CN117201639A - Message transmission method, network virtualization edge device and storage medium - Google Patents


Info

Publication number
CN117201639A
Authority
CN
China
Legal status
Pending
Application number
CN202210607848.5A
Other languages
Chinese (zh)
Inventor
梁霞
张亮
马肖男
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Abstract

The application discloses a message transmission method, which comprises the following steps: receiving a service message sent by any one of a plurality of subnets connected with a first network virtual edge device, and assembling an NVGRE header for the service message; under the condition that the VSID in the VSID field and the key version number in the key version field indicate that the service message needs to be encrypted together, obtaining the service message meeting the length threshold, and encrypting the service message meeting the length threshold to obtain the encrypted service message; and sending the encrypted service message to the second network virtual edge equipment. The application also discloses a message transmission device, a first network virtual edge device, a second network virtual edge device and a computer readable storage medium.

Description

Message transmission method, network virtualization edge device and storage medium
Technical Field
The present application relates to the field of, but is not limited to, computers, and in particular, to a message transmission method, a first network virtualized edge device, a second network virtualized edge device, and a computer readable storage medium.
Background
Network Virtualization using Generic Routing Encapsulation (NVGRE) is a Layer 2 virtual private network (Virtual Private Network, VPN) technology that carries media access control (Media Access Control, MAC) frames inside GRE encapsulation. With the NVGRE protocol, two local area networks at different geographic locations can be joined into one large virtual Layer 2 local area network. A Network Virtualization Edge (NVE) device is an edge device of the NVGRE network that encapsulates or decapsulates the service messages transmitted in the NVGRE tunnel; the NVGRE protocol itself has no security capabilities.
In the related art, if the transmission security of the service message in the NVGRE tunnel is to be ensured, Internet Protocol Security (IPsec) technology is used to encapsulate the service message data before transmission, for example by adding one more Encapsulating Security Payload (ESP) header, one more Internet Protocol (IP) header and one more ESP trailer; the encapsulated message therefore has more layers, which in turn causes high network overhead during transmission.
Disclosure of Invention
The application provides a message transmission method, first network virtual edge equipment, second network virtual edge equipment and a computer readable storage medium.
In a first aspect, a method for transmitting a message is provided, including:
receiving a service message sent by any one of a plurality of subnets connected with the first network virtual edge equipment, and assembling a Network Virtualization using Generic Routing Encapsulation (NVGRE) header for the service message, wherein the NVGRE header comprises a virtual subnet identifier VSID field and a key version field;
under the condition that the VSID in the VSID field and the key version number in the key version field indicate that the service message needs to be encrypted together, obtaining the service message meeting the length threshold, and encrypting the service message meeting the length threshold to obtain the encrypted service message;
and sending the encrypted service message to second network virtual edge equipment.
In a second aspect, a method for transmitting a message is provided, including:
receiving a service message sent by first network virtualization edge equipment; the service message is provided with an NVGRE header, and the NVGRE header is assembled by the first network virtualization edge device for the received service message sent by any subnet;
and if the value of the second bit of the marking bit field in the NVGRE header is 1, determining that the service message is obtained by encrypting the service message meeting the length threshold by the first network virtualization edge device under the condition that the VSID in the VSID field included in the NVGRE header and the key version number in the key version field indicate that the service message needs to be encrypted together.
In a third aspect, a first network virtualized edge device is provided, the first network virtualized edge device comprising:
the first receiving module is used for receiving a service message sent by any one of a plurality of subnets connected with the first network virtual edge device;
a first processing module, configured to assemble, for the service packet, a Network Virtualization using Generic Routing Encapsulation (NVGRE) header, where the NVGRE header includes a virtual subnet identifier VSID field and a key version field;
The first processing module is further configured to obtain a service packet meeting a length threshold when the VSID in the VSID field and the key version number in the key version field indicate that the service packet needs to be encrypted, and encrypt the service packet meeting the length threshold to obtain an encrypted service packet;
and the first sending module is used for sending the encrypted service message to the second network virtual edge equipment.
In a fourth aspect, a second network virtualized edge device is provided, the second network virtualized edge device comprising:
the second receiving module is used for receiving a service message sent by the first network virtualization edge device, wherein the service message is provided with an NVGRE header, and the NVGRE header is assembled by the first network virtualization edge device for the service message sent by any one of the received sub-networks;
and the second processing module is configured to determine that the service packet is obtained by encrypting the service packet meeting the length threshold by the first network virtualization edge device when the value of the second bit of the flag bit field in the NVGRE header is 1 and the VSID in the VSID field included in the NVGRE header and the key version number in the key version field indicate that the service packet needs to be encrypted together.
In a fifth aspect, there is provided a first network virtualized edge device comprising: the first processor is used for calling and running the computer program stored in the first memory, and executing the message transmission method.
In a sixth aspect, there is provided a second network virtualized edge device comprising: the second processor is used for calling and running the computer program stored in the second memory, and executing the message transmission method.
In a seventh aspect, a computer-readable storage medium is provided for storing a computer program that causes a computer to execute the above-described message transmission method.
The application provides a message transmission method, a first network virtualization edge device, a second network virtualization edge device and a computer readable storage medium, which receive a service message sent by any one of a plurality of subnets connected with the first network virtualization edge device and assemble a Network Virtualization using Generic Routing Encapsulation (NVGRE) header for the service message, wherein the NVGRE header comprises a virtual subnet identifier VSID field and a key version field; under the condition that the VSID in the VSID field and the key version number in the key version field together indicate that the service message needs to be encrypted, obtain the service message meeting the length threshold and encrypt it to obtain the encrypted service message; and send the encrypted service message to the second network virtual edge device. That is, when the first network virtualization edge device receives the service message, it encrypts only the service message meeting the length threshold, and only when the service message needs to be encrypted, without adding one or more extra layers of message headers or trailers, so that the number of layers in the encapsulated message is reduced and the network resource cost during transmission is reduced; encrypted transmission between the first network virtual edge device and the second network virtual edge device is thereby realized.
Drawings
Fig. 1 is a schematic diagram of a network architecture for implementing a message transmission method according to an embodiment of the present application;
FIG. 2 is a diagram of a packet encapsulation format of NVGRE in the related art;
FIG. 3 is a schematic diagram of the packet encapsulation format of NVGRE encapsulated in the related art using an encryption-only ESP tunnel mode (without HMAC authentication);
fig. 4 is a schematic flow chart of one implementation of the message transmission method according to the embodiment of the present application;
fig. 5 is a second schematic flow chart of an implementation of the message transmission method according to the embodiment of the present application;
FIG. 6 is a schematic diagram of a packet encapsulation format of NVGRE according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a first network virtualized edge device according to an embodiment of the present application;
fig. 8 is a second schematic structural diagram of a first network virtualized edge device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a second network virtualized edge device according to an embodiment of the present application;
fig. 10 is a schematic diagram of a second network virtualized edge device according to an embodiment of the present application.
Detailed Description
The following description of the technical solutions according to the embodiments of the present application will be given with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a schematic diagram of a network architecture for implementing a message transmission method according to the present application, where the network architecture at least includes a first network virtualized edge device 100, a second network virtualized edge device 200, and a network 300; the first network virtualized edge device 100 and the second network virtualized edge device 200 are connected by the network 300. A network virtualization edge device is a network entity that implements the network virtualization function: it identifies the NVGRE network to which an Ethernet data frame belongs and performs Layer 2 forwarding and NVGRE encapsulation/decapsulation on the frame. When the network virtualization edge device encapsulates a service message, an 8-byte NVGRE header, an IP header and a data link layer header are added outside the service message. Fig. 2 is a schematic diagram of the packet format of NVGRE in the related art. As shown in fig. 2, the NVGRE header includes a flag bit field, a reserved field, a version field, a protocol type field, a virtual subnet identifier (Virtual Subnet Identifier, VSID) field and a Flow ID field. The flag bit field occupies 4 bits: the first bit is the Checksum Present bit, whose value is constantly 0, indicating that the GRE header does not carry a GRE checksum; the second bit is undefined; the third bit is the Key Present bit, whose value is constantly 1, indicating that the GRE header carries the VSID; the fourth bit is the Sequence Number Present bit, whose value is constantly 0, indicating that the GRE header does not carry a sequence number. The reserved field occupies 9 bits. The version field occupies 3 bits and characterizes the GRE protocol version number.
The protocol type field occupies 16 bits, and is used for characterizing the protocol type of the payload data encapsulated in the GRE header, and the value is constant at 0x6558, which represents transparent ethernet bridging, that is, encapsulating two-layer ethernet data frames in the GRE header. The VSID field occupies 24 bits and is used to identify an NVGRE subnet. The Flow ID field takes 8 bits and is used to identify a Flow.
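The header layout just described, as an added example that is not code from the patent: a small Python codec for the 8-byte NVGRE header following RFC 7637, which also exposes the otherwise undefined second flag bit that this application repurposes as the encrypted marker. The constant checks on the Checksum Present, Key Present and Sequence Number Present bits follow the text above; the sample VSID and Flow ID values are constructed.

```python
import struct

# Layout of the 8-byte NVGRE header (RFC 7637), most significant bit first:
#   bits 15..12  flag bits C (Checksum Present), undefined, K (Key Present), S (Sequence Number Present)
#   bits 11..3   reserved (9 bits)
#   bits  2..0   version (3 bits)
#   16 bits      protocol type, constantly 0x6558 (transparent Ethernet bridging)
#   32 bits      GRE key: 24-bit VSID followed by 8-bit Flow ID
TRANSPARENT_ETHERNET_BRIDGING = 0x6558
FLAG_C = 1 << 15
FLAG_SECOND = 1 << 14  # undefined in RFC 7637; this application uses it as the "encrypted" marker
FLAG_K = 1 << 13
FLAG_S = 1 << 12


def build_nvgre_header(vsid: int, flow_id: int, encrypted: bool = False, version: int = 0) -> bytes:
    """Assemble the header; C and S stay 0 and K stays 1 as the format requires."""
    if not 0 <= vsid < (1 << 24):
        raise ValueError("VSID must fit in 24 bits")
    if not 0 <= flow_id < (1 << 8):
        raise ValueError("Flow ID must fit in 8 bits")
    if not 0 <= version < (1 << 3):
        raise ValueError("version must fit in 3 bits")
    first_word = FLAG_K | version  # reserved bits are left at 0
    if encrypted:
        first_word |= FLAG_SECOND
    key_word = (vsid << 8) | flow_id  # GRE key = VSID (24 bits) + Flow ID (8 bits)
    return struct.pack("!HHI", first_word, TRANSPARENT_ETHERNET_BRIDGING, key_word)


def parse_nvgre_header(data: bytes) -> dict:
    """Decode the header and reject one whose constant bits or protocol type are wrong.
    Nothing here needs a key, which is why a forwarding device can read the VSID
    when only the payload behind the header is encrypted."""
    if len(data) < 8:
        raise ValueError("truncated NVGRE header")
    first_word, proto, key_word = struct.unpack("!HHI", data[:8])
    if first_word & FLAG_C:
        raise ValueError("Checksum Present bit must be 0")
    if not first_word & FLAG_K:
        raise ValueError("Key Present bit must be 1")
    if first_word & FLAG_S:
        raise ValueError("Sequence Number Present bit must be 0")
    if proto != TRANSPARENT_ETHERNET_BRIDGING:
        raise ValueError("unexpected protocol type 0x%04x" % proto)
    return {
        "encrypted": bool(first_word & FLAG_SECOND),
        "reserved": (first_word >> 3) & 0x1FF,
        "version": first_word & 0x7,
        "protocol_type": proto,
        "vsid": key_word >> 8,
        "flow_id": key_word & 0xFF,
    }


def vsid_of(packet: bytes) -> int:
    """VSID lookup a load balancer, firewall or router can do on the clear NVGRE header."""
    return parse_nvgre_header(packet)["vsid"]


if __name__ == "__main__":
    # Constructed sample: VSID 0x00ABCD, Flow ID 7, marked as encrypted.
    hdr = build_nvgre_header(0x00ABCD, 7, encrypted=True)
    print(hdr.hex())                      # 60006558 00abcd07 (spaces added for reading)
    print(parse_nvgre_header(hdr))
```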
Network virtualized edge devices are distributed throughout the network 300 coverage area, either stationary or mobile. Network virtualized edge devices include, but are not limited to, smartphones, tablet computers, notebook computers, palm computers, personal digital assistants (Personal Digital Assistant, PDA), navigation devices, user equipment (UE), single servers or server clusters made up of multiple servers, and cloud computing centers. The network 300 may be a wireless communication network using any communication standard or protocol, including but not limited to the Global System for Mobile Communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access 2000 (CDMA2000), Wideband Code Division Multiple Access (WCDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Long Term Evolution (LTE), fourth generation mobile communication technology (4G) and fifth generation mobile communication technology (5G).
In the related art, if the transmission security of the service message in the NVGRE tunnel is to be ensured, the IPsec technology is used to encapsulate the service message data before the service message is transmitted, so that the security of data communication between the two virtual Layer 2 networks is ensured by NVGRE over IPsec. Taking as an example the encryption-only ESP tunnel mode of IPsec, without Hash-based Message Authentication Code (HMAC) authentication, fig. 3 is a schematic diagram of the packet encapsulation format of NVGRE encapsulated in the related art using that encryption-only ESP tunnel mode. As shown in fig. 3, after the NVGRE tunnel encapsulation is completed (i.e., after NVGRE has added the outer IP header), an ESP header and a further IP header are encapsulated outside, and an ESP trailer is appended at the tail. Therefore, to give the NVGRE tunnel the transmission security property, at least one more ESP header, one more IP header and one more ESP trailer must be added during encryption encapsulation, which causes the problems of many message encapsulation layers, a long processing flow and high network overhead. In addition, with NVGRE over IPsec the NVGRE header itself is encrypted, and since the IPsec tunnel is a point-to-point encrypted tunnel, forwarding devices cannot know the IPsec key. Forwarding devices such as load balancers, firewalls and routers on the transmission path therefore cannot extract the VSID of the NVGRE tunnel, cannot participate in the route selection optimization of the NVGRE network, and cannot perform effective flow control on the NVGRE service.
Likewise, an NVE device that needs to extract the VSID can only do so after decrypting the whole IPsec message, rather than directly from the message the moment it arrives, so the NVGRE network identification efficiency is low.
Referring to fig. 4, fig. 4 is a schematic flow chart of an implementation of a message transmission method according to an embodiment of the present application, where the message transmission method may be applied to the network architecture shown in fig. 1; the message transmission method comprises the following steps:
step 401, a first network virtualization edge device receives a service packet sent by any one of a plurality of subnets connected to the first network virtualization edge device.
In the embodiment of the application, the devices connected to the second layer switch port or the third layer switch port are logically segmented, i.e. different subnets are divided. The first network virtual edge device receives a service message sent by a device in any one of a plurality of subnets connected with the first network virtual edge device. The service message is also referred to herein as a service payload or original two-layer data frame.
Step 402, the first network virtualization edge device assembles an NVGRE header for the service message.
Wherein the NVGRE header includes a VSID field and a key version field.
In the embodiment of the application, after receiving the service message, the first network virtualization edge device queries the MAC table, identifies the subnet to which the service message belongs, and records the VSID of the subnet to which the service message belongs. Further, the first network virtualization edge device sends the service message to an encapsulation flow of the NVGRE. The NVGRE encapsulation module assembles an NVGRE header for the service message.
In step 403, the first network virtualization edge device obtains the service message that meets the length threshold when the VSID in the VSID field and the key version number in the key version field collectively indicate that the service message needs to be encrypted.
In the embodiment of the application, the VSID indicates that the service message needs to be encrypted, and the VSID can be used for indexing the key information of the subnet to which the service message belongs; namely, the application multiplexes the VSID, and can not only indicate the sub-network to which the service message belongs, but also index the key information of the sub-network to which the service message belongs.
In other embodiments of the present application, when the service packet needs to be encrypted, the NVGRE encapsulation module assembles an NVGRE header for the service packet, where the NVGRE header includes at least a flag bit field, a key version field, a protocol type field, a VSID field, and a stream ID field; wherein the second bit in the flag bit field is used to indicate whether the message is encrypted.
In some embodiments, in the case that the VSID in the VSID field is not associated with the corresponding key information, the encapsulation module assembles an NVGRE header for the service packet including a flag bit field, a reserved field, a version field, a protocol type field, a VSID field, a flow ID field; wherein the second bit in the flag bit field takes a value of 0.
In the embodiment of the application, the service message meeting the length threshold comprises an original message of the service message sent by any subnet under the condition that the length threshold is met, or the service message meeting the length threshold is obtained by filling the original message under the condition that the length threshold is not met.
In the embodiment of the present application, step 402 may be performed before step 403, that is, the first network virtualization edge device may package a NVGRE header for the service packet, and adjust the NVGRE header after the service packet needs to be encrypted; of course, step 402 may be performed after step 403, that is, after assembling the NVGRE header for the service packet in the case where the service packet needs to be encrypted; the present application is not particularly limited in this regard.
Step 404, the first network virtualization edge device encrypts the service message meeting the length threshold to obtain an encrypted service message.
In the embodiment of the application, the first network virtualization edge device encrypts the service message meeting the length threshold by adopting an encryption algorithm to obtain the encrypted service message. Here, the encryption algorithm includes a symmetric encryption algorithm and an asymmetric encryption algorithm.
In some embodiments, when the value of the second bit of the flag bit field in the NVGRE header is 1, the service message is encrypted and encapsulated using an encryption technique.
And step 405, the first network virtualization edge device sends the encrypted service message to the second network virtualization edge device.
In the embodiment of the application, after the encryption of the service message is completed, the first network virtualization edge device encapsulates an outer layer IP header and an outer layer two-layer header of the encrypted service message, and sends the encapsulated message to the second network virtualization edge device.
In some embodiments, in the case that the VSID in the VSID field is not associated with the corresponding key information, the first network virtualization edge device sends the service message in a clear manner, or blocks waiting for the arrival of the key information, or directly discards the service message.
Step 406, the second network virtual edge device receives the service message sent by the first network virtual edge device.
The service message has an NVGRE header, and the NVGRE header is assembled by the first network virtualization edge device for the service message sent by any one of the received subnets.
Step 407, if the value of the second bit of the flag bit field in the NVGRE header is 1, the second network virtual edge device determines that the service packet is obtained by encrypting the service packet meeting the length threshold when the VSID in the VSID field included in the NVGRE header and the key version number in the key version field indicate that the service packet needs to be encrypted together.
In the embodiment of the application, after the second network virtual edge equipment receives the service message, the service message is checked, and after the service message passes the check, the decapsulation module strips the outer layer two-layer header and the outer layer IP header. Further, the second network virtual edge device checks the NVGRE tunnel, and after the NVGRE tunnel passes the check, the decapsulation module strips the fields in the NVGRE header, for example, the flag bit field, the version field, the VSID field, and the protocol type field.
In the embodiment of the application, the NVGRE tunnel is a point-to-point logical tunnel between two NVEs. After the NVE encapsulates the NVGRE header and the IP header for the data frame, the encapsulated message is transparently forwarded to the remote NVE through the NVGRE tunnel, and the remote NVE decapsulates the encapsulated message.
Here, if the value of the second bit of the flag bit field is 1, the service message is an encrypted service message; if the value of the second bit of the flag bit field is 0, the service message is an unencrypted service message. Here, the present application indicates whether the service message is encrypted using the second bit, which is not defined in the NVGRE header tag bit field in the related art, with the value of the second bit. That is, the present application is implemented by means of the existing NVGRE header without introducing additional overhead when informing the second network virtual edge device whether the service message is encrypted.
The embodiment of the application provides a message transmission method, which receives a service message sent by any one of a plurality of subnets connected with the first network virtual edge device and assembles a Network Virtualization using Generic Routing Encapsulation (NVGRE) header for the service message, wherein the NVGRE header comprises a virtual subnet identifier VSID field and a key version field; under the condition that the VSID in the VSID field and the key version number in the key version field together indicate that the service message needs to be encrypted, obtains the service message meeting the length threshold and encrypts it to obtain the encrypted service message; and sends the encrypted service message to the second network virtual edge device. That is, when the first network virtualization edge device receives the service message and the service message needs to be encrypted, only the service message meeting the length threshold is encrypted, and no extra layers of message headers or trailers are added, so that the number of layers in the encapsulated message is reduced and the network resource cost during transmission is reduced; encrypted transmission between the first network virtual edge device and the second network virtual edge device is realized, and the data exchanged between the internal networks behind the network virtual edge devices is not exposed in the clear on the public network; security during transmission is ensured.
Meanwhile, the encryption mode of the application does not encrypt or encapsulate the NVGRE header, so forwarding devices such as load balancers, firewalls and routers on the transmission path can extract the VSID from the NVGRE header, participate in the route selection optimization of the NVGRE network, and effectively control the flow of the NVGRE service. And when an NVE device needs to extract the VSID, it can do so quickly the moment the message arrives, without decrypting the whole message, so the NVGRE network identification efficiency is high.
Referring to fig. 5, fig. 5 is a schematic flow chart of an implementation of a message transmission method according to an embodiment of the present application, where the message transmission method may be applied to the network architecture shown in fig. 1; the message transmission method comprises the following steps:
step 501, a first network virtualization edge device receives a service packet sent by any one of a plurality of subnets connected to the first network virtualization edge device.
Step 502, the first network virtualization edge device assembles an NVGRE header for the service message.
Wherein the NVGRE header includes a virtual subnet identifier VSID field and a key version field.
In step 503, when the VSID in the VSID field and the key version number in the key version field collectively indicate that the service packet needs to be encrypted, the first network virtualization edge device determines key information of the service packet indexed by the VSID.
Wherein the key information includes a block length of the encryption algorithm.
In the embodiment of the application, the key information used for encrypting and decrypting the service message (namely, the key information used by an encryption algorithm for encrypting and decrypting the service message) is marked by a VSID, and the VSID is multiplexed into the ID of the index key. The same NVGRE subnet (i.e., NVGRE network with the same VSID) uses the same key information. The keys are not differentiated in direction, and the keys used for encryption and decryption of all NVEs in the same NVGRE subnet are identical.
In the embodiment of the application, the VSID is used for marking one NVGRE subnet and indexing key information used by the NVGRE subnet.
In the embodiment of the application, the encapsulation module in the first network virtualization edge device uses the VSID to index the key information of the subnet to which the service message belongs. That is, the present application multiplexes the VSID, and by using the VSID, not only the subnet to which the service packet belongs can be indicated, but also the key information of the subnet to which the service packet belongs can be indexed.
In the embodiment of the application, the key information in each network virtual edge device is distributed in a centralized distribution mode, can be distributed for each network virtual edge device in a static configuration mode, and can also be dynamically distributed to each network virtual edge device through a key management platform. The key information obtained by each network virtual edge device is identical. The key version numbers used for different rounds of key distribution need to be differentiated.
Step 504, the first network virtualization edge device obtains a service message meeting a length threshold based on the block length.
In the embodiment of the application, under the condition that the service message needs to be encrypted, the encapsulation module extracts a specific symmetric encryption algorithm from the key information and the block length of the symmetric encryption algorithm. Further, according to the block length, obtaining the service message meeting the length threshold.
It should be noted that the encapsulation module may also extract from the key information the key version number and the operating mode of the cipher, whether Cipher Block Chaining (CBC), Counter (CTR), Output Feedback (OFB) or Cipher Feedback (CFB).
For example, when the length of the original service message sent by any subnet is an integer multiple of the block length, the service message meeting the length threshold is the original service message sent by any subnet; when the length of the original service message sent by any sub-network is not integral multiple of the block length, the service message meeting the length threshold is the service message obtained by filling the original service message. That is, the length of the service message satisfying the length threshold is greater than or equal to the length of the original service message sent by any subnet.
For example, when the length of the original service message sent by any subnet is equal to the block length, the service message meeting the length threshold is the original service message sent by any subnet; and when the length of the original service message sent by any sub-network is not equal to the block length, the service message meeting the length threshold is the service message obtained by filling the original service message.
In the embodiment of the present application, step 504 obtains a service packet meeting a length threshold based on a block length, and may be implemented by the following steps:
and A1, obtaining a first length of the service message.
And A2, if the first remainder obtained by dividing the first length by the block length is not 0, obtaining a padding data length value and padding data.
In the embodiment of the application, if the first remainder obtained by dividing the first length by the block length is not 0, a padding data length value and padding data are obtained; that is, the original service message sent by the subnet is not an integer multiple of the block length, so it is not a service message meeting the length threshold, and a padding data length value and padding data need to be obtained and the padding data filled into the original service message to obtain the service message meeting the length threshold. If the first remainder obtained by dividing the first length by the block length is 0, no padding data need to be obtained; that is, the original service message sent by the subnet is already an integer multiple of the block length, and the original service message itself is the service message meeting the length threshold.
In some embodiments, FIG. 6 is a schematic diagram of the NVGRE packet encapsulation format of the present application. As shown in fig. 6, the NVGRE header includes a padding data length field and a padding data field. Together these two fields pad the service message so that the length of the service message before encryption and after decryption is an integer multiple of the block length of the encryption algorithm. The padding data length field occupies one byte and takes a value from 0x0 to 0xF. The padding data field is of variable length. When the service message needs to be encrypted and the first remainder obtained by dividing the first length by the block length is not 0, padding data is written into the padding data field and the padding data length value into the padding data length field. The length of the data in the padding data field equals the length indicated in the padding data length field. Here, "padding data" covers both the padding data in the padding data field and the length value in the padding data length field.
It should be noted that the padding data field in fig. 6 is optional. If the first remainder obtained by dividing the first length by the block length is 0, the padding data field does not exist, and the padding data length field takes a value of 0x0.
In the embodiment of the present application, the NVGRE header includes a padding field, and obtaining the padding data in step A2 may be implemented by the following steps:
and B1, determining length indication information and starting position indication information.
The length indication information is used for indicating the length of filling data filled in the service message; the start position indication information is used to indicate a start position of the padding data in the padding field.
The length indication information includes a length in the padding data length field plus a padding data length value.
And B2, acquiring filling data from the filling field according to the length indication information and the initial position indication information.
In the embodiment of the application, after the length indication information and the start position indication information are determined, the first network virtualization edge device obtains the padding data from the padding field according to the start position indicated by the start position indication information and the length indicated by the length indication information. Here, the padding field may be pre-filled; as long as the padding field is pre-filled with more data than the block length, the first network virtualization edge device can obtain the required padding data from it.
In some embodiments, the padding fields include a padding data length field and a padding data field; the padding data length value is used to indicate the length of the data in the padding data field.
And A3, filling the filling data into the service message to obtain the service message meeting the length threshold.
As shown in fig. 6, the service message satisfying the length threshold is obtained by padding the service message with the padding data in the padding data field and the length value in the padding data length field.
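The padding steps A1 to A3 and B1 to B2 above, as an added Python example that is not part of the patent or of any NVE implementation. It assumes a constructed pre-filled padding field PADDING_FIELD of 32 bytes, a 16-byte block length (so the padding length always fits the one-byte 0x0 to 0xF field), and a start position of 0; the function names pad_length_value, take_padding, pad_service_message and strip_padding are the example's own.

```python
# Added example (not the patent's code): padding a service message up to an
# integer multiple of the cipher block length, following steps A1-A3 and B1-B2.

# Constructed pre-filled padding field, longer than the block length as the
# text requires so any padding length up to block_length - 1 can be taken.
PADDING_FIELD = bytes(range(0x10, 0x30))  # 32 bytes


def pad_length_value(first_length: int, block_length: int) -> int:
    """Steps A1/A2: the remainder of first_length divided by block_length decides
    whether padding is needed; returns the padding data length value (0 = none)."""
    if block_length <= 0:
        raise ValueError("block length must be positive")
    first_remainder = first_length % block_length
    return 0 if first_remainder == 0 else block_length - first_remainder


def take_padding(padding_field: bytes, start: int, length: int) -> bytes:
    """Step B2: slice the pre-filled padding field using the start position
    indication and the length indication."""
    if start < 0 or start + length > len(padding_field):
        raise ValueError("padding field shorter than the requested padding")
    return padding_field[start:start + length]


def pad_service_message(message: bytes, block_length: int,
                        padding_field: bytes = PADDING_FIELD, start: int = 0):
    """Step A3: returns (service message meeting the length threshold, padding
    data length value). The length value travels in the one-byte padding data
    length field (0x0..0xF), so block lengths above 16 cannot be represented."""
    if block_length > 16:
        raise ValueError("padding data length field holds at most 0xF")
    n = pad_length_value(len(message), block_length)   # step B1: length indication
    padding = take_padding(padding_field, start, n)    # step B2
    return message + padding, n


def strip_padding(padded: bytes, pad_len_value: int) -> bytes:
    """Receiver side: remove exactly the number of bytes the header announced."""
    if pad_len_value < 0 or pad_len_value > len(padded):
        raise ValueError("padding data length value inconsistent with message")
    return padded[:len(padded) - pad_len_value]


if __name__ == "__main__":
    padded, n = pad_service_message(b"A" * 21, 16)
    print(n, len(padded), strip_padding(padded, n) == b"A" * 21)
```

A message of 21 bytes with a 16-byte block gets 11 bytes of padding (the first remainder is 5), a 32-byte message gets none and the length field carries 0x0, matching the optional padding data field of fig. 6.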
Step 505, the first network virtualization edge device encrypts the service message meeting the length threshold with the key to obtain an encrypted service message.
In the embodiment of the application, the key comprises an encryption key and a decryption key. Here, the first network virtualization edge device encrypts the service message meeting the length threshold by using the encryption key, and obtains the encrypted service message.
In the embodiment of the present application, the key information further includes a packet mode of an encryption algorithm, and step 505 encrypts the service packet meeting the length threshold with the key to obtain the encrypted service packet, which may be implemented by the following steps:
and step C1, if the packet mode is a first type of packet mode, acquiring IV data from an initialization vector (IV) field included in the NVGRE header.
In embodiments of the present application, the encryption algorithms for the first type of packet mode include, but are not limited to CBC, CTR, OFB and CFB.
In the embodiment of the present application, if the packet mode is a first type of packet mode, such as CBC/CTR/OFB/CFB mode, the encapsulation module fills the IV field in the NVGRE header.
As shown in fig. 6, the NVGRE header includes an IV field for storing the IV required by a symmetric encryption algorithm in a first type of packet mode; its length equals the block length of the encryption algorithm. The IV field is optional and is included when the packet mode of the encryption algorithm used is of the first type. When the packet mode of the encryption algorithm used is of the second type, this field is not included, i.e., the encapsulation module does not need to fill the IV field in the NVGRE header. The second type of packet mode includes, but is not limited to, Electronic Codebook (ECB) mode.
In the embodiment of the application, the IV data assists the encryption algorithm of the first type of packet mode: when an encryption algorithm of the first type of packet mode is used to encrypt the message, the message can only be encrypted once the IV data has been obtained; without the IV data the message cannot be encrypted.
And C2, performing an encryption operation on each block of data in the service message meeting the length threshold based on the IV data and the key, to obtain the encrypted service message.
Step 506, the first network virtualization edge device defines a second bit in the tag bit field in the NVGRE header as an encrypted tag bit.
Wherein, the value of the encryption mark bit is 1 indicates that the service message is encrypted, and the value of the encryption mark bit is 0 indicates that the service message is not encrypted.
In an embodiment of the present application, as shown in fig. 6, the first network virtualization edge device defines the second bit 601 in the tag bit field in the NVGRE header as an encrypted tag bit.
In some embodiments, step 506 may be performed before step 503; that is, when the NVGRE header is assembled for the service packet in step 502, the value of the second bit in the flag bit field of the NVGRE header is set to 1 directly, and the first network virtualization edge device then encrypts and encapsulates the service packet directly, without using the VSID to indicate whether the service packet needs encryption. During encryption the service message is processed directly with the key information indexed by the VSID.
In step 507, the first network virtualization edge device adds a key version number to the key version field included in the NVGRE header.
As shown in fig. 6, the NVGRE header of the present application includes a key version field. The key version field reuses a reserved field of the NVGRE header in the related art: the 9 reserved bits, the 5th to 13th bits, of the NVGRE header are named the key version field and mark the key version of the same NVGRE subnet (i.e., the NVGRE network with the same VSID). A key has a validity period, and when the NVGRE subnet changes its key the key version changes. The key version field thus solves the problem of aligning keys on both sides during a key change.
It should be noted that, each time a round of key information distribution is performed, the key version number will also change. The key version numbers obtained by the NVEs are the same in the key information distributed in the same round.
In the embodiment of the application, when the service message needs to be encrypted, the first remainder obtained by dividing the first length of the service message by the block length is not 0, and the packet mode of the encryption algorithm is the first type of packet mode, the NVGRE header of the service message comprises a flag bit field, a key version field, a protocol type field, a VSID field, a stream ID field, an IV field, a padding data length field and a padding data field, where the second bit of the flag bit field indicates whether the service message is encrypted. When the service message needs to be encrypted and the first remainder obtained by dividing the first length of the service message by the block length is not 0, the NVGRE header of the service message comprises a flag bit field, a key version field, a protocol type field, a VSID field, a stream ID field, a padding data length field and a padding data field, where the second bit of the flag bit field indicates whether the service message is encrypted. When the first remainder obtained by dividing the first length of the service message by the block length is 0, the NVGRE header of the service message comprises a flag bit field, a key version field, a protocol type field, a VSID field, a stream ID field and a padding data length field, where the second bit of the flag bit field indicates whether the service message is encrypted. That is, the present application extends the NVGRE header.
In the embodiment of the application, when the VSID in the VSID field is not associated with any key information, the NVGRE header of the service message comprises a flag bit field, a reserved field, a version field, a protocol type field, a VSID field and a stream ID field. The modified NVGRE protocol provided by the application is therefore compatible with the standard NVGRE protocol and can interoperate with an NVE running standard NVGRE: when communicating with such an NVE it does not set the second flag bit in the NVGRE header, does not set the key version field, does not encapsulate an IV field, a padding data length field or a padding data field, and does not encrypt the service payload.
And step 508, the first network virtualization edge device sends the encrypted service message to the second network virtualization edge device.
Step 509, the second network virtual edge device receives the service packet sent by the first network virtual edge device.
The service message has an NVGRE header, and the NVGRE header is assembled by the first network virtualization edge device for the service message sent by any one of the received subnets.
Step 510, if the value of the second bit of the flag bit field in the NVGRE header is 1, the second network virtual edge device determines that the service packet is obtained by encrypting the service packet meeting the length threshold when the VSID in the VSID field included in the NVGRE header and the key version number in the key version field indicate that the service packet needs to be encrypted together.
In the embodiment of the application, the decapsulation module of the second network virtual edge device checks whether the value of the second bit (the encryption flag bit) of the flag bit field in the NVGRE header is 1. If it is not 1, the service message is not encrypted; it is then either forwarded directly to the service terminal in the back-end intranet, if plaintext service messages are accepted, or discarded.
Step 511, the second network virtual edge device obtains the key version number in the key version field in the NVGRE header.
And step 512, the second network virtual edge device determines the key information of the service message based on the VSID and the key version number.
In the embodiment of the application, the second network virtual edge equipment decapsulation module uses the VSID and the key version number to jointly index the key information corresponding to the subnet to which the service message belongs.
And 513, the second network virtual edge device decrypts the service message based on the key information to obtain the decrypted service message.
In the embodiment of the application, the decapsulation module of the second network virtual edge device obtains from the key information the specific symmetric encryption algorithm, the block length, and whether the algorithm is in CBC/CTR/OFB/CFB mode, as used by the first network virtual edge device when encrypting the service message.
In the embodiment of the application, the second network virtual edge equipment decapsulation module decrypts the service message according to the key information and strips the filling data. After the decryption is completed, the second network virtual edge device obtains the original service message sent by the first network virtual edge device at the opposite end. And the second network virtual edge equipment forwards the unpacked original service message to a service terminal in the back-end intranet.
In this embodiment, the key information includes a packet mode, a key, a block length and IV data of an encryption algorithm used by the first network virtualization edge device when encrypting the service packet; in step 513, the service message is decrypted based on the key information, and the decrypted service message is obtained, which may be implemented by the following steps:
and decrypting the service message based on the packet mode, the key, the block length and the IV data to obtain the decrypted service message.
In the embodiment of the application, when the value of the second bit of the flag bit field in the NVGRE header is 1 and the encryption algorithm used is in the first type of packet mode, the NVGRE header contains the IV field.
In the embodiment of the application, when the value of the second bit of the flag bit field in the NVGRE header is 1, the NVGRE header contains the padding data length field.
In the embodiment of the application, when the value of the second bit of the flag bit field in the NVGRE header is 1, and the service message length is not an integer multiple of the block length or the value of the padding data length field is not 0, the NVGRE header contains the padding data field.
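The extended NVGRE header of fig. 6 (steps 506 and 507) together with the encrypt and decrypt path on both NVEs (steps 505 and 509 to 513), as one added Python example that is not the patent's code. Assumptions: bit positions follow the standard NVGRE header (a 16-bit flags/version halfword in which the page's "second bit" is the R bit and the 9 reserved bits 5 to 13 carry the key version, protocol type 0x6558, a 24-bit VSID and an 8-bit flow ID, the page's stream ID); the padding bytes are appended to the payload before encryption and also carried in the header's padding data field; KEY_STORE is a constructed key table keyed by (VSID, key version) with two distribution rounds present at once, as happens during a key change; and the cipher is a keyed stand-in block function in CBC mode used only so the example runs offline, not a real cipher.

```python
import os
import struct

# Added example (not the patent's code). Packs/parses the extended NVGRE header
# of fig. 6 and runs encapsulation on the first NVE and decapsulation on the
# second NVE. The block function below is a placeholder so the code runs without
# a crypto library; a real NVE would use a vetted block cipher.

BLOCK = 16                      # assumed block length of the symmetric algorithm
ENC_FLAG = 1 << 14              # "second bit" of the 16-bit flags field (R bit)
KEY_FLAG = 1 << 13              # K bit: VSID/flow-ID key field present
KEYVER_SHIFT = 3                # reserved bits 5..13 (1-indexed) hold the version
KEYVER_MASK = 0x1FF << KEYVER_SHIFT
PROTO_TEB = 0x6558              # NVGRE protocol type (transparent Ethernet bridging)

# Constructed key information, identical on both NVEs; indexed by (VSID, version).
KEY_STORE = {
    (0x00ABCD, 3): {"mode": "CBC", "block_length": BLOCK, "key": bytes(range(16))},
    (0x00ABCD, 4): {"mode": "CBC", "block_length": BLOCK, "key": bytes(range(16, 32))},
}


def _block_enc(key: bytes, blk: bytes) -> bytes:
    """Stand-in keyed permutation (NOT a cipher): XOR with key, rotate left 1 byte."""
    x = bytes(a ^ b for a, b in zip(blk, key))
    return x[1:] + x[:1]


def _block_dec(key: bytes, blk: bytes) -> bytes:
    x = blk[-1:] + blk[:-1]
    return bytes(a ^ b for a, b in zip(x, key))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """First-type packet mode (CBC): each block is chained with the previous output."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = _block_enc(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(_block_dec(key, blk), prev))
        prev = blk
    return bytes(out)


def encapsulate(vsid: int, flow_id: int, key_version: int, message: bytes, iv=None) -> bytes:
    """First NVE (steps 503-508): returns NVGRE header followed by the payload."""
    info = KEY_STORE.get((vsid, key_version))
    if info is None:                     # VSID not tied to key information: plain NVGRE
        return struct.pack("!HHI", KEY_FLAG, PROTO_TEB, (vsid << 8) | flow_id) + message
    pad_len = (-len(message)) % info["block_length"]
    padding = bytes([0xA5]) * pad_len    # constructed pre-filled padding field content
    iv = iv if iv is not None else os.urandom(BLOCK)
    flags = KEY_FLAG | ENC_FLAG | ((key_version << KEYVER_SHIFT) & KEYVER_MASK)
    hdr = struct.pack("!HHI", flags, PROTO_TEB, (vsid << 8) | flow_id)
    if info["mode"] == "CBC":            # first-type mode: IV field is present
        hdr += iv
    hdr += bytes([pad_len]) + padding    # padding length field, optional padding data field
    return hdr + cbc_encrypt(info["key"], iv, message + padding)


def decapsulate(packet: bytes):
    """Second NVE (steps 509-513): returns (service message, was_encrypted).
    Raises on an unknown (VSID, key version) or inconsistent padding so the
    caller can discard the packet."""
    flags, proto, keyfield = struct.unpack("!HHI", packet[:8])
    if proto != PROTO_TEB or not flags & KEY_FLAG:
        raise ValueError("not an NVGRE packet")
    vsid = keyfield >> 8
    off = 8
    if not flags & ENC_FLAG:             # step 510: second bit 0 -> plaintext policy
        return packet[off:], False
    key_version = (flags & KEYVER_MASK) >> KEYVER_SHIFT      # step 511
    info = KEY_STORE.get((vsid, key_version))                # step 512
    if info is None:
        raise KeyError(f"no key information for VSID {vsid:#x} version {key_version}")
    if info["mode"] != "CBC":
        raise ValueError("this example only implements the first-type (CBC) mode")
    iv, off = packet[off:off + BLOCK], off + BLOCK
    pad_len = packet[off]
    off += 1
    padding = packet[off:off + pad_len]
    off += pad_len
    padded = cbc_decrypt(info["key"], iv, packet[off:])     # step 513
    if pad_len and padded[-pad_len:] != padding:
        raise ValueError("padding inconsistent with header: discard")
    return padded[:len(padded) - pad_len], True


if __name__ == "__main__":
    pkt = encapsulate(0x00ABCD, 7, 4, b"hello nvgre")
    print(len(pkt), decapsulate(pkt))
```

The receiver accepts packets carrying either version 3 or version 4 while both rounds are in KEY_STORE, which is the key alignment the key version field is meant to provide, and discards a packet whose version has no entry. A packet whose second bit is 0 is handed back as plaintext so the caller can apply the forward-or-discard policy of step 510. The padding comparison in decapsulate is only a consistency check; the scheme as described on the page carries no authentication tag, so it provides confidentiality, not integrity.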
It should be noted that, in this embodiment, the descriptions of the same steps and the same content as those in other embodiments may refer to the descriptions in other embodiments, and are not repeated here.
An embodiment of the present application provides a first network virtual edge device, where the first network virtual edge device may be used to implement the message transmission method provided in the embodiments corresponding to fig. 4 to 5, and referring to fig. 7, the first network virtual edge device 100 includes:
a first receiving module 701, configured to receive a service packet sent by any one of a plurality of subnets connected to a first network virtual edge device;
a first processing module 702 configured to assemble a Network Virtualization using Generic Routing Encapsulation (NVGRE) header for the service packet, where the NVGRE header includes a virtual subnet identifier (VSID) field and a key version field;
the first processing module 702 is further configured to obtain a service packet meeting a length threshold when the VSID in the VSID field and the key version number in the key version field indicate that the service packet needs to be encrypted, and encrypt the service packet meeting the length threshold to obtain an encrypted service packet;
The first sending module 703 is configured to send the encrypted service packet to the second network virtual edge device.
In other embodiments of the present application, the first processing module 702 is configured to determine key information of a service packet indexed by a VSID; the key information comprises the block length of the encryption algorithm; based on the block length, obtaining the service message meeting the length threshold.
In other embodiments of the present application, the first processing module 702 is configured to obtain a first length of the service packet; if the first remainder obtained by dividing the first length by the block length is not 0, obtain a padding data length value and padding data; and fill the padding data into the service message to obtain the service message meeting the length threshold.
In other embodiments of the present application, the first processing module 702 is configured to encrypt a service packet that meets a length threshold with a key, to obtain an encrypted service packet; the key information includes a key.
In other embodiments of the present application, the first processing module 702 is configured to determine length indication information and start position indication information; the length indication information is used for indicating the length of the filling data filled in the service message; the initial position indication information is used for indicating the initial position of the filling data in the filling field; and obtaining padding data from the NVGRE header further including a padding field according to the length indication information and the start position indication information.
In other embodiments of the present application, the first processing module 702 is configured to obtain IV data from an IV field of an initialization vector included in the NVGRE header if the packet mode is a first type packet mode; wherein the key information further includes a packet mode of an encryption algorithm; and carrying out encryption operation on each piece of block data in the service message meeting the length threshold based on the IV data and the secret key to obtain an encrypted service message.
In other embodiments of the present application, first processing module 702 is configured to define a second bit in a tag bit field in the NVGRE header as an encrypted tag bit; wherein, the value of the encryption mark bit is 1 indicates that the service message is encrypted, and the value of the encryption mark bit is 0 indicates that the service message is not encrypted.
In other embodiments of the present application, the first processing module 702 is configured to add a key version number to the key version field, so that when the second network virtualization edge device decrypts the encrypted service message, based on the key version number and the VSID corresponding to the encrypted service message, the packet mode, the key, the block length and the IV data of the encryption algorithm adopted by the first network virtualization edge device when encrypting the service message are determined.
The description of the apparatus embodiments above is similar to that of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus of the present application, please refer to the description of the embodiments of the method of the present application.
It should be noted that, in the embodiment of the present application, if the above-mentioned message transmission method is implemented in the form of a software functional module and sold or used as a separate product, it may also be stored in a computer readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application, in essence or in the part contributing to the related art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a terminal device to execute all or part of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, an optical disk, or other media capable of storing program code. Thus, embodiments of the application are not limited to any specific combination of hardware and software.
An embodiment of the present application provides a first network virtual edge device, which may be applied to a message transmission method provided in the embodiments corresponding to fig. 4 to 5, and referring to fig. 8, the first network virtual edge device 100 includes: a first processor 801, a first memory 802, and a first communication bus 803, wherein: the first communication bus 803 is used to enable a communication connection between the first processor 801 and the first memory 802.
The first processor 801 is configured to execute a program stored in the first memory 802, so as to implement the message transmission method according to the embodiments corresponding to fig. 4 to 5.
An embodiment of the present application provides a second network virtual edge device, where the second network virtual edge device may be used to implement the message transmission method provided in the embodiments corresponding to fig. 4 to 5, and as shown in fig. 9, the second network virtual edge device 200 includes:
the second receiving module 901 is configured to receive a service packet sent by the first network virtualization edge device, where the service packet has an NVGRE header, and the NVGRE header is assembled by the first network virtualization edge device for a service packet sent by any one of the received subnets;
and the second processing module 902 is configured to, if the value of the second bit of the flag bit field in the NVGRE header is 1, determine that the service packet is obtained by encrypting the service packet that meets the length threshold when the VSID in the VSID field included in the NVGRE header and the key version number in the key version field indicate that the service packet needs to be encrypted together.
In other embodiments of the present application, second processing module 902 is configured to obtain a key version number in a key version field in the NVGRE header;
The second processing module 902 is further configured to determine key information of the service packet based on the VSID and the key version number;
the second processing module 902 is further configured to decrypt the service message based on the key information, to obtain a decrypted service message.
In other embodiments of the present application, the key information includes a packet mode, a key, a block length, and IV data of an encryption algorithm used by the first network virtualization edge device when encrypting the service packet.
In other embodiments of the present application, the second processing module 902 is configured to decrypt the service packet based on the packet mode, the key, the block length, and the IV data, to obtain a decrypted service packet.
The description of the apparatus embodiments above is similar to that of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus of the present application, please refer to the description of the embodiments of the method of the present application.
It should be noted that, in the embodiment of the present application, if the above-mentioned message transmission method is implemented in the form of a software functional module and sold or used as a separate product, it may also be stored in a computer readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application, in essence or in the part contributing to the related art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a terminal device to execute all or part of the methods of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a magnetic disk or an optical disk. Thus, embodiments of the application are not limited to any specific combination of hardware and software.
An embodiment of the present application provides a second network virtual edge device, which may be applied to a message transmission method provided in the embodiments corresponding to fig. 4 to 5, and referring to fig. 10, the second network virtual edge device 200 includes: a second processor 1001, a second memory 1002, and a second communication bus 1003, wherein: the second communication bus 1003 is used to implement a communication connection between the second processor 1001 and the second memory 1002.
The second processor 1001 is configured to execute a program stored in the second memory 1002, so as to implement the message transmission method according to the embodiments corresponding to fig. 4 to 5.
Embodiments of the present application provide a computer readable storage medium storing a computer program executable by one or more processors to implement a method for transmitting a message according to the embodiments corresponding to fig. 4 to 5.
It should be noted here that: the description of the storage medium and apparatus embodiments above is similar to that of the method embodiments described above, with similar benefits as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus of the present application, please refer to the description of the method embodiments of the present application.
The computer readable storage medium may be a memory such as a ROM, a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferroelectric Random Access Memory (FRAM), a flash memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); or it may be any electronic device that includes one or any combination of the above-mentioned memories, such as a mobile phone, a computer, a tablet device or a personal digital assistant.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment of the present application" or "the foregoing embodiments" or "some implementations" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "an embodiment of the application" or "the foregoing embodiment" or "some embodiments" or "some implementations" in various places throughout this specification are not necessarily referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method described in the embodiments of the present application.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the application, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (11)

1. A method for transmitting a message, applied to a first network virtualization edge device, the method comprising:
receiving a service message sent by any one of a plurality of subnets connected to the first network virtualization edge device, and assembling a Network Virtualization using Generic Routing Encapsulation (NVGRE) header for the service message, wherein the NVGRE header comprises a virtual subnet identifier (VSID) field and a key version field;
when the VSID in the VSID field and the key version number in the key version field together indicate that the service message needs to be encrypted, obtaining a service message satisfying a length threshold, and encrypting the service message satisfying the length threshold to obtain an encrypted service message;
and sending the encrypted service message to a second network virtualization edge device.
2. The method according to claim 1, wherein obtaining the service message satisfying the length threshold comprises:
determining key information of the service message indexed by the VSID, the key information comprising the block length of an encryption algorithm;
and obtaining the service message satisfying the length threshold based on the block length.
3. The method according to claim 2, wherein obtaining the service message satisfying the length threshold based on the block length comprises:
obtaining a first length of the service message;
if the first remainder obtained by dividing the first length by the block length is not 0, obtaining a padding data length value and padding data;
and adding the padding data to the service message to obtain the service message satisfying the length threshold.
4. The method according to claim 2 or 3, wherein the key information includes a key, and encrypting the service message satisfying the length threshold to obtain the encrypted service message comprises:
encrypting the service message satisfying the length threshold with the key to obtain the encrypted service message.
5. The method according to claim 3, wherein the NVGRE header further comprises a padding field, and obtaining the padding data comprises:
determining length indication information and start position indication information, the length indication information indicating the length of the padding data added to the service message, and the start position indication information indicating the start position of the padding data within the padding field;
and obtaining the padding data from the padding field according to the length indication information and the start position indication information.
6. The method according to claim 4, wherein the key information further includes a block cipher mode of the encryption algorithm, and encrypting the service message satisfying the length threshold with the key to obtain the encrypted service message comprises:
if the block cipher mode is a first-type mode, obtaining IV data from an initialization vector (IV) field included in the NVGRE header;
and performing an encryption operation on each block of data in the service message satisfying the length threshold based on the IV data and the key to obtain the encrypted service message.
7. The method according to any one of claims 1 to 3 or 5 to 6, wherein the NVGRE header further includes a flag bit field, and after encrypting the service message satisfying the length threshold to obtain the encrypted service message, the method further comprises:
defining a second bit in the flag bit field of the NVGRE header as an encryption flag bit;
wherein a value of 1 in the encryption flag bit indicates that the service message is encrypted, and a value of 0 indicates that the service message is unencrypted.
8. The method according to any one of claims 2 to 3 or 5 to 6, wherein the key information comprises a key version number, and the method further comprises:
adding the key version number to the key version field, so that when the second network virtualization edge device decrypts the encrypted service message, the block cipher mode, key, block length and IV data of the encryption algorithm used by the first network virtualization edge device when encrypting the service message are determined based on the key version number and the VSID corresponding to the encrypted service message.
9. A method for transmitting a message, applied to a second network virtualization edge device, the method comprising:
receiving a service message sent by a first network virtualization edge device, the service message carrying an NVGRE header assembled by the first network virtualization edge device for a received service message sent by any subnet;
and if the value of the second bit of the flag bit field in the NVGRE header is 1, determining that the service message was obtained by the first network virtualization edge device encrypting a service message satisfying a length threshold when the VSID in the VSID field and the key version number in the key version field included in the NVGRE header together indicate that the service message needs to be encrypted.
10. The method according to claim 9, further comprising:
obtaining the key version number from the key version field in the NVGRE header;
determining key information of the service message based on the VSID and the key version number;
and decrypting the service message based on the key information to obtain a decrypted service message.
11. The method according to claim 10, wherein the key information includes the block cipher mode, key, block length and IV data of the encryption algorithm used by the first network virtualization edge device when encrypting the service message, and decrypting the service message based on the key information to obtain the decrypted service message comprises:
decrypting the service message based on the block cipher mode, the key, the block length and the IV data to obtain the decrypted service message.
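The claims above describe one procedure split across the two NVE devices: the sender (claims 1 to 8) builds the extended NVGRE header, pads the payload to a multiple of the block length using bytes taken from the header's padding field, encrypts with the key selected by VSID and key version plus the IV carried in the header, and sets the second flag bit; the receiver (claims 9 to 11) reads that flag bit, looks the key information up by (VSID, key version), decrypts, and strips the announced padding. The Go program below is an added example written for this page; it is not code from the patent or from the applicants. The byte layout of the header, the use of AES-128-CBC as the IV-carrying "first type" mode, the choice to fill the padding field and IV field with fresh random bytes, a padding start position fixed at 0, and the key table with VSID 0x001234 and version 1 are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed byte layout of the extended NVGRE header (the claims name the fields
// but give no offsets): [0:2] flag bits, the "second bit" marks encryption;
// [2:5] 24-bit VSID; [5] key version; [6] padding length indication;
// [7] padding start position; [8:24] padding field; [24:40] IV field.
const (
	hdrLen      = 40
	padFieldOf  = 8
	padFieldLen = 16
	ivOf        = 24
	encFlagBit  = uint16(0x4000) // second bit of the 16-bit flag field, MSB first
)

// keyID indexes key information by VSID and key version (claims 2, 8 and 10).
type keyID struct {
	vsid    uint32
	version uint8
}

// KeyInfo is the "key information" of the claims. AES-CBC is assumed as the
// IV-carrying "first type" block cipher mode of claim 6 for every entry.
type KeyInfo struct {
	Key      []byte
	BlockLen int
}

type KeyTable map[keyID]KeyInfo

// DemoKeyTable is a constructed table: VSID 0x001234 with key version 1 must
// be encrypted; any other (VSID, version) pair is forwarded in the clear.
func DemoKeyTable() KeyTable {
	return KeyTable{{0x001234, 1}: {Key: []byte("0123456789abcdef"), BlockLen: aes.BlockSize}}
}

// Encapsulate is the first NVE side (claims 1-8): build the header, pad the
// payload up to a whole number of blocks, CBC-encrypt it and set the flag bit.
func Encapsulate(tbl KeyTable, vsid uint32, version uint8, payload []byte) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	hdr[2], hdr[3], hdr[4] = byte(vsid>>16), byte(vsid>>8), byte(vsid)
	hdr[5] = version
	ki, ok := tbl[keyID{vsid, version}]
	if !ok { // VSID and key version together do not call for encryption
		return append(hdr, payload...), nil
	}
	// Random padding field and IV (assumed; the claims only say the padding
	// data is read out of the padding field).
	if _, err := rand.Read(hdr[padFieldOf:hdrLen]); err != nil {
		return nil, err
	}
	padLen := 0
	if rem := len(payload) % ki.BlockLen; rem != 0 { // claim 3
		padLen = ki.BlockLen - rem
	}
	hdr[6], hdr[7] = byte(padLen), 0 // padding always taken from field offset 0 (assumption)
	padded := append(append([]byte{}, payload...), hdr[padFieldOf:padFieldOf+padLen]...)
	block, err := aes.NewCipher(ki.Key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hdr[ivOf:ivOf+aes.BlockSize]).CryptBlocks(ct, padded)
	binary.BigEndian.PutUint16(hdr[0:2], encFlagBit) // claim 7: flag bit = 1
	return append(hdr, ct...), nil
}

// Decapsulate is the second NVE side (claims 9-11): check the flag bit, look up
// key information by (VSID, key version), decrypt with the header IV and strip
// the padding the header announces.
func Decapsulate(tbl KeyTable, frame []byte) ([]byte, error) {
	if len(frame) < hdrLen {
		return nil, errors.New("frame shorter than NVGRE header")
	}
	hdr, body := frame[:hdrLen], frame[hdrLen:]
	vsid := uint32(hdr[2])<<16 | uint32(hdr[3])<<8 | uint32(hdr[4])
	ki, ok := tbl[keyID{vsid, hdr[5]}]
	if binary.BigEndian.Uint16(hdr[0:2])&encFlagBit == 0 {
		if ok { // policy requires encryption: a cleared flag bit is a downgrade, not plaintext
			return nil, errors.New("encryption required but flag bit is 0")
		}
		return body, nil
	}
	if !ok {
		return nil, fmt.Errorf("no key information for VSID %#x version %d", vsid, hdr[5])
	}
	if len(body)%ki.BlockLen != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := aes.NewCipher(ki.Key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, hdr[ivOf:ivOf+aes.BlockSize]).CryptBlocks(plain, body)
	padLen, padStart := int(hdr[6]), int(hdr[7])
	if padLen >= ki.BlockLen || padLen > len(plain) || padStart+padLen > padFieldLen {
		return nil, errors.New("invalid padding indication")
	}
	// Consistency check only: the claimed header carries no MAC, so this does
	// not authenticate the frame.
	if !bytes.Equal(plain[len(plain)-padLen:], hdr[padFieldOf+padStart:padFieldOf+padStart+padLen]) {
		return nil, errors.New("padding does not match padding field")
	}
	return plain[:len(plain)-padLen], nil
}
```

Two points a practitioner would check before building on this scheme. First, the receiver decides whether a frame must be encrypted from its own key table, not from the flag bit alone: if the table has key information for the (VSID, key version) pair but the bit is 0, the frame is rejected rather than forwarded as plaintext. Second, the claims describe confidentiality only; nothing in the header authenticates the flag bits, VSID, key version, IV or ciphertext, and the padding comparison above is a sanity check, not a substitute. A deployment would add a MAC over header and ciphertext, or replace CBC with an authenticated mode, and should report all decryption failures with one uniform error.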
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210607848.5A CN117201639A (en) 2022-05-31 2022-05-31 Message transmission method, network virtualization edge device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210607848.5A CN117201639A (en) 2022-05-31 2022-05-31 Message transmission method, network virtualization edge device and storage medium

Publications (1)

Publication Number Publication Date
CN117201639A true CN117201639A (en) 2023-12-08

Family

ID=88996568

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210607848.5A Pending CN117201639A (en) 2022-05-31 2022-05-31 Message transmission method, network virtualization edge device and storage medium

Country Status (1)

Country Link
CN (1) CN117201639A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination