WO2019137554A1 - Method and device for ensuring operation security of ring network protocol - Google Patents


Info

Publication number
WO2019137554A1
Authority
WO
WIPO (PCT)
Prior art keywords
ring
node
protocol
ring network
packet
Prior art date
Application number
PCT/CN2019/071745
Other languages
French (fr)
Chinese (zh)
Inventor
许进林
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/42 Loop networks
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Definitions

  • the present invention relates to the field of network communications, and in particular, to a method and apparatus for ensuring the security of a ring network protocol.
  • An Ethernet ring network is an Ethernet network built on a physical ring topology that avoids a logical loop by blocking the backup link of the ring. If a logical loop does form, broadcast frames propagate around the ring indefinitely and flood it.
  • the method for ensuring the security of the ring network protocol is provided by the embodiment of the present invention, and solves the problem of stability of the ring network operation.
  • The embodiment of the present invention provides a method for ensuring the operation security of a ring network protocol, including: a ring node in the Ethernet ring network receives a protocol packet and obtains the encrypted information carried in the protocol packet for ensuring the secure operation of the ring network protocol; the ring node determines, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring network node; if the source node is determined to be another ring node of the Ethernet ring network, the ring node processes and forwards the protocol packet; if the source node is determined to be a non-ring network node, the ring node discards the protocol packet.
  • A second aspect of the present invention provides an apparatus for ensuring the security of a ring network protocol, comprising: a packet receiving module, configured to receive a protocol packet and obtain the encrypted information carried by the protocol packet for ensuring the secure operation of the ring network protocol; a source node determining module, configured to determine, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring network node; a processing and forwarding module, configured to process and forward the protocol packet if its source node is determined to be another ring node of the Ethernet ring network; and a packet discarding module, configured to discard the protocol packet if its source node is determined to be a non-ring network node.
  • An embodiment of the present invention further provides an electronic device, including: at least one processor; and a memory communicably connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to cause it to perform the methods described in the aspects above.
  • An embodiment of the present invention further provides a non-transitory computer readable storage medium storing computer executable instructions for executing the methods described in the aspects above.
  • An embodiment of the present invention further provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the methods described in the aspects above.
  • FIG. 1 is a flowchart of the method for ensuring operation security of a ring network protocol according to an embodiment of the present invention.
  • FIG. 2 is a block diagram of a device for ensuring operation security of a ring network protocol according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the physical topology of a ring network according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the forward EP (effective path) of a ring network according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of the reverse EP of a ring network according to an embodiment of the present invention.
  • FIG. 6 is a schematic diagram of the use of the reserved field of the packet according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of the hardware of an electronic device for performing the method for ensuring operation security of a ring network protocol according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of ensuring the security of a ring network protocol according to an embodiment of the present invention. As shown in FIG. 1 , the steps include:
  • Step S101: A ring node in the Ethernet ring network receives a protocol packet and obtains the encrypted information carried in the packet for ensuring the secure operation of the ring network protocol.
  • Specifically, the ring node parses the received protocol packet and obtains the encrypted information from its reserved field.
  • Step S102: The ring node determines, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring network node.
  • Specifically, the ring node decrypts the encrypted information to obtain the information for ensuring the secure operation of the ring network protocol and performs a legality check on it. If the check succeeds, the ring node determines that the source node of the protocol packet is another ring node of the Ethernet ring network; if the check fails, the ring node determines that the source node is a non-ring network node.
  • The information used to ensure the secure operation of the ring network protocol includes the MAC address of the source node, an effective path (EP) representing the relative number of paths between the source node and the ring node, the ring identifier (ringId) of the Ethernet ring network, and the message type. The source MAC address and EP of a protocol packet are determined by the physical network topology, so once the ring network is deployed the EP between each ring node and every other ring node is known.
  • When performing the legality check, if the decrypted MAC address and its corresponding EP are found in the pre-configured MAC-EP entries, the pre-configured ring identifier matches the decrypted ring identifier, and the packet type of the protocol packet matches the decrypted packet type, the ring node determines that the check succeeds; otherwise it determines that the check fails.
  • Step S103 If it is determined that the source node of the protocol packet is another ring node of the Ethernet ring network, the ring node processes and forwards the protocol packet.
  • Specifically, the ring node adds 1 to the decrypted EP to obtain a new EP, and encrypts the MAC address, the new EP, the ring identifier and the packet type to obtain new encrypted information for ensuring the secure operation of the ring network protocol. The ring node then fills the new encrypted information into the reserved field of the protocol packet and forwards the packet carrying it.
  • The ring node XORs the MAC address with a preset key to obtain the first encrypted information, applies a shift operation to the new EP, the ring identifier and the packet type to obtain the second encrypted information, and concatenates the first and second encrypted information to obtain the new encrypted information.
  • Correspondingly, decryption XORs the first part of the encrypted information (the first encrypted information) with the preset key to recover the MAC address, and applies the reverse shift operation to the second part (the second encrypted information) to recover the EP, the ring identifier and the message type.
  • Step S104 If it is determined that the source node of the protocol packet is a non-ring network node, the ring node discards the protocol packet.
  • The present invention may further provide a storage medium disposed on a ring node of an Ethernet ring network, the storage medium storing a program for ensuring the operation security of the ring network protocol.
  • the storage medium may include a ROM/RAM, a magnetic disk, an optical disk, and a USB flash drive.
  • FIG. 2 is a block diagram of a device for ensuring the security of a ring network protocol according to an embodiment of the present invention. As shown in FIG. 2, the device includes:
  • The packet receiving module is configured to receive the protocol packet and obtain the encrypted information carried in it for ensuring the secure operation of the ring network protocol. Specifically, the packet receiving module parses the received protocol packet and obtains the encrypted information from its reserved field.
  • The source node determining module is configured to determine, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring network node. Specifically, the source node determining module decrypts the encrypted information to obtain the information for ensuring the secure operation of the ring network protocol, including the MAC address of the source node, the EP representing the relative number of paths between the source node and the ring node, the ring identifier and the packet type.
  • The source node determining module performs a legality check on this information: if the decrypted MAC address and its corresponding EP are found in the pre-configured MAC-EP entries, the pre-configured ring identifier matches the decrypted ring identifier, and the packet type of the protocol packet matches the decrypted packet type, the check succeeds and the source node of the protocol packet is determined to be another ring node of the Ethernet ring network. Otherwise the check fails and the source node is determined to be a non-ring network node.
  • The processing and forwarding module is configured to process and forward the protocol packet if its source node is determined to be another ring node of the Ethernet ring network. Specifically, the processing and forwarding module adds 1 to the decrypted EP to obtain a new EP, encrypts the MAC address, the new EP, the ring identifier and the packet type to obtain new encrypted information for ensuring the secure operation of the ring network protocol, fills the new encrypted information into the reserved field of the protocol packet, and forwards the packet carrying it.
  • the packet discarding module is configured to discard the protocol packet if the source node of the protocol packet is a non-ring network node.
  • the functions of the packet receiving module, the source node determining module, the processing and forwarding module, and the packet discarding module may be set on a ring node of an Ethernet ring, and may be executed by a processor of the ring node.
  • the program for ensuring the safe operation of the ring network protocol stored in the memory realizes the functions of each module.
  • The present invention may also provide an apparatus for ensuring the operation security of a ring network protocol, comprising a processor and a memory coupled to the processor; the memory stores a program for ensuring the secure operation of the ring network protocol that is operable to run on the processor, and the method for ensuring the operation security of the ring network protocol is implemented when the program is executed by the processor.
  • The embodiments of the present invention provide a general Ethernet ring network protocol packet processing algorithm which ensures that only packets sent by nodes in the ring network (ring nodes) are processed and forwarded, while packets sent by nodes outside the ring network (non-ring network nodes) are discarded directly.
  • Once the ring is deployed its physical topology is fixed, so the EP between ring nodes is fixed, and the source MAC (Medium Access Control) address of each ring node is also fixed.
  • These two elements are invariant and can be extracted as the invariant elements of a universal ring network protocol.
  • Using these two invariant elements together with elements specific to each protocol (variable elements), a chosen encryption algorithm can secure the protocol packets.
  • Taking the ERPS (Ethernet Ring Protection Switching) protocol described in G.8032 as an example, the ring identifier (ringId, the logical ring identifier) and the packet type are selected as the variable elements, and the application of the invention in engineering is described.
  • The source MAC address of the ring node and the EP are combined with the ringId and the packet type of the ERPS instance, and the ciphertext generated from them by the encryption algorithm is filled into the reserved field of the ERPS protocol packet.
  • Suppose a ring node sends a protocol packet. The neighbouring ring node receives it, parses the ciphertext, recovers the four elements above and checks their legality: packets that pass the check are processed, and packets that fail are discarded directly. This makes spoofed attack packets much harder to craft, secures the packets in the ring network and prevents malicious damage to the ring.
  • All ring nodes complete the configuration of the ERPS ring network service according to the role requirements of the ring deployment and ensure it is correct.
  • This work includes creating the ERPS instance, configuring the ringId of the ERPS instance, and configuring the port roles.
  • Each ring node also needs to be configured with the source MAC address, forward EP and reverse EP of every other ring node.
  • The forward EP here is the number of paths between two ring nodes when the RPL (Ring Protection Link) is not enabled.
  • The reverse EP is the number of paths between two ring nodes when the RPL is enabled.
  • The EP of a given ring node differs from one ring node to another; it is determined by the physical network topology.
  • From the two invariant elements, the ring node's source MAC address and the EP, an entry called the MAC-EP entry is generated on each ring node. For a deployed physical ring topology this entry is unique on each ring node. Since several logical rings (several ERPS instances) may be configured on one physical ring, the ringId is selected as a variable element to take part in generating the ciphertext. In addition, the message type is included in the ciphertext calculation to make the ciphertext harder to break, so that even if someone maliciously intercepts a message, tampering with it is very difficult.
  • The destination MAC address (01-19-a8-00-00-[instance id]), Ethernet type (8902), version and opcode (the message number defined in Y.1731) are exactly the same as in a standard ERPS protocol packet. The only difference is that a field is set aside inside the packet's Reserved 2 field (24 octets); its size is determined by the length of the ciphertext, and it is filled with the ciphertext synthesised from the source MAC address, the EP effective path, the ringId and the packet type, as shown in Figure 6.
  • On receiving a protocol packet, the ring node parses the ciphertext in the reserved field to recover the source MAC address, EP, ringId and packet type. It looks up its local MAC-EP entries by MAC address and EP; if that matches, it then checks the ringId and the packet type. If all checks pass, the packet is processed, the EP value in the ciphertext is incremented by one, and the packet is re-encrypted and repackaged for forwarding; otherwise it is discarded without response.
  • a specific encryption algorithm is not limited, and the user can flexibly select according to his own needs.
  • The MAC address occupies 6 bytes; a specific number is chosen as the key and the ciphertext is generated by XOR.
  • The generated ciphertext also occupies 6 bytes.
  • The EP, the ringId and the protocol message type each fit in one byte; they are encrypted by a shift operation into a value occupying 4 bytes.
  • The shift rule is: the EP is shifted left by 20 bits, the ringId left by 12 bits, and the message type left by 4 bits.
  • The concatenation of the two parts is filled into the reserved field of the protocol message.
  • The general networking state implemented by the present invention is shown in FIG. 3.
  • Several devices form a ring network (assume eight ring nodes, node1 to node8), and according to the physical topology in FIG. 3 the relative forward and reverse EP effective paths of all ring nodes are determined.
  • Taking node4 as an example, the forward EP from node4 to each of the other nodes is shown in Figure 4.
  • With the RPL link not enabled, the number of paths between node4 and each ring node is counted. For example, for the forward EP between node4 and node2: the link between node4 and node2 is normal and the RPL link between node1 and node8 is not enabled, so the forward EP between node4 and node2 is 2. The reverse EP is shown in Figure 5.
  • For the reverse EP between node4 and each ring node, for example between node4 and node2, the link between node4 and node2 is disconnected and the RPL link between node1 and node8 is enabled, so the reverse EP between node4 and node2 is 6.
  • The EP is set to 1 by the ring node that sends the message and is incremented by one each time the packet passes a ring node. Therefore the EP effective path held locally for another ring node is the relative number of paths between the two ring nodes.
  • The EP value seen at an adjacent ring node is 1.
  • A MAC-EP entry is generated locally; Table 1 shows the MAC-EP entry on node4.
  • The lifetime of this entry is the same as that of the ERPS instance: when the instance is deleted, the entry is destroyed.
  • The source MAC address, forward EP and reverse EP of each ring node must be configured by the user on all ring nodes when the ring is deployed.
  • The order of the other ring nodes in node4's entries may vary with the order of configuration, but the contents of the entries must be unique.
  • The ERPS protocol encryption function is enabled.
  • Suppose node4 is sending a protocol packet with packet type 0xb.
  • When the reserved field is filled, the first 6 bytes hold the ciphertext generated from the local source MAC address, and the last 4 bytes hold the ciphertext generated from the EP effective path, the ringId and the packet type.
  • The 6-byte source MAC address is encrypted with a bytewise XOR (^) operation.
  • The source MAC address of node4 is 52-54-00-94-78-3C, so the plaintext is 52540094783C, and the key is set to the number 6 (0110).
  • The result of the XOR is 545206927E3A; this is the ciphertext (obtained by bytewise exclusive OR).
  • The EP of node4 (1, since the sending node sets the EP to 1), the logical ring identifier ringId (assumed to be 50, i.e. 0x32) and the message type (0xb) are encrypted by the shift operation.
  • The ciphertext size is 4 bytes: the upper 4 bits may be filled with any value, the EP effective path is shifted left by 20 bits, the ringId left by 12 bits, the message type left by 4 bits, and the lower 4 bits may be filled with any value, producing a 4-byte integer.
  • Random values can be introduced into the upper and lower 4 bits, which makes the ciphertext harder to break. Assuming the upper and lower 4 bits are filled with 0, the calculated ciphertext is 001320B0. Under the overall encryption scheme, the final ciphertext is 545206927E3A001320B0.
  • After receiving the protocol packet sent by node4, the adjacent node node3 first takes the 10-byte ciphertext out of the reserved field and decrypts it.
  • The first 6 bytes are the ciphertext 545206927E3A of the MAC address; XORing them with the key 6 (0110) yields the MAC address 52540094783C, the source MAC address of node4.
  • node3 then uses the decrypted EP together with the source MAC address 52-54-00-94-78-3C to look up its own MAC-EP entries; see Table 2.
  • The third line matches, indicating that the legality check of the MAC-EP entry is passed. Note that if the decrypted EP matches either the forward EP or the reverse EP of the entry, the entry check is considered legal.
  • The next step is to verify the ringId and the message type.
  • The ringId must be the same as the ringId of the local ERPS instance.
  • The packet type (0xb) must be the same as the Request/State field in the protocol packet. After the ciphertext check is passed, the node performs the other processing of the message.
  • node3 then increments the EP value of the ciphertext part by one (to 2) and re-encrypts the MAC address 52-54-00-94-78-3C, the new EP, the ringId 50 and the message type 0xb according to the encryption rules above.
  • The generated ciphertext 545206927E3A002320B0 is packaged into the packet again and forwarded.
  • node2 receives the packet forwarded by node3. Likewise, the ciphertext in the reserved field is first taken out and parsed; the parsing process is the same as on node3.
  • The calculated result is source MAC address 52-54-00-94-78-3C, EP effective path 2, ringId 50 and message type 0xb. The local MAC-EP entries are looked up as shown in Table 3.
  • The first case tampers with the source MAC address of the packet. Suppose a protocol packet is intercepted at node4 and sent out from node4 with the MAC address changed to that of the attacker's own device, 02-54-00-04-78-48, and the rest of the packet unchanged. The ring node that receives it traverses its local MAC-EP entries and finds no entry whose MAC address equals the attack packet's MAC address, so the packet from the unknown source is discarded.
  • The second case assumes that the attacker captures a normal message at node4 and wants to send it out from node6 with the content completely unchanged.
  • When node7 receives the attack packet, it parses it: the EP value calculated from the ciphertext is 1, whereas in node7's MAC-EP entry the forward EP for MAC address 52-54-00-94-78-3C is 3 and the reverse EP is 5 (see Table 4). An EP value of 1 matches neither, so the packet's position in the ring is wrong; this is also an abnormal packet and it is discarded.
  • The last case modifies the packet type to forge a ring network fault packet. The packet is captured at node4 and sent from node4 with the other parts unchanged. When node3 checks the packet type, the check fails and the message is discarded.
  • All the nodes in the ring network follow the above packet processing rules to avoid responding to the spoofed protocol attack packets, thus greatly improving the stability of the ring network.
  • The embodiment of the present invention is a general processing algorithm for ensuring the security of a ring network protocol in the field of network communication.
  • By encrypting and decrypting the protocol message, it effectively improves the operation security of the ring network protocol, prevents the ring network from responding to spoofed attack packets that would affect its stability, and removes the hidden dangers of ring network protocol packets in engineering applications.
  • Embodiments of the present invention provide a non-transitory (non-volatile) computer storage medium storing computer-executable instructions that can perform the methods of any of the foregoing method embodiments.
  • Embodiments of the present invention provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of any of the above method embodiments.
  • FIG. 7 is a schematic diagram of a hardware structure of an electronic device for performing a method for ensuring operation security of a ring network protocol according to an embodiment of the present invention.
  • The device includes one or more processors 610 and a memory 620; one processor 610 is taken as an example.
  • the device may also include an input device 630 and an output device 640.
  • The processor 610, the memory 620, the input device 630 and the output device 640 may be connected by a bus or other means; a bus connection is shown as an example in FIG. 7.
  • the memory 620 is a non-transitory computer readable storage medium for storing non-transitory software programs, non-transitory computer executable programs, and modules.
  • the processor 610 executes various functional applications and data processing of the electronic device by running non-transitory software programs, instructions, and modules stored in the memory 620, that is, the processing method of the above method embodiments.
  • the memory 620 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function; the storage data area may store data or the like.
  • memory 620 can include high speed random access memory, and can also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device.
  • memory 620 can optionally include memory remotely located relative to processor 610, which can be connected to the processing device over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
  • Input device 630 can receive input digital or character information and generate a signal input.
  • the output device 640 can include a display device such as a display screen.
  • the one or more modules are stored in the memory 620, and when executed by the one or more processors 610, perform the methods of any of the above method embodiments.
  • the above product can perform the method provided by the embodiment of the present invention, and has the corresponding functional modules and beneficial effects of the execution method.
  • the electronic device of the embodiments of the present invention exists in various forms including, but not limited to, the following devices.
  • Server: a device that provides computing services. A server consists of a processor, hard disk, memory, system bus and so on. Its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, it has higher requirements for processing power, stability, reliability, security, scalability and manageability.
  • Other electronic devices with data interaction capabilities.
  • the device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed across multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention relates to the field of network communications, and provides a method and device for ensuring operation security of a ring network protocol. The method comprises: a ring node in an Ethernet ring network receives a protocol packet and obtains the encryption information carried in the protocol packet for ensuring operation security of the ring network protocol; the ring node determines, according to the encryption information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring node; if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network, the ring node processes and forwards the protocol packet; if the source node of the protocol packet is determined to be a non-ring node, the ring node discards the protocol packet.

Description

Method and device for ensuring operation security of ring network protocol
Cross reference
The present application claims priority to Chinese Patent Application No. 201810034033.6, filed with the Chinese Patent Office on January 15, 2018 and entitled "Method and device for ensuring operation security of ring network protocol", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of network communications, and in particular to a method and device for ensuring operation security of a ring network protocol.
Background
An Ethernet ring network is an Ethernet network whose physical structure forms a ring; it avoids forming a logical loop by blocking the backup link in the ring. If a logical loop does form, broadcast frames propagate around the ring indefinitely and flood it with broadcast traffic.
In practical engineering deployments, extreme situations sometimes arise, such as attacks using protocol packets. Such spoofed packets cause drastic changes in the ring state: links flap rapidly and large numbers of protocol packets are generated, and in the worst case the protocol packets form a logical loop and the network collapses. Ensuring the stability of ring operation is therefore critical.
Summary of the invention
Embodiments of the present invention provide a method for ensuring operation security of a ring network protocol, which solves the stability problem of ring network operation.
In a first aspect, an embodiment of the present invention provides a method for ensuring operation security of a ring network protocol, comprising: a ring node in an Ethernet ring network receives a protocol packet and obtains the encryption information carried in the protocol packet for ensuring secure operation of the ring network protocol; the ring node determines, according to the encryption information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring node; if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network, the ring node processes and forwards the protocol packet; if the source node of the protocol packet is determined to be a non-ring node, the ring node discards the protocol packet.
In a second aspect, an embodiment of the present invention provides a device for ensuring operation security of a ring network protocol, comprising: a packet receiving module, configured to receive a protocol packet and obtain the encryption information carried in the protocol packet for ensuring secure operation of the ring network protocol; a source node determining module, configured to determine, according to the encryption information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring node; a processing and forwarding module, configured to process and forward the protocol packet if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network; and a packet discarding module, configured to discard the protocol packet if the source node of the protocol packet is determined to be a non-ring node.
To achieve the above object, an embodiment of the present invention further provides an electronic device, comprising: at least one processor; and a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so as to cause the at least one processor to perform the method described in the aspects above.
To achieve the above object, an embodiment of the present invention further provides a non-transitory computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for performing the method described in the aspects above.
To achieve the above object, an embodiment of the present invention further provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method described in the aspects above.
Brief description of the drawings
One or more embodiments are illustrated by way of example in the corresponding figures; these illustrations do not limit the embodiments. Elements with the same reference numerals in the figures denote similar elements, and unless otherwise stated the figures are not drawn to scale.
Figure 1 is a flowchart of ensuring operation security of a ring network protocol according to an embodiment of the present invention;
Figure 2 is a block diagram of a device for ensuring operation security of a ring network protocol according to an embodiment of the present invention;
Figure 3 is a schematic diagram of the physical topology of a ring network according to an embodiment of the present invention;
Figure 4 is a schematic diagram of the forward EP effective paths of a ring network according to an embodiment of the present invention;
Figure 5 is a schematic diagram of the reverse EP effective paths of a ring network according to an embodiment of the present invention;
Figure 6 is a schematic diagram of the use of the reserved field of a packet according to an embodiment of the present invention;
Figure 7 is a schematic diagram of the hardware structure of an electronic device that performs the method for ensuring operation security of a ring network protocol according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here are only intended to illustrate and explain the invention and are not intended to limit it.
Figure 1 is a flowchart of ensuring operation security of a ring network protocol according to an embodiment of the present invention. As shown in Figure 1, the steps include:
Step S101: a ring node in the Ethernet ring network receives a protocol packet and obtains the encryption information carried in the protocol packet for ensuring secure operation of the ring network protocol.
The ring node obtains the encryption information from the reserved field of the protocol packet by parsing the received packet.
Step S102: the ring node determines, according to the encryption information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring node.
The ring node decrypts the encryption information to obtain the information used to ensure secure operation of the ring network protocol, and checks the legality of that information. If the check succeeds, the ring node determines that the source node of the protocol packet is another ring node of the Ethernet ring network; if the check fails, the ring node determines that the source node of the protocol packet is a non-ring node.
The information used to ensure secure operation of the ring network protocol includes the MAC address of the source node, an effective path (EP) representing the number of relative paths between the source node and the ring node, the ring identifier (ringId) of the Ethernet ring network, and the packet type. The source MAC address of the node sending the protocol packet and the EP are determined by the physical network topology, so once the ring is deployed the EP between each ring node and every other ring node can be determined.
When the ring node performs the legality check: if the decrypted MAC address and the corresponding EP are found in the pre-configured MAC-EP table, the pre-configured ring identifier matches the decrypted ring identifier, and the packet type of the protocol packet matches the decrypted packet type, the ring node determines that the check of the information for secure operation of the ring network protocol succeeds; otherwise it determines that the check fails.
Step S103: if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network, the ring node processes and forwards the protocol packet.
The ring node adds 1 to the decrypted EP to obtain a new EP, encrypts the MAC address, the new EP, the ring identifier and the packet type to obtain new encryption information for ensuring secure operation of the ring network protocol, fills the new encryption information into the reserved field of the protocol packet, and forwards the protocol packet carrying the new encryption information.
The following encryption algorithm may be used: the ring node XORs the MAC address with a preset key to obtain first encryption information, applies a shift operation to the new EP, the ring identifier and the packet type to obtain second encryption information, and then combines the first and second encryption information to obtain the new encryption information.
Correspondingly, after the next ring node obtains the new encryption information, it XORs the first part of the encryption information (the first encryption information) with the preset key to obtain the MAC address, and applies the reverse shift operation to the second part (the second encryption information) to obtain the new EP, the ring identifier and the packet type.
Step S104: if the source node of the protocol packet is determined to be a non-ring node, the ring node discards the protocol packet.
Those skilled in the art will understand that all or part of the steps of the above embodiments may be implemented by a program instructing the relevant hardware, and the program may be stored in a computer-readable storage medium. Further, the present invention may also provide a storage medium arranged on a ring node of an Ethernet ring network, the storage medium storing a program for ensuring operation security of the ring network protocol which, when executed by a processor, implements the steps of the method for ensuring operation security of the ring network protocol described above. The storage medium may include ROM/RAM, a magnetic disk, an optical disc or a USB flash drive.
Figure 2 is a block diagram of a device for ensuring operation security of a ring network protocol according to an embodiment of the present invention. As shown in Figure 2, the device includes:
A packet receiving module, configured to receive a protocol packet and obtain the encryption information carried in it for ensuring secure operation of the ring network protocol. Specifically, the packet receiving module parses the received protocol packet and obtains the encryption information from its reserved field.
A source node determining module, configured to determine, according to the encryption information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring node. Specifically, the source node determining module decrypts the encryption information to obtain the information used to ensure secure operation of the ring network protocol, including the MAC address of the source node, the effective path EP representing the number of relative paths between the source node and the ring node, the ring identifier of the Ethernet ring network, and the packet type. The module then checks the legality of that information: if the decrypted MAC address and the corresponding EP are found in the pre-configured MAC-EP table, the pre-configured ring identifier matches the decrypted ring identifier, and the packet type of the protocol packet matches the decrypted packet type, the check succeeds and the source node of the protocol packet is determined to be another ring node of the Ethernet ring network; otherwise the check fails and the source node is determined to be a non-ring node.
A processing and forwarding module, configured to process and forward the protocol packet if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network. Specifically, the processing and forwarding module adds 1 to the decrypted EP to obtain a new EP, encrypts the MAC address, the new EP, the ring identifier and the packet type to obtain new encryption information for ensuring secure operation of the ring network protocol, fills the new encryption information into the reserved field of the protocol packet, and forwards the protocol packet carrying the new encryption information.
A packet discarding module, configured to discard the protocol packet if the source node of the protocol packet is determined to be a non-ring node.
The functions of the packet receiving module, the source node determining module, the processing and forwarding module and the packet discarding module may be provided on a ring node of the Ethernet ring, and may be implemented by the processor of the ring node executing a program, stored in memory, for ensuring operation security of the ring network protocol. Further, the present invention may also provide a device for ensuring operation security of a ring network protocol, comprising a processor and a memory coupled to the processor, the memory storing a program for ensuring operation security of the ring network protocol that can run on the processor, which, when executed by the processor, implements the steps of the method for ensuring operation security of the ring network protocol described above.
In summary, embodiments of the present invention provide a generic processing algorithm for Ethernet ring network protocol packets, which ensures that only packets sent by nodes belonging to the ring (ring nodes) are processed and forwarded, while packets sent by nodes outside the ring (non-ring nodes) are discarded directly. Once an Ethernet ring network is deployed, its physical topology is fixed, and the source MAC address (Medium Access Control address, the physical address) of each ring node is also fixed. For different ring network protocols these two elements are invariant, and can be extracted as the invariant elements of a generic ring network protocol. Using these two invariant elements together with protocol-specific elements (variable elements), and applying a certain encryption algorithm, the security of protocol packets can be ensured. The embodiments of the present invention take the ERPS (Ethernet Ring Protection Switching) protocol described in G.8032 as an example, and select the ringId (ring identification, the logical ring identifier) and the packet type as the variable elements, to describe the engineering application of the invention.
The source MAC address of the ring node and the EP (effective path, the ring network effective path defined in this embodiment) are selected and combined with the ringId and packet type of the ERPS instance, and the ciphertext generated by the encryption algorithm is filled into the reserved field of the ERPS protocol packet. Suppose a ring node sends a protocol packet: the adjacent ring node receives it, parses the ciphertext, recovers the four elements above and checks their legality. Only packets that pass the legality check are processed; protocol packets that fail are discarded directly. This greatly increases the difficulty of forging attack packets, ensures the security of packets in the ring, and prevents the ring from being maliciously damaged.
Specifically, the following scheme may be adopted:
1. Ring network environment deployment
All ring nodes complete the configuration for enabling the ERPS ring service according to the roles assigned by the ring deployment, and ensure that it is correct. This work includes creating the ERPS instance, configuring the ringId of the ERPS instance, and configuring the port roles.
In addition to this basic configuration, each ring node must also be configured with the source MAC address, forward EP and reverse EP of every other ring node. The forward EP is the number of paths between two ring nodes when the RPL (Ring Protection Link, the backup link) is not enabled; the reverse EP is the number of paths between the two ring nodes when the RPL link is enabled. The EP of a given ring node differs from one other ring node to the next, as it is determined by the physical network topology.
2. Selection of key factors
From the invariant elements, the ring node source MAC address and the EP effective path, a table is generated on each ring node, referred to here as the MAC-EP table. For a deployed physical ring topology this table is unique on each ring node. Because several logical rings (several ERPS instances) may be configured on one physical ring, selecting the ringId as a variable element participating in ciphertext generation is necessary. In addition, the packet type is selected to participate in the ciphertext calculation to increase the difficulty of breaking the ciphertext. Even if someone maliciously intercepts a packet, tampering with it is very difficult.
3. Structure of the protocol packet
It is consistent with the standard ERPS protocol packet. The destination MAC is 01-19-a8-00-00-[instance id], the Ethertype is 8902, and the version and opcode (the message code, defined in Y.1731) are identical to those of the ERPS standard protocol packet. The difference is that a field is carved out of the packet's reserved field Reserved 2 (24 octets), its size determined by the length of the ciphertext, and this field is filled with the combined ciphertext generated from the source MAC address, the EP effective path, the ringId and the packet type, as shown in Figure 6.
4. Processing of protocol packets
When a ring node receives a protocol packet, it parses the ciphertext in the reserved field to recover the source MAC, EP, ringId and packet type. It looks up the local MAC-EP table by MAC address and EP; if that matches, it proceeds to check the ringId and packet type. If all of these checks pass, then after the packet has been processed the EP value in the ciphertext is incremented by one and the packet is re-encrypted, repacked and forwarded; otherwise the packet is discarded without response.
5. Selection of the key
In principle no particular encryption algorithm is prescribed; users may choose flexibly according to their own needs. For the four elements selected above to participate in ciphertext synthesis, the embodiments of the present invention use two key algorithms: an XOR operation and a shift operation. The MAC address occupies 6 bytes; a specific number is selected as the key and the ciphertext is generated with XOR, the resulting ciphertext also occupying 6 bytes. The EP can be represented in one byte, the ringId occupies one byte and the protocol packet type occupies one byte; these are encrypted with a shift operation and occupy 4 bytes. The key rule is: the EP is shifted left by 20 bits, the ringId left by 12 bits and the packet type left by 4 bits. The ciphertext formed from these two parts is filled into the reserved field of the protocol packet.
The implementation of the technical solution is described in further detail below with reference to Figures 3 to 6. Parts well known to those skilled in the art are not described, or not described in detail, and the various operations are described in order as a number of separate steps.
The general network for an implementation of the invention is shown in Figure 3: a number of devices form a ring (assume eight ring nodes, node1 to node8), and from the physical topology in Figure 3 the relative forward and reverse EP effective paths of all ring nodes are determined. Taking node4 as an example, Figure 4 shows the forward EPs at node4, i.e. the number of paths between node4 and each ring node when the RPL link is not enabled. For instance, to compute the forward EP between node4 and node2: the link between node4 and node2 is up and the RPL link between node1 and node8 is not enabled, so the forward EP between node4 and node2 is 2. The reverse EPs are shown in Figure 5, i.e. the number of paths between node4 and each ring node when the RPL link is enabled. For instance, to compute the reverse EP between node4 and node2: the link between node4 and node2 is down and the RPL link between node1 and node8 is enabled, so the reverse EP between node4 and node2 is 6. The EP is set to 1 at the ring node sending the packet and is incremented by one at each ring node it passes. The EP effective path of another ring node at the local node is therefore the number of relative paths between the two ring nodes, and the EP value of an adjacent ring node is 1.
Combining this with the source MAC addresses of the other ring nodes, a MAC-EP table is generated locally; Table 1 shows the MAC-EP table on node4. The lifetime of this table is the same as that of the ERPS instance: when the instance is deleted the table is destroyed. The source MAC address, forward EP and reverse EP of the ring nodes are configured by the user on all ring nodes at deployment time.
Table 1. MAC address and EP table (node4)
Node    MAC                  Forward EP   Reverse EP
node1   52-54-00-94-78-39    3            5
node2   52-54-00-94-78-3a    2            6
node3   52-54-00-94-78-3b    1            7
node5   52-54-00-94-78-3d    1            7
node6   52-54-00-94-78-3e    2            6
node7   52-54-00-94-78-3f    3            5
node8   52-54-00-94-78-40    4            4
The position of the other ring nodes in node4's table is not fixed and follows the order of configuration, but the contents of the entries are unique. Once the necessary ERPS configuration data is complete on all ring nodes, the ERPS protocol encryption function is enabled.
Assume node4 is currently sending a protocol packet with packet type 0xb. When filling the reserved field, the first 6 bytes carry the ciphertext generated from the local source MAC address, and the last 4 bytes store the ciphertext formed from the EP effective path, the ringId and the packet type.
The source MAC address is encrypted by XORing its 6 bytes (the "^" operation). The source MAC address of node4 is 52-54-00-94-78-3C, so the plaintext is 52540094783C; setting the key to the number 6 (0110), the XOR of the two gives 545206927E3A, which is the ciphertext (obtained by XORing byte by byte). The EP of node4 (1), the logical ring identifier ringId (assumed to be 50, i.e. 0x32) and the packet type (0xb) are encrypted with the shift operation. This ciphertext occupies 4 bytes: the high 4 bits may take any value, the EP effective path is shifted left by 20 bits, the ringId left by 12 bits and the packet type left by 4 bits, and the low 4 bits may take any value, giving a 4-byte integer. Random values can be introduced in the high and low 4 bits to increase the difficulty of breaking the ciphertext. Assuming the high and low 4 bits are filled with 0, the computed ciphertext is 001320B0. Under the overall encryption scheme, the final ciphertext is therefore 545206927E3A001320B0.
After the adjacent node node3 receives the protocol packet sent by node4, it first extracts the 10-byte ciphertext from the reserved field and decrypts it. The first 6 bytes, 545206927E3A, are the ciphertext of the MAC address; XORing them with the key 6 (0110) yields the MAC address 52540094783C, the source MAC address of node4. The last 4 bytes, 001320B0, are processed with shift operations: shifting right by 20 bits and taking the low byte gives the integer 1, the EP effective path; shifting right by 12 bits and taking the low byte gives 50, the ringId; shifting right by 4 bits and taking the low byte gives 0xB, the packet type. The high 4 bits and low 4 bits of the shifted results are not considered. At this point the ciphertext parsing is complete, and the validity of the ciphertext is checked next.
Node3 looks up its own MAC-EP table using the parsed EP effective path together with the source MAC address 52-54-00-94-78-3C; see Table 2.
Table 2. MAC address and EP table (node3)
Node    MAC                  Forward EP   Reverse EP
node1   52-54-00-94-78-39    2            6
node2   52-54-00-94-78-3a    1            7
node4   52-54-00-94-78-3c    1            7
node5   52-54-00-94-78-3d    2            6
node6   52-54-00-94-78-3e    3            5
node7   52-54-00-94-78-3f    4            4
node8   52-54-00-94-78-40    5            3
Traversing the table, row 3 matches, so the legality check of the MAC-EP entry passes. Note that an entry is considered a match if either its forward EP or its reverse EP matches. The next step checks the ringId and the packet type: the ringId must equal the ringId of the local ERPS instance, and the packet type (0xb) must equal the Request/State field of the protocol packet. Once the ciphertext check passes, the node performs its other processing of the packet. Finally, node3 increments the EP in the ciphertext part by one (to 2), re-encrypts the MAC address 52-54-00-94-78-3C, ringId 50 and packet type 0xb according to the rules above, packs the resulting ciphertext 545206927E3A002320B0 back into the packet and forwards it.
node2 receives the packet forwarded by node3 and likewise first extracts the ciphertext from the reserved field and parses it in the same way node3 did. The result is source MAC address 52-54-00-94-78-3C, EP 2, ringId 50 and packet type 0xb. It then looks up its local MAC-EP table, shown in Table 3.
Table 3. MAC address and EP table (node2)
Node    MAC                  Forward EP   Reverse EP
node1   52-54-00-94-78-39    1            7
node3   52-54-00-94-78-3b    1            7
node4   52-54-00-94-78-3c    2            6
node5   52-54-00-94-78-3d    3            5
node6   52-54-00-94-78-3e    4            4
node7   52-54-00-94-78-3f    5            3
node8   52-54-00-94-78-40    6            2
Traversing to row 3 of the table, the source MAC address 52-54-00-94-78-3C and the forward EP match, so the entry check is legal. The ringId and packet type are checked as on node3. After the ciphertext check passes, the EP is incremented by one again, the ciphertext is regenerated and the packet is repacked and forwarded.
Now suppose malicious packet attacks occur on the ring. In the first case the attacker tampers with the packet's source MAC address: a protocol packet is captured at node4 and re-sent from node4 with its MAC address changed to the attacker's own source MAC address 02-54-00-04-78-48 and everything else unchanged. When the receiving ring node traverses its MAC-EP table it finds no match, because no entry's MAC address equals the attack packet's MAC address; the packet can therefore be determined not to come from a ring node, and such packets of unknown origin are dropped outright. In the second case the attacker captures a normal packet at node4 and, for whatever reason, injects it at node6 with its content completely unchanged. When node7 receives the attack packet, the EP obtained by parsing the ciphertext is 1, whereas in node7's MAC-EP table the entry for MAC address 52-54-00-94-78-3C has forward EP 3 and reverse EP 5 (see Table 4); neither matches 1, so the packet was sent from the wrong position. It too is an abnormal packet and is dropped.
Table 4. MAC address and EP table (node7)
Node    MAC                  Forward EP   Reverse EP
node1   52-54-00-94-78-39    6            2
node2   52-54-00-94-78-3a    5            3
node3   52-54-00-94-78-3b    4            4
node4   52-54-00-94-78-3c    3            5
node5   52-54-00-94-78-3d    2            6
node6   52-54-00-94-78-3e    1            7
node8   52-54-00-94-78-40    1            7
The last case only modifies the packet type in order to forge a ring fault packet: the packet is captured at node4 and sent from node4 with everything else unchanged. When node3 receives the attack packet, the packet type check fails and the packet is dropped. These are only a few simple scenarios in which the embodiments defend against packet attacks; the usefulness of the invention goes well beyond them.
As long as every node on the ring follows the packet processing rules above, responding to spoofed protocol attack packets is avoided, which greatly improves the stability of the ring network.
In summary, the embodiments of the present invention have the following technical effects:
The embodiments of the present invention relate to a general processing algorithm in the field of network communications for securing a ring network protocol. By suitably selecting invariant and variable elements of the Ethernet ring and using them to encrypt and decrypt the protocol packets, the security of ring protocol operation is effectively improved, the ring's stability is no longer affected by responses to spoofed attack packets, and the cleartext risk of ring protocol packets in engineering deployments is resolved.
Embodiments of the present invention provide a non-transitory (non-volatile) computer storage medium storing computer-executable instructions which can execute the method of any of the method embodiments above.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of any of the method embodiments above.
FIG. 7 is a schematic diagram of the hardware structure of an electronic device for executing the method for ensuring operation security of a ring network protocol according to an embodiment of the present invention. As shown, the device includes one or more processors 610 and a memory 620; one processor 610 is taken as an example. The device may further include an input device 630 and an output device 640.
The processor 610, memory 620, input device 630 and output device 640 may be connected by a bus or in other ways; FIG. 7 takes a bus connection as an example.
The memory 620, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs, non-transitory computer-executable programs and modules. By running the non-transitory software programs, instructions and modules stored in the memory 620, the processor 610 executes the various functional applications and data processing of the electronic device, i.e. implements the processing method of the method embodiments above.
The memory 620 may include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required by at least one function, and the data storage area may store data and the like. In addition, the memory 620 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid-state storage device. In some embodiments, the memory 620 may optionally include memory located remotely from the processor 610, which may be connected to the processing device over a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 630 can receive input digit or character information and generate signal inputs. The output device 640 may include a display device such as a display screen.
The one or more modules are stored in the memory 620 and, when executed by the one or more processors 610, perform the method of any of the method embodiments above.
The above product can execute the method provided by the embodiments of the present invention and has the functional modules and beneficial effects corresponding to executing that method. For technical details not described in detail in this embodiment, refer to the method provided by the embodiments of the present invention.
The electronic device of the embodiments of the present invention exists in many forms, including but not limited to the following. Server: a device that provides computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services, the requirements on processing capability, stability, reliability, security, scalability and manageability are higher. Other electronic devices with data interaction functions.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
From the description of the above embodiments, those skilled in the art can clearly understand that the embodiments can be implemented by software plus a general-purpose hardware platform, or of course by hardware. Based on this understanding, the above technical solutions, in essence or in the part that contributes to the related art, can be embodied in the form of a software product. That computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in the various embodiments or in parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
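The worked example above (node4 to node3 to node2) and the three attack cases, as an added Python illustration that is not part of the patent or of any ZTE code. It reproduces the byte values given in the text (545206927E3A001320B0 from node4, 002320B0 in the tag after node3 increments the EP) and derives the MAC-EP tables of Tables 2 to 4 from the ring order instead of configuring them by hand. The 8-node ring, the simplified frame structure, the names of all functions, the second variant of the spoofed-MAC attack and the value 0xD used for the tampered type are constructed for the example. The comparison of the MAC recovered from the reserved field against the frame's Ethernet source address is an added consistency check, parallel to the Request/State comparison the text itself requires.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, replace

# Constructed 8-node ring in the order of Tables 2-4 (node8 links back to node1).
RING = [f"node{i}" for i in range(1, 9)]
MACS = {f"node{i}": bytes([0x52, 0x54, 0x00, 0x94, 0x78, 0x38 + i]) for i in range(1, 9)}
KEY = 0x06      # per-byte XOR key from the example; a shared ring configuration value
RING_ID = 50    # 0x32 in the example


@dataclass(frozen=True)
class RapsFrame:
    """Simplified R-APS frame: only the fields the check needs (constructed)."""
    src_mac: bytes     # Ethernet source address, in the clear
    req_state: int     # Request/State code carried in the clear
    reserved: bytes    # 10-byte reserved field: XORed MAC (6) + packed tag (4)


def mac_ep_table(me: str) -> dict[bytes, tuple[int, int]]:
    """Forward EP = hops along node1..node8 without crossing the node8-node1 link,
    reverse EP = hops the other way round. Reproduces Tables 2-4."""
    n, i = len(RING), RING.index(me)
    table = {}
    for j, other in enumerate(RING):
        if other != me:
            fwd = abs(i - j)
            table[MACS[other]] = (fwd, n - fwd)
    return table


def xor_mac(mac: bytes, key: int = KEY) -> bytes:
    """Bytewise XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in mac)


def pack_tag(ep: int, ring_id: int, req_state: int, pad: int | None = None) -> bytes:
    """EP<<20 | ringId<<12 | type<<4; bits 31-28 and 3-0 are free (random by default).
    Each field is 8 bits wide, so a larger value would overlap its neighbour."""
    for name, v in (("EP", ep), ("ringId", ring_id), ("type", req_state)):
        if not 0 <= v < 256:
            raise ValueError(f"{name}={v} does not fit an 8-bit field")
    pad = secrets.randbits(8) if pad is None else pad
    word = ((pad >> 4) << 28) | (ep << 20) | (ring_id << 12) | (req_state << 4) | (pad & 0xF)
    return word.to_bytes(4, "big")


def unpack_tag(tag: bytes) -> tuple[int, int, int]:
    """Inverse of pack_tag; the free nibbles are discarded."""
    word = int.from_bytes(tag, "big")
    return (word >> 20) & 0xFF, (word >> 12) & 0xFF, (word >> 4) & 0xFF


def seal(src_mac: bytes, ep: int, req_state: int, pad: int | None = None) -> bytes:
    """Build the 10-byte reserved field for a frame originating at src_mac."""
    return xor_mac(src_mac) + pack_tag(ep, RING_ID, req_state, pad)


def check(me: str, frame: RapsFrame) -> tuple[bool, str]:
    """Receiving node's validity check, in the order the text gives: MAC-EP table,
    ringId, packet type. The header-vs-field MAC comparison is an addition."""
    mac = xor_mac(frame.reserved[:6])
    ep, ring_id, req_state = unpack_tag(frame.reserved[6:])
    if mac != frame.src_mac:
        return False, "MAC in reserved field differs from frame source MAC"
    entry = mac_ep_table(me).get(mac)
    if entry is None:
        return False, "source MAC not in MAC-EP table: not a ring node"
    if ep not in entry:
        return False, f"EP {ep} matches neither forward nor reverse EP {entry}"
    if ring_id != RING_ID:
        return False, f"ringId {ring_id} is not this ERPS instance's {RING_ID}"
    if req_state != frame.req_state:
        return False, "Request/State in header differs from protected copy"
    return True, "ok"


def forward(frame: RapsFrame, pad: int | None = None) -> RapsFrame:
    """Re-seal with EP+1 before passing the frame to the next ring node."""
    ep, _, req_state = unpack_tag(frame.reserved[6:])
    return replace(frame, reserved=seal(frame.src_mac, ep + 1, req_state, pad))


def demo() -> dict[str, tuple[bool, str]]:
    """node4 -> node3 -> node2 as in the text, then the three attack cases."""
    attacker = bytes.fromhex("025400047848")            # 02-54-00-04-78-48
    f = RapsFrame(MACS["node4"], 0xB, seal(MACS["node4"], 1, 0xB, pad=0))
    return {
        "node3 direct": check("node3", f),
        "node2 via node3": check("node2", forward(f, pad=0)),
        # attack 1: attacker's MAC in header and reserved field, rest unchanged
        "spoofed MAC": check("node3", RapsFrame(attacker, 0xB, seal(attacker, 1, 0xB, 0))),
        # attack 1 variant: only the Ethernet header rewritten
        "spoofed header MAC": check("node3", replace(f, src_mac=attacker)),
        # attack 2: captured at node4, injected at node6, received by node7
        "replay at node7": check("node7", f),
        # attack 3: Request/State rewritten in the header only (0xD is constructed)
        "tampered type": check("node3", replace(f, req_state=0xD)),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:20} {'accept' if ok else 'drop':6} {why}")
```

Two points for anyone reusing the layout. With the EP at bit 20 and the ringId at bit 12, each of the three fields is 8 bits wide, so `pack_tag` rejects values that would spill into a neighbouring field instead of silently corrupting the EP. And bytewise XOR with a one-byte key plus fixed shifts is a reversible encoding, not a message authentication code: what decides acceptance is agreement with the MAC-EP table, the ringId and the header's Request/State, so the table and ring parameters must be configured identically on every ring node and the key treated as a shared configuration secret.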

Claims (10)

  1. A method for ensuring operation security of a ring network protocol, characterized in that it comprises:
    a ring node in an Ethernet ring network receiving a protocol packet and obtaining encrypted information carried in the protocol packet for ensuring secure operation of the ring network protocol;
    the ring node determining, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring-network node;
    if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network, the ring node processing and forwarding the protocol packet;
    if the source node of the protocol packet is determined to be a non-ring-network node, the ring node discarding the protocol packet.
  2. The method according to claim 1, characterized in that obtaining the encrypted information carried in the protocol packet for ensuring secure operation of the ring network protocol comprises:
    the ring node in the Ethernet ring network parsing the received protocol packet and obtaining the encrypted information from a reserved field of the protocol packet.
  3. The method according to claim 2, characterized in that the ring node determining, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring-network node comprises:
    the ring node decrypting the encrypted information to obtain information for ensuring secure operation of the ring network protocol;
    the ring node performing a legality check on the information for ensuring secure operation of the ring network protocol;
    if the check succeeds, the ring node determining that the source node of the protocol packet is another ring node of the Ethernet ring network;
    if the check fails, the ring node determining that the source node of the protocol packet is the non-ring-network node.
  4. The method according to claim 3, characterized in that the information for ensuring secure operation of the ring network protocol comprises the MAC address of the source node, an effective path EP representing the number of relative paths between the source node and the ring node, the ring identifier of the Ethernet ring network and the packet type, and the ring node performing the legality check on the information for ensuring secure operation of the ring network protocol comprises:
    if the decrypted MAC address and the corresponding EP are found in a pre-configured MAC address and EP table, the pre-configured ring identifier matches the decrypted ring identifier, and the packet type of the protocol packet matches the decrypted packet type, the ring node determining that the check of the information for ensuring secure operation of the ring network protocol succeeds, and otherwise the ring node determining that the check fails.
  5. The method according to claim 4, characterized in that, if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network, the ring node processing and forwarding the protocol packet comprises:
    the ring node adding 1 to the decrypted EP to form a new EP;
    the ring node encrypting the MAC address, the new EP, the ring identifier and the packet type to obtain new encrypted information for ensuring secure operation of the ring network protocol;
    the ring node filling the new encrypted information into the reserved field of the protocol packet and forwarding the protocol packet carrying the new encrypted information.
  6. The method according to claim 5, characterized in that the ring node encrypting the MAC address, the new EP, the ring identifier and the packet type to obtain new encrypted information for ensuring secure operation of the ring network protocol comprises:
    the ring node XORing the MAC address with a preset key to obtain first encrypted information;
    the ring node performing shift operations on the new EP, the ring identifier and the packet type to obtain second encrypted information;
    combining the first encrypted information and the second encrypted information to obtain the new encrypted information.
  7. A device for ensuring operation security of a ring network protocol, characterized in that it comprises:
    a packet receiving module, configured to receive a protocol packet and obtain encrypted information carried in the protocol packet for ensuring secure operation of the ring network protocol;
    a source node determining module, configured to determine, according to the encrypted information, whether the source node of the protocol packet is another ring node of the Ethernet ring network or a non-ring-network node;
    a processing and forwarding module, configured to process and forward the protocol packet if the source node of the protocol packet is determined to be another ring node of the Ethernet ring network;
    a packet discarding module, configured to discard the protocol packet if the source node of the protocol packet is determined to be a non-ring-network node.
  8. The device according to claim 7, characterized in that the source node determining module decrypts the encrypted information to obtain information for ensuring secure operation of the ring network protocol, performs a legality check on the information for ensuring secure operation of the ring network protocol, determines that the source node of the protocol packet is another ring node of the Ethernet ring network if the check succeeds, and determines that the source node of the protocol packet is the non-ring-network node if the check fails.
  9. The device according to claim 8, characterized in that the information for ensuring secure operation of the ring network protocol comprises the MAC address of the source node, an effective path EP representing the number of relative paths between the source node and the ring node, the ring identifier of the Ethernet ring network and the packet type; if the decrypted MAC address and the corresponding EP are found in a pre-configured MAC address and EP table, the pre-configured ring identifier matches the decrypted ring identifier, and the packet type of the protocol packet matches the decrypted packet type, the source node determining module determines that the check of the information for ensuring secure operation of the ring network protocol succeeds, and otherwise it determines that the check fails.
  10. The device according to claim 9, characterized in that the processing and forwarding module adds 1 to the decrypted EP to form a new EP, encrypts the MAC address, the new EP, the ring identifier and the packet type to obtain new encrypted information for ensuring secure operation of the ring network protocol, then fills the new encrypted information into the reserved field of the protocol packet and forwards the protocol packet carrying the new encrypted information.
PCT/CN2019/071745 2018-01-15 2019-01-15 Method and device for ensuring operation security of ring network protocol WO2019137554A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810034033.6 2018-01-15
CN201810034033.6A CN110048986B (en) 2018-01-15 2018-01-15 Method and device for ensuring ring network protocol operation safety

Publications (1)

Publication Number Publication Date
WO2019137554A1 true WO2019137554A1 (en) 2019-07-18

Family

ID=67219399

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/071745 WO2019137554A1 (en) 2018-01-15 2019-01-15 Method and device for ensuring operation security of ring network protocol

Country Status (2)

Country Link
CN (1) CN110048986B (en)
WO (1) WO2019137554A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112543142B (en) * 2019-09-20 2023-05-12 南京南瑞继保电气有限公司 Method and device for realizing RSTP ring network protocol based on FPGA

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1878061A (en) * 2006-07-11 2006-12-13 杭州华为三康技术有限公司 Bridge protocol data unit message verification method and device therefor
CN101030912A (en) * 2007-04-06 2007-09-05 华为技术有限公司 Fast ring network method against attack based on RRPP, apparatus and system
CN101562614A (en) * 2009-05-26 2009-10-21 北京星网锐捷网络技术有限公司 Method, system and exchange equipment for preventing attacks in Ethernet ring network
CN101567891A (en) * 2009-05-31 2009-10-28 成都市华为赛门铁克科技有限公司 Source address verification method, device and system
US20130298181A1 (en) * 2012-05-01 2013-11-07 Harris Corporation Noise, encryption, and decoys for communications in a dynamic computer network
CN104702444A (en) * 2015-03-27 2015-06-10 杭州华三通信技术有限公司 Method and device for handling ERPS (Ethernet Ring Protection Switching) protocol message

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9647938B2 (en) * 2012-06-11 2017-05-09 Radware, Ltd. Techniques for providing value-added services in SDN-based networks
CN102957588A (en) * 2012-11-05 2013-03-06 盛科网络(苏州)有限公司 Method and system for protecting looped network from broadcast storm
CN104883337B (en) * 2014-02-27 2019-05-07 中兴通讯股份有限公司 The implementation method and device of looped network user security
CN104967513B (en) * 2015-05-29 2018-08-07 西北工业大学 The multi-receiver ring label decryption method of identity-based with maltilevel security attribute

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839009A (en) * 2019-11-22 2021-05-25 华为技术有限公司 Method, device and system for processing message
CN112839009B (en) * 2019-11-22 2023-09-01 华为技术有限公司 Method, device and system for processing message
CN112637240A (en) * 2020-12-31 2021-04-09 河南信大网御科技有限公司 Method, system and readable storage medium for preventing protocol message from being tampered under mimicry environment
CN112637240B (en) * 2020-12-31 2023-09-12 河南信大网御科技有限公司 Protocol message tamper-proof method and system under mimicry environment and readable storage medium
CN112995192A (en) * 2021-03-16 2021-06-18 深圳融安网络科技有限公司 White list generation method, system, device and storage medium
CN112995192B (en) * 2021-03-16 2022-11-15 深圳融安网络科技有限公司 White list generation method, system, device and storage medium
CN115242823A (en) * 2021-04-22 2022-10-25 广州汽车集团股份有限公司 Method, system and gateway for processing message data in cross-network communication
CN115242823B (en) * 2021-04-22 2024-03-19 广州汽车集团股份有限公司 Method, system and gateway for processing message data in cross-network-segment communication
CN114363041A (en) * 2021-12-31 2022-04-15 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint
CN114363041B (en) * 2021-12-31 2023-08-11 河南信大网御科技有限公司 Intranet protection method and system based on dynamic operating system fingerprint and protocol fingerprint

Also Published As

Publication number Publication date
CN110048986B (en) 2022-02-25
CN110048986A (en) 2019-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19738492

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 18.11.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 19738492

Country of ref document: EP

Kind code of ref document: A1