CN114520751A - Tunnel transmission method and device based on software defined wide area network - Google Patents

Publication number
CN114520751A
Authority
CN
China
Prior art keywords
information
srv6
tenant
configuration information
routing header
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111632725.9A
Other languages
Chinese (zh)
Inventor
牛佳
颜永明
张慷
张届新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/34 Source routing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Abstract

The invention discloses a tunnel transmission method and device based on a software-defined wide area network, which are applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and comprise the following steps: the source node device receives the tunnel configuration information sent by the controller; when determining that the tunnel configuration information is provided with a tenant isolation function, the source node device sets a tenant isolation flag bit in the segment routing header of the SRv6 message and sets tenant information in a TLV optional field of the segment routing header; the source node device transmits the SRv6 message to the target node device through a tunnel. According to the invention, the tenant isolation flag bit is set in the segment routing header of the SRv6 message, and the tenant information is set in the TLV optional field of the segment routing header, so that the SRv6 message realizes the tenant isolation function, and the security of SRv6 message transmission is thereby improved.

Description

Tunnel transmission method and device based on software defined wide area network
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a tunnel transmission method and apparatus based on a software defined wide area network.
Background
In the prior art, a software-defined wide area network (SD-WAN) in an IPv6 (Internet Protocol Version 6) environment is a method formed by applying SDN (Software Defined Network) technology to a wide area network scenario.
Further, SRv6 in IPv6 is an SR (segment routing) source routing technology implemented on the IPv6 data plane. SRv6 records the sequence of IPv6 forwarding address prefixes in the Segment List, and generates a large number of SRv6 paths by combining a limited set of link and node segments, thereby realizing the tunnel forwarding function of IPv6.
However, the current tunnel forwarding function of SRv6 cannot implement a tenant isolation function, an anti-replay function, an authentication mechanism function, or an SLA function, resulting in low security of SRv6 message transmission.
Disclosure of Invention
The embodiment of the invention provides a tunnel transmission method and device based on a software-defined wide area network (SDWAN), which are used for improving SRv6 message transmission safety by realizing a tenant isolation function, a replay prevention function, an authentication mechanism function and an SLA function of SRv6 messages.
In a first aspect, an embodiment of the present invention provides a tunneling method based on a software-defined wide area network, which is applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and includes:
the source node equipment receives the tunnel configuration information sent by the controller;
when determining that the tunnel configuration information is provided with a tenant isolation function, the source node device sets a tenant isolation flag bit in a segment routing header of an SRv6 message and sets tenant information in a TLV optional field of the segment routing header;
and the source node equipment transmits the SRv6 message to the target node equipment through a tunnel.
In the technical scheme, the tenant isolation flag bit is set in the segment routing header of the SRv6 message, and the tenant information is set in the TLV optional field of the segment routing header, so that the SRv6 message realizes the tenant isolation function, and further the security of SRv6 message transmission is improved.
Optionally, the method further includes:
when determining that the tunnel configuration information is provided with an anti-replay function, the source node device sets an anti-replay flag bit in a segment routing header of an SRv6 message and sets a sending timestamp and time interval information in a TLV optional field of the segment routing header; the sending timestamp and the time interval information are used for the target node device to discard the SRv6 message when determining that the SRv6 message is a replayed message.
In the above technical solution, the anti-replay function is realized by setting the anti-replay flag bit in the segment routing header of the SRv6 packet and setting the transmission timestamp and the time interval information in the TLV optional field of the segment routing header, thereby improving the security of SRv6 packet transmission.
Optionally, the method further includes:
when the source node equipment determines that the tunnel configuration information is provided with an authentication mechanism function, an authentication mechanism flag bit is set in a segment routing header of an SRv6 message, and first encryption information aiming at the TLV optional field is set in an HMAC TLV field of the segment routing header; the first encryption information is used for the target node device to authenticate the SRv6 message.
In the above technical solution, the authentication mechanism function is implemented by setting the authentication mechanism flag bit in the segment routing header of the SRv6 packet and setting the first encryption information for the TLV optional field in the HMAC TLV field of the segment routing header, thereby improving the security of SRv6 packet transmission.
Optionally, the method further includes:
when determining that the tunnel configuration information is provided with a service level flag bit, the source node device sets service level agreement SLA information in a TLV optional field of the segmented routing header; the SLA information is used to provide the SRv6 message with the quality of tunnel transmission that meets the SLA information.
In the technical scheme, the SLA function is realized by setting the SLA information in the TLV optional field of the segmented routing header, and the flexibility of SRv6 message transmission is improved.
Optionally, the tenant information includes a tenant indication and a department indication;
the tenant information further includes at least one of the following information: an administrative region indication, a country indication, and an operator indication.
In a second aspect, an embodiment of the present invention provides a tunneling method based on a software-defined wide area network, which is applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and includes:
the target node equipment receives SRv6 messages sent by the source node equipment;
the target node device determines that a segment routing header of the SRv6 message is provided with a tenant isolation flag bit and an authentication mechanism flag bit, and a TLV optional field of the segment routing header is provided with tenant information and first encryption information;
when the target node equipment determines that the first encryption information is consistent with the second encryption information, processing the SRv6 message; the second encryption information is generated by the target node device based on the tunnel configuration information sent by the controller.
Optionally, the method further includes:
the target node equipment determines that a segment routing header of the SRv6 message is provided with a replay-preventing flag bit and a TLV optional field of the segment routing header is provided with a sending timestamp and time interval information;
and the target node equipment determines the transmission time length between the receiving time stamp and the sending time stamp of the SRv6 message, and processes the SRv6 message when the transmission time length meets the time interval information.
In a third aspect, an embodiment of the present invention provides a tunneling method based on a software-defined wide area network, which is applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and includes:
the controller receives a tenant isolation indication set by a user;
and the controller generates tunnel configuration information carrying the tenant isolation function based on the tenant isolation indication and respectively sends the tunnel configuration information to the source node equipment and the target node equipment.
Optionally, the method further includes:
the controller generates tunnel configuration information carrying an anti-replay function and/or an authentication mechanism function based on an anti-replay indication and/or an authentication mechanism indication of a user.
In a fourth aspect, an embodiment of the present invention provides a tunneling apparatus based on a software-defined wide area network, which is applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and includes:
the first acquisition module is used for receiving the tunnel configuration information sent by the controller;
a first processing module, configured to set a tenant isolation flag in a segment routing header of the SRv6 packet and set tenant information in a TLV optional field of the segment routing header when determining that a tenant isolation function is set in the tunnel configuration information;
and transmitting the SRv6 message to a target node device through a tunnel.
Optionally, the first processing module is further configured to:
when the tunnel configuration information is determined to be provided with the anti-replay function, setting an anti-replay flag bit in a segment routing header of an SRv6 message and setting a sending timestamp and time interval information in a TLV optional field of the segment routing header; the sending timestamp and the time interval information are used for the target node device to discard the SRv6 message when determining that the SRv6 message is a replayed message.
Optionally, the first processing module is further configured to:
when the tunnel configuration information is determined to be provided with the authentication mechanism function, an authentication mechanism flag bit is set in a segment routing header of the SRv6 message, and first encryption information aiming at the TLV optional field is set in an HMAC TLV field of the segment routing header; the first encryption information is used for the target node device to authenticate the SRv6 message.
Optionally, the first processing module is further configured to:
setting service level agreement SLA information in TLV selectable field of the segmented routing head when determining that the tunnel configuration information is provided with service level flag bit; the SLA information is used to provide the SRv6 message with the quality of tunnel transmission that meets the SLA information.
Optionally, the tenant information includes a tenant indication and a department indication;
the tenant information further includes at least one of the following information: an administrative region indication, a country indication, and an operator indication.
In a fifth aspect, an embodiment of the present invention provides a tunneling apparatus based on a software-defined wide area network, which is applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and includes:
the second obtaining module is used for receiving SRv6 messages sent by the source node equipment;
a second processing module, configured to determine that a segment routing header of the SRv6 packet is provided with a tenant isolation flag and an authentication mechanism flag, and a TLV optional field of the segment routing header is provided with tenant information and first encryption information;
when the first encryption information is determined to be consistent with the second encryption information, processing the SRv6 message; the second encryption information is generated by the target node device based on the tunnel configuration information sent by the controller.
Optionally, the second processing module is further configured to:
determining that an anti-replay flag bit is set in a segment routing header of the SRv6 message and a sending timestamp and time interval information are set in a TLV optional field of the segment routing header;
and determining the transmission time length between the receiving time stamp and the sending time stamp of the SRv6 message, and processing the SRv6 message when the transmission time length meets the time interval information.
In a sixth aspect, an embodiment of the present invention provides a tunneling apparatus based on a software-defined wide area network, which is applicable to the SRv6 bearer protocol (segment routing over the IPv6 forwarding plane), and includes:
the receiving module is used for receiving a tenant isolation indication set by a user;
and the generation module is used for generating tunnel configuration information carrying the tenant isolation function based on the tenant isolation indication and respectively sending the tunnel configuration information to the source node equipment and the target node equipment.
Optionally, the generating module is further configured to:
and generating tunnel configuration information carrying the anti-replay function and/or the authentication mechanism function based on the anti-replay indication and/or the authentication mechanism indication of the user.
In a seventh aspect, an embodiment of the present invention further provides a computer device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the tunneling method based on the software-defined wide area network according to the obtained program.
In an eighth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores computer-executable instructions, and the computer-executable instructions are configured to cause a computer to execute the above tunneling method based on a software-defined wide area network.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a system architecture diagram according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a tunneling method based on a software-defined wide area network according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an Optional TLV field according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a tunneling method based on a software-defined wide area network according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a tunneling method based on a software-defined wide area network according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a tunneling apparatus based on a software-defined wide area network according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a tunneling apparatus based on a software-defined wide area network according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a tunneling apparatus based on a software-defined wide area network according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to better explain the technical solution of the present invention, the following explains possible terms.
A replay attack means that a packet destined for a legitimate destination address is obtained by packet capture and the packet data is then copied to deceive the destination address device; the destination address device may accept the spoofed data packet as a normal data packet, and a network device may discard normal service data packets when it receives a large number of spoofed data packets.
An SD-WAN (Software Defined Wide Area Network) in SDN is a service formed by applying SDN technology to a wide area network scenario, and the service is used for connecting enterprise networks, data centers, internet applications, and cloud services over a wide geographic range. The service is characterized in that the network control capability is moved to the cloud in software form, and opening up network capabilities that applications can perceive is supported.
The SD-WAN inherits the concept of separating forwarding from control, and realizes unified control of each CPE (Customer Premise Equipment) device through a unified central controller. A newly provisioned CPE can automatically connect to the controller through Call Home to download its configuration and policies, so that zero-touch rapid provisioning is truly achieved; a configuration change only needs to be made once on the controller, and all branch sites are synchronized automatically. Through the CPE's deep identification of traffic and probe-based link condition detection, the flexibility of the traffic routing policy is improved, and dynamic traffic scheduling that follows policy and network quality is realized.
Based on the above description, the software-defined wide area network in an IPv6 environment is a method formed by applying SDN technology to a wide area network scenario. SRv6 in IPv6 is an SR source routing technology implemented on the IPv6 data plane. SRv6 records the sequence of IPv6 forwarding address prefixes in the Segment List, and generates a large number of SRv6 paths by combining a limited set of link and node segments, so as to realize the tunnel forwarding function of IPv6; specifically, the header is shown in table 1 below.
TABLE 1
(Table 1 is an image in the original publication and is not reproduced here: the IPv6 header followed by the segment routing header of the SRv6 message.)
In table 1, the first 3 rows of information are the IPv6 header, and the rest of the information is the SRH (segment routing header) of the SRv6 message. The Source Address is the address of the source node device, the Destination Address is the address of the target node device, and the Segment List records the sequence of IPv6 forwarding address prefixes, so that the tunnel forwarding function is realized.
However, in the prior art, the current tunnel forwarding function of SRv6 cannot implement a tenant isolation function, an anti-replay function, an authentication mechanism function, and an SLA function, which results in low security of SRv6 message transmission. Therefore, a tunnel transmission method is needed to improve the security of SRv6 message transmission by implementing the tenant isolation function, the anti-replay function, the authentication mechanism function and the SLA function of SRv6 message.
Fig. 1 illustrates an exemplary system architecture to which an embodiment of the present invention is applicable, which includes a controller 110, a source node device 120, and a target node device 130.
The controller 110 is configured to receive indication information set by a user, and generate tunnel configuration information, where the indication information includes a tenant isolation indication, an anti-replay indication, an SLA indication, and/or an authentication mechanism indication; the tunnel configuration information is then sent to the source node device 120 and the target node device 130.
The source node device 120 is configured to receive the tunnel configuration information sent by the controller 110 and, according to the tunnel configuration information, to generate the SRv6 message by performing one or more of the following: setting a tenant isolation flag bit in the segment routing header of the SRv6 message and setting tenant information in a TLV optional field of the segment routing header; setting an anti-replay flag bit in the segment routing header and setting a sending timestamp and time interval information in the TLV optional field; setting an authentication mechanism flag bit in the segment routing header and setting first encryption information for the TLV optional field in an HMAC TLV field of the segment routing header; and/or setting Service Level Agreement (SLA) information in the TLV optional field. The source node device 120 then transmits the SRv6 message to the target node device 130 through a tunnel.
The target node device 130 is configured to receive the tunnel configuration information sent by the controller 110 and the SRv6 message sent by the source node device 120, and verify the SRv6 message according to the tunnel configuration information; the source node device 120 and the target node device 130 may be CPE devices, such as routers.
It should be noted that the structure shown in fig. 1 is only an example, and the embodiment of the present invention does not limit this.
Based on the above description, fig. 2 exemplarily illustrates a flowchart of a tunneling method based on a software-defined wide area network according to an embodiment of the present invention, where the flowchart may be executed by a tunneling apparatus based on a software-defined wide area network.
As shown in fig. 2, the process specifically includes:
Step 210, the source node device receives the tunnel configuration information sent by the controller.
In the embodiment of the present invention, the controller may also send the tunnel configuration information to the target node device, where the tunnel configuration information is used to instruct the source node device to implement a specific function.
Step 220, when determining that the tunnel configuration information is provided with the tenant isolation function, the source node device sets a tenant isolation flag bit in the segment routing header of the SRv6 packet and sets tenant information in the TLV optional field of the segment routing header.
In the embodiment of the present invention, the TLV optional field is the Optional TLV field in table 1, that is, the field following the last Segment List[n] in the SRH in table 1.
Step 230, the source node device tunnels the SRv6 packet to a destination node device.
In step 210, the tunnel configuration information is generated by the controller from the indication information set by the user; specifically, the controller receives a tenant isolation indication set by a user, and generates tunnel configuration information carrying a tenant isolation function based on the tenant isolation indication.
Illustratively, the indication information further comprises an anti-replay indication and/or an authentication mechanism indication, and tunnel configuration information carrying an anti-replay function and/or an authentication mechanism function is generated.
As another example, the indication information further includes an SLA indication, and tunnel configuration information carrying the SLA function is generated.
For example, 4 bits of information are used as the indication information, wherein the value of bit 0 represents a tenant isolation indication, the value of bit 1 represents an anti-replay indication, the value of bit 2 represents an authentication mechanism indication, and the value of bit 3 represents an SLA indication.
Further, when the value of bit 0 is 1, the source node device is instructed to add tenant information to realize the tenant isolation function; when the value of bit 1 is 1, the source node device is instructed to add a sending timestamp and time interval information to realize the anti-replay function; when the value of bit 2 is 1, the source node device is instructed to add first encryption information to realize the authentication mechanism function; and when the value of bit 3 is 1, the source node device is instructed to add SLA information to realize the SLA function.
In step 220, the source node device sets flag bit information according to the tunnel configuration information; the flag bit information comprises a tenant isolation flag bit, an anti-replay flag bit, an authentication mechanism flag bit and a service level flag bit.
Further, when the tenant isolation function is determined to be set in the tunnel configuration information, a tenant isolation flag bit is set in the segment routing header of the SRv6 message; when the anti-replay function is set in the tunnel configuration information, an anti-replay flag bit is set in a segment routing header of an SRv6 message; when the authentication mechanism function is set in the tunnel configuration information, setting an authentication mechanism flag bit in a segment routing header of an SRv6 message; and when the tunnel configuration information is determined to be provided with the service level flag bit, setting the service level flag bit in the segmented routing header of the SRv6 message.
In one practical manner, the source node device may set a flag bit in any optional field.
In the embodiment of the present invention, the source node device sets the flag bit information in the Flags field of table 1; the Flags field has 8 flag bits, and 4 of them are selected to correspond respectively to the tenant isolation flag bit, the anti-replay flag bit, the authentication mechanism flag bit and the service level flag bit.
For example, bit 0 in the Flags field corresponds to the tenant isolation flag bit, bit 1 in the Flags field corresponds to the anti-replay flag bit, bit 2 in the Flags field corresponds to the authentication mechanism flag bit, and bit 3 in the Flags field corresponds to the service level flag bit.
That is, when it is determined that the tenant isolation function is set in the configuration information, the value of bit 0 in the Flags field is set to 1; when the anti-replay function is set in the configuration information, the value of bit 1 in the Flags field is set to 1; when the authentication mechanism function is set in the configuration information, the value of bit 2 in the Flags field is set to 1; and when the service level flag bit is set in the configuration information, the value of bit 3 in the Flags field is set to 1.
Equivalently, when the value of the corresponding bit is 1, the corresponding information is set; for example, when the value of bit 0 is 1, the source node device sets tenant information in the TLV optional field of the segment routing header, which is equivalent to enabling the tenant isolation function; when the value of bit 1 is 1, the source node device sets a sending timestamp and time interval information in the TLV optional field of the segment routing header, which is equivalent to enabling the anti-replay function; when the value of bit 2 is 1, the source node device sets first encryption information for the TLV optional field in the HMAC TLV field of the segment routing header, which is equivalent to enabling the authentication mechanism function; when the value of bit 3 is 1, the source node device sets SLA information in the TLV optional field of the segment routing header, which is equivalent to enabling the SLA function;
wherein the TLV optional field is the Optional TLV field in table 1, and 128 bits are selected from the Optional TLV field to set the tenant information, the timestamp, the time interval information, and the SLA information; the tenant information comprises a tenant indication and a department indication; the tenant information further comprises at least one of the following information: an administrative region indication, a country indication, and an operator indication.
To better illustrate the above technical solution, fig. 3 is a schematic diagram of an Optional TLV field exemplarily shown in the present invention, as shown in fig. 3, which includes a tenant indication, a department indication, a postal number, a city indication, operator information, a timestamp, a time interval, and SLA information. The postal number and the city indication represent a country indication and an administrative region indication, for example, the city indication may select whether to distinguish administrative regions, districts, prefectures, city administration regions, city-level administrative regions, and provincial administrative regions.
It should be noted that the number of bits occupied by each indication is preset and is not limited herein; for example, the tenant indication is 16 bits, the SLA information is 9 bits, and the like.
In the embodiment of the invention, the first encryption information is obtained by a preset hash operation over the set information and preset source information, wherein the preset source information is the address of the target node device, the address of the source node device and each address in the segment list; the preset hash operation includes a shared key and a selected plurality of hash algorithms, which is not limited herein.
Specifically, information to be configured (such as tenant information, timestamp, and the like) in the tunnel configuration information is determined, first encryption information is obtained through preset hash operation according to the information to be configured and preset source information, and then when the value of the authentication mechanism flag bit is determined to be 1, the first encryption information is set in the HMAC TLV field in table 1.
In the embodiment of the present invention, information to be configured may be divided into a mandatory option and an optional option, for example, tenant information is a mandatory option, and a timestamp is an optional option, which is not limited herein. That is, the information to be configured must include tenant information, but the time stamp may be selected by the user whether to use the time stamp as the information to be configured.
For SLA information, the SLA information comprises different levels of line quality and line; specifically, the SLA information is classified into the following 4 levels.
The first level is an optimal path (low delay, short route) with access to an operator POP point, used for carrying enterprise core services (voice, video and the like, which need high-quality real-time transmission).
The second level is a suboptimal path (no mandatory low-delay requirement, that is, reachability is the benchmark) with access to an operator POP point, used for carrying enterprise-level important services.
The third level is an excellent path (low delay and short route) without access to an operator POP point, used for carrying enterprise-level common services or household-level services.
The fourth level is a common path (no mandatory low-delay requirement, that is, reachability is the benchmark) without access to an operator POP point, used for carrying home services.
In step 230, the source node device generates an SRv6 message based on the tenant information, the timestamp, the time interval information, the first encryption information, and the SLA information, and sends the SRv6 message to the target node device, so that the target node device executes the SRv6 message after verifying it.
To better illustrate how the target node device verifies the SRv6 message, fig. 4 is a schematic flowchart of a tunneling method based on a software-defined wide area network exemplarily shown in the embodiment of the present invention. As shown in fig. 4, the flowchart includes:
In step 410, the target node device receives the SRv6 message sent by the source node device.
In this embodiment of the present invention, the tunnel configuration information is used to instruct the target node device to verify SRv6 packets.
Step 420, the target node device determines that a segment routing header of the SRv6 packet is provided with a tenant isolation flag and an authentication mechanism flag, and a TLV optional field of the segment routing header is provided with tenant information and first encryption information.
In the embodiment of the invention, the segment routing header of the SRv6 message is also provided with a replay-prevention flag bit and an SLA flag bit.
Step 430, when the target node device determines that the first encryption information is consistent with the second encryption information, the SRv6 message is processed.
In this embodiment of the present invention, the second encryption information is generated by the target node device based on the tunnel configuration information sent by the controller.
In step 420, if the anti-replay flag bit is determined to be set, the sending timestamp set in the TLV optional field of the SRv6 message is determined; the sending timestamp is recorded in the TLV optional field by the source node device when sending the SRv6 message.
Before verifying the first encryption information, the target node device determines the transmission duration between the receiving timestamp and the sending timestamp of the SRv6 message, and processes the SRv6 message when the transmission duration satisfies the time interval information.
For example, if it is determined from the receiving timestamp and the sending timestamp that the transmission duration of the SRv6 message is 1 ms and the time interval is 2 ms, the transmission duration satisfies the time interval information and the SRv6 message is processed further. That is, the time interval information is a preset threshold, which may be a value preset according to experience, such as 3 ms or 2.5 ms, and is not limited herein.
In step 430, the target node device determines, according to the tunnel configuration information, the information to be configured (such as tenant information, a timestamp, and the like) added by the source node device, and performs the hash operation with the preset hash algorithm corresponding to the source node device, in combination with the preset source information (such as the address of the source node device), to obtain a second hash value. If the first encryption information is consistent with the second encryption information, this indicates that the SRv6 message has not been tampered with; because the encryption information includes the timestamp, replay of the SRv6 message is prevented, and the SRv6 message is determined to pass verification.
In an implementable manner, in order to ensure accuracy of packet transmission between the source node device and the target node device, the controller may further send an NTP instruction to the source node device and the target node device, for indicating time synchronization of the source node device and the target node device.
In the embodiment of the present invention, the device corresponding to each address in the segment list may also verify the SRv6 message, which is not limited and described herein.
To better illustrate the technical solution of the present invention, fig. 5 exemplarily shows a flowchart of a tunneling method based on a software-defined wide area network, as shown in fig. 5, the flowchart is as follows.
Step 501, send the tunnel configuration information.
The controller determines the tunnel configuration information according to the indication information (including the flag bit information, the tenant isolation indication, the anti-replay indication, the authentication mechanism indication and the SLA indication) set by the user, and then sends the tunnel configuration information to the source node device and the target node device respectively.
Step 502, determining whether the tenant isolation function is enabled.
Based on the value of bit 0 of the flag bits in the tunnel configuration information, the source node device sets the corresponding value in the Flags field of the SRH of the SRv6 message and determines whether to enable the tenant isolation function. If the value of bit 0 is 1, the function is enabled, and tenant information (including tenant indication, department indication, administrative region indication, country indication, operator indication and the like) is added to the Optional TLV field of the SRH of the SRv6 message; if the value of bit 0 is 0, the function is not enabled, that is, tenant information is not added.
Step 503, determine whether the anti-replay function is enabled.
Based on the value of bit 1 of the flag bits in the tunnel configuration information, the source node device sets the corresponding value in the Flags field of the SRH of the SRv6 message and determines whether to enable the anti-replay function. If the value of bit 1 is 1, the function is enabled, and a timestamp and time interval information are added to the Optional TLV field of the SRH of the SRv6 message; if the value of bit 1 is 0, the function is not enabled, that is, the timestamp and the time interval information are not added.
Step 504, determine whether to enable the authentication mechanism function.
Based on the value of bit 2 of the flag bits in the tunnel configuration information, the source node device sets the corresponding value in the Flags field of the SRH of the SRv6 message and determines whether to enable the authentication mechanism function. If the value of bit 2 is 1, the function is enabled, and the information added in the Optional TLV field (including tenant information, timestamp and time interval information) is added to the HMAC TLV field; if the value of bit 2 is 0, the function is not enabled, that is, the information in the Optional TLV field is not added to the HMAC TLV field.
Step 505, determine whether to activate the SLA function.
Based on the value of bit 3 of the flag bits in the tunnel configuration information, the source node device sets the corresponding value in the Flags field of the SRH of the SRv6 message and determines whether to enable the SLA function. If the value of bit 3 is 1, the function is enabled, and SLA information is added to the Optional TLV field of the SRH of the SRv6 message; if the value of bit 3 is 0, the function is not enabled, that is, the SLA information is not added.
Step 506, determining the first encryption information.
The source node device generates first encryption information according to the value in the HMAC TLV field (including preset source information (such as a target node address, addresses in segment list, etc.) and/or information added in the Optional TLV field (including tenant information, timestamp, and time interval information)), and adds the first encryption information to the HMAC TLV field of the SRv6 message SRH.
Step 507, determine the SRv6 message.
The source node device encapsulates the header of the SRv6 message and the service data of the message to generate the SRv6 message.
Step 508, send the SRv6 message.
The source node device distinguishes tunnels according to the tenant information, determines the tunnel transmission quality according to the SLA information, sends the SRv6 message to the target node device based on the distinguished tunnel and the tunnel transmission quality, and records the sending timestamp in the Optional TLV field.
Step 509, determine whether the time interval information is satisfied.
The target node device receives the SRv6 message sent by the source node device and records the receiving timestamp of the SRv6 message;
the target node device decrypts the SRv6 message to obtain its sending timestamp, then determines the transmission duration of the SRv6 message from the sending timestamp and the receiving timestamp; if the transmission duration is smaller than the preset time interval information, the SRv6 message is retained; otherwise, the SRv6 message is discarded.
Step 510, determining whether a verification condition is satisfied.
For an SRv6 message that satisfies the time interval information, the target node device determines, based on the tunnel configuration information, the to-be-configured information of the SRv6 message, that is, the information that should be added to the Optional TLV field, and then generates second encryption information in combination with the preset source information. It then determines whether the first encryption information is consistent with the second encryption information; if so, the SRv6 message is processed; otherwise, the SRv6 message is discarded.
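The flow of steps 502 to 510, as an added example that is not code from the patent: the source node fills the Flags field, the Optional TLV and the HMAC TLV, and the target node applies the time interval check and then compares the first and second encryption information. HMAC-SHA256, the bit order, the field widths other than the 16-bit tenant indication, and all addresses, keys and values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Flag bits 0-3 as assigned in the description; bit 0 = least significant is an assumption.
TENANT_ISOLATION, ANTI_REPLAY, AUTH, SLA = 0x01, 0x02, 0x04, 0x08

# Assumed 128-bit Optional TLV layout: tenant 16 | department 16 | SLA level 8 |
# padding 8 | time interval (microseconds) 16 | sending timestamp (microseconds) 64.
TLV_FMT = "!HHBxHQ"
TLV_SIZE = struct.calcsize(TLV_FMT)


@dataclass(frozen=True)
class TunnelConfig:
    """Constructed stand-in for the tunnel configuration information sent by the controller."""
    flags: int
    tenant: int
    department: int
    sla_level: int
    interval_us: int
    shared_key: bytes
    source: str
    target: str
    segment_list: tuple


def preset_source_info(cfg):
    """Target address, source address and every segment list address, 16 bytes each."""
    addrs = (cfg.target, cfg.source, *cfg.segment_list)
    return b"".join(ipaddress.IPv6Address(a).packed for a in addrs)


def build_srh_fields(cfg, send_ts_us):
    """Source node, steps 502-506. Returns (flags, optional_tlv, hmac_tlv_value)."""
    def on(bit):
        return bool(cfg.flags & bit)
    tlv = struct.pack(
        TLV_FMT,
        cfg.tenant if on(TENANT_ISOLATION) else 0,
        cfg.department if on(TENANT_ISOLATION) else 0,
        cfg.sla_level if on(SLA) else 0,
        cfg.interval_us if on(ANTI_REPLAY) else 0,
        send_ts_us if on(ANTI_REPLAY) else 0,
    )
    # First encryption information: keyed hash over preset source info and the TLV.
    tag = b""
    if on(AUTH):
        tag = hmac.new(cfg.shared_key, preset_source_info(cfg) + tlv, hashlib.sha256).digest()
    return cfg.flags, tlv, tag


def verify_srh_fields(cfg, flags, tlv, tag, recv_ts_us):
    """Target node, steps 509-510. Returns (accepted, reason)."""
    if flags != cfg.flags or len(tlv) != TLV_SIZE:
        return False, "flags or TLV length do not match tunnel configuration"
    send_ts_us = struct.unpack(TLV_FMT, tlv)[4]
    if flags & ANTI_REPLAY:
        duration = recv_ts_us - send_ts_us
        # The description keeps the message when duration < interval. Rejecting a
        # negative duration (timestamp in the future) is an added assumption.
        if not 0 <= duration < cfg.interval_us:
            return False, "outside time interval"
    if flags & AUTH:
        # Second encryption information: rebuilt from the target's own configuration
        # plus the carried timestamp, then compared in constant time.
        _, expected_tlv, second = build_srh_fields(cfg, send_ts_us)
        if expected_tlv != tlv:
            return False, "TLV differs from tunnel configuration"
        if not hmac.compare_digest(second, tag):
            return False, "HMAC mismatch"
    return True, "ok"


def demo():
    """Run the exchange on constructed values and return the verdict for each case."""
    cfg = TunnelConfig(flags=TENANT_ISOLATION | ANTI_REPLAY | AUTH | SLA,
                       tenant=0x0A01, department=7, sla_level=1, interval_us=2000,
                       shared_key=b"constructed-demo-key",
                       source="2001:db8::1", target="2001:db8::ff",
                       segment_list=("2001:db8::a", "2001:db8::b"))
    t0 = 1_700_000_000_000_000  # constructed sending time in microseconds
    flags, tlv, tag = build_srh_fields(cfg, t0)
    other = struct.pack(TLV_FMT, 0x0B02, 7, 1, 2000, t0)  # another tenant's indication
    return {
        "fresh": verify_srh_fields(cfg, flags, tlv, tag, t0 + 1000),      # 1 ms < 2 ms
        "late": verify_srh_fields(cfg, flags, tlv, tag, t0 + 5000),       # 5 ms > 2 ms
        "other_tenant": verify_srh_fields(cfg, flags, other, tag, t0 + 1000),
        "bad_tag": verify_srh_fields(cfg, flags, tlv, bytes(32), t0 + 1000),
        "copy_in_window": verify_srh_fields(cfg, flags, tlv, tag, t0 + 1500),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

The `copy_in_window` case is accepted because a timestamp check bounds how long a captured message stays valid but does not distinguish a second copy received inside the interval; the interval therefore sets the residual replay window and depends on the NTP synchronization the description mentions.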
In the embodiment of the invention, through the tenant isolation function, different tenants, and even different departments within a tenant, establish links in separate isolated tunnels. Each tunnel is invisible to the other tunnels, and data transmitted within a tenant is visible only inside its tunnel. This satisfies data transmission between a user's headquarters and branch offices, ensures that the data in the tunnel cannot be detected by other tenants, and further improves the security of SRv6 message transmission.
Through the authentication mechanism function, whether the version information of the devices at the two ends is compatible is confirmed before the tunnel is established, that is, whether the source node device and the target node device are suitable for establishing a tunnel link and whether each device is a legitimate device for establishing the tunnel, so that the security of SRv6 message transmission is ensured.
Through the anti-replay function, the timestamp is verified on the target node device and a forged packet is discarded before being received, which saves the resources of the target node device, prevents forged packets from being received, and improves the security of SRv6 message transmission.
Through the SLA function, network quality levels are distinguished, and tunnel transmission quality is distinguished accordingly, so that users with higher requirements for network quality are served, and idle lines are scheduled preferentially for high-quality requirements when the network is congested. While ensuring the minimum network quality requirement of ordinary users, the SLA function flexibly changes and customizes the network requirements of different users, which improves the flexibility of SRv6 message transmission.
Based on the same technical concept, fig. 6 exemplarily shows a schematic structural diagram of a tunneling apparatus based on a software-defined wide area network according to an embodiment of the present invention, and the tunneling apparatus may execute a flow of a tunneling method based on a software-defined wide area network.
As shown in fig. 6, the apparatus specifically includes:
a first obtaining module 610, configured to receive tunnel configuration information sent by a controller;
a first processing module 620, configured to set a tenant isolation flag in a segment routing header of the SRv6 packet and set tenant information in a TLV optional field of the segment routing header when it is determined that a tenant isolation function is set in the tunnel configuration information;
and transmitting the SRv6 message to a target node device through a tunnel.
Optionally, the first processing module 620 is further configured to:
when the tunnel configuration information is determined to be provided with the anti-replay function, setting an anti-replay flag bit in a segment routing header of an SRv6 message and setting a sending timestamp and time interval information in a TLV optional field of the segment routing header; the sending timestamp and the time interval information are used for the target node device to discard the SRv6 message when determining that the SRv6 message is a replay-prevention message.
Optionally, the first processing module 620 is further configured to:
when the tunnel configuration information is determined to be provided with the authentication mechanism function, an authentication mechanism flag bit is set in a segment routing header of the SRv6 message, and first encryption information aiming at the TLV optional field is set in an HMAC TLV field of the segment routing header; the first encryption information is used for the target node device to authenticate the SRv6 message.
Optionally, the first processing module 620 is further configured to:
setting service level agreement (SLA) information in the TLV optional field of the segment routing header when determining that the tunnel configuration information is provided with the service level flag bit; the SLA information is used to provide the SRv6 message with the quality of tunnel transmission that meets the SLA information.
Optionally, the tenant information includes a tenant indication and a department indication;
the tenant information further includes at least one of the following information: administrative region instructions, country instructions, and operator instructions.
Based on the same technical concept, fig. 7 exemplarily shows a schematic structural diagram of a tunneling apparatus based on a software-defined wide area network according to an embodiment of the present invention, and the tunneling apparatus may execute a flow of a tunneling method based on a software-defined wide area network.
As shown in fig. 7, the apparatus specifically includes:
a second obtaining module 710, configured to receive an SRv6 message sent by a source node device;
a second processing module 720, configured to determine that a segment routing header of the SRv6 packet is provided with a tenant isolation flag and an authentication mechanism flag, and a TLV optional field of the segment routing header is provided with tenant information and first encryption information;
when the first encryption information is determined to be consistent with the second encryption information, processing the SRv6 message; the second encryption information is generated by the target node device based on the tunnel configuration information sent by the controller.
Optionally, the second processing module 720 is further configured to:
determining that an anti-replay flag bit is set in a segment routing header of the SRv6 message and a sending timestamp and time interval information are set in a TLV optional field of the segment routing header;
and determining the transmission time length between the receiving time stamp and the sending time stamp of the SRv6 message, and processing the SRv6 message when the transmission time length meets the time interval information.
Based on the same technical concept, fig. 8 exemplarily shows a schematic structural diagram of a tunneling apparatus based on a software-defined wide area network according to an embodiment of the present invention, and the tunneling apparatus may execute a flow of a tunneling method based on a software-defined wide area network.
As shown in fig. 8, the apparatus specifically includes:
a receiving module 810, configured to receive a tenant isolation indication set by a user;
a generating module 820, configured to generate tunnel configuration information carrying a tenant isolation function based on the tenant isolation instruction, and send the tunnel configuration information to the source node device and the destination node device, respectively.
Optionally, the generating module 820 is further configured to:
and generating tunnel configuration information carrying the anti-replay function and/or the authentication mechanism function based on the anti-replay indication and/or the authentication mechanism indication of the user.
Based on the same technical concept, an embodiment of the present invention further provides a computer device, including:
a memory for storing program instructions;
and the processor is used for calling the program instructions stored in the memory and executing the tunneling method based on the software-defined wide area network according to the obtained program.
Based on the same technical concept, the embodiment of the present invention further provides a computer-readable storage medium, where computer-executable instructions are stored, and the computer-executable instructions are configured to enable a computer to execute the tunneling method based on the software-defined wide area network.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (14)

1. A tunneling method based on a software-defined wide area network (WAN), which is applicable to the IPv6 forwarding plane based segment routing (SRv6) bearer protocol, and comprises the following steps:
the source node equipment receives the tunnel configuration information sent by the controller;
when determining that the tunnel configuration information is provided with a tenant isolation function, the source node device sets a tenant isolation flag bit in a segment routing header of an SRv6 message and sets tenant information in a TLV optional field of the segment routing header;
and the source node equipment transmits the SRv6 message to the target node equipment through a tunnel.
2. The method of claim 1, further comprising:
when determining that the tunnel configuration information is provided with an anti-replay function, the source node device sets an anti-replay flag bit in a segment routing header of an SRv6 message and sets a sending timestamp and time interval information in a TLV optional field of the segment routing header; the sending timestamp and the time interval information are used for the target node device to discard the SRv6 message when determining that the SRv6 message is a replay-prevention message.
3. The method of claim 1 or 2, further comprising:
when determining that the tunnel configuration information is provided with an authentication mechanism function, the source node device sets an authentication mechanism flag bit in a segment routing header of an SRv6 message and sets first encryption information for the TLV optional field in an HMAC TLV field of the segment routing header; the first encryption information is used for the target node device to authenticate the SRv6 message.
4. The method of claim 3, further comprising:
when the source node equipment determines that the tunnel configuration information is provided with a service level flag bit, service level agreement SLA information is set in a TLV optional field of the segmented routing header; the SLA information is used to provide the SRv6 message with the quality of tunnel transmission that meets the SLA information.
5. The method of claim 4, wherein the tenant information comprises a tenant indication and a department indication;
the tenant information further includes at least one of the following information: administrative region instructions, country instructions, and operator instructions.
6. A tunneling method based on a software-defined wide area network (WAN), which is applicable to the IPv6 forwarding plane based segment routing (SRv6) bearer protocol, and comprises the following steps:
the target node device receives the SRv6 message sent by the source node device;
the target node device determines that a segment routing header of the SRv6 message is provided with a tenant isolation flag bit and an authentication mechanism flag bit, and a TLV optional field of the segment routing header is provided with tenant information and first encryption information;
when the target node equipment determines that the first encryption information is consistent with the second encryption information, processing the SRv6 message; the second encryption information is generated by the target node device based on the tunnel configuration information sent by the controller.
7. The method of claim 6, further comprising:
the target node equipment determines that a segment routing header of the SRv6 message is provided with a replay-preventing flag bit and a TLV optional field of the segment routing header is provided with a sending timestamp and time interval information;
and the target node equipment determines the transmission time length between the receiving time stamp of the SRv6 message and the sending time stamp, and processes the SRv6 message when the transmission time length meets the time interval information.
8. A tunneling method based on a software-defined wide area network (WAN), which is applicable to the IPv6 forwarding plane based segment routing (SRv6) bearer protocol, and comprises the following steps:
the controller receives a tenant isolation indication set by a user;
and the controller generates tunnel configuration information carrying the tenant isolation function based on the tenant isolation indication and respectively sends the tunnel configuration information to the source node equipment and the target node equipment.
9. The method of claim 8, further comprising:
the controller generates tunnel configuration information carrying an anti-replay function and/or an authentication mechanism function based on an anti-replay indication and/or an authentication mechanism indication of a user.
10. A tunneling device based on a software-defined wide area network (WAN), characterized in that the tunneling device is applicable to the IPv6 forwarding plane based segment routing (SRv6) bearer protocol, and the tunneling device comprises:
the first acquisition module is used for receiving the tunnel configuration information sent by the controller;
a first processing module, configured to set a tenant isolation flag in a segment routing header of the SRv6 packet and set tenant information in a TLV optional field of the segment routing header when determining that a tenant isolation function is set in the tunnel configuration information;
and transmitting the SRv6 message to a target node device through a tunnel.
11. A tunneling device based on a software-defined wide area network (WAN), characterized in that the tunneling device is applicable to the IPv6 forwarding plane based segment routing (SRv6) bearer protocol, and the tunneling device comprises:
the second obtaining module is used for receiving the SRv6 message sent by the source node device;
a second processing module, configured to determine that a segment routing header of the SRv6 packet is provided with a tenant isolation flag and an authentication mechanism flag, and a TLV optional field of the segment routing header is provided with tenant information and first encryption information;
when the first encryption information is determined to be consistent with the second encryption information, processing the SRv6 message; the second encryption information is generated by the target node device based on the tunnel configuration information sent by the controller.
12. A tunneling device based on a software-defined wide area network (WAN), characterized in that the tunneling device is applicable to the IPv6 forwarding plane based segment routing (SRv6) bearer protocol, and the tunneling device comprises:
the receiving module is used for receiving a tenant isolation indication set by a user;
and the generation module is used for generating tunnel configuration information carrying the tenant isolation function based on the tenant isolation indication and respectively sending the tunnel configuration information to the source node equipment and the target node equipment.
13. A computer device, comprising:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory to perform the method of any one of claims 1 to 5, 6 to 7 or 8 to 9 in accordance with the obtained program.
14. A computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform the method of any one of claims 1 to 5, 6 to 7 or 8 to 9.
CN202111632725.9A 2021-12-29 2021-12-29 Tunnel transmission method and device based on software defined wide area network Pending CN114520751A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111632725.9A CN114520751A (en) 2021-12-29 2021-12-29 Tunnel transmission method and device based on software defined wide area network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111632725.9A CN114520751A (en) 2021-12-29 2021-12-29 Tunnel transmission method and device based on software defined wide area network

Publications (1)

Publication Number Publication Date
CN114520751A true CN114520751A (en) 2022-05-20

Family

ID=81596390

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111632725.9A Pending CN114520751A (en) 2021-12-29 2021-12-29 Tunnel transmission method and device based on software defined wide area network

Country Status (1)

Country Link
CN (1) CN114520751A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104067565A (en) * 2012-01-20 2014-09-24 思科技术公司 Connectivity system for multi-tenant access networks
WO2020063500A1 (en) * 2018-09-29 2020-04-02 华为技术有限公司 Method, device, and system for obtaining information of srv6 tunnel
CN113691448A (en) * 2020-05-18 2021-11-23 华为技术有限公司 SRv6 method for forwarding message in service chain, SFF and SF device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
胡晓宇等: "云网IPv6实现技术分析", 电信科学, no. 1, 30 April 2020 (2020-04-30) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115499392A (en) * 2022-08-22 2022-12-20 中国电信股份有限公司 Tenant isolation service method and device, and electronic equipment
CN115549983A (en) * 2022-09-14 2022-12-30 电子科技大学 Safety authentication device and method of IPv6 network transmission equipment based on time synchronization
CN116248507A (en) * 2023-05-05 2023-06-09 北京全路通信信号研究设计院集团有限公司 Comprehensive bearing-oriented railway communication bearing network slice dividing method and system
CN116248507B (en) * 2023-05-05 2023-09-01 北京全路通信信号研究设计院集团有限公司 Comprehensive bearing-oriented railway communication bearing network slice dividing method and system

Similar Documents

Publication Publication Date Title
CN114520751A (en) Tunnel transmission method and device based on software defined wide area network
US11050664B2 (en) Encapsulation method, device and node
CN101099320B (en) Clock-based replay protection
EP3633949B1 (en) Method and system for performing ssl handshake
CN106878199B (en) Configuration method and device of access information
CN107135190B (en) Data flow attribution identification method and device based on transport layer secure connection
US20190166042A1 (en) Method for data transmitting, centralized controller, forwarding plane device and communication apparatus
CN112637183B (en) Data message transmission method and device
US20190068762A1 (en) Packet Parsing Method and Device
US20140115154A1 (en) Linked Identifiers for Multiple Domains
US7237113B2 (en) Keyed authentication rollover for routers
CN116527405B (en) SRV6 message encryption transmission method and device and electronic equipment
CN112291072A (en) Secure video communication method, device, equipment and medium based on management plane protocol
CN109167774B (en) Data message and data stream safety mutual access method on firewall
CN108965309B (en) Data transmission processing method, device, system and equipment
CN109195160B (en) Tamper-proof storage system of network equipment resource detection information and control method thereof
CN104219160A (en) Method and device for generating input parameter
CN107426452B (en) Internet call method and device
CN113055535B (en) Method and system for generating 5G end-to-end call ticket
CN117375838A (en) Verification method, terminal device, network device and medium
CN108055262A (en) Video conference terminal register method, terminal and gatekeeper
CN114884667A (en) Communication authentication method, device and storage medium
CN106067864B (en) Message processing method and device
CN106506495B (en) Terminal online control method and device
CN117240900B (en) Block chain node discovery and networking method and device based on software defined network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination