CN117917874A - Communication method and device - Google Patents


Info

Publication number: CN117917874A
Authority: CN (China)
Prior art keywords: network element, address, message, target, connection
Legal status: Pending
Application number: CN202211294379.2A
Other languages: Chinese (zh)
Inventors: 贺奇, 陈小兰
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN202211294379.2A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application provide a communication method and apparatus. The method comprises the following steps: a first network element sends a multicast message; the first network element receives a response message from at least one proxy network element; the first network element selects a target proxy network element from the at least one proxy network element according to the response messages; the first network element establishes an Internet Protocol Security (IPSec) tunnel between itself and the target proxy network element; and the first network element establishes an operation and maintenance channel (OMCH) with the network management device through the IPSec tunnel. In this way, the first network element can establish the IPSec tunnel while remaining a zero-touch network element, and secure OMCH self-establishment with the network management device is achieved over that tunnel.

Description

Communication method and device
Technical Field
The present application relates to the field of terminals, and in particular, to a communication method and apparatus.
Background
An operation and maintenance channel (OMCH) is a management channel between a network element and a network management device. OMCH self-establishment is the process by which a network element, after hardware installation and power-on and with no transmission configuration, obtains configuration information such as an address and a network management configuration file over the network and automatically establishes an OMCH with the network management device. OMCH self-establishment can be implemented using plug-and-play (PnP) technology.
OMCH self-establishment is further divided into insecure OMCH self-establishment and secure OMCH self-establishment. A secure OMCH is an OMCH protected by an Internet Protocol Security (IPSec) tunnel, so the IPSec tunnel must be established before the OMCH is.
During network element deployment, an IPSec tunnel therefore needs to be established between the network element and the security gateway, so that key parameters can be exchanged between the network element and the network management device through the IPSec tunnel and OMCH self-establishment between the two can be completed.
However, establishing an IPSec tunnel requires the network element and the security gateway to obtain the relevant parameters for establishing it. How to obtain the parameters required for establishing an IPSec tunnel while the network element remains zero-touch, so that secure OMCH self-establishment can be realized, is therefore a problem to be solved in the art.
Disclosure of Invention
Embodiments of this application provide a communication method and a communication apparatus for obtaining the parameters of an IPSec tunnel while the network element remains zero-touch, so that secure OMCH self-establishment can be realized.
In a first aspect, an embodiment of this application provides a communication method. The method specifically comprises the following steps: a first network element sends a multicast message; the first network element receives a response message from at least one proxy network element; the first network element selects a target proxy network element from the at least one proxy network element according to the response messages; the first network element establishes an Internet Protocol Security (IPSec) tunnel between itself and the target proxy network element; and the first network element establishes an operation and maintenance channel (OMCH) with the network management device through the IPSec tunnel.
With this method, the first network element can transmit data through the IPSec tunnel without directly reaching the gateway device, thereby establishing an OMCH between the first network element and the network management device and realizing secure OMCH self-establishment.
In one possible design, before the first network element sends the multicast message, the method further includes: the first network element obtains an Internet Protocol (IP) address of the first network element from the router. The source address of the multicast message is the IP address of the first network element, and the destination address is a multicast address; the source address of the response message of a first proxy network element is the IP address of the first proxy network element, and the destination address is the IP address of the first network element, where the first proxy network element is any one of the at least one proxy network element.
In this way, the first network element and the first proxy network element can exchange data using the IP addresses carried in the multicast message and the response message respectively.
In one possible design, the multicast message includes a time-to-live (TTL) field whose value is n, where n is a positive integer; the value n of the TTL field indicates that the multicast message is forwarded for at most n hops; the at least one proxy network element is a network element reached within those n hops.
Therefore, the number of hops of the multicast message is constrained through the TTL field, so that the lifetime of the multicast message in the routers is bounded and signaling overhead is saved.
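As an added illustration, not part of the patent and not Huawei code, the following Python simulates the discovery step of the first aspect in-process: a multicast probe whose TTL bounds how many hops it travels, responses from the proxies it reaches, and selection of a target. The group address, the hop and load metrics carried in the response, the transaction identifier used to discard unsolicited responses, and the ranking rule are all assumptions; the patent states only that the target is chosen according to the response messages.

```python
"""TTL-bounded multicast discovery and target-proxy selection, simulated in-process.
Added example: not code from the patent or from Huawei. The topology is a list of
candidate proxies at known hop distances; group address, metrics and the transaction
identifier are assumptions."""
from dataclasses import dataclass, field
import secrets

MULTICAST_GROUP = "239.255.0.1"   # assumed multicast address


@dataclass
class Message:
    src: str
    dst: str
    kind: str
    ttl: int
    payload: dict = field(default_factory=dict)


@dataclass
class Proxy:
    ip: str
    hops: int    # links between the NE and this proxy: 1 = on the NE's own link
    load: int    # assumed load metric the proxy reports in its response


def send_multicast(ne_ip, ttl):
    """Discovery message: source = NE address, destination = group, TTL = n."""
    if ttl < 1:
        raise ValueError("TTL must be a positive integer")
    # A random transaction id ties responses to this probe (assumption, not in the patent).
    return Message(ne_ip, MULTICAST_GROUP, "DISCOVER", ttl, {"txn": secrets.token_hex(8)})


def deliver(probe, proxies):
    """Simulate forwarding. Each router decrements TTL and drops the packet at zero,
    so a proxy `hops` links away sees the probe only if hops <= TTL."""
    responses = []
    for p in proxies:
        if p.hops > probe.ttl:
            continue  # TTL expired at an intermediate router; this proxy never sees the probe
        responses.append(Message(p.ip, probe.src, "RESPONSE", 64,
                                 {"txn": probe.payload["txn"], "hops": p.hops, "load": p.load}))
    return responses


def select_target(probe, responses):
    """Choose the target proxy. Responses addressed elsewhere or carrying another
    transaction id are unsolicited and dropped. Ranking by (hops, load) is an assumption."""
    valid = [r for r in responses
             if r.dst == probe.src and r.payload.get("txn") == probe.payload["txn"]]
    if not valid:
        return None
    best = min(valid, key=lambda r: (r.payload["hops"], r.payload["load"]))
    return best.src


def discover(ne_ip, proxies, ttl):
    """Full step: multicast, collect responses, select. Returns (target, responders)."""
    probe = send_multicast(ne_ip, ttl)
    responses = deliver(probe, proxies)
    return select_target(probe, responses), [r.src for r in responses]


if __name__ == "__main__":
    # Constructed topology: one proxy on the local link, one two hops out, one far away.
    topology = [Proxy("10.0.1.5", hops=1, load=80),
                Proxy("10.0.2.7", hops=2, load=10),
                Proxy("10.0.9.9", hops=5, load=0)]
    print(discover("10.0.1.20", topology, ttl=2))
```

The transaction check only discards responses that do not belong to this probe; it is not authentication. Any host that sees the multicast can answer, so a zero-touch network element must not rely on the selected proxy for anything security-relevant until the certificate obtained through it in the later IPSec step has been verified against a pre-provisioned trust anchor.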
In one possible design, after selecting the target proxy network element from the at least one proxy network element, the method further comprises: the first network element sends a confirmation message to the target proxy network element, where the confirmation message is used to inform the target proxy network element that it is to provide proxy services for the first network element, and the confirmation message comprises the IP address of the certificate authority (CA).
In this way, the target proxy network element is able to determine the proxy relationship with the first network element, thereby enabling secure OMCH self-establishment.
In one possible design, the first network element establishing an IPSec tunnel with the target proxy network element includes: the first network element sends a first certificate application message to the target proxy network element, where the first certificate application message is used for applying to the CA for a certificate; the first network element receives a first certificate response message from the target proxy network element, where the first certificate response message comprises the certificate; the first network element sends a first certificate confirmation message to the target proxy network element according to the certificate, where the first certificate confirmation message is used for notifying the target proxy network element that the first network element has received the certificate; the first network element receives a first certificate completion message from the target proxy network element, where the first certificate completion message is used for notifying the first network element that the CA has received the certificate confirmation; and the first network element establishes the IPSec tunnel according to a first IPSec configuration parameter determined by the first network element and the target proxy network element.
In this way, the first network element obtains a certificate from the CA through the target proxy network element and can establish the IPSec tunnel with it, thereby enabling secure OMCH self-establishment.
In one possible design, the source address of the first certificate application message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the first certificate response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
In one possible design, before the first network element sends the first certificate application message to the target proxy network element, the method further includes: the first network element sends a first connection request message to the target proxy network element, where the first connection request message is used for requesting to establish a Transmission Control Protocol (TCP) connection with the CA; the first network element receives a first connection response message from the target proxy network element, where the first connection response message is used for confirming receipt of the first connection request message; and the first network element sends a first connection confirmation message to the target proxy network element, where the first connection confirmation message is used for confirming that the TCP connection with the CA is established.
In one possible design, the source address of the first connection request message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the first connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element; the source address of the first connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
In one possible design, establishing the OMCH between the first network element and the network management device through the IPSec tunnel includes: the first network element sends a first OMCH application message to the target proxy network element through the IPSec tunnel, where the first OMCH application message is used for applying to establish the OMCH and comprises the IP address of the first network element and a unique identification code of the first network element; and the first network element establishes the OMCH with the network management device through the IPSec tunnel according to the IP address of the first network element and the unique identification code of the first network element.
In this way, the first network element can transmit data through the IPSec tunnel, so that OMCH between the first network element and the network management device is established, and the establishment of OMCH is safer and more reliable.
In one possible design, after the first network element sends the first OMCH application message to the target proxy network element through the IPSec tunnel, the method further includes: the first network element receives a second connection request message from the target proxy network element through the IPSec tunnel, where the second connection request message is used for requesting to establish a TCP connection between the network management device and the first network element; the first network element sends a second connection response message to the target proxy network element through the IPSec tunnel, where the second connection response message is used for confirming receipt of the second connection request message; and the first network element receives a second connection confirmation message from the target proxy network element through the IPSec tunnel, where the second connection confirmation message is used for confirming that the TCP connection with the network management device is established.
In one possible design, the source address of the second connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element; the source address of the second connection response message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the second connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
In one possible design, after the first network element establishes the OMCH with the network management device through the IPSec tunnel, the method further includes: the first network element sends a first download request message to the network management device through the OMCH via the target proxy network element, where the first download request message is used for requesting to download a configuration file and comprises the version number of the configuration file; and the first network element obtains the configuration file from the network management device or from the target proxy network element.
In this way, the first network element can acquire the configuration file through the OMCH established, so that the security of acquiring the configuration file is improved; in addition, under certain specific conditions, the first network element can acquire the configuration file from the target proxy network element without passing through network management equipment, so that the consumption of transmission resources can be reduced, and the transmission efficiency is improved.
In one possible design, after the first network element sends the first download request message to the target proxy network element through the OMCH, the method further includes: the first network element sends a third connection request message to the target proxy network element through the OMCH, where the third connection request message is used for requesting to establish a TCP connection between the network management device and the first network element; the first network element receives a third connection response message from the target proxy network element through the OMCH, where the third connection response message is used for confirming receipt of the third connection request message; and the first network element sends a third connection confirmation message to the target proxy network element through the OMCH, where the third connection confirmation message is used for confirming that the TCP connection with the network management device is established.
In one possible design, the source address of the third connection request message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the third connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element; the source address of the third connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
In a second aspect, an embodiment of this application provides a communication method. The method specifically comprises the following steps: a target proxy network element receives a multicast message from a first network element; the target proxy network element sends a response message to the first network element; the target proxy network element establishes an Internet Protocol Security (IPSec) tunnel between itself and the first network element; and the target proxy network element establishes an operation and maintenance channel (OMCH) between the first network element and the network management device through the IPSec tunnel.
In one possible design, the source address of the multicast message is an IP address of the first network element, and the destination address is a multicast address; the source address of the response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
In one possible design, the multicast message includes a time-to-live TTL field, where the TTL field has a value of n, and n is a positive integer; the value n of the TTL field is used for indicating n hops of multicast message transmission.
In one possible design, the method further comprises: the target proxy network element receives a confirmation message from the first network element, the confirmation message being for informing the target proxy network element to provide proxy services for the first network element, the confirmation message comprising the IP address of the certificate authority CA.
In one possible design, the target proxy network element establishing an IPSec tunnel with the first network element includes: the target proxy network element receives a first certificate application message from the first network element, where the first certificate application message is used for applying to the CA for a certificate; the target proxy network element sends a second certificate application message to the CA according to the first certificate application message; the target proxy network element receives a second certificate response message from the CA; the target proxy network element sends a first certificate response message to the first network element according to the second certificate response message, where both the second certificate response message and the first certificate response message comprise the certificate; the target proxy network element receives a first certificate confirmation message from the first network element, where the first certificate confirmation message is used for notifying the target proxy network element that the first network element has received the certificate; the target proxy network element sends a second certificate confirmation message to the CA according to the first certificate confirmation message; the target proxy network element receives a second certificate completion message from the CA, where the second certificate completion message is used for notifying the target proxy network element that the CA has received the second certificate confirmation message; the target proxy network element sends a first certificate completion message to the first network element according to the second certificate completion message, where the first certificate completion message is used for informing the first network element that the CA has received the certificate confirmation; and the target proxy network element establishes the IPSec tunnel according to a first IPSec configuration parameter determined by the first network element and the target proxy network element.
In one possible design, the source address of the first certificate application message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the second certificate application message is the IP address of the target proxy network element, and the target address is the IP address of the CA; the source address of the second certificate response message is the IP address of the CA, and the destination address is the IP address of the target proxy network element; the source address of the first certificate response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
In one possible design, before the target proxy network element receives the first certificate application message from the first network element, the method further includes: the target proxy network element receives a first connection request message from the first network element, where the first connection request message is used for requesting to establish a TCP connection between the first network element and the CA; the target proxy network element sends a fourth connection request message to the CA according to the first connection request message; the target proxy network element receives a fourth connection response message from the CA; the target proxy network element sends a first connection response message to the first network element according to the fourth connection response message, where the first connection response message is used for confirming receipt of the first connection request message; the target proxy network element receives a first connection confirmation message from the first network element, where the first connection confirmation message is used for confirming that the first network element has established the TCP connection with the CA; and the target proxy network element sends a fourth connection confirmation message to the CA according to the first connection confirmation message, where the fourth connection confirmation message is used for confirming to the CA that the first network element has established the TCP connection with the CA.
In one possible design, the source address of the first connection request message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the fourth connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the CA; the source address of the fourth connection response message is the IP address of the CA, and the destination address is the IP address of the target proxy network element; the source address of the first connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element; the source address of the first connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the fourth connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the CA.
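The certificate exchange of the first and second aspects (the first connection and certificate messages on the network-element side, the fourth connection and second certificate messages on the CA side), as an added example that is not the patent's or Huawei's code. The target proxy is modelled as a relay that rewrites the source and destination addresses exactly as the designs above list them and otherwise forwards payloads unchanged. The CA signs with a toy textbook-RSA key built from two Mersenne primes, without padding, so that the first network element can verify the certificate it receives against a pre-provisioned trust anchor; that verification, the key, the addresses and the IPSec parameter values are assumptions, and the toy key is not secure.

```python
"""Certificate enrollment through the target proxy, then IPSec parameters agreed.
Added example: not code from the patent or from Huawei. The toy RSA key (no padding,
small modulus) exists only so the trust-anchor check is real; it is not secure."""
import hashlib
from dataclasses import dataclass, field

NE_IP, PROXY_IP, CA_IP = "10.0.1.20", "10.0.1.5", "192.0.2.10"   # assumed addresses

# Toy CA key: two Mersenne primes, public exponent 65537 (coprime with phi).
_P, _Q, CA_E = 2**31 - 1, 2**61 - 1, 65537
CA_N = _P * _Q
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))   # private exponent, held by the CA only
TRUST_ANCHOR = (CA_E, CA_N)                    # assumed pre-provisioned in the NE at manufacture


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_sign(data):
    return pow(_h(data, CA_N), _CA_D, CA_N)


def verify(data, sig, anchor):
    e, n = anchor
    return pow(sig, e, n) == _h(data, n)


def to_be_signed(cert):
    return f"{cert['subject']}|{cert['pubkey']}".encode()


@dataclass
class Message:
    src: str
    dst: str
    kind: str
    payload: dict = field(default_factory=dict)


class CA:
    """Accepts the relayed TCP handshake, issues a certificate, acknowledges the confirmation."""
    def __init__(self):
        self.seen = []

    def handle(self, msg):
        self.seen.append(msg)
        if msg.kind == "connect_request":         # fourth connection request
            return Message(CA_IP, msg.src, "connect_response")
        if msg.kind == "connect_confirm":          # fourth connection confirmation
            return None
        if msg.kind == "cert_application":         # second certificate application
            cert = {"subject": msg.payload["subject"], "pubkey": msg.payload["pubkey"],
                    "issuer": "toy-ca"}
            cert["sig"] = ca_sign(to_be_signed(cert))
            return Message(CA_IP, msg.src, "cert_response", {"cert": cert})
        if msg.kind == "cert_confirm":             # second certificate confirmation
            return Message(CA_IP, msg.src, "cert_complete")
        raise ValueError(msg.kind)


class Proxy:
    """Relay. NE side: NE_IP <-> PROXY_IP; CA side: PROXY_IP <-> CA_IP. Payloads untouched."""
    def __init__(self, ca):
        self.ca, self.outbound = ca, []

    def relay(self, msg):
        if (msg.src, msg.dst) != (NE_IP, PROXY_IP):
            raise ValueError("not from the served network element")
        fwd = Message(PROXY_IP, CA_IP, msg.kind, msg.payload)          # second/fourth message
        self.outbound.append(fwd)
        reply = self.ca.handle(fwd)
        if reply is None:
            return None
        return Message(PROXY_IP, NE_IP, reply.kind, reply.payload)   # first message back to NE


def enroll(proxy, ne_pubkey="ne-pub-0001", anchor=TRUST_ANCHOR):
    """First network element: TCP connect to the CA via the proxy, apply for a certificate,
    verify it against the trust anchor, then settle the first IPSec configuration."""
    resp = proxy.relay(Message(NE_IP, PROXY_IP, "connect_request"))      # first connection request
    if resp is None or resp.kind != "connect_response":
        raise ValueError("TCP connection to CA not confirmed")
    proxy.relay(Message(NE_IP, PROXY_IP, "connect_confirm"))              # first connection confirmation
    resp = proxy.relay(Message(NE_IP, PROXY_IP, "cert_application",       # first certificate application
                               {"subject": "ESN-0001", "pubkey": ne_pubkey}))
    cert = resp.payload["cert"]
    # The proxy is untrusted: accept only a certificate over our own key that the real CA signed.
    if cert["pubkey"] != ne_pubkey or not verify(to_be_signed(cert), cert["sig"], anchor):
        raise ValueError("certificate does not verify against the trust anchor")
    done = proxy.relay(Message(NE_IP, PROXY_IP, "cert_confirm"))          # first certificate confirmation
    if done.kind != "cert_complete":
        raise ValueError("CA did not acknowledge the certificate confirmation")
    # First IPSec configuration parameters agreed with the target proxy (values assumed).
    return {"cert": cert, "ipsec": {"peer": PROXY_IP, "auth": "cert", "ike": "IKEv2"}}


if __name__ == "__main__":
    print(enroll(Proxy(CA()))["ipsec"])
```

Two properties worth noticing: the CA only ever sees the proxy's address as the source, which is what the address lists above specify, and a proxy that substitutes its own public key into the relayed certificate is caught because the signature was computed over the original subject and key. What this example does not cover is how the CA authenticates the enrolling network element; a deployment needs a pre-installed device credential for that, and the patent does not describe it.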
In one possible design, the target proxy network element establishing the OMCH between the first network element and the network management device through the IPSec tunnel includes: the target proxy network element receives a first OMCH application message from the first network element through the IPSec tunnel, where the first OMCH application message is used for applying to establish the OMCH and comprises the IP address of the first network element and a unique identification code of the first network element; and the target proxy network element establishes the OMCH between the first network element and the network management device through the IPSec tunnel according to the IP address of the first network element and the unique identification code of the first network element.
In one possible design, after the target proxy network element receives the first OMCH application message from the first network element through the IPSec tunnel, the method further includes: the target proxy network element receives a fifth connection request message from the network management device, where the fifth connection request message is used for requesting to establish a TCP connection between the network management device and the first network element; the target proxy network element sends a second connection request message to the first network element through the IPSec tunnel, where the second connection request message is used for requesting to establish the TCP connection between the network management device and the first network element; the target proxy network element receives a second connection response message from the first network element through the IPSec tunnel, where the second connection response message is used for confirming receipt of the second connection request message; the target proxy network element sends a fifth connection response message to the network management device according to the second connection response message; the target proxy network element receives a fifth connection confirmation message from the network management device; and the target proxy network element sends a second connection confirmation message to the first network element through the IPSec tunnel according to the fifth connection confirmation message, where the second connection confirmation message is used for confirming that the first network element and the network management device have established the TCP connection.
In one possible design, the source address of the fifth connection request message is the IP address of the network management device, and the destination address is the IP address of the target proxy network element; the source address of the second connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element; the source address of the second connection response message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element; the source address of the fifth connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the network management equipment; the source address of the fifth connection confirmation message is the IP address of the network management equipment, and the destination address is the IP address of the target proxy network element; the source address of the second connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
In one possible design, after the target proxy network element establishes the OMCH between the first network element and the network management device through the IPSec tunnel, the method further includes: the target proxy network element receives a first download request message from the first network element through the OMCH, where the first download request message is used for requesting to download a configuration file and comprises the version number of the configuration file; when the version number of the configuration file is the same as the version number of the local configuration file of the target proxy network element, the target proxy network element sends the local configuration file to the first network element; when the version number of the configuration file differs from the version number of the local configuration file of the target proxy network element, the target proxy network element sends a second download request message to the network management device according to the first download request message, receives the configuration file from the network management device, and sends the configuration file to the first network element.
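OMCH application, the TCP connection that the network management device opens towards the first network element (the fifth and second connection messages above), and the configuration download with the proxy's version-matched local copy, as an added example that is not the patent's or Huawei's code. The IPSec tunnel is modelled as a channel that records what crosses it, and addresses are assumed. The keyed integrity tag that the network management device attaches to each configuration file and that the first network element checks before accepting a copy served by the proxy is an addition: the patent says only that the proxy serves its local copy when the version numbers match, and a matching version number alone does not prove that the cached copy is unmodified.

```python
"""OMCH establishment over the IPSec tunnel and configuration download via the proxy.
Added example: not code from the patent or from Huawei. Addresses, the shared key and
the keyed integrity tag on configuration files are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field

NE_IP, PROXY_IP, NMS_IP = "10.0.1.20", "10.0.1.5", "192.0.2.20"   # assumed addresses


@dataclass
class Message:
    src: str
    dst: str
    kind: str
    payload: dict = field(default_factory=dict)


def config_tag(key, version, data):
    """Keyed tag over (version, data). The key is assumed to be provisioned to the NE and the
    NMS out of band; the proxy never holds it, so it cannot forge a cached file."""
    return hmac.new(key, version.encode() + b"\0" + data, hashlib.sha256).hexdigest()


class NMS:
    """Network management device: registers the NE by (IP, unique id), serves config files."""
    def __init__(self, configs, key):
        self.configs, self.key = configs, key          # configs: version -> bytes
        self.registered, self.downloads = {}, 0

    def handle(self, msg):
        if msg.kind == "omch_application":
            self.registered[msg.payload["esn"]] = msg.payload["ne_ip"]
            # NMS opens the OMCH TCP connection towards the NE: fifth connection request.
            return Message(NMS_IP, msg.src, "connect_request", {"ne_ip": msg.payload["ne_ip"]})
        if msg.kind == "connect_response":             # fifth connection response
            return Message(NMS_IP, msg.src, "connect_confirm")   # fifth connection confirmation
        if msg.kind == "download_request":             # second download request
            self.downloads += 1
            v = msg.payload["version"]
            data = self.configs[v]
            return Message(NMS_IP, msg.src, "config",
                           {"version": v, "data": data, "tag": config_tag(self.key, v, data)})
        raise ValueError(msg.kind)


class Proxy:
    """Target proxy: relays between the tunnel (NE side) and the NMS, caching config files."""
    def __init__(self, nms):
        self.nms, self.tunnel, self.cache = nms, [], {}   # cache: version -> (data, tag)

    def _to_nms(self, msg):
        reply = self.nms.handle(Message(PROXY_IP, NMS_IP, msg.kind, msg.payload))
        return Message(PROXY_IP, NE_IP, reply.kind, dict(reply.payload))

    def handle(self, msg):
        """Everything from the NE arrives through the IPSec tunnel."""
        if (msg.src, msg.dst) != (NE_IP, PROXY_IP):
            raise ValueError("not from the served network element")
        self.tunnel.append(msg)
        if msg.kind != "download_request":
            return self._to_nms(msg)
        v = msg.payload["version"]
        if v in self.cache:                               # version matches local copy: serve it
            data, tag = self.cache[v]
            return Message(PROXY_IP, NE_IP, "config",
                           {"version": v, "data": data, "tag": tag, "from": "proxy"})
        reply = self._to_nms(msg)                         # otherwise fetch from the NMS and cache
        self.cache[v] = (reply.payload["data"], reply.payload["tag"])
        reply.payload["from"] = "nms"
        return reply


def bring_up_omch(proxy, esn="ESN-0001"):
    """NE side: first OMCH application, then answer the NMS-initiated TCP handshake."""
    req = proxy.handle(Message(NE_IP, PROXY_IP, "omch_application", {"ne_ip": NE_IP, "esn": esn}))
    if req.kind != "connect_request" or req.payload["ne_ip"] != NE_IP:      # second connection request
        return False
    ack = proxy.handle(Message(NE_IP, PROXY_IP, "connect_response"))         # second connection response
    return ack.kind == "connect_confirm"                                      # second connection confirmation


def download_config(proxy, version, key):
    """NE side: first download request over the OMCH; verify the tag whoever served the file."""
    reply = proxy.handle(Message(NE_IP, PROXY_IP, "download_request", {"version": version}))
    if not hmac.compare_digest(config_tag(key, version, reply.payload["data"]), reply.payload["tag"]):
        raise ValueError("configuration file failed integrity check; not applied")
    return reply.payload["from"], reply.payload["data"]


if __name__ == "__main__":
    key = b"constructed-shared-key"
    proxy = Proxy(NMS({"v1": b"cfg-v1"}, key))
    print(bring_up_omch(proxy), download_config(proxy, "v1", key), download_config(proxy, "v1", key))
```

The second request for the same version is answered from the proxy's cache without touching the network management device, which is the transmission saving the design aims at; the tag check is what makes that cache safe to use, since the proxy is the IPSec peer and sees the OMCH traffic in the clear.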
In a third aspect, embodiments of the present application provide a communication apparatus comprising means for performing the steps of the above first to second aspects. Optionally, the communication device includes a communication unit and a processing unit; wherein the communication unit is used for receiving and transmitting data; the processing unit is configured to perform the method provided in any one of the above aspects. The communication device may be applied to a first network element or a target proxy network element, for example.
In a fourth aspect, an embodiment of the present application provides a communication device, including a processor, a memory, and a communication interface; the communication interface is used for receiving and transmitting data; the memory is used for storing program instructions and data; the processor is configured to read the program instructions and data in the memory and implement the method provided in any one of the first aspect to the second aspect. The communication device may be, for example, a first network element or a target proxy network element.
In a fifth aspect, embodiments of the present application provide a communication device comprising at least one processing element and at least one storage element, wherein the at least one storage element is for storing programs and data, and the at least one processing element is for performing the method provided in any one of the above first to second aspects of the present application. The communication device may be, for example, a first network element or a target proxy network element.
In a sixth aspect, an embodiment of the present application further provides a communication system, where the communication system includes a first network element and a target agent network element; wherein the first network element is configured to implement the method provided in the first aspect, and the target proxy network element is configured to implement the method provided in the second aspect.
In a seventh aspect, embodiments of the present application also provide a computer program which, when run on a computer, causes the computer to perform the method provided in any of the above aspects. Alternatively, the computer may be a first network element or a target proxy network element; or the above communication apparatus or communication device.
In an eighth aspect, embodiments of the present application further provide a computer-readable storage medium having a computer program stored therein, which when executed by a computer, causes the computer to perform the method provided in any of the above aspects. Alternatively, the computer may be a first network element or a target proxy network element; or the above communication apparatus or communication device.
In a ninth aspect, an embodiment of the present application further provides a chip, where the chip is configured to read a computer program stored in a memory, and perform the method provided in any one of the above aspects. Optionally, the chip may include a processor and a memory, where the processor is coupled to the memory, and is configured to read a computer program stored in the memory, and implement a method provided in any one of the above aspects.
In a tenth aspect, an embodiment of the present application further provides a chip system, where the chip system includes a processor, and is configured to support a computer device to implement the method provided in any one of the above aspects. In one possible design, the chip system further includes a memory for storing programs and data necessary for the computer device. The chip system may be formed of a chip or may include a chip and other discrete devices.
The technical effects achieved by any one of the second to tenth aspects described above may be described with reference to any one of the possible designs of the first aspect described above, and the description will not be repeated.
Drawings
Fig. 1 is a schematic diagram of a communication system according to an embodiment of the present application;
Fig. 2 is a schematic flow chart of a communication method according to an embodiment of the present application;
Fig. 3 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 4 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 5 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 6 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 7 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 8 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 9 is a schematic flow chart of selecting a target proxy network element in a communication system according to an embodiment of the present application;
Fig. 10 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 11 is a schematic flow chart of establishing an IPSec tunnel by another communication system according to an embodiment of the present application;
Fig. 12 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 13 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 14 is a schematic flow chart of OMCH establishment by another communication system according to an embodiment of the present application;
Fig. 15 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 16 is a flow chart of another communication method according to an embodiment of the present application;
Fig. 17 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 18 is a schematic structural diagram of another communication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantageous effects of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In the following, some terms used in the present application are explained for easy understanding by those skilled in the art.
(1) Network management device: responsible for checking and managing the communication quality and operation of the network, and for recording and collecting various data on the operation of the whole network. It can connect to the devices within the network and monitor and control them. Illustratively, the network management device may be an operation support system (operation support system, OSS), which may include an operation and maintenance center and a network management center.
(2) Network element: an element in a network, or a device in the network, that can independently complete a certain transmission function. A network element is the smallest unit that the network management device can monitor and manage. For example, the network element may be a base station or another device in the network; the present application does not limit this.
(3) Security gateway: the access and access-control device that a user (or network element) passes through before entering the network trust domain of the network management device. It acts as an identity authentication proxy for the user (or network element): it interacts with the certificate authentication service system to complete identity authentication of the user (or network element), checks the trusted network access rights of the user (or network element) according to the authentication result, and so completes the authentication control of network access.
In a communication system with a security gateway, the communication area between the network management device and the security gateway is regarded as the trust domain of the network and has high security; the area outside the security gateway is regarded as the untrusted domain of the network and has lower security.
(4) IPSec tunnel: a tunnel for transmitting data, realized through the security and confidentiality framework of the IPSec protocol suite, so that network security can be ensured.
(5) Dynamic host configuration protocol (dynamic host configuration protocol, DHCP): a network protocol for local area networks. The DHCP principle is that a server controls a range of internet protocol (internet protocol, IP) addresses, and a client that logs on to the server can automatically obtain the IP address and subnet mask assigned by the server.
(6) Multicast (multicast): originally, the sending of information in "best effort" form in an IP network to a target group, which is called a multicast group. When the source host needs to send information to multiple target hosts, it sends the data only once, with a multicast group address as the destination address. All members belonging to the group then receive a copy of the data sent by the source host; in multicast mode only the members that actually need the information receive and process it, and other hosts simply ignore it.
(7) Protocol independent multicast (protocol independent multicast, PIM): a protocol for multicast forwarding. The PIM principle is that, instead of maintaining a separate multicast routing table for multicast forwarding, the reverse path forwarding (RPF) check is performed using the unicast routing table established by whatever unicast routing protocol is in use, without relying on a specific unicast routing protocol.
(8) Time to live (TTL): a field contained in the message that specifies the maximum number of network segments (router hops) the message may pass through before being discarded by a router; it limits how long the message can survive in the computer network.
(9) Unicast (unicast): a separate data channel must be established between the client and the media server, and each message sent by the server can be transmitted to only one client; this transmission mode is called unicast. A unicast procedure is the process of transmitting data from a source device to a destination device in a network; the destination address of a unicast is the address of a single destination device.
(10) Certificate authority (certification authority, CA): the issuing authority for certificates and the core of the public key infrastructure (public key infrastructure, PKI). The CA is the authority responsible for issuing certificates, authenticating certificates and managing issued certificates. It may be implemented as a certificate server, a certificate issuing platform or the like; the present application does not limit this.
(11) A single-chip multiprocessor (chip multiprocessors, CMP) is based on the principle of integrating Symmetric Multiprocessing (SMP) in a massively parallel processor into the same chip, with each processor executing different processes in parallel.
It should be appreciated that in the description of the present application, the words "first", "second" and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance or order.
In conventional station-opening (site commissioning) schemes, near-end station-opening is strongly tied to the deployment location of the equipment, so the labour cost of station-opening becomes very high when the equipment sits in scattered, non-centralized equipment rooms. Station-opening by plug and play (PnP) requires no near-end operation by workers, greatly reduces the cost of station-opening, and is therefore widely applied. OMCH self-establishment can be applied in the technical implementation of PnP start-up.
Non-secure PnP start-up and secure PnP start-up correspond to "non-secure OMCH self-establishment" and "secure OMCH self-establishment" respectively, and secure PnP start-up is therefore more complex than non-secure PnP start-up. The biggest difficulty lies in how, on the premise of "zero contact" with the network element, to first establish an IPSec tunnel between the network element and the security gateway, then exchange transmission key parameters between the network element and the network management device through the IPSec tunnel, and finally establish the OMCH.
In order to acquire the relevant parameters of an IPSec tunnel and establish the tunnel on the premise of zero contact with the network element, so that secure OMCH self-establishment can be realized through the IPSec tunnel, an embodiment of the present application provides a communication method. The method is applicable to a communication system; Fig. 1 is a schematic diagram of a communication system architecture according to an embodiment of the present application. As shown, the communication system 100 includes a plurality of network elements and a network management device. For example, the plurality of network elements may include the first network element and the m proxy network elements shown in Fig. 1.
In order to facilitate the distinction, in the embodiment of the present application, the device that needs to perform the start-up processing is denoted as a first network element, and the network element that can be used as the proxy device of the first network element is denoted as a proxy network element. The routing between the first network element and the proxy network element is reachable, in other words, the first network element can perform data transmission with the proxy network element through the network.
Optionally, the communication system may further include a security gateway, where the security gateway may be used to replace a network management device to perform security authentication on a network element, so as to improve security of data communication.
The communication method provided by the application can establish OMCH between the first network element and the network management equipment through the proxy function of the target proxy network element. Fig. 2 is a flow chart of a communication method according to an embodiment of the present application. The method provided in the application embodiment is described below with reference to fig. 2.
S201: the first network element sends a multicast message; correspondingly, at least one proxy network element receives the multicast message.
Optionally, a message in the embodiment of the present application may include a source IP (src IP) and a destination IP (dst IP).
Optionally, the message in the embodiment of the present application may include a source port (port) number and a destination port number.
The source port number and the destination port number indicate the task class of the message carrying them. The source port number and destination port number carried by the multicast message indicate that the task class of the message is the first network element requesting the proxy function of a proxy network element; the port numbers carried in subsequent messages may be the same or different and likewise indicate the task class of the message carrying them, which will not be described again later.
The source port number carried in the multicast message is a port number of the first network element for sending the multicast message, and the destination port number is a port number of the proxy network element for receiving the multicast message. It should be understood that the source port numbers carried by different messages in the present application may be the same or different; similarly, the destination port numbers carried by different messages may be the same or different, and the application is not limited.
Alternatively, the port number may be custom, which is not limited by the present application. Illustratively, the first network element may customize a source port number in the multicast message; and/or, the first network element may customize the destination port number in the multicast message.
Optionally, when the communication between the first network element and the proxy network element needs to be implemented across routers, the PIM function of the router may be turned on, so as to implement an action of sending the multicast packet through the multicast technology. Illustratively, when communication between the first network element and the proxy network element requires forwarding via at least one router, determining that communication between the first network element and the proxy network element requires implementation across routers.
Optionally, when the first network element and the proxy network element are located in the same switch, the PIM function of the router may not be started, and the action of sending the multicast packet through the multicast technology is directly implemented by the first network element.
In one possible design, the multicast message includes a time-to-live TTL field, where the TTL field has a value of n, and n is a positive integer; the value n of the TTL field is used for indicating n hops of multicast message transmission; at least one proxy network element is a network element reached by n hops of the multicast message transmission.
Optionally, each network element in the communication system may transmit the multicast packet to a second proxy network element according to the value in the TTL field in the multicast packet, where the second proxy network element is a network element that arrives in n hops for transmitting the multicast packet in at least one proxy network element.
By adopting the design, the field can limit the routing range of the multicast message, and avoid the system burden such as network paralysis caused by a large number of redundant messages in the network.
In one possible design, when communication between the first network element and the proxy network element needs to be implemented across routers, the routers may determine the proxy network element that receives the multicast message based on a multicast listener discovery (multicast listener discover, MLD) protocol before the first network element sends the multicast message. Illustratively, the router may obtain an MLD join group (MLD join group) message from at least one proxy network element to determine that the receiving device of the multicast message includes the at least one proxy network element.
Illustratively, the third proxy network element turns on the proxy function; the third proxy network element determines an MLD join group message through the MLD protocol; the third proxy network element sends the MLD join group message to the router, where the MLD join group message is used to determine the third proxy network element as a proxy network element for receiving the multicast message. The third proxy network element is any one of the at least one proxy network element.
Optionally, the router may further determine, based on the MLD protocol, a port number at which the proxy network element receives the multicast packet; correspondingly, the first network element may use the port number acquired by the router as the destination port number of the multicast packet.
By adopting the design, the router can accurately acquire the proxy network element which needs to receive the multicast message, avoid unnecessary signaling transmission and save system resources.
In one possible design, the first network element obtains the IP address of the first network element before the first network element sends the multicast message. The source address of the multicast message is the IP address of the first network element, and the destination address is the multicast address.
Optionally, before the first network element sends the multicast message, the first network element may obtain its IP address from the router. Illustratively, when the internet protocol version used by the first network element is internet protocol version 6 (IPv6), the first network element sends a router solicitation (router solicitation, RS) message to the router, and the router sends a router advertisement (router advertisement, RA) message to the first network element according to the RS message. The RA message carries a routing prefix, which is used to indicate the IP address of the first network element. The value of the type field in the RS message is 133, and the value of the type field in the RA message is 134.
Optionally, before the first network element sends the multicast message, the first network element may acquire its IP address from the DHCP server. Illustratively, when the internet protocol version used by the first network element is internet protocol version 4 (IPv4), the first network element sends a message to the DHCP server to obtain the IP address of the first network element.
By adopting the design, the first network element can acquire the own IP address so as to conveniently send and receive the message.
S202: the first network element receives a response message from at least one proxy network element. Illustratively, the response message of the at least one proxy network element is a unicast message.
In fig. 2, a first proxy network element is described as an example. After receiving the multicast message from the first network element in S201, the first proxy network element sends a response message to the first network element according to the multicast message. Wherein the first proxy network element may be any one of the at least one proxy network element.
Optionally, the source address of the response message of the first proxy network element is the IP address of the first proxy network element, and the destination address is the IP address of the first network element.
Optionally, the response message of the first proxy network element may include a source port number and a destination port number. The source port number and the destination port number carried by the response message are used for indicating that the task class of the message is that the first proxy network element sends a response to the first network element.
Optionally, the response message of the first proxy network element may further include port information, where the port information includes at least one port number, and the at least one port number is used to indicate a task class of the message carrying the port number respectively.
Alternatively, the port number may be custom, which is not limited by the present application. Illustratively, the first proxy network element may customize a plurality of port numbers.
Optionally, the response message of the first proxy network element may further include an address of the CA.
Optionally, the response message of the first proxy network element may further include a first key parameter, where the first key parameter is used to establish an IPSec tunnel between the first network element and the first proxy network element. Illustratively, the first key parameter may include an algorithm for establishing an IPSec tunnel.
Optionally, the response message of the first proxy network element includes a unique identifier of the first proxy network element. For example, the unique identification code may be an electronic serial number (electronic serial number, ESN).
S203: the first network element selects a target proxy network element from the at least one proxy network element according to the response message of the at least one proxy network element.
As shown in fig. 2, the at least one proxy network element may comprise a target proxy network element and other proxy network elements.
Alternatively, the first network element may select a proxy network element as the target proxy network element according to a certain rule, which is exemplified below.
In example 1, the first network element may select, as the target proxy network element, the proxy network element with the smallest value of the unique identifier code in the at least one proxy network element.
In example 2, the first network element may select the proxy network element corresponding to the response message received first as the target proxy network element.
As is evident from the above description, the at least one proxy network element includes a target proxy network element. Accordingly, the operation shown in step S201 includes: the target proxy network element receives the multicast message from the first network element. The operation shown in step S202 includes: the target agent network element sends a response message to the first network element; correspondingly, the first network element receives a response message from the target proxy network element. Optionally, the source address of the response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
Optionally, the plurality of proxy network elements that receive the multicast packet in step S201 may further include other proxy network elements.
In one possible design, after selecting the target proxy network element in the at least one proxy network element, the first network element sends a confirmation message to the target proxy network element; accordingly, the target proxy network element receives an acknowledgement message from the first network element. The acknowledgement message is used to inform the target proxy network element to provide proxy services for the first network element, and the acknowledgement message includes the IP address of the CA.
Optionally, the acknowledgement message may further comprise a first key parameter, which is used to establish an IPSec tunnel between the first network element and the target proxy network element. Illustratively, the first key parameter may include an algorithm for establishing an IPSec tunnel.
Optionally, the acknowledgement message may comprise a unique identification code of the first network element.
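The discovery and selection procedure of S201 to S203, as an added example that is not part of the patent: a constructed Python simulation in which the first network element multicasts a request whose TTL bounds the hop range, only proxy network elements that have enabled the proxy function (modelled as having sent an MLD join for the group) and lie within that range answer with a unicast response carrying their ESN, port information, CA address and first key parameter, and the first network element selects the target by either of the two example rules (smallest ESN, or first response received) before sending the confirmation message. Every address, port, ESN, hop count and algorithm identifier is a constructed sample value.

```python
"""Constructed simulation of proxy discovery (S201-S203); not the patent's code."""
from dataclasses import dataclass

MULTICAST_GROUP = "ff0e::1234"   # constructed multicast group address
PROXY_REQUEST_PORT = 40001       # constructed destination port: "request proxy function"


@dataclass(frozen=True)
class ProxyNE:
    ip: str
    esn: str        # unique identifier (ESN); equal-length digit strings compare numerically
    hops: int       # distance from the first network element in router hops
    joined: bool    # True once the proxy function is on and an MLD join was sent


@dataclass(frozen=True)
class MulticastMsg:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int


@dataclass(frozen=True)
class ResponseMsg:
    src_ip: str
    dst_ip: str
    esn: str
    port_info: dict          # ports the proxy will use for later task classes
    ca_address: str
    first_key_param: dict    # parameters for the later IPSec tunnel


def build_multicast(first_ne_ip: str, ttl: int) -> MulticastMsg:
    """S201: the multicast request; TTL n lets the message reach n hops."""
    if ttl < 1:
        raise ValueError("TTL must be a positive integer")
    return MulticastMsg(first_ne_ip, MULTICAST_GROUP, 40000, PROXY_REQUEST_PORT, ttl)


def deliver(msg: MulticastMsg, proxies: list) -> list:
    """Simplified forwarding model: a proxy at distance h receives the message only
    if h <= TTL and it joined the group. Responses are unicast back to the source
    address and are listed nearest-first (a constructed arrival order)."""
    reached = sorted((p for p in proxies if p.joined and p.hops <= msg.ttl),
                     key=lambda p: p.hops)
    return [ResponseMsg(src_ip=p.ip, dst_ip=msg.src_ip, esn=p.esn,
                        port_info={"tcp_connect": 40100, "cert_apply": 40101},  # constructed
                        ca_address="2001:db8::ca",                              # constructed
                        first_key_param={"ipsec_alg": "<constructed-algorithm-id>"})
            for p in reached]


def select_target(responses: list, rule: str = "smallest_esn"):
    """S203: example 1 picks the smallest ESN, example 2 the first response received."""
    if not responses:
        return None
    if rule == "smallest_esn":
        return min(responses, key=lambda r: r.esn)
    if rule == "first_response":
        return responses[0]
    raise ValueError(f"unknown selection rule: {rule}")


def build_confirmation(first_ne_ip: str, first_ne_esn: str, target: ResponseMsg) -> dict:
    """Confirmation message to the chosen proxy: carries the CA address, the first
    key parameter and the first network element's own unique identifier."""
    return {"src_ip": first_ne_ip, "dst_ip": target.src_ip,
            "dst_port": target.port_info["tcp_connect"],
            "ca_address": target.ca_address,
            "first_key_param": target.first_key_param,
            "esn": first_ne_esn}


def discover(first_ne_ip: str, ttl: int, proxies: list, rule: str = "smallest_esn"):
    """Run S201-S203 end to end; returns the confirmation message, or None if no
    proxy answered (the first network element would then have to retry)."""
    responses = deliver(build_multicast(first_ne_ip, ttl), proxies)
    target = select_target(responses, rule)
    return None if target is None else build_confirmation(first_ne_ip, "<first-ne-esn>", target)


# Constructed topology: proxies at 1, 2 and 3 hops, plus one that never joined the group.
SAMPLE_PROXIES = [
    ProxyNE("2001:db8::a", "2103", 1, True),
    ProxyNE("2001:db8::b", "1001", 2, True),
    ProxyNE("2001:db8::c", "0500", 3, True),
    ProxyNE("2001:db8::d", "0001", 1, False),
]
```

With TTL 2 the smallest-ESN rule picks the proxy at 2 hops while the first-response rule picks the one at 1 hop; raising the TTL to 3 brings the 3-hop proxy into range, and the proxy that never joined the group is ignored regardless of its ESN, which is the point of the TTL and MLD designs above.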
S204: the first network element establishes an IPSec tunnel with the target proxy network element.
Optionally, before the IPSec tunnel between the first network element and the target proxy network element is established, the first network element may establish a TCP connection with the CA through the target proxy network element. That is, before establishing the IPSec tunnel, the first network element may initiate a TCP handshake in order to apply for the operator certificate of the first network element.
Alternatively, the first network element may apply to the CA for an operator certificate through the TCP connection with the CA, where the operator certificate is used to establish the IPSec tunnel between the first network element and the target proxy network element.
Alternatively, the target proxy network element may establish an IPSec tunnel with the network management device.
S205: the first network element and the target agent network element establish OMCH between the first network element and the network management equipment through the IPSec tunnel.
Optionally, after the OMCH between the first network element and the network management device is established, the first network element may obtain a configuration file for communication. In one possible design, the first network element may send a channel stop message to the target proxy network element, where the channel stop message is used to instruct stopping the OMCH communication function between the first network element and the network management device.
Alternatively, the target proxy network element may tear down the OMCH, thereby ending the proxy service provided by the target proxy network element.
Optionally, after the first network element is restarted, the foregoing OMCH communication function ends. It should be appreciated that the configuration file previously acquired by the first network element may still take effect locally.
By adopting this method, the first network element can acquire the key parameters for establishing the IPSec tunnel on the premise of zero contact with the network management device, so that secure OMCH self-establishment can be realized; and because the OMCH is entirely protected by the IPSec tunnel, the communication security of the first network element is improved.
In S204 of the embodiment shown in Fig. 2, the first network element and the target proxy network element may establish the IPSec tunnel by the procedure shown in Fig. 3. The method provided in the embodiment of the present application is described below with reference to Fig. 3.
S301: the first network element sends a first certificate application message to the target proxy network element; correspondingly, the target proxy network element receives a first certificate application message from the first network element. The first certificate application message is used for applying a certificate to the CA.
Optionally, the source address of the first certificate application message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
For example, the type of the first certificate application message may be cmp.ir.
As another example, the first certificate application message may include a field predefined by the first network element, which is used to determine that a TCP connection between the first network element and the CA is established.
Optionally, the first certificate application message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to apply a certificate to the CA. Illustratively, the source port number may be customized by the first network element. Illustratively, the destination port number may be included in the port information of the response message from the target proxy network element.
In one possible design, the TCP connection between the first network element and the CA is established by the method shown in fig. 4 before the first network element sends the first certificate application message to the target proxy network element. The method provided in the application embodiment is described below with reference to fig. 4.
S401: the first network element sends a first connection request message to the target proxy network element; correspondingly, the target proxy network element receives a first connection request message from the first network element. The first connection request message is used for requesting to establish TCP connection with the CA.
Optionally, the source address of the first connection request message is an IP address of the first network element, and the destination address is an IP address of the target proxy network element.
For example, the type of the first connection request message may be synchronize (SYN).
Optionally, the first connection request message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the connection request message to the target proxy network element. Illustratively, the source port number may be customized by the first network element. Illustratively, the destination port number may be included in the port information of the response message from the target proxy network element.
Optionally, after the first network element sends the first certificate application packet to the target proxy network element, the target proxy network element may send a second key parameter to the first network element, where the second key parameter indicates that a TCP connection between the first network element and the CA may be established.
Optionally, the first network element may determine the first connection request packet according to the second key parameter.
S402: and the target proxy network element sends a fourth connection request message to the CA according to the first connection request message.
Optionally, the source address of the fourth connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the CA.
For example, the type of the fourth connection request message may be SYN.
Optionally, the fourth connection request packet may include a source port number and a destination port number, and the task class of the packet carrying the source port number and the destination port number is to send the connection request packet to the CA.
S403: the target proxy network element receives a fourth connection response message from the CA.
Optionally, the source address of the fourth connection response message is the IP address of the CA, and the destination address is the IP address of the target proxy network element.
For example, the fourth connection response message may be a SYN+ACK (synchronize plus acknowledgement) message.
Optionally, the fourth connection response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to receive the connection response message from the CA.
S404: the target proxy network element sends a first connection response message to the first network element according to the fourth connection response message; correspondingly, the first network element receives a first connection response message from the target proxy network element; the first connection response message is used for confirming the reception of the first connection request message.
Optionally, the source address of the first connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
For example, the type of the first connection response message may be SYN+ACK.
Optionally, the first connection response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the first connection response message to the first network element.
S405: the first network element sends a first connection confirmation message to the target proxy network element; correspondingly, the target proxy network element receives a first connection acknowledgement message from the first network element. The first connection confirmation message is used for confirming that TCP connection is established with the CA.
Optionally, the source address of the first connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
For example, the type of the first connection acknowledgement message may be ACK.
Optionally, the first connection confirmation message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the connection confirmation message to the target proxy network element.
S406: the target proxy network element sends a fourth connection confirmation message to the CA according to the first connection confirmation message; the first connection confirmation message is used for confirming that the first network element has established a TCP connection with the CA.
Optionally, the source address of the fourth connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the CA.
For example, the type of the fourth connection acknowledgement message may be ACK.
Optionally, the fourth connection confirmation message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the connection confirmation message to the CA.
By adopting the design, the target proxy network element is used as proxy equipment to finish the replacement of the IP address, thereby realizing TCP three-way handshake between the first network element and the CA.
S302: and the target proxy network element sends a second certificate application message to the CA according to the first certificate application message.
Optionally, the source address of the second certificate application message is the IP address of the target proxy network element, and the destination address is the IP address of the CA.
For example, the type of the second certificate application message may be cmp.ir.
Optionally, the second certificate application packet may include a source port number and a destination port number, and the task class of the packet carrying the source port number and the destination port number is to send the certificate application packet to the CA.
S303: the target proxy network element receives a second certificate response message from the CA; wherein the second certificate response message contains a certificate.
Optionally, the source address of the second certificate response message is the IP address of the CA, and the destination address is the IP address of the target proxy network element.
Optionally, the second certificate response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to receive the second certificate response message from the CA.
For example, the type of the second certificate response message may be cmp.ip.
S304: the target proxy network element sends a first certificate response message to the first network element according to the second certificate response message; correspondingly, the first network element receives a first certificate response message from the target proxy network element. The first certificate response message contains a certificate.
Optionally, the source address of the first certificate response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
For example, the type of the first certificate response message may be cmp.ip.
Optionally, the first certificate response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the first certificate response message to the first network element.
Thus, the first network element can acquire the operator certificate through the TCP proxy function of the target proxy network element, thereby establishing the IPSec tunnel.
S305: the first network element sends a first certificate confirmation message to the target proxy network element according to the certificate, wherein the first certificate confirmation message is used for notifying the target proxy network element that the first network element has received the certificate; correspondingly, the target proxy network element receives a first certificate confirmation message from the first network element.
For example, the type of the first certificate confirm message may be cmp.
Optionally, the first certificate confirmation message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the first certificate confirmation message to the target proxy network element.
S306: and the target proxy network element sends a second certificate confirmation message to the CA according to the first certificate confirmation message.
For example, the type of the second certificate confirm message may be cmp.
Optionally, the second certificate confirmation message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the second certificate confirmation message to the CA.
S307: the target proxy network element receives a second certificate completion message from the CA, and the second certificate completion message is used for notifying the target proxy network element that the CA has received the second certificate completion message.
For example, the type of the second certificate completion message may be cmp.pkiconf.
Optionally, the second certificate completion message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the second certificate completion message to the target proxy network element.
S308: the target proxy network element sends a first certificate completion message to the first network element according to the second certificate completion message, wherein the first certificate completion message is used for informing the first network element that the CA has received the first certificate completion message; correspondingly, the first network element receives a first certificate completion message from the target proxy network element.
For example, the format of the message carrying the first IPSec configuration parameter may be cmp.
Optionally, the first certificate completion message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the first certificate completion message to the first network element.
S309: the target proxy network element and the first network element determine a first IPSec configuration parameter.
Optionally, the first key parameter comprises a first IPSec configuration parameter.
Optionally, the first network element sends a first IPSec configuration parameter to the target proxy network element; accordingly, the target proxy network element receives the first IPSec configuration parameter from the first network element. For example, the first network element may send a packet of the UDP packet type to the target proxy network element, where the packet includes the first IPSec configuration parameter, the source address of the packet is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
Optionally, the target proxy network element sends a first IPSec configuration parameter to the first network element; accordingly, the first network element receives the first IPSec configuration parameter from the target proxy network element.
S310: the first network element and the target agent network element establish an IPSec tunnel according to the first IPSec configuration parameters.
Optionally, the first IPSec configuration parameter comprises an algorithm after negotiation of the first network element and the target proxy network element. That is, the first network element and the target proxy network element can agree on an algorithm for establishing an IPSec tunnel by the first IPSec configuration parameter.
Optionally, before establishing the IPSec tunnel, the first network element and the target proxy network element may mutually perform certificate authentication.
By adopting the method, an IPSec tunnel is established between the first network element and the target agent network element, and the security of data transmission between the first network element and the target agent network element is improved.
In S204 of the embodiment shown in fig. 2, the first network element and the target proxy network element may establish OMCH by the method shown in fig. 5. The method provided in the embodiment of the application is described below with reference to fig. 5.
S501: the first network element sends a first OMCH application message to the target proxy network element through the IPSec tunnel; correspondingly, the target proxy network element receives the first OMCH application message from the first network element through the IPSec tunnel. The first OMCH application packet is used for requesting the establishment of OMCH, and the first OMCH application packet includes the IP address of the first network element and the unique identification code of the first network element.
For example, the first OMCH application packet may be a packet in the user datagram protocol (UDP) packet format.
Optionally, the first OMCH application packet may include a source port number and a destination port number, and the task class of the packet carrying the source port number and the destination port number is to send the first OMCH application packet to the target proxy network element.
Optionally, the first OMCH application packet includes a third key parameter, where the third key parameter is used to request the proxy authority of the target proxy network element.
Optionally, the third key parameter may be included in an option (option) field of the first OMCH application packet.
Optionally, the target proxy network element may send a second OMCH application packet to the network management device according to the first OMCH application packet.
Optionally, the second OMCH application packet may include a source port number and a destination port number, and the task class of the packet carrying the source port number and the destination port number is to send the second OMCH application packet to the target proxy network element.
Optionally, the second OMCH application packet includes a third key parameter, where the third key parameter is used to request the proxy authority of the target proxy network element.
Optionally, the third key parameter may be included in an option field of the second OMCH application packet.
Optionally, the network management device determines the proxy authority of the target proxy network element through secure sockets layer (SSL) authentication according to the third key parameter. That is, through SSL authentication the network management device determines that the target proxy network element only has the authority of a proxy network element, and that the network element actually applying to establish OMCH with the network management device is the first network element, which uses the target proxy network element as its proxy.
In one possible design, after the first network element sends the first OMCH application packet to the target proxy network element through the IPSec tunnel, the network management device establishes a TCP connection with the first network element by the method shown in fig. 6. The method provided in the embodiment of the application is described below with reference to fig. 6.
S601: the target proxy network element receives a fifth connection request message from the network management device through the IPSec tunnel; the fifth connection request message is used for requesting to establish a TCP connection between the network management device and the first network element.
Optionally, the source address of the fifth connection request message is an IP address of the network management device, and the destination address is an IP address of the target proxy network element.
For example, the type of the fifth connection request message may be SYN.
Optionally, the fifth connection request message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to receive the fifth connection request message from the network management device.
S602: the target agent network element sends a second connection request message to the first network element through the IPSec tunnel; correspondingly, the first network element receives a second connection request message from the target proxy network element through the IPSec tunnel; the second connection request message is used for requesting to establish a TCP connection between the network management equipment and the first network element.
Optionally, the source address of the second connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
For example, the type of the second connection request message may be SYN.
Optionally, the second connection request packet may include a source port number and a destination port number, and the task class of the packet carrying the source port number and the destination port number is to send the second connection request packet to the first network element.
S603: the first network element sends a second connection response message to the target agent network element through the IPSec tunnel; correspondingly, the target agent network element receives the second connection response message from the first network element through the IPSec tunnel. The second connection response message is used for confirming the receiving of the second connection request message.
Optionally, the source address of the second connection response message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
For example, the type of the second connection response message may be SYN+ACK.
Optionally, the second connection response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the second connection response message to the target proxy network element.
S604: and the target proxy network element sends a fifth connection response message to the network management equipment according to the second connection response message through the IPSec tunnel.
Optionally, the source address of the fifth connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the network management device.
For example, the type of the fifth connection response message may be SYN+ACK.
Optionally, the fifth connection response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the fifth connection response message to the network management device.
S605: the target agent network element receives the fifth connection confirmation message from the network management equipment through the IPSec tunnel.
Optionally, the source address of the fifth connection confirmation message is an IP address of the network management device, and the destination address is an IP address of the target proxy network element.
For example, the type of the fifth connection acknowledgement message may be ACK.
Optionally, the fifth connection acknowledgement message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to receive the fifth connection acknowledgement message from the network management device.
S606: the target agent network element sends a second connection confirmation message to the first network element according to the fifth connection confirmation message through the IPSec tunnel; correspondingly, the first network element receives a second connection confirmation message from the target proxy network element through the IPSec tunnel; the second connection confirmation message is used for confirming that the first network element and the network management equipment establish TCP connection.
Optionally, the source address of the second connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
For example, the type of the second connection acknowledgement message may be an ACK.
Optionally, the second connection confirmation message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the second connection confirmation message to the first network element.
By adopting the design, the target proxy network element is used as proxy equipment to finish the replacement of the IP address, thereby realizing TCP three-way handshake between the network management equipment and the first network element.
S502: and the first network element and the target agent network element establish OMCH between the first network element and the network management equipment through the IPSec tunnel according to the IP address of the first network element and the unique identification code of the first network element.
For example, the first network element establishes OMCH with the network management device according to the IP address of the first network element and the unique identification code of the first network element.
By adopting the method, the first network element and the network management equipment realize safe OMCH self-establishment, so that the first network element can download the configuration file in a safe environment, and the communication safety of the first network element is improved.
In S204 of the embodiment shown in fig. 2, the first network element and the target proxy network element may obtain the configuration file by the method shown in fig. 7. The method provided in the embodiment of the application is described below with reference to fig. 7.
S701: the first network element sends a first download request message to the network management device through the target proxy network element over OMCH; correspondingly, the target proxy network element receives the first download request message from the first network element through OMCH. The first download request message is used for requesting to download the configuration file, and the first download request message includes the version number of the configuration file.
Optionally, the first download request message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the first download request message to the network management device.
In one possible design, after the first network element sends the download request message to the target proxy network element through OMCH, a TCP connection is established between the first network element and the network management device through the method shown in fig. 8. The method provided in the application embodiment is described below with reference to fig. 8.
S801: the first network element sends a third connection request message to the target agent network element in OMCH; correspondingly, the target proxy network element receives a third connection request message from the first network element through OMCH. The third connection request message is used for requesting to establish TCP connection between the network management equipment and the first network element.
Optionally, the source address of the third connection request message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
For example, the type of the third connection request message may be SYN.
Optionally, the third connection request message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the third connection request message to the target proxy network element.
S802: and the target proxy network element sends a sixth connection request message to the network management equipment according to the third connection request message through OMCH.
Optionally, the source address of the sixth connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the network management device.
For example, the type of the sixth connection request message may be SYN.
Optionally, the sixth connection request message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the sixth connection request message to the network management device.
S803: the target proxy network element receives a sixth connection response message from the network management device through OMCH.
Optionally, the source address of the sixth connection response message is the IP address of the network management device, and the destination address is the IP address of the target proxy network element.
For example, the type of the sixth connection response message may be SYN+ACK.
Optionally, the sixth connection response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to receive the sixth connection response message from the network management device.
S804: the target agent network element sends a third connection response message to the first network element according to the sixth connection response message through OMCH; correspondingly, the first network element receives a third connection response message from the target proxy network element through OMCH. The third connection response message is used for confirming the receiving of the third connection request message.
Optionally, the source address of the third connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
For example, the type of the third connection response message may be SYN+ACK.
Optionally, the third connection response message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the third connection response message to the first network element.
S805: the first network element sends a third connection confirmation message to the target agent network element through OMCH; correspondingly, the target proxy network element receives a third connection confirmation message from the first network element through OMCH. The third connection confirmation message is used for confirming that the first network element and the network management equipment establish TCP connection.
Optionally, the source address of the third connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
For example, the type of the third connection acknowledgement message may be ACK.
Optionally, the third connection confirmation message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the third connection confirmation message to the target proxy network element.
S806: the target agent network element sends a sixth connection confirmation message to the network management equipment according to the third connection request through OMCH; the third connection confirmation message is used for confirming that the TCP connection is established with the network management equipment.
Optionally, the source address of the sixth connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the network management device.
For example, the type of the sixth connection acknowledgement message may be ACK.
Optionally, the sixth connection acknowledgement message may include a source port number and a destination port number, and the task class of the message carrying the source port number and the destination port number is to send the sixth connection acknowledgement message to the network management device.
By adopting the design, the target proxy network element is used as proxy equipment to finish the replacement of the IP address, thereby realizing TCP three-way handshake between the first network element and the network management equipment.
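The address replacement performed by the target proxy network element in S401-S406 (first network element to CA), S601-S606 (network management device to first network element) and S801-S806 (first network element to network management device) is the same relay in each case. The following simulation is an added example and not code from the patent: it models the proxy as a stateful relay with a flow table, runs the six segments of one proxied handshake in both directions, and shows two checks a practitioner would want from such a relay, namely that it only relays for peers it already knows and that it drops server-side segments for which it holds no flow entry. All addresses, ports and the allow-list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields the description talks about."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "SYN+ACK" or "ACK"


class TcpProxy:
    """The target proxy network element as a stateful address-replacing relay.

    allowed_peers is an assumption: the proxy relays only for elements it has a
    relationship with (the first network element behind the IPSec tunnel, the
    network management device behind the security gateway)."""

    def __init__(self, ip: str, allowed_peers) -> None:
        self.ip = ip
        self.allowed = set(allowed_peers)
        # (client_ip, client_port, server_ip, server_port) -> port the proxy uses toward the server
        self.flows: Dict[Tuple[str, int, str, int], int] = {}
        self.by_proxy_port: Dict[int, Tuple[str, int, str, int]] = {}
        self._next_port = 40000

    def relay_to_server(self, seg: Segment, server_ip: str) -> Segment:
        """Forward a segment from the initiator; the server only ever sees the proxy's address."""
        if seg.dst != self.ip:
            raise ValueError("segment is not addressed to the proxy")
        if seg.src not in self.allowed:
            raise PermissionError(f"refusing to relay for unknown peer {seg.src}")
        key = (seg.src, seg.sport, server_ip, seg.dport)
        pport = self.flows.get(key)
        if pport is None:
            if seg.flags != "SYN":
                raise ValueError("non-SYN segment for a flow the proxy has not seen")
            pport = self._next_port
            self._next_port += 1
            self.flows[key] = pport
            self.by_proxy_port[pport] = key
        return Segment(self.ip, server_ip, pport, seg.dport, seg.flags)

    def relay_to_client(self, seg: Segment) -> Optional[Segment]:
        """Forward a server-side segment back to the initiator; anything unsolicited is dropped."""
        if seg.dst != self.ip:
            raise ValueError("segment is not addressed to the proxy")
        key = self.by_proxy_port.get(seg.dport)
        if key is None or key[2] != seg.src or key[3] != seg.sport:
            return None  # no matching flow entry: not forwarded
        client_ip, client_port, _, server_port = key
        return Segment(self.ip, client_ip, server_port, client_port, seg.flags)


def three_way_handshake(proxy: TcpProxy, client_ip: str, client_port: int,
                        server_ip: str, server_port: int) -> List[Segment]:
    """Return the six segments of one proxied handshake in order:
    SYN in, SYN out, SYN+ACK in, SYN+ACK out, ACK in, ACK out."""
    syn = Segment(client_ip, proxy.ip, client_port, server_port, "SYN")
    syn_out = proxy.relay_to_server(syn, server_ip)
    synack = Segment(server_ip, proxy.ip, syn_out.dport, syn_out.sport, "SYN+ACK")
    synack_out = proxy.relay_to_client(synack)
    if synack_out is None:
        raise RuntimeError("proxy dropped the SYN+ACK of its own flow")
    ack = Segment(client_ip, proxy.ip, client_port, server_port, "ACK")
    return [syn, syn_out, synack, synack_out, ack, proxy.relay_to_server(ack, server_ip)]


# Constructed addresses: BS1 is the first network element, BS2 the target proxy.
BS1, BS2 = "2001:100::1", "2001:200::1"
CA, OSS = "2001:db8::ca", "2001:db8::55"  # CA and network management device (constructed)
PROXY = TcpProxy(BS2, {BS1, OSS})
CA_TRACE = three_way_handshake(PROXY, BS1, 50000, CA, 8080)   # S401-S406: BS1 -> CA
OSS_TRACE = three_way_handshake(PROXY, OSS, 51000, BS1, 443)  # S601-S606: OSS -> BS1 via tunnel


def unsolicited_is_dropped() -> bool:
    """A SYN+ACK toward a proxy port with no flow entry must not reach any client."""
    return PROXY.relay_to_client(Segment(CA, BS2, 8080, 49999, "SYN+ACK")) is None


def unknown_peer_is_refused() -> bool:
    """A SYN from an element the proxy has no relationship with is not relayed."""
    try:
        PROXY.relay_to_server(Segment("2001:db8::bad", BS2, 1, 8080, "SYN"), CA)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for seg in CA_TRACE + OSS_TRACE:
        print(f"{seg.flags:8} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}")
```

In both traces the CA and the network management device only ever exchange segments with the proxy's address, which is the IP address replacement the text describes.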
S702: when the version number of the configuration file is the same as the version number of the local configuration file of the target proxy network element, the target proxy network element sends the configuration file to the first network element. In this way, the configuration file is downloaded between the first network element and the target proxy network element whenever possible, which reduces the communication load between the first network element and the network management device, reduces the FTP traffic in the area, and avoids the data security risk that arises when a large amount of FTP traffic crosses the whole untrusted domain and passes through the security gateway to reach the first network element.
S703: when the version number of the configuration file is different from the version number of the local configuration file of the target proxy network element, the target proxy network element sends a second download request message to the network management equipment according to the first download request message; the target agent network element receives the configuration file from the network management equipment; the target proxy network element sends the configuration file to the first network element.
It should be understood that the actions of step S802 and step S803 may alternatively be performed.
S704: the first network element obtains a configuration file from the network management equipment or the target agent network element.
By adopting the design, the first network element can download the configuration file through the safe OMCH, so that the communication security of the first network element is improved.
Based on the above communication method, the present application also provides the following specific examples, which can be applied to the communication system as shown in fig. 1 or fig. 9. This example will be described by taking the communication system shown in fig. 9 as an example.
In the example provided by the present application, the first network element may be denoted by BS1, the target proxy network element may be denoted by BS2, and the regular network element by BS. Before the first network element selects BS2, BS2 is one of the BSs. In addition, in the example provided by the application, the network management device is taken as an OSS for illustration.
In combination with the above communication method, in the communication system, the first network element and the conventional network element (including the target agent network element) can communicate through a router, and the router can serve as an intermediate device to forward data and messages. The network management equipment and the first network element, the conventional network element, the target agent network element and the router can communicate through the security gateway. The communication area between the security gateway and the network management equipment is regarded as a trust domain, so that the communication security is high; the area outside the security gateway is considered to be an untrusted domain. That is, devices other than the security gateway need to pass through the security gateway to communicate with the network management device.
The process by which BS1 selects BS2 as the proxy network element is also schematically illustrated in fig. 9. The BS1 and the BS communicate through a router; after BS1 selects BS2 as the proxy network element, BS1 and BS2 communicate with the OSS through the security gateway.
By way of example, fig. 11 schematically illustrates the process of establishing an IPSec tunnel between BS1 and BS2. Here, the BS is one of a plurality of BSs that send response messages to BS1, and BS2 is the proxy network element selected by BS1. BS2 may communicate with the CA as a proxy network element.
By way of example, fig. 14 schematically illustrates the process of establishing OMCH between BS1 and the OSS, and the process by which BS1 acquires the configuration file. Here, an IPSec tunnel exists between BS1 and BS2, and an IPSec tunnel exists between BS2 and the security gateway. OMCH between BS1 and the OSS may be established based on the two IPSec tunnels described above. Because of the IPSec tunnels, BS1 may communicate with BS1, the CA and the network management device through the proxy function of BS2.
The above communication method is implemented by a four-stage process in this example.
Stage one, BS1 selects BS2 as proxy network element:
Based on the communication system shown in fig. 9, a procedure in which BS1 selects BS2 as a proxy network element will be described below with reference to the flowchart shown in fig. 10:
Frame 1:
The present application assumes that BS1 and the BSs (including BS2) expected to receive the multicast message are not in the service area of the same switch. Thus, communication between BS1 and BS2 must cross routers, and the routers need the PIM function enabled in order to forward the multicast message sent by BS1 to the multiple BSs, including BS2. BS2 sends an MLD join group message to the router; the MLD join group message includes the listening (Listen) multicast address, here exemplified as FF0X::X, and a fixed port number, which in this example is assumed to be 9000. That is, the destination port number of the multicast packet is 9000. In another possible example, BS1 may also apply to the Internet Assigned Numbers Authority (IANA) for a multicast address.
Frame 2:
The present application assumes that the internet protocol version is IPv6. BS1 sends an RS message of Internet Control Message Protocol version 6 (ICMPv6) type=133 to the router, thereby requesting an IP address from the router. The source address of the RS message is a link-local address, and the destination address is a multicast address, assumed in this example to be FF0X::2.
Correspondingly, the router sends an ICMPv6 type=134 RA message to BS1 so as to deliver the IP address of BS1, where the source address of the RA message is a link-local address and the destination address is a multicast address, assumed in this example to be FF0X::1. In addition, the RA packet carries a routing prefix, which is used to carry the IP address of BS1; in the present application the example is 2001:100::/64.
Frame 3:
BS1 sends a multicast packet of the multicast UDP packet type, where the multicast packet carries a TTL field. This process is described below in conjunction with fig. 9:
As shown in ① of fig. 9, BS1 transmits a multicast message; correspondingly, the router receives the multicast message. The source address of the multicast message is the IP address of BS1, for example 2001:100::1; the destination address is a multicast address, such as FF0X::X. In the application, the source port number of the multicast message is assumed to be 6000, and the destination port number of the multicast message is 9000.
As shown in ② in fig. 9, the router sends a multicast message with ttl=1. When the TTL field carried in the multicast message has a value of 1, the partial BS serving as the proxy base station in the area range of ttl=1 may receive the multicast message. Wherein the regular BS cannot act as a proxy base station, and thus the multicast message can be directly ignored, e.g., BS3 as the regular BS ignores the multicast message, i.e., does not receive a message for joining the network element group (cannot receive for not join the group). Accordingly, the BS, which may act as a proxy base station, may send a response message to the router after receiving the multicast message.
As shown in ③ in fig. 9, in the embodiment of the present application, it is assumed that no response message is obtained in the preset time node, and the router sends a multicast message with ttl=2. When the TTL field carried in the multicast message has a value of 2, the partial BS serving as the proxy base station in the area range of ttl=2 may receive the multicast message. In this embodiment, it is assumed that BS1 receives the response message in the area of ttl=2, and therefore, the router stops transmitting the multicast message.
Further, BS1 receives a response message from at least one BS, where the type of the response message is unicast UDP packet (unicast UDP packet), that is, the response message is a unicast message. Wherein, the source address of the response message received by BS1 from BS2 is the IP address of BS2, for example 2001:200:1; the destination address is the IP address of BS1, e.g., 2001:100:1. The response message may also carry the ESN of BS 2. The response message may also include a source port number and a destination port number, e.g., 9000, 6000. In addition, the response message may further include a key parameter, i.e., an IPSec configuration parameter, which is used to agree on an algorithm for establishing the IPSec tunnel by BS1 and BS 2.
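The TTL expanding-ring search of ② and ③ in fig. 9 and the unicast response of the proxy-capable BS, as an added Python model that is not part of the patent. Addresses, ports and ESNs are the page's example values or constructed stand-ins (BS2 and BS3 addresses written in valid IPv6 form, BS4 and all ESNs invented); the selection rule in select_target_proxy and the max_ttl bound are assumptions, since the page does not fix them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Values taken from the page's worked example; "FF0X::X" is the page's own
# placeholder for the group address and is only compared as a string here.
MULTICAST_GROUP = "FF0X::X"   # group named in BS2's MLD join (Listen address)
GROUP_PORT = 9000             # fixed destination port carried in the MLD join
BS1_IP = "2001:100::1"        # BS1's address under the RA prefix 2001:100::/64
BS1_PORT = 6000               # source port of the multicast message


@dataclass
class BaseStation:
    name: str
    ip: str
    esn: str
    hops: int                 # router hops from the router that forwards BS1's multicast
    can_proxy: bool           # only proxy-capable BSs joined the group; regular BSs ignore it
    ipsec_params: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class UdpMessage:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    payload: Dict[str, str]


def multicast_request(ttl: int) -> UdpMessage:
    """The multicast UDP packet of ① in fig. 9, re-sent by the router with the given TTL."""
    return UdpMessage(BS1_IP, BS1_PORT, MULTICAST_GROUP, GROUP_PORT, ttl, {"esn": "ESN-BS1"})


def bs_handle(bs: BaseStation, msg: UdpMessage) -> Optional[UdpMessage]:
    """One BS's view: the packet reaches it only if the TTL covers its hop distance, and
    only a BS that joined the group (proxy-capable) answers with a unicast response to BS1."""
    if msg.ttl < bs.hops:
        return None                       # TTL expired before reaching this BS
    if not bs.can_proxy or msg.dport != GROUP_PORT:
        return None                       # regular BS, or not the port announced in the MLD join
    # Response: source is the BS's own IP, destination is BS1, ports swapped (9000 -> 6000).
    # The ESN and the IPSec configuration parameters ride in the payload as the page describes.
    return UdpMessage(bs.ip, GROUP_PORT, msg.src, msg.sport, 64,
                      {"esn": bs.esn, **bs.ipsec_params})


def expanding_ring_discovery(stations: List[BaseStation],
                             max_ttl: int = 4) -> Tuple[Optional[int], List[UdpMessage]]:
    """Router behaviour of ②/③ in fig. 9: send with TTL=1, wait the preset time, and if no
    response arrived send again with TTL+1; stop at the first TTL that yields a response.
    The wait is modelled as one loop iteration; max_ttl bounds the search (assumption)."""
    for ttl in range(1, max_ttl + 1):
        msg = multicast_request(ttl)
        responses = [r for r in (bs_handle(bs, msg) for bs in stations) if r is not None]
        if responses:
            return ttl, responses
    return None, []


def select_target_proxy(responses: List[UdpMessage]) -> UdpMessage:
    """The page only says BS1 selects 'according to the response message'; this example
    takes the lowest ESN as a deterministic rule (assumption, not the patent's criterion)."""
    candidates = [r for r in responses if r.dst == BS1_IP and r.dport == BS1_PORT]
    if not candidates:
        raise ValueError("no response addressed to BS1")
    return min(candidates, key=lambda r: r.payload["esn"])


def demo_stations() -> List[BaseStation]:
    """Constructed topology: BS3 is a regular BS one hop away, BS2 a proxy-capable BS two
    hops away, BS4 a proxy-capable BS that is farther and must never be reached."""
    return [
        BaseStation("BS3", "2001:300::1", "ESN-BS3", hops=1, can_proxy=False),
        BaseStation("BS2", "2001:200::1", "ESN-BS2", hops=2, can_proxy=True,
                    ipsec_params={"ipsec_alg": "constructed-example"}),
        BaseStation("BS4", "2001:400::1", "ESN-BS4", hops=3, can_proxy=True),
    ]


if __name__ == "__main__":
    ttl, responses = expanding_ring_discovery(demo_stations())
    chosen = select_target_proxy(responses)
    print(f"proxy found at TTL={ttl}: {chosen.src} ESN={chosen.payload['esn']}")
```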
Stage two, establishing an IPSec tunnel between BS1 and BS2:
The procedure of establishing the IPSec tunnel between BS1 and BS2 will be described with reference to fig. 11:
Step A (establish TCP connection between BS1 and CA):
As shown in ① of fig. 11, after BS1 receives the response message from at least one BS, BS1 selects one of them as its proxy network element; in the present application it is assumed that BS1 selects BS2 as the proxy network element.
Further, BS1 sends an acknowledgement message to BS2 informing BS2 that it is to provide proxy service for BS1; the acknowledgement message may include the IP address of the CA, the ESN of BS1, and IPSec configuration parameters for BS1 and BS2 to agree on the algorithm for establishing the IPSec tunnel. It should be appreciated that in this example the response message includes IPSec configuration parameters, and/or the acknowledgement message includes IPSec configuration parameters.
As shown at ② in fig. 11, BS2, as the proxy network element for BS1, may communicate with the CA so that a TCP connection is established between BS1 and the CA for applying for the operator certificate. The TCP three-way handshake between BS1 and the CA is described below with reference to the flowchart shown in fig. 12:
a. BS1 determines, according to the key parameters acquired in ① of fig. 11, to send a message of type SYN to BS2. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 7000 and the destination port number is 8000.
b. BS2 modifies the source address and destination address of the SYN message and sends the modified message to the CA; the modified message is still of type SYN. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the CA, e.g. 2002::1. In the application, the source port number of the message is 9000 and the destination port number is 8080.
c. The CA sends a message of type SYN+ACK to BS2. The source address of the message is the address of the CA, e.g. 2002::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is assumed to be 8080 and the destination port number 9000.
d. BS2 modifies the source address and destination address of the SYN+ACK message and sends the modified message to BS1; the modified message is still of type SYN+ACK. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is that of BS1, for example 2001:100::1. In the application, the source port number of the message is assumed to be 8000 and the destination port number 7000.
e. BS1 sends a message of type ACK to BS2. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 7000 and the destination port number is 8000.
f. BS2 modifies the source address and destination address of the ACK message and sends the modified message to the CA; the modified message is still of type ACK. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the CA, e.g. 2002::1. In the application, the source port number of the message is 9000 and the destination port number is 8080.
Step B (apply for operator certificate):
Still based on ② in the communication system shown in fig. 11, BS2 may act as a TCP proxy device (TCP proxy) for BS1. The procedure in which BS1 applies to the CA for an operator certificate is described below with reference to block 1 in the flowchart shown in fig. 13:
a. BS1 sends a message of type cmp.ir to BS2 over the aforementioned TCP connection. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 7000 and the destination port number is 8000.
b. BS2 modifies the source address and destination address of the cmp.ir message and sends the modified message to the CA; the modified message is still of type cmp.ir. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the CA, e.g. 2002::1. In the application, the source port number of the message is 9000 and the destination port number is 8080.
c. The CA sends a message of type cmp.ip to BS2, which includes the certificate of BS1. The source address of the message is the address of the CA, e.g. 2002::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is assumed to be 8080 and the destination port number 9000.
d. BS2 modifies the source address and destination address of the cmp.ip message and sends the modified message to BS1; the modified message is still of type cmp.ip and still includes the certificate of BS1. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is that of BS1, for example 2001:100::1. In the application, the source port number of the message is assumed to be 8000 and the destination port number 7000.
Further, BS1 and BS2 may also authenticate each other's identity using the operator certificate of the other party. When both sides pass the authentication, it is determined that the IPSec tunnel can be established; the description continues with reference to block 1 in the flowchart shown in fig. 13:
e. BS1 sends a message of type cmp.certconf to BS2. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 7000 and the destination port number is 8000.
f. BS2 modifies the source address and destination address of the cmp.certconf message and sends the modified message to the CA; the modified message is still of type cmp.certconf. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the CA, e.g. 2002::1. In the application, the source port number of the message is 9000 and the destination port number is 8080.
g. The CA sends a message of type cmp.pkiconf to BS2, which includes key parameters for establishing the IPSec tunnel. The source address of the message is the address of the CA, e.g. 2002::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is assumed to be 8080 and the destination port number 9000.
h. BS2 modifies the source address and destination address of the cmp.pkiconf message and sends the modified message to BS1; the modified message is still of type cmp.pkiconf and still includes the key parameters for establishing the IPSec tunnel. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is that of BS1, for example 2001:100::1. In the application, the source port number of the message is assumed to be 8080 and the destination port number 7000.
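The address and port rewriting that BS2 applies in Step A (three-way handshake, steps a to f) and again in Step B (the CMP exchange, steps a to h), as an added Python model that is not the patent's code. It keeps one binding per relayed connection, rewrites only the addresses and ports, drops packets that match no binding, and, going beyond the text, the same rule serves the OSS-initiated connection of stage three. Addresses are the page's examples written as valid IPv6 (2001:200::1 for BS2, 2003::1 for the OSS); the message payloads are constructed stand-ins.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IPv6 address, port)


@dataclass(frozen=True)
class Packet:
    """One TCP segment or application message as seen on the wire."""
    src: str
    sport: int
    dst: str
    dport: int
    kind: str                 # "SYN", "SYN+ACK", "ACK", "cmp.ir", "cmp.ip", ...
    payload: bytes = b""


@dataclass(frozen=True)
class Binding:
    """One relayed connection: the inner side faces the new BS, the outer side the CA or OSS."""
    inner_peer: Endpoint      # e.g. (BS1, 7000)
    inner_port: int           # port BS2 exposes to BS1, e.g. 8000
    outer_port: int           # port BS2 uses toward the CA, e.g. 9000
    outer_peer: Endpoint      # e.g. (CA, 8080)


class TcpProxy:
    """Model of BS2's TCP proxy role: rewrite addresses/ports, leave type and payload alone."""

    def __init__(self, own_ip: str) -> None:
        self.own_ip = own_ip
        self._by_inner: Dict[Endpoint, Binding] = {}
        self._by_outer: Dict[Endpoint, Binding] = {}

    def add_binding(self, b: Binding) -> None:
        # A binding exists only for a BS whose acknowledgement message (stage two, step A)
        # named this proxy and the CA; packets from anyone else are not relayed.
        self._by_inner[b.inner_peer] = b
        self._by_outer[b.outer_peer] = b

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the rewritten packet, or None when the packet matches no binding (dropped)."""
        if pkt.dst != self.own_ip:
            return None
        b = self._by_inner.get((pkt.src, pkt.sport))
        if b is not None and pkt.dport == b.inner_port:
            # inner -> outer: BS1 -> BS2 leaves as BS2 -> CA (steps b and f of the handshake)
            return replace(pkt, src=self.own_ip, sport=b.outer_port,
                           dst=b.outer_peer[0], dport=b.outer_peer[1])
        b = self._by_outer.get((pkt.src, pkt.sport))
        if b is not None and pkt.dport == b.outer_port:
            # outer -> inner: CA -> BS2 is returned as BS2 -> BS1 (step d of the handshake)
            return replace(pkt, src=self.own_ip, sport=b.inner_port,
                           dst=b.inner_peer[0], dport=b.inner_peer[1])
        return None


BS1, BS2, CA, OSS = "2001:100::1", "2001:200::1", "2002::1", "2003::1"


def certificate_enrolment_trace() -> List[Tuple[Packet, Optional[Packet]]]:
    """Replay of stage two, Steps A and B: the handshake followed by the CMP ir/ip/certconf/
    pkiconf exchange, every message relayed by BS2. Returns (as sent, as relayed) pairs."""
    proxy = TcpProxy(BS2)
    proxy.add_binding(Binding((BS1, 7000), 8000, 9000, (CA, 8080)))
    trace: List[Tuple[Packet, Optional[Packet]]] = []

    def bs1_sends(kind: str, payload: bytes = b"") -> Optional[Packet]:
        pkt = Packet(BS1, 7000, BS2, 8000, kind, payload)
        out = proxy.forward(pkt)
        trace.append((pkt, out))
        return out

    def ca_replies(to: Packet, kind: str, payload: bytes = b"") -> Optional[Packet]:
        # The CA answers the proxy's outer endpoint; it never sees BS1's address.
        pkt = Packet(to.dst, to.dport, to.src, to.sport, kind, payload)
        out = proxy.forward(pkt)
        trace.append((pkt, out))
        return out

    syn = bs1_sends("SYN")
    ca_replies(syn, "SYN+ACK")
    bs1_sends("ACK")
    ir = bs1_sends("cmp.ir", b"csr(BS1)")             # constructed request body
    ca_replies(ir, "cmp.ip", b"cert(BS1)")             # constructed certificate stand-in
    conf = bs1_sends("cmp.certconf")
    ca_replies(conf, "cmp.pkiconf", b"ipsec-key-params")
    return trace


if __name__ == "__main__":
    for sent, relayed in certificate_enrolment_trace():
        print(f"{sent.kind:12} {sent.src}:{sent.sport} -> {sent.dst}:{sent.dport}  "
              f"relayed as {relayed.src}:{relayed.sport} -> {relayed.dst}:{relayed.dport}")
```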
Step C (establish IPSec tunnel):
As shown in ③ of fig. 11, after BS1 acquires the operator certificate, an IPSec tunnel between BS1 and BS2 is established. The process of establishing the IPSec tunnel between BS1 and BS2 is described below with reference to block 2 in the flowchart shown in fig. 13:
BS1 sends a message of type UDP packet to BS2, which includes key parameters for establishing the IPSec tunnel (KEY PARAMETERS to establish IPSec). The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is assumed to be 6000 and the destination port number 6001. Further, the IPSec tunnel between BS1 and BS2 is established based on the aforementioned key parameters.
Stage three, establishing OMCH between BS1 and the OSS:
Based on ① and ② in the communication system shown in fig. 14, the procedure for establishing OMCH between BS1 and the OSS is described below with reference to the flowchart shown in fig. 15:
Step A (BS1 sends an OMCH application):
a. BS1 sends a message of type UDP packet to BS2, which includes key parameters for requesting OMCH setup (KEY PARAMETERS to ask for OMCH establish). The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 7001 and the destination port number is 8001.
b. From the UDP packet, BS2 derives a packet of type TCP packet option 254 carrying the ESN and IP of BS1 (TCP PACKET open 254include BS1 ESN&IP) and sends this packet to the OSS. The source address of the packet is the address of BS2, for example 2001:200:1; the destination address is the address of the OSS, e.g. 2003::1. In the application, the source port number of the message is 6007 and the destination port number is 63332.
Step B (establish TCP connection between BS1 and the OSS):
a. The OSS sends a message of type SYN to BS2. The source address of the message is the address of the OSS, for example 2003:1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 63332 and the destination port number is 6007.
b. BS2 modifies the source address and destination address of the SYN message and sends the modified message to BS1; the modified message is still of type SYN. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of BS1, for example 2001:100::1. In the application, the source port number of the message is assumed to be 8001 and the destination port number 6007.
c. BS1 sends a message of type SYN+ACK to BS2. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 6007 and the destination port number is 8001.
d. BS2 modifies the source address and destination address of the SYN+ACK message and sends the modified message to the OSS; the modified message is still of type SYN+ACK. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the OSS, e.g. 2003:1. In the application, the source port number of the message is 6007 and the destination port number is 63332.
e. The OSS sends a message of type ACK to BS2. The source address of the message is the address of the OSS, for example 2003:1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 63332 and the destination port number is 6007.
f. BS2 modifies the source address and destination address of the ACK message and sends the modified message to BS1; the modified message is still of type ACK. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of BS1, for example 2001:100::1. In the application, the source port number of the message is assumed to be 8001 and the destination port number 6007.
Step C (establish OMCH):
The OSS verifies the proxy authority of BS2 through SSL authentication.
Further, BS1 may establish a temporary OMCH with the OSS (BS1 established temporary OMCH with OSS) through the TCP proxy function of BS2.
Stage four, BS1 acquires a configuration file:
Based on ③ in the communication system shown in fig. 14, the procedure by which BS1 acquires a configuration file is described below with reference to the flowchart shown in fig. 16:
Step A:
BS1 sends a download request to the OSS for downloading the configuration file.
Optionally, the download request includes a version number of the configuration file.
Step B:
a. BS1 sends a message of type SYN to BS2. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 63333 and the destination port number is 21.
b. BS2 modifies the source address and destination address of the SYN message and sends the modified message to the OSS; the modified message is still of type SYN. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the OSS, e.g. 2003:1. In the application, the source port number of the message is 8005 and the destination port number is 21.
c. The OSS sends a message of type SYN+ACK to BS2. The source address of the message is the address of the OSS, for example 2003:1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is assumed to be 21 and the destination port number 8005.
d. BS2 modifies the source address and destination address of the SYN+ACK message and sends the modified message to BS1; the modified message is still of type SYN+ACK. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is that of BS1, for example 2001:100::1. In the application, the source port number of the message is assumed to be 21 and the destination port number 63332.
e. BS1 sends a message of type ACK to BS2. The source address of the message is the address of BS1, for example 2001:100::1; the destination address is the address of BS2, for example 2001:200:1. In the application, the source port number of the message is 63333 and the destination port number is 21.
f. BS2 modifies the source address and destination address of the ACK message and sends the modified message to the OSS; the modified message is still of type ACK. The source address of the modified message is the address of BS2, for example 2001:200:1; the destination address is the address of the OSS, e.g. 2003:1. In the application, the source port number of the message is 8005 and the destination port number is 21.
Step C:
The configuration file is downloaded via OMCH over the aforementioned TCP connection between BS1 and the OSS.
As shown in fig. 16, when the version number of the configuration file in the download request differs from the version number of the local configuration file of BS2, BS1 may download the configuration file from the OSS, for example downloading software and configuration via FTPS (Download software and configuration via FTPS). When the version number of the configuration file is the same as the version number of the local configuration file of BS2, BS1 may instead download it from BS2, e.g. download software from BS2 (download software from BS 2).
Based on the same technical concept, the present application also provides a communication device, which can be applied to the communication system shown in fig. 1, for implementing the communication method provided in the above embodiment. Referring to fig. 17, the communication apparatus 1700 includes a communication module 1701 and a processing module 1702.
The communication module 1701 is configured to receive and transmit data. Optionally, a communication interface may be included in the communication module 1701.
The processing module 1702 is configured to execute the steps performed by the first network element or the target proxy network element in the communication method provided in the foregoing embodiments. For the specific function of the processing module 1702, reference may be made to the related description in the above embodiments, which is not repeated here.
In one embodiment, when the communication device is configured to implement the actions of the aforementioned first network element, the communication module 1701 is configured to: send a multicast message; receive a response message from at least one proxy network element; and the processing module 1702 is configured to: select a target proxy network element from the at least one proxy network element according to the response message of the at least one proxy network element; establish an internet security protocol IPSec tunnel between the first network element and the target proxy network element; and establish an operation and maintenance management channel OMCH between the first network element and the network management equipment through the IPSec tunnel.
In one embodiment, when the communication device is configured to implement the foregoing actions of the target proxy network element, the communication module 1701 is configured to: receiving a multicast message from a first network element; transmitting a response message to the first network element; the processing module 1702 is configured to: establishing an internet security protocol IPSec tunnel between the first network element and the second network element; and establishing an operation and maintenance management channel OMCH between the first network element and the network management equipment through the IPSec tunnel.
It should be noted that, in the embodiment of the present application, the division of the modules is merely schematic, and there may be another division manner in actual implementation, and in addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or may exist separately and physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Based on the same technical concept, the embodiment of the present application also provides another communication device 1800, which can implement the communication method provided in the above embodiment, and has the functions of the processor provided in the above embodiment. Referring to fig. 18, the communication apparatus 1800 includes: memory 1802, processor 1801. Optionally, the communication device 1800 further includes a communication interface 1803. Wherein the communication interface 1803, the processor 1801, and the memory 1802 are interconnected.
Optionally, the communication interface 1803, the processor 1801 and the memory 1802 are connected to each other through a bus 1804. The bus 1804 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus, or the like. Buses may be classified as address buses, data buses, control buses, etc. For ease of illustration only one thick line is shown in fig. 18, but this does not mean that there is only one bus or one type of bus.
The communication interface 1803 is configured to receive and transmit data, and implement communication with other devices other than the communication apparatus.
For the function of the processor 1801, reference may be made to the description in the above embodiments, which is not repeated here. The processor 1801 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP, among others. The processor 1801 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. When implementing the above functions, the processor 1801 may do so in hardware, or by hardware executing corresponding software.
The memory 1802 is configured to store program instructions and the like. In particular, the program instructions may comprise program code comprising computer-operating instructions. The memory 1802 may include random access memory (random access memory, RAM) and may also include non-volatile memory (non-volatile memory), such as at least one disk memory. The processor 1801 executes program instructions stored in the memory 1802 to realize the functions described above, thereby realizing the methods provided in the above embodiments. The memory 1802 may include, for example, a first network element or a target proxy network element as shown in embodiments of the present application.
Based on the same technical idea, the embodiments of the present application also provide a computer program, which when run on a computer, causes the computer to perform the method provided in the above embodiments.
Based on the same technical idea, the embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, which when run on a computer causes the computer to perform the method provided in the above embodiment.
A storage medium may be any available medium that can be accessed by a computer. By way of example and not limitation, the computer-readable medium may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
Based on the above embodiments, the present application further provides a chip, where the chip is configured to read a computer program stored in a memory, and implement the method provided in the above embodiments. Optionally, the chip may include a processor and a memory, where the processor is coupled to the memory, and is configured to read a computer program stored in the memory, to implement the method provided in the foregoing embodiment.
Based on the above embodiments, the embodiments of the present application provide a chip system, which includes a processor for supporting a computer device to implement the functions related to the terminal device in the above embodiments. In one possible design, the chip system further includes a memory for storing programs and data necessary for the computer device. The chip system can be composed of chips, and can also comprise chips and other discrete devices.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (30)

1. A method of communication, the method comprising:
The first network element sends a multicast message;
The first network element receives a response message from at least one proxy network element;
The first network element selects a target proxy network element from the at least one proxy network element according to the response message of the at least one proxy network element;
The first network element establishes an internet security protocol IPSec tunnel between the first network element and the target agent network element;
And the first network element establishes an operation and maintenance management channel OMCH between the first network element and network management equipment through the IPSec tunnel.
2. The method of claim 1, wherein prior to the first network element sending the multicast message, the method further comprises: the first network element obtains an Internet Protocol (IP) address of the first network element from a router;
the source address of the multicast message is the IP address of the first network element, and the destination address is the multicast address;
The source address of the response message of the first proxy network element is the IP address of the first proxy network element, and the destination address is the IP address of the first network element; wherein the first proxy network element is any proxy network element of the at least one proxy network element.
3. The method of claim 1 or 2, wherein the multicast message includes a time-to-live TTL field, the TTL field having a value of n, n being a positive integer;
the value n of the TTL field is used for indicating n hops of multicast message transmission; the at least one proxy network element is a network element reached by n hops of the multicast message transmission.
4. A method according to any of claims 1-3, wherein after selecting a target proxy network element in the at least one proxy network element, the method further comprises:
The first network element sends a confirmation message to the target proxy network element, wherein the confirmation message is used for notifying the target proxy network element to provide proxy service for the first network element, and the confirmation message comprises an IP address of a certificate authority CA.
5. The method according to any of claims 1-4, wherein the first network element establishing an IPSec tunnel with the target proxy network element comprises:
the first network element sends a first certificate application message to the target proxy network element, wherein the first certificate application message is used for applying a certificate to a CA;
The first network element receives a first certificate response message from the target proxy network element, wherein the first certificate response message comprises the certificate;
The first network element sends a first certificate confirmation message to the target proxy network element according to the certificate, wherein the first certificate confirmation message is used for notifying the target proxy network element that the first network element has received the certificate;
the first network element receives a first certificate completion message from the target proxy network element, wherein the first certificate completion message is used for notifying the first network element that the CA has received the first certificate completion message;
The first network element establishes the IPSec tunnel according to a first IPSec configuration parameter, wherein the first IPSec configuration parameter is determined by the first network element and the target proxy network element.
6. The method of claim 5, wherein the source address of the first certificate application message is an IP address of the first network element, and the destination address is an IP address of the target proxy network element;
The source address of the first certificate response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
7. The method according to claim 5 or 6, wherein before the first network element sends a first certificate application message to the target proxy network element, the method further comprises:
the first network element sends a first connection request message to the target proxy network element; the first connection request message is used for requesting to establish a Transmission Control Protocol (TCP) connection with the CA;
The first network element receives a first connection response message from the target proxy network element; the first connection response message is used for confirming receipt of the first connection request message;
The first network element sends a first connection confirmation message to the target proxy network element; the first connection confirmation message is used for confirming that a TCP connection has been established with the CA.
8. The method of claim 7, wherein the source address of the first connection request message is an IP address of the first network element, and the destination address is an IP address of the target proxy network element;
the source address of the first connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element;
the source address of the first connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element.
9. The method according to any of claims 1-8, wherein the first network element establishes OMCH with a network management device through the IPSec tunnel, comprising:
The first network element sends a first OMCH application message to the target proxy network element through the IPSec tunnel, the first OMCH application message is used for applying to establish the OMCH, and the first OMCH application message includes an IP address of the first network element and a unique identifier of the first network element;
and the first network element establishes the OMCH with the network management device through the IPSec tunnel according to the IP address of the first network element and the unique identifier of the first network element.
10. The method of claim 9, wherein after the first network element sends the first OMCH application message to the target proxy network element through the IPSec tunnel, the method further comprises:
The first network element receives a second connection request message from the target proxy network element through the IPSec tunnel; the second connection request message is used for requesting to establish a TCP connection between the network management device and the first network element;
The first network element sends a second connection response message to the target proxy network element through the IPSec tunnel; the second connection response message is used for confirming receipt of the second connection request message;
The first network element receives a second connection confirmation message from the target proxy network element through the IPSec tunnel; the second connection confirmation message is used for confirming that a TCP connection has been established with the network management device.
11. The method of claim 10, wherein the source address of the second connection request message is an IP address of the target proxy network element, and the destination address is an IP address of the first network element;
The source address of the second connection response message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element;
The source address of the second connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
12. The method according to any of claims 1-11, wherein after the first network element establishes OMCH with a network management device through the IPSec tunnel, the method further comprises:
The first network element sends a first download request message to the network management device through the OMCH via the target proxy network element, wherein the first download request message is used for requesting to download a configuration file, and the first download request message comprises a version number of the configuration file;
The first network element obtains the configuration file from the network management device or from the target proxy network element.
13. The method of claim 12, wherein after the first network element sends the first download request message to the target proxy network element through the OMCH, the method further comprises:
The first network element sends a third connection request message to the target proxy network element through the OMCH; the third connection request message is used for requesting to establish a TCP connection between the network management device and the first network element;
The first network element receives a third connection response message from the target proxy network element through the OMCH; the third connection response message is used for confirming receipt of the third connection request message;
The first network element sends a third connection confirmation message to the target proxy network element through the OMCH; and the third connection confirmation message is used for confirming that a TCP connection has been established with the network management device.
14. A method of communication, the method comprising:
the target proxy network element receives a multicast message from a first network element;
The target proxy network element sends a response message to the first network element;
The target proxy network element establishes an internet security protocol IPSec tunnel between the target proxy network element and the first network element;
And the target proxy network element establishes an operation and maintenance management channel OMCH between the first network element and a network management device through the IPSec tunnel.
15. The method of claim 14, wherein the source address of the multicast message is an internet protocol, IP, address of the first network element and the destination address is a multicast address; the source address of the response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
16. The method of claim 14 or 15, wherein the multicast message includes a time-to-live TTL field, the TTL field having a value of n, n being a positive integer;
the value n of the TTL field is used to indicate n hops of the multicast message transmission.
17. The method of any one of claims 14-16, wherein the method further comprises:
The target proxy network element receives a confirmation message from the first network element, the confirmation message being used for notifying the target proxy network element to provide proxy services for the first network element, the confirmation message comprising an IP address of a certificate authority CA.
18. The method according to any of claims 14-17, wherein the target proxy network element establishes an IPSec tunnel with the first network element, comprising:
The target proxy network element receives a first certificate application message from the first network element, wherein the first certificate application message is used for applying to the CA for a certificate;
The target proxy network element sends a second certificate application message to the CA according to the first certificate application message;
The target proxy network element receives a second certificate response message from the CA;
The target proxy network element sends a first certificate response message to the first network element according to the second certificate response message; the second certificate response message contains the certificate, and the first certificate response message contains the certificate;
The target proxy network element receives a first certificate confirmation message from the first network element, wherein the first certificate confirmation message is used for notifying the target proxy network element that the first network element has received the certificate;
the target proxy network element sends a second certificate confirmation message to the CA according to the first certificate confirmation message;
The target proxy network element receives a second certificate completion message from the CA, wherein the second certificate completion message is used for notifying the target proxy network element that the CA has received the second certificate completion message;
the target proxy network element sends a first certificate completion message to the first network element according to the second certificate completion message, wherein the first certificate completion message is used for notifying the first network element that the CA has received the first certificate completion message;
The target proxy network element establishes the IPSec tunnel according to a first IPSec configuration parameter determined by the first network element and the target proxy network element.
19. The method of claim 18, wherein the source address of the first certificate application message is an IP address of the first network element, and the destination address is an IP address of the target proxy network element;
The source address of the second certificate application message is the IP address of the target proxy network element, and the destination address is the IP address of the CA;
the source address of the second certificate response message is the IP address of the CA, and the destination address is the IP address of the target proxy network element;
The source address of the first certificate response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
20. The method according to claim 18 or 19, wherein before the target proxy network element receives the first certificate application message from the first network element, the method further comprises:
The target proxy network element receives a first connection request message from the first network element; the first connection request message is used for requesting to establish a Transmission Control Protocol (TCP) connection between the first network element and the CA;
The target proxy network element sends a fourth connection request message to the CA according to the first connection request message;
The target proxy network element receives a fourth connection response message from the CA;
The target proxy network element sends a first connection response message to the first network element according to the fourth connection response message; the first connection response message is used for confirming receipt of the first connection request message;
The target proxy network element receives a first connection confirmation message from the first network element; the first connection confirmation message is used for confirming that the first network element and the CA have established a TCP connection;
The target proxy network element sends a fourth connection confirmation message to the CA according to the first connection confirmation message; the first connection confirmation message is used for confirming that the first network element has established a TCP connection with the CA.
21. The method of claim 20, wherein the source address of the first connection request message is an IP address of the first network element, and the destination address is an IP address of the target proxy network element;
the source address of the fourth connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the CA;
The source address of the fourth connection response message is the IP address of the CA, and the destination address is the IP address of the target proxy network element;
the source address of the first connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element;
The source address of the first connection confirmation message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element;
And the source address of the fourth connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the CA.
22. The method according to any of claims 14-21, wherein the establishing OMCH between the first network element and a network management device by the target proxy network element through the IPSec tunnel comprises:
The target proxy network element receives a first OMCH application message from the first network element through the IPSec tunnel, the first OMCH application message is used for applying to establish the OMCH, and the first OMCH application message includes an IP address of the first network element and a unique identifier of the first network element;
and the target proxy network element establishes the OMCH between the first network element and the network management device through the IPSec tunnel according to the IP address of the first network element and the unique identifier of the first network element.
23. The method of claim 22, wherein after the target proxy network element receives the first OMCH application message from the first network element through the IPSec tunnel, the method further comprises:
The target proxy network element receives a fifth connection request message from the network management device through the IPSec tunnel; the fifth connection request message is used for requesting to establish a TCP connection between the network management device and the first network element;
The target proxy network element sends a second connection request message to the first network element through the IPSec tunnel; the second connection request message is used for requesting to establish a TCP connection between the network management device and the first network element;
The target proxy network element receives a second connection response message from the first network element through the IPSec tunnel; the second connection response message is used for confirming receipt of the second connection request message;
The target proxy network element sends a fifth connection response message to the network management device through the IPSec tunnel according to the second connection response message;
The target proxy network element receives a fifth connection confirmation message from the network management device through the IPSec tunnel;
The target proxy network element sends a second connection confirmation message to the first network element through the IPSec tunnel according to the fifth connection confirmation message; the second connection confirmation message is used for confirming that the first network element and the network management device have established a TCP connection.
24. The method of claim 23, wherein the source address of the fifth connection request message is an IP address of the network management device, and the destination address is an IP address of the target proxy network element;
The source address of the second connection request message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element;
The source address of the second connection response message is the IP address of the first network element, and the destination address is the IP address of the target proxy network element;
The source address of the fifth connection response message is the IP address of the target proxy network element, and the destination address is the IP address of the network management device;
The source address of the fifth connection confirmation message is the IP address of the network management device, and the destination address is the IP address of the target proxy network element;
The source address of the second connection confirmation message is the IP address of the target proxy network element, and the destination address is the IP address of the first network element.
25. The method according to any of claims 14-24, wherein after the target proxy network element establishes OMCH between the first network element and a network management device through the IPSec tunnel, the method further comprises:
The target proxy network element receives a first download request message from the first network element through the OMCH, wherein the first download request message is used for requesting to download a configuration file, and the first download request message comprises a version number of the configuration file;
When the version number of the configuration file is the same as the version number of the local configuration file of the target proxy network element, the target proxy network element sends the local configuration file to the first network element;
When the version number of the configuration file is different from the version number of the local configuration file of the target proxy network element, the target proxy network element sends a second download request message to the network management device according to the first download request message; the target proxy network element receives the configuration file from the network management device; and the target proxy network element sends the configuration file to the first network element.
26. The method of claim 25, wherein after the target proxy network element receives the first download request message from the first network element through the OMCH, the method further comprises:
The target proxy network element receives a third connection request message from the first network element through the OMCH; the third connection request message is used for requesting to establish a TCP connection between the network management device and the first network element;
The target proxy network element sends a sixth connection request message to the network management device through the OMCH according to the third connection request message;
The target proxy network element receives a sixth connection response message from the network management device through the OMCH;
The target proxy network element sends a third connection response message to the first network element through the OMCH according to the sixth connection response message; the third connection response message is used for confirming receipt of the third connection request message;
the target proxy network element receives a third connection confirmation message from the first network element through the OMCH; the third connection confirmation message is used for confirming that a TCP connection has been established with the network management device;
The target proxy network element sends a sixth connection confirmation message to the network management device through the OMCH according to the third connection request message; and the third connection confirmation message is used for confirming that a TCP connection has been established with the network management device.
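The proxy-side relay of claims 17 through 26, as an added simulation that is not part of the patent: the proxy accepts the confirmation message carrying the CA address, re-sources every relayed message so the CA only ever sees the proxy's own address (claims 19 and 21), and serves a configuration download from its local copy only when the version numbers match (claim 25). All addresses, identifiers, message names and certificate strings are constructed placeholders.

```python
"""Constructed simulation of the proxy-relayed exchanges in claims 17-26.
Addresses, identifiers and certificate strings are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    kind: str
    src: str        # source address (claims 19, 21, 24)
    dst: str        # destination address
    body: dict = field(default_factory=dict)


class CA:
    """Certificate authority: answers the TCP-handshake and certificate messages."""
    REPLY = {"connect_req": "connect_resp", "cert_app": "cert_resp",
             "cert_confirm": "cert_complete"}

    def __init__(self, ip):
        self.ip = ip

    def handle(self, m):
        if m.dst != self.ip:
            raise ValueError("CA received a message not addressed to it")
        if m.kind == "connect_confirm":
            return None                      # handshake done, nothing to answer
        body = {"cert": f"CERT({m.body['ne_id']})"} if m.kind == "cert_app" else {}
        return Msg(self.REPLY[m.kind], self.ip, m.src, body)


class NMS:
    """Network management device holding the current configuration file."""
    def __init__(self, ip, version, config):
        self.ip, self.version, self.config, self.hits = ip, version, config, 0

    def download(self):
        self.hits += 1                       # counts fetches to show the proxy's cache effect
        return self.config


class Proxy:
    """Target proxy NE: relays between the first NE and the CA / NMS."""
    def __init__(self, ip, nms, local_version, local_config):
        self.ip, self.nms = ip, nms
        self.local_version, self.local_config = local_version, local_config
        self.ca_ip = None                    # learned from the confirmation message (claim 17)
        self.trace = []                      # every message the proxy emits

    def confirm(self, m):
        if m.kind != "confirm" or m.dst != self.ip:
            raise ValueError("unexpected message")
        self.ca_ip = m.body["ca_ip"]

    def relay_to_ca(self, ca, m):
        """Claims 18-21: the proxy re-sources each message, so the CA only sees the proxy."""
        if self.ca_ip is None or m.dst != self.ip:
            raise ValueError("proxy not confirmed for this NE, or message misaddressed")
        outbound = Msg(m.kind, self.ip, self.ca_ip, m.body)   # the "second"/"fourth" message
        self.trace.append(outbound)
        inbound = ca.handle(outbound)
        if inbound is None:
            return None
        back = Msg(inbound.kind, self.ip, m.src, inbound.body)  # the "first" response
        self.trace.append(back)
        return back

    def download_request(self, m):
        """Claim 25: serve the local copy when versions match, otherwise fetch from the NMS."""
        if m.body["version"] == self.local_version:
            return Msg("config", self.ip, m.src, {"config": self.local_config, "from": "proxy"})
        return Msg("config", self.ip, m.src, {"config": self.nms.download(), "from": "nms"})


def enroll(ne_ip, ne_id, proxy, ca):
    """First-NE side of claims 17-20: confirm the proxy, TCP handshake, then certificate."""
    proxy.confirm(Msg("confirm", ne_ip, proxy.ip, {"ca_ip": ca.ip}))
    cert = None
    for kind in ("connect_req", "connect_confirm", "cert_app", "cert_confirm"):
        r = proxy.relay_to_ca(ca, Msg(kind, ne_ip, proxy.ip, {"ne_id": ne_id}))
        if r is not None and r.kind == "cert_resp":
            cert = r.body["cert"]
    return cert
```

Inspecting `proxy.trace` after `enroll` shows that no message leaving the proxy carries the first network element's address toward the CA, which is the property a defender would want to verify on a real deployment's packet captures.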
27. A communication device, the device comprising: a communication unit and a processing unit, wherein,
The communication unit is used for receiving and transmitting data;
The processing unit is used for performing the method of any one of claims 1-26.
28. A communication device, comprising: a communication interface, a memory, and a processor; wherein,
The communication interface is used for receiving and transmitting data;
The memory is used for storing program instructions and data;
The processor being operative to read program instructions and data in the memory to implement the method of any one of claims 1-26.
29. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to perform the method of any of claims 1-26.
30. A chip, wherein the chip comprises a processor and a memory; the processor being coupled to the memory for reading a computer program stored in the memory for performing the method of any of claims 1-26.
CN202211294379.2A 2022-10-21 2022-10-21 Communication method and device Pending CN117917874A (en)
Publications (1)

Publication Number Publication Date
CN117917874A true CN117917874A (en) 2024-04-23