WO2012174901A1 - Rsvp authentication method and device - Google Patents

Rsvp authentication method and device Download PDF

Info

Publication number
WO2012174901A1
WO2012174901A1 PCT/CN2012/072717 CN2012072717W WO2012174901A1 WO 2012174901 A1 WO2012174901 A1 WO 2012174901A1 CN 2012072717 W CN2012072717 W CN 2012072717W WO 2012174901 A1 WO2012174901 A1 WO 2012174901A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication information
packet
next hop
authentication
address
Prior art date
Application number
PCT/CN2012/072717
Other languages
French (fr)
Chinese (zh)
Inventor
付志涛
许浩
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2012174901A1 publication Critical patent/WO2012174901A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/70Admission control; Resource allocation
    • H04L47/72Admission control; Resource allocation using reservation actions during connection setup
    • H04L47/724Admission control; Resource allocation using reservation actions during connection setup at intermediate nodes, e.g. resource reservation protocol [RSVP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the field of communications, and in particular to a RSVP (Resource Reservation Protocol) authentication method and apparatus.
  • RSVP Resource Reservation Protocol
  • BACKGROUND OF THE INVENTION Traffic engineering authentication technology is a password authentication mechanism for making RSVP messages not maliciously tampering.
  • RSVP Cryptographic Authentication is a password authentication mechanism for making RSVP messages not maliciously tampering.
  • RFC2747 the end-to-end authentication protocol standard
  • a hop-by-hop mechanism for protecting RSVP message integrity is defined.
  • the sender and receiver of the message need to configure an identical key and the same HASH algorithm to generate For the same summary information, the sender of the message needs to carry the summary information as an object (INTEGRITY) in the message, and the receiver receives the message and authenticates the message integrity by carrying the summary information.
  • the RSVP authentication interface is called the RSVP authentication interface.
  • the RSVP authentication interface needs to encapsulate the authentication object (INTEGRITY) when sending packets.
  • the packets that do not contain the authentication object must be discarded.
  • the interface that does not enable RSVP authentication is called.
  • Non-RSVP authentication interface When a non-RSVP authentication interface sends a packet, it does not need to encapsulate the authentication object. Packets that contain the authentication object must be discarded.
  • Traffic Engineering-Fast Re-Route (TE-FRR) technology is a local protection technology that performs local repair when local links or nodes fail. In RFC4090 (the end-to-end authentication protocol standard), two types of local protection, link protection and node protection, are defined.
  • FIG. 1 shows the node protection topology of TE-FRR.
  • the topology diagram includes: nodes R1, R2, and R3 (R1 as a PLR node and R3 as an MP node), links L12, L23, and L13, wherein when the link L12 fails, the path is switched to L13, forming node protection.
  • Figure 2 shows the link protection topology of TE-FRR. As shown in FIG.
  • the topology diagram includes: nodes R1, R2, and R3 (R2 as a PLR node and R3 as an MP node), links L12, L23, and L32, where when the link L23 fails, the path is switched to L32, forming link protection.
  • the MP node processes the PATH (path packet) and PATH-TEAR (a type of teardown packet in the RSVP-TE protocol) sent from the backup tunnel inbound interface (that is, the start entry of the backup tunnel).
  • the protocol packet does not process the protocol packets of the original tunnel.
  • the primary tunnel passes R1, R2, and R3, and the same RSVP authentication information is configured on the fei2/l of R1 and fei2/l of R2.
  • the backup tunnel passes through R2 and R1.
  • R4 and R3 perform link protection on the link L23 between R2 and R3 in the primary tunnel.
  • the two authentication parties refer to two parties in one hop.
  • FRR switching fei2/l on R2 and fei3/3 on R3 in the primary tunnel are also in one hop. Both sides of the certification.
  • the link L23 fails, the TE-FRR switch occurs on the primary tunnel on R2.
  • the RESV message sent by the primary tunnel on R3 is sent through the fei3/3 port, and the destination is the fei2/l port of R2. .
  • the switched RESV message should be fei2/l after R4, R1 and R2. mouth.
  • the RESV packet received by R2 from the fei2/l port is constructed on R3.
  • the authentication information is not configured on the outgoing interface fei3/3 of R3. Therefore, there is no need for fei2/l on R2 in the packet.
  • the packet is discarded.
  • the tunnel is removed due to aging, which causes the protection to fail. In response to the above problems, no effective solution has been proposed yet.
  • an RSVP authentication method including: setting a group of authentication information for a node interface corresponding to each next hop address of a node interface, where the authentication information in the group of authentication information is All the next hop addresses of the node interface are one-to-one correspondence.
  • the authentication information corresponding to the next hop address sent by the packet is selected in the group of authentication information to fill the packet content of the packet.
  • Authentication information When receiving a message, the authentication information corresponding to the sending address of the packet is selected from the group of authentication information to perform packet authentication on the packet.
  • Each of the next hop addresses of the node interface includes: an address of a next hop directly connected to the node interface, and an address of a next hop that is not directly connected to the node interface.
  • the authentication information set for the peer is the same for the two node ports of the directly connected next hop or the indirectly connected next hop.
  • the receiving interface address of the packet is obtained through the RSVP_HOP (ie, the next address) object when receiving the packet.
  • the above authentication information includes: HASH (hash, also transliterated as hash) algorithm, key, challenge (challenge) negotiation.
  • an RS VP authentication apparatus including: an authentication setting module, configured to correspond to each next hop address of a node interface, and set a set of authentication information for the node interface, where the foregoing one
  • the authentication information in the group authentication information is in one-to-one correspondence with all the next hop addresses of the node interface.
  • the message sending module is configured to select and send the message in the group of authentication information when the message is sent.
  • the authentication information corresponding to the one-hop address is filled with the packet content authentication information of the packet.
  • the packet receiving module is configured to: when receiving the packet, select the authentication information corresponding to the sending address of the packet in the group of authentication information. Perform packet authentication on the packet.
  • Each of the next hop addresses of the node interface includes: an address of a next hop directly connected to the node interface, and an address of a next hop that is not directly connected to the node interface.
  • the authentication setting module corresponding to the two node ports of the directly connected next hop or the indirectly connected next hop is the same for the authentication information set by the peer.
  • the packet receiving module is configured to obtain the sending interface address of the packet through the RSVP_H0P object when receiving the packet.
  • the above authentication information includes: a hash HASH algorithm, a key, and a challenge negotiation.
  • a group of authentication messages are set for the node port, and when the packet is sent to a different next hop address, the authentication information of the authentication message corresponding to the address is selected, and when the message is received, the message is selected.
  • a scheme for authenticating the packet by the authentication information corresponding to the address of the packet which solves the problem that the protection fails due to the authentication failure after the FRR switch in the prior art, thereby preventing the loss of the data service carried on the tunnel. effect.
  • FIG. 1 is a schematic diagram of a topology of a TE-FRR node protection
  • FIG. 2 is a topology diagram of a TE-FRR link protection
  • FIG. 3 is a topology diagram of TE-FRR link protection and RSVP authentication;
  • a flowchart of an RSVP authentication method according to an embodiment of the present invention is a flowchart of a sender constructing an RSVP message according to an example of the present invention
  • FIG. 6 is a flowchart of a receiver processing an RSVP message according to an example of the present invention
  • FIG. 7 is a structure of an RSVP authentication apparatus according to an embodiment of the present invention; block diagram. BEST MODE FOR CARRYING OUT THE INVENTION
  • the RSVP authentication method includes: Step S402: Set a group of authentication information for a node interface corresponding to each next hop address of the node interface, where The authentication information is in one-to-one correspondence with all the next hop addresses of the node interface.
  • Step S404 when the packet is sent, the authentication information corresponding to the next hop address sent by the packet is selected in the set of authentication information. The packet content authentication information of the packet is sent.
  • step S406 when the packet is received, the authentication information corresponding to the sending address of the packet is selected in the group of authentication information to perform packet authentication on the packet.
  • each next hop address of the node interface may include: an address of a next hop directly connected to the node interface, and an address of a next hop not directly connected to the node interface.
  • Each next hop address of the node interface shall include all possible next hop addresses, including the address of the next hop directly connected to the node interface and the address of the next hop that is not directly connected to the node interface.
  • the two node ports of the directly connected next hop or the indirectly connected next hop are the same for the authentication information set by the opposite end.
  • the entire authentication process can be successfully completed only when both parties (sending interface and receiving interface) in the first hop use the same authentication information. Therefore, when setting the authentication information of the interface, the authentication information set for each other must be the same whether it is both the directly connected next hop or the indirectly connected next hop.
  • the sending interface address of the packet can be obtained through the RSVP_HOP object when receiving the packet.
  • the RSVP_HOP object contains the IP address of the previous node. Therefore, the address of the sending interface of the received packet can be obtained through the RSVP_HOP object, which is convenient to implement.
  • the foregoing authentication information may include: a HASH algorithm, a key, and a challenge negotiation.
  • the authentication information may be extended according to specific conditions, including but not limited to the above three items. The above preferred embodiments will be described in detail below with reference to examples. Take the topology shown in Figure 3 as an example. As shown in Figure 3, the direct hop of the interface feil/1 on the primary tunnel path R1 is (fei2/l of R2), and the authentication information based on this next hop is AUTH21 (including HASH algorithm, key, challenge).
  • the interface fei2/l of the primary tunnel path R2 has a direct next hop (feil/1 of R1) and a potential indirect next hop (fei3/3 of R3).
  • the corresponding interface authentication information is based on the configuration of the next hop. Therefore, two sets of authentication information are configured, one group is based on the related authentication information AUTH21 of the feil/1 with the next hop R1 (including the HASH algorithm, the key, the challenge negotiation, etc.), and the other group is based on the next hop R3.
  • Related authentication information AUTH243 of fei3/3 including HASH algorithm, key, challenge negotiation, etc.).
  • next hop For the interface fei3/3 of R3, there is a direct next hop (fei4/3 of R4) and a non-direct next hop (fei2/l of R2). Similarly, two groups are configured according to two different next hops. Authentication information, based on the authentication information AUTH43 of the next hop R4fei4/3 (including HASH algorithm, key, challenge negotiation, etc.), based on the authentication information AUTH243 of the non-direct next hop R2fei2/1 (including the HASH algorithm, the key, Challenge negotiation, etc.). The two sides of the next-hop or non-directly connected next-hop mutual configuration authentication information must be the same. In this example, "AUTH21”, “AUTH43”, "AUTH243”, etc.
  • the interface fei3/2 of R3 is also AUTH23 based on the fei2/2 configuration authentication information of the next hop R2.
  • Table 1 The authentication relationship between the corresponding interface and the next hop is as shown in Table 1: Table 1
  • the outbound interface of the PATH packet sent by the primary tunnel on R2 is fei2/2, and the corresponding next hop information is fei3/2 of R3. Therefore, the AUTH23 in the R2fei2/2 interface is used to generate the PATH packet.
  • the summary information, the fei3/2 of the peer R3 receives the PATH packet, and the corresponding next hop authentication information in the fei3/2 interface of the interface is matched by the RSVP_HOP object (the interface address carrying the fei2/2). Certification, certification passed.
  • the PATH packet sent by the primary tunnel R2 the outgoing interface is fei2/l, and the corresponding next hop information is fei3/3 of R3. Therefore, AUTH243 is used to generate the summary information of the PATH packet, and the fei3/ of the opposite end R3/ After receiving the PATH packet, the RSVP_HOP object (the address of the fei2/l interface) matches the next hop authentication information in the fei3/3 interface, and the AUTH 243 authenticates the authentication.
  • the RSVP_HOP object the address of the interface carrying fei3/3 matches the next hop authentication information in the fei2/l interface, and is authenticated by AUTH243. , the certification passed. As shown in FIG.
  • Step S502 Configure next hop authentication information
  • Step S504 construct a sending packet
  • Step S506 determine whether it is necessary to generate packet digest information, if necessary, Go to step S508, if not, end
  • step S508, generate summary information according to the authentication information of the next hop of the interface, and end.
  • the process of processing the received RSVP packet includes: Step S602, receiving an RSVP message; Step S604, storing an address in the RSVP_HOP object in the message; Step S606, determining whether there is an INTEGRITY object in the message, if yes, proceeding to step S608, if not, then transferring Step S612; Step S608, authenticating the message according to the authentication information of the next hop of the interface; Step S610, determining whether the authentication is passed, if yes, proceeding to step S614, if not, proceeding to step S616; Step S612 Check whether the corresponding RSVP_HOP address in the inbound interface of the packet (that is, the interface that receives the packet) has an authentication configuration. If yes, go to step S616.
  • FIG. 7 is a structural block diagram of an RSVP authentication apparatus according to an embodiment of the present invention.
  • the RSVP authentication apparatus includes: an authentication setting module 702, configured to correspond to each next hop address of the node interface, and set a group of authentication information for the node interface, where the foregoing group The authentication information in the authentication information is in one-to-one correspondence with all the next hop addresses of the node interface.
  • the message sending module 704 is connected to the authentication setting module 702, and is configured to select one of the foregoing group of authentication information when sending the message.
  • the authentication information corresponding to the next hop address sent by the packet is filled with the packet content authentication information of the packet.
  • the packet receiving module 706 is connected to the authentication setting module 702, and is configured to receive the packet when the packet is received.
  • the authentication information corresponding to the sending address of the packet is selected in the authentication information to perform packet authentication on the packet.
  • the device sets a set of authentication messages corresponding to all the next hop addresses of the node port for the node port, and selects the authentication information corresponding to the address according to the corresponding address to send and receive the message. Processing. In this way, even if the protection switchover occurs, the next hop address is changed, and the authentication fails.
  • each next hop address of the node interface may include: an address of a next hop directly connected to the node interface, and an address of a next hop not directly connected to the node interface.
  • Each next hop address of the node interface shall include all possible next hop addresses, including the address of the next hop directly connected to the node interface and the address of the next hop that is not directly connected to the node interface.
  • the authentication setting module corresponding to the two node ports of the directly connected next hop or the indirectly connected next hop is the same for the authentication information set by the peer.
  • the authentication information set for each other must be the same whether it is the two sides of the directly connected next hop or the non-directly connected next hop.
  • the message receiving module 706 is configured to obtain the sending interface address of the message through the RSVP_H0P object when receiving the message.
  • the RSVP_H0P object includes the IP address of the previous node. Therefore, the packet receiving module 706 can obtain the sending interface address of the received packet through the RSVP_H0P object.
  • the foregoing authentication information may include: a HASH algorithm, a key, and a challenge negotiation.
  • the authentication information may be extended according to a specific situation, including but not limited to the above three items. From the above description, it can be seen that the technical solution provided by the present invention can implement an interface management based on a group of next hops. Authentication information, when sending and receiving packets, the packets are authenticated by matching the authentication information of the directly connected or indirectly connected next hops.

Abstract

Disclosed are an RSVP authentication method and device. The method comprises: in correspondence with each next-hop address of a node interface, setting a set of authentication information for the node interface, the authentication information in the set of authentication information being in one-to-one correspondence with all next-hop addresses of the node interface; during transmission of a message, selecting the authentication information corresponding to the next-hop address which is sent by the message from the set of authentication information, to fill message content authentication information of the message; and during reception of the message, selecting the authentication information corresponding to a sending address of the message from the set of authentication information, to authenticate the message. By means of the technical solutions provided by the present invention, the problem of protection failure caused by authentication failure after FRR is switched in the prior art is solved, and an effect of preventing a data service borne on a tunnel from being lost is further achieved.

Description

RSVP认证方法及装置 技术领域 本发明涉及通信领域, 具体而言, 涉及一种 RSVP (Resource Reservation Protocol, 资源预留协议) 认证方法及装置。 背景技术 流量工程的认证技术 (RSVP Cryptographic Authentication, 资源预留协议密码认证) 是为了使 RSVP消息不被恶意篡改而进行的一种密码认证机制。 在 RFC2747 (—种端 到端的认证协议标准) 中定义了一种逐跳式保护 RSVP消息完整性的机制, 消息的发 送方和接收方需要配置一个相同的密钥以及相同的 HASH算法, 以产生相同的摘要信 息, 在消息发送方需要将这个摘要信息作为一个对象 (INTEGRITY)携带在报文中, 接 收方接收到报文, 通过携带的摘要信息来进行报文完整性的认证。 使能了 RSVP认证的接口称为 RSVP认证接口, RSVP认证接口发送报文的时候 需要封装认证对象 (INTEGRITY), 接收到不含认证对象的报文必须丢弃; 没有使能 RSVP认证的接口称为非 RSVP认证接口, 非 RSVP认证接口发送报文的时候不需要 封装认证对象, 接收到含有认证对象的报文必须丢弃。 流量工程快速重路由 (Traffic Engineering-Fast Re-Route, 简称为 TE-FRR) 技术 是一种当局部链路或节点失效进行本地修复的本地保护技术。 在 RFC4090 (—种端到 端的认证协议标准) 中定义了链路保护和节点保护两种本地保护类型, 同时也定义了 在形成保护过程中的两种特殊的节点类型: 本地修复点 (Point Local Repair, 简称为 PLR)节点和汇聚点 (Merge Point, 简称为 MP)节点。 图 1为 TE-FRR的节点保护拓扑图。 如图 1所示, 该拓扑图包括: 节点 Rl、 R2、 R3 (Rl作为 PLR节点, R3作为 MP节点), 链路 L12、 L23、 L13 , 其中, 当链路 L12 失效时, 将路径切换至 L13, 形成节点保护。 图 2为 TE-FRR的链路保护拓扑图。 如图 2所示, 该拓扑图包括: 节点 Rl、 R2、 R3 (R2作为 PLR节点, R3作为 MP节点), 链路 L12、 L23、 L32, 其中, 当链路 L23 失效时, 将路径切换至 L32, 形成链路保护。 切换过后, 在 MP节点处理从备份隧道 入接口(即备份隧道的起始入口)上发送的 PATH (路径报文)、 PATH-TEAR (RSVP-TE 协议中的一种拆除报文)等上游发送的协议报文,对于原隧道的协议报文不进行处理。 在实际工程部署中, 如图 3所示, 主隧道经过 Rl、 R2、 R3, 并且在 R1的 feil/1 和 R2的 fei2/l上配置了相同的 RSVP认证信息, 备份隧道是经过 R2、 Rl、 R4、 R3, 对主隧道进行 R2和 R3之间的链路 L23进行链路保护。根据 RFC2747 (—种端到端的 认证协议标准)中的定义, 认证双方是指一跳中的两方, FRR切换之后, 主隧道上 R2 的 fei2/l和 R3上的 fei3/3也是一跳中的认证双方。 当链路 L23发生故障后, 在 R2上主隧道发生 TE-FRR切换, 切换后主隧道在 R3 上发送的 RESV消息是经过 fei3/3 口发出去的, 并且目的地是 R2的 fei2/l 口。 由于 RESV 消息中没有携带告警选项, 所以沿途该报文不会上送协议处理, 直接按路由转 发, 按照上述的拓扑, 切换后的 RESV报文应该是经过 R4、 R1再到 R2的 fei2/l口。 切换后 R2从 fei2/l口接收到的 RESV报文, 是在 R3上构造的,在 R3的出接口 fei3/3 并没有配置认证信息,所以报文中不会有 R2上 fei2/l所需要的认证摘要信息, 从而丢 弃报文, 几个周期之后, 隧道会因为老化而拆除, 从而导致保护失效。 针对上述问题, 目前尚未提出有效的解决方案。 发明内容 本发明提供了一种 RSVP认证方法及装置, 以解决上述问题。 根据本发明的一个方面, 提供了一种 RSVP认证方法, 包括: 对应于节点接口的 每一个下一跳地址, 为节点接口设置一组认证信息, 其中, 上述一组认证信息中的认 证信息与节点接口的所有下一跳地址是一一对应的; 在发送报文时, 在上述一组认证 信息中选择与该报文发送的下一跳地址对应的认证信息填充该报文的报文内容认证信 息; 在接收报文时, 在上述一组认证信息中选择与该报文的发送地址对应的认证信息 对该报文进行报文认证。 上述节点接口的每一个下一跳地址包括: 与节点接口直连的下一跳的地址、 与节 点接口非直连的下一跳的地址。 直连的下一跳或非直连的下一跳的两个节点端口为对端设置的认证信息是相同 的。 在接收报文时通过 RSVP_HOP (即下一条地址)对象获取该报文的发送接口地址。 上述认证信息包括: HASH (散列, 也音译为哈希)算法、密钥、 challenge (挑战) 协商。 根据本发明的另一方面, 提供了一种 RS VP认证装置, 包括: 认证设置模块, 设 置为对应于节点接口的每一个下一跳地址, 为节点接口设置一组认证信息, 其中, 上 述一组认证信息中的认证信息与节点接口的所有下一跳地址是一一对应的; 报文发送 模块, 设置为在发送报文时, 在上述一组认证信息中选择与该报文发送的下一跳地址 对应的认证信息填充该报文的报文内容认证信息; 报文接收模块, 设置为在接收报文 时, 在上述一组认证信息中选择与该报文的发送地址对应的认证信息对该报文进行报 文认证。 上述节点接口的每一个下一跳地址包括: 与节点接口直连的下一跳的地址、 与节 点接口非直连的下一跳的地址。 直连的下一跳或非直连的下一跳的两个节点端口对应的认证设置模块为对端设置 的认证信息是相同的。 报文接收模块,设置为在接收报文时通过 RSVP_H0P对象获取该报文的发送接口 地址。 上述认证信息包括: 散列 HASH算法、 密钥、 challenge协商。 通过本发明, 采用为节点端口设置一组认证消息, 在向不同的下一跳地址发送报 文时选择与该地址对应的认证消息填写报文的认证信息, 在接收报文时, 选择与该报 文发送接口地址对应的认证信息对该报文进行认证的方案,解决了现有技术中 FRR切 换后会由于认证失效而导致保护失效的问题, 进而达到了防止隧道上承载的数据业务 丢失的效果。 附图说明 此处所说明的附图用来提供对本发明的进一步理解, 构成本申请的一部分, 本发 明的示意性实施例及其说明用于解释本发明, 并不构成对本发明的不当限定。 在附图 中: 图 1是 TE-FRR节点保护的拓扑示意图; 图 2是 TE-FRR链路保护的拓扑示意图; 图 3是 TE-FRR链路保护以及 RSVP认证的拓扑示意图; 图 4是根据本发明实施例的 RSVP认证方法的流程图; 图 5是根据本发明实例的发送方构建 RSVP报文的流程图; 图 6是根据本发明实例的接收方处理 RSVP报文的流程图; 图 7是根据本发明实施例的 RSVP认证装置的结构框图。 具体实施方式 下文中将参考附图并结合实施例来详细说明本发明。 需要说明的是, 在不冲突的 情况下, 本申请中的实施例及实施例中的特征可以相互组合。 图 4是根据本发明实施例的 RSVP认证方法的流程图。 如图 4所示, 根据本发明 实施例的 RSVP认证方法包括: 步骤 S402,对应于节点接口的每一个下一跳地址,为节点接口设置一组认证信息, 其中, 上述一组认证信息中的认证信息与节点接口的所有下一跳地址是一一对应的; 步骤 S404, 在发送报文时, 在上述一组认证信息中选择与该报文发送的下一跳地 址对应的认证信息填充该报文的报文内容认证信息; 步骤 S406, 在接收报文时, 在上述一组认证信息中选择与该报文的发送地址对应 的认证信息对该报文进行报文认证。 通过上述方法, 为节点端口设置了一组与该节点端口的所有下一跳地址一一对应 的认证消息, 在发送和接收报文时会根据相应的地址选择与该地址对应的认证信息来 进行后续的处理。 这样, 即使发生的保护切换, 导致了下一跳地址的改变, 也不会造 成认证失败, 从而避免了网络中由于认证失效, 导致 TE-FRR切换失效, 进而引起的 隧道上承载的数据业务丢失问题的出现。 优选地, 上述节点接口的每一个下一跳地址可以包括: 与节点接口直连的下一跳 的地址、 与节点接口非直连的下一跳的地址。 节点接口的每一个下一跳地址应该包括所有可能的下一跳地址, 包括与节点接口 直连的下一跳的地址以及与节点接口非直连的下一跳的地址。 优选地, 直连的下一跳或非直连的下一跳的两个节点端口为对端设置的认证信息 是相同的。 目前, 只有当一跳中的双方 (发送接口和接收接口) 都采用相同的认证信息时, 整个认证过程才能顺利完成。 因此, 在设置接口的认证信息时, 不管是直连的下一跳 的双方, 还是非直连的下一跳的双方, 互相为对方设置的认证信息都必须是相同的。 优选地, 在接收报文时可以通过 RSVP_HOP对象获取该报文的发送接口地址。 RSVP_HOP对象中包含有上一个节点的 IP地址, 因此, 可以通过 RSVP_HOP对 象获取接收到的报文的发送接口地址, 实现起来也较为方便。 优选地, 上述认证信息可以包括: HASH算法、 密钥、 challenge协商。 在具体实施过程中, 认证信息可以根据具体情况进行扩展, 包括但不限于上述三 项。 下面结合实例对上述优选实施例进行详细说明。 以图 3所示的拓扑结构为例。如图 3所示, 主隧道路径 R1上的接口 feil/1的直连 下一跳是 (R2的 fei2/l), 基于这个下一跳配置认证信息为 AUTH21(包括 HASH算法、 密钥、 challenge协商等)。 主隧道路径 R2的接口 fei2/l存在直连下一跳 (R1的 feil/1)和潜在非直连下一跳 (R3 的 fei3/3), 对应的接口认证信息是基于下一跳的配置, 所以会配置两组认证信息, 一 组是基于下一跳为 R1 的 feil/1 的相关认证信息 AUTH21(包括 HASH算法、 密钥、 challenge协商等), 另一组是基于下一跳 R3的 fei3/3的相关认证信息 AUTH243(包括 HASH算法、 密钥、 challenge协商等;)。 对于 R3的接口 fei3/3,存在直连下一跳 (R4的 fei4/3)和非直连下一跳 (R2的 fei2/l), 同理, 根据两个不同的下一跳配置两组认证信息, 基于下一跳为 R4fei4/3的认证信息 AUTH43(包括 HASH算法、 密钥、 challenge协商等), 基于非直连下一跳 R2fei2/1的 认证信息 AUTH243(包括 HASH算法、 密钥、 challenge协商等)。 两两为直连或者非直连的下一跳双方互相配置认证信息必须是一样的, 在本实例 中用" AUTH21"、 "AUTH43"、 "AUTH243"等来标识认证信息, 例如, R2的接口 fei2/2 基于下一跳 R3的 fei3/2配置认证信息 AUTH23 , R3的接口 fei3/2基于下一跳 R2的 fei2/2配置认证信息也为 AUTH23。 对应的接口和下一跳的认证关系, 如表 1所示: 表 1 TECHNICAL FIELD The present invention relates to the field of communications, and in particular to a RSVP (Resource Reservation Protocol) authentication method and apparatus. BACKGROUND OF THE INVENTION Traffic engineering authentication technology (RSVP Cryptographic Authentication) is a password authentication mechanism for making RSVP messages not maliciously tampering. In RFC2747 (the end-to-end authentication protocol standard), a hop-by-hop mechanism for protecting RSVP message integrity is defined. The sender and receiver of the message need to configure an identical key and the same HASH algorithm to generate For the same summary information, the sender of the message needs to carry the summary information as an object (INTEGRITY) in the message, and the receiver receives the message and authenticates the message integrity by carrying the summary information. The RSVP authentication interface is called the RSVP authentication interface. The RSVP authentication interface needs to encapsulate the authentication object (INTEGRITY) when sending packets. The packets that do not contain the authentication object must be discarded. The interface that does not enable RSVP authentication is called. Non-RSVP authentication interface. When a non-RSVP authentication interface sends a packet, it does not need to encapsulate the authentication object. Packets that contain the authentication object must be discarded. Traffic Engineering-Fast Re-Route (TE-FRR) technology is a local protection technology that performs local repair when local links or nodes fail. In RFC4090 (the end-to-end authentication protocol standard), two types of local protection, link protection and node protection, are defined. Two special node types in the protection process are also defined: Local Repair Point (Point Local) Repair, referred to as PLR) node and Merge Point (MP) node. Figure 1 shows the node protection topology of TE-FRR. As shown in FIG. 1, the topology diagram includes: nodes R1, R2, and R3 (R1 as a PLR node and R3 as an MP node), links L12, L23, and L13, wherein when the link L12 fails, the path is switched to L13, forming node protection. Figure 2 shows the link protection topology of TE-FRR. As shown in FIG. 2, the topology diagram includes: nodes R1, R2, and R3 (R2 as a PLR node and R3 as an MP node), links L12, L23, and L32, where when the link L23 fails, the path is switched to L32, forming link protection. After the switchover, the MP node processes the PATH (path packet) and PATH-TEAR (a type of teardown packet in the RSVP-TE protocol) sent from the backup tunnel inbound interface (that is, the start entry of the backup tunnel). The protocol packet does not process the protocol packets of the original tunnel. In the actual project deployment, as shown in Figure 3, the primary tunnel passes R1, R2, and R3, and the same RSVP authentication information is configured on the fei2/l of R1 and fei2/l of R2. The backup tunnel passes through R2 and R1. R4 and R3 perform link protection on the link L23 between R2 and R3 in the primary tunnel. According to the definition in RFC2747 (End-to-End Authentication Protocol Standard), the two authentication parties refer to two parties in one hop. After FRR switching, fei2/l on R2 and fei3/3 on R3 in the primary tunnel are also in one hop. Both sides of the certification. After the link L23 fails, the TE-FRR switch occurs on the primary tunnel on R2. After the switchover, the RESV message sent by the primary tunnel on R3 is sent through the fei3/3 port, and the destination is the fei2/l port of R2. . Since the RESV message does not carry the alarm option, the message will not be sent to the protocol for processing along the way, and the route will be forwarded directly. According to the above topology, the switched RESV message should be fei2/l after R4, R1 and R2. mouth. After the switchover, the RESV packet received by R2 from the fei2/l port is constructed on R3. The authentication information is not configured on the outgoing interface fei3/3 of R3. Therefore, there is no need for fei2/l on R2 in the packet. After the authentication summary information is discarded, the packet is discarded. After several cycles, the tunnel is removed due to aging, which causes the protection to fail. In response to the above problems, no effective solution has been proposed yet. SUMMARY OF THE INVENTION The present invention provides an RSVP authentication method and apparatus to solve the above problems. According to an aspect of the present invention, an RSVP authentication method is provided, including: setting a group of authentication information for a node interface corresponding to each next hop address of a node interface, where the authentication information in the group of authentication information is All the next hop addresses of the node interface are one-to-one correspondence. When the packet is sent, the authentication information corresponding to the next hop address sent by the packet is selected in the group of authentication information to fill the packet content of the packet. Authentication information: When receiving a message, the authentication information corresponding to the sending address of the packet is selected from the group of authentication information to perform packet authentication on the packet. Each of the next hop addresses of the node interface includes: an address of a next hop directly connected to the node interface, and an address of a next hop that is not directly connected to the node interface. The authentication information set for the peer is the same for the two node ports of the directly connected next hop or the indirectly connected next hop. The receiving interface address of the packet is obtained through the RSVP_HOP (ie, the next address) object when receiving the packet. The above authentication information includes: HASH (hash, also transliterated as hash) algorithm, key, challenge (challenge) negotiation. According to another aspect of the present invention, an RS VP authentication apparatus is provided, including: an authentication setting module, configured to correspond to each next hop address of a node interface, and set a set of authentication information for the node interface, where the foregoing one The authentication information in the group authentication information is in one-to-one correspondence with all the next hop addresses of the node interface. The message sending module is configured to select and send the message in the group of authentication information when the message is sent. The authentication information corresponding to the one-hop address is filled with the packet content authentication information of the packet. The packet receiving module is configured to: when receiving the packet, select the authentication information corresponding to the sending address of the packet in the group of authentication information. Perform packet authentication on the packet. Each of the next hop addresses of the node interface includes: an address of a next hop directly connected to the node interface, and an address of a next hop that is not directly connected to the node interface. The authentication setting module corresponding to the two node ports of the directly connected next hop or the indirectly connected next hop is the same for the authentication information set by the peer. The packet receiving module is configured to obtain the sending interface address of the packet through the RSVP_H0P object when receiving the packet. The above authentication information includes: a hash HASH algorithm, a key, and a challenge negotiation. According to the present invention, a group of authentication messages are set for the node port, and when the packet is sent to a different next hop address, the authentication information of the authentication message corresponding to the address is selected, and when the message is received, the message is selected. A scheme for authenticating the packet by the authentication information corresponding to the address of the packet, which solves the problem that the protection fails due to the authentication failure after the FRR switch in the prior art, thereby preventing the loss of the data service carried on the tunnel. effect. BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are set to illustrate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, In the drawings: FIG. 1 is a schematic diagram of a topology of a TE-FRR node protection; FIG. 2 is a topology diagram of a TE-FRR link protection; FIG. 3 is a topology diagram of TE-FRR link protection and RSVP authentication; A flowchart of an RSVP authentication method according to an embodiment of the present invention; 5 is a flowchart of a sender constructing an RSVP message according to an example of the present invention; FIG. 6 is a flowchart of a receiver processing an RSVP message according to an example of the present invention; FIG. 7 is a structure of an RSVP authentication apparatus according to an embodiment of the present invention; block diagram. BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict. 4 is a flow chart of an RSVP authentication method according to an embodiment of the present invention. As shown in FIG. 4, the RSVP authentication method according to the embodiment of the present invention includes: Step S402: Set a group of authentication information for a node interface corresponding to each next hop address of the node interface, where The authentication information is in one-to-one correspondence with all the next hop addresses of the node interface. In step S404, when the packet is sent, the authentication information corresponding to the next hop address sent by the packet is selected in the set of authentication information. The packet content authentication information of the packet is sent. In step S406, when the packet is received, the authentication information corresponding to the sending address of the packet is selected in the group of authentication information to perform packet authentication on the packet. Through the above method, a set of authentication messages corresponding to all the next hop addresses of the node port are set for the node port, and the authentication information corresponding to the address is selected according to the corresponding address when sending and receiving the message. Subsequent processing. In this way, even if the protection switchover occurs, the next hop address is changed, and the authentication fails. This prevents the TE-FRR switch from being invalidated due to the authentication failure in the network, and the data service carried on the tunnel is lost. The problem arises. Preferably, each next hop address of the node interface may include: an address of a next hop directly connected to the node interface, and an address of a next hop not directly connected to the node interface. Each next hop address of the node interface shall include all possible next hop addresses, including the address of the next hop directly connected to the node interface and the address of the next hop that is not directly connected to the node interface. Preferably, the two node ports of the directly connected next hop or the indirectly connected next hop are the same for the authentication information set by the opposite end. Currently, the entire authentication process can be successfully completed only when both parties (sending interface and receiving interface) in the first hop use the same authentication information. Therefore, when setting the authentication information of the interface, the authentication information set for each other must be the same whether it is both the directly connected next hop or the indirectly connected next hop. Preferably, the sending interface address of the packet can be obtained through the RSVP_HOP object when receiving the packet. The RSVP_HOP object contains the IP address of the previous node. Therefore, the address of the sending interface of the received packet can be obtained through the RSVP_HOP object, which is convenient to implement. Preferably, the foregoing authentication information may include: a HASH algorithm, a key, and a challenge negotiation. In the specific implementation process, the authentication information may be extended according to specific conditions, including but not limited to the above three items. The above preferred embodiments will be described in detail below with reference to examples. Take the topology shown in Figure 3 as an example. As shown in Figure 3, the direct hop of the interface feil/1 on the primary tunnel path R1 is (fei2/l of R2), and the authentication information based on this next hop is AUTH21 (including HASH algorithm, key, challenge). Negotiation, etc.). The interface fei2/l of the primary tunnel path R2 has a direct next hop (feil/1 of R1) and a potential indirect next hop (fei3/3 of R3). The corresponding interface authentication information is based on the configuration of the next hop. Therefore, two sets of authentication information are configured, one group is based on the related authentication information AUTH21 of the feil/1 with the next hop R1 (including the HASH algorithm, the key, the challenge negotiation, etc.), and the other group is based on the next hop R3. Related authentication information AUTH243 of fei3/3 (including HASH algorithm, key, challenge negotiation, etc.). For the interface fei3/3 of R3, there is a direct next hop (fei4/3 of R4) and a non-direct next hop (fei2/l of R2). Similarly, two groups are configured according to two different next hops. Authentication information, based on the authentication information AUTH43 of the next hop R4fei4/3 (including HASH algorithm, key, challenge negotiation, etc.), based on the authentication information AUTH243 of the non-direct next hop R2fei2/1 (including the HASH algorithm, the key, Challenge negotiation, etc.). The two sides of the next-hop or non-directly connected next-hop mutual configuration authentication information must be the same. In this example, "AUTH21", "AUTH43", "AUTH243", etc. are used to identify the authentication information, for example, the interface of R2. Fei2/2 Based on the next hop R3 fei3/2 configuration authentication information AUTH23, the interface fei3/2 of R3 is also AUTH23 based on the fei2/2 configuration authentication information of the next hop R2. The authentication relationship between the corresponding interface and the next hop is as shown in Table 1: Table 1
Figure imgf000008_0001
Figure imgf000008_0001
没有 FRR切换的时候, 主隧道在 R2发出的 PATH报文出接口是 fei2/2,对应的下 一跳信息是 R3的 fei3/2,所以用 R2fei2/2接口中的认证 AUTH23产生 PATH报文的摘 要信息, 对端 R3的 fei3/2接收到了该 PATH报文, 通过 RSVP_HOP对象 (;携带 fei2/2 的接口地址;), 匹配本接口 fei3/2中对应的下一跳认证信息, 用 AUTH23进行认证, 认 证通过。  When there is no FRR switchover, the outbound interface of the PATH packet sent by the primary tunnel on R2 is fei2/2, and the corresponding next hop information is fei3/2 of R3. Therefore, the AUTH23 in the R2fei2/2 interface is used to generate the PATH packet. The summary information, the fei3/2 of the peer R3 receives the PATH packet, and the corresponding next hop authentication information in the fei3/2 interface of the interface is matched by the RSVP_HOP object (the interface address carrying the fei2/2). Certification, certification passed.
FRR切换之后, 主隧道 R2发出的 PATH报文, 出接口是 fei2/l, 对应的下一跳信 息是 R3的 fei3/3, 所以使用 AUTH243产生 PATH报文的摘要信息, 对端 R3的 fei3/3 接收到该 PATH报文之后, 通过 RSVP_HOP对象 (携带 fei2/l的接口地址), 匹配本接 口 fei3/3中对应的下一跳认证信息, 用 AUTH243进行认证, 认证通过。 After the FRR switchover, the PATH packet sent by the primary tunnel R2, the outgoing interface is fei2/l, and the corresponding next hop information is fei3/3 of R3. Therefore, AUTH243 is used to generate the summary information of the PATH packet, and the fei3/ of the opposite end R3/ After receiving the PATH packet, the RSVP_HOP object (the address of the fei2/l interface) matches the next hop authentication information in the fei3/3 interface, and the AUTH 243 authenticates the authentication.
FRR切换之后, 主隧道在 R3上发送的 RESV报文, 出接口是 fei3/3, 报文对应的 需要上送处理的下一跳信息 R2的 fei2/l接口, 所以 RESV报文使用 AUTH243产生 RESV报文的摘要信息,待报文从 fei2/l接口接收的时候,通过 RSVP_HOP对象 (携带 fei3/3的接口地址),匹配本接口 fei2/l中对应的下一跳认证信息, 用 AUTH243进行认 证, 认证通过。 具体构建 RSVP报文的流程, 如图 5所示, 包括: 步骤 S502, 配置下一跳认证信息; 步骤 S504, 构建发送报文; 步骤 S506, 判断是否需要产生报文摘要信息, 如果需要, 转至步骤 S508, 如果 不需要, 结束; 步骤 S508, 根据接口的下一跳的认证信息产生摘要信息, 结束。 处理接收到的 RSVP报文的流程, 如图 6所示, 包括: 步骤 S602, 接收到一个 RSVP报文; 步骤 S604, 保存报文中的 RSVP_HOP对象中的地址; 步骤 S606, 判断报文中是否有 INTEGRITY对象, 如果有, 则转至步骤 S608, 如 果没有, 则转至步骤 S612; 步骤 S608, 根据接口的下一跳的认证信息认证该报文; 步骤 S610, 判断是否通过认证, 如果通过, 则转至步骤 S614, 如果没通过, 则 转至步骤 S616; 步骤 S612, 检查报文入接口 (即接收报文的接口) 中对应的 RSVP_HOP地址是 否有认证配置, 如果有则转至步骤 S616, 如果没有, 则转至步骤 S614; 步骤 S614, 继续处理报文, 结束; 步骤 S616, 丢弃报文, 结束。 图 7是根据本发明实施例的 RSVP认证装置的结构框图。 如图 7所示, 根据本发 明实施例的 RSVP认证装置包括: 认证设置模块 702, 设置为对应于节点接口的每一个下一跳地址, 为节点接口设 置一组认证信息, 其中, 上述一组认证信息中的认证信息与节点接口的所有下一跳地 址是一一对应的; 报文发送模块 704, 连接至认证设置模块 702, 设置为在发送报文时, 在上述一组 认证信息中选择与该报文发送的下一跳地址对应的认证信息填充该报文的报文内容认 证信息; 报文接收模块 706, 连接至认证设置模块 702, 设置为在接收报文时, 在上述一组 认证信息中选择与该报文的发送地址对应的认证信息对该报文进行报文认证。 上述装置为节点端口设置了一组与该节点端口的所有下一跳地址一一对的应认证 消息, 在发送和接收报文时会根据相应的地址选择与该地址对应的认证信息来进行后 续的处理。 这样, 即使发生的保护切换, 导致了下一跳地址的改变, 也不会造成认证 失败, 从而避免了网络中由于认证失效, 导致 TE-FRR切换失效, 进而引起的隧道上 承载的数据业务丢失问题的出现。 优选地, 上述节点接口的每一个下一跳地址可以包括: 与节点接口直连的下一跳 的地址、 与节点接口非直连的下一跳的地址。 节点接口的每一个下一跳地址应该包括所有可能的下一跳地址, 包括与节点接口 直连的下一跳的地址以及与节点接口非直连的下一跳的地址。 优选地, 直连的下一跳或非直连的下一跳的两个节点端口对应的认证设置模块为 对端设置的认证信息是相同的。 为了使认证过程才能顺利完成, 在设置接口的认证信息时, 不管是直连的下一跳 的双方, 还是非直连的下一跳的双方, 互相为对方设置的认证信息都必须是相同的。 优选地, 报文接收模块 706, 设置为在接收报文时通过 RSVP_H0P对象获取该报 文的发送接口地址。 After the FRR switchover, the RESV packet sent by the primary tunnel on R3, the outgoing interface is fei3/3, and the fei2/l interface of the next hop information R2 that needs to be sent to the packet is sent, so the RESV packet uses AUTH243 to generate RESV. Summary information of the packet. When the packet is received from the fei2/l interface, the RSVP_HOP object (the address of the interface carrying fei3/3) matches the next hop authentication information in the fei2/l interface, and is authenticated by AUTH243. , the certification passed. As shown in FIG. 5, the process of constructing an RSVP packet is as follows: Step S502: Configure next hop authentication information; Step S504, construct a sending packet; Step S506, determine whether it is necessary to generate packet digest information, if necessary, Go to step S508, if not, end; step S508, generate summary information according to the authentication information of the next hop of the interface, and end. The process of processing the received RSVP packet, as shown in Figure 6, includes: Step S602, receiving an RSVP message; Step S604, storing an address in the RSVP_HOP object in the message; Step S606, determining whether there is an INTEGRITY object in the message, if yes, proceeding to step S608, if not, then transferring Step S612; Step S608, authenticating the message according to the authentication information of the next hop of the interface; Step S610, determining whether the authentication is passed, if yes, proceeding to step S614, if not, proceeding to step S616; Step S612 Check whether the corresponding RSVP_HOP address in the inbound interface of the packet (that is, the interface that receives the packet) has an authentication configuration. If yes, go to step S616. If not, go to step S614. Step S614, continue processing the packet, and end. Step S616, discarding the message, and ending. FIG. 7 is a structural block diagram of an RSVP authentication apparatus according to an embodiment of the present invention. As shown in FIG. 7, the RSVP authentication apparatus according to the embodiment of the present invention includes: an authentication setting module 702, configured to correspond to each next hop address of the node interface, and set a group of authentication information for the node interface, where the foregoing group The authentication information in the authentication information is in one-to-one correspondence with all the next hop addresses of the node interface. The message sending module 704 is connected to the authentication setting module 702, and is configured to select one of the foregoing group of authentication information when sending the message. The authentication information corresponding to the next hop address sent by the packet is filled with the packet content authentication information of the packet. The packet receiving module 706 is connected to the authentication setting module 702, and is configured to receive the packet when the packet is received. The authentication information corresponding to the sending address of the packet is selected in the authentication information to perform packet authentication on the packet. The device sets a set of authentication messages corresponding to all the next hop addresses of the node port for the node port, and selects the authentication information corresponding to the address according to the corresponding address to send and receive the message. Processing. In this way, even if the protection switchover occurs, the next hop address is changed, and the authentication fails. This prevents the TE-FRR switch from being invalidated due to the authentication failure in the network, and the data service carried on the tunnel is lost. The problem arises. Preferably, each next hop address of the node interface may include: an address of a next hop directly connected to the node interface, and an address of a next hop not directly connected to the node interface. Each next hop address of the node interface shall include all possible next hop addresses, including the address of the next hop directly connected to the node interface and the address of the next hop that is not directly connected to the node interface. Preferably, the authentication setting module corresponding to the two node ports of the directly connected next hop or the indirectly connected next hop is the same for the authentication information set by the peer. In order to complete the authentication process successfully, when setting the authentication information of the interface, the authentication information set for each other must be the same whether it is the two sides of the directly connected next hop or the non-directly connected next hop. . Preferably, the message receiving module 706 is configured to obtain the sending interface address of the message through the RSVP_H0P object when receiving the message.
RSVP_H0P对象中包含有上一个节点的 IP地址, 因此, 报文接收模块 706可以 通过 RSVP_H0P对象获取接收到的报文的发送接口地址。 优选地, 上述认证信息可以包括: HASH算法、 密钥、 challenge协商。 在具体实施过程中, 认证信息可以根据具体情况进行扩展, 包括但不限于上述三 项 从以上的描述中, 可以看出, 本发明提供的技术方案可以实现一个接口管理基于 下一跳的一组认证信息, 发送和接收报文的时候, 通过匹配直连或者非直连下一跳的 认证信息进行报文的认证,从而解决了报文跨节点接收时的认证问题以及 FRR切换后 由于认证失效导致的保护失效问题, 避免了网络中由于认证失效, 导致 TE-FRR切换 失效, 进而引起隧道上承载的数据业务丢失问题的出现。 显然, 本领域的技术人员应该明白, 上述的本发明的各模块或各步骤可以用通用 的计算装置来实现, 它们可以集中在单个的计算装置上, 或者分布在多个计算装置所 组成的网络上, 可选地, 它们可以用计算装置可执行的程序代码来实现, 从而, 可以 将它们存储在存储装置中由计算装置来执行, 并且在某些情况下, 可以以不同于此处 的顺序执行所示出或描述的步骤, 或者将它们分别制作成各个集成电路模块, 或者将 它们中的多个模块或步骤制作成单个集成电路模块来实现。 这样, 本发明不限制于任 何特定的硬件和软件结合。 以上所述仅为本发明的优选实施例而已, 并不用于限制本发明, 对于本领域的技 术人员来说, 本发明可以有各种更改和变化。 凡在本发明的精神和原则之内, 所作的 任何修改、 等同替换、 改进等, 均应包含在本发明的保护范围之内。 The RSVP_H0P object includes the IP address of the previous node. Therefore, the packet receiving module 706 can obtain the sending interface address of the received packet through the RSVP_H0P object. Preferably, the foregoing authentication information may include: a HASH algorithm, a key, and a challenge negotiation. In the specific implementation process, the authentication information may be extended according to a specific situation, including but not limited to the above three items. From the above description, it can be seen that the technical solution provided by the present invention can implement an interface management based on a group of next hops. Authentication information, when sending and receiving packets, the packets are authenticated by matching the authentication information of the directly connected or indirectly connected next hops. This solves the authentication problem when the packets are received across nodes and the authentication fails after the FRR switchover. The problem of protection failure caused by the failure of the authentication failure in the network causes the TE-FRR handover to fail, which in turn causes the loss of data services carried on the tunnel. Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device, which can be concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, such that they may be stored in the storage device by the computing device and, in some cases, may be different from the order herein. The steps shown or described are performed, or they are separately fabricated into individual integrated circuit modules, or a plurality of modules or steps are fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software. The above is only the preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Claims

1. 一种资源预留协议 RSVP认证方法, 包括: 1. A resource reservation protocol RSVP authentication method, including:
对应于节点接口的每一个下一跳地址,为所述节点接口设置一组认证信息, 其中, 所述一组认证信息中的认证信息与所述节点接口的所有下一跳地址是一 一对应的;  Corresponding to each next hop address of the node interface, a set of authentication information is set for the node interface, where the authentication information in the set of authentication information is in one-to-one correspondence with all next hop addresses of the node interface. of;
在发送报文时, 在所述一组认证信息中选择与该报文发送的下一跳地址对 应的认证信息填充该报文的报文内容认证信息;  When the packet is sent, the authentication information corresponding to the next hop address sent by the packet is selected in the set of authentication information to fill the packet content authentication information of the packet.
在接收报文时, 在所述一组认证信息中选择与该报文的发送地址对应的认 证信息对该报文进行报文认证。  When the packet is received, the authentication information corresponding to the sending address of the packet is selected from the set of authentication information to perform packet authentication on the packet.
2. 根据权利要求 1所述的方法, 其中, 所述节点接口的每一个下一跳地址包括: 与所述节点接口直连的下一跳的地址、与所述节点接口非直连的下一跳的地址。 2. The method according to claim 1, wherein each next hop address of the node interface comprises: an address of a next hop directly connected to the node interface, and a non-direct connection with the node interface One hop address.
3. 根据权利要求 2所述的方法, 其中, 直连的下一跳或非直连的下一跳的两个节 点端口为对端设置的认证信息是相同的。 The method according to claim 2, wherein the two node ports of the directly connected next hop or the indirectly connected next hop are the same for the authentication information set by the peer end.
4. 根据权利要求 1至 3任一项所述的方法, 其中, 在接收报文时通过下一跳地址 RSVP_H0P对象获取该报文的发送接口地址。 The method according to any one of claims 1 to 3, wherein the sending interface address of the message is obtained by the next hop address RSVP_H0P object when receiving the message.
5. 根据权利要求 1至 3任一项所述的方法,其中,所述认证信息包括:散列 HASH 算法、 密钥、 挑战 challenge协商。 The method according to any one of claims 1 to 3, wherein the authentication information comprises: a hash HASH algorithm, a key, and a challenge challenge negotiation.
6. 一种资源预留协议 RSVP认证装置, 包括: 6. A resource reservation protocol RSVP authentication device, including:
认证设置模块, 设置为对应于节点接口的每一个下一跳地址, 为所述节点 接口设置一组认证信息, 其中, 所述一组认证信息中的认证信息与所述节点接 口的所有下一跳地址是一一对应的;  An authentication setting module, configured to correspond to each next hop address of the node interface, and set a set of authentication information for the node interface, where the authentication information in the set of authentication information and all the next interfaces of the node interface The hop addresses are one-to-one correspondence;
报文发送模块, 设置为在发送报文时, 在所述一组认证信息中选择与该报 文发送的下一跳地址对应的认证信息填充该报文的报文内容认证信息;  a packet sending module, configured to: when the packet is sent, select, in the set of authentication information, the authentication information corresponding to the next hop address sent by the packet to fill the packet content authentication information of the packet;
报文接收模块, 设置为在接收报文时, 在所述一组认证信息中选择与该报 文的发送地址对应的认证信息对该报文进行报文认证。  The message receiving module is configured to: when receiving the message, select the authentication information corresponding to the sending address of the message in the set of authentication information to perform packet authentication on the packet.
7. 根据权利要求 6所述的装置, 其中, 所述节点接口的每一个下一跳地址包括: 与所述节点接口直连的下一跳的地址、与所述节点接口非直连的下一跳的地址。 根据权利要求 7所述的装置, 其中, 直连的下一跳或非直连的下一跳的两个节 点端口对应的认证设置模块为对端设置的认证信息是相同的。 根据权利要求 6至 8任一项所述的装置, 其中, 所述报文接收模块, 设置为在 接收报文时通过下一跳地址 RSVP_HOP对象获取该报文的发送接口地址。 根据权利要求 6至 8任一项所述的装置,其中,所述认证信息包括:散列 HASH 算法、 密钥、 挑战 challenge协商。 The device according to claim 6, wherein each next hop address of the node interface comprises: an address of a next hop directly connected to the node interface, and an interface directly connected to the node interface One hop address. The device according to claim 7, wherein the authentication setting module corresponding to the two node ports of the directly connected next hop or the indirectly connected next hop is the same for the authentication information set by the peer. The device according to any one of claims 6 to 8, wherein the message receiving module is configured to obtain a sending interface address of the message by using a next hop address RSVP_HOP object when receiving the message. The apparatus according to any one of claims 6 to 8, wherein the authentication information comprises: a hash HASH algorithm, a key, a challenge challenge negotiation.
PCT/CN2012/072717 2011-06-21 2012-03-21 Rsvp authentication method and device WO2012174901A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110167285.4 2011-06-21
CN2011101672854A CN102223372A (en) 2011-06-21 2011-06-21 Resource reservation protocol (RSVP) authentication method and RSVP authentication device

Publications (1)

Publication Number Publication Date
WO2012174901A1 true WO2012174901A1 (en) 2012-12-27

Family

ID=44779801

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/072717 WO2012174901A1 (en) 2011-06-21 2012-03-21 Rsvp authentication method and device

Country Status (2)

Country Link
CN (1) CN102223372A (en)
WO (1) WO2012174901A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102223372A (en) * 2011-06-21 2011-10-19 中兴通讯股份有限公司 Resource reservation protocol (RSVP) authentication method and RSVP authentication device
CN103023821B (en) * 2012-12-04 2016-06-08 杭州华三通信技术有限公司 The maintaining method of authentication relationship and equipment in a kind of RSVP
CN109257110A (en) * 2018-08-27 2019-01-22 国网山西省电力公司阳泉供电公司 Optical-fiber network lightweight security signaling exchange method towards wide area energy internet

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1841999A (en) * 2005-03-30 2006-10-04 华为技术有限公司 Realization method for information interaction between entitys in separate loaded control layer network
CN101635648A (en) * 2009-08-05 2010-01-27 中兴通讯股份有限公司 Method for managing and rapidly switching virtual redundant route protocol group
CN101640888A (en) * 2009-09-07 2010-02-03 华为技术有限公司 Authentication method of fast reroute resource reservation, device and system thereof
CN101820425A (en) * 2010-04-16 2010-09-01 杭州华三通信技术有限公司 RSVP (Respondez Sil Vous Plait) authentication method and system
CN102223372A (en) * 2011-06-21 2011-10-19 中兴通讯股份有限公司 Resource reservation protocol (RSVP) authentication method and RSVP authentication device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101369958A (en) * 2007-08-15 2009-02-18 华为技术有限公司 Fast rerouting method and label exchange router

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1841999A (en) * 2005-03-30 2006-10-04 华为技术有限公司 Realization method for information interaction between entitys in separate loaded control layer network
CN101635648A (en) * 2009-08-05 2010-01-27 中兴通讯股份有限公司 Method for managing and rapidly switching virtual redundant route protocol group
CN101640888A (en) * 2009-09-07 2010-02-03 华为技术有限公司 Authentication method of fast reroute resource reservation, device and system thereof
CN101820425A (en) * 2010-04-16 2010-09-01 杭州华三通信技术有限公司 RSVP (Respondez Sil Vous Plait) authentication method and system
CN102223372A (en) * 2011-06-21 2011-10-19 中兴通讯股份有限公司 Resource reservation protocol (RSVP) authentication method and RSVP authentication device

Also Published As

Publication number Publication date
CN102223372A (en) 2011-10-19

Similar Documents

Publication Publication Date Title
US10616379B2 (en) Seamless mobility and session continuity with TCP mobility option
US8281383B2 (en) Secured IPv6 traffic preemption
ES2746044T3 (en) Cross stratum optimization protocol
CN106209897B (en) Agent-based secure communication method for distributed multi-granularity controller of software defined network
EP2329621B1 (en) Key distribution to a set of routers
US20050021946A1 (en) System and method for nodes communicating in a shared network segment
US20130205025A1 (en) Optimized Virtual Private Network Routing Through Multiple Gateways
EP1133132A1 (en) Method to perfom end-to-end authentication, and related customer premises network termination and access network server
WO2013182059A1 (en) Method and device for establishing multi-protocol label switching traffic engineering tunnel
TW201134151A (en) RSVP-TE graceful restart under fast re-route conditions
US9288686B2 (en) Topology discovery based on SCTP/X2 snooping
CN101515859B (en) Method for multicast transport in Internet protocol secure tunnel and device
CN101572644B (en) Data encapsulation method and equipment thereof
Pana et al. A Survey on the Evolution of RSVP
US20210288803A1 (en) Secured protection of advertisement parameters in a zero trust low power and lossy network
WO2010054542A1 (en) Cga public key identification, cga public key determination method, system and device
CN114095423B (en) MPLS-based power communication backbone network data security protection method and system
WO2012174901A1 (en) Rsvp authentication method and device
Liyanage et al. Secure hierarchical virtual private LAN services for provider provisioned networks
Wyss et al. Secure and scalable QoS for critical applications
WO2012040971A1 (en) Key management method and system for routing protocol
EP3713185B1 (en) Authentication method, device, and system
Goodrich Efficient and secure network routing algorithms
CN111866865B (en) Data transmission method, 5G private network establishment method and system
Hohendorf et al. Secure End-to-End Transport Over SCTP.

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12802068

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12802068

Country of ref document: EP

Kind code of ref document: A1