WO2023272498A1 - Packet forwarding method and apparatus, network node and storage medium - Google Patents
Packet forwarding method and apparatus, network node and storage medium
- Publication number: WO2023272498A1 (PCT/CN2021/103176)
- Authority: WO, WIPO (PCT)
- Prior art keywords
- security authentication
- parameter
- message
- srv6
- authentication instruction
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
  - H04L45/50—Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
  - H04L45/34—Source routing
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
  - H04L63/12—Applying verification of the received information
  - H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
  - H04L63/0272—Virtual private networks
  - H04L63/16—Implementing security features at a particular protocol layer
  - H04L63/164—Implementing security features at a particular protocol layer at the network layer
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  - H04L69/06—Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
  - H04L69/22—Parsing or analysis of headers
Definitions
- the present application relates to the field of network technology, in particular to a message forwarding method, device, network node and storage medium.
- SRv6: Segment Routing over IPv6 (Segment Routing Internet Protocol Version 6)
- the SRv6 technology supports the source network node of the SRv6 forwarding path to insert segment information of the SRv6 forwarding path in the packet.
- the packet after the segment information has been inserted is called an SRv6 packet.
- the segment information of the SRv6 forwarding path indicates the packet forwarding sequence of each network node included in the path. In this way, after receiving the SRv6 message, the other network nodes can forward the message according to the segment information carried in the SRv6 message.
- the SRv6 forwarding path may contain insecure network nodes or insecure links, resulting in poor security when forwarding SRv6 packets along the SRv6 forwarding path.
- the purpose of the embodiments of the present application is to provide a packet forwarding method and device, so as to improve the security of forwarding SRv6 packets.
- the specific technical scheme is as follows:
- the embodiment of the present application provides a message forwarding method, which is applied to a network node, and the method includes:
- if the function field of the target segment identifier (SID) includes a security authentication instruction, target parameters are obtained according to the operation indicated by the security authentication instruction, and security authentication processing is performed on the SRv6 message according to the target parameters, wherein the target SID is the SID corresponding to the network node in the segment list carried by the message header of the SRv6 message, and the target parameter is the parameter of the security authentication instruction recorded in the message header;
- the SRv6 message is generated by the source network node of the SRv6 message in the following manner:
- an original message is received; if it is determined that an insecure network node exists in the SRv6 forwarding path along which the original message is to be forwarded, the parameters of the security authentication instruction are obtained, wherein the security authentication instruction indicates that the insecure network node performs security authentication processing on the SRv6 message; and it is judged whether the data volume of the parameters of the security authentication instruction is greater than the maximum data volume of the parameter field of a SID;
- if yes, for the insecure network node, a SID is generated that includes the security authentication instruction in the function field and the first parameter in the parameter field, and the SRv6 message is generated based on the original message, wherein the extension field in the message header of the SRv6 message contains a second parameter, the security authentication instruction further indicates that the parameters of the security authentication instruction are stored in the parameter field and in the extension field of the message header, the first parameter is the part of the parameters of the security authentication instruction whose data volume is less than or equal to the maximum data volume, and the second parameter is the parameters of the security authentication instruction other than the first parameter;
- if not, for the insecure network node, a SID is generated that includes the security authentication instruction in the function field and the parameters of the security authentication instruction in the parameter field, and the SRv6 message is generated based on the original message, wherein the security authentication instruction further indicates that the parameters of the security authentication instruction are stored in the parameter field.
- acquiring the target parameters according to the operation indicated by the security authentication instruction includes: if the security authentication instruction indicates that its parameters are stored in the parameter field, obtaining the target parameters from the parameters contained in the parameter field of the target SID; if the security authentication instruction indicates that its parameters are stored in the parameter field and the extension field of the packet header, obtaining the target parameters from the parameters contained in the parameter field of the target SID and the parameters contained in the extension field of the packet header.
- the security authentication instruction may include an encapsulation instruction, which indicates that encapsulation processing is to be performed on the payload of the SRv6 message; in that case, performing security authentication processing on the SRv6 message according to the target parameter includes performing encapsulation processing on the payload of the SRv6 message according to the target parameter.
- the security authentication instruction may include a decapsulation instruction, which indicates that decapsulation processing is to be performed on the payload of the SRv6 message; in that case, performing security authentication processing on the SRv6 message according to the target parameter includes performing decapsulation processing on the payload of the SRv6 message according to the target parameter.
- the embodiment of the present application provides a message forwarding device, which is applied to a network node, and the device includes:
- a packet obtaining module, configured to obtain an SRv6 packet;
- a security processing module, configured to, if the function field of the target SID includes a security authentication instruction, obtain target parameters according to the operation indicated by the security authentication instruction and perform security authentication processing on the SRv6 packet according to the target parameters;
- a packet forwarding module, configured to forward the processed SRv6 packet to the next-hop device.
- the security processing module is specifically used for: if the function field of the target SID includes a security authentication instruction and the security authentication instruction indicates that its parameters are stored in the parameter field, obtaining the target parameter from the parameters contained in the parameter field of the target SID; if the function field of the target SID includes a security authentication instruction and the security authentication instruction indicates that its parameters are stored in the parameter field and the packet header extension field, obtaining the target parameter from the parameters contained in the parameter field of the target SID and the parameters contained in the extension field of the message header; and performing security authentication processing on the SRv6 packet according to the target parameter.
- the security authentication instruction may include an encapsulation instruction, which indicates that encapsulation processing is to be performed on the payload of the SRv6 message; the security processing module is then specifically used for: if the function field of the target SID includes a security authentication instruction, acquiring target parameters according to the operation indicated by the security authentication instruction, and performing encapsulation processing on the payload of the SRv6 message according to the target parameters.
- the security authentication instruction may include a decapsulation instruction, which indicates that decapsulation processing is to be performed on the payload of the SRv6 message; the security processing module is then specifically used for: if the function field of the target SID includes a security authentication instruction, acquiring target parameters according to the operation indicated by the security authentication instruction, and performing decapsulation processing on the payload of the SRv6 message according to the target parameters.
- an embodiment of the present application provides a network node, including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that can be executed by the processor, and the processor is prompted by the machine-executable instructions to implement any one of the method steps of the first aspect.
- an embodiment of the present application provides a machine-readable storage medium, which stores machine-executable instructions; when called and executed by a processor, the machine-executable instructions prompt the processor to implement any one of the method steps described in the first aspect.
- when the network node applies the solution provided by the embodiment of the present application to forward messages, after obtaining the SRv6 message, if the function field of the target SID corresponding to the network node includes a security authentication instruction, the node obtains the target parameter according to the operation indicated by the security authentication instruction, performs security authentication processing on the SRv6 message according to the target parameter, and then forwards the processed SRv6 message to the next-hop device in the SRv6 forwarding path.
- the network node does not forward the SRv6 message directly; it first performs, according to the target parameters, the security authentication processing indicated by the security authentication instruction, and only then forwards the processed SRv6 message. Because the network node has performed the security authentication processing indicated by the instruction on the SRv6 message, the security of the SRv6 message is improved; applying the solution provided by this embodiment, which forwards the SRv6 message only after security authentication processing, therefore improves the security of forwarding SRv6 packets.
- FIG. 1 is a schematic flowchart of a first message forwarding method provided in an embodiment of the present application
- FIG. 2 is a schematic diagram of an SRv6 forwarding path provided by an embodiment of the present application
- FIG. 3 is a schematic diagram of an SRv6 message after encapsulation processing provided by an embodiment of the present application
- FIG. 4 is a schematic diagram of a decapsulated SRv6 message provided by an embodiment of the present application.
- FIG. 5 is a schematic flowchart of a method for generating an SRv6 message provided in an embodiment of the present application
- FIG. 8 is a schematic structural diagram of a network node provided by an embodiment of the present application.
- the embodiments of this application provide a message forwarding method, device, network node and storage medium.
- a message forwarding method is provided, which is applied to a network node, and the above method includes:
- the above-mentioned network nodes may be routers, switches and the like.
- FIG. 2 is a schematic diagram of an SRv6 forwarding path provided by an embodiment of the present application.
- the SRv6 forwarding path shown in FIG. 2 is R1-R2-R3-R5-R6-R7.
- R1-R3 may be called a first path segment
- R3-R5 may be called a second path segment
- R5-R7 may be called a third path segment.
- the above-mentioned SRv6 message includes a message header and a payload
- the above-mentioned message header is SRH (Segment Identifier Header, segment routing message header).
- the packet header of the above SRv6 packet includes a segment list.
- the above segment list includes the SIDs corresponding to the network nodes other than the source network node in the SRv6 forwarding path, and the SIDs are arranged in the segment list in the reverse of the order in which their network nodes appear in the SRv6 forwarding path.
- the SID includes Locator (location field), Function (function field) and Arguments (parameter field).
- Locator is used to identify the position of the network node corresponding to the aforementioned SID in the SRv6 forwarding path.
- Locator includes Locator Block (location block field) and Locator Node (location node field).
- the above Function includes message processing instructions that the network node corresponding to the above SID needs to execute on the SRv6 message.
- the above Function may include one or more message processing instructions.
- the above-mentioned Arguments include parameters of the above-mentioned message processing instruction.
- the message header of the SRv6 message also includes other fields except the segment list, and the information contained in the other fields is the same as that in the prior art, which will not be repeated in this embodiment of the present application.
- the above-mentioned payload is a field in the above-mentioned SRv6 message except the message header, which includes the data transmitted by the SRv6 message.
- the above-mentioned message header further includes a number field for recording the number of the SID corresponding to the above-mentioned network node, and the above-mentioned number field can be represented by SL (Segments Left, remaining segment).
- the above-mentioned target SID is: the SID corresponding to the above-mentioned network node in the segment list carried in the message header of the above-mentioned SRv6 message.
- the above-mentioned target parameter is: the parameter of the above-mentioned security authentication instruction recorded in the above-mentioned packet header.
- the SID whose number is recorded in the number field in the segment list may be determined as the target SID.
- the above security authentication instruction may be an encapsulation instruction indicating to perform encapsulation processing on the payload of the SRv6 message, or may be a decapsulation instruction indicating to perform decapsulation processing on the payload of the SRv6 message.
- the above-mentioned security authentication instruction may be an instruction that instructs the network node to perform security authentication processing on the SRv6 message based on IPsec (Internet Protocol Security) and/or HMAC (Hash-based Message Authentication Code).
- IPsec: Internet Protocol Security, Internet network layer security protocol
- HMAC: Hash-based Message Authentication Code
- the above-mentioned AH (Authentication Header, an IPsec protocol) can provide functions such as data integrity checking, data source authentication and anti-replay attack protection for SRv6 messages.
- the above-mentioned ESP (Encapsulating Security Payload, an IPsec protocol) can provide functions such as data encryption, data source authentication, data integrity verification and anti-replay attack protection for SRv6 messages.
- an SA (Security Association) is used to build a one-way security relationship between the network nodes at both ends of the communication, and specifies information such as the algorithms and parameters required by IPsec.
- the SA can be established through the IKE (Internet Key Exchange, Internet Key Exchange) protocol.
- SAs can also be established in other ways.
- the above-mentioned AH or ESP can be used alone to perform security authentication processing on SRv6 packets, or AH and ESP can be used together to perform security authentication processing on SRv6 packets.
- the above-mentioned SRv6 message may be processed for security authentication through step B shown below, which will not be described in detail here.
- the network node does not directly forward the SRv6 message, but performs a security authentication instruction on the SRv6 message according to the target parameters After the security authentication processing, the SRv6 packets that have undergone security authentication processing are forwarded. Since the network node has performed the security authentication processing indicated by the security authentication instruction on the SRv6 message, the security of the SRv6 message can be improved. Therefore, the network node applies the solution provided by the embodiment of this application to forward the SRv6 message after the security authentication process , which can improve the security of forwarding SRv6 packets.
- network nodes other than the source network node in the SRv6 forwarding path may perform security authentication processing on the SRv6 message through the embodiment shown in FIG. 1 above. If the source network node determines that it is an insecure network node, it can directly perform security authentication processing on the payload of the original message, and then generate and send the above-mentioned SRv6 message.
- SA: Source Address
- DA: Destination Address (target address)
- after the encapsulation processing, this SRv6 message continues to be forwarded according to the SRv6 forwarding path, and the destination address recorded in it is the address of the network node R5.
- the above-mentioned decapsulation processing can be performed by the network node R5 shown in FIG. 2. Compared with the encapsulated SRv6 message shown in FIG. 3, the encapsulation is removed after the decapsulation processing. Moreover, according to the SRv6 forwarding path, the message forwarded by the network node R5 needs to be forwarded to the network node R7, so the DA recorded in the decapsulated SRv6 message is the address of the network node R7.
- FIG. 4 is a schematic diagram of an SRv6 packet obtained after decapsulation processing; the SRv6 packet actually obtained also includes other fields besides the fields shown in FIG. 4.
- the foregoing original message may include a payload and a message header of the original message.
- the above-mentioned original message may be a message sent by other devices, or may be a message generated by the above-mentioned source network node.
- the above-mentioned security authentication instruction indicates: the above-mentioned insecure network node performs security authentication processing on the SRv6 message.
- the above security authentication instruction may include an encapsulation instruction and a decapsulation instruction.
- the aforementioned insecure network node may be a preset network node.
- a network node with a large number of occurrences of data leakage may be determined as the above-mentioned insecure network node.
- the parameters of the above-mentioned security authentication instruction may be generated by the above-mentioned source network node after determining the above-mentioned insecure network node, may be issued by a centralized controller or control node to the above-mentioned source network node, or may be manually issued by the administrator to the above-mentioned source network node.
- performing security authentication processing on the SRv6 message may include two processes of encapsulating the SRv6 message and decapsulating the SRv6 message. Therefore, a pair of network nodes included in the SRv6 forwarding path need to respectively perform encapsulation processing and decapsulation processing on the SRv6 message, so insecure network nodes may appear in pairs in the above-mentioned SRv6 forwarding path.
- the network node that performs encapsulation processing on the SRv6 message is located before the network node that performs decapsulation processing on the SRv6 message.
- the total data volume of the above-mentioned SID preset in the SRv6 message is 128 bits
- the above-mentioned 128-bit data volume can be divided into Locator, Function, and Arguments in advance
- the maximum data volume of the above-mentioned parameter field is the data volume allocated to Arguments.
- if the data volume of the parameters of the security authentication instruction is greater than the maximum data volume of the parameter field of the SID, step S504 may be executed. If the data volume of the parameters of the security authentication instruction is less than or equal to the maximum data volume of the parameter field of the SID, the parameters of the security authentication instruction can be stored completely in the parameter field, and step S505 may be executed.
- S504 For the aforementioned insecure network node, generate the SID whose function field includes the aforementioned security authentication instruction and whose parameter field includes the first parameter, and generate the aforementioned SRv6 packet based on the aforementioned original packet.
- the extension field in the packet header of the SRv6 packet includes the second parameter.
- the above-mentioned security authentication instruction also indicates that: the parameters of the above-mentioned security authentication instruction are stored in the above-mentioned parameter field and the extension field in the above-mentioned message header.
- the above-mentioned first parameter is the part of the parameters of the above-mentioned security authentication instruction whose data volume is less than or equal to the above-mentioned maximum data volume.
- the above-mentioned second parameter is: a parameter other than the above-mentioned first parameter among the parameters of the above-mentioned security authentication instruction.
- if the data volume of the parameters of the above-mentioned security authentication instruction is greater than the maximum data volume, the parameters of the security authentication instruction cannot be stored completely in the parameter field; the first parameter, i.e. the part of those parameters whose data volume is less than or equal to the maximum data volume, can be stored in the parameter field of the SID.
- the second parameter, i.e. the parameters other than the first parameter that cannot be stored in the parameter field, is stored in the extension field in the message header.
- the above-mentioned first parameter may be any data among the parameters of the above-mentioned security authentication instruction whose data volume is less than or equal to the above-mentioned maximum data volume, or it may be the run of consecutive bytes, starting from the first byte of the parameters of the security authentication instruction, whose data volume is less than or equal to the above-mentioned maximum data volume.
- the second parameter stored in the above-mentioned extension field may be data in TLV (Type Length Value) format, wherein the above-mentioned extension field records the second parameter, the type of the parameter corresponding to the second parameter, the length of the second parameter and the identity of the second parameter.
- TLV: Type Length Value
- Table 1 shows a TLV format data group provided by the embodiment of the present application.
- the above-mentioned Type indicates the type of the parameter corresponding to the second parameter
- the above-mentioned Length indicates the length of the second parameter
- the above-mentioned identification indicates the identification of the second parameter.
- the generated SID may be inserted into the segment list in the header of the original message according to the position of the insecure network node in the SRv6 forwarding path to generate the SRv6 message.
- the order in which the SIDs are arranged in the segment list is opposite to the order in which the network nodes corresponding to the SIDs are arranged in the SRv6 forwarding path.
- the identifier of the above-mentioned encapsulation instruction may be END.SE, so that the instruction identified as END.SE is used to instruct the network node to perform encapsulation processing on the SRv6 message.
- the above-mentioned decapsulation instruction may have an identifier of END.SD, so that the instruction with the identifier END.SD is used to instruct the network node to decapsulate the SRv6 message.
- step S505 is similar to the above-mentioned step S504, which will not be repeated in this embodiment of the present application.
- if the function field of the target SID includes a security authentication instruction, and the above-mentioned security authentication instruction indicates that its parameters are stored in the above-mentioned parameter field, the target parameters can be obtained from the parameter field of the target SID, and security authentication processing is performed on the above SRv6 message according to the target parameters.
- S102B If the function field of the target SID includes a security authentication instruction, and the above-mentioned security authentication instruction indicates that the parameters of the above-mentioned security authentication instruction are stored in the above-mentioned parameter field and the header extension field, then the target parameter is obtained from the parameters contained in the parameter field of the above-mentioned target SID and the parameters included in the extension field of the above message header, and security authentication processing is performed on the above SRv6 message according to the above target parameter.
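The following is an added example, not code from the patent or its applicant: a runnable model of the source-node SID generation rule (S504/S505, parameters split between the Arguments field and an SRH TLV) and the transit-node retrieval step (S102B) above, applied along the FIG. 2 path with R3 encapsulating and R5 decapsulating. The 4-byte Arguments capacity, the TLV type value, the parameter layout (SPI, sequence number, nonce), the local SA table and the use of HMAC-SHA256 in place of IPsec AH/ESP are all assumptions made for the illustration; only the END.SE/END.SD identifiers come from the page.

```python
"""Added example, not the patent's code: the SID generation rule (S503-S505),
the transit-node parameter retrieval (S102A/S102B) and an HMAC-SHA256 stand-in
for encapsulation/decapsulation (the patent allows IPsec and/or HMAC).
Assumed, not fixed by the patent: Arguments = 4 bytes of the 128-bit SID;
END.SE / END.SD as function identifiers; parameters = SPI || seq || nonce
(4 + 4 + 16 bytes); the HMAC key is looked up locally by SPI, never carried."""
import hashlib
import hmac
from dataclasses import dataclass, field

ARGS_MAX_BYTES = 4           # assumed Arguments capacity
TLV_TYPE_SEC_PARAM = 0x7E    # constructed TLV type for the second parameter
TAG_LEN, PARAM_LEN = 32, 24  # HMAC-SHA256 tag; SPI(4) + seq(4) + nonce(16)

@dataclass
class SID:
    locator: bytes           # 8 bytes (assumed); also used as the TLV identity
    function: str            # "END", "END.SE" or "END.SD"
    arguments: bytes = b""   # at most ARGS_MAX_BYTES
    in_tlv: bool = False     # instruction says: remainder is in an SRH TLV

@dataclass
class SRv6Packet:
    segment_list: list       # SIDs in reverse path order
    segments_left: int       # index of the target SID
    tlvs: list = field(default_factory=list)  # (type, length, identity, value)
    payload: bytes = b""

def build_sid(locator, function, params):
    """S503-S505: if the parameters fit, store them all in Arguments (S505);
    else Arguments takes the leading bytes and a TLV the remainder (S504)."""
    if len(params) <= ARGS_MAX_BYTES:
        return SID(locator, function, params), None
    first, second = params[:ARGS_MAX_BYTES], params[ARGS_MAX_BYTES:]
    return SID(locator, function, first, True), (TLV_TYPE_SEC_PARAM, len(second), locator, second)

def target_parameters(pkt):
    """S102A/S102B: the SID indexed by Segments Left is the target SID; rebuild
    its parameters from Arguments plus, if indicated, the matching SRH TLV."""
    sid = pkt.segment_list[pkt.segments_left]
    if sid.function not in ("END.SE", "END.SD"):
        return sid, None
    params = sid.arguments
    if sid.in_tlv:
        found = [v for t, n, ident, v in pkt.tlvs
                 if t == TLV_TYPE_SEC_PARAM and ident == sid.locator and n == len(v)]
        if not found:
            raise ValueError("second parameter missing or malformed in SRH")
        params += found[0]
    return sid, params

# Constructed SA state: SPI -> key, and the highest sequence number seen per SPI.
SA_TABLE = {0x0001A2B3: hashlib.sha256(b"constructed demo key").digest()}
LAST_SEQ = {}

def split_params(params):
    if len(params) != PARAM_LEN:
        raise ValueError("unexpected parameter length")
    return int.from_bytes(params[:4], "big"), int.from_bytes(params[4:8], "big"), params[8:]

def auth_tag(key, seq, nonce, body):
    return hmac.new(key, nonce + seq.to_bytes(4, "big") + body, hashlib.sha256).digest()

def encapsulate(pkt, params):
    """END.SE: append an authentication tag computed over the payload."""
    spi, seq, nonce = split_params(params)
    pkt.payload += auth_tag(SA_TABLE[spi], seq, nonce, pkt.payload)

def decapsulate(pkt, params):
    """END.SD: check SPI, replay and tag, then strip the tag."""
    spi, seq, nonce = split_params(params)
    key = SA_TABLE.get(spi)
    if key is None or len(pkt.payload) < TAG_LEN:
        raise ValueError("unknown SPI or truncated payload")
    if seq <= LAST_SEQ.get(spi, 0):
        raise ValueError("replayed sequence number")
    body, tag = pkt.payload[:-TAG_LEN], pkt.payload[-TAG_LEN:]
    if not hmac.compare_digest(tag, auth_tag(key, seq, nonce, body)):
        raise ValueError("payload authentication failed")
    LAST_SEQ[spi] = seq
    pkt.payload = body

def process_at_node(pkt):
    """FIG. 1 at one node: act on the target SID's function, then move on."""
    sid, params = target_parameters(pkt)
    if sid.function == "END.SE":
        encapsulate(pkt, params)
    elif sid.function == "END.SD":
        decapsulate(pkt, params)
    pkt.segments_left -= 1

def run_path(seq, payload=b"constructed payload"):
    """R1 builds the packet for path R1-R2-R3-R5-R6-R7 (FIG. 2) with R3 as
    END.SE and R5 as END.SD; returns the payload R7 receives."""
    params = (0x0001A2B3).to_bytes(4, "big") + seq.to_bytes(4, "big") + b"\x5a" * 16
    r3, tlv_r3 = build_sid(b"\x30" * 8, "END.SE", params)
    r5, tlv_r5 = build_sid(b"\x50" * 8, "END.SD", params)
    seg_list = [SID(b"\x70" * 8, "END"), SID(b"\x60" * 8, "END"), r5, r3, SID(b"\x20" * 8, "END")]
    pkt = SRv6Packet(seg_list, len(seg_list) - 1, [tlv_r3, tlv_r5], payload)
    while pkt.segments_left >= 0:      # R2, R3, R5, R6, R7 process in turn
        process_at_node(pkt)
    return pkt.payload
```

Calling `run_path(1)` returns the original payload; repeating the same sequence number, or altering the payload between R3 and R5, makes the END.SD node raise instead of forwarding.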
- FIG. 7 is a schematic structural diagram of a message forwarding device provided in an embodiment of the present application, which is applied to a network node.
- the above device includes:
- the above-mentioned security processing module 702 is specifically used for:
- the parameters of the security authentication instruction corresponding to the above-mentioned network nodes can be completely stored in the parameter field, or partly stored in the above-mentioned parameter field, and the other part is stored in the extension field contained in the message header of the SRv6 message.
- the storage location of the above parameters may be determined from the indication given by the security authentication instruction, and the target parameter may be acquired from the storage location indicated by the security authentication instruction, so that the security authentication processing of the SRv6 message is performed based on the complete target parameter.
- the security authentication instruction includes: an encapsulation instruction, and the encapsulation instruction indicates to perform encapsulation processing on the payload of the SRv6 message;
- the security authentication instruction includes: a decapsulation instruction, and the decapsulation instruction indicates to perform decapsulation processing on the payload of the SRv6 message;
- the security processing module 702 is specifically used for:
- the embodiment of the present application also provides a network node, as shown in FIG. 8 , including a processor 801 and a machine-readable storage medium 802.
- the machine-readable storage medium 802 stores machine-executable instructions, and the processor 801 is prompted by the machine-executable instructions to implement the method steps described in any one of the above packet forwarding methods.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Claims (12)
- A packet forwarding method, characterized in that it is applied to a network node, the method comprising: obtaining an SRv6 packet; if the function field of a target segment identifier (SID) includes a security authentication instruction, acquiring a target parameter according to the operation indicated by the security authentication instruction, and performing security authentication processing on the SRv6 packet according to the target parameter, wherein the target SID is: the SID corresponding to the network node in the segment list carried in the packet header of the SRv6 packet, and the target parameter is: the parameter of the security authentication instruction recorded in the packet header; and forwarding the processed SRv6 packet to a next-hop device.
- The method according to claim 1, characterized in that the SRv6 packet is generated by the source network node of the SRv6 packet in the following manner: receiving an original packet; if it is determined that an unsafe network node exists on the SRv6 forwarding path over which the original packet needs to be forwarded, obtaining the parameter of a security authentication instruction, wherein the security authentication instruction instructs the unsafe network node to perform security authentication processing on the SRv6 packet; judging whether the data size of the parameter of the security authentication instruction is greater than the maximum data size of the parameter field of a SID; if so, generating, for the unsafe network node, a SID whose function field contains the security authentication instruction and whose parameter field contains a first parameter, and generating the SRv6 packet based on the original packet, wherein the extension field in the packet header of the SRv6 packet contains a second parameter, the security authentication instruction further indicates that the parameter of the security authentication instruction is stored in the parameter field and in the extension field of the packet header, the first parameter is: the portion of the parameter of the security authentication instruction whose data size is less than or equal to the maximum data size, and the second parameter is: the portion of the parameter of the security authentication instruction other than the first parameter; if not, generating, for the unsafe network node, a SID whose function field contains the security authentication instruction and whose parameter field contains the parameter of the security authentication instruction, and generating the SRv6 packet based on the original packet, wherein the security authentication instruction further indicates that the parameter of the security authentication instruction is stored in the parameter field.
- The method according to claim 2, characterized in that acquiring the target parameter according to the operation indicated by the security authentication instruction comprises: if the security authentication instruction indicates that the parameter of the security authentication instruction is stored in the parameter field, acquiring the target parameter from the parameters contained in the parameter field of the target SID; if the security authentication instruction indicates that the parameter of the security authentication instruction is stored in the parameter field and in the packet header extension field, acquiring the target parameter from the parameters contained in the parameter field of the target SID and the parameters contained in the extension field of the packet header.
- The method according to any one of claims 1-3, characterized in that the security authentication instruction comprises: an encapsulation instruction, the encapsulation instruction instructing encapsulation processing of the payload of the SRv6 packet; and performing security authentication processing on the SRv6 packet according to the target parameter comprises: performing encapsulation processing on the payload of the SRv6 packet according to the target parameter.
- The method according to any one of claims 1-3, characterized in that the security authentication instruction comprises: a decapsulation instruction, the decapsulation instruction instructing decapsulation processing of the payload of the SRv6 packet; and performing security authentication processing on the SRv6 packet according to the target parameter comprises: performing decapsulation processing on the payload of the SRv6 packet according to the target parameter.
- A packet forwarding apparatus, characterized in that it is applied to a network node, the apparatus comprising: a packet obtaining module, configured to obtain an SRv6 packet; a security processing module, configured to, if the function field of a target SID includes a security authentication instruction, acquire a target parameter according to the operation indicated by the security authentication instruction and perform security authentication processing on the SRv6 packet according to the target parameter, wherein the target SID is: the SID corresponding to the network node in the segment list carried in the packet header of the SRv6 packet, and the target parameter is: the parameter of the security authentication instruction recorded in the packet header; and a packet forwarding module, configured to forward the processed SRv6 packet to a next-hop device.
- The apparatus according to claim 6, characterized in that the SRv6 packet is generated by the source network node of the SRv6 packet in the following manner: receiving an original packet; if it is determined that an unsafe network node exists on the SRv6 forwarding path over which the original packet needs to be forwarded, obtaining the parameter of a security authentication instruction, wherein the security authentication instruction instructs the unsafe network node to perform security authentication processing on the SRv6 packet; judging whether the data size of the parameter of the security authentication instruction is greater than the maximum data size of the parameter field of a SID; if so, generating, for the unsafe network node, a SID whose function field contains the security authentication instruction and whose parameter field contains a first parameter, and generating the SRv6 packet based on the original packet, wherein the extension field in the packet header of the SRv6 packet contains a second parameter, the security authentication instruction further indicates that the parameter of the security authentication instruction is stored in the parameter field and in the extension field of the packet header, the first parameter is: the portion of the parameter of the security authentication instruction whose data size is less than or equal to the maximum data size, and the second parameter is: the portion of the parameter of the security authentication instruction other than the first parameter; if not, generating, for the unsafe network node, a SID whose function field contains the security authentication instruction and whose parameter field contains the parameter of the security authentication instruction, and generating the SRv6 packet based on the original packet, wherein the security authentication instruction further indicates that the parameter of the security authentication instruction is stored in the parameter field.
- The apparatus according to claim 7, characterized in that the security processing module is specifically configured to: if the function field of the target SID includes a security authentication instruction and the security authentication instruction indicates that the parameter of the security authentication instruction is stored in the parameter field, acquire the target parameter from the parameters contained in the parameter field of the target SID; if the function field of the target SID includes a security authentication instruction and the security authentication instruction indicates that the parameter of the security authentication instruction is stored in the parameter field and in the packet header extension field, acquire the target parameter from the parameters contained in the parameter field of the target SID and the parameters contained in the extension field of the packet header; and perform security authentication processing on the SRv6 packet according to the target parameter.
- The apparatus according to any one of claims 6-8, characterized in that the security authentication instruction comprises: an encapsulation instruction, the encapsulation instruction instructing encapsulation processing of the payload of the SRv6 packet; and the security processing module is specifically configured to: if the function field of the target SID includes a security authentication instruction, acquire the target parameter according to the operation indicated by the security authentication instruction; and perform encapsulation processing on the payload of the SRv6 packet according to the target parameter.
- The apparatus according to any one of claims 6-8, characterized in that the security authentication instruction comprises: a decapsulation instruction, the decapsulation instruction instructing decapsulation processing of the payload of the SRv6 packet; and the security processing module is specifically configured to: if the function field of the target SID includes a security authentication instruction, acquire the target parameter according to the operation indicated by the security authentication instruction; and perform decapsulation processing on the payload of the SRv6 packet according to the target parameter.
- A network node, characterized in that it comprises: a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being prompted by the machine-executable instructions to: implement the method steps of any one of claims 1-5.
- A machine-readable storage medium, characterized in that it stores machine-executable instructions which, when invoked and executed by a processor, prompt the processor to: implement the method steps of any one of claims 1-5.
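As an added illustration of claims 1 to 5 (example code, not from the patent), the following Python model shows the source node splitting a parameter that exceeds the SID args field between that field and a header extension field, and the target node recovering it by following the instruction in the SID function field before encapsulating or decapsulating the payload. The SID layout (16-bit function, 48-bit args), the function codes, the length byte placed in the args field, and HMAC-SHA256 standing in for the unspecified encapsulation scheme are all assumptions of this example.

```python
import hashlib, hmac
FUNC_BITS, ARGS_BITS = 16, 48   # assumed SID layout; RFC 8986 leaves the split to the operator
ARGS_BYTES = ARGS_BITS // 8     # 6 bytes: the "maximum data size" of the SID args field
FUNC_AUTH = 0xFA00              # hypothetical code family for the security authentication instruction
F_EXT, F_DECAP = 0x1, 0x2       # flags: params also in header ext field / decapsulate instead
FIRST_MAX = ARGS_BYTES - 1      # assumption: args[0] carries the total parameter length

def make_sid(locator, func, args=b""):      # 128-bit SID = locator | func | zero-padded args
    args_int = int.from_bytes(args.ljust(ARGS_BYTES, b"\x00"), "big")
    return (locator << (FUNC_BITS + ARGS_BITS)) | (func << ARGS_BITS) | args_int

def split_sid(sid):                         # inverse of make_sid -> (locator, func, args)
    args = (sid & ((1 << ARGS_BITS) - 1)).to_bytes(ARGS_BYTES, "big")
    return sid >> (FUNC_BITS + ARGS_BITS), (sid >> ARGS_BITS) & 0xFFFF, args

def build_packet(path, unsafe, params, payload, decap=False):
    """Source node (claim 2): unsafe node's SID gets the instruction; overflow params go to the ext field."""
    first, second = params[:FIRST_MAX], params[FIRST_MAX:]
    func = FUNC_AUTH | (F_EXT if second else 0) | (F_DECAP if decap else 0)
    sids = [make_sid(loc, func, bytes([len(params)]) + first) if loc == unsafe
            else make_sid(loc, 0) for loc in path]          # 0: plain SID, no instruction
    return {"segment_list": sids, "ext": second, "payload": payload}

def target_params(pkt, my_locator):
    """Node (claims 1, 3): find own SID; read params from args field (plus ext field when flagged)."""
    for sid in pkt["segment_list"]:
        loc, func, args = split_sid(sid)
        if loc != my_locator or func & ~0x3 != FUNC_AUTH:
            continue
        total, params = args[0], args[1:1 + min(args[0], FIRST_MAX)]
        if func & F_EXT:
            params += pkt["ext"]
        if len(params) != total:
            raise ValueError("param length mismatch: header truncated or tampered")
        return func, params

def process(pkt, my_locator):
    """Claims 4/5: encapsulate (append MAC) or decapsulate (verify, strip) the payload."""
    func, key = target_params(pkt, my_locator) or (0, None)
    if key is None:
        return pkt                                  # no instruction for this node: forward as-is
    mac = lambda b: hmac.new(key, b, hashlib.sha256).digest()   # assumed scheme, keyed by params
    body = pkt["payload"]
    if not func & F_DECAP:
        pkt["payload"] = body + mac(body)
    elif hmac.compare_digest(body[-32:], mac(body[:-32])):
        pkt["payload"] = body[:-32]
    else:
        raise ValueError("payload authentication failed")
    return pkt
```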
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202180001694.9A CN113615134A (zh) | 2021-06-29 | 2021-06-29 | Packet forwarding method, apparatus, network node and storage medium |
EP21944452.8A EP4152728A4 (en) | 2021-06-29 | 2021-06-29 | PACKET FORWARDING METHOD AND APPARATUS, NETWORK NODE AND STORAGE MEDIUM |
JP2022578739A JP2023535277A (ja) | 2021-06-29 | 2021-06-29 | Packet transfer method, apparatus, network node and storage medium |
PCT/CN2021/103176 WO2023272498A1 (zh) | 2021-06-29 | 2021-06-29 | Packet forwarding method, apparatus, network node and storage medium |
US18/001,943 US20240106740A1 (en) | 2021-06-29 | 2021-06-29 | Method and apparatus for packet forwarding, network node and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2021/103176 WO2023272498A1 (zh) | 2021-06-29 | 2021-06-29 | Packet forwarding method, apparatus, network node and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023272498A1 true WO2023272498A1 (zh) | 2023-01-05 |
Family
ID=78310957
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/103176 WO2023272498A1 (zh) | Packet forwarding method, apparatus, network node and storage medium | 2021-06-29 | 2021-06-29 |
Country Status (5)
Country | Link |
---|---|
US (1) | US20240106740A1 (zh) |
EP (1) | EP4152728A4 (zh) |
JP (1) | JP2023535277A (zh) |
CN (1) | CN113615134A (zh) |
WO (1) | WO2023272498A1 (zh) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109688057A (zh) * | 2018-12-13 | 2019-04-26 | UTStarcom Communications Co., Ltd. | Packet forwarding method and apparatus for an IPv6-based segment routing network |
CN111181852A (zh) * | 2019-12-30 | 2020-05-19 | Tsinghua University | Sending method, receiving method and apparatus therefor |
CN111510387A (zh) * | 2019-01-30 | 2020-08-07 | Huawei Technologies Co., Ltd. | Data forwarding method and related apparatus |
US20200389391A1 (en) * | 2019-01-30 | 2020-12-10 | Huawei Technologies Co., Ltd. | Packet processing method and apparatus |
WO2021021172A1 (en) * | 2019-07-31 | 2021-02-04 | Huawei Technologies Co., Ltd. | Transporting mtnc-id over srv6-header for 5g transport |
CN112532575A (zh) * | 2020-10-13 | 2021-03-19 | Shanghai Jinchen Network Technology Co., Ltd. | System and method for security and network convergence based on Segment Routing |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11019075B2 (en) * | 2018-06-26 | 2021-05-25 | Cisco Technology, Inc. | Providing processing and network efficiencies in protecting internet protocol version 6 segment routing packets and functions using security segment identifiers |
Events
2021
- 2021-06-29 WO PCT/CN2021/103176 patent/WO2023272498A1/zh active Application Filing
- 2021-06-29 US US18/001,943 patent/US20240106740A1/en active Pending
- 2021-06-29 JP JP2022578739A patent/JP2023535277A/ja active Pending
- 2021-06-29 EP EP21944452.8A patent/EP4152728A4/en active Pending
- 2021-06-29 CN CN202180001694.9A patent/CN113615134A/zh active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109688057A (zh) * | 2018-12-13 | 2019-04-26 | UTStarcom Communications Co., Ltd. | Packet forwarding method and apparatus for an IPv6-based segment routing network |
CN111510387A (zh) * | 2019-01-30 | 2020-08-07 | Huawei Technologies Co., Ltd. | Data forwarding method and related apparatus |
US20200389391A1 (en) * | 2019-01-30 | 2020-12-10 | Huawei Technologies Co., Ltd. | Packet processing method and apparatus |
WO2021021172A1 (en) * | 2019-07-31 | 2021-02-04 | Huawei Technologies Co., Ltd. | Transporting mtnc-id over srv6-header for 5g transport |
CN111181852A (zh) * | 2019-12-30 | 2020-05-19 | Tsinghua University | Sending method, receiving method and apparatus therefor |
CN112532575A (zh) * | 2020-10-13 | 2021-03-19 | Shanghai Jinchen Network Technology Co., Ltd. | System and method for security and network convergence based on Segment Routing |
Non-Patent Citations (2)
Title |
---|
FILSFILS C, ED, LEDDY HUAWEI J, MATSUSHIMA INDIVIDUAL S, VOYER SOFTBANK D, CANADA ED BELL: "Network Working Group IPv6 Segment Routing Header (SRH) draft-ietf-6man-segment-routing-header-15", DRAFT-IETF-6MAN-SEGMENT-ROUTING-HEADER-15, 22 October 2018 (2018-10-22), XP093018528, [retrieved on 20230127] * |
See also references of EP4152728A4 * |
Also Published As
Publication number | Publication date |
---|---|
US20240106740A1 (en) | 2024-03-28 |
JP2023535277A (ja) | 2023-08-17 |
EP4152728A8 (en) | 2023-06-28 |
CN113615134A (zh) | 2021-11-05 |
EP4152728A4 (en) | 2023-08-30 |
EP4152728A1 (en) | 2023-03-22 |
Similar Documents
Publication | Title |
---|---|
US10757138B2 (en) | Systems and methods for storing a security parameter index in an options field of an encapsulation header |
US10404588B2 (en) | Path maximum transmission unit handling for virtual private networks |
TWI499342B (zh) | Network offloading method and system |
CN110650076B (zh) | VXLAN implementation method, network device and communication system |
WO2020063528A1 (zh) | Communication method, apparatus and system between virtual machines in a data center |
US10044841B2 (en) | Methods and systems for creating protocol header for embedded layer two packets |
JP2005287034A (ja) | Internet protocol tunneling using templates |
CN109412927B (zh) | Multi-VPN data transmission method, apparatus and network device |
US11418951B2 (en) | Method for identifying encrypted data stream, device, storage medium and system |
US9473466B2 (en) | System and method for internet protocol security processing |
US11102115B2 (en) | Forwarding packet |
CN107547343B (zh) | Packet operation control method and apparatus |
US20180176230A1 (en) | Data packet transmission method, apparatus, and system, and node device |
CN108989342B (zh) | Data transmission method and apparatus |
WO2023272498A1 (zh) | Packet forwarding method, apparatus, network node and storage medium |
WO2023030160A1 (zh) | Method for sending a packet, network device, storage medium and program product |
WO2022166979A1 (zh) | Packet processing method, client device, server device and computer-readable medium |
US10917502B2 (en) | Method for using metadata in internet protocol packets |
CN115941227A (zh) | Method for sending a packet, network device, storage medium and program product |
US20100275008A1 (en) | Method and apparatus for secure packet transmission |
US11610011B2 (en) | Secure transfer of data between programs executing on the same end-user device |
CN113839946B (zh) | Anomaly detection method and apparatus for IPSec transmission, and readable storage medium |
WO2023179174A1 (zh) | Packet transmission method and related device |
US20210092103A1 (en) | In-line encryption of network data |
CN114465755A (zh) | Detection method, apparatus and storage medium based on IPSec transmission anomaly |
Legal Events
Code | Title | Description |
---|---|---|
WWE | WIPO information: entry into national phase | Ref document number: 18001943; Country of ref document: US |
ENP | Entry into the national phase | Ref document number: 2022578739; Country of ref document: JP; Kind code of ref document: A |
ENP | Entry into the national phase | Ref document number: 2021944452; Country of ref document: EP; Effective date: 20221216 |
121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 21944452; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |