CN117375862A - Message forwarding method, system, network device, storage medium and program product - Google Patents


Info

Publication number
CN117375862A
Authority
CN
China
Prior art keywords
address
forwarding node
message
rule
bit
Prior art date
Legal status
Pending
Application number
CN202210763505.8A
Other languages
Chinese (zh)
Inventor
杨言
陈哲
王闯
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A message forwarding method, system, network device, storage medium and program product are disclosed, which belong to the field of communication technology. In the method, a first forwarding node acquires a first message that includes a first address, where the bit value of the first address at a reference position indicates first valid information, the first valid information being information about the communication end identified by the first address; the first forwarding node reorganizes the first address into a second address based on a first reorganization rule, such that the bit value of the second address at the reference position does not indicate the first valid information; the first forwarding node replaces the first address in the first message with the second address to obtain a second message, and sends the second message. The first address may be any address in the first message, so the valid information in any address of the message can be hidden. This avoids the problem that IPsec cannot protect the source address and the destination address of the VPN tunnel.

Description

Message forwarding method, system, network device, storage medium and program product
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a message forwarding method, a system, network equipment, a storage medium and a program product.
Background
Messages transmitted in a network generally carry addresses such as a source address and a destination address, so that when a forwarding node receives a message it can process the message based on those addresses, for example by determining the next hop based on the destination address and sending the message to that next hop. To prevent these addresses from being exposed in the network and thus exploited by malicious attackers, the forwarding node may process the message to hide the addresses in it when forwarding the message.
In the related art, a forwarding node may establish a virtual private network (VPN) tunnel with other forwarding nodes in advance. Thus, when the forwarding node receives a message, in order to avoid exposing the source address and destination address of the message's inner-layer payload in the network, it can perform Internet Protocol Security (IPsec) encryption on the message and then encapsulate an outer-layer header on the encrypted message, where the outer-layer header carries the source address and destination address of the VPN tunnel so that the message is transmitted through the VPN tunnel.
Although the source address and destination address of the inner-layer payload are protected by this technology, a malicious attacker in the network can still acquire information such as the network topology by analyzing the source address and destination address of the VPN tunnel, so network security is still threatened.
Disclosure of Invention
The embodiment of the application provides a message forwarding method, network equipment, a storage medium and a program product, which can improve network security in a message transmission process. The technical scheme is as follows:
In a first aspect, a method for forwarding a message is provided. In the method, a first forwarding node acquires a first message that includes a first address, where the bit value of the first address at a reference position indicates first valid information, the first valid information being information about the communication end identified by the first address; the first forwarding node reorganizes the first address into a second address based on a first reorganization rule, such that the bit value of the second address at the reference position does not indicate the first valid information; the first forwarding node replaces the first address in the first message with the second address to obtain a second message, and sends the second message.
In the embodiment of the application, when the first forwarding node receives the first message, the first valid information can be hidden simply by reorganizing the first address. The first address can be any address in the first message, so the valid information in any address of the message can be hidden by the method provided by the embodiment of the application. This avoids the problem that IPsec cannot protect the source address and destination address of the VPN tunnel.
In addition, the first forwarding node can hide the first effective information without using IPsec technology or MACsec technology, so that the related problems caused by IPsec technology or MACsec technology are avoided, which are described in detail in the following embodiments.
Based on the method provided in the first aspect, in some embodiments, the first valid information includes a network prefix and/or a host identifier.
Because the network prefix can indicate network topology information of the subnet where the communication terminal identified by the first address is located, and the host identifier can be used for distinguishing the communication terminal from other devices in the same subnet, in order to improve network security, the network prefix and/or the host identifier indicated by the address can be hidden when the address is reorganized.
Based on the method provided in the first aspect, in some embodiments, the implementation procedure of the first forwarding node to reorganize the first address into the second address based on the first reorganization rule may be: the first forwarding node mutually nests the preamble part and the postamble part of the first address based on a first reorganization rule to obtain a second address; the preamble part is a bit part near the left side in the first address, and the postamble part is a bit part near the right side in the first address.
Because the preamble part of the first address includes some or all bits of the network prefix, the inherent network-prefix-followed-by-host-identifier order of the IP address is disturbed by the first reorganization rule: the network prefix and the host identifier are rearranged in a bit-nesting manner, so that the bits of the rearranged second address, read from front to back, no longer indicate the network prefix and the host identifier. The network prefix and host identifier are thereby hidden.
Based on the method provided in the first aspect, in some embodiments, the first reorganization rule includes a first bit sequence, the number of bits of the first bit sequence is the same as the number of bits of the first address, and the bit values on n bits of the first bit sequence are a target bit value, where n ≥ 1. In this scenario, the first forwarding node nests the preamble and the postamble of the first address into each other to obtain the second address as follows: the first forwarding node takes the first n bits of the first address, places their bit values at the positions where the bit value of the first bit sequence is the target bit value, respectively, and places the bit values of the remaining bits of the first address at the positions where the bit value of the first bit sequence is not the target bit value, respectively, thereby obtaining the second address.
Since the n bits carrying the target bit value in the first bit sequence are usually not contiguous, after the bit values of the first n bits of the first address are placed at those positions, the first n bits of the first address are scattered over different positions of the second address, so the preamble of the first address is nested within the postamble and the first valid information is hidden.
Based on the method provided in the first aspect, in some embodiments, before the first forwarding node reorganizes the first address into the second address based on the first reorganization rule, the first forwarding node may further randomly generate a bit sequence, to obtain a first bit sequence.
To make cracking harder for an attacker, the first forwarding node may randomly generate, for each message to be sent, the bit sequence used to reorganize the address in that message.
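As an added illustration (not code from the patent or from Huawei), the following Python implements the bit-nesting rule described above for a 32-bit IPv4 address, together with the inverse operation the second forwarding node would apply and the random generation of a first bit sequence with n target bits. The sample address 10.1.2.3, the bit sequence 0x11111111 and all function names are constructed for this example; the patent fixes neither an address width nor a concrete sequence.

```python
import ipaddress
import secrets


def _bits(value: int, width: int) -> list:
    """Expand `value` into a left-to-right (MSB first) list of `width` bits,
    so that index 0 is the leftmost bit, matching the patent's 'preamble'."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def _from_bits(bits: list) -> int:
    """Pack a left-to-right list of bits back into an integer."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def random_bit_sequence(width: int, n: int) -> int:
    """Randomly generate a first bit sequence of `width` bits with exactly `n`
    bits set to the target bit value 1 (the positions the preamble will occupy).
    A CSPRNG is used so the sequence is not predictable to an observer."""
    positions = set(secrets.SystemRandom().sample(range(width), n))
    return _from_bits([1 if i in positions else 0 for i in range(width)])


def nest_address(addr: int, width: int, bit_seq: int) -> int:
    """First forwarding node: the leading n bits of `addr` (n = number of 1s
    in bit_seq) are placed, in order, at the positions where bit_seq is 1;
    the remaining bits fill the positions where bit_seq is 0, in order."""
    pattern = _bits(bit_seq, width)
    n = sum(pattern)
    src = _bits(addr, width)
    preamble, postamble = iter(src[:n]), iter(src[n:])
    return _from_bits([next(preamble) if p else next(postamble) for p in pattern])


def unnest_address(addr2: int, width: int, bit_seq: int) -> int:
    """Second forwarding node: collect the bits at the 1 positions (the
    original preamble) followed by the bits at the 0 positions (the original
    postamble). The mapping is a permutation of bit positions, so it is exact."""
    pattern = _bits(bit_seq, width)
    dst = _bits(addr2, width)
    preamble = [b for b, p in zip(dst, pattern) if p]
    postamble = [b for b, p in zip(dst, pattern) if not p]
    return _from_bits(preamble + postamble)


def demo() -> tuple:
    """Reorganize a constructed IPv4 address with a constructed bit sequence and
    return (second address, restored address) as dotted strings."""
    first = int(ipaddress.IPv4Address("10.1.2.3"))   # constructed sample address
    bit_seq = 0x11111111                              # constructed: eight 1s, one per nibble
    second = nest_address(first, 32, bit_seq)
    restored = unnest_address(second, 32, bit_seq)
    return str(ipaddress.IPv4Address(second)), str(ipaddress.IPv4Address(restored))


if __name__ == "__main__":
    print(demo())
```

With 0x11111111 the eight prefix bits of 10.1.2.3 land at positions 3, 7, 11, ... of the second address, whose first octet becomes 0, so the /8 prefix can no longer be read off the front of the address; the second node still recovers 10.1.2.3 exactly because both nodes hold the same bit sequence.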
Based on the method provided in the first aspect, in some embodiments, the first reorganization rule includes a first meta-confusion sequence including at least two bits. In this scenario, the implementation process of the first forwarding node reorganizing the first address into the second address based on the first reorganization rule may be: the first forwarding node performs bit operation on the first address based on the first meta-confusion sequence to obtain a second address.
In this way, a bit operation is performed between each bit of a sequence and the corresponding bit of the first address, which achieves the purpose of reorganizing the first address. On the one hand, the flexibility of address reorganization is improved; on the other hand, this reorganization mode can be realized through simple bit operations at low cost.
Based on the method provided in the first aspect, in some embodiments, the first reorganization rule further includes a first shift number. In this scenario, the implementation process of the first forwarding node performing bit operation on the first address based on the first meta-confusion sequence to obtain the second address may be: the first forwarding node performs shifting operation on the first address based on the first shifting times to obtain an intermediate address; the first forwarding node performs bit operation on the intermediate address and the first meta-confusion sequence to obtain a second address.
The sequence of each original bit in the first address can be further disordered through the shift operation, and therefore the difficulty of an attacker in analyzing the first address based on the second address is improved.
Based on the method provided by the first aspect, in some embodiments, the bit operation is a bitwise exclusive-or operation.
Because a bitwise exclusive-or changes the bit values it is applied to, the 0/1 statistics of the second address can be made different from the 0/1 statistics of the first address, which prevents an attacker from analyzing the communication behavior of the communication end identified by the first address on the basis of the second address.
Based on the method provided in the first aspect, in some embodiments, before the first forwarding node reorganizes the first address into the second address based on the first reorganization rule, the first forwarding node may further obtain an address confusion table (LOT), where the LOT includes a plurality of reorganization rules, each including a meta-confusion sequence; the first forwarding node selects a reorganization rule from the LOT as the first reorganization rule.
In an embodiment of the present application, in order to determine the first reorganization rule quickly, an address confusion table (locator obfuscate table, LOT) may be pre-configured on the first forwarding node.
Based on the method provided in the first aspect, in some embodiments, the first forwarding node may further obtain a third message, where the third message includes a third address, and the bit value of the third address at the reference position indicates second valid information, the second valid information being information about the communication end identified by the third address; the first forwarding node reorganizes the third address into a fourth address based on a second reorganization rule, such that the bit value of the fourth address at the reference position does not indicate the second valid information; the first forwarding node replaces the third address in the third message with the fourth address to obtain a fourth message, and sends the fourth message; the second reorganization rule is different from the first reorganization rule.
In the embodiment of the application, different reorganization rules can be used for different messages so as to improve the cracking difficulty of an attacker.
Based on the method provided in the first aspect, in some embodiments, the third address is the same address as the first address, and the second valid information is the same valid information as the first valid information.
For messages of the same flow, the source address and destination address of the inner-layer payload are the same for every message in the flow. Assuming the first address and the third address are the destination addresses of the inner-layer payload of messages in the flow, the same destination address of different messages in the same flow can be reorganized into different addresses in this way, which further increases the difficulty for an attacker to crack the destination address.
Based on the method provided in the first aspect, in some embodiments, the second message further carries rule information, and the rule information indicates the first reorganization rule.
To help the second forwarding node that receives the second message restore the second address to the first address, the second message may further carry rule information indicating the first reorganization rule, so that the second forwarding node restores the second address to the first address based on the first reorganization rule.
Based on the method provided in the first aspect, in some embodiments, the second message includes an address field, and the address field is used to carry the second address and rule information. In other embodiments, the second message includes an extension field for carrying rule information.
On the one hand, rule information can be carried through the redundant address field, so that the difficulty of an attacker in analyzing a real first address from the address field is further improved. On the other hand, a new field can be expanded to bear rule information, so that the flexibility of the scheme provided by the embodiment of the application is improved.
In a second aspect, a method for forwarding a message is provided, in which a second forwarding node receives a second message, where the second message carries a second address, a bit value of the second address at a reference position does not indicate first valid information, the second message is generated by a first forwarding node based on the first message, the first message includes the first address, a bit value of the first address at the reference position indicates first valid information, and the first valid information is related information of a communication end identified by the first address; the second forwarding node restores the second address to the first address based on the first reorganization rule; the second forwarding node processes the second message based on the first address.
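The shift-plus-XOR reorganization of the embodiments above, the selection of a rule from the LOT, the rule information carried with the second address, and the restore step of the second aspect, as an added Python example that is not the patent's or Huawei's code. It assumes the "shift operation" is a circular shift (so that it is exactly invertible), represents messages as Python dicts, carries the rule information as an index into a LOT shared by both nodes, and uses constructed rule values and a constructed sample address; the patent fixes none of these details. It also shows two messages of the same flow being reorganized with different LOT rules, as described above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPV4_WIDTH = 32


@dataclass(frozen=True)
class ReorgRule:
    """One LOT entry: a first shift number plus a meta-confusion sequence."""
    shift: int
    meta_seq: int


def _mask(width: int) -> int:
    return (1 << width) - 1


def rotl(value: int, width: int, k: int) -> int:
    """Circular left shift within `width` bits (constructed choice: a rotation
    keeps every original bit, so the second node can undo it exactly)."""
    k %= width
    return ((value << k) | (value >> (width - k))) & _mask(width)


def rotr(value: int, width: int, k: int) -> int:
    """Inverse of rotl."""
    k %= width
    return ((value >> k) | (value << (width - k))) & _mask(width)


def reorganize(addr: int, width: int, rule: ReorgRule) -> int:
    """First forwarding node: shift the first address to an intermediate address,
    then bitwise-XOR the intermediate address with the meta-confusion sequence."""
    intermediate = rotl(addr, width, rule.shift)
    return intermediate ^ (rule.meta_seq & _mask(width))


def restore(addr2: int, width: int, rule: ReorgRule) -> int:
    """Second forwarding node: XOR is its own inverse, then undo the shift."""
    intermediate = addr2 ^ (rule.meta_seq & _mask(width))
    return rotr(intermediate, width, rule.shift)


# Constructed LOT pre-configured on both forwarding nodes; values are arbitrary.
LOT: List[ReorgRule] = [
    ReorgRule(shift=4, meta_seq=0xDEADBEEF),
    ReorgRule(shift=13, meta_seq=0x5A5A5A5A),
    ReorgRule(shift=27, meta_seq=0x0F0F0F0F),
]


def first_node_forward(first_msg: Dict[str, int], rule_index: int) -> Dict[str, int]:
    """Build the second message: the destination address is reorganized with the
    selected LOT rule and the rule information (here the LOT index) travels with it."""
    second_addr = reorganize(first_msg["dst"], IPV4_WIDTH, LOT[rule_index])
    return {"dst": second_addr, "rule_info": rule_index, "payload": first_msg["payload"]}


def second_node_receive(second_msg: Dict[str, int]) -> int:
    """Restore the first address from the second address using the indicated rule;
    the node would then forward on the restored address."""
    rule = LOT[second_msg["rule_info"]]
    return restore(second_msg["dst"], IPV4_WIDTH, rule)


def demo_same_flow() -> Tuple[List[str], List[str]]:
    """Two messages of one flow (same real destination) sent with different LOT
    rules; returns (addresses on the wire, addresses the second node recovers)."""
    dst = int(ipaddress.IPv4Address("10.1.2.3"))   # constructed sample address
    on_wire, recovered = [], []
    for seq, rule_index in enumerate((0, 1)):
        second = first_node_forward({"dst": dst, "payload": seq}, rule_index)
        on_wire.append(str(ipaddress.IPv4Address(second["dst"])))
        recovered.append(str(ipaddress.IPv4Address(second_node_receive(second))))
    return on_wire, recovered


if __name__ == "__main__":
    print(demo_same_flow())
```

Because the two messages use different LOT entries, the same real destination appears as two unrelated addresses on the link, while the receiving node recovers 10.1.2.3 from both. Carrying the rule index in clear means the LOT contents themselves are the secret shared by the two nodes, which is why the description has the table pre-configured rather than transmitted.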
In a third aspect, a packet forwarding system is provided, where the system includes a first forwarding node and a second forwarding node:
the first forwarding node is used for acquiring a first message, the first message comprises a first address, a bit value of the first address at a reference position indicates first effective information, and the first effective information is related information of a communication end identified by the first address;
the first forwarding node is further configured to reorganize the first address into a second address based on a first reorganization rule, where a bit value of the second address at the reference location does not indicate the first valid information;
the first forwarding node is further configured to replace a first address in the first packet with a second address, obtain a second packet, and send the second packet;
the second forwarding node is used for receiving a second message;
the second forwarding node is further used for restoring the second address to the first address based on the first reorganization rule;
the second forwarding node is further configured to process a second message based on the first address.
In a fourth aspect, a network device is provided, the network device comprising a memory and a processor;
the memory is used for storing program instructions;
the processor is configured to invoke a program stored in the memory to cause the network device to perform the method of any of the above first aspects.
In a fifth aspect, a network device is provided, the network device comprising a memory and a processor;
the memory is used for storing program instructions;
the processor is configured to invoke the program stored in the memory to cause the network device to perform the method of the second aspect described above.
In a sixth aspect, a network device is provided, where the network device includes a transceiver module and a processing module:
the transceiver module is configured to perform a transceiver-related operation in the method according to any one of the first aspect;
the processing module is configured to perform operations of any one of the methods described in the first aspect except for the transceiver-related operations.
In a seventh aspect, a network device is provided, where the network device includes a transceiver module and a processing module:
the transceiver module is configured to perform a transceiver-related operation in the method according to the second aspect;
the processing module is configured to perform operations in the method according to the second aspect except for the transceiver-related operations.
In an eighth aspect, there is provided a computer readable storage medium having instructions stored therein which, when executed on a processor, implement the method of any of the first aspects above.
In a ninth aspect, a computer readable storage medium is provided, in which instructions are stored which, when run on a processor, implement the method of the second aspect described above.
In a tenth aspect, a computer program product is provided, comprising instructions which, when run on a processor, implement the method of any of the first aspects above.
In an eleventh aspect, a computer program product is provided, the computer program product comprising instructions which, when run on a processor, implement the method of the second aspect described above.
The technical effects obtained in the second to eleventh aspects are similar to the technical effects obtained in the corresponding technical means in the first aspect, and are not described in detail herein.
Drawings
Fig. 1 is a schematic flow chart of hiding an IP address based on an IPsec technology according to an embodiment of the present application;
fig. 2 is a schematic flow chart of hiding an IP address based on MACsec technology according to an embodiment of the present application;
fig. 3 is a schematic flow chart of a virtual IP technology provided in an embodiment of the present application;
fig. 4 is a schematic architecture diagram of a packet forwarding system according to an embodiment of the present application;
Fig. 5 is a flowchart of a message forwarding method provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of a nesting method provided in embodiments of the present application;
FIG. 7 is a flow chart of a reorganization scheme provided in an embodiment of the present application;
FIG. 8 is a flow chart of another reorganization scheme provided by an embodiment of the present application;
FIG. 9 is a schematic diagram of a region-based deployment reorganization scheme provided by an embodiment of the present application;
fig. 10 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of another network device according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of another network device according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of a packet forwarding system according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
It should be understood that reference herein to "a plurality" means two or more. In the description of the present application, "/" means or, unless otherwise indicated, for example, a/B may represent a or B; "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, in order to clearly describe the technical solutions of the embodiments of the present application, in the embodiments of the present application, the words "first", "second", and the like are used to distinguish the same item or similar items having substantially the same function and effect. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ.
Before explaining the embodiment of the present application in detail, an application scenario of the embodiment of the present application is described.
In a long-distance communication scenario, a message may be transmitted over links such as optical fibers or Ethernet that are exposed to unsafe environments. There, a malicious attacker may tap the messages transmitted on the link with devices such as an optical splitter or a hub, so as to reconstruct and monitor the link traffic. Even more alarming, existing technology is able to reconstruct the content transmitted on a link by electromagnetic induction, exploiting the variation of the electromagnetic field as the bit stream passes through the link, without damaging the cabling. This technique poses a threat even to short-range link communication such as on-campus communication.
Leakage of data transmitted over an unsecure link can jeopardize the privacy of both devices communicating and can also induce the appearance of complex network attacks. On one hand, the data leakage enables an attacker to steal application information in the message, so that key business data is exposed to the outside; on the other hand, information carried by the IP header itself, such as an IP address, may also be utilized by an attacker.
In network communications, IP addresses are used to perform global routing within the network, providing a network layer identifier for all network-connected devices. In addition, through the configuration of management personnel, the prefixes of the IP addresses in one subnet are often affiliated to the same IP prefix, so that the router can perform address aggregation, the number of address announcements of a routing protocol is reduced, and the routing efficiency is improved. Thus, the IP address represents, on the one hand, the identity information of the device, and on the other hand, the network prefix (network prefix) of the IP address can reflect the subnet, organization or even network topology location to which the device belongs. Based on this, an attacker can perform static association analysis at the device or subnet level according to the IP address, even identify progressive information in continuous data messages, analyze dynamic characteristics of communication between devices and user network behavior. And after the attacker analyzes the user network behavior, other network-destroying operations can be performed by utilizing the characteristics of the user network behavior.
Therefore, when a message is transmitted in the network, the addresses such as the IP address carried in the message need to be hidden. At present, the privacy of addresses such as IP addresses can be ensured through encryption technology, for example Internet Protocol Security (IPsec) and Media Access Control Security (MACsec).
IPsec provides a scheme for the encryption protection of messages at the network layer based on virtual private networks (VPN). Specifically, the data packet is re-encapsulated in VPN tunnel mode, and the outer-layer address exposes only the IP addresses of the VPN tunnel gateways. IPsec automatically negotiates symmetric keys for the two ends of a VPN tunnel through the Internet Security Association and Key Management Protocol (ISAKMP), establishes security associations, and encrypts the original message (including the original IP header and upper-layer data) using the Encapsulating Security Payload (ESP) protocol. After encryption, the IP addresses in the original IP header are protected: the data transmitted between the two ends of the VPN tunnel does not expose them, and even if it is intercepted, only the IP addresses at the two ends of the VPN tunnel can be seen.
Fig. 1 is a schematic flow chart of hiding an IP address based on the IPsec technology according to an embodiment of the present application. As shown in fig. 1, device A and device B communicate with each other; the IP address of device A is IP_A and the IP address of device B is IP_B. A forwarding node a and a forwarding node b are arranged between device A and device B; the IP address of forwarding node a is IP_a and the IP address of forwarding node b is IP_b. A VPN tunnel is established between forwarding node a and forwarding node b, and the source address and the destination address of the VPN tunnel are IP_a and IP_b respectively.
The message sent by device A to device B carries the source address SA = IP_A and the destination address DA = IP_B. When forwarding node a receives the message, it encrypts the message based on IPsec and then encapsulates an outer-layer header on the encrypted message, where the outer-layer header carries the source address and destination address of the VPN tunnel, so that the message is forwarded to forwarding node b through the VPN tunnel and then forwarded by forwarding node b to device B.
IPsec has the following problems. First, IPsec does not hide address information completely. The IP addresses at both ends of the VPN tunnel are not hidden, because forwarding must be performed according to the outer address. However, these tunnel endpoint addresses also reflect, to a certain extent, the topology characteristics of the communication end and the subnet to which it belongs, so they also need to be hidden. Second, IPsec has scalability problems: since keys must be securely negotiated between arbitrary pairs of communicating sites, configuration and management of VPN tunnels become complicated as the number of communication peers grows. Third, IPsec is detrimental to router performance: the packet length increases, so the router's per-message processing time increases correspondingly, and effective link bandwidth utilization and communication latency both suffer.
MACsec provides a scheme for cryptographically protecting upper-layer data at the link layer. Similar to IPsec, MACsec establishes a secure channel at the link layer through the MACsec Key Agreement (MKA) protocol and negotiates encryption keys. The frame (the message transmitted at the link layer) is then encrypted in its entirety, including the IP addresses in the original IP header, and the next-hop device on the link decrypts and verifies the encrypted frame. After MACsec is used, the IP addresses in the original IP header become ciphertext like the upper-layer data, and no information in the IP header can be obtained by monitoring the link.
Fig. 2 is a schematic flow chart of hiding an IP address based on MACsec technology according to an embodiment of the present application. Based on the architecture shown in fig. 1, as shown in fig. 2, assume that the MAC address of device A is MAC_A and the MAC address of forwarding node a is MAC_a.
When device A sends a message to device B, the message carries the source address SA = IP_A and the destination address DA = IP_B. Device A encrypts the message as the inner-layer message and encapsulates a MAC header on the outer layer of the encrypted inner-layer message. The MAC header includes the source MAC address MAC_A and the destination MAC address MAC_a, so that the message is sent to forwarding node a according to the MAC header.
The MACsec technique has several problems. First, MACsec is costly and causes repeated encryption: because MACsec hides the entire contents of a frame by encryption, the amount of data to be encrypted is large, and MACsec is often used together with higher layer cryptographic technologies such as IPsec or Transport Layer Security (TLS), resulting in excessive overhead. Second, MACsec places high demands on network deployment: because MACsec is based on the 802.1X authentication architecture and needs certificate support, it is difficult to apply to networks composed of lightweight terminals such as Internet of Things (IoT) devices, and every layer-2 device must support it when a large layer-2 network is traversed. Third, MACsec does not provide frame-by-frame differentiated hiding: because the encryption key negotiated on a link is the same for all frames, MACsec has no ability to vary from frame to frame, and there is a risk that the key is broken.
Besides hiding IP addresses through IPsec and MACsec, address hiding can also be performed through an "active target defense" architecture, such as the virtual IP hopping technique. In the virtual IP hopping technique, the address of the communication end is masked at the edge device of a local area network (LAN): the address of the communication end is associated with a virtual IP address by some mapping, and the virtual IP address is time-limited and is changed after a period of time. The virtual IP hopping technique can prevent exposure of the communication end's address to a certain extent, and because the virtual IP address is time-limited, it can defeat sustained traffic analysis.
Fig. 3 is a schematic flow chart of a virtual IP technology according to an embodiment of the present application. As shown in fig. 3, communication is performed between a device A and a device B, where the IP address of device A is IP_A and the IP address of device B is IP_B. The IP address IP_A of device A can be mapped to IP_A1 in a first time period, to IP_A2 in a second time period, and to IP_A3 in a third time period. The IP address IP_B of device B can be mapped to IP_B1 in the first time period, to IP_B2 in the second time period, and to IP_B3 in the third time period. The first, second and third time periods are the aging times of the corresponding mapped IP addresses.
Thus, in the first time period, the source address of the message sent by device A to device B is IP_A1 and the destination address is IP_B1. In the second time period, the source address of the message sent by device A to device B is IP_A2 and the destination address is IP_B2. In the third time period, the source address of the message sent by device A to device B is IP_A3 and the destination address is IP_B3.
However, the virtual IP technology has several problems. First, because the mapped virtual address must remain routable to the address translation device on the transmission network, only the host part (suffix) of the address can be protected, so LAN-level anti-correlation cannot be achieved. Second, routing complexity increases greatly, so the virtual IP technology is difficult to apply on a large scale. Third, within one hop period (i.e. during the aging time of a mapped virtual address), the data packets of the same communication object still carry the same IP address, so the instantaneous characteristics of the data stream are not protected and the data stream can still be correlated and analysed. Fourth, because virtual address assignment is involved, the virtual IP technology requires the cooperation of additional components such as the domain name system (DNS).
Based on this, the embodiment of the application provides a message forwarding method, which can reorganize the address in the message in the process of forwarding the message so as to hide the effective information such as the subnet identifier or the host identifier carried in the IP address.
In the embodiments of the application, since any address in the message can be reorganized, the problem of insufficient coverage of the IPsec technology is solved. Effective information can be hidden merely by reorganizing addresses, so the scalability problem and the complex management of VPN tunnels are avoided. Moreover, only the addresses in the message are reorganized and the original message is changed little, so the overhead is small, the load on the router is essentially unchanged, and the impact on link bandwidth utilization and communication delay is also small. Furthermore, the scheme provided by the embodiments of the application places no specific requirements on network deployment. In addition, in the embodiments of the application, different reorganization rules can be adopted packet by packet, so the method provided by the embodiments of the application has the ability to change packet by packet, which increases the difficulty of cracking for an attacker.
The following explains the message forwarding system, the message forwarding method and the related devices provided in the embodiments of the present application in detail.
Fig. 4 is a schematic diagram of a packet forwarding system architecture according to an embodiment of the present application. As shown in fig. 4, the packet forwarding system includes a plurality of secure addressing domains 40, and in fig. 4, three secure addressing domains 40 are taken as an example for illustration, and the number of secure addressing domains 40 included in the system is not limited in the embodiment of the present application. Each secure addressing domain 40 includes an intermediate forwarding node 401 and an edge forwarding node 402. The present embodiments likewise do not limit the number of intermediate forwarding nodes 401 and edge forwarding nodes 402 in the secure addressing domain 40.
Wherein for any one secure addressing domain 40, an intermediate forwarding node 401 in that secure addressing domain 40 is configured to communicate with an intermediate forwarding node 401 and an edge forwarding node 402 located within the same secure addressing domain 40, and an edge forwarding node 402 in that secure addressing domain 40 is configured to communicate with an intermediate forwarding node 401 located within the same secure addressing domain 40 or an edge forwarding node 402 located within another secure addressing domain 40.
The secure addressing domain 40 refers to a network area with a higher level of protection. Illustratively, such as a campus network, a machine room hub network, an operator network, etc. The network between the different security addressing domains 40 may have a risk of man-in-the-middle interception and analysis due to the low level of protection, so that the links between the edge forwarding nodes 402 of the different security addressing domains 40 may be referred to as risk links, as shown in fig. 4.
The message forwarding method provided by the embodiment of the invention can be applied to the edge forwarding nodes 402 at the two ends of the risk link so as to prevent the IP address of the message transmitted on the risk link from being utilized by an attacker.
For example, in a transmission network with a large span and high security requirements, there is a risk of man-in-the-middle monitoring and analysis, because the large scale of the whole network makes real-time management of long-range exposed links difficult. Based on this, the network can be divided into a plurality of secure addressing domains 40 according to protection level. Network monitoring within a secure addressing domain 40 is strong, so in order to maximize transmission efficiency, the IP address of a message transmitted inside a secure addressing domain 40 need not be hidden, that is, the address is not reorganized by the method provided by the embodiment of the present application. Long-distance risk links (such as external optical fibre, wireless air interfaces, etc.) exist between secure addressing domains 40, and such a risk link may be monitored by others. Therefore, on the risk link, the edge forwarding node 402 of the preceding secure addressing domain 40 can serve as a prefix hiding point and, based on the method provided by the embodiment of the application, reorganize the IP address so as to hide effective information such as the network prefix in the IP address. When the message arrives over the risk link at the edge forwarding node 402 of the next secure addressing domain 40, that edge forwarding node 402 can serve as a prefix restoring point, restore the effective information such as the network prefix indicated by the original address, and perform conventional routing operations.
In addition, when three layers of network devices (such as devices at two ends of a VPN tunnel) exist on the risk link, the devices may also be used as prefix hiding points to reorganize source addresses or destination addresses of the VPN tunnel, so as to hide valid information such as network prefixes in the source addresses or destination addresses of the VPN tunnel.
Alternatively, the method for forwarding a packet provided in the embodiment of the present application may be applied between intermediate forwarding nodes 401 in the secure addressing domain 40, which is not described in detail herein. In this scenario, the secure addressing domain 40 does not need to be divided in the network in advance, and the method provided by the embodiment of the present application is adopted for all the messages transmitted in any area in the network.
Wherein the secure addressing domain 40 may be configured by an administrator. For example, an administrator may use a network area within a city as a secure addressing domain 40, and use a network area between cities as a network area corresponding to a risk link, that is, as a risk area. This is not described in detail in the embodiments of the present application.
In addition, the edge forwarding node 402 or the intermediate forwarding node 401 in fig. 4 may be a network element having a network layer function, such as a router, a three-layer switch, or the like. And are not illustrated herein.
Fig. 5 is a flowchart of a message forwarding method provided in an embodiment of the present application. As shown in fig. 5, the method includes the following steps 501-506.
Step 501: the first forwarding node acquires a first message, wherein the first message comprises a first address, a bit value of the first address at a reference position indicates first effective information, and the first effective information is related information of a communication terminal identified by the first address.
The first message may be understood as a message that needs to be sent to the second forwarding node. In some embodiments, the first forwarding node obtains the first message by generating it: the first forwarding node generates the first message, which is a message that needs to be sent to the second forwarding node. In other embodiments, the first forwarding node obtains the first message by receiving a message from another forwarding node and further encapsulating it to obtain the first message, which is again the message that needs to be sent to the second forwarding node.
The first address may be an address in any header of the first message, where the address may be an IP address or a MAC address, etc. Illustratively, the source address and the destination address in the inner layer header of the first message are the source IP address and the destination IP address of the payload (payload) of the first message. Also by way of example, the source and destination addresses in the outer layer header of the first message may be source and destination IP addresses of a virtual link such as a VPN tunnel, pseudowire (PW), or the like.
It should be noted that the first address transmitted in the network is typically a bit sequence, and consecutive bit values of the bit sequence at certain positions can indicate some valid information.
For example, the consecutive leading bits of the IP address of any device in the network indicate a network prefix, which in turn indicates attribute information such as the location of the subnet in which the device is located. An attacker can therefore infer the operating mechanism of the adjacent address space from the network prefix of the IP address combined with the address information of public services. By combining parent and child prefixes, an attacker can also infer the affiliation of the organization where the device is located, and so on. Exposing the leading part of the IP address to the network therefore has a great impact.
Likewise, the consecutive trailing bits of the IP address indicate attribute information of the device's host. An attacker can use the trailing part of the IP address to distinguish between different hosts in the subnet; compared with the leading part, the information indicated by the trailing part is refined to the user/service level. For some critical, well-known services, exposure of the trailing part of the IP address can therefore also have a major impact.
For example, an Internet Protocol version 4 (IPv4) address is a bit sequence of 32 bits. In some scenarios the first 8 of the 32 bits represent the identifier (ID) of the network, i.e. the network prefix, and the last 24 bits represent the host ID. In other scenarios the first 16 bits represent the network ID and the last 16 bits represent the host ID. In yet other scenarios the first 24 bits represent the network ID and the last 8 bits represent the host ID.
The above takes an IPv4 address as an example. Optionally, for an Internet Protocol version 6 (IPv6) address, the address includes 128 bits, and the bit values at different positions of the 128 bits likewise indicate different valid information, which is not described in detail herein.
Based on this, the reference position in step 501 may be any position in the first address that can indicate valid information by a bit value. For example, when the first validity information is a network prefix, the reference position is a bit capable of indicating the network prefix among bits of the first address. When the first valid information is the host identity, the reference position is a bit capable of indicating the host identity in each bit of the first address.
When the first effective information is the network prefix, the method provided by the embodiment of the application can be used for hiding the network prefix. When the first effective information is the host identity, the method provided by the embodiment of the application can be used for hiding the host identity. When the first effective information comprises the network prefix and the host identifier at the same time, the method provided by the embodiment of the application can simultaneously hide the network prefix and the host identifier.
In addition, the first forwarding node may be a prefix hidden point in fig. 4, so that based on the embodiment shown in fig. 5, security of effective information in an address in a packet transmitted on a risk link can be ensured. Alternatively, the first forwarding node may be any intermediate forwarding node in the secure address domain in fig. 4, so that based on the embodiment shown in fig. 5, the security of the effective information in the address in the packet transmitted in the secure address domain can be further ensured.
Step 502: the first forwarding node reassembles the first address into a second address based on a first reassembly rule, the bit value of the second address at the reference location not indicating the first valid information.
In order to avoid that the first effective information in the first address is exposed in the network when the first message is transmitted in the network, the first forwarding node may reorganize the first address into the second address based on the first reorganization rule, and the bit value of the reorganized second address at the reference position does not indicate the first effective information, so as to realize hiding of the first effective information.
After the first forwarding node reorganizes the first address into the second address, the first address in the first packet may be replaced with the second address through step 503 described below, so as to obtain a second packet to be sent.
Step 503: the first forwarding node replaces the first address in the first message with the second address to obtain a second message, and sends the second message.
After replacing the first address with the second address, the first forwarding node generally performs other processing on the message, such as adding rule information, etc., to obtain a second message, which will not be expanded herein.
Based on steps 501-503, when the first forwarding node obtains the first message, the first effective information can be hidden only by reorganizing the first address. The first address can be any address in the first message, so that effective information in any address in the message can be hidden by the method provided by the embodiment of the application. The problem that the IPsec technology cannot protect the source address and the destination address of the VPN tunnel is avoided. And the first forwarding node can hide the first effective information without using an IPsec technology or a MACsec technology, so that the related problems caused by the IPsec technology or the MACsec technology are avoided.
After the first forwarding node sends the second message, if the second forwarding node receives the second message, the second address may be restored to the real first address through steps 504 to 506 described below, so as to perform the next processing on the message.
Step 504: the second forwarding node receives a second message carrying a second address.
Step 505: the second forwarding node restores the second address to the first address based on a first reorganization rule, the bit value of the first address at the reference position indicating the first valid information, the first reorganization rule being a rule used for reorganizing the first address to the second address.
Step 506: the second forwarding node processes the second message based on the first address.
The procedure for the second forwarding node to restore the address is described in detail in the following context of the reassembly rules and will not be described here.
The reorganization rule provided in the embodiment of the present application is described in detail below.
(1) First implementation of the reorganization rule
In a first implementation, the first reorganization rule may be specifically understood as: and nesting the preamble part and the postamble part of the first address to obtain a second address. In this scenario, the process of the second forwarding node restoring the second address may be: and extracting the preamble of the first address from the second address based on the first reorganization rule, and combining the extracted preamble with the rest part (namely the subsequent part) in the second address to obtain the first address.
The first address in this embodiment of the present application includes a preamble part and a subsequent part. The preamble part is the bit sequence formed by the first several bits of the first address, that is, the bits on the left side of the first address. The subsequent part is the bit sequence formed by the remaining bits, that is, the bits on the right side of the first address. How many leading bits of the first address are assigned to the preamble part and how many trailing bits to the subsequent part can be configured as required. In other words, the preamble part of the first address and the network prefix specified in the relevant protocol are not the same concept: the preamble part contains all or part of the bits of the network prefix.
Because the preamble of the first address includes some or all bits of the network prefix, the inherent sequence of the network prefix+the host identifier of the IP address can be disturbed by the reorganization rule of the first implementation manner, so that the network prefix and the host identifier are reorganized and arranged in a bit nesting manner, and each bit of the reorganized and arranged second address cannot indicate the network prefix and the host identifier in the sequence from front to back. Thereby realizing hiding of effective information such as network prefix, host identity and the like.
Fig. 6 is a schematic diagram of a nesting method according to an embodiment of the present application. As shown in fig. 6, the original first address is 20.131.46, which corresponds to the binary sequence 00010100.10000011.00101110, a total of 24 bits. Assume that the first eight bits of the first address, 00010100, are its preamble part and the last 16 bits are its subsequent part. As shown in fig. 6, these eight bits 00010100 are scattered and embedded among the other 16 bits of the first address to obtain the second address. Thus, the original first address 20.131.46 is reorganized into the second address 65.44.150.
Based on the reorganization rule of the first implementation manner, in the network architecture shown in fig. 4, when the message including the first address passes through the risk link, the prefix hiding point breaks up and embeds the preamble part of the first address into the subsequent part of the first address, so that the bit sequence of the second address transmitted on the risk link has no structure of 'network prefix+host identifier', and therefore the effect of hiding effective information such as network prefix is achieved.
According to the embodiment of the application, the privacy information of the communication terminal identified by the first address can be hidden on the premise that a large amount of additional information is not introduced. Even if link monitoring occurs on the risk link, the network prefix and the host identity cannot be accurately resolved, and thus the local area network (local area network, LAN)/user of the communication end cannot be located.
In some embodiments, to enable nesting of the preamble and the postamble of the first address with each other, the first reorganization rule includes a first bit sequence having a same number of bits as the first address, and the bit values on n bits in the first bit sequence are target bit values, n being greater than or equal to 1.
Wherein the target bit value may be 1 or 0. For example, for ease of operation, the target bit value may be set to 1. That is, in the embodiment of the present application, the first reorganization rule may be a 01 bit sequence having the same length as the first address. In this scenario, the first reorganization rule may also be referred to as a rule string.
In addition, in order to improve the cracking difficulty of the second address after reorganization, n can be determined based on the division mode of the network prefix and the host identity of the IP address. For example, if the first 8 bits of the IPv4 address indicate a network prefix, n may be set to 8. For another example, if the first 16 bits of the IPv4 address indicate a network prefix, n may be set to 16. Alternatively, n may be arbitrarily specified by an administrator, and will not be illustrated here.
In this scenario, the first forwarding node reorganizes the first address into the second address based on the first reorganization rule as follows: the first forwarding node takes the first n bits of the first address and places their bit values, in order, at the positions where the bit value of the first bit sequence is the target bit value, and places the bit values of the remaining bits of the first address, in order, at the positions where the bit value of the first bit sequence is not the target bit value, thereby obtaining the second address.
The second forwarding node then restores the second address as follows: it extracts, from front to back, the bits of the second address located at the same positions as the target-bit-value bits of the first bit sequence and takes them, in order, as the preamble part of the first address; it takes the other bits of the second address, from front to back, as the subsequent part of the first address; and it places the preamble part in front of the subsequent part to obtain the first address.
Since the n target-bit-value bits of the first bit sequence are usually not adjacent, placing the bit values of the first n bits of the first address at those positions scatters the first n bits of the first address across different positions, so that the preamble part of the first address is nested in the subsequent part and the first effective information is hidden.
Similarly, placing the bit values of the remaining bits of the first address at the positions that do not carry the target bit value also scatters the bits following the first n bits across different positions, thereby hiding the effective information indicated by those bits, that is, the effective information indicated by the subsequent part of the first address.
For example, the first address is 101011000101 and the first bit sequence is 110010110100. The first forwarding node scatters a preamble part of the corresponding length according to the number of 1 bits (i.e. n) in the first bit sequence. Specifically, the first bit sequence has 1 bits at 6 positions, so n is 6, and the first forwarding node takes the first 6 bits of the first address 101011000101 as its preamble part and the bits from the 7th bit onward as its subsequent part.
The nesting method is as follows: the bits of the subsequent part of the first address are placed, in order, at the positions where the first bit sequence is 0, and the bits of the preamble part of the first address are placed, in order, at the positions where the first bit sequence is 1. Specifically, the extracted preamble part 101011 is placed, in bit order, on bits 1, 2, 5, 7, 8 and 10 of the first bit sequence, and the remaining subsequent part 000101 is filled, in order, into the other bits. Thus, the original first address 101011000101 is transformed into the new second address 100010011101. The second address differs greatly from the preamble part of the first address, so it is difficult to determine the network prefix with conventional address analysis and to derive from it information about the communication end identified by the first address.
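The nesting step of the first forwarding node (step 502) and the inverse restoring step of the second forwarding node (step 505), written out as an added Python example; this is not code from the patent. It reproduces the 12-bit example above and adds a constructed 32-bit IPv4 round trip (the rule string 01000100010001000100010001000100 and the address 20.131.46.7 are assumptions, not values from the text).

```python
# Added example (not from the patent): the first implementation of the
# reorganization rule. A 0/1 rule string with the same length as the address
# marks, with the target bit value, the positions into which the preamble
# part is scattered; the receiving node inverts the mapping.

TARGET_BIT = "1"  # the text allows 1 or 0; 1 is used "for ease of operation"


def _check(address: str, rule: str) -> None:
    """Both inputs must be 0/1 strings of equal length, as the rule requires."""
    if len(address) != len(rule):
        raise ValueError("rule string must be as long as the address")
    if set(address + rule) - {"0", "1"}:
        raise ValueError("address and rule must be 0/1 bit strings")


def reassemble(first_address: str, rule: str) -> str:
    """First forwarding node: nest the preamble part into the subsequent part.

    n is the number of TARGET_BIT positions in the rule. The first n bits of
    the address (preamble part) go, in order, to those positions; the other
    bits (subsequent part) fill the remaining positions, in order.
    """
    _check(first_address, rule)
    n = rule.count(TARGET_BIT)
    preamble = iter(first_address[:n])
    subsequent = iter(first_address[n:])
    return "".join(
        next(preamble) if r == TARGET_BIT else next(subsequent) for r in rule
    )


def restore(second_address: str, rule: str) -> str:
    """Second forwarding node: the TARGET_BIT positions, read front to back,
    are the preamble part; the other positions are the subsequent part."""
    _check(second_address, rule)
    preamble = [b for b, r in zip(second_address, rule) if r == TARGET_BIT]
    subsequent = [b for b, r in zip(second_address, rule) if r != TARGET_BIT]
    return "".join(preamble + subsequent)


def ipv4_to_bits(addr: str) -> str:
    """Dotted decimal -> 32-bit string."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address")
    return "".join(f"{o:08b}" for o in octets)


def bits_to_ipv4(bits: str) -> str:
    """32-bit string -> dotted decimal."""
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def bit_counts(bits: str) -> tuple:
    """(zeros, ones): the 0/1 statistics that a pure bit permutation keeps,
    which is why the text later adds interference on top of the nesting."""
    return bits.count("0"), bits.count("1")


if __name__ == "__main__":
    # The worked 12-bit example from the text.
    rule12 = "110010110100"
    second = reassemble("101011000101", rule12)
    print(second, "->", restore(second, rule12))
    # Constructed IPv4 case: an 8-bit network prefix (n = 8), so the rule
    # string carries eight target bits scattered over the 32 positions.
    rule32 = "01000100010001000100010001000100"
    hidden = reassemble(ipv4_to_bits("20.131.46.7"), rule32)
    print(bits_to_ipv4(hidden), "->", bits_to_ipv4(restore(hidden, rule32)))
```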
The first bit sequence may be randomly generated by the first forwarding node, or may be preconfigured on the first forwarding node, which is not limited in the embodiment of the present application. Further, in order to improve the cracking difficulty of the attacker, the first forwarding node may randomly generate the first bit sequence for the first message to be sent. For example, the first forwarding node may randomly generate the first bit sequence packet by packet or periodically generate the first bit sequence.
In addition, in order to facilitate the second forwarding node that receives the second packet to successfully restore the second address to the first address, rule information may also be carried in the second packet, where the rule information may indicate the first reassembly rule, so that the second forwarding node restores the second address to the first address based on the first reassembly rule.
In the case that the first reassembly rule includes the first bit sequence, the first bit sequence may be directly used as rule information, and the first bit sequence is directly carried in the second packet, that is, the first bit sequence may be carried with the packet.
In some embodiments, the address field in the first message used to carry the first address will typically have a redundant address field, so the first bit sequence may be placed in the redundant address field. In this scenario, after replacing the first address in the first packet with the second address, the first forwarding node further places the first bit sequence in the redundant address field, so as to obtain the second packet. That is, the second message includes an address field for carrying the second address and the first bit sequence.
In other embodiments, a new field may be extended to carry the first bit sequence. At this time, the second packet includes an extension field, where the extension field is used to carry the first bit sequence. The extension field may be a field that is extended in any manner, which is not limited in the embodiment of the present application.
In summary, in the embodiment of the present application, the first bit sequence may be carried along with the packet through a special extension field or a special field carrying an address, so as to indicate which bits in the second address are the preamble of the first address, and further restore the first address, and perform route forwarding.
In addition, in the scenario where the first bit sequence is carried along with the packet, in order to improve its security and prevent it from being parsed and broken, the first forwarding node may encrypt the first bit sequence with a rule key (KEY-rule) and carry the encrypted first bit sequence in the second message. The encryption ensures that the semantics of the first bit sequence are not disclosed, which improves the security of the first address. In this case, every first bit sequence carried in a second message is an encrypted first bit sequence.
The rule key is negotiated in advance by both communicating ends; for example, the prefix hiding point and the prefix restoring point at the two ends of a risk link in fig. 4 may negotiate the rule key in advance. Furthermore, considering that the rule key may be cracked or leaked during long-term use, the two ends also synchronize an update key (KEY-update) during the initial negotiation for refreshing the rule key. After the rule key has been in use for a certain period (for example, half an hour), the two ends negotiate a rule key update: the new rule key about to be used is encrypted with the update key and transmitted to the neighbouring peer, which confirms its use before the new key takes effect.
Furthermore, if the first reorganization rule is simply to shuffle the bit order in the first address to obtain the second address, then the first reorganization rule does not change the 0/1 statistics of the first address. Wherein the 0/1 statistical information may be, for example, information about the number of bits with a bit value of 0 and the number of bits with a bit value of 1. At this time, on some links, the 0/1 statistical information may also be used by the attacker to perform identity association, so that a certain interference means may be used on the basis of rearranging the bit sequence of the first address, thereby reducing the possibility that the attacker obtains the 0/1 statistical information of the first address.
In some embodiments, in the scenario where the first bit sequence and the second address are placed together in the address field, since the 0/1 statistics of all bits in the address field are different from the 0/1 statistics in the first address, even if an attacker analyzes the 0/1 statistics of all bits in the address field, the 0/1 statistics in the first address cannot be deduced.
Therefore, in this scenario, the scheme provided by the embodiment of the present application may further improve the security of the first address by affecting the 0/1 statistics of the bits exposed on the address field in the network.
In addition, in the scenario where the second message carries an encrypted first bit sequence and the first bit sequence and the second address are placed together in the address field, the ciphertext produced by encrypting the same first bit sequence with the rule key differs each time, so the difficulty for an attacker of cracking the first address is further increased, and the security of the first address is correspondingly improved.
In addition, in the scenario of the first implementation manner of the reassembly rule, different reassembly rules may be used for different messages, that is, different nesting manners between the preamble and the successor of the address in different messages, so as to improve the cracking difficulty of an attacker.
Therefore, in some embodiments, after the first forwarding node processes the first packet through steps 501 to 503, when the first forwarding node obtains a third packet, the third packet includes a third address, and a bit value of the third address at the reference location indicates second valid information, where the second valid information is related information of the communication end identified by the third address. At this time, the first forwarding node may reorganize the third address into a fourth address based on the second reorganization rule, the bit value of the fourth address at the reference position does not indicate the second valid information. And then the first forwarding node replaces the third address in the third message with the fourth address to obtain a fourth message, and sends the fourth message.
The second reorganization rule is different from the first reorganization rule, so that the nesting manner between the preamble part and the postamble part of the address under the second reorganization rule is different from the nesting manner between the preamble part and the postamble part of the address under the first reorganization rule.
For example, in a scenario where the first reassembly rule comprises a first bit sequence, the second reassembly rule may comprise a second bit sequence, the first bit sequence and the second bit sequence being different. The first bit sequence and the second bit sequence being different can be understood as: the 0/1 statistics of the first bit sequence are the same as the 0/1 statistics of the second bit sequence, but the 0/1 distribution information of the two is different. The 0/1 distribution information specifically refers to where the bits with bit value 0 or 1 are located. Alternatively, the difference between the first bit sequence and the second bit sequence can also be understood as: the 0/1 statistics of the first bit sequence are not identical to the 0/1 statistics of the second bit sequence. For example, the bit value of the first bit sequence is the target bit value on n bits, the bit value of the second bit sequence is the target bit value on m bits, and n and m are different values.
When different messages use different recombination rules, the same addresses in different messages are recombined into different addresses for the messages of the same flow, so that the cracking difficulty of an attacker is further improved. That is, the third address in the third message and the first address in the first message are the same address, and the second effective information and the first effective information are the same effective information.
For example, for messages of the same flow, the source address and destination address of the inner-layer payload of each message in the flow are the same. Assuming that the first address and the third address are the destination addresses of the inner-layer payload of messages in the stream, the same destination address of different messages in the same stream can be reorganized into different addresses in the above manner, so that the difficulty for an attacker of cracking the destination address is further increased.
In addition, in the case that different reassembly rules are used for different messages, and the reassembly rules include bit sequences, the first forwarding node may randomly generate a bit sequence for each message requiring reassembly addresses. The embodiment of the application does not limit the way in which the first forwarding node randomly generates the bit sequence.
A first implementation of the reassembly rules is illustrated below in the network architecture shown in fig. 7.
As shown in fig. 7, the network includes three forwarding nodes, which are respectively labeled as RTA, RTB and RTC, where a link between the RTA and the RTB belongs to a link in the secure addressing domain, a link between the RTB and the RTC belongs to a risk link, and a link after the RTC also belongs to a link in the secure addressing domain.
In fig. 7, the dashed arrows represent control signaling, and the solid arrows represent data traffic. The devices RTB and RTC located on both sides of the risk link first establish a temporary encrypted channel with a preset KEY (Pre-KEY), which is used only during the initialization phase for the subsequent negotiation process. The preset key is shared between the RTB and the RTC. One of the RTB and the RTC generates a rule KEY (KEY-rule) for encrypting the reassembly rule and an update KEY (KEY-update) for updating the rule KEY (KEY-rule). After receiving the corresponding keys, the other device of the RTB and the RTC confirms whether to use the rule key according to its own security requirements; if so, it encrypts confirmation information with the rule key, encrypts the reply with the preset KEY (Pre-KEY) and sends it back, completing the negotiation of the rule key and the update key.
And then, when the RTB or the RTC forwards any data traffic to the opposite party, any source/destination IP address in the message is recombined. The reorganization is to disturb the original bit characteristics of the address, so as to avoid that an attacker analyzes the topology position and flow characteristics of the receiving and transmitting object of the message through methods such as longest matching, history searching and the like.
As shown in fig. 7, when the RTA forwards a message toward the RTC via the RTB, its real destination IP address is 101011000101, and the RTA does not perform prefix hiding through the reassembly rule because it forwards to another router, RTB, in the secure addressing domain. When the RTB receives the message, it first performs a route lookup according to the destination address and finds that the next-hop neighbor is the RTC, and that the link between the RTB and the RTC is located in the risk area, where there is a risk of being monitored or stolen; therefore the destination IP address 101011000101 in the message is reorganized by the reorganization rule so that the effective information such as the network prefix indicated by the destination IP address 101011000101 is hidden.
As shown in fig. 7, the first bit sequence used for reorganizing the destination IP address 101011000101 is 110010110100, and the reorganized address is 100010011101; the specific reorganization process is as described above and is not repeated here. At this point, the RTB sends a message to the RTC that carries the reassembled address 100010011101 and the encrypted first bit sequence (plaintext 110010110100, shown as d6jn2$ty).
Continuing with fig. 7, when a subsequent message of the same stream arrives at the RTB, the RTB randomly generates a new 0/1 bit sequence as a new reassembly rule. Since the bit sequence included in the reassembly rule is switched from 110010110100 for the first packet to 010110010101, the destination IP address is also different after reassembly: as shown in fig. 7, the destination IP address in the second packet becomes 010010100111 after reassembly. Similarly, the destination IP address of the third packet is reorganized into 001010101011 because the selected bit sequence is 001110000111.
It should be noted that the RTB may select a different bit sequence for each packet. Alternatively, to reduce the overhead of the RTB, a different bit sequence may be adopted per period or per number of data packets. For example, for messages in the same period, the RTB uses the same bit sequence to perform address reorganization, and for messages in the next period, the bit sequence used by the RTB is different from the bit sequence used in the previous period.
Through the address reorganization flow shown in fig. 7, different messages of the same flow (all with destination IP address 101011000101) present different destination addresses after the RTB, namely 100010011101, 010010100111 and 001010101011 respectively. Thus, on the risk link RTB-RTC, a listener cannot learn the real destination IP addresses of the data packets and therefore cannot perform behavior analysis on the communication end; meanwhile, the messages of the same flow show completely different IP forms, so a listener will regard them as different data flows and cannot analyze the traffic pattern and data characteristics of the messages by taking the flow as the object.
When the series of messages subjected to address recombination packet by packet reach a prefix recovery point RTC at the opposite end of the risk link, the RTC restores the destination IP address presented in the messages and carries out route forwarding. The recovery process is described as follows: the RTC judges the incoming direction of the message according to the incoming port, and decrypts the encrypted bit sequence by using a corresponding rule KEY (KEY-rule). And then, the RTC extracts bits which are positioned at the same position as bits 1 in the bit sequence in the presented destination IP address according to the sequence from front to back according to the decrypted bit sequence, sequentially uses the extracted bits as a preamble of the restored destination IP address, and uses other bits in the presented destination IP address as a postamble of the restored destination IP address, thereby obtaining the real destination IP address. After entering the secure addressing domain of the RTC, it can be seen that the destination IP addresses in the three aforementioned messages are all restored to the real destination IP address 101011000101 for table lookup forwarding.
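The nesting and restoration steps of the first implementation, applied to the fig. 7 values above, as an added example in Python (this is not the patent's own code; the function names `nest`, `restore`, `random_bit_sequence` and `bit_stats` are this example's own). It reproduces the three presented addresses from fig. 7 from the real destination address and the three bit sequences, restores each of them at the recovery point, and generates a fresh per-packet bit sequence with a fixed number of 1s, which is the preamble length. Encryption of the bit sequence with the rule key is left out, since the page does not specify the cipher.

```python
import secrets

# Added example (not the patent's own code): first implementation of the
# reassembly rule.  Addresses and bit sequences are '0'/'1' strings of equal
# length; the number of 1s in the bit sequence is the length of the hidden
# preamble (n in the text).


def nest(address: str, bit_seq: str) -> str:
    """Reorganize `address` with `bit_seq`: the first n bits of the address
    (the preamble) go, in order, to the positions where bit_seq has a 1; the
    remaining bits (the postamble) fill the 0-positions, also in order."""
    if len(address) != len(bit_seq):
        raise ValueError("bit sequence must be as long as the address")
    n = bit_seq.count("1")
    preamble = iter(address[:n])
    postamble = iter(address[n:])
    return "".join(next(preamble) if b == "1" else next(postamble) for b in bit_seq)


def restore(reorganized: str, bit_seq: str) -> str:
    """Inverse of nest(): bits at the 1-positions, read left to right, form
    the preamble; bits at the 0-positions form the postamble."""
    if len(reorganized) != len(bit_seq):
        raise ValueError("bit sequence must be as long as the address")
    preamble = "".join(a for a, b in zip(reorganized, bit_seq) if b == "1")
    postamble = "".join(a for a, b in zip(reorganized, bit_seq) if b == "0")
    return preamble + postamble


def random_bit_sequence(length: int, ones: int) -> str:
    """Per-packet rule: a random 0/1 sequence of `length` bits with exactly
    `ones` bits set, so the preamble length stays fixed while the positions
    it is scattered to change from packet to packet."""
    if not 0 <= ones <= length:
        raise ValueError("ones must be between 0 and length")
    positions = set()
    while len(positions) < ones:
        positions.add(secrets.randbelow(length))
    return "".join("1" if i in positions else "0" for i in range(length))


def random_roundtrip(address: str, ones: int) -> bool:
    """Generate a random rule for `address` and check it restores correctly."""
    seq = random_bit_sequence(len(address), ones)
    return restore(nest(address, seq), seq) == address


def bit_stats(bits: str) -> tuple:
    """0/1 statistics: (count of 0s, count of 1s).  Nesting alone leaves
    these unchanged, which is why the text adds further interference."""
    return bits.count("0"), bits.count("1")


# Values taken from fig. 7 of the page: the real destination address and the
# three per-packet bit sequences chosen by RTB.
REAL_DST = "101011000101"
FIG7_RULES = ["110010110100", "010110010101", "001110000111"]


def fig7_demo() -> list:
    """Return the three presented addresses RTB emits for the fig. 7 packets,
    each checked to restore to REAL_DST at RTC."""
    shown = []
    for seq in FIG7_RULES:
        presented = nest(REAL_DST, seq)
        if restore(presented, seq) != REAL_DST:
            raise AssertionError("restore failed for rule " + seq)
        shown.append(presented)
    return shown


if __name__ == "__main__":
    for seq, presented in zip(FIG7_RULES, fig7_demo()):
        print(f"rule {seq}: {REAL_DST} -> {presented}  stats {bit_stats(presented)}")
    seq = random_bit_sequence(len(REAL_DST), 6)
    print(f"random rule {seq}: {REAL_DST} -> {nest(REAL_DST, seq)}")
```

Running `fig7_demo()` yields 100010011101, 010010100111 and 001010101011, the three presented addresses the text lists, and `bit_stats` shows that every presented address has the same 0/1 counts as the real address, which is the observation the text makes about a pure bit reordering.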
The embodiment shown in fig. 7 uses 01 bit sequence as a reassembly rule to reassemble the destination IP address of the packet between risk links (RTB-RTC) to conceal the network prefix indicated by the destination IP address and other valid information, and prevent an attacker from performing address analysis and association. It should be noted that, fig. 7 illustrates the recombination of destination IP addresses, and the source IP address or any other address may be treated similarly in the practical implementation.
In addition, in the embodiment shown in fig. 7, by dividing the secure addressing domain, a better balance between deployment forwarding efficiency and security can be achieved. Each forwarding node in the secure addressing domain uses the real IP address to carry out routing forwarding, or carries out routing forwarding after temporarily recovering the recombined IP address, but does not recombine the addresses in the message, thereby reducing the calculation encapsulation cost. After the address is restored and route is searched for in each hop of the message transmitted in the risk area (crossing the security addressing domain), if the next hop is still in the risk area, the address in the message is recombined and then forwarded.
(2) Second implementation of the reorganization rule
In the first implementation manner, the bits in the first address are rearranged and combined to obtain the second address. In the second implementation manner, a bit operation may be performed between a sequence and the bits of the first address to achieve the goal of reorganizing the first address. On the one hand, this increases the flexibility of address reorganization; on the other hand, the reorganization can be realized through simple bit operations at low cost.
For ease of description, this sequence is referred to as a meta-confusion sequence. Based on this, for the second implementation, in some embodiments, the first reorganization rule includes a first meta-confusion sequence, and the first forwarding node performs a bit operation on the first address based on the first meta-confusion sequence, resulting in the second address.
Illustratively, the bit operation includes a shift operation and a bit logic operation, where the bit logic operation may include a bitwise negation operation, a bitwise exclusive-or operation, and the like.
It should be noted that, since the bitwise exclusive or operation affects the bit value on the bit, the 0/1 statistic information in the second address and the 0/1 statistic information in the first address can be made different by the bitwise exclusive or operation, so as to avoid an attacker from analyzing the communication behavior of the communication end identified by the first address based on the second address. Based on this, in the embodiment of the present application, the bit operation may specifically be a bitwise exclusive or operation.
In order to facilitate the second forwarding node to successfully restore the correct first address, the foregoing bit operation is a reversible operation, that is, the second forwarding node can obtain the first address according to the reverse operation of the bit operation.
In addition, the first meta-confusion sequence may be temporarily generated or may be preconfigured, which is not limited in the embodiments of the present application.
In other embodiments, the first reorganization rule may further include a first shift number. In this scenario, the first forwarding node performs a bit operation on the first address based on the first meta-confusion sequence, and the implementation process for obtaining the second address is as follows: the first forwarding node performs a shift operation on the first address based on the first shift number to obtain an intermediate address, and performs a bit operation on the intermediate address and the first meta-confusion sequence to obtain the second address.
The implementation process of the subsequent second forwarding node to restore the first address may be: the second forwarding node firstly carries out the inverse operation of the bit operation on the second address and the first meta-confusion sequence to obtain the intermediate address, and then carries out the inverse operation of the shift operation on the intermediate address to obtain the first address.
The shift operation may be, for example, a left shift operation or a right shift operation. When the shift operation is a left shift operation, the reverse operation of the shift operation is a right shift operation, and when the shift operation is a right shift operation, the reverse operation of the shift operation is a left shift operation.
The sequence of each original bit in the first address can be further disordered through the shift operation, and therefore the difficulty of an attacker in analyzing the first address based on the second address is improved.
It should be noted that, in the embodiment of the present application, the length of the first meta-confusion sequence is not limited, so when the bit operation is performed on the first meta-confusion sequence and the intermediate address, if the length of the first meta-confusion sequence and the length of the intermediate address are the same, the bit operation may be performed directly. If the length of the first meta-confusion sequence is different from the length of the intermediate address, the first meta-confusion sequence can be processed first so that the length of the processed first meta-confusion sequence is the same as the length of the intermediate address, and then the bit operation is performed on the processed first meta-confusion sequence and the intermediate address.
There may be several implementations of processing the first meta-confusion sequence. For example, if the length of the first meta-confusion sequence is longer than the length of the intermediate address, a partial sequence of the first meta-confusion sequence may be truncated as the processed first meta-confusion sequence, which may be a preceding, a following or an intermediate portion of the first meta-confusion sequence. As another example, if the length of the first meta-confusion sequence is shorter than the length of the intermediate address, the first meta-confusion sequence may be copied several times, and then a partial sequence may be truncated from the copied meta-confusion sequence as the processed first meta-confusion sequence.
For example, assume that the first address is 0010, the first meta-confusion sequence is 01100, the first shift number is 5, the shift operation is a left shift operation, and the bit operation is a bitwise exclusive-or operation. In this scenario, the first forwarding node circularly shifts the first address 0010 to the left 5 times to obtain an intermediate address of 0100, then intercepts the last four bits of the first meta-confusion sequence 01100 to obtain a processed first meta-confusion sequence 1100, and performs a bitwise exclusive-or operation on the processed first meta-confusion sequence 1100 and the intermediate address 0100 to obtain a second address of 0111.
When receiving the second message, the second forwarding node first intercepts the last four bits of the first meta-confusion sequence 01100 to obtain a processed first meta-confusion sequence 1100, performs the inverse of the bitwise exclusive-or operation on the processed first meta-confusion sequence 1100 and the second address 0111 to obtain an intermediate address of 0100, and then circularly shifts the intermediate address 0100 to the right 5 times to obtain the first address 0010, thereby completing the restoration of the first address.
The above description is given taking the example of performing the shift operation and then the bit operation. Alternatively, in the embodiment of the present application, the first forwarding node may perform the shift operation after performing the bit logic operation, which is not described in detail herein. Alternatively, the bit logic operation may be performed only on the first meta-confusion sequence and the first address, which is not described in detail here again.
In a second implementation manner, in order to facilitate that the second forwarding node that receives the second packet can successfully restore the second address to the first address, rule information may also be carried in the second packet, where the rule information may indicate the first reassembly rule, so that the second forwarding node restores the second address to the first address based on the first reassembly rule.
In some embodiments, the first reassembly rule may be directly used as rule information, and the first reassembly rule is directly carried in the second message, that is, the first reassembly rule may be carried with the packet. In this case, the first reorganization rule is carried after encryption.
The encryption manner of the first reassembly rule and the position of the first reassembly rule in the second message may refer to the first implementation manner of the first reassembly rule, which is not described herein again.
In addition, in the embodiment of the present application, in order to facilitate quick determination of the first reassembly rule, an addressing confusion table (locator obfuscate table, LOT) may be configured in advance on the first forwarding node, where the LOT includes a plurality of reassembly rules, and each reassembly rule includes a meta-confusion sequence. In this way, the first forwarding node selects a reassembly rule from the LOT as the first reassembly rule before the first address is reassembled.
Optionally, in the case where the first reorganization rule further includes a first shift number, each reorganization rule in the LOT includes one meta-confusion sequence and one shift number.
In this scenario, the LOT may further configure a rule identifier (e.g., a rule sequence number) of each reassembly rule, where the first forwarding node may carry the rule identifier of the first reassembly rule as rule information with the packet, so that the second forwarding node determines the first reassembly rule based on the rule identifier.
It should be noted that, the first forwarding node and the second forwarding node may configure the LOT locally in advance, so that when the second forwarding node receives the second packet including the rule identifier, the second forwarding node may find the first reassembly rule based on the locally stored LOT and the rule identifier.
Further, in the embodiment of the present application, the first forwarding node and the second forwarding node may periodically negotiate to update the LOT, thereby improving the cracking difficulty of the attacker. In some embodiments, the first forwarding node and the second forwarding node may pre-configure a plurality of LOTs, and both trigger a handshake mechanism for updating when the same period or a certain number of data packets are forwarded, and synchronously migrate to a next LOT, thereby completing the updating of the LOT. Optionally, in other embodiments, the first forwarding node and the second forwarding node may also self-update the table entries in the LOT according to a certain rule. For example, every 5000 messages are sent, the first forwarding node and the second forwarding node handshake, and the shift number of each rule in the LOT is increased by 1, so that the LOT is updated.
In addition, in the second implementation scenario of the reassembly rule, different reassembly rules may be used for different messages, for example, different meta-confusion sequences may be used for reassembling different messages, so as to improve the cracking difficulty of an attacker. Specific implementation may refer to the first implementation of the reorganization rule, which is not described herein.
It should be noted that, at this time, the two reorganization rules are different may mean that the meta confusion sequences in the two reorganization rules are different, or the shift times in the two reorganization rules are different, or the meta confusion sequences and the shift times in the two reorganization rules are respectively different. And are not illustrated herein.
A second implementation of the reconstruction rules is described in detail below using fig. 8 as an example.
As shown in fig. 8, the forwarding nodes RTB and RTC at both ends of the risk link are each configured with a LOT. The LOT contains at least three columns: a rule number, a shift number (which may also be referred to as a shift indicator), and a meta-confusion sequence. The rule number is the identifier of the corresponding reorganization rule; it can be regarded as the index of the table entry and is carried along with the packet to inform the neighbor device which reorganization rule to use for address restoration. The shift number indicates the shift amount of the address when the address is reorganized and restored. The meta-confusion sequence is a bit sequence used to confuse the statistical information of the bits of the address; the sequence is aligned with the address and then an exclusive-or operation is applied. Because the shift and exclusive-or operations are reversible, and exclusive-or changes the values of 0 and 1 bits, they can be used to perform address reorganization and restoration.
When the RTB in fig. 8 performs address reorganization, a rule number is randomly selected first, and the shift number w and the meta confusion sequence s are found in the LOT according to the rule number. And circularly leftwards shifting the address to be confused by w bits, and carrying out exclusive OR on the result and s to obtain the confused address. When s is too long, intercepting the rear part before exclusive or; when s is too short, it is repeated several times and then intercepted.
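The shift-then-XOR reorganization of the second implementation driven by a LOT, covering both the worked example above (address 0010, meta-confusion sequence 01100, shift number 5) and the fig. 8 procedure, as an added example in Python (this is not the patent's own code; the table contents, other than rule 1 which uses the page's worked values, and the function names `fit_sequence`, `rotl`, `rotr`, `xor_bits`, `obfuscate`, `restore`, `pick_rule` and `advance_lot` are this example's own). The length adjustment follows the fig. 8 description: a sequence that is too long keeps its rear part, one that is too short is repeated and then truncated. One caveat on the worked example: `obfuscate("0010", 1)` returns 1000, because 0100 XOR 1100 evaluates to 1000, whereas the text quotes 0111 for that step.

```python
import secrets

# Added example (not the patent's own code): second implementation of the
# reassembly rule, driven by an addressing confusion table (LOT).  The table
# is constructed for illustration; rule 1 uses the page's worked values.
LOT = {
    # rule number: (shift number w, meta-confusion sequence s)
    1: (5, "01100"),
    2: (3, "110010110100"),
    3: (7, "1011"),
}


def fit_sequence(s: str, length: int) -> str:
    """Align the meta-confusion sequence with the address: when s is too long
    keep its rear part; when too short, repeat it and then keep the rear part."""
    if len(s) < length:
        s = s * (-(-length // len(s)))  # ceiling division: enough copies
    return s[-length:]


def rotl(bits: str, w: int) -> str:
    """Circular left shift by w positions (w may exceed the address length)."""
    w %= len(bits)
    return bits[w:] + bits[:w]


def rotr(bits: str, w: int) -> str:
    """Circular right shift; the inverse of rotl with the same w."""
    return rotl(bits, len(bits) - w % len(bits))


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length '0'/'1' strings."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def obfuscate(address: str, rule_no: int, lot: dict = LOT) -> str:
    """Prefix hiding point: shift first, then XOR with the aligned sequence."""
    w, s = lot[rule_no]
    intermediate = rotl(address, w)
    return xor_bits(intermediate, fit_sequence(s, len(address)))


def restore(presented: str, rule_no: int, lot: dict = LOT) -> str:
    """Prefix recovery point: XOR is its own inverse, then undo the shift."""
    w, s = lot[rule_no]
    intermediate = xor_bits(presented, fit_sequence(s, len(presented)))
    return rotr(intermediate, w)


def pick_rule(lot: dict = LOT) -> int:
    """Randomly choose the rule number that is carried with the packet."""
    keys = sorted(lot)
    return keys[secrets.randbelow(len(keys))]


def advance_lot(lot: dict) -> dict:
    """Self-update after a handshake (the text's example: add 1 to the shift
    number of every rule); both ends must apply it in step."""
    return {k: (w + 1, s) for k, (w, s) in lot.items()}


if __name__ == "__main__":
    rule = pick_rule()
    shown = obfuscate("101011000101", rule)
    print(f"rule {rule}: 101011000101 -> {shown} -> {restore(shown, rule)}")
    print("page example (0100 XOR 1100):", obfuscate("0010", 1))
```

Only the rule number travels with the packet, so the recovery point needs the same LOT and the same update schedule as the hiding point; `advance_lot` returns a new table rather than mutating in place so that both ends can switch over atomically once the handshake completes.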
To facilitate an understanding of the first and second implementations of the reorganization rule, a comparison between the two implementations is described herein with reference to fig. 7 and 8.
The embodiment of fig. 7 is similar to the embodiment of fig. 8 in overall architecture, but differs in prefix hiding mechanism, confusion rule representation method, and rule updating.
Both the embodiment shown in fig. 7 and the embodiment shown in fig. 8 support dividing the network into a secure addressing domain and a risk area, and perform address reorganization and restoration only on each layer-3 device in the risk area. Both hide effective information, such as the subnet topological position indicated by the address preamble, by breaking the order between the preamble part and the postamble part. In addition, the rule information is randomly selected and carried, achieving a per-flow scattering effect and preventing association analysis.
The two differ in the following points:
the embodiment shown in fig. 7 is based on a 0/1 bit sequence of the same length as the address: the positions corresponding to 1 in the bit sequence indicate the positions of the preamble after reorganization, and the positions corresponding to 0 indicate the positions of the postamble after reorganization, so that the mutual nesting of the preamble and the postamble is realized. The embodiment shown in fig. 8 is based on a table named the address obfuscation table (Locator Obfuscate Table, LOT), and is implemented mainly with lower-overhead bit operations such as shift and exclusive-or.
The embodiment shown in fig. 7 encrypts the complete 0/1 bit sequence and carries it along with the packet through an extension field or the redundant part of the address; the embodiment shown in fig. 8 carries only the rule number through the extension field or the redundant part of the address, which greatly compresses the space used in the data packet, and it is essentially impossible for an attacker to recover the complete reorganization rule from the datagram.
The obfuscation rules used in the embodiment shown in fig. 7 are fixed (the same bit sequence represents the same operation) and are encrypted with KEY-rule in the datagram to prevent analysis, so the object that is periodically updated is the rule key. The embodiment shown in fig. 8 performs obfuscation based on the LOT; when rules are updated, the layer-3 devices at the two ends of a link need to use the same shift/exclusive-or operations, and the object that is periodically updated is the LOT table.
The embodiment shown in fig. 8 is superior in performance to the embodiment shown in fig. 7. The reasons are as follows: the embodiment shown in fig. 8 only performs shift and exclusive-or when reorganizing addresses, does not need complex cryptographic calculations, does not need to extract and rearrange bit by bit, and only carries rule numbers on the data plane rather than complete reorganization rules.
However, the embodiment shown in fig. 8 supports fewer kinds of rules than the embodiment shown in fig. 7. The number of rule types supported by the embodiment shown in fig. 8 depends on the LOT size, which is less flexible than the randomly generated bit sequences of the embodiment shown in fig. 7, so the LOT should be refreshed at a shorter period.
In addition, embodiments of the present application support progressive and differentiated deployment by partitioning secure addressing domains. As shown in fig. 9, the secure addressing domain uses real IP addresses for forwarding, the technology of the embodiment shown in fig. 8 is used for reorganizing IP addresses in risk area 1, and the technology of the embodiment shown in fig. 7 is used for reorganizing IP addresses in risk area 2. Reference may be made to the previous embodiments with respect to the reorganization process in fig. 9, and the description will not be repeated here.
The embodiment of the application can be deployed according to the architecture in fig. 9 in actual use, so that part of high-risk areas can ensure link safety through a small amount of equipment. And a suitable recombination scheme can be selected according to the scale of the risk area and the risk level. Through the division of the areas, on one hand, information such as LOT and the like is prevented from being diffused in a large scale to reduce the safety, on the other hand, a specific recombination scheme can be flexibly selected in different areas, and the expandability is improved.
It should be noted that fig. 9 is for illustration, and in applying the embodiments of the present application, a suitable reorganization scheme may be adopted in different areas based on device performance and requirements. Alternatively, different recombination schemes may be employed in different time periods in the same region. And are not illustrated herein.
Based on the message forwarding method provided by the embodiment of the present application, after a message passes through a forwarding node, the IP address in the message (such as the destination address and/or source address of the payload) when the message leaves the egress port differs from the original IP address in the message when it entered the ingress port. In addition, after different messages of the same flow pass through the same forwarding node, the same IP address at the ingress port may be reorganized into different IP addresses at the egress port. In addition, where related configuration of the reorganization rule, such as a rule key or an addressing confusion table, is required on the forwarding node, the configuration content may be described in detail in the specification of the pre-configured forwarding node.
Fig. 10 is a schematic structural diagram of a network device according to an embodiment of the present application, where the network device is any one of the forwarding nodes in the foregoing embodiments. Specifically, as shown in fig. 10, the network device 1000 includes a transceiver module 1001 and a processing module 1002.
When the network device 1000 is the first forwarding node in the foregoing embodiment, specific functions of the transceiver module 1001 and the processing module 1002 are as follows.
The processing module 1002 is configured to obtain a first packet, where the first packet includes a first address, and a bit value of the first address at a reference position indicates first effective information, where the first effective information is related information of a communication end identified by the first address. A specific implementation may refer to step 501 in the embodiment of fig. 5.
The processing module 1002 is further configured to reorganize the first address into a second address based on the first reorganization rule, where a bit value of the second address at the reference location does not indicate the first valid information. A specific implementation may refer to step 502 in the embodiment of fig. 5.
The transceiver module 1001 is configured to replace a first address in the first packet with a second address, obtain a second packet, and send the second packet. Specific implementations may refer to step 503 in the embodiment of fig. 5.
Optionally, the first valid information comprises a network prefix and/or a host identifier.
Optionally, the processing module 1002 is configured to:
the first forwarding node interleaves (mutually nests) the preamble part and the postamble part of the first address based on the first reorganization rule to obtain the second address;
where the preamble part is the bit portion toward the left (high-order) side of the first address, and the postamble part is the bit portion toward the right (low-order) side of the first address.
Optionally, the first reorganization rule includes a first bit sequence, the number of bits of the first bit sequence is the same as the number of bits of the first address, and the bit values at n positions of the first bit sequence are a target bit value, where n is greater than or equal to 1;
the processing module 1002 is configured to: obtain the first n bits of the first address, place the bit values of those n bits at the positions of the first bit sequence whose bit value is the target bit value, and place the bit values of the remaining bits of the first address, in order, at the positions of the first bit sequence whose bit value is not the target bit value, so as to obtain the second address.
Optionally, the processing module 1002 is configured to: randomly generating a bit sequence to obtain a first bit sequence.
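The bit-sequence rule described above, written out as an added example (Python, not code from the patent): the rule is a mask as wide as the address; the mask positions holding the target value receive the leading n bits of the original address and the remaining positions receive the rest in order, which is what stops the bits at the reference position from reading as the network prefix. `nesting_rule` is an assumed instance that yields the preamble/postamble interleaving described earlier, `random_rule` is the randomly generated variant, and the addresses 192.0.2.1 and 2001:db8::1 are constructed samples.

```python
import secrets

# Added example (not from the patent): the "first bit sequence" reorganization
# rule of the description. The rule is a bit sequence as wide as the address.
# The n positions whose value equals the target bit value receive the first n
# (high-order) bits of the original address, and the remaining positions
# receive the remaining address bits in their original order.


def _to_bits(value, width):
    """Bits of an integer address, most-significant bit first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def _from_bits(bits):
    """Inverse of _to_bits."""
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def reorganize(addr, width, rule, target=1):
    """First forwarding node: permute the bits of addr according to rule."""
    if len(rule) != width:
        raise ValueError("rule must have the same bit width as the address")
    n = sum(1 for bit in rule if bit == target)
    src = _to_bits(addr, width)
    head, tail = iter(src[:n]), iter(src[n:])
    # Target positions are filled from the leading n bits, the others from the rest.
    return _from_bits([next(head) if bit == target else next(tail) for bit in rule])


def restore(addr, width, rule, target=1):
    """Second forwarding node: undo reorganize() using the same rule."""
    if len(rule) != width:
        raise ValueError("rule must have the same bit width as the address")
    dst = _to_bits(addr, width)
    head = [dst[i] for i, bit in enumerate(rule) if bit == target]
    tail = [dst[i] for i, bit in enumerate(rule) if bit != target]
    return _from_bits(head + tail)


def random_rule(width):
    """Randomly generated first bit sequence (the optional variant in the description)."""
    return [secrets.randbits(1) for _ in range(width)]


def nesting_rule(width):
    """Assumed instance: an alternating sequence that interleaves the preamble
    (left half) of the address with its postamble (right half)."""
    return [1, 0] * (width // 2)


def prefix_bits(addr, width, prefix_len):
    """The bits at the reference position that normally carry the network prefix."""
    return addr >> (width - prefix_len)


if __name__ == "__main__":
    import ipaddress

    # Constructed sample: 192.0.2.1 with a /16 reference position.
    original = int(ipaddress.IPv4Address("192.0.2.1"))
    rule = nesting_rule(32)
    on_wire = reorganize(original, 32, rule)
    print(ipaddress.IPv4Address(on_wire))  # 160.4.0.1: the /16 no longer reads 192.0
    assert prefix_bits(on_wire, 32, 16) != prefix_bits(original, 32, 16)
    assert restore(on_wire, 32, rule) == original

    # A random rule works the same way on a 128-bit address.
    v6 = int(ipaddress.IPv6Address("2001:db8::1"))
    rule6 = random_rule(128)
    assert restore(reorganize(v6, 128, rule6), 128, rule6) == v6
```

The permutation is a transposition of bits, so it hides where the prefix sits but not which bits are set; the count of one-bits in the address survives intact, and an observer holding one original/reorganized pair can recover most of the rule. That is why the description pairs it with keeping the rule confined to an area and changing rules between messages.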
Optionally, the first reorganization rule includes a first meta-confusion sequence, the first meta-confusion sequence including at least two bits;
the processing module 1002 is configured to: perform a bit operation on the first address based on the first meta-confusion sequence to obtain the second address.
Optionally, the first reorganization rule further includes a first shift count;
the processing module 1002 is configured to: perform a shift operation on the first address based on the first shift count to obtain an intermediate address; and perform the bit operation on the intermediate address and the first meta-confusion sequence to obtain the second address.
Optionally, the bit operation is a bitwise exclusive-or (XOR) operation.
Optionally, the processing module 1002 is configured to: obtain an addressing confusion table (LOT), where the LOT includes a plurality of reorganization rules and each reorganization rule includes a meta-confusion sequence; and select one reorganization rule from the LOT as the first reorganization rule.
Optionally, the processing module 1002 is configured to:
acquire a third message, where the third message includes a third address, a bit value of the third address at the reference position indicates second valid information, and the second valid information is related information of the communication end identified by the third address;
reorganize the third address into a fourth address based on a second reorganization rule, where the bit value of the fourth address at the reference position does not indicate the second valid information;
replace the third address in the third message with the fourth address to obtain a fourth message, and send the fourth message;
where the second reorganization rule is different from the first reorganization rule.
Optionally, the third address and the first address are the same address, and the second valid information and the first valid information are the same valid information.
Optionally, the second message further carries rule information, and the rule information indicates the first reorganization rule.
Optionally, the second message includes an address field, where the address field is used to carry the second address and the rule information.
Optionally, the second message includes an extension field, where the extension field is used to carry the rule information.
When the network device 1000 is the second forwarding node in the foregoing embodiment, specific functions of the transceiver module 1001 and the processing module 1002 are as follows.
The transceiver module 1001 is configured to: and receiving a second message, wherein the second message carries a second address, the bit value of the second address at the reference position does not indicate first effective information, the second message is generated by the first forwarding node based on the first message, the first message comprises the first address, the bit value of the first address at the reference position indicates the first effective information, and the first effective information is related information of a communication end identified by the first address. Specific implementations may refer to step 504 in the embodiment of fig. 5.
The processing module 1002 is configured to: the second address is restored to the first address based on the first reorganization rule. Specific implementations may refer to step 505 in the embodiment of fig. 5.
The processing module 1002 is further configured to: process the second message based on the first address. A specific implementation may refer to step 506 in the embodiment of fig. 5.
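The shift-and-XOR rule, the LOT, the change of rule between messages of one flow, and the rule information carried with the second message, combined into one added end-to-end example (Python, not code from the patent) of the first and second forwarding nodes. Assumptions, not from the page: the shift is a circular rotation (a plain shift would discard bits and could not be restored at the second node), the rule information is an integer rule identifier carried in an extension field modelled as the `rule_id` attribute, both nodes were pre-configured with the same LOT, the LOT is filled from a seeded RNG only so the example repeats, and the addresses are constructed IPv6 samples.

```python
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional

WIDTH = 128                 # IPv6 address width; the constructed samples below are IPv6
MASK = (1 << WIDTH) - 1


@dataclass(frozen=True)
class Rule:
    rule_id: int
    confusion: int   # meta-confusion sequence, WIDTH bits
    shift: int       # shift count applied before the bit operation


def rotl(value, count):
    """Circular left shift (assumption: the shift is a rotation so it stays invertible)."""
    count %= WIDTH
    return ((value << count) | (value >> (WIDTH - count))) & MASK


def rotr(value, count):
    return rotl(value, WIDTH - (count % WIDTH))


def reorganize(addr, rule):
    """First forwarding node: shift to the intermediate address, then XOR."""
    intermediate = rotl(addr, rule.shift)
    return intermediate ^ rule.confusion


def restore(addr, rule):
    """Second forwarding node: XOR is its own inverse, then undo the shift."""
    return rotr(addr ^ rule.confusion, rule.shift)


def build_lot(size, seed):
    """Addressing confusion table (LOT): rule_id -> Rule. Seeded only so the
    example repeats; a deployment would draw the sequences from a CSPRNG."""
    rng = random.Random(seed)
    return {i: Rule(i, rng.getrandbits(WIDTH), rng.randrange(1, WIDTH)) for i in range(size)}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    rule_id: Optional[int] = None   # assumed extension field carrying the rule information


class FirstForwardingNode:
    def __init__(self, lot):
        self.lot = lot
        self.sent = 0

    def egress(self, pkt):
        # Walk the LOT so consecutive messages of one flow leave under different rules.
        rule = self.lot[self.sent % len(self.lot)]
        self.sent += 1
        return replace(
            pkt,
            src=ipaddress.IPv6Address(reorganize(int(pkt.src), rule)),
            dst=ipaddress.IPv6Address(reorganize(int(pkt.dst), rule)),
            rule_id=rule.rule_id,
        )


class SecondForwardingNode:
    def __init__(self, lot):
        self.lot = lot

    def ingress(self, pkt):
        rule = self.lot.get(pkt.rule_id)
        if rule is None:
            # Do not guess: a message whose rule information is missing or unknown is dropped.
            raise ValueError(f"unknown rule id {pkt.rule_id!r}")
        return replace(
            pkt,
            src=ipaddress.IPv6Address(restore(int(pkt.src), rule)),
            dst=ipaddress.IPv6Address(restore(int(pkt.dst), rule)),
            rule_id=None,
        )


def run_flow(n_packets=2, seed=7):
    """Send n_packets of one flow through both nodes; returns (original, on_wire, restored)."""
    lot = build_lot(4, seed)
    first, second = FirstForwardingNode(lot), SecondForwardingNode(lot)
    original = Packet(ipaddress.IPv6Address("2001:db8::1"),
                      ipaddress.IPv6Address("2001:db8:ffff::2"))
    on_wire = [first.egress(original) for _ in range(n_packets)]
    restored = [second.ingress(p) for p in on_wire]
    return original, on_wire, restored


if __name__ == "__main__":
    original, on_wire, restored = run_flow()
    net = ipaddress.ip_network("2001:db8::/32")
    for p in on_wire:
        print(p.rule_id, p.src, p.dst, p.src in net)
    assert all(p.src == original.src and p.dst == original.dst for p in restored)
```

Because the XOR with a fixed meta-confusion sequence is linear, one known pair of original and reorganized addresses gives away the sequence for that shift count; changing the rule between messages and keeping the LOT confined to one area, as the description recommends, are what limit that exposure. The second node rejects a message with a missing or unknown rule identifier instead of trying every rule, so a malformed message cannot make it emit an arbitrary restored address.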
It should be noted that when the network device provided in the above embodiment forwards messages, the division into the above functional modules is only used for illustration. In practical applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the network device may be divided into different functional modules to complete all or part of the functions described above. In addition, the network device provided in the foregoing embodiment and the message forwarding method embodiment belong to the same concept; the specific implementation process of the network device is detailed in the method embodiment and is not repeated here.
The following describes a hardware structure related to an embodiment of the present application.
Fig. 11 is a schematic structural diagram of an apparatus 1100 according to an embodiment of the present application. Fig. 12 is a schematic structural diagram of another apparatus 1200 according to an embodiment of the present application. The structure of these two devices is explained below.
It should be noted that the apparatus 1100 or the apparatus 1200 described below corresponds to the first forwarding node or the second forwarding node in the above method embodiments. For the various steps and methods implemented by the first forwarding node or the second forwarding node, and for details of how the device 1100 or the device 1200 processes messages, reference may be made to the above method embodiments; the details are not repeated here for brevity. The steps of the above method embodiments are performed by integrated logic circuitry of hardware or by instructions in software form in a processor of the device 1100 or the device 1200. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or executed by a combination of hardware and software modules in the processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method; these are not described in detail here to avoid repetition.
When the device 1100 corresponds to the first forwarding node, each functional module in the first forwarding node is implemented by using software of the device 1100. In other words, the functional module included in the first forwarding node is generated after the processor of the device 1100 reads the program code stored in the memory.
When the device 1100 corresponds to the second forwarding node, each functional module in the second forwarding node is implemented using software of the device 1100. In other words, the functional module included in the second forwarding node is generated after the processor of the device 1100 reads the program code stored in the memory.
When the apparatus 1200 corresponds to the first forwarding node described above, each functional module in the first forwarding node is implemented in software of the apparatus 1200. In other words, the functional modules comprised by the first forwarding node are generated after the processor of the device 1200 reads the program code stored in the memory.
When the apparatus 1200 corresponds to the above-described second forwarding node, each functional module in the second forwarding node is implemented in software of the apparatus 1200. In other words, the functional module included in the second forwarding node is generated after the processor of the device 1200 reads the program code stored in the memory.
Referring to fig. 11, fig. 11 is a schematic structural diagram of an apparatus 1100 according to an embodiment of the present application. Optionally, the device 1100 is configured as the first forwarding node or the second forwarding node shown in fig. 1. In other words, the first forwarding node or the second forwarding node in the above-described method embodiments is optionally implemented by the apparatus 1100.
The device 1100 is, for example, a network device, such as the device 1100 is a switch, router, or the like. Alternatively, the device 1100 is, for example, a computing device, such as where the device 1100 is a host, server, personal computer, or the like. The device 1100 may be implemented by a general bus architecture.
The device 1100 includes at least one processor 1101, a communication bus 1102, a memory 1103, and at least one communication interface 1104.
The processor 1101 is, for example, a general-purpose central processing unit (CPU), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solutions of the present application. For example, the processor 1101 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
Communication bus 1102 is used to transfer information between the aforementioned components. Communication bus 1102 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 11, but this does not mean there is only one bus or one type of bus.
The memory 1103 is, for example, but not limited to, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1103 is, for example, independent and is connected to the processor 1101 through the communication bus 1102. The memory 1103 may also be integrated with the processor 1101.
The communication interface 1104 uses any transceiver-like device for communicating with other devices or communication networks. Communication interface 1104 includes a wired communication interface and may also include a wireless communication interface. The wired communication interface may be, for example, an ethernet interface. The ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a wireless local area network (wireless local area networks, WLAN) interface, a cellular network communication interface, a combination thereof, or the like.
In a particular implementation, the processor 1101 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 11, as an example.
In a particular implementation, the device 1100 may include multiple processors, such as the processor 1101 and the processor 1105 shown in FIG. 11, as one embodiment. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a specific implementation, device 1100 may also include output devices and input devices, as one embodiment. The output device communicates with the processor 1101 and may display information in a variety of ways. For example, the output device may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a Cathode Ray Tube (CRT) display device, or a projector (projector), or the like. The input device(s) is in communication with the processor 1101 and may receive user input in a variety of ways. For example, the input device may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
In some embodiments, the memory 1103 is used to store program code 1110 that executes aspects of the present application, and the processor 1101 may execute the program code 1110 stored in the memory 1103. That is, the apparatus 1100 may implement the method for forwarding a packet provided by the method embodiment through the processor 1101 and the program code 1110 in the memory 1103.
The apparatus 1100 of the present embodiment may correspond to the first forwarding node or the second forwarding node in the foregoing respective method embodiments, and the processor 1101, the communication interface 1104, and the like in the apparatus 1100 may implement the functions and/or the implemented various steps and methods possessed by the first forwarding node or the second forwarding node in the foregoing respective method embodiments. For brevity, the description is omitted here.
In the case where the packet forwarding in the embodiment of the present application is implemented by using the device 1100, in some embodiments, the transceiver module and the processing module in the network device 1000 shown in fig. 10 are software modules in the program code 1110 in the device 1100, and the processor 1101 in the device 1100 implements the functions of the transceiver module and the processing module in the network device 1000 in fig. 10 by executing the program code 1110.
Referring to fig. 12, fig. 12 is a schematic structural diagram of an apparatus 1200 according to an embodiment of the present application, and optionally, the apparatus 1200 is configured as the first forwarding node or the second forwarding node shown in fig. 1. In other words, the first forwarding node or the second forwarding node in the above-described method embodiments is optionally implemented by the apparatus 1200.
The device 1200 is, for example, a network device, such as the device 1200 is a switch, router, or the like. The apparatus 1200 includes: a main control board 12010 and an interface board 12030.
The main control board 12010 is also called a main processing unit (main processing unit, MPU) or routing processing card (route processor card), and the main control board 12010 is used for controlling and managing various components in the device 1200, including routing computation, device management, device maintenance, and protocol processing functions. The main control board 12010 includes: a central processing unit 12011 and a memory 12012.
The interface board 12030 is also referred to as a line processing unit (LPU), line card, or service board. The interface board 12030 is used to provide various service interfaces and to implement forwarding of data packets. The service interfaces include, but are not limited to, Ethernet interfaces, such as Flexible Ethernet client (FlexE Client) interfaces, POS (Packet over SONET/SDH) interfaces, etc. The interface board 12030 includes: a central processor 12031, a network processor 12032, a forwarding table entry memory 12034, and a physical interface card (PIC) 12033.
The central processor 12031 on the interface board 12030 is configured to control and manage the interface board 12030 and communicate with the central processor 12011 on the main control board 12010.
The network processor 12032 is configured to implement forwarding processing of packets; it may take the form of a forwarding chip. Specifically, the network processor 12032 forwards received messages based on the forwarding table stored in the forwarding table entry memory 12034: if the destination address of a message is an address of the device 1200, the message is sent up to a CPU (e.g. the central processing unit 12011) for processing; if the destination address of the message is not an address of the device 1200, the next hop and outbound interface corresponding to the destination address are looked up in the forwarding table, and the message is forwarded to that outbound interface. Processing of an uplink (inbound) message includes processing at the message's input interface and a forwarding table lookup; processing of a downlink (outbound) message includes a forwarding table lookup and the like.
The physical interface card 12033 implements the interfacing function of the physical layer: original traffic enters the interface board 12030 through it, and processed messages are sent out through it. The physical interface card 12033, also called a daughter card, may be mounted on the interface board 12030 and is responsible for converting optical or electrical signals into messages, performing validity checks on the messages, and passing them to the network processor 12032 for processing. In some embodiments, the central processor may also perform the functions of the network processor 12032, for example by implementing software forwarding on a general-purpose CPU, so that the network processor 12032 is not required on the interface board 12030.
Optionally, the device 1200 includes a plurality of interface boards, for example, the device 1200 further includes an interface board 12040, the interface board 12040 includes: a central processor 12041, a network processor 12042, a forwarding table entry memory 12044, and a physical interface card 12043.
Optionally, the device 1200 also includes a switch fabric 12020. The switch fabric 12020 may also be referred to as a switch fabric unit (switch fabric unit, SFU). In the case of a network device having a plurality of interface boards 12030, the switching fabric 12020 is used to complete data exchange between the interface boards. For example, communication between the interface board 12030 and the interface board 12040 may be through the switch fabric 12020.
The main control board 12010 is coupled to the interface board 12030. For example, the main control board 12010, the interface board 12030, the interface board 12040, and the switch fabric 12020 are connected to the system backplane through a system bus to intercommunicate. In one possible implementation, an inter-process communication (IPC) channel is established between the main control board 12010 and the interface board 12030, and the two communicate through the IPC channel.
Logically, the device 1200 includes a control plane and a forwarding plane. The control plane includes the main control board 12010 and the central processor 12031; the forwarding plane includes the components that perform forwarding, such as the forwarding table entry memory 12034, the physical interface card 12033, and the network processor 12032. The control plane performs routing, generates the forwarding table, processes signalling and protocol messages, and configures and maintains the state of the device; it issues the generated forwarding table to the forwarding plane, where the network processor 12032 performs table-lookup forwarding of messages received by the physical interface card 12033 based on that forwarding table. The forwarding table issued by the control plane may be stored in the forwarding table entry memory 12034. In some embodiments, the control plane and the forwarding plane may be completely separate and not on the same device.
In the case where the first forwarding node or the second forwarding node is implemented using the device 1200, in some embodiments, the transceiver module in the network device 1000 shown in fig. 10 corresponds to the physical interface card 12033 in the device 1200; the processing module of the network device 1000 corresponds to the network processor 12032, the central processor 12031, or the central processor 12011.
It should be understood that the operations on the interface board 12040 are consistent with the operations of the interface board 12030 in the embodiment of the present application, and are not repeated for brevity. It should be understood that the apparatus 1200 of the present embodiment may correspond to the first forwarding node in the foregoing method embodiments, and the main control board 12010, the interface board 12030 and/or the interface board 12040 in the apparatus 1200 may implement functions and/or various steps implemented by the first forwarding node in the foregoing method embodiments, which are not repeated herein for brevity.
It should be noted that there may be one or more main control boards; when there are several, they may include an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the network device, the more interface boards it provides. There may also be one or more physical interface cards on an interface board. There may be no switch fabric board, or one or more; when there are several, they jointly provide load sharing and redundancy backup. Under a centralized forwarding architecture, the network device may need no switch fabric board, and the interface board carries the processing of the service data of the whole system. Under a distributed forwarding architecture, the network device may have at least one switch fabric board through which data exchange between multiple interface boards is implemented, providing high-capacity data exchange and processing capability. Therefore, the data access and processing capability of a network device with a distributed architecture is greater than that of a device with a centralized architecture. Alternatively, the network device may take the form of a single board, i.e. there is no switch fabric board, the functions of the interface board and the main control board are integrated on that single board, and the central processor of the interface board and the central processor of the main control board may be merged into one central processor on that board, which performs the functions of both; the data exchange and processing capability of a device in this form is low (for example, low-end switches or routers). The specific architecture employed depends on the specific networking deployment scenario and is not limited here.
In other embodiments, the embodiments of the present application further provide a packet forwarding system. As shown in fig. 13, the packet forwarding system 1300 includes a first forwarding node 1301 and a second forwarding node 1302.
The first forwarding node 1301 is configured to obtain a first packet, where the first packet includes a first address, a bit value of the first address at a reference position indicates first effective information, and the first effective information is related information of a communication end identified by the first address;
the first forwarding node 1301 is further configured to reorganize the first address into a second address based on a first reorganization rule, where a bit value of the second address at the reference location does not indicate the first valid information;
the first forwarding node 1301 is further configured to replace a first address in the first packet with a second address, obtain a second packet, and send the second packet;
a second forwarding node 1302, configured to receive a second packet;
the second forwarding node 1302 is further configured to restore the second address to the first address based on the first reassembly rule;
the second forwarding node 1302 is further configured to process a second packet based on the first address.
The detailed functions of the forwarding nodes in the foregoing packet forwarding system may refer to the embodiment shown in fig. 5, which is not described herein.
Those of ordinary skill in the art will appreciate that the various method steps and modules described in connection with the embodiments disclosed herein can be implemented as electronic hardware, computer software, or combinations of both, and in order to clearly illustrate the interchangeability of hardware and software, steps and components of various embodiments have been described above generally in terms of functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those of ordinary skill in the art may implement the described functionality using different approaches for each particular application, but such implementation is not to be considered as beyond the scope of the present application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system, apparatus and module may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, e.g., the division of the modules is merely a logical function division, and there may be additional divisions of actual implementation, e.g., multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or modules, or may be an electrical, mechanical, or other form of connection.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the embodiments of the present application.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules.
The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method in the various embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The terms "first," "second," and the like in this application are used for distinguishing between similar elements or items having substantially the same function and effect, and it should be understood that there is no logical or chronological dependency between the terms "first" and "second," and no limitation on the quantity or order of execution. It will be further understood that, although the following description uses the terms first, second, etc. to describe various elements, these elements should not be limited by the terms. These terms are only used to distinguish one element from another element. For example, the first information may be referred to as second information, and similarly, the second information may be referred to as first information, without departing from the scope of the various examples. The first information and the second information may both be information and, in some cases, may be separate and distinct information.
The term "at least one" means one or more, and the term "plurality" means two or more. The terms "system" and "network" are often used interchangeably herein.
It should also be understood that the term "if" may be interpreted to mean "when" ("when" or "upon") or "in response to a determination" or "in response to detection". Similarly, the phrase "if determined" or "if [ a stated condition or event ] is detected" may be interpreted to mean "upon determination" or "in response to determination" or "upon detection of [ a stated condition or event ] or" in response to detection of [ a stated condition or event ] "depending on the context.
The foregoing description is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about various equivalent modifications or substitutions within the technical scope of the present application, and these modifications or substitutions are all covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer program instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer program instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired or wireless means. The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., digital versatile disk (digital video disc, DVD), or a semiconductor medium (e.g., solid state disk), etc.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the above storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description is only of alternative embodiments of the present application and is not intended to limit the present application, but any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the present application are intended to be included within the scope of the present application.

Claims (24)

1. A method for forwarding a message, the method comprising:
a first forwarding node acquires a first message, wherein the first message comprises a first address, the bit value of the first address at a reference position indicates first valid information, and the first valid information is information relating to the communication endpoint identified by the first address;
the first forwarding node reorganizes the first address into a second address based on a first reorganization rule, wherein the bit value of the second address at the reference position does not indicate the first valid information; and
the first forwarding node replaces the first address in the first message with the second address to obtain a second message, and sends the second message.
2. The method of claim 1, wherein the first valid information comprises a network prefix and/or a host identifier.
3. The method of claim 1 or 2, wherein the first forwarding node reorganizing the first address into a second address based on a first reorganization rule comprises:
the first forwarding node interleaving the leading part and the trailing part of the first address with each other based on the first reorganization rule to obtain the second address;
wherein the leading part is the portion of bits toward the left (high-order) side of the first address, and the trailing part is the portion of bits toward the right (low-order) side of the first address.
4. The method of claim 3, wherein the first reorganization rule comprises a first bit sequence having the same number of bits as the first address, the bit values at n positions of the first bit sequence equal a target bit value, and n is greater than or equal to 1;
the first forwarding node interleaving the leading part and the trailing part of the first address to obtain the second address comprises:
the first forwarding node taking the first n bits of the first address, placing the bit values of those n bits at the positions where the bit value in the first bit sequence equals the target bit value, and placing the bit values of the remaining bits of the first address at the positions where the bit value in the first bit sequence does not equal the target bit value, so as to obtain the second address.
5. The method of claim 4, wherein, before the first forwarding node reorganizes the first address into the second address based on the first reorganization rule, the method further comprises:
the first forwarding node randomly generating a bit sequence to obtain the first bit sequence.
6. The method of claim 1 or 2, wherein the first reorganization rule comprises a first meta-obfuscation sequence of at least two bits;
the first forwarding node reorganizing the first address into a second address based on a first reorganization rule comprises:
the first forwarding node performing a bit operation on the first address based on the first meta-obfuscation sequence to obtain the second address.
7. The method of claim 6, wherein the first reorganization rule further comprises a first shift count;
the first forwarding node performing a bit operation on the first address based on the first meta-obfuscation sequence to obtain the second address comprises:
the first forwarding node performing a shift operation on the first address by the first shift count to obtain an intermediate address; and
the first forwarding node performing the bit operation on the intermediate address and the first meta-obfuscation sequence to obtain the second address.
8. The method of claim 7, wherein the bit operation is a bitwise exclusive OR (XOR) operation.
9. The method of any one of claims 6-8, wherein, before the first forwarding node reorganizes the first address into the second address based on the first reorganization rule, the method further comprises:
the first forwarding node acquiring an addressing obfuscation table (LOT), wherein the LOT comprises a plurality of reorganization rules, each of which comprises a meta-obfuscation sequence; and
the first forwarding node selecting one reorganization rule from the LOT as the first reorganization rule.
10. The method of any one of claims 1-9, wherein the method further comprises:
the first forwarding node acquiring a third message, wherein the third message comprises a third address, the bit value of the third address at the reference position indicates second valid information, and the second valid information is information relating to the communication endpoint identified by the third address;
the first forwarding node reorganizing the third address into a fourth address based on a second reorganization rule, wherein the bit value of the fourth address at the reference position does not indicate the second valid information; and
the first forwarding node replacing the third address in the third message with the fourth address to obtain a fourth message, and sending the fourth message;
wherein the second reorganization rule is different from the first reorganization rule.
11. The method of claim 10, wherein the third address is the same address as the first address, and the second valid information is the same valid information as the first valid information.
12. The method of any one of claims 1-11, wherein the second message further carries rule information indicating the first reorganization rule.
13. The method of claim 12, wherein the second message comprises an address field that carries both the second address and the rule information.
14. The method of claim 12, wherein the second message comprises an extension field that carries the rule information.
15. A method for forwarding a message, the method comprising:
a second forwarding node receives a second message, wherein the second message carries a second address, the bit value of the second address at a reference position does not indicate first valid information, the second message was generated by a first forwarding node from a first message, the first message comprises a first address, the bit value of the first address at the reference position indicates the first valid information, and the first valid information is information relating to the communication endpoint identified by the first address;
the second forwarding node restores the second address to the first address based on a first reorganization rule; and
the second forwarding node processes the second message based on the first address.
16. A message forwarding system, the system comprising a first forwarding node and a second forwarding node, wherein:
the first forwarding node is configured to acquire a first message, where the first message comprises a first address, the bit value of the first address at a reference position indicates first valid information, and the first valid information is information relating to the communication endpoint identified by the first address;
the first forwarding node is further configured to reorganize the first address into a second address based on a first reorganization rule, where the bit value of the second address at the reference position does not indicate the first valid information;
the first forwarding node is further configured to replace the first address in the first message with the second address to obtain a second message, and to send the second message;
the second forwarding node is configured to receive the second message;
the second forwarding node is further configured to restore the second address to the first address based on the first reorganization rule; and
the second forwarding node is further configured to process the second message based on the first address.
17. A network device comprising a memory and a processor, wherein:
the memory is configured to store program instructions; and
the processor is configured to invoke the program instructions stored in the memory to cause the network device to perform the method of any one of claims 1-14.
18. A network device comprising a memory and a processor, wherein:
the memory is configured to store program instructions; and
the processor is configured to invoke the program instructions stored in the memory to cause the network device to perform the method of claim 15.
19. A network device comprising a transceiver module and a processing module, wherein:
the transceiver module is configured to perform the transceiving operations in the method of any one of claims 1-14; and
the processing module is configured to perform the operations in the method of any one of claims 1-14 other than the transceiving operations.
20. A network device comprising a transceiver module and a processing module, wherein:
the transceiver module is configured to perform the transceiving operations in the method of claim 15; and
the processing module is configured to perform the operations in the method of claim 15 other than the transceiving operations.
21. A computer-readable storage medium storing instructions which, when executed on a processor, implement the method of any one of claims 1-14.
22. A computer-readable storage medium storing instructions which, when executed on a processor, implement the method of claim 15.
23. A computer program product comprising instructions which, when run on a processor, implement the method of any one of claims 1-14.
24. A computer program product comprising instructions which, when run on a processor, implement the method of claim 15.
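The following is an added worked example, not code from the patent or from Huawei, that models the two families of reorganization rule in claims 3-9 together with the restoring step of claim 15 and the rule-information carriage of claims 12 and 14. Everything beyond what the claims state is an assumption made for the demonstration: addresses are 128-bit IPv6 addresses; the "shift operation" of claim 7 is taken to be a bit rotation, because a plain shift would discard bits and the second forwarding node could not restore the first address; the LOT contents, the mask, the meta-obfuscation sequence and the sample address are constructed; rule information travels as a LOT index in a separate message field, standing in for the extension field of claim 14, on the assumption that both forwarding nodes already share the LOT (the claims do not say how the LOT is distributed). The /64 network prefix is used as the reference position of claim 1, and `prefix_leaks` checks that the second address no longer carries it.

```python
import ipaddress
import secrets

ADDR_BITS = 128  # assumption: 128-bit IPv6 addresses

def addr_to_bits(addr):
    """Address text -> list of 128 bits, index 0 = leftmost (high-order) bit."""
    v = int(ipaddress.IPv6Address(addr))
    return [(v >> (ADDR_BITS - 1 - i)) & 1 for i in range(ADDR_BITS)]

def bits_to_addr(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return str(ipaddress.IPv6Address(v))

def hex_to_bits(hexstr):
    v = int(hexstr, 16)
    return [(v >> (ADDR_BITS - 1 - i)) & 1 for i in range(ADDR_BITS)]

# Rule type 1 (claims 3-5): interleave the leading and trailing bit parts via a mask.
def interleave(bits, mask, target=1):
    """Claim 4: n = number of mask positions equal to target. The first n bits of the
    address go to those positions, the remaining bits to the others, order preserved."""
    n = sum(1 for m in mask if m == target)
    head, tail = iter(bits[:n]), iter(bits[n:])
    return [next(head) if m == target else next(tail) for m in mask]

def deinterleave(bits, mask, target=1):
    """Inverse: read the target positions back as the leading part, the rest as trailing."""
    head = [b for b, m in zip(bits, mask) if m == target]
    tail = [b for b, m in zip(bits, mask) if m != target]
    return head + tail

def random_mask():
    """Claim 5: the forwarding node may generate the first bit sequence at random."""
    return [secrets.randbelow(2) for _ in range(ADDR_BITS)]

# Rule type 2 (claims 6-8): shift by a count, then XOR with a meta-obfuscation sequence.
# Assumption: the shift is a rotation, so no bits are lost and the step is reversible.
def rotate(bits, k):
    k %= len(bits)
    return bits[k:] + bits[:k]

def shift_xor(bits, shift, meta):
    return [a ^ b for a, b in zip(rotate(bits, shift), meta)]

def unshift_xor(bits, shift, meta):
    return rotate([a ^ b for a, b in zip(bits, meta)], -shift)

# Constructed LOT (claim 9): rule id -> reorganization rule. Both nodes must share it.
LOT = {
    1: {"type": "interleave", "mask": [1, 0] * (ADDR_BITS // 2), "target": 1},
    2: {"type": "shift_xor", "shift": 13,
        "meta": hex_to_bits("5a5aa5a5c33c3cc30f0ff0f0ff00ff00")},
}

def reorganize(first_addr, rule):
    """First forwarding node (claims 1, 3, 6): first address -> second address."""
    bits = addr_to_bits(first_addr)
    if rule["type"] == "interleave":
        return bits_to_addr(interleave(bits, rule["mask"], rule["target"]))
    if rule["type"] == "shift_xor":
        return bits_to_addr(shift_xor(bits, rule["shift"], rule["meta"]))
    raise ValueError("unknown rule type %r" % rule["type"])

def restore(second_addr, rule):
    """Second forwarding node (claim 15): second address -> first address."""
    bits = addr_to_bits(second_addr)
    if rule["type"] == "interleave":
        return bits_to_addr(deinterleave(bits, rule["mask"], rule["target"]))
    if rule["type"] == "shift_xor":
        return bits_to_addr(unshift_xor(bits, rule["shift"], rule["meta"]))
    raise ValueError("unknown rule type %r" % rule["type"])

def forward(first_msg, rule_id):
    """Claims 1 and 12: swap the address and carry rule information (here a LOT index
    in a separate dict key, standing in for the extension field of claim 14)."""
    second_msg = dict(first_msg)
    second_msg["dst"] = reorganize(first_msg["dst"], LOT[rule_id])
    second_msg["rule_id"] = rule_id
    return second_msg

def receive(second_msg):
    """Claim 15: look the rule up in the shared LOT and return the restored address."""
    return restore(second_msg["dst"], LOT[second_msg["rule_id"]])

def prefix_leaks(first_addr, second_addr, prefix_len=64):
    """Claim-1 property with the /64 network prefix as the reference position:
    True if the second address still carries the first address's prefix bits."""
    return addr_to_bits(first_addr)[:prefix_len] == addr_to_bits(second_addr)[:prefix_len]

if __name__ == "__main__":
    msg = {"dst": "2001:db8:1234:5678:abcd:ef01:2345:6789", "payload": b"hi"}  # constructed
    for rid in LOT:
        out = forward(msg, rid)
        print(rid, out["dst"], "restored:", receive(out) == msg["dst"],
              "prefix leaks:", prefix_leaks(msg["dst"], out["dst"]))
```

Running the module applies both LOT rules to the constructed address, restores it on the receiving side, and reports whether the leading 64 bits of the second address still equal the original prefix. Two points follow from the model rather than from the claims: the transform is a fixed permutation or XOR, so anyone who learns the rule can invert it, and rule 2 with a constant meta-obfuscation sequence maps equal first addresses to equal second addresses, which is why claims 10 and 11 allow the same first address to be sent under a different rule.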
CN202210763505.8A 2022-06-29 2022-06-29 Message forwarding method, system, network device, storage medium and program product Pending CN117375862A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210763505.8A CN117375862A (en) 2022-06-29 2022-06-29 Message forwarding method, system, network device, storage medium and program product


Publications (1)

Publication Number Publication Date
CN117375862A true CN117375862A (en) 2024-01-09

Family

ID=89397075


Country Status (1)

Country Link
CN (1) CN117375862A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117714219A (en) * 2024-02-18 2024-03-15 中国电子科技集团公司第三十研究所 Hidden restoring method for equipment address/identifier and message transmission method
CN117714219B (en) * 2024-02-18 2024-04-23 中国电子科技集团公司第三十研究所 Hidden restoring method for equipment address/identifier and message transmission method

Legal Events

Date Code Title Description
PB01 Publication