WO2010063242A1 - Clock synchronization method, device and network system - Google Patents


Info

Publication number
WO2010063242A1
Authority
WO
WIPO (PCT)
Prior art keywords
path
terminal
clock
secure
clock server
Application number
PCT/CN2009/075353
Other languages
French (fr)
Chinese (zh)
Inventor
吕欣岩
聂爽
何纲
Original Assignee
华为技术有限公司
Filing date
Publication date
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/14 Multichannel or multilink protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J 3/00 Time-division multiplex systems
    • H04J 3/02 Details
    • H04J 3/06 Synchronising arrangements
    • H04J 3/0635 Clock or time synchronisation in a network
    • H04J 3/0638 Clock or time synchronisation among nodes; Internode synchronisation
    • H04J 3/0658 Clock or time synchronisation among packet nodes
    • H04J 3/0661 Clock or time synchronisation among packet nodes using timestamps
    • H04J 3/0667 Bidirectional timestamps, e.g. NTP or PTP for compensation of clock drift and for compensation of propagation delays

Definitions

  • the IEEE 1588 protocol is a precision clock synchronization protocol standard for network measurement and control systems.
  • the 1588 protocol packets can be classified into two categories: event messages and general messages.
  • the general message does not need a timestamp, and is used for sending information including clock information and configuration management information; the event message carries a time stamp for transmitting time and frequency information.
  • the transmission of 1588 protocol packets has two modes: unicast and multicast. Different transmission modes specify different sending addresses and ports.
  • the 1588 protocol is an adaptive network clock synchronization protocol. It can automatically complete the clock level division and reconstruction of the entire network through the source selection algorithm, and supports time synchronization and frequency synchronization.
  • the link is used in the time synchronization.
  • In frequency synchronization, the clock server periodically sends clock synchronization packets to the terminal; the terminal calculates the difference between two consecutive clock synchronization messages, from which the reference frequency is obtained.
  • the 1588 protocol provides a shared key based security mechanism that provides source authentication, information integrity protection, and anti-replay capabilities.
  • Figure 1 is a flow chart of the security mechanism of the shared key provided by the 1588 protocol.
  • The sender of a message may be a clock server or a terminal, and the receiver of a message may be a clock server or a terminal. The sender and the receiver each maintain a security association (SA), called the output SA and the input SA respectively; each SA includes source port, source address, destination port, destination address, key, random number, and replay counter.
  • SA: security association
  • the control port of the clock server is visible to all terminals and can receive messages sent by multiple terminals at the same time.
  • The security mechanism provided by the 1588 protocol is as follows: (1) The sender sends a 1588 protocol packet carrying an AUTHENTICATION TLV, which gives the type, length and value of the verification data: the random number, the replay counter, the key identifier, the algorithm identifier, and the recorded digest of the packet.
  • (2) If the receiver supports security verification of the packet, it first performs an integrity check and source verification: it selects the verification algorithm from the algorithm identifier, selects the verification key from the key identifier, computes the digest of the received 1588 packet and compares it with the digest recorded in the packet. If they match, the packet passes verification and is accepted; otherwise the packet fails verification and is discarded.
  • (3) The receiver then searches its local input SA list. If the received packet can be mapped to an SA, anti-replay checking is performed using that SA's replay counter and the random number carried in the packet; otherwise the packet is discarded.
  • the control port of the clock server is exposed to all terminals and is vulnerable to attacks.
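The receiver-side steps (2) and (3) above as a runnable model (an added example, not the patent's or the standard's code): the digest check uses the key and algorithm named in the TLV, and the replay check requires the packet's random number to match the input SA's and its counter to advance. The TLV is a constructed dict rather than the 1588 wire encoding, and the key and algorithm tables are constructed too.

```python
"""Model of the receiver-side checks of the 1588 shared-key mechanism:
(2) integrity and source verification with the key/algorithm named in the
AUTHENTICATION TLV, then (3) input-SA lookup and anti-replay checking."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed algorithm and key tables standing in for receiver configuration.
ALGORITHMS = {1: hashlib.sha256, 2: hashlib.sha1}
KEYS = {7: b"constructed-shared-key-7", 8: b"constructed-shared-key-8"}


@dataclass
class SecurityAssociation:
    """Input SA with the fields the text lists: 4-tuple, key, random number,
    replay counter (highest counter value accepted so far)."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    key_id: int
    nonce: int
    replay_counter: int = 0


def _auth_input(body: bytes, nonce: int, counter: int) -> bytes:
    # The digest covers the body and the replay fields, so a captured packet
    # cannot be re-sequenced by editing its counter.
    return body + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")


def compute_digest(data: bytes, key_id: int, alg_id: int) -> bytes:
    """Keyed digest using the shared key and algorithm named in the TLV."""
    return hmac.new(KEYS[key_id], data, ALGORITHMS[alg_id]).digest()


def build_packet(body: bytes, key_id: int, alg_id: int, nonce: int, counter: int) -> dict:
    """Sender side: packet body plus a constructed AUTHENTICATION TLV."""
    digest = compute_digest(_auth_input(body, nonce, counter), key_id, alg_id)
    return {"body": body, "auth": {"nonce": nonce, "counter": counter,
                                   "key_id": key_id, "alg_id": alg_id,
                                   "digest": digest}}


def verify_packet(pkt: dict, src: tuple, dst: tuple, sa_list: list) -> str:
    """Receiver side. Returns "accept", "bad_digest", "no_sa" or "replay".
    src/dst are (address, port) tuples of the received packet."""
    auth = pkt["auth"]
    # Step (2): unknown key or algorithm identifiers fail verification.
    if auth["key_id"] not in KEYS or auth["alg_id"] not in ALGORITHMS:
        return "bad_digest"
    expected = compute_digest(_auth_input(pkt["body"], auth["nonce"], auth["counter"]),
                              auth["key_id"], auth["alg_id"])
    if not hmac.compare_digest(expected, auth["digest"]):  # constant-time compare
        return "bad_digest"
    # Step (3): map the packet to an input SA by 4-tuple and key, then check
    # the random number and that the replay counter strictly advances.
    for sa in sa_list:
        if (sa.src_addr, sa.src_port, sa.dst_addr, sa.dst_port) != (*src, *dst):
            continue
        if sa.key_id != auth["key_id"]:
            continue
        if auth["nonce"] != sa.nonce or auth["counter"] <= sa.replay_counter:
            return "replay"
        sa.replay_counter = auth["counter"]
        return "accept"
    return "no_sa"
```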
  • SUMMARY OF THE INVENTION The technical problem to be solved by the embodiments of the present invention is to provide a method, a device, and a network system for clock synchronization, which can further improve the security performance of the clock server while realizing clock synchronization.
  • the embodiment of the present invention provides the following technical solutions:
  • An embodiment of the present invention provides a method for implementing clock synchronization, including:
  • the clock server establishes a secure path and a non-secure path with the terminal;
  • control messages are exchanged with the terminal through the secure path, and clock synchronization messages are sent to the terminal through the non-secure path.
  • An embodiment of the present invention provides a method for implementing clock synchronization, including:
  • the terminal establishes a secure path and an unsecure path with the clock server
  • the embodiment of the invention provides a clock server, including:
  • a first interface module configured to establish a secure path and a non-secure path with the terminal
  • a first association module configured to associate an address of the security path of the terminal with an address of the non-secure path
  • a first control message interaction module configured to perform control message interaction with the terminal by using the secure path
  • the synchronization message sending module is configured to send a clock synchronization message to the terminal by using the non-secure path.
  • the embodiment of the invention provides a terminal, including:
  • a second interface module configured to establish a secure path and a non-secure path with the clock server; and a second association module, configured to associate an address of the secure path of the server with an address of the non-secure path;
  • a second control message interaction module configured to perform a control message interaction with the clock server by using the secure path
  • a clock synchronization module configured to perform clock synchronization with the server by using the non-secure path.
  • the embodiment of the invention further provides a network system, including:
  • a clock server configured to establish a secure path and a non-secure path with the terminal; associate the secure path with the non-secure path; perform control message interaction with the terminal through the secure path; and send clock synchronization messages to the terminal by using the non-secure path;
  • a terminal configured to establish a secure path and a non-secure path with the clock server; associate the secure path with the non-secure path; perform control message interaction with the clock server through the secure path, and perform clock synchronization on the non-secure path.
  • the embodiment of the invention further provides another clock server, including:
  • a first path establishing module configured to establish a first path with the terminal, where the first path is a secure connection for transmitting data in a secure manner;
  • a second path establishing module configured to send, by using the first path, information required for establishing a second path to the terminal, to establish the second path with the terminal;
  • a clock message module configured to send a clock synchronization message to the terminal by using the second path.
  • the embodiment of the invention further provides another terminal, including:
  • a first path establishing module configured to establish a first path with a clock server, where the first path is a secure connection for transmitting data in a secure manner;
  • a second path establishing module configured to acquire, by using the first path, the information required for establishing a second path from the clock server, and to establish the second path with the clock server;
  • a clock message module configured to receive, through the second path, the clock synchronization message sent by the clock server.
  • the embodiment of the invention further provides another method, including:
  • FIG. 1 is a schematic diagram showing the processing flow of the shared key security mechanism provided by the existing 1588 protocol;
  • FIG. 2 is a schematic flowchart of a method for clock synchronization according to Embodiment 1 of the present invention;
  • FIG. 3 is a schematic flowchart of still another method for clock synchronization according to Embodiment 2 of the present invention;
  • FIG. 4 is a schematic diagram of a clock server and terminal deployment framework;
  • FIG. 5 is a schematic flowchart of a method for transmitting a clock synchronization message through a non-secure path and transmitting a control message through a secure path according to Embodiment 4 of the present invention;
  • FIG. 6 is a schematic flowchart of a method for implementing clock synchronization according to Embodiment 5 of the present invention;
  • FIG. 7 is a schematic flowchart of a method for implementing clock synchronization according to Embodiment 6 of the present invention;
  • FIG. 8 is a schematic flowchart of a method for implementing clock synchronization according to Embodiment 7 of the present invention;
  • FIG. 9 is a schematic structural diagram of a clock server according to Embodiment 8 of the present invention;
  • FIG. 10 is a schematic structural diagram of a terminal according to Embodiment 9 of the present invention;
  • FIG. 11 is a schematic diagram of a network system according to Embodiment 10 of the present invention;
  • FIG. 12 is a schematic structural diagram of a clock synchronization network according to Embodiment 11 of the present invention;
  • FIG. 13 is a schematic flowchart of a clock synchronization method according to Embodiment 12 of the present invention.
  • the embodiments of the present invention provide a method, a device, and a network system for clock synchronization, which can further improve the security performance of the clock server while implementing clock synchronization.
  • FIG. 2 is a schematic flowchart of a method for clock synchronization according to an embodiment of the present invention. As shown in Figure 2, the method can include:
  • Step 201 The clock server establishes a secure path and a non-secure path with the terminal.
  • The clock server can establish a secure path with the terminal by adding a logical interface, such as an IPSec tunnel, or by adding a physical link, such as a dedicated signaling link.
  • the clock server can establish a non-secure path with the terminal by accessing the public communication network, such as accessing the Internet.
  • Step 202 Associate the secure path with the non-secure path.
  • Each clock has a globally unique identifier. This identifier is associated with the address of the secure path and the address of the non-secure path, which implements the association between the secure path and the non-secure path.
  • Step 203 Perform a control message exchange with the terminal through the secure path, and send a clock synchronization packet to the terminal through the non-secure path.
  • the interaction between the control message and the terminal through the security path may be:
  • the clock server receives the Announce message unicast request sent by the terminal and returns an Announce message unicast request authorization to the terminal;
  • the control message interaction with the terminal through the secure path may also be:
  • the clock server receives the security mechanism negotiation request sent by the terminal, where the security mechanism negotiation request carries the security mechanism negotiation parameter;
  • the clock server sends a security mechanism negotiation request to the terminal, where the security mechanism negotiation request carries a security mechanism negotiation parameter;
  • the clock server receives the security mechanism negotiation request response returned by the terminal, which indicates the security mechanism used and the corresponding negotiation parameters.
  • the control message interaction with the terminal through the secure path may also be:
  • the clock server receives the point-to-point delay negotiation request sent by the terminal through the secure path; returns a point-to-point delay negotiation request authorization to the terminal, and the delay negotiation request authorization indicates the delay mechanism used;
  • the end-to-end delay negotiation request authorization returned to the terminal indicates the delay mechanism used.
  • Sending the clock synchronization packet on the non-secure path is specifically as follows:
  • the clock server sends a clock synchronization packet to the terminal in a unicast mode on the non-secure path.
  • the clock synchronization packet is sent to the terminal in a multicast manner on the non-secure path.
  • the method for implementing the clock synchronization security may also perform network address translation negotiation on the non-secure path, which may be:
  • the clock server receives the handshake request for traversing network address translation that the terminal initiates through the non-secure path;
  • the clock server returns a handshake request response to the terminal, the response carrying the non-secure path address and the corresponding port after network address translation.
  • The method for implementing clock synchronization security may further include the clock server periodically sending an Announce message for source selection to the terminal through the non-secure path, and periodically sending clock synchronization messages to the terminal in multicast mode over the non-secure path.
  • the method for clock synchronization provided by the embodiment of the present invention is described.
  • The clock server in this embodiment establishes a secure path and a non-secure path with the terminal and sends clock synchronization messages to the terminal over the established non-secure path, so that the terminal can perform clock synchronization according to those messages.
  • Because the clock server exchanges control messages with the terminal over the secure path, the control messages are not easily attacked, and the security of the clock server is further improved.
  • FIG. 3 is a flow chart of still another method for clock synchronization according to an embodiment of the present invention. As shown in FIG. 3, the method may include:
  • Step 301 The terminal establishes two bearer paths connected to the clock server, which are a secure path and a non-secure path, respectively.
  • The terminal can establish a secure path with the clock server by adding a logical interface, such as an IPSec tunnel, or by adding a physical link, such as a dedicated signaling link.
  • the terminal can establish a non-secure path with the clock server by accessing the public communication network, such as accessing the Internet.
  • Step 302 Associate the secure path with the non-secure path.
  • the terminal can associate the secure path address of the clock server with the address of the non-secure path through the clock identifier sent by the clock server to implement association between the secure path and the non-secure path.
  • Step 303 Perform control message interaction with the clock server through the secure path, and perform clock synchronization on the non-secure path.
  • The control message interaction with the clock server through the secure path may be: the terminal sends an Announce message unicast request to the clock server;
  • and receives the Announce unicast message, used for source selection, sent by the clock server.
  • the control message interaction between the security path and the clock server may be: The terminal sends a security mechanism negotiation request to the clock server, where the security mechanism negotiation request carries the security mechanism negotiation parameter; Receiving a security mechanism negotiation request response returned by the clock server, indicating the security mechanism used and the corresponding negotiation parameters; or
  • the terminal receives a security mechanism negotiation request sent by the clock server, where the security mechanism negotiation request carries the security mechanism negotiation parameter;
  • the control message interaction between the security path and the clock server may also be:
  • the terminal sends a point-to-point delay negotiation request to the clock server through the secure path, and receives the point-to-point delay negotiation request authorization returned by the clock server; the delay negotiation request authorization indicates the delay mechanism used.
  • the clock synchronization on the non-secure path can be:
  • the terminal receives, through the non-secure path, the clock synchronization packet sent by the clock server in unicast mode, or receives, through the non-secure path, the clock synchronization packet sent by the clock server in multicast mode.
  • the clock synchronization packet is processed according to the negotiated security mechanism.
  • the method for implementing clock synchronization may also perform network address translation negotiation on an unsecure path, which may be:
  • the terminal initiates a handshake request to traverse the network address translation to the clock server through the non-secure path;
  • the terminal receives the handshake request response returned by the clock server; the response carries the non-secure path address and the corresponding port after network address translation.
  • The method for implementing clock synchronization security may further include the terminal periodically receiving, through the non-secure path, the Announce multicast message used for source selection, and periodically receiving, through the non-secure path, the clock synchronization message sent by the clock server in multicast mode.
  • The terminal establishes a secure path and a non-secure path connected to the clock server and can receive the clock synchronization message sent by the clock server on the established non-secure path, performing clock synchronization according to that message. At the same time, because control messages are exchanged with the server through the secure path, the control messages are not easily attacked, and the security of the clock server is further improved.
  • networks can be divided into trusted networks and non-trusted networks. Different network elements are secure in communication within a trusted network. Conversely, when a network element is placed on a non-trusted network, communication between other network elements and it is not secure.
  • Trusted networks are mainly the operator's core network or other private networks; untrusted networks are mainly public communication networks, such as the Internet.
  • FIG. 4 is a schematic diagram of a deployment architecture of a clock server and a terminal according to an embodiment of the present invention.
  • the clock server is deployed in a trusted network, and the terminal is deployed in an untrusted network.
  • the communication of the clock server in the trusted network is secure, and the communication between the clock server and the terminal is relatively unsecured.
  • Two communication paths are established between the clock server and the terminal, which are a secure path and an unsecure path.
  • Clock synchronization packets transmitted on the non-secure path must be filtered by the security gateway, whereas control messages on the secure path pass through the security gateway transparently in both directions.
  • the security path can be established in various ways, such as an IPSec tunnel established by adding a logical interface or a dedicated signaling link established by adding a physical link.
  • The non-secure path is established over the existing public communication network.
  • FIG. 5 is a schematic flowchart of a method for transmitting a clock synchronization message through a non-secure path and transmitting a control message through a secure path between a terminal and a clock server according to Embodiment 1 of the present invention.
  • the dotted line indicates the change of the service packet address when the terminal and the clock server transmit the clock synchronization packet through the non-secure path.
  • The solid line indicates the change of the service packet address when the terminal and the clock server exchange control messages through the secure path.
  • SIP indicates the source IP
  • DIP indicates the target IP
  • SPort indicates the source port
  • DPort indicates the destination port.
  • The terminal has two addresses: 10.10.2.20 is its secure path communication address (for example, when the clock server is deployed on the core network, this is the address allocated to the terminal when it accesses the core network through the secure path IPSec tunnel); 192.168.0.2 is its non-secure path communication address, such as the address used for public network communication. The clock server also has two addresses: 10.10.2.2 is its secure path communication address, and 210.45.38.2 is its non-secure path communication address, such as the address used for public network communication.
  • S-S-IP: the IP communication address allocated to the terminal when it accesses the trusted network through the secure path; 10.10.2.20 in Figure 5.
  • S-U-IP: the IP address allocated to the terminal when it accesses the network through the non-secure path; 192.168.0.2 in Figure 5.
  • S-NAT-U-IP: the IP communication address of the terminal's non-secure path after traversing network address translation; 202.38.120.4 in Figure 5. When no network address translation is traversed, this address is the same as S-U-IP.
  • M-A-IP: the access IP address of the clock server; 210.45.38.2 in Figure 5.
  • M-I-IP: the intranet IP address of the clock server; 10.10.2.2 in Figure 5.
  • When the clock client sends a message to the clock server over the second path (the non-secure path, indicated by the dotted line), the source address in the message is SIP 192.168.0.2 and the source port number.
  • When the clock server sends a message to the clock client over the non-secure path, the SIP in the packet is the intranet address 10.10.2.2 and the SPort is 319; the DIP is the external address 202.38.120.4 of the clock client and the DPort is 2345. On reaching the security gateway, the security gateway replaces the SIP with the external address 210.45.38.2 of the clock server, and the DPort remains unchanged. On reaching the home gateway, the home gateway replaces the DIP with the intranet address 192.168.0.2 of the clock client and the DPort with 319.
  • The first path (secure path) is established by having the clock client set up a secure connection, such as an IPSec tunnel, with the security gateway, so that the clock server and the clock client are in the same virtual local area network; or by a dedicated physical link that connects the clock client directly to the security gateway, so that the clock server and the clock client are on the same local area network.
  • When the clock client sends a message to the clock server through the first path, the SIP is the clock client address 10.10.2.20, the SPort is 320, the DIP is the intranet address 10.10.2.2 of the clock server, and the DPort is 320; the SIP and DIP of the message are not changed during transmission.
  • When the clock server sends a message to the clock client through the first path, the SIP is the clock server address 10.10.2.2, the SPort is 320, the DIP is the clock client address 10.10.2.20, and the DPort is 320; the SIP, DIP and corresponding port numbers do not change during delivery.
  • The home gateway and the security gateway pass the control messages through transparently in both directions, so the control messages cannot easily be parsed, and the security of the clock server is further improved.
  • the terminal can receive clock synchronization messages sent by the clock server on the established non-secure path, so that clock synchronization can be performed.
  • Network addresses can be translated flexibly, so traversal of network address translation is supported.
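A trace of the address rewriting on FIG. 5's two paths, as an added example that is not the patent's code: the security gateway and the home gateway are modelled as functions, the addresses are those listed above, and the home gateway's mapping of 192.168.0.2:319 to public port 2345 is constructed to match the 202.38.120.4 / 2345 values in the text.

```python
"""Address changes of a packet on the non-secure path (rewritten at both
gateways) and on the secure path (passed through unchanged), per FIG. 5."""
from dataclasses import dataclass, replace

# Addresses from the FIG. 5 description.
M_I_IP = "10.10.2.2"         # clock server, intranet / secure-path address
M_A_IP = "210.45.38.2"       # clock server, access (public) address
S_S_IP = "10.10.2.20"        # terminal, secure-path address
S_U_IP = "192.168.0.2"       # terminal, private non-secure-path address
S_NAT_U_IP = "202.38.120.4"  # terminal, non-secure-path address after NAT
NAT_PORT = 2345              # constructed: public port the home gateway maps 192.168.0.2:319 to
EVENT_PORT, GENERAL_PORT = 319, 320   # 1588 event / general message ports


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int
    path: str   # "secure" or "non-secure"


# Constructed home-gateway NAT table: (private address, port) -> public port.
HOME_NAT = {(S_U_IP, EVENT_PORT): NAT_PORT}
HOME_NAT_REVERSE = {port: private for private, port in HOME_NAT.items()}


def security_gateway(pkt: Packet, direction: str) -> Packet:
    """Server side. Secure path: transparent. Non-secure path: outbound SIP is
    rewritten to the public address, inbound DIP back to the intranet address."""
    if pkt.path == "secure":
        return pkt
    if direction == "out" and pkt.sip == M_I_IP:
        return replace(pkt, sip=M_A_IP)
    if direction == "in" and pkt.dip == M_A_IP:
        return replace(pkt, dip=M_I_IP)
    return pkt


def home_gateway(pkt: Packet, direction: str) -> Packet:
    """Terminal side. Secure path: transparent. Non-secure path: port NAT."""
    if pkt.path == "secure":
        return pkt
    if direction == "out":
        mapped = HOME_NAT.get((pkt.sip, pkt.sport))
        return replace(pkt, sip=S_NAT_U_IP, sport=mapped) if mapped else pkt
    private = HOME_NAT_REVERSE.get(pkt.dport)
    if private and pkt.dip == S_NAT_U_IP:
        return replace(pkt, dip=private[0], dport=private[1])
    return pkt


def server_to_terminal(pkt: Packet) -> Packet:
    """Hops in order: security gateway egress, then home gateway ingress."""
    return home_gateway(security_gateway(pkt, "out"), "in")


def terminal_to_server(pkt: Packet) -> Packet:
    """Hops in order: home gateway egress, then security gateway ingress."""
    return security_gateway(home_gateway(pkt, "out"), "in")


def learn_nat_address(handshake_req: Packet) -> tuple:
    """What the clock server sees as the source of a Handshake_Req after NAT,
    which is the address and port it echoes back in Handshake_Resp."""
    return handshake_req.sip, handshake_req.sport
```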
  • FIG. 6 is a schematic flowchart of a method for implementing clock synchronization security according to Embodiment 2 of the present invention. As shown in FIG. 6, this embodiment transmits clock synchronization messages in unicast mode; a dashed line indicates a flow performed on the non-secure path, and a solid line indicates a flow performed on the secure path.
  • the process of this embodiment may include:
  • the terminal establishes a secure path with the security gateway to establish a secure path between the terminal and the clock server.
  • The secure path between the clock server and the terminal may be established by adding a logical interface, such as an IPSec tunnel, or by adding a physical link, such as a dedicated signaling link.
  • an IPSec tunnel is used as an example to establish a secure path between the terminal and the clock server.
  • the terminal initiates a handshake request Handshake_Req for traversing the network address translation to the clock server through the non-secure path, and the handshake request carries an identifier (such as a random number) for message matching.
  • the address and port information carried in the handshake request are: SIP: S-S-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • For different sending modes, the 1588 protocol specifies different sending addresses and ports.
  • Table 1 shows the mapping between the sending mode of a clock packet and the port.
  • The clock server responds to the handshake request: it returns a handshake request response Handshake_Resp according to the random number, source IP and source port of the handshake request; the response carries the non-secure path address and the corresponding port after network address translation. If the clock server does not support the handshake request, no handshake request response is sent.
  • the address and port information carried in the handshake request response are: SIP: M-I-IP; SPort: 319; DIP: S-NAT-U-IP; DPort: Source port of the handshake request.
  • The terminal sends an Announce message unicast request to the clock server.
  • The address and port information carried in the Announce message unicast request sent by the terminal is: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
  • The clock server returns the Announce message unicast authorization.
  • The address and port information carried by the Announce message unicast authorization sent by the clock server is: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
  • The address and port information carried by the Announce unicast message periodically sent by the clock server is: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
  • The terminal sends a unicast request for clock synchronization messages to the selected clock server; the request carries the translated network address S-NAT-U-IP and the corresponding port, and may carry the security mechanism parameters supported by the terminal.
  • The address and port information carried by the unicast request for clock synchronization packets sent to the selected clock server is: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
  • The clock server returns a unicast authorization message to the terminal and, if it supports the security mechanism, specifies the security mechanism parameters.
  • the address and port information carried by the clock server to the terminal to initiate the unicast authorization message are: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
  • If the terminal needs to perform an independent security negotiation procedure, it sends a Signaling message to the clock server carrying the security mechanism negotiation parameters.
  • The address and port information carried by the Signaling message is: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
  • If the clock server supports the security mechanism, it returns a Signaling message to the terminal; the Signaling message indicates the security mechanism used and the corresponding negotiation parameters.
  • The address and port information carried by the Signaling message returned by the clock server to the terminal is: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
  • If time synchronization is to be performed, the terminal sends a point-to-point delay negotiation request Delay_Req to the clock server.
  • The address and port information carried by the point-to-point delay negotiation request sent by the terminal to the clock server is: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
  • The clock server returns a point-to-point delay negotiation request authorization Delay_Resp to the terminal; the authorization indicates the delay mechanism used.
  • the address and port information carried by the point-to-point delay negotiation request authorization returned by the clock server to the terminal is:
  • the terminal may also send an end-to-end delay negotiation request PDelay_Req to the clock server.
  • The address and port information carried by the end-to-end delay negotiation request sent by the terminal to the clock server is: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
  • the delay negotiation request authorization indicates the delay mechanism used.
  • the address and port information carried in the end-to-end delay negotiation request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the clock server periodically sends clock synchronization messages to the terminal in unicast mode for frequency or time synchronization. After receiving a message, the terminal needs to verify it according to the previously negotiated security mechanism.
  • the clock server periodically sends clock synchronization messages to the terminal in unicast mode.
  • the address and port information carried in the message are:
  • SIP M-I-IP
  • SPort 319
  • DIP: if an IP address was indicated in the unicast negotiation, the indicated IP address is used; otherwise the source IP of the unicast request is used
  • DPort: if a port was indicated in the unicast negotiation, the indicated port is used; otherwise 319 is used.
  • the terminal may send a point-to-point delay request Delay_Req to the clock server according to the negotiated delay mechanism of processes (11) and (12).
  • the address and port information carried in the point-to-point delay request sent by the terminal to the clock server are: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • the clock server performs verification according to the negotiated security mechanism, processes the packets that pass the verification, and returns a point-to-point delay request authorization Delay_Resp to the terminal.
  • the address and port information carried in the point-to-point delay request authorization returned by the clock server to the terminal are:
  • the terminal may send an end-to-end delay request PDelay_Req to the clock server according to the negotiated delay mechanism of processes (13) and (14).
  • the address and port information carried in the end-to-end delay request sent by the terminal to the clock server are: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • the clock server performs verification according to the negotiated security mechanism, processes the packets that pass the verification, and returns an end-to-end delay request authorization PDelay_Resp to the terminal.
  • the address and port information carried in the end-to-end delay request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 319
  • DIP S-NAT-U-IP
  • DPort: the source port (SPort) of the PDelay_Req.
  • the terminal is a clock client Slave.
  • the secure path is a path established between the terminal and the clock server to transfer data in a secure manner (referred to as the first path in this embodiment), and the non-secure path is a path established between the terminal and the clock server after the first path is established (referred to as the second path in this embodiment).
  • Process 2 and Process 3 are used to negotiate some parameters of the terminal NAT traversal, such as the traversed address and the port number. These two processes need to be completed before the second path is established.
  • the second path may be a connection that transfers data in a secure manner or one that transfers data in a non-secure manner.
  • the Announce message is used in the IPsec tunnel to transmit the information for establishing the second path, where the information includes, for example, the address of the clock server and the port used by the clock server, and the terminal can establish the second path according to this information.
  • because the IPsec tunnel delivers this information in a secure manner, critical information (such as the port of the clock server) is not easily obtained, which improves security.
  • the security policy used by the second path is negotiated through the first path, thereby effectively simplifying the security negotiation process. If security parameters are negotiated in these two processes, the second path can transfer data using the negotiated security policy.
  • the method provided in this embodiment can be applied to transmit clock messages specified by the IEEE 1588 protocol.
  • the method for implementing clock synchronization provided by the second embodiment of the present invention is described in detail above.
  • the clock server establishes a secure path and a non-secure path with the terminal, and sends a clock synchronization message to the terminal on the established non-secure path, so that the terminal can perform clock synchronization according to the clock synchronization message.
  • since the clock server interacts with the terminal through the secure path, the control messages are not easily attacked, and the security of the clock server is further improved.
  • FIG. 7 is a flow chart of a method for implementing clock synchronization according to Embodiment 3 of the present invention.
  • in this embodiment the clock synchronization message is sent in a multicast manner; a dashed line indicates a flow performed on the non-secure path, and a solid line indicates a flow performed on the secure path.
  • the flow of this embodiment may include:
  • the terminal establishes a secure path with the security gateway to establish a secure path between the terminal and the clock server.
  • the secure path between the clock server and the terminal may be established by adding a logical interface, such as an IPsec tunnel, or by adding a physical link, such as a dedicated signaling link.
  • in this embodiment an IPsec tunnel is taken as an example of the secure path between the terminal and the clock server.
  • the terminal sends an Announce message unicast request to the clock server.
  • the address and port information carried in the Announce message unicast request sent by the terminal are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • the clock server returns a unicast authorization for the Announce message.
  • the address and port information carried in the Announce message unicast authorization sent by the clock server are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the address and port information carried in the Announce unicast message periodically sent by the clock server are: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
  • if the terminal needs to perform security negotiation, the terminal sends a Signaling message to the clock server carrying the security mechanism negotiation parameters.
  • the terminal sends a Signaling message to the clock server.
  • the address and port information carried in the Signaling message are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • if the clock server supports the security mechanism, it returns a Signaling indication message to the terminal, indicating the security mechanism used and the corresponding negotiation parameters.
  • the clock server returns a Signaling indication message to the terminal; the address and port information carried in the message are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the terminal sends a point-to-point delay negotiation request Delay_Req to the clock server.
  • the address and port information carried in the point-to-point delay negotiation request sent by the terminal to the clock server are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • the address and port information carried in the point-to-point delay negotiation request authorization returned by the clock server (Master) to the terminal (Slave) are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the terminal may also send an end-to-end delay negotiation request PDelay_Req to the clock server.
  • the address and port information carried in the end-to-end delay negotiation request sent by the terminal to the clock server are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • the delay negotiation request authorization indicates the delay mechanism used.
  • the address and port information carried in the end-to-end delay negotiation request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the clock server periodically sends a clock synchronization message to the terminal for frequency or time synchronization. After receiving the message, the terminal needs to verify it according to the previously negotiated security mechanism.
  • the clock server periodically sends clock synchronization messages to the terminal in a multicast manner.
  • the address and port information carried in the message are:
  • SIP M-I-IP
  • SPort 319
  • DIP 224.0.1.129
  • DPort 319.
  • the terminal may send a point-to-point delay request Delay_Req to the clock server according to the delay mechanism negotiated by processes (7) and (8).
  • the address and port information carried in the point-to-point delay request sent by the terminal to the clock server are:
  • SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • the clock server performs verification according to the negotiated security mechanism, processes the packets that pass the verification, and returns a point-to-point delay request authorization Delay_Resp to the terminal.
  • the address and port information carried in the point-to-point delay request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the terminal may send an end-to-end delay request PDelay_Req to the clock server according to the negotiated delay mechanism of processes (9) and (10).
  • the address and port information carried by the terminal to send the end-to-end delay request to the clock server are: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • the clock server performs verification according to the negotiated security mechanism, processes the packets that pass the verification, and returns an end-to-end delay request authorization PDelay_Resp to the terminal.
  • the address and port information carried in the end-to-end delay request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 319
  • DIP S-NAT-U-IP
  • DPort: the source port (SPort) of the PDelay_Req.
  • because the clock synchronization message is sent in multicast mode, which the home gateway is required to support, the process in this embodiment differs from the unicast process of the first embodiment in the handshake process and in that the clock synchronization message is sent by multicast; the other processes are the same as in the unicast process of the first embodiment.
  • the clock server establishes a secure path and a non-secure path with the terminal, and sends a clock synchronization message to the terminal on the established non-secure path, so that the terminal can perform clock synchronization according to the clock synchronization message.
  • since the clock server interacts with the terminal through the secure path, the control messages are not easily attacked, and the security of the clock server is further improved.
  • FIG. 8 is a flow chart of a method for implementing clock synchronization security according to Embodiment 4 of the present invention.
  • in this embodiment the Announce message and the clock synchronization message are sent in a multicast manner; the dotted line indicates the flow on the non-secure path, and the solid line indicates the flow on the secure path.
  • the process of this embodiment may include:
  • the terminal establishes a secure path with the security gateway to establish a secure path between the terminal and the clock server.
  • the secure path between the clock server and the terminal may be established by adding a logical interface, such as an IPsec tunnel, or by adding a physical link, such as a dedicated signaling link.
  • in this embodiment an IPsec tunnel is used as an example of the secure path between the terminal and the clock server.
  • the address and port information carried in the Announce multicast message periodically sent by the clock server to the terminal are: SIP: M-I-IP; SPort: 320; DIP: 224.0.1.129; DPort: 320.
  • if the terminal needs to perform security negotiation, the terminal sends a Signaling message to the clock server carrying the security mechanism negotiation parameters.
  • the terminal sends a Signaling message to the clock server.
  • the address and port information carried in the Signaling message are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • if the clock server supports the security mechanism, it returns a Signaling indication message to the terminal, indicating the security mechanism used and the corresponding negotiation parameters.
  • the clock server returns a Signaling indication message to the terminal; the address and port information carried in the message are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the terminal sends a point-to-point delay negotiation request Delay_Req to the clock server.
  • the address and port information carried in the point-to-point delay negotiation request sent by the terminal to the clock server are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • the address and port information carried in the point-to-point delay negotiation request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the terminal may also send an end-to-end delay negotiation request PDelay_Req to the clock server.
  • the address and port information carried in the end-to-end delay negotiation request sent by the terminal to the clock server are:
  • SIP S-S-IP
  • SPort 320
  • DIP M-I-IP
  • DPort 320.
  • the delay negotiation request authorization indicates the delay mechanism used.
  • the address and port information carried in the end-to-end delay negotiation request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the clock server periodically sends a clock synchronization message to the terminal in a multicast manner for frequency or time synchronization. After receiving the message, the terminal needs to verify it according to the previously negotiated security mechanism.
  • the clock server periodically sends clock synchronization messages to the terminal in a multicast manner.
  • the address and port information carried in the message are:
  • SIP M-I-IP
  • SPort 319
  • DIP 224.0.1.129
  • DPort 319.
  • the terminal may send a point-to-point delay request Delay_Req to the clock server according to the delay mechanism negotiated by processes (5) and (6).
  • the address and port information carried in the point-to-point delay request sent by the terminal to the clock server are:
  • SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • the clock server performs verification according to the negotiated security mechanism, processes the packets that pass the verification, and returns a point-to-point delay request authorization Delay_Resp to the terminal.
  • the address and port information carried in the point-to-point delay request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 320
  • DIP S-S-IP
  • DPort 320.
  • the terminal may send an end-to-end delay request PDelay_Req to the clock server according to the delay mechanism negotiated by processes (7) and (8).
  • the address and port information carried by the terminal to send the end-to-end delay request to the clock server are: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
  • the clock server performs verification according to the negotiated security mechanism, processes the packets that pass the verification, and returns an end-to-end delay request authorization PDelay_Resp to the terminal.
  • the address and port information carried in the end-to-end delay request authorization returned by the clock server to the terminal are:
  • SIP M-I-IP
  • SPort 319
  • DIP S-NAT-U-IP
  • DPort: the source port (SPort) of the PDelay_Req.
  • the process of this embodiment differs from the multicast process of the third embodiment in that the terminal directly receives the Announce multicast message periodically sent by the clock server and uses it to select the clock source; the other processes are the same.
  • the method for implementing clock synchronization provided by Embodiment 4 of the present invention is described in detail above.
  • the clock server establishes a secure path and a non-secure path with the terminal, and sends a clock synchronization message to the terminal on the established non-secure path, so that the terminal can perform clock synchronization according to the clock synchronization message.
  • since the clock server interacts with the terminal through the secure path, the control messages are not easily attacked, and the security of the clock server is further improved.
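The two-path flow of embodiments 2 through 4, as an added model that is not part of the patent or any product: control messages (Signaling, delay negotiation) are accepted only on the secure path at port 320, the NAT handshake associates the terminal's secure-path address with its translated non-secure address and port, and Sync/Delay messages on the non-secure path are verified with the mechanism negotiated over the secure path. It assumes the IPsec tunnel is already up (modelled as a trusted channel), that the negotiated mechanism is an HMAC-SHA256 key, that the handshake body names the terminal's secure-path address, and a constructed NAT mapping (S-U-IP:319 to S-NAT-U-IP:40319); message names not in the tables (NAT_Handshake, Signaling_Resp) are labels chosen here.

```python
"""Two-path clock synchronization flow of embodiments 2 to 4: an added model,
not the patent's code (assumptions in the lead-in and the comments)."""
import hmac
import os
from collections import namedtuple

GENERAL_PORT = 320   # control messages: Announce, Signaling, delay negotiation
EVENT_PORT = 319     # timed messages: Sync, Delay_Req/Resp, PDelay_Req/Resp
SECURE, NONSECURE = "secure", "nonsecure"
CONTROL = {"Signaling", "Signaling_Resp", "Delay_Nego_Req", "Delay_Nego_Resp"}
# Symbolic addresses as used in the patent's address/port tables.
M_I_IP, M_A_IP = "M-I-IP", "M-A-IP"                            # clock server
S_S_IP, S_U_IP, S_NAT_U_IP = "S-S-IP", "S-U-IP", "S-NAT-U-IP"  # terminal
NAT_PORT = 40319     # constructed: port the NAT box maps the terminal's 319 to

Msg = namedtuple("Msg", "kind sip sport dip dport path body mac", defaults=(b"", b""))

def tag(key, body):
    return hmac.new(key, body, "sha256").digest()

def path_policy_ok(msg):
    """Control messages only on the secure path at port 320; all else on the non-secure path."""
    if msg.kind in CONTROL:
        return msg.path == SECURE and msg.dport == GENERAL_PORT
    return msg.path == NONSECURE

def nat(msg):
    """NAT box in front of the terminal (constructed mapping for its non-secure traffic)."""
    if msg.path == NONSECURE and msg.sip == S_U_IP:
        return msg._replace(sip=S_NAT_U_IP, sport=NAT_PORT)
    return msg

class ClockServer:
    def __init__(self):
        self.keys = {}    # terminal secure-path address -> negotiated HMAC key
        self.assoc = {}   # terminal secure-path address -> (NAT address, NAT port)
        self.by_nat = {}  # reverse of assoc: which terminal sits behind a NAT tuple

    def on_nat_handshake(self, msg):
        """Processes 2 and 3: the body carries the terminal's secure-path address
        (assumed field); the reply echoes the translated address and port."""
        term, seen = msg.body.decode(), (msg.sip, msg.sport)
        self.assoc[term], self.by_nat[seen] = seen, term
        return Msg("NAT_Handshake_Resp", M_A_IP, EVENT_PORT, *seen, NONSECURE,
                   f"{msg.sip}:{msg.sport}".encode())

    def on_signaling(self, msg):
        """Security mechanism negotiation, accepted only on the first path."""
        if not path_policy_ok(msg):
            raise ValueError("control message off the secure path: dropped")
        self.keys[msg.sip] = key = os.urandom(32)
        return Msg("Signaling_Resp", M_I_IP, GENERAL_PORT, msg.sip, GENERAL_PORT,
                   SECURE, b"hmac-sha256:" + key)

    def sync(self, term, seq, t1_ns):
        """Unicast Sync on the second path to the NAT-learned address, MACed with the negotiated key."""
        body = f"SYNC seq={seq} t1={t1_ns}".encode()
        return Msg("Sync", M_I_IP, EVENT_PORT, *self.assoc[term], NONSECURE,
                   body, tag(self.keys[term], body))

    def on_delay_req(self, msg):
        """Verify a Delay_Req, then answer to its post-NAT source address and source port."""
        key = self.keys[self.by_nat[(msg.sip, msg.sport)]]
        if not hmac.compare_digest(tag(key, msg.body), msg.mac):
            raise ValueError("Delay_Req failed verification: dropped")
        body = msg.body.replace(b"Delay_Req", b"Delay_Resp")
        return Msg("Delay_Resp", M_I_IP, EVENT_PORT, msg.sip, msg.sport, NONSECURE,
                   body, tag(key, body))

def terminal_accepts_sync(key, msg):
    """Terminal side: a Sync counts only if it came on the non-secure path and
    its MAC verifies under the key negotiated on the first path."""
    return (msg.kind == "Sync" and path_policy_ok(msg)
            and hmac.compare_digest(tag(key, msg.body), msg.mac))

def terminal_delay_req(key, seq):
    body = f"Delay_Req seq={seq}".encode()
    return Msg("Delay_Req", S_U_IP, EVENT_PORT, M_A_IP, EVENT_PORT, NONSECURE,
               body, tag(key, body))

def run_flow():
    """Walk the unicast flow; return the transcript, both Sync verdicts and the Delay_Resp."""
    server, log = ClockServer(), []
    def send(m):
        log.append((m.kind, m.path, m.sip, m.sport, m.dip, m.dport))
        return m
    hs = send(Msg("NAT_Handshake", S_U_IP, EVENT_PORT, M_A_IP, EVENT_PORT, NONSECURE, S_S_IP.encode()))
    send(server.on_nat_handshake(nat(hs)))
    sig = send(Msg("Signaling", S_S_IP, GENERAL_PORT, M_I_IP, GENERAL_PORT, SECURE, b"mechanisms=hmac-sha256"))
    sig_resp = send(server.on_signaling(sig))
    if not path_policy_ok(sig_resp):           # terminal trusts the key only from the first path
        raise ValueError("Signaling response off the secure path: dropped")
    key = sig_resp.body.split(b":", 1)[1]
    genuine = terminal_accepts_sync(key, send(server.sync(S_S_IP, 1, 1_700_000_000)))
    # An on-path change on the unprotected second path must fail verification.
    forged = server.sync(S_S_IP, 2, 0)._replace(body=b"SYNC seq=2 t1=12345")
    forged_ok = terminal_accepts_sync(key, forged)
    resp = send(server.on_delay_req(nat(send(terminal_delay_req(key, 1)))))
    return log, genuine, forged_ok, resp
```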
  • FIG. 9 is a schematic structural diagram of a clock server according to Embodiment 5 of the present invention.
  • the clock server provided by the embodiment of the present invention may include:
  • the first interface module 901 is configured to establish a secure path and a non-secure path with the terminal;
  • the first association module 902 is configured to associate the address of the secure path and the non-secure path;
  • the first control message interaction module 903 is configured to perform control message interaction with the terminal through the secure path;
  • the synchronization message sending module 904 is configured to send a clock synchronization message to the terminal through the non-secure path.
  • the first control message interaction module 903 is further configured to receive, through the secure path, a security mechanism negotiation request sent by the terminal, where the security mechanism negotiation request carries a security mechanism negotiation parameter, and to return a security mechanism negotiation request response to the terminal, the request response indicating the security mechanism used and the corresponding negotiation parameters.
  • the first control message interaction module 903 is further configured to receive, through the secure path, a point-to-point delay negotiation request sent by the terminal, and to return a point-to-point delay negotiation request authorization to the terminal, the negotiation request authorization indicating the delay mechanism used;
  • an end-to-end delay negotiation request authorization is returned to the terminal, the negotiation request authorization indicating the delay mechanism used.
  • the first control message interaction module 903 is further configured to receive, by using an unsecure path, a handshake request initiated by the terminal to traverse the network address translation;
  • the first control message interaction module 903 can also periodically send an announcement multicast message for selecting a source to the terminal through a non-secure path.
  • the synchronization message sending module 904 is configured to use a non-secure path to periodically transmit a clock synchronization message to the terminal in a multicast manner.
  • the first control message interaction module 903 does not negotiate a security mechanism with the terminal; if the terminal is time synchronized, the first control message interaction module 903 does not perform delay mechanism negotiation with the terminal; if the clock server sends the Announce message for selecting the source to the terminal in a multicast manner, the first control message interaction module 903 may directly send the Announce message for clock source selection to the terminal.
  • the clock server provided in the fifth embodiment of the present invention is described in detail above.
  • the control message interaction is performed on the secure path established by the first interface module 901, so that the control messages are not easily attacked, thereby further improving the security of the clock server.
  • the clock synchronization message is sent to the terminal through the non-secure path established by the first interface module 901, so that the terminal can perform clock synchronization according to the clock synchronization message.
  • FIG. 10 is a schematic structural diagram of a terminal according to Embodiment 6 of the present invention.
  • the terminal provided by the embodiment of the present invention may include:
  • the second interface module 1001 is configured to establish a secure path and a non-secure path with the clock server.
  • the second association module 1002 is configured to associate the secure path address with the address of the non-secure path.
  • the second control message interaction module 1003 is configured to perform control message interaction with the clock server through the secure path.
  • the clock synchronization module 1004 is configured to perform clock synchronization through the non-secure path.
  • the second control message interaction module 1003 is further configured to send a security mechanism negotiation request to the clock server through the security path, where the security mechanism negotiation request carries the security mechanism negotiation parameter;
  • the second control message interaction module 1003 is further configured to send a point-to-point delay negotiation request to the clock server through the secure path;
  • the second control message interaction module 1003 is further configured to initiate a handshake request for traversing network address translation to the clock server through the non-secure path, and to receive the handshake request response returned by the clock server, where the handshake request response carries the non-secure path address and the corresponding port after network address translation.
  • the second control message interaction module 1003 may further receive, by using an unsecured path, an advertisement multicast message for selecting a source that is periodically sent by the clock server;
  • the clock synchronization module 1004 is configured to receive, through the non-secure path, a clock synchronization message periodically sent by the clock server in a multicast manner, and to process the clock synchronization message according to the negotiated security mechanism.
  • the second control message interaction module 1003 does not perform security negotiation with the clock server; if time synchronization is performed with the clock server, the second control message interaction module 1003 does not negotiate the delay mechanism with the clock server; if the clock server sends the Announce message for selecting the source to the terminal in a multicast manner, the second control message interaction module 1003 can directly perform clock source selection according to the Announce message.
  • the terminal provided in the sixth embodiment of the present invention is described in detail above.
  • the control message interaction is performed on the secure path established by the second interface module 1001, so that the control messages are not easily attacked, thereby further improving the security of the clock server.
  • the clock synchronization message sent by the clock server is received through the non-secure path established by the second interface module 1001, so that clock synchronization can be performed according to the clock synchronization message.
  • FIG. 11 is a schematic diagram of a network system according to Embodiment 7 of the present invention.
  • the network system provided by the embodiment of the present invention may include:
  • the clock server 1101 is configured to establish a secure path and a non-secure path with the terminal 1102; associate the secure path with the non-secure path; perform control message interaction with the terminal through the secure path; and send a clock synchronization message to the terminal 1102 through the non-secure path.
  • the terminal 1102 is configured to establish a secure path and a non-secure path with the clock server 1101; associate the secure path with the non-secure path; perform control message interaction with the clock server 1101 through the secure path; and perform clock synchronization through the non-secure path.
  • the terminal 1102 may also send a security mechanism negotiation request to the clock server 1101 through the secure path, where the security mechanism negotiation request carries a security mechanism negotiation parameter, and receive the security mechanism negotiation request response returned by the clock server 1101, the request response indicating the security mechanism used and the corresponding negotiation parameters.
  • the clock server 1101 is further configured to receive, through the secure path, a security mechanism negotiation request sent by the terminal, where the security mechanism negotiation request carries a security mechanism negotiation parameter, and to return a security mechanism negotiation request response to the terminal 1102, the request response indicating the security mechanism used and the corresponding negotiation parameters.
  • the terminal 1102 may also send a point-to-point delay negotiation request to the clock server 1101 through the secure path; receive the point-to-point delay negotiation request authorization returned by the clock server 1101, and the delay negotiation request authorization indicates the delay mechanism used;
  • the clock server 1101 is further configured to receive, through the secure path, a point-to-point delay negotiation request sent by the terminal, and to return a point-to-point delay negotiation request authorization to the terminal, where the delay negotiation request authorization indicates the delay mechanism used;
  • the terminal 1102 may also initiate a handshake request for traversing network address translation to the clock server 1101 through the non-secure path, and receive the handshake request response returned by the clock server 1101, where the handshake request response carries the non-secure path address and the corresponding port after network address translation.
  • the clock server 1101 is further configured to receive, through the non-secure path, a handshake request initiated by the terminal for traversing network address translation, and to return a handshake request response to the terminal 1102, where the handshake request response carries the non-secure path address and the corresponding port after network address translation.
  • the clock server 1101 is further configured to periodically send an Announce multicast message for selecting a source to the terminal 1102 through the non-secure path, and to periodically send a clock synchronization message to the terminal 1102 in a multicast manner through the non-secure path.
  • the terminal 1102 may also receive, through the non-secure path, the Announce multicast message periodically sent by the clock server 1101 for selecting a source, receive the clock synchronization message periodically sent by the clock server 1101 in a multicast manner, and process the clock synchronization message according to the negotiated security mechanism.
  • the embodiment of FIG. 12 provides a clock server 121 and a terminal 123.
  • the terminal 123 can access the clock server 121 through the security gateway 122.
  • the clock server 121 provided in this embodiment includes the following modules:
  • a first path establishing module 1211, a second path establishing module 1212, and a clock message sending module 1213, where:
  • the first path establishing module 1211 is configured to establish a first path with the terminal 123, where the first path is a secure connection for transmitting data in a secure manner.
  • the first path here may be a secure IPsec tunnel, a secure dedicated link, or the like.
  • the first path establishing module 1211 can establish a secure connection with the terminal 123 through the security gateway 122.
  • the second path establishing module 1212 is configured to send, by using the first path, information for establishing the second path to the terminal 123, to establish the second path with the terminal.
  • for example, an authorization for the Announce message unicast request sent by the terminal 123 may be returned to the terminal 123, where the authorization carries the corresponding information for establishing the second path.
  • the address and port information carried in the Announce message unicast request sent by the terminal 123 are: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
  • the address and port information carried in the Announce message unicast authorization sent by the second path establishing module 1212 are: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
  • the clock message sending module 1213 is configured to send a clock synchronization message to the terminal 123 by using the second path.
  • the clock message can be sent in multicast mode or in unicast mode.
  • the clock server 121 may further include a first signaling module 1214, configured to send, through the first path, a control message to the terminal 123, where the control message includes any one or a combination of the following messages: an Announce message for selecting a source, an end-to-end delay negotiation request authorization, and a security mechanism negotiation request response.
  • the second signaling module 1215 is configured to send, through the second path, a control message to the terminal 123, where the control message includes any one or a combination of the following messages: a point-to-point delay negotiation request, an end-to-end delay negotiation request authorization, and an Announce multicast message for selecting a source.
  • the terminal 123 includes the following modules:
  • the first path establishing module 1231 is configured to establish a first path with the clock server 121, where the first path is a secure connection for transmitting data in a secure manner;
  • the second path establishing module 1232 is configured to obtain the information for establishing the second path from the clock server 121 through the first path, and to establish the second path with the clock server 121.
  • the clock message receiving module 1233 is configured to receive, by using the second path, a clock synchronization message sent by the clock server 121.
  • the terminal 123 may further include the following modules:
  • the third signaling module 1234 is configured to send, through the first path, a control message to the clock server 121, where the control message includes a security mechanism negotiation request.
  • the fourth signaling module 1235 is configured to send, through the second path, a control message to the clock server 121, where the control message includes any one or a combination of the following messages: a point-to-point delay negotiation request, an end-to-end delay negotiation request, and the like.
  • the method provided in this embodiment can use the first path to transmit some key information, such as a port of the clock server, so that the information required to establish the second path is hidden and is not disclosed to all terminals.
  • the security of the clock server is improved.
  • the first path can also be used to transmit key information, such as important control messages, so that this information is not easily intercepted, and the security of the clock synchronization process is improved;
  • the first path can also be used to negotiate the security mechanism used by the second path, simplifying the negotiation process of the security mechanism adopted by the second path.
  • Step 1301: a first path is established between the clock server and the terminal.
  • The first path is a secure connection, for example an IPSec tunnel or a newly added physical link.
  • The secure connection may also be established through a security gateway.
  • The connection may be initiated by the terminal, by the security gateway, or by the clock server.
  • Step 1302: a second path is established by using the first path.
  • The information required to establish the second path, such as the address and port of the clock server, is carried over the first path. Specifically:
  • the clock server receives an announce message unicast request sent by the terminal over the first path,
  • and returns an announce message unicast request authorization to the terminal over the first path, so that the terminal establishes the second path according to the information carried in the authorization; or, seen from the terminal, the terminal sends an announce message unicast request to the clock server over the first path,
  • and establishes the second path with the clock server according to the information carried in the announce message unicast request authorization.
  • Because the first path transmits the information required to establish the second path, such as the port of the server, in a secure manner, that information is difficult to intercept and is not disclosed to all terminals, which improves the security of the clock server.
  • Step 1303: clock messages are transmitted over the second path.
  • The clock server transmits the clock synchronization messages over the second path in unicast mode, or in multicast mode.
  • The method may further include the following steps:
  • The security mechanism used by the second path is negotiated between the clock server and the terminal over the first path. Because the first path carries the security mechanism parameters in a secure manner, the negotiation of the security mechanism can be centralized. Specifically:
  • the clock server receives a security mechanism negotiation request sent by the terminal over the first path, the request carrying the security mechanism negotiation parameters;
  • the clock server returns a security mechanism negotiation request response to the terminal over the first path, indicating the security mechanism and the corresponding negotiation parameters to be used when sending clock messages over the second path in step 1303.
  • Step 1303 may also include the following:
  • the clock server receives a point-to-point delay negotiation request sent by the terminal over the second path, and returns a point-to-point delay negotiation request authorization to the terminal over the second path, the authorization indicating the delay mechanism used on the second path in step 1303;
  • or the clock server receives an end-to-end delay negotiation request sent by the terminal over the second path, and returns an end-to-end delay negotiation request authorization to the terminal over the first path, the authorization indicating the delay mechanism used on the second path in step 1303.
  • After step 1302, network address translation (NAT) traversal may also be negotiated for the established second path, that is, the address and port of the terminal on the second path as seen after NAT. Specifically:
  • the clock server receives a handshake request for traversing NAT initiated by the terminal,
  • and returns a handshake request response to the terminal, the response carrying the terminal's address and corresponding port on the second path after NAT traversal.
  • The method provided by this embodiment can use the first path to transmit key information, such as the server port, or important control messages, to improve the security of the clock synchronization process.
  • The network system provided in the seventh embodiment of the present invention has been described in detail above: control messages are exchanged over the established secure path, so that they are not easily attacked, which further improves the security of the clock server, while clock synchronization messages can be transmitted over the established non-secure path.
  • All or part of the steps of the foregoing method embodiments may be implemented by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium, and when it is executed the steps of the foregoing method embodiments are performed. The storage medium may be any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disk.

Abstract

A clock synchronization method, device and network system are provided. The method includes: a clock server establishes a first path and a second path to a terminal, where the first path is a secure connection that transmits data in a secure manner and the second path is a connection that transmits data in either a secure or an insecure manner; the first path and the second path are associated; control messages are exchanged with the terminal over the first path, and clock synchronization messages are transmitted to the terminal over the second path. The invention can improve the security of clock synchronization while implementing it.

Description

Clock synchronization method, device and network system. This application claims priority to Chinese Patent Application No. 200810182902.6, filed with the Chinese Patent Office on December 5, 2008 and entitled "A clock synchronization method, device and network system", which is incorporated herein by reference in its entirety. Technical Field: The present invention relates to the field of communications technologies, and in particular to a clock synchronization method, device and network system. Background:
The IEEE 1588 protocol is a precision clock synchronization protocol standard for networked measurement and control systems. 1588 protocol messages fall into two categories, event messages and general messages. General messages do not require timestamps and are used to carry clock information, configuration and management information, and the like; event messages carry timestamps and are used to transmit time and frequency information. 1588 messages can be sent in two modes, unicast and multicast, and the two modes specify different destination addresses and ports.
The 1588 protocol is an adaptive network clock synchronization protocol: through a source selection algorithm it can automatically divide and rebuild the clock hierarchy of the whole network, and it supports both time synchronization and frequency synchronization. Time synchronization assumes symmetric link delay; in frequency synchronization, the clock server periodically sends clock synchronization messages to the terminal, and the terminal computes the difference between two consecutive clock synchronization messages to obtain the reference frequency.
In the prior art, the 1588 protocol provides a shared-key security mechanism that offers source authentication, message integrity protection and anti-replay. Refer to Figure 1, a flow chart of the shared-key security mechanism provided by the 1588 protocol. The sender is the originator of a message and may be a clock server or a terminal; the receiver is the recipient of a message and may likewise be a clock server or a terminal. The sender and the receiver each maintain a security association (SA), called the outbound SA and the inbound SA respectively; each SA includes a source port, source address, destination port, destination address, key, nonce and replay counter. The control port of the clock server is visible to all terminals and can receive messages from multiple terminals at the same time.
As shown in Figure 1, the processing of the security mechanism provided by the 1588 protocol is as follows: (1) The sender sends a 1588 message carrying an AUTHENTICATION TLV, which gives the type, length and value of the authentication data used to verify the message (the value containing a nonce, a replay counter, a key identifier, an algorithm identifier and the recorded message digest).
(2) If the receiver supports security verification of the message, it first checks message integrity and source: it determines the verification algorithm from the algorithm identifier and the verification key from the key identifier, computes the digest of the received 1588 message and compares it with the recorded digest. If they match, verification passes and the message is accepted; otherwise verification fails and the message is discarded.
(3) The receiver looks up its local inbound SA list. If the received message can be mapped to an SA, an anti-replay check is performed using the SA together with the nonce and replay counter carried in the message; if the check passes the message is processed, otherwise it is discarded.
(4) If the message cannot be mapped to an existing SA, a new inbound SA is created and a verification response procedure is run to confirm the validity of the parameters in the SA. When the replay counter recorded in the SA reaches its maximum value, the verification response procedure is run again to confirm new parameters for the SA.
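The receiver side of steps (1) to (4), as an added example written for this page (it is not the 1588 standard's reference code nor the patent's): it verifies the digest of an authenticated message, maps the message to an inbound SA by its address and port 4-tuple, and rejects replays through the counter. The TLV byte layout, the key table and the sample addresses are assumptions constructed for the example. It also makes the inventors' observation concrete: every check happens only after the message has already reached the control port, which any terminal can reach.

```python
import hashlib
import hmac
import struct

# Added example: a receiver for a shared-key authenticated 1588-style message, following the
# four steps described above. The wire layout of the authentication TLV is an assumption made
# for this example (key id | algorithm id | nonce | replay counter | digest), not the
# standard's exact encoding. Keys and addresses below are constructed sample data.
KEYS = {1: b"shared-key-1-constructed-for-example"}
ALGORITHMS = {1: hashlib.sha256}
TLV_HDR = struct.Struct("!HBII")   # key_id, alg_id, nonce, replay_counter
DIGEST_LEN = 32                     # HMAC-SHA256


def build_authenticated(body: bytes, key_id: int, alg_id: int, nonce: int, counter: int) -> bytes:
    """Sender side (step 1): append the TLV header and an HMAC over body + header."""
    hdr = TLV_HDR.pack(key_id, alg_id, nonce, counter)
    digest = hmac.new(KEYS[key_id], body + hdr, ALGORITHMS[alg_id]).digest()
    return body + hdr + digest


class InboundSA:
    """Inbound security association: peer 4-tuple, key id, nonce and the last accepted counter."""

    def __init__(self, peer, key_id, nonce):
        self.peer = peer            # (src_addr, src_port, dst_addr, dst_port)
        self.key_id = key_id
        self.nonce = nonce
        self.last_counter = -1      # nothing accepted yet


class Receiver:
    def __init__(self):
        self.sas = {}               # peer 4-tuple -> InboundSA

    def verify(self, src, sport, dst, dport, packet: bytes) -> str:
        trailer = TLV_HDR.size + DIGEST_LEN
        if len(packet) < trailer:
            return "discard: truncated"
        body, hdr, digest = packet[:-trailer], packet[-trailer:-DIGEST_LEN], packet[-DIGEST_LEN:]
        key_id, alg_id, nonce, counter = TLV_HDR.unpack(hdr)
        key, alg = KEYS.get(key_id), ALGORITHMS.get(alg_id)
        if key is None or alg is None:
            return "discard: unknown key or algorithm"
        # Step 2: integrity and source check; constant-time comparison of the digests.
        if not hmac.compare_digest(hmac.new(key, body + hdr, alg).digest(), digest):
            return "discard: bad digest"
        peer = (src, sport, dst, dport)
        sa = self.sas.get(peer)
        if sa is None:
            # Step 4: no matching SA, so create one. The standard then runs a verification
            # response exchange to confirm its parameters; that exchange is not modelled here.
            sa = InboundSA(peer, key_id, nonce)
            sa.last_counter = counter
            self.sas[peer] = sa
            return "accept: new SA"
        # Step 3: anti-replay. The nonce must match the SA and the counter must strictly increase.
        if nonce != sa.nonce or counter <= sa.last_counter:
            return "discard: replay"
        sa.last_counter = counter
        return "accept"


def demo():
    """Constructed exchange: two fresh messages, a replay of the second, and a tampered copy."""
    rx = Receiver()
    peer = ("10.0.0.7", 319, "10.0.0.1", 320)
    m1 = build_authenticated(b"Sync seq=1", 1, 1, nonce=0xABCD, counter=1)
    m2 = build_authenticated(b"Sync seq=2", 1, 1, nonce=0xABCD, counter=2)
    tampered = bytearray(m2)
    tampered[0] ^= 0xFF                     # flip a body bit; the digest no longer matches
    return [
        rx.verify(*peer, m1),
        rx.verify(*peer, m2),
        rx.verify(*peer, m2),               # same counter presented again
        rx.verify(*peer, bytes(tampered)),
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the digest is checked before the SA lookup, as the text orders the steps; a message from an unknown peer with a valid key therefore creates a new inbound SA, which is exactly the surface an attacker who can reach the control port gets to probe.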
The inventors found that the security mechanism provided by the 1588 protocol has at least the following problem: the control port of the clock server is exposed to all terminals and is vulnerable to attack. Summary: The technical problem to be solved by the embodiments of the present invention is to provide a clock synchronization method, device and network system that can further improve the security of the clock server while implementing clock synchronization.
To achieve the above objective, the embodiments of the present invention provide the following technical solutions:
An embodiment of the present invention provides a method for implementing clock synchronization, including:
a clock server establishes a secure path and a non-secure path with a terminal;
associates the secure path with the non-secure path;
exchanges control messages with the terminal over the secure path, and sends clock synchronization messages to the terminal over the non-secure path.
An embodiment of the present invention provides a method for implementing clock synchronization, including:
a terminal establishes a secure path and a non-secure path with a clock server;
associates the secure path with the non-secure path;
exchanges control messages with the clock server over the secure path, and performs clock synchronization over the non-secure path.
An embodiment of the present invention provides a clock server, including:
a first interface module, configured to establish a secure path and a non-secure path with a terminal;
a first association module, configured to associate the secure-path address of the terminal with its non-secure-path address;
a first control message exchange module, configured to exchange control messages with the terminal over the secure path;
a synchronization message sending module, configured to send clock synchronization messages to the terminal over the non-secure path.
An embodiment of the present invention provides a terminal, including:
a second interface module, configured to establish a secure path and a non-secure path with a clock server; a second association module, configured to associate the secure-path address of the clock server with its non-secure-path address;
a second control message exchange module, configured to exchange control messages with the clock server over the secure path;
a clock synchronization module, configured to perform clock synchronization with the clock server over the non-secure path.
An embodiment of the present invention further provides a network system, including:
a clock server, configured to establish a secure path and a non-secure path with a terminal, associate the secure path with the non-secure path, exchange control messages with the terminal over the secure path, and send clock synchronization messages to the terminal over the non-secure path;
a terminal, configured to establish a secure path and a non-secure path with the clock server, associate the secure path with the non-secure path, exchange control messages with the clock server over the secure path, and perform clock synchronization over the non-secure path.
An embodiment of the present invention further provides another clock server, including:
a first path establishing module, configured to establish a first path with a terminal, where the first path is a secure connection that transmits data in a secure manner;
a second path establishing module, configured to send, over the first path, the information required to establish a second path to the terminal, so as to establish the second path with the terminal;
a clock message module, configured to send clock synchronization messages to the terminal over the second path.
An embodiment of the present invention further provides another terminal, including:
a first path establishing module, configured to establish a first path with a clock server, where the first path is a secure connection that transmits data in a secure manner;
a second path establishing module, configured to obtain, over the first path, the information required to establish a second path from the clock server, and to establish the second path with the clock server; a clock message module, configured to receive, over the second path, clock synchronization messages sent by the clock server.
An embodiment of the present invention further provides another method, including:
establishing a first path between a clock server and a terminal, where the first path is a secure connection that transmits data in a secure manner;
transmitting, over the first path, the information for establishing a second path, and establishing the second path between the clock server and the terminal according to that information;
transmitting clock messages over the second path.
The clock server of the embodiments of the present invention establishes a secure path and a non-secure path with the terminal and sends clock synchronization messages to the terminal over the established non-secure path, so that the terminal can perform clock synchronization according to those messages. At the same time, because control messages are exchanged with the terminal over the secure path, they cannot easily be read by a third party, so the security of the clock server can be further improved. Brief Description of the Drawings: Figure 1 is a schematic flow chart of the shared-key security mechanism provided by the existing 1588 protocol;
Figure 2 is a schematic flow chart of a clock synchronization method provided by Embodiment 1 of the present invention; Figure 3 is a schematic flow chart of another clock synchronization method provided by Embodiment 2; Figure 4 is a schematic diagram of the deployment architecture of the clock server and the terminal provided by Embodiment 3; Figure 5 is a schematic flow chart, provided by Embodiment 4, of transmitting clock synchronization messages between the terminal and the clock server over the non-secure path and control messages over the secure path;
Figure 6 is a schematic flow chart of a method for implementing clock synchronization provided by Embodiment 5; Figure 7 is a schematic flow chart of a method for implementing clock synchronization provided by Embodiment 6; Figure 8 is a schematic flow chart of a method for implementing clock synchronization provided by Embodiment 7; Figure 9 is a schematic structural diagram of a clock server provided by Embodiment 8; Figure 10 is a schematic structural diagram of a terminal provided by Embodiment 9;
Figure 11 is a schematic diagram of a network system provided by Embodiment 10;
Figure 12 is a schematic structural diagram of a clock synchronization network provided by Embodiment 11; Figure 13 is a schematic flow chart of a clock synchronization method provided by Embodiment 12. Detailed Description: The embodiments of the present invention provide a clock synchronization method, device and network system that can further improve the security of the clock server while implementing clock synchronization.
To facilitate further understanding of the embodiments of the present invention, they are described in detail below with reference to the accompanying drawings.
Embodiment 1
Refer to Figure 2, a schematic flow chart of a clock synchronization method provided by an embodiment of the present invention. As shown in Figure 2, the method may include:
Step 201: the clock server establishes a secure path and a non-secure path with the terminal.
The clock server may establish the secure path with the terminal by adding a logical interface, for example an IPSec tunnel, or by adding a physical link, for example a dedicated signaling link.
The clock server may establish the non-secure path with the terminal through a public communication network, for example by accessing the Internet.
Step 202: associate the secure path with the non-secure path.
Generally, each clock has a globally unique identifier that is carried in every message it exchanges. Through this identifier, the address of the terminal on the secure path and its address on the non-secure path are associated, which associates the secure path with the non-secure path.
Step 203: exchange control messages with the terminal over the secure path, and send clock synchronization messages to the terminal over the non-secure path.
The control message exchange with the terminal over the secure path may specifically be: the clock server receives an announce message unicast request sent by the terminal; returns an announce message unicast request authorization to the terminal;
and periodically sends announce unicast messages used for source selection to the terminal.
The control message exchange with the terminal over the secure path may also be:
the clock server receives a security mechanism negotiation request sent by the terminal, the request carrying security mechanism negotiation parameters;
and returns a security mechanism negotiation request response to the terminal, indicating the security mechanism to be used and the corresponding negotiation parameters; or
the clock server sends a security mechanism negotiation request to the terminal, the request carrying security mechanism negotiation parameters;
and receives the security mechanism negotiation request response returned by the terminal, indicating the security mechanism to be used and the corresponding negotiation parameters.
The control message exchange with the terminal over the secure path may also be:
the clock server receives a point-to-point delay negotiation request sent by the terminal over the secure path, and returns a point-to-point delay negotiation request authorization to the terminal, the authorization indicating the delay mechanism to be used;
or receives an end-to-end delay negotiation request sent by the terminal over the secure path,
and returns an end-to-end delay negotiation request authorization to the terminal, the authorization indicating the delay mechanism to be used.
Sending clock synchronization messages over the non-secure path is specifically:
the clock server sends clock synchronization messages to the terminal over the non-secure path in unicast mode; or sends clock synchronization messages to the terminal over the non-secure path in multicast mode.
Further, the method for implementing secure clock synchronization provided by the embodiment of the present invention may also negotiate network address translation over the non-secure path, specifically:
the clock server receives, over the non-secure path, a handshake request for traversing network address translation initiated by the terminal;
and returns a handshake request response to the terminal, the response carrying the non-secure path address and the corresponding port after network address translation.
Further, in the method for implementing secure clock synchronization provided by the embodiment of the present invention, the clock server may periodically send announce multicast messages used for source selection to the terminal over the non-secure path, and periodically send clock synchronization messages to the terminal over the non-secure path in multicast mode.
The above describes a clock synchronization method provided by an embodiment of the present invention. The clock server establishes a secure path and a non-secure path with the terminal and sends clock synchronization messages to the terminal over the established non-secure path, so that the terminal can perform clock synchronization according to those messages. At the same time, because the clock server exchanges control messages with the terminal over the secure path, the control messages are not easily attacked, and the security of the clock server can be further improved.
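The server side of steps 201 to 203, together with the first-path bootstrap of steps 1301 to 1303 in the twelfth embodiment, as an added example written for this page rather than the patent's own code: control messages are honoured only when they arrive on the secure path; the non-secure Sync endpoint is disclosed only inside an authorization sent over that path; the security mechanism and key are negotiated there; the NAT handshake on the non-secure path returns the address and port seen after NAT; and Sync messages leave on the non-secure path protected with the negotiated mechanism. The mechanism names, message field names, addresses and clock identity are constructed assumptions. Binding the NAT handshake to the negotiated key is not in the text and is this example's addition: without it, anyone on the public network could redirect a terminal's Sync stream by sending a handshake in its name.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not the patent's own code. Mechanism names, message field names and the
# addresses in demo() are assumptions constructed for this example.
MECHANISMS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}
PREFERENCE = ("hmac-sha256", "hmac-sha1")   # server's preference order, strongest first


def tag(mechanism: str, key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, MECHANISMS[mechanism]).digest()


class ClockServer:
    def __init__(self, sync_addr: str, sync_port: int):
        # The non-secure (second) path endpoint. It is only ever disclosed over the secure path.
        self.sync_endpoint = (sync_addr, sync_port)
        self.terminals = {}   # clock identity -> per-terminal state (the path association)

    def handle_control(self, path: str, src_addr: str, msg: dict) -> dict:
        """Control plane: announce unicast requests and security negotiation. Anything that
        did not arrive on the secure first path is dropped, so the control function is never
        reachable from the public network."""
        if path != "first":
            return {"status": "dropped", "reason": "control message not on the secure path"}
        t = self.terminals.setdefault(msg["clock_id"], {"first_addr": src_addr})
        if msg["type"] == "announce_unicast_req":
            # The authorization carries what the terminal needs to build the second path.
            return {"status": "granted", "sync_addr": self.sync_endpoint[0], "sync_port": self.sync_endpoint[1]}
        if msg["type"] == "security_negotiation_req":
            common = [m for m in PREFERENCE if m in msg["mechanisms"]]
            if not common:
                return {"status": "rejected", "reason": "no common security mechanism"}
            t["mechanism"] = common[0]
            t["key"] = secrets.token_bytes(32)   # travels only over the secure path
            return {"status": "ok", "mechanism": common[0], "key": t["key"]}
        return {"status": "rejected", "reason": "unknown control message"}

    def handle_nat_handshake(self, observed_addr: str, observed_port: int, clock_id: bytes, seq: int, mac: bytes) -> dict:
        """NAT traversal handshake on the non-secure path: the reply carries the address and port
        seen after NAT. The MAC under the key negotiated on the secure path is this example's
        addition; it stops a third party from registering its own address for the terminal."""
        t = self.terminals.get(clock_id)
        if t is None or "key" not in t:
            return {"status": "dropped", "reason": "no negotiated security mechanism for this clock"}
        expected = tag(t["mechanism"], t["key"], b"nat" + clock_id + struct.pack("!I", seq))
        if not hmac.compare_digest(expected, mac):
            return {"status": "dropped", "reason": "bad handshake MAC"}
        t["second_path"] = (observed_addr, observed_port)
        return {"status": "ok", "addr": observed_addr, "port": observed_port}

    def send_sync(self, clock_id: bytes, seq: int, origin_ts_ns: int):
        """Unicast Sync on the non-secure path, protected with the negotiated mechanism.
        Returns (destination, packet), or None when no association exists for the clock."""
        t = self.terminals.get(clock_id)
        if t is None or "second_path" not in t or "key" not in t:
            return None
        body = struct.pack("!IQ", seq, origin_ts_ns)
        return t["second_path"], body + tag(t["mechanism"], t["key"], body)


def demo():
    srv = ClockServer("203.0.113.10", 40319)          # constructed addresses
    cid = bytes.fromhex("001122fffe334455")           # constructed clock identity
    # A request that arrives on the non-secure path never learns the Sync endpoint.
    leak = srv.handle_control("second", "198.51.100.5", {"type": "announce_unicast_req", "clock_id": cid})
    # The same request on the secure path is granted and discloses address and port.
    grant = srv.handle_control("first", "10.1.0.7", {"type": "announce_unicast_req", "clock_id": cid})
    # Security mechanism negotiation on the secure path; the server picks its preferred common one.
    neg = srv.handle_control("first", "10.1.0.7", {"type": "security_negotiation_req", "clock_id": cid,
                                                   "mechanisms": ["hmac-sha1", "hmac-sha256"]})
    # NAT handshake on the non-secure path, authenticated with the negotiated key.
    mac = tag(neg["mechanism"], neg["key"], b"nat" + cid + struct.pack("!I", 1))
    nat = srv.handle_nat_handshake("198.51.100.5", 51000, cid, 1, mac)
    dest, packet = srv.send_sync(cid, 1, 1_700_000_000_000_000_000)
    return leak["status"], grant["sync_port"], neg["mechanism"], nat["status"], dest, len(packet)


if __name__ == "__main__":
    print(demo())
```

The `path` argument stands for whichever interface the message came in on (the IPSec tunnel's inner address or the dedicated link versus the public interface); in a real deployment that distinction is made by the socket or interface the datagram was received on, not by a field the sender controls.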
Embodiment 2
Refer to Figure 3, a flow chart of another clock synchronization method provided by an embodiment of the present invention. As shown in Figure 3, the method may include:
Step 301: the terminal establishes two bearer paths to the clock server, a secure path and a non-secure path.
The terminal may establish the secure path with the clock server by adding a logical interface, for example an IPSec tunnel, or by adding a physical link, for example a dedicated signaling link.
The terminal may establish the non-secure path with the clock server through a public communication network, for example by accessing the Internet.
Step 302: associate the secure path with the non-secure path.
The terminal can associate the secure-path address of the clock server with its non-secure-path address by means of the clock identifier sent by the clock server, which associates the secure path with the non-secure path.
Step 303: exchange control messages with the clock server over the secure path, and perform clock synchronization over the non-secure path.
The control message exchange with the clock server over the secure path may specifically be: the terminal sends an announce message unicast request to the clock server;
receives the announce message unicast request authorization returned by the clock server;
and periodically receives announce unicast messages used for source selection sent by the clock server.
The control message exchange with the clock server over the secure path may also be: the terminal sends a security mechanism negotiation request to the clock server, the request carrying security mechanism negotiation parameters; and receives the security mechanism negotiation request response returned by the clock server, indicating the security mechanism to be used and the corresponding negotiation parameters; or
the terminal receives a security mechanism negotiation request sent by the clock server, the request carrying security mechanism negotiation parameters;
and returns a security mechanism negotiation request response to the clock server, indicating the security mechanism to be used and the corresponding negotiation parameters.
The control message exchange with the clock server over the secure path may also be: the terminal sends a point-to-point delay negotiation request to the clock server over the secure path, and receives the point-to-point delay negotiation request authorization returned by the clock server, the authorization indicating the delay mechanism to be used;
or sends an end-to-end delay negotiation request to the clock server over the secure path, and receives the end-to-end delay negotiation request authorization returned by the clock server, the authorization indicating the delay mechanism to be used.
Clock synchronization over the non-secure path may specifically be:
the terminal receives, over the non-secure path, clock synchronization messages sent by the clock server in unicast mode, or receives, over the non-secure path, clock synchronization messages sent by the clock server in multicast mode, and processes the clock synchronization messages according to the negotiated security mechanism.
Further, the clock synchronization method provided by the embodiment of the present invention may also negotiate network address translation over the non-secure path, specifically:
the terminal initiates, over the non-secure path, a handshake request for traversing network address translation to the clock server;
and receives the handshake request response returned by the clock server, the response carrying the non-secure path address and the corresponding port after network address translation.
Further, in the method for implementing secure clock synchronization provided by the embodiment of the present invention, the terminal may periodically receive, over the non-secure path, announce multicast messages used for source selection sent by the clock server, and periodically receive, over the non-secure path, clock synchronization messages sent by the clock server in multicast mode.
The above describes a clock synchronization method provided by an embodiment of the present invention. The terminal establishes a secure path and a non-secure path to the clock server, and can receive clock synchronization messages sent by the clock server over the established non-secure path, so as to perform clock synchronization according to those messages. At the same time, because control messages are exchanged with the server over the secure path, they are not easily attacked, and the security of the clock server can be further improved.
Embodiment 3
Before describing specific embodiments of the method provided by the embodiments of the present invention, the network architecture discussed in the embodiments is first introduced. From a security perspective, networks can be divided into trusted networks and untrusted networks. Communication between network elements inside a trusted network is secure; conversely, when a network element is placed in an untrusted network, communication between it and the other network elements is not secure. Trusted networks are mainly the operator's core network or other private networks; untrusted networks are mainly public communication networks, such as the Internet.
Referring to FIG. 4, FIG. 4 is a schematic diagram of the deployment architecture of the clock server and the terminal according to an embodiment of the present invention. As shown in FIG. 4, the clock server is deployed in the trusted network and the terminal is deployed in the untrusted network. Communication of the clock server inside the trusted network is secured, whereas communication between the clock server and the terminal is relatively unsecured. Two communication paths are established between the clock server and the terminal: a secure path and a non-secure path. Clock synchronization messages transmitted over the non-secure path must pass the filtering of the security gateway, while control messages transmitted over the secure path are passed through transparently by the security gateway in both directions. The secure path can be established in several ways, for example an IPSec tunnel established by adding a logical interface, or a dedicated signaling link established by adding a physical link; the non-secure path can be established by accessing the existing public communication network.
Embodiment 4:
This embodiment is one in which the clock server is deployed in the trusted network, the home gateway operates in routing mode, and the terminal and the clock server transmit clock synchronization messages over the non-secure path and control messages over the secure path. Referring to FIG. 5, FIG. 5 is a schematic flowchart, according to Embodiment 1 of the present invention, of the terminal and the clock server transmitting clock synchronization messages over the non-secure path and control messages over the secure path. As shown in FIG. 5, the dashed line indicates how the service packet addresses change when the terminal and the clock server transmit clock synchronization messages over the non-secure path; the solid line indicates how the service packet addresses change when the terminal and the clock server exchange control messages over the secure path. SIP denotes the source IP and DIP the destination IP; SPort denotes the source port and DPort the destination port. The terminal has two addresses: 10.10.2.20 is the secure path communication address, for example the address assigned to the terminal when the clock server is deployed in the core network and the terminal accesses the core network through the secure path IPSec tunnel; 192.168.0.2 is the non-secure path communication address, for example the address used for public network communication. The clock server likewise has two addresses: 10.10.2.2 is the secure path communication address, and 210.45.38.2 is the non-secure path communication address, for example the address used for public network communication.
To facilitate the subsequent description of the embodiments of the present invention, the network addresses used in the embodiments are first defined as follows:
(1) S-S-IP: the IP communication address assigned to the terminal when it accesses the trusted network over the secure path, such as 10.10.2.20 in FIG. 5;
(2) S-U-IP: the IP communication address assigned to the terminal when it accesses the trusted network over the non-secure path, such as 192.168.0.2 in FIG. 5;
(3) S-NAT-U-IP: the IP communication address of the terminal's non-secure path after network address translation, such as 202.38.120.4 in FIG. 5; when no network address translation is traversed, this address is the same as S-U-IP;
(4) M-A-IP: the access IP communication address of the clock server, such as 210.45.38.2 in FIG. 5;
(5) M-I-IP: the internal IP communication address of the clock server, such as 10.10.2.2 in FIG. 5.
In the flowchart shown in FIG. 5, when the clock client sends a message to the clock server over the second path (the non-secure path, shown dashed), the source address SIP in the message is 192.168.0.2, the source port SPort is 319, the destination address DIP is 210.45.38.2, and the destination port DPort is 319. On reaching the home gateway, the home gateway replaces the SIP with the external address of the clock client (that is, the address of the home gateway), 202.30.120.4, and the SPort with 2345. On reaching the security gateway, the security gateway replaces the DIP in the message with the internal address of the clock server, 10.10.2.2, leaves the DPort unchanged, and then forwards the message to the clock server.
When the clock server sends a message to the clock client, the SIP in the message is the internal address of the clock server, 10.10.2.2, and the SPort is 319; the DIP in the message is the external address of the clock client, 202.38.120.4, and the DPort is 2345. On reaching the security gateway, the security gateway replaces the SIP in the message with the external address of the clock server, 210.45.38.2, and leaves the DPort unchanged. On reaching the home gateway, the home gateway replaces the DIP with the internal address of the clock client, 192.168.0.2, and changes the DPort to 319.
The solid line shows the first path (the secure path). The clock client and the security gateway establish a secure connection such as an IPSec tunnel, within which the clock server and the local area network are in the same virtual LAN; alternatively, a dedicated physical link lets the clock client establish a direct connection to the security gateway, so that the clock server and the clock client can be in the same LAN. On the first path, the IP address of the clock client is 10.10.2.2. In the message sent to the clock server, the SIP is 10.10.2.20, the SPort is 320, the DIP is the internal address of the clock server, 10.10.2.2, and the DPort is 320; the message is sent to the clock server over the first path, and neither its SIP nor its DIP is changed in transit. If the clock server sends a clock message to the clock client, the SIP is the address of the clock server, 10.10.2.2, the SPort is 320, the DIP is the address of the clock client, 10.10.2.20, and the DPort is 320; the message is sent to the clock client over the first path, and the SIP, DIP and corresponding port numbers do not change during delivery.
It can be seen from FIG. 5 that, when control messages are transmitted over the secure path in the embodiment of the present invention, the home gateway and the security gateway act as transparent relays in both directions, so the control messages are not easily parsed, which can further improve the security of the clock server. At the same time, the terminal can receive the clock synchronization messages sent by the clock server over the established non-secure path and can therefore perform clock synchronization. In addition, when clock synchronization messages are transmitted over the non-secure path, the network addresses can be translated flexibly, so that NAT traversal can be achieved.
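The address rewriting described for FIG. 5 can be traced hop by hop in code. The following is an added example written for this page, not code from the patent or its assignee; it models the home gateway in routing mode as a stateful source NAT, the security gateway as a destination NAT that filters anything not addressed to the server's access address, and the secure path as a transparent relay. The class and function names are constructed for the example; the addresses and ports are the ones given on the page, with the first mapped port fixed at 2345 to reproduce the figure.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Addresses as given for FIG. 5 on the page.
S_S_IP = "10.10.2.20"        # terminal, secure path
S_U_IP = "192.168.0.2"       # terminal, non-secure path (behind the home gateway)
S_NAT_U_IP = "202.38.120.4"  # terminal after NAT (the home gateway's public address)
M_A_IP = "210.45.38.2"       # clock server access address (public side)
M_I_IP = "10.10.2.2"         # clock server internal address
EVENT_PORT = 319             # 1588 event messages (clock synchronization)
GENERAL_PORT = 320           # 1588 general messages (control)


@dataclass(frozen=True)
class Packet:
    sip: str
    sport: int
    dip: str
    dport: int


class HomeGateway:
    """Home gateway in routing mode: stateful source NAT.

    Outbound packets leave with the gateway's public address and a mapped
    port. An inbound packet is forwarded only if its destination port was
    created by an earlier outbound packet; anything else is dropped (None).
    """

    def __init__(self, public_ip: str, first_port: int = 2345) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (int ip, int port) -> mapped port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # mapped port -> (int ip, int port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.sip, p.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(p, sip=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dip != self.public_ip or p.dport not in self.in_map:
            return None  # unsolicited: no mapping, dropped at the home gateway
        ip, port = self.in_map[p.dport]
        return replace(p, dip=ip, dport=port)


class SecurityGateway:
    """Security gateway in front of the clock server.

    Non-secure path: destination NAT from the access address to the internal
    address on the way in, source NAT back to the access address on the way
    out; packets not addressed to the access address are filtered. Secure
    path: passed through unchanged (transparent in both directions).
    """

    def __init__(self, access_ip: str, internal_ip: str) -> None:
        self.access_ip = access_ip
        self.internal_ip = internal_ip

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dip != self.access_ip:
            return None
        return replace(p, dip=self.internal_ip)   # DPort left unchanged

    def outbound(self, p: Packet) -> Packet:
        return replace(p, sip=self.access_ip)      # SPort left unchanged

    def secure(self, p: Packet) -> Packet:
        return p


def non_secure_to_server(hg: HomeGateway, sg: SecurityGateway, p: Packet) -> List[Optional[Packet]]:
    """Packet as seen at the terminal, after the home gateway, after the security gateway."""
    at_hg = hg.outbound(p)
    return [p, at_hg, sg.inbound(at_hg)]


def non_secure_to_terminal(hg: HomeGateway, sg: SecurityGateway, p: Packet) -> List[Optional[Packet]]:
    """Packet as seen at the server, after the security gateway, after the home gateway."""
    at_sg = sg.outbound(p)
    return [p, at_sg, hg.inbound(at_sg)]


def secure_path(sg: SecurityGateway, p: Packet) -> List[Packet]:
    """First path: the control message arrives with the same SIP/DIP/ports it left with."""
    return [p, sg.secure(p)]
```

Running the unicast Delay_Req of FIG. 5 through `non_secure_to_server` yields 192.168.0.2:319 at the terminal, 202.38.120.4:2345 after the home gateway, and a DIP of 10.10.2.2 after the security gateway, as the page describes; the reply reverses each step. The inbound check in `HomeGateway` is the reason step (2) of Embodiment 5 must run before any server-initiated traffic: without a mapping, the home gateway has nothing to forward.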
Embodiment 5:
Referring to FIG. 6, FIG. 6 is a schematic flowchart of a method for implementing clock synchronization security according to Embodiment 2 of the present invention. As shown in FIG. 6, this embodiment sends clock synchronization messages in unicast mode; the dashed lines indicate steps performed over the non-secure path, and the solid lines indicate steps performed over the secure path. The flow of this embodiment may include:
(1) The terminal establishes a secure path with the security gateway, thereby establishing a secure path between the terminal and the clock server.
The secure path between the clock server and the terminal may be established by adding a logical interface, such as an IPSec tunnel, or by adding a physical link, such as a dedicated signaling link. In this embodiment, an IPSec tunnel is taken as the example for establishing the secure path between the terminal and the clock server.
(2) The terminal initiates, over the non-secure path, a handshake request Handshake_Req for NAT traversal to the clock server; the handshake request carries an identifier (for example a random number) used for message matching.
The address and port information carried by the handshake request is: SIP: S-S-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
For the different sending modes of clock messages, the 1588 protocol specifies different sending addresses and ports. Table 1 shows the correspondence between the sending mode of clock messages and the port.
(3) The clock server answers the handshake request, returning a handshake request response Handshake_Resp according to the random number, source IP and port of the handshake request; the handshake request response carries the non-secure path address after network address translation and the corresponding port. If the clock server does not support the handshake request, no handshake request response is sent.
The address and port information carried by the handshake request response is: SIP: M-I-IP; SPort: 319; DIP: S-NAT-U-IP; DPort: the source port of the handshake request.
(4) The terminal sends an Announce message unicast request to the clock server.
The address and port information carried by the Announce message unicast request sent by the terminal is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(5) The clock server grants unicast authorization for the Announce message.
The address and port information carried by the Announce message unicast authorization sent by the clock server is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(6) The clock server periodically sends Announce unicast messages to the terminal, used for clock server source selection.
The address and port information carried by the Announce unicast messages periodically sent by the clock server is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(7) The terminal sends a unicast request for clock synchronization messages to the selected clock server, carrying the translated network address S-NAT-U-IP and the corresponding port announced in the handshake response; it may additionally carry the security mechanism parameters supported by the terminal.
The address and port information carried by the unicast request for clock synchronization messages sent by the terminal to the selected clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(8) The clock server sends a unicast authorization message to the terminal; if the security mechanism is supported, it specifies the security mechanism parameters.
The address and port information carried by the unicast authorization message sent by the clock server to the terminal is: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(9) If the terminal wishes to perform an independent security negotiation, the terminal sends a clock Signaling message to the clock server carrying the security mechanism negotiation parameters.
The address and port information carried by the Signaling message sent by the terminal to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(10) If the clock server supports the security mechanism, it returns a Signaling indication message to the terminal, indicating the security mechanism to be used and the corresponding negotiation parameters.
The address and port information carried by the Signaling indication message returned by the clock server to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
It should be noted that if the terminal and/or the clock server do not implement security, steps (9) and (10) are omitted.
(11) If time synchronization is being performed, the terminal sends a point-to-point delay negotiation request Delay_Req to the clock server.
The address and port information carried by the point-to-point delay negotiation request sent by the terminal to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(12) The clock server returns a point-to-point delay negotiation request authorization Delay_Resp to the terminal; the delay negotiation request authorization indicates the delay mechanism to be used.
The address and port information carried by the point-to-point delay negotiation request authorization returned by the clock server to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(13) If time synchronization is being performed, the terminal may also send an end-to-end delay negotiation request PDelay_Req to the clock server.
The address and port information carried by the end-to-end delay negotiation request sent by the terminal to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(14) The clock server returns an end-to-end delay negotiation request authorization PDelay_Resp to the terminal; the delay negotiation request authorization indicates the delay mechanism to be used.
The address and port information carried by the end-to-end delay negotiation request authorization returned by the clock server to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
It should be noted that steps (11), (12), (13) and (14) negotiate the delay mechanism for time synchronization; for frequency synchronization, steps (11), (12), (13) and (14) are omitted.
(15) The clock server periodically sends clock synchronization messages to the terminal in unicast mode, for frequency or time synchronization; on receiving such a message, the terminal must check it according to the previously negotiated security mechanism, and only messages that pass the check are processed.
The address and port information carried by the clock synchronization messages periodically sent by the clock server to the terminal in unicast mode is:
SIP: M-I-IP; SPort: 319; DIP: the IP address indicated in the unicast negotiation if one was indicated, otherwise the source IP of the unicast request; DPort: the port indicated in the unicast negotiation if one was indicated, otherwise 319.
(16) For time synchronization, the terminal may send a point-to-point delay request Delay_Req to the clock server according to the delay mechanism negotiated in steps (11) and (12).
The address and port information carried by the point-to-point delay request sent by the terminal to the clock server is: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
(17) The clock server checks the request according to the negotiated security mechanism, processes messages that pass the check, and returns a point-to-point delay request authorization Delay_Resp to the terminal.
The address and port information carried by the point-to-point delay request authorization returned by the clock server to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(18) For time synchronization, the terminal may send an end-to-end delay request PDelay_Req to the clock server according to the delay mechanism negotiated in steps (13) and (14).
The address and port information carried by the end-to-end delay request sent by the terminal to the clock server is: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
(19) The clock server checks the request according to the negotiated security mechanism, processes messages that pass the check, and returns an end-to-end delay request authorization PDelay_Resp to the terminal.
The address and port information carried by the end-to-end delay request authorization returned by the clock server to the terminal is:
SIP: M-I-IP; SPort: 319; DIP: S-NAT-U-IP; DPort: the SPort of the PDelay_Req.
It should be noted that, when time synchronization is performed, steps (16), (17), (18) and (19) carry out time synchronization according to the delay mechanism negotiated in steps (11), (12), (13) and (14); for frequency synchronization, steps (11), (12), (13), (14), (16), (17), (18) and (19) are omitted.
It can be understood that, in this embodiment, the terminal is the clock client (Slave). The secure path is the path established between the terminal and the clock server for transferring data in a secure manner (called the first path in this embodiment); the non-secure path is the second path established between the terminal and the clock server after the first path has been established (called the second path in this embodiment).
Steps 2 and 3 negotiate some parameters of the terminal's NAT traversal, such as the translated address and port number; these two steps must be completed before the second path is established. The second path is a connection that may transfer data either in a secure manner or in a non-secure manner.
In steps 4, 5 and 6, the information used to establish the second path is carried in Announce messages through the IPSec tunnel; this information includes, for example, the address of the clock server and the port used by the clock server, from which the terminal can establish a second path. Because the IPSec tunnel carries this information securely, key information (such as the port of the clock server) is not easily obtained, which improves security.
In steps 9 and 10 (optional), the security policy to be used on the second path is negotiated over the first path, which effectively simplifies the security negotiation process. If these two steps negotiate security parameters, the second path can transfer data using the negotiated security policy.
The method provided in this embodiment can be applied to transferring the clock messages specified by the IEEE 1588 protocol.
The foregoing describes in detail the method for implementing clock synchronization provided by Embodiment 2 of the present invention. The clock server establishes a secure path and a non-secure path with the terminal and sends clock synchronization messages to the terminal over the established non-secure path, so that the terminal can perform clock synchronization according to those clock synchronization messages. At the same time, because the clock server exchanges control messages with the terminal over the secure path, the control messages are not easily attacked, which can further improve the security of the clock server.
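Steps 2 and 3 above (Handshake_Req carrying a random identifier, Handshake_Resp echoing the address and port the server observed) can be exercised end to end with the following added example. It is illustration code written for this page, not code from the patent; the patent does not define a wire format, so the `HSREQ`/`HSRESP` layout, the 8-byte identifier and the function names are constructed here. The clock server answers with the source address and port it saw on the non-secure path (S-NAT-U-IP and the mapped port), and the terminal accepts a response only if it carries the identifier the terminal sent, which is what "used for message matching" on the page requires.

```python
import hmac
import ipaddress
import os
import struct
from typing import Optional, Tuple

# Constructed wire format (not from the patent):
#   Handshake_Req  = b"HSREQ"  + 8-byte identifier
#   Handshake_Resp = b"HSRESP" + 8-byte identifier + 4-byte IPv4 + 2-byte port
REQ_MAGIC = b"HSREQ"
RESP_MAGIC = b"HSRESP"
ID_LEN = 8


def new_identifier() -> bytes:
    """Random identifier carried in Handshake_Req, as the page suggests (a random number)."""
    return os.urandom(ID_LEN)


def build_handshake_req(ident: bytes) -> bytes:
    if len(ident) != ID_LEN:
        raise ValueError("identifier must be %d bytes" % ID_LEN)
    return REQ_MAGIC + ident


def server_handle(datagram: bytes, observed_src: Tuple[str, int],
                  supports_handshake: bool = True) -> Optional[bytes]:
    """Clock server side of step (3).

    observed_src is the (SIP, SPort) of the datagram as it arrived at the
    server, i.e. after the home gateway's NAT: S-NAT-U-IP and the mapped port.
    A server that does not support the handshake sends nothing (None).
    """
    if not supports_handshake:
        return None
    if len(datagram) != len(REQ_MAGIC) + ID_LEN or not datagram.startswith(REQ_MAGIC):
        return None
    ident = datagram[len(REQ_MAGIC):]
    ip, port = observed_src
    return RESP_MAGIC + ident + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)


def terminal_parse_resp(datagram: bytes, expected_ident: bytes) -> Optional[Tuple[str, int]]:
    """Terminal side: match the identifier before trusting the reported address.

    A response whose identifier does not match the one the terminal sent is
    ignored, so a stray or forged reply cannot plant a wrong S-NAT-U-IP.
    """
    hdr = len(RESP_MAGIC)
    if len(datagram) != hdr + ID_LEN + 6 or not datagram.startswith(RESP_MAGIC):
        return None
    ident = datagram[hdr:hdr + ID_LEN]
    if not hmac.compare_digest(ident, expected_ident):
        return None
    ip = str(ipaddress.IPv4Address(datagram[hdr + ID_LEN:hdr + ID_LEN + 4]))
    (port,) = struct.unpack("!H", datagram[hdr + ID_LEN + 4:])
    return ip, port


def behind_nat(learned_ip: str, own_non_secure_ip: str) -> bool:
    """Page: when no NAT is traversed, S-NAT-U-IP equals S-U-IP."""
    return learned_ip != own_non_secure_ip


def nat_traversal_handshake(observed_src: Tuple[str, int], supports_handshake: bool = True,
                            ident: Optional[bytes] = None) -> Optional[Tuple[str, int]]:
    """Run steps (2) and (3) over a simulated non-secure path.

    Returns the (S-NAT-U-IP, port) the terminal will announce in step (7), or
    None if the server did not answer or the answer did not match.
    """
    if ident is None:
        ident = new_identifier()
    resp = server_handle(build_handshake_req(ident), observed_src, supports_handshake)
    if resp is None:
        return None
    return terminal_parse_resp(resp, ident)
```

With the FIG. 5 addresses, a terminal at 192.168.0.2 whose request reaches the server as 202.38.120.4:2345 learns exactly that pair and can tell from `behind_nat` that a translation is in place; the same terminal on an untranslated path would learn its own S-U-IP back.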
实施例 6:  Example 6:
请参阅图 7, 图 7为本发明实施例三提供的实现时钟同步的方法的流程 图。 如图 7所示, 本实施例以多播的方式进行时钟同步报文的发送, 虚线表 示在非安全路径上进行的流程, 实线表示在安全路径进行的流程。 本实施例 流程可以包括:  Referring to FIG. 7, FIG. 7 is a flow chart of a method for implementing clock synchronization according to Embodiment 3 of the present invention. As shown in FIG. 7, in this embodiment, a clock synchronization message is sent in a multicast manner, a broken line indicates a flow performed on an unsecured path, and a solid line indicates a flow performed on a secure path. The flow of this embodiment may include:
( 1 ) 终端与安全网关建立安全路径, 从而实现终端和时钟服务器之 间的安全路径的建立。  (1) The terminal establishes a secure path with the security gateway to establish a secure path between the terminal and the clock server.
其中, 时钟服务器与终端之间的安全路径可以是通过新增逻辑接口的 方式建立, 比如 IP Sec隧道; 或通过新增物理链路的方式建立, 比如专用 信令链路等。 在本实施例中, 以 IP Sec隧道为例建立终端和时钟服务器之 间安全路径。  The security path between the clock server and the terminal may be established by adding a logical interface, such as an IP Sec tunnel, or by adding a physical link, such as a dedicated signaling link. In this embodiment, an IP Sec tunnel is taken as an example to establish a secure path between the terminal and the clock server.
( 2 ) 终端向时钟服务器发送通告 Announce消息单播请求。  (2) The terminal sends a Announce message unicast request to the clock server.
其中, 终端发送的通告 Announce消息单播请求携带的地址和端口信息 为:  The address and port information carried in the Announce message unicast request sent by the terminal is:
SIP:S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320。  SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
( 3 ) 时钟服务器进行通告 Announce消息的单播授权。  (3) The clock server advertises the unicast authorization of the Announce message.
其中, 时钟服务器发送的 Announce消息的单播授权携带的地址和端口信 息为:  The address and port information carried by the unicast authorization of the Announce message sent by the clock server is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320。  SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
( 4 ) 时钟服务器周期性向终端发送的通告 Announce单播消息, 用于 时钟服务器的选源。  (4) The Announce unicast message sent by the clock server to the terminal periodically for the source of the clock server.
其中, 时钟服务器周期性发送的通告 Announce单播消息携带的地址和端 口信息为: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320。 The address and port information carried in the Announce unicast message periodically sent by the clock server is: SIP: MI-IP; SPort: 320; DIP: SS-IP; DPort: 320.
( 5 ) 如果终端期望进行安全协商, 终端向时钟服务器发送时钟信号 Signaling报文, 携带安全机制协商参数。  (5) If the terminal is required to perform security negotiation, the terminal sends a clock signal to the clock server, and carries the security mechanism negotiation parameters.
The address and port information carried in the Signaling message that the terminal sends to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(6) If the clock server supports the security mechanism, it returns a Signaling indication message to the terminal, indicating the security mechanism to be used and the corresponding negotiated parameters.
The address and port information carried in the Signaling indication message that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
Note that if the terminal and/or the clock server does not implement security, steps (5) and (6) are absent.
(7) If time synchronization is being performed, the terminal sends a point-to-point delay negotiation request Delay_Req to the clock server.
The address and port information carried in the point-to-point delay negotiation request that the terminal sends to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(8) The clock server returns a point-to-point delay negotiation grant Delay_Resp to the terminal; the grant indicates the delay mechanism to be used.
The address and port information carried in the point-to-point delay negotiation grant that the clock server (Master) returns to the terminal (Slave) is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(9) If time synchronization is being performed, the terminal may also send an end-to-end delay negotiation request PDelay_Req to the clock server.
The address and port information carried in the end-to-end delay negotiation request that the terminal sends to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(10) The clock server returns an end-to-end delay negotiation grant PDelay_Resp to the terminal; the grant indicates the delay mechanism to be used.
The address and port information carried in the end-to-end delay negotiation grant that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
Note that steps (7), (8), (9) and (10) negotiate the delay mechanism used for time synchronization; for frequency synchronization, steps (7), (8), (9) and (10) are absent.
(11) The clock server periodically sends clock synchronization messages to the terminal by multicast, for frequency or time synchronization. On receiving such a message the terminal must check it according to the previously negotiated security mechanism, and only messages that pass the check are processed.
The address and port information carried in the clock synchronization messages that the clock server periodically multicasts to the terminal is:
SIP: M-I-IP; SPort: 319; DIP: 224.0.1.129; DPort: 319.
(12) For time synchronization, the terminal may send a point-to-point delay request Delay_Req to the clock server according to the delay mechanism negotiated in steps (7) and (8).
The address and port information carried in the point-to-point delay request that the terminal sends to the clock server is:
SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
(13) The clock server checks the request according to the negotiated security mechanism, processes only requests that pass the check, and returns a point-to-point delay response Delay_Resp to the terminal.
The address and port information carried in the point-to-point delay response that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(14) For time synchronization, the terminal may send an end-to-end delay request PDelay_Req to the clock server according to the delay mechanism negotiated in steps (9) and (10).
The address and port information carried in the end-to-end delay request that the terminal sends to the clock server is: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
(15) The clock server checks the request according to the negotiated security mechanism, processes only requests that pass the check, and returns an end-to-end delay response PDelay_Resp to the terminal.
The address and port information carried in the end-to-end delay response that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 319; DIP: S-NAT-U-IP; DPort: the source port SPort of the PDelay_Req.
Note that for time synchronization, steps (12), (13), (14) and (15) perform the delay measurement using the delay mechanism negotiated in steps (7), (8), (9) and (10); for frequency synchronization, steps (7), (8), (9), (10), (12), (13), (14) and (15) are absent.
This embodiment sends the clock synchronization messages by multicast, which requires support from the home gateway. The flow of this embodiment therefore differs from the unicast flow of Embodiment 1 in that the handshake introduced for network address translation traversal is not needed and the clock synchronization messages are sent by multicast; the remaining steps are the same as in the unicast flow of Embodiment 1.
The above describes in detail the flow of the clock synchronization security method provided by Embodiment 3 of the present invention. The clock server establishes a secure path and a non-secure path to the terminal and sends clock synchronization messages to the terminal over the established non-secure path, so that the terminal can synchronize its clock from those messages. At the same time, because the clock server exchanges control messages with the terminal over the secure path, the control messages are not easily attacked, which further improves the security of the clock server.
Embodiment 5:
Refer to FIG. 8, which is a flow chart of the clock synchronization security method provided by Embodiment 4 of the present invention. As shown in FIG. 8, in this embodiment both the Announce messages and the clock synchronization messages are sent by multicast; dashed lines denote steps carried out on the non-secure path, solid lines steps carried out on the secure path. The flow of this embodiment may include:
(1) The terminal establishes a secure path with the security gateway, thereby establishing a secure path between the terminal and the clock server.
The secure path between the clock server and the terminal may be established by adding a logical interface, such as an IPsec tunnel, or by adding a physical link, such as a dedicated signaling link. In this embodiment an IPsec tunnel is taken as the example of the secure path between the terminal and the clock server.
(2) The clock server periodically sends Announce multicast messages to the terminal, used by the terminal for clock source selection.
The address and port information carried in the Announce multicast messages that the clock server periodically sends to the terminal is: SIP: M-I-IP; SPort: 320; DIP: 224.0.1.129; DPort: 320.
(3) If the terminal wishes to perform security negotiation, it sends a Signaling message to the clock server carrying the security mechanism negotiation parameters.
The address and port information carried in the Signaling message that the terminal sends to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(4) If the clock server supports the security mechanism, it returns a Signaling indication message to the terminal, indicating the security mechanism to be used and the corresponding negotiated parameters.
The address and port information carried in the Signaling indication message that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
Note that if the terminal and/or the clock server does not implement security, steps (3) and (4) are absent.
(5) If time synchronization is being performed, the terminal sends a point-to-point delay negotiation request Delay_Req to the clock server.
The address and port information carried in the point-to-point delay negotiation request that the terminal sends to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(6) The clock server returns a point-to-point delay negotiation grant Delay_Resp to the terminal; the grant indicates the delay mechanism to be used.
The address and port information carried in the point-to-point delay negotiation grant that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(7) If time synchronization is being performed, the terminal may also send an end-to-end delay negotiation request PDelay_Req to the clock server.
The address and port information carried in the end-to-end delay negotiation request that the terminal sends to the clock server is:
SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320.
(8) The clock server returns an end-to-end delay negotiation grant PDelay_Resp to the terminal; the grant indicates the delay mechanism to be used.
The address and port information carried in the end-to-end delay negotiation grant that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
Note that steps (5), (6), (7) and (8) negotiate the delay mechanism used for time synchronization; for frequency synchronization, steps (5), (6), (7) and (8) are absent.
(9) The clock server periodically sends clock synchronization messages to the terminal by multicast, for frequency or time synchronization. On receiving such a message the terminal must check it according to the previously negotiated security mechanism, and only messages that pass the check are processed.
The address and port information carried in the clock synchronization messages that the clock server periodically multicasts to the terminal is:
SIP: M-I-IP; SPort: 319; DIP: 224.0.1.129; DPort: 319.
(10) For time synchronization, the terminal may send a point-to-point delay request Delay_Req to the clock server according to the delay mechanism negotiated in steps (5) and (6).
The address and port information carried in the point-to-point delay request that the terminal sends to the clock server is:
SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
(11) The clock server checks the request according to the negotiated security mechanism, processes only requests that pass the check, and returns a point-to-point delay response Delay_Resp to the terminal.
The address and port information carried in the point-to-point delay response that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
(12) For time synchronization, the terminal may send an end-to-end delay request PDelay_Req to the clock server according to the delay mechanism negotiated in steps (7) and (8).
The address and port information carried in the end-to-end delay request that the terminal sends to the clock server is: SIP: S-U-IP; SPort: 319; DIP: M-A-IP; DPort: 319.
(13) The clock server checks the request according to the negotiated security mechanism, processes only requests that pass the check, and returns an end-to-end delay response PDelay_Resp to the terminal.
The address and port information carried in the end-to-end delay response that the clock server returns to the terminal is:
SIP: M-I-IP; SPort: 319; DIP: S-NAT-U-IP; DPort: the source port SPort of the PDelay_Req.
Note that for time synchronization, steps (10), (11), (12) and (13) perform the delay measurement using the delay mechanism negotiated in steps (5), (6), (7) and (8); for frequency synchronization, steps (5), (6), (7), (8), (10), (11), (12) and (13) are absent.
The flow of this embodiment differs from the multicast flow of Embodiment 3 in that the terminal directly receives the Announce multicast messages that the clock server sends periodically and uses them for clock source selection; the remaining steps are the same as in the multicast flow of Embodiment 3.
The above describes in detail the clock synchronization method provided by Embodiment 4 of the present invention. The clock server establishes a secure path and a non-secure path to the terminal and sends clock synchronization messages to the terminal over the established non-secure path, so that the terminal can synchronize its clock from those messages. At the same time, because the clock server exchanges control messages with the terminal over the secure path, the control messages are not easily attacked, which further improves the security of the clock server.
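The split the multicast flows of Embodiment 3 and Embodiment 4 rely on (from the Signaling step onward the two flows are identical) is easier to see in running form. The following is an added example written for this page, not code from the patent or from Huawei: a two-party simulation in which control messages (Signaling, delay-mechanism negotiation) travel on the secure path and port 320, while Sync is multicast on the non-secure path and port 319 and the delay request/response also use the non-secure path. The patent does not name the security mechanism or its parameters; the example assumes the negotiated mechanism is HMAC-SHA256 with a group key that the master hands out only inside the secure path, so a Sync or Delay_Req whose tag does not verify is checked and dropped exactly as steps (9), (11) and (13) require. The names Msg, Master, Slave, tag_for and run_flow, the placeholder strings M-I-IP, M-A-IP, S-S-IP and S-U-IP used as literal addresses, and the sample payloads are all assumptions. Ports 319 and 320 and the group 224.0.1.129 are the IEEE 1588 event port, general port and primary multicast group, which is why the flow uses them. One naming caveat: IEEE 1588 itself calls the Delay_Req/Delay_Resp exchange the end-to-end (delay request-response) mechanism and the Pdelay_Req/Pdelay_Resp exchange the peer-to-peer mechanism, the reverse of the point-to-point/end-to-end labels the patent attaches to them; the example keeps the message names and does not depend on the label. The example also answers a verified Delay_Req at the source address and port it was received from, following the addressing of the PDelay_Resp in step (13) rather than the secure-path addressing of step (11).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PTP_EVENT_PORT = 319        # IEEE 1588 event messages (Sync, Delay_Req, Pdelay_Req)
PTP_GENERAL_PORT = 320      # IEEE 1588 general messages (Announce, Signaling, Delay_Resp)
PTP_MCAST = "224.0.1.129"   # IEEE 1588 primary multicast group, the DIP used in the flow


@dataclass
class Msg:
    kind: str
    sip: str            # SIP / SPort / DIP / DPort exactly as written in the flow above
    sport: int
    dip: str
    dport: int
    body: bytes = b""
    tag: bytes = b""
    secure: bool = False  # True: carried on the secure path (e.g. inside the IPsec tunnel)


def tag_for(key: bytes, m: Msg) -> bytes:
    """Assumed security mechanism: HMAC-SHA256 over message type and payload."""
    return hmac.new(key, m.kind.encode() + b"|" + m.body, hashlib.sha256).digest()


class Master:
    def __init__(self, internal_ip: str, access_ip: str):
        self.int_ip, self.acc_ip = internal_ip, access_ip  # M-I-IP / M-A-IP (assumed meaning)
        self.group_key = os.urandom(32)   # assumption: one group key, sent only on the secure path
        self.negotiated = set()           # S-S-IP of terminals that completed steps (3)/(4)
        self.seq = 0

    def on_signaling(self, m: Msg) -> Msg:            # steps (3)/(4)
        if not m.secure:
            raise ValueError("security negotiation is accepted only on the secure path")
        self.negotiated.add(m.sip)
        return Msg("Signaling", self.int_ip, PTP_GENERAL_PORT, m.sip, PTP_GENERAL_PORT,
                   self.group_key, secure=True)

    def on_delay_negotiation(self, m: Msg) -> Msg:    # steps (5)-(8), time sync only
        if not (m.secure and m.sip in self.negotiated):
            raise ValueError("delay negotiation needs a prior negotiation on the secure path")
        return Msg(m.kind.replace("Req", "Resp"), self.int_ip, PTP_GENERAL_PORT, m.sip,
                   PTP_GENERAL_PORT, b"Delay_Req/Delay_Resp", secure=True)

    def sync(self) -> Msg:                            # step (9): multicast on the open path
        self.seq += 1
        m = Msg("Sync", self.int_ip, PTP_EVENT_PORT, PTP_MCAST, PTP_EVENT_PORT,
                self.seq.to_bytes(2, "big"))
        m.tag = tag_for(self.group_key, m)
        return m

    def on_delay_req(self, m: Msg):                   # steps (10)-(13): check, then answer
        if not hmac.compare_digest(m.tag, tag_for(self.group_key, m)):
            return None                               # failed the check: dropped, never answered
        r = Msg("Delay_Resp", self.int_ip, PTP_EVENT_PORT, m.sip, m.sport, m.body)
        r.tag = tag_for(self.group_key, r)
        return r


class Slave:
    def __init__(self, secure_ip: str, unsecure_ip: str):
        self.sec_ip, self.uns_ip = secure_ip, unsecure_ip  # S-S-IP / S-U-IP (assumed meaning)
        self.key = None
        self.accepted, self.rejected = [], []

    def signaling(self, master: Master) -> Msg:       # step (3)
        return Msg("Signaling", self.sec_ip, PTP_GENERAL_PORT, master.int_ip,
                   PTP_GENERAL_PORT, b"proposed=HMAC-SHA256", secure=True)

    def on_sync(self, m: Msg) -> bool:                # step (9): only verified Syncs are used
        ok = self.key is not None and hmac.compare_digest(m.tag, tag_for(self.key, m))
        (self.accepted if ok else self.rejected).append(int.from_bytes(m.body, "big"))
        return ok

    def delay_req(self, master: Master) -> Msg:       # step (10): sent from S-U-IP, not S-S-IP
        m = Msg("Delay_Req", self.uns_ip, PTP_EVENT_PORT, master.acc_ip, PTP_EVENT_PORT, b"t3")
        m.tag = tag_for(self.key, m)
        return m


def run_flow(time_sync: bool, tamper: bool) -> dict:
    master, slave = Master("M-I-IP", "M-A-IP"), Slave("S-S-IP", "S-U-IP")
    slave.key = master.on_signaling(slave.signaling(master)).body    # (3)/(4)
    mech = None
    if time_sync:                                                     # (5)-(8)
        req = Msg("Delay_Req", slave.sec_ip, PTP_GENERAL_PORT, master.int_ip,
                  PTP_GENERAL_PORT, secure=True)
        mech = master.on_delay_negotiation(req).body
    for _ in range(3):                                                # (9)
        slave.on_sync(master.sync())
    if tamper:                     # an on-path attacker rewrites one multicast Sync in flight
        forged = master.sync()
        forged.body = b"\xff\xff"
        slave.on_sync(forged)
    resp = master.on_delay_req(slave.delay_req(master)) if time_sync else None  # (10)-(13)
    spoof = Msg("Delay_Req", "attacker", PTP_EVENT_PORT, master.acc_ip, PTP_EVENT_PORT, b"t3")
    return {"mechanism": mech, "accepted": slave.accepted, "rejected": slave.rejected,
            "delay_resp_to": (resp.dip, resp.dport) if resp else None,
            "spoof_answered": master.on_delay_req(spoof) is not None}
```

run_flow(time_sync=False, tamper=False) exercises the frequency-synchronization case, in which the delay negotiation and the delay request/response are skipped but every multicast Sync is still verified; run_flow(time_sync=True, tamper=True) shows that a tampered Sync and a Delay_Req without a valid tag are both dropped while the legitimate ones go through.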
The clock synchronization method and its embodiments provided by the embodiments of the present invention have been described in detail above with reference to the accompanying drawings; the devices provided by the embodiments of the present invention are described below, again with reference to the drawings.
Embodiment 6:
Refer to FIG. 9, which is a schematic structural diagram of a clock server provided by Embodiment 5 of the present invention. As shown in FIG. 9, the clock server provided by this embodiment may include:
a first interface module 901, configured to establish a secure path and a non-secure path with the terminal;
a first association module 902, configured to associate the address of the secure path with the address of the non-secure path;
a first control message interaction module 903, configured to exchange control messages with the terminal over the secure path;
a synchronization message sending module 904, configured to send clock synchronization messages to the terminal over the non-secure path.
The first control message interaction module 903 is further configured to receive, over the secure path, a security mechanism negotiation request sent by the terminal, the request carrying security mechanism negotiation parameters, and to return a security mechanism negotiation response to the terminal, the response indicating the security mechanism to be used and the corresponding negotiated parameters.
The first control message interaction module 903 is further configured to receive, over the secure path, a point-to-point delay negotiation request sent by the terminal,
and to return a point-to-point delay negotiation grant to the terminal, the grant indicating the delay mechanism to be used;
or to receive, over the secure path, an end-to-end delay negotiation request sent by the terminal,
and to return an end-to-end delay negotiation grant to the terminal, the grant indicating the delay mechanism to be used.
The first control message interaction module 903 is further configured to receive, over the non-secure path, a handshake request for network address translation traversal initiated by the terminal,
and to return a handshake response to the terminal, the handshake response carrying the non-secure path address after network address translation and the corresponding port.
The first control message interaction module 903 may further send, over the non-secure path, the Announce multicast messages that are sent periodically to the terminal for clock source selection;
the synchronization message sending module 904 is configured to send, over the non-secure path, the clock synchronization messages that are sent periodically to the terminal by multicast.
Further, if the clock server does not implement security, the first control message interaction module 903 does not negotiate a security mechanism with the terminal; if only frequency synchronization (rather than time synchronization) is performed with the terminal, the first control message interaction module 903 does not negotiate a delay mechanism with the terminal; and if the clock server sends the Announce messages used for clock source selection to the terminal by multicast, the first control message interaction module 903 may send those Announce messages to the terminal directly.
The above describes in detail the clock server provided by Embodiment 5 of the present invention. Because control messages are exchanged over the secure path established by the first interface module 901, the control messages are not easily attacked, which further improves the security of the clock server. In addition, clock synchronization messages are sent to the terminal over the non-secure path established by the first interface module 901, so that the terminal can synchronize its clock from those messages.
Embodiment 7:
Refer to FIG. 10, which is a schematic structural diagram of a terminal provided by Embodiment 6 of the present invention. As shown in FIG. 10, the terminal provided by this embodiment may include:
a second interface module 1001, configured to establish a secure path and a non-secure path with the clock server;
a second association module 1002, configured to associate the address of the secure path with the address of the non-secure path;
a second control message interaction module 1003, configured to exchange control messages with the clock server over the secure path;
a clock synchronization module 1004, configured to perform clock synchronization over the non-secure path.
The second control message interaction module 1003 is further configured to send, over the secure path, a security mechanism negotiation request to the clock server, the request carrying security mechanism negotiation parameters,
and to receive the security mechanism negotiation response returned by the clock server, the response indicating the security mechanism to be used and the corresponding negotiated parameters.
The second control message interaction module 1003 is further configured to send, over the secure path, a point-to-point delay negotiation request to the clock server,
and to receive the point-to-point delay negotiation grant returned by the clock server, the grant indicating the delay mechanism to be used;
or to send, over the secure path, an end-to-end delay negotiation request to the clock server, and to receive the end-to-end delay negotiation grant returned by the clock server, the grant indicating the delay mechanism to be used.
The second control message interaction module 1003 is further configured to initiate, over the non-secure path, a handshake request for network address translation traversal towards the clock server,
and to receive the handshake response returned by the clock server, the handshake response carrying the non-secure path address after network address translation and the corresponding port.
The second control message interaction module 1003 may further receive, over the non-secure path, the Announce multicast messages that the clock server sends periodically for clock source selection;
the clock synchronization module 1004 is configured to receive, over the non-secure path, the clock synchronization messages that the clock server sends periodically by multicast, and to process those clock synchronization messages according to the negotiated security mechanism.
Further, if the terminal does not implement security, the second control message interaction module 1003 does not negotiate a security mechanism with the clock server; if only frequency synchronization (rather than time synchronization) is performed with the clock server, the second control message interaction module 1003 does not negotiate a delay mechanism with the clock server; and if the clock server sends the Announce messages used for clock source selection to the terminal by multicast, the second control message interaction module 1003 may perform clock source selection directly from those Announce messages.
The above describes in detail the terminal provided by Embodiment 6 of the present invention. Because control messages are exchanged over the secure path established by the second interface module 1001, the control messages are not easily attacked, which further improves the security of the clock server. In addition, the clock synchronization messages sent by the clock server are received over the non-secure path established by the second interface module 1001, so that clock synchronization can be performed from those messages.
Embodiment 8:
Refer to FIG. 11, which is a schematic diagram of a network system provided by Embodiment 7 of the present invention. As shown in FIG. 11, the network system provided by this embodiment may include:
a clock server 1101, configured to establish a secure path and a non-secure path with the terminal 1102; to associate the secure path with the non-secure path; to exchange control messages with the terminal over the secure path; and to send clock synchronization messages to the terminal 1102 over the non-secure path;
a terminal 1102, configured to establish a secure path and a non-secure path with the clock server 1101; to associate the secure path with the non-secure path; to exchange control messages with the clock server 1101 over the secure path; and to perform clock synchronization over the non-secure path.
The terminal 1102 may further send, over the secure path, a security mechanism negotiation request to the clock server 1101, the request carrying security mechanism negotiation parameters,
and receive the security mechanism negotiation response returned by the clock server 1101, the response indicating the security mechanism to be used and the corresponding negotiated parameters.
The clock server 1101 is further configured to receive, over the secure path, the security mechanism negotiation request sent by the terminal, the request carrying security mechanism negotiation parameters,
and to return a security mechanism negotiation response to the terminal 1102, the response indicating the security mechanism to be used and the corresponding negotiated parameters.
The terminal 1102 may further send, over the secure path, a point-to-point delay negotiation request to the clock server 1101 and receive the point-to-point delay negotiation grant returned by the clock server 1101, the grant indicating the delay mechanism to be used;
or send, over the secure path, an end-to-end delay negotiation request to the clock server 1101 and receive the end-to-end delay negotiation grant returned by the clock server, the grant indicating the delay mechanism to be used.
The clock server 1101 is further configured to receive, over the secure path, the point-to-point delay negotiation request sent by the terminal and to return a point-to-point delay negotiation grant to the terminal, the grant indicating the delay mechanism to be used;
or to receive, over the secure path, the end-to-end delay negotiation request sent by the terminal and to return an end-to-end delay negotiation grant to the terminal, the grant indicating the delay mechanism to be used.
The terminal 1102 may further initiate, over the non-secure path, a handshake request for network address translation traversal towards the clock server 1101,
and receive the handshake response returned by the clock server 1101, the handshake response carrying the non-secure path address after network address translation and the corresponding port.
The clock server 1101 is further configured to receive, over the non-secure path, the handshake request for network address translation traversal initiated by the terminal,
and to return a handshake response to the terminal 1102, the handshake response carrying the non-secure path address after network address translation and the corresponding port.
The clock server 1101 is further configured to send, over the non-secure path, the Announce multicast messages that are sent periodically to the terminal 1102 for clock source selection,
and to send, over the non-secure path, the clock synchronization messages that are sent periodically to the terminal 1102 by multicast.
The terminal 1102 may further receive, over the non-secure path, the Announce multicast messages that the clock server 1101 sends periodically for clock source selection,
and receive, over the non-secure path, the clock synchronization messages that the clock server 1101 sends periodically by multicast, processing those clock synchronization messages according to the negotiated security mechanism.
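The association modules (902 and 1002) and the network-address-translation handshake (modules 903 and 1003, and the network system of Embodiment 8) are the glue between the two paths: a terminal is identified on the secure path by S-S-IP, but its delay requests arrive on the non-secure path from S-U-IP, or from S-NAT-U-IP and a translated port once a home gateway is in between, and the responses (PDelay_Resp in the flows above) must go back to that translated address and port. The following is an added example, not code from the patent or from Huawei, showing a server-side association table driven by those two events. The patent does not say how the handshake on the non-secure path is tied to the record created on the secure path; the example assumes the handshake request names the terminal's secure-path address, and it refuses to bind an open-path address for a terminal that never negotiated security. HomeGateway is a constructed stand-in for the NAT, and the names Terminal, ClockServer, scenario, the port 40000 and the addresses 203.0.113.9 and 198.51.100.7 (documentation ranges) are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Terminal:
    secure_ip: str                     # S-S-IP: how the terminal is known on the secure path
    mechanism: Optional[str] = None    # security mechanism negotiated on the secure path
    open_addr: Optional[Addr] = None   # non-secure path source as the server observes it


class HomeGateway:
    """Constructed NAT stand-in: private (ip, port) -> (S-NAT-U-IP, fresh port)."""
    def __init__(self, public_ip: str):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def translate(self, private: Addr) -> Addr:
        if private not in self.table:
            self.table[private] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[private]


class ClockServer:
    """Association module: one record per terminal, reachable from either path."""
    def __init__(self):
        self.by_secure: Dict[str, Terminal] = {}
        self.by_open: Dict[Addr, Terminal] = {}

    def on_security_negotiation(self, secure_ip: str, mechanism: str) -> Terminal:
        # Control plane, secure path: creates or updates the terminal's record.
        t = self.by_secure.setdefault(secure_ip, Terminal(secure_ip))
        t.mechanism = mechanism
        return t

    def on_handshake(self, secure_ip: str, observed: Addr) -> Optional[Addr]:
        # NAT-traversal handshake on the non-secure path. Assumption: the request names the
        # secure-path address, so the observed (translated) source can be tied to that record.
        t = self.by_secure.get(secure_ip)
        if t is None or t.mechanism is None:
            return None                    # nothing negotiated on the secure path: do not bind
        if t.open_addr is not None:
            self.by_open.pop(t.open_addr, None)   # a NAT rebinding replaces the old mapping
        t.open_addr = observed
        self.by_open[observed] = t
        return observed                    # echoed back as S-NAT-U-IP and its port

    def on_delay_req(self, observed: Addr) -> Optional[Addr]:
        # Non-secure path request: answered only if the source is an associated address,
        # and the response goes to the translated address/port, never to the private S-U-IP.
        t = self.by_open.get(observed)
        return None if t is None else t.open_addr


def scenario() -> dict:
    server, gw = ClockServer(), HomeGateway("S-NAT-U-IP")
    server.on_security_negotiation("S-S-IP", "HMAC-SHA256")          # on the secure path
    first = gw.translate(("S-U-IP", 319))                             # what the server sees
    out = {"handshake": server.on_handshake("S-S-IP", first)}
    out["resp_to"] = server.on_delay_req(first)
    out["unknown_src"] = server.on_delay_req(("203.0.113.9", 319))     # never handshook
    out["no_security"] = server.on_handshake("S-S-IP-2", ("198.51.100.7", 319))
    gw.table.clear()                                                   # NAT mapping expired
    second = gw.translate(("S-U-IP", 319))
    out["after_rebind_before_handshake"] = server.on_delay_req(second)
    server.on_handshake("S-S-IP", second)                              # terminal re-handshakes
    out["after_rebind"] = server.on_delay_req(second)
    out["stale"] = server.on_delay_req(first)
    return out
```

The scenario shows the three checks a practitioner would want from the association: a request from an address that never completed the handshake is ignored, a handshake for a terminal with no negotiated security mechanism binds nothing, and after the gateway's mapping changes the old translated address stops being answered until the terminal handshakes again.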
Embodiment 9
Referring to FIG. 12, the embodiment of FIG. 12 provides a clock server 121 and a terminal 123. The terminal 123 may access the clock server 121 through a security gateway 122.
The clock server 121 provided in this embodiment includes the following modules:
a first path establishing module 1211, a second path establishing module 1212 and a clock message module 1213, where
the first path establishing module 1211 is configured to establish a first path with the terminal 123, the first path being a secure connection that transfers data in a secure manner.
For example, the first path here may be a secure IPsec tunnel, a secure dedicated physical link, or the like.
The first path establishing module 1211 may establish the secure connection with the terminal 123 through the security gateway 122.
The second path establishing module 1212 is configured to send, over the first path, information for establishing a second path to the terminal 123, so as to establish the second path with the terminal.
For example, after an Announce message unicast request from the terminal 123 is received over the first path, a grant for the Announce message unicast request may be returned to the terminal 123, the grant carrying the corresponding information for establishing the second path.
As an example, the address and port information carried in the Announce message unicast request sent by the terminal 123 is: SIP: S-S-IP; SPort: 320; DIP: M-I-IP; DPort: 320. The address and port information carried in the Announce message unicast grant sent by the second path establishing module 1212 is: SIP: M-I-IP; SPort: 320; DIP: S-S-IP; DPort: 320.
For details, refer to the description of the foregoing embodiments, which is not repeated here.
The clock message sending module 1213 is configured to send clock synchronization messages to the terminal 123 over the second path.
The clock messages may be sent in multicast mode or in unicast mode.
Optionally, the clock server 121 may further include a first signaling module 1214, configured to send control messages to the terminal 123 over the first path, the control messages including any one or a combination of the following: an Announce message for source selection, an end-to-end delay negotiation request grant, and a security mechanism negotiation request response;
and a second signaling module 1215, configured to send control messages to the terminal 123 over the second path, the control messages including any one or a combination of the following: a peer-to-peer delay negotiation request, an end-to-end delay negotiation request grant, and an Announce multicast message for source selection.
The terminal 123 includes the following modules:
a first path establishing module 1231, configured to establish a first path with the clock server 121, the first path being a secure connection that transfers data in a secure manner;
a second path establishing module 1232, configured to obtain, over the first path, information for establishing a second path from the clock server 121, and to establish the second path with the clock server 121;
a clock message receiving module 1233, configured to receive, over the second path, the clock synchronization messages sent by the clock server 121. Optionally, the clock server may further include the following modules:
a third signaling module 1234, configured to send a control message to the clock server 121 over the first path, the control message including a security mechanism negotiation request;
a fourth signaling module 1235, configured to send control messages to the clock server 121 over the second path, the control messages including any one or a combination of the following: a peer-to-peer delay negotiation request, an end-to-end delay negotiation request, and so on.
For the exchange of control information between the clock server 121 and the terminal 123, refer to the description of the foregoing embodiments.
As can be seen from the above, the method provided in this embodiment can use the first path to convey certain key information, such as the port of the clock server, so that the information needed to establish the second path is hidden rather than disclosed to all terminals, which improves the security of the clock server. Further, the first path can also carry other key information, such as important control messages, so that this information is not easily intercepted, which improves the security of the clock synchronization process. Further, the first path can also be used to negotiate the security mechanism used on the second path, which simplifies the negotiation of that mechanism.
Embodiment 10
The method provided in this embodiment includes the following steps.
Step 1301: Establish a first path between the clock server and the terminal.
For example, through an IPsec tunnel or an added physical link.
Illustratively, a secure connection may be established through a security gateway. The connection may be initiated by the terminal, by the security gateway, or by the clock server.
Step 1302: Establish a second path by means of the first path.
The information needed to establish the second path is transmitted over the first path, and the second path is established between the clock server and the terminal according to that information. The information needed to establish the second path is, for example, the address and port of the clock server.
As an example, the clock server receives, over the first path, an Announce message unicast request sent by the terminal,
and returns, over the first path, an Announce message unicast request grant to the terminal, so that the terminal establishes the second path according to the information carried in the grant; or, the terminal sends an Announce message unicast request to the clock server over the first path,
the terminal receives the Announce message unicast request grant returned by the clock server over the first path,
and, according to the information carried in the grant, the terminal establishes the second path with the clock server.
Because the first path transmits the information needed to establish the second path, for example the server's port, in a secure manner, this information is not easily intercepted and is not disclosed to all terminals, which improves the security of the clock server.
Step 1303: Transmit clock messages over the second path.
For example, the clock server transmits clock synchronization messages over the second path in unicast mode, or the clock server transmits clock synchronization messages over the second path in multicast mode.
After step 1302 and before step 1303, the following step may further be included: the clock server and the terminal negotiate, over the first path, the security mechanism to be used on the second path. Because the first path conveys the security mechanism in a secure manner, the negotiation of the security mechanism is simplified.
As an example, the clock server receives, over the first path, a security mechanism negotiation request sent by the terminal, the request carrying security mechanism negotiation parameters;
and returns, over the secure path, a security mechanism negotiation request response to the terminal, indicating the security mechanism and the corresponding negotiated parameters to be used when sending clock messages over the second path in step 1303. In addition, before step 1303, the following steps may further be included:
the clock server receives, over the second path, a peer-to-peer delay negotiation request sent by the terminal, and returns, over the second path, a peer-to-peer delay negotiation request grant to the terminal, the grant indicating the delay mechanism to be used on the second path in step 1303;
or, the clock server receives, over the second path, an end-to-end delay negotiation request sent by the terminal, and returns, over the first path, an end-to-end delay negotiation request grant to the terminal, the grant indicating the delay mechanism to be used on the second path in step 1303. In addition, before step 1302, the terminal's address and port on the second path after NAT traversal may also be negotiated for the second path that is to be established.
As an example, the clock server receives a NAT-traversal handshake request initiated by the terminal,
and returns a handshake request response to the terminal, the response carrying the terminal's address and corresponding port on the second path after network address translation.
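As an added illustration, not part of the patent text and not Huawei's implementation, the following Python simulation walks through the modules of Embodiment 9 and steps 1301 to 1303 of Embodiment 10 in one place: the Announce unicast grant carried over the first path delivers the server's second-path address and port (the S-S-IP / M-I-IP / 320 values from the example above), a security mechanism is negotiated over the first path, the NAT-traversal handshake on the second path echoes back the observed address and port, and clock synchronization messages on the second path are then accepted or dropped under the negotiated mechanism. The secure first path is modelled as direct method calls; the HMAC algorithms, key delivery inside the negotiation response, the sequence-number replay check, the class and method names, the clock identifier "clk-0001" and the sample post-NAT address 203.0.113.7:40320 are all assumptions of this example, since the patent does not specify the security mechanism.

```python
# Added example (not the patent's own code): a constructed simulation of the
# two-path clock synchronization flow. Class/method names, the HMAC-based
# "security mechanism", key delivery in the negotiation response and the
# replay check are assumptions of this example.
import hashlib
import hmac
import os
import struct

SYNC_FMT = "!QI"                      # timestamp (ns, 64-bit) + sequence number
SYNC_LEN = struct.calcsize(SYNC_FMT)  # 12 bytes
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha1": hashlib.sha1}


class ClockServer:
    """Clock server; second_ip/second_port are its second-path address (page values)."""

    def __init__(self, second_ip="M-I-IP", second_port=320):
        self.second_ip, self.second_port = second_ip, second_port
        self.keys = {}   # clock_id -> (algorithm, key) negotiated over the first path
        self.seq = 0

    # ---- first (secure) path: control messages, modelled as direct calls ----
    def announce_unicast_request(self, clock_id, src_ip, src_port):
        # The grant carries the server's second-path address and port, so the
        # information needed to build the second path never travels in the clear.
        return {"SIP": self.second_ip, "SPort": self.second_port,
                "DIP": src_ip, "DPort": src_port}

    def security_negotiation_request(self, clock_id, offered):
        # Choose the first offered algorithm we support and hand back the key
        # over the secure path (assumption: the first path protects the key).
        for alg in offered:
            if alg in DIGESTS:
                key = os.urandom(32)
                self.keys[clock_id] = (alg, key)
                return {"alg": alg, "key": key}
        return {"alg": None, "key": None}

    # ---- second (non-secure) path ----
    def nat_handshake(self, observed_ip, observed_port):
        # Reply with the post-NAT address/port as seen by the server.
        return {"ip": observed_ip, "port": observed_port}

    def sync_message(self, clock_id, timestamp_ns):
        # Sync payload protected with the negotiated HMAC mechanism.
        alg, key = self.keys[clock_id]
        self.seq += 1
        payload = struct.pack(SYNC_FMT, timestamp_ns, self.seq)
        return payload + hmac.new(key, payload, DIGESTS[alg]).digest()


class Terminal:
    def __init__(self, clock_id, ip="S-S-IP", port=320):
        self.clock_id, self.ip, self.port = clock_id, ip, port
        self.second_path = None
        self.security = None
        self.last_seq = 0
        self.accepted = []

    def build_second_path(self, server):            # step 1302, over the first path
        grant = server.announce_unicast_request(self.clock_id, self.ip, self.port)
        self.second_path = (grant["SIP"], grant["SPort"])
        return self.second_path

    def negotiate_security(self, server):           # between 1302 and 1303
        resp = server.security_negotiation_request(self.clock_id, list(DIGESTS))
        self.security = (resp["alg"], resp["key"])
        return resp["alg"]

    def process_sync(self, frame):                  # step 1303, over the second path
        """Accept a sync frame only if its tag verifies and its sequence is fresh."""
        alg, key = self.security
        tag_len = DIGESTS[alg]().digest_size
        payload, tag = frame[:-tag_len], frame[-tag_len:]
        if len(payload) != SYNC_LEN:
            return False
        expected = hmac.new(key, payload, DIGESTS[alg]).digest()
        if not hmac.compare_digest(expected, tag):
            return False                            # forged or corrupted: drop
        ts, seq = struct.unpack(SYNC_FMT, payload)
        if seq <= self.last_seq:
            return False                            # replayed: drop
        self.last_seq = seq
        self.accepted.append(ts)
        return True


def run_flow():
    """Run the whole exchange once and report what each step produced."""
    server = ClockServer()
    term = Terminal(clock_id="clk-0001")           # constructed clock identifier
    second_path = term.build_second_path(server)
    alg = term.negotiate_security(server)
    nat = server.nat_handshake("203.0.113.7", 40320)  # constructed post-NAT address/port
    good = term.process_sync(server.sync_message(term.clock_id, 1_700_000_000_000_000_000))
    frame = server.sync_message(term.clock_id, 1_700_000_001_000_000_000)
    tampered = term.process_sync(bytes([frame[0] ^ 0x01]) + frame[1:])
    fresh = term.process_sync(frame)
    replay = term.process_sync(frame)
    return {"second_path": second_path, "alg": alg, "nat": (nat["ip"], nat["port"]),
            "good": good, "tampered": tampered, "fresh": fresh, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
```

The point the simulation makes is the one the text argues: everything a terminal needs to reach the server on the second path, and the key material that protects traffic on it, only ever crosses the first path, so the non-secure path carries nothing that a passive observer could reuse, and any frame injected or replayed on it fails the terminal's check.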
It can be understood that the method provided in this embodiment can use the first path to convey certain key information, such as the server's port or important control messages, to improve the security of the clock synchronization process.
The foregoing describes in detail a network system provided by Embodiment 7 of the present invention: by exchanging control messages over the established secure path, the control messages are not easily attacked, which further improves the security of the clock server. In addition, sending the clock over the established non-secure path
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware directed by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk, or an optical disc.
The foregoing describes the clock synchronization method, device and network system provided by the embodiments of the present invention. The description of the above embodiments is intended only to help understand the method of the present invention and its core idea; at the same time, those of ordinary skill in the art may, according to the idea of the present invention, make changes in the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims

1. A method for implementing clock synchronization, comprising:
establishing, by a clock server, a secure path and a non-secure path with a terminal;
associating the secure path with the non-secure path;
exchanging control messages with the terminal over the secure path, and sending clock synchronization messages to the terminal over the non-secure path.
2. The method according to claim 1, wherein establishing the secure path and the non-secure path between the clock server and the terminal comprises:
establishing, by the clock server, the secure path with the terminal by adding a logical interface or by adding a physical link;
establishing the non-secure path with the terminal by accessing a public communication network.
3. The method according to claim 1, wherein associating the secure path with the non-secure path comprises:
associating, by the clock server, the address of the terminal's secure path with the address of its non-secure path by means of a clock identifier sent by the terminal.
4. The method according to claim 1, wherein exchanging control messages with the terminal over the secure path comprises:
receiving, by the clock server over the secure path, an Announce message unicast request sent by the terminal;
returning an Announce message unicast request grant to the terminal over the secure path; and periodically sending Announce unicast messages for source selection to the terminal over the secure path.
5. The method according to claim 1, wherein exchanging control messages with the terminal over the secure path further comprises:
receiving, by the clock server over the secure path, a security mechanism negotiation request sent by the terminal, the request carrying security mechanism negotiation parameters;
returning a security mechanism negotiation request response to the terminal over the secure path, indicating the security mechanism to be used and the corresponding negotiated parameters.
6. The method according to claim 1, wherein exchanging control messages with the terminal over the secure path comprises: receiving, over the non-secure path, an end-to-end delay negotiation request sent by the terminal; returning an end-to-end delay negotiation request grant to the terminal over the secure path, the grant indicating the delay mechanism to be used.
7. The method according to any one of claims 1 to 6, wherein sending the clock synchronization messages over the non-secure path comprises:
periodically sending, by the clock server, clock synchronization messages to the terminal over the non-secure path in unicast mode; or
periodically sending, by the clock server, clock synchronization messages to the terminal over the non-secure path in multicast mode.
8. The method according to claim 1, 2, 3, 5 or 6, further comprising: periodically sending, by the clock server over the non-secure path, Announce multicast messages for source selection to the terminal;
periodically sending, by the clock server, clock synchronization messages to the terminal over the non-secure path in multicast mode.
9. The method according to any one of claims 1 to 6, wherein exchanging control messages with the terminal over the secure path further comprises:
receiving, by the clock server over the non-secure path, a NAT-traversal handshake request initiated by the terminal;
returning, by the clock server over the non-secure path, a handshake request response to the terminal, the response carrying the IP address of the terminal's non-secure path after network address translation and the corresponding port.
10. A method for implementing clock synchronization, comprising:
establishing, by a terminal, a secure path and a non-secure path with a clock server;
associating the secure path with the non-secure path;
exchanging control messages with the clock server over the secure path, and performing clock synchronization over the non-secure path.
11. The method according to claim 10, wherein associating the secure path with the non-secure path comprises: associating the address of the secure path with the address of the non-secure path.
12. The method according to claim 10, wherein exchanging control messages with the clock server over the secure path comprises:
sending, by the terminal, an Announce message unicast request to the clock server over the secure path;
receiving the Announce message unicast request grant returned by the clock server over the secure path;
periodically receiving, over the secure path, Announce unicast messages for source selection sent by the clock server.
13. The method according to any one of claims 10 to 12, wherein performing clock synchronization over the non-secure path comprises:
receiving, by the terminal over the non-secure path, clock synchronization messages periodically sent by the clock server in unicast mode, or
receiving, by the terminal over the non-secure path, clock synchronization messages periodically sent by the clock server in multicast mode;
processing the clock synchronization messages according to the negotiated security mechanism.
14. A clock server, comprising:
a first interface module, configured to establish a secure path and a non-secure path with a terminal;
a first association module, configured to associate the address of the terminal's secure path with the address of its non-secure path;
a first control message exchange module, configured to exchange control messages with the terminal over the secure path;
a synchronization message sending module, configured to send clock synchronization messages to the terminal over the non-secure path.
15. The clock server according to claim 14, wherein the first control message exchange module is further configured to receive, over the secure path, a security mechanism negotiation request sent by the terminal, the request carrying security mechanism negotiation parameters,
and to return a security mechanism negotiation request response to the terminal, the response indicating the security mechanism to be used and the corresponding negotiated parameters.
16. The clock server according to claim 14 or 15, wherein the first control message exchange module is further configured to receive, over the non-secure path, a peer-to-peer delay negotiation request sent by the terminal, and to return a peer-to-peer delay negotiation request grant to the terminal, the grant indicating the delay mechanism to be used;
or, to receive, over the non-secure path, an end-to-end delay negotiation request sent by the terminal, and to return an end-to-end delay negotiation request grant to the terminal over the secure path, the grant indicating the delay mechanism to be used.
17. The clock server according to claim 14 or 15, wherein the first control message exchange module is further configured to receive, over the non-secure path, a NAT-traversal handshake request initiated by the terminal, and to return a handshake request response to the terminal, the response carrying the address of the terminal's non-secure path after network address translation and the corresponding port.
18. The clock server according to claim 14 or 15, wherein the first control message exchange module is further configured to periodically send Announce multicast messages for source selection to the terminal over the non-secure path;
and the synchronization message sending module is further configured to periodically send clock synchronization messages to the terminal over the non-secure path in multicast mode.
19. A terminal, comprising:
a second interface module, configured to establish a secure path and a non-secure path with a clock server; a second association module, configured to associate the address of the server's secure path with the address of its non-secure path;
a second control message exchange module, configured to exchange control messages with the clock server over the secure path;
a clock synchronization module, configured to perform clock synchronization with the server over the non-secure path.
20. The terminal according to claim 19, wherein the second control message exchange module is further configured to send a security mechanism negotiation request to the clock server over the secure path, the request carrying security mechanism negotiation parameters, and to receive the security mechanism negotiation request response returned by the clock server, the response indicating the security mechanism to be used and the corresponding negotiated parameters.
21. The terminal according to claim 19 or 20, wherein the second control message exchange module is further configured to send a peer-to-peer delay negotiation request to the clock server over the secure path, and to receive the peer-to-peer delay negotiation request grant returned by the clock server, the grant indicating the delay mechanism to be used;
or, to send an end-to-end delay negotiation request to the clock server over the non-secure path, and to receive, over the secure path, the end-to-end delay negotiation request grant returned by the clock server, the grant indicating the delay mechanism to be used.
22. The terminal according to claim 19 or 20, wherein the second control message exchange module is further configured to initiate a NAT-traversal handshake request to the clock server over the non-secure path, and to receive the handshake request response returned by the clock server, the response carrying the address of the terminal's non-secure path after network address translation and the corresponding port.
23. The terminal according to claim 19 or 20, wherein the second control message exchange module is further configured to receive, over the non-secure path, Announce multicast messages for source selection periodically sent by the clock server;
and the clock synchronization module is further configured to receive, over the non-secure path, clock synchronization messages periodically sent by the clock server in multicast mode, and to process the clock synchronization messages according to the negotiated security mechanism.
24. A network system, comprising:
a clock server, configured to establish a secure path and a non-secure path with a terminal; associate the secure path with the non-secure path; exchange control messages with the terminal over the secure path; and send clock synchronization messages to the terminal over the non-secure path;
a terminal, configured to establish a secure path and a non-secure path with the clock server; associate the secure path with the non-secure path; exchange control messages with the clock server over the secure path; and perform clock synchronization over the non-secure path.
25. A clock server, comprising:
a first path establishing module, configured to establish a first path with a terminal, the first path being a secure connection that transfers data in a secure manner;
a second path establishing module, configured to send, over the first path, the information needed to establish a second path to the terminal, so as to establish the second path with the terminal;
a clock message sending module, configured to send clock synchronization messages to the terminal over the second path.
26. The clock server according to claim 25, further comprising: a first signaling module, configured to send control messages to the terminal over the first path, the control messages including any one or a combination of the following: an Announce message for source selection, an end-to-end delay negotiation request grant, and a security mechanism negotiation request response.
27. The clock server according to claim 26, further comprising: a second signaling module, configured to send control messages to the terminal over the second path, the control messages including any one or a combination of the following: a peer-to-peer delay negotiation request, an end-to-end delay negotiation request grant, and an Announce multicast message for source selection.
28. A terminal, comprising:
a first path establishing module, configured to establish a first path with a clock server, the first path being a secure connection that transfers data in a secure manner;
a second path establishing module, configured to obtain, over the first path, the information needed to establish a second path from the clock server, and to establish the second path with the clock server; a clock message receiving module, configured to receive, over the second path, clock synchronization messages sent by the clock server.
29. The terminal according to claim 28, further comprising:
a third signaling module, configured to send a control message to the clock server over the first path, the control message including a security mechanism negotiation request.
30. The terminal according to claim 28, further comprising:
a fourth signaling module, configured to send control messages to the clock server over the second path, the control messages including any one or a combination of the following: a peer-to-peer delay negotiation request and an end-to-end delay negotiation request.
31. A method for implementing clock synchronization, characterized in that it comprises:
establishing a first path between a clock server and a terminal, the first path being a secure connection that transmits data in a secure manner;
transmitting, over the first path, the information required to establish a second path, and establishing the second path between the clock server and the terminal according to that information; and
transmitting clock messages over the second path.
32. The method according to claim 31, characterized in that establishing the first path between the clock server and the terminal comprises: the clock server establishing the first path with the terminal through a home gateway; or the terminal establishing the first path with the clock server through a home gateway.
33. The method according to any one of claims 31 to 32, characterized in that transmitting, over the first path, the information required to establish the second path and establishing the second path between the clock server and the terminal according to that information comprises:
the clock server receiving, over the first path, an announce message unicast request sent by the terminal,
the clock server returning an announce message unicast request grant to the terminal over the first path, so that the terminal establishes the second path according to the information carried in the announce message unicast request grant; or,
the terminal sending an announce message unicast request to the clock server over the first path,
the terminal receiving the announce message unicast request grant returned by the clock server over the first path,
the terminal establishing the second path with the clock server according to the information carried in the announce message unicast request grant.
34. The method according to claim 31, characterized in that, before the second path is established between the clock server and the terminal, the method further comprises:
negotiating, between the clock server and the terminal over the first path, the security mechanism that the second path uses to send clock messages.
35. The method according to claim 31, characterized in that the method further comprises: transmitting control information over the first path, the control information including any one or a combination of the following: an announce message used for source selection and an end-to-end delay negotiation request grant;
or, transmitting a point-to-point delay negotiation request and a point-to-point delay negotiation request grant over the second path, the point-to-point delay negotiation request grant indicating the delay mechanism used when clock messages are transmitted over the second path;
or, transmitting an end-to-end delay negotiation request over the first path and an end-to-end delay negotiation request grant over the second path, the end-to-end delay negotiation request grant indicating the delay mechanism used when clock messages are transmitted over the second path.
36. The method according to any one of claims 31 to 35, characterized in that transmitting clock messages over the second path comprises:
the second path transmitting clock synchronization messages in unicast mode; or the second path transmitting clock synchronization messages in multicast mode.
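As an added illustration, not the patent's own code or any implementation by the applicant, the following Python simulation walks through the two-path scheme of claims 31, 33, 34 and 36: the security mechanism for the second path is negotiated over the first path (assumed to be an already-established secure connection and modeled as a direct call), the announce message unicast request grant returned over the first path carries the parameters of the second path, and clock synchronization messages then flow over the second path in unicast mode, authenticated with the negotiated key. The mechanism (HMAC-SHA256), the port number in the grant, the message names and fields, the one-way delay of 500 µs and the terminal offset of 1.25 ms are all constructed assumptions, not values from the patent.

```python
import hashlib
import hmac
import json
import secrets

# Constructed simulation values (not from the patent); all times are integer nanoseconds.
PATH_DELAY_NS = 500_000          # one-way delay on the second path, assumed symmetric
TERMINAL_OFFSET_NS = 1_250_000   # how far the terminal clock runs ahead of the server clock
SECOND_PATH_PORT = 319           # assumed port carried in the unicast grant for the second path


class Network:  # shared true time; each traversal of the second path advances it by PATH_DELAY_NS
    true_ns = 10_000_000_000

    def transit(self):
        self.true_ns += PATH_DELAY_NS


def seal(key, msg):  # assumed second-path mechanism: HMAC-SHA256 tag appended to the serialized message
    body = json.dumps(msg, sort_keys=True).encode()
    return body + b"|" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def open_sealed(key, wire):  # verify before parsing; a forged or corrupted clock message yields None
    body, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None


class ClockServer:
    def __init__(self, net):
        self.net = net      # the server clock is the reference: it reads net.true_ns directly
        self.keys = {}      # terminal id -> second-path key negotiated over the first path

    # First path (the secure connection), modeled as a direct call carrying dict messages.
    def on_first_path(self, terminal_id, msg):
        if msg["type"] == "security_negotiation_request":  # claim 34: done before path 2 exists
            if "hmac-sha256" not in msg["offered"]:
                return {"type": "security_negotiation_reject"}
            key = secrets.token_bytes(32)  # the key only ever travels over the secure first path
            self.keys[terminal_id] = key
            return {"type": "security_negotiation_grant", "mech": "hmac-sha256", "key": key.hex()}
        if msg["type"] == "announce_unicast_request":  # claim 33: the grant carries what path 2 needs
            if terminal_id not in self.keys:
                return {"type": "announce_unicast_reject", "reason": "security mechanism not negotiated"}
            return {"type": "announce_unicast_grant", "port": SECOND_PATH_PORT,
                    "log_interval": msg["log_interval"], "duration_s": msg["duration_s"]}
        return {"type": "error", "reason": "unknown message"}

    # Second path: clock messages, each sealed with the key negotiated over the first path.
    def send_sync(self, terminal_id):
        return seal(self.keys[terminal_id], {"type": "sync", "t1": self.net.true_ns})

    def on_delay_req(self, terminal_id, wire):
        req = open_sealed(self.keys[terminal_id], wire)
        if req is None or req["type"] != "delay_req":
            return None  # unauthenticated request: no timestamp is handed out
        return seal(self.keys[terminal_id], {"type": "delay_resp", "t4": self.net.true_ns})


class Terminal:
    def __init__(self, net, terminal_id):
        self.net, self.id, self.key = net, terminal_id, None

    def establish_paths(self, server):  # claims 31/33/34: negotiate, then request the grant, over path 1
        resp = server.on_first_path(self.id, {"type": "security_negotiation_request", "offered": ["hmac-sha256"]})
        if resp["type"] != "security_negotiation_grant":
            raise RuntimeError("no common security mechanism for the second path")
        self.key = bytes.fromhex(resp["key"])
        grant = server.on_first_path(self.id, {"type": "announce_unicast_request", "log_interval": 0, "duration_s": 300})
        if grant["type"] != "announce_unicast_grant":
            raise RuntimeError("second path refused: " + grant.get("reason", ""))
        return grant

    def synchronize(self, server):  # claim 36, unicast: one Sync / Delay_Req / Delay_Resp round -> (offset, delay)
        wire = server.send_sync(self.id)
        self.net.transit()
        sync = open_sealed(self.key, wire)
        if sync is None:
            raise ValueError("sync failed authentication; discarded")
        t1, t2 = sync["t1"], self.net.true_ns + TERMINAL_OFFSET_NS  # t1: server clock; t2: terminal clock
        t3 = t2                            # delay_req leaves immediately (no processing time simulated)
        self.net.transit()
        wire = server.on_delay_req(self.id, seal(self.key, {"type": "delay_req", "t3": t3}))
        resp = open_sealed(self.key, wire) if wire else None
        if resp is None:
            raise ValueError("delay_resp failed authentication; discarded")
        t4 = resp["t4"]                    # delay_req arrival, server clock
        return ((t2 - t1) - (t4 - t3)) // 2, ((t2 - t1) + (t4 - t3)) // 2


def run_scenario():  # constructed end-to-end run: both paths established, then one sync round
    net = Network()
    server, terminal = ClockServer(net), Terminal(net, "terminal-1")
    grant = terminal.establish_paths(server)
    offset, delay = terminal.synchronize(server)
    return {"port": grant["port"], "offset_ns": offset, "delay_ns": delay}
```

Two failure modes are worth noting in the simulation: a Delay_Req whose tag does not verify gets no Delay_Resp, so a party without the key negotiated over the first path obtains no timestamps from the server, and an announce unicast request that arrives before the security mechanism has been negotiated is refused, which is the ordering claim 34 requires.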
PCT/CN2009/075353 2008-12-05 2009-12-07 Clock synchronization method, device and network system WO2010063242A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810182902.6 2008-12-05
CN 200810182902 CN101436923B (en) 2008-12-05 2008-12-05 Method, equipment and network system for synchronizing clock

Publications (1)

Publication Number Publication Date
WO2010063242A1 true WO2010063242A1 (en) 2010-06-10

Family

ID=40711165

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/075353 WO2010063242A1 (en) 2008-12-05 2009-12-07 Clock synchronization method, device and network system

Country Status (2)

Country Link
CN (1) CN101436923B (en)
WO (1) WO2010063242A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9369224B2 (en) 2013-01-30 2016-06-14 Huawei Technologies Co., Ltd. Clock synchronization method and device
CN114520707A (en) * 2022-01-24 2022-05-20 中银金融科技有限公司 Clock synchronization method and related equipment

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436923B (en) * 2008-12-05 2012-01-25 华为技术有限公司 Method, equipment and network system for synchronizing clock
CN101997671B (en) * 2010-11-25 2014-12-10 中兴通讯股份有限公司 Clock synchronization method and system of master/salve clock equipment
CN102013969B (en) * 2010-12-02 2015-06-03 中兴通讯股份有限公司 Method and device for realizing time synchronization
CN102098154A (en) * 2011-01-29 2011-06-15 华为技术有限公司 Method for transmitting precision clock synchronization protocol messages, apparatus and system thereof
CN102404104B (en) * 2011-11-24 2018-01-19 中兴通讯股份有限公司 Adaptive synchronicity method and system based on different delayed time mechanism
CN103166729B (en) * 2013-01-30 2015-11-25 华为技术有限公司 Clock synchronizing method and equipment
CN106411446B (en) * 2016-08-29 2018-08-31 烽火通信科技股份有限公司 A kind of adaptive approach for realizing 1588 time synchronizations under unicast mode
CN106446590A (en) * 2016-11-23 2017-02-22 武汉联影医疗科技有限公司 Announcement and notification generating method and system
CN106559779B (en) * 2016-11-30 2020-10-30 上海斐讯数据通信技术有限公司 Data transmission method, device and system
CN110120846B (en) * 2018-02-05 2020-11-13 大唐移动通信设备有限公司 Clock synchronization method and system
CN115175177B (en) * 2022-06-16 2024-04-16 烽火通信科技股份有限公司 Message transmission method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060190403A1 (en) * 2004-09-25 2006-08-24 Vix Technologies Inc. Method and Apparatus for Content Protection and Copyright Management in Digital Video Distribution
CN1863003A (en) * 2005-05-10 2006-11-15 西门子(中国)有限公司 Down link special physical channel allocating method for use when time division duplex high-speed down link pocket access
CN101136777A (en) * 2007-10-18 2008-03-05 网经科技(苏州)有限公司 Security management method of dual-encryption channel cooperation in network management system
CN101436923A (en) * 2008-12-05 2009-05-20 华为技术有限公司 Method, equipment and network system for synchronizing clock

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6377690B1 (en) * 1998-09-14 2002-04-23 Lucent Technologies Inc. Safe transmission of broadband data messages
CN1157664C (en) * 2001-11-29 2004-07-14 上海格尔软件股份有限公司 SSLL proxy method with MIME data type filter technology

Also Published As

Publication number Publication date
CN101436923B (en) 2012-01-25
CN101436923A (en) 2009-05-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09830026

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09830026

Country of ref document: EP

Kind code of ref document: A1