WO2023179174A1 - Message transmission method and related device - Google Patents

Message transmission method and related device

Info

Publication number
WO2023179174A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
edge node
security
sid
segment routing
Prior art date
Application number
PCT/CN2023/070317
Other languages
French (fr)
Chinese (zh)
Inventor
史玉林
韩涛
赵凤华
赵宇萍
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023179174A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols
    • H04L 12/00: Data switching networks
    • H04L 12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46: Interconnection of networks
    • H04L 12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 45/00: Routing or path finding of packets in data switching networks
    • H04L 45/24: Multipath
    • H04L 45/54: Organization of routing tables
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/12: Applying verification of the received information
    • H04L 63/123: Applying verification of the received information: received data contents, e.g. message integrity

Definitions

  • Embodiments of the present application relate to the field of data transmission, and in particular, to a message transmission method and related equipment.
  • IPv4: Internet Protocol version 4
  • IPv6: Internet Protocol version 6
  • IPsec: Internet Protocol Security
  • SRv6: IPv6 segment routing
  • Tunnel encryption can only be deployed at the head node and the tail node of the tunnel.
  • SRv6 tunnels may traverse multiple trust domains, and different trust domains have different security requirements.
  • Embodiments of the present application provide a message transmission method and related equipment, which are used to flexibly arrange segment routing lists based on tunnel path security policies to more flexibly enhance network security.
  • The first aspect of the embodiment of the present application provides a message transmission method, which is applied to a segment routing network.
  • The segment routing network includes a controller, a first edge node, at least one central node and a second edge node.
  • The first edge node, the at least one central node and the second edge node are connected in sequence to build a segment routing tunnel.
  • The method includes: the first edge node determines the forwarding topology information from the first edge node to the second edge node according to the business requirements of the segment routing tunnel forwarding path; the first edge node generates enhanced security function segment routing information based on the forwarding topology information and the security policy of the segment routing tunnel.
  • The enhanced security function segment routing information includes a first enhanced security function segment list identity (SID), and the first enhanced security function SID matches the security association (SA) identifier of the second edge node.
  • The first edge node pushes the first path into the segment routing list; the first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node; the first edge node then sends a packet message, and the packet message includes the first enhanced security function SID.
  • Because each segment routing node publishes its enhanced security function SID, the first edge node can flexibly arrange the segment routing list based on the tunnel path security policy.
  • By using the enhanced security function SID, few changes to the existing network system are needed, deployment is easy, and the security performance of the network can be enhanced flexibly.
  • The above method further includes: the first edge node negotiates with the at least one central node and the second edge node to establish a security association; the first edge node generates the first enhanced security function SID; the first edge node sends the first enhanced security function SID to the controller, the at least one central node and the second edge node; the first edge node receives the multiple enhanced security function SIDs sent respectively by the at least one central node and the second edge node.
  • Pushing the first path into the segment routing list includes: the first edge node generates the first path according to the multiple enhanced security function SIDs and pushes the first path into the segment routing list; or the first edge node sends the first enhanced security function SID to the controller, so that the controller generates the first path according to the forwarding logic and delivers the first path to the first edge node.
  • The above method further includes: if the first edge node determines that the security capability of the security association is weakened, the first edge node sends SID revocation information to the at least one central node, the second edge node and/or the controller, and the SID revocation information instructs the at least one central node, the second edge node and/or the controller to revoke the first enhanced security function SID.
  • Determining that the security capability of the security association is weakened includes: the first edge node determines that the network node device relationships in the security association and/or the key parameters of the security association have changed; the first edge node then determines, based on the key parameters of the security association and the enhanced security function capability of the SID, that the security capability of the security association is weakened.
  • The first enhanced security function SID includes a locator (network node identifier), a function code and parameters. The locator is the identifier of a network node in the network topology and is used to route and forward messages to that node; the function code is an instruction preset by the device.
  • The function code implements the enhanced security functions: encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication addition, authentication verification and other security enhancement capabilities.
  • The parameters define the service information of the security enhancement capability, and this service information is used to implement the enhanced security functions listed above.
  • The packet message includes an IPv6 standard header, a segment routing header, at least one encapsulated security payload extension header, at least one extension header, an IP packet payload, at least one encapsulated security payload trailer and at least one packet integrity check value (ICV); or the packet message includes an IPv6 standard header, a segment routing header, at least one encapsulated security payload extension header, at least one extension header and an IP packet payload.
  • The above method further includes: the first edge node performs at least one joint encryption and integrity enhancement on the packet message.
  • Jointly encrypting and enhancing the integrity of the packet message includes: the first edge node constructs the key information of the encapsulated security payload extension option header, such as the IV and the SPI, according to the security association SA; the first edge node inserts the security extension option header; the first edge node constructs an encapsulated security payload trailer, adds it to the end of the original message, and forms a new packet payload together with the original IP packet payload; the first edge node encrypts the packet payload with the key and corresponding algorithm in the SA.
  • The second aspect of the embodiment of the present application provides a message transmission method, which is applied to a segment routing network.
  • The segment routing network includes a first edge node, at least one central node and a second edge node.
  • The first edge node, the at least one central node and the second edge node are connected in sequence to build a segment routing tunnel.
  • The target network node is any one of the at least one central node and the second edge node.
  • The method includes: the target network node receives a packet message sent by the first edge node; the target network node parses the extension header (RH) of the packet message as an encapsulated security payload extension header and extracts the information in it; the target network node performs the decryption integrity calculation on the packet message using the key and encryption algorithm associated with the security association SA, and compares the calculated integrity value with the integrity check value (ICV) carried in the message; if the two are consistent, the integrity verification passes; if the integrity verification passes, the target network node decrypts the packet message according to the key and encryption algorithm associated with the SA; the target network node then removes the encapsulated security payload extension header and encapsulated security payload trailer associated with the packet message and updates the relevant fields of the packet message.
  • The above method further includes: the target network node parses whether the remaining segments (SL) value of the segment route is legal; if the SL is legal, the target network node uses the IPv6 standard header to search the IPv6 FIB table.
  • The target network node uses the current SID of the segment routing extension header (SRH) to search the local SID table; if the target network node hits a local SID, it is associated with the relevant SA according to the forwarding action function definition and parameters in the hit SID, or directly through the SID; the target network node determines the specific action to perform according to the forwarding action function definition of the SID and the SA.
  • Performing the decryption integrity calculation on the packet message through the key and encryption algorithm associated with the SA includes: the target network node determines the authentication calculation field of the packet message.
  • The scope of the authentication calculation field includes the IPv6 standard header of the packet message, all enhanced security function segment routing lists and the encapsulated authentication extension header; the target network node performs the decryption integrity calculation on the packet message over this field range using the SA-associated key and encryption algorithm.
  • The target network node performs the decryption integrity calculation by presetting the corresponding values.
  • The authentication calculation field range may also include at least one extension header and the IP packet payload.
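The sender-side joint encryption and integrity step and the target node's verify-then-decrypt step described above, as an added example that is not the patent's or Huawei's code. The header layouts (SPI || IV in the encapsulated security payload extension header, a pad/pad-length trailer), the field sizes, the sample IPv6 header, SRH and SA are all constructed assumptions; the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode so the example runs with the standard library only, and the ICV is a truncated HMAC-SHA256 over the authentication scope (IPv6 header, segment routing list, ESP extension header and protected payload).

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 16      # assumed: ICV is HMAC-SHA256 truncated to 128 bits
ESP_HDR_LEN = 20  # assumed layout: SPI (4 bytes) || IV (16 bytes)

# Constructed sample data: a 40-byte IPv6 header, a 24-byte SRH and one SA.
IPV6_HDR = b"\x60" + bytes(39)
SRH = bytes(24)
SA = {"spi": 0x1001, "enc_key": b"k" * 32, "auth_key": b"a" * 32}
SA_TABLE = {SA["spi"]: SA}   # the target node's SA lookup, keyed by SPI


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the SA's negotiated cipher: HMAC-SHA256 in counter mode."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(sa: dict, ipv6_hdr: bytes, srh: bytes, payload: bytes, iv: bytes = b"") -> bytes:
    """First edge node: joint encryption and integrity enhancement.

    1. build the ESP extension header (SPI, IV) from the SA and insert it after the SRH;
    2. build the ESP trailer (padding and pad length) and append it to the payload;
    3. encrypt payload + trailer with the SA key;
    4. compute the ICV over IPv6 header || SRH || ESP header || ciphertext and append it.
    """
    iv = iv or os.urandom(16)
    esp_hdr = struct.pack(">I", sa["spi"]) + iv
    pad = (-(len(payload) + 1)) % 4          # assumed: align payload + trailer to 4 bytes
    plaintext = payload + bytes(pad) + bytes([pad])
    ciphertext = _xor(plaintext, _keystream(sa["enc_key"], iv, len(plaintext)))
    scope = ipv6_hdr + srh + esp_hdr + ciphertext
    icv = hmac.new(sa["auth_key"], scope, hashlib.sha256).digest()[:ICV_LEN]
    return scope + icv


def unprotect(sa_table: dict, packet: bytes, ipv6_len: int, srh_len: int):
    """Target node: verify the ICV first, decrypt only if it matches.

    Returns (True, payload) on success and (False, None) on any failure; in the
    failure case nothing has been decrypted.
    """
    off = ipv6_len + srh_len
    if len(packet) < off + ESP_HDR_LEN + 1 + ICV_LEN:
        return False, None
    spi = struct.unpack(">I", packet[off:off + 4])[0]
    iv = packet[off + 4:off + ESP_HDR_LEN]
    sa = sa_table.get(spi)                        # SPI -> SA association
    if sa is None:
        return False, None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # constant-time comparison
        return False, None
    ciphertext = body[off + ESP_HDR_LEN:]
    plaintext = _xor(ciphertext, _keystream(sa["enc_key"], iv, len(ciphertext)))
    pad = plaintext[-1]
    if pad > 3 or len(plaintext) < pad + 1 or any(plaintext[-(pad + 1):-1]):
        return False, None                        # malformed trailer
    # ESP header and trailer removed; the caller updates the IPv6/SRH fields.
    return True, plaintext[:len(plaintext) - pad - 1]


def demo():
    """Round trip, plus a tampered packet that must be rejected before decryption."""
    pkt = protect(SA, IPV6_HDR, SRH, b"constructed payload")
    ok, payload = unprotect(SA_TABLE, pkt, len(IPV6_HDR), len(SRH))
    tampered = bytearray(pkt)
    tampered[len(IPV6_HDR) + len(SRH) + ESP_HDR_LEN] ^= 0x80   # flip one ciphertext bit
    bad_ok, _ = unprotect(SA_TABLE, bytes(tampered), len(IPV6_HDR), len(SRH))
    return ok, payload, bad_ok


if __name__ == "__main__":
    print(demo())
```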
  • A third aspect of the present application provides a first edge node, which has the function of implementing the method of the first aspect or any possible implementation of the first aspect.
  • This function can be implemented by hardware, or by hardware executing corresponding software.
  • The hardware or software includes one or more modules corresponding to the above functions, such as a generation module.
  • A fourth aspect of the present application provides a target network node, which has the function of implementing the method of the second aspect or any possible implementation of the second aspect.
  • This function can be implemented by hardware, or by hardware executing corresponding software.
  • The hardware or software includes one or more modules corresponding to the above functions, such as a receiving module.
  • A fifth aspect of the present application provides a first edge node.
  • The first edge node includes at least one processor, a memory, an input/output (I/O) interface, and computer-executable instructions that are stored in the memory and can run on the processor.
  • The processor executes the method of the first aspect or any possible implementation of the first aspect.
  • A sixth aspect of the present application provides a target network node, which includes at least one processor, a memory, an input/output (I/O) interface, and computer-executable instructions that are stored in the memory and can run on the processor.
  • The processor executes the method of the second aspect or any possible implementation of the second aspect.
  • A seventh aspect of the present application provides a computer-readable storage medium that stores one or more computer-executable instructions.
  • When the instructions are executed by a processor, the processor performs the method of the first aspect or any possible implementation of the first aspect.
  • An eighth aspect of the present application provides a computer-readable storage medium that stores one or more computer-executable instructions.
  • When the instructions are executed by a processor, the processor performs the method of the second aspect or any possible implementation of the second aspect.
  • A ninth aspect of the present application provides a computer program product that stores one or more computer-executable instructions.
  • When the instructions are executed by a processor, the processor performs the method of the first aspect or any possible implementation of the first aspect.
  • A tenth aspect of the present application provides a computer program product that stores one or more computer-executable instructions.
  • When the instructions are executed by a processor, the processor performs the method of the second aspect or any possible implementation of the second aspect.
  • An eleventh aspect of the present application provides a chip system.
  • The chip system includes at least one processor, which is used to implement the functions involved in the first aspect or any possible implementation of the first aspect.
  • The chip system may also include a memory, which is used to store program instructions and data necessary for processing the artificial intelligence model.
  • The chip system may be composed of chips, or may include chips and other discrete devices.
  • A twelfth aspect of the present application provides a chip system.
  • The chip system includes at least one processor, which is used to implement the functions involved in the second aspect or any possible implementation of the second aspect.
  • The chip system may also include a memory, which is used to store program instructions and data necessary for processing the artificial intelligence model.
  • The chip system may be composed of chips, or may include chips and other discrete devices.
  • Because each segment routing node publishes its enhanced security function SID, the first edge node can flexibly arrange the segment routing list based on the tunnel path security policy.
  • By using the enhanced security function SID, few changes to the existing network system are needed, deployment is easy, and the security performance of the network can be enhanced flexibly.
  • Figure 1 is a schematic diagram of a message structure in tunnel mode.
  • Figure 2 is a network architecture diagram of the SRv6 network system.
  • Figure 3 is a schematic structural diagram of the communication mechanism in the embodiment of the present application.
  • Figure 4 is a schematic structural diagram of a line card or service card in the embodiment of the present application.
  • Figure 5 is a network architecture diagram of the SRv6 network system in the embodiment of the present application.
  • Figure 6 is a schematic flow chart of a message transmission method in an embodiment of the present application.
  • Figure 7 is a schematic diagram of an encoding method of the enhanced security function segment list identity SID in the embodiment of the present application.
  • Figure 8 is a schematic diagram of another encoding method of the enhanced security function segment list identity SID in the embodiment of the present application.
  • Figure 9 is a schematic flow chart of revoking the enhanced security function segment list identity SID in the embodiment of the present application.
  • Figure 10 is a schematic flow chart of pushing segment routing information into a segment routing list in an embodiment of the present application.
  • Figure 11 is a schematic diagram of the format of a packet message in an embodiment of the present application.
  • Figure 12 is a schematic flow chart of secondary joint encryption and integrity enhancement in the embodiment of the present application.
  • Figure 13a is a schematic diagram of the format of a packet message in the embodiment of the present application.
  • Figure 13b is another schematic diagram of the format of the packet message in the embodiment of the present application.
  • Figure 14 is another schematic flow chart of the message transmission method in the embodiment of the present application.
  • Figure 15 is a schematic flow chart of parsing whether the remaining segments SL of segment routing is legal in the embodiment of the present application.
  • Figure 16 is a schematic flow chart of decryption and integrity processing in the embodiment of the present application.
  • Figure 17 is an architectural schematic diagram of the network topology in the embodiment of the present application.
  • Figures 18a and 18b are the first signal flow diagram of message transmission in the embodiment of the present application.
  • Figures 19a and 19b are the second signal flow diagram of message transmission in the embodiment of the present application.
  • Figures 20a and 20b are the third signal flow diagram of message transmission in the embodiment of the present application.
  • Figures 21a and 21b are the fourth signal flow diagram of message transmission in the embodiment of the present application.
  • Figure 22 is a schematic structural diagram of the first edge node in the embodiment of the present application.
  • Figure 23 is a schematic structural diagram of a target network node in an embodiment of the present application.
  • Figure 24 is another schematic structural diagram of the first edge node in the embodiment of the present application.
  • Figure 25 is another schematic structural diagram of a target network node in an embodiment of the present application.
  • FIG. 1 is a schematic diagram of the packet structure in tunnel mode.
  • IPsec can be used to protect one or more paths between a pair of hosts, a pair of security gateways, or a security gateway and a host.
  • In tunnel mode, the entire IP data packet that needs to be protected is encapsulated in a new IP packet as the payload of the new message, and a new IP header is added on the outside.
  • FIG. 2 is a network architecture diagram of the SRv6 network system.
  • The existing IPsec technology is a point-to-point tunnel encryption technology: tunnel encryption can only be deployed at the head node and the tail node of the tunnel.
  • An SRv6 tunnel may traverse multiple trust domains. Traversing multiple trust domains may mean that the customer network crosses the networks of multiple operators; each operator network can be considered one trust domain, and different trust domains have different security requirements.
  • Figure 3 is a schematic structural diagram of a communication mechanism in an embodiment of the present application. As shown in Figure 3, the message transmission method in the embodiment of the present application is applied to a communication mechanism.
  • The communication mechanism can be the first edge node, the at least one central node, the second edge node and/or the controller.
  • The communication mechanism includes at least one route processor, line card and service processing card.
  • The route processor performs service processing according to the routing protocol and the routing information base (RIB) used for exchanging information.
  • The line card can include one or more network processors and one or more application-specific integrated circuits (ASICs), holding for example the forwarding information base (FIB).
  • The service processing card may include one or more heterogeneous processors, which have security processing engines or software processing capabilities such as encryption, decryption and authentication.
  • Figure 4 is a schematic structural diagram of a line card or service card in this embodiment of the present application.
  • The line card or service card includes one or more processors, one or more memories storing application programs or service data, encryption and decryption engines, one or more network data interfaces and one or more network processors.
  • FIG. 5 is a network architecture diagram of the SRv6 network system in the embodiment of the present application.
  • This embodiment of the present application provides a message transmission method, which is applied to a segment routing network.
  • The segment routing network includes a controller, a first edge node, at least one central node and a second edge node; the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel.
  • The segment routing network is applied to an IPv6 segment routing (SRv6) network system, which also includes a source node and a destination node for message transmission.
  • The first edge node determines the forwarding topology information from the first edge node to the second edge node according to the business requirements of the segment routing tunnel forwarding path; the forwarding topology information and the security policy of the segment routing tunnel are used to generate the enhanced security function segment routing information.
  • The enhanced security function segment routing information includes the first enhanced security function segment list identity SID, and the first enhanced security function SID matches the security association SA identifier of the second edge node.
  • The first edge node pushes the first enhanced security function SID into the segment routing list; or the first edge node sends the first enhanced security function SID to the controller, so that the controller controls packet forwarding according to the enhanced security function forwarding logic indicated by the first enhanced security function SID.
  • The first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node.
  • Then, after the first edge node receives the packet message sent by the source node, it processes the packet message accordingly and sends it to the second edge node; the processed packet message includes the first enhanced security function SID. The second edge node performs the corresponding processing before sending the packet to the destination node. See the following steps for the specific processing.
  • The source node and the first edge node may be directly connected or connected through at least one network node; the second edge node and the destination node may likewise be directly connected or connected through at least one network node. This is not restricted here.
  • Figure 6 is a schematic flow chart of a message transmission method in an embodiment of the present application. Please refer to Figure 6.
  • A process of the message transmission method in this embodiment of the present application includes the following steps.
  • The network nodes in the segment routing network negotiate to build a security association.
  • The network nodes in the segment routing network, that is, the first edge node, the at least one central node and the second edge node, negotiate to form a security association (SA).
  • The network nodes in the segment routing network can form the security association through negotiation with protocols; security associations can also be configured manually through the controller.
  • The segment routing initiating node, that is, the first edge node, may also notify the other relevant segment routing nodes of security-related information through the controller.
  • The security association SA after successful negotiation includes: the key used for encryption or authentication integrity calculation, the ID of the security association SA, the key update policy, the encryption algorithm, the integrity calculation algorithm, the IV used by the encryption algorithm, the security parameter index (SPI), the encryption method, the authentication method and other security association information.
  • The network routing node generates the first enhanced security function SID.
  • Any segment routing node in the security association SA locally generates one or more SIDs carrying enhanced security functions according to business needs.
  • For the same network node identifier (Locator), a node can generate a SID without the encryption function as well as a SID with enhanced security functions.
  • Among the SIDs with enhanced security functions, a node can generate a SID with the authentication method and a SID with the encryption function.
  • FIG. 7 is a schematic diagram of an encoding method of the enhanced security function segment list identity SID in the embodiment of the present application.
  • In this encoding, the SID carrying the enhanced security function may include: the segment routing node identifier Locator, of length X, which is the identifier of a network node in the network topology and is used to route and forward packets to that node; and the function code Function, the forwarding action function definition, of length Y, which represents an instruction preset by the device.
  • Here the function code itself carries the security enhancement function.
  • The security enhancement includes encryption, decryption, joint encryption and integrity, and so on.
  • Parameters (Args), of length Z: the service information of the security enhancement capability is defined through the Arguments field, for example the security association SA identifier formed between different segment routing nodes.
  • The security enhancement parameters carry the additional service information needed to implement the security enhancement function.
  • FIG. 8 is a schematic diagram of another encoding method of the enhanced security function segment list identity SID in the embodiment of the present application.
  • In this encoding, the Locator of the SID with enhanced security function is the network node identifier, of length X.
  • The function code Function is the forwarding action function definition, of length Y, representing instructions preset by the device; it is consistent with the encoding of a segment without enhanced security functions.
  • Parameters (Args), of length Z: the enhanced security function information is defined through the Arguments field, for example the security association SA identifier formed between different segment routing nodes and the security function code: encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication addition, authentication verification.
  • The SID carrying the enhanced security function can use either of the two encoding methods shown in Figure 7 and Figure 8, or another type of encoding; this is not limited here.
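The two SID layouts just described (Figure 7: security function in the Function field; Figure 8: security function and SA identifier both in the Arguments field), together with the rule check the first edge node applies to the segment list before pushing it, as an added example that is not the patent's or Huawei's code. The bit widths X/Y/Z, the code points for the security functions, the Args layout for the Figure 8 style and the SA table are assumptions; the text requires the SA-identifier match only for the second edge node, and the check below generalises it to every SID in the list.

```python
import ipaddress

# Assumed bit widths of the three SID fields in a 128-bit IPv6 address:
# Locator (X), Function (Y), Args (Z).
X, Y, Z = 64, 16, 48

# Assumed code points for the security enhancement capabilities named in the text.
SEC_FUNC = {"encrypt": 1, "decrypt": 2, "encrypt_integrity": 3,
            "decrypt_integrity": 4, "auth_add": 5, "auth_verify": 6}
CODE_TO_FUNC = {c: n for n, c in SEC_FUNC.items()}
FUNC_PLAIN = 0x0010   # assumed: an ordinary (non-security) forwarding function code


def _locator_int(locator: str) -> int:
    """Top X bits of the locator address; lower bits are cleared."""
    v = int(ipaddress.IPv6Address(locator))
    return (v >> (128 - X)) << (128 - X)


def _pack(locator: str, func: int, args: int) -> str:
    if not 0 <= func < (1 << Y) or not 0 <= args < (1 << Z):
        raise ValueError("Function or Args value does not fit its field")
    return str(ipaddress.IPv6Address(_locator_int(locator) | (func << Z) | args))


def encode_fig7(locator: str, sec_func: str, sa_id: int) -> str:
    """Figure 7 style: the Function field is the security function code;
    Args carries the SA identifier."""
    return _pack(locator, SEC_FUNC[sec_func], sa_id)


def encode_fig8(locator: str, sec_func: str, sa_id: int) -> str:
    """Figure 8 style: Function is an ordinary code; Args carries the SA
    identifier and the security function code (assumed layout: sa_id << 8 | code)."""
    return _pack(locator, FUNC_PLAIN, (sa_id << 8) | SEC_FUNC[sec_func])


def decode(sid: str, style: str) -> dict:
    """Split a SID into locator / security function / SA id for either style."""
    v = int(ipaddress.IPv6Address(sid))
    locator = str(ipaddress.IPv6Address((v >> (128 - X)) << (128 - X)))
    func = (v >> Z) & ((1 << Y) - 1)
    args = v & ((1 << Z) - 1)
    if style == "fig7":
        return {"locator": locator, "sec_func": CODE_TO_FUNC.get(func), "sa_id": args}
    if style == "fig8":
        return {"locator": locator, "sec_func": CODE_TO_FUNC.get(args & 0xFF),
                "sa_id": args >> 8}
    raise ValueError("unknown encoding style")


def rule_check(segment_list, style: str, sa_by_locator: dict) -> bool:
    """First edge node's rule check before pushing the list: every SID must carry
    a recognised security function and an SA id equal to the one negotiated with
    the node that owns the locator."""
    expected = {str(ipaddress.IPv6Address(k)): v for k, v in sa_by_locator.items()}
    for sid in segment_list:
        d = decode(sid, style)
        if d["sec_func"] is None or expected.get(d["locator"]) != d["sa_id"]:
            return False
    return True


if __name__ == "__main__":
    # Constructed locators and SA ids for a central node and the second edge node.
    table = {"2001:db8:0:2::": 0x1001, "2001:db8:0:3::": 0x1002}
    seg_list = [encode_fig7("2001:db8:0:2::", "encrypt_integrity", 0x1001),
                encode_fig7("2001:db8:0:3::", "decrypt_integrity", 0x1002)]
    print(seg_list, rule_check(seg_list, "fig7", table))
```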
  • the segment routing node publishes the enhanced security function SID to the segment routing network.
  • Each segment routing node in the segment routing network publishes the enhanced security function SID generated by itself into the segment routing network, that is, to other segment routing nodes or controllers.
  • the first edge node may send the first enhanced security function SID to at least one central node and the second edge node, or to a controller in the segment routing network;
  • the segment routing node publishes the generated SID with encryption function to other segment routing nodes and/or the controller in the network through a protocol.
  • a link SID is generally published to the controller through the protocol, and a node SID is likewise generally published through the protocol.
  • the protocol can be IGP, BGP, or other protocols used to publish SIDs.
  • the segment routing node receives the SID published by other nodes.
  • the controller associates the link SIDs of the entire network with the network topology.
  • the segment routing node that receives a node SID forms the outbound interface information for that node SID according to the route optimization policy.
  • Figure 9 is a schematic flowchart of revoking the enhanced security function segment list identity SID in the embodiment of the present application.
  • the segment routing node can also revoke the published SID, as shown in the following steps:
  • the first edge node determines whether the network node device relationships in the security association have changed and/or whether the key parameters of the security association have changed.
  • if the network node device relationships in the security association have changed, the segment routing node revokes the enhanced security function SID related to that security association SA through the protocol; if the first edge node determines that the key parameters of the security association have changed, it proceeds to step b.
  • step b: the first edge node determines whether the security capability of the security association is weakened.
  • the first edge node determines, based on the key parameters of the security association and the enhanced security function capability of the published SID, whether the capability that was published through the enhanced security function SID has been weakened.
  • if the security capability is not weakened, the enhanced security function SID is not updated.
  • if the first edge node determines that the security capability of the security association is weakened, the first edge node sends SID revocation information to at least one central node, the second edge node and/or the controller, and the SID revocation information instructs the at least one central node, the second edge node and/or the controller to revoke the SID.
  • the first edge node receives a plurality of enhanced security function SIDs respectively sent by at least one central node and the second edge node.
  • the first edge node determines the forwarding topology information.
  • the first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path.
  • the first edge node establishes a segment routing tunnel.
  • the first edge node establishes a segment routing tunnel, and the segment routing tunnel is used to forward packet messages.
  • the first edge node establishes a forwarding topology from the source to the remote destination segment routing node (tail node PE) based on the service requirements of the tunnel forwarding path.
  • the segment routing nodes in the segment routing network will publish the segment routing information to the segment routing network through the Interior Gateway Protocol (IGP).
  • the information can be used to help other node devices forward packets to the node that publishes the network node identifier Locator.
  • the first edge node that receives the segment routing information selects a reachable path based on the learned segment ID list (SID) of the entire network and the tunnel purpose, and determines the segment routing list.
  • the list includes a forwarding path that the packet message can reach, so that the first edge node can guide the forwarding path of the IP packet message according to the segment routing list.
  • the first edge node determines the forwarding path of the packet message according to the segment routing list, thereby establishing a segment routing tunnel.
  • the first edge node of the segment routing network establishes a forwarding topology from the source to the remote second edge node according to the service requirements of the tunnel forwarding path.
  • each segment routing node in the segment routing network sends segment routing information to the controller in the segment routing network through the Border Gateway Protocol (BGP), so that the controller can collect the segment routing network node identifier Locator routes of the entire network. The controller then calculates the tunnel path suitable for IP packet forwarding based on the learned network-wide segment routing SIDs, and delivers it to the first edge node through a BGP SR-Policy.
  • the first edge node of the segment routing network establishes a forwarding topology from the source to the remote second edge node according to the service requirements of the tunnel forwarding path.
  • the first edge node receives the forwarding path of the packet message sent by the controller.
  • the forwarding path of the packet message is determined by the controller based on the segment routing list.
  • the network-wide segment routing list is determined by the controller based on segment routing information. This establishes a segment routing tunnel.
  • the first edge node generates enhanced security function segment routing information.
  • the first edge node generates enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel.
  • the enhanced security function segment routing information includes the first enhanced security function segment list identity SID.
  • the first enhanced security function SID matches the security association SA identifier of the second edge node.
  • the first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check.
  • the first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node.
  • the first edge node checks the enhanced security function SID list rules. If the rule check passes, it sends a packet message containing the enhanced security function SID segment routing information; if the rule check fails, the tunnel establishment fails.
  • the first edge node's rule check may include: 1. checking whether all enhanced security function SIDs match in pairs (including implicitly expressed segment routing SIDs), that their number is divisible by 2, and that the parameter information of the paired enhanced security function SIDs matches; 2. checking the relationship between the matched pairs: enhanced security function SIDs whose parameter information matches different pairs are not allowed to cross. For example, 1-2-1-2 is not allowed because the pairs cross, while the forms 1-1-2-2 and 1-2-2-1 are allowed. Other rule checking methods can also be used, and there are no specific restrictions here.
  • the first edge node pushes the first path into the segment routing list.
  • the first edge node pushes the first path into the segment routing list, and the first path is the path through which the first edge node sends the packet.
  • the first edge node generates a first path based on the multiple enhanced security function SIDs and pushes the first path into the segment routing list; or the first edge node sends the first enhanced security function SID to the controller, so that the controller generates the first path according to the forwarding logic and delivers the first path to the first edge node.
  • Figure 10 is a schematic flowchart of pushing segment routing information into a segment routing list in an embodiment of the present application.
  • the first edge node pushes segment routing information into the segment routing list. If the node is the first node of the segment routing tunnel, two methods are available: one is to push its own enhanced security function SID into the segment routing list, so that the SID is expressed explicitly in the list; the other is to express the enhanced security function forwarding logic implicitly through control plane management, without explicitly pushing the SID into the segment routing list.
  • the first edge node determines whether there is any remaining segment routing information that has not been pushed into the segment routing header list. If there is, it continues to construct the enhanced security function SID according to the security policy; if there is none, the complete set of enhanced security function SIDs contained in the segment routing list is submitted for rule checking.
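The rule check in the preceding steps, as an added example that is not part of the patent text. SIDs are written in the page's Locator::Function::Args notation; the assumption that Function 1 marks the encrypting node of a pair and Function 2 the decrypting node, with Args carrying the SA identifier, is drawn from the embodiment SIDs (A::1::50, B::1::20, C::2::20, E::2::50) and is not stated by the page. The check also handles the implicit first-node SID and the last-segment-first storage order of the segment list.

```python
"""Rule check on the enhanced security function SIDs of a segment list.

Added example, not code from the patent.  SIDs use the page's
Locator::Function::Args notation; Function "1" is assumed to mark the
encrypting node of a pair and "2" the decrypting node, with Args carrying the
security association (SA) identifier (assumption drawn from the embodiments).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENCRYPT, DECRYPT = "1", "2"   # assumed Function codes, see module docstring


@dataclass(frozen=True)
class SecSid:
    locator: str
    function: Optional[str]   # None for a plain SID such as "D::"
    sa: Optional[str]         # SA identifier carried in Args, if any


def parse_sid(text: str) -> SecSid:
    """Split "Locator::Function::Args" on the page's '::' separators."""
    parts = text.split("::")
    function = parts[1] if len(parts) > 1 and parts[1] else None
    sa = parts[2] if len(parts) > 2 and parts[2] else None
    return SecSid(parts[0], function, sa)


def forwarding_order(first_node_sid: Optional[str], segment_list: List[str]) -> List[SecSid]:
    """The SRH stores the segment list last-segment-first, and the first node's
    own SID may be expressed implicitly rather than pushed; rebuild the hop order."""
    ordered = [parse_sid(s) for s in reversed(segment_list)]
    if first_node_sid is not None:
        ordered.insert(0, parse_sid(first_node_sid))
    return ordered


def check_rules(first_node_sid: Optional[str], segment_list: List[str]) -> Tuple[bool, str]:
    """Rule 1: security SIDs pair up (even count, encrypt/decrypt balanced per SA).
    Rule 2: pairs with different parameters must nest (1-1-2-2, 1-2-2-1), never
    cross (1-2-1-2).  Returns (passed, reason); a failed check aborts tunnel setup."""
    sec = [s for s in forwarding_order(first_node_sid, segment_list)
           if s.function in (ENCRYPT, DECRYPT)]
    if len(sec) % 2:
        return False, f"odd number of security SIDs ({len(sec)})"
    per_sa: Dict[Optional[str], List[str]] = {}
    for s in sec:
        per_sa.setdefault(s.sa, []).append(s.function)
    for sa, funcs in per_sa.items():
        if funcs.count(ENCRYPT) != funcs.count(DECRYPT):
            return False, f"SA {sa}: encrypt/decrypt SIDs do not match in pairs"
    # Bracket-style matching: a decrypting SID must close the most recently opened SA.
    open_sas: List[Optional[str]] = []
    for s in sec:
        if s.function == ENCRYPT:
            open_sas.append(s.sa)
        elif not open_sas or open_sas[-1] != s.sa:
            top = open_sas[-1] if open_sas else None
            return False, f"SA {s.sa} decryption crosses open SA {top}"
        else:
            open_sas.pop()
    if open_sas:
        return False, f"unclosed encryption for SA {open_sas}"
    return True, "ok"
```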
  • the first edge node performs joint encryption and integrity enhancement on the packet message.
  • the first edge node performs at least one joint encryption and integrity enhancement on the packet message.
  • the first edge node can perform joint encryption and integrity enhancement on the packet message through the following steps.
  • the first edge node constructs the key information of the encapsulated security payload extension header according to the security association SA.
  • the first edge node inserts the security extension options header.
  • the first edge node constructs an encapsulated security payload trailer, adds it to the tail of the original message, and forms a new packet message payload with the original IP packet message payload.
  • the first edge node calculates the packet integrity check value ICV for the packet message and adds it to the end of the packet message.
  • the first edge node updates the relevant fields of the packet message.
  • the network nodes in the segment routing network will perform at least one joint encryption and integrity enhancement on the packet message, and correspondingly, they will also perform at least one joint decryption and integrity processing. For example, when a network node in a segment routing network performs two joint encryption and integrity enhancements, it performs two joint decryption and integrity processing accordingly.
  • FIG 11 is a schematic diagram of the format of a packet message in this embodiment of the present application.
  • the source node performs the first joint encryption and integrity enhanced security function on the message to generate a packet message.
  • the first-encrypted data ranges from the one or more optional extension headers to encapsulated security payload trailer No. 1.
  • the additional authentication data for the integrity calculation is encapsulated security payload extension header No. 1, and the other covered data is the first-encrypted ciphertext; the integrity check value ICV No. 1 is appended in plaintext after encapsulated security payload trailer No. 1.
  • the source node sends the packet message to the first edge node.
  • the first edge node performs a second joint encryption and integrity enhancement security function on the packet message.
  • the second-encrypted data ranges from encapsulated security payload extension header No. 1 to encapsulated security payload trailer No. 2, including the ciphertext generated by the first calculation and ICV No. 1; the additional authentication data for the integrity calculation is encapsulated security payload extension header No. 2, and the other covered data is the second-encrypted ciphertext; the integrity check value ICV No. 2 is appended in plaintext after encapsulated security payload trailer No. 2.
  • FIG 12 is a schematic flow chart of secondary joint encryption and integrity enhancement in this embodiment of the present application. As shown in Figure 12, the first edge node performs the second joint encryption and integrity enhancement security function on the packet message, which may include the following steps:
  • the extension header can be a standard encryption extension header or a self-defined extension header.
  • step c: construct an encapsulated security payload trailer, add it to the tail of the original message, and form a new packet message payload together with the original IP packet message payload.
  • step c may not be performed, and the details are not limited here.
  • the first edge node sends the packet message.
  • the first edge node sends a packet message to at least one central node and the second edge node, where the packet message includes the first enhanced security function SID.
  • the packet message includes an IPv6 standard message header, a segment routing message header, at least one encapsulated security payload extension header, at least one extension header, the IP packet message payload, at least one encapsulated security payload trailer, and at least one packet message integrity check value ICV; or the packet message includes an IPv6 standard message header, a segment routing message header, at least one encapsulated security payload extension header, at least one extension header and the IP packet message payload.
  • Figure 13a is a schematic diagram of the format of a packet message in this embodiment of the present application.
  • the SRv6 packet message may include the following format:
  • IPv6 standard message header including IPv6 version number, flow tag, IPv6 payload length, next hop extension header, hop limit, IPv6 source IP, IPv6 destination IP.
  • Segment routing header: the message header is carried in the routing extension header RH, routing type 4.
  • the segment routing header mainly contains the remaining segments SL, the last entry index, the segment routing flags and the tag; the segment list contains one or more segments carrying enhanced security functions.
  • One or more encapsulated security payload extension headers, related to the actual implementation of the enhanced security function segments; this extension header contains the security parameter index SPI and the message security sequence number SN.
  • Extension header, optional; the extension header here can be a destination options extension header.
  • the payload of the IP packet message is the payload of the customer's IP packet message after security processing. If the enhanced security function is encryption, the payload is the encrypted ciphertext.
  • One or more encapsulated security payload trailers, including padding.
  • the main purpose of the padding is to adapt to the relevant encryption/integrity security algorithms and, in addition, to ensure 8-byte alignment of the ICV; the Next header of the trailer is the Next header of the original routing extension header.
  • One or more packet message integrity check values ICV, an optional field. This field is calculated by the joint encryption and integrity enhanced security function as the integrity value over the encapsulated security payload extension header and the customer IP packet message, or by the authentication addition function as the integrity value over the encapsulated security payload extension header and the customer IP packet message.
  • Figure 13b is another schematic diagram of the format of a packet message in this embodiment of the present application.
  • the SRv6 packet message may also include the following format:
  • IPv6 standard message header including IPv6 version number, flow tag, IPv6 payload length, next hop extension header, hop limit, IPv6 source IP, IPv6 destination IP.
  • Segment routing header: the message header is carried in the routing extension header RH, routing type 4.
  • the segment routing header mainly contains the remaining segments SL, the last entry index, the segment routing flags and the tag; the segment list contains one or more segments carrying enhanced security functions.
  • One or more encapsulation authentication extension headers, related to the actual implementation of the enhanced security function segments; this extension header contains the Next Header, the security parameter index SPI, and the message security sequence number SN.
  • Extension header, optional; the extension header here can be a destination options extension header.
  • the payload of the IP packet message is the customer IP packet message.
  • in the following, the target network node is any one of the at least one central node and the second edge node.
  • Figure 14 is another schematic flowchart of a message transmission method in an embodiment of the present application. Please refer to Figure 14.
  • a process of the message transmission method in the embodiment of the present application includes:
  • the target network node receives the packet message sent by the first edge node.
  • the target network node analyzes whether the remaining segment SL of the segment route is legal.
  • Figure 15 is a schematic flowchart of parsing whether the remaining segments SL of a segment route is legal in an embodiment of the present application. As shown in Figure 15, after the target network node receives the packet message sent by the source node, and before performing encryption and integrity enhancement on the packet message, the target network node parses the segment routing SL. If the SL is illegal, the message is discarded; if the SL is legal, the SID lookup is entered.
  • the target network node uses the DIP in the IPv6 standard packet header to look up the IPv6 FIB table. If it finds that the DIP is a local route, it uses the current SID in the SRH to continue looking up the local SID.
  • the target network node hits the local SID and associates it with the relevant SA according to the forwarding action function definition Function and parameter Args in the hit SID, or directly associates it with the relevant SA through the SID.
  • the target network node determines the specific security behavior based on the forwarding action function definition Function of the SID and the SA.
  • the final execution behavior follows the forwarding action function definition Function of the SID: for example, if the Function of the SID specifies encryption while the SA defines both encryption and authentication, the final execution is performed according to encryption.
  • the target network node jointly decrypts and authenticates the integrity of the packet message.
  • Figure 16 is a schematic flow chart of decryption and integrity processing in the embodiment of the present application. As shown in Figure 16, specifically, the target network node generates a packet message through decryption and integrity processing based on the packet message, as shown in the following steps:
  • the target network node parses the Next header of the routing extension header RH of the packet message to obtain the encapsulated security payload extension header type.
  • the target network node decrypts the message and calculates the integrity value based on the key and encryption algorithm associated with the SA, and compares the calculated integrity value with the ICV carried in the message. If the two are consistent, the integrity verification passes; if they are inconsistent, the integrity verification fails and the message is discarded directly.
  • calculating the authentication integrity value using the enhanced security function includes the following steps:
  • the authentication calculation field range includes the source address, destination address, next extension header, payload length, flow label, segment routing extension header, next extension header, extension header length, routing type, number of remaining segments, Last Entry, Flags, Tags, and the entire segment routing list;
  • the historical encapsulation authentication extension header fields such as encapsulation authentication extension header [n], the unchanged fields in one or more extension headers, and the IP packet message payload.
  • the destination address, payload length, and flow label in the IPv6 standard header may change during forwarding if there is a routing extension header.
  • for such fields the calculation here can use preset corresponding values, for example, forwarding to segments
  • the flow label is likewise calculated using the preset corresponding value of segment routing node [0].
  • calculating the authentication integrity value using the enhanced security function can also be calculated as follows:
  • the authentication calculation field range includes the source address, destination address, next extension header, payload length, flow label, segment routing extension header, next extension header, extension header length, routing type, number of remaining segments, Last Entry, Flags, Tags, and the entire segment routing list;
  • the historical encapsulation authentication extension header fields such as encapsulation authentication extension header [n].
  • the destination address, payload length, and flow label in the IPv6 standard header may change during forwarding if there is a routing extension header.
  • for such fields the calculation here can use preset corresponding values, for example, forwarding to segments
  • the flow label is likewise calculated using the preset corresponding value of segment routing node [0].
  • the target network node decrypts the message according to the key and encryption algorithm associated with the SA.
  • the target network node decrypts the packet message based on the key and encryption algorithm associated with the SA.
  • the target network node removes the associated encapsulated security payload extension header and encapsulated security payload trailer, and updates the relevant fields of the packet message, such as the Total Length in the IPv6 standard header.
  • the target network node removes the encapsulated security payload extension header and encapsulated security payload trailer associated with the packet message, and updates the relevant fields of the packet message.
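The two-layer encapsulation of FIG. 11 and the joint decryption and integrity processing just described, as an added example that is not taken from the patent. Only the part of the packet after the SRH is modelled; the page does not name the SA's cipher or ICV algorithm, so an HMAC-SHA256-derived keystream and a truncated HMAC-SHA256 tag stand in for them (constructed for illustration, not a production AEAD), and the SA keys, the SPI values 50 and 20 and the next-header placeholder are constructed.

```python
"""Two-layer joint encryption and integrity protection laid out as in FIG. 11.

Added example, not code from the patent.  Only the security-processed part
after the SRH is modelled.  Cipher and ICV algorithm are unnamed by the page:
a HMAC-SHA256 counter keystream and a truncated HMAC-SHA256 tag are constructed
stand-ins, not a production AEAD.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

NH_ESP = 50    # IANA next-header value for ESP; the outer layer's inner header is another ESP header
NH_CLIENT = 59 # placeholder next-header value for the client payload (constructed)
ICV_LEN = 16


class IntegrityError(Exception):
    """Raised when the ICV or SPI check fails; the node discards the message."""


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int          # security parameter index carried in the ESP header
    enc_key: bytes    # constructed keys; a real SA negotiates them
    auth_key: bytes


def esp_header(spi: int, sn: int) -> bytes:
    """Encapsulated security payload extension header: SPI and sequence number SN."""
    return struct.pack(">II", spi, sn)


def esp_trailer(body_len: int, next_header: int) -> bytes:
    """Padding so that body + trailer is 8-byte aligned, then pad length and Next header."""
    pad_len = (-(body_len + 2)) % 8
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def keystream(sa: SecurityAssociation, sn: int, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode keyed per SA and SN."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(sa.enc_key, struct.pack(">IIQ", sa.spi, sn, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(sa: SecurityAssociation, sn: int, plain: bytes, next_header: int) -> bytes:
    """One joint encryption + integrity enhancement: encrypted range is plain || trailer,
    additional authenticated data is the ESP header, ICV appended in plaintext."""
    hdr = esp_header(sa.spi, sn)
    body = plain + esp_trailer(len(plain), next_header)
    ct = xor(body, keystream(sa, sn, len(body)))
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + ct + icv


def unprotect(sa: SecurityAssociation, packet: bytes):
    """Joint decryption + integrity: verify the ICV before decrypting; mismatch -> discard."""
    hdr, ct, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, sn = struct.unpack(">II", hdr)
    if spi != sa.spi:
        raise IntegrityError(f"SPI {spi} does not match SA {sa.spi}")
    expected = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise IntegrityError("ICV mismatch, message discarded")
    body = xor(ct, keystream(sa, sn, len(ct)))
    pad_len, next_header = body[-2], body[-1]
    return sn, body[:-(pad_len + 2)], next_header


# Constructed SAs for the embodiment's pairs: SA 50 (RA/RE) and SA 20 (RB/RC).
SA50 = SecurityAssociation(50, b"sa50-enc-key", b"sa50-auth-key")
SA20 = SecurityAssociation(20, b"sa20-enc-key", b"sa20-auth-key")


def two_layer_round_trip(client_payload: bytes) -> bytes:
    """RA applies layer 1 with SA 50; RB applies layer 2 with SA 20 over
    header No.1 || ciphertext No.1 || ICV No.1; RC strips layer 2; RE strips layer 1."""
    layer1 = protect(SA50, 1, client_payload, NH_CLIENT)
    layer2 = protect(SA20, 1, layer1, NH_ESP)
    _, inner, nh = unprotect(SA20, layer2)      # processing at RC (C::2::20)
    if nh != NH_ESP or inner != layer1:
        raise IntegrityError("layer 2 did not yield header No.1 + ciphertext No.1 + ICV No.1")
    _, plain, _ = unprotect(SA50, inner)        # processing at RE (E::2::50)
    return plain


def tamper_is_detected(client_payload: bytes) -> bool:
    """Flip one ciphertext bit of the outer layer; the ICV check at RC must fail."""
    layer2 = bytearray(protect(SA20, 7, protect(SA50, 7, client_payload, NH_CLIENT), NH_ESP))
    layer2[12] ^= 0x01
    try:
        unprotect(SA20, bytes(layer2))
    except IntegrityError:
        return True
    return False
```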
  • FIG 17 is an architectural schematic diagram of the network topology in the embodiment of this application. A segment routing network topology is shown in Figure 17.
  • An SRv6 tunnel is established between RA and RE.
  • the source node T1 and the destination node T2 are the sending and receiving ends of client IP packets.
  • the SID A::1::50 of segment routing node RA represents an enhanced security function SID.
  • the SID E::2::50 of segment routing node RE represents an enhanced security function SID.
  • FIGs 18a and 18b are the first signal flow diagram of message transmission in the embodiment of the present application. As shown in Figure 18a and Figure 18b, specifically, the message transmission is as follows.
  • Source node T1 -> routing node RA: source node T1 sends the original IP packet.
  • Routing node RA (i.e., the first edge node) -> routing node RB: routing node RA, i.e., the first edge node, establishes a segment routing tunnel according to the tunnel security policy. Routing node RA and routing node RE use security association 50 to form an encrypted paired segment routing node pair.
  • Routing node RB and routing node RC use security association 20 to form an encrypted paired segment routing node pair; routing node RA, as the first node of the tunnel, uses the implicit (non-displayed) push method for its own segment A::1::50 and establishes the segment routing list <E::2::50, D::, C::2::20, B::1::20>. Routing node RA also encrypts the original IP message according to security association 50 and then calculates the integrity, adds the outer IPv6 standard header and the SRH (the segment routing list with enhanced security functions formed according to the security policy is pushed into the SRH), and forwards the message to routing node RB.
  • Routing node RB -> routing node RC: hits the B::1::20 SID; routing node RB processes the message with the second joint encryption and integrity enhanced security function described above according to security association 20, decrements SL by 1, and forwards it to routing node RC.
  • Routing node RC -> routing node RD: hits the C::2::20 SID; routing node RB, based on security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN; not limited to these two pieces of information, other information can also be extended), jointly decrypts and integrity-verifies the message according to the segment routing node processing process described above, decrements SL by 1, and forwards it to routing node RD.
  • Routing node RD -> routing node RE (i.e., the second edge node): hits the D:: SID, which has no enhanced security function, and forwards to routing node RE according to the normal SRv6 forwarding process.
  • Routing node RE -> destination node T2: hits the E::2::50 SID; routing node RB, relying on security association 50 and the valid information in encapsulated security extension header 50 (for example SPI and SN; not limited to these two pieces of information, other information can also be extended), jointly decrypts and integrity-verifies the message according to the segment routing node processing process described above, removes the outer IPv6 encapsulation, and forwards it to destination node T2.
  • Embodiment 2: a segment routing network topology is shown in Figure 17.
  • An SRv6 tunnel is established between RA and RE, where the source node T1 and destination node T2 are the sending and receiving ends of client IP packets.
  • FIGs 19a and 19b are second signal flow diagrams of message transmission in the embodiment of the present application. As shown in Figure 19a and Figure 19b, specifically, the message transmission is as follows.
  • Source node T1 -> routing node RA: source node T1 sends the original IP packet.
  • Routing node RA -> routing node RB: RA establishes a segment routing tunnel according to the tunnel security policy.
  • RA and RE use security association 50 to form an encrypted paired segment routing node pair;
  • RB and RC use security association 20 to form an encrypted paired segment routing node pair;
  • the message is encapsulated with the IPv6 standard header and the SRH (the segment routing list with enhanced security functions formed according to the security policy is pushed into the SRH), SL is decremented by 1, the B::1::20 route is looked up, and the message is forwarded to RB.
  • Routing node RB -> routing node RC: hits the B::1::20 SID; RB processes the message with the second joint encryption and integrity enhanced security function described above according to security association 20, decrements SL by 1, and forwards it to RC.
  • Routing node RC -> routing node RD: hits the C::2::20 SID; RB, based on security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN; not limited to these two pieces of information, other information can also be extended), jointly decrypts and integrity-verifies the message according to the segment routing node processing process described above, decrements SL by 1, and forwards it to RD.
  • Routing node RD -> routing node RE: hits the D:: SID, which has no enhanced security function, and forwards to RE according to the normal SRv6 forwarding process.
  • Routing node RE -> destination node T2: hits the E::2::50 SID; RB, based on security association 50 and the valid information in encapsulated security extension header 50 (for example SPI and SN; not limited to these two pieces of information, other information can also be extended), jointly decrypts and integrity-verifies the message according to the segment routing node processing process described above, removes the outer IPv6 encapsulation, and forwards it to T2.
  • Embodiment 3: a segment routing network topology is shown in Figure 17; an SRv6 tunnel is established between RA and RE, where the source node T1 and the destination node T2 are the sending and receiving ends of client IP packet messages.
  • FIGS 20a and 20b are the third signal flow diagram of message transmission in the embodiment of the present application. As shown in Figure 20a and Figure 20b, specifically, the message transmission steps are as follows:
  • Source node T1 -> routing node RA: source node T1 sends the original IP packet.
  • Routing node RA -> routing node RB: RA establishes a segment routing tunnel according to the tunnel security policy; RD and RE use security association 50 to form an encrypted paired segment routing node pair, and RB and RC use security association 20 to form an encrypted paired segment routing node pair;
  • Routing node RB -> routing node RC: hits the B::1::20 SID; RB performs joint encryption and integrity processing on the message according to security association 20 and Figure 7 (segment routing node processing flow), decrements SL by 1, and forwards it to RC.
  • Routing node RC -> routing node RD: hits the C::2::20 SID; RB, based on security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN; not limited to these two pieces of information, other information can also be extended), jointly decrypts and integrity-verifies the message according to the segment routing node processing flow described above, decrements SL by 1, and forwards it to RD.
  • Routing node RD -> routing node RE: hits the D::1::40 SID; RD performs joint encryption and integrity processing on the message according to security association 40 and the segment routing node processing process described above, decrements SL by 1, and forwards it to RC.
  • Routing node RE -> destination node T2: hits the E::2::40 SID; RB, based on security association 40 and the valid information in encapsulated security extension header 40 (for example SPI and SN; not limited to these two pieces of information, other information can also be extended), jointly decrypts and integrity-verifies the message according to the segment routing node processing process described above, removes the outer IPv6 encapsulation, and forwards it to T2.
  • Embodiment 4: a segment routing network topology is shown in Figure 17; an SRv6 tunnel is established between RA and RE, where the source node T1 and the destination node T2 are the sending and receiving ends of client IP packet messages.
  • FIGs 21a and 21b are the fourth signal flow diagram of message transmission in the embodiment of the present application. As shown in Figure 21a and Figure 21b, specifically, the message transmission is as follows.
  • Source node T1->routing node RA Source node T1 sends the original IP packet.
  • Routing node RA->Routing node RB RA establishes a segment routing tunnel according to the tunnel security policy. RA and RE use security association 50 to form an encrypted paired segment routing node, and RB and RC use security association 20 to form an encrypted paired segment routing node;
  • IPv6SA T1::, IP
  • Routing node RB->Routing node RC Hits B::1::20 SID, RB processes the above two joint encryption and integrity enhanced security function message according to security association 20, and at the same time, SL is reduced by 1 and forwarded to RC .
  • Routing node RC -> routing node RD: hits the C::2::20 SID. RC, based on security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN; not limited to these two pieces of information, other information can also be added), jointly decrypts and verifies the integrity of the message according to the segment routing node processing procedure described above, decrements SL by 1 and forwards the message to RD.
  • Routing node RD -> routing node RE: hits the D::SID. There is no enhanced security function; the message is forwarded to RE according to normal SRv6 forwarding.
  • Routing node RE -> destination node T2: hits the E::2::50 SID. RE, based on security association 50 and the valid information in encapsulated security extension header 50 (for example SPI and SN; not limited to these two pieces of information, other information can also be added), jointly decrypts and verifies the integrity of the message according to the segment routing node processing procedure described above, removes the pushed SRH and forwards the message to destination node T2.
  • FIG. 22 is a schematic structural diagram of the first edge node in the embodiment of the present application. Referring to Figure 22, an embodiment of the present application provides a first edge node 2200, which may be the first edge node in Figure 6. The first edge node is applied to a segment routing network; the segment routing network includes a first edge node, at least one central node and a second edge node, and the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel. The first edge node 2200 includes:
  • the building module 2201 is used to negotiate with the at least one central node and the second edge node respectively to establish a security association; for the specific implementation, refer to step 601 in the embodiment shown in Figure 6 (the network nodes in the segment routing network negotiate to establish a security association), which will not be described again here.
  • the second generation module 2202 is used to generate the first enhanced security function SID; for the specific implementation, refer to step 602 in the embodiment shown in Figure 6 (the network routing node generates the first enhanced security function SID), which will not be described again here.
  • the second sending module 2203 is used to send the first enhanced security function SID to the controller, the at least one central node and the second edge node; for the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID to the segment routing network), which will not be described again here.
  • the third sending module 2204 is configured to send SID revocation information to the at least one central node, the second edge node and/or the controller if the first edge node determines that the security capability of the security association is weakened; the SID revocation information instructs the at least one central node, the second edge node and/or the controller to revoke the first enhanced security function SID.
  • the third sending module 2204 includes:
  • the first determination unit 2205, used to determine a change in the network node device relationships in the security association and/or a change in the key parameters of the security association; for the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID to the segment routing network), which will not be described again here.
  • the second determination unit 2206, configured to determine that the security capability of the security association is weakened based on the key parameters of the security association and the enhanced security function capability of the SID; for the specific implementation, refer to the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID to the segment routing network), which will not be described again here.
  • the receiving module 2207 is configured to receive the multiple enhanced security function SIDs sent respectively by the at least one central node and the second edge node; for the specific implementation, refer to the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID to the segment routing network), which will not be described again here.
  • the first determination module 2208 is used to determine the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path; for the specific implementation, refer to step 604 in the embodiment shown in Figure 6 (the first edge node determines the forwarding topology information), which will not be described again here.
  • the first generation module 2209 is configured to generate enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel; the enhanced security function segment routing information includes the first enhanced security function segment list identity SID, and the first enhanced security function SID matches the security association SA identifier of the second edge node; for the specific implementation, refer to step 606 in the embodiment shown in Figure 6 (the first edge node generates enhanced security function segment routing information), which will not be described again here.
  • the push module 2210 is used to push the first path into the segment routing list; for the specific implementation, refer to step 608 in the embodiment shown in Figure 6 (the first edge node pushes the first path into the segment routing list), which will not be described again here. The push module 2210 is specifically configured to: generate a first path based on the multiple enhanced security function SIDs and push the first path into the segment routing list; or send the first enhanced security function SID to the controller, so that the controller generates the first path according to the forwarding logic and delivers the first path to the first edge node.
  • the second determination module 2211 is used to determine that the multiple enhanced security function SIDs in the segment routing list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node; for the specific implementation, refer to step 607 in the embodiment shown in Figure 6 (the first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check), which will not be described again here.
  • the joint encryption and integrity enhancement module 2212 is used to perform joint encryption and integrity enhancement on the packet message at least once; for the specific implementation, refer to the embodiment shown in Figure 6 (the first edge node performs joint encryption and integrity enhancement on the packet message), which will not be described again here.
  • the joint encryption and integrity enhancement module 2212 is specifically used to: construct the key information of the security payload extension option header according to the security association SA; insert the security extension option header; construct the encapsulating security payload trailer and append it to the end of the original message, so that together with the original IP packet payload it forms the new packet payload; and encrypt the packet payload using the key and corresponding algorithm in the SA, where, if the algorithm requires an initialization vector, IV = {SPI || SN}; for the specific implementation, refer to the embodiment shown in Figure 6 (the first edge node performs joint encryption and integrity enhancement on the packet message), which will not be described again here.
  • the first sending module 2213 is configured to send a packet message, where the packet message includes the first enhanced security function SID; for the specific implementation, refer to the embodiment shown in Figure 6 (the first edge node sends the packet message), which will not be described again here.
  • the first edge node may perform the operations performed by the first edge node in any of the embodiments shown in FIG. 6 , and details will not be described again here.
  • The target network node in the embodiment of the present application is described below. The target network node is any one of the at least one central node and the second edge node. An embodiment of the present application provides a target network node 2300, which may be the target network node in Figure 14 above. The target network node is applied to a segment routing network; the segment routing network includes a first edge node, at least one central node and the target network node, and the first edge node, the at least one central node and the target network node are connected in sequence to build a segment routing tunnel. The target network node 2300 includes:
  • the receiving module 2301 is used to receive the packet message sent by the first edge node; for the specific implementation, refer to step 1401 in the embodiment shown in Figure 14 (the target network node receives the packet message sent by the first edge node), which will not be described again here.
  • the second parsing module 2302 is used to parse whether the remaining segments SL of the segment routing are legal; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14 (the target network node parses whether the remaining segments SL of the segment routing are legal), which will not be described again here.
  • the search module 2303 is used to search the IPv6 FIB table using the IPv6 standard packet header if the SL is legal; if the DIP is found to be a local route, the target network node uses the current SID in the segment routing extension header SRH to continue searching for a local SID; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14, which will not be described again here.
  • the association module 2304 is used to associate the target network node with the relevant SA according to the forwarding action function definition and parameters in the hit SID if the target network node hits a local SID, or to associate the target network node with the relevant SA directly through the SID; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14, which will not be described again here.
  • the determination module 2305 is used to determine the specific execution behaviour based on the SID forwarding action function definition and the SA; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14, which will not be described again here.
  • a parsing module is used to parse whether the extension header RH of the packet message is an encapsulated security payload extension header; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14 (the target network node jointly decrypts and authenticates the integrity of the packet message), which will not be described again here.
  • the extraction module 2307 is used to extract the information in the encapsulated security extension header; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14, which will not be described again here.
  • the decryption integrity calculation module 2308 is used to perform decryption integrity calculation on the packet message using the key and encryption algorithm associated with the security association SA, and to compare the calculated integrity value with the integrity check value ICV carried in the message for integrity verification; if the comparison is consistent, the integrity verification is determined to have passed; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14, which will not be described again here.
  • the decryption integrity calculation module 2308 includes:
  • the determination unit 2309, used to determine the authentication calculation field range of the packet message; the authentication calculation field range includes the IPv6 standard header of the packet message, all enhanced security function segment routing lists and the encapsulated authentication extension header; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14 (the target network node jointly decrypts and authenticates the integrity of the packet message), which will not be described again here.
  • the decryption integrity calculation unit 2310, used to perform decryption integrity calculation on the packet message over the authentication calculation field range using the key and encryption algorithm associated with the SA, where for the variable fields within the authentication calculation field range the target network node performs the decryption integrity calculation with preset corresponding values; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14, which will not be described again here.
  • the target network node can perform the operations performed by the target network node in any of the embodiments shown in FIG. 14 , and details will not be described again here.
  • FIG. 24 is a schematic structural diagram of a first edge node provided by an embodiment of the present application.
  • the first edge node 2400 may include one or more central processing units (CPU) 2401 and a memory 2405.
  • the memory 2405 stores one or more applications or data.
  • the memory 2405 can be volatile storage or persistent storage.
  • the program stored in the memory 2405 may include one or more modules, and each module may include a series of instruction operations in the first edge node.
  • the central processor 2401 may be configured to communicate with the memory 2405 and execute the series of instruction operations in the memory 2405 on the first edge node 2400.
  • the central processor 2401 is used to execute the computer program in the memory 2405, so that the first edge node 2400 executes the following: the first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path; the first edge node generates enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel, where the enhanced security function segment routing information includes the first enhanced security function segment list identity SID, and the first enhanced security function SID matches the security association SA identifier of the second edge node; the first edge node pushes the first path into the segment routing list; the first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node; the first edge node sends a packet message, and the packet message includes the first enhanced security function SID; for the specific implementation, refer to steps 601-610 in the embodiment shown in Figure 6, which will not be described again here.
  • the first edge node 2400 may also include one or more power supplies 2402, one or more wired or wireless network interfaces 2403, one or more input and output interfaces 2404, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
  • the first edge node 2400 can perform the operations performed by the first edge node in the embodiment shown in FIG. 6, which will not be described again here.
  • FIG. 25 is a schematic structural diagram of a target network node provided by an embodiment of the present application.
  • the target network node 2500 may include one or more central processing units (CPU) 2501 and a memory 2505.
  • the memory 2505 stores one or more applications or data.
  • the memory 2505 can be volatile storage or persistent storage.
  • the program stored in the memory 2505 may include one or more modules, and each module may include a series of instruction operations in the target network node.
  • the central processor 2501 may be configured to communicate with the memory 2505 and execute the series of instruction operations in the memory 2505 on the target network node 2500.
  • the central processor 2501 is used to execute the computer program in the memory 2505, so that the target network node 2500 executes the following: the target network node receives the packet message sent by the first edge node, where the target network node is any one of the at least one central node and the second edge node; the target network node parses whether the extension header RH of the packet message is an encapsulated security payload extension header; the target network node extracts the information in the encapsulated security extension header; the target network node performs decryption integrity calculation on the packet message using the key and encryption algorithm associated with the security association SA, and compares the calculated integrity value with the integrity check value ICV carried in the message for integrity verification; if the comparison is consistent, the integrity verification is passed; if the integrity verification is passed, the target network node decrypts the packet message according to the key and encryption algorithm associated with the SA; the target network node removes the encapsulated security payload extension header and the encapsulated security payload trailer associated with the packet message, and updates
  • the target network node 2500 may also include one or more power supplies 2502, one or more wired or wireless network interfaces 2503, one or more input and output interfaces 2504, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
  • the target network node 2500 can perform the operations performed by the target network node in the embodiment shown in FIG. 25, which will not be described again here.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of units is only a logical function division; in actual implementation there may be other ways of division.
  • multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be electrical, mechanical or in other forms.
  • a unit described as a separate component may or may not be physically separate.
  • a component shown as a unit may or may not be a physical unit, that is, it may be located in one place or distributed across multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software functional units.
  • integrated units may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as independent products.
  • the technical solution of the present application, in essence or in the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the various embodiments of the present application.
  • the aforementioned storage media include: USB flash drive, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disk and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in the embodiments of the present application are a message transmission method and a related device, which are used for flexibly arranging a segment routing list on the basis of a tunnel path security policy, so as to enhance network security more flexibly. The method in the embodiments of the present application comprises: according to a service requirement of a segment routing tunnel forwarding path, determining forwarding topology information from a first edge node to a second edge node; according to the forwarding topology information and a security policy of the segment routing tunnel, generating enhanced security function segment routing information; pushing a first path into the segment routing list; determining that a plurality of enhanced security function SIDs in the segment routing list pass a rule check; and sending a packet message, the packet message comprising a first enhanced security function SID.

Description

A message transmission method and related device
This application claims priority to the Chinese patent application filed with the China Patent Office on March 23, 2022, with application number CN202210288718.X and title "A message transmission method and related device", the entire content of which is incorporated herein by reference.
Technical field
Embodiments of the present application relate to the field of data transmission, and in particular to a message transmission method and related device.
Background
The development of Internet Protocol version 4 (IPv4) ran into scalability problems: at the time of its design, nobody expected that so many devices would be connected to IP networks, and this triggered the development of Internet Protocol version 6 (IPv6).
To address the compatibility of IPv4 and IPv6, the existing technical solution uses the Internet Protocol Security (IPSec) network protocol. IPSec provides interoperable, high-quality, cryptography-based security services for IPv4 and IPv6. The security services provided by IPSec are provided at the IP layer and protect, in a standard way, the IP layer and all protocols carried over it. IPsec can protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. In the tunnel mode supported by IPSec, the entire IP packet that needs protection is encapsulated in a new IP packet as the payload of the new packet, and a new IP header is then added on the outside.
Existing IPSec technology is a point-to-point tunnel encryption technology. For example, for an IPv6 Segment Routing (SRv6) Policy tunnel, tunnel encryption can only be deployed at the head node and tail node of the tunnel. In actual deployment, an SRv6 tunnel may traverse multiple trust domains, and different trust domains have different security requirements.
Summary of the invention
Embodiments of the present application provide a message transmission method and related device, used to flexibly arrange a segment routing list based on a tunnel path security policy, so as to enhance network security more flexibly.
The first aspect of the embodiments of the present application provides a message transmission method, applied to a segment routing network. The segment routing network includes a controller, a first edge node, at least one central node and a second edge node; the first edge node, the at least one central node and the second edge node are connected in sequence to build a segment routing tunnel. The method includes: the first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path; the first edge node generates enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel, where the enhanced security function segment routing information includes a first enhanced security function segment list identity SID, and the first enhanced security function SID matches the security association SA identifier of the second edge node; the first edge node pushes a first path into the segment routing list; the first edge node determines that multiple enhanced security function SIDs in the segment routing list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node; the first edge node sends a packet message, and the packet message includes the first enhanced security function SID.
In this possible implementation, the segment routing node publishes an enhanced security function SID, and the first edge node can flexibly arrange the segment routing list based on the tunnel path security policy. Using enhanced security function SIDs requires few changes to the existing network system, is easy to deploy, and can flexibly enhance the security of the network.
在第一方面的一种可能的实现方式中,在上述第一边缘节点根据分段路由隧道转发路径的业务要求确定第一边缘节点至第二边缘节点的转发拓扑信息之前,上述方法还包括:第一边缘节点分别与至少一个中心节点和第二边缘节点协商构建安全联盟;第一边缘节点生成第一增强安全功能SID;第一边缘节点将第一增强安全功能SID发送给控制器、至少一个中心节点和第二边缘节点;第一边缘节点接收至少一个中心节点和第二边缘节点分别发送的多个增强安全功能SID。In a possible implementation of the first aspect, before the first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path, the above method further includes: The first edge node negotiates with at least one central node and the second edge node to establish a security alliance; the first edge node generates a first enhanced security function SID; the first edge node sends the first enhanced security function SID to the controller, at least one The central node and the second edge node; the first edge node receives a plurality of enhanced security function SIDs respectively sent by at least one central node and the second edge node.
在第一方面的一种可能的实现方式中,上述第一边缘节点将第一路径压入分段路由列表,包括:第一边缘节点根据多个增强安全功能SID生成第一路径,并将第一路径压入分段路由列表;或述第一边缘节点将第一增强安全功能SID发送给控制器,以使得控制器根据转发逻辑生成第一路径,并将第一路径下发到第一边缘节点。In a possible implementation of the first aspect, the above-mentioned first edge node pushes the first path into the segment routing list, including: the first edge node generates the first path according to multiple enhanced security function SIDs, and adds the first path to the segment routing list. Push a path into the segment routing list; or the first edge node sends the first enhanced security function SID to the controller, so that the controller generates the first path according to the forwarding logic and delivers the first path to the first edge node.
在第一方面的一种可能的实现方式中,上述方法还包括:若第一边缘节点确定安全联盟的安全能力减弱,第一边缘节点向至少一个中心节点、第二边缘节点和/或控制器发送SID撤销信息,SID撤销信息指示至少一个中心节点、第二边缘节点和/或控制器撤销第一增强安全功能SID。In a possible implementation of the first aspect, the above method further includes: if the first edge node determines that the security capability of the security alliance is weakened, the first edge node sends a request to at least one central node, the second edge node and/or the controller. SID revocation information is sent, and the SID revocation information instructs at least one central node, the second edge node and/or the controller to revoke the first enhanced security function SID.
在第一方面的一种可能的实现方式中,上述第一边缘节点确定安全联盟的安全能力减弱包括:第一边缘节点确定安全联盟中的网络节点设备关系变更和/或安全联盟的关键参数变更;第一边缘节点根据安全联盟关键参数和SID的增强安全功能能力确定安全联盟的安全能力减弱。In a possible implementation of the first aspect, the first edge node determining that the security capability of the security alliance is weakened includes: the first edge node determining changes in network node device relationships in the security alliance and/or changes in key parameters of the security association. ; The first edge node determines that the security capability of the security alliance is weakened based on the key parameters of the security association and the enhanced security function capability of the SID.
在第一方面的一种可能的实现方式中,上述第一增强安全功能SID包括定位符网络节点标识、功能编码和参数,其中定位符网络节点标识为网络拓扑中用于路由和转发报文到一个网络节点的节点标识;功能编码包括设备预先设定的设备指令,功能编码实现增强安全功能、加密、解密、联合加密和完整性、联合解密和完整性、认证添加、认证验证能力和安全增强等功能;参数用于定义安全增强能力的服务信息;或定位符网络节点标识为网络拓扑中一个网络节点的标识,用于路由和转发报文到该节点,功能编码包括设备预先设定的设备指令,参数用于定义安全增强能力的服务信息,服务信息用于实现增强安全功能、加密、解密、联合加密和完整性、联合解密和完整性、认证添加、认证验证能力和安全增强等功能。In a possible implementation of the first aspect, the above-mentioned first enhanced security function SID includes a locator network node identifier, a function code and parameters, wherein the locator network node identifier is used in the network topology for routing and forwarding messages to The node identification of a network node; the function code includes the device instructions preset by the device. The function code implements enhanced security functions, encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication addition, authentication verification capability and security enhancement. and other functions; parameters are used to define service information of security enhancement capabilities; or locator network node identifier is the identifier of a network node in the network topology, used to route and forward packets to the node, and the function code includes the device preset by the device Instructions and parameters are used to define service information of security enhancement capabilities. Service information is used to implement enhanced security functions, encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication addition, authentication verification capabilities and security enhancement functions.
In one possible implementation of the first aspect, the packet includes an IPv6 base header, a segment routing header, at least one Encapsulating Security Payload (ESP) extension header, at least one further extension header, the IP packet payload, at least one ESP trailer and at least one packet integrity check value (ICV); or the packet includes an IPv6 base header, a segment routing header, at least one ESP extension header, at least one further extension header and the IP packet payload.
In one possible implementation of the first aspect, the method further includes: the first edge node performing joint encryption and integrity enhancement on the packet at least once.
In one possible implementation of the first aspect, the first edge node performing joint encryption and integrity enhancement on the packet includes: the first edge node constructing the key information of the security payload extension option header from the security association (SA); the first edge node inserting the security extension option header; the first edge node constructing an ESP trailer and appending it to the end of the original packet so that, together with the original IP packet payload, it forms the new packet payload; the first edge node encrypting the packet payload with the key and corresponding algorithm from the SA, where, if the encryption algorithm requires an initialization vector (IV), IV = {SPI || SN}, SPI being the security parameter index and SN the packet security sequence number; the first edge node computing the packet integrity check value (ICV) over the packet and appending it to the end of the packet; and the first edge node updating the relevant fields of the packet.
The second aspect of the embodiments of this application provides a packet transmission method applied to a segment routing network. The segment routing network includes a first edge node, at least one central node and a second edge node; the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel, and the target network node is any one of the at least one central node and the second edge node. The method includes: the target network node receiving a packet sent by the first edge node; the target network node parsing the extension header RH of the packet as an ESP extension header; the target network node extracting the information carried in the ESP extension header; the target network node performing the decryption integrity computation on the packet with the key and encryption algorithm associated with the security association (SA) and comparing the computed integrity value with the integrity check value (ICV) carried in the packet; determining that integrity verification passes if the two match; if integrity verification passes, the target network node decrypting the packet with the key and encryption algorithm associated with the SA; and the target network node removing the ESP extension header and ESP trailer associated with the packet and updating the relevant fields of the packet.
In one possible implementation of the second aspect, before the target network node parses the extension header RH of the packet as an ESP extension header, the method further includes: the target network node checking whether the Segments Left (SL) value of the segment routing header is valid; if SL is valid, the target network node looking up the IPv6 FIB table using the IPv6 base header and, if the destination IP address (DIP) is found to be a local route, continuing with a lookup of the local SID table using the current SID of the segment routing header (SRH); if the target network node hits a local SID, associating the relevant SA according to the forwarding-action function definition and arguments in the hit SID, or associating the relevant SA directly through the SID; and the target network node determining the specific action to execute from the SID's forwarding-action function definition and the SA.
In one possible implementation of the second aspect, the target network node performing the decryption integrity computation on the packet with the key and encryption algorithm associated with the SA includes: the target network node determining the authentication computation field range of the packet, where that range includes the IPv6 base header of the packet, all enhanced security function segment routing lists and the encapsulated authentication extension header; and the target network node performing the decryption integrity computation over that range with the key and encryption algorithm associated with the SA, where, for mutable fields inside the authentication computation field range, the target network node substitutes preset values in the computation.
In one possible implementation of the second aspect, the authentication computation field range further includes at least one extension header and the IP packet payload.
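The sender-side joint encryption and integrity step (ESP header, padded trailer, IV = SPI || SN, encryption, ICV) and the target node's verify-ICV-then-decrypt step, with the mutable fields of the authentication scope replaced by preset values, as an added example on a simplified packet model. This is not the patent's code: HMAC-SHA256 in counter mode stands in for the SA's negotiated cipher, HMAC-SHA256 truncated to 16 bytes is the ICV, the header layouts are simplified, and the sequence-number check is an addition the text does not describe.

```python
"""Added example (not from the patent): the sender's joint encryption and integrity
step and the receiver's verify-then-decrypt step on a simplified packet model.
Assumptions: HMAC-SHA256 in counter mode stands in for the SA's negotiated cipher,
HMAC-SHA256 truncated to 16 bytes is the ICV, and the header layouts are simplified."""
import hashlib
import hmac
import struct

ICV_LEN = 16
ESP_HDR_LEN = 8          # SPI (4 bytes) || SN (4 bytes)


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Toy CTR keystream seeded with the IV (stand-in for the SA's cipher)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auth_scope(ipv6_hdr: dict, seg_list: list, esp_hdr: bytes, body: bytes) -> bytes:
    """Bytes covered by the ICV: IPv6 base header, the segment list, the ESP header
    and the (encrypted) body. Fields that transit nodes rewrite (hop limit, Segments
    Left, destination address) are replaced by preset zeros so every node on the
    path computes the same value."""
    base = struct.pack(">IHBB", 0x60000000, len(body) + ESP_HDR_LEN, 43, 0)  # hop limit -> 0
    base += ipv6_hdr["src"] + bytes(16)                                      # DA -> 0
    srh = struct.pack(">BBBB", 50, len(seg_list) * 2, 4, 0)                  # SL -> 0
    srh += b"".join(seg_list)
    return base + srh + esp_hdr + body


def protect(sa: dict, ipv6_hdr: dict, seg_list: list, payload: bytes, next_header: int) -> bytes:
    """Sender side: ESP header, padded ESP trailer, IV = SPI || SN, encrypt, then ICV."""
    sa["sn"] += 1
    esp_hdr = struct.pack(">II", sa["spi"], sa["sn"])
    pad_len = (-(len(payload) + 2)) % 4                 # assumed 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = esp_hdr                                        # IV = {SPI || SN}
    body = xor(payload + trailer, keystream(sa["enc_key"], iv, len(payload) + len(trailer)))
    icv = hmac.new(sa["auth_key"], auth_scope(ipv6_hdr, seg_list, esp_hdr, body),
                   hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + body + icv


def unprotect(sa_by_spi: dict, ipv6_hdr: dict, seg_list: list, esp_pdu: bytes):
    """Target node: look up the SA by SPI, verify the ICV in constant time, and only
    then decrypt and strip the trailer. The sequence-number check is an addition
    the text does not describe."""
    esp_hdr, body, icv = esp_pdu[:ESP_HDR_LEN], esp_pdu[ESP_HDR_LEN:-ICV_LEN], esp_pdu[-ICV_LEN:]
    spi, sn = struct.unpack(">II", esp_hdr)
    sa = sa_by_spi.get(spi)
    if sa is None:
        raise ValueError("no SA for SPI 0x%08x" % spi)
    expect = hmac.new(sa["auth_key"], auth_scope(ipv6_hdr, seg_list, esp_hdr, body),
                      hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ICV mismatch: dropped without decrypting")
    if sn <= sa["last_sn"]:
        raise ValueError("replayed or stale sequence number")
    sa["last_sn"] = sn
    plain = xor(body, keystream(sa["enc_key"], esp_hdr, len(body)))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:-(pad_len + 2)], next_header


if __name__ == "__main__":
    # Constructed sample values: keys, SPI, addresses and segment list are made up.
    tx = {"spi": 0x1234, "sn": 0, "enc_key": b"k" * 32, "auth_key": b"a" * 32}
    rx = dict(tx, last_sn=0)
    hdr = {"src": bytes.fromhex("20010db8000000010000000000000001"), "dst": bytes(16)}
    segs = [bytes.fromhex("20010db80002" + "0" * 20), bytes.fromhex("20010db80003" + "0" * 20)]
    pdu = protect(tx, hdr, segs, b"payload", 59)
    print(unprotect({0x1234: rx}, hdr, segs, pdu))
```

The order in `unprotect` is the one the second aspect describes: the ICV is checked before any decryption, so a packet whose ciphertext, ESP header or covered headers were altered is dropped without the decryption key ever being applied. Zeroing the destination address in the scope is what lets every segment endpoint verify the same ICV even though the outer DA is rewritten at each SID.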
A third aspect of this application provides a first edge node that has the function of implementing the method of the first aspect or any possible implementation of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function, for example a generation module.
A fourth aspect of this application provides a target network node that has the function of implementing the method of the second aspect or any possible implementation of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the function, for example a receiving module.
A fifth aspect of this application provides a first edge node that includes at least one processor, a memory, an input/output (I/O) interface and computer-executable instructions stored in the memory and runnable on the processor; when the computer-executable instructions are executed by the processor, the processor performs the method of the first aspect or any possible implementation of the first aspect.
A sixth aspect of this application provides a target network node that includes at least one processor, a memory, an input/output (I/O) interface and computer-executable instructions stored in the memory and runnable on the processor; when the computer-executable instructions are executed by the processor, the processor performs the method of the second aspect or any possible implementation of the second aspect.
A seventh aspect of this application provides a computer-readable storage medium storing one or more computer-executable instructions; when the computer-executable instructions are executed by a processor, the processor performs the method of the first aspect or any possible implementation of the first aspect.
An eighth aspect of this application provides a computer-readable storage medium storing one or more computer-executable instructions; when the computer-executable instructions are executed by a processor, the processor performs the method of the second aspect or any possible implementation of the second aspect.
A ninth aspect of this application provides a computer program product storing one or more computer-executable instructions; when the computer-executable instructions are executed by a processor, the processor performs the method of the first aspect or any possible implementation of the first aspect.
A tenth aspect of this application provides a computer program product storing one or more computer-executable instructions; when the computer-executable instructions are executed by a processor, the processor performs the method of the second aspect or any possible implementation of the second aspect.
An eleventh aspect of this application provides a chip system that includes at least one processor configured to implement the functions involved in the first aspect or any possible implementation of the first aspect. In one possible design the chip system further includes a memory for storing the program instructions and data necessary for the apparatus that processes the artificial intelligence model. The chip system may consist of chips, or may include chips together with other discrete components.
A twelfth aspect of this application provides a chip system that includes at least one processor configured to implement the functions involved in the second aspect or any possible implementation of the second aspect. In one possible design the chip system further includes a memory for storing the program instructions and data necessary for the apparatus that processes the artificial intelligence model. The chip system may consist of chips, or may include chips together with other discrete components.
It can be seen from the above technical solutions that the embodiments of this application have the following advantages:
In the embodiments, segment routing nodes advertise enhanced security function SIDs, and the first edge node can flexibly orchestrate the segment routing list based on the tunnel path security policy. Using enhanced security function SIDs requires few changes to the existing network system, is easy to deploy, and allows the security of the network to be strengthened flexibly.
Description of the drawings
Figure 1 is a schematic diagram of a packet structure in tunnel mode;
Figure 2 is a network architecture diagram of an SRv6 network system;
Figure 3 is a schematic structural diagram of a communication apparatus in an embodiment of this application;
Figure 4 is a schematic structural diagram of a line card or service card in an embodiment of this application;
Figure 5 is a network architecture diagram of the SRv6 network system in an embodiment of this application;
Figure 6 is a schematic flow chart of the packet transmission method in an embodiment of this application;
Figure 7 is a schematic diagram of one encoding of the enhanced security function segment list identifier (SID) in an embodiment of this application;
Figure 8 is a schematic diagram of another encoding of the enhanced security function SID in an embodiment of this application;
Figure 9 is a schematic flow chart of withdrawing an enhanced security function SID in an embodiment of this application;
Figure 10 is a schematic flow chart of pushing segment routing information into a segment routing list in an embodiment of this application;
Figure 11 is a schematic diagram of a packet format in an embodiment of this application;
Figure 12 is a schematic flow chart of secondary joint encryption and integrity enhancement in an embodiment of this application;
Figure 13a is a schematic diagram of a packet format in an embodiment of this application;
Figure 13b is a schematic diagram of another packet format in an embodiment of this application;
Figure 14 is another schematic flow chart of the packet transmission method in an embodiment of this application;
Figure 15 is a schematic flow chart of checking whether the Segments Left (SL) value of the segment routing header is valid in an embodiment of this application;
Figure 16 is a schematic flow chart of decryption and integrity processing in an embodiment of this application;
Figure 17 is a schematic architecture diagram of the network topology in an embodiment of this application;
Figures 18a and 18b are the first signal flow diagram of packet transmission in an embodiment of this application;
Figures 19a and 19b are the second signal flow diagram of packet transmission in an embodiment of this application;
Figures 20a and 20b are the third signal flow diagram of packet transmission in an embodiment of this application;
Figures 21a and 21b are the fourth signal flow diagram of packet transmission in an embodiment of this application;
Figure 22 is a schematic structural diagram of the first edge node in an embodiment of this application;
Figure 23 is a schematic structural diagram of the target network node in an embodiment of this application;
Figure 24 is another schematic structural diagram of the first edge node in an embodiment of this application;
Figure 25 is another schematic structural diagram of the target network node in an embodiment of this application.
Detailed description
The embodiments of this application provide a packet transmission method and related device for flexibly orchestrating the segment routing list based on the tunnel path security policy, so that network security can be strengthened more flexibly.
The embodiments of this application are described below with reference to the drawings. Clearly, the described embodiments are only some, not all, of the embodiments of this application. A person of ordinary skill in the art will recognize that, as technology develops and new scenarios arise, the technical solutions provided in the embodiments apply equally to similar technical problems.
The terms "first", "second" and so on in the description, claims and drawings of this application distinguish similar objects and do not necessarily describe a particular order or sequence. Data so used may be interchanged where appropriate so that the embodiments described here can be practised in orders other than those illustrated or described. In addition, the terms "including" and "having" and their variants are intended to cover non-exclusive inclusion: for example, a process, method, system, product or apparatus that includes a series of steps or units is not necessarily limited to those explicitly listed and may include other steps or units not expressly listed or inherent to that process, method, product or apparatus.
Figure 1 is a schematic diagram of a packet structure in tunnel mode. As shown in Figure 1, Internet Protocol version 4 (IPv4) ran into a scalability problem: when it was designed, nobody expected so many devices to be connected to IP networks, and this drove the development of Internet Protocol version 6 (IPv6). For both IPv4 and IPv6, the existing approach is the Internet Protocol Security (IPsec) protocol suite, which provides interoperable, high-quality, cryptography-based security services. The security services IPsec provides are offered at the IP layer and, in a standard way, protect the IP layer and every protocol carried over it. IPsec can protect one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. As Figure 1 shows, in the tunnel mode supported by IPsec the whole IP packet to be protected is encapsulated as the payload of a new IP packet, and a new IP header is added on the outside.
Figure 2 is a network architecture diagram of an SRv6 network system. As shown in Figure 2, existing IPsec is a point-to-point tunnel encryption technique: for an SRv6 Policy tunnel, for example, tunnel encryption can only be deployed at the head node and the tail node of the tunnel. In a real SRv6 deployment, an SRv6 tunnel may traverse multiple trust domains, for instance a customer network crossing the networks of several operators, where each operator's network can be regarded as one trust domain and different trust domains have different security requirements.
Figure 3 is a schematic structural diagram of a communication apparatus in an embodiment of this application. As shown in Figure 3, the packet transmission method in the embodiments is applied to a communication apparatus, which may be the first edge node, the at least one central node, the second edge node and/or the controller. The apparatus includes at least one route processor, a line card and a service processing card. The route processor performs processing based on the routing protocols used to exchange information and on the routing information base (RIB); the line card may include one or more network processors and one or more application-specific integrated circuits (ASICs), for example holding the forwarding information base (FIB); the service processing card may include one or more heterogeneous processors with security processing engines or software capabilities for encryption, decryption and authentication.
Figure 4 is a schematic structural diagram of a line card or service card in an embodiment of this application. As shown in Figure 4, the line card or service card includes one or more processors, one or more memories storing application programs or service data, an encryption and decryption engine, one or more network data interfaces and one or more network processors.
Figure 5 is a network architecture diagram of the SRv6 network system in an embodiment of this application. As shown in Figure 5, the embodiments provide a packet transmission method applied to a segment routing network that includes a controller, a first edge node, at least one central node and a second edge node; the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel, and the segment routing network is an IPv6 Segment Routing (SRv6) network system. The SRv6 network system also includes a source node and a destination node for the packet transmission. The first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel's forwarding path; the first edge node generates enhanced security function segment routing information from the forwarding topology information and the security policy of the segment routing tunnel, where that information contains a first enhanced security function segment list identifier (SID) and the first enhanced security function SID matches the security association (SA) identifier of the second edge node; the first edge node pushes the first enhanced security function SID into the segment routing list, or sends it to the controller so that the controller controls packet forwarding according to the enhanced security function forwarding logic the SID indicates; the first edge node determines that the multiple enhanced security function SIDs in the segment routing list pass the rule check, these SIDs including the first enhanced security function SID and the enhanced security function SIDs sent by the at least one central node and by the second edge node; then, after receiving a packet from the source node, the first edge node processes it accordingly and sends it to the second edge node, the processed packet including the first enhanced security function SID, and the second edge node in turn processes it and sends it on to the destination node. The specific processing is described in the steps below. The source node and the first edge node may be connected directly or through at least one network node, and likewise the second edge node and the destination node; this is not limited here.
Based on the segment routing network and SRv6 network system described above, the packet transmission method performed by the first edge node in the embodiments of this application is described below.
Figure 6 is a schematic flow chart of the packet transmission method in an embodiment of this application. Referring to Figure 6, one flow of the packet transmission method in the embodiments includes:
601. The network nodes in the segment routing network negotiate to establish a security association.
The network nodes in the segment routing network, namely the first edge node, the at least one central node and the second edge node, negotiate to form a security association (SA, which the application calls a "Security Alliance"). They may negotiate the SA through a protocol, or the SA may be configured manually through the controller. The segment routing head node, i.e. the first edge node, may also notify the other relevant segment routing nodes of security-related information through the controller.
A successfully negotiated SA includes: the keys used for encryption or for the authentication/integrity computation, the SA identifier, the key update policy, the encryption algorithm, the integrity algorithm, the IV used by the encryption algorithm, the security parameter index (SPI), the encryption mode, the authentication mode and other SA information.
602. A network routing node generates a first enhanced security function SID.
Any two segment routing nodes in the security association locally generate one or more SIDs carrying enhanced security functions according to service needs; for example, under the same node locator they may generate a SID without encryption, a SID with encryption, and a SID with both an authentication method and encryption.
Figure 7 is a schematic diagram of one encoding of the enhanced security function SID in an embodiment of this application. As Figure 7 shows, in one possible implementation a SID carrying an enhanced security function includes: a segment routing node identifier, Locator, of length X, which identifies one network node in the topology and is used to route and forward packets to that node; a function code, Function (the forwarding-action function definition), of length Y, which represents an instruction preset on the device, where the function code carries the security enhancement: encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication adding, authentication verification and other security-enhancement capabilities, any capability that strengthens network security being encodable as an enhanced function; and arguments, Args, of length Z, where the Arguments field defines the service information of the security-enhancement capability, for example the identifier of the SA formed between different segment routing nodes, i.e. the additional service information used to realize the security-enhancement function.
Figure 8 is a schematic diagram of another encoding of the enhanced security function SID in an embodiment of this application. As Figure 8 shows, in one possible implementation the SID carrying an enhanced security function includes: Locator, of length X, identifying one network node in the topology and used to route and forward packets to that node; Function (the forwarding-action function definition), of length Y, representing instructions preset on the device and encoded in the same way as a segment without enhanced security functions; and Args, of length Z, where the Arguments field carries the enhanced security function information, for example the identifier of the SA formed between different segment routing nodes together with a security function code: encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication adding or authentication verification.
In the embodiments of this application the SID carrying an enhanced security function may use either of the two encodings of Figure 7 and Figure 8, or another encoding; this is not limited here.
603. The segment routing node publishes the enhanced-security-function SID into the segment routing network.
Each segment routing node in the segment routing network publishes the enhanced-security-function SID it generated into the segment routing network, that is, sends it to the other segment routing nodes or to the controller. For example, the first edge node may send the first enhanced-security-function SID to the at least one central node and the second edge node, or to the controller in the segment routing network.
Specifically, the segment routing node publishes the generated SID with encryption capability to the other segment routing nodes and/or the controller through a protocol. A link SID is generally published to the controller through the protocol, and a node SID is generally published to the other nodes in the segment routing network; the protocol may be IGP, BGP or another protocol used for publishing SIDs. Correspondingly, a segment routing node receives the SIDs published by other nodes: for link SIDs, the controller associates and manages the network-wide link SIDs together with the network topology; for node SIDs, the receiving segment routing node forms the outbound interface information of the node SID according to the route selection policy.
Figure 9 is a schematic flowchart of revoking an enhanced-security-function SID in an embodiment of the present application. In one possible implementation, as shown in Figure 9, a segment routing node may also revoke a SID that has already been published, as in the following steps:
a. The first edge node determines that the network node device relationships in the security association have changed and/or that key parameters of the security association have changed.
Specifically, if the first edge node determines that the network node device relationships in the security association have changed, the segment routing node revokes the enhanced-security-function SIDs related to the security association SA through the protocol; if the first edge node determines that key parameters of the security association have changed, step b is performed.
b. The first edge node determines that the security capability of the security association has weakened.
The first edge node determines, from the key parameters of the security association and the enhanced security capability of the already published SID, that the security capability of the security association has weakened and that the weakened capability has already been published through the enhanced-security-function SID.
In one possible implementation, if the first edge node determines that the security capability of the security association has been strengthened, the enhanced-security-function SID is not updated.
c. If the first edge node determines that the security capability of the security association has weakened, the first edge node sends SID revocation information to the at least one central node, the second edge node and/or the controller; the SID revocation information instructs the at least one central node, the second edge node and/or the controller to revoke the SID.
Correspondingly, the first edge node receives the multiple enhanced-security-function SIDs sent respectively by the at least one central node and the second edge node.
604. The first edge node determines the forwarding topology information.
The first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path.
605. The first edge node establishes a segment routing tunnel.
The first edge node establishes a segment routing tunnel, which carries the forwarding of the packets. According to the service requirements of the tunnel forwarding path, the first edge node establishes the forwarding topology from the source to the remote destination segment routing node (tail node PE).
Specifically, in one possible implementation, the segment routing nodes in the segment routing network publish segment routing information into the segment routing network through the Interior Gateway Protocol (IGP); this segment routing information helps other node devices forward packets to the node that published the network node identifier Locator.
The first edge node that receives the segment routing information then selects a reachable path according to the learned network-wide segment ID list (SID list) and the tunnel destination, and determines the segment routing list. The segment routing list contains the forwarding path by which the packets can reach the destination, so the first edge node can use the segment routing list to steer the forwarding path of the IP packets. The first edge node then determines the forwarding path of the packets according to the segment routing list and thereby establishes the segment routing tunnel. The first edge node of the segment routing network establishes the forwarding topology from the source to the remote second edge node according to the service requirements of the tunnel forwarding path.
Specifically, in one possible implementation, each segment routing node in the segment routing network sends its segment routing information to the controller in the segment routing network through the Border Gateway Protocol (BGP), so that the controller can collect the segment network node identifier (Locator) routes of the whole network. The controller then calculates, from the learned network-wide segment routing SIDs, a tunnel path suitable for forwarding the IP packets and delivers it to the first edge node through BGP SR-Policy.
The first edge node of the segment routing network establishes the forwarding topology from the source to the remote second edge node according to the service requirements of the tunnel forwarding path. The first edge node receives the forwarding path of the packets sent by the controller; the forwarding path of the packets is determined by the controller according to the segment routing list, and the network-wide segment routing list is determined by the controller according to the segment routing information. The segment routing tunnel is thereby established.
606. The first edge node generates enhanced-security-function segment routing information.
The first edge node generates the enhanced-security-function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel. The enhanced-security-function segment routing information contains the first enhanced-security-function segment list identity SID, and the first enhanced-security-function SID matches the security association SA identifier of the second edge node.
607. The first edge node determines that the multiple enhanced-security-function SIDs in the segment routing list pass the rule check.
The first edge node determines that the multiple enhanced-security-function SIDs in the segment routing list pass the rule check; the multiple enhanced-security-function SIDs include the first enhanced-security-function SID and the enhanced-security-function SIDs sent respectively by the at least one central node and the second edge node.
The first edge node performs the rule check on the enhanced-security-function SID list. If the rule check passes, it sends the packets containing the enhanced-security-function SID segment routing information; if the rule check fails, tunnel establishment fails.
In an embodiment of the present application, the rule check performed by the first edge node may include: 1. checking whether all enhanced-security-function SIDs match in pairs (including implicitly expressed segment routing SIDs), that their number is divisible by 2, and that the parameter information in the enhanced-security-function SIDs matches; 2. checking the relationship between matched SIDs: enhanced-security-function SIDs matched with different parameter information are not allowed to cross, for example the crossing 1-2-1-2 is not allowed, while the forms 1-1-2-2 or 1-2-2-1 are allowed. Other rule checking methods may also be used; this is not specifically limited here.
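The pairing and non-crossing rules above can be checked with a stack, like bracket matching: the first SID for an SA opens a pair, the matching counterpart closes it, and a close that does not match the innermost open pair is a 1-2-1-2 crossing. The following is an added example and not code from the application; the SID struct, the function code names and the opening/closing pairs (Encrypt/Decrypt, JointEncInt/JointDecInt, AuthAdd/AuthVerify) are assumptions, with the SA identifier carried in Args.

```go
package main

import "fmt"

// SecFunc is the security function code carried in the SID (Figure 7 style: the
// function code sits in the Function field). The names are this example's assumption.
type SecFunc int

const (
	Encrypt SecFunc = iota
	Decrypt
	JointEncInt // joint encryption and integrity
	JointDecInt // joint decryption and integrity
	AuthAdd
	AuthVerify
)

// counterpart maps each "opening" function to the "closing" function it pairs with.
var counterpart = map[SecFunc]SecFunc{
	Encrypt:     Decrypt,
	JointEncInt: JointDecInt,
	AuthAdd:     AuthVerify,
}

// SID models the Locator / Function / Args encoding; Args carries the SA identifier.
type SID struct {
	Locator string
	Func    SecFunc
	SAID    uint32
}

// CheckSIDList applies the two rules: every SA appears as exactly one opening and one
// closing SID with matching parameters (so the count is even), and pairs of different
// SAs may only be sequential (1-1-2-2) or nested (1-2-2-1), never crossed (1-2-1-2).
func CheckSIDList(list []SID) error {
	if len(list)%2 != 0 {
		return fmt.Errorf("odd number of enhanced-security SIDs: %d", len(list))
	}
	type open struct {
		fn   SecFunc
		said uint32
	}
	var stack []open
	opened := map[uint32]bool{}
	for i, s := range list {
		if _, isOpen := counterpart[s.Func]; isOpen {
			if opened[s.SAID] {
				return fmt.Errorf("SID %d: SA %d opened twice", i, s.SAID)
			}
			opened[s.SAID] = true
			stack = append(stack, open{s.Func, s.SAID})
			continue
		}
		// closing SID: it must match the innermost pair that is still open
		if len(stack) == 0 {
			return fmt.Errorf("SID %d: closing function without an opening SID", i)
		}
		top := stack[len(stack)-1]
		if top.said != s.SAID {
			return fmt.Errorf("SID %d: SA %d crosses still-open SA %d", i, s.SAID, top.said)
		}
		if counterpart[top.fn] != s.Func {
			return fmt.Errorf("SID %d: function %d does not pair with %d", i, s.Func, top.fn)
		}
		stack = stack[:len(stack)-1]
	}
	if len(stack) != 0 {
		return fmt.Errorf("%d SA(s) never closed", len(stack))
	}
	return nil
}

func main() {
	// Constructed lists: SA 1 and SA 2 nested (allowed) and crossed (rejected).
	nested := []SID{
		{"fc00:1::", JointEncInt, 1}, {"fc00:2::", JointEncInt, 2},
		{"fc00:3::", JointDecInt, 2}, {"fc00:4::", JointDecInt, 1},
	}
	crossed := []SID{
		{"fc00:1::", JointEncInt, 1}, {"fc00:2::", JointEncInt, 2},
		{"fc00:3::", JointDecInt, 1}, {"fc00:4::", JointDecInt, 2},
	}
	fmt.Println("1-2-2-1:", CheckSIDList(nested))
	fmt.Println("1-2-1-2:", CheckSIDList(crossed))
}
```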
608. The first edge node pushes the first path into the segment routing list.
The first edge node pushes the first path into the segment routing list; the first path is the path along which the first edge node sends the packets.
The first edge node generates the first path according to the multiple enhanced-security-function SIDs and pushes the first path into the segment routing list; or the first edge node sends the first enhanced-security-function SID to the controller, so that the controller generates the first path according to the forwarding logic and delivers the first path to the first edge node.
Figure 10 is a schematic flowchart of pushing segment routing information into the segment routing list in an embodiment of the present application. As shown in Figure 10, the first edge node pushes the segment route into the segment routing list. If it is the head node of the segment route, two methods are available: one is to push into the segment routing list and express the enhanced-security-function SID explicitly in the segment routing list; the other is not to push explicitly into the segment routing list but to express the enhanced-security-function forwarding logic implicitly through control plane management.
The first edge node then determines whether there is remaining segment routing information that has not been pushed into the segment routing header list. If there is, it continues to construct enhanced-security-function SIDs according to the security policy; if there is no remaining segment routing information, it performs the rule check on the enhanced-security-function SIDs contained in the entire, complete segment routing list.
609. The first edge node performs joint encryption and integrity enhancement on the packet.
The first edge node performs joint encryption and integrity enhancement on the packet at least once.
Specifically, the first edge node may perform joint encryption and integrity enhancement on the packet through the following steps.
The first edge node constructs the key information of the security payload extension option header according to the security association SA.
The first edge node inserts the security extension option header.
The first edge node constructs an encapsulated security payload trailer and appends it to the end of the original packet; together with the original IP packet payload it forms the new packet payload.
The first edge node encrypts the packet payload with the key and the corresponding algorithm in the SA. If the encryption algorithm requires an initialization vector IV, IV = {SPI||SN} may be used, where SPI is the security parameter and SN is the packet security sequence number.
The first edge node calculates the packet integrity check value ICV for the packet and appends it to the end of the packet.
The first edge node updates the relevant fields of the packet.
In an embodiment of the present application, the network nodes in the segment routing network perform joint encryption and integrity enhancement on the packet at least once and, correspondingly, perform joint decryption and integrity processing at least once. For example, when network nodes in the segment routing network perform joint encryption and integrity enhancement twice, they correspondingly perform joint decryption and integrity processing twice. The two joint encryption and integrity enhancements and the two joint decryption and integrity processings are not allowed to cross in the form A-B-a-b; they may appear in the combinations A-a-B-b or A-B-b-a (here A is the first joint encryption and integrity enhancement, B the second joint encryption and integrity enhancement, a the first joint decryption and integrity processing, and b the second joint decryption and integrity processing). Other combinations are also possible; this is not specifically limited here.
Figure 11 is a schematic diagram of a packet format in an embodiment of the present application. As shown in Figure 11, the source node performs the first joint encryption and integrity enhancement security function on the packet to generate the packet. The first encryption covers the data from the optional one or more extension headers to encapsulated security payload trailer No. 1; the additional authenticated data for the integrity calculation is encapsulated security payload extension header No. 1, and the remaining data is the ciphertext of the first encryption; the integrity check value ICV No. 1 is appended in plaintext after encapsulated security payload trailer No. 1. The source node then sends the packet to the first edge node.
The first edge node performs the second joint encryption and integrity enhancement security function on the packet. The second encryption covers the data from encapsulated security payload extension header No. 1 to encapsulated security payload trailer No. 2, which includes the ciphertext and ICV No. 1 produced by the first computation; the additional authenticated data for the integrity calculation is encapsulated security payload extension header No. 2, and the remaining data is the ciphertext of the second encryption; the integrity check value ICV No. 2 is appended in plaintext after encapsulated security payload trailer No. 2.
Figure 12 is a schematic flowchart of the second joint encryption and integrity enhancement in an embodiment of the present application. As shown in Figure 12, the first edge node performing the second joint encryption and integrity enhancement security function on the packet may include the following steps:
a. Construct the key information of the security payload extension option header according to the security association SA, for example SPI and SN, to form the encapsulated security payload extension header. The extension header may be a standard encryption extension header or a self-defined extension header.
b. Insert the security extension option header after the RH.
c. Construct an encapsulated security payload trailer and append it to the end of the original packet; together with the original IP packet payload it forms the new packet Payload. In an embodiment of the present application, step c may also be omitted; this is not specifically limited here.
d. Encrypt the packet Payload with the key and the corresponding algorithm in the SA. If the encryption algorithm requires an IV, for example the AES-GCM algorithm, IV = {SPI||SN} may be used, so that no additional IV is carried in the packet, saving packet overhead.
e. Calculate the ICV over the packet and append it to the end of the packet.
f. Update the relevant fields of the packet, such as Total Length in the IPv6 standard header and the Next Header in the RH extension header.
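The two-layer joint encryption and integrity enhancement of Figure 11 and the steps of Figure 12, together with the inverse steps of Figure 16 and the A-B-b-a / A-B-a-b ordering rule, are worked through below as an added example that is not code from the application. It assumes AES-GCM with a 12-byte IV built as 4-byte SPI || 8-byte SN, the plaintext SPI||SN header as the additional authenticated data, the 16-byte GCM tag as the ICV, and a trailer that pads payload plus trailer to a multiple of 8 bytes; the SAs and keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA is a security association: the SPI that names it and its AES-128 key (constructed).
type SA struct {
	SPI uint32
	Key []byte
}

// espHeader is the plaintext encapsulated security payload extension header SPI || SN.
// It doubles as the GCM IV (IV = SPI||SN, assumed 4 + 8 bytes) and as the AAD.
func espHeader(spi uint32, sn uint64) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint32(h[0:4], spi)
	binary.BigEndian.PutUint64(h[4:12], sn)
	return h
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is one joint encryption and integrity enhancement (steps a to e): header from
// the SA, trailer (pad, pad length, next header), AES-GCM over payload+trailer with the
// header as AAD, ICV appended in plaintext. Layout: hdr(12) || ciphertext || ICV(16).
func Protect(sa SA, sn uint64, payload []byte) ([]byte, error) {
	aead, err := newGCM(sa.Key)
	if err != nil {
		return nil, err
	}
	hdr := espHeader(sa.SPI, sn)
	padLen := (8 - (len(payload)+2)%8) % 8
	trailer := append(make([]byte, padLen), byte(padLen), 0x3B) // 0x3B: no next header
	plain := append(append([]byte{}, payload...), trailer...)
	sealed := aead.Seal(nil, hdr, plain, hdr)
	return append(hdr, sealed...), nil
}

// Unprotect reverses one layer (Figure 16, steps a to c): read SPI||SN, rebuild the IV,
// verify the ICV over header and ciphertext, and only then strip the trailer. Any error
// means the packet is dropped.
func Unprotect(sa SA, pkt []byte) ([]byte, error) {
	if len(pkt) < 12+16 {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:12]
	if binary.BigEndian.Uint32(hdr[:4]) != sa.SPI {
		return nil, errors.New("SPI does not match this SA")
	}
	aead, err := newGCM(sa.Key)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, hdr, pkt[12:], hdr)
	if err != nil {
		return nil, errors.New("integrity verification failed, drop packet")
	}
	n := len(plain)
	if n < 2 || int(plain[n-2])+2 > n {
		return nil, errors.New("bad trailer")
	}
	return plain[:n-2-int(plain[n-2])], nil
}

// Unwind applies decryption layers in the given SA order and reports where it stops.
func Unwind(pkt []byte, order []SA) ([]byte, error) {
	cur := pkt
	for i, sa := range order {
		p, err := Unprotect(sa, cur)
		if err != nil {
			return nil, fmt.Errorf("layer %d (SPI %#x): %v", i, sa.SPI, err)
		}
		cur = p
	}
	return cur, nil
}

func main() {
	saA := SA{SPI: 0x1001, Key: []byte("0123456789abcdef")} // source side SA (constructed)
	saB := SA{SPI: 0x2002, Key: []byte("fedcba9876543210")} // first edge node SA (constructed)
	orig := []byte("customer IPv6 packet payload")
	once, _ := Protect(saA, 1, orig)  // A: first joint encryption and integrity
	twice, _ := Protect(saB, 1, once) // B: second layer over ciphertext and ICV No. 1
	good, err := Unwind(twice, []SA{saB, saA}) // A-B-b-a: allowed
	fmt.Printf("A-B-b-a: %q err=%v\n", good, err)
	_, err = Unwind(twice, []SA{saA, saB}) // A-B-a-b: crossed, rejected at the first layer
	fmt.Println("A-B-a-b:", err)
}
```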
610. The first edge node sends the packet.
The first edge node sends the packet to the at least one central node and the second edge node; the packet includes the first enhanced-security-function SID.
The packet includes an IPv6 standard header, a segment routing header, at least one encapsulated security payload extension header, at least one extension header, the IP packet payload, at least one encapsulated security payload trailer and at least one packet integrity check value ICV; or the packet includes an IPv6 standard header, a segment routing header, at least one encapsulated security payload extension header, at least one extension header and the IP packet payload.
Figure 13a is a schematic diagram of a packet format in an embodiment of the present application. In an embodiment of the present application, as shown in Figure 13a, the SRv6 packet may have the following format:
a. IPv6 standard header: includes the IPv6 version number, flow label, IPv6 payload length, next-hop extension header, hop limit, IPv6 source IP and IPv6 destination IP.
b. Segment routing header: the header is carried in the routing extension header RH with routing type 4. The segment routing header mainly contains the remaining segments SL, the last segment index, the segment routing flags and the group tag; the segment list contains one or more segments carrying enhanced security functions.
c. One or more encapsulated security payload extension headers. This extension header contains the security parameter SPI and the packet security sequence number SN; the one or more encapsulated security payload extension headers correspond to the actual implementation of the enhanced-security-function segments.
d. One or more extension headers. These extension headers are optional and may be destination option extension headers.
e. IP packet payload: the payload of the customer IP packet after security processing. If the enhanced security function is encryption, the payload is the ciphertext after encryption.
e. One or more encapsulated security payload trailers, containing padding. The padding serves two purposes: first, to suit the relevant encryption/integrity security algorithm, and second, to ensure 8-byte alignment of the ICV. The Next header here is the Next header from the original routing extension header.
f. One or more packet integrity check values ICV, an optional field. Under the joint encryption and integrity enhancement security function this field is the integrity value computed over the security payload extension header and the customer IP packet; under the authentication addition function it is the integrity value computed over the security payload extension header and the customer IP packet.
Figure 13b is a schematic diagram of another packet format in an embodiment of the present application. In an embodiment of the present application, as shown in Figure 13b, the SRv6 packet may also have the following format:
a. IPv6 standard header: includes the IPv6 version number, flow label, IPv6 payload length, next-hop extension header, hop limit, IPv6 source IP and IPv6 destination IP.
b. Segment routing header: the header is carried in the routing extension header RH with routing type 4. The segment routing header mainly contains the remaining segments SL, the last segment index, the segment routing flags and the group tag; the segment list contains one or more segments carrying enhanced security functions.
c. One or more encapsulated authentication extension headers. This extension header contains the Next Header, the security parameter SPI and the packet security sequence number SN; the one or more encapsulated authentication extension headers correspond to the actual implementation of the enhanced-security-function segments.
d. One or more extension headers. These extension headers are optional and may be destination option extension headers.
e. IP packet payload: the customer IP packet.
Based on the segment routing network and SRv6 network system described above, the packet transmission method performed by the target network node in an embodiment of the present application is described below; the target network node is any one of the at least one central node and the second edge node:
Figure 14 is another schematic flowchart of the packet transmission method in an embodiment of the present application. Referring to Figure 14, one flow of the packet transmission method in an embodiment of the present application includes:
1401. The target network node receives the packet sent by the first edge node.
1402. The target network node parses the segment routing remaining segments SL and checks whether it is legal.
Figure 15 is a schematic flowchart of checking whether the segment routing remaining segments SL is legal in an embodiment of the present application. As shown in Figure 15, after the target network node receives the packet sent by the source node and before it performs encryption and integrity enhancement on the packet, the target network node parses the segment routing SL. If the SL is illegal, the packet is discarded; if the SL is legal, the node proceeds to the SID lookup.
The target network node then uses the DIP in the IPv6 standard header to look up the IPv6 FIB table. If the DIP is found to be a local route, it uses the current SID in the SRH to continue looking up the local SID.
When the target network node hits a local SID, it associates the relevant SA according to the forwarding action function definition Function and the parameters Args in the hit SID, or associates the relevant SA directly through the SID.
The target network node determines the specific security behaviour from the SID forwarding action function definition Function and the SA. The behaviour finally executed is governed by the SID's forwarding action function definition Function: for example, if the SID's Function is encryption while the SA defines encryption and authentication, the final execution follows encryption.
1403. The target network node performs joint decryption and integrity authentication on the packet.
Figure 16 is a schematic flowchart of decryption and integrity processing in an embodiment of the present application. As shown in Figure 16, specifically, the target network node generates the packet from the received packet through decryption and integrity processing in the following steps:
a. The target network node parses the packet's extension header: the RH Next header is the encapsulated security payload extension header type.
b. The target network node extracts the SPI, SN and other information from the encapsulated security extension header. If the encryption algorithm requires an IV, for example the AES-GCM algorithm, IV = {SPI||SN} may be used, so that no additional IV is carried in the packet, saving packet overhead.
c. The target network node performs decryption and the integrity computation on the packet according to the key and encryption algorithm associated with the SA, and compares the computed integrity value with the ICV carried in the packet. If they are identical, integrity verification passes; if they differ, integrity verification fails and the packet is discarded directly.
Specifically, in an embodiment of the present application, computing the authentication integrity value using the enhanced security function includes the following steps:
a. The authentication computation field range, which includes the source address, destination address, next extension header, payload length, flow label, segment routing extension header, next extension header, extension header length, routing type, number of remaining segments, last segment entry (Last Entry), Flags, Tag and the entire segment routing list.
b. The invariant fields in the encapsulated authentication extension header.
c. The historical encapsulated authentication extension header fields, for example encapsulated authentication extension header [n], the invariant fields in the one or more extension headers, and the IP packet payload.
Among these, the destination address, payload length and flow label in the IPv6 standard header may change during forwarding when a routing extension header is present, so they enter the computation with preset corresponding values. For example, when forwarding to segment routing list [1] and encapsulating authentication extension header [1], the preset destination address is the one at segment routing node [0] of the security association that verifies the authentication extension header, i.e. IPv6 destination address = segment routing list [0]; the payload length and flow label are likewise computed by presetting the corresponding values of segment routing node [0].
For the variable fields in the segment routing extension header, the number of remaining segments and the Tag, the computation likewise uses preset corresponding values. For example, when forwarding to segment routing list [1] and encapsulating authentication extension header [1], the preset number of remaining segments is the one at segment routing node [0] of the security association that verifies the authentication extension header, i.e. number of remaining segments = 0; the Tag is likewise computed by presetting the corresponding value of segment routing node [0].
In an embodiment of the present application, the authentication integrity value using the enhanced security function may also be computed as follows:
a. The authentication computation field range, which includes the source address, destination address, next extension header, payload length, flow label, segment routing extension header, next extension header, extension header length, routing type, number of remaining segments, last segment entry (Last Entry), Flags, Tag and the entire segment routing list.
b. The invariant fields in the encapsulated authentication extension header.
c. The historical encapsulated authentication extension header fields, for example encapsulated authentication extension header [n].
Among these, the destination address, payload length and flow label in the IPv6 standard header may change during forwarding when a routing extension header is present, so they enter the computation with preset corresponding values. For example, when forwarding to segment routing list [1] and encapsulating authentication extension header [1], the preset destination address is the one at segment routing node [0] of the security association that verifies the authentication extension header, i.e. IPv6 destination address = segment routing list [0]; the payload length and flow label are likewise computed by presetting the corresponding values of segment routing node [0].
For the variable fields in the segment routing extension header, the number of remaining segments and the Tag, the computation likewise uses preset corresponding values. For example, when forwarding to segment routing list [1] and encapsulating authentication extension header [1], the preset number of remaining segments is the one at segment routing node [0] of the security association that verifies the authentication extension header, i.e. number of remaining segments = 0; the Tag is likewise computed by presetting the corresponding value of segment routing node [0].
d、目标网络节点根据SA关联的密钥和加密算法对报文进行解密。d. The target network node decrypts the message according to the key and encryption algorithm associated with the SA.
若完整性验证通过,目标网络节点根据SA关联的密钥和加密算法对分组报文进行解密。If the integrity verification passes, the target network node decrypts the packet message based on the key and encryption algorithm associated with the SA.
e、目标网络节点移除相关联的封装安全负载扩展头和封装安全负载尾,并更新分组报文相关域,例如IPv6标准头中的Total Length等。e. The target network node removes the associated encapsulated security payload extension header and encapsulated security payload trailer, and updates the relevant fields of the packet message, such as the Total Length in the IPv6 standard header.
目标网络节点移除分组报文相关联的封装安全负载扩展头和封装安全负载尾,并更新分组报文相关域。The target network node removes the encapsulated security payload extension header and encapsulated security payload trailer associated with the packet message, and updates the relevant fields of the packet message.
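As an added example, not part of the patent, the following Python models items a to c above: the ICV is computed over the IPv6 header, the SRH and the stable part of the authentication header with every mutable field replaced by a preset value, so that a downstream node can still verify it after Segments Left and the destination address have been rewritten in transit, while a change to the segment list itself is still detected. The `Packet` dataclass, the 16-byte SIDs derived from text labels, HMAC-SHA256 truncated to 128 bits as the integrity algorithm, the SA key and the zero presets for payload length, flow label and Tag are all constructed for the example; the presets destination address = segment list [0] and Segments Left = 0 follow the text.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from typing import List


@dataclass
class Packet:
    """Constructed model of the outer IPv6 header and the SRH (not wire format)."""
    src: bytes                 # 16-byte source address
    dst: bytes                 # 16-byte destination address: rewritten at every segment endpoint
    next_header: int
    payload_length: int        # changes when encapsulation headers are added or removed
    flow_label: int            # may be rewritten in transit
    srh_next_header: int
    srh_route_type: int
    segments_left: int         # decremented at every segment endpoint
    last_entry: int
    flags: int
    tag: int                   # may be rewritten in transit
    segment_list: List[bytes]  # 16-byte SIDs; index 0 is the last segment of the path


def sid(label: str) -> bytes:
    """Constructed 16-byte SID derived from a label such as 'E::2::50'."""
    return hashlib.sha256(label.encode()).digest()[:16]


def auth_field_range(pkt: Packet, auth_fixed: bytes, auth_history: bytes) -> bytes:
    """Serialise the authentication calculation field range: item a (IPv6 header and
    SRH), item b (unchanging fields of the authentication extension header) and item c
    (earlier authentication extension headers). Mutable fields enter with preset values:
    destination address = segment list[0] and Segments Left = 0 as in the text; zero for
    payload length, flow label and Tag (constructed presets)."""
    preset_dst, preset_sl = pkt.segment_list[0], 0
    preset_plen = preset_flow = preset_tag = 0
    hdr_ext_len = 2 * len(pkt.segment_list)     # SRH length in 8-octet units, first 8 excluded
    buf = bytearray(pkt.src + preset_dst)
    buf += struct.pack("!BHI", pkt.next_header, preset_plen, preset_flow)
    buf += struct.pack("!BBBBBBH", pkt.srh_next_header, hdr_ext_len, pkt.srh_route_type,
                       preset_sl, pkt.last_entry, pkt.flags, preset_tag)
    buf += b"".join(pkt.segment_list)
    return bytes(buf) + auth_fixed + auth_history


def compute_icv(sa_key: bytes, pkt: Packet, auth_fixed: bytes, auth_history: bytes = b"") -> bytes:
    """HMAC-SHA256 over the field range, truncated to 128 bits (constructed choice)."""
    data = auth_field_range(pkt, auth_fixed, auth_history)
    return hmac.new(sa_key, data, hashlib.sha256).digest()[:16]


def verify_icv(sa_key: bytes, pkt: Packet, auth_fixed: bytes, icv: bytes, auth_history: bytes = b"") -> bool:
    """The verifier recomputes with the same presets and compares in constant time."""
    return hmac.compare_digest(compute_icv(sa_key, pkt, auth_fixed, auth_history), icv)


def naive_icv(sa_key: bytes, pkt: Packet) -> bytes:
    """What happens without presets: the live DA and SL are covered and change in transit."""
    raw = pkt.src + pkt.dst + struct.pack("!BHIB", pkt.next_header, pkt.payload_length,
                                          pkt.flow_label, pkt.segments_left)
    return hmac.new(sa_key, raw, hashlib.sha256).digest()[:16]


def forward_one_segment(pkt: Packet) -> Packet:
    """Transit segment endpoint: SL - 1 and DA := segment list[SL] (normal SRv6 forwarding)."""
    sl = pkt.segments_left - 1
    return replace(pkt, segments_left=sl, dst=pkt.segment_list[sl])


def build_embodiment1_packet() -> Packet:
    """Packet as RA sends it: list <E::2::50, D::, C::2::20, B::1::20>, SL=3, DA=B::1::20."""
    segs = [sid("E::2::50"), sid("D::"), sid("C::2::20"), sid("B::1::20")]
    return Packet(src=sid("A::"), dst=segs[3], next_header=43, payload_length=200,
                  flow_label=0x12345, srh_next_header=50, srh_route_type=4,
                  segments_left=3, last_entry=3, flags=0, tag=0, segment_list=segs)


def demo() -> dict:
    """Compute at RA, forward through RB, RC and RD, verify at RE; then tamper with the list."""
    key = b"sa50-constructed-key-32-bytes!!!"    # constructed integrity key of SA 50
    auth_fixed = struct.pack("!II", 50, 1)        # SPI=50, SN=1: the unchanging header fields
    at_ra = build_embodiment1_packet()
    icv = compute_icv(key, at_ra, auth_fixed)
    naive = naive_icv(key, at_ra)
    at_re = forward_one_segment(forward_one_segment(forward_one_segment(at_ra)))
    tampered = replace(at_re, segment_list=[at_re.segment_list[0], sid("X::")] + at_re.segment_list[2:])
    return {
        "sl_at_re": at_re.segments_left,
        "verifies_after_transit": verify_icv(key, at_re, auth_fixed, icv),
        "naive_survives_transit": naive_icv(key, at_re) == naive,
        "tampered_list_verifies": verify_icv(key, tampered, auth_fixed, icv),
    }
```

The receiver only has to know the same presets as the encapsulating node, which is why the text ties them to a segment routing node of the security association: the values are a property of the SA, not of the packet.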
The embodiments of this application provide the following four embodiments of a segment routing packet transmission method:
Embodiment 1: Figure 17 is a schematic architecture diagram of the network topology in an embodiment of this application. A segment routing network topology is shown in Figure 17.
An SRv6 tunnel is established between RA and RE; the source node T1 and the destination node T2 are the sending and receiving ends of the customer IP packets.
The RA segment routing node A::1::50 represents an enhanced security function SID: the forwarding action function definition Function=1 represents joint encryption and integrity, and the parameter Args=50 represents association with security association 50. The RE segment routing node E::2::50 represents an enhanced security function SID: the forwarding action function definition Function=2 represents joint decryption and integrity, and the parameter Args=50 represents association with security association 50.
Figures 18a and 18b are the first signal flow diagram of packet transmission in an embodiment of this application. As shown in Figures 18a and 18b, the packet transmission proceeds through the following steps.
Source node T1 -> routing node RA: source node T1 sends the original IP packet.
Routing node RA (the first edge node) -> routing node RB: routing node RA, the first edge node, establishes the segment routing tunnel according to the tunnel security policy. Routing nodes RA and RE use security association 50 to form an encryption-paired pair of segment routing nodes, and routing nodes RB and RC use security association 20 to form another. Routing node RA, the tunnel head node, builds the segment list <E::2::50, D::, C::2::20, B::1::20> without explicitly pushing its own segment A::1::50; at the same time RA first encrypts the original IP packet according to security association 50 and then calculates its integrity, adds the outer IPv6 standard header and the SRH (into which the segment list with enhanced security functions formed according to the security policy is pushed), and forwards the packet to routing node RB.
Routing node RB -> routing node RC: the packet hits SID B::1::20. Routing node RB processes it according to security association 20 with the second joint encryption and integrity enhanced security function processing described above, decrements SL by 1 and forwards the packet to routing node RC.
Routing node RC -> routing node RD: the packet hits SID C::2::20. Routing node RB, according to security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, decrements SL by 1 and forwards the packet to routing node RD.
Routing node RD -> routing node RE (the second edge node): the packet hits SID D::, which has no enhanced security function; it is forwarded to routing node RE by normal SRv6 forwarding.
Routing node RE -> destination node T2: the packet hits SID E::2::50. Routing node RB, according to security association 50 and the valid information in encapsulated security extension header 50 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, removes the outer IPv6 encapsulation and forwards the packet to destination node T2.
Embodiment 2: a segment routing network topology is shown in Figure 17.
An SRv6 tunnel is established between RA and RE; the source node T1 and the destination node T2 are the sending and receiving ends of the customer IP packets.
Figures 19a and 19b are the second signal flow diagram of packet transmission in an embodiment of this application. As shown in Figures 19a and 19b, the packet transmission proceeds through the following steps.
Source node T1 -> routing node RA: source node T1 sends the original IP packet.
Routing node RA -> routing node RB: RA establishes the segment routing tunnel according to the tunnel security policy; RA and RE use security association 50 to form an encryption-paired pair of segment routing nodes, and RB and RC use security association 20 to form another. RA, the tunnel head node, builds the segment list <E::2::50, D::, C::2::20, B::1::20, A::1::50> by explicitly pushing its own segment A::1::50, with SL=4. RA's uplink forwarding hits SID A::1::50: it first encrypts the original IP packet according to security association 50 and then calculates its integrity, adds the outer IPv6 standard header and the SRH (into which the segment list with enhanced security functions formed according to the security policy is pushed), decrements SL by 1, looks up the route for B::1::20 and forwards the packet to RB.
Routing node RB -> routing node RC: the packet hits SID B::1::20. RB processes it according to security association 20 with the second joint encryption and integrity enhanced security function processing described above, decrements SL by 1 and forwards the packet to RC.
Routing node RC -> routing node RD: the packet hits SID C::2::20. RB, according to security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, decrements SL by 1 and forwards the packet to RD.
Routing node RD -> routing node RE: the packet hits SID D::, which has no enhanced security function; it is forwarded to RE by normal SRv6 forwarding.
Routing node RE -> routing node T2: the packet hits SID E::2::50. RB, according to security association 50 and the valid information in encapsulated security extension header 50 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, removes the outer IPv6 encapsulation and forwards the packet to T2.
Embodiment 3: a segment routing network topology is shown in Figure 17. An SRv6 tunnel is established between RA and RE; the source node T1 and the destination node T2 are the sending and receiving ends of the customer IP packets.
Figures 20a and 20b are the third signal flow diagram of packet transmission in an embodiment of this application. As shown in Figures 20a and 20b, the packet transmission proceeds through the following steps:
Source node T1 -> routing node RA: source node T1 sends the original IP packet.
Routing node RA -> routing node RB: RA establishes the segment routing tunnel according to the tunnel security policy; RD and RE use security association 50 to form an encryption-paired pair of segment routing nodes, and RB and RC use security association 20 to form another. RA, the tunnel head node, builds the segment list <E::2::40, D::1::40, C::2::20, B::1::20>, adds the outer IPv6 standard header and the SRH (into which the segment list with enhanced security functions formed according to the security policy is pushed), sets SL=3 and forwards the packet to RB.
Routing node RB -> routing node RC: the packet hits SID B::1::20. RB performs joint encryption and integrity processing of the packet according to security association 20 following Figure 7 (the segment routing node processing flow), decrements SL by 1 and forwards the packet to RC.
Routing node RC -> routing node RD: the packet hits SID C::2::20. RB, according to security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, decrements SL by 1 and forwards the packet to RD.
Routing node RD -> routing node RE: the packet hits SID D::1::40. RD performs joint encryption and integrity processing of the packet according to security association 40 following the segment routing node processing flow described above, decrements SL by 1 and forwards the packet to RC.
Routing node RE -> destination node T2: the packet hits SID E::2::40. RB, according to security association 40 and the valid information in encapsulated security extension header 40 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, removes the outer IPv6 encapsulation and forwards the packet to T2.
Embodiment 4: a segment routing network topology is shown in Figure 17. An SRv6 tunnel is established between RA and RE; the source node T1 and the destination node T2 are the sending and receiving ends of the customer IP packets.
Figures 21a and 21b are the fourth signal flow diagram of packet transmission in an embodiment of this application. As shown in Figures 21a and 21b, the packet transmission proceeds through the following steps.
Source node T1 -> routing node RA: source node T1 sends the original IP packet.
Routing node RA -> routing node RB: RA establishes the segment routing tunnel according to the tunnel security policy; RA and RE use security association 50 to form an encryption-paired pair of segment routing nodes, and RB and RC use security association 20 to form another. RA, the tunnel head node, builds the segment list <T2::, E::2::50, D::, C::2::20, B::1::20> without explicitly pushing its own segment A::1::50. At the same time RA first encrypts the payload of the original IP packet according to security association 50 and then calculates its integrity, inserts the SRH (into which the segment list with enhanced security functions formed according to the security policy is pushed) after the IPv6 standard header (IPv6 SA = T1::, IPv6 DA = B::1::20), sets SL=4 and forwards the packet to RB.
Routing node RB -> routing node RC: the packet hits SID B::1::20. RB processes it according to security association 20 with the second joint encryption and integrity enhanced security function processing described above, decrements SL by 1 and forwards the packet to RC.
Routing node RC -> routing node RD: the packet hits SID C::2::20. RB, according to security association 20 and the valid information in encapsulated security extension header 20 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, decrements SL by 1 and forwards the packet to RD.
Routing node RD -> routing node RE: the packet hits SID D::, which has no enhanced security function; it is forwarded to RE by normal SRv6 forwarding.
Routing node RE -> destination node T2: the packet hits SID E::2::50. RB, according to security association 50 and the valid information in encapsulated security extension header 50 (for example SPI and SN, but not limited to these two; other information may also be added), performs joint decryption and integrity verification of the packet according to the segment routing node processing flow described above, removes the inserted SRH and forwards the packet to destination node T2.
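The following Python, an added example rather than the patent's own code, runs Embodiment 1 end to end on a software model and generalises to the segment lists of the other embodiments: it decodes SIDs of the form locator::Function::Args as the text presents them, binds Args to a constructed SA table, applies the joint encryption and integrity enhancement at nodes whose SID carries Function=1 (an ESP-style header holding SPI and SN, IV = SPI||SN, ICV appended) and the joint decryption and verification at nodes with Function=2, and performs the SL legality check and local SID lookup that the target network node description later on this page assigns to modules 2302 to 2308. The SHA-256 counter keystream is a stand-in for the SA's real cipher, and the keys, SPIs, trailer and payload are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FUNC_ENCRYPT, FUNC_DECRYPT = 1, 2    # Function values carried by the SIDs in the text
ICV_LEN = 16
# Constructed SA table: SA identifier (the SID's Args) -> (SPI, key)
SA_TABLE = {
    50: (0x50, b"sa50-constructed-key-32-bytes!!!"),
    20: (0x20, b"sa20-constructed-key-32-bytes!!!"),
    40: (0x40, b"sa40-constructed-key-32-bytes!!!"),
}
EMBODIMENT1 = ["E::2::50", "D::", "C::2::20", "B::1::20"]   # SRH order: index 0 is the last segment


def parse_sid(text: str) -> Tuple[str, int, Optional[int]]:
    """'C::2::20' -> ('C', 2, 20); 'D::' -> ('D', 0, None): text form of the SIDs in the patent."""
    parts = text.split("::")
    if len(parts) == 3 and parts[1]:
        return parts[0], int(parts[1]), int(parts[2])
    return parts[0], 0, None


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256: a stand-in for the SA's cipher, not a real one."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + iv + struct.pack("!I", ctr)).digest()
    return bytes(out[:n])


def joint_encrypt(sa_id: int, sn: int, payload: bytes) -> bytes:
    """Module 2212: ESP header (SPI, SN) + trailer, encrypt with IV = SPI||SN, append the ICV."""
    spi, key = SA_TABLE[sa_id]
    header = struct.pack("!II", spi, sn)              # doubles as the IV, as the text allows
    plain = payload + bytes([0, 0])                   # trailer: pad length 0, next header 0
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, header, len(plain))))
    body = header + cipher
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def joint_decrypt(sa_id: int, blob: bytes) -> Tuple[bytes, int]:
    """Step 1403: verify the ICV first, match the SPI to the SA, then decrypt and drop the trailer."""
    spi, key = SA_TABLE[sa_id]
    body, icv = blob[:-ICV_LEN], blob[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError(f"ICV mismatch under SA {sa_id}")
    spi_in, sn = struct.unpack("!II", body[:8])
    if spi_in != spi:
        raise ValueError("SPI in the packet does not belong to the SA selected by the SID")
    cipher = body[8:]
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(key, body[:8], len(cipher))))
    return plain[:-2], sn


@dataclass
class Packet:
    segment_list: List[str]   # SRH order, index 0 is the last segment
    segments_left: int
    payload: bytes            # inner packet wrapped in zero or more ESP layers


def process_at_node(node: str, pkt: Packet, sn: int) -> str:
    """Modules 2302-2308: SL legality, local SID lookup, SA from Function/Args, act, then SL - 1."""
    if not 0 <= pkt.segments_left < len(pkt.segment_list):
        raise ValueError("SL illegal")
    current = pkt.segment_list[pkt.segments_left]   # the IPv6 DA at this hop
    locator, func, sa_id = parse_sid(current)
    if locator != node:
        raise ValueError(f"{current} is not a local SID of {node}")
    if func == FUNC_ENCRYPT:
        pkt.payload = joint_encrypt(sa_id, sn, pkt.payload)
        action = f"encrypt SA{sa_id}"
    elif func == FUNC_DECRYPT:
        pkt.payload, _ = joint_decrypt(sa_id, pkt.payload)
        action = f"decrypt SA{sa_id}"
    else:
        action = "plain SRv6"
    if pkt.segments_left > 0:
        pkt.segments_left -= 1                       # DA becomes segment_list[SL]
    return action


def run_path(segment_list: List[str], head_sa: Optional[int], payload: bytes,
             corrupt_after: Optional[str] = None) -> Tuple[bytes, List[str]]:
    """Walk the tunnel from RA to the last segment. head_sa models RA encrypting under its own
    SA without pushing A::1::50 (Embodiment 1); corrupt_after flips a byte after that node."""
    pkt = Packet(list(segment_list), len(segment_list) - 1, payload)
    trace = []
    if head_sa is not None:
        pkt.payload = joint_encrypt(head_sa, 1, pkt.payload)
        trace.append(f"A:encrypt SA{head_sa}")
    while True:
        node = parse_sid(pkt.segment_list[pkt.segments_left])[0]
        last_hop = pkt.segments_left == 0
        trace.append(f"{node}:{process_at_node(node, pkt, 1)}")
        if node == corrupt_after:
            pkt.payload = pkt.payload[:-1] + bytes([pkt.payload[-1] ^ 1])
        if last_hop:
            return pkt.payload, trace


def deliver(segment_list, head_sa, payload, corrupt_after=None):
    """Payload handed to T2, or the error message when a node rejects the packet."""
    try:
        return run_path(segment_list, head_sa, payload, corrupt_after)[0]
    except ValueError as exc:
        return "rejected: " + str(exc)
```

Running `run_path(EMBODIMENT1, 50, payload)` reproduces the trace of Embodiment 1 (RA and RB encrypt, RC and RE decrypt, RD forwards plainly) and returns the original payload; passing the Embodiment 2 list with `head_sa=None` makes RA hit its own explicitly pushed A::1::50 instead. A byte flipped between RB and RC is rejected at RC by the SA 20 ICV check before any decryption is attempted, which is the ordering the text prescribes for the target network node.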
The first edge node in the embodiments of this application is described below. Figure 22 is a schematic structural diagram of the first edge node in an embodiment of this application. Referring to Figure 22, an embodiment of this application provides a first edge node 2200. This access network device may be the first edge node in Figure 6 above. The first edge node is applied in a segment routing network that includes the first edge node, at least one central node and a second edge node, which are connected in sequence to build a segment routing tunnel. The first edge node 2200 includes:
A building module 2201, configured to negotiate and build security associations with the at least one central node and the second edge node respectively; for the specific implementation, refer to step 601 in the embodiment shown in Figure 6 (the network nodes in the segment routing network negotiate and build security associations), which is not repeated here.
A second generation module 2202, configured to generate a first enhanced security function SID; for the specific implementation, refer to step 602 in the embodiment shown in Figure 6 (the network routing node generates the first enhanced security function SID), which is not repeated here.
A second sending module 2203, configured to send the first enhanced security function SID to the controller, the at least one central node and the second edge node; for the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID in the segment routing network), which is not repeated here.
A third sending module 2204, configured to send SID revocation information to the at least one central node, the second edge node and/or the controller if the first edge node determines that the security capability of a security association has weakened; the SID revocation information instructs the at least one central node, the second edge node and/or the controller to revoke the first enhanced security function SID. For the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID in the segment routing network), which is not repeated here.
In a possible implementation, the third sending module 2204 includes:
A first determination unit 2205, configured to determine a change in the relationship between the network node devices of the security association and/or a change in the key parameters of the security association; for the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID in the segment routing network), which is not repeated here.
A second determination unit 2206, configured to determine, from the key parameters of the security association and the enhanced security capability of the SID, that the security capability of the security association has weakened. For the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID in the segment routing network), which is not repeated here.
A receiving module 2207, configured to receive the multiple enhanced security function SIDs sent respectively by the at least one central node and the second edge node. For the specific implementation, refer to step 603 in the embodiment shown in Figure 6 (the segment routing node publishes the enhanced security function SID in the segment routing network), which is not repeated here.
A first determination module 2208, configured to determine the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path; for the specific implementation, refer to step 604 in the embodiment shown in Figure 6 (the first edge node determines the forwarding topology information), which is not repeated here.
A first generation module 2209, configured to generate enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel; the enhanced security function segment routing information contains a first enhanced security function segment list identity SID, and the first enhanced security function SID matches the security association SA identifier of the second edge node. For the specific implementation, refer to step 606 in the embodiment shown in Figure 6 (the first edge node generates the enhanced security function segment routing information), which is not repeated here.
A push module 2210, configured to push the first path into the segment list; for the specific implementation, refer to step 608 in the embodiment shown in Figure 6 (the first edge node pushes the first path into the segment list), which is not repeated here.
In a possible implementation, the push module 2210 is specifically configured as follows: the first edge node generates the first path from the multiple enhanced security function SIDs and pushes the first path into the segment list; the first edge node sends the first enhanced security function SID to the controller, so that the controller generates the first path according to the forwarding logic and delivers the first path to the first edge node.
A second determination module 2211, configured to determine that the multiple enhanced security function SIDs in the segment list pass the rule check, where the multiple enhanced security function SIDs include the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node; for the specific implementation, refer to step 607 in the embodiment shown in Figure 6 (the first edge node determines that the multiple enhanced security function SIDs in the segment list pass the rule check), which is not repeated here.
A joint encryption and integrity enhancement module 2212, configured to perform at least one joint encryption and integrity enhancement on the packet. For the specific implementation, refer to step 609 in the embodiment shown in Figure 6 (the first edge node performs joint encryption and integrity enhancement on the packet), which is not repeated here.
The joint encryption and integrity enhancement module 2212 is specifically configured to: construct the key information of the encapsulated security payload extension option header according to the security association SA; insert the security extension option header; construct the encapsulated security payload trailer and add it to the end of the original packet, so that it and the original IP packet payload form the new packet payload; encrypt the packet payload with the key and the corresponding algorithm in the SA, where, if the encryption algorithm requires an initial vector IV, IV = {SPI||SN} may be used, SPI being the security parameter index and SN the packet security sequence number; calculate the packet integrity check value ICV over the packet and append it to the end of the packet; and update the relevant fields of the packet. For the specific implementation, refer to step 609 in the embodiment shown in Figure 6 (the first edge node performs joint encryption and integrity enhancement on the packet), which is not repeated here.
A first sending module 2213, configured to send the packet, where the packet includes the first enhanced security function SID. For the specific implementation, refer to step 610 in the embodiment shown in Figure 6 (the first edge node sends the packet), which is not repeated here.
In this embodiment, the first edge node may perform the operations performed by the first edge node in any of the embodiments shown in Figure 6, which are not repeated here.
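Module 2211 requires the enhanced security function SIDs in the segment list to pass a rule check, but step 607 itself is not reproduced on this page. The Python below is an added example, not the patent's code, and the rules it enforces are assumptions chosen to match the pairing the embodiments describe: every Function=1 (encrypt) SID must be followed on the path by a Function=2 (decrypt) SID carrying the same Args, the Args must name an SA the first edge node has negotiated, and pairs must nest like a stack so that an inner layer (RB/RC under SA 20) is removed before the outer one (RA/RE under SA 50). The text form of the SIDs and the set of negotiated SAs are constructed.

```python
from typing import List, Optional, Set, Tuple

FUNC_ENCRYPT, FUNC_DECRYPT = 1, 2    # Function values carried by the SIDs in the text


def parse_sid(text: str) -> Tuple[str, int, Optional[int]]:
    """'B::1::20' -> ('B', 1, 20); 'D::' -> ('D', 0, None): text form of the SIDs in the patent."""
    parts = text.split("::")
    if len(parts) == 3 and parts[1]:
        return parts[0], int(parts[1]), int(parts[2])
    return parts[0], 0, None


def check_segment_list(segment_list: List[str], known_sas: Set[int],
                       head_sa: Optional[int] = None) -> List[str]:
    """Assumed rule check for module 2211. Returns the list of violations (empty = pass).
    segment_list is in SRH order (index 0 is the last segment), so the path is walked
    from the end of the list to its start. head_sa models the head node encrypting under
    its own SA without pushing its SID, as in Embodiment 1."""
    problems: List[str] = []
    open_layers: List[Tuple[str, int]] = []       # stack of (node, sa_id) not yet decrypted
    if head_sa is not None:
        open_layers.append(("head", head_sa))
    for text in reversed(segment_list):
        node, func, sa_id = parse_sid(text)
        if func not in (0, FUNC_ENCRYPT, FUNC_DECRYPT):
            problems.append(f"{text}: unknown Function {func}")
            continue
        if func != 0 and sa_id not in known_sas:
            problems.append(f"{text}: Args {sa_id} is not a negotiated SA")
        if func == FUNC_ENCRYPT:
            open_layers.append((node, sa_id))
        elif func == FUNC_DECRYPT:
            if not open_layers:
                problems.append(f"{text}: decrypt with no matching encrypt earlier on the path")
            elif open_layers[-1][1] != sa_id:
                problems.append(f"{text}: expected the decrypt for SA {open_layers[-1][1]} "
                                f"next; encryption layers must nest")
            else:
                open_layers.pop()
    for node, sa_id in open_layers:
        problems.append(f"layer under SA {sa_id} opened at {node} is never decrypted")
    return problems
```

A list that fails this check should not be pushed into the SRH at all: an encrypt SID without its decrypt partner would deliver ciphertext to T2, and crossed pairs would make a node attempt decryption with the wrong SA.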
The target network node in the embodiments of this application is described below. The target network node is any one of the at least one central node and the second edge node. Referring to Figure 23, an embodiment of this application provides a target network node 2300, which may be the target network node in Figure 14 above. The target network node is applied in a segment routing network that includes the first edge node, at least one central node and the target network node, which are connected in sequence to build a segment routing tunnel. The target network node 2300 includes:
A receiving module 2301, configured to receive the packet sent by the first edge node; for the specific implementation, refer to step 1401 in the embodiment shown in Figure 14 (the target network node receives the packet sent by the first edge node), which is not repeated here.
A second parsing module 2302, configured to parse whether the segment routing Segments Left SL is legal; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14 (the target network node parses whether the segment routing Segments Left SL is legal), which is not repeated here.
A lookup module 2303, configured to, if SL is legal, look up the IPv6 FIB table using the IPv6 standard packet header and, if the DIP is found to be a local route, continue looking up the local SID using the current SID of the segment routing extension header SRH; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14 (the target network node parses whether the segment routing Segments Left SL is legal), which is not repeated here.
An association module 2304, configured to, if the target network node hits a local SID, associate to the relevant SA according to the forwarding action function definition and parameters of the hit SID, or associate directly to the relevant SA through the SID; for the specific implementation, refer to step 1402 in the embodiment shown in Figure 14 (the target network node parses whether the segment routing Segments Left SL is legal), which is not repeated here.
A determination module 2305, configured to determine the specific execution behaviour according to the SID forwarding action function definition and the SA. For the specific implementation, refer to step 1402 in the embodiment shown in Figure 14 (the target network node parses whether the segment routing Segments Left SL is legal), which is not repeated here.
A first parsing module 2306, configured to parse that the extension header RH of the packet is an encapsulated security payload extension header; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14 (the target network node performs joint decryption and integrity authentication of the packet), which is not repeated here.
An extraction module 2307, configured to extract the information in the encapsulated security extension header; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14 (the target network node performs joint decryption and integrity authentication of the packet), which is not repeated here.
A decryption and integrity calculation module 2308, configured to perform the decryption and integrity calculation of the packet with the key and encryption algorithm associated with the security association SA, and to compare the calculated integrity value with the integrity check value ICV carried in the packet for integrity verification; if the comparison matches, the integrity verification is determined to have passed. For the specific implementation, refer to step 1403 in the embodiment shown in Figure 14 (the target network node performs joint decryption and integrity authentication of the packet), which is not repeated here.
The decryption and integrity calculation module 2308 includes:
A determination unit 2309, configured to determine the authentication calculation field range of the packet, which includes the IPv6 standard header of the packet, all enhanced security function segment lists and the encapsulated authentication extension header; for the specific implementation, refer to step 1403 in the embodiment shown in Figure 14 (the target network node performs joint decryption and integrity authentication of the packet), which is not repeated here.
解密完整性计算单元2310,用于通过SA关联的密钥和加密算法,根据认证计算字域范围对分组报文进行解密完整性计算,其中,对于认证计算字域范围中的可变字段,目标网络节点通过预置对应值进行解密完整性计算。具体实现方式,请参考图14所示实施例中步骤1403:目标网络节点对分组报文进行联合解密和认证完整性,这里不再赘述。The decryption integrity calculation unit 2310 is used to perform decryption integrity calculation on the packet message according to the authentication calculation field range through the key and encryption algorithm associated with the SA, wherein for the variable fields in the authentication calculation field range, the target Network nodes perform decryption integrity calculations by presetting corresponding values. For specific implementation methods, please refer to step 1403 in the embodiment shown in Figure 14: the target network node jointly decrypts and authenticates the integrity of the packet message, which will not be described again here.
本实施例中,目标网络节点可以执行前述图14中任一项所示实施例中目标网络节点所执行的操作,具体此处不再赘述。In this embodiment, the target network node can perform the operations performed by the target network node in any of the embodiments shown in FIG. 14 , and details will not be described again here.
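The target-node processing described above (modules 2302 to 2310) and the matching first-edge-node encapsulation of claim 9, as an added example that is not code from the patent or its applicant. It assumes RFC 8200/8754/4303 byte layouts, an HMAC-SHA256 keystream and ICV standing in for the SA algorithms the page does not name, hop limit, destination address and Segments Left as the mutable fields that are preset to zero, and a constructed local SID table keyed by SID with a function-code name chosen here.

```python
import hashlib
import hmac
import struct

# Constructed packet layout: IPv6 header (RFC 8200), SRH (RFC 8754) and an ESP-style
# header/trailer (RFC 4303).  The patent fixes neither offsets nor algorithms (assumption).
PAYLOAD_LEN_OFF = 4   # 16-bit IPv6 payload length, updated when headers are added or removed
HOP_LIMIT_OFF = 7     # mutable: decremented at every hop
DST_ADDR_OFF = 24     # mutable in SRv6: rewritten to the active SID at each segment
SRH_SL_OFF = 3        # mutable: Segments Left; byte 4 of the SRH is Last Entry
SRH_LIST_OFF = 8      # first 16-byte SID of the segment list
PROTO_ESP = 50
ICV_LEN = 16

class SecurityAssociation:
    """Toy SA: security parameter index, keys and the next security sequence number."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key, self.sn = spi, enc_key, auth_key, 1

def _crypt(key, iv, data):
    # Stand-in for the SA cipher (assumption): HMAC-SHA256 keystream in counter mode, IV = SPI||SN.
    ks = b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def _auth_range(ipv6_hdr, srh, esp_hdr, ciphertext):
    """Claims 12-13: IPv6 header, segment list, ESP header and payload, with the
    fields that change in flight (hop limit, DA, Segments Left) preset to zero."""
    h = bytearray(ipv6_hdr)
    h[HOP_LIMIT_OFF] = 0
    h[DST_ADDR_OFF:DST_ADDR_OFF + 16] = bytes(16)
    s = bytearray(srh)
    s[SRH_SL_OFF] = 0
    return bytes(h) + bytes(s) + esp_hdr + ciphertext

def _icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]

def _set_payload_len(ipv6_hdr, length):
    return ipv6_hdr[:PAYLOAD_LEN_OFF] + struct.pack(">H", length) + ipv6_hdr[PAYLOAD_LEN_OFF + 2:]

def protect(sa, ipv6_hdr, srh, payload):
    """First edge node, claim 9: ESP header, trailer, encrypt, update fields, ICV."""
    esp_hdr = struct.pack(">II", sa.spi, sa.sn)            # SPI || SN, also used as the IV
    inner_next = srh[0]                                     # original next header moves into the trailer
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, inner_next])
    srh = bytes([PROTO_ESP]) + srh[1:]                      # SRH now points at the ESP header
    ciphertext = _crypt(sa.enc_key, esp_hdr, payload + trailer)
    ipv6_hdr = _set_payload_len(ipv6_hdr, len(srh) + len(esp_hdr) + len(ciphertext) + ICV_LEN)
    icv = _icv(sa, _auth_range(ipv6_hdr, srh, esp_hdr, ciphertext))   # ICV over the updated fields
    sa.sn += 1
    return ipv6_hdr, srh, esp_hdr + ciphertext + icv

def process(local_sids, ipv6_hdr, srh, body):
    """Target network node, claims 10-12.  local_sids maps SID -> (function code, SA)."""
    sl, last_entry = srh[SRH_SL_OFF], srh[4]
    if sl > last_entry:                                     # is Segments Left legal?
        raise ValueError("illegal Segments Left")
    dip = ipv6_hdr[DST_ADDR_OFF:DST_ADDR_OFF + 16]
    active_sid = srh[SRH_LIST_OFF + 16 * sl:SRH_LIST_OFF + 16 * (sl + 1)]
    if dip != active_sid or active_sid not in local_sids:   # DIP is local, then local SID hit
        raise LookupError("DIP is not a local enhanced-security SID")
    function, sa = local_sids[active_sid]                   # hit SID -> forwarding function and SA
    if function != "joint-decrypt-integrity" or srh[0] != PROTO_ESP:
        raise ValueError("SID function or next header does not call for ESP processing")
    esp_hdr, ciphertext, icv = body[:8], body[8:-ICV_LEN], body[-ICV_LEN:]
    spi, _sn = struct.unpack(">II", esp_hdr)
    if spi != sa.spi:
        raise ValueError("SPI does not match the SA bound to this SID")
    # Recompute the ICV over the sender's range, compare in constant time, decrypt only on a match.
    if not hmac.compare_digest(_icv(sa, _auth_range(ipv6_hdr, srh, esp_hdr, ciphertext)), icv):
        raise ValueError("integrity verification failed")
    plaintext = _crypt(sa.enc_key, esp_hdr, ciphertext)
    pad_len, inner_next = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - pad_len - 2]
    srh = bytes([inner_next]) + srh[1:]                     # ESP header and trailer removed, fields restored
    return _set_payload_len(ipv6_hdr, len(srh) + len(payload)), srh, payload

def demo(tamper=False):
    """Constructed round trip: the first edge node protects, the next segment endpoint verifies."""
    sid_mid = bytes.fromhex("fc000000000000000000000000000b01")   # constructed SIDs and addresses
    sid_end = bytes.fromhex("fc000000000000000000000000000c01")
    src = bytes.fromhex("fc000000000000000000000000000a01")
    srh = bytes([41, 4, 4, 1, 1, 0, 0, 0]) + sid_end + sid_mid       # SL=1: active SID is sid_mid
    ipv6 = bytes([0x60, 0, 0, 0, 0, 0, 43, 64]) + src + sid_mid
    payload = b"constructed inner packet"
    sa_tx, sa_rx = (SecurityAssociation(0x1001, b"k-enc", b"k-auth") for _ in range(2))
    hdr, srh_out, body = protect(sa_tx, ipv6, srh, payload)
    hdr = hdr[:HOP_LIMIT_OFF] + bytes([hdr[HOP_LIMIT_OFF] - 1]) + hdr[HOP_LIMIT_OFF + 1:]  # one hop
    if tamper:
        body = body[:9] + bytes([body[9] ^ 1]) + body[10:]           # flip one ciphertext bit
    try:
        _, _, recovered = process({sid_mid: ("joint-decrypt-integrity", sa_rx)}, hdr, srh_out, body)
    except ValueError:
        return "rejected"
    return "ok" if recovered == payload else "corrupt"
```

Because the hop limit, destination address and Segments Left are preset before the ICV is computed, the value still verifies after the packet has been forwarded one segment, while any change to the ciphertext is rejected before decryption is attempted.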
FIG. 24 is a schematic structural diagram of a first edge node provided by an embodiment of the present application. The first edge node 2400 may include one or more central processing units (CPU) 2401 and a memory 2405, and the memory 2405 stores one or more application programs or data.
The memory 2405 may be volatile storage or persistent storage. The program stored in the memory 2405 may include one or more modules, and each module may include a series of instruction operations for the first edge node. Further, the central processing unit 2401 may be configured to communicate with the memory 2405 and execute the series of instruction operations in the memory 2405 on the first edge node 2400.
The central processing unit 2401 is configured to execute the computer program in the memory 2405, so that the first edge node 2400 performs the following: the first edge node determines forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path; the first edge node generates enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel, the enhanced security function segment routing information including a first enhanced security function segment list identity SID, where the first enhanced security function SID matches the security association SA identifier of the second edge node; the first edge node pushes a first path into the segment routing list; the first edge node determines that a plurality of enhanced security function SIDs in the segment routing list pass a rule check, the plurality of enhanced security function SIDs including the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node; and the first edge node sends a packet, the packet including the first enhanced security function SID. For the specific implementation, refer to steps 601-610 in the embodiment shown in FIG. 6, which are not described again here.
The first edge node 2400 may further include one or more power supplies 2402, one or more wired or wireless network interfaces 2403, one or more input/output interfaces 2404, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like.
The first edge node 2400 can perform the operations performed by the first edge node in the embodiment shown in FIG. 6, which are not described again here.
FIG. 25 is a schematic structural diagram of a target network node provided by an embodiment of the present application. The target network node 2500 may include one or more central processing units (CPU) 2501 and a memory 2505, and the memory 2505 stores one or more application programs or data.
The memory 2505 may be volatile storage or persistent storage. The program stored in the memory 2505 may include one or more modules, and each module may include a series of instruction operations for the first edge node. Further, the central processing unit 2501 may be configured to communicate with the memory 2505 and execute the series of instruction operations in the memory 2505 on the first edge node 2500.
The central processing unit 2501 is configured to execute the computer program in the memory 2505, so that the first edge node 2500 performs the following: the target network node receives a packet sent by the first edge node, the target network node being any one of the at least one central node and the second edge node; the target network node parses that the extension header RH of the packet is an encapsulating security payload extension header; the target network node extracts the information in the encapsulating security extension header; the target network node performs decryption integrity calculation on the packet using the key and encryption algorithm associated with the security association SA, and compares the calculated integrity value with the integrity check value ICV carried in the packet for integrity verification, and if the comparison results are consistent the integrity verification is determined to pass; if the integrity verification passes, the target network node decrypts the packet according to the key and encryption algorithm associated with the SA; and the target network node removes the encapsulating security payload extension header and encapsulating security payload trailer associated with the packet and updates the relevant fields of the packet. For the specific implementation, refer to steps 1401-1403 in the embodiment shown in FIG. 14, which are not described again here.
The target network node 2500 may further include one or more power supplies 2502, one or more wired or wireless network interfaces 2503, one or more input/output interfaces 2504, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and the like.
The target network node 2500 can perform the operations performed by the target network node in the embodiment shown in FIG. 25, which are not described again here.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a division by logical function, and there may be other ways of division in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Claims (27)

  1. A message transmission method, characterized in that the method is applied to a segment routing network, the segment routing network includes a controller, a first edge node, at least one central node and a second edge node, the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel, and the method includes:
    the first edge node determines forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path;
    the first edge node generates enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel, the enhanced security function segment routing information including a first enhanced security function segment list identity SID, and the first enhanced security function SID matching the security association SA identifier of the second edge node;
    the first edge node pushes a first path into a segment routing list;
    the first edge node determines that a plurality of enhanced security function SIDs in the segment routing list pass a rule check, the plurality of enhanced security function SIDs including the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node;
    the first edge node sends a packet, the packet including the first enhanced security function SID.
  2. The method according to claim 1, characterized in that, before the first edge node determines the forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path, the method further includes:
    the first edge node negotiates and establishes a security association with each of the at least one central node and the second edge node;
    the first edge node generates the first enhanced security function SID;
    the first edge node sends the first enhanced security function SID to the controller, the at least one central node and the second edge node;
    the first edge node receives a plurality of enhanced security function SIDs sent respectively by the at least one central node and the second edge node.
  3. The method according to claim 2, characterized in that the first edge node pushing the first path into the segment routing list includes:
    the first edge node generates a first path according to the plurality of enhanced security function SIDs and pushes the first path into the segment routing list; or
    the first edge node sends the first enhanced security function SID to the controller, so that the controller generates a first path according to forwarding logic and delivers the first path to the first edge node.
  4. The method according to claim 3, characterized in that the method further includes:
    if the first edge node determines that the security capability of the security association is weakened, the first edge node sends SID revocation information to the at least one central node, the second edge node and/or the controller, the SID revocation information instructing the at least one central node, the second edge node and/or the controller to revoke the first enhanced security function SID.
  5. The method according to claim 4, characterized in that the first edge node determining that the security capability of the security association is weakened includes:
    the first edge node determines a change in the network node device relationship in the security association and/or a change in the key parameters of the security association;
    the first edge node determines, according to the key parameters of the security association and the enhanced security function capability of the SID, that the security capability of the security association is weakened.
  6. The method according to claim 5, characterized in that the first enhanced security function SID includes a locator network node identifier, a function code and parameters, where the locator network node identifier is a node identifier used in the network topology for routing and forwarding a packet to a network node; the function code includes device instructions preset by the device, and the function code implements functions such as enhanced security function, encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication addition, authentication verification capability and security enhancement; and the parameters are used to define service information of the security enhancement capability; or
    the locator network node identifier is the identifier of a network node in the network topology, used for routing and forwarding a packet to that node, the function code includes device instructions preset by the device, and the parameters are used to define service information of the security enhancement capability, the service information being used to implement functions such as enhanced security function, encryption, decryption, joint encryption and integrity, joint decryption and integrity, authentication addition, authentication verification capability and security enhancement.
  7. The method according to claim 6, characterized in that the packet includes an IPv6 standard header, a segment routing header, at least one encapsulating security payload extension header, at least one extension header, an IP packet payload, at least one encapsulating security payload trailer and at least one packet integrity check value ICV; or
    the packet includes an IPv6 standard header, a segment routing header, at least one encapsulating security payload extension header, at least one extension header and an IP packet payload.
  8. The method according to claim 7, characterized in that the method further includes:
    the first edge node performs joint encryption and integrity enhancement on the packet at least once.
  9. The method according to claim 8, characterized in that the first edge node performing joint encryption and integrity enhancement on the packet includes:
    the first edge node constructs the key information of a security payload extension option header according to the security association SA;
    the first edge node inserts the security extension option header;
    the first edge node constructs an encapsulating security payload trailer and appends it to the tail of the original packet, which together with the original IP packet payload forms a new packet payload;
    the first edge node encrypts the packet payload using the key and corresponding algorithm in the SA, and if the encryption algorithm requires an initialization vector IV, IV = {SPI||SN} may be used, where SPI is the security parameter and SN is the packet security sequence number;
    the first edge node calculates a packet integrity check value ICV for the packet and appends it to the tail of the packet;
    the first edge node updates the relevant fields of the packet.
  10. A message transmission method, characterized in that the method is applied to a segment routing network, the segment routing network includes a first edge node, at least one central node and a second edge node, the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel, and the method includes:
    a target network node receives a packet sent by the first edge node, the target network node being any one of the at least one central node and the second edge node;
    the target network node parses that the extension header RH of the packet is an encapsulating security payload extension header;
    the target network node extracts the information in the encapsulating security extension header;
    the target network node performs decryption integrity calculation on the packet using the key and encryption algorithm associated with a security association SA, and compares the calculated integrity value with the integrity check value ICV carried in the packet for integrity verification; if the comparison results are consistent, the integrity verification is determined to pass;
    if the integrity verification passes, the target network node decrypts the packet according to the key and encryption algorithm associated with the SA;
    the target network node removes the encapsulating security payload extension header and encapsulating security payload trailer associated with the packet, and updates the relevant fields of the packet.
  11. The method according to claim 10, characterized in that, before the target network node parses that the extension header RH of the packet is an encapsulating security payload extension header, the method further includes:
    the target network node parses whether the segment routing Segments Left SL is legal;
    if the SL is legal, the target network node looks up the IPv6 FIB table using the IPv6 standard header, and if the DIP is found to be a local route, the target network node uses the current SID of the segment routing header SRH to continue looking up a local SID;
    if the target network node hits a local SID, the target network node associates to the relevant SA according to the forwarding action function definition and parameters in the hit SID, or the target network node associates directly to the relevant SA through the SID;
    the target network node determines the specific execution behaviour according to the SID forwarding action function definition and the SA.
  12. The method according to claim 11, characterized in that the target network node performing decryption integrity calculation on the packet using the key and encryption algorithm associated with the SA includes:
    the target network node determines the authentication calculation field range of the packet, the authentication calculation field range including the IPv6 standard header of the packet, all enhanced security function segment routing lists and the encapsulating authentication extension header;
    the target network node performs, using the key and encryption algorithm associated with the SA, decryption integrity calculation on the packet according to the authentication calculation field range, where for the mutable fields within the authentication calculation field range the target network node performs the decryption integrity calculation with preset corresponding values.
  13. The method according to claim 12, characterized in that the authentication calculation field range further includes at least one extension header and the IP packet payload.
  14. A first edge node, characterized in that the first edge node is applied to a segment routing network, the segment routing network includes a first edge node, at least one central node and a second edge node, the first edge node, the at least one central node and the second edge node are connected in sequence to form a segment routing tunnel, and the first edge node includes:
    a first determination module, configured to determine forwarding topology information from the first edge node to the second edge node according to the service requirements of the segment routing tunnel forwarding path;
    a first generation module, configured to generate enhanced security function segment routing information according to the forwarding topology information and the security policy of the segment routing tunnel, the enhanced security function segment routing information including a first enhanced security function segment list identity SID, and the first enhanced security function SID matching the security association SA identifier of the second edge node;
    a push module, configured to push a first path into a segment routing list;
    a second determination module, configured to determine that a plurality of enhanced security function SIDs in the segment routing list pass a rule check, the plurality of enhanced security function SIDs including the first enhanced security function SID and the enhanced security function SIDs sent respectively by the at least one central node and the second edge node;
    a first sending module, configured to send a packet, the packet including the first enhanced security function SID.
  15. The first edge node according to claim 14, characterized in that the first edge node further includes:
    an establishment module, configured to negotiate and establish a security association with each of the at least one central node and the second edge node;
    a second generation module, configured to generate the first enhanced security function SID;
    a second sending module, configured to send the first enhanced security function SID to the controller, the at least one central node and the second edge node;
    a receiving module, configured to receive a plurality of enhanced security function SIDs sent respectively by the at least one central node and the second edge node.
  16. The first edge node according to claim 15, characterized in that the push module is specifically configured to:
    generate a first path according to the plurality of enhanced security function SIDs and push the first path into the segment routing list; or
    send the first enhanced security function SID to the controller, so that the controller generates a first path according to forwarding logic and delivers the first path to the first edge node.
  17. The first edge node according to claim 16, characterized in that the first edge node further includes:
    a third sending module, configured to send SID revocation information to the at least one central node, the second edge node and/or the controller if the first edge node determines that the security capability of the security association is weakened, the SID revocation information instructing the at least one central node, the second edge node and/or the controller to revoke the first enhanced security function SID.
  18. 根据权利要求17所述的第一边缘节点,其特征在于,所述第三发送模块包括:The first edge node according to claim 17, characterized in that the third sending module includes:
    第一确定单元,用于确定所述安全联盟中的网络节点设备关系变更和/或所述安全联盟的关键参数变更;A first determination unit configured to determine changes in network node device relationships in the security association and/or changes in key parameters of the security association;
    第二确定单元,用于根据所述安全联盟关键参数和所述SID的增强安全功能能力确定所述安全联盟的安全能力减弱。The second determination unit is configured to determine the weakening of the security capability of the security association based on the key parameters of the security association and the enhanced security functional capability of the SID.
  19. 根据权利要求18所述的第一边缘节点,其特征在于,所述第一边缘节点还包括:The first edge node according to claim 18, characterized in that the first edge node further includes:
    联合加密和完整性增强模块,用于对所述分组报文进行至少一次联合加密和完整性增强。A joint encryption and integrity enhancement module is used to perform at least one joint encryption and integrity enhancement on the packet message.
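The control-plane side of claims 15 to 18, as an added example that is not the patent's own code: the first edge node keeps the security associations it negotiated with each tunnel member, collects their enhanced security function SIDs, turns them into the SRH segment list of claim 16 (local variant), and, when a key parameter or a membership relationship changes, decides per claim 18 whether the association still backs what its own SID advertises and, if not, emits the claim 17 revocation. The SA parameter set, the capability encoding, the node names and SIDs are all assumptions; the patent does not fix any of them.

```python
from dataclasses import dataclass

# Assumed: which transforms count as AEAD for the capability test below.
AEAD_CIPHERS = {"aes-128-gcm", "aes-256-gcm", "chacha20-poly1305"}


@dataclass(frozen=True)
class SAParams:
    """Key parameters of one security association (assumed set, not the patent's)."""
    cipher: str
    key_bits: int
    lifetime_s: int  # remaining key lifetime; <= 0 means the SA has expired


@dataclass(frozen=True)
class Capability:
    """What the first edge node's enhanced security SID promises (assumed encoding)."""
    min_key_bits: int
    aead_required: bool


def sa_meets(sa, cap):
    """Second determination unit: does this SA still back the advertised capability?"""
    return (sa.lifetime_s > 0 and sa.key_bits >= cap.min_key_bits
            and (not cap.aead_required or sa.cipher in AEAD_CIPHERS))


class FirstEdgeNode:
    def __init__(self, name, own_sid, tunnel_members, capability):
        self.name = name
        self.own_sid = own_sid                 # first enhanced security SID (second generation module)
        self.members = list(tunnel_members)    # central nodes in tunnel order, then the second edge node
        self.capability = capability
        self.sa = {}        # member -> SAParams  (construction module)
        self.peer_sid = {}  # member -> SID       (receiving module)
        self.revoked = False

    def negotiate_sa(self, member, params):
        """Construction module: one SA per tunnel member."""
        if member not in self.members:
            raise ValueError(f"{member} is not on the tunnel")
        self.sa[member] = params

    def receive_sid(self, member, sid):
        """Receiving module: enhanced security SID advertised by a tunnel member."""
        self.peer_sid[member] = sid

    def advertise(self):
        """Second sending module: the own SID goes to the controller and every member."""
        return {"type": "SID_ADVERTISE", "sid": self.own_sid,
                "to": ["controller", *self.members]}

    def build_srh(self):
        """Push module, local variant of claim 16: the first path in forwarding order is
        stored reversed in the SRH (RFC 8754: Segment List[0] is the last segment) and
        Segments Left initially points at the first hop."""
        if self.revoked:
            raise RuntimeError("own SID revoked; no enhanced-security path available")
        missing = [m for m in self.members if m not in self.peer_sid]
        if missing:
            raise RuntimeError(f"no enhanced security SID received from {missing}")
        path = [self.peer_sid[m] for m in self.members]
        seg_list = path[::-1]
        return seg_list, len(seg_list) - 1

    def on_sa_change(self, member, params=None):
        """Claim 18. First determination unit: record a relationship change (params None
        means the member left the association) or a key-parameter change. Second
        determination unit: re-check every member against the advertised capability.
        Returns the claim 17 revocation message when the capability no longer holds."""
        if params is None:
            self.sa.pop(member, None)
            self.peer_sid.pop(member, None)
        else:
            self.sa[member] = params
        weak = [m for m in self.members
                if m not in self.sa or not sa_meets(self.sa[m], self.capability)]
        if not weak:
            return None
        self.revoked = True
        return {"type": "SID_REVOKE", "sid": self.own_sid, "weak_members": weak,
                "to": ["controller", *self.members]}
```

The revocation is sent to the controller as well as the members because, in claim 16's controller variant, the controller may hold a first path that still references the SID; leaving it out would let the controller keep installing a path whose security the edge node can no longer back.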
  20. A target network node, characterized in that the target network node is applied in a segment routing network, the segment routing network comprising a first edge node, at least one central node and a second edge node, the target network node being any one of the at least one central node and the second edge node, and the first edge node, the at least one central node and the second edge node being connected in sequence to form a segment routing tunnel, the target network node comprising:
    a receiving module, configured to receive a packet sent by the first edge node;
    a first parsing module, configured to parse the extension header RH of the packet as an Encapsulating Security Payload extension header;
    an extraction module, configured to extract the information in the Encapsulating Security Payload extension header;
    a decryption integrity calculation module, configured to perform an integrity calculation on the packet using the key and algorithm associated with the security association SA, and to compare the computed integrity value with the integrity check value ICV carried in the packet for integrity verification; if the two match, the integrity verification is determined to have passed;
    a decryption module, configured to decrypt the packet according to the key and encryption algorithm associated with the SA if the integrity verification passes;
    a removal module, configured to remove the Encapsulating Security Payload extension header and Encapsulating Security Payload trailer associated with the packet, and to update the relevant fields of the packet.
  21. The target network node according to claim 20, characterized in that the target network node further comprises:
    a second parsing module, configured to check whether the Segments Left SL of the segment routing header is valid;
    a lookup module, configured to, if the SL is valid, look up the IPv6 FIB table using the standard IPv6 header; if the destination IP DIP is found to be a local route, the target network node continues to look up the local SID using the current SID of the segment routing extension header SRH;
    an association module, configured to, if the target network node hits a local SID, associate to the relevant SA according to the forwarding action function definition and parameters in the hit SID, or to associate the target network node directly to the relevant SA through the SID;
    a determination module, configured to determine the specific execution behavior according to the SID forwarding action function definition and the SA.
  22. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 1-9 is implemented.
  23. A computer-readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, the method according to any one of claims 10-13 is implemented.
  24. A controller, characterized in that it comprises a processor and a computer-readable storage medium storing a computer program;
    the processor is coupled to the computer-readable storage medium, and when the computer program is executed by the processor, the method according to any one of claims 1-9 is implemented.
  25. A controller, characterized in that it comprises a processor and a computer-readable storage medium storing a computer program;
    the processor is coupled to the computer-readable storage medium, and when the computer program is executed by the processor, the method according to any one of claims 10-13 is implemented.
  26. A chip system, characterized in that it comprises a processor, the processor being invoked to execute the method according to any one of claims 1-9.
  27. A chip system, characterized in that it comprises a processor, the processor being invoked to execute the method according to any one of claims 10-13.
PCT/CN2023/070317 2022-03-23 2023-01-04 Message transmission method and related device WO2023179174A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210288718.X 2022-03-23
CN202210288718.XA CN116846566A (en) 2022-03-23 2022-03-23 Message transmission method and related equipment

Publications (1)

Publication Number Publication Date
WO2023179174A1 true WO2023179174A1 (en) 2023-09-28

Family

ID=88099783

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/070317 WO2023179174A1 (en) 2022-03-23 2023-01-04 Message transmission method and related device

Country Status (2)

Country Link
CN (1) CN116846566A (en)
WO (1) WO2023179174A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN111935007A * | 2019-05-13 | 2020-11-13 | Juniper Networks | Compressed routing header information for networks
CN112189323A * | 2018-06-26 | 2021-01-05 | Cisco Technology | Segment routing using secure segment identifiers
WO2021197003A1 * | 2020-04-02 | 2021-10-07 | Huawei Technologies Co., Ltd. | Boundary filtering method and device for SRv6 trust domain
CN113691490A * | 2020-05-19 | 2021-11-23 | Huawei Technologies Co., Ltd. | Method and device for checking SRv6 message

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112189323A * | 2018-06-26 | 2021-01-05 | Cisco Technology | Segment routing using secure segment identifiers
CN111935007A * | 2019-05-13 | 2020-11-13 | Juniper Networks | Compressed routing header information for networks
US20200366763A1 * | 2019-05-13 | 2020-11-19 | Juniper Networks, Inc. | Compressed routing header information for networks
WO2021197003A1 * | 2020-04-02 | 2021-10-07 | Huawei Technologies Co., Ltd. | Boundary filtering method and device for SRv6 trust domain
CN113691490A * | 2020-05-19 | 2021-11-23 | Huawei Technologies Co., Ltd. | Method and device for checking SRv6 message

Also Published As

Publication number Publication date
CN116846566A (en) 2023-10-03


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23773426

Country of ref document: EP

Kind code of ref document: A1