed hash calculation on the target content 1. There are many ways to perform the keyed hash calculation according to the target content 1. In one implementation, the keyed hash calculation may be performed directly on the target content 1 to obtain the check information 1. In another implementation, a first calculation may first be performed on the target content 1 to obtain a calculation result 1, and the keyed hash calculation is then performed on the calculation result 1 to obtain the check information 1. The following examples assume that the target content 1 is the checksum2.
Example 1: the keyed hash calculation is performed directly on the checksum2, that is, a key and the checksum2 are taken as the inputs of the hash calculation, thereby obtaining the check information 1. Example 2: a first calculation is first performed on the checksum2 to obtain the calculation result 1, for example by inverting each bit of the checksum2 (treating the checksum2 as a single byte for illustration, a checksum2 of 0x55 gives a calculation result 1 of 0xAA; for the full 16-bit field, 0x0055 inverts to 0xFFAA). The keyed hash calculation is then performed on the calculation result 1, that is, the key and the calculation result 1 are taken as the inputs of the hash calculation, thereby obtaining the check information 1.
In one example, the tunnel header of the packet 1 includes an extension header, and the check information 1 is carried in the extension header of the tunnel header. In yet another example, the extension header of the packet 1 includes an extended Type Length Value (TLV) field, and the check information 1 is carried in the extended TLV field. In yet another example, the extended TLV field may also be a field in an extension header of the tunnel header.
In an example, considering that the checksum2 from which the check information 1 is calculated is located in the user packet 1, a communication device that performs an integrity check on the packet 1 by using the check information 1 must parse the user packet 1 in order to perform matching verification on the check information 1. If the integrity check of the packet 1 is enabled on an intermediate node that forwards the packet 1, that intermediate node must spend additional resources on parsing the user packet 1, because in general an intermediate node in the IP network domain only parses the tunnel header of the packet 1 and forwards the packet according to the tunnel header.
To avoid this problem, in an implementation manner of the embodiment of the present application, the head node that tunnel-encapsulates the original user packet (e.g. the communication device 1) may encapsulate information 3 into the tunnel header of the packet 1, where the information 3 is used to indicate the checksum2, so that a communication device that receives the packet 1 performs matching verification on the check information 1 according to the information 3 in the tunnel header of the packet 1. The embodiment of the present application does not specifically limit the form of the information 3. In an example, the information 3 may be the checksum2 itself. In yet another example, the information 3 may be a value calculated from the checksum2 according to a certain rule; for example, the information 3 may be obtained by performing the first calculation on the checksum2. In yet another example, the information 3 may be a value obtained by inverting one or more bits of the checksum2.
It can be understood that, if the information 3 in the tunnel header of the packet 1 is not tampered during transmission, the checksum value indicated by the information 3 included in the tunnel header of the packet 1 is checksum 2. In an example, if the information 3 is the checksum2, the tunnel header of the packet 1 includes the checksum 2. In another example, if the information 3 is a value obtained by calculating checksum2 according to a certain rule, the tunnel header of the packet 1 includes a value obtained by calculating checksum2 according to a certain rule. If the information 3 in the tunnel header of the packet 1 is tampered during transmission, the checksum value indicated by the information 3 included in the tunnel header of the packet 1 may be another checksum value, for example, checksum1, or, for example, checksum 3.
In the following description, if a checksum value is included in the tunnel header of packet 1, the checksum value included in the tunnel header of packet 1 is assumed to be checksum2, unless otherwise specified.
In one example, consider that the source IP address of the packet 1 may be used to indicate the source node of the forwarding path of the packet 1. When the packet 1 is forwarded in the IP network domain, a network attacker may tamper with the packet 1. In some embodiments, the attack behavior may be analyzed according to the source IP address of the packet 1. Taking the scenario shown in fig. 1a as an example, if the communication device R3 determines that the packet 1 was tampered with, an analysis device such as the control management entity may determine from the source IP address of the packet 1 (i.e. the address of the communication device R1) that the tampering occurred while the packet 1 was forwarded from the communication device R1 to the communication device R3. However, if the source IP address of the packet 1 is also tampered with, it is not helpful for the control management entity to analyze the attack behavior. Therefore, in an example, the target content 1 for calculating the check information 1 may further include the source IP address of the packet 1. In this way, the check information 1 can also be used to verify the validity of the source IP address of the packet 1.
In one example, the tunnel header of the packet 1 may include information 1, where the information 1 is used to indicate the key and/or the algorithm used by the hash calculation that obtains the check information 1. In one example, the information 1 may be an index of the key and/or the algorithm, and the communication device that performs the integrity check on the packet 1 may obtain the key and/or the algorithm locally according to the index, so as to perform the integrity check on the packet 1 by using that key and/or algorithm.
In one example, the message 1 may further include information 2 in the tunnel header, where the information 2 is used to indicate the target content 2 used in the hash check. The communication device receiving the message 1 may determine the target content 2 according to the information 2, and further perform matching verification on the verification information 1 according to the target content 2, thereby determining the integrity of the message 1.
In this embodiment of the present application, the check information 1 may be carried in an extension header of the packet 1. In one example, the aforementioned check information 1, information 3, information 1 and information 2 in the tunnel header may all be carried in that extension header. Fig. 3a is a schematic diagram of an IPv4 extension header provided in an embodiment of the present application. The protocol field indicates the type of the header that follows the extension header, and in an example may indicate the type of the packet 2; the checksum field carries the information 3; the HMAC Key ID field carries the information 1, and in one example, if the check information 1 is an HMAC, the HMAC Key ID field carries an identifier of the keyed hash algorithm (and key) used to calculate the check information 1; the HMAC field carries the check information 1; the information 2 may be specified by the protocol, that is, determined from the protocol number of the extension header shown in fig. 3a. In the embodiment of the present application, the extension header may also be an IPv6 extension header, whose format may be similar to that of the IPv4 extension header except that the IPv6 extension header contains a next header field instead of a protocol field; details of the IPv6 extension header are not described here. When the first check information is an HMAC, the extension header shown in fig. 3a may also be referred to as an HMAC header.
In this embodiment of the application, when the packet 1 is an IPv6 packet, the information 1 may also be carried in an existing IPv6 extension header.
In one example, if the IP network domain applies segment routing (SR), the packet 1 may be an SRv6 packet. For this case, the aforementioned check information 1 may be carried in the segment routing header (SRH) of the packet 1. In an example, the check information 1, the checksum2, the information 1 and the information 2 in the tunnel header may be carried in an extended TLV field of the SRH; for the TLV field, reference may be made to fig. 3b, which is a schematic diagram of a TLV field provided in an embodiment of the present application. The type field may carry the information 2; the checksum field carries the checksum2; the HMAC Key ID field carries the information 1; the HMAC field carries the check information 1.
When the packet 1 is an SRv6 packet, the segment identifier list (SID list) in the SRH of the packet 1 indicates the forwarding path of the packet 1 in the SRv6 network domain. The SID list is therefore key information that steers the forwarding of the packet 1: if the SID list is tampered with, the packet 1 is forwarded along an incorrect path. In view of this, in an implementation manner, if the packet 1 is an SRv6 packet, the target content 1 from which the check information 1 is calculated may further include the SID list. In this way, the check information 1 can also be used to determine whether the SID list has been tampered with.
In another example, if the IP network domain deploys a multicast network and applies the BIERv6 protocol, the packet 1 may be a BIERv6 packet. For this case, the aforementioned check information 1 may be carried in the Destination Options Header (DoH) of the packet 1. In an example, the check information 1, the checksum2, the information 1 and the information 2 in the tunnel header may be carried in an extended TLV field of the DoH; for the TLV field, reference may be made to fig. 3b, and the description is not repeated here.
S102: the communication device 1 transmits the message 1.
S103: the communication device 2 receives the message 1.
After the communication device 1 acquires the message 1, the communication device 1 may forward the message 1, and the communication device 2 may receive the message 1 transmitted by the communication device 1.
S104: and the communication device 2 carries out integrity verification on the message 1 according to the verification information 1.
After receiving the message 1, the communication device 2 may perform integrity verification on the message 1 according to the check information 1 in the message 1 to determine whether the message payload of the user message 1 is tampered.
In an implementation manner of the embodiment of the present application, the communication device 2 may perform calculation according to the target content 2 in the message 1 to obtain the verification information 2, and perform matching verification on the verification information 1 and the verification information 2. After the verification information 1 and the verification information 2 are subjected to matching verification, the communication device 2 may process the message 1 according to a result of the matching verification.
The target content 2 includes a checksum value taken from the packet 1, where that checksum value may be the checksum1, the checksum2, or the information 3 indicating the checksum2; see the description of calculating the check information 2 below. In some embodiments, the target content 2 may also include the source IP address of the packet 1. In still other embodiments, if the packet 1 is an SRv6 packet, the target content 2 may also include the SID list in the SRH of the packet 1.
In an implementation manner of the embodiment of the present application, the communication device 2 may first determine the target content 2 used in the hash check, and then perform hash calculation according to the target content 2 by using a key and/or an algorithm used by a hash algorithm corresponding to the hash check, so as to obtain the check information 2.
As described above in S101, in an example, the tunnel header of the packet 1 may include information 2, where the information 2 is used to indicate the target content 2 used in the hash check. For this case, the communication device 2 may determine the target content 2 based on the information 2 in the message 1. Of course, the target content 2 may also be configured on the communication device 2 in a pre-configured manner, and the communication device 2 may determine the target content 2 used for the hash check according to the configuration information.
As described above in S101, in an example, the tunnel header of packet 1 may include information 1, where information 1 is used to indicate a key and/or an algorithm used for performing the hash calculation. For this case, the communication device 2 may determine the key and/or algorithm used when performing the hash check from the information 1 in the message 1.
In the embodiment of the present application, the communication device 2 may have a plurality of implementation manners when calculating the verification information 2 according to the target content 2 to implement in detail. Several possible implementations are presented below by way of example.
In an implementation manner, the communication device 2 may obtain the checksum1 from the user packet 1 and calculate the check information 2 by using the checksum1. The calculation method by which the communication device 2 calculates the check information 2 from the checksum1 is the same as the calculation method by which the communication device 1 calculates the check information 1 from the checksum2; see the relevant description of S101, which is not repeated here. It can be understood that an edge node of the IP network domain needs to decapsulate the packet 1 and parse the user packet 1 anyway in order to forward it, so this implementation is preferably performed at an edge node of the IP network domain, for example the communication device R4 or the communication device R5 shown in fig. 1a. In one example, the edge node of the IP network domain may be the last node indicated by the SID list of the SRv6 packet. Of course, an intermediate node that forwards the packet 1 in the IP network domain may also calculate the check information 2 in this way, but the intermediate node then needs to consume additional resources to parse the user packet 1.
In one implementation, if the tunnel header of the packet 1 includes the information 3, the communication device 2 may calculate the check information 2 according to the information 3 in the tunnel header of the packet 1. In this case, neither an intermediate node that forwards the packet 1 in the IP network domain nor an edge node of the IP network domain needs to consume extra resources to parse the user packet 1.
The communication device 2 may obtain the verification information 2 according to the information 3 in various ways in specific implementations.
In one implementation: when the header node that encapsulates the original user packet, the checksum2 is directly encapsulated into the tunnel header of the packet 1 (i.e. the aforementioned information 3 is the checksum2), and the check information 1 is obtained by performing key hash calculation according to the checksum 2. When the communication device receiving the message 1 performs matching verification on the verification information 1, the communication device may first obtain the information 3 in the tunnel header of the message 1, then perform key hash calculation according to the target content 2 indicated by the information 3 to obtain the verification information 2, and perform matching verification on the verification information 1 and the verification information 2.
In yet another implementation: when the head node that encapsulates the original user packet in the tunnel encapsulates the original user packet, the checksum2 is encapsulated into the tunnel head of the packet 1 (that is, the information 3 is the checksum2), and the check information 1 is obtained by performing the key hash calculation according to the calculation result 1 mentioned in the foregoing S101. When the communication device receiving the message 1 performs matching verification on the verification information 1, the communication device may first obtain the information 3 in the tunnel header of the message 1, then perform a first calculation on the information 3 to obtain a calculation result 1 ', and perform a key hash calculation according to the target content 2 including the calculation result 1' to obtain the verification information 2. And after the verification information 2 is obtained, matching verification is carried out on the verification information 1 and the verification information 2.
In another implementation: when the header node that performs tunnel encapsulation on the original user packet encapsulates the original user packet, a value obtained by performing a first calculation on checksum2 is encapsulated into a tunnel header of packet 1 (that is, information 3 is a value obtained by performing a first calculation on checksum2), and check information 1 is obtained by performing key hash calculation according to checksum 2. When the communication device receiving the message 1 performs matching verification on the verification information 1, the communication device may first obtain the information 3 in the tunnel header of the message 1, and then perform a second calculation according to the information 3 to obtain checksum 2. And then, performing key hash calculation according to the target content 2 comprising the checksum2 to obtain verification information 2, and performing matching verification on the verification information 1 and the verification information 2. The second calculation referred to herein may be the inverse of the first calculation.
In yet another implementation: when the head node for tunnel encapsulation of the original user packet encapsulates the original user packet, a value obtained by performing a first calculation on checksum2 is encapsulated into a tunnel head of packet 1 (that is, information 3 is a value obtained by performing a first calculation on checksum2), and check information 1 is obtained by performing a key hash calculation according to the calculation result 1. When the communication device receiving the message 1 performs matching verification on the verification information 1, the communication device may perform key hash calculation according to the target content 2 including the information 3 to obtain the verification information 2, and perform matching verification on the verification information 1 and the verification information 2.
In this embodiment of the application, if the check information 2 is calculated from the checksum1 and the communication device 2 determines, after matching verification of the check information 1 and the check information 2, that the two are the same, it may be determined that the user packet 1 was not tampered with, that is, the user packet 1 is the original user packet, and further that the packet payload of the user packet was not tampered with; for this case, the communication device 2 may forward the packet 1. If the communication device 2 determines that the check information 1 differs from the check information 2, this indicates that the packet payload of the user packet 1 (or other content included in the target content, such as the source IP address) was tampered with; for this case, the communication device 2 may discard the packet 1, thereby preventing the illegal packet from being forwarded further in the network. In some embodiments, the communication device 2 may also record the mismatch between the check information 1 and the check information 2, together with the related information of the packet 1, in a log.
In the embodiment of the present application, if the check information 2 is calculated from the information 3 indicating the checksum2 in the tunnel header, and the communication device 2 determines after matching verification that the check information 1 differs from the check information 2, this indicates that the source IP address in the tunnel header of the packet 1, or other content in the target content 2 such as the SID list, or the information 3 itself, was tampered with. For this case, the communication device 2 may discard the packet 1, thereby preventing the illegal packet from being forwarded further in the network. In some embodiments, the communication device 2 may also record the mismatch between the check information 1 and the check information 2, together with the related information of the packet 1, in a log. If the check information 1 is the same as the check information 2, this indicates that the source IP address in the tunnel header of the packet 1 and the other contents of the target content 2 were not tampered with. However, it does not indicate that the packet payload of the user packet 1 was not tampered with, because the information 3 in the tunnel header of the packet 1 only indicates the checksum2, and the checksum2 is the checksum included in the original user packet (i.e. the packet 2). If the packet payload of the user packet 1 was not tampered with, the checksum2 indicated by the information 3 in the tunnel header of the packet 1 should be the same as the checksum1 in the user packet 1.
In view of this, in the embodiment of the present application, in order to further determine whether the packet payload of the user packet 1 was tampered with, the communication device 2 may compare the checksum2 indicated by the information 3 in the tunnel header of the packet 1 with the checksum1 in the user packet 1. If the two are the same, it may be determined that the packet payload of the user packet 1 was not tampered with, and the communication device 2 may forward the packet 1. If the checksum2 indicated by the information 3 in the tunnel header of the packet 1 differs from the checksum1 in the user packet 1, this indicates that the packet payload of the user packet 1 may have been tampered with, and the communication device 2 may discard the packet 1 and/or record the mismatch, together with the related information of the packet 1, in a log.
It should be noted that, for an intermediate node that forwards the packet 1 in the IP network domain, comparing the checksum2 indicated by the information 3 in the tunnel header of the packet 1 with the checksum1 in the user packet 1 also requires parsing the user packet 1, which consumes additional resources of the intermediate node. Therefore, in the embodiment of the present application, the step of comparing the checksum2 indicated by the information 3 in the tunnel header of the packet 1 with the checksum1 in the user packet 1 is preferably performed on an edge node of the IP network domain. Of course, this step can also be performed at an intermediate node of the IP network domain if the resources the intermediate node additionally consumes for parsing the user packet 1 are not a concern. It can be understood that, when the step is performed on an intermediate node of the IP network domain, it can be determined whether the packet payload of the user packet 1 was tampered with when the packet 1 passes through that intermediate node, so that a packet whose payload was tampered with is discarded in time rather than being forwarded further in the IP network domain.
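S101 (head-node encapsulation) and S104 (receiver-side matching verification, including the intermediate-node path that uses information 3 and the edge-node path that additionally compares checksum2 with checksum1) are one procedure, so the following added example covers both sides. It is not the patent's own code. Assumptions made here because the text fixes none of them: HMAC-SHA256 as the keyed hash, a TLV laid out as type, length, checksum (information 3), HMAC Key ID (information 1) and HMAC (check information 1) in the spirit of fig. 3b, IPv6 tunnel source address and SID list in the target content, keys provisioned out of band and looked up by key ID, and a constructed UDP user packet whose checksum field sits at bytes 6..7 (the scheme copies that field; it never recomputes it). The tamper cases at the end are constructed to show what each verification point can and cannot see.

```python
"""Checksum-based HMAC check: head-node encapsulation and receiver checks.
Added example with assumed layout/algorithm; not the patent's code."""
import hashlib
import hmac
import ipaddress
import struct

# Information 1 -> key. Constructed keys; real deployments provision these out of band.
KEYS = {1: b"example-key-1-do-not-use", 2: b"example-key-2-do-not-use"}
TLV_TYPE_CHECKSUM_HMAC = 0x7E          # information 2 (assumed value): HMAC over checksum+src+SID list
DIGEST_LEN = hashlib.sha256().digest_size


def target_content(checksum: int, src_ip: str, sid_list) -> bytes:
    """Canonical encoding of target content 1 / 2: 16-bit checksum, tunnel
    source address, then each SID of the SID list (all big-endian)."""
    out = struct.pack("!H", checksum) + ipaddress.IPv6Address(src_ip).packed
    for sid in sid_list:
        out += ipaddress.IPv6Address(sid).packed
    return out


def check_info(key_id: int, checksum: int, src_ip: str, sid_list) -> bytes:
    """Keyed hash calculation (example 1 of S101: HMAC directly over the content)."""
    return hmac.new(KEYS[key_id], target_content(checksum, src_ip, sid_list), hashlib.sha256).digest()


def build_tlv(key_id: int, checksum: int, mac: bytes) -> bytes:
    """Type | Length | Checksum (info 3) | HMAC Key ID (info 1) | HMAC (check info 1)."""
    body = struct.pack("!HB", checksum, key_id) + mac
    return struct.pack("!BB", TLV_TYPE_CHECKSUM_HMAC, len(body)) + body


def parse_tlv(tlv: bytes):
    tlv_type, length = struct.unpack("!BB", tlv[:2])
    body = tlv[2:2 + length]
    if tlv_type != TLV_TYPE_CHECKSUM_HMAC or len(body) != 3 + DIGEST_LEN:
        raise ValueError("unexpected TLV")
    checksum, key_id = struct.unpack("!HB", body[:3])
    return checksum, key_id, body[3:]


def transport_checksum(user_packet: bytes) -> int:
    """checksum1/checksum2: the UDP checksum field at bytes 6..7 (constructed layout)."""
    return struct.unpack("!H", user_packet[6:8])[0]


def make_user_packet(payload: bytes, checksum: int) -> bytes:
    """Constructed UDP user packet; the checksum value is illustrative, not computed."""
    return struct.pack("!HHHH", 1234, 5678, 8 + len(payload), checksum) + payload


def encapsulate(user_packet: bytes, src_ip: str, sid_list, key_id: int) -> dict:
    """Communication device 1 (head node, S101): packet 1 = tunnel header + user packet."""
    checksum2 = transport_checksum(user_packet)
    mac = check_info(key_id, checksum2, src_ip, sid_list)
    return {"src_ip": src_ip, "sid_list": list(sid_list),
            "tlv": build_tlv(key_id, checksum2, mac), "user_packet": user_packet}


def verify_tunnel_header(pkt: dict) -> bool:
    """Intermediate-node check (S104 via information 3): recompute check info 2
    from the tunnel header alone; the user packet is never parsed."""
    checksum, key_id, mac1 = parse_tlv(pkt["tlv"])
    if key_id not in KEYS:
        return False
    mac2 = check_info(key_id, checksum, pkt["src_ip"], pkt["sid_list"])
    return hmac.compare_digest(mac1, mac2)          # constant-time comparison


def verify_at_edge(pkt: dict) -> str:
    """Edge-node check: header HMAC, then checksum2 (information 3) against
    checksum1 read from the user packet. Returns the forwarding decision."""
    if not verify_tunnel_header(pkt):
        return "drop: tunnel header (checksum/src/SID list) tampered"
    checksum2, _, _ = parse_tlv(pkt["tlv"])
    if checksum2 != transport_checksum(pkt["user_packet"]):
        return "drop: user packet payload tampered"
    return "forward"


def verify_from_user_packet(pkt: dict) -> bool:
    """Alternative edge-node check (S104 via checksum1): one HMAC computed from
    the checksum in the received user packet, no separate checksum comparison."""
    _, key_id, mac1 = parse_tlv(pkt["tlv"])
    if key_id not in KEYS:
        return False
    mac2 = check_info(key_id, transport_checksum(pkt["user_packet"]), pkt["src_ip"], pkt["sid_list"])
    return hmac.compare_digest(mac1, mac2)


# Constructed sample values (addresses, SIDs, checksum) for illustration only.
SRC_IP = "2001:db8::1"
SID_LIST = ["2001:db8::2", "2001:db8::5"]
USER_PACKET = make_user_packet(b"hello!", 0x1C3D)

if __name__ == "__main__":
    pkt = encapsulate(USER_PACKET, SRC_IP, SID_LIST, key_id=1)
    print("intact:", verify_at_edge(pkt))
    forged = dict(pkt, user_packet=make_user_packet(b"HELLO!", 0x2A11))   # payload + checksum1 rewritten
    print("intermediate sees payload forgery:", not verify_tunnel_header(forged))
    print("edge:", verify_at_edge(forged))
```

The bit-inversion variants of S101 only change what is fed to `target_content` (invert the checksum before hashing, or carry the inverted value as information 3 and invert it back before hashing); the verification flow is unchanged. Note that the edge-node comparison detects a payload edit only if the attacker also changed checksum1; an edit that preserves the Internet checksum, such as swapping two 16-bit words, is invisible to every check here, which is a limit of building on a 16-bit checksum rather than a keyed hash over the payload.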
Fig. 4 is a flowchart illustrating a message processing method according to an embodiment of the present application. The message processing method 200 shown in fig. 4 may be performed by a first communication device. The first communication device may be the communication device 1 in the above embodiment for performing the steps performed by the communication device 1 in the above method 100. The method 200 may include, for example, the following S201-S202.
S201: the method comprises the steps of obtaining a first message, wherein the first message is an Internet Protocol (IP) message, the first message comprises a tunnel head and a user message, the tunnel head comprises first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content comprises a first checksum of an original user message.
S202: and sending the first message.
The first packet mentioned here may correspond to packet 1 in method 100; the user message mentioned here may correspond to user message 1 in method 100; the first verification information mentioned here may correspond to verification information 1 in method 100; the first target content mentioned here may correspond to target content 1 in method 100; the first checksum, referred to herein, may correspond to checksum2 of method 100.
In one implementation manner, the tunnel header further includes first information, and the first information is used to indicate the first checksum.
The first information mentioned here may correspond to information 3 in the method 100.
In an implementation manner, the user packet further includes a second checksum of the user packet, and the first checksum and the second checksum are the same.
The second checksum, referred to herein, may correspond to checksum1 in method 100.
In an implementation manner, the user packet further includes a second checksum of the user packet, where the first checksum and the second checksum are different.
In one implementation, the first communication device includes a head node that performs tunneling encapsulation on the original user packet.
In one implementation, the first communication device is an intermediate node in a forwarding path of the first packet.
Fig. 5 is a flowchart illustrating a message processing method according to an embodiment of the present application. The message processing method 300 shown in fig. 5 may be performed by the second communication device. The second communication device may be the communication device 2 in the above embodiment for performing the steps performed by the communication device 2 in the above method 100. The method 300 may include, for example, S301-S302 as follows.
S301: receiving a first message, wherein the first message is an Internet Protocol (IP) message, the first IP message comprises a tunnel header and a user message, the tunnel header comprises first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content comprises a first checksum of an original user message.
S302: and carrying out integrity verification on the first message according to the first verification information.
The first packet mentioned here may correspond to packet 1 in method 100; the user message mentioned here may correspond to user message 1 in method 100; the first verification information mentioned here may correspond to verification information 1 in method 100; the first target content mentioned here may correspond to target content 1 in method 100; the first checksum, referred to herein, may correspond to checksum2 of method 100.
In one implementation manner, the tunnel header further includes first information, and the first information is used to indicate the first checksum.
The first information mentioned here may correspond to information 3 in the above method 100.
In an implementation manner, the integrity verification of the first packet according to the first check information includes:
performing hash calculation according to the second target content of the first message to obtain second check information;
and performing matching verification on the first verification information and the second verification information.
The second target content mentioned here may correspond to target content 2 in method 100; the second check-up information mentioned here may correspond to the check-up information 2 in the method 100.
In an implementation manner, the user packet includes a second checksum of the user packet, and the second target content includes the second checksum.
The second checksum, referred to herein, may correspond to checksum1 in method 100.
In an implementation manner, the integrity verification of the first packet according to the first check information includes:
determining the first checksum according to the first information;
performing hash calculation according to the determined first checksum to obtain second check information;
and performing matching verification on the first verification information and the second verification information.
In one implementation, the second communication device is an intermediate node or a tail node in a forwarding path of the first packet.
In the above method 200 and method 300:
in one implementation, the first check information is a keyed-hash message authentication code (HMAC).
In one implementation, the tunnel header includes an extension header, and the extension header includes the first check information.
In one implementation, the tunnel header includes an extended type-length-value (TLV) field, and the extended TLV field includes the first check information.
In one implementation, the first target content further includes a source IP address of the first packet.
In one implementation, the tunnel header further includes second information indicating a key and/or an algorithm used for performing the hash calculation.
The second information mentioned here may correspond to information 1 in the method 100.
In an implementation manner, the tunnel header further includes third information, where the third information indicates target content used when performing hash check, and the hash check is used to perform matching verification on the first check information.
The third information mentioned here may correspond to information 3 in the method 100.
In one implementation, the first message is an Internet Protocol version 6 (IPv6) message.
In one implementation, the tunnel header includes a segment routing header (SRH), and the SRH includes the first check information.
In one implementation, the first target content further includes a segment identifier (SID) list in the SRH.
In one implementation, the first message is a Bit Index Explicit Replication over IPv6 encapsulation (BIERv6) message.
In one implementation, the tunnel header includes an extended Destination Options Header (DOH), and the DOH includes the first check information.
In one implementation, the first message is an Internet Protocol version 4 (IPv4) message.
With respect to the above method 200 and the specific implementation of the method 300, reference may be made to the above description of the method 100, which is not described in detail here.
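The encapsulation of method 200, the two verification variants of method 300, and the checksum2-versus-checksum1 comparison discussed above for detecting payload tampering, as an added Python example that is not code from the patent. The tunnel header is modelled as a dict; the key table, field and function names, the simplified user packet layout, the choice of SHA-256 inside the HMAC, and the final recomputation of the user packet checksum over its payload (standard receiver behaviour, not a step named in the text) are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Added example, not the patent's code. Models methods 200/300: the head node
# computes an HMAC over the "target content" (checksum of the original user
# packet, optionally the tunnel packet's source IP and the SRH SID list), carries
# it in the tunnel header as check information 1, and a receiving node recomputes
# it. The tunnel header is a dict here; field names, the key table and all
# function names are assumptions of this example.

KEYS = {1: b"constructed-shared-key"}  # key id carried as the second information


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by IPv4/UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_user_packet(payload: bytes) -> bytes:
    """Constructed minimal user packet: 2-byte checksum over the payload, then the
    payload. The checksum field plays the role of checksum1 in the text."""
    return struct.pack("!H", ones_complement_checksum(payload)) + payload


def user_packet_checksum(user_packet: bytes) -> int:
    return struct.unpack("!H", user_packet[:2])[0]


def payload_matches_checksum(user_packet: bytes) -> bool:
    """Standard receiver checksum validation (assumption: not a step named in the text)."""
    return ones_complement_checksum(user_packet[2:]) == user_packet_checksum(user_packet)


def target_content(checksum: int, src_ip: str, sid_list) -> bytes:
    """First target content: the checksum, plus source IP and SID list when present."""
    return struct.pack("!H", checksum) + src_ip.encode() + b"".join(s.encode() for s in sid_list)


def check_info(key_id: int, content: bytes) -> bytes:
    """HMAC-SHA256 (the text only says keyed-hash MAC; the hash function is an assumption)."""
    return hmac.new(KEYS[key_id], content, hashlib.sha256).digest()


def head_node_encapsulate(user_packet: bytes, src_ip: str, sid_list=(), key_id=1) -> dict:
    """S201: build the first packet. checksum2 is the checksum of the original user packet."""
    checksum2 = user_packet_checksum(user_packet)
    header = {
        "src_ip": src_ip,
        "sid_list": tuple(sid_list),
        "second_info_key_id": key_id,      # second information: key/algorithm used
        "first_info_checksum": checksum2,  # first information: indicates the first checksum
    }
    header["check_info1"] = check_info(key_id, target_content(checksum2, src_ip, header["sid_list"]))
    return {"tunnel_header": header, "user_packet": user_packet}


def verify_at_node(packet: dict, hash_header_checksum: bool, edge_node: bool) -> str:
    """S302. hash_header_checksum=True hashes the checksum indicated by the first
    information (no parse of the user packet, cheap on an intermediate node);
    False hashes the second checksum read from the user packet. edge_node=True
    adds the checksum2-vs-checksum1 comparison and the payload checksum check."""
    hdr, up = packet["tunnel_header"], packet["user_packet"]
    chk = hdr["first_info_checksum"] if hash_header_checksum else user_packet_checksum(up)
    check_info2 = check_info(hdr["second_info_key_id"],
                             target_content(chk, hdr["src_ip"], hdr["sid_list"]))
    if not hmac.compare_digest(check_info2, hdr["check_info1"]):
        return "discard_integrity"  # tunnel header (first packet) tampered
    if edge_node:
        if hdr["first_info_checksum"] != user_packet_checksum(up):
            return "discard_checksum_mismatch"  # user packet replaced, checksum1 updated
        if not payload_matches_checksum(up):
            return "discard_payload_corrupt"  # payload changed without updating checksum1
    return "forward"


if __name__ == "__main__":
    good = head_node_encapsulate(build_user_packet(b"payload"), "2001:db8::1", ("2001:db8::a",))
    swapped = {"tunnel_header": good["tunnel_header"], "user_packet": build_user_packet(b"tampered")}
    print("intermediate node, header checksum:", verify_at_node(swapped, True, False))  # forward
    print("edge node, header checksum:", verify_at_node(swapped, True, True))  # discard_checksum_mismatch
    print("any node, user-packet checksum:", verify_at_node(swapped, False, False))  # discard_integrity
```

The swapped-packet case shows why the text prefers the comparison on an edge node: a node that hashes only the checksum from the tunnel header cannot see that the user packet was exchanged, while hashing the checksum read from the user packet detects it at the cost of parsing that packet.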
In addition, the embodiment of the present application further provides a communication apparatus 600, which is shown in fig. 6. Fig. 6 is a schematic structural diagram of a communication device according to an embodiment of the present application. The communication device 600 includes a transceiving unit 601 and a processing unit 602. The communication device 600 may be used to perform the method 100, the method 200 or the method 300 in the above embodiments.
In one example, the communication device 600 may perform the method 100 in the above embodiment, and when the communication device 600 is used to perform the method 100 in the above embodiment, the communication device 600 is equivalent to the communication device 1 in the method 100. The transceiving unit 601 is configured to perform the transceiving operations performed by the communication device 1 in the method 100. The processing unit 602 is configured to perform the operations other than transceiving operations performed by the communication device 1 in the method 100. For example: the processing unit 602 is configured to generate a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for verifying the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing hash calculation according to a target content 1, and the target content 1 includes a checksum2 included in an original user packet; the transceiving unit 601 is configured to send the packet 1.
In one example, the communication device 600 may perform the method 100 in the above embodiment, and when the communication device 600 is used to perform the method 100 in the above embodiment, the communication device 600 is equivalent to the communication device 2 in the method 100. The transceiving unit 601 is configured to perform the transceiving operations performed by the communication device 2 in the method 100. The processing unit 602 is configured to perform the operations other than transceiving operations performed by the communication device 2 in the method 100. For example: the transceiving unit 601 is configured to receive a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for verifying the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing hash calculation according to a target content 1, and the target content 1 includes a checksum2 included in an original user packet. The processing unit 602 is configured to perform integrity verification on the packet 1 according to the check information 1.
In one example, the communication device 600 may perform the method 200 in the above embodiment, and when the communication device 600 is used to perform the method 200 in the above embodiment, the communication device 600 is equivalent to the first communication device in the method 200. The transceiving unit 601 is configured to perform the transceiving operations performed by the first communication device in the method 200. The processing unit 602 is configured to perform the operations other than transceiving operations performed by the first communication device in the method 200. For example: the processing unit 602 is configured to obtain a first packet, where the first packet is an Internet Protocol (IP) packet, the first packet includes a tunnel header and a user packet, the tunnel header includes first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content includes a first checksum of an original user packet; the transceiving unit 601 is configured to send the first packet.
In one example, the communication device 600 may perform the method 300 in the above embodiment, and when the communication device 600 is used to perform the method 300 in the above embodiment, the communication device 600 is equivalent to the second communication device in the method 300. The transceiving unit 601 is used for performing transceiving operations performed by the second communication device in the method 300. The processing unit 602 is configured to perform operations other than transceiving operations performed by the second communication device in the method 300. For example: the transceiving unit 601 is configured to receive a first packet, where the first packet is an internet protocol IP packet, the first IP packet includes a tunnel header and a user packet, the tunnel header includes first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content includes a first checksum of an original user packet; the processing unit 602 is configured to perform integrity verification on the first packet according to the first check information.
In addition, an embodiment of the present application further provides a communication apparatus 700, see fig. 7, where fig. 7 is a schematic structural diagram of the communication apparatus provided in the embodiment of the present application. The communication device 700 includes a communication interface 701 and a processor 702 coupled to the communication interface 701. The communication apparatus 700 may be used to perform the method 100, the method 200, or the method 300 in the above embodiments.
In one example, the communication device 700 may perform the method 100 in the above embodiment, and when the communication device 700 is used to perform the method 100 in the above embodiment, the communication device 700 is equivalent to the communication device 1 in the method 100. The communication interface 701 is used to perform the transceiving operation performed by the communication apparatus 1 in the method 100. The processor 702 is configured to perform operations other than transceiving operations performed by the communication apparatus 1 in the method 100. For example: the processor 702 is configured to generate a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for verifying the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing hash calculation according to a target content 1, and the target content 1 includes a checksum2 included in an original user packet; the communication interface 701 is configured to send the packet 1.
In one example, the communication device 700 may perform the method 100 in the above embodiment, and when the communication device 700 is used to perform the method 100 in the above embodiment, the communication device 700 is equivalent to the communication device 2 in the method 100. The communication interface 701 is used to perform transceiving operations performed by the communication apparatus 2 in the method 100. Processor 702 is configured to perform operations other than transceiving operations performed by communication device 2 in method 100. For example: the communication interface 701 is configured to receive a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for verifying the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing hash calculation according to target content 1, and the target content 1 includes a checksum2 included in an original user packet. The processor 702 is configured to perform integrity verification on the packet 1 according to the check information 1.
In one example, the communication device 700 can perform the method 200 in the above embodiment, and when the communication device 700 is used to perform the method 200 in the above embodiment, the communication device 700 is equivalent to the first communication device in the method 200. The communication interface 701 is used for performing transceiving operations performed by the first communication device in the method 200. The processor 702 is configured to perform operations other than transceiving operations performed by the first communication device in the method 200. For example: the processor 702 is configured to obtain a first packet, where the first packet is an internet protocol IP packet, the first packet includes a tunnel header and a user packet, the tunnel header includes first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content includes a first checksum of an original user packet; the communication interface 701 is configured to send the first packet.
In one example, the communication device 700 can perform the method 300 in the above embodiment, and when the communication device 700 is used to perform the method 300 in the above embodiment, the communication device 700 is equivalent to the second communication device in the method 300. The communication interface 701 is used for performing transceiving operations performed by the second communication device in the method 300. The processor 702 is configured to perform operations other than transceiving operations performed by the second communication device in the method 300. For example: the communication interface 701 is configured to receive a first packet, where the first packet is an internet protocol IP packet, the first IP packet includes a tunnel header and a user packet, the tunnel header includes first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content includes a first checksum of an original user packet; the processor 702 is configured to perform integrity verification on the first packet according to the first check information.
In addition, an embodiment of the present application further provides a communication device 800, referring to fig. 8, where fig. 8 is a schematic structural diagram of the communication device provided in the embodiment of the present application.
The communication device 800 may be used to perform the method 100, the method 200, or the method 300 in the above embodiments.
As shown in fig. 8, the communication apparatus 800 can include a processor 810, a memory 820 coupled to the processor 810, and a transceiver 830. The transceiver 830 may be, for example, a communication interface, an optical module, etc. The processor 810 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor 810 may refer to a single processor or may include multiple processors. The memory 820 may include a volatile memory, such as a random-access memory (RAM); the memory may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 820 may also comprise a combination of memories of the kinds described above. The memory 820 may refer to one memory or may include a plurality of memories. In one embodiment, the memory 820 has stored therein computer-readable instructions including a plurality of software modules, such as a sending module 821, a processing module 822, and a receiving module 823. The processor 810, after executing each software module, may perform corresponding operations according to the instructions of that software module. In this embodiment, an operation performed by a software module actually refers to the operation performed by the processor 810 according to the instructions of the software module.
In one example, the communication device 800 may perform the method 100 in the above embodiment, and when the communication device 800 is used to perform the method 100 in the above embodiment, the communication device 800 is equivalent to the communication device 1 in the method 100. The transceiver 830 is used for performing the transceiving operations performed by the communication device 1 in the method 100. The processor 810 is configured to perform the operations other than transceiving operations performed by the communication device 1 in the method 100. For example: the processor 810 is configured to generate a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for verifying the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing hash calculation according to a target content 1, and the target content 1 includes a checksum2 included in an original user packet; the transceiver 830 is configured to transmit the packet 1.
In one example, the communication device 800 may perform the method 100 in the above embodiment, and when the communication device 800 is used to perform the method 100 in the above embodiment, the communication device 800 is equivalent to the communication device 2 in the method 100. The transceiver 830 is used for performing the transceiving operations performed by the communication device 2 in the method 100. The processor 810 is configured to perform the operations other than transceiving operations performed by the communication device 2 in the method 100. For example: the transceiver 830 is configured to receive a packet 1, where the packet 1 includes a tunnel header and a user packet 1, the user packet 1 includes a checksum1 for verifying the user packet 1, the tunnel header includes check information 1, the check information 1 is obtained by performing hash calculation according to a target content 1, and the target content 1 includes a checksum2 included in an original user packet. The processor 810 is configured to perform integrity verification on the packet 1 according to the check information 1.
In one example, the communication device 800 can perform the method 200 in the above embodiment, and when the communication device 800 is used to perform the method 200 in the above embodiment, the communication device 800 is equivalent to the first communication device in the method 200. The transceiver 830 is used for performing the transceiving operations performed by the first communication device in the method 200. The processor 810 is configured to perform the operations other than transceiving operations performed by the first communication device in the method 200. For example: the processor 810 is configured to obtain a first packet, where the first packet is an Internet Protocol (IP) packet, the first packet includes a tunnel header and a user packet, the tunnel header includes first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content includes a first checksum of an original user packet; the transceiver 830 is configured to transmit the first packet.
In one example, the communication device 800 can perform the method 300 in the above embodiment, and when the communication device 800 is used to perform the method 300 in the above embodiment, the communication device 800 is equivalent to the second communication device in the method 300. The transceiver 830 is used for performing the transceiving operations performed by the second communication device in the method 300. The processor 810 is configured to perform the operations other than transceiving operations performed by the second communication device in the method 300. For example: the transceiver 830 is configured to receive a first packet, where the first packet is an Internet Protocol (IP) packet, the first packet includes a tunnel header and a user packet, the tunnel header includes first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content includes a first checksum of an original user packet; the processor 810 is configured to perform integrity verification on the first packet according to the first check information.
Embodiments of the present application also provide a computer-readable storage medium having stored therein instructions, which when executed on a computer, cause the computer to perform one or more operations of the method in any of the foregoing embodiments.
Embodiments of the present application also provide a computer program product, which stores a computer program and makes a computer perform one or more operations of the method described in any previous embodiment of the present application when the computer program runs on the computer. The embodiment of the present application further provides a communication system, including any one of the first communication devices and any one of the second communication devices mentioned in the above embodiments.
The present embodiments also provide a communication system, including at least one memory and at least one processor, where the at least one memory stores instructions, and the at least one processor executes the instructions, so that the communication system performs any one or more of the operations of the method (e.g., the method 100, the method 200, or the method 300) described in any of the foregoing embodiments of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is only a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, each service unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a hardware form, and can also be realized in a software service unit form.
The integrated unit, if implemented in the form of a software business unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Those skilled in the art will recognize that, in one or more of the examples described above, the services described in this disclosure may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the services may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above embodiments are intended to explain the objects, aspects and advantages of the present invention in further detail, and it should be understood that the above embodiments are merely illustrative of the present invention.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (28)

1. A method of message processing, performed by a first communications device, the method comprising:
acquiring a first message, wherein the first message is an Internet Protocol (IP) message, the first message comprises a tunnel header and a user message, the tunnel header comprises first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content comprises a first checksum of an original user message;
and sending the first message.
2. The method of claim 1, wherein the tunnel header further comprises first information indicating the first checksum.
3. The method according to claim 1 or 2, wherein the user packet further includes a second checksum of the user packet, and the first checksum and the second checksum are the same.
4. The method according to claim 1 or 2, wherein the user packet further includes a second checksum of the user packet, and the first checksum is different from the second checksum.
5. The method according to any one of claims 1-3, wherein the first communication device comprises a head node that performs tunnel encapsulation on the original user packet.
6. The method according to any one of claims 1-4, wherein the first communication device is an intermediate node in a forwarding path of the first packet.
7. A method of message processing, performed by a second communications device, the method comprising:
receiving a first message, wherein the first message is an Internet Protocol (IP) message, the first message comprises a tunnel header and a user message, the tunnel header comprises first check information, the first check information is obtained by performing hash calculation according to first target content, and the first target content comprises a first checksum of an original user message;
and carrying out integrity verification on the first message according to the first verification information.
8. The method of claim 7, wherein the tunnel header further comprises first information indicating the first checksum.
9. The method according to claim 7 or 8, wherein performing integrity verification on the first packet according to the first check information comprises:
performing a hash calculation on second target content of the first packet to obtain second check information;
and matching the first check information against the second check information.
10. The method of claim 9, wherein the user packet comprises a second checksum of the user packet, and wherein the second target content comprises the second checksum.
11. The method of claim 8, wherein performing integrity verification on the first packet according to the first check information comprises:
determining the first checksum according to the first information;
performing a hash calculation on the determined first checksum to obtain second check information;
and matching the first check information against the second check information.
12. The method according to any one of claims 7 to 11,
the second communication device is an intermediate node or a tail node in a forwarding path of the first packet.
13. The method according to any one of claims 1-12, wherein the first check information is a keyed-hash message authentication code (HMAC).
14. The method according to any one of claims 1-13, wherein the tunnel header comprises an extension header, and the extension header comprises the first check information.
15. The method of any of claims 1-14, wherein the tunnel header comprises an extended type-length-value, TLV, field, wherein the extended TLV field comprises the first check information.
16. The method of any of claims 1-15, wherein the first target content further comprises a source IP address of the first packet.
17. The method of any of claims 1-16, wherein the tunnel header further comprises second information indicating a key and/or algorithm used to perform the hash calculation.
18. The method according to any one of claims 1-17, wherein the tunnel header further comprises third information indicating the target content over which the hash calculation is performed when verifying the first check information.
19. The method according to any one of claims 1-18, wherein the first packet is an Internet Protocol version 6 (IPv6) packet.
20. The method of claim 19, wherein the tunnel header comprises a Segment Routing Header (SRH), and wherein the SRH comprises the first check information.
21. The method of claim 20, wherein the first target content further comprises the segment identifier (SID) list in the SRH.
22. The method according to any one of claims 1-18, wherein the first packet is a Bit Index Explicit Replication over IPv6 (BIERv6) packet.
23. The method of claim 22, wherein the tunnel header comprises an extended destination options header (DOH), and the DOH comprises the first check information.
24. The method according to any one of claims 1-18, wherein the first packet is an Internet Protocol version 4 (IPv4) packet.
25. A first communications device, wherein the first communications device comprises a memory and a processor;
the memory for storing program code;
the processor, configured to execute instructions in the program code to cause the first communication device to perform the method of any of claims 1-6 or any of claims 13-24.
26. A second communication device, wherein the second communication device comprises a memory and a processor;
the memory for storing program code;
the processor, configured to execute instructions in the program code to cause the second communication device to perform the method of any of the preceding claims 7-24.
27. A computer-readable storage medium having stored therein instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-24 above.
28. A communication system comprising the first communication apparatus of claim 25 and the second communication apparatus of claim 26.
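The claims above describe a protocol, not an implementation, so the following is an added worked example of both sides of it, written for this page; it is not code from the patent or from Huawei. It assumes HMAC-SHA256 (claim 13), a one-byte key identifier standing in for the "second information" of claim 17, a one-byte flags field standing in for the "third information" of claim 18 (whether the source IP of claim 16 and the SID list of claim 21 are hashed too), and a hypothetical TLV layout (type, length, key id, flags, carried checksum, tag) in place of the extension header or SRH TLV of claims 14-15 and 20. The user packet, addresses and key are constructed sample input.

```python
"""Added example: tunnel-header integrity check from a packet checksum plus an HMAC,
following claims 1-21 of CN114362985A. Layout, key table and algorithm are assumptions."""
import hashlib
import hmac
import ipaddress
import struct

KEYS = {1: b"constructed-demo-key-1"}  # assumed key table shared by head node and verifiers
TLV_TYPE = 0x7F                        # hypothetical TLV type carrying the check information
FLAG_SRC_IP = 0x01                     # "third information": hash also covers the source IP (claim 16)
FLAG_SID_LIST = 0x02                   # ... and the SRH SID list (claim 21)
TAG_LEN = 32                           # HMAC-SHA256 output
HDR_LEN = 6                            # type(1) length(1) key id(1) flags(1) checksum(2)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum: the 'first checksum' computed over the original user packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def target_content(checksum: int, flags: int, src_ip: str, sid_list) -> bytes:
    """Bytes the HMAC covers: the checksum, plus whatever the flags select (claims 1, 16, 21)."""
    buf = struct.pack("!H", checksum)
    if flags & FLAG_SRC_IP:
        buf += ipaddress.ip_address(src_ip).packed
    if flags & FLAG_SID_LIST:
        buf += b"".join(ipaddress.ip_address(s).packed for s in sid_list)
    return buf


def check_info(key_id: int, checksum: int, flags: int, src_ip: str, sid_list) -> bytes:
    """The 'first check information': a keyed-hash MAC over the target content (claim 13)."""
    return hmac.new(KEYS[key_id], target_content(checksum, flags, src_ip, sid_list), hashlib.sha256).digest()


def head_node_encapsulate(user_packet: bytes, src_ip: str, sid_list, key_id: int = 1,
                          flags: int = FLAG_SRC_IP | FLAG_SID_LIST) -> bytes:
    """Head node (claims 1-2, 5): checksum, HMAC over it, then the TLV (our stand-in tunnel header) + user packet."""
    chk = internet_checksum(user_packet)
    tag = check_info(key_id, chk, flags, src_ip, sid_list)
    tlv = struct.pack("!BBBBH", TLV_TYPE, HDR_LEN - 2 + TAG_LEN, key_id, flags, chk) + tag
    return tlv + user_packet


def parse_first_packet(first_packet: bytes):
    """Split the received 'first packet' into TLV fields, tag and user packet; reject malformed TLVs."""
    if len(first_packet) < HDR_LEN + TAG_LEN:
        raise ValueError("packet too short for check-info TLV")
    tlv_type, tlv_len, key_id, flags, carried_chk = struct.unpack("!BBBBH", first_packet[:HDR_LEN])
    if tlv_type != TLV_TYPE or tlv_len != HDR_LEN - 2 + TAG_LEN:
        raise ValueError("malformed check-info TLV")
    tag = first_packet[HDR_LEN:HDR_LEN + TAG_LEN]
    return key_id, flags, carried_chk, tag, first_packet[HDR_LEN + TAG_LEN:]


def verify_header(first_packet: bytes, src_ip: str, sid_list) -> bool:
    """Intermediate node (claims 11-12): use the checksum carried in the header ('first information'),
    recompute the HMAC and compare. Cheap, but it never looks at the payload."""
    key_id, flags, carried_chk, tag, _ = parse_first_packet(first_packet)
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(tag, check_info(key_id, carried_chk, flags, src_ip, sid_list))


def verify_payload(first_packet: bytes, src_ip: str, sid_list) -> bool:
    """Tail node (claims 9-10): recompute the checksum from the received user packet and hash that,
    so a payload change that alters the checksum breaks the match."""
    key_id, flags, carried_chk, tag, user_packet = parse_first_packet(first_packet)
    if key_id not in KEYS:
        return False
    chk = internet_checksum(user_packet)
    return chk == carried_chk and hmac.compare_digest(tag, check_info(key_id, chk, flags, src_ip, sid_list))


# Constructed sample input (not captured traffic).
USER_PACKET = b"constructed user packet: sensor=42 state=OK\n"
SRC_IP = "2001:db8::1"
SID_LIST = ["2001:db8:1::100", "2001:db8:2::100"]


def tamper_flip_bit(first_packet: bytes) -> bytes:
    """Flip one payload bit: the checksum changes, so verify_payload fails (verify_header still passes)."""
    b = bytearray(first_packet)
    b[-1] ^= 0x01
    return bytes(b)


def tamper_swap_words(first_packet: bytes) -> bytes:
    """Swap the first two 16-bit words of the user packet. The one's-complement sum is order independent,
    so the checksum, and with it the HMAC, is unchanged: a hash over the checksum alone cannot see this."""
    hdr, up = first_packet[:HDR_LEN + TAG_LEN], bytearray(first_packet[HDR_LEN + TAG_LEN:])
    up[0:2], up[2:4] = up[2:4], up[0:2]
    return hdr + bytes(up)


if __name__ == "__main__":
    pkt = head_node_encapsulate(USER_PACKET, SRC_IP, SID_LIST)
    for label, p in (("intact", pkt), ("bit flipped", tamper_flip_bit(pkt)), ("words swapped", tamper_swap_words(pkt))):
        print(f"{label:14s} header={verify_header(p, SRC_IP, SID_LIST)} payload={verify_payload(p, SRC_IP, SID_LIST)}")
    print("SID list edited header =", verify_header(pkt, SRC_IP, SID_LIST[:1]))
```

The two verifier functions show what each claimed check buys: verify_header detects any change to the authenticated header fields (carried checksum, source IP, SID list) without touching the payload, and verify_payload additionally ties the payload to the header through the checksum. The caveat a practitioner should keep in mind is in tamper_swap_words: because the claims hash the checksum rather than the payload, any modification that preserves the one's-complement sum (reordering 16-bit words, or compensating one change with another) passes both checks, so this construction detects accidental or unsophisticated alteration, not an adversary who understands the checksum.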
CN202011285029.0A 2020-09-29 2020-11-17 Message processing method and device Pending CN114362985A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2020110538571 2020-09-29
CN202011053857 2020-09-29

Publications (1)

Publication Number Publication Date
CN114362985A true CN114362985A (en) 2022-04-15

Family

ID=81090070

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011285029.0A Pending CN114362985A (en) 2020-09-29 2020-11-17 Message processing method and device

Country Status (1)

Country Link
CN (1) CN114362985A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117857181A (en) * 2024-01-10 2024-04-09 广州宏途数字科技有限公司 Data transmission method and system for intelligent campus online evaluation

Similar Documents

Publication Publication Date Title
CN109802924B (en) Method and device for identifying encrypted data stream
US11711288B2 (en) Centralized error telemetry using segment routing header tunneling
EP4145790A1 (en) Method and device for verifying srv6 packet
CN107104929B (en) Method, device and system for defending network attack
CN111786867B (en) Data transmission method and server
WO2016150205A1 (en) Method, device and system for processing vxlan message
US20190068762A1 (en) Packet Parsing Method and Device
US9762486B2 (en) Method and system for using extension headers to support protocol stack migration
CN114362985A (en) Message processing method and device
CN113810173B (en) Method for checking application information, message processing method and device
US20230283588A1 (en) Packet processing method and apparatus
JP2023529639A (en) Packet processing methods, devices and systems
US20230113138A1 (en) Application Information Verification Method, Packet Processing Method, And Apparatuses Thereof
CN113179251B (en) Front-end file processing method, device, equipment and machine-readable storage medium
CN115632963A (en) Method, device, apparatus and medium for confirming tunnel connection state
CN114884905A (en) Flow mirroring method, device, equipment and computer storage medium
US10917502B2 (en) Method for using metadata in internet protocol packets
CN114884667A (en) Communication authentication method, device and storage medium
CN114567450A (en) Protocol message processing method and device
WO2016037490A1 (en) Method and device for processing dynamic host configuration protocol (dhcp) message
CN114301960B (en) Processing method and device for cluster asymmetric traffic, electronic equipment and storage medium
CN115604183B (en) Message processing method, device, network equipment and storage medium
WO2023134350A1 (en) Message sending method, message receiving method, information sending method, and apparatus
EP4250646A1 (en) Bit error information acquisition method and device
WO2023179656A1 (en) Srv6 message processing method and apparatus, communication device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination