WO2022161369A1 - Security management information processing method and apparatus for optical transport network - Google Patents

Security management information processing method and apparatus for optical transport network

Publication number
WO2022161369A1
Authority
WO
WIPO (PCT)
Prior art keywords
osu
encryption
oam
frame
security management
Application number
PCT/CN2022/073865
Other languages
French (fr)
Chinese (zh)
Inventor
童玲玲
张源斌
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2022161369A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04J MULTIPLEX COMMUNICATION
    • H04J 3/00 Time-division multiplex systems
    • H04J 3/16 Time-division multiplex systems in which the time allocation to individual channels within a transmission cycle is variable, e.g. to accommodate varying complexity of signals, to vary number of channels transmitted
    • H04J 3/1605 Fixed allocated frame structures
    • H04J 3/1652 Optical Transport Network [OTN]
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Definitions

  • The embodiments of the present disclosure relate to the field of communications, and in particular to a method and device for processing security management information in an optical transport network.
  • SFH: Secure Frame Header
  • SFB: Secure Frame Body
  • SFC: Secure Frame Check
  • SFH and SFC are collectively called the encapsulation information of the security frame.
  • In the FlexO security implementation, the security frame encapsulation information SFH and SFC is carried in the FlexO overhead. In the ODU security implementation, because the ODU overhead has few reserved fields, the transmission of the SFH and SFC must be considered in a multi-frame manner.
  • OSU: Optical Service Unit
  • OSU technology mainly maps small-granularity services into the OSU, divides the payload area of the OTN (Optical Transport Network) frame into multiple PB (Payload Block) blocks, multiplexes the OSU frames into the PB blocks according to a specific algorithm, and finally completes the transmission of the OSU through the optical port.
  • The OSU supports state monitoring at the PM (Path Monitor) level and at multiple TCM (Tandem Connection Monitor) levels.
  • PM: Path Monitor
  • TCM: Tandem Connection Monitor
  • The embodiments of the present disclosure provide a method and device for processing security management information of an optical transport network, so as to at least solve the problem in the related art of how to ensure the security of OSU transmission.
  • A method for processing security management information of an optical transport network comprises: inserting an OSU OAM (Operation, Administration and Maintenance) security management frame into the OSU every N OSU frames, and encrypting the N OSU frames; and carrying the security frame header SFH produced by the encryption in the OSU OAM security management frame that precedes the N OSU frames, wherein one OSU OAM security management frame is inserted into the OSU at every interval of N OSU frames.
  • OAM: Operation, Administration and Maintenance
  • An apparatus for processing security management information of an optical transport network comprises: an encryption module configured to encrypt N OSU frames of an optical service unit (OSU); and a bearer module configured to carry the security frame header SFH produced by the encryption in the OSU OAM security management frame that precedes the N OSU frames.
  • A computer-readable storage medium is also provided, in which a computer program is stored, the computer program being configured, when run, to execute the steps of any one of the above method embodiments.
  • An electronic device comprises a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program so as to execute the steps of any one of the above method embodiments.
  • An OSU OAM security management frame is inserted into the OSU every N OSU frames, and the N OSU frames are encrypted.
  • Through the OSU OAM security management frame, the problem in the related art of how to ensure the security of OSU transmission can be solved: the OSU OAM security management frame is inserted every N OSU frames and is used to carry the security frame encapsulation information (SFH) of the encryption applied to those N OSU frames, so that the OSU frames are transmitted securely.
  • FIG. 1 is a hardware structural block diagram of a mobile terminal of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure
  • FIG. 2 is a flowchart of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure
  • FIG. 3 is a flowchart of a method for processing security management information of an optical transport network according to a preferred embodiment of the present disclosure
  • Figure 4 is a schematic diagram of the Nx frame OSU covered by the OSU OAM security management frame
  • Figure 5 is a schematic diagram of the overhead byte position of the OSU OAM security management frame
  • Figure 6 is a schematic diagram of the SFH and SFC at each level of the OSU OAM security management frame
  • FIG. 7 is a schematic diagram of an identity authentication process according to an optional embodiment of the present disclosure.
  • FIG. 8 is a schematic diagram of a message format in an identity authentication process according to an optional embodiment of the disclosure.
  • FIG. 9 is a schematic diagram of a TCM1-level OSU-encrypted OAM security management frame according to an optional embodiment of the disclosure.
  • FIG. 10 is a schematic diagram of OSU encryption at the TCM1 layer according to an optional embodiment of the disclosure.
  • FIG. 11 is a schematic diagram of a PM+TCM1+TCM2 three-layer encryption OSU OAM security management frame according to an optional embodiment of the disclosure;
  • Figure 12 is a schematic diagram of OSU encryption at the PM, TCM1 and TCM2 layers;
  • Nx and Ny take a fixed OSU period and Nz takes an unfixed OSU period, according to an optional embodiment of the disclosure;
  • Figure 14 is a schematic diagram of Nx and Ny taking a fixed OSU cycle and Nz taking an unfixed OSU cycle (1);
  • Figure 15 is a schematic diagram of Nx and Ny taking a fixed OSU cycle and Nz taking an unfixed OSU cycle (2);
  • Figure 16 is a schematic diagram of Nx and Ny taking a fixed OSU cycle and Nz taking an unfixed OSU cycle (3);
  • FIG. 17 is an example flowchart of the specific messages of an identity authentication process according to an optional embodiment of the present disclosure;
  • FIG. 18 is a structural diagram of an apparatus for processing security management information of an optical transport network according to an embodiment of the present disclosure;
  • FIG. 19 is a structural diagram of a security management information processing apparatus of an optical transport network according to a preferred embodiment of the present disclosure.
  • FIG. 1 is a hardware structural block diagram of a mobile terminal of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure.
  • the mobile terminal may include one or more (Fig.
  • A processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA).
  • A memory 104 is used for storing data.
  • The above-mentioned mobile terminal may also include a transmission device 106 and an input/output device 108 for communication functions.
  • FIG. 1 is only a schematic diagram and does not limit the structure of the above-mentioned mobile terminal.
  • The mobile terminal may also include more or fewer components than those shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
  • The memory 104 can be used to store computer programs, for example software programs and modules of application software, such as the computer programs corresponding to the method for processing security management information of the optical transport network in the embodiments of the present disclosure.
  • The computer program is run to execute various functional applications and the slicing processing of the service chain address pool, that is, to implement the above method.
  • The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • The memory 104 may further include memory located remotely from the processor 102; such remote memory may be connected to the mobile terminal through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
  • The transmission device 106 is used to receive or transmit data via a network.
  • A specific example of the above-mentioned network may include a wireless network provided by the communication provider of the mobile terminal.
  • The transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can be connected to other network devices through a base station so as to communicate with the Internet.
  • The transmission device 106 may be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.
  • RF: Radio Frequency
  • FIG. 2 is a flowchart of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure. As shown in FIG. 2, the process includes the following steps:
  • Step S202: insert an OSU OAM security management frame into the OSU at every interval of N OSU frames, and encrypt the N OSU frames;
  • Step S204: carry the security frame header SFH produced by the encryption in the OSU OAM security management frame that precedes the N OSU frames.
  • Through the above steps, an OSU OAM security management frame is inserted into the OSU every N OSU frames, the N OSU frames are encrypted, and the SFH produced by the encryption is carried in the OSU OAM security management frame that precedes the N OSU frames. This solves the problem in the related art of how to ensure the security of OSU transmission.
  • The OSU OAM security management frame is inserted every N OSU frames and is used to carry the security frame encapsulation information (that is, the SFH) of the encryption applied to the N OSU frames, which ensures the secure transmission of the OSU frames.
  • The method further includes: performing the integrity calculation required for authentication on the N OSU frames, and carrying the security frame check SFC required for the authentication in the OSU OAM security management frame that follows the N OSU frames.
  • Before step S202, the method further includes: performing bidirectional identity authentication with the encryption sink.
  • Before the OSU frames are encrypted, bidirectional identity authentication with the encryption sink is also required. Specifically, a first identity authentication request message is sent to the encryption sink, the first identity authentication request message carrying authentication information and processed first private key information; and a first identity authentication response message is received, which the encryption sink sends after authenticating according to the authentication information and the authentication passes, the first identity authentication response message carrying processed second private key information and encrypted information, where the encrypted information is the temporary key pair K obtained by the encryption sink from the processed first private key information and the second private key information.
  • The OSU frames bearing the OSU OAM security management frame are sent to the encryption sink, which is configured to decrypt the OSU frames according to the OSU OAM security management frame.
  • After the security frame encapsulation information is carried in the OSU OAM security management frame, the OSU frames still need to be sent to the encryption sink, which decrypts them; the security frame encapsulation information includes the SFH and/or the SFC.
  • Step S202 may specifically include: if no OSU OAM security management frame is detected in the OSU, the current encryption level A of the OSU is the first activated one of the M encryption levels of the OSU frame; in that case, an OSU OAM security management frame is inserted every N OSU frames, the N OSU frames are encrypted, the encryption state of encryption level A in the OAM frame is set to encrypted, and the value of N in the frame is set to a known value.
  • If the current encryption level A of the OSU is not the first activated one of the M encryption levels of the OSU frame, the N OSU frames are encrypted and the generated security encapsulation information is carried in the overhead corresponding to encryption level B of the OSU OAM management frame.
  • The encryption function of the OSU frame is activated, or the encryption and authentication functions of the OSU frame are activated.
  • The encryption function of the OSU frame needs to be activated first; it is then determined whether the current level is the first encryption level to be activated.
  • The authentication function of the OSU frame needs to be activated first; it is then determined whether the current level is the first encryption level to be activated.
  • The value of N is determined according to the available bandwidth of the OSU security management frame and the encryption processing delay requirement.
  • N needs to be determined first; it is then determined whether the current level is the first activated encryption level.
  • The encryption state of the encryption source end of encryption level A is obtained from the OSU OAM security management frame.
  • The value of N is used to enable the encryption function, or the encryption and authentication functions, of encryption level B; the encryption state of encryption level B is set to the encrypted state and carried in the OSU OAM security management frame.
  • Step S204 includes: carrying the security frame encapsulation information in the overhead corresponding to encryption level A in the OSU OAM security management frame.
  • The security frame encapsulation information needs to be carried in the overhead corresponding to encryption level A. The OSU OAM security management frame includes, for the M encryption levels, the overhead for storing the encryption state, the overhead for storing the N value, and the overhead for storing the security frame header SFH and/or security frame check SFC of the M encryption levels; the security frame encapsulation information includes the security frame header SFH and/or the security frame check SFC.
  • The value of N and the encryption state of the current encryption level are carried in the OSU OAM security management frame; that is, the N value and the encryption state can also be carried in the OSU OAM security management frame.
  • FIG. 3 is a flowchart of a method for processing security management information of an optical transport network according to a preferred embodiment of the present disclosure. As shown in FIG. 3, the flowchart includes the following steps:
  • Step S302: identify the OSU OAM security management frame in the received OSU;
  • Step S304: decrypt the OSU according to the OSU OAM security management frame.
  • Step S304 includes: identifying the encryption state of encryption level A from the OSU OAM security management frame; and, when the encryption state of encryption level A is the encrypted state and the node is the decryption end of encryption level A, decrypting the OSU according to the OSU OAM security management frame.
  • Step S304 includes: extracting the value of N and the SFH from the OSU OAM security management frame; judging whether the number of OSU frames in the interval between adjacent OAM frames is N; and, if so, decrypting the N OSU frames according to the SFH to obtain the plaintext OSU.
  • Decrypting the N OSU frames according to the SFH to obtain the plaintext OSU includes: if the OSU OAM security management frame also carries the security frame check SFC used for authenticating the N OSU frames, authenticating the N OSU frames according to the SFC; and, after the authentication passes, decrypting the N OSU frames according to the SFH to obtain the plaintext OSU.
  • That is, the N OSU frames are first authenticated according to the SFC, and only then decrypted according to the SFH to obtain the plaintext OSU frames.
  • The method further includes: when the encryption state of encryption level A is the encrypted state and the node is not the decryption end of encryption level A, transparently transmitting the OSU frames.
  • That is, the OSU frames can also be transparently transmitted when the node is not the decryption end of the encryption level.
  • The encryption state of encryption level A in the OSU OAM security management frame is set to unencrypted; that is, the encryption state can also be cleared and set to unencrypted.
  • The OSU security implementation method combining authentication with encryption is as follows:
  • Step 1: After the OSUP or OSUT is generated, a level Q can be chosen at which to enable encryption and authentication. If the current level Q is the first level at which encryption is enabled among all the levels of the OSU service, the local end inserts an OSU OAM security management frame every Nx OSU frames.
  • The security frame encapsulation information generated by encrypting and authenticating the Nx OSU frames is carried in the OSU OAM security management frame. If the encryption source of this level is not the first encryption level enabled for the OSU service, the OSU OAM security management frame already present in the OSU frame stream is identified, and the security frame encapsulation information generated by encrypting and authenticating the Nx OSU frames is carried in that OSU OAM security management frame.
  • Step 2: Carry the Nx value in the OSU OAM security management frame.
  • The Nx value is variable for the same OSU service; Nx is the number of OSU frames between two OSU OAM security management frames.
  • Figure 4 is a schematic diagram of the Nx OSU frames covered by one OSU OAM security management frame. The choice of Nx must take three factors into account together: the bandwidth of the OSU OAM security management frame, the buffering and delay introduced by OSU encryption and authentication, and the encryption block size of the encryption algorithm.
  • Step 3: Figure 5 is a schematic diagram of the position of the overhead bytes of the OSU OAM security management frame. As shown in Figure 5, the overhead of the OSU OAM security management frame defines a state indication for each of the M encryption levels of the OSU, distinguishing the encrypted state from the unencrypted state.
  • Step 4: If the encryption source end of level Q does not enable the encryption and authentication functions, the encryption state of this level is set to the unencrypted state, and the OSU OAM security management frames of the other levels are transparently transmitted. If the encryption and authentication functions are enabled at the encryption source end of level Q, the encryption state of level Q is set to the encrypted state.
  • Step 5: Figure 6 is a schematic diagram of the SFH and SFC of each level in the OSU OAM security management frame.
  • The encryption source end of layer Q encrypts and authenticates, in 128-bit blocks, the Nx OSU frames between adjacent OSU OAM management frames, and carries the security frame encapsulation information generated by the encryption and authentication in the OSU OAM security management frame of the corresponding level.
  • Step 6: The encryption sink node identifies the OSU OAM security management frame, reads the encryption state of a given level Q from it, and determines whether the node is the decryption end corresponding to level Q. If so, it extracts the Nx value and the security encryption overhead from the OSU OAM security management frame and determines whether the number of OSU frames between two adjacent OSU OAM frames is Nx; if so, it uses the security encryption overhead to authenticate and decrypt the Nx OSU frames, obtaining the plaintext decrypted at level Q of the OSU. If the node is not the decryption end corresponding to level Q, or encryption of a level P (P not equal to Q) is enabled on the node, the corresponding OAM security management frame and OSU frames are transparently transmitted.
  • The OSU security implementation method combining encryption with authentication is as follows:
  • FIG. 7 is a schematic diagram of an identity authentication process according to an optional embodiment of the disclosure. As shown in FIG. 7, the process includes:
  • Step S1: identity authentication request message type I;
  • Step S2: identity authentication response message type I or type II;
  • Step S3: identity authentication request message type II or response message type II;
  • Step S4: identity authentication response message type II.
  • The identity authentication request message type I includes fixed authentication information and private key material information.
  • The identity authentication response message type I includes random authentication information and private key material information.
  • The identity authentication request message type II includes authentication subject information.
  • The identity authentication response message type II includes the authentication result.
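The four-message exchange of steps S1 to S4, together with the earlier description of the first request carrying processed first private key information and the response carrying processed second private key information from which a temporary key is derived, can be modelled end to end. The script below is an added example and is not code from the patent or from 中兴通讯股份有限公司. The page does not specify the cryptography, so the example assumes a long-term pre-shared authentication secret (PSK) on both ends, uses a fresh random value as each side's private key material, uses HMAC-SHA256 as the "processing" and proof function, and derives the temporary key K from both values once both proofs verify. The names Peer, authenticate, PSK and the message field names are the example's own; the message types REQ-I, RESP-I, REQ-II and RESP-II follow the page's type I / type II naming.

```python
import hashlib
import hmac
import secrets

# Assumed construction (not given by the page): both ends hold a long-term secret,
# each side's "private key material" is a fresh random value, and K is derived from
# both values. PSK is a constructed secret for the demonstration only.
PSK = secrets.token_bytes(32)


def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Peer:
    """One end of the identity authentication exchange (encryption source or sink)."""

    def __init__(self, name, psk):
        self.name = name.encode()
        self.psk = psk
        self.my_material = secrets.token_bytes(32)   # private key material
        self.peer_name = None
        self.peer_material = None
        self.temp_key = None                          # the temporary key K

    # Step S1: request type I carries fixed authentication information (the identity)
    # and the processed private key material (bound to the identity under the PSK).
    def request_type1(self):
        return {"type": "REQ-I", "auth_info": self.name, "material": self.my_material,
                "proof": _mac(self.psk, b"REQ-I", self.name, self.my_material)}

    # Step S2: the sink verifies the request; on success it answers with random
    # authentication information (its own fresh material), otherwise with a type II failure.
    def response_type1(self, req):
        expect = _mac(self.psk, b"REQ-I", req["auth_info"], req["material"])
        if not hmac.compare_digest(req["proof"], expect):
            return {"type": "RESP-II", "result": "FAIL"}
        self.peer_name, self.peer_material = req["auth_info"], req["material"]
        return {"type": "RESP-I", "auth_info": self.name, "material": self.my_material,
                "proof": _mac(self.psk, b"RESP-I", self.name, self.my_material, req["material"])}

    # Step S3: request type II carries the authentication subject information: a proof
    # over both materials showing the source also holds the secret (or a type II failure).
    def request_type2(self, resp):
        if resp["type"] != "RESP-I":
            return {"type": "RESP-II", "result": "FAIL"}
        expect = _mac(self.psk, b"RESP-I", resp["auth_info"], resp["material"], self.my_material)
        if not hmac.compare_digest(resp["proof"], expect):
            return {"type": "RESP-II", "result": "FAIL"}
        self.peer_name, self.peer_material = resp["auth_info"], resp["material"]
        self.temp_key = _mac(self.psk, b"K", self.my_material, self.peer_material)
        return {"type": "REQ-II", "subject": self.name,
                "proof": _mac(self.psk, b"REQ-II", self.my_material, self.peer_material)}

    # Step S4: response type II carries the authentication result.
    def response_type2(self, req):
        if req.get("result") == "FAIL":
            return {"type": "RESP-II", "result": "FAIL"}
        expect = _mac(self.psk, b"REQ-II", self.peer_material, self.my_material)
        if not hmac.compare_digest(req["proof"], expect):
            return {"type": "RESP-II", "result": "FAIL"}
        self.temp_key = _mac(self.psk, b"K", self.peer_material, self.my_material)
        return {"type": "RESP-II", "result": "PASS"}


def authenticate(source, sink):
    """Run S1 to S4 between an encryption source and an encryption sink."""
    m1 = source.request_type1()          # S1
    m2 = sink.response_type1(m1)         # S2
    m3 = source.request_type2(m2)        # S3
    m4 = sink.response_type2(m3)         # S4
    return m4["result"]
```

Only after the type II result is PASS do both ends hold the same K; a peer that does not hold the PSK fails at S2 and never obtains a key, and the source only computes K after verifying the sink's proof at S3, so neither side commits to a key before it has authenticated the other.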
  • FIG. 9 is a schematic diagram of a TCM1-level OSU-encrypted OAM security management frame according to an optional embodiment of the present disclosure.
  • Nodes A and B each correspond to an OTN branch line integration function device.
  • Nodes A1 and A2 correspond to different function points of node A.
  • A1 corresponds to the function point where the customer service generates the OSUP, or where the customer service is demultiplexed from the OSUP.
  • A2 corresponds to the OSUT overhead processing function and to the adaptation function point that multiplexes into the OPU, or that demultiplexes from the OPU to the OSU and performs OSUT overhead processing.
  • Nodes B1 and B2 correspond to different function points of node B; their specific functions are the inverse of those of nodes A1 and A2. The process includes the following steps:
  • Step S1: the CBR service Client is mapped to the OSU; PM encryption is not enabled;
  • Step S2: generate the OSU frames; at the same time determine Nx, complete the encryption and authentication of the Nx frames, and insert Nx and the TCM1 encryption state (encrypted) into the OAM security management frame;
  • Step S3: generate the OSU frames plus the OSU OAM security management frame; at the same time, learn locally that TCM1-layer encryption is enabled, identify the OSU OAM security management frame, obtain the Nx value and that the encryption source TCM1 is in the encrypted state, perform authentication and decryption, and clear the TCM1 encryption-enabled state;
  • Step S4: generate the OSU frames;
  • Step S5: obtain the CBR service ClientA.
  • Step 1: At the A1 end, after the service ClientA is mapped to the OSU, the OSU frame and the PB are both 192 bytes long and are divided into 12 128-bit blocks. If the encryption function is not enabled at the PM level, no OAM security management frame is inserted.
  • Step 2: The A2 end learns locally that TCM1 encryption is enabled at the local end, recognizes at the same time that the TCM1 layer is the first encryption layer enabled for the current OSU service, and determines the Nx value. With a balanced choice of Nx, Nx can take the value 64. When the identity authentication process is also combined, a larger Nx, such as 128, may be considered.
  • Step 3: Encrypt and authenticate 64 consecutive OSU frames, that is, 768 128-bit blocks, and carry the OSU security frame encapsulation information generated by the encryption and authentication in the TCM1-level security frame encapsulation information of the OSU OAM security management frame, as shown in Figure 10, which is a schematic diagram of OSU encryption at the TCM1 layer according to an optional embodiment of the disclosure.
  • Step 4: After the B1 end recognizes the OSU OAM security management frame, it obtains from it that the source end of the TCM1 layer is in the encrypted state, that the Nx value is 64, and the security frame encapsulation information produced by the encryption and authentication; it also learns locally that the local end has enabled the TCM1-level encryption and authentication function.
  • The local end judges that it is the decryption end of the TCM1 level, and further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx; if so, it uses the security frame encapsulation information to authenticate and decrypt the Nx OSU frames, obtaining the plaintext decrypted at the OSU TCM1 level.
  • Step 5: The B2 end demaps the OSU plaintext to obtain the service ClientA.
  • FIG. 11 is a schematic diagram of a PM+TCM1TCM2 three-layer encryption OSU OAM security management frame according to an optional embodiment of the disclosure, the A node and the B node are connected through the OTU2, and the B and C nodes are connected through the OTU4.
  • the client side accesses the CBR service clientA at a rate of 155.520Mbit/s, generates an OSU frame through mapping, and performs PM-level encryption and authentication on the OSU at the A1 end.
  • the A2 side performs TCM1-level encryption and authentication on the OSU
  • the B1 side performs TCM1-level authentication and decryption on the OSU
  • the B2 side performs TCM2-level encryption and authentication on the OSU
  • the C1 side performs TCM2-level authentication and decryption on the OSU.
  • the OSUPM layer is authenticated and decrypted to finally obtain the CBR service ClientA, as shown in Figure 11, including:
  • Step S1 the CBR service Client is mapped to the OSU, and the encryption period is determined to be Nx; at the same time, the Nx frame encryption and authentication is completed, Nx is inserted into the OAM security management frame, the PM encryption state is the encrypted state and the security frame encapsulation information after encryption and authentication ;
  • Step S2 generate OAM security management frame; At the same time, identify OAM security management frame, obtain PM as encrypted state and Nx, local end TCM1 starts encryption authentication, and inserts TCM1 encryption enable state in current OAM frame;
  • Step S3 generate the OAM security management frame; meanwhile, locally obtain the TCM1 encryption and authentication enablement, identify the OAM security management frame, obtain the encrypted state of the encryption source PM+TCM1 and the OSU frame period Nx, perform the TCM1 layer authentication and decryption, and clear TCM1 encryption enabled state;
  • Step S4 generates OAM security management frame; At the same time, identify OAM security management frame, obtain encryption source PM to be encrypted state and Nx, local TCM2 starts encryption authentication, and inserts TCM2 encryption enabling state in current OAM frame;
  • Step S5 generate the OAM security management frame; At the same time, identify the OAM security management frame, obtain the encrypted state and Nx of the encryption source PM+TCM2, carry out the TCM2 layer authentication and decryption, and clear the TCM2 encryption enabled state;
  • Step S6 generating the OAM security management frame; meanwhile, identifying the OAM security management frame, obtaining the encrypted source PM as the encrypted state and Nx, performing PM layer authentication and decryption, intermediating the OAM security management frame, and obtaining the OSU (CBR) original text;
  • step S7 the service ClientA is obtained.
  • Step 1: at the A1 end, after the service ClientA is mapped to the OSU, both the OSU and the PB are 192 bytes long and are divided into 12 blocks of 128 bits.
  • The A1 end learns locally that the local end is configured to start PM-layer encryption.
  • The PM layer determines the Nx value for the first encryption and authentication layer. With the considerations for Nx balanced, Nx can be 64; when the identity authentication process is also taken into account, a larger Nx value such as 128 can be considered.
  • Figure 12 is a schematic diagram of OSU encryption at the PM, TCM1 and TCM2 layers.
  • Step 3: after A2 recognizes the OSU OAM security management frame, it obtains from that frame that the PM-layer source end is in the encrypted state and that the Nx value is 64. At the same time it learns locally that the local end has enabled the TCM1-level encryption and authentication function, determines that the local end is the encryption source end of the TCM1 level, sets the TCM1-level encryption state to encrypted and carries it in the OSU OAM security management frame. The A2 side authenticates and encrypts 64 consecutive OSU frames at the TCM1 level, and carries the OSU security frame encapsulation information generated by encryption and authentication in the TCM1-level security frame encapsulation information of the current OSU OAM security management frame.
  • Step 5: after the B2 end recognizes the OSU OAM security management frame, it obtains from that frame that the PM-layer source end is in the encrypted state, that the Nx value is 64, and the PM-layer security frame encapsulation information obtained by encryption and authentication. At the same time it learns locally that the TCM2-level encryption and authentication function is enabled at the local end, determines that the local end is the encryption source end of the TCM2 level, sets the TCM2-level encryption state to encrypted and carries it in the OSU OAM security management frame.
  • The B2 side encrypts and authenticates 64 consecutive OSU frames at the TCM2 level, and carries the OSU security frame encapsulation information generated by encryption and authentication in the TCM2-level security frame encapsulation information of the current OSU OAM security management frame.
  • Step 7: after the C2 end recognizes the OSU OAM security management frame, it obtains from that frame that the PM-layer source end is in the encrypted state, that the Nx value is 64, and the PM-layer security frame encapsulation information obtained by encryption and authentication, and at the same time.
  • Step 8: the C2 end demaps the OSU to obtain the service ClientA.
  • FIG. 13 is a schematic diagram of a security information processing flow in which Nx and Ny take a fixed OSU period and Nz takes a non-fixed OSU period, according to an optional embodiment of the present disclosure.
  • Node A and node B are connected through OTU2. Three different services, ClientA, ClientB and ClientC, are present on the client side: ClientA is a CBR service with a rate of 155 Mbit/s; ClientB is a PKT service with a maximum guaranteed flow of 100 Mbit/s; ClientC is a PKT service with a maximum guaranteed flow of 200 Mbit/s.
  • The three services are mapped to generate three kinds of OSU frames.
  • The A1 side determines to perform PM-layer encryption and authentication for each of the three OSUs.
  • The PM layers of the three OSUs are authenticated and decrypted at the B2 end, and finally the CBR service ClientA, the PKT service ClientB and the PKT service ClientC are obtained through demapping, including the following steps:
  • Step S2: generate OAM security management frame A; at the same time, identify that PM is encrypted, identify Nx, authenticate and decrypt, and obtain the OSU plaintext;
  • Step S3: obtain the CBR service ClientA;
  • Step S5: generate OAM security management frame B;
  • Step S6: obtain the PKT service ClientB;
  • Step S7: the PKT service ClientC is 200M and the actual service flow varies between 40 and 160M, so Nz (16+delta*n) is selected; at the same time, the Nz value is inserted into the overhead and PM encryption is enabled;
  • Step S8: generate OAM security management frame C;
  • Step S9: obtain the PKT service ClientC.
  • Step 1: at the A1 end, after the service ClientA is mapped to the OSU, the OSU and PB length is 192 bytes and the PB rate is 2.6M.
  • The recommended value of Nx is 64, that is, 64 PBs are occupied in the same service-layer OPU.
  • The OAM security management frame bandwidth accounts for 1/Nx of the service bandwidth; considering the OAM bandwidth overhead, the larger the Nx value, the better.
  • The frame length of 192 bytes is a multiple of the 128-bit encryption block, which is sufficient.
  • For Nx, the impact of real-time authentication on OSU frame buffering and delay needs to be as small as possible. When bandwidth is sufficient, bandwidth can be traded for delay, that is, Nx is 32: a fixed period of 32 OSU frames can be used for encryption and authentication.
  • The maximum guaranteed traffic of the service ClientB is 100 Mbit/s, and the actual rate of the OSU is 104 Mbit/s.
  • According to the above principles the recommended value of Ny is 40; Ny can be selected as 40 according to the actual bandwidth and the delay requirements of the PKT service.
  • For the service ClientC, the statistical value varies from 40 Mbit/s to 160 Mbit/s, and the actual rate of the OSU is at most 41.6 to 166.4 Mbit/s.
  • The recommended range of the Nz value is 16 to 64; the Nz value is increased or decreased in steps of delta according to the trend of the statistical flow.
  • The real-time value of Nz and the encrypted state of the PM level are carried in the OSU OAM security management frame.
  • Nz consecutive OSU frames, that is, Nz*12 blocks of 128 bits, are encrypted and authenticated, and the OSU security frame encapsulation information generated by encryption and authentication is carried in the PM-level security frame encapsulation information of the OSU OAM security management frame.
  • Step 3: after the B2 end recognizes the OSU OAM security management frame of the ClientA OSU service, it obtains from that frame that the PM-layer source end of the OSU service is encrypted, together with the Nx value and the security frame encapsulation information produced by the encryption and authentication of each OSU service. At the same time it obtains locally that the PM level is set to enable the encryption and authentication function, judges that the local end is the decryption end of the PM level, and further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx. If it is, it uses the security frame encapsulation information to authenticate and decrypt the Nx OSU frames, obtaining the plaintext decrypted at the OSU PM level, and demaps the OSU to obtain the service ClientA, as shown in Figure 14.
  • Figure 14 is a schematic diagram (1) of Nx and Ny taking a fixed OSU period and Nz taking a non-fixed OSU period.
  • After the B2 side recognizes the OSU OAM security management frame of the ClientB OSU service, it obtains from that frame that the PM-layer source end of the OSU service is encrypted, together with the Ny value and the security frame encapsulation information produced by the encryption and authentication of each OSU service. At the same time it learns locally that the PM level is set to enable the encryption and authentication function at the local end, judges that the local end is the decryption end of the PM level, and further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Ny.
  • Figure 15 is a schematic diagram (2) of Nx and Ny taking a fixed OSU period and Nz taking a non-fixed OSU period.
  • After the B2 end recognizes the OSU OAM security management frame of the ClientC OSU service, it obtains from that frame that the PM-layer source end of the OSU service is encrypted, together with the Nz value and the security frame encapsulation information produced by the encryption and authentication of each OSU service. At the same time it learns locally that the PM level is set to enable the encryption and authentication function at the local end, judges that the local end is the decryption end of the PM level, and further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Nz. If it is, it uses the security frame encapsulation information to authenticate and decrypt the Nz OSU frames, obtaining the plaintext decrypted at the OSU PM level, and demaps the OSU to obtain the service ClientC, as shown in Figure 16.
  • Figure 16 is a schematic diagram (3) of Nx and Ny taking a fixed OSU period and Nz taking a non-fixed OSU period.
  • FIG. 17 is a flowchart of an example of the specific messages of an identity authentication process according to an optional embodiment of the present disclosure.
  • Encryption is combined with the identity authentication process.
  • The OTN device nodes A and B at the two ends are connected through OTU2; the client side of node A accesses the CBR service ClientA at a rate of 155.520 Mbit/s and generates OSU frames through mapping.
  • Node A initiates the identity authentication process.
  • Nodes A and B each verify and authenticate the information sent by the peer.
  • All identity authentication messages are encapsulated by GFP and sent to the peer end over the KCC (Key Exchange Communication Channel); after identity authentication is completed, the pure encryption process is enabled, as shown in Figure 17, including:
  • Step S1: request message type I (fixed authentication information and private key information); at the same time, verify the fixed authentication information against local storage;
  • Step S2: response message type I (encrypted private key information and private key information) / response message type II (authentication failure); at the same time, verify the converted private key information against the received private key information;
  • Step S3: request message type II (encrypted identity authentication information) or response message type II (authentication failure); at the same time, verify whether the identity authentication information after the local symmetric conversion is consistent with the received information;
  • Step S4: response message type II (authentication success or failure).
  • Step 1: the encryption entity of node A sends identity authentication request message type I to node B, carrying the fixed authentication information and the private key material information of the node, such as a timestamp or a counter generated by the DF algorithm.
  • The fixed authentication information can be selected from information stored at both ends, such as the port number, IP information or even the user name, after a one-way conversion by an algorithm.
  • Step 2: after receiving identity authentication message type I, node B first determines whether the fixed authentication information identifies the intended communication peer; if not, it replies with identity authentication response message type II, which carries the authentication failure information.
  • Step 3: if node B verifies that the users are consistent, it generates the private key material information of this node, such as a random timestamp or counter value, obtains the temporary Ki (Key Index) from the information generated by the DF algorithm and the private key material information of node A, and sends the encrypted private key material information of this node together with the private key material information of this node to node A through identity authentication response message type I.
  • Step 4: node A receives identity authentication response message type I, extracts the private key material information sent by node B, combines it with the private key material information of this node and obtains the temporary Ki through the DF algorithm.
  • The encrypted information carried in the message is decrypted and compared with the private key information of node B carried in the same message. If they are the same, node B is preliminarily considered legitimate and node A continues with the next authentication step.
  • Step 5: node A uses the information stored at both ends, such as the user name and password, converted by some algorithm, optionally HASH or HASH combined with XOR, as the authentication subject information, and sends it to node B through identity authentication request message type II.
  • Step 6: after receiving identity authentication request message type II, node B converts the information stored at the local end using the symmetric algorithm, verifies the authentication subject information and compares whether the two are consistent. If they are the same, identity authentication response message type II, carrying the authentication success information, is returned.
  • Step 7: after receiving the authentication success, node A starts the encryption process, and the SFC information is processed according to the default value.
  • FIG. 18 is a structural diagram of a security management information processing device for an optical transport network according to an embodiment of the present disclosure. As shown in FIG. 18, the device includes:
  • the encryption module 1802, configured to insert an OSU OAM security management frame every N OSU frames in the optical service unit OSU and to encrypt the N OSU frames;
  • the bearing module 1804, configured to carry the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames.
  • The apparatus further includes an authentication calculation module, configured to perform the integrity calculation required for authentication on the N OSU frames and to carry the resulting security frame check SFC required for authentication in the OSU OAM security management frame following the N OSU frames.
  • The apparatus further includes an identity authentication module, configured to perform two-way identity authentication with the encryption sink.
  • The apparatus further includes a determining module, configured to determine the value of N according to the available bandwidth of the OSU security management frame and the encryption processing delay requirements.
  • The encryption module 1802 is further configured to: when the current encryption level A of the OSU is the first activated among the M encryption levels of the OSU frame, insert an OSU OAM security management frame every N OSU frames, encrypt the N OSU frames, set the encryption state of encryption level A in the OAM frame to encrypted, and set the N value therein to a known value.
  • The apparatus further includes a processing module, configured to: if an OSU OAM security management frame is detected in the OSU and the current encryption level A of the OSU is not the first encryption level started among the M encryption levels of the OSU frame, encrypt the N OSU frames and carry the generated security encapsulation information in the overhead corresponding to encryption level B of the OSU OAM management frame.
  • The apparatus further includes an acquisition module, configured to acquire the encryption state of the encryption source end of encryption level A and the value of N from the OSU OAM security management frame and at the same time determine to enable the encryption processing of encryption level B; and a setting module, configured to set the encryption state of encryption level B in the OSU OAM security management frame to the encrypted state.
  • The OSU OAM security management frame includes overhead corresponding to the M encryption levels for storing the encryption state, overhead for storing the N value, and overhead of the M encryption levels for storing the security frame header SFH and/or the security frame check SFC.
  • The bearing module 1804 is further configured to carry the security frame encapsulation information in the overhead corresponding to encryption level A in the OSU OAM security management frame, where the security frame encapsulation information includes the security frame header SFH and/or the security frame check SFC.
  • The bearing module 1804 is further configured to carry N and the encrypted state of the current encryption level in the OSU OAM security management frame.
  • FIG. 19 is a structural diagram of a security management information processing device of an optical transport network according to a preferred embodiment of the present disclosure. As shown in FIG. 19, the device includes:
  • the identification module 1902, configured to identify the OSU OAM security management frame in the received OSU;
  • the decryption module 1904, configured to decrypt the OSU according to the OSU OAM security management frame.
  • The decryption module 1904 is further configured to: identify the encryption state of encryption level A from the OSU OAM security management frame; and, when the encryption state of encryption level A is the encrypted state and the local end is the decryption end of encryption level A, decrypt the OSU according to the OSU OAM security management frame.
  • The decryption module is further configured to: extract the value of N and the SFH from the OSU OAM security management frame; determine whether the number of OSU frames in the interval between adjacent OAM frames in the OSU is N; and, if so, decrypt the N OSU frames according to the SFH to obtain the plaintext OSU.
  • The decryption module is further configured to: if the OSU OAM security management frame also carries the security frame check SFC used to authenticate the N OSU frames, authenticate the N OSU frames according to the SFC; and, after the authentication passes, decrypt the N OSU frames according to the SFH to obtain the plaintext OSU.
  • The N OSU frames need to be authenticated according to the SFC first, and only then decrypted according to the SFH to obtain the plaintext OSU.
  • The apparatus further includes a first processing module, configured to pass the OSU through transparently when the encryption state of encryption level A is the encrypted state and the local end is not the decryption end of encryption level A.
  • That is, the OSU frame can also be transparently transmitted when the state is encrypted but the local end is not the decryption end.
  • The apparatus further includes a first processing module, configured to set the encryption state of encryption level A in the OSU OAM security management frame to unencrypted.
  • Embodiments of the present disclosure also provide a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute the steps of any one of the above method embodiments when run.
  • The above computer-readable storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk, a CD-ROM or other media that can store a computer program.
  • An embodiment of the present disclosure also provides an electronic device including a memory and a processor, where a computer program is stored in the memory and the processor is configured to run the computer program to execute the steps of any one of the above method embodiments.
  • The above electronic device may further include a transmission device and an input-output device, both connected to the above processor.
  • The modules or steps of the present disclosure can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed over a network composed of multiple computing devices; they can be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be performed in an order different from the one given here; or they can each be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module.
  • The present disclosure is not limited to any particular combination of hardware and software.
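The encryption-source and decryption-end behaviour described in the Figure 13 to 16 flow and implemented by the modules of FIG. 18 and FIG. 19 (an OAM security management frame every N OSU frames, the SFH carried before the N frames and the SFC after them, the receiver checking the frame count between adjacent OAM frames and authenticating before decrypting, N allowed to vary per period as Nz does), as an added Python simulation that is not part of the patent. The cipher is a constructed HMAC-SHA256 keystream standing in for the real block cipher, the 192-byte frames and the N schedule are constructed input, and the OamSecFrame class and the protect, recover and tamper functions are assumed names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

FRAME_LEN = 192        # OSU frame / PB length in bytes (from the page): 12 blocks of 128 bits
SFC_LEN = 16           # length of the constructed SFC tag


@dataclass
class OamSecFrame:
    """Constructed model of an OSU OAM security management frame (PM level only)."""
    n: int                  # number of OSU frames that follow until the next OAM frame
    pm_encrypted: bool      # encryption state of the PM level at the encryption source
    sfh: bytes              # SFH for the N frames that follow (here a 16-byte per-period IV)
    sfc: Optional[bytes]    # SFC for the N frames that precede this OAM frame (None in the first)


Stream = List[Union[OamSecFrame, bytes]]


def _keystream(key: bytes, sfh: bytes, nbytes: int) -> bytes:
    """Stand-in for the cipher: HMAC-SHA256 run in counter mode, keyed by (key, SFH).
    The SFH must never repeat under one key, exactly like a CTR-mode IV."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        out += hmac.new(key, sfh + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def _xor_frames(key: bytes, sfh: bytes, frames: List[bytes]) -> List[bytes]:
    """Encrypt or decrypt N consecutive OSU frames (N*12 blocks of 128 bits) as one unit."""
    ks = _keystream(key, sfh, FRAME_LEN * len(frames))
    return [bytes(a ^ b for a, b in zip(f, ks[i * FRAME_LEN:(i + 1) * FRAME_LEN]))
            for i, f in enumerate(frames)]


def _sfc(key: bytes, sfh: bytes, ct_frames: List[bytes]) -> bytes:
    """SFC: integrity check computed over the N ciphertext frames of one period."""
    return hmac.new(key, sfh + b"".join(ct_frames), hashlib.sha256).digest()[:SFC_LEN]


def protect(key: bytes, frames: List[bytes], n_schedule: List[int]) -> Stream:
    """Encryption source: emit an OAM security management frame, then N encrypted OSU
    frames, for each N in the schedule (fixed Nx/Ny, or a varying Nz per period).
    Each OAM frame carries N and the SFH of the period that follows it and the SFC of
    the period that precedes it; a closing OAM frame with N=0 carries the last SFC."""
    if any(len(f) != FRAME_LEN for f in frames) or sum(n_schedule) != len(frames):
        raise ValueError("frames must be 192 bytes and the schedule must cover them all")
    stream: Stream = []
    pos, prev_sfc = 0, None
    for period_index, n in enumerate(n_schedule):
        sfh = period_index.to_bytes(16, "big")       # unique per period under this key
        ct = _xor_frames(key, sfh, frames[pos:pos + n])
        stream.append(OamSecFrame(n, True, sfh, prev_sfc))
        stream.extend(ct)
        prev_sfc, pos = _sfc(key, sfh, ct), pos + n
    stream.append(OamSecFrame(0, True, b"", prev_sfc))
    return stream


def recover(key: bytes, stream: Stream) -> Tuple[List[bytes], List[str]]:
    """Decryption end: identify each OAM security management frame, check that exactly N
    OSU frames arrived since the previous one, authenticate them with the SFC carried in
    this OAM frame, and only then decrypt them with the SFH carried in the previous one.
    Frames of an unencrypted period are passed through transparently."""
    plain, results = [], []
    pending: Optional[Tuple[int, bytes]] = None    # (N, SFH) announced by the previous OAM frame
    buf: List[bytes] = []
    for item in stream:
        if not isinstance(item, OamSecFrame):
            buf.append(item)
            continue
        if pending is None:
            plain.extend(buf)                       # transparent transmission
        else:
            n, sfh = pending
            if len(buf) != n:
                results.append("period-length-mismatch")
            elif item.sfc is None or not hmac.compare_digest(_sfc(key, sfh, buf), item.sfc):
                results.append("sfc-failed")        # authenticate first; never decrypt unverified frames
            else:
                plain.extend(_xor_frames(key, sfh, buf))
                results.append("ok")
        pending = (item.n, item.sfh) if item.pm_encrypted else None
        buf = []
    return plain, results


def tamper(stream: Stream, index: int) -> Stream:
    """Flip one bit of the OSU frame at stream[index] (constructed fault for the demo)."""
    out = list(stream)
    frame = bytearray(out[index])
    frame[0] ^= 0x01
    out[index] = bytes(frame)
    return out
```

A flipped bit in any frame of a period fails that period's SFC and only that period is discarded; a dropped frame is caught by the N count check before any cryptographic work is done.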
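The identity authentication exchange of FIG. 17 (Steps 1 to 7 above), as an added Python model that is not the patent's own code. The page's "DF algorithm" is assumed here to be a Diffie-Hellman-style key agreement over a constructed toy-sized group; the fixed authentication information, user name and password are constructed values, and the Node class, the message field names and the per-step function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Constructed toy-sized group for the page's "DF algorithm", treated here as a
# Diffie-Hellman style exchange (assumption); a real deployment uses a standard group.
P = 2 ** 127 - 1
G = 5

Msg = Dict[str, Any]


@dataclass
class Node:
    name: str
    link_id: bytes          # fixed authentication information stored at both ends (e.g. port info)
    username: bytes         # credentials stored at both ends, only sent after one-way conversion
    password: bytes
    priv: int = 0           # this node's private key material
    ki: bytes = b""         # temporary Ki derived from both nodes' material
    encryption_started: bool = False


def _fixed_auth_info(node: Node) -> bytes:
    """One-way conversion of the stored fixed information before it is sent (Step 1)."""
    return hashlib.sha256(b"fixed|" + node.link_id).digest()


def _subject(node: Node) -> bytes:
    """Authentication subject: HASH of user name and password, as Step 5 allows."""
    return hashlib.sha256(node.username + b"|" + node.password).digest()


def _derive_ki(shared: int) -> bytes:
    """Temporary Ki from the agreed shared value (16-byte key)."""
    return hashlib.sha256(b"Ki|" + shared.to_bytes(16, "big")).digest()[:16]


def _crypt_material(ki: bytes, material: bytes) -> bytes:
    """Encrypt/decrypt 16 bytes of key material under Ki (one-block pad derived from Ki)."""
    pad = hashlib.sha256(b"pad|" + ki).digest()[:16]
    return bytes(a ^ b for a, b in zip(material, pad))


def a_request_type_i(a: Node) -> Msg:                       # Step 1
    a.priv = secrets.randbelow(P - 2) + 2
    return {"type": "REQ_I", "fixed": _fixed_auth_info(a), "material": pow(G, a.priv, P)}


def b_handle_request_type_i(b: Node, msg: Msg) -> Msg:      # Steps 2 and 3
    if not hmac.compare_digest(msg["fixed"], _fixed_auth_info(b)):
        return {"type": "RESP_II", "success": False}        # not the intended peer
    b.priv = secrets.randbelow(P - 2) + 2
    b.ki = _derive_ki(pow(msg["material"], b.priv, P))
    b_material = pow(G, b.priv, P)
    return {"type": "RESP_I", "material": b_material,
            "enc_material": _crypt_material(b.ki, b_material.to_bytes(16, "big"))}


def a_handle_response_type_i(a: Node, msg: Msg) -> Optional[Msg]:   # Steps 4 and 5
    if msg["type"] != "RESP_I":
        return None                                         # B reported authentication failure
    a.ki = _derive_ki(pow(msg["material"], a.priv, P))
    decrypted = _crypt_material(a.ki, msg["enc_material"])
    if not hmac.compare_digest(decrypted, msg["material"].to_bytes(16, "big")):
        return None                                         # B does not hold the same Ki
    return {"type": "REQ_II", "subject": _subject(a)}


def b_handle_request_type_ii(b: Node, msg: Msg) -> Msg:     # Step 6
    ok = hmac.compare_digest(msg["subject"], _subject(b))
    return {"type": "RESP_II", "success": ok}


def run_identity_authentication(a: Node, b: Node) -> bool:
    """Drive the whole exchange; True means A may start the encryption process (Step 7)."""
    resp = b_handle_request_type_i(b, a_request_type_i(a))
    req_ii = a_handle_response_type_i(a, resp)
    if req_ii is None:
        return False
    a.encryption_started = b_handle_request_type_ii(b, req_ii)["success"]
    return a.encryption_started
```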

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present disclosure provide a security management information processing method and apparatus for an optical transport network. The method comprises: inserting an OSU OAM security management frame every N OSU frames in an OSU and encrypting the N OSU frames; and carrying the encrypted security frame header (SFH) in the OSU OAM security management frame preceding the N OSU frames. This solves the problem in the related art of how to ensure the security of OSU transmission: the OSU OAM security management frame inserted every N OSU frames carries the security frame encapsulation information (SFH) used to encrypt the N OSU frames, so that secure transmission of the OSU frames is ensured.

Description

A method and device for processing security management information of an optical transport network
CROSS-REFERENCE TO RELATED APPLICATIONS
The present disclosure is based on Chinese patent application CN202110130725.2, filed on January 29, 2021 and entitled "A method and device for processing security management information of an optical transport network", and claims priority to that application, the entire disclosure of which is incorporated herein by reference.
Technical field
The embodiments of the present disclosure relate to the field of communications, and in particular to a method and device for processing security management information of an optical transport network.
Background
The industry has uniformly determined that the basic structure of a security frame consists of SFH+SFB+SFC. The SFH (Secure Frame Header) carries the security control information transmitted from the encryption end to the decryption end together with other control information associated with secure transmission; the SFB (Secure Frame Body) is the encrypted and/or authenticated payload part of the security frame; the SFC (Secure Frame Check) is the authentication check value of the security frame. The SFC and SFH are collectively called the encapsulation information of the security frame. The FlexO security implementation specifies that the security frame encapsulation information SFH and SFC is carried in the FlexO overhead. Because the ODU overhead has few reserved fields, the ODU security implementation has to consider transmitting the security frame encapsulation information SFH and SFC in a multiframe manner.
With the growth of demand for government and enterprise private-line services, the Sub-1G solution, OSU (Optical Service Unit) technology, has completed scheme convergence, and deployment testing is progressing. OSU technology mainly maps small-granularity services into OSUs, divides the payload area of the OTN (Optical Transport Network) frame into multiple PBs (Payload Blocks), multiplexes the OSU frames into the PB blocks according to a specific algorithm, and finally transmits the OSUs through the optical port. OSU supports state monitoring at the PM (Path Monitor) level and at multiple TCM (Tandem Connection Monitor) levels. The OSU standard project has been established, and partial consensus has been reached in the technical discussions. Under these circumstances, the security implementation scheme for OSU needs to be studied, and a corresponding solution needs to be delivered.
No solution has yet been proposed for the problem in the related art of how to ensure the security of OSU transmission.
SUMMARY
The embodiments of the present disclosure provide a method and device for processing security management information of an optical transport network, so as to at least solve the problem in the related art of how to ensure the security of OSU transmission.
According to one embodiment of the present disclosure, a method for processing security management information of an optical transport network is provided. The method includes: inserting an OSU OAM security management frame into the OSU every N OSU frames and encrypting the N OSU frames; and carrying the encrypted security frame header SFH in the OSU OAM (Operation Administration Maintenance) security management frame preceding the N OSU frames, where one OSU OAM security management frame is inserted into the OSU every N OSU frames.
According to another embodiment of the present disclosure, a device for processing security management information of an optical transport network is also provided. The device includes: an encryption module, configured to encrypt N OSU frames of an optical service unit OSU; and a bearing module, configured to carry the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames.
According to another embodiment of the present disclosure, a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to execute the steps of any one of the above method embodiments when run.
According to another embodiment of the present disclosure, an electronic device is also provided, including a memory and a processor, where a computer program is stored in the memory and the processor is configured to run the computer program to execute the steps of any one of the above method embodiments.
In the embodiments of the present disclosure, an OSU OAM security management frame is inserted into the OSU every N OSU frames, the N OSU frames are encrypted, and the encrypted security frame header SFH is carried in the OSU OAM security management frame preceding the N OSU frames. This solves the problem in the related art of how to ensure the security of OSU transmission: an OSU OAM security management frame is inserted every N OSU frames and carries the security frame encapsulation information (SFH) used to encrypt the N OSU frames, ensuring the secure transmission of the OSU frames.
附图说明Description of drawings
FIG. 1 is a hardware block diagram of a mobile terminal for the security management information processing method for an optical transport network according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of a security management information processing method for an optical transport network according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of a security management information processing method for an optical transport network according to a preferred embodiment of the present disclosure;
FIG. 4 is a schematic diagram of the Nx OSU frames covered by one OSU OAM security management frame;
FIG. 5 is a schematic diagram of the overhead byte positions of the OSU OAM security management frame;
FIG. 6 is a schematic diagram of the SFH and SFC of each level in the OSU OAM security management frame;
FIG. 7 is a schematic diagram of an identity authentication flow according to an optional embodiment of the present disclosure;
FIG. 8 is a schematic diagram of the message formats used in the identity authentication flow according to an optional embodiment of the present disclosure;
FIG. 9 is a schematic diagram of an OSU OAM security management frame with OSU encryption at the TCM1 level according to an optional embodiment of the present disclosure;
FIG. 10 is a schematic diagram of OSU encryption at the TCM1 level according to an optional embodiment of the present disclosure;
FIG. 11 is a schematic diagram of an OSU OAM security management frame with three-level encryption at the PM, TCM1 and TCM2 levels according to an optional embodiment of the present disclosure;
FIG. 12 is a schematic diagram of OSU encryption at the PM, TCM1 and TCM2 levels;
FIG. 13 is a schematic diagram of a security information processing flow in which Nx and Ny take a fixed OSU period and Nz takes a variable OSU period, according to an optional embodiment of the present disclosure;
FIG. 14 is a schematic diagram (1) of Nx and Ny taking a fixed OSU period and Nz taking a variable OSU period;
FIG. 15 is a schematic diagram (2) of Nx and Ny taking a fixed OSU period and Nz taking a variable OSU period;
FIG. 16 is a schematic diagram (3) of Nx and Ny taking a fixed OSU period and Nz taking a variable OSU period;
FIG. 17 is a flowchart showing concrete example messages of the identity authentication flow according to an optional embodiment of the present disclosure;
FIG. 18 is a structural diagram of a security management information processing apparatus for an optical transport network according to an embodiment of the present disclosure;
FIG. 19 is a structural diagram of a security management information processing apparatus for an optical transport network according to a preferred embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
It should be noted that the terms "first", "second" and the like in the description, the claims and the above drawings of the present disclosure are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
The method embodiments provided in this application may be executed on a mobile terminal, a computer terminal or a similar computing device. Taking execution on a mobile terminal as an example, FIG. 1 is a hardware block diagram of a mobile terminal for the security management information processing method for an optical transport network according to an embodiment of the present disclosure. As shown in FIG. 1, the mobile terminal may include one or more processors 102 (only one is shown in FIG. 1; the processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)) and a memory 104 for storing data. The mobile terminal may further include a transmission device 106 for communication and an input/output device 108. Those of ordinary skill in the art will understand that the structure shown in FIG. 1 is only schematic and does not limit the structure of the mobile terminal. For example, the mobile terminal may include more or fewer components than shown in FIG. 1, or a configuration different from that shown in FIG. 1.
The memory 104 may be used to store computer programs, for example the software programs and modules of application software, such as the computer program corresponding to the security management information processing method for an optical transport network in the embodiments of the present disclosure. The processor 102 runs the computer program stored in the memory 104 and thereby executes the various functional applications and data processing, that is, implements the method described above. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102 and connected to the mobile terminal through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network include a wireless network provided by the communication provider of the mobile terminal. In one example, the transmission device 106 includes a network interface controller (NIC) that connects to other network devices through a base station and thereby communicates with the Internet. In another example, the transmission device 106 is a radio frequency (RF) module used to communicate with the Internet wirelessly.
This embodiment provides a security management information processing method for an optical transport network that runs on the above mobile terminal or network architecture. FIG. 2 is a flowchart (1) of the method according to an embodiment of the present disclosure. As shown in FIG. 2, the flow includes the following steps:
Step S202: insert an OSU OAM security management frame into the OSU every N OSU frames, and encrypt the N OSU frames;
Step S204: carry the security frame header (SFH) of the encryption in the OSU OAM security management frame that precedes the N OSU frames.
Through steps S202 to S204, an OSU OAM security management frame is inserted into the OSU every N OSU frames, the N OSU frames are encrypted, and the SFH of the encryption is carried in the OSU OAM security management frame preceding them. This addresses the problem in the related art of how to secure OSU transmission: the OSU OAM security management frame inserted every N OSU frames carries the security frame encapsulation information (the SFH) used to encrypt those N OSU frames, so the OSU frames are transmitted securely.
In an optional embodiment, the method further includes: performing the integrity computation required for authentication over the N OSU frames, and carrying the security frame check (SFC) required for authentication in the OSU OAM security management frame that follows the N OSU frames.
That is, an integrity value is computed over the N OSU frames and the SFC is carried in the OSU OAM security management frame.
In an optional embodiment, before step S202 the method further includes: performing two-way identity authentication with the encryption sink.
That is, before the OSU frames are encrypted, two-way identity authentication with the encryption sink is also required. Specifically: a first identity authentication request message carrying authentication information and processed first private key information is sent to the encryption sink; a first identity authentication response message is received, which the encryption sink sends after authenticating with the authentication information and passing, and which carries processed second private key information and encrypted information, the encrypted information being the second private key information encrypted by the encryption sink with a temporary key K derived from the processed first private key information and the second private key information; the temporary key K is derived locally from the first private key information and the processed second private key information, the encrypted information is decrypted with K to obtain the second private key information, and if that second private key information is consistent with the processed second private key information carried in the first identity authentication response message, a second identity authentication request message carrying authentication subject information is sent to the encryption sink; and a second identity authentication response message is received, which the encryption sink sends after checking the authentication subject information and passing, and which carries authentication success information.
In short, two-way identity authentication with the encryption sink proceeds as follows: first send an identity authentication request to the encryption sink and receive the authentication response; obtain the encrypted information and the temporary key K, and recover the second private key information with K; once the second private key information is verified to be consistent, send the second authentication request and receive the authentication result.
In an optional embodiment, after the security frame encapsulation information of the N OSU frames has been carried in the OSU OAM security management frame, the OSU frames carrying the OSU OAM security management frame are sent to the encryption sink, which decrypts the OSU frames according to the OSU OAM security management frame.
That is, once the security frame encapsulation information is carried in the OSU OAM security management frame, the OSU frames are sent to the encryption sink that decrypts them; the security frame encapsulation information includes the SFH and/or the SFC.
In an optional embodiment, step S202 may specifically include: if no OSU OAM security management frame is detected in the OSU, the current encryption level A of the OSU is the first of the M encryption levels of the OSU frame to be started; the OSU OAM security management frame is inserted every N OSU frames, the N OSU frames are encrypted, the encryption state of level A in the OAM frame is set to "encrypted", and the N value in the frame is set to a known value.
In an optional embodiment, if an OSU OAM security management frame is detected in the OSU, the current encryption level A of the OSU is not the first of the M encryption levels of the OSU frame to be started; the N OSU frames are encrypted, and the resulting security encapsulation information is carried in the overhead corresponding to encryption level B of the OSU OAM management frame.
That is, before the OSU frames are encrypted it must first be determined whether the current level is the first encryption level to be started; if so, an OSU OAM security management frame is inserted every N OSU frames; if not, the OSU OAM security management frame already present is identified in the OSU frames.
In an optional embodiment, the encryption function of the OSU frames is started, or the encryption and authentication functions of the OSU frames are started.
That is, the encryption function of the OSU frames must be started first, and only then is it determined whether the current level is the first encryption level to be started; alternatively, the authentication function of the OSU frames must be started first, and only then is that determination made.
In an optional embodiment, the value of N is determined according to the bandwidth available to the OSU security management frame and the encryption processing delay requirement.
That is, N is determined first, and only then is it determined whether the current level is the first encryption level to be started.
In an optional embodiment, after the OSU OAM security management frame is identified in the OSU frames, the encryption state of the encryption source of level A and the value of N are obtained from the OSU OAM security management frame, and at the same time it is determined to enable the encryption function, or the encryption and authentication functions, of encryption level B; the encryption state of level B is set to "encrypted" and carried in the OSU OAM security management frame.
That is, after the OSU OAM security management frame is identified in the OSU frames, the encryption state of the level A encryption source and the value of N are read from it, the encryption function (or encryption and authentication functions) is started, and the encryption state of level B is set to "encrypted" and carried in the OSU OAM security management frame.
In an optional embodiment, step S204 includes: carrying the security frame encapsulation information in the overhead corresponding to encryption level A in the OSU OAM security management frame.
That is, to carry the SFH in the OSU OAM security frame, the security frame encapsulation information is placed in the overhead corresponding to level A. The OSU OAM security management frame includes overhead for storing the encryption state of each of the M encryption levels, overhead for storing the N value, and, for each of the M encryption levels, overhead for storing the security frame header SFH and/or the security frame check SFC; the security frame encapsulation information includes the SFH and/or the SFC.
In an optional embodiment, the value of N and the "encrypted" state of the current encryption level are carried in the OSU OAM security management frame. That is, the N value and the encrypted state can also be carried in the OSU OAM security management frame.
FIG. 3 is a flowchart of a security management information processing method for an optical transport network according to a preferred embodiment of the present disclosure. As shown in FIG. 3, the flow includes the following steps:
Step S302: identify the OSU OAM security management frame in the received OSU;
Step S304: decrypt the OSU according to the OSU OAM security management frame.
In an optional embodiment, step S304 includes: identifying the encryption state of encryption level A from the OSU OAM security management frame; and, where the encryption state of level A is "encrypted" and this node is the decryption end of level A, decrypting the OSU according to the OSU OAM security management frame.
That is, to decrypt the OSU frames according to the OSU OAM security management frame, the encryption state of level A is identified first, and the OSU is then decrypted according to the OSU OAM security management frame.
In an optional embodiment, step S304 includes: extracting the value of N and the SFH from the OSU OAM security management frame; determining whether the number of OSU frames between adjacent OAM frames in the OSU frames equals N; and, if so, decrypting the N OSU frames with the SFH to obtain the plaintext OSU.
That is, to decrypt the OSU frames according to the OSU OAM security management frame, it is first confirmed that the number of OSU frames between adjacent OAM frames is N, and the OSU frames are then decrypted with the SFH to obtain the plaintext OSU.
In an optional embodiment, decrypting the N OSU frames with the SFH to obtain the plaintext OSU includes: if the OSU OAM security management frame also carries the security frame check SFC used to authenticate the N OSU frames, authenticating the N OSU frames with the SFC; and, after authentication passes, decrypting the N OSU frames with the SFH to obtain the plaintext OSU.
That is, the N OSU frames are authenticated with the SFC first, and only then decrypted with the SFH to obtain the plaintext OSU frames.
In an optional embodiment, the method further includes: where the encryption state of level A is "encrypted" and this node is not the decryption end of level A, passing the OSU frames through transparently.
That is, a node that sees the encrypted state but is not the decryption end passes the OSU frames through unchanged.
In an optional embodiment, the encryption state of level A in the OSU OAM security management frame is set to "unencrypted". That is, the encryption state can also be cleared and set to unencrypted.
In an optional embodiment, OSU security combining authentication with encryption is implemented as follows:
Step 1: after the OSUP or OSUT is generated, any level Q may be chosen to enable encryption and authentication. If the current level Q is the first level, among all levels of this OSU service, to enable encryption, the local end inserts an OSU OAM security management frame every Nx OSU frames and carries in it the security frame encapsulation information generated by encrypting and authenticating the Nx OSU frames. If the encryption source of this level is not the first encryption level enabled for the OSU service, it identifies the OSU OAM security management frame already present in the OSU frames and carries the security frame encapsulation information generated by encrypting and authenticating the Nx OSU frames in that frame.
Step 2: carry the Nx value in the OSU OAM security management frame. Nx may vary over time for the same OSU service; Nx is the number of OSU frames between two OSU OAM security management frames. FIG. 4 shows the Nx OSU frames covered by one OSU OAM security management frame. The choice of Nx must balance three factors: the bandwidth consumed by the OSU OAM security management frame, the buffering and delay introduced by OSU encryption and authentication, and the block size of the encryption algorithm.
Step 3: FIG. 5 shows the overhead byte positions of the OSU OAM security management frame. In the overhead of the OSU OAM security management frame, a state indication is defined for each of the M encryption levels of the OSU, distinguishing the encrypted state from the unencrypted state.
Step 4: if the encryption source of level Q does not enable encryption and authentication, the encryption state of that level is set to unencrypted and the OSU OAM security management frames of the other levels are passed through transparently. If the encryption source of level Q enables encryption and authentication, the encryption state of level Q is set to encrypted.
Step 5: FIG. 6 shows the SFH and SFC of each level in the OSU OAM security management frame. The encryption source of level Q divides the Nx OSU frames between adjacent OSU OAM management frames into 128-bit blocks, encrypts and authenticates them, and carries the resulting security frame encapsulation information in the fields of the OSU OAM security management frame that correspond to its level.
Step 6: the encryption sink node identifies the OSU OAM security management frame, reads the encryption state of a given level Q from it, and determines whether this node is the decryption end for level Q. If it is, it extracts the Nx value and the security encryption overhead from the OSU OAM security management frame and checks whether the number of OSU frames between two adjacent OSU OAM frames equals Nx; if so, it authenticates and decrypts the Nx OSU frames with the security encryption overhead and obtains the plaintext decrypted at level Q of the OSU. If this node is not the decryption end for level Q, or this node has enabled encryption at a level P with P not equal to Q, the corresponding OAM security management frames and OSU frames are passed through transparently.
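The following Python simulation is an added worked example and is not code from the patent or from ZTE. It models steps 1 to 6 above together with the receiving side of steps S302/S304: the first level to start inserts an OAM security management frame every N OSU frames, every level writes its SFH into the OAM frame before the N frames and its SFC into the OAM frame after them, and a sink checks the level's state and the N spacing, verifies the SFC and only then decrypts. It then runs the three-level PM, TCM1 and TCM2 path described later for FIG. 11. The page does not name the cipher, so the 128-bit block cipher is replaced by an HMAC-SHA256 counter-mode keystream, the SFH is assumed to carry a 16-byte per-level nonce and the SFC a 16-byte truncated HMAC tag; the OamFrame class, the dictionary layout and the payload are constructed for the example.

```python
import copy, hashlib, hmac, secrets
from dataclasses import dataclass, field

OSU_LEN = 192                       # bytes per OSU frame: 12 blocks of 128 bits (from the page)
LEVELS = ("PM", "TCM1", "TCM2")     # three of the M encryption levels


@dataclass
class OamFrame:
    """Simulated OSU OAM security management frame overhead: N, per-level state, SFH, SFC."""
    n: int
    state: dict = field(default_factory=lambda: {lv: False for lv in LEVELS})
    sfh: dict = field(default_factory=dict)   # level -> nonce for the N frames that follow
    sfc: dict = field(default_factory=dict)   # level -> tag over the N frames that precede


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an assumed stand-in for the page's 128-bit block cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def to_osu_frames(client: bytes) -> list:
    """Map a client payload into fixed-size OSU frames (zero padded)."""
    client += b"\0" * (-len(client) % OSU_LEN)
    return [client[i:i + OSU_LEN] for i in range(0, len(client), OSU_LEN)]


def groups(stream: list) -> list:
    # Index pairs (a, b) of adjacent OAM frames; the OSU frames between them are stream[a+1:b].
    idx = [i for i, x in enumerate(stream) if isinstance(x, OamFrame)]
    return list(zip(idx, idx[1:]))


def encrypt_level(stream: list, level: str, key: bytes, n: int = None) -> list:
    """Encryption source of `level`: steps S202/S204 and step 1 of the procedure above."""
    out = copy.deepcopy(stream)
    if not any(isinstance(x, OamFrame) for x in out):
        # First level to start on this service: insert an OAM frame every n OSU frames.
        if not n or len(out) % n:
            raise ValueError("the first level needs an N that divides the OSU frame count")
        out = [x for i in range(0, len(out), n) for x in (OamFrame(n), *out[i:i + n])]
        out.append(OamFrame(n))                 # trailing frame carries the last group's SFC
    for a, b in groups(out):
        data = b"".join(out[a + 1:b])
        nonce = secrets.token_bytes(16)
        ct = xor(data, keystream(key, nonce, len(data)))
        out[a].sfh[level] = nonce               # SFH goes in the OAM frame before the N frames
        out[b].sfc[level] = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # SFC after
        out[a + 1:b] = [ct[j:j + OSU_LEN] for j in range(0, len(ct), OSU_LEN)]
    for x in out:
        if isinstance(x, OamFrame):
            x.state[level] = True               # mark this level "encrypted"
    return out


def decrypt_level(stream: list, level: str, key: bytes) -> list:
    """Decryption sink of `level`: steps S302/S304 and step 6. Authenticate first, then decrypt."""
    out = copy.deepcopy(stream)
    for a, b in groups(out):
        head, tail = out[a], out[b]
        if not head.state[level]:
            raise ValueError(f"{level}: source state is not 'encrypted'")
        if b - a - 1 != head.n:
            raise ValueError(f"{level}: {b - a - 1} OSU frames between OAM frames, expected {head.n}")
        ct = b"".join(out[a + 1:b])
        tag = hmac.new(key, head.sfh[level] + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, tail.sfc.get(level, b"")):
            raise ValueError(f"{level}: SFC integrity check failed")
        pt = xor(ct, keystream(key, head.sfh[level], len(ct)))
        out[a + 1:b] = [pt[j:j + OSU_LEN] for j in range(0, len(pt), OSU_LEN)]
    for x in out:
        if isinstance(x, OamFrame):
            x.state[level] = False              # clear this level's encrypted state
    return out


def demo() -> tuple:
    """Path of FIG. 11: PM at A1, TCM1 A2->B1, TCM2 B2->C1, PM removed at C2; then a tamper test."""
    k_pm, k_tcm1, k_tcm2 = (secrets.token_bytes(16) for _ in range(3))
    osu = to_osu_frames(bytes(range(256)) * 96)             # constructed payload: 128 OSU frames
    s = encrypt_level(osu, "PM", k_pm, n=64)                # A1: first level, inserts OAM frames
    s = encrypt_level(s, "TCM1", k_tcm1)                    # A2: reuses the existing OAM frames
    s = decrypt_level(s, "TCM1", k_tcm1)                    # B1
    s = encrypt_level(s, "TCM2", k_tcm2)                    # B2
    s = decrypt_level(s, "TCM2", k_tcm2)                    # C1
    clear = decrypt_level(s, "PM", k_pm)                    # C2
    ok = [x for x in clear if not isinstance(x, OamFrame)] == osu
    bad = copy.deepcopy(s)                                  # flip one ciphertext bit before C2
    bad[1] = bytes([bad[1][0] ^ 1]) + bad[1][1:]
    try:
        decrypt_level(bad, "PM", k_pm)
        detected = False
    except ValueError:
        detected = True
    return ok, detected
```

`demo()` returns `(True, True)`: the client frames survive three nested encrypt/decrypt levels, and a single flipped ciphertext bit is caught by the PM-level SFC at C2 before any decryption happens. The order in `decrypt_level` matters: the N-spacing check and the SFC verification run before the keystream is applied, which is what the page's "authenticate, then decrypt" ordering requires; a sink that decrypted first and checked later would hand unauthenticated plaintext downstream on a failed check.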
In an optional embodiment, OSU security combining encryption with identity authentication is implemented as follows:
Before the encryption algorithm is started, identity verification is performed; once the source end and the receiving end have authenticated each other, the encryption flow is started. The identity authentication flow is also run when the service recovers from an interruption or when the cipher suite switches to an encryption-only algorithm. FIG. 7 shows the identity authentication flow according to an optional embodiment of the present disclosure, which includes:
Step S1: identity authentication request message, type I;
Step S2: identity authentication response message, type I or type II;
Step S3: identity authentication request message, type II, or response message, type II;
Step S4: identity authentication response message, type II.
FIG. 8 shows the message formats used in the identity authentication flow according to an optional embodiment of the present disclosure. As shown in FIG. 8, the type I identity authentication request includes fixed authentication information and private key material; the type I identity authentication response includes random authentication information and private key material; the type II identity authentication request includes authentication subject information; and the type II identity authentication response includes the authentication result.
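The two-way identity authentication exchange described in the optional embodiment above (the type I and type II request and response messages, the temporary key K and the consistency check on the recovered key material) is shown below as an added Python example; it is not code from the patent or from ZTE. The page does not say what the "private key material" or the "authentication information" are, so this example assumes a Diffie-Hellman exchange over the 2048-bit MODP prime of RFC 3526 group 14 (the "processed private key information" is the DH public value), derives K as the SHA-256 hash of the DH shared secret, implements the "fixed" and "random" authentication information as HMAC-SHA256 tags under a pre-shared key that bind the key material (and a fresh nonce in the response), and implements the "encrypted information" as the sink's public value encrypted under K with an HMAC-based keystream so the source can decrypt and compare it as the text describes. The Party class, the field names and the pre-shared key are constructed for the example.

```python
import hashlib, hmac, secrets

# 2048-bit MODP prime (RFC 3526 group 14); check the constant against the RFC before real use.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PSK = secrets.token_bytes(32)   # constructed pre-shared key behind the "authentication information"


def kdf(shared: int) -> bytes:
    """Temporary key K = SHA-256 of the DH shared secret (assumption, not from the page)."""
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Party:
    """One end of the exchange (encryption source or encryption sink)."""
    def __init__(self, ident: bytes):
        self.ident = ident
        self.priv = secrets.randbelow(P - 2) + 1                # "private key information"
        self.pub = pow(G, self.priv, P).to_bytes(256, "big")    # "processed" private key information
        self.k = None
        self.nonce = None

    def derive_k(self, peer_pub: bytes) -> bytes:
        return kdf(pow(int.from_bytes(peer_pub, "big"), self.priv, P))


def source_request_1(a: Party) -> dict:
    """Type I request: fixed authentication information + the source's key material."""
    return {"type": 1, "id": a.ident, "pub": a.pub, "auth": mac(PSK, b"fixed", a.ident, a.pub)}


def sink_response_1(b: Party, req: dict) -> dict:
    """Type I response: verify the request, derive K, return key material and its encryption under K."""
    if not hmac.compare_digest(req["auth"], mac(PSK, b"fixed", req["id"], req["pub"])):
        raise PermissionError("request I: authentication information rejected")
    b.k = b.derive_k(req["pub"])
    b.nonce = secrets.token_bytes(16)                         # "random authentication information"
    enc = bytes(x ^ y for x, y in zip(b.pub, keystream(b.k, b"confirm", len(b.pub))))
    return {"type": 1, "nonce": b.nonce, "pub": b.pub, "enc": enc,
            "auth": mac(PSK, b"random", b.nonce, b.pub, req["pub"])}


def source_request_2(a: Party, resp: dict) -> dict:
    """Check the response, confirm K by decrypt-and-compare, then send the type II request."""
    if not hmac.compare_digest(resp["auth"], mac(PSK, b"random", resp["nonce"], resp["pub"], a.pub)):
        raise PermissionError("response I: authentication information rejected")
    a.k = a.derive_k(resp["pub"])
    dec = bytes(x ^ y for x, y in zip(resp["enc"], keystream(a.k, b"confirm", len(resp["enc"]))))
    if not hmac.compare_digest(dec, resp["pub"]):
        raise PermissionError("response I: decrypted key material inconsistent, K mismatch")
    # Type II request: authentication subject information, bound to K and the sink's nonce.
    return {"type": 2, "subject": a.ident, "proof": mac(a.k, b"subject", resp["nonce"], a.ident)}


def sink_response_2(b: Party, req: dict) -> dict:
    """Type II response: the authentication result."""
    ok = hmac.compare_digest(req["proof"], mac(b.k, b"subject", b.nonce, req["subject"]))
    return {"type": 2, "result": "success" if ok else "failure"}


def run_handshake(a: Party, b: Party) -> dict:
    """Steps S1 to S4 between an encryption source a and an encryption sink b."""
    s1 = sink_response_1(b, source_request_1(a))
    s2 = sink_response_2(b, source_request_2(a, s1))
    return {"result": s2["result"], "same_k": a.k == b.k}


def tampered_request_is_rejected() -> bool:
    """A type I request whose key material was swapped in transit fails the sink's check."""
    a, b = Party(b"A2"), Party(b"B1")
    r1 = source_request_1(a)
    r1["pub"] = Party(b"MITM").pub          # attacker substitutes its own DH value
    try:
        sink_response_1(b, r1)
    except PermissionError:
        return True
    return False
```

`run_handshake(Party(b"A2"), Party(b"B1"))` returns `{"result": "success", "same_k": True}`. The decrypt-and-compare step on the type I response only confirms that both ends hold the same K; on its own it does not authenticate anybody, because any party that sees the source's public value can derive a matching K. What stops a man-in-the-middle from substituting its own DH value is the authentication information binding the key material to the pre-shared key, which `tampered_request_is_rejected()` demonstrates.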
FIG. 9 shows an OSU OAM security management frame with OSU encryption at the TCM1 level according to an optional embodiment of the present disclosure. As shown in FIG. 9, nodes A and B each correspond to an OTN device with combined tributary and line functions. A1 and A2 are different function points of node A: A1 maps the client service into an OSUP (or extracts the client service from the OSUP), and A2 handles OSUT overhead processing and adaptation for multiplexing into the OPU (or demultiplexing from the OPU to the OSU and OSUT overhead processing). B1 and B2 are the corresponding function points of node B and perform the inverse of A1 and A2. The flow includes the following steps:
Step S1: the CBR client service is mapped into an OSU; PM encryption is not enabled;
Step S2: OSU frames are generated; Nx is determined, encryption and authentication are completed, and Nx and the TCM1 "encrypted" state are inserted into the OAM security management frame;
Step S3: OSU frames plus OSU OAM security management frames are generated; the receiving end knows locally that TCM1-level encryption is enabled, identifies the OSU OAM security management frame, obtains the Nx value and the "encrypted" state of the TCM1 encryption source, performs authentication and decryption, and clears the TCM1 encryption-enabled state;
Step S4: OSU frames are generated;
Step S5: the CBR client service ClientA is recovered.
Specifically: Step 1: at A1, after service ClientA is mapped into the OSU, the OSU and the PB are both 192 bytes long and are divided into 12 128-bit blocks. Encryption is not enabled at the PM level, so no OAM security management frame is inserted.
Step 2: A2 learns from its local configuration that TCM1 encryption is enabled and recognizes TCM1 as the first encryption level enabled for the current OSU service; it determines Nx. Balancing the constraints on Nx, Nx may be 64; when combined with the identity authentication flow, a larger Nx such as 128 may be considered.
Step 3: A2 inserts an OAM security management frame every 64 OSU frame periods and carries Nx = 64 and the TCM1 "encrypted" state in it. The 64 consecutive OSU frames, i.e. 768 128-bit blocks, are encrypted and authenticated, and the resulting OSU security frame encapsulation information is carried in the TCM1 security frame encapsulation fields of the OSU OAM security management frame, as shown in FIG. 10, which illustrates OSU encryption at the TCM1 level according to an optional embodiment of the present disclosure.
Step 4: B1 identifies the OSU OAM security management frame and learns from it that the TCM1 source is in the encrypted state, that Nx = 64, and the security frame encapsulation information produced by encryption and authentication; it also knows from its local configuration that TCM1-level encryption and authentication is enabled and therefore that it is the TCM1 decryption end. It then checks whether the number of OSU frames between two adjacent OSU OAM security management frames equals Nx; if so, it authenticates and decrypts the Nx OSU frames with the security frame encapsulation information and obtains the plaintext OSU decrypted at the TCM1 level.
Step 5: B2 demaps the plaintext OSU and obtains service ClientA.
Figure 11 is a schematic diagram of an OSU OAM security management frame with three-level PM+TCM1+TCM2 encryption according to an optional embodiment of the present disclosure. Node A and node B are connected through an OTU2, and node B and node C are connected through an OTU4. The client side accesses the CBR service ClientA at a rate of 155.520 Mbit/s, which is mapped into OSU frames, and PM-level encryption and authentication is performed on the OSU at the A1 end. At the A2 end TCM1-level encryption and authentication is performed on the OSU, at the B1 end TCM1-level authentication and decryption, at the B2 end TCM2-level encryption and authentication, and at the C1 end TCM2-level authentication and decryption. At the C2 end the OSU PM level is authenticated and decrypted, finally yielding the CBR service ClientA. As shown in Figure 11, the flow includes:
Step S1: The CBR service Client is mapped into an OSU and the encryption period is determined to be Nx; at the same time, once encryption and authentication of Nx frames is complete, Nx, the PM encryption state (set to encrypted) and the security frame encapsulation information produced by encryption and authentication are inserted into the OAM security management frame;
Step S2: Generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the PM encrypted state and Nx, start TCM1 encryption and authentication at this end, and insert the TCM1 encryption-enabled state into the current OAM frame;
Step S3: Generate the OAM security management frame; at the same time, learn locally that TCM1 encryption and authentication is enabled, identify the OAM security management frame, obtain the encrypted state of the PM+TCM1 encryption source and the OSU frame period Nx, perform TCM1-layer authentication and decryption, and clear the TCM1 encryption-enabled state;
Step S4: Generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the encrypted state of the PM encryption source and Nx, start TCM2 encryption and authentication at this end, and insert the TCM2 encryption-enabled state into the current OAM frame;
Step S5: Generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the encrypted state of the PM+TCM2 encryption source and Nx, perform TCM2-layer authentication and decryption, and clear the TCM2 encryption-enabled state;
Step S6: Generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the encrypted state of the PM encryption source and Nx, perform PM-layer authentication and decryption, process the OAM security management frame, and obtain the original OSU (CBR) content;
Step S7: Obtain the service ClientA.
Specifically, this includes: Step 1: At the A1 end, after the service ClientA is mapped into the OSU, the OSU and PB are both 192 bytes long and are divided into 12 128-bit blocks. The A1 end learns locally that PM-layer encryption is enabled on this end; since the PM layer is the first level at which encryption and authentication is started, it determines the Nx value. Balancing the constraints on Nx, Nx may take the value 64; when combined with the identity authentication procedure, a larger Nx such as 128 may be considered.
Step 2: The A1 end inserts an OAM security management frame every 64 OSU frame periods and carries Nx=64 and the PM-level encrypted state in that OSU OAM security management frame. It encrypts and authenticates 64 consecutive OSU frames, i.e. 768 128-bit blocks, and carries the OSU security frame encapsulation information produced by encryption and authentication in the PM-level security frame encapsulation information of the OSU OAM security management frame, as shown in Figure 12, which is a schematic diagram of OSU encryption at the PM, TCM1 and TCM2 layers.
Step 3: After the A2 end recognizes the OSU OAM security management frame, it learns from it that the PM-layer source end is in the encrypted state and that the Nx value is 64. At the same time it learns locally that TCM1-level encryption and authentication is enabled on this end, determines that this end is the TCM1-level encryption source, and sets the TCM1-level encryption state to encrypted, carried in that OSU OAM security management frame. The A2 end then authenticates and encrypts the 64 consecutive OSU frames at the TCM1 level and carries the OSU security frame encapsulation information produced by encryption and authentication in the TCM1-level security frame encapsulation information of the current OSU OAM security management frame.
Step 4: After the B1 end recognizes the OSU OAM security management frame, it learns from it that the PM+TCM1-layer source ends are in the encrypted state and that the Nx value is 64, and obtains the PM-level and TCM1-level security frame encapsulation information produced by encryption and authentication. At the same time it learns locally that TCM1-level encryption and authentication is enabled on this end, determines that this end is the TCM1-level decryption end, clears the TCM1 encryption state in the OAM frame to unencrypted, and further checks whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx=64. If so, it authenticates and decrypts the Nx OSU frames using the security frame encapsulation information, obtaining the plaintext decrypted at the OSU TCM1 level.
Step 5: After the B2 end recognizes the OSU OAM security management frame, it learns from it that the PM-layer source end is in the encrypted state and that the Nx value is 64, and obtains the PM-level security frame encapsulation information produced by encryption and authentication. At the same time it learns locally that TCM2-level encryption and authentication is enabled on this end, determines that this end is the TCM2-level encryption source, and sets the TCM2-level encryption state to encrypted, carried in that OSU OAM security management frame. The B2 end then encrypts and authenticates the 64 consecutive OSU frames at the TCM2 level and carries the OSU security frame encapsulation information produced by encryption and authentication in the TCM2-level security frame encapsulation information of the current OSU OAM security management frame.
Step 6: After the C1 end recognizes the OSU OAM security management frame, it learns from it that the PM+TCM2-layer source ends are in the encrypted state and that the Nx value is 64, and obtains the PM-level and TCM2-level security frame encapsulation information produced by encryption and authentication. At the same time it learns locally that TCM2-level encryption and authentication is enabled on this end, determines that this end is the TCM2-level decryption end, clears the TCM2 encryption state in the OAM frame to unencrypted, and further checks whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx=64. If so, it authenticates and decrypts the Nx OSU frames using the security frame encapsulation information, obtaining the plaintext decrypted at the OSU TCM2 level.
Step 7: After the C2 end recognizes the OSU OAM security management frame, it learns from it that the PM-layer source end is in the encrypted state and that the Nx value is 64, and obtains the PM-level security frame encapsulation information produced by encryption and authentication. At the same time it learns locally that PM-level encryption and authentication is enabled on this end, determines that this end is the PM-level decryption end, clears the PM encryption state in the OAM frame to unencrypted, and further checks whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx=64. If so, it authenticates and decrypts the Nx OSU frames using the security frame encapsulation information, obtaining the plaintext decrypted at the OSU PM level.
Step 8: The C2 end demaps the OSU to obtain the service ClientA.
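The end-to-end handling of Figure 11, written out as an added Python example that is not part of the patent: each node end is configured as the encryption source or decryption end of one layer (or neither, in which case the OSU is passed through), the OAM security management record carries N, the per-layer encryption state, SFH and SFC, and a decryption end checks the frame count against N and authenticates with the SFC before decrypting with the SFH. The cipher (a SHA-256 counter keystream with an HMAC tag) and the single per-period record holding both SFH and SFC are assumptions of this example, not the page's design.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

LAYERS = ("PM", "TCM1", "TCM2")   # the M = 3 encryption levels of Figure 11
FRAME_LEN = 192                    # OSU frame length in bytes (12 x 128-bit blocks)


@dataclass
class OamFrame:
    """OAM security management record for one period of N OSU frames.
    The page carries the SFH in the OAM frame before the N frames and the SFC in
    the one after them; this example (an assumption) keeps both in one record."""
    n: int
    state: dict = field(default_factory=lambda: {l: False for l in LAYERS})
    sfh: dict = field(default_factory=dict)   # per layer: nonce = security frame header
    sfc: dict = field(default_factory=dict)   # per layer: tag = security frame check


@dataclass
class Period:
    oam: Optional[OamFrame]
    frames: list   # the N OSU frames (bytes) between two OAM frames


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256; a stand-in for the cipher the page
    leaves unspecified (assumption of this example)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _apply(key, nonce, frames):
    """XOR each frame with its own keystream (frame index folded into the nonce)."""
    return [bytes(a ^ b for a, b in zip(f, _keystream(key, nonce + i.to_bytes(2, "big"), len(f))))
            for i, f in enumerate(frames)]


def _sfc(key, layer, oam, frames):
    """HMAC over the layer name, N, the layer's SFH and the N (cipher)frames."""
    h = hmac.new(key, layer.encode() + oam.n.to_bytes(2, "big") + oam.sfh[layer], hashlib.sha256)
    for f in frames:
        h.update(f)
    return h.digest()


def encrypt_layer(key, layer, period):
    """Encryption source of `layer`: encrypt the N frames, then carry the SFH, the
    SFC and the layer's encrypted state in the OAM record."""
    oam = period.oam
    if oam.state[layer]:
        raise ValueError(f"{layer} is already in the encrypted state upstream")
    oam.sfh[layer] = os.urandom(12)
    period.frames = _apply(key, oam.sfh[layer], period.frames)
    oam.sfc[layer] = _sfc(key, layer, oam, period.frames)
    oam.state[layer] = True


def decrypt_layer(key, layer, period):
    """Decryption end of `layer`: check that the frame count equals N, authenticate
    with the SFC, and only then decrypt with the SFH and clear the layer's state."""
    oam = period.oam
    if not oam.state[layer]:
        raise ValueError(f"{layer} source is not in the encrypted state")
    if len(period.frames) != oam.n:
        raise ValueError("frame count between OAM frames != N; not decrypting")
    if not hmac.compare_digest(oam.sfc[layer], _sfc(key, layer, oam, period.frames)):
        raise ValueError(f"{layer} SFC authentication failed")
    period.frames = _apply(key, oam.sfh.pop(layer), period.frames)
    del oam.sfc[layer]
    oam.state[layer] = False


def process(node, period, n=64):
    """One node end. `node` maps a layer to ("source"|"sink", key); any layer the
    node is not configured for is passed through transparently."""
    if period.oam is None:                # the first encrypting level creates the OAM frame
        period.oam = OamFrame(n=n)
    for layer in LAYERS:
        if layer in node:
            role, key = node[layer]
            (encrypt_layer if role == "source" else decrypt_layer)(key, layer, period)
    return period


def run_figure11(n=64):
    """A1 PM-encrypt, A2 TCM1-encrypt, B1 TCM1-decrypt, B2 TCM2-encrypt,
    C1 TCM2-decrypt, C2 PM-decrypt. Returns (plaintext recovered?, state trace)."""
    keys = {l: hashlib.sha256(l.encode()).digest() for l in LAYERS}   # constructed keys
    plain = [bytes([i]) * FRAME_LEN for i in range(n)]                # constructed OSU frames
    chain = [{"PM": ("source", keys["PM"])}, {"TCM1": ("source", keys["TCM1"])},
             {"TCM1": ("sink", keys["TCM1"])}, {"TCM2": ("source", keys["TCM2"])},
             {"TCM2": ("sink", keys["TCM2"])}, {"PM": ("sink", keys["PM"])}]
    period, trace = Period(None, list(plain)), []
    for node in chain:
        process(node, period, n)
        trace.append(dict(period.oam.state))
    return period.frames == plain, trace
```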
Figure 13 is a schematic diagram of a security information processing flow in which Nx and Ny use a fixed OSU period and Nz uses a non-fixed OSU period, according to an optional embodiment of the present disclosure. Node A and node B are connected through an OTU2. The client side carries three different services, ClientA, ClientB and ClientC: ClientA is a CBR service at a rate of 155 Mbit/s, ClientB is a PKT service with a maximum guaranteed traffic of 100 Mbit/s, and ClientC is a PKT service with a maximum guaranteed traffic of 200 Mbit/s. The three services are mapped into three kinds of OSU frames, and the A1 end determines to perform PM-layer encryption and authentication on each of the three OSUs. At the B2 end the PM level of the three OSUs is authenticated and decrypted, and finally the CBR service ClientA, the PKT service ClientB and the PKT service ClientC are obtained by demapping. The flow includes the following steps:
Step S1: For the CBR service ClientA at 155M, select Nx=32; at the same time, insert the Nx value into the overhead and enable PM encryption;
Step S2: Generate OAM security management frame A; at the same time, identify that PM is encrypted, identify Nx, authenticate and decrypt, and recover the OSU plaintext;
Step S3: Obtain the CBR service ClientA;
Step S4: For the PKT service ClientB at 100M, select Ny=40; at the same time, insert the Ny value into the overhead and enable PM encryption;
Step S5: Generate OAM security management frame B;
Step S6: Obtain the PKT service ClientB;
Step S7: For the PKT service ClientC at 200M, whose actual service traffic varies between 40 and 160M, select Nz (16+delta*n); at the same time, insert the Nz value into the overhead and enable PM encryption;
Step S8: Generate OAM security management frame C;
Step S9: Obtain the PKT service ClientC.
Specifically, this includes: Step 1: At the A1 end, after the service ClientA is mapped into the OSU, the OSU and PB are 192 bytes long and the PB rate is 2.6M. From the OSU rate of 166 Mbit/s and the corresponding PB rate, the recommended value of Nx is 64, i.e. 64 PBs are occupied in the same server-layer OPU. The OAM security management frame bandwidth is 1/Nx of the service bandwidth, so with respect to OAM bandwidth overhead, the larger Nx the better. The frame length of 192 bytes satisfies the requirement of being a multiple of the 128-bit encryption block. Because real-time authentication affects OSU frame buffering and delay, Nx should be as small as possible. When bandwidth is sufficient, bandwidth can be traded for delay, i.e. Nx is 32; that is, a fixed period of 32 OSU frames can be used for encryption and authentication.
The maximum guaranteed traffic of the service ClientB is 100 Mbit/s, and the maximum actual OSU rate is 104 Mbit/s. By the selection principle above, the recommended value of Ny is 40; Ny can be chosen as 40 according to the actual bandwidth and the delay requirements of the PKT service.
When the actual traffic of the service ClientC varies widely, with the statistical value ranging from 40 Mbit/s to 160 Mbit/s, the maximum actual OSU rate is 41.6 to 166.4 Mbit/s, and the recommended range of Nz is 16 to 64. The Nz value is increased or decreased in steps of delta according to the trend of the measured traffic.
Step 2: At the A1 end, for the OSU frames generated by the service ClientA, an OAM security management frame is inserted every 64 OSU frame periods, carrying Nx=64 and the PM-level encrypted state. 64 consecutive OSU frames, i.e. 768 128-bit blocks, are encrypted and authenticated, and the OSU security frame encapsulation information produced by encryption and authentication is carried in the PM-level security frame encapsulation information of the OSU OAM security management frame.
For the OSU frames generated by the service ClientB, an OAM security management frame is inserted every 40 OSU frame periods, carrying Nx=40 and the PM-level encrypted state. 40 consecutive OSU frames, i.e. 480 128-bit blocks, are encrypted and authenticated, and the OSU security frame encapsulation information produced by encryption and authentication is carried in the PM-level security frame encapsulation information of the OSU OAM security management frame.
For the OSU frames generated by the service ClientC, an OAM security management frame is inserted every Nz OSU frame periods. Based on the statistical value, if the service traffic is 40 Mbit/s the OSU frames are encrypted and authenticated with Nz=16; as the traffic increases by some amount, optionally in units of 1 Mbit/s, Nz is stepped as Nz=16+delta, where delta increases by 4 for every 1 Mbit/s. The real-time value of Nz and the PM-level encrypted state are carried in the OSU OAM security management frame. Nz consecutive OSU frames, i.e. Nz*12 128-bit blocks, are encrypted and authenticated, and the OSU security frame encapsulation information produced by encryption and authentication is carried in the PM-level security frame encapsulation information of the OSU OAM security management frame.
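The selection rule of Step 1 (OAM overhead of 1/N against the buffering delay of authenticating N frames) and the Nz stepping of Step 2 for ClientC, as an added Python example that is not from the patent. The overhead and delay budgets are parameters the page does not fix and are therefore inputs here; the 192-byte frame, the 40 Mbit/s baseline, the 4-per-Mbit/s step and the 16..64 clamp are the page's own values.

```python
import math

FRAME_BITS = 192 * 8   # OSU frame length from the page: 192 bytes


def n_bounds(osu_rate_mbps, max_oam_share, max_delay_us):
    """Return (n_min, n_max): n_min keeps the OAM share 1/N within the bandwidth
    budget, n_max keeps buffering N frames for authentication within the delay budget."""
    frame_time_us = FRAME_BITS / osu_rate_mbps      # bits / (Mbit/s) = microseconds
    n_min = math.ceil(1.0 / max_oam_share)
    n_max = math.floor(max_delay_us / frame_time_us)
    return n_min, n_max


def choose_fixed_n(osu_rate_mbps, max_oam_share, max_delay_us, bandwidth_sufficient):
    """Fixed period for a service: the largest feasible N when overhead dominates,
    the smallest feasible N when bandwidth is plentiful and delay matters (the
    page's 'bandwidth traded for delay')."""
    n_min, n_max = n_bounds(osu_rate_mbps, max_oam_share, max_delay_us)
    if n_min > n_max:
        raise ValueError("overhead and delay budgets cannot both be met")
    return n_min if bandwidth_sufficient else n_max


def adapt_nz(traffic_mbps, base_mbps=40, base_nz=16, delta_per_mbps=4,
             nz_min=16, nz_max=64):
    """Non-fixed period for ClientC: Nz = 16 + delta, with delta growing by 4 for
    every 1 Mbit/s above 40 Mbit/s, clamped to the recommended 16..64 range."""
    steps = max(0, int(traffic_mbps) - base_mbps)
    return min(nz_max, max(nz_min, base_nz + delta_per_mbps * steps))
```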
Step 3: After the B2 end recognizes the OSU OAM security management frame of the ClientA OSU service, it learns from it that the PM-layer source end of that OSU service is in the encrypted state, obtains the Nx value and the security frame encapsulation information produced by encryption and authentication of each OSU service, and at the same time learns locally that PM-level encryption and authentication is enabled on this end. It determines that this end is the PM-level decryption end and further checks whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx. If so, it authenticates and decrypts the Nx OSU frames using the security frame encapsulation information, obtaining the plaintext decrypted at the OSU PM level, and demaps the OSU to obtain the service ClientA, as shown in Figure 14, schematic diagram (1) of Nx and Ny using a fixed OSU period and Nz a non-fixed OSU period.
After the B2 end recognizes the OSU OAM security management frame of the ClientB OSU service, it learns from it that the PM-layer source end of that OSU service is in the encrypted state, obtains the Ny value and the security frame encapsulation information produced by encryption and authentication of each OSU service, and at the same time learns locally that PM-level encryption and authentication is enabled on this end. It determines that this end is the PM-level decryption end and further checks whether the number of OSU frames between two adjacent OSU OAM security management frames is Ny. If so, it authenticates and decrypts the Ny OSU frames using the security frame encapsulation information, obtaining the plaintext decrypted at the OSU PM level, and demaps the OSU to obtain the service ClientB, as shown in Figure 15, schematic diagram (2) of Nx and Ny using a fixed OSU period and Nz a non-fixed OSU period.
After the B2 end recognizes the OSU OAM security management frame of the ClientC OSU service, it learns from it that the PM-layer source end of that OSU service is in the encrypted state, obtains the Nz value and the security frame encapsulation information produced by encryption and authentication of each OSU service, and at the same time learns locally that PM-level encryption and authentication is enabled on this end. It determines that this end is the PM-level decryption end and further checks whether the number of OSU frames between two adjacent OSU OAM security management frames is Nz. If so, it authenticates and decrypts the Nz OSU frames using the security frame encapsulation information, obtaining the plaintext decrypted at the OSU PM level. It then demaps the OSU to obtain the service ClientC, as shown in Figure 16, schematic diagram (3) of Nx and Ny using a fixed OSU period and Nz a non-fixed OSU period.
Figure 17 is a flowchart showing specific example messages of the identity authentication procedure according to an optional embodiment of the present disclosure, in which encryption is combined with identity authentication. The OTN devices at the two ends, node A and node B, are connected through an OTU2; the client side of node A accesses the CBR service ClientA at a rate of 155.520 Mbit/s, which is mapped into OSU frames. Before the encryption procedure starts, node A initiates the identity authentication procedure, and nodes A and B each verify and authenticate the information sent by the peer. All identity authentication messages are GFP-encapsulated and inserted into the KCC (Key Exchange Communication Channel) for transmission to the peer. After identity authentication is complete, the pure encryption procedure is enabled. As shown in Figure 17, the flow includes:
Step S1: Request message type I (fixed authentication information and private key information); at the same time, verify the fixed authentication information against local storage;
Step S2: Response message type I (encrypted private key information and private key information) or response message type II (authentication failure); at the same time, verify the converted private key information against the received private key information;
Step S3: Request message type II (encrypted identity authentication information) or response message type II (authentication failure); at the same time, verify whether the locally and symmetrically converted identity authentication information matches the received information;
Step S4: Response message type II (authentication success or failure).
Specifically, this includes: Step 1: The encryption entity of node A sends identity authentication request message type I to node B, carrying fixed authentication information and the private key material information of this node, which may optionally be a timestamp or counter value processed by the DF algorithm. The fixed authentication information may optionally be information stored at both ends, such as a port number, IP information or even a user name, converted by a one-way algorithm.
Step 2: After receiving identity authentication message type I, node B first determines from the fixed authentication information whether the sender is its expected communication peer; if not, it replies with identity authentication response message type II carrying authentication failure information.
Step 3: If node B verifies that the user matches, it generates the private key material information of this node, optionally a random timestamp or counter value, obtains a temporary Ki (Key Index) from the information generated by the DF algorithm and the private key material information of node A, and sends the encrypted private key material information of this node together with the private key material information of this node to node A through identity authentication response message type I.
Step 4: Node A receives identity authentication response message type I, extracts the private key material information sent by node B, combines it with the private key material information of this node to obtain the temporary Ki through the DF algorithm, decrypts the encrypted information carried in identity authentication response message type I, and checks whether the decrypted information matches the private key information of node B carried in the message. If they match, node B is preliminarily considered legitimate and node A continues with the next step of the authentication procedure.
Step 5: Node A takes information stored at both ends, such as user name and password, converted by some algorithm, optionally a HASH or a HASH combined with an XOR algorithm, as the authentication subject information and sends it to node B through identity authentication request message type II.
Step 6: After receiving identity authentication request message type II, node B converts its locally stored information with the symmetric algorithm, checks the authentication subject information by comparing the two for consistency, and if they match returns identity authentication response message type II carrying authentication success information.
Step 7: After node A receives the authentication success, it starts the encryption procedure, and the SFC information is processed according to its default value.
An embodiment of the present disclosure further provides a security management information processing apparatus for an optical transport network. Figure 18 is a structural diagram of the security management information processing apparatus for an optical transport network according to an embodiment of the present disclosure. As shown in Figure 18, the apparatus includes:
an encryption module 1802, configured to insert an OSU OAM security management frame every N OSU frames in the optical service unit OSU and to encrypt the N OSU frames;
a carrying module 1804, configured to carry the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames.
In an optional embodiment, the apparatus further includes:
an authentication calculation module, configured to perform the integrity calculation required for authenticating the N OSU frames and to carry the resulting security frame check SFC required for authentication in the OSU OAM security management frame following the N OSU frames.
In an optional embodiment, the apparatus further includes:
an identity authentication module, configured to perform mutual identity authentication with the encryption sink end.
In an optional embodiment, the apparatus further includes:
a determining module, configured to determine the value of N according to the available bandwidth of the OSU security management frame and the encryption processing delay requirement.
In an optional embodiment, the encryption module 1802 is further configured to:
if the OSU OAM security management frame is not detected in the OSU, the current encryption level A of the OSU being the first encryption level started among the M encryption levels of the OSU frame, insert the OSU OAM security management frame every N OSU frames, encrypt the N OSU frames, set the encryption state of encryption level A in the OAM frame to encrypted, and set the N value therein to a known value.
In an optional embodiment, the apparatus further includes:
a processing module, configured to, if the OSU OAM security management frame is detected in the OSU, the current encryption level A of the OSU not being the first encryption level started among the M encryption levels of the OSU frame, encrypt the N OSU frames and carry the resulting security encapsulation information in the overhead corresponding to encryption level B of the OSU OAM management frame.
In an optional embodiment, the apparatus further includes:
an acquisition module, configured to acquire, from the OSU OAM security management frame, the encryption state of the encryption source end of encryption level A and the value of N, and at the same time determine to enable the encryption processing of encryption level B;
a setting module, configured to set the encryption state of encryption level B in the OSU OAM security management frame to the encrypted state.
In an optional embodiment, the OSU OAM security management frame includes overhead for storing the encryption state corresponding to each of the M encryption levels, overhead for storing the N value, and, for each of the M encryption levels, overhead for storing the security frame header SFH and/or the security frame check SFC.
In an optional embodiment, the carrying module 1804 is further configured to:
carry the security frame encapsulation information in the overhead corresponding to encryption level A in the OSU OAM security management frame, where the security frame encapsulation information includes the security frame header SFH and/or the security frame check SFC.
In an optional embodiment, the carrying module 1804 is further configured to:
carry the value of N and the encrypted state of the current encryption level in the OSU OAM security management frame.
Figure 19 is a structural diagram of a security management information processing apparatus for an optical transport network according to a preferred embodiment of the present disclosure. As shown in Figure 19, the apparatus includes:
an identification module 1902, configured to identify the OSU OAM security management frame in the received OSU;
a decryption module 1904, configured to decrypt the OSU according to the OSU OAM security management frame.
In an optional embodiment, the decryption module 1904 is further configured to: identify the encryption state of encryption level A from the OSU OAM security management frame; and, when the encryption state of encryption level A is the encrypted state and this end is the decryption end of encryption level A, decrypt the OSU according to the OSU OAM security management frame.
That is, decrypting the OSU frame according to the OSU OAM security management frame requires first identifying the encryption state of encryption level A and then decrypting the OSU according to the OSU OAM security management frame.
In an optional embodiment, the decryption module is further configured to: extract the value of N and the SFH from the OSU OAM security management frame; determine whether the number of OSU frames between adjacent OAM frames in the OSU is N; and, if so, decrypt the N OSU frames according to the SFH to obtain the plaintext OSU.
That is, decrypting the OSU frame according to the OSU OAM security management frame requires first confirming that the number of OSU frames between adjacent OAM frames is N and then decrypting the OSU frames according to the SFH to obtain the plaintext OSU.
In an optional embodiment, the decryption module is further configured to: if the OSU OAM security management frame also carries the security frame check SFC used to authenticate the N OSU frames, authenticate the N OSU frames according to the SFC and, after authentication passes, decrypt the N OSU frames according to the SFH to obtain the plaintext OSU.
That is, the N OSU frames are first authenticated according to the SFC, and only then are the OSU frames decrypted according to the SFH to obtain the plaintext OSU.
In an optional embodiment, the apparatus further includes: a first processing module, configured to transparently pass the OSU through when the encryption state of encryption level A is the encrypted state and this end is not the decryption end of encryption level A.
即,还可以在加密状态却不为解密段的条件下,透传OSU帧。That is, the OSU frame can also be transparently transmitted under the condition that the encrypted state is not the decrypted segment.
在一个可选的实施例中,所述装置还包括:第一处理模块,设置为将所述OSU OAM安全管理帧中加密层级A的加密状态设置为未加密。In an optional embodiment, the apparatus further includes: a first processing module configured to set the encryption state of the encryption level A in the OSU OAM security management frame to unencrypted.
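A Python model of the scheme described above, added here as an illustration rather than code from the disclosure: the source end inserts an OAM security management frame every N OSU frames with per-level state, N, SFH and SFC overheads (a later level reuses the frames already present), and the receive side checks the level state, counts the frames between adjacent OAM frames, authenticates with the SFC before decrypting with the SFH, and otherwise passes the frames through. It assumes M = 2 levels, an OamSec dataclass standing in for the frame layout, HMAC-SHA256 stand-ins for the cipher keystream and the SFC, and constructed frames and keys.

```python
import copy, hashlib, hmac, os
from dataclasses import dataclass, field

M = 2  # number of encryption levels modelled (assumption; the disclosure leaves M open)

@dataclass
class OamSec:
    """Constructed model of the OSU OAM security management frame: N plus per-level state, SFH and SFC."""
    n: int
    state: list = field(default_factory=lambda: [False] * M)  # True = this level is encrypted
    sfh: list = field(default_factory=lambda: [None] * M)     # SFH for the N OSU frames that follow
    sfc: list = field(default_factory=lambda: [None] * M)     # SFC over the N OSU frames that precede

def _xor_ks(data, key, sfh):
    """Cipher stand-in (assumption): XOR with an HMAC-SHA256(key, SFH || counter) keystream."""
    ks = b"".join(hmac.new(key, sfh + c.to_bytes(4, "big"), hashlib.sha256).digest()
                  for c in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def _sfc(key, frames):
    """SFC stand-in (assumption): HMAC-SHA256 tag over the N ciphertext OSU frames."""
    return hmac.new(key, b"".join(frames), hashlib.sha256).digest()

def encrypt_osu(stream, level, key, n=None):
    """Encryption source end: the first activated level inserts an OAM frame every N frames; later levels reuse them."""
    stream = copy.deepcopy(stream)
    if not any(isinstance(f, OamSec) for f in stream):
        stream = [OamSec(n)] + sum((stream[i:i + n] + [OamSec(n)] for i in range(0, len(stream), n)), [])
    out, pos = [], [i for i, f in enumerate(stream) if isinstance(f, OamSec)]
    for k, a in enumerate(pos):
        oam = stream[a]
        oam.state[level] = True                               # mark this level as encrypted
        out.append(oam)
        if k + 1 == len(pos):
            break                                             # trailing OAM frame carries only the last SFC
        oam.sfh[level] = os.urandom(8)                        # SFH goes in the OAM frame before the N frames
        ct = [_xor_ks(f, key, oam.sfh[level]) for f in stream[a + 1:pos[k + 1]]]
        stream[pos[k + 1]].sfc[level] = _sfc(key, ct)         # SFC goes in the OAM frame after the N frames
        out.extend(ct)
    return out

def decrypt_osu(stream, level, key, is_decrypt_end=True):
    """Receive side: returns (forwarded stream, plaintext OSU frames recovered at this node)."""
    stream, out, plain = copy.deepcopy(stream), [], []
    pos = [i for i, f in enumerate(stream) if isinstance(f, OamSec)]
    for k, a in enumerate(pos):
        oam = stream[a]
        here = oam.state[level] and is_decrypt_end            # encrypted and this node is the level's decryption end
        if here:
            oam.state[level] = False                          # clear the state once decrypted here
        out.append(oam)
        if k + 1 == len(pos):
            break
        group, nxt = stream[a + 1:pos[k + 1]], stream[pos[k + 1]]
        if len(group) != oam.n:                               # exactly N OSU frames between adjacent OAM frames
            raise ValueError("OSU frame count between adjacent OAM frames is not N")
        if not here:                                          # not this node's level: transparent pass-through
            out.extend(group)
            continue
        if nxt.sfc[level] is not None and not hmac.compare_digest(nxt.sfc[level], _sfc(key, group)):
            raise ValueError("SFC authentication failed")     # authenticate before decrypting
        pt = [_xor_ks(f, key, oam.sfh[level]) for f in group]
        plain.extend(pt)
        out.extend(pt)
    return out, plain
```

Running two levels in sequence (level 0 at the source, level 1 added by an intermediate node) and decrypting them at their respective decryption ends shows the per-level pass-through; a dropped frame or a modified ciphertext frame raises before any plaintext is produced.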
Embodiments of the present disclosure also provide a computer-readable storage medium storing a computer program, where the computer program is configured to perform the steps of any one of the above method embodiments when run.
In an exemplary embodiment, the above computer-readable storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disc, or any other medium capable of storing a computer program.
Embodiments of the present disclosure also provide an electronic device including a memory and a processor, where the memory stores a computer program and the processor is configured to run the computer program to perform the steps of any one of the above method embodiments.
In an exemplary embodiment, the above electronic device may further include a transmission device and an input/output device, where both the transmission device and the input/output device are connected to the above processor.
For specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and exemplary implementations, which are not repeated here.
Those skilled in the art will appreciate that the modules or steps of the present disclosure described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed over a network formed by multiple computing devices; they may be implemented in program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that given here; or they may each be made into an individual integrated circuit module, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present disclosure is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present disclosure and are not intended to limit it; those skilled in the art may make various modifications and changes to the present disclosure. Any modification, equivalent replacement, improvement or the like made within the principles of the present disclosure shall fall within the scope of protection of the present disclosure.

Claims (17)

  1. A security management information processing method for an optical transport network, the method comprising:
    inserting an OSU OAM security management frame into an optical service unit OSU every N OSU frames, and encrypting the N OSU frames; and
    carrying the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames.
  2. The method according to claim 1, wherein the method further comprises:
    performing the integrity calculation required for authentication on the N OSU frames, and carrying the resulting security frame check SFC required for authentication in the OSU OAM security management frame following the N OSU frames.
  3. The method according to claim 1, wherein, before encrypting the N OSU frames, the method further comprises:
    performing two-way identity authentication with the encryption sink end.
  4. The method according to claim 1, wherein the method further comprises:
    determining the value of N according to the bandwidth available to the OSU security management frame and the encryption processing delay requirement.
  5. The method according to claim 1, wherein inserting an OSU OAM security management frame into the OSU every N OSU frames and encrypting the N OSU frames comprises:
    if the OSU OAM security management frame is not detected in the OSU, the current encryption level A of the OSU being the first activated encryption level among the M encryption levels of the OSU frame, inserting the OSU OAM security management frame every N OSU frames, encrypting the N OSU frames, setting the encryption state of encryption level A in the OAM frame to encrypted, and setting the value of N therein to a known value.
  6. The method according to claim 1, wherein the method further comprises:
    if the OSU OAM security management frame is detected in the OSU, the current encryption level B of the OSU not being the first activated encryption level among the M encryption levels of the OSU frame, encrypting the N OSU frames, and carrying the resulting security encapsulation information in the overhead corresponding to encryption level B in the OSU OAM management frame.
  7. The method according to claim 6, wherein, after identifying the OSU OAM security management frame in the OSU frame, the method further comprises:
    obtaining, from the OSU OAM security management frame, the encryption state of the encryption source end of encryption level A and the value of N, and determining that encryption processing of encryption level B is to be enabled; and
    setting the encryption state of encryption level B in the OSU OAM security management frame to the encrypted state.
  8. The method according to any one of claims 1 to 7, wherein the OSU OAM security management frame includes, for each of the M encryption levels, an overhead for storing the encryption state; an overhead for storing the value of N; and, for each of the M encryption levels, an overhead for storing the security frame header SFH and/or the security frame check SFC.
  9. The method according to claim 1, wherein the method comprises:
    identifying the OSU OAM security management frame in the received OSU; and
    decrypting the OSU according to the OSU OAM security management frame.
  10. The method according to claim 9, wherein decrypting the OSU according to the OSU OAM security management frame comprises:
    identifying the encryption state of encryption level A from the OSU OAM security management frame; and
    when the encryption state of encryption level A is the encrypted state and the node is the decryption end of encryption level A, decrypting the OSU according to the OSU OAM security management frame.
  11. The method according to claim 9, wherein decrypting the OSU according to the OSU OAM security management frame comprises:
    extracting the value of N and the SFH from the OSU OAM security management frame;
    determining whether the number of OSU frames between adjacent OAM frames in the OSU is N; and
    if so, decrypting the N OSU frames according to the SFH to obtain the plaintext OSU.
  12. The method according to claim 11, wherein decrypting the N OSU frames according to the SFH to obtain the plaintext OSU comprises:
    if the OSU OAM security management frame also carries the security frame check SFC used for authenticating the N OSU frames, authenticating the N OSU frames according to the SFC; and
    after the authentication passes, decrypting the N OSU frames according to the SFH to obtain the plaintext OSU.
  13. The method according to claim 9, wherein the method further comprises:
    when the encryption state of encryption level A is the encrypted state and the node is not the decryption end of encryption level A, transparently passing the OSU frame through.
  14. The method according to any one of claims 9 to 15, wherein the method further comprises:
    setting the encryption state of encryption level A in the OSU OAM security management frame to unencrypted.
  15. A security management information processing apparatus for an optical transport network, the apparatus comprising:
    an encryption module, configured to insert an OSU OAM security management frame into an optical service unit OSU every N OSU frames and to encrypt the N OSU frames; and
    a bearer module, configured to carry the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames.
  16. A computer-readable storage medium storing a computer program, wherein the computer program is configured to perform the method according to any one of claims 1 to 14 when run.
  17. An electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program to perform the method according to any one of claims 1 to 14.
PCT/CN2022/073865 2021-01-29 2022-01-25 Security management information processing method and apparatus for optical transport network WO2022161369A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110130725.2 2021-01-29
CN202110130725.2A CN112929355A (en) 2021-01-29 2021-01-29 Safety management information processing method and device for optical transport network

Publications (1)

Publication Number Publication Date
WO2022161369A1 true WO2022161369A1 (en) 2022-08-04


Also Published As

Publication number Publication date
CN112929355A (en) 2021-06-08


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22745243; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12.12.2023))
122 Ep: pct application non-entry in european phase (Ref document number: 22745243; Country of ref document: EP; Kind code of ref document: A1)