CN116827651A - Communication security protection method, device, computer equipment and storage medium - Google Patents


Info

Publication number
CN116827651A
Authority
CN
China
Prior art keywords
target message
message
target
data
field
Prior art date
Legal status
Pending
Application number
CN202310833453.1A
Other languages
Chinese (zh)
Inventor
杨顺兴
王志中
尹远阳
苏立桐
Current Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Technology Innovation Center, China Telecom Corp Ltd
Priority to CN202310833453.1A
Publication of CN116827651A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The application discloses a communication security protection method, a communication security protection device, computer equipment and a storage medium. The method can be applied to the technical field of data communication and specifically comprises the following steps: the head node receives first check data sent by the controller, where the controller sends the first check data only after the security check of the head node has passed; the head node adds the first check data to the target message and sends the target message along the message sending path. The first check data is used by each intermediate forwarding node other than the head node in the message sending path to verify, based on the verification information and the first check data, whether the target message is legal.

Description

Communication security protection method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of data communications technologies, and in particular, to a communication security protection method, a device, a computer device, and a storage medium.
Background
SRv6 (Segment Routing over IPv6) is a source routing technology with path programmability. It reuses the existing IPv6 forwarding technology and is implemented through flexible IPv6 extension headers.
In order to realize SRv6 on the IPv6 forwarding plane, a new IPv6 extension header, the SRH (Segment Routing Header), is added, and the explicit path of the IPv6 packet is stored in the Segment List of the SRH, so that the forwarding path becomes controllable.
However, because SRv6 is based on source routing, it carries an unavoidable security threat: if a malicious attack message is constructed at the head node, for example an SRv6 Policy tunnel that forms a loop, the intermediate forwarding nodes it passes through become severely congested and the network is paralyzed.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a communication security protection method, apparatus, computer device and storage medium capable of performing a security check on a forwarded message.
In a first aspect, the present application provides a communication security protection method, applied to a head node in a message sending path of a target message, the method comprising:
receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of a head node is passed;
adding the first check data to the target message, and sending the target message based on the message sending path after adding the first check data;
the first check data are used for each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the safety check.
In one embodiment, the first verification data includes contrast data and encrypted data obtained by encrypting the contrast data, and the verification information includes a decryption key for decrypting the encrypted data.
In one embodiment, the target message is an SRv6 message, and adding the first check data to the target message includes:
adding the first check data to the segment routing extension header SRH of the target message.
In one embodiment, the SRH includes a target field, the target field includes a contrast field and an encryption field, and adding the first check data to the segment routing extension header SRH of the target message includes:
loading the contrast data into the contrast field and the encrypted data into the encryption field.
In one embodiment, the target field further comprises a forwarding mode check field, and the method further comprises:
before sending a target message, determining a forwarding mode of the target message according to an address segment list in the SRH, and configuring a value of a forwarding mode check field according to the forwarding mode;
wherein the forwarding mode includes a BE mode or a non-BE mode.
In one embodiment, determining the forwarding mode of the target message according to the address segment list in the SRH includes:
if the forwarding path exists in the address segment list, the forwarding mode of the target message is a non-BE mode;
if the forwarding path does not exist in the address segment list, the forwarding mode of the target message is a BE mode.
In one embodiment, the target field further comprises at least one of the following fields:
a length indication field for indicating a field length of the target field;
and a reserved field for adding the newly added content.
In a second aspect, the present application provides another communication security protection method, applied to an intermediate forwarding node in a message sending path of a target message, where the method includes:
receiving a target message sent by a previous node, and acquiring first check data from the target message;
determining whether the target message is legal or not according to the verification information and the first check data; the verification information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
In one embodiment, the verification information includes a decryption key, and determining whether the target message is legal according to the verification information and the first verification data includes:
decrypting the encrypted data included in the first verification data according to the decryption key;
determining whether the decryption result is consistent with the comparison data in the first check data;
and under the condition of coincidence, determining that the target message is legal, and under the condition of non-coincidence, determining that the target message is illegal.
In one embodiment, after determining whether the target message is legal, the method further includes:
under the condition that the target message is legal, executing a message processing flow on the target message, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message;
and discarding the target message under the condition that the target message is illegal.
In one embodiment, the method further comprises:
if the first check data is not successfully obtained from the target message, determining that the target message is illegal.
In one embodiment, the target message is an SRv6 message, and obtaining the first check data from the target message includes:
acquiring the first check data from the segment routing extension header SRH of the target message.
In one embodiment, the SRH includes a target field, the target field includes a comparison field and an encryption field, and obtaining the first check data from the segment routing extension header SRH of the target message includes:
extracting the contrast data from the contrast field and the encrypted data from the encryption field.
In one embodiment, the target field further includes a forwarding mode check field, and determining whether the target packet is legal according to the verification information and the first check data includes:
and executing the step of determining whether the target message is legal or not according to the verification information and the first verification data under the condition that the value of the forwarding mode verification field indicates that the forwarding mode of the target message is a non-BE mode.
In one embodiment, the method further comprises:
and under the condition that the value of the forwarding mode check field indicates that the forwarding mode of the target message is the BE mode, directly executing a message processing flow on the target message, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message.
In one embodiment, the target field further comprises at least one of the following fields:
a length indication field for indicating a field length of the target field;
and a reserved field for adding the newly added content.
In a third aspect, the present application provides a communication security protection method, applied to a controller, the method comprising:
under the condition that the safety check of the head node in the message sending path of the target message is confirmed to pass, first check data are sent to the head node;
and sending the verification information to the intermediate forwarding node.
In one embodiment, the first verification data includes contrast data and encrypted data.
In a fourth aspect, the present application provides a communication security protection apparatus, applied to a head node in a message transmission path of a target message, the apparatus comprising:
the first receiving module is used for receiving first check data sent by the controller, wherein the first check data is sent by the controller under the condition that the security check of the head node is passed;
the adding module is used for adding the first check data into the target message and sending the target message based on the message sending path after the first check data is added;
the first check data are used for each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the safety check.
In a fifth aspect, the present application provides another communication security protection apparatus, applied to an intermediate forwarding node in a message transmission path of a target message, the apparatus comprising:
the second receiving module is used for receiving a target message sent by a previous node and acquiring first check data from the target message;
the determining module is used for determining whether the target message is legal or not according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
In a sixth aspect, the present application provides a communications security apparatus for use in a controller, the apparatus comprising:
the first sending module is used for sending first check data to the head node under the condition that the head node in the message sending path of the target message is confirmed to pass the safety check;
and the second sending module is used for sending the verification information to the intermediate forwarding node.
In a seventh aspect, the present application also provides a computer device, where the computer device includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the communication security protection method described above when executing the computer program.
In an eighth aspect, the present application further provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the communication security protection method described above.
In a ninth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the communication security protection method described above.
The communication security protection method is applied to the head node in the message sending path of the target message. The head node receives first check data sent by the controller, where the controller sends the first check data only after the security check of the head node has passed; the head node adds the first check data to the target message and sends the target message along the message sending path. The first check data is used by each intermediate forwarding node other than the head node in the message sending path to verify, based on the verification information and the first check data, whether the target message is legal, where the controller sends the verification information to the intermediate forwarding nodes under the same condition. The method can therefore verify the validity of the target message from the first check data and the verification information, accurately identify illegal attack messages, and avoid the message sending path being blocked and the network being paralyzed.
Drawings
Fig. 1 is an application environment diagram of a communication security protection method provided in this embodiment;
fig. 2 is a flow chart of a first communication security protection method provided in this embodiment;
fig. 3 is a flow chart of a second communication security protection method provided in this embodiment;
fig. 4 is a flow chart of a third communication security protection method provided in the present embodiment;
fig. 5 is a schematic flow chart of determining whether a target message is legal or not according to the embodiment;
fig. 6 is a flow chart of a fourth communication security protection method provided in the present embodiment;
fig. 7 is a flow chart of a fifth communication security protection method provided in the present embodiment;
fig. 8 is a flow chart of a sixth communication security protection method provided in this embodiment;
fig. 9 is a flow chart of a seventh communication security protection method provided in this embodiment;
fig. 10 is a block diagram of a first communication safety device according to the present embodiment;
fig. 11 is a block diagram of a second communication safety device according to the present embodiment;
fig. 12 is a block diagram of a third communication safety device according to the present embodiment;
fig. 13 is an internal structural diagram of the computer device provided in the present embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The communication security protection method provided by the embodiment of the application can be applied to an application environment shown in figure 1. The controller 102 constructs a message sending path 104 for the target message according to the user requirement and the target address of the target message by using the collected network topology, and takes the message sending path 104 in fig. 1 as an example, where the message sending path includes a head node R1, an intermediate forwarding node R2, an intermediate forwarding node R3 and an intermediate forwarding node R4. In the present application, a head node R1 receives first check data sent by a controller 102, where the first check data is sent by the controller 102 when the security check of the head node passes, adds the first check data to a target packet, and sends the target packet based on a packet sending path after adding the first check data, where the first check data is used for each intermediate forwarding node (such as R2, R3, R4, etc. in fig. 1) except the head node R1 in the packet sending path to verify whether the target packet is legal or not based on verification information and the first check data, where the verification information is sent by the controller to the intermediate forwarding node when the security check of the head node passes.
The controller 102 gathers the network topology through BGP-LS, a newer way of collecting network topology. The controller 102 may be, but is not limited to, an SRv6 controller. If the controller 102 is an SRv6 controller, the message sending path may be an SRv6 Policy tunnel.
SRv6 (Segment Routing over IPv6, that is, segment routing based on the IPv6 forwarding plane) is simply SR (Segment Routing) + IPv6, a new generation of IP bearer protocol. It adopts the existing IPv6 forwarding technology and realizes network programming through a flexible IPv6 extension header.
In the application, the message sending path 104 for the target message is constructed according to the user requirement and the target address of the target message. One optional way is to construct the message sending path 104 for the target message according to requirements such as minimum delay or shortest path together with the target address of the target message.
A message is a data unit exchanged and transmitted in the network, that is, a block of data sent by a station at one time. A message contains the complete data to be sent; messages are of variable length and there is no fixed upper bound on that length.
In one embodiment, fig. 2 is a flow chart of a communication security protection method according to an embodiment of the present application, where the method is applied to a head node in a message sending path of a target message, and the method is illustrated by taking the application of the method to the head node R1 in fig. 1 as an example, and the method includes the following steps:
S201, receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of the head node is passed.
In general terms, a controller is a master device that controls the starting, speed regulation, braking and reversing of a motor by changing the wiring of a main circuit or a control circuit and changing the resistance value in the circuit according to a preset sequence; in the present application it at least has the function of sending first check data to the head node of the message sending path. The first check data refers to check data used, after the target message has been forwarded, to verify whether the target message is legal. The head node is the first node of the message sending path; it is a communication device configured to forward the target message to the next intermediate forwarding node according to the message sending path. An intermediate forwarding node is an intermediate node in the message sending path and is also a communication device.
Optionally, in this embodiment, the head node receives, through the communication interface, first check data sent by the controller, where the first check data is sent by the controller when the security check of the head node passes.
The security check performed by the controller on the head node includes checking whether the head node has been hijacked, that is, whether the head node is maliciously controlled by another controller; if the check shows the head node is not maliciously controlled, the head node passes the security check.
S202, adding the first check data into the target message, and sending the target message based on the message sending path after adding the first check data.
The first check data are used for each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the safety check. The target message refers to a message to be forwarded.
An alternative implementation manner of this embodiment is as follows: and adding the first check data into a message header or a message body of the target message, and transmitting the target message to a next node in the message transmission path based on the message transmission path after adding the first check data.
It should be noted that, if the first check data is added to the header or the body of the target message, it is preferable to add an identification field in the header or the body, where the identification field mainly plays a role in identification, and is used to identify the position of the first check data in the header or the body, so as to facilitate the subsequent extraction of the first check data from the header or the body.
Another alternative implementation of this embodiment is: and adding a target field in the target message, adding the first check data into the target field in the target message, and transmitting the target message based on a message transmission path after adding the first check data.
In the method, the head node receives first check data sent by the controller, where the controller sends the first check data only after the security check of the head node has passed; the head node adds the first check data to the target message and sends the target message along the message sending path after the first check data has been added. The first check data enables every intermediate forwarding node other than the head node in the message sending path to verify, based on the verification information and the first check data, whether the target message is legal, where the controller sends the verification information to the intermediate forwarding nodes under the condition that the security check of the head node has passed.
In one embodiment, the first verification data includes contrast data and encrypted data obtained by encrypting the contrast data, and the corresponding verification information includes a decryption key for decrypting the encrypted data.
The comparison data is ordinary data randomly generated by the controller, for example a character string made up of numerals and codes. It should be noted that, in order to save network resources, the comparison data for all messages to be forwarded over the same message sending path may be the same; it is not necessary to randomly generate comparison data for every message entering the message forwarding path, which saves network and controller resources. The encrypted data is the data obtained by encrypting the comparison data. The decryption key is a key that can decrypt the encrypted data, and may be referred to as the private key in the present application.
The method for encrypting the comparison data can be as follows: and (3) encrypting the contrast data by using an encryption key (namely a public key) and a HASH algorithm to obtain encrypted data.
In this embodiment, the first verification data includes the comparison data and the encrypted data obtained after encrypting the comparison data, and the verification information includes the decryption key for decrypting the encrypted data.
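The exchange just described, as an added example that is not part of the patent text: a controller issues first check data (comparison data plus its encrypted form) to a head node and a decryption key to the intermediate nodes, the head node adds the check data to the packet, and an intermediate node decrypts the encrypted data and compares the result with the comparison data. The page names only "an encryption key (namely a public key) and a HASH algorithm"; this example substitutes textbook RSA over two fixed Mersenne primes with a truncated SHA-256 digest so that it runs offline with the standard library, which is an assumption, as are the toy key sizes, the role and field names, and the fail-closed handling of a node that never received verification information.

```python
import hashlib
import secrets

# Added example, not the patent's own code. Three roles from the description:
# controller (issues first check data and the decryption key), head node (adds
# the check data to the packet), intermediate node (decrypts and compares).
# Textbook RSA over fixed Mersenne primes stands in for the page's "encryption
# key and HASH algorithm" (assumption; toy parameters, illustration only).

P = (1 << 61) - 1            # 2^61 - 1, prime
Q = (1 << 89) - 1            # 2^89 - 1, prime
N = P * Q                    # ~150-bit modulus
DECRYPTION_KEY = 65537       # the page's "decryption key", given to intermediate nodes
ENCRYPTION_KEY = pow(DECRYPTION_KEY, -1, (P - 1) * (Q - 1))   # kept by the controller
ENC_LEN = 19                 # bytes needed to hold any value below N


def digest(comparison: bytes) -> int:
    """Hash of the comparison data, truncated to 128 bits so it is below N."""
    return int.from_bytes(hashlib.sha256(comparison).digest()[:16], "big")


class Controller:
    """Generates the comparison data once per sending path, as the text allows."""

    def __init__(self) -> None:
        self.comparison = secrets.token_bytes(8)      # random string (constructed)
        encrypted_int = pow(digest(self.comparison), ENCRYPTION_KEY, N)
        self.encrypted = encrypted_int.to_bytes(ENC_LEN, "big")

    def first_check_data(self, head_node_passed: bool):
        """Sent to the head node only after its security check passed."""
        return (self.comparison, self.encrypted) if head_node_passed else None

    def verification_info(self, head_node_passed: bool):
        """Sent to the intermediate nodes under the same condition."""
        return (DECRYPTION_KEY, N) if head_node_passed else None


def head_node_build_packet(first_check_data, payload: bytes) -> dict:
    """Head node adds the first check data to the target packet before sending."""
    comparison, encrypted = first_check_data
    return {"payload": payload, "comparison": comparison, "encrypted": encrypted}


def intermediate_node_is_legal(packet: dict, verification_info) -> bool:
    """Decrypt-and-compare step: True means process/forward, False means discard."""
    if verification_info is None:
        return False      # no key to check against: fail closed (assumption, not on the page)
    if "comparison" not in packet or "encrypted" not in packet:
        return False      # first check data not obtainable: illegal, per the description
    key, modulus = verification_info
    recovered = pow(int.from_bytes(packet["encrypted"], "big"), key, modulus)
    return recovered == digest(packet["comparison"])


if __name__ == "__main__":
    ctrl = Controller()
    pkt = head_node_build_packet(ctrl.first_check_data(True), b"payload")
    print(intermediate_node_is_legal(pkt, ctrl.verification_info(True)))   # True
```

Because the comparison data travels in the clear next to its encrypted form, the check only proves that the encrypted field was produced with the controller's key; reusing one comparison value for a whole path, as the text permits, means every packet on that path carries the same pair, so the check distinguishes controller-issued check data from absent or mismatched check data rather than authenticating each packet individually.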
On the basis of the above embodiment, the target message of the present application may be an SRv6 message, and on this basis adding the first check data to the target message optionally includes:
adding the first check data to the segment routing extension header SRH of the target message.
The segment routing extension header SRH is the IPv6 extension header that has to be added in order to realize SRv6 on the IPv6 forwarding plane; it generally includes fields such as Next Header, Hdr Ext Len, Routing Type, Segments Left, Last Entry, Flags, Tag and Segment List.
Specifically, a target field may be newly added to the SRH, as shown in table 1, where the target field includes a comparison field and an encryption field, and on this basis the first check data is added to the segment routing extension header SRH of the target message. Optionally, the contrast data is loaded into the contrast field and the encrypted data is loaded into the encryption field.
TABLE 1
The target field is a field newly added in the SRH for checking whether the target message is legal, and the target field may be a TLV field. In addition to the above-described contrast field and encryption field, as shown in fig. 3, the target field may further include at least: a length indication field for indicating a field length of the target field; a reserved field for adding newly added content; and a content type field for characterizing the overall content of the target field. Wherein, the reserved field refers to that when the content needs to be added (for example, the content is newly added), the newly added content can be added into the reserved field without adding the newly added field.
In this embodiment, when the target message is an SRv6 message, the first check data can be quickly and accurately added to the contrast field and the encryption field of the target field in the segment routing extension header SRH of the SRv6 message.
Based on the above embodiment, an optional implementation manner of the communication security protection method includes: the target field further includes a forwarding mode check field, and before the target message is sent, a forwarding mode of the target message is determined according to the address field list in the SRH, and a value of the forwarding mode check field is configured according to the forwarding mode.
The forwarding mode check field refers to a field for characterizing a forwarding mode of the target message, and a value of the forwarding mode check field may be represented by "0" or "1".
The forwarding mode includes a BE mode or a non-BE mode. The BE mode is the SRv6 BE mode, which is consistent with ordinary IP forwarding, so the attack problem described above does not arise for the target message. If a subsequent intermediate forwarding node finds that the forwarding mode of the target message is the BE mode, it can send the target message directly to the next node without checking the first check data in the target message. The non-BE mode means that the forwarding mode of the target message does not belong to the SRv6 BE mode; if a subsequent intermediate forwarding node finds that the forwarding mode of the target message is the non-BE mode, the first check data in the target message needs to be verified. If the forwarding mode is the BE mode, the head node configures the value of the forwarding mode check field in the target field to '1', and if the forwarding mode is the non-BE mode, the head node configures it to '0', so that subsequent intermediate forwarding nodes can determine the forwarding mode of the target message from the value of the forwarding mode check field.
In this embodiment, the method for determining the forwarding mode of the target message by the head node according to the address field list in the SRH is as follows:
if the address Segment List (namely the Segment List in the SRH) has a forwarding path, the forwarding mode of the target message is a non-BE mode;
if there is no forwarding path or no address Segment List in the address Segment List (i.e. Segment List in SRH), the forwarding mode of the target message is BE mode.
The target field in this embodiment further includes a forwarding mode check field, and before the target message is sent, the forwarding mode of the target message is determined according to the address segment list in the SRH, and the value of the forwarding mode check field is configured according to the forwarding mode. From the value of the forwarding mode check field, subsequent intermediate forwarding nodes can readily determine the forwarding mode of the target message; if the forwarding mode is the BE mode, the target message is treated as legal and the first check data need not be checked, which improves the efficiency of checking the target message.
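A possible encoding of the target field, and the intermediate-node rules the text gives for it (BE mode processed without a check, a missing or malformed target field treated as illegal, non-BE mode checked against the first check data), as an added example that is not the patent's own code. Table 1 is not reproduced on this page, so the TLV type value, the byte widths and the field order below are assumptions; the decrypt-and-compare step itself is injected as a `verify` callable so that this block stands on its own, and `toy_verify` is a constructed stand-in for it.

```python
# Added example, not the patent's code. Encodes/decodes an assumed layout for
# the "target field" TLV added to the SRH and applies the intermediate-node
# decision rules from the description.
#
# Assumed layout: type(1) | length(1) | forwarding-mode check(1)
#                 | comparison length(1) | comparison
#                 | encrypted length(1) | encrypted | reserved (whatever remains)

TARGET_TLV_TYPE = 0xE0   # assumed value; not on the page
FWD_MODE_BE = 1          # page: head node sets '1' for BE mode
FWD_MODE_NON_BE = 0      # page: '0' for non-BE mode


def forwarding_mode(segment_list) -> int:
    """Page's rule: a forwarding path in the Segment List means non-BE;
    an empty or absent Segment List means BE."""
    return FWD_MODE_NON_BE if segment_list else FWD_MODE_BE


def build_target_tlv(comparison: bytes, encrypted: bytes, segment_list,
                     reserved: bytes = b"") -> bytes:
    """Head node side: configure the target field before the packet is sent."""
    body = (bytes([forwarding_mode(segment_list), len(comparison)]) + comparison
            + bytes([len(encrypted)]) + encrypted + reserved)
    if len(body) > 255:
        raise ValueError("target field exceeds the one-byte length indication")
    return bytes([TARGET_TLV_TYPE, len(body)]) + body


def parse_target_tlv(tlv: bytes):
    """Intermediate node side: extract the fields, or None if the target field
    is absent or malformed (the text treats that as an illegal packet)."""
    if len(tlv) < 2 or tlv[0] != TARGET_TLV_TYPE:
        return None
    length = tlv[1]
    body = tlv[2:2 + length]
    if len(body) != length or length < 3:
        return None
    mode, cmp_len = body[0], body[1]
    enc_len_pos = 2 + cmp_len
    if enc_len_pos >= len(body):
        return None
    comparison = body[2:enc_len_pos]
    enc_len = body[enc_len_pos]
    enc_end = enc_len_pos + 1 + enc_len
    if enc_end > len(body):
        return None
    return {
        "forwarding_mode": mode,
        "comparison": comparison,
        "encrypted": body[enc_len_pos + 1:enc_end],
        "reserved": body[enc_end:],
    }


def intermediate_node_action(tlv: bytes, verify) -> str:
    """Return 'forward' (run the packet processing flow) or 'discard'.
    verify(comparison, encrypted) -> bool stands in for the decrypt-and-compare
    step so this block does not depend on a particular cipher."""
    fields = parse_target_tlv(tlv)
    if fields is None:
        return "discard"          # first check data could not be obtained
    if fields["forwarding_mode"] == FWD_MODE_BE:
        return "forward"          # BE mode: no check of the first check data
    return "forward" if verify(fields["comparison"], fields["encrypted"]) else "discard"


def toy_verify(comparison: bytes, encrypted: bytes) -> bool:
    """Constructed stand-in for the real check: 'encrypted' is the reversed comparison data."""
    return encrypted == comparison[::-1]


if __name__ == "__main__":
    tlv = build_target_tlv(b"abcd", b"dcba", ["2001:db8::2", "2001:db8::3"])   # constructed
    print(intermediate_node_action(tlv, toy_verify))   # forward
```

One point worth noting from the decision rule: because the forwarding mode check field is set by the head node and read by the intermediate nodes without itself being covered by the comparison/encryption pair, a node that sees `FWD_MODE_BE` skips the check entirely, so a deployment would want the mode bit to be consistent with the actual Segment List rather than trusted on its own.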
In one embodiment, as shown in fig. 3, a communication security protection method is applied to a head node in a message sending path of a target message, and an optional implementation manner includes:
S301, receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of the head node is passed. The first check data comprises comparison data and encrypted data obtained by encrypting the comparison data. The first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal based on verification information and the first check data, and the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check. The verification information includes a decryption key for decrypting the encrypted data.
S302, loading the comparison data into the comparison field of the target field in the segment routing extension header SRH, and loading the encrypted data into the encryption field of the target field in the SRH. The target message is an SRv6 message, and the target field comprises a forwarding mode check field used to represent the forwarding mode of the target message, where the forwarding mode is either the BE mode or the non-BE mode; a length indication field for indicating the field length of the target field; and a reserved field for adding newly added content.
S303, determining the forwarding mode of the target message according to the address segment list in the SRH, and configuring the value of the forwarding mode check field according to the forwarding mode. If a forwarding path exists in the address segment list, the forwarding mode of the target message is the non-BE mode; if no forwarding path exists in the address segment list, the forwarding mode of the target message is the BE mode.
S304, after the target field is configured, the target message is sent based on the message sending path.
The communication security protection method is applied to a head node in the message sending path of the target message. The first check data is sent by the controller under the condition that the head node passes the security check; the head node adds the first check data to the target message and sends the target message based on the message sending path after the first check data has been added. The first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal based on the verification information and the first check data, and the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check. The method can therefore effectively verify the validity of the target message based on the first check data and the verification information, accurately identify illegal attack messages, and avoid blocking of the message sending path and the resulting network paralysis.
In one embodiment, as shown in fig. 4, the method is applied to an intermediate forwarding node in the message sending path of the target message, and is described by taking as an example its application to the intermediate forwarding nodes R2, R3, and R4 in fig. 1. The method includes the following steps:
S401, receiving a target message sent by a previous node, and acquiring first check data from the target message.
Optionally, in this embodiment, a target message sent by a previous node is received, an identification field in the target message is determined, and the first check data is obtained from the identification field of the target message. The identification field is a field that serves as an identifier, and the first check data can be added at the identification field. The identification field may be added in the header or in the body of the message.
S402, determining whether the target message is legal or not according to the verification information and the first verification data. The authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
Optionally, the verification information is matched with the first verification data, if the matching is successful, the target message is determined to be legal, and if the matching is failed, the target message is determined to be illegal.
In this embodiment, the intermediate forwarding node receives the target message sent by the previous node, acquires the first check data from the target message, and checks the first check data according to the verification information, so that whether the target message is legal or not can be accurately determined, illegal messages in the message sending path can be effectively identified, and the condition that the message sending path is blocked and network paralysis is caused can be avoided.
In one embodiment, the verification information includes a decryption key, and the first check data includes encrypted data and comparison data; as shown in fig. 5, an alternative implementation of S402 includes:
S501, decrypting the encrypted data included in the first check data according to the decryption key.
S502, determining whether the decryption result is consistent with the comparison data in the first check data.
S503, under the condition of coincidence, determining that the target message is legal, and under the condition of non-coincidence, determining that the target message is illegal.
When the encrypted data in the first check data is decrypted with the decryption key, if the decryption fails, that is, the decryption key does not correspond to the encrypted data, the target message may be determined to be illegal.
In this embodiment, the decryption key is used to decrypt the encrypted data included in the first check data, and the decryption result is compared with the comparison data in the first check data: if they are consistent, the target message is determined to be legal, and if they are inconsistent, the target message is determined to be illegal, so that whether the target message is legal can be determined quickly and accurately.
In one embodiment, as shown in fig. 6, an alternative implementation manner of the communication security protection method includes:
S601, receiving a target message sent by a previous node, and acquiring first check data from the target message.
S602, determining whether the target message is legal or not according to the verification information and the first verification data. The authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed. If it is legal, S603 is executed, and if it is illegal, S604 is executed.
S603, executing a message processing flow on the target message, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message.
An alternative implementation manner of this embodiment is as follows: and if the current intermediate forwarding node is not the last node of the message sending path, executing a process of forwarding the target message to the next node.
Another alternative implementation of this embodiment is: and if the current intermediate forwarding node is the last node of the message sending path, executing a flow for analyzing the target message.
S604, discarding the target message.
In this embodiment, a corresponding message processing flow is added when it is determined whether the target message is legal, and the message processing flow is executed on the target message when the target message is legal, where the message processing flow includes a flow of forwarding the target message to a next node or a flow of analyzing the target message, and the target message is discarded when the target message is illegal, so as to prevent the message sending path from being blocked due to illegal messages.
In one embodiment, as shown in fig. 7, an alternative implementation manner of the communication security protection method includes:
S701, receiving a target message sent by a previous node, and acquiring first check data from the target message.
S702, if the first check data is not successfully obtained from the target message, determining that the target message is illegal.
In this embodiment, when the first check data is acquired from the target packet, if the first check data cannot be successfully acquired from the target packet, it is indicated that the target packet is attacked illegally, so that the illegality of the target packet can be determined, and the illegal target packet can be quickly identified.
In one embodiment, if the target message is an SRv6 message, an optional implementation of acquiring the first check data from the target message includes:
And acquiring first check data from the segment route extension header SRH of the target message.
Specifically, a target field (i.e., TLV field) is created in advance in the SRH, and as shown in table 1, the target field includes a comparison field and an encryption field, and in this embodiment, the comparison data may be extracted from the comparison field and the encryption data may be extracted from the encryption field.
Optionally, the target field further includes at least one of the following fields: a length indication field for indicating a field length of the target field; a reserved field for adding newly added content; and a content type field for characterizing the overall content of the target field.
In this embodiment, the target message is a SRv6 message, the comparison data is extracted from the comparison field in the segment routing extension header SRH of the target message, and the encrypted data is extracted from the encrypted field, so as to improve the extraction efficiency of the comparison data and the encrypted data.
In one embodiment, the target field further includes a forwarding mode check field, and in S502, determining whether the target packet is legal according to the verification information and the first check data, an optional implementation manner includes:
and executing the step of determining whether the target message is legal or not according to the verification information and the first verification data under the condition that the value of the forwarding mode verification field indicates that the forwarding mode of the target message is a non-BE mode. For example, in the case that the value of the forwarding mode check field is "0", the forwarding mode of the target packet is represented as a non-BE mode, and in this case, the step of determining whether the target packet is legal according to the verification information and the first check data is performed.
In this embodiment, before the step of determining whether the target message is legal according to the verification information and the first check data, the forwarding mode of the target message is determined according to the value of the forwarding mode check field, and the step is performed only when the forwarding mode of the target message is the non-BE mode, so that network resources can be saved and the forwarding efficiency of the target message can be improved.
Based on the foregoing embodiment, an optional implementation manner of the communication security protection method includes:
Under the condition that the value of the forwarding mode check field indicates that the forwarding mode of the target message is the BE mode, the message processing flow is executed directly on the target message, where the message processing flow includes a flow of forwarding the target message to the next node or a flow of analyzing the target message. For example, when the value of the forwarding mode check field is "1", the forwarding mode of the target message is the BE mode; in this mode the target message is treated as a legal message, the first check data does not need to be checked, and the message processing flow is executed directly on the target message. The manner of executing the message processing flow on the target message is described in the above embodiment and is not repeated here.
In this embodiment, when the value of the forwarding mode check field indicates that the forwarding mode of the target message is the BE mode, the target message may be determined to be legal, and the message processing flow may be executed directly on the target message without further checking the first check data, thereby improving the processing efficiency of the target message.
In one embodiment, as shown in fig. 8, a communication security protection method is applied to an intermediate forwarding node in a message sending path of a target message, and an optional implementation manner of the method includes:
S801, receiving a target message sent by a previous node, and acquiring the value of the forwarding mode check field in the target field from the segment routing extension header SRH of the target message. The target field further comprises a comparison field, an encryption field, a content type field, a length indication field, and a reserved field.
S802, judging whether the forwarding mode is a BE mode according to the value of the forwarding mode check field in the target field. If yes, S803 is executed, and if no, S804 is executed.
S803, directly executing a message processing flow on the target message, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message.
S804, extracting the contrast data from the contrast field and extracting the encrypted data from the encrypted field.
S805, decrypting the encrypted data included in the first verification data according to the decryption key in the verification information. The authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
S806, determining whether the decryption result is consistent with the comparison data in the first check data. If yes, determining that the target message is legal, and executing S807; if not, determining that the target message is illegal, and executing S808.
S807, under the condition that the target message is legal, a message processing flow is executed on the target message, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message.
S808, discarding the target message under the condition that the target message is illegal.
In this embodiment, the intermediate forwarding node receives the target message sent by the previous node, obtains the value of the forwarding mode check field from the target message, and determines whether the forwarding mode is the BE mode according to the value of the forwarding mode check field in the target field. If yes, it directly executes the message processing flow on the target message, where the message processing flow includes a flow of forwarding the target message to the next node or a flow of analyzing the target message; if no, it checks the first check data according to the verification information. In this way, whether the target message is legal can be accurately determined, illegal messages in the message sending path can be effectively identified, and network paralysis caused by blocking of the message sending path can be avoided.
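As an added worked example (not code from the patent or from the applicant), the following Python implements the head-node steps S301-S304 and the intermediate-node steps S801-S808 end to end, including the S702 case where the target field cannot be obtained. The TLV layout of the target field, the type value, the 16-byte field sizes, the key and the sample Segment List are constructed assumptions, since table 1 is not reproduced on this page. The patent does not fix an encryption algorithm, so a toy SHA-256 counter keystream stands in for it; it is symmetric, so the same key plays the role of the intermediate node's decryption key.

```python
import hashlib
import hmac
import struct

# Constructed layout of the target field (TLV) in the SRH (assumption):
#   type(1) | length(1) | flags(1, bit0 = forwarding mode check field) |
#   reserved(1) | comparison data(16) | encrypted data(16)
TLV_TYPE = 0x7F                 # placeholder content type value, not from the patent
DATA_LEN = 16                   # length of comparison data and of encrypted data
BODY_LEN = 2 + 2 * DATA_LEN     # flags + reserved + two data fields


def _keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter keystream: a stand-in for the patent's unspecified
    encryption algorithm so the example runs with the standard library only."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt   # XOR with the same keystream inverts the operation


def controller_issue_check_data(key: bytes, comparison: bytes):
    """S901/S902: the controller produces the first check data (comparison data
    plus its encryption) for the head node; the key goes to intermediate nodes."""
    if len(comparison) != DATA_LEN:
        raise ValueError("comparison data must be %d bytes" % DATA_LEN)
    return comparison, encrypt(key, comparison)


def head_node_build_tlv(comparison: bytes, encrypted: bytes, segment_list: list) -> bytes:
    """S302/S303: load the comparison and encryption fields and set the forwarding
    mode check field: '1' (BE mode) when the Segment List carries no forwarding
    path, '0' (non-BE mode) otherwise."""
    be_flag = 1 if not segment_list else 0
    body = bytes([be_flag, 0]) + comparison + encrypted    # flags, reserved, data
    return bytes([TLV_TYPE, len(body)]) + body


def parse_tlv(tlv: bytes):
    """Return (be_flag, comparison, encrypted), or None when the target field is
    absent or malformed, which S702 treats as an illegal message."""
    if len(tlv) < 2 or tlv[0] != TLV_TYPE:
        return None
    length = tlv[1]
    body = tlv[2:2 + length]
    if length != BODY_LEN or len(body) != length:
        return None
    comparison = body[2:2 + DATA_LEN]
    encrypted = body[2 + DATA_LEN:2 + 2 * DATA_LEN]
    return body[0] & 1, comparison, encrypted


def intermediate_node_verify(tlv: bytes, key: bytes) -> str:
    """S801-S808 on an intermediate forwarding node: 'forward' for a legal
    message (message processing flow), 'drop' for an illegal one."""
    parsed = parse_tlv(tlv)
    if parsed is None:
        return "drop"                                    # S702: check data missing
    be_flag, comparison, encrypted = parsed
    if be_flag == 1:
        return "forward"                                 # S803: BE mode, no check
    decrypted = decrypt(key, encrypted)                  # S805
    if hmac.compare_digest(decrypted, comparison):       # S806, constant-time compare
        return "forward"                                 # S807
    return "drop"                                        # S808


def demo() -> dict:
    """Constructed scenario: one legal non-BE message, one tampered, one checked
    with the wrong key, one BE-mode message, and one with the target field missing."""
    key = b"constructed-demo-key"
    comparison = b"comparison-data!"                     # exactly 16 bytes
    comp, enc = controller_issue_check_data(key, comparison)
    non_be = head_node_build_tlv(comp, enc, ["2001:db8::2", "2001:db8::3"])
    be = head_node_build_tlv(comp, enc, [])
    tampered = non_be[:-1] + bytes([non_be[-1] ^ 0x01])   # flip one ciphertext bit
    return {
        "legal": intermediate_node_verify(non_be, key),
        "tampered": intermediate_node_verify(tampered, key),
        "wrong_key": intermediate_node_verify(non_be, b"other-key"),
        "be_mode": intermediate_node_verify(be, b"other-key"),
        "missing_field": intermediate_node_verify(b"", key),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s -> %s" % (name, verdict))
```

The verdict for a BE-mode message does not depend on the key, which is the S803 shortcut; a truncated or absent target field is dropped under S702 rather than raising an error in the forwarding path. The decryption result is compared with hmac.compare_digest so that a mismatch is not revealed through timing differences.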
In one embodiment, as shown in fig. 9, the method is applied to a controller in a message sending path of a target message, and the method is described by taking the application of the method to the controller in fig. 1 as an example, the method includes the following steps:
S901, when the security check of the head node in the message sending path of the target message is confirmed to pass, sending first check data to the head node.
S902, sending verification information to the intermediate forwarding node.
In this embodiment, under the condition that the security check of the head node in the message sending path of the target message is determined to pass, the first check data is sent to the head node, and the verification information is sent to the intermediate forwarding node, so that the intermediate forwarding node in the message sending path can verify whether the target message is legal or not based on the verification information and the first check data, and the illegal attack message in the message sending path can be conveniently and quickly identified, and network congestion is avoided.
In one embodiment, the first verification data comprises contrast data and encrypted data, and the verification information comprises a decryption key.
In this embodiment, according to the decryption key in the verification information, it is convenient for the subsequent intermediate forwarding node to decrypt the encrypted data according to the decryption key when executing the verification process, and then match the decryption result with the comparison data, and verify whether the target message is legal according to the matching result.
It should be noted that, the controller of this embodiment is further configured to control opening or closing of the protection domain of the packet transmission path, and in the opening process, the head node and the intermediate forwarding node start the communication security protection method.
For a better understanding of the above embodiments, a detailed explanation is provided below in connection with a specific embodiment. In one embodiment, as shown in fig. 1, the controller collects the network topology and constructs a message transmission path for the target message according to the user requirement and the target address of the target message. With the protection domain of the message transmission path opened, the controller generates comparison data, encrypts the comparison data through a public key and an encryption algorithm (such as a HASH algorithm) to obtain the encrypted data, sends the comparison data and the encrypted data to the head node, and sends the private key for decrypting the encrypted data to each intermediate forwarding node. The head node adds the comparison data to the comparison field of the SRH, adds the encrypted data to the encryption field of the SRH, configures the forwarding mode check field according to whether the address segment list is empty, and sends the target message to the intermediate forwarding node once the configuration of the target field is completed. An intermediate forwarding node that receives the target message first judges whether the value of the forwarding mode check field is '1'. If so, the forwarding mode of the target message is BE forwarding, the target message is treated as legal by default, and the message processing flow is executed directly on the target message (such as at R2 and R3). Otherwise, the intermediate forwarding node extracts the comparison data and the encrypted data, decrypts the encrypted data with the private key, and compares the decryption result with the comparison data: if they are consistent, the target message is legal and the message processing flow is executed; if they are not consistent, the target message is illegal and is discarded. If the intermediate forwarding node fails to acquire the comparison data and the encrypted data, or fails to decrypt the encrypted data, it likewise determines that the target message is illegal.
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the order of these sub-steps or stages is not necessarily sequential; they may be performed alternately or in turn with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a communication safety protection device for realizing the above related communication safety protection method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation of one or more embodiments of the communication security protection device provided below may refer to the limitation of the communication security protection method hereinabove, and will not be repeated herein.
In one embodiment, fig. 10 shows a block diagram of the communication security protection apparatus. As shown in fig. 10, a communication security protection apparatus 1 is provided, applied to a head node in the message transmission path of the target message, and includes a first receiving module 11 and an adding module 12, wherein:
a first receiving module 11, configured to receive first check data sent by the controller, where the first check data is sent by the controller when the security check of the head node passes;
an adding module 12, configured to add the first check data to the target packet, and send the target packet based on the packet sending path after adding the first check data;
the first check data are used for each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the safety check.
According to the communication safety protection device, the first check data sent by the controller are received, the first check data are sent by the controller under the condition that the safety check of the head node is passed, the first check data are added to the target message, and the target message is sent based on the message sending path after the first check data are added, wherein the first check data are used for enabling all intermediate forwarding nodes except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, the verification information is sent to the intermediate forwarding nodes by the controller under the condition that the safety check of the head node is passed.
In one embodiment, the first verification data in the first receiving module 11 and the adding module 12 in fig. 10 includes the comparison data and the encrypted data obtained by encrypting the comparison data, and the verification information includes a decryption key for decrypting the encrypted data.
In one embodiment, the target message is a SRv message, and the adding module 12 is specifically configured to: and adding the first check data into the segment routing extension header SRH of the target message.
In one embodiment, the SRH includes a target field, which includes a comparison field and an encryption field, and on this basis the adding module 12 is further specifically configured to load the comparison data into the comparison field and the encrypted data into the encryption field.
In one embodiment, the target field further includes a forwarding mode check field, on the basis of which a communication security protection apparatus further includes:
the forwarding mode determining module is used for determining the forwarding mode of the target message according to the address segment list in the SRH before sending the target message, and configuring the value of the forwarding mode check field according to the forwarding mode;
wherein the forwarding mode includes a BE mode or a non-BE mode.
In one embodiment, the forwarding mode determining module is further specifically configured to: if a forwarding path exists in the address segment list, the forwarding mode of the target message is the non-BE mode; if no forwarding path exists in the address segment list, the forwarding mode of the target message is the BE mode.
In one embodiment, the target field in the communication security protection apparatus further comprises at least one of the following fields: a length indication field for indicating the field length of the target field; and a reserved field for adding newly added content.
In one embodiment, fig. 11 shows a block diagram of the communication security protection apparatus. As shown in fig. 11, another communication security protection apparatus 2 is provided, applied to an intermediate forwarding node in the message transmission path of the target message, and includes a second receiving module 21 and a determining module 22, wherein:
a second receiving module 21, configured to receive a target packet sent by a previous node, and obtain first check data from the target packet;
a determining module 22, configured to determine whether the target message is legal according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
In one embodiment, the verification information includes a decryption key, and on this basis the determining module 22 in fig. 11 further includes:
a decryption unit configured to decrypt the encrypted data included in the first check data according to the decryption key;
the comparison unit is used for determining whether the decryption result is consistent with the comparison data in the first check data;
and the determining unit is used for determining that the target message is legal under the condition of coincidence and determining that the target message is illegal under the condition of non-coincidence.
In one embodiment, the communication security protection apparatus further comprises:
the execution module is used for executing a message processing flow on the target message under the condition that the target message is legal, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message;
and the deleting module is used for discarding the target message under the condition that the target message is illegal.
In one embodiment, the communication security protection apparatus further comprises:
and the illegal determining module is used for determining that the target message is illegal if the first check data is not successfully obtained from the target message.
In one embodiment, the target message is an SRv6 message, and the second receiving module 21 is specifically configured to: acquire the first check data from the segment routing extension header SRH of the target message.
In one embodiment, the SRH includes a target field, where the target field includes a comparison field and an encryption field, and the second receiving module 21 is specifically configured to: the contrast data is extracted from the contrast field and the encrypted data is extracted from the encrypted field.
In one embodiment, the target field further includes a forwarding mode check field, on which the determining module 22 is further specifically configured to: and executing the step of determining whether the target message is legal or not according to the verification information and the first verification data under the condition that the value of the forwarding mode verification field indicates that the forwarding mode of the target message is a non-BE mode.
In one embodiment, the communication security protection apparatus further comprises:
and the direct processing module is used for directly executing a message processing flow on the target message under the condition that the value of the forwarding mode check field indicates that the forwarding mode of the target message is the BE mode, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message.
In one embodiment, the target field in the communication security protection apparatus further comprises at least one of the following fields: a length indication field for indicating the field length of the target field; and a reserved field for adding newly added content.
In one embodiment, fig. 12 shows a block diagram of the communication security protection apparatus. As shown in fig. 12, another communication security protection apparatus 3 is provided, applied to a controller in the message sending path of the target message, and includes a first sending module 31 and a second sending module 32, wherein:
a first sending module 31, configured to send first check data to a head node if it is determined that the security check of the head node in the packet sending path of the target packet passes;
a second transmitting module 32, configured to transmit the authentication information to the intermediate forwarding node.
In one embodiment, the first check data in the first transmitting module 31 in fig. 12 above includes contrast data and encrypted data.
The various modules in the communication security protection apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware in, or be independent of, a processor in the computer device, or may be stored as software in a memory in the computer device, so that the processor can call and execute the operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a platform side, and the internal structure of which may be as shown in fig. 13. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used to store communication security data. The network interface of the computer device is used for communicating with an external user side through a network connection. The computer program is executed by a processor to implement a communication security protection method.
It will be appreciated by persons skilled in the art that the architecture shown in fig. 13 is merely a block diagram of some of the architecture relevant to the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements are applied, and in particular, a computer device may include more or less components than those shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory storing a computer program, the processor implementing the following steps when executing the computer program:
receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of a head node is passed;
adding the first check data into the target message, and transmitting the target message based on a message transmission path after adding the first check data;
the first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check.
In one embodiment, another computer device is provided, comprising a memory having a computer program stored therein and a processor that when executing the computer program performs the steps of:
receiving a target message sent by a previous node, and acquiring first check data from the target message;
determining whether the target message is legal or not according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
In one embodiment, there is provided a computer device comprising a memory and a processor, the memory having stored therein a computer program which when executed by the processor performs the steps of:
under the condition that the security check of the head node in the message sending path of the target message is confirmed to pass, first check data is sent to the head node;
and sending the verification information to the intermediate forwarding node.
For the principles and specific processes by which the computer devices of the foregoing embodiments are implemented, reference may be made to the description of the embodiments of the communication security protection method above, which is not repeated here.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of:
receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of a head node is passed;
adding the first check data into the target message, and transmitting the target message based on a message transmission path after adding the first check data;
the first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check.
In one embodiment, another computer-readable storage medium is provided, having stored thereon a computer program which, when executed by a processor, performs the steps of:
receiving a target message sent by a previous node, and acquiring first check data from the target message;
determining whether the target message is legal or not according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
In one embodiment, there is provided a further computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
under the condition that the security check of the head node in the message sending path of the target message is confirmed to pass, first check data is sent to the head node;
and sending the verification information to the intermediate forwarding node.
For the principles and specific procedures by which the computer-readable storage media of the foregoing embodiments are implemented, reference may be made to the embodiments of the communication security protection method above, which are not described again in detail here.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of a head node is passed;
adding the first check data into the target message, and transmitting the target message based on a message transmission path after adding the first check data;
the first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on the verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check.
In one embodiment, another computer program product is provided comprising a computer program which, when executed by a processor, performs the steps of:
receiving a target message sent by a previous node, and acquiring first check data from the target message;
determining whether the target message is legal or not according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
In one embodiment, there is provided a computer program product comprising a computer program which, when executed by a processor, performs the steps of:
under the condition that the security check of the head node in the message sending path of the target message is confirmed to pass, first check data is sent to the head node;
and sending the verification information to the intermediate forwarding node.
For the principles and specific procedures by which the computer program products of the foregoing embodiments are implemented, reference may be made to the embodiments of the communication security protection method above, which are not described again in detail here.
It should be noted that, the data related to the present application (including, but not limited to, data in the communication security protection process, etc.) are all data fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (24)

1. A method of communication security protection, wherein the method is applied to a head node in a message transmission path of a target message, the method comprising:
receiving first check data sent by a controller, wherein the first check data is sent by the controller under the condition that the security check of the head node is passed;
adding the first check data into the target message, and sending the target message based on the message sending path after adding the first check data;
the first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check.
2. The method of claim 1, wherein the first verification data includes contrast data and encrypted data obtained by encrypting the contrast data, and the verification information includes a decryption key for decrypting the encrypted data.
3. The method of claim 2, wherein the target message is an SRv6 message, and the adding the first check data to the target message comprises:
and adding the first check data into a segment routing extension header SRH of the target message.
4. The method of claim 3, wherein the SRH comprises a target field, the target field comprising a contrast field and an encryption field, and the adding the first check data to the segment routing extension header SRH of the target message comprises:
loading the contrast data into the contrast field and loading the encrypted data into the encryption field.
5. The method of claim 4, wherein the target field further comprises a forwarding mode check field, the method further comprising:
before the target message is sent, determining a forwarding mode of the target message according to an address segment list in the SRH, and configuring a value of a forwarding mode check field according to the forwarding mode;
wherein the forwarding mode includes a BE mode or a non-BE mode.
6. The method of claim 5, wherein determining the forwarding mode of the target message according to the address segment list in the SRH comprises:
if the forwarding path exists in the address segment list, the forwarding mode of the target message is a non-BE mode;
if the forwarding path does not exist in the address segment list, the forwarding mode of the target message is a BE mode.
7. The method of claim 4, wherein the target field further comprises at least one of the following fields:
a length indication field for indicating a field length of the target field;
and a reserved field for adding the newly added content.
8. A method of communication security protection, wherein the method is applied to an intermediate forwarding node in a message transmission path of a target message, the method comprising:
receiving a target message sent by a previous node, and acquiring first check data from the target message;
determining whether the target message is legal or not according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
9. The method of claim 8, wherein the authentication information includes a decryption key, and wherein the determining whether the target message is legitimate based on the authentication information and the first verification data includes:
decrypting the encrypted data included in the first verification data according to the decryption key;
determining whether the decryption result is consistent with the contrast data in the first check data;
and determining that the target message is legal if they are consistent, and that the target message is illegal if they are not consistent.
10. The method of claim 8, wherein after determining whether the target message is legitimate, the method further comprises:
Executing a message processing flow on the target message under the condition that the target message is legal, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message;
and discarding the target message under the condition that the target message is illegal.
11. The method of claim 8, wherein the method further comprises:
and if the first check data is not successfully obtained from the target message, determining that the target message is illegal.
12. The method of claim 9, wherein the target message is an SRv6 message, and the obtaining the first check data from the target message comprises:
and obtaining the first check data from the segment routing extension header SRH of the target message.
13. The method of claim 12, wherein the SRH includes a target field, the target field including a contrast field and an encryption field, the obtaining the first check data from the segment routing extension header SRH of the target message includes:
and extracting the contrast data from the contrast field and extracting the encrypted data from the encrypted field.
14. The method of claim 13, wherein the target field further comprises a forwarding mode check field, and wherein determining whether the target message is legitimate based on the authentication information and the first check data comprises:
and executing the step of determining whether the target message is legal according to the verification information and the first verification data under the condition that the value of the forwarding mode verification field indicates that the forwarding mode of the target message is a non-BE mode.
15. The method of claim 14, wherein the method further comprises:
and under the condition that the value of the forwarding mode check field indicates that the forwarding mode of the target message is a BE mode, directly executing a message processing flow on the target message, wherein the message processing flow comprises a flow of forwarding the target message to a next node or a flow of analyzing the target message.
16. The method of claim 13, wherein the target field further comprises at least one of the following fields:
a length indication field for indicating a field length of the target field;
and a reserved field for adding the newly added content.
17. A method of communication security protection, characterized by being applied to a controller, the method comprising:
under the condition that the security check of a head node in a message sending path of a target message is confirmed to pass, first check data is sent to the head node;
and sending the verification information to the intermediate forwarding node.
18. The method of claim 17, wherein the first verification data comprises contrast data and encrypted data.
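The following is an added example that walks through claims 1 to 18 end to end; it is not code from the patent or its assignee. The controller issues a (contrast data, encrypted data) pair to the head node and the decryption key to intermediate nodes, the head node carries the pair in a target field TLV of an RFC 8754 SRH, and an intermediate node decrypts and compares. The TLV type value, the field layout (type, length indication, forwarding mode check field, reserved field, contrast field, encryption field), the stand-in XOR-pad cipher and the rule that a one-entry segment list means BE are all assumptions made for the example, since the claims do not fix an encoding.

```python
"""Toy end-to-end model of the SRH check-data scheme in claims 1-18.
Added example: the TLV layout of the 'target field', the stand-in cipher and
the BE heuristic are assumptions, not the patent's own encoding."""
import hashlib
import os
import struct
from ipaddress import IPv6Address

TLV_TYPE_TARGET = 0x7F       # hypothetical TLV type for the "target field"
MODE_BE, MODE_NON_BE = 0, 1  # values of the forwarding mode check field
CONTRAST_LEN = 16            # bytes of contrast data per message


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a key-derived pad (self-inverse).
    Demonstration only: anyone who sees one (contrast, encrypted) pair learns
    the pad, so a deployment needs a standard authenticated cipher instead."""
    pad = hashlib.sha256(b"srh-check-pad:" + key).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))


class Controller:
    """Claims 17-18: check data goes to the head node and the decryption key
    to intermediate nodes, only once the head node's security check passed."""
    def __init__(self):
        self.key = os.urandom(16)

    def issue_check_data(self, head_node_passed: bool):
        if not head_node_passed:
            return None
        contrast = os.urandom(CONTRAST_LEN)
        return contrast, toy_cipher(self.key, contrast)

    def issue_verification_info(self) -> bytes:
        return self.key


def forwarding_mode(segments) -> int:
    """Claim 6 (toy reading): a segment list holding only the final
    destination is 'no forwarding path', i.e. BE; anything longer is non-BE."""
    return MODE_NON_BE if len(segments) > 1 else MODE_BE


def build_target_field(contrast: bytes, encrypted: bytes, mode: int) -> bytes:
    """Claims 4-7: type, length indication, forwarding mode check field,
    reserved field, contrast field, encryption field (assumed layout)."""
    body = struct.pack("!BB", mode, 0) + contrast + encrypted
    return struct.pack("!BB", TLV_TYPE_TARGET, len(body)) + body


def head_node_build_srh(segments, check_data) -> bytes:
    """Claims 1-3: an RFC 8754 SRH (segment list stored last-first) with the
    target field appended as a TLV, padded to an 8-octet boundary."""
    contrast, encrypted = check_data
    tlv = build_target_field(contrast, encrypted, forwarding_mode(segments))
    tlv += b"\x00" * (-len(tlv) % 8)
    seg_bytes = b"".join(IPv6Address(s).packed for s in reversed(segments))
    n = len(segments)
    fixed = struct.pack("!BBBBBBH", 59, (len(seg_bytes) + len(tlv)) // 8,
                        4, n - 1, n - 1, 0, 0)
    return fixed + seg_bytes + tlv


def extract_target_field(srh: bytes):
    """Claims 12-13: walk the SRH TLV area; None if the field is absent."""
    _, hel, rtype, _, last_entry, _, _ = struct.unpack("!BBBBBBH", srh[:8])
    end = (hel + 1) * 8
    if rtype != 4 or len(srh) < end:
        return None
    pos = 8 + 16 * (last_entry + 1)
    while pos + 2 <= end:
        t, length = srh[pos], srh[pos + 1]
        if t == 0:                         # Pad1 TLV carries no length octet
            pos += 1
            continue
        if t == TLV_TYPE_TARGET and length == 2 + 2 * CONTRAST_LEN:
            body = srh[pos + 2:pos + 2 + length]
            return {"mode": body[0], "contrast": body[2:2 + CONTRAST_LEN],
                    "encrypted": body[2 + CONTRAST_LEN:]}
        pos += 2 + length
    return None


def intermediate_node_verify(srh: bytes, verification_info: bytes) -> str:
    """Claims 8-11, 14-15: 'forward' for legal or BE traffic, else 'drop'."""
    field = extract_target_field(srh)
    if field is None:                      # claim 11: missing data is illegal
        return "drop"
    if field["mode"] == MODE_BE:           # claim 15: BE traffic is not checked
        return "forward"
    decrypted = toy_cipher(verification_info, field["encrypted"])
    return "forward" if decrypted == field["contrast"] else "drop"  # claim 9


def run_scenarios() -> dict:
    """Constructed walk-through covering the legal, tampered and edge cases."""
    ctrl = Controller()
    key = ctrl.issue_verification_info()
    path = ["2001:db8::1", "2001:db8::2", "2001:db8::3"]   # constructed SIDs
    srh = head_node_build_srh(path, ctrl.issue_check_data(True))
    tampered = bytearray(srh)
    tampered[8 + 16 * len(path) + 4] ^= 0x01   # flip one bit of contrast data
    no_tlv = (struct.pack("!BBBBBBH", 59, 2, 4, 0, 0, 0, 0)
              + IPv6Address(path[0]).packed)  # SRH without any check data
    be_srh = head_node_build_srh(path[:1], ctrl.issue_check_data(True))
    return {
        "genuine": intermediate_node_verify(srh, key),
        "tampered": intermediate_node_verify(bytes(tampered), key),
        "wrong_key": intermediate_node_verify(srh, b"\x01" * 16),
        "no_check_data": intermediate_node_verify(no_tlv, key),
        "be_mode": intermediate_node_verify(be_srh, key),
        "head_node_failed_check": ctrl.issue_check_data(False),
    }
```

Two points stand out when the scheme is written down this way. First, the forwarding mode check field sits outside the encrypted data, so in this layout a verifier that honours claim 15 (BE traffic is forwarded without the decrypt-and-compare step) should at least confirm that a BE-marked packet really carries no forwarding path; otherwise the check is only as strong as that one octet. Second, the strength of the legality check rests entirely on the cipher: the toy XOR pad used here is reversible from a single observed pair, which is why the comment insists on a standard authenticated cipher in practice.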
19. A communication security protection apparatus applied to a head node in a message transmission path of a target message, the apparatus comprising:
the first receiving module is used for receiving first check data sent by the controller, wherein the first check data is sent by the controller under the condition that the security check of the head node passes;
the adding module is used for adding the first check data to the target message and sending the target message based on the message sending path after adding the first check data;
the first check data is used by each intermediate forwarding node except the head node in the message sending path to verify whether the target message is legal or not based on verification information and the first check data, wherein the verification information is sent to the intermediate forwarding node by the controller under the condition that the head node passes the security check.
20. A communication security protection apparatus applied to an intermediate forwarding node in a message transmission path of a target message, the apparatus comprising:
the second receiving module is used for receiving a target message sent by a previous node and acquiring first check data from the target message;
the determining module is used for determining whether the target message is legal or not according to the verification information and the first verification data; the authentication information is sent to the intermediate forwarding node by the controller under the condition that the security check of the head node in the message sending path is passed.
21. A communication security protection apparatus applied to a controller, the apparatus comprising:
the first sending module is used for sending first check data to the head node under the condition that the head node in the message sending path of the target message is confirmed to pass the security check;
and the second sending module is used for sending the verification information to the intermediate forwarding node.
22. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 18 when the computer program is executed.
23. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 18.
24. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 18.
CN202310833453.1A 2023-07-07 2023-07-07 Communication security protection method, device, computer equipment and storage medium Pending CN116827651A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310833453.1A CN116827651A (en) 2023-07-07 2023-07-07 Communication security protection method, device, computer equipment and storage medium
Publications (1)

Publication Number Publication Date
CN116827651A true CN116827651A (en) 2023-09-29

Family

ID=88139212
Country Status (1)

Country Link
CN (1) CN116827651A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117692106A (en) * 2024-01-31 2024-03-12 北京中科网芯科技有限公司 Communication data redundancy check method
CN117692106B (en) * 2024-01-31 2024-05-03 北京中科网芯科技有限公司 Communication data redundancy check method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination