WO2009143739A1 - Method, device and communication system for managing and querying mapping information - Google Patents
Method, device and communication system for managing and querying mapping information
- Publication number
- WO2009143739A1 (PCT/CN2009/071660)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- signature
- pair
- mapping
- information
- mapping pair
- Prior art date
Classifications
- H04L45/00: Routing or path finding of packets in data switching networks
- H04L45/02: Topology update or discovery
- H04L45/04: Interdomain routing, e.g. hierarchical routing
- H04L45/46: Cluster building
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/08: Authentication of entities
- H04L63/0823: Authentication of entities using certificates
- H04L63/12: Applying verification of the received information
- H04L63/126: Verifying the source of the received data
Definitions
- the present invention relates to communication network data transmission technology, and in particular to a method, device and communication system for managing and querying mapping information.
- the Internet is divided into two parts: a transit network at the centre of the network, and edge networks connected to the transit network through border routers (BR).
- a BR knows the routing information of both the edge network and the transit network it connects, but routes from one are not propagated into the other.
- the routing prefix information inside an edge network is not propagated into the transit network; instead, the BR of the edge network registers the prefixes of the edge network with a registration agent (RA) in the transit network.
- the mapping relationship between a prefix and the BR that registered it is called mapping information; each RA maintains a database that stores mapping information, called the mapping information database.
- the multiple RAs in the transit network synchronize the contents of their mapping information databases through a communication protocol (such as a BGP extension), so that all databases remain synchronized and hold the same mapping information records. Once synchronization is complete, any RA in the transit network knows which BR must relay traffic to reach a given prefix.
- traffic from edge network A to edge network B first arrives at BR-A, the BR connecting edge network A, which then queries the RA for the mapping information of the prefix that is the longest match for the destination IP address.
- the result is the information of the BR that registered that mapping, namely BR-B; BR-A then forwards the packet through a tunnel to BR-B (MPLS, IP in IP, GRE or any other tunnel).
- BR-B knows the routing information inside the edge network it connects, so it forwards according to the routing table inside edge network B, and the packet finally reaches its destination.
- this forwarding scheme is called the forwarding and lookup separation scheme: the RA only answers mapping information queries, and traffic between edges does not need to transit through the RA.
- mapping information registration security: an attacker may impersonate someone else and register incorrect mapping information with the RA, for example a prefix that does not belong to the attacker.
- mapping information query security: an attacker may impersonate the RA and supply incorrect mapping information to the querier.
- the RA itself may also, for some purpose, tamper with information in certain mapping information pairs, such as the prefix length or the entry address; in the scenario of Figure 1, for example, the entry point of edge network B is changed from BR-B to BR-B'.
- mapping information database synchronization security: when the RAs synchronize their mapping information databases, some RAs may advertise untrue mapping information, for example by modifying the prefix length of an existing mapping information record before publishing it, or simply by forging mapping information pairs that do not exist.
- an object of the embodiments of the present invention is to provide a method for managing mapping information in network routing, a method for querying mapping information, a border network device, a registration agent device and a communication system, so as to secure the registration, query and synchronization of mapping information in network routing.
- an embodiment of the present invention provides a method for managing mapping information in network routing, including: signing the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair; and submitting the signature mapping pair to a registration agent in the transit network;
- the registration agent shares the signature mapping pair with other registration agents through data synchronization.
- an embodiment of the present invention provides a method for querying mapping information, including:
- a first border network owner queries a registration agent according to the prefix of a second border network owner, and obtains the signature mapping pair of the second border network owner returned by the registration agent;
- the first border network owner checks, according to the signature control information in the signature mapping pair, whether the signature mapping pair is valid;
- after the check determines that the signature mapping pair is valid, the first border network owner extracts the mapping information from the signature mapping pair.
- an embodiment of the present invention provides a border network device, including:
- a signature mapping pair generating unit, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair;
- a submitting unit, configured to submit the signature mapping pair to a registration agent in the transit network.
- an embodiment of the present invention provides a registration agent device, including:
- a receiving unit, configured to receive the signature mapping pair submitted by a border network owner;
- a signature mapping pair database unit, configured to store the signature mapping pair received by the receiving unit; and a synchronization unit, configured to synchronize the signature mapping pairs stored in the signature mapping pair database unit to other registration agents.
- an embodiment of the present invention further provides a communication system, including:
- a border network device, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair, and to submit the signature mapping pair to the registration agent device; and the registration agent device, configured to receive the signature mapping pair submitted by the border network device and to share it with other registration agents through data synchronization.
- the method for managing mapping information, the method for querying mapping information, the devices and the communication system proposed by the embodiments of the present invention sign the mapping information pair with the private key of a certificate, thereby guaranteeing the reliability of the mapping information during registration, query and synchronization.
- this reliability eliminates the security risks of the prior art and, accordingly, improves the reliability of the communication network or system.
- FIG. 1 is a schematic diagram of the existing Internet architecture.
- FIG. 2 is the main flowchart of a method for managing mapping information according to an embodiment of the present invention.
- FIG. 3 is a schematic diagram of prefix and certificate allocation according to an embodiment of the present invention.
- FIG. 4 is a schematic diagram of an application scenario provided by an embodiment of the present invention.
- FIG. 5 shows a first embodiment of a method for managing mapping information according to the present invention.
- FIG. 6 shows a second embodiment of a method for managing mapping information according to the present invention.
- FIG. 7 is a flowchart of a method for querying mapping information according to the present invention.
- FIG. 8 shows a third embodiment of a method for managing mapping information according to the present invention.
- FIG. 9 is a schematic diagram of the certificate of Organization A in an embodiment of the present invention.
- FIG. 10 is a schematic diagram of the certificate of the transit network owner in an embodiment of the present invention.
- FIG. 11 is a structural block diagram of a communication system according to an embodiment of the present invention.
- FIG. 12 shows a first embodiment of a border network device of the present invention.
- FIG. 13 shows a second embodiment of a border network device of the present invention.
- FIG. 14 shows a third embodiment of a border network device of the present invention.
- FIG. 15 shows a fourth embodiment of a border network device of the present invention.
- FIG. 16 shows a first embodiment of a registration agent device of the present invention.
- FIG. 17 shows a second embodiment of a registration agent device of the present invention.
- FIG. 18 shows a third embodiment of a registration agent device of the present invention.
- FIG. 19 shows a fourth embodiment of a registration agent device of the present invention.
- the method for managing mapping information in network routing, the method for querying mapping information, the border network device, the registration agent device and the communication system according to the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
- the border network owner (Organization) and the border network device refer to the same object; the registration agent (RA) and the registration agent device refer to the same object;
- the first border network owner and Organization A refer to the same object, and the second border network owner and Organization B refer to the same object.
- the method includes:
- S101: the mapping information pair is signed with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair.
- the mapping information pair includes at least the following information: the prefix, the IP address in the transit network, and mapping control information.
- the signature mapping pair includes at least the following information: the prefix, the IP address in the transit network, mapping control information, signature control information, and the signature;
- the signature control information includes: the certificate information used for signing, the revocation point of this signature mapping pair, the validity date, and the signature algorithm information.
- S102: the signature mapping pair is submitted to a registration agent in the transit network.
- S103: the registration agent shares the signature mapping pair with other registration agents through data synchronization.
- the registration agent (RA) may set up a separate signature mapping pair database to store signature mapping pairs.
- each RA synchronizes its signature mapping pair database with the others using the signature mapping pair as the basic record unit, and provides signature mapping pairs in response to queries.
- each signature mapping pair carries embedded lifetime information; a signature mapping pair whose lifetime has expired should be discarded.
- an RA should neither accept nor distribute signature mapping pairs outside their lifetime.
- when the querier receives a signature mapping pair, it verifies the signature of the mapping pair according to the certificate information and signature algorithm information it carries, and proceeds with further processing only after the verification passes.
- steps S101 to S102 may be implemented as follows:
- the prefix and the autonomous system number of the transit network are signed with the private key of the certificate corresponding to the prefix, generating a first signature mapping pair that is submitted to the transit network owner;
- the transit network owner signs the first signature mapping pair with a certificate containing the autonomous system number, generating a second signature mapping pair that is submitted to a registration agent in the network.
- the method for managing mapping information in network routing has been described above in general.
- those skilled in the art should understand that by signing the mapping information pair with the private key of a certificate, the embodiment of the present invention guarantees the reliability of the mapping information in registration, query and synchronization, and thereby eliminates the security risks of the prior art.
- the international top-level authority for prefixes and AS numbers is the Internet Assigned Numbers Authority (IANA), under which there are five first-level regional agencies.
- the agency for the Asia-Pacific region is the Asia-Pacific Network Information Center (APNIC).
- operators in the Asia-Pacific region, such as China Mobile, China Telecom and China Netcom, and organizations that need network prefixes and autonomous system numbers (AS#), such as the China Education Network, can apply to APNIC for IP address prefixes and AS numbers.
- an operator may also act as an agency for the area its network covers; for example, China Netcom may accept prefix applications from organizations in the Beijing area.
- Figure 3 takes the 10.0.0.0/8 block as an example to illustrate the prefix allocation process from IANA down to an end organization, and the corresponding resource certificate verification path.
- the certificate authorities in Figure 3 are IANA, APNIC, China Netcom and China Telecom.
- the holders of resource certificates are the China Education Network, the first border network owner (Organization A) and the second border network owner (Organization B). Because China Netcom and China Telecom operate their own transit networks and need actual IP prefixes and AS numbers for them, they also allocate resource certificates to their own transit networks as needed. The prefixes and AS numbers of the different resource certificates are mutually exclusive: in Figure 3, for example, once China Netcom has allocated the prefix 10.2.1.0/24 to Organization A, it can no longer allocate it to Organization B, nor to China Netcom's own transit network.
- a user network may also apply directly to IANA for a provider-independent IP address block; when the user changes access provider, the internal network addresses then do not need renumbering.
- Organization A obtains its certificate through the certificate distribution process of Figure 3. Assuming that Organizations A and B are connected to the transit networks of China Netcom and China Telecom respectively, as in Figure 4, the prefixes of Organizations A and B are not distributed into the transit network; instead, the prefix 10.2.1.0/24 of Organization A is mapped to the address 192.168.1.2 in the transit network and the prefix 10.3.1.0/24 of Organization B is mapped to the address 192.168.2.2 in the transit network. As shown in Figure 5, the steps by which Organization A and Organization B register and synchronize mapping information include:
- S200: generate a mapping information pair from the prefix and the egress ID corresponding to the prefix.
- the signature mapping pair is submitted to the nearest RA, for example:
- the signature mapping pair of Organization A is submitted to RA1;
- the signature mapping pair of Organization B is submitted to RA2.
- the registration agent shares the signature mapping pair with other registration agents through data synchronization. Specifically, RA1 and RA2 synchronize their databases, so that finally the signature mapping database of RA1 also holds the signature mapping pair of Organization B, and the database of RA2 also holds the signature mapping pair of Organization A.
- steps S201 to S203 may specifically be carried out in the following way.
- taking Organization A as an example (Organization B proceeds in the same way), as shown in Figure 6, this includes:
- RA1 shares the signature mapping pair with the other registration agent (RA2) through data synchronization.
- management coupling is reduced and the flexibility with which the transit network can reassign the routable address of a border router is increased:
- organizations only need to know the AS# of the transit network they have authorized, and this AS# does not change frequently; the address at which a particular border router is routable within the transit network is decided entirely by the transit network itself and can be dynamically reassigned many times, and as long as the AS# is unchanged the prefix holder does not need to re-sign.
- the embodiment of the present invention proposes a method for querying mapping information, which is described in detail below with reference to FIG. 7.
- when Organization A wants to send data to the network of Organization B, it first checks whether border router A (BR-A) already has mapping information for the prefix of Organization B; if so, it sends the data to Organization B directly according to that mapping information. Otherwise, it performs the steps of Figure 7:
- Organization A queries RA1 or RA2 according to the prefix of Organization B (10.3.1.0/24) to obtain the signature mapping pair of Organization B.
- Organization A checks, according to the signature control information in the signature mapping pair, whether the signature mapping pair is valid. Specifically, this includes checking whether the format of the certificate is well-formed; checking whether the validity period of the signature mapping pair has expired; checking whether the certificate of Organization B is trusted and whether it has expired; and verifying, with the public key in the certificate of Organization B, whether the signature field of the signature mapping pair is valid.
- only when all of the above checks pass does BR-A consider the signature mapping pair valid.
- after the check determines that the signature mapping pair is valid, Organization A sends data to Organization B according to the mapping information in the signature mapping pair.
- the method for querying mapping information proposed by the embodiment of the present invention signs the mapping information pair with the private key of an X.509 v3 certificate, and verifies the signature of the signature mapping pair when the mapping information is queried.
- only a signature mapping pair that passes verification is valid; this prevents an attacker from impersonating the RA to supply incorrect information to the querier, also solves the problem of the RA tampering with mapping information, improves the reliability of mapping information queries and eliminates the security risks of the prior art. Accordingly, the reliability of the communication network or system is improved.
- the border network owner may revoke a signature mapping pair it has registered with an RA.
- taking Organization A as an example, as shown in FIG. 8:
- Organization A generates a signature mapping pair revocation record and sends it to the signature mapping pair revocation database of RA1; in fact, Organization A may send the revocation record it generates to the signature mapping pair revocation database of either RA1 or RA2.
- RA1 deletes the signature mapping pair corresponding to the revocation record from its signature mapping pair database and synchronizes the revocation record to the signature mapping pair revocation databases of the other RAs (such as RA2); the RA (such as RA2) will record the corresponding signature
- the mapping information pair is signed with the private key of an X.509 v3 certificate, thereby guaranteeing the reliability of the mapping information in registration, query and synchronization and eliminating the security risks of the prior art; accordingly, the reliability of the communication network or system is improved.
- an embodiment of the present invention provides a communication system, as shown in FIG. 11, including:
- a border network device, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair, and to submit the signature mapping pair to the registration agent device; and the registration agent device, configured to receive the signature mapping pair submitted by the border network device and to share it with other registration agents through data synchronization.
- a first embodiment of a border network device of the present invention includes:
- the signature mapping pair generating unit 1100, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair;
- the submitting unit 1200, configured to submit the signature mapping pair to a registration agent in the transit network.
- FIG. 13 illustrates a second embodiment of a border network device of the present invention.
- in addition to the structure above, the device further includes:
- the query unit 1300, configured to query the registration agent according to the prefix information of the second border network owner, and to obtain the signature mapping pair of the second border network owner returned by the registration agent;
- the checking unit 1400, coupled to the query unit 1300 and configured to check whether the signature mapping pair of the second border network owner is valid;
- the data sending unit 1500, configured to send data to the second border network owner according to the mapping information in the signature mapping pair after the checking unit 1400 determines that the signature mapping pair is valid.
- in addition to the same structure as the second embodiment of the border network device, the border network device of the third embodiment further includes:
- the revocation record generating unit 1600, configured to generate a signature mapping pair revocation record;
- the revocation record submitting unit 1700, configured to submit the signature mapping pair revocation record to the registration agent so that the corresponding signature mapping pair is revoked.
- the border network device may also include the revocation record generating unit 1600 and the revocation record submitting unit 1700 in addition to the structure of the border network device described above.
- the registration agent device includes:
- the receiving unit 2100, configured to receive the signature mapping pair submitted by a border network owner;
- the signature mapping pair database unit 2200, configured to store the signature mapping pair received by the receiving unit 2100; and a synchronization unit, configured to synchronize the stored signature mapping pairs with other registration agents.
- a second embodiment of a registration agent device of the present invention is illustrated.
- in addition to the structure above, the device further includes:
- the query response unit 2400, configured to look up the signature mapping pair corresponding to a prefix provided by a border network owner and to return it to the border network owner.
- in addition to the same structure as the second embodiment of the registration agent device, the registration agent device of the third embodiment further includes:
- the revocation response unit 2500, configured to delete from the signature mapping pair database unit the signature mapping pair corresponding to the signature mapping pair revocation record provided by the border network owner, and to synchronize the revocation record to other registration agents;
- the revocation record database unit 2600, configured to hold the signature mapping pairs deleted by the revocation response unit 2500.
- the registration agent device of the fourth embodiment includes the revocation response unit in addition to the same configuration as the first embodiment of the registration agent device.
- the mapping information pair is signed with the private key of a certificate, ensuring the reliability of the mapping information in registration, query and synchronization;
- this reliability eliminates the security risks of the prior art and accordingly improves the reliability of the communication network or system.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Method, device and communication system for managing and querying mapping information. This application claims priority to Chinese Patent Application No. 200810028535.4, filed with the Chinese Patent Office on 29 May 2008 and entitled "Method, device and communication system for managing and querying mapping information", the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to communication network data transmission technology, and in particular to a method, device and communication system for managing and querying mapping information.
Background
At present, with the wide deployment of multi-homing and traffic engineering, the number of Internet routes is growing rapidly. On the one hand, the need for larger routing-table memory chips raises the cost of router equipment; on the other hand, route convergence becomes slower.
To alleviate the problem of oversized routing tables caused by this surge in routes, the Internet is divided into two parts, as shown in Figure 1: a transit network at the centre of the network, and edge networks connected to the transit network through border routers (BR). A BR knows the routing information of both the edge network and the transit network it connects, but routes from one are not propagated into the other.
The routing prefix information inside an edge network is not propagated into the transit network. Instead, the BR of the edge network is responsible for registering the prefixes of the edge network with a registration agent (RA) in the transit network. The mapping relationship between a prefix and the BR that registered it is called mapping information; each RA maintains a database of mapping information, called the mapping information database. The multiple RAs in the transit network synchronize the contents of their mapping information databases through a communication protocol (for example, a BGP extension), so that all databases remain synchronized and hold the same mapping information records. Once synchronization is complete, any RA in the transit network knows which BR must relay traffic to reach a given prefix. For example, in Figure 1, traffic from edge network A to edge network B first arrives at BR-A, the BR connecting edge network A. BR-A then queries the RA for the mapping information of the prefix that is the longest match for the destination IP address and obtains the information of the BR that registered that mapping, namely BR-B. BR-A then forwards the packet to BR-B through a tunnel to BR-B (MPLS, IP in IP, GRE or any other tunnel). BR-B knows the routing information inside the edge network it connects, so it forwards according to the routing table inside edge network B, and the packet finally reaches its destination. This forwarding scheme is called the forwarding and lookup separation scheme: the RA only answers mapping information queries, and traffic between edges does not need to transit through the RA.
In implementing the present invention, the inventors found that the above separation scheme has several potential security problems:
Mapping information registration security: an attacker may impersonate someone else and register incorrect mapping information with the RA, for example a prefix that does not belong to the attacker.
Mapping information query security: an attacker may impersonate the RA and supply incorrect mapping information to the querier; the RA itself may also, for some purpose, tamper with information in certain mapping information pairs, such as the prefix length or the entry address. In the scenario of Figure 1, for example, the entry point of edge network B could be changed from BR-B to BR-B'.
Mapping information database synchronization security: when the RAs synchronize their mapping information databases, some RAs may advertise untrue mapping information, for example by modifying the prefix length of an existing mapping information record before publishing it, or simply by forging mapping information pairs that do not exist.
Summary of the Invention
The object of the embodiments of the present invention is to provide a method for managing mapping information in network routing, a method for querying mapping information, a border network device, a registration agent device and a communication system, so as to secure the registration, query and synchronization of mapping information in network routing.
To this end, an embodiment of the present invention proposes a method for managing mapping information in network routing, including: signing the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair;
submitting the signature mapping pair to a registration agent in the transit network;
the registration agent sharing the signature mapping pair with other registration agents through data synchronization.
An embodiment of the present invention proposes a method for querying mapping information, including:
a first border network owner querying a registration agent according to the prefix of a second border network owner, and obtaining the signature mapping pair of the second border network owner returned by the registration agent;
the first border network owner checking, according to the signature control information in the signature mapping pair, whether the signature mapping pair is valid;
after the check determines that the signature mapping pair is valid, the first border network owner extracting the mapping information from the signature mapping pair.
Correspondingly, an embodiment of the present invention proposes a border network device, including:
a signature mapping pair generating unit, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair;
a submitting unit, configured to submit the signature mapping pair to a registration agent in the transit network.
An embodiment of the present invention proposes a registration agent device, including:
a receiving unit, configured to receive the signature mapping pair submitted by a border network owner;
a signature mapping pair database unit, configured to store the signature mapping pair received by the receiving unit; and a synchronization unit, configured to synchronize the signature mapping pairs stored in the signature mapping pair database unit to other registration agents.
Correspondingly, an embodiment of the present invention further proposes a communication system, including:
a border network device, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair, and to submit the signature mapping pair to a registration agent device; and the registration agent device, configured to receive the signature mapping pair submitted by the border network device and to share the signature mapping pair with other registration agents through data synchronization.
By implementing the method for managing mapping information, the method for querying mapping information, the devices and the communication system proposed by the embodiments of the present invention, the mapping information pair is signed with the private key of a certificate, which guarantees the reliability of the mapping information during registration, query and synchronization, eliminates the security risks of the prior art and accordingly improves the reliability of the communication network or system.
Brief Description of the Drawings
Figure 1 is a schematic diagram of the existing Internet architecture;
Figure 2 is the main flowchart of a method for managing mapping information provided by an embodiment of the present invention;
Figure 3 is a schematic diagram of prefix and certificate allocation provided by an embodiment of the present invention;
Figure 4 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
Figure 5 shows embodiment 1 of a method for managing mapping information of the present invention;
Figure 6 shows embodiment 2 of a method for managing mapping information of the present invention;
Figure 7 is a flowchart of a method for querying mapping information of the present invention;
Figure 8 shows embodiment 3 of a method for managing mapping information of the present invention;
Figure 9 is a schematic diagram of the certificate of Organization A in an embodiment of the present invention;
Figure 10 is a schematic diagram of the certificate of the transit network owner in an embodiment of the present invention;
Figure 11 is a structural block diagram of a communication system proposed by an embodiment of the present invention;
Figure 12 shows embodiment 1 of a border network device of the present invention;
Figure 13 shows embodiment 2 of a border network device of the present invention;
Figure 14 shows embodiment 3 of a border network device of the present invention;
Figure 15 shows embodiment 4 of a border network device of the present invention;
Figure 16 shows embodiment 1 of a registration agent device of the present invention;
Figure 17 shows embodiment 2 of a registration agent device of the present invention;
Figure 18 shows embodiment 3 of a registration agent device of the present invention;
Figure 19 shows embodiment 4 of a registration agent device of the present invention.
Detailed Description
To present the technical solutions of the embodiments of the present invention clearly and completely, the method for managing mapping information in network routing, the method for querying mapping information, the border network device, the registration agent device and the communication system proposed by the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Before the technical solutions are described, it should be noted that in the description of the embodiments of the present invention, the border network owner (Organization) and the border network device refer to the same object; the registration agent (RA) and the registration agent device refer to the same object; the first border network owner and Organization A refer to the same object; and the second border network owner and Organization B refer to the same object.
Referring to Figure 2, which shows the main flowchart of a method for managing mapping information in network routing according to an embodiment of the present invention, the method includes:
S101: sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, to generate a signature mapping pair;
The mapping information pair includes at least the following information: the prefix, the IP address in the transit network, and mapping control information.
The signature mapping pair includes at least the following information: the prefix, the IP address in the transit network, mapping control information, signature control information, and the signature. The signature control information includes: the certificate information used for signing, the revocation point of this signature mapping pair, the validity date, and the signature algorithm information.
S102: submit the signature mapping pair to a registration agent in the transit network;
S103: the registration agent shares the signature mapping pair with other registration agents through data synchronization.
Specifically, a registration agent (RA) may set up a separate signature mapping pair database to store signature mapping pairs. Each RA synchronizes its signature mapping pair database with the others using the signature mapping pair as the basic record unit, and provides signature mapping pairs in response to queries. Every signature mapping pair carries embedded lifetime information; a signature mapping pair whose lifetime has expired should be discarded, and an RA should neither accept nor distribute signature mapping pairs outside their lifetime. When a querier receives a signature mapping pair, it verifies the signature of the mapping pair according to the certificate information and signature algorithm information it carries, and proceeds with further processing only after the verification passes.
It should be noted that steps S101 to S102 may be implemented as follows:
a. sign the prefix and the autonomous system number of the transit network with the private key of the certificate corresponding to the prefix, to generate a first signature mapping pair, and submit it to the owner of the transit network;
b. the transit network owner signs the first signature mapping pair with a certificate containing the autonomous system number, to generate a second signature mapping pair, and submits it to a registration agent in the network.
The method for managing mapping information in network routing according to the embodiment of the present invention has been described above as a whole. Those skilled in the art should understand that by signing the mapping information pair with the private key of a certificate, the embodiment of the present invention guarantees the reliability of the mapping information during registration, query and synchronization and eliminates the security risks of the prior art.
The technical solution of the embodiment of the present invention is described in detail below, taking Public Key Infrastructure (PKI) certificates as an example. As shown in Figure 3, the international top-level authority for prefixes and AS numbers is the Internet Assigned Numbers Authority (IANA), under which there are five first-level regional agencies; the agency for the Asia-Pacific region is the Asia-Pacific Network Information Center (APNIC). Operators in the Asia-Pacific region, such as China Mobile, China Telecom and China Netcom, and organizations that need network prefixes and autonomous system numbers (AS#), such as the China Education Network, can therefore apply to APNIC for IP address prefixes and AS numbers. An operator may also act as an agency for the area its network covers; for example, China Netcom may accept prefix applications from organizations in the Beijing area. Taking the 10.0.0.0/8 block as an example, Figure 3 illustrates the prefix allocation process from IANA down to an end organization, and the corresponding resource certificate verification path.
In Figure 3, the certificate authorities (CA) are IANA, APNIC, China Netcom and China Telecom; the holders of resource certificates are the China Education Network, the first border network owner (Organization A) and the second border network owner (Organization B). Because China Netcom and China Telecom operate their own transit networks and need actual IP prefixes and AS numbers for them, they also allocate resource certificates to their own transit networks as needed. The prefixes and AS numbers of the different resource certificates are mutually exclusive: in Figure 3, for example, once China Netcom has allocated the prefix 10.2.1.0/24 to Organization A, it can no longer allocate it to Organization B, nor to China Netcom's own transit network. A user network may also apply directly to IANA for a provider-independent IP address block; then, when the user changes access provider, the internal network addresses do not need renumbering.
The technical solution of the embodiment of the present invention is now described in detail under the network architecture of Figure 4, in conjunction with the method steps shown in Figures 5, 6, 7 and 8.
This example assumes the X.509 v3 certificate format of PKI; Figure 9 shows the certificate that Organization A obtains through the certificate distribution process of Figure 3. Assume that Organizations A and B are connected to the transit networks of China Netcom and China Telecom respectively, as in Figure 4. The prefixes of Organizations A and B are then not distributed into the transit network; instead, the prefix 10.2.1.0/24 of Organization A is mapped to the address 192.168.1.2 in the transit network, and the prefix 10.3.1.0/24 of Organization B is mapped to the address 192.168.2.2 in the transit network. As shown in Figure 5, the steps by which Organization A and Organization B register and synchronize mapping information include:
5200, 才艮据前缀以及前缀对应的出口 ID生成映射信息对。
其中 , Organization A对应的映射信息对为: {prefix = 10.2.1.0/24, transit IP = 192.168.1.2, 映射控制信息 }; Organization B对应的映射信息对为: { prefix = 10.3.1.0/24, transit IP = 192.168.2.2, 映射控制信息 }
5201 , Organization A用其资源证书对应的私钥为其映射信息对签名并生成 签名映射对: { prefix = 10.2.1.0/24, transit IP = 192.168.1.2, 映射控制信息, 签名 控制信息 , Signature A};
相应地, Organization B 也用同样的方法生成签名映射对: { prefix = 10.3.1.0/24, transit IP = 192.168.2.2,映射控制信息,签名控制信息, Signature B};
5202, 向传输网络中的注册代理提交所述签名映射对;
优选地, 提交到就近的 RA, 如: Organization A的签名映射对就近提交到 RA1, Organization B的签名映射对就近提交到 RA2。
5203 , 所述注册代理通过数据同步与其它注册代理共享所述签名映射对 , 具体地, RA1 和 RA2 进行数据库同步, 最终 RA1 的签名映射数据库将拥有 Organization B的签名映射对, RA2的数据库也拥有 Organization A的签名映射 对。
It should be noted that, in a specific implementation, steps S201 to S203 may be carried out in the following manner. Taking Organization A as an example (Organization B proceeds in the same way), as shown in Fig. 6, the steps include:
S301: Organization A signs {10.2.1.0/24, 100} with the private key of the certificate corresponding to the prefix (10.2.1.0/24) in the mapping information pair, generating signed mapping pair 1: {prefix = 10.2.1.0/24, AS# = 100, signature control information 1, signature1}, and submits it to the owner of the transit network (the China Netcom transport network of Fig. 4);
S302: the China Netcom transport network signs signed mapping pair 1 submitted by Organization A with the resource certificate that contains its own AS# (100) (certificate format as shown in Fig. 10), generating signed mapping pair 2: {{prefix = 10.2.1.0/24, AS# = 100, signature control information 1, signature1}, transit IP = 192.168.1.2, mapping control information, signature control information 2, signature2}, and submits it to RA1.
S303: RA1 shares signed mapping pair 2 with the other registration agents (RA2) by data synchronization.
The solution of Fig. 6 reduces management coupling and increases the flexibility with which the routable address of a border router in the transit network can be reassigned: an organization only needs to know the AS# of the transit network it has authorized, and this AS# generally does not change often, while the specific routable address of the border router in the transit network is decided entirely by the transit network itself and can be reassigned dynamically many times; as long as the AS# is unchanged, the prefix owner does not need to sign again.
Correspondingly, an embodiment of the present invention proposes a method for querying mapping information, which is described in detail below with reference to Fig. 7.
When Organization A wants to send data to the network of Organization B, it first checks whether border router A (BR-A) holds the mapping information corresponding to Organization B's prefix. If so, it sends the data to Organization B directly according to that mapping information; otherwise, it performs the steps of Fig. 7:
S401: Organization A queries RA1 with Organization B's prefix (10.3.1.0/24) and obtains from RA1 Organization B's signed mapping pair: {prefix = 10.3.1.0/24, transit IP = 192.168.2.2, mapping control information, signature control information, Signature B}. In fact, Organization A can obtain Organization B's signed mapping pair by querying either RA1 or RA2 with Organization B's prefix (10.3.1.0/24).
S402: Organization A checks whether the signed mapping pair is valid according to the signature control information it carries. Specifically, this includes:
checking whether the certificate format is acceptable;
checking whether the validity period of the signed mapping pair has expired;
checking whether Organization B's certificate is trusted and whether it has expired;
verifying, with the public key in Organization B's certificate, whether the signature field of the signed mapping pair is valid.
Only when all of the above checks pass does BR-A regard the signed mapping pair as valid.
S403: once the checks have established that the signed mapping pair is valid, Organization A sends data to Organization B according to the mapping information in the signed mapping pair.
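The registration flow of steps S200 to S203 and S301 to S303 and the verification of step S402 fit in one small program. The following is an added example written for this page, not code from the patent or its assignee. It assumes Ed25519 keys in place of the X.509 v3 resource certificates of Figs. 9 and 10, a name-keyed trust store in place of chain validation back to IANA, JSON as the canonical signed encoding, and the revocation point value ra1.example/revoke as a constructed placeholder; all type and function names (SigCtrl, Pair1, Pair2, Cert, TrustStore, checkLayer, VerifyPair2, BuildExample) are the example's own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SigCtrl is the signature control information of claims 4 and 5; the signing
// certificate is referenced by name (assumption: a deployment would embed it).
type SigCtrl struct {
	SignerID        string    `json:"signer"`
	RevocationPoint string    `json:"revocation_point"`
	NotAfter        time.Time `json:"not_after"`
	Alg             string    `json:"alg"`
}
// Pair1 is signed mapping pair 1 (S301): the prefix owner authorises an AS number.
type Pair1 struct {
	Prefix    string  `json:"prefix"`
	ASN       uint32  `json:"asn"`
	Ctrl      SigCtrl `json:"sig_ctrl"`
	Signature []byte  `json:"sig,omitempty"`
}
// Pair2 is signed mapping pair 2 (S302): the transit owner binds Pair1 to a transit IP.
type Pair2 struct {
	Inner     Pair1   `json:"pair1"`
	TransitIP string  `json:"transit_ip"`
	MapCtrl   string  `json:"map_ctrl"`
	Ctrl      SigCtrl `json:"sig_ctrl"`
	Signature []byte  `json:"sig,omitempty"`
}
// Cert stands in for an X.509 resource certificate (Figs. 9 and 10): a key plus the
// resources ("10.2.1.0/24", "AS100") delegated to it; Ed25519 replaces RSA (assumption).
type Cert struct {
	PublicKey ed25519.PublicKey
	NotAfter  time.Time
	Resources map[string]bool
}
// TrustStore maps a signer name to its certificate (stands in for chain validation to IANA, Fig. 3).
type TrustStore map[string]Cert

// tbs gives the to-be-signed bytes of a record whose signature field is cleared;
// encoding/json writes struct fields in declaration order, so the encoding is canonical.
func tbs(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// checkLayer applies the S402 checks to one signature layer (format, validity of the
// pair, trust and expiry of the certificate, signature), then requires that the
// certificate actually holds the resource (prefix or AS number) the layer asserts.
func (ts TrustStore) checkLayer(c SigCtrl, msg, sig []byte, res string, now time.Time) error {
	cert, ok := ts[c.SignerID]
	switch {
	case c.Alg != "ed25519" || len(sig) != ed25519.SignatureSize:
		return errors.New("malformed signature control information")
	case now.After(c.NotAfter):
		return errors.New("signed mapping pair expired")
	case !ok || now.After(cert.NotAfter):
		return fmt.Errorf("certificate of %q not trusted or expired", c.SignerID)
	case !ed25519.Verify(cert.PublicKey, msg, sig):
		return fmt.Errorf("signature of %q invalid", c.SignerID)
	case !cert.Resources[res]:
		return fmt.Errorf("certificate of %q does not hold %s", c.SignerID, res)
	}
	return nil
}

// VerifyPair2 is BR-A's acceptance test: the outer layer must come from the holder of
// the AS number named in Pair1 and the inner layer from the holder of the prefix, so a
// field rewritten by an RA in transit breaks one of the two signatures.
func (ts TrustStore) VerifyPair2(p Pair2, now time.Time) error {
	outer, inner := p, p.Inner
	outer.Signature, inner.Signature = nil, nil
	if err := ts.checkLayer(p.Ctrl, tbs(outer), p.Signature, fmt.Sprintf("AS%d", inner.ASN), now); err != nil {
		return err
	}
	return ts.checkLayer(inner.Ctrl, tbs(inner), p.Inner.Signature, inner.Prefix, now)
}

// BuildExample runs the Fig. 6 flow with constructed keys: Organization A (10.2.1.0/24)
// authorises AS 100 and the China Netcom transit network (AS 100) maps the prefix to
// 192.168.1.2; certificates and pairs are valid for one year from now.
func BuildExample(now time.Time) (TrustStore, Pair2) {
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	tPub, tPriv, _ := ed25519.GenerateKey(rand.Reader)
	exp := now.Add(365 * 24 * time.Hour)
	ts := TrustStore{"OrganizationA": {aPub, exp, map[string]bool{"10.2.1.0/24": true}},
		"ChinaNetcom": {tPub, exp, map[string]bool{"AS100": true}}}
	p1 := Pair1{Prefix: "10.2.1.0/24", ASN: 100, Ctrl: SigCtrl{"OrganizationA", "ra1.example/revoke", exp, "ed25519"}}
	p1.Signature = ed25519.Sign(aPriv, tbs(p1))
	p2 := Pair2{Inner: p1, TransitIP: "192.168.1.2", MapCtrl: "default", Ctrl: SigCtrl{"ChinaNetcom", "ra1.example/revoke", exp, "ed25519"}}
	p2.Signature = ed25519.Sign(tPriv, tbs(p2))
	return ts, p2
}

func main() {
	now := time.Date(2009, 5, 6, 0, 0, 0, 0, time.UTC) // constructed clock
	ts, p2 := BuildExample(now)
	fmt.Println("genuine:", ts.VerifyPair2(p2, now))
	p2.TransitIP = "192.168.9.9" // an RA rewriting the mapping
	fmt.Println("tampered:", ts.VerifyPair2(p2, now))
}
```

The genuine pair verifies and the copy whose transit IP was rewritten fails on the transit network's signature; the same check also fails for an expired pair, for a transit signer whose certificate does not hold the AS number named in pair 1, and for a signer missing from the trust store. The resource check in checkLayer is what gives the nested signature its meaning: without it, any trusted transit network could wrap any prefix owner's pair 1 under its own AS number.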
As can be seen from the above, the method for querying mapping information proposed by the embodiments of the present invention signs the mapping information pair with the private key of an X.509 v3 certificate, and when mapping information is queried the signed mapping pair is verified, so that only a signed mapping pair that passes verification is valid. This prevents an attacker from impersonating an RA to feed the querier false information and also resolves the problem of an RA tampering with mapping information, improving the reliability of mapping information queries, eliminating the security risk of the prior art and, correspondingly, improving the reliability of the communication network or system.
In the method for managing network routes proposed by the embodiments of the present invention, a border network owner can revoke a signed mapping pair that it has registered with an RA. Specifically, taking Organization A as an example and as shown in Fig. 8, this includes:
S501: the border network owner (Organization A) generates a signed mapping pair revocation record, whose basic form is {{prefix = 10.2.1.0/24, transit IP = 192.168.1.2, mapping control information}, revocation signature control information, Revocation Signature A};
S502: Organization A sends the generated signed mapping pair revocation record to the signed mapping pair revocation database of the nearby RA1; in fact, Organization A may send the generated revocation record to the signed mapping pair revocation database of either RA1 or RA2.
S503: RA1 deletes the signed mapping pair corresponding to the revocation record from its signed mapping pair database and synchronizes the revocation record to the signed mapping pair revocation databases of the other RAs (e.g. RA2), and each of those RAs (e.g. RA2) deletes the signed mapping pair corresponding to the record from its own signed mapping pair database.
If Organization B wants to revoke its own signed mapping pair, it performs steps similar to the above, which are not repeated here.
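On the RA side, steps S202, S203 and S501 to S503 reduce to accepting two kinds of signed record, keeping the two databases of Figs. 16 to 19 and forwarding each record to the peer RAs. Below is an added example for this page, not the patent's or its assignee's code. It models RA1 and RA2 of Fig. 8 in one process, uses Ed25519 in place of the certificate private key, identifies signers by name in a trust map (the check that the signer's certificate actually holds the prefix is assumed to have been done when its key was admitted), and tags each record with a Kind that the signature covers, a separation the patent leaves to its two distinct control-information fields. Names such as MappingPair, Record, RA, Accept and Setup are the example's own.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// MappingPair is the mapping information pair of step S200.
type MappingPair struct {
	Prefix    string `json:"prefix"`
	TransitIP string `json:"transit_ip"`
	MapCtrl   string `json:"map_ctrl"`
}

// Record is a signed mapping pair (Kind "register", S201) or a signed mapping pair
// revocation record (Kind "revoke", S501). Kind is covered by the signature so a
// registration can never be replayed as a revocation (assumption, not spelled out in the patent).
type Record struct {
	Kind      string      `json:"kind"`
	Signer    string      `json:"signer"` // certificate identity of the prefix owner
	Pair      MappingPair `json:"pair"`
	Signature []byte      `json:"sig,omitempty"`
}

// tbs: canonical to-be-signed bytes (signature cleared, fields in declaration order).
func tbs(r Record) []byte { r.Signature = nil; b, _ := json.Marshal(r); return b }

// Sign builds a record of the given kind; Ed25519 stands in for the private key of the
// owner's X.509 v3 resource certificate (assumption).
func Sign(kind, signer string, p MappingPair, key ed25519.PrivateKey) Record {
	r := Record{Kind: kind, Signer: signer, Pair: p}
	r.Signature = ed25519.Sign(key, tbs(r))
	return r
}

// RA is a registration agent holding the signed mapping pair database and the
// revocation record database of Figs. 16 to 19; Trusted maps a signer name to its
// public key (stands in for certificate validation).
type RA struct {
	Name    string
	Trusted map[string]ed25519.PublicKey
	Pairs   map[string]Record // prefix -> signed mapping pair
	Revoked map[string]Record // prefix -> revocation record
	Peers   []*RA
}

// Accept handles both kinds of record: it verifies the signature, refuses a revocation
// whose signer is not the registered owner of the prefix, updates the databases and
// forwards the record to the peer RAs (S203, S503). A record already held with the same
// signature is not re-propagated, which stops the synchronisation looping between peers.
func (ra *RA) Accept(r Record) error {
	pub, ok := ra.Trusted[r.Signer]
	if !ok || (r.Kind != "register" && r.Kind != "revoke") || !ed25519.Verify(pub, tbs(r), r.Signature) {
		return fmt.Errorf("%s: rejected %s record for %s from %q", ra.Name, r.Kind, r.Pair.Prefix, r.Signer)
	}
	db := ra.Pairs
	if r.Kind == "revoke" {
		if cur, ok := ra.Pairs[r.Pair.Prefix]; ok && cur.Signer != r.Signer {
			return errors.New(ra.Name + ": revocation signer is not the registered owner")
		}
		delete(ra.Pairs, r.Pair.Prefix)
		db = ra.Revoked
	}
	if old, ok := db[r.Pair.Prefix]; ok && bytes.Equal(old.Signature, r.Signature) {
		return nil
	}
	db[r.Pair.Prefix] = r
	for _, p := range ra.Peers {
		if err := p.Accept(r); err != nil {
			return err
		}
	}
	return nil
}

// Setup builds RA1 and RA2 as synchronising peers with constructed keys for Organization
// A, owner of 10.2.1.0/24, and for an unrelated but also trusted organization "Other".
func Setup() (*RA, *RA, ed25519.PrivateKey, ed25519.PrivateKey) {
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	oPub, oPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"OrganizationA": aPub, "Other": oPub}
	ra1 := &RA{Name: "RA1", Trusted: trusted, Pairs: map[string]Record{}, Revoked: map[string]Record{}}
	ra2 := &RA{Name: "RA2", Trusted: trusted, Pairs: map[string]Record{}, Revoked: map[string]Record{}}
	ra1.Peers, ra2.Peers = []*RA{ra2}, []*RA{ra1}
	return ra1, ra2, aPriv, oPriv
}

func main() {
	ra1, ra2, aPriv, oPriv := Setup()
	pair := MappingPair{"10.2.1.0/24", "192.168.1.2", "default"}
	fmt.Println("register:", ra1.Accept(Sign("register", "OrganizationA", pair, aPriv)))
	fmt.Println("foreign revoke:", ra2.Accept(Sign("revoke", "Other", pair, oPriv)))
	fmt.Println("owner revoke:", ra1.Accept(Sign("revoke", "OrganizationA", pair, aPriv)))
	fmt.Println("RA2 pairs:", len(ra2.Pairs), "revoked:", len(ra2.Revoked))
}
```

The run registers Organization A's pair at RA1, which RA2 receives by synchronisation, rejects a revocation signed by a different trusted organization, and then applies the owner's revocation to both RAs. Two points a deployment would still need: the revocation record database is what lets an RA answer a later query for a revoked prefix with an authoritative negative rather than silence, and this example does not stop a replay of the old registration record after revocation, so an RA would also reject a registration whose signature already appears in its revocation database or rely on the validity date in the signature control information.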
By implementing the method for managing mapping information proposed by the embodiments of the present invention, in which the mapping information pair is signed with the private key of an X.509 v3 certificate, the reliability of the mapping information during registration, querying and synchronization is guaranteed, the security risk of the prior art is eliminated and, correspondingly, the reliability of the communication network or system is improved.
On the basis of the method for managing and querying mapping information of the above embodiments, an embodiment of the present invention proposes a communication system, as shown in Fig. 11, which includes:
a border network device, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, generate a signed mapping pair and submit the signed mapping pair to a registration agent device; and
the registration agent device, configured to receive the signed mapping pair submitted by the border network device and share it with other registration agents by data synchronization.
Fig. 12 illustrates a first embodiment of a border network device of the present invention, which includes:
a signed mapping pair generation unit 1100, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair and generate a signed mapping pair; and
a submission unit 1200, configured to submit the signed mapping pair to a registration agent in the transport network.
In a specific implementation, Fig. 13 illustrates a second embodiment of a border network device of the present invention, which, in addition to the signed mapping pair generation unit 1100 and the submission unit 1200, includes:
a query unit 1300, configured to query a registration agent with the prefix information of the second border network owner and obtain the second border network owner's signed mapping pair returned by that registration agent;
a check unit 1400, coupled to the query unit 1300, configured to check whether the second border network owner's signed mapping pair is valid; and
a data sending unit 1500, configured to send data to the second border network owner according to the mapping information in the signed mapping pair once the check unit 1400 has determined that the signed mapping pair is valid.
In a specific implementation, Fig. 14 illustrates a third embodiment of a border network device of the present invention. In the third embodiment, in addition to the structure of the second embodiment, the border network device includes:
a revocation record generation unit 1600, configured to generate a signed mapping pair revocation record; and
a revocation record submission unit 1700, configured to submit the signed mapping pair revocation record to a registration agent so as to revoke the signed mapping pair corresponding to that revocation record.
In a specific implementation, Fig. 15 illustrates a fourth embodiment of a border network device of the present invention. In the fourth embodiment, in addition to the structure of the first embodiment, the border network device may also include the revocation record generation unit 1600 and the revocation record submission unit 1700.
Fig. 16 illustrates a first embodiment of a registration agent device of the present invention, which includes:
a receiving unit 2100, configured to receive the signed mapping pair submitted by a border network owner;
a signed mapping pair database unit 2200, configured to store the signed mapping pair received by the receiving unit 2100; and
a synchronization unit 2300, configured to synchronize the signed mapping pairs stored in the signed mapping pair database unit 2200 to other registration agents.
In a specific implementation, Fig. 17 illustrates a second embodiment of a registration agent device of the present invention, which, in addition to the receiving unit 2100, the signed mapping pair database unit 2200 and the synchronization unit 2300, includes:
a query response unit 2400, configured to look up the signed mapping pair corresponding to the prefix supplied by a border network owner and return it to that border network owner.
In a specific implementation, Fig. 18 illustrates a third embodiment of a registration agent device of the present invention. In the third embodiment, in addition to the structure of the second embodiment, the registration agent device includes:
a revocation response unit 2500, configured to delete, according to the signed mapping pair revocation record supplied by a border network owner, the signed mapping pair corresponding to that revocation record from the signed mapping pair database unit, and to synchronize the revocation record to other registration agents; and
a revocation record database unit 2600, configured to store the signed mapping pairs deleted by the revocation response unit 2500.
Fig. 19 illustrates a fourth embodiment of a registration agent device of the present invention. In the fourth embodiment, in addition to the structure of the first embodiment, the registration agent device includes the revocation response unit 2500 and the revocation record database unit 2600.
In summary, the method for managing mapping information, the method for querying mapping information, the devices and the communication system proposed by the embodiments of the present invention sign the mapping information pair with the private key of a certificate, guaranteeing the reliability of the mapping information during registration, querying and synchronization, eliminating the security risk of the prior art and, correspondingly, improving the reliability of the communication network or system.
From the description of the above embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software together with the necessary hardware platform, or of course entirely in hardware. On that basis, all or part of the contribution of the technical solution of the present invention over the background art may be embodied in the form of a software product, which may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in parts of them.
What is disclosed above is merely a preferred embodiment of the present invention and of course does not limit the scope of the rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope of the present invention.
Claims
1. A method for managing mapping information in network routing, characterized in that it comprises:
signing a mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, generating a signed mapping pair;
submitting the signed mapping pair to a registration agent in a transport network; and
the registration agent sharing the signed mapping pair with other registration agents by data synchronization.
2. The method of claim 1, characterized in that the mapping information pair comprises at least the following information: a prefix, an IP address in the transport network and mapping control information;
the signed mapping pair comprises at least the following information: the prefix, the IP address in the transport network, the mapping control information, signature control information and a signature;
wherein the signature control information comprises: information on the certificate used for signing, a revocation point of the signed mapping pair, a validity date and signature algorithm information.
3. The method of claim 1, characterized in that signing the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair and generating a signed mapping pair specifically comprises: signing the prefix and the autonomous system number of the transport network with the private key of the certificate corresponding to the prefix, generating a first signed mapping pair, and submitting the first signed mapping pair to the owner of the transport network; and the owner of the transport network signing the first signed mapping pair and the IP address in the transport network with the certificate that contains the autonomous system number, generating a second signed mapping pair.
4. The method of claim 3, characterized in that the first signed mapping pair comprises at least the following information: the prefix, the autonomous system number, first signature control information and a first signature;
wherein the first signature control information comprises: information on the certificate of the border network owner, a revocation point of the first signed mapping pair, a validity date and signature algorithm information.
5. The method of claim 3, characterized in that the second signed mapping pair comprises at least the following information: the first signed mapping pair, the IP address in the transport network, mapping control information, second signature control information and a second signature;
wherein the second signature control information comprises: information on the certificate of the owner of the transport network, a revocation point of the second signed mapping pair, a validity date and signature algorithm information.
6. The method of claim 1 or 3, characterized in that it further comprises:
a border network owner generating a signed mapping pair revocation record, wherein the signed mapping pair revocation record comprises: the prefix, the available IP address in the transport network, mapping control information, revocation signature control information and a revocation signature;
submitting the generated signed mapping pair revocation record to a registration agent in the transport network; and the registration agent deleting the signed mapping pair corresponding to the signed mapping pair revocation record and synchronizing the signed mapping pair revocation record to other registration agents.
7. A method for querying mapping information, characterized in that it comprises:
a first border network owner querying a registration agent with the prefix of a second border network owner and obtaining the second border network owner's signed mapping pair returned by the registration agent;
the first border network owner checking whether the signed mapping pair is valid according to the signature control information in the signed mapping pair; and
once the check has determined that the signed mapping pair is valid, the first border network owner extracting the mapping information from the signed mapping pair.
8. The method of claim 7, characterized in that the first border network owner checking whether the signed mapping pair is valid according to the signature control information in the signed mapping pair comprises:
checking whether the certificate format is acceptable;
checking whether the validity period of the signed mapping pair has expired;
checking whether the second border network owner's certificate is trusted and whether it has expired; and
verifying, with the public key in the second border network owner's certificate, whether the signature field of the signed mapping pair is valid.
9. A border network device, characterized in that it comprises:
a signed mapping pair generation unit, configured to sign a mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair and generate a signed mapping pair; and
a submission unit, configured to submit the signed mapping pair to a registration agent in a transport network.
10. The border network device of claim 9, characterized in that it further comprises:
a query unit, configured to query a registration agent with the prefix information of a second border network owner and obtain the second border network owner's signed mapping pair returned by that registration agent;
a check unit, coupled to the query unit, configured to check whether the second border network owner's signed mapping pair is valid; and
a data sending unit, configured to send data to the second border network owner according to the mapping information in the signed mapping pair once the check unit has determined that the signed mapping pair is valid.
11. The border network device of claim 9 or 10, characterized in that it further comprises: a revocation record generation unit, configured to generate a signed mapping pair revocation record; and
a revocation record submission unit, configured to submit the signed mapping pair revocation record to a registration agent so as to revoke the signed mapping pair corresponding to that revocation record.
12. A registration agent device, characterized in that it comprises:
a receiving unit, configured to receive a signed mapping pair submitted by a border network owner;
a signed mapping pair database unit, configured to store the signed mapping pair received by the receiving unit; and a synchronization unit, configured to synchronize the signed mapping pairs stored in the signed mapping pair database unit to other registration agents.
13. The registration agent device of claim 12, characterized in that it further comprises: a query response unit, configured to look up the signed mapping pair corresponding to the prefix supplied by a border network owner and return it to that border network owner.
14. The registration agent device of claim 12 or 13, characterized in that it further comprises: a revocation response unit, configured to delete, according to the signed mapping pair revocation record supplied by a border network owner, the signed mapping pair corresponding to that revocation record from the signed mapping pair database unit, and to synchronize the signed mapping pair revocation record to other registration agents; and
a revocation record database unit, configured to store the signed mapping pairs deleted by the revocation response unit.
15. A communication system, characterized in that it comprises:
a border network device, configured to sign a mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair, generate a signed mapping pair and submit the signed mapping pair to a registration agent device; and the registration agent device, configured to receive the signed mapping pair submitted by the border network device and share the signed mapping pair with other registration agents by data synchronization.
16. The communication system of claim 15, characterized in that the border network device comprises: a signed mapping pair generation unit, configured to sign the mapping information pair with the private key of the certificate corresponding to the prefix in the mapping information pair and generate a signed mapping pair; and
a submission unit, configured to submit the signed mapping pair to the registration agent device.
17. The communication system of claim 16, characterized in that the registration agent device comprises: a receiving unit, configured to receive the signed mapping pair submitted by a border network owner;
a signed mapping pair database unit, configured to store the signed mapping pair received by the receiving unit; and a synchronization unit, configured to synchronize the signed mapping pair to other registration agents.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ES09753457.2T ES2614853T3 (es) | 2008-05-29 | 2009-05-06 | A method, device and communication system for managing and querying mapping information |
EP09753457.2A EP2276206B1 (en) | 2008-05-29 | 2009-05-06 | A method, device and communication system for managing and inquiring mapping information |
US12/955,658 US8539100B2 (en) | 2008-05-29 | 2010-11-29 | Method, device, and communications system for managing querying mapping information |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810028535.4 | 2008-05-29 | ||
CN2008100285354A CN101594339B (zh) | 2008-05-29 | 2008-05-29 | Method, device and communication system for managing and querying mapping information |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/955,658 Continuation US8539100B2 (en) | 2008-05-29 | 2010-11-29 | Method, device, and communications system for managing querying mapping information |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009143739A1 true WO2009143739A1 (zh) | 2009-12-03 |
Family
ID=41376596
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/071660 WO2009143739A1 (zh) | 2008-05-29 | 2009-05-06 | Method, device and communication system for managing and querying mapping information |
Country Status (5)
Country | Link |
---|---|
US (1) | US8539100B2 (zh) |
EP (1) | EP2276206B1 (zh) |
CN (1) | CN101594339B (zh) |
ES (1) | ES2614853T3 (zh) |
WO (1) | WO2009143739A1 (zh) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8621093B2 (en) * | 2007-05-21 | 2013-12-31 | Google Inc. | Non-blocking of head end initiated revocation and delivery of entitlements non-addressable digital media network |
US8635448B2 (en) * | 2011-12-06 | 2014-01-21 | Cisco Technology, Inc. | Secure prefix authorization with untrusted mapping services |
KR20150084221A (ko) | 2014-01-13 | 2015-07-22 | Samsung Electronics Co., Ltd. | Apparatus and method for re-signing an application package, and terminal device executing the application package |
DE102014212210A1 (de) * | 2014-06-25 | 2015-12-31 | Siemens Aktiengesellschaft | Control of access to content retrievable over a data network |
US11469903B2 (en) * | 2019-02-28 | 2022-10-11 | Microsoft Technology Licensing, Llc | Autonomous signing management operations for a key distribution service |
CN114172838A (zh) * | 2021-11-10 | 2022-03-11 | 中盈优创资讯科技有限公司 | Method and device for real-time monitoring of false IP routes |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007121787A1 (en) * | 2006-04-25 | 2007-11-01 | Telefonaktiebolaget Lm Ericsson (Publ) | Ip mobility within a communication system |
CN101123536A (zh) * | 2007-09-19 | 2008-02-13 | Beijing Jiaotong University | Method for implementing location management in an integrated network |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6192051B1 (en) * | 1999-02-26 | 2001-02-20 | Redstone Communications, Inc. | Network router search engine using compressed tree forwarding table |
US7162539B2 (en) * | 2000-03-16 | 2007-01-09 | Adara Networks, Inc. | System and method for discovering information objects and information object repositories in computer networks |
US6871236B2 (en) * | 2001-01-26 | 2005-03-22 | Microsoft Corporation | Caching transformed content in a mobile gateway |
US7406526B2 (en) * | 2001-09-28 | 2008-07-29 | Uri Benchetrit | Extended internet protocol network address translation system |
ATE503357T1 (de) * | 2003-08-06 | 2011-04-15 | Motorola Inc | Method for validated communication |
US7646775B2 (en) * | 2005-03-08 | 2010-01-12 | Leaf Networks, Llc | Protocol and system for firewall and NAT traversal for TCP connections |
EP1764970A1 (en) * | 2005-09-19 | 2007-03-21 | Matsushita Electric Industrial Co., Ltd. | Multiple interface mobile node with simultaneous home- and foreign network connection |
US7853687B2 (en) * | 2007-03-05 | 2010-12-14 | Alcatel Lucent | Access control list generation and validation tool |
CN101340356B (zh) * | 2007-07-05 | 2012-07-11 | Huawei Technologies Co., Ltd. | Method for forwarding information and information forwarding device |
2008
- 2008-05-29 CN CN2008100285354A patent/CN101594339B/zh not_active Expired - Fee Related
2009
- 2009-05-06 ES ES09753457.2T patent/ES2614853T3/es active Active
- 2009-05-06 EP EP09753457.2A patent/EP2276206B1/en not_active Not-in-force
- 2009-05-06 WO PCT/CN2009/071660 patent/WO2009143739A1/zh active Application Filing
2010
- 2010-11-29 US US12/955,658 patent/US8539100B2/en active Active
Non-Patent Citations (2)
Title |
---|
BIJUN ET AL.: "A source address validation test-bed in CNGI-CERNET", TELECOMMUNICATIONS SCIENCE, 2008 YEAR, no. 1, 15 January 2008 (2008-01-15), pages 12 - 13, XP008147014 * |
See also references of EP2276206A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP2276206A4 (en) | 2011-05-04 |
US20110072157A1 (en) | 2011-03-24 |
CN101594339A (zh) | 2009-12-02 |
ES2614853T3 (es) | 2017-06-02 |
CN101594339B (zh) | 2012-07-04 |
EP2276206A1 (en) | 2011-01-19 |
EP2276206B1 (en) | 2016-11-23 |
US8539100B2 (en) | 2013-09-17 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09753457 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
REEP | Request for entry into the european phase | Ref document number: 2009753457 Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 4630/KOLNP/2010 Country of ref document: IN Ref document number: 2009753457 Country of ref document: EP |