CN117914519A - Space network data safety transmission method - Google Patents

Info

Publication number
CN117914519A
Authority
CN (China)
Prior art keywords
data, header, packet, space, protocol
Legal status
Pending
Application number
CN202311658389.4A
Other languages
Chinese (zh)
Inventors
闫春香, 何熊文, 张天为, 顾明, 阎冬, 崔钊婧, 乔梁, 燕洪成, 杨培尧, 王丹, 王鹏程, 詹盼盼, 贾雨棽
Current Assignee
Beijing Institute of Spacecraft System Engineering
Original Assignee
Beijing Institute of Spacecraft System Engineering
Priority date
2023-12-05
Filing date
2023-12-05
Publication date
2024-04-19

Abstract

The invention discloses a space network data security transmission method. The method is built on a multi-layer security protocol chosen according to the characteristics of a space network and provides encryption and authentication for space network information transmission: encryption ensures that network information is not learned by unauthorized parties, and authentication ensures the legality and correctness of the information source. The method adapts to various security protection requirements, improves the usability of security protection and improves the protection efficiency of the system.

Description

Space network data safety transmission method
Technical Field
The invention belongs to the technical field of spacecraft network security, and particularly relates to a space network data security transmission method.
Background
With the progress of technology, satellites are gradually changing from single-satellite operation to constellation networking operation, and large-scale constellation networking in particular brings disruptive change to traditional space tasks. The space security threats faced by constellation networking are also more varied, so research on space-network-based security protection is needed to improve the efficiency of space network security protection.
Compared with the terrestrial internet, the space network has the following characteristics: the open space environment leaves network nodes vulnerable to attack; the dynamically changing network topology causes frequent node entry and exit, so the specific security requirements of a predictable dynamic network must be considered; under information fusion, network security requirements are differentiated, and the security requirements of different nodes are not identical; the constraints that link characteristics place on security and confidentiality call for a protocol with as few negotiations and handshakes as possible; and satellite-borne resources are limited, so the constrained transmission bandwidth and computing capacity of the constellation must be taken into account in the security protection design. However, the space network still lacks an effective data security transmission method.
Disclosure of Invention
In view of the above, the invention provides a space network data security transmission method, which realizes functions of encryption, authentication and the like of space network information transmission.
The invention provides a space network data safety transmission method, which comprises the following steps:
The AOS protocol is adopted at the link layer of the space network, the IPoC protocol at the network layer, the UDP protocol at the transport layer, and a combination of the QUIC protocol and the space packet protocol at the application layer;
When a data frame is transmitted between space network satellites, the transmitting end encapsulates it by nesting the protocols of each layer: at the link layer the data frame is encapsulated according to the structure of a synchronization header, a master header, an insertion domain, a security header, a data domain, a security trailer, an operation control domain and an error control domain, where the security header is used for encryption or authentication and the security trailer is used for authentication; at the application layer the data frame is encapsulated as a sequence of Stream data frames, each consisting of a Stream header and a space packet and containing an offset that gives the position of the current frame within the whole data;
After receiving the data frames, the receiving end checks the offsets of the Stream data frames; if the offsets are discontinuous, the lost Stream frame is located from the offset and the transmitting end is asked to retransmit it.
Further, encapsulating the data frame at the link layer according to the structure of the synchronization header, master header, insertion domain, security header, data domain, security trailer, operation control domain and error control domain includes: the synchronization header consists of fixed bytes and identifies the beginning of a transmission data frame; the master header is 6 or 8 bytes long and identifies the spacecraft and the virtual channel, being 8 bytes when the frame header is checked and 6 bytes otherwise; the insertion domain is set according to the model; the data field stores the communication data; a security trailer is configured for data frames that use the authentication service, and the position of the security trailer is reserved in the other frames that use the same transmission protocol; the operation control domain and the error control domain are provided as required.
Further, the frame type field of the Stream data frame is 1 byte long; its most significant bit is set to 1, and the definition of the other bits complies with the standard format constraints of Stream frames.
Further, the space packet consists of a packet main header and a data area; the data area comprises a packet auxiliary header, a security header, a data field and a security trailer. The security trailer is omitted when the space packet uses only the encryption service and is added when the space packet uses the authentication service, and its length is determined by the selected encryption scheme.
Further, the security header includes an SPI, an IV, a sequence number and padding. The SPI identifies the algorithm and key synchronized between the transmitting end and the receiving end, and is 0 when the data is transmitted in the clear; the IV is the vector the algorithm needs and is optional; the sequence number implements the anti-replay function of the space packet: its length is zero when the space packet uses only the encryption service, it is added when the space packet uses the authentication service, and the receiving end uses it to judge whether a space packet is a replay; the padding fields are set as needed.
The beneficial effects are that:
1. A data security transmission method based on a multi-layer security protocol is constructed according to the characteristics of the space network and provides encryption and authentication for space network information transmission: encryption ensures that network information is not learned by unauthorized parties, authentication ensures the legality and correctness of the information source, various security protection requirements can be met, the usability of security protection is improved, and the protection efficiency of the system is improved.
2. The invention adopts the general Advanced Orbiting Systems (AOS) protocol at the link layer, which is compatible with the communication protocols of mainstream spacecraft, realizes secure transmission at the link layer and improves the applicability of the method.
3. The invention uses the QUIC protocol at the application layer, which reduces connection establishment time, improves congestion control, reduces the number of retransmissions and improves transmission efficiency. QUIC also remedies the unreliability of the UDP transport protocol and delivers data completely and in order, so it suits inter-satellite communication over an open transmission link with a certain error rate and provides stable, reliable inter-satellite transmission for the space network.
Drawings
Fig. 1 is a schematic diagram of a space network data security transmission method according to the present invention.
Fig. 2 is a schematic diagram of multi-layer protocol encapsulation in a method for secure transmission of spatial network data according to the present invention.
Fig. 3 is a schematic diagram of Stream frame format in a method for securely transmitting spatial network data according to the present invention.
Fig. 4 is a schematic diagram of an application layer space packet format in a method for securely transmitting data in a space network according to the present invention.
Fig. 5 is a schematic diagram of a mechanism of space packet retransmission and anti-replay in a method for safely transmitting data in a space network according to the present invention.
Detailed Description
The present invention will be described in detail with reference to the following examples.
The core idea of the space network data safety transmission method provided by the invention is as follows: by adopting protection measures such as encryption and authentication at different levels, including the link layer and the application layer, layered information security protection of the space network is realized, a variety of network attack methods are countered while a degree of flexibility is retained, and the security of the spacecraft's information transmission is ensured.
The framework of the method is shown in Fig. 1. It covers a link layer, a network layer, a transport layer and an application layer; a security protocol is used at the link layer and the application layer, and general protocols are used at the network layer and the transport layer. Specifically: the link layer adopts the most widely applied AOS protocol, so that point-to-point connections between a large number of space nodes can be realized; the network layer adopts the IPoC protocol to provide end-to-end transmission of inter-satellite information; the transport layer adopts the connectionless UDP protocol, which ensures transmission efficiency; and the application layer uses the QUIC protocol combined with the space packet protocol, which not only meets space task requirements but also offers high efficiency and reliability.
When the space network inter-satellite transmission frames are packaged, the multi-layer protocols are in a layer-by-layer nested relationship, as shown in fig. 2.
Specifically, the link layer protocol adopts an AOS transmission frame consisting of a transmission frame synchronization header, a master header, an insertion domain, a security header, a data domain, a security trailer, an operation control domain and an error control domain. The synchronization header generally consists of fixed bytes that identify the start of a transmission frame. The master header is generally 6 or 8 bytes long (8 bytes when the master header is checked, 6 bytes otherwise) and indicates information such as the spacecraft identifier and the virtual channel. The insertion domain is set according to the model. The security header is a mandatory attribute: it provides the security association for link-layer encryption or authentication, so that the transmitting end and the receiving end can synchronize the key, algorithm, IV and similar information and keep encryption consistent. The data field stores the communication data. The security trailer can be configured as required: transmission frames that use the authentication service carry a security trailer, and the other frames using the same transmission protocol reserve the position of the security trailer even when they do not need the authentication service, so that all transmission frames have a consistent format. The operation control domain and the error control domain are selected as needed. The link layer protocol is a link-layer security protocol designed on the basis of CCSDS 732.0-B-3 "AOS Space Data Link Protocol" and CCSDS 355.0-B-2 "Space Data Link Security Protocol", and is adapted to the Advanced Orbiting Systems (AOS) protocol commonly used by inter-satellite networks.
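The following is an added illustration of the link-layer frame layout described above and in claim 2; it is not code from the patent or its assignee. It assembles a frame as sync header | master header (6 bytes, or 8 with a header check) | security header (SPI, IV) | data | security trailer | error control field, and shows the point the text makes about the trailer: the trailer slot is always present, holding a MAC when the SPI selects an authentication key and zeros when the frame is sent in the clear (SPI 0), so both kinds of frame share one format. The sync marker value, field widths, the use of HMAC-SHA256 for the trailer and CRC-16 for both check fields, and the key table are all assumptions of this example, not values from the page.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example; none of these values come from the patent.
SYNC_HEADER = bytes.fromhex("1ACFFC1D")   # fixed bytes that mark the start of a frame
IV_LEN = 8                                # IV carried in the link-layer security header
TRAILER_LEN = 16                          # security trailer: truncated HMAC-SHA256 tag
SPI_CLEAR = 0                             # SPI 0: no security service, trailer slot left zero
LINK_KEYS = {1: b"constructed-link-key"}  # SPI -> key shared by transmitter and receiver


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE; stands in for both the frame header check and the error
    control field (assumption: the page does not name the actual codes)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def master_header(scid: int, vcid: int, count: int, check: bool) -> bytes:
    """6-byte master header (version bits, 8-bit spacecraft id, 6-bit virtual channel,
    24-bit frame count, 8-bit signalling), extended to 8 bytes by a header check."""
    first16 = (0b01 << 14) | ((scid & 0xFF) << 6) | (vcid & 0x3F)
    hdr = struct.pack(">H", first16) + (count & 0xFFFFFF).to_bytes(3, "big") + b"\x00"
    if check:
        hdr += struct.pack(">H", crc16(hdr))
    return hdr


def build_frame(scid: int, vcid: int, count: int, spi: int, iv: bytes,
                payload: bytes, check: bool = False) -> bytes:
    """sync header | master header | security header (SPI, IV) | data | security trailer | error control.
    The trailer slot is always present: a MAC over the frame body when spi != 0, zeros otherwise,
    so authenticated and clear frames share one format. (Insertion domain and OCF omitted.)"""
    body = master_header(scid, vcid, count, check) + struct.pack(">H", spi) + iv + payload
    if spi == SPI_CLEAR:
        trailer = bytes(TRAILER_LEN)
    else:
        trailer = hmac.new(LINK_KEYS[spi], body, hashlib.sha256).digest()[:TRAILER_LEN]
    protected = body + trailer
    return SYNC_HEADER + protected + struct.pack(">H", crc16(protected))


def parse_frame(frame: bytes, check: bool = False) -> dict:
    """Reverse build_frame; raises ValueError on any integrity or authentication failure."""
    if not frame.startswith(SYNC_HEADER):
        raise ValueError("missing sync header")
    protected, ecf = frame[len(SYNC_HEADER):-2], frame[-2:]
    if crc16(protected) != struct.unpack(">H", ecf)[0]:
        raise ValueError("error control field mismatch")
    body, trailer = protected[:-TRAILER_LEN], protected[-TRAILER_LEN:]
    hdr_len = 8 if check else 6
    hdr = body[:hdr_len]
    if check and crc16(hdr[:6]) != struct.unpack(">H", hdr[6:8])[0]:
        raise ValueError("master header check failed")
    first16 = struct.unpack(">H", hdr[:2])[0]
    spi = struct.unpack(">H", body[hdr_len:hdr_len + 2])[0]
    iv = body[hdr_len + 2:hdr_len + 2 + IV_LEN]
    payload = body[hdr_len + 2 + IV_LEN:]
    if spi != SPI_CLEAR:
        key = LINK_KEYS.get(spi)
        if key is None:
            raise ValueError("unknown SPI")
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TRAILER_LEN]
        if not hmac.compare_digest(trailer, expected):   # constant-time comparison
            raise ValueError("security trailer verification failed")
    return {"scid": (first16 >> 6) & 0xFF, "vcid": first16 & 0x3F,
            "count": int.from_bytes(hdr[2:5], "big"),
            "spi": spi, "iv": iv, "payload": payload}
```

The receiver checks the error control field first (a corrupted frame is discarded before any key is touched), then the header check, and only then the trailer; a clear frame still carries the 16 zero bytes, which is what keeps the frame length and field positions identical for both frame kinds.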
The network layer protocol adopts the IPoC (IP over CCSDS) encapsulation service; the encapsulated data packet mainly comprises an encapsulation packet header, an IPE header and an IP protocol data unit, following CCSDS 702.1-B-1 "IP Over CCSDS Space Links". The IPSec (Internet Protocol Security) protocol may additionally be employed at the network layer if necessary.
The transport layer protocol uses the standard UDP protocol. The UDP header is 8 bytes and consists of four 2-byte fields: source port, destination port, length and checksum.
The application layer protocol combines the QUIC protocol with the space packet protocol: the space packet protocol encrypts the space packet data domain and thereby provides an encryption service for the transmitted data, realizing application-layer encryption from the transmitting end to the receiving end. The data field of QUIC consists of multiple Stream data frames, each composed of a Stream header and one space packet.
The Stream frame has a variable length and contains an offset parameter that can be used to control the retransmission of lost frames. The frame type field is 1 byte long; its most significant bit is set to 1 to mark the frame as a Stream frame, and the definition of the other bits follows the standard format constraints of Stream frames, as shown in Fig. 3.
The Stream ID in the Stream frame identifies the Stream; the offset gives the position of the current frame within the whole data and is used for ordering; the data length gives the actual length of the data area. When the offsets received by the receiving end are discontinuous, the lost Stream frame can be located precisely from the offset and the transmitting end can retransmit it.
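As an added example (not code from the patent or its assignee) of the offset-based loss detection described above: a transmitter splits the whole data into Stream frames with increasing offsets, the receiver sorts what arrived by offset, reports every byte range for which no frame arrived as the retransmission request, and the transmitter re-encodes only the frames inside those ranges. The Stream header field widths (1-byte type with the most significant bit set, 2-byte Stream ID, 4-byte offset, 2-byte data length) and the assumption that the receiver knows the total stream length are choices of this example; the page does not fix them.

```python
import struct

STREAM_FRAME_TYPE = 0x80                   # frame type byte: most significant bit set = Stream frame
HEADER_FMT = ">BHIH"                       # type | stream id | offset | data length (widths assumed)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 9 bytes


def encode_stream_frame(stream_id: int, offset: int, data: bytes) -> bytes:
    """One Stream frame: Stream header followed by a single space packet as its data."""
    return struct.pack(HEADER_FMT, STREAM_FRAME_TYPE, stream_id, offset, len(data)) + data


def decode_stream_frame(frame: bytes):
    ftype, stream_id, offset, length = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    if not ftype & 0x80:
        raise ValueError("not a Stream frame")
    data = frame[HEADER_LEN:HEADER_LEN + length]
    if len(data) != length:
        raise ValueError("truncated Stream frame")
    return stream_id, offset, data


def fragment(stream_id: int, data: bytes, packet_size: int) -> list:
    """Transmitter side: split the whole data into Stream frames with increasing offsets."""
    return [encode_stream_frame(stream_id, off, data[off:off + packet_size])
            for off in range(0, len(data), packet_size)]


class StreamReassembler:
    """Receiver side: collect frames by offset, report gaps, and rebuild the data."""

    def __init__(self, stream_id: int, total_len: int):
        self.stream_id = stream_id
        self.total_len = total_len        # assumption: the receiver knows the stream length
        self.chunks = {}                  # offset -> data

    def accept(self, frame: bytes) -> bool:
        stream_id, offset, data = decode_stream_frame(frame)
        if stream_id != self.stream_id:
            return False
        if offset in self.chunks:         # duplicate, or a retransmission already received
            return False
        self.chunks[offset] = data
        return True

    def missing_ranges(self) -> list:
        """Byte ranges [start, end) whose frames have not arrived: the retransmission request."""
        gaps, expected = [], 0
        for offset in sorted(self.chunks):
            if offset > expected:         # discontinuous offset: something was lost before it
                gaps.append((expected, offset))
            expected = max(expected, offset + len(self.chunks[offset]))
        if expected < self.total_len:
            gaps.append((expected, self.total_len))
        return gaps

    def data(self) -> bytes:
        if self.missing_ranges():
            raise ValueError("stream incomplete: %r" % self.missing_ranges())
        return b"".join(self.chunks[o] for o in sorted(self.chunks))


def retransmit(stream_id: int, data: bytes, packet_size: int, gaps: list) -> list:
    """Transmitter side: re-encode only the frames whose offsets fall inside a reported gap."""
    return [f for f in fragment(stream_id, data, packet_size)
            if any(start <= decode_stream_frame(f)[1] < end for start, end in gaps)]
```

Because the request names byte ranges rather than frame indices, it stays valid even if the transmitter re-fragments the data differently when it retransmits, which is why the offset, and not a frame counter, is the right key for loss detection.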
The space packet consists of a packet main header and a data area; the data area comprises a packet auxiliary header, a security header, a data field and a security trailer. The security trailer is optional, and whether it is added is decided according to need: when the space packet uses only the encryption service the security trailer may be omitted; when the space packet uses the authentication service a security trailer is added, and its length is determined by the selected encryption scheme. The structure is shown in Fig. 4.
The security header of the space packet includes an SPI, an IV, a sequence number and padding. The SPI lets the transmitting end and the receiving end synchronize the algorithm and key in use; if the data is transmitted in the clear, the SPI is filled with all zeros. The IV is the vector the algorithm needs; if no IV needs to be delivered the region is omitted and its length is zero. The sequence number implements the anti-replay function of the space packet: if the space packet uses only the encryption service this region may be omitted and its length is zero; when the space packet uses the authentication service the sequence number is added, and the receiving end uses it to judge whether a space packet is a replay. The padding field is chosen according to actual need, and its length is zero if no padding is required.
The space packet forms the data area of the QUIC protocol. From the offset, the receiving end can determine precisely whether any space packet has been lost and ask the transmitting end to retransmit; when the transmitting end retransmits, a sequence number is attached so that replayed data packets can be identified. The process is shown in Fig. 5.
The header of the QUIC packet contains the QUIC packet number, and the space packet sequence number is placed in the security header of the space packet. Both the QUIC packet number and the space packet sequence number increase monotonically, and the offset is unique within one Stream transmission, so when a retransmission is requested the transmitting end can find exactly the packet that needs to be retransmitted, pack it and send it again. The sequence number of a space packet keeps increasing during retransmission; sequence numbers are never reused. Because the sequence number attached for anti-replay always increases, a retransmitted data packet carries a fresh sequence number and is not rejected as a replay.
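The interaction between the space packet security header, the anti-replay check and retransmission, as an added example that is not code from the patent or its assignee. It covers the header layout in claim 5 and the paragraphs above: with SPI 0 the IV, sequence number and trailer are all zero-length (clear transmission); with a non-zero SPI the header carries an IV and a sequence number, the trailer is an authentication tag, and the receiver keeps a sliding anti-replay window. The transmitter never reuses a sequence number, so a retransmission of the same content is accepted while a replay of an already-accepted packet is rejected. The SPI-to-key table, IV and tag lengths, the 64-entry window, and the use of HMAC-SHA256 as the authentication scheme are assumptions of this example; encryption of the data field is left out.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameters for this example; none of them come from the patent.
APP_KEYS = {1: b"constructed-app-key-spi-1"}   # SPI -> key; SPI 0 means clear transmission
IV_LEN = 12                                     # IV carried when a security service is used
TAG_LEN = 16                                    # security trailer length for the assumed scheme
WINDOW = 64                                     # anti-replay window width at the receiver
SPI_CLEAR = 0


def build_secure_packet(spi: int, seq: int, data: bytes) -> bytes:
    """Space packet data area: security header (SPI | IV | sequence number) + data + security trailer.
    With SPI 0 the IV, sequence number and trailer are all zero-length, as the page describes for
    clear transmission. Encryption is out of scope here; the trailer is an HMAC-SHA256 tag."""
    if spi == SPI_CLEAR:
        return struct.pack(">H", spi) + data
    header = struct.pack(">H", spi) + os.urandom(IV_LEN) + struct.pack(">I", seq)
    body = header + data
    tag = hmac.new(APP_KEYS[spi], body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class SecureSender:
    """Transmitter: every packet, including a retransmission of earlier content, gets a fresh
    sequence number; numbers are never reused."""

    def __init__(self, spi: int):
        self.spi, self.next_seq = spi, 0

    def send(self, data: bytes) -> bytes:
        pkt = build_secure_packet(self.spi, self.next_seq, data)
        self.next_seq += 1
        return pkt


class ReplayGuard:
    """Sliding-window anti-replay check: each sequence number is accepted at most once,
    out-of-order delivery inside the window is tolerated, older numbers are dropped."""

    def __init__(self, window: int = WINDOW):
        self.window, self.highest, self.bitmap = window, -1, 0

    def accept(self, seq: int) -> bool:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window or (self.bitmap >> diff) & 1:
            return False          # too old, or already accepted once: a replay
        self.bitmap |= 1 << diff
        return True


def verify_packet(pkt: bytes, guard: ReplayGuard):
    """Receiver: returns (seq, data) for an accepted packet (seq is None for clear packets);
    raises ValueError for an unknown SPI, a bad tag or a replay."""
    spi = struct.unpack(">H", pkt[:2])[0]
    if spi == SPI_CLEAR:
        return None, pkt[2:]
    key = APP_KEYS.get(spi)
    if key is None:
        raise ValueError("unknown SPI")
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):      # verify before trusting the sequence number
        raise ValueError("authentication failed")
    seq = struct.unpack(">I", body[2 + IV_LEN:6 + IV_LEN])[0]
    if not guard.accept(seq):
        raise ValueError("replayed packet rejected")
    return seq, body[6 + IV_LEN:]
```

The order of checks in `verify_packet` matters: the tag is verified before the sequence number is read, so a forged or altered sequence number cannot move the window, and the window is updated only after a packet has been authenticated.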
In summary, the above embodiments are only preferred embodiments of the present invention, and are not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (5)

1. A space network data safety transmission method, characterized by comprising the following steps:
The AOS protocol is adopted at the link layer of the space network, the IPoC protocol at the network layer, the UDP protocol at the transport layer, and a combination of the QUIC protocol and the space packet protocol at the application layer;
When a data frame is transmitted between space network satellites, the transmitting end encapsulates it by nesting the protocols of each layer: at the link layer the data frame is encapsulated according to the structure of a synchronization header, a master header, an insertion domain, a security header, a data domain, a security trailer, an operation control domain and an error control domain, where the security header is used for encryption or authentication and the security trailer is used for authentication; at the application layer the data frame is encapsulated as a sequence of Stream data frames, each consisting of a Stream header and a space packet and containing an offset that gives the position of the current frame within the whole data;
After receiving the data frames, the receiving end checks the offsets of the Stream data frames; if the offsets are discontinuous, the lost Stream frame is located from the offset and the transmitting end is asked to retransmit it.
2. The method for securely transmitting space network data according to claim 1, wherein encapsulating the data frame at the link layer according to the structure of a synchronization header, a master header, an insertion domain, a security header, a data domain, a security trailer, an operation control domain and an error control domain comprises: the synchronization header consists of fixed bytes and identifies the beginning of a transmission data frame; the master header is 6 or 8 bytes long and identifies the spacecraft and the virtual channel, being 8 bytes when the frame header is checked and 6 bytes otherwise; the insertion domain is set according to the model; the data field stores the communication data; a security trailer is configured for data frames that use the authentication service, and the position of the security trailer is reserved in the other frames that use the same transmission protocol; the operation control domain and the error control domain are provided as required.
3. The method according to claim 1, wherein the frame type field of the Stream data frame is 1 byte long, its most significant bit is set to 1, and the definition of the other bits complies with the standard format constraints of Stream frames.
4. The method for securely transmitting space network data according to claim 1, wherein the space packet consists of a packet main header and a data area, the data area comprises a packet auxiliary header, a security header, a data field and a security trailer, the security trailer is omitted when the space packet uses only the encryption service, the security trailer is added when the space packet uses the authentication service, and the length of the security trailer is determined by the selected encryption scheme.
5. The method for securely transmitting space network data according to claim 4, wherein the security header comprises an SPI, an IV, a sequence number and padding; the SPI identifies the algorithm and key synchronized between the transmitting end and the receiving end, and is 0 when the data is transmitted in the clear; the IV is the vector the algorithm needs and is optional; the sequence number implements the anti-replay function of the space packet: its length is zero when the space packet uses only the encryption service, it is added when the space packet uses the authentication service, and the receiving end uses it to judge whether a space packet is a replay; the padding fields are set as needed.

Family

Priority application CN202311658389.4A, priority date 2023-12-05, filing date 2023-12-05; published as CN117914519A on 2024-04-19, legal status Pending. Family ID 90682820. Country status: CN (1) CN117914519A (en).

Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination