WO2019037685A1 - QUIC service control method and network device - Google Patents

QUIC service control method and network device

Info

Publication number
WO2019037685A1
Authority
WO
WIPO (PCT)
Prior art keywords
interaction
network device
intermediate entity
frame
quic
Application number
PCT/CN2018/101332
Other languages
English (en)
French (fr)
Inventor
韦安妮
熊春山
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Definitions

  • the embodiments of the present invention relate to the field of communications, and in particular, to a Quick UDP Internet Connection (QUIC) service control method and a network device, where UDP is the User Datagram Protocol.
  • UDP User Datagram Protocol
  • QUIC Quick UDP Internet Connection
  • the QUIC protocol is a transport protocol based on UDP that enables multiplexing and security protection.
  • the QUIC protocol not only combines the advantages of HyperText Transfer Protocol (HTTP) 2.0, Transport Layer Security (TLS), and Transmission Control Protocol (TCP), but also reduces access delay, offers more convenient congestion control, a better error-correction mechanism, and so on.
  • Figure 1 is a comparison diagram of protocol stacks of QUIC protocol, HTTP2.0 protocol, and speedy (SPDY) protocol.
  • SPDY is defined on top of TLS.
  • the top-down protocol levels are: HTTP, SPDY, TLS, TCP, and Internet Protocol (IP).
  • IP Internet Protocol
  • the common HTTP/2.0 protocol layers are: HTTP, Secure Socket Layer (SSL)/TLS, TCP, IP, where the TLS protocol layer is optional and HTTP can run directly over TCP.
  • SSL Secure Socket Layer
  • TCP Transmission Control Protocol
  • the lower layer of QUIC is UDP, and the upper layer can be SPDY and HTTP, or it can be other application layer protocols.
  • Figure 2 is a schematic diagram of the QUIC header format, and the QUIC header is also called the QUIC common header.
  • the format of the common header includes: Public Flags, Connection ID, QUIC Version, Packet Number, Private Flag, and Forward Error Correction (FEC).
  • FIG. 3 is a schematic diagram of QUIC header integrity protection and encryption. Referring to FIG. 3, the QUIC header is fully integrity protected, and the private flag and the payload portion are encrypted.
  • the network needs to identify QUIC traffic, or a particular Service Node Interface (SNI), and limit its flow to ensure that communication of other services is not affected.
  • SNI Service Node Interface
  • for TCP services, the packet rate is controlled by deploying a TCP proxy to control the server. Because of its encryption and integrity protection, QUIC cannot be subjected to service control through a proxy, so transmission optimization cannot be performed.
  • the embodiment of the invention provides a QUIC service control method and a network device, which can perform service control through an intermediate entity, thereby performing transmission optimization.
  • an embodiment of the present invention provides a QUIC service control method.
  • the interaction frame carries the interaction information of the first network device to the intermediate entity; the interaction information is used to instruct the intermediate entity to perform QUIC service control according to it, where the QUIC service is a service between the first network device and the second network device that passes through the intermediate entity.
  • the service path between the first network device and the second network device passes through an intermediate entity, which may be a data forwarding device, for example, a base station or a gateway.
  • the first network device receives the public key of the intermediate entity from the intermediate entity and sends an interaction frame encrypted with that public key to the intermediate entity; the interaction frame carries the interaction information of the first network device to the intermediate entity, so that the intermediate entity can parse the interaction frame with its private key and, according to the interaction information, perform service control on the QUIC service between the first network device and the second network device that passes through the intermediate entity.
  • the first network device receives a public key of the intermediate entity from the intermediate entity during a QUIC connection establishment phase between the first network device and the second network device.
  • because the first network device receives the public key of the intermediate entity from the intermediate entity at connection establishment, QUIC communication between the first network device and the intermediate entity can be realized from the start, so that QUIC service control can be performed throughout the entire QUIC service process.
  • the interaction frame belongs to an interaction stream, and the interaction frame has a preset frame type, and the interaction stream has a preset flow identifier.
  • a method for identifying an interaction frame is provided: the interaction frame is identified by combining the stream identifier and the frame type, so that the interaction information carried in the interaction frame can be obtained. This identification method reuses the existing QUIC frame structure and is simple and fast.
  • the interaction frame belongs to an interaction stream, and the first two bits of the QUIC header of the interaction frame are used to identify the interaction frame, and the interaction stream has a preset flow identifier.
  • another way of identifying an interaction frame is provided: the interaction frame is identified by combining the stream identifier with the first two bits of the QUIC header, so that the interaction information carried in the interaction frame can be obtained. This identification method uses the first two bits of the QUIC header, which are usually unused, and is simple and fast.
  • the interaction frame includes a type of a frame, a flow identifier, an origin and a means of the interaction information, and content of the interaction information.
  • a frame format of the interaction frame is provided.
  • the type of the frame and the stream identifier can be used for the intermediate entity to identify the interaction frame.
  • the origin and the means of the interaction information and the content of the interaction information can be used by the intermediate entity to perform QUIC service control.
  • after the first network device sends the interaction frame encrypted with the public key of the intermediate entity to the intermediate entity, the first network device receives a window update frame from the second network device.
  • the intermediate entity may further send the updated interaction frame to the second network device, so that the second network device may perform transmission control according to the interaction information carried in the interaction frame.
  • in a QUIC service control method, the intermediate entity sends its public key to the first network device; the intermediate entity receives, from the first network device, an interaction frame encrypted with the public key of the intermediate entity, the interaction frame carrying the interaction information of the first network device to the intermediate entity; and the intermediate entity performs QUIC service control according to the interaction information, where the QUIC service is a service between the first network device and the second network device that passes through the intermediate entity.
  • the intermediate entity sends its public key to the first network device and receives the interaction frame that the first network device encrypted with that public key, so that the intermediate entity can parse the interaction frame with its private key and perform QUIC service control according to the interaction information.
  • the intermediate entity performs network transmission adjustment on the QUIC service according to the interaction information and temporarily retains the interaction frame; when the intermediate entity needs to send a QUIC service control message to the second network device, it modifies the interaction frame, encrypts it with the private key of the intermediate entity, and sends the encrypted interaction frame to the second network device.
  • the intermediate entity not only performs network transmission adjustment on the QUIC service according to the interaction information, but also temporarily retains the interaction frame, so that when the intermediate entity needs to send an interaction message to the second network device, the interaction message can be carried in the interaction frame sent to the second network device, and the second network device can then perform QUIC service control according to the interaction information.
  • the intermediate entity sends the public key of the intermediate entity to the first network device during a QUIC connection establishment phase between the first network device and the second network device.
  • because the intermediate entity sends its public key to the first network device during the QUIC connection establishment phase between the first network device and the second network device, QUIC communication between the first network device and the intermediate entity can be realized from the start, so that QUIC service control can be performed throughout the entire QUIC service process.
  • during a QUIC connection establishment phase between the first network device and the second network device, the intermediate entity sends the public key of the intermediate entity to the second network device.
  • because the intermediate entity sends its public key to the second network device during the QUIC connection establishment phase, communication between the second network device and the intermediate entity can be realized at the initial stage of connection establishment, so that QUIC service control can be performed throughout the entire QUIC service process.
  • the intermediate entity receives an interaction stream from the first network device, where the interaction stream has a preset stream identifier; the intermediate entity uses its private key to parse the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and has a preset frame type.
  • a method for identifying an interaction frame is provided: the interaction frame is identified by combining the stream identifier and the frame type, so that the interaction information carried in the interaction frame can be obtained. This identification method reuses the existing QUIC frame structure and is simple and fast.
  • the intermediate entity receives an interaction stream from the first network device, where the interaction stream has a preset stream identifier; the intermediate entity uses its private key to parse the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and the first two bits of the QUIC header of the interaction frame are used to identify the interaction frame.
  • another way of identifying an interaction frame is provided: the interaction frame is identified by combining the stream identifier with the first two bits of the QUIC header, so that the interaction information carried in the interaction frame can be obtained. This identification method uses the first two bits of the QUIC header, which are usually unused, and is simple and fast.
  • the interaction frame includes a type of a frame, a flow identifier, an origin and a means of the interaction information, and content of the interaction information.
  • a frame format of the interaction frame is provided.
  • the intermediate entity can identify the interaction frame according to the type of the frame and the flow identifier.
  • the intermediate entity can perform QUIC service control according to the origin and means of the interaction information and the content of the interaction information.
  • in a QUIC service control method, the second network device receives the public key of the intermediate entity from the intermediate entity; the second network device receives, from the intermediate entity, an interaction frame encrypted with the private key of the intermediate entity, the interaction frame carrying the interaction information of the intermediate entity to the second network device; and the second network device performs QUIC service control according to the interaction information, where the QUIC service is a service between the second network device and the first network device that passes through the intermediate entity.
  • since the second network device has received the public key of the intermediate entity from the intermediate entity, when it receives an interaction frame encrypted with the private key of the intermediate entity, the second network device can parse the interaction frame using the public key of the intermediate entity and perform QUIC service control according to the interaction information carried in the interaction frame.
  • when the interaction information indicates downlink congestion, the second network device lowers its transmission rate according to the interaction information; or, when the interaction information indicates uplink congestion, the second network device sends a window update frame to the first network device according to the interaction information.
  • when the interaction information indicates downlink congestion, the second network device may lower its own transmission rate according to the interaction information; or, when the interaction information indicates uplink congestion, the second network device may send a window update frame to the first network device according to the interaction information, instructing the first network device to lower its transmission rate, so as to implement QUIC service control according to the interaction information.
  • the second network device receives the public key of the intermediate entity from the intermediate entity during a QUIC connection establishment phase between the second network device and the first network device .
  • the second network device receives the public key of the intermediate entity from the intermediate entity, facilitating QUIC
  • the communication between the second network device and the intermediate entity can be realized at the initial stage of connection establishment, thereby performing QUIC service control in the entire QUIC service process.
  • the interaction frame belongs to an interaction stream, and the interaction frame has a preset frame type, and the interaction stream has a preset flow identifier.
  • the interaction frame belongs to an interaction stream, and the first two bits of the QUIC header of the interaction frame are used to identify the interaction frame, and the interaction stream has a preset flow identifier.
  • a method for identifying an interaction frame is provided: the interaction frame is identified by combining the stream identifier and the frame type, so that the interaction information carried in the interaction frame can be obtained. This identification method reuses the existing QUIC frame structure and is simple and fast.
  • the interaction frame includes a type of a frame, a flow identifier, an origin and a means of the interaction information, and content of the interaction information.
  • a frame format of the interaction frame is provided.
  • the type of the frame and the flow identifier can be used by the second network device to identify the interaction frame.
  • the origin and the means of the interaction information and the content of the interaction information can be used by the second network device to perform QUIC service control.
  • the embodiment of the present invention provides a network device, where the network device is used as the first network device and implements the functions performed by the first network device in the foregoing method example of the first aspect; the functions may be implemented by hardware, or by hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the first network device includes a processor and a communication interface configured to support the first network device to perform a corresponding function in the above method.
  • the communication interface is for supporting communication between the first network device and an intermediate entity or other network element.
  • the first network device can also include a memory for coupling with the processor that retains the program instructions and data necessary for the first network device.
  • the first network device includes: a memory, a processor, and a communication interface; the memory is configured to store program instructions; and the processor is configured to perform, according to the program instructions stored in the memory, the following operations: receiving, through the communication interface, a public key of the intermediate entity from an intermediate entity; and sending, through the communication interface, an interaction frame encrypted with the public key of the intermediate entity to the intermediate entity, where the interaction frame carries the interaction information of the first network device to the intermediate entity, and the interaction information is used to instruct the intermediate entity to perform QUIC service control according to the interaction information, where the QUIC service is a service between the first network device and the second network device that passes through the intermediate entity.
  • the operation of receiving, through the communication interface, a public key of the intermediate entity from an intermediate entity includes: receiving the public key of the intermediate entity from the intermediate entity during a QUIC connection establishment phase between the first network device and the second network device.
  • the interaction frame belongs to an interaction stream, and the interaction frame has a preset frame type, and the interaction stream has a preset flow identifier.
  • the interaction frame belongs to an interaction stream, and the first two bits of the QUIC header of the interaction frame are used to identify the interaction frame, and the interaction stream has a preset flow identifier.
  • the interaction frame includes a type of a frame, a stream identifier, an origin and means of the interaction information, and content of the interaction information.
  • after the processor sends the interaction frame encrypted with the public key of the intermediate entity to the intermediate entity through the communication interface, the processor is further configured to perform, according to the program instructions stored in the memory, the operation of receiving a window update frame from the second network device through the communication interface.
  • an embodiment of the present invention provides an intermediate entity, where the intermediate entity can implement the functions performed by the intermediate entity in the foregoing method example of the second aspect, where the function can be implemented by hardware, or the corresponding software can be executed by hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the intermediate entity includes a processor and a communication interface configured to support the intermediate entity to perform the corresponding functions of the above methods.
  • the communication interface is for supporting communication between the intermediate entity and the first network device or the second network device or other network element.
  • the intermediate entity can also include a memory for coupling with the processor that holds the necessary program instructions and data for the intermediate entity.
  • the intermediate entity includes: a memory, a processor, and a communication interface; the memory is configured to store program instructions; and the processor is configured to perform, according to the program instructions stored in the memory, the following operations: sending, through the communication interface, a public key of the intermediate entity to a first network device; receiving, through the communication interface, an interaction frame encrypted with the public key of the intermediate entity from the first network device, where the interaction frame carries the interaction information of the first network device to the intermediate entity; and performing QUIC service control according to the interaction information, where the QUIC service is a service between the first network device and the second network device that passes through the intermediate entity.
  • the operation of performing QUIC service control according to the interaction information includes: performing network transmission adjustment on the QUIC service according to the interaction information and retaining the interaction frame; and, when the intermediate entity needs to send a QUIC service control message to the second network device, modifying the interaction frame, encrypting it with the private key of the intermediate entity, and sending the encrypted interaction frame to the second network device through the communication interface.
  • the operation of sending the public key of the intermediate entity to the first network device through the communication interface includes: sending the public key of the intermediate entity to the first network device through the communication interface during a QUIC connection establishment phase between the first network device and the second network device.
  • the operation of receiving, through the communication interface, an interaction frame encrypted with the public key of the intermediate entity from the first network device includes: receiving an interaction stream from the first network device, where the interaction stream has a preset stream identifier, and parsing, with the private key of the intermediate entity, an interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and has a preset frame type.
  • the operation of receiving, through the communication interface, an interaction frame encrypted with the public key of the intermediate entity from the first network device includes: receiving an interaction stream from the first network device, where the interaction stream has a preset stream identifier, and parsing, with the private key of the intermediate entity, an interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and the first two bits of the QUIC header of the interaction frame are used to identify the interaction frame.
  • the interaction frame includes a type of a frame, a stream identifier, an origin and means of the interaction information, and content of the interaction information.
  • the embodiment of the present invention provides a network device, where the network device is used as the second network device and implements the functions performed by the second network device in the foregoing method example of the third aspect; the functions may be implemented by hardware, or by hardware executing the corresponding software.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • the structure of the second network device includes a processor and a communication interface, and the processor is configured to support the second network device to perform a corresponding function in the foregoing method.
  • the communication interface is configured to support communication between the second network device and an intermediate entity or other network element.
  • the second network device can also include a memory for coupling with the processor that retains the necessary program instructions and data for the second network device.
  • the second network device includes: a memory, a processor, and a communication interface; the memory is configured to store program instructions; and the processor is configured to perform, according to the program instructions stored in the memory, the following operations: receiving, through the communication interface, a public key of the intermediate entity from an intermediate entity; receiving, through the communication interface, an interaction frame encrypted with the private key of the intermediate entity, where the interaction frame carries the interaction information of the intermediate entity to the second network device; and performing QUIC service control according to the interaction information, where the QUIC service is a service between the second network device and the first network device that passes through the intermediate entity.
  • the operation of performing QUIC service control according to the interaction information includes: when the interaction information indicates downlink congestion, lowering the transmission rate according to the interaction information; or, when the interaction information indicates uplink congestion, sending a window update frame to the first network device through the communication interface according to the interaction information.
  • the operation of receiving, through the communication interface, a public key of the intermediate entity from an intermediate entity includes: receiving the public key of the intermediate entity from the intermediate entity during a QUIC connection establishment phase between the second network device and the first network device.
  • the interaction frame belongs to an interaction stream, and the interaction frame has a preset frame type, and the interaction stream has a preset flow identifier.
  • the interaction frame belongs to an interaction stream, and the first two bits of the QUIC header of the interaction frame are used to identify the interaction frame, and the interaction stream has a preset flow identifier.
  • the interaction frame includes a type of a frame, a stream identifier, an origin and means of the interaction information, and content of the interaction information.
  • an embodiment of the present invention provides a communication system, where the system includes the first network device, the second network device, and an intermediate entity.
  • an embodiment of the present invention provides a computer storage medium for storing computer software instructions for use in the first network device, including a program designed to execute the first aspect.
  • an embodiment of the present invention provides a computer storage medium for storing computer software instructions for use as the intermediate entity, including a program designed to execute the second aspect.
  • an embodiment of the present invention provides a computer storage medium for storing computer software instructions for use in the second network device, including a program designed to execute the third aspect.
  • an embodiment of the present invention provides a computer program product, comprising instructions that, when executed by a computer, cause the computer to perform the functions performed by the first network device in the method design of the first aspect above.
  • an embodiment of the present invention provides a computer program product, comprising instructions that, when executed by a computer, cause the computer to perform the functions performed by the intermediate entity in the method design of the second aspect above.
  • an embodiment of the present invention provides a computer program product, comprising instructions that, when executed by a computer, cause the computer to perform the functions performed by the second network device in the method design of the third aspect above.
  • an embodiment of the present invention provides a computer program product, comprising instructions that, when executed by a computer, cause the computer to perform the method described in the first aspect or in any possible design of the first aspect.
  • an embodiment of the present invention provides a computer program product, comprising instructions that, when executed by a computer, cause the computer to perform the method described in the second aspect or in any possible design of the second aspect.
  • an embodiment of the present invention provides a computer program product, comprising instructions that, when executed by a computer, cause the computer to perform the method described in the third aspect or in any possible design of the third aspect.
  • FIG. 1 is a comparison diagram of the protocol stacks of the QUIC protocol, the HTTP 2.0 protocol, and the SPDY protocol;
  • FIG. 2 is a schematic diagram of the QUIC common header format;
  • FIG. 3 is a schematic diagram of QUIC header integrity protection and encryption;
  • FIG. 4 is a schematic diagram of an application scenario of a QUIC service control method according to an embodiment of the present invention;
  • FIG. 5 is a schematic communication diagram of a QUIC service control method according to an embodiment of the present invention;
  • FIG. 6 is a schematic structural diagram of a frame according to an embodiment of the present disclosure;
  • FIG. 7 is a schematic diagram of a QUIC common header format carrying interaction frame indication information according to an embodiment of the present disclosure;
  • FIG. 8 is a schematic diagram of another QUIC service control method according to an embodiment of the present invention;
  • FIG. 9 is a schematic communication diagram of a QUIC interaction frame extension negotiation method according to an embodiment of the present invention;
  • FIG. 10 is a schematic structural diagram of a first network device according to an embodiment of the present disclosure;
  • FIG. 11 is a schematic structural diagram of another first network device according to an embodiment of the present disclosure;
  • FIG. 12 is a schematic structural diagram of an intermediate entity according to an embodiment of the present disclosure;
  • FIG. 13 is a schematic structural diagram of another intermediate entity according to an embodiment of the present disclosure;
  • FIG. 14 is a schematic structural diagram of a second network device according to an embodiment of the present disclosure;
  • FIG. 15 is a schematic structural diagram of another second network device according to an embodiment of the present invention.
  • a dedicated stream is added to the QUIC service to carry the interaction between the application (Application, APP) and the network, so as to achieve transmission optimization.
  • the newly added stream is encrypted with the public key of the intermediate entity (carrier); the APP pre-configures the public key information of the intermediate entity.
  • FIG. 4 is a schematic diagram of an application scenario based on a QUIC service control method according to an embodiment of the present disclosure.
  • the application scenario mainly involves a client 401, an intermediate entity 402, and a server 403.
  • the client can also be called a QUIC client, such as a browser, and can be located on a network device.
  • the network device where the client is located is referred to as a first network device;
  • the intermediate entity is a legitimate intermediate entity, such as a carrier device.
  • the server is a QUIC server, such as a web server.
  • a network device that is a server is referred to as a second network device.
  • the service path of the first network device and the second network device passes through an intermediate entity, and the intermediate entity may be a data forwarding device, for example, a base station, a gateway, or the like.
  • FIG. 5 is a schematic diagram of communication of a QUIC service control method according to an embodiment of the present invention. The method can be based on the application scenario shown in FIG. 4. The method includes:
  • Step 501 The intermediate entity sends the public key of the intermediate entity to the first network device.
  • the intermediate entity adds the public key of the intermediate entity in a message in which the first network device negotiates an interactive frame extension feature with the second network device.
  • the first network device receives the public key of the intermediate entity from the intermediate entity.
  • the first network device negotiates an interaction frame extension characteristic with the second network device and acquires a public key of the intermediate entity.
  • Step 502 The first network device sends, to the intermediate entity, an interaction frame encrypted by a public key of the intermediate entity.
  • the interaction frame is used to carry the interaction information of the first network device to the intermediate entity, and the interaction information is used to indicate that the intermediate entity performs QUIC service control according to the interaction information, where the QUIC service is the service between the first network device and the second network device that passes through the intermediate entity.
  • the interaction frame may be used to carry the interaction information of the first network device to the intermediate entity.
  • the interaction frame sent by the first network device may carry the interaction information, or may not carry the interaction information.
  • the interaction frame has a specific frame structure; for example, the interaction frame includes a frame type, a stream ID, an interaction index (Interaction Index) giving the origin and means of the interaction information, and the content of the interaction information (Interaction Content).
  • the origin and means of the interaction information are, for example, server to network, network to client, or network to server; the content of the interaction information is, for example, from the network to the server, the network state and the interaction frame sending frequency, or, from the server to the network, a bitrate request, application information (application info), and the like.
  • the interaction frame may be identified by the frame type, and/or the interaction frame may be identified by the first two bits of the QUIC common header.
  • FIG. 7 is a schematic diagram of a QUIC common header format with interaction frame indication information, where the first two bits of the public flags field are not currently used.
  • these two bits are used as the interaction frame indication information.
  • the interaction frame belongs to an interaction stream, the interaction frame has a specific frame type, and the interaction stream has a specific stream identifier.
  • the interaction frame belongs to an interaction stream, the first two bits of the QUIC common header of the interaction frame are used to identify the interaction frame, and the interaction stream has a specific stream identifier.
  • the intermediate entity receives an interaction frame sent by the first network device to the second network device and encrypted by a public key of the intermediate entity.
  • the intermediate entity receives an interaction stream from the first network device, the interaction stream having a specific stream identifier; the intermediate entity uses the private key of the intermediate entity to parse the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and has a specific frame type.
  • the intermediate entity receives an interaction stream from the first network device, the interaction stream having a specific stream identifier; the intermediate entity uses the private key of the intermediate entity to parse the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and the first two bits of the QUIC common header of the interaction frame are used to identify the interaction frame.
  • Step 503 The intermediate entity performs QUIC service control according to the interaction information.
  • step 503 further includes:
  • Step 5031 The intermediate entity performs network transmission adjustment on the QUIC service according to the interaction information, and temporarily retains the interaction frame.
  • the adjusting, by the intermediate entity, the network transmission adjustment of the QUIC service according to the interaction information comprises: increasing or decreasing the transmission rate of the QUIC service flow, for example, adjusting the transmission window and/or adjusting the transmission rate.
  • Step 5032 When the intermediate entity needs to send a QUIC service control message to the second network device, it modifies the interaction frame, encrypts it with the private key of the intermediate entity, and sends the encrypted interaction frame to the second network device.
  • the intermediate entity may add the interaction information to the interaction frame retained in step 503 to enable communication with the second network device.
  • the method further includes:
  • Step 504 The intermediate entity sends the public key of the intermediate entity to the second network device.
  • the embodiment of the present invention does not limit the execution sequence of the step 504 and the step 501.
  • step 501 may be performed before step 504, or step 504 may be performed first, or step 501 and step 504 may be performed at the same time.
  • the intermediate entity adds the public key of the intermediate entity in a message in which the first network device negotiates an interactive frame extension feature with the second network device.
  • the second network device receives the public key of the intermediate entity from the intermediate entity.
  • the second network device negotiates an interaction frame extension characteristic with the first network device and acquires a public key of the intermediate entity.
  • Step 505 The second network device receives, from the intermediate entity, an interaction frame that is encrypted by using the private key of the intermediate entity, where the interaction frame carries the interaction information of the intermediate entity to the second network device.
  • Step 506 The second network device performs QUIC service control according to the interaction information, where the QUIC service is a service between the second network device and the first network device that passes through the intermediate entity.
  • step 506 further includes:
  • Step 5061 If the interaction information indicates downlink congestion, the second network device lowers the transmission rate according to the interaction information.
  • Step 5062 If the interaction information indicates uplink congestion, the second network device sends a window update frame to the first network device according to the interaction information.
  • the first network device receives a window update frame from the second network device, and adjusts a value of an uplink transmission window according to the window update frame, thereby alleviating the problem of uplink congestion.
  • the first network device can obtain the public key of the intermediate entity, and the first network device sends the interaction frame encrypted by the public key of the intermediate entity to the second network device, so that the intermediate entity may use its private key to parse the interaction frame and obtain the interaction information in the interaction frame. Accordingly, the intermediate entity may perform QUIC service control according to the interaction information in the interaction frame.
  • the second network device is also capable of obtaining the public key of the intermediate entity; the second network device receives, from the intermediate entity, an interaction frame encrypted with the private key of the intermediate entity, and uses the public key of the intermediate entity to parse the interaction frame and obtain the interaction information in it. Correspondingly, the second network device performs QUIC service control according to the interaction information.
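The exchange of FIG. 5 together with the interaction frame layout and the FIG. 7 header indication bits described above, as an added example in Go; this is not the patent's own code. It assumes a concrete byte layout, hypothetical frame-type and index values, RSA-OAEP for the client-to-intermediate direction (step 502), and an RSA-PSS signature for the intermediate's "encryption with its private key" toward the server (steps 5032 and 505); the page fixes none of these.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumed wire layout (the page names the fields, not their sizes): type(1) | stream ID(4) | index(1) | length(2) | content.
const (
	InteractionFrameType byte = 0xF0 // hypothetical frame type value
	IdxClientToNetwork   byte = 0x01 // hypothetical encodings of the "origin and means" (Interaction Index) field
	IdxNetworkToServer   byte = 0x03
	flagMask             byte = 0xC0 // the two leading, otherwise unused public-flag bits of FIG. 7
)

type InteractionFrame struct {
	StreamID uint32
	Index    byte
	Content  []byte
}

func (f InteractionFrame) Marshal() []byte {
	out := []byte{InteractionFrameType, 0, 0, 0, 0, f.Index, 0, 0}
	binary.BigEndian.PutUint32(out[1:5], f.StreamID)
	binary.BigEndian.PutUint16(out[6:8], uint16(len(f.Content)))
	return append(out, f.Content...)
}

// Unmarshal accepts exactly one well-formed frame; truncated or padded input is never trusted.
func Unmarshal(b []byte) (InteractionFrame, error) {
	if len(b) < 8 || b[0] != InteractionFrameType || len(b) != 8+int(binary.BigEndian.Uint16(b[6:8])) {
		return InteractionFrame{}, fmt.Errorf("not a well-formed interaction frame (%d bytes)", len(b))
	}
	return InteractionFrame{binary.BigEndian.Uint32(b[1:5]), b[5], append([]byte(nil), b[8:]...)}, nil
}

// IsInteraction tests the header indication bits that the page reserves in the public flags (FIG. 7).
func IsInteraction(publicFlags byte) bool { return publicFlags&flagMask == flagMask }
// Step 502: the APP side seals the frame so that only the intermediate entity can read it (RSA-OAEP).
func SealForIntermediate(pub *rsa.PublicKey, f InteractionFrame) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, f.Marshal(), nil)
}

type Intermediate struct {
	Key    *rsa.PrivateKey
	Parked *InteractionFrame // the frame temporarily retained in step 5031
	Rate   uint32            // kbit/s granted to the QUIC flow (constructed unit)
}

// Step 5031: decrypt, honour a client-to-network bitrate request, then park the frame.
func (m *Intermediate) Receive(sealed []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, m.Key, sealed, nil)
	if err != nil {
		return err
	}
	f, err := Unmarshal(plain)
	if err != nil {
		return err
	}
	if f.Index == IdxClientToNetwork && len(f.Content) == 4 { // constructed: 4-byte big-endian bitrate request
		m.Rate = binary.BigEndian.Uint32(f.Content)
	}
	m.Parked = &f
	return nil
}

// Step 5032: reuse the parked frame with new index and content, then "encrypt with the private key".
// A private-key operation gives authenticity, not secrecy, so it is realised as an RSA-PSS signature.
func (m *Intermediate) Forward(idx byte, content []byte) (frame, sig []byte, err error) {
	if m.Parked == nil {
		return nil, nil, fmt.Errorf("no parked interaction frame to reuse")
	}
	frame = InteractionFrame{StreamID: m.Parked.StreamID, Index: idx, Content: content}.Marshal()
	digest := sha256.Sum256(frame)
	sig, err = rsa.SignPSS(rand.Reader, m.Key, crypto.SHA256, digest[:], nil)
	return frame, sig, err
}

// Step 505: the peer verifies with the public key obtained in step 504 before parsing or acting.
func OpenFromIntermediate(pub *rsa.PublicKey, frame, sig []byte) (InteractionFrame, error) {
	digest := sha256.Sum256(frame)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return InteractionFrame{}, err
	}
	return Unmarshal(frame)
}
func main() { // constructed walk-through; the fresh key stands in for the one distributed in steps 501/504
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	m := &Intermediate{Key: key, Rate: 5000}
	sealed, _ := SealForIntermediate(&key.PublicKey, InteractionFrame{StreamID: 7, Index: IdxClientToNetwork, Content: []byte{0, 0, 5, 220}})
	_ = m.Receive(sealed)
	frame, sig, _ := m.Forward(IdxNetworkToServer, []byte("downlink congestion"))
	got, err := OpenFromIntermediate(&key.PublicKey, frame, sig)
	fmt.Println(m.Rate, got, err)
}
```

Because the server-bound frame is only signed, any party holding the intermediate's public key can read it; the scheme therefore gives the peer authenticity of the intermediate's instruction, not confidentiality.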
  • FIG. 8 is a schematic diagram of another QUIC service control method according to an embodiment of the present invention.
  • the method may be based on the application scenario shown in FIG. 4.
  • in the first phase, the client is the APP originator;
  • in the second phase, the server is the APP originator.
  • the method includes:
  • Step 801 In the QUIC connection creation phase, the client performs an interaction frame extension negotiation with the intermediate entity and the server, and the intermediate entity inserts the public key information of the intermediate entity in the negotiation message.
  • Step 802 The client sends an interaction frame 1 encrypted with the public key of the intermediate entity to the server according to a set policy (such as timer 1).
  • the interaction frame 1 includes interaction frame indication information, a connection ID, and a stream ID.
  • Step 803 The intermediate entity stops the onward transmission of the interaction frame 1 until the intermediate entity needs to send interaction content to the server.
  • the intermediate entity intercepts the interaction frame 1 and parses it with the private key. If the interaction frame 1 carries the information of the APP to the network, the intermediate entity performs network transmission adjustment according to the information included in the interaction frame 1. After that, the intermediate entity temporarily stores the interaction frame 1. When the intermediate entity needs to send the network message to the APP peer, the interaction frame 1 is modified and then encrypted by the intermediate entity's private key.
  • Step 804 The intermediate entity sends the updated interaction frame encrypted by the private key of the intermediate entity to the server.
  • Step 805 The server performs QUIC flow control.
  • Step 805 is an optional step.
  • Step 806 The server sends a window update frame to the client.
  • Step 806 is an optional step.
  • Step 807 The server sends the interaction frame 2 encrypted by the public key of the intermediate entity to the client according to a setting policy (such as timer 2).
  • the interaction frame 2 includes interaction frame indication information, a connection ID, and a stream ID.
  • Step 808 The intermediate entity stops the onward transmission of the interaction frame 2 until the intermediate entity needs to send interaction content to the client.
  • the intermediate entity intercepts the interaction frame 2 and parses it with the private key. If the interaction frame 2 carries the information of the APP to the network, the intermediate entity performs network transmission adjustment according to the information included in the interaction frame 2. After that, the intermediate entity temporarily stores the interaction frame 2. When the intermediate entity needs to send the network message to the APP peer, the interaction frame 2 is modified, encrypted by the private key of the intermediate entity, and then sent.
  • Step 809 The intermediate entity sends the updated interaction frame encrypted by the private key of the intermediate entity to the client.
  • Step 810 The client performs QUIC flow control.
  • Step 810 is an optional step.
  • Step 811 The client sends a window update frame to the server.
  • Step 811 is an optional step.
  • the APP originator (client or server) sends an interaction frame encrypted by the public key of the intermediate entity to the server according to a setting policy (such as a timer).
  • the intermediate entity intercepts the information and parses it with the private key. If the message carries the information of the APP to the network, the intermediate entity performs network transmission adjustment according to the interaction information of the interaction frame. After that, the intermediate entity temporarily stores the interaction frame.
  • the interaction frame is then modified and encrypted by the intermediate entity's private key before being sent.
  • the APP peer decrypts the interaction frame with the public key of the intermediate entity.
  • the interaction frames before and after modification keep the same sequence number. This embodiment enables transmission optimization of the QUIC service.
  • FIG. 9 is a schematic diagram of communication of a QUIC interaction frame extension negotiation method according to an embodiment of the present disclosure, where the method includes:
  • Step 901 The client adds an interaction frame extension indication message to the client hello message.
  • Step 902 After intercepting the Client hello message, the intermediate entity adds the intermediate entity's own information, such as digital certificate information, and the digital certificate has the public key of the intermediate entity, and then sends the information to the server.
  • Step 903 After receiving the Client hello message, the server verifies the legitimacy and service authority of the intermediate entity. If the verification succeeds, the Server hello message carries interaction frame extension negotiation confirmation information. This message can carry the digital certificate information of the intermediate entity.
  • Step 904 After the intermediate entity intercepts the Server hello message, if the Server hello message does not carry the digital certificate information of the intermediate entity, the digital certificate information of the intermediate entity is added therein, and the digital certificate has the public key of the intermediate entity.
  • step 905 the client returns a negotiation success confirmation message to the server.
  • in the QUIC connection creation phase, the client and the server can obtain the public key of the intermediate entity, so that the client and the server can subsequently communicate with the intermediate entity and the intermediate entity can perform QUIC service control and transmission optimization.
  • each network element, such as the first network device, the intermediate entity, and the second network device, includes corresponding hardware structures and/or software modules for performing the respective functions.
  • the present invention can be implemented in a combination of hardware or hardware and computer software in combination with the elements and algorithm steps of the various examples described in the embodiments disclosed herein. Whether a function is implemented in hardware or computer software to drive hardware depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods for implementing the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present invention.
  • the embodiments of the present invention may divide the function modules of the first network device, the intermediate entity, and the second network device according to the foregoing method.
  • each function module may be divided according to each function, or two or more functions may be integrated in one processing module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional modules. It should be noted that the division of the module in the embodiment of the present invention is schematic, and is only a logical function division, and the actual implementation may have another division manner.
  • FIG. 10 shows a possible structural diagram of the first network device involved in the above embodiment.
  • the first network device 1000 includes a processing module 1002 and a communication module 1003.
  • the processing module 1002 is configured to perform control management on the actions of the first network device.
  • the processing module 1002 is configured to support the first network device to perform the process 502 in FIG. 5, the processes 801, 802, 810, and 811 in FIG. 8, the processes 901 and 905 in FIG. 9, and/or other processes for the techniques described herein.
  • the communication module 1003 is configured to support communication of the first network device with other network entities, such as with intermediate entities.
  • the first network device may further include a storage module 1001 for storing program codes and data of the first network device.
  • the processing module 1002 may be a processor or a controller, such as a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication module 1003 may be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and may include one or more interfaces.
  • the storage module 1001 may be a memory.
  • the first network device involved in the embodiment of the present invention may be the first network device shown in FIG. 11.
  • the first network device 1100 includes a processor 1102, a communication interface 1103, and a memory 1101.
  • the communication interface 1103, the processor 1102, and the memory 1101 can be connected to each other through a communication connection.
  • FIG. 12 shows a possible structural diagram of the intermediate entity involved in the above embodiment.
  • the intermediate entity 1200 includes a processing module 1202 and a communication module 1203.
  • the processing module 1202 is configured to control and manage the actions of the intermediate entity.
  • the processing module 1202 is configured to support the intermediate entity to perform the processes 501, 503, and 504 in FIG. 5, the processes 801, 803, 804, 808, and 809 in FIG. 8, the processes 902 and 904 in FIG. 9, and/or other processes for the techniques described herein.
  • the communication module 1203 is configured to support communication between the intermediate entity and other network entities, such as with the first network device or the second network device.
  • the intermediate entity may also include a storage module 1201 for storing program code and data of the intermediate entity.
  • the processing module 1202 may be a processor or a controller, such as a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication module 1203 may be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and may include one or more interfaces.
  • the storage module 1201 may be a memory.
  • when the processing module 1202 is a processor, the communication module 1203 is a communication interface, and the storage module 1201 is a memory, the intermediate entity involved in the embodiment of the present invention may be the intermediate entity shown in FIG. 13.
  • the intermediate entity 1300 includes a processor 1302, a communication interface 1303, and a memory 1301.
  • the communication interface 1303, the processor 1302, and the memory 1301 may be connected to each other through a communication connection.
  • FIG. 14 shows a possible structural diagram of the second network device involved in the above embodiment.
  • the second network device 1400 includes a processing module 1402 and a communication module 1403.
  • the processing module 1402 is configured to perform control management on the actions of the second network device.
  • the processing module 1402 is configured to support the second network device to perform the processes 505 and 506 in FIG. 5, the processes 801 and 805 to 807 in FIG. 8, the process 903 in FIG. 9, and/or other processes for the techniques described herein.
  • the communication module 1403 is configured to support communication of the second network device with other network entities, such as with intermediate entities.
  • the second network device may further include a storage module 1401 for storing program codes and data of the second network device.
  • the processing module 1402 may be a processor or a controller, such as a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or carry out the various illustrative logical blocks, modules and circuits described in connection with the present disclosure.
  • the processor may also be a combination of computing functions, for example, including one or more microprocessor combinations, a combination of a DSP and a microprocessor, and the like.
  • the communication module 1403 can be a communication interface, a transceiver, a transceiver circuit, etc., wherein the communication interface is a collective name and can include one or more interfaces.
  • the storage module 1401 may be a memory.
  • the second network device involved in the embodiment of the present invention may be the second network device shown in FIG. 15.
  • the second network device 1500 includes a processor 1502, a communication interface 1503, and a memory 1501.
  • the communication interface 1503, the processor 1502, and the memory 1501 may be connected to each other through a communication connection.
  • the steps of a method or algorithm described in connection with the present disclosure may be implemented in a hardware, or may be implemented by a processor executing software instructions.
  • the software instructions may be composed of corresponding software modules, which may be stored in a random access memory (RAM), a flash memory, a read-only memory (ROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable hard disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor to enable the processor to read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and the storage medium can be located in an ASIC. Additionally, the ASIC can be located in a core network interface device.
  • the processor and the storage medium may also exist as discrete components in the core network interface device.
  • the functions described herein can be implemented in hardware, software, firmware, or any combination thereof.
  • the functions may be stored in a computer readable medium or transmitted as one or more instructions or code on a computer readable medium.
  • Computer readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one location to another.
  • a storage medium may be any available media that can be accessed by a general purpose or special purpose computer.

Abstract

Embodiments of the present invention relate to a QUIC service control method, a network device and an intermediate entity. The method includes: a first network device receives the public key of an intermediate entity from the intermediate entity; the first network device sends to the intermediate entity an interaction frame encrypted with the public key of the intermediate entity, where the interaction frame carries interaction information from the first network device to the intermediate entity, and the interaction information is used to instruct the intermediate entity to perform QUIC service control according to the interaction information, the QUIC service being the service between the first network device and a second network device that passes through the intermediate entity. The embodiments of the present invention enable transmission optimization of the QUIC service.

Description

QUIC service control method and network device
This application claims priority to Chinese patent application No. 201710729529.0, entitled "QUIC service control method and network device", filed with the Chinese Patent Office on August 23, 2017, the entire content of which is incorporated herein by reference.
Technical Field
Embodiments of the present invention relate to the field of communications, and in particular to a Quick User Datagram Protocol (UDP) Internet Connection (QUIC) service control method and network device.
Background
The QUIC protocol is a UDP-based transport protocol that provides multiplexing and security protection. QUIC not only combines the advantages of HyperText Transfer Protocol (HTTP) 2.0, Transport Layer Security (TLS) and the Transmission Control Protocol (TCP), but also achieves lower access latency, more convenient traffic congestion control, and a better error correction mechanism.
FIG. 1 compares the protocol stacks of the QUIC, HTTP 2.0 and speedy (SPDY) protocols. Referring to FIG. 1, for security reasons SPDY is specified to run on top of TLS; from top to bottom the protocol layers are HTTP, SPDY, TLS, TCP and the Internet Protocol (IP). The layers of ordinary HTTP/2.0 are HTTP, Secure Sockets Layer (SSL)/TLS, TCP and IP, where the TLS layer is optional and TCP may sit directly below HTTP. Below QUIC is UDP; above it may be SPDY and HTTP, or other application-layer protocols.
FIG. 2 shows the QUIC packet header format; the QUIC packet header is also called the QUIC common header. Referring to FIG. 2, every transmitted QUIC packet begins with a common header of between 1 and 51 bytes. The common header consists of the public flags (Public Flags), connection identifier (Connection ID), QUIC version (Version), packet number (Packet Number), private flags (Private Flags) and forward error correction (FEC) fields.
FIG. 3 illustrates integrity protection and encryption of the QUIC packet header. Referring to FIG. 3, the entire QUIC packet header is integrity protected, and everything after the private flags in the header, as well as the payload, is encrypted.
As QUIC traffic grows, the network needs to distinguish QUIC traffic, or the traffic of a particular Service Node Interface (SNI), and rate-limit it so that the communication of other services is not affected.
In the prior art, when TCP is used, the sending rate of the server is controlled by deploying a TCP proxy. QUIC, however, because of its encryption and integrity protection, cannot be subjected to service control through a proxy, so transmission optimization cannot be performed.
Summary
Embodiments of the present invention provide a QUIC service control method and network device that allow service control, and hence transmission optimization, to be performed through an intermediate entity.
In a first aspect, an embodiment of the present invention provides a QUIC service control method. A first network device receives the public key of an intermediate entity from the intermediate entity; the first network device sends to the intermediate entity an interaction frame encrypted with the public key of the intermediate entity, where the interaction frame carries interaction information from the first network device to the intermediate entity and the interaction information is used to instruct the intermediate entity to perform QUIC service control according to the interaction information, the QUIC service being the service between the first network device and a second network device that passes through the intermediate entity. The service path between the first network device and the second network device passes through the intermediate entity, which may be a data forwarding device such as a base station or a gateway.
In this embodiment, because the first network device receives the public key of the intermediate entity from the intermediate entity and sends to the intermediate entity an interaction frame encrypted with that public key, the interaction frame carrying interaction information from the first network device to the intermediate entity, the intermediate entity can parse the interaction frame with its private key and accordingly perform service control, according to the interaction information, on the QUIC service between the first network device and the second network device that passes through the intermediate entity.
In a possible implementation, the first network device receives the public key of the intermediate entity from the intermediate entity during the QUIC connection establishment phase between the first network device and the second network device. In this implementation, the first network device obtains the public key of the intermediate entity already during QUIC connection establishment, so that communication between the first network device and the intermediate entity is possible from the very start of the connection and QUIC service control can be performed throughout the QUIC service.
In a possible implementation, the interaction frame belongs to an interaction stream, the interaction frame has a preset frame type, and the interaction stream has a preset stream identifier. This implementation provides one way of identifying the interaction frame: the combination of stream identifier and frame type identifies the interaction frame, from which the interaction information it carries is obtained. This identification method reuses the existing QUIC frame structure and is simple and fast.
In a possible implementation, the interaction frame belongs to an interaction stream, the first two bits of the QUIC packet header of the interaction frame identify the interaction frame, and the interaction stream has a preset stream identifier. This implementation provides another way of identifying the interaction frame: the combination of stream identifier and the first two bits of the QUIC packet header identifies the interaction frame, from which the interaction information it carries is obtained. This identification method uses the first two bits of the QUIC packet header, which are normally unused, and is simple and fast.
In a possible implementation, the interaction frame includes the frame type, the stream identifier, the origin and means of the interaction information, and the content of the interaction information. This implementation provides one frame format for the interaction frame: the frame type and stream identifier allow the intermediate entity to identify the interaction frame, while the origin and means of the interaction information and its content allow the intermediate entity to perform QUIC service control.
In a possible implementation, after the first network device sends to the intermediate entity the interaction frame encrypted with the public key of the intermediate entity, the first network device receives a window update frame from the second network device. In this implementation, after the first network device sends the interaction frame to the intermediate entity, the intermediate entity may further send an updated interaction frame to the second network device, so that the second network device can perform transmission control on the first network device according to the interaction information carried in the interaction frame.
In a second aspect, a QUIC service control method is provided. An intermediate entity sends its public key to a first network device; the intermediate entity receives from the first network device an interaction frame encrypted with the public key of the intermediate entity, the interaction frame carrying interaction information from the first network device to the intermediate entity; the intermediate entity performs QUIC service control according to the interaction information, the QUIC service being the service between the first network device and a second network device that passes through the intermediate entity.
In this embodiment, because the intermediate entity sends its public key to the first network device and receives the interaction frame that the first network device encrypted with that public key, the intermediate entity can parse the interaction frame with its private key and accordingly perform QUIC service control according to the interaction information.
In a possible implementation, the intermediate entity performs network transmission adjustment on the QUIC service according to the interaction information and temporarily retains the interaction frame; when the intermediate entity needs to send a QUIC service control message to the second network device, it modifies the interaction frame, encrypts it with the private key of the intermediate entity, and sends the encrypted interaction frame to the second network device. In this implementation, the intermediate entity not only adjusts the network transmission of the QUIC service according to the interaction information but also retains the interaction frame, so that when it later needs to send an interaction message to the second network device it can carry that message in the interaction frame, allowing the second network device to perform QUIC service control according to the interaction information.
In a possible implementation, the intermediate entity sends its public key to the first network device during the QUIC connection establishment phase between the first network device and the second network device. In this implementation, the intermediate entity sends its public key to the first network device already during QUIC connection establishment, so that communication between the first network device and the intermediate entity is possible from the very start of the connection and QUIC service control can be performed throughout the QUIC service.
Optionally, the intermediate entity sends its public key to the second network device during the QUIC connection establishment phase between the first network device and the second network device. In this implementation, the intermediate entity sends its public key to the second network device already during QUIC connection establishment, so that communication between the second network device and the intermediate entity is possible from the very start of the connection and QUIC service control can be performed throughout the QUIC service.
In a possible implementation, the intermediate entity receives an interaction stream from the first network device, the interaction stream having a preset stream identifier; the intermediate entity uses its private key to parse the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and has a preset frame type. This implementation provides one way of identifying the interaction frame: the combination of stream identifier and frame type identifies the interaction frame, from which the interaction information it carries is obtained. This identification method reuses the existing QUIC frame structure and is simple and fast.
In a possible implementation, the intermediate entity receives an interaction stream from the first network device, the interaction stream having a preset stream identifier; the intermediate entity uses its private key to parse the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and the first two bits of its QUIC packet header identify the interaction frame. This implementation provides another way of identifying the interaction frame: the combination of stream identifier and the first two bits of the QUIC packet header identifies the interaction frame, from which the interaction information it carries is obtained. This identification method uses the first two bits of the QUIC packet header, which are normally unused, and is simple and fast.
In a possible implementation, the interaction frame includes the frame type, the stream identifier, the origin and means of the interaction information, and the content of the interaction information. This implementation provides one frame format for the interaction frame: the intermediate entity can identify the interaction frame from the frame type and stream identifier, and can perform QUIC service control according to the origin and means of the interaction information and its content.
第三方面,提供了一种QUIC业务控制方法。第二网络设备从中间实体接收所述中间实体的公钥;所述第二网络设备从中间实体接收用所述中间实体的私钥加密的交互帧,所 述交互帧携带所述中间实体给所述第二网络设备的交互信息;所述第二网络设备根据所述交互信息进行QUIC业务控制,所述QUIC业务为所述第二网络设备与第一网络设备之间的经过所述中间实体的业务。
本发明实施例中,由于第二网络设备从中间实体接收了中间实体的公钥,因此当所述第二网络设备从中间实体接收到用所述中间实体的私钥加密的交互帧时,所述第二网络设备能够用所述中间实体的公钥解析该交互帧,并根据所述交互帧中携带的交互信息进行QUIC业务控制。
在一种可能的实施方式中,所述交互信息指示下行链路堵塞,所述第二网络设备根据所述交互信息将传送率下调;或所述交互信息指示上行链路堵塞,所述第二网络设备根据所述交互信息向所述第一网络设备发送窗口更新帧。根据该实施方式,当所述交互信息指示下行链路堵塞时,所述第二网络设备可以根据所述交互信息将自身的传送率下调;或当所述交互信息指示上行链路堵塞时,所述第二网络设备可以根据所述交互信息向所述第一网络设备发送窗口更新帧,指示第一网络设备将自身的传送率下调,从而实现根据交互信息进行QUIC业务控制。
在一种可能的实施方式中,在所述第二网络设备与所述第一网络设备之间的QUIC连接建立阶段,所述第二网络设备从所述中间实体接收所述中间实体的公钥。根据该实施方式,在所述第一网络设备与所述第二网络设备之间的QUIC连接建立阶段,所述第二网络设备就从所述中间实体接收所述中间实体的公钥,便于QUIC连接建立初期就能够实现第二网络设备与中间实体的通信,从而在整个QUIC业务过程中进行QUIC业务控制。
在一种可能的实施方式中,所述交互帧属于交互流,所述交互帧具有预先设定的帧类型,所述交互流具有预先设定的流标识。
在一种可能的实施方式中,所述交互帧属于交互流,所述交互帧的QUIC包头的前两位用于标识所述交互帧,所述交互流具有预先设定的流标识。根据该实施方式,提供了识别交互帧的一种方式,通过流标识和帧类型相结合来识别交互帧,从而获取交互帧中携带的交互信息,这种识别方式利用了现有的QUIC帧结构,简单快速。
在一种可能的实施方式中,所述交互帧包括帧的类型、流标识、交互信息的发端和手段、交互信息的内容。根据该实施方式,提供了交互帧的一种帧格式,一方面帧的类型、流标识可以用于第二网络设备识别交互帧,另一方面交互信息的发端和手段、交互信息的内容可以用于第二网络设备进行QUIC业务控制。
In yet another aspect, an embodiment of the present invention provides a network device that, acting as the first network device, can implement the functions performed by the first network device in the method of the first aspect above. The functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In a possible design, the first network device includes a processor and a communication interface; the processor is configured to support the first network device in performing the corresponding functions of the method above, and the communication interface supports communication between the first network device and the intermediate entity or other network elements. The first network device may further include a memory, coupled to the processor, that stores the program instructions and data the first network device needs.
In a possible design, the first network device includes a memory, a processor and a communication interface; the memory stores program instructions, and the processor performs the following operations according to the program instructions stored in the memory: receiving, through the communication interface, the public key of an intermediate entity from the intermediate entity; and sending, through the communication interface, an interaction frame encrypted with the public key of the intermediate entity to the intermediate entity, where the interaction frame carries interaction information from the first network device to the intermediate entity, the interaction information instructs the intermediate entity to perform QUIC service control according to the interaction information, and the QUIC service is a service between the first network device and a second network device that passes through the intermediate entity.
In a possible design, the processor's operation of receiving the public key of the intermediate entity from the intermediate entity through the communication interface includes: receiving the public key of the intermediate entity from the intermediate entity through the communication interface during the QUIC connection establishment phase between the first network device and the second network device.
In a possible design, the interaction frame belongs to an interaction stream, the interaction frame has a preset frame type, and the interaction stream has a preset stream identifier.
In a possible design, the interaction frame belongs to an interaction stream, the first two bits of the QUIC packet header of the interaction frame identify the interaction frame, and the interaction stream has a preset stream identifier.
In a possible design, the interaction frame includes the frame type, the stream identifier, the originator and means of the interaction information, and the content of the interaction information.
In a possible design, after the processor sends the interaction frame encrypted with the public key of the intermediate entity to the intermediate entity through the communication interface, the processor further performs, according to the program instructions stored in the memory, the operation of receiving a window update frame from the second network device through the communication interface.
In yet another aspect, an embodiment of the present invention provides an intermediate entity that can implement the functions performed by the intermediate entity in the method of the second aspect above. The functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In a possible design, the intermediate entity includes a processor and a communication interface; the processor is configured to support the intermediate entity in performing the corresponding functions of the method above, and the communication interface supports communication between the intermediate entity and the first network device, the second network device or other network elements. The intermediate entity may further include a memory, coupled to the processor, that stores the program instructions and data the intermediate entity needs.
In a possible design, the intermediate entity includes a memory, a processor and a communication interface; the memory stores program instructions, and the processor performs the following operations according to the program instructions stored in the memory: sending the public key of the intermediate entity to a first network device through the communication interface; receiving, through the communication interface, an interaction frame encrypted with the public key of the intermediate entity from the first network device, where the interaction frame carries interaction information from the first network device to the intermediate entity; and performing QUIC service control according to the interaction information, where the QUIC service is a service between the first network device and a second network device that passes through the intermediate entity.
In a possible design, the processor's operation of performing QUIC service control according to the interaction information includes: adjusting network transmission of the QUIC service according to the interaction information and retaining the interaction frame; and, when the intermediate entity needs to send a QUIC service control message to the second network device, modifying the interaction frame, encrypting it with the private key of the intermediate entity, and sending the encrypted interaction frame to the second network device through the communication interface.
In a possible design, the processor's operation of sending the public key of the intermediate entity to the first network device through the communication interface includes: sending the public key of the intermediate entity to the first network device through the communication interface during the QUIC connection establishment phase between the first network device and the second network device.
In a possible design, the processor's operation of receiving, through the communication interface, the interaction frame encrypted with the public key of the intermediate entity from the first network device includes: receiving an interaction stream from the first network device through the communication interface, where the interaction stream has a preset stream identifier; and parsing, with the private key of the intermediate entity, the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and has a preset frame type.
In a possible design, the processor's operation of receiving, through the communication interface, the interaction frame encrypted with the public key of the intermediate entity from the first network device includes: receiving an interaction stream from the first network device through the communication interface, where the interaction stream has a preset stream identifier; and parsing, with the private key of the intermediate entity, the interaction frame encrypted with the public key of the intermediate entity, where the interaction frame belongs to the interaction stream and the first two bits of its QUIC packet header identify it as an interaction frame.
In a possible design, the interaction frame includes the frame type, the stream identifier, the originator and means of the interaction information, and the content of the interaction information.
In yet another aspect, an embodiment of the present invention provides a network device that, acting as the second network device, can implement the functions performed by the second network device in the method of the third aspect above. The functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.
In a possible design, the second network device includes a processor and a communication interface; the processor is configured to support the second network device in performing the corresponding functions of the method above, and the communication interface supports communication between the second network device and the intermediate entity or other network elements. The second network device may further include a memory, coupled to the processor, that stores the program instructions and data the second network device needs.
In a possible design, the second network device includes a memory, a processor and a communication interface; the memory stores program instructions, and the processor performs the following operations according to the program instructions stored in the memory: receiving, through the communication interface, the public key of an intermediate entity from the intermediate entity; receiving, through the communication interface, an interaction frame encrypted with the private key of the intermediate entity from the intermediate entity, where the interaction frame carries interaction information from the intermediate entity to the second network device; and performing QUIC service control according to the interaction information, where the QUIC service is a service between the second network device and a first network device that passes through the intermediate entity.
In a possible design, the processor's operation of performing QUIC service control according to the interaction information includes: when the interaction information indicates downlink congestion, lowering the transmission rate according to the interaction information; or, when the interaction information indicates uplink congestion, sending a window update frame to the first network device through the communication interface according to the interaction information.
In a possible design, the processor's operation of receiving the public key of the intermediate entity from the intermediate entity through the communication interface includes: receiving the public key of the intermediate entity from the intermediate entity through the communication interface during the QUIC connection establishment phase between the second network device and the first network device.
In a possible design, the interaction frame belongs to an interaction stream, the interaction frame has a preset frame type, and the interaction stream has a preset stream identifier.
In a possible design, the interaction frame belongs to an interaction stream, the first two bits of the QUIC packet header of the interaction frame identify the interaction frame, and the interaction stream has a preset stream identifier.
In a possible design, the interaction frame includes the frame type, the stream identifier, the originator and means of the interaction information, and the content of the interaction information.
In yet another aspect, an embodiment of the present invention provides a communication system including the first network device, the second network device and the intermediate entity of the aspects above.
In a further aspect, an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by the first network device above, including a program designed to perform the first aspect above.
In a further aspect, an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by the intermediate entity above, including a program designed to perform the second aspect above.
In a further aspect, an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by the second network device above, including a program designed to perform the third aspect above.
In a further aspect, an embodiment of the present invention provides a computer program product including instructions that, when the program is executed by a computer, cause the computer to perform the functions performed by the first network device in the method design of the first aspect above.
In a further aspect, an embodiment of the present invention provides a computer program product including instructions that, when the program is executed by a computer, cause the computer to perform the functions performed by the intermediate entity in the method design of the second aspect above.
In a further aspect, an embodiment of the present invention provides a computer program product including instructions that, when the program is executed by a computer, cause the computer to perform the functions performed by the second network device in the method design of the third aspect above.
In a further aspect, an embodiment of the present invention provides a computer program product including instructions that, when the program is executed by a computer, cause the computer to perform the method of the first aspect or of any possible design of the first aspect.
In a further aspect, an embodiment of the present invention provides a computer program product including instructions that, when the program is executed by a computer, cause the computer to perform the method of the second aspect or of any possible design of the second aspect.
In a further aspect, an embodiment of the present invention provides a computer program product including instructions that, when the program is executed by a computer, cause the computer to perform the method of the third aspect or of any possible design of the third aspect.
Brief Description of the Drawings
Figure 1 compares the protocol stacks of the QUIC, HTTP 2.0 and SPDY protocols;
Figure 2 shows the format of the QUIC public header;
Figure 3 illustrates integrity protection and encryption of the QUIC packet header;
Figure 4 shows the application scenario on which a QUIC service control method of an embodiment of the present invention is based;
Figure 5 shows the communication flow of a QUIC service control method of an embodiment of the present invention;
Figure 6 shows a frame structure of an embodiment of the present invention;
Figure 7 shows the format of a QUIC public header carrying interaction-frame indication information, according to an embodiment of the present invention;
Figure 8 shows the communication flow of another QUIC service control method of an embodiment of the present invention;
Figure 9 shows the communication flow of a QUIC interaction-frame extension negotiation method of an embodiment of the present invention;
Figure 10 shows a structure of a first network device of an embodiment of the present invention;
Figure 11 shows another structure of a first network device of an embodiment of the present invention;
Figure 12 shows a structure of an intermediate entity of an embodiment of the present invention;
Figure 13 shows another structure of an intermediate entity of an embodiment of the present invention;
Figure 14 shows a structure of a second network device of an embodiment of the present invention;
Figure 15 shows another structure of a second network device of an embodiment of the present invention.
Detailed Description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below with reference to the accompanying drawings.
In the embodiments, the QUIC protocol can be extended by adding, within a QUIC service, a specific stream used to signal interaction between the application (APP) and the network, for the purpose of transmission optimization. One or more of the following measures may be combined: the new stream is used for message negotiation between the APP and the network; the new stream uses a specific frame type and stream identifier (e.g. stream ID = X); the new stream is encrypted with the public key of the intermediate entity (carrier); and the APP is preconfigured with the public key information of the intermediate entity.
Figure 4 shows the application scenario on which a QUIC service control method of an embodiment is based. It mainly involves a client 401, an intermediate entity (carrier) 402 and a server 403. The client, also called a QUIC client, such as a browser, may be deployed on a network device; for convenience the network device hosting the client is called the first network device. The intermediate entity is a legitimate intermediate entity, such as an operator's equipment. The server is the QUIC server side, such as a web server; for convenience the network device acting as the server is called the second network device. The service path between the first network device and the second network device passes through the intermediate entity, which may be a data forwarding device such as a base station or a gateway.
Figure 5 shows the communication flow of a QUIC service control method of an embodiment. The method may be based on the application scenario of Figure 4 and includes the following steps.
Step 501: the intermediate entity sends its public key to the first network device.
In one example, during the QUIC connection establishment phase, the intermediate entity adds its public key to the message in which the first network device and the second network device negotiate the interaction-frame extension feature.
Correspondingly, the first network device receives the public key of the intermediate entity from the intermediate entity. For example, during the QUIC connection establishment phase, the first network device negotiates the interaction-frame extension feature with the second network device and obtains the public key of the intermediate entity.
Step 502: the first network device sends to the intermediate entity an interaction frame encrypted with the public key of the intermediate entity.
The interaction frame carries interaction information from the first network device to the intermediate entity; the interaction information instructs the intermediate entity to perform QUIC service control according to it; and the QUIC service is a service between the first network device and the second network device that passes through the intermediate entity.
Note that although the interaction frame can carry interaction information from the first network device to the intermediate entity, a given interaction frame sent by the first network device may or may not carry such interaction information.
Optionally, referring to the frame structure of Figure 6, the interaction frame has a specific structure; for example, it includes the frame type (Type), the stream identifier (Stream ID), the originator and means of the interaction information (Interaction index), and the content of the interaction information (Interaction content). The frame type identifies the current frame as an interaction frame (Interaction Frame) and lets the intermediate entity recognise the frame type. The stream identifier takes a value Stream ID = X, where X may be a stream ID not currently reserved for a special purpose, such as stream ID 5, 7 or 9. The originator and means of the interaction information are, for example, server to network, network to client, or network to server. The content of the interaction information is, for example, the network state and the interaction frame sending frequency in the network-to-server direction, or a bitrate request and application info in the server-to-network direction.
In the embodiments, an interaction frame may be identified by its frame type and/or by the first two bits of the QUIC public header.
Optionally, Figure 7 shows the format of a QUIC public header carrying interaction-frame indication information: the first two bits of the public flags field are currently unused, and the embodiments use these two bits as the interaction-frame indication.
In one example, the interaction frame belongs to an interaction stream, the interaction frame has a specific frame type, and the interaction stream has a specific stream identifier.
In another example, the interaction frame belongs to an interaction stream, the first two bits of the QUIC public header of the interaction frame identify the interaction frame, and the interaction stream has a specific stream identifier.
Correspondingly, the intermediate entity receives the interaction frame, encrypted with the public key of the intermediate entity, that the first network device sends towards the second network device.
In one example, the intermediate entity receives an interaction stream from the first network device, where the interaction stream has a specific stream identifier; the intermediate entity uses its private key to parse the interaction frame encrypted with its public key, where the interaction frame belongs to the interaction stream and has a specific frame type.
In another example, the intermediate entity receives an interaction stream from the first network device, where the interaction stream has a specific stream identifier; the intermediate entity uses its private key to parse the interaction frame encrypted with its public key, where the interaction frame belongs to the interaction stream and the first two bits of its QUIC public header identify it as an interaction frame.
Step 503: the intermediate entity performs QUIC service control according to the interaction information.
In one example, step 503 further includes:
Step 5031: the intermediate entity adjusts network transmission of the QUIC service according to the interaction information and retains the interaction frame;
In one example, adjusting network transmission of the QUIC service according to the interaction information specifically includes raising or lowering the transmission rate of this QUIC service flow, for example by adjusting the send window and/or the transmission rate.
Step 5032: when the intermediate entity needs to send a QUIC service control message to the second network device, it modifies the interaction frame, encrypts it with its private key, and sends the encrypted interaction frame to the second network device.
In other words, the intermediate entity can add interaction information to the interaction frame retained in step 503 in order to communicate with the second network device.
Corresponding to step 5032, the method optionally further includes:
Step 504: the intermediate entity sends its public key to the second network device.
The embodiments do not limit the order of step 504 and step 501: step 501 may be performed before step 504, step 504 before step 501, or both at the same time.
In one example, during the QUIC connection establishment phase, the intermediate entity adds its public key to the message in which the first network device and the second network device negotiate the interaction-frame extension feature.
Correspondingly, the second network device receives the public key of the intermediate entity from the intermediate entity. For example, during the QUIC connection establishment phase, the second network device negotiates the interaction-frame extension feature with the first network device and obtains the public key of the intermediate entity.
Step 505: the second network device receives from the intermediate entity an interaction frame encrypted with the private key of the intermediate entity, where the interaction frame carries interaction information from the intermediate entity to the second network device.
Step 506: the second network device performs QUIC service control according to the interaction information, where the QUIC service is a service between the second network device and the first network device that passes through the intermediate entity.
In one example, step 506 further includes:
Step 5061: the interaction information indicates downlink congestion, and the second network device lowers its transmission rate according to the interaction information; or
Step 5062: the interaction information indicates uplink congestion, and the second network device sends a window update frame to the first network device according to the interaction information.
Correspondingly, the first network device receives the window update frame from the second network device and adjusts the value of its uplink send window according to it, which relieves the uplink congestion.
In this embodiment, because the first network device can obtain the public key of the intermediate entity and sends towards the second network device an interaction frame encrypted with that public key, the intermediate entity can parse the interaction frame with its private key, obtain the interaction information in it, and perform QUIC service control accordingly. Optionally, the second network device can also obtain the public key of the intermediate entity: it receives from the intermediate entity an interaction frame encrypted with the private key of the intermediate entity, parses it with the public key, obtains the interaction information, and performs QUIC service control accordingly.
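The Figure 5 exchange and the Figure 6 frame layout described above, worked through in Go as an added example; this is not code from the patent or from any implementation by the applicant. The frame type 0xF0, the stream ID 5, the interaction-index and content codes, the byte layout of the frame, and the choice of RSA-OAEP for the public-key encryption and RSA-PSS for the carrier's private-key operation are all assumptions made for this example, since the patent fixes none of them. One point the patent's wording blurs: "encrypting with the private key" in steps 5032 and 505 is a signature, not encryption. It lets the second network device check that the frame came from the intermediate entity, but every holder of the public key, which the connection setup hands to both endpoints, can read the frame, so the network-to-app direction carries no confidentiality. The server-side handler below therefore verifies the signature before acting on any congestion indication, so that a frame from an unauthenticated on-path sender cannot throttle it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed values: the patent leaves the frame type, the stream ID ("stream ID = X") and the codes open.
const (
	InteractionFrameType     byte   = 0xF0 // assumed Interaction Frame type
	InteractionStreamID      uint32 = 5    // assumed interaction-stream ID
	IdxClientToNetwork       byte   = 1    // interaction index: originator and direction
	IdxNetworkToServer       byte   = 2
	ContentUplinkCongested   byte   = 0x11 // network-to-app content codes (assumed)
	ContentDownlinkCongested byte   = 0x12
)

var carrierKey, _ = rsa.GenerateKey(rand.Reader, 2048) // the intermediate entity's key pair (constructed)

// InteractionFrame mirrors Figure 6: type, stream ID, interaction index, content.
type InteractionFrame struct {
	Type     byte
	StreamID uint32
	Index    byte
	Content  []byte
}

// Encode uses a constructed layout: type(1) | stream ID(4, big-endian) | index(1) | content.
func (f InteractionFrame) Encode() []byte {
	b := binary.BigEndian.AppendUint32([]byte{f.Type}, f.StreamID)
	return append(append(b, f.Index), f.Content...)
}

// ParseInteractionFrame identifies a frame by stream ID plus frame type (the patent's first method).
func ParseInteractionFrame(b []byte) (InteractionFrame, error) {
	if len(b) < 6 || b[0] != InteractionFrameType || binary.BigEndian.Uint32(b[1:5]) != InteractionStreamID {
		return InteractionFrame{}, errors.New("not an interaction frame")
	}
	return InteractionFrame{b[0], InteractionStreamID, b[5], append([]byte(nil), b[6:]...)}, nil
}

// Step 502: the client encrypts its app-to-network information to the carrier's public key.
func ClientSendInteraction(carrierPub *rsa.PublicKey, content []byte) ([]byte, error) {
	f := InteractionFrame{InteractionFrameType, InteractionStreamID, IdxClientToNetwork, content}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, carrierPub, f.Encode(), nil)
}

// Steps 5031/5032: the carrier decrypts with its private key, retains the frame, then rewrites it
// with network state and "encrypts it with the private key", which is really a signature.
func CarrierRelay(key *rsa.PrivateKey, ciphertext, networkState []byte) (frame, sig []byte, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, key, ciphertext, nil)
	if err != nil {
		return nil, nil, err
	}
	held, err := ParseInteractionFrame(pt) // step 5031: the retained app-to-network frame
	if err != nil {
		return nil, nil, err
	}
	held.Index, held.Content = IdxNetworkToServer, networkState // step 5032: rewrite
	frame = held.Encode()
	digest := sha256.Sum256(frame)
	sig, err = rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	return frame, sig, err
}

// Steps 505/506: the server verifies the carrier's signature before acting on a congestion indication;
// it returns its rate multiplier (step 5061) and whether it sends the client a window update (step 5062).
func ServerHandle(carrierPub *rsa.PublicKey, frame, sig []byte) (rate float64, windowUpdate bool, err error) {
	digest := sha256.Sum256(frame)
	if err = rsa.VerifyPSS(carrierPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return 0, false, err
	}
	f, err := ParseInteractionFrame(frame)
	if err != nil || len(f.Content) == 0 {
		return 0, false, errors.New("malformed frame from carrier")
	}
	rate, windowUpdate = 1, f.Content[0] == ContentUplinkCongested
	if f.Content[0] == ContentDownlinkCongested {
		rate = 0.5
	}
	return rate, windowUpdate, nil
}

// RunExchange walks one Figure 5 round trip for the given network-state code.
func RunExchange(networkState byte) (float64, bool, error) {
	ct, err := ClientSendInteraction(&carrierKey.PublicKey, []byte("bitrate request"))
	if err != nil {
		return 0, false, err
	}
	frame, sig, err := CarrierRelay(carrierKey, ct, []byte{networkState})
	if err != nil {
		return 0, false, err
	}
	return ServerHandle(&carrierKey.PublicKey, frame, sig)
}

func main() { fmt.Println(RunExchange(ContentDownlinkCongested)) }
```

The example covers only the client-originated direction of the exchange (steps 501 to 506, or steps 802 to 806 of Figure 8); the server-originated direction is symmetric. The network transmission adjustment the carrier makes in step 5031 is operator policy and is not modelled.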
Figure 8 shows the communication flow of another QUIC service control method of an embodiment. The method may be based on the application scenario of Figure 4; in this embodiment the client is the APP originator in the first phase and the server is the APP originator in the second phase. The method includes:
Step 801: during the QUIC connection creation phase, the client performs interaction-frame extension negotiation with the intermediate entity and the server, and the intermediate entity inserts its public key information into the negotiation message.
Step 802: the client, following a configured policy (such as timer 1), sends the server interaction frame 1 encrypted with the public key of the intermediate entity.
For example, interaction frame 1 includes interaction-frame indication information, a connection ID and a stream ID.
Step 803: the intermediate entity terminates the transm+ission of interaction frame 1 until it needs to send interaction content to the server.
In one example, after intercepting interaction frame 1 the intermediate entity parses it with its private key; if the frame carries information from the APP to the network, the intermediate entity adjusts network transmission according to that information. The intermediate entity then retains interaction frame 1, and when it needs to send a network message to the APP peer, it modifies interaction frame 1, encrypts it with its private key and sends it.
Step 804: the intermediate entity sends the updated interaction frame, encrypted with its private key, to the server.
Step 805: the server performs QUIC flow control.
For example, if the interaction content indicates downlink congestion, the server slows its transmission rate. Step 805 is optional.
Step 806: the server sends a window update frame to the client.
For example, if the interaction content indicates uplink congestion, the server sends a window update frame. Step 806 is optional.
Step 807: the server, following a configured policy (such as timer 2), sends the client interaction frame 2 encrypted with the public key of the intermediate entity.
For example, interaction frame 2 includes interaction-frame indication information, a connection ID and a stream ID.
Step 808: the intermediate entity terminates the transmission of interaction frame 2 until it needs to send interaction content to the client.
In one example, after intercepting interaction frame 2 the intermediate entity parses it with its private key; if the frame carries information from the APP to the network, the intermediate entity adjusts network transmission according to that information. The intermediate entity then retains interaction frame 2, and when it needs to send a network message to the APP peer, it modifies interaction frame 2, encrypts it with its private key and sends it.
Step 809: the intermediate entity sends the updated interaction frame, encrypted with its private key, to the client.
Step 810: the client performs QUIC flow control.
For example, if the interaction content indicates uplink congestion, the client slows its transmission rate. Step 810 is optional.
Step 811: the client sends a window update frame to the server.
For example, if the interaction content indicates downlink congestion, the client sends a window update frame. Step 811 is optional.
In this embodiment, after the interaction-frame extension negotiation is complete, the APP originator (client or server) sends, according to a configured policy (such as a timer), an interaction frame encrypted with the public key of the intermediate entity to the server. The intermediate entity intercepts it and parses it with its private key; if the message carries information from the APP to the network, the intermediate entity adjusts network transmission according to the interaction information in the frame. The intermediate entity then retains the interaction frame, and when it needs to send a network message to the APP peer, it modifies the frame, encrypts it with its private key and sends it. The APP peer decrypts the interaction frame with the public key of the intermediate entity. The sequence number of the interaction frame is kept unchanged before and after. This implementation achieves transmission optimization of the QUIC service.
Figure 9 shows the communication flow of a QUIC interaction-frame extension negotiation method of an embodiment. The method includes:
Step 901: the client adds interaction-frame extension indication information to its Client Hello message.
Step 902: after intercepting the Client Hello message, the intermediate entity adds its own information to it, such as its digital certificate information (the digital certificate contains the public key of the intermediate entity), and then forwards the message to the server.
Step 903: on receiving the Client Hello message, the server verifies the legitimacy and service permissions of the intermediate entity; if verification succeeds, the server carries extension-frame negotiation confirmation information in its Server Hello message. This message may carry the digital certificate information of the intermediate entity.
Step 904: after intercepting the Server Hello message, if it does not carry the digital certificate information of the intermediate entity, the intermediate entity adds that information to it; the digital certificate contains the public key of the intermediate entity.
Step 905: the client returns a negotiation-success confirmation to the server.
In this embodiment, the client and the server can obtain the public key of the intermediate entity during the QUIC connection creation phase, so that both can subsequently communicate with the intermediate entity, which facilitates QUIC service control and transmission optimization by the intermediate entity.
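The Figure 9 negotiation (steps 901 to 905) as an added example in Go; this is not code from the patent or from any implementation by the applicant. The digital certificate is reduced to a name plus public-key bytes, the server's legitimacy and permission check of step 903 is modelled as a pinned-fingerprint allow-list, and the server is assumed to omit the certificate from its Server Hello so that the carrier's step 904 is exercised. All of these are assumptions; the patent specifies none of them. The check at step 903 is the security-relevant step: nothing but a server-side trust decision separates the legitimate operator device from any other on-path device that inserts its own certificate into the Client Hello, so the server below confirms the extension only for a carrier it recognises and permits.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// CarrierCert stands in for the intermediate entity's digital certificate; the patent
// only says it carries the carrier's public key, so name plus key bytes suffice here.
type CarrierCert struct {
	Name   string
	PubKey []byte
}

// Fingerprint is what the server pins: SHA-256 over the certificate fields.
func (c CarrierCert) Fingerprint() string {
	sum := sha256.Sum256(append([]byte(c.Name+"\x00"), c.PubKey...))
	return hex.EncodeToString(sum[:])
}

// ClientHello and ServerHello carry only the fields the Figure 9 steps mention.
type ClientHello struct {
	InteractionExt bool         // step 901: interaction-frame extension indication
	Carrier        *CarrierCert // step 902: inserted by the carrier on the path
}

type ServerHello struct {
	ExtConfirmed bool         // step 903: extension negotiation confirmation
	Carrier      *CarrierCert // step 903/904: carrier certificate, if present
}

// Server holds the step 903 trust decisions: which carrier fingerprints are legitimate
// and permitted to control this service (constructed policy), and the key it learned.
type Server struct {
	Permitted  map[string]bool
	CarrierPub []byte
}

// Step 902: the carrier inserts its certificate only when the client asked for the extension.
func CarrierInsert(ch ClientHello, cert CarrierCert) ClientHello {
	if ch.InteractionExt && ch.Carrier == nil {
		ch.Carrier = &cert
	}
	return ch
}

// Step 903: the server confirms the extension only for a carrier it recognises and permits;
// any other on-path device that inserted a certificate gets no confirmation.
func (s *Server) HandleClientHello(ch ClientHello) (ServerHello, error) {
	if !ch.InteractionExt {
		return ServerHello{}, nil
	}
	if ch.Carrier == nil {
		return ServerHello{}, errors.New("extension requested but no carrier certificate present")
	}
	if !s.Permitted[ch.Carrier.Fingerprint()] {
		return ServerHello{}, errors.New("carrier not legitimate or not permitted: " + ch.Carrier.Name)
	}
	s.CarrierPub = ch.Carrier.PubKey
	return ServerHello{ExtConfirmed: true}, nil // certificate omitted here so step 904 applies
}

// Step 904: the carrier adds its certificate to the Server Hello when it is missing.
func CarrierFill(sh ServerHello, cert CarrierCert) ServerHello {
	if sh.ExtConfirmed && sh.Carrier == nil {
		sh.Carrier = &cert
	}
	return sh
}

// Step 905: the client confirms only a confirmed Server Hello that carries a certificate,
// and keeps the carrier's public key for the interaction frames that follow.
func ClientConfirm(sh ServerHello) (carrierPub []byte, confirmed bool) {
	if !sh.ExtConfirmed || sh.Carrier == nil {
		return nil, false
	}
	return sh.Carrier.PubKey, true
}

// Negotiate runs steps 901-905 and reports whether both ends hold the same carrier key.
func Negotiate(srv *Server, cert CarrierCert) (bool, error) {
	ch := CarrierInsert(ClientHello{InteractionExt: true}, cert) // 901, 902
	sh, err := srv.HandleClientHello(ch)                         // 903
	if err != nil {
		return false, err
	}
	clientPub, ok := ClientConfirm(CarrierFill(sh, cert)) // 904, 905
	return ok && string(clientPub) == string(srv.CarrierPub), nil
}

func main() {
	trusted := CarrierCert{Name: "carrier.example", PubKey: []byte("constructed-public-key-bytes")}
	srv := &Server{Permitted: map[string]bool{trusted.Fingerprint(): true}}
	fmt.Println(Negotiate(srv, trusted))
	fmt.Println(Negotiate(srv, CarrierCert{Name: "other.example", PubKey: []byte("other-key")}))
}
```

In the run in main, the pinned carrier completes the negotiation and both endpoints end up holding its public key, while an unpinned certificate is refused at step 903 and the connection continues without the extension.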
The solutions of the embodiments have been described above mainly from the perspective of interaction between network elements. It will be understood that, to implement the functions above, each network element, such as the first network device, the intermediate entity and the second network device, includes corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, and such implementations should not be considered beyond the scope of the present invention.
The embodiments may divide the first network device, the intermediate entity, the second network device and so on into functional modules according to the method examples above; for example, each function may be assigned its own module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. The division into modules in the embodiments is schematic and is only a logical functional division; other divisions are possible in an actual implementation.
Where integrated modules are used, Figure 10 shows a possible structure of the first network device of the embodiments above. The first network device 1000 includes a processing module 1002 and a communication module 1003. The processing module 1002 controls and manages the actions of the first network device; for example, it supports the first network device in performing process 502 of Figure 5, processes 801, 802, 810 and 811 of Figure 8, processes 901 and 905 of Figure 9, and/or other processes of the techniques described herein. The communication module 1003 supports communication between the first network device and other network entities, such as the intermediate entity. The first network device may further include a storage module 1001 for storing the program code and data of the first network device.
The processing module 1002 may be a processor or controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or of a DSP and a microprocessor. The communication module 1003 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a general term and may include one or more interfaces. The storage module 1001 may be a memory.
When the processing module 1002 is a processor, the communication module 1003 is a communication interface and the storage module 1001 is a memory, the first network device of the embodiments may be the first network device shown in Figure 11.
Referring to Figure 11, the first network device 1100 includes a processor 1102, a communication interface 1103 and a memory 1101, which may be interconnected by a communication connection.
Where integrated modules are used, Figure 12 shows a possible structure of the intermediate entity of the embodiments above. The intermediate entity 1200 includes a processing module 1202 and a communication module 1203. The processing module 1202 controls and manages the actions of the intermediate entity; for example, it supports the intermediate entity in performing processes 501, 503 and 504 of Figure 5, processes 801, 803, 804, 808 and 809 of Figure 8, processes 902 and 904 of Figure 9, and/or other processes of the techniques described herein. The communication module 1203 supports communication between the intermediate entity and other network entities, such as the first network device or the second network device. The intermediate entity may further include a storage module 1201 for storing the program code and data of the intermediate entity.
The processing module 1202 may be a processor or controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or of a DSP and a microprocessor. The communication module 1203 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a general term and may include one or more interfaces. The storage module 1201 may be a memory.
When the processing module 1202 is a processor, the communication module 1203 is a communication interface and the storage module 1201 is a memory, the intermediate entity of the embodiments may be the intermediate entity shown in Figure 13.
Referring to Figure 13, the intermediate entity 1300 includes a processor 1302, a communication interface 1303 and a memory 1301, which may be interconnected by a communication connection.
Where integrated modules are used, Figure 14 shows a possible structure of the second network device of the embodiments above. The second network device 1400 includes a processing module 1402 and a communication module 1403. The processing module 1402 controls and manages the actions of the second network device; for example, it supports the second network device in performing processes 505 and 506 of Figure 5, processes 801 and 805 to 807 of Figure 8, process 903 of Figure 9, and/or other processes of the techniques described herein. The communication module 1403 supports communication between the second network device and other network entities, such as the intermediate entity. The second network device may further include a storage module 1401 for storing the program code and data of the second network device.
The processing module 1402 may be a processor or controller, for example a central processing unit (CPU), a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, transistor logic device, hardware component or any combination thereof. It may implement or execute the various illustrative logical blocks, modules and circuits described in connection with the disclosure. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or of a DSP and a microprocessor. The communication module 1403 may be a communication interface, a transceiver, a transceiver circuit or the like; "communication interface" is a general term and may include one or more interfaces. The storage module 1401 may be a memory.
When the processing module 1402 is a processor, the communication module 1403 is a communication interface and the storage module 1401 is a memory, the second network device of the embodiments may be the second network device shown in Figure 15.
Referring to Figure 15, the second network device 1500 includes a processor 1502, a communication interface 1503 and a memory 1501, which may be interconnected by a communication connection.
The steps of the methods or algorithms described in connection with the disclosure may be implemented in hardware or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable hard disk, a CD-ROM or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may also be part of the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a core network interface device. The processor and the storage medium may also exist as discrete components in a core network interface device.
Those skilled in the art will appreciate that, in one or more of the examples above, the functions described herein may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, the functions may be stored on, or transmitted as one or more instructions or code on, a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access.
The specific implementations above further describe the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that they are only specific implementations of the present invention and do not limit its scope of protection; any modification, equivalent replacement or improvement made on the basis of the technical solutions of the present invention falls within its scope of protection.

Claims (21)

  1. A Quick UDP Internet Connections (QUIC) service control method, characterized in that the method comprises:
    a first network device receiving, from an intermediate entity, the public key of the intermediate entity;
    the first network device sending to the intermediate entity an interaction frame encrypted with the public key of the intermediate entity, wherein the interaction frame carries interaction information from the first network device to the intermediate entity, the interaction information instructs the intermediate entity to perform QUIC service control according to the interaction information, and the QUIC service is a service between the first network device and a second network device that passes through the intermediate entity.
  2. The method of claim 1, characterized in that the first network device receiving the public key of the intermediate entity from the intermediate entity comprises:
    during the QUIC connection establishment phase between the first network device and the second network device, the first network device receiving the public key of the intermediate entity from the intermediate entity.
  3. The method of claim 1 or 2, characterized in that the interaction frame belongs to an interaction stream, the interaction frame has a preset frame type, and the interaction stream has a preset stream identifier.
  4. The method of claim 1 or 2, characterized in that the interaction frame belongs to an interaction stream, the first two bits of the QUIC packet header of the interaction frame identify the interaction frame, and the interaction stream has a preset stream identifier.
  5. The method of any one of claims 1 to 4, characterized in that the interaction frame comprises the frame type, the stream identifier, the originator and means of the interaction information, and the content of the interaction information.
  6. The method of any one of claims 1 to 5, characterized in that, after the first network device sends the interaction frame encrypted with the public key of the intermediate entity to the intermediate entity, the method further comprises:
    the first network device receiving a window update frame from the second network device.
  7. A Quick UDP Internet Connections (QUIC) service control method, characterized in that the method comprises:
    an intermediate entity sending the public key of the intermediate entity to a first network device;
    the intermediate entity receiving from the first network device an interaction frame encrypted with the public key of the intermediate entity, wherein the interaction frame carries interaction information from the first network device to the intermediate entity;
    the intermediate entity performing QUIC service control according to the interaction information, wherein the QUIC service is a service between the first network device and a second network device that passes through the intermediate entity.
  8. The method of claim 7, characterized in that the intermediate entity performing QUIC service control according to the interaction information comprises:
    the intermediate entity adjusting network transmission of the QUIC service according to the interaction information and retaining the interaction frame;
    when the intermediate entity needs to send a QUIC service control message to the second network device, modifying the interaction frame, encrypting it with the private key of the intermediate entity, and sending the encrypted interaction frame to the second network device.
  9. The method of claim 7 or 8, characterized in that the intermediate entity sending the public key of the intermediate entity to the first network device comprises:
    during the QUIC connection establishment phase between the first network device and the second network device, the intermediate entity sending the public key of the intermediate entity to the first network device.
  10. The method of any one of claims 7 to 9, characterized in that the intermediate entity receiving from the first network device the interaction frame encrypted with the public key of the intermediate entity comprises:
    the intermediate entity receiving an interaction stream from the first network device, wherein the interaction stream has a preset stream identifier;
    the intermediate entity parsing, with the private key of the intermediate entity, the interaction frame encrypted with the public key of the intermediate entity, wherein the interaction frame belongs to the interaction stream and the interaction frame has a preset frame type.
  11. The method of any one of claims 7 to 9, characterized in that the intermediate entity receiving from the first network device the interaction frame encrypted with the public key of the intermediate entity comprises:
    the intermediate entity receiving an interaction stream from the first network device, wherein the interaction stream has a preset stream identifier;
    the intermediate entity parsing, with the private key of the intermediate entity, the interaction frame encrypted with the public key of the intermediate entity, wherein the interaction frame belongs to the interaction stream and the first two bits of the QUIC packet header of the interaction frame identify the interaction frame.
  12. The method of any one of claims 7 to 11, characterized in that the interaction frame comprises the frame type, the stream identifier, the originator and means of the interaction information, and the content of the interaction information.
  13. A Quick UDP Internet Connections (QUIC) service control method, characterized in that the method comprises:
    a second network device receiving, from an intermediate entity, the public key of the intermediate entity;
    the second network device receiving from the intermediate entity an interaction frame encrypted with the private key of the intermediate entity, wherein the interaction frame carries interaction information from the intermediate entity to the second network device;
    the second network device performing QUIC service control according to the interaction information, wherein the QUIC service is a service between the second network device and a first network device that passes through the intermediate entity.
  14. The method of claim 13, characterized in that the second network device performing QUIC service control according to the interaction information comprises:
    the interaction information indicating downlink congestion, and the second network device lowering its transmission rate according to the interaction information; or
    the interaction information indicating uplink congestion, and the second network device sending a window update frame to the first network device according to the interaction information.
  15. The method of claim 13 or 14, characterized in that the second network device receiving the public key of the intermediate entity from the intermediate entity comprises:
    during the QUIC connection establishment phase between the second network device and the first network device, the second network device receiving the public key of the intermediate entity from the intermediate entity.
  16. The method of any one of claims 13 to 15, characterized in that the interaction frame belongs to an interaction stream, the interaction frame has a preset frame type, and the interaction stream has a preset stream identifier.
  17. The method of any one of claims 13 to 15, characterized in that the interaction frame belongs to an interaction stream, the first two bits of the QUIC packet header of the interaction frame identify the interaction frame, and the interaction stream has a preset stream identifier.
  18. The method of any one of claims 13 to 17, characterized in that the interaction frame comprises the frame type, the stream identifier, the originator and means of the interaction information, and the content of the interaction information.
  19. A network device, characterized in that the network device is configured to perform the method of any one of claims 1 to 6.
  20. A network device, characterized in that the network device is configured to perform the method of any one of claims 7 to 12.
  21. A network device, characterized in that the network device is configured to perform the method of any one of claims 13 to 18.
PCT/CN2018/101332 2017-08-23 2018-08-20 QUIC service control method and network device WO2019037685A1 (zh)

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
CN201710729529.0 | 2017-08-23
CN201710729529.0A CN109428828A (zh) | 2017-08-23 | 2017-08-23 | QUIC service control method and network device

Publications (1)

Publication Number | Publication Date
WO2019037685A1 true WO2019037685A1 (zh) | 2019-02-28
