WO2024094082A1 - Information transmission method and apparatus, node, and storage medium - Google Patents


Info

Publication number
WO2024094082A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
link
information
security capability
nlri
Application number
PCT/CN2023/129156
Other languages
French (fr)
Chinese (zh)
Inventor
陈美玲
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H04W 40/00 Communication routing or communication path finding
    • H04W 40/02 Communication route or path selection, e.g. power-based or shortest path routing
    • H04W 8/00 Network data management
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/08 Mobility data transfer
    • H04W 8/14 Mobility data transfer between corresponding nodes

Definitions

  • the present disclosure relates to the field of communication technology, and in particular to an information transmission method, device, node and storage medium.
  • SRv6: IPv6 Segment Routing
  • Embodiments of the present disclosure provide an information transmission method, device, node, and storage medium.
  • an embodiment of the present disclosure provides an information transmission method, the method comprising:
  • a first node sends first network layer reachability information (NLRI) to a second node, where the first NLRI includes at least first information and/or second information, where the first information indicates a security capability of the first node, and the second information indicates a link-associated security capability of a link between the first node and the second node.
  • NLRI: network layer reachability information
  • the first NLRI is a link NLRI or a type 2 NLRI.
  • the first NLRI includes a remote node descriptor field
  • the remote node descriptor field includes a first attribute
  • the first attribute is used to represent the security capability of the first node
  • the remote node descriptor field includes at least the first information
  • the first NLRI includes a local node descriptor field
  • the local node descriptor field includes a second attribute
  • the second attribute is used to represent the security capability of the first node
  • the local node descriptor field includes at least the first information
  • the first NLRI includes a link descriptor field
  • the link descriptor field includes a third attribute
  • the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node
  • the link descriptor field includes at least the second information
  • the method further includes: the first node receiving a second NLRI sent by the second node, the second NLRI including at least third information, and the third information represents the security capability of the second node.
  • the method further includes: the first node determining the second information based at least on the security capability of the first node and the security capability of the second node.
  • the first node determining the second information based at least on the security capability of the first node and the security capability of the second node includes:
  • when the first node and the second node are in different security domains, the first node performs a logical AND operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node; or
  • when the first node and the second node are in the same security domain, the first node performs a logical OR operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node.
  • an embodiment of the present disclosure further provides an information transmission method, the method comprising:
  • the second node receives a first NLRI sent by the first node, where the first NLRI includes at least first information and/or second information, where the first information indicates a security capability of the first node, and the second information indicates a link-associated security capability of a link between the first node and the second node.
  • the first NLRI is a Link NLRI or a Type 2 NLRI.
  • the first NLRI includes a remote node descriptor field
  • the remote node descriptor field includes a first attribute
  • the first attribute is used to represent the security capability of the first node
  • the remote node descriptor field includes at least the first information
  • the first NLRI includes a local node descriptor field
  • the local node descriptor field includes a second attribute
  • the second attribute is used to represent the security capability of the first node
  • the local node descriptor field includes at least the first information
  • the first NLRI includes a link descriptor field
  • the link descriptor field includes a third attribute
  • the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node
  • the link descriptor field includes at least the second information
  • the method further includes: the second node determining, based at least on the security capability of the second node and the security capability of the first node, a link-associated security capability of a link between the second node and the first node.
  • when the second node is connected to the control node, the method further includes:
  • the second node sends the fourth information and/or the fifth information to the control node
  • the fourth information represents the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node
  • the fifth information represents the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node
  • the fourth information and/or the fifth information are used by the control node to determine the path information.
  • the second node determines, based at least on the security capability of the second node and the security capability of the first node, a link-associated security capability of a link between the second node and the first node, including:
  • when the first node and the second node are two nodes in different security domains, the second node performs a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or
  • when the first node and the second node are two nodes in the same security domain, the second node performs a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
  • the method further includes: the second node sending a second NLRI to the first node, the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  • an embodiment of the present disclosure further provides an information transmission device, which is applied to a first node, and the device includes: a first communication unit, configured to send a first NLRI to a second node, wherein the first NLRI includes at least the first information and/or the second information, the first information represents the security capability of the first node, and the second information represents the link-associated security capability of the link between the first node and the second node.
  • an embodiment of the present disclosure further provides an information transmission device, which is applied to a second node, and the device includes: a second communication unit, configured to receive a first NLRI sent by a first node, wherein the first NLRI includes at least first information and/or second information, the first information represents the security capability of the first node, and the second information represents the link-associated security capability of the link between the first node and the second node.
  • an embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored, and when the program is executed by a processor, the steps of the method described in the first aspect or the second aspect of the embodiment of the present disclosure are implemented.
  • an embodiment of the present disclosure further provides a node, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, the steps of the method described in the first aspect or the second aspect of the embodiment of the present disclosure are implemented.
  • the information transmission method, device, node and storage medium provided by the embodiment of the present disclosure include: a first node sends a first NLRI to a second node, the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  • by adopting the technical solution of the embodiment of the present disclosure, the relevant security capability information is carried in the routing protocol, so that the controller can subsequently decide the routing path according to that information, thereby meeting the security requirements of users during link forwarding.
  • FIG1 is a schematic diagram of a system architecture of an information transmission method according to an embodiment of the present disclosure
  • FIG2 is a schematic diagram of a flow chart of an information transmission method according to an embodiment of the present disclosure
  • FIG3 is a schematic diagram of the NLRI format
  • FIG4 is a schematic diagram of the format of a field in NLRI
  • FIG5 is a second flow chart of the information transmission method according to an embodiment of the present disclosure.
  • FIG6 is a schematic diagram of a path sending process in the information transmission method according to an embodiment of the present disclosure.
  • FIG7 is a schematic diagram of the first structure of the information transmission device according to an embodiment of the present disclosure.
  • FIG8 is a second schematic diagram of the structure of the information transmission device according to an embodiment of the present disclosure.
  • FIG9 is a schematic diagram of the hardware structure of a node according to an embodiment of the present disclosure.
  • GSM: Global System for Mobile communication
  • LTE: Long Term Evolution
  • 5G system: 5G network
  • NR: New Radio
  • the communication system applied in the embodiments of the present disclosure may include a network device and a terminal device (also referred to as a terminal, a communication terminal, etc.); the network device may be a device that communicates with the terminal device. The network device can provide communication coverage within a certain area and can communicate with terminals located in that area.
  • the network device can be a base station in each communication system, such as an evolved base station (eNB, Evolutional Node B) in an LTE system, or a base station (gNB) in a 5G system or an NR system.
  • eNB: evolved base station
  • gNB: base station
  • the communication device may include a network device and a terminal with communication function, and the network device and the terminal device may be the specific devices described above, which will not be repeated here; the communication device may also include other devices in the communication system, such as a network controller, a mobile management entity and other network entities, which are not limited in the embodiments of the present disclosure.
  • BGP-LS: Border Gateway Protocol Link State
  • the node route records the node information of the topology
  • the link route records the link information between two devices (or nodes)
  • the address prefix route records the network segment information reachable by the node.
  • the NLRI collected through BGP-LS is described in the type/length/value triplet (TLV) format.
  • TLV: type/length/value triplet
  • Each link state described by the NLRI can identify a node, link, or prefix. Therefore, corresponding to the above three types of BGP-LS routes, three types of NLRI are set, as shown in Table 1 below, where type 3 and type 4 are used to distinguish IPv4 and IPv6 prefixes.
  • the embodiments of the present disclosure mainly involve the transmission of information related to security capabilities between nodes, such as the local node obtaining information related to the security capabilities of the peer node, or the local node sending information related to its own security capabilities to the peer node, specifically transmitting information related to security capabilities through a routing protocol.
  • the nodes in the embodiments of the present disclosure can be independent nodes, or can be as shown in FIG1, including a node R and a security product (security products) mounted thereon as a basic unit.
  • the node can be a router
  • the security product can be any product with network security functions such as a security component, a firewall, etc., which is not limited in the present embodiment.
  • some nodes are directly connected to the controller (these nodes are referred to as directly connected nodes), so they can transmit node information to the controller directly through the BGP-LS protocol; other nodes are not directly connected to the controller (these nodes are referred to as non-directly connected nodes), so their node information needs to be passed to a directly connected node to reach the controller. Therefore, for non-directly connected nodes, the node-related information needs to be reported through the BGP-LS protocol.
  • FIG2 is a flow chart of the information transmission method of the present disclosure embodiment; as shown in FIG2 , the method includes:
  • Step 101 A first node sends a first NLRI to a second node, where the first NLRI includes at least first information and/or second information, where the first information indicates a security capability of the first node, and the second information indicates a link-associated security capability of a link between the first node and the second node.
  • the nodes transmit the related information indicating the security capability of the nodes through the BGP-LS protocol.
  • the NLRI is included in the BGP routing update message.
  • the first information indicates the security capability of the first node, and the first information may also be referred to as the security capability information of the first node.
  • the second information indicates the link-associated security capability of the link between the first node and the second node, and it can be considered that the second information indicates the security capability of the link between the first node and the second node, the security capability of the first node and/or the second node associated with the link, and the like.
  • FIG3 is a schematic diagram of the NLRI format, specifically a schematic diagram of the Link NLRI format; as shown in FIG3, it includes a protocol ID field (Protocol-ID), a 64-bit identifier (Identifier) field, a variable length (variable) local node descriptor field (Local Node Descriptors), a variable length (variable) remote node descriptor field (Remote Node Descriptors) and a variable length (variable) link descriptor (Link Descriptors) field.
  • Protocol-ID: protocol ID field
  • Identifier: 64-bit identifier
  • the Protocol-ID field identifies the type of protocol, as shown in Table 2.
  • the Identifier field identifies the reachable routing scope of the network to which it belongs. NLRI objects (nodes, links, or prefixes) from the same routing scope must have the same "identifier" value.
  • the Local Node Descriptors field contains the node descriptor of the local end of the anchor link. It is mandatory and of variable length. Its format is shown in Figure 4. The attributes of the Local Node Descriptors field are shown in Table 3.
  • the Node Descriptor Sub-TLVs of the local node descriptor domain records the Node Descriptor Sub-TLV type code point and length, as shown in Table 4 below.
  • the Remote Node Descriptors field contains the node descriptor of the remote end node of the anchor link, and has a variable length.
  • the format of the Remote Node Descriptors field is similar to the format of the Local Node Descriptors field, as shown in Figure 4, and the description of the Local Node Descriptors field applies to it.
  • the Link Descriptors field uniquely identifies one link among multiple parallel links between a pair of anchor routers. Examples of its attributes are shown in Table 5.
  • a new attribute is added to a specified field in the NLRI, thereby realizing the transmission of the node security capability related information and/or link-associated security capability.
  • the first NLRI includes a remote node descriptor field
  • the remote node descriptor field includes a first attribute
  • the first attribute is used to represent the security capability of the first node
  • the remote node descriptor field includes at least the first information
  • the security capability of the node can be represented by the first attribute in the Remote Node Descriptors field in the NLRI.
  • the security capability of the first node (Node Security Capability) is represented by the attribute corresponding to the newly added TLV code point 1030 (i.e., the first attribute), and it has a variable length.
  • the first NLRI includes a local node descriptor field
  • the local node descriptor field includes a second attribute
  • the second attribute is used to represent the security capability of the first node
  • the local node descriptor field includes at least the first information
  • the second attribute in the local node descriptor field (Local Node Descriptors) represents the security capability of the node.
  • the security capability of the first node (Node Security Capability) is represented by the attribute corresponding to the newly added TLV code point 1030 (i.e., the second attribute).
  • the difference between the above two embodiments is whether the first node acts as a local node or a remote node. If the first node acts as a local node, the second method can be used to transmit the security capability of the first node using the second attribute in the local node descriptor field; if the first node acts as a remote node, the first method can be used to transmit the security capability of the first node using the first attribute in the remote node descriptor field.
  • whether the first node acts as a local node or a remote node can be determined based on whether the relevant information of the first node (such as identification, address, etc.) is filled in the field or field related to the local node (Local Node) or the remote node (Remote Node).
  • if the relevant information of the first node (such as an identifier, an address, etc.) is filled in the domain or field related to the local node (Local Node), the first node can be determined to be a local node; if the relevant information of the first node (such as an identifier, an address, etc.) is filled in the domain or field related to the remote node (Remote Node), the first node can be determined to be a remote node.
  • the first NLRI includes a link descriptor field
  • the link descriptor field includes a third attribute
  • the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node
  • the link descriptor field includes at least the second information
  • the link-associated security capability (in this embodiment, the link-associated security capability of the link between the first node and the second node) can be identified by the third attribute in the Link Descriptors field in the NLRI.
  • the link-associated security capability of the link between the first node and the second node is represented by the attribute corresponding to the newly added TLV code point 1099 (i.e., the third attribute).
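To make the field layout concrete, here is an added Python example (not code from the patent or from any BGP-LS implementation) that encodes a Link NLRI whose Local and Remote Node Descriptors carry a security-capability sub-TLV at code point 1030 and whose Link Descriptors carry one at code point 1099, then parses it back with bounds checks on every TLV. The capability bit names, the sample AS number and router IDs are assumptions; the standard code points come from RFC 7752.

```python
import struct

# BGP-LS code points as assigned by RFC 7752 (assumed well known).
NLRI_TYPE_LINK = 2            # "Link NLRI" / "Type 2 NLRI"
TLV_LOCAL_NODE_DESC = 256
TLV_REMOTE_NODE_DESC = 257
TLV_LINK_LOCAL_REMOTE_ID = 258
SUBTLV_AUTONOMOUS_SYSTEM = 512
SUBTLV_IGP_ROUTER_ID = 515
# The two code points the page describes as newly added (not IANA-assigned values).
TLV_NODE_SECURITY_CAPABILITY = 1030   # inside Local/Remote Node Descriptors
TLV_LINK_SECURITY_CAPABILITY = 1099   # inside Link Descriptors

# Assumed bit layout of the capability bitmap: the page only says "1" means the
# capability is present and "0" that it is absent, so these names are illustrative.
CAP_FIREWALL = 0x01
CAP_IPSEC = 0x02
CAP_DDOS = 0x04


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 2-byte type, 2-byte length, value."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def capability_bytes(caps: int) -> bytes:
    """Variable-length big-endian bitmap, at least one octet (the page says 'variable length')."""
    return caps.to_bytes(max(1, (caps.bit_length() + 7) // 8), "big")


def node_descriptors(desc_type: int, asn: int, router_id: bytes, caps: int) -> bytes:
    """Local (256) or Remote (257) Node Descriptors TLV carrying the 1030 sub-TLV."""
    sub = tlv(SUBTLV_AUTONOMOUS_SYSTEM, struct.pack("!I", asn))
    sub += tlv(SUBTLV_IGP_ROUTER_ID, router_id)
    sub += tlv(TLV_NODE_SECURITY_CAPABILITY, capability_bytes(caps))
    return tlv(desc_type, sub)


def build_link_nlri(protocol_id, identifier, local, remote, link_ids, link_caps) -> bytes:
    """Link NLRI: type/length header, Protocol-ID, 64-bit Identifier, then descriptors."""
    body = struct.pack("!BQ", protocol_id, identifier)
    body += node_descriptors(TLV_LOCAL_NODE_DESC, *local)
    body += node_descriptors(TLV_REMOTE_NODE_DESC, *remote)
    body += tlv(TLV_LINK_LOCAL_REMOTE_ID, struct.pack("!II", *link_ids))
    body += tlv(TLV_LINK_SECURITY_CAPABILITY, capability_bytes(link_caps))
    return struct.pack("!HH", NLRI_TYPE_LINK, len(body)) + body


def parse_tlvs(buf: bytes):
    """Walk a TLV sequence, rejecting truncated or over-long entries instead of over-reading."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!HH", buf, off)
        if off + 4 + length > len(buf):
            raise ValueError("TLV length exceeds remaining buffer")
        out.append((t, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return out


def parse_link_nlri(buf: bytes) -> dict:
    """Extract the three security-capability attributes from a Link NLRI."""
    nlri_type, nlri_len = struct.unpack_from("!HH", buf, 0)
    if nlri_type != NLRI_TYPE_LINK or nlri_len != len(buf) - 4:
        raise ValueError("not a well-formed Link NLRI")
    body = buf[4:]
    protocol_id, identifier = struct.unpack_from("!BQ", body, 0)
    result = {"protocol_id": protocol_id, "identifier": identifier,
              "local_cap": None, "remote_cap": None, "link_cap": None}
    for t, v in parse_tlvs(body[9:]):
        if t in (TLV_LOCAL_NODE_DESC, TLV_REMOTE_NODE_DESC):
            key = "local_cap" if t == TLV_LOCAL_NODE_DESC else "remote_cap"
            for st, sv in parse_tlvs(v):
                if st == TLV_NODE_SECURITY_CAPABILITY:
                    result[key] = int.from_bytes(sv, "big")
        elif t == TLV_LINK_SECURITY_CAPABILITY:
            result["link_cap"] = int.from_bytes(v, "big")
    return result


def rejects_malformed(buf: bytes) -> bool:
    """True if the parser refuses a TLV sequence whose length field overruns the buffer."""
    try:
        parse_tlvs(buf)
    except ValueError:
        return True
    return False


# Constructed sample: first node (local end) and second node (remote end) in AS 65001.
SAMPLE_LOCAL = (65001, bytes.fromhex("0a000001"), CAP_FIREWALL | CAP_IPSEC)
SAMPLE_REMOTE = (65001, bytes.fromhex("0a000002"), CAP_IPSEC | CAP_DDOS)


def build_sample() -> bytes:
    # Protocol-ID 3 = OSPFv2, Identifier 0 = default layer-3 topology
    return build_link_nlri(3, 0, SAMPLE_LOCAL, SAMPLE_REMOTE, (10, 20), CAP_IPSEC)


if __name__ == "__main__":
    print(parse_link_nlri(build_sample()))
```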
  • the method further includes: the first node receiving a second NLRI sent by the second node, the second NLRI including at least third information, and the third information represents the security capability of the second node.
  • the first node may also receive a second NLRI sent by a second node connected thereto, wherein the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  • the manner in which the third information is carried in the second NLRI may refer to the specific description of the manner in which the first information is carried in the first NLRI, which will not be described in detail here.
  • the second NLRI may also include information indicating the link-associated security capability of the link between the second node and the first node, and the specific implementation method may refer to the specific description of the second information carried in the first NLRI, which will not be described in detail here.
  • the method further includes: the first node determining the second information based at least on the security capability of the first node and the security capability of the second node.
  • the first node can determine the link-associated security capability of the link between the first node and the second node based on the security capability of the first node and the security capability of the second node.
  • the first node determines the second information based at least on the security capabilities of the first node and the security capabilities of the second node, including: when the first node and the second node are in different security domains, the first node performs a logical AND operation on the security capabilities of the first node and the security capabilities of the second node to obtain the link-associated security capabilities of the link between the first node and the second node; or, when the first node and the second node are in the same security domain, the first node performs a logical OR operation on the security capabilities of the first node and the security capabilities of the second node to obtain the link-associated security capabilities of the link between the first node and the second node.
  • the decision on link-associated security capability is divided into two cases, one case is that the nodes in the link are in the same security domain, and the other case is that the nodes in the link are in different security domains.
  • the security domain may refer to a security level.
  • "1" in the above expression can represent the presence of the corresponding security capability, and "0" can represent the lack of the corresponding security capability.
  • the method may further include: the first node sends sixth information and/or seventh information to the control node, the sixth information indicating the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node; the seventh information indicating the second node
  • the sixth information and/or the seventh information are used by the control node to determine path information.
  • the first node may report the node's security capabilities and/or link-associated security capabilities to the control node.
  • the above information may be reported to the controller through the BGP-LS protocol so that the control node may generate path information based on the policy and the corresponding node's security capabilities and/or link-associated security capabilities.
  • FIG5 is a flow chart of the information transmission method of the present disclosure embodiment; as shown in FIG5 , the method includes:
  • Step 201 A second node receives a first NLRI sent by a first node, where the first NLRI includes at least first information and/or second information, where the first information indicates a security capability of the first node, and the second information indicates a link-associated security capability of a link between the first node and the second node.
  • the nodes transmit the related information indicating the security capability of the nodes through the BGP-LS protocol.
  • the NLRI is included in the BGP routing update message.
  • the first information indicates the security capability of the first node, and the first information may also be referred to as the security capability information of the first node.
  • the second information indicates the link-associated security capability of the link between the first node and the second node, and it can be considered that the second information indicates the security capability of the link between the first node and the second node, the security capability of the first node and/or the second node associated with the link, and the like.
  • the first NLRI includes a remote node descriptor field
  • the remote node descriptor field includes a first attribute, where the first attribute is used to represent the security capability of the first node.
  • the remote node descriptor field includes at least the first information.
  • the security capability of the node can be represented by the first attribute in the Remote Node Descriptors field in the NLRI.
  • the first NLRI includes a local node descriptor field
  • the local node descriptor field includes a second attribute
  • the second attribute is used to represent the security capability of the first node
  • the local node descriptor field includes at least the first information
  • the security capability of the node can be represented by the second attribute in the Local Node Descriptors field in the NLRI.
  • the first NLRI includes a link descriptor field
  • the link descriptor field includes a third attribute
  • the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node
  • the link descriptor field includes at least the second information
  • the link-associated security capability (in this embodiment, the link-associated security capability of the link between the first node and the second node) can be identified by the third attribute in the Link Descriptors field in the NLRI.
  • the link-associated security capability can be identified by the third attribute in the Link Descriptors field in the NLRI; for details, please refer to Table 8 in the above embodiment.
  • the method further includes: the second node determining a link-associated security capability of a link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node.
  • the second node may determine the link-associated security capability of the link between the second node and the first node based on the security capability of the first node and the security capability of the second node.
  • the second node determining, based at least on the security capability of the second node and the security capability of the first node, the link-associated security capability of the link between the second node and the first node includes: when the first node and the second node are two nodes in different security domains, the second node performs a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or, when the first node and the second node are two nodes in the same security domain, the second node performs a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
  • the decision on link-associated security capability is divided into two cases, one case is that the nodes in the link are in the same security domain, and the other case is that the nodes in the link are in different security domains.
  • the security domain may refer to a security level.
  • "1" in the above expression can represent the presence of the corresponding security capability, and "0" can represent the lack of the corresponding security capability.
  • when the second node is connected to the control node, the method further includes: the second node sends the fourth information and/or the fifth information to the control node, the fourth information indicating the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node; the fifth information indicating the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node.
  • the fourth information and/or the fifth information is used by the control node to determine the path information.
  • the second node can report the node's security capabilities and/or link-associated security capabilities to the control node.
  • the above information can be reported to the controller through the BGP-LS protocol so that the control node can generate path information based on the policy and the corresponding node's security capabilities and/or link-associated security capabilities.
  • control node receives the security capabilities of each node in the link and/or the link-associated security capabilities; when the link passes through more than two nodes, a logical AND operation or a logical OR operation can be performed based on the relevant processing logic of whether each node in the link is in the same security domain to obtain the link-associated security capabilities of the complete link.
  • the method further includes: the second node sending a second NLRI to the first node, the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  • the second node may also send third information indicating the security capability of the second node to the first node connected thereto.
  • the manner in which the third information is carried in the second NLRI may refer to the specific description of the manner in which the first information is carried in the first NLRI, which will not be described in detail here.
  • the second NLRI may also include information indicating the link-associated security capability of the link between the second node and the first node, and the specific implementation manner may refer to the specific description of the manner in which the second information is carried in the first NLRI, which will not be described in detail here.
  • Figure 6 is a schematic diagram of the path delivery process in the information transmission method of an embodiment of the present disclosure; as shown in Figure 6, after the control node generates path information according to the policy and the security capabilities of the corresponding nodes and/or the link-associated security capabilities, the path information is delivered to the ingress node of the link. After the ingress node receives the path information, it encapsulates the received packet into an SRv6 packet, and each forwarding node completes forwarding according to the destination address of the next hop.
  • FIG7 is a schematic diagram of the structure of the information transmission device according to an embodiment of the present disclosure; as shown in FIG7, the device includes: a first communication unit 31, configured to send a first NLRI to a second node, wherein the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  • the first NLRI includes a remote node descriptor field
  • the remote node descriptor field includes a first attribute
  • the first attribute is used to represent the security capability of the first node
  • the remote node descriptor field includes at least the first information
  • the first NLRI includes a local node descriptor field
  • the local node descriptor field includes a second attribute
  • the second attribute is used to represent the security capability of the first node
  • the local node descriptor field includes at least the first information
  • the first NLRI includes a link descriptor field
  • the link descriptor field includes a third attribute
  • the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node
  • the link descriptor field includes at least the second information
  • the first communication unit 31 is further configured to receive a second NLRI sent by the second node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  • the apparatus further includes a first processing unit 32 configured to determine the second information based at least on the security capability of the first node and the security capability of the second node.
  • the first processing unit 32 is configured to, when the first node and the second node are in different security domains, perform a logical AND operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node; or, when the first node and the second node are in the same security domain, perform a logical OR operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node.
  • the first processing unit 32 in the device can be implemented by a central processing unit (CPU), a digital signal processor (DSP), a microcontroller unit (MCU) or a field-programmable gate array (FPGA) in actual applications;
  • the first communication unit 31 in the device can be implemented by a communication module (including: basic communication kit, operating system, communication module, standardized interface and protocol, etc.) and a transceiver antenna in actual applications.
  • FIG8 is a second schematic diagram of the composition structure of the information transmission device of the embodiment of the present disclosure; as shown in FIG8 , the device includes: a second communication unit 41, configured to receive a first NLRI sent by a first node, wherein the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  • the first NLRI includes a remote node descriptor field
  • the remote node descriptor field includes a first attribute
  • the first attribute is used to represent the security capability of the first node
  • the remote node descriptor field includes at least the first information
  • the first NLRI includes a local node descriptor field
  • the local node descriptor field includes a second attribute
  • the second attribute is used to represent the security capability of the first node
  • the local node descriptor field includes at least the first information
  • the first NLRI includes a link descriptor field
  • the link descriptor field includes a third attribute
  • the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node
  • the link descriptor field includes at least the second information
  • the device also includes a second processing unit 42 configured to determine a link-associated security capability of a link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node.
  • the second communication unit 41 is further configured to send the fourth information and/or the fifth information to the control node, the fourth information indicating the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node; the fifth information indicating the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node, and the fourth information and/or the fifth information are used by the control node to determine path information.
  • the second processing unit 42 is configured to, when the first node and the second node are two nodes in different security domains, perform a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or, when the first node and the second node are two nodes in the same security domain, perform a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
  • the second communication unit 41 is further configured to send a second NLRI to the first node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  • the second processing unit 42 in the device can be implemented by a CPU, DSP, MCU or FPGA in actual applications; the second communication unit 41 in the device can be implemented by a communication module (including: basic communication kit, operating system, communication module, standardized interface and protocol, etc.) and a transceiver antenna.
  • the information transmission device provided in the above embodiment only uses the division of the above program modules as an example when performing information transmission.
  • the above processing can be assigned to different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the information transmission device provided in the above embodiment and the information transmission method embodiment belong to the same concept, and the specific implementation process is detailed in the method embodiment, which will not be repeated here.
  • the embodiment of the present disclosure also provides a node, which is the first node or the second node in the above-mentioned embodiment.
  • FIG9 is a schematic diagram of the hardware composition structure of the node in the embodiment of the present disclosure.
  • the node includes a memory 52, a processor 51, and a computer program stored in the memory 52 and executable on the processor 51.
  • when the processor 51 executes the program, the steps of the information transmission method applied to the first node or the second node in the embodiment of the present disclosure are implemented.
  • the node further includes at least one network interface 53.
  • the various components in the node are coupled together via a bus system 54.
  • the bus system 54 is used to achieve connection and communication between these components.
  • the bus system 54 also includes a power bus, a control bus, and a status signal bus.
  • various buses are labeled as bus system 54 in FIG. 9.
  • the memory 52 can be a volatile memory or a non-volatile memory, or can include both volatile and non-volatile memories.
  • the non-volatile memory can be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a magnetic random access memory (RAM), or a 32-bit ...
  • the non-volatile memory may also be a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory.
  • the volatile memory may be a Random Access Memory (RAM), which is used as an external cache; many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM) and direct memory bus random access memory (DRRAM).
  • the memory 52 described in the embodiments of the present disclosure is intended to include, but is not limited to, these and any other suitable types of memory.
  • the method disclosed in the above-mentioned embodiment of the present disclosure can be applied to the processor 51, or implemented by the processor 51.
  • the processor 51 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above-mentioned method can be completed by the hardware integrated logic circuit in the processor 51 or the instruction in the form of software.
  • the above-mentioned processor 51 can be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the processor 51 can implement or execute the various methods, steps and logic block diagrams disclosed in the embodiment of the present disclosure.
  • the general-purpose processor can be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in the embodiment of the present disclosure can be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium, the storage medium is located in the memory 52, and the processor 51 reads the information in the memory 52 and completes the steps of the above method in combination with its hardware.
  • the node can be implemented by one or more application specific integrated circuits (ASIC), DSP, programmable logic device (PLD), complex programmable logic device (CPLD), FPGA, general-purpose processor, controller, MCU, microprocessor, or other electronic components to execute the aforementioned method.
  • the disclosed embodiment further provides a computer-readable storage medium, such as a memory 52 including a computer program, which can be executed by a processor 51 of a node to complete the steps of the aforementioned method.
  • the computer-readable storage medium can be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM; or it can be various devices including one or any combination of the above memories.
  • the embodiment of the present disclosure also provides a computer-readable storage medium, on which a computer program is stored.
  • when the program is executed by a processor, the steps of the information transmission method applied to the first node or the second node in the embodiment of the present disclosure are implemented.
  • the disclosed devices and methods can be implemented in other ways.
  • the device embodiments described above are only exemplary.
  • the division of the units is only a logical function division.
  • the coupling, direct coupling, or communication connection between the components shown or discussed may be through some interfaces, indirect coupling or communication connection of devices or units, which may be electrical, mechanical or other forms.
  • the units described above as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units; some or all of the units may be selected according to actual needs to achieve the purpose of the scheme of this embodiment.
  • all functional units in the embodiments of the present disclosure may be integrated into one processing unit, or each unit may be separately configured as a unit, or two or more units may be integrated into one unit; the above-mentioned integrated units may be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the integrated unit of the present disclosure can also be stored in a computer-readable storage medium.
  • the technical solution of the embodiment of the present disclosure, in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium and includes a number of instructions for causing a computer device (which can be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in each embodiment of the present disclosure.
  • the aforementioned storage medium includes: various media that can store program codes, such as mobile storage devices, ROM, RAM, magnetic disks or optical disks.

Abstract

Disclosed in embodiments of the present disclosure are an information transmission method and apparatus, a node, and a storage medium. The method comprises: a first node sends first network layer reachability information (NLRI) to a second node, the first NLRI comprising at least first information and/or second information, the first information representing the security capability of the first node, and the second information representing the link-associated security capability of a link between the first node and the second node.

Description

Information transmission method, apparatus, node and storage medium
CROSS-REFERENCE TO RELATED APPLICATIONS
The present disclosure is based on, and claims priority from, the Chinese patent application with application number 202211370868.1 filed on November 03, 2022, the entire content of which is incorporated herein by reference.
Technical Field
The present disclosure relates to the field of communication technology, and in particular to an information transmission method and apparatus, a node and a storage medium.
Background
With the frequent occurrence of network security incidents, users have an increasingly strong demand for network security, and regulators have also set corresponding requirements for it. As a pipe operator, in addition to guaranteeing the operational security and routing reachability of the underlying network, an operator also needs to provide secure routing capabilities externally according to user needs. With the development of programmable networks and Internet Protocol Version 6 (IPv6) Segment Routing (SRv6) technology, upper-layer forwarding requirements can be fulfilled through route programming; reachability and security in the routing process can be handled together, providing users with secure routes and secure paths that match their needs.
At present, there is no effective solution for injecting security factors into the collection of network topology and centralized path computation, that is, for carrying security capability information in routing protocols so as to achieve forwarding along secure routing paths.
Summary of the Invention
Embodiments of the present disclosure provide an information transmission method and apparatus, a node, and a storage medium.
The technical solution of the embodiments of the present disclosure is implemented as follows:
In a first aspect, an embodiment of the present disclosure provides an information transmission method, the method comprising:
a first node sends first network layer reachability information (NLRI) to a second node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
In some optional embodiments of the present disclosure, the first NLRI is a Link NLRI or a Type 2 NLRI.
In some optional embodiments of the present disclosure, the first NLRI includes a remote node descriptor field, the remote node descriptor field includes a first attribute, the first attribute is used to represent the security capability of the first node, and the remote node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to indicate the link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
In some optional embodiments of the present disclosure, the method further includes: the first node receives a second NLRI sent by the second node, the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
In some optional embodiments of the present disclosure, the method further includes: the first node determines the second information based at least on the security capability of the first node and the security capability of the second node.
In some optional embodiments of the present disclosure, the first node determining the second information based at least on the security capability of the first node and the security capability of the second node includes:
when the first node and the second node are in different security domains, the first node performs a logical AND operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node; or,
when the first node and the second node are in the same security domain, the first node performs a logical OR operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node.
In a second aspect, an embodiment of the present disclosure further provides an information transmission method, the method comprising:
a second node receives a first NLRI sent by a first node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
In some optional embodiments of the present disclosure, the first NLRI is a Link NLRI or a Type 2 NLRI.
In some optional embodiments of the present disclosure, the first NLRI includes a remote node descriptor field, the remote node descriptor field includes a first attribute, the first attribute is used to represent the security capability of the first node, and the remote node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to indicate the link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
In some optional embodiments of the present disclosure, the method further includes: the second node determines the link-associated security capability of the link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node.
In some optional embodiments of the present disclosure, when the second node is connected to a control node, the method further includes:
the second node sends fourth information and/or fifth information to the control node, the fourth information indicates the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node, the fifth information indicates the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node, and the fourth information and/or the fifth information is used by the control node to determine path information.
In some optional embodiments of the present disclosure, the second node determining the link-associated security capability of the link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node includes:
when the first node and the second node are two nodes in different security domains, the second node performs a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or,
when the first node and the second node are two nodes in the same security domain, the second node performs a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
In some optional embodiments of the present disclosure, the method further includes: the second node sends a second NLRI to the first node, the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
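The per-link AND/OR rule above, the controller-side combination over a path of more than two nodes, and the selection of a path against a policy, as an added Python example that is not part of the patent; the capability names, the TLV type code and the left-to-right fold order over a multi-hop path are assumptions, since the disclosure defines none of them.

```python
"""Added worked example (not the patent's own code): security-capability
bitmaps, a hypothetical BGP-LS descriptor TLV that carries one, the per-link
AND/OR rule of the disclosure, and the controller's fold over a multi-hop path.
Capability names and the TLV type code are assumptions; the page defines none."""
from __future__ import annotations

import struct
from enum import IntFlag


class SecCap(IntFlag):
    """Bitmap: a set bit ("1") means the node has the capability, "0" that it lacks it."""
    NONE = 0
    IPSEC = 1 << 0        # assumed capability names, for illustration only
    MACSEC = 1 << 1
    ACL_FILTER = 1 << 2
    DDOS_SCRUB = 1 << 3


# Placeholder TLV type for the security-capability attribute inside a node or
# link descriptor; the disclosure does not assign a code point.
SEC_CAP_TLV_TYPE = 0xFFFE


def encode_sec_cap_tlv(cap: SecCap) -> bytes:
    """Encode the bitmap as a BGP-LS style TLV: 2-byte type, 2-byte length, value."""
    value = struct.pack("!I", int(cap))
    return struct.pack("!HH", SEC_CAP_TLV_TYPE, len(value)) + value


def decode_sec_cap_tlv(data: bytes) -> SecCap:
    """Parse one TLV; a receiver must reject truncated or foreign TLVs rather
    than silently treating them as 'no capability' or 'all capabilities'."""
    if len(data) < 4:
        raise ValueError("truncated TLV header")
    tlv_type, length = struct.unpack("!HH", data[:4])
    if tlv_type != SEC_CAP_TLV_TYPE:
        raise ValueError(f"unexpected TLV type {tlv_type:#x}")
    if length != 4 or len(data) < 4 + length:
        raise ValueError("bad TLV length")
    return SecCap(struct.unpack("!I", data[4:8])[0])


def link_capability(cap_a: SecCap, cap_b: SecCap, dom_a: str, dom_b: str) -> SecCap:
    """Link-associated security capability per the disclosure: logical AND when
    the two endpoints sit in different security domains (the weaker endpoint
    bounds the link), logical OR when they share a domain."""
    return cap_a | cap_b if dom_a == dom_b else cap_a & cap_b


def path_capability(path: list[tuple[str, SecCap, str]]) -> SecCap:
    """Controller-side combination over an ordered path of (name, cap, domain),
    applying the same AND/OR rule hop by hop. Folding left to right is one
    reading of the disclosure's 'more than two nodes' case (an assumption)."""
    if not path:
        return SecCap.NONE
    _, acc, prev_dom = path[0]
    for _, cap, dom in path[1:]:
        acc = link_capability(acc, cap, prev_dom, dom)
        prev_dom = dom
    return acc


def meets_policy(cap: SecCap, required: SecCap) -> bool:
    """A path satisfies a policy when every required bit is present."""
    return (cap & required) == required


# Constructed topology: nodes A and B share security domain d1, C is in d2.
NODES = {
    "A": (SecCap.IPSEC | SecCap.ACL_FILTER, "d1"),
    "B": (SecCap.MACSEC | SecCap.ACL_FILTER, "d1"),
    "C": (SecCap.IPSEC, "d2"),
}


def build_path(names: list[str]) -> list[tuple[str, SecCap, str]]:
    return [(n, NODES[n][0], NODES[n][1]) for n in names]


def select_paths(candidates: list[list[str]], required: SecCap) -> list[list[str]]:
    """What the control node does with the reported capabilities: keep only the
    candidate paths whose combined capability satisfies the policy."""
    return [p for p in candidates if meets_policy(path_capability(build_path(p)), required)]


if __name__ == "__main__":
    for p in (["A", "B", "C"], ["A", "C"]):
        print(p, path_capability(build_path(p)))
    print(select_paths([["A", "B", "C"], ["A", "C"]], SecCap.IPSEC | SecCap.ACL_FILTER))
```

Note that the cross-domain AND means a single weak node on the path strips every capability it lacks from the whole path, which is why the domain boundary, not the node count, decides which operation applies.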
In a third aspect, an embodiment of the present disclosure further provides an information transmission apparatus, applied to a first node, the apparatus including: a first communication unit, configured to send a first NLRI to a second node, wherein the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
In a fourth aspect, an embodiment of the present disclosure further provides an information transmission apparatus, applied to a second node, the apparatus including: a second communication unit, configured to receive a first NLRI sent by a first node, wherein the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
In a fifth aspect, an embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the method described in the first aspect or the second aspect of the embodiments of the present disclosure are implemented.
In a sixth aspect, an embodiment of the present disclosure further provides a node, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program, the steps of the method described in the first aspect or the second aspect of the embodiments of the present disclosure are implemented.
In the information transmission method and apparatus, node and storage medium provided by the embodiments of the present disclosure, the method includes: a first node sends a first NLRI to a second node, the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node. With the technical solution of the embodiments of the present disclosure, the relevant security capability information is carried through the routing protocol, so that a subsequent controller can decide the routing path according to that security capability information, thereby meeting the security requirements of users during link forwarding.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of the system architecture to which the information transmission method of an embodiment of the present disclosure applies;
FIG. 2 is a first schematic flow chart of the information transmission method of an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the NLRI format;
FIG. 4 is a schematic diagram of the format of a field in the NLRI;
FIG. 5 is a second schematic flow chart of the information transmission method of an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of the path delivery process in the information transmission method of an embodiment of the present disclosure;
FIG. 7 is a first schematic structural diagram of the information transmission apparatus of an embodiment of the present disclosure;
FIG. 8 is a second schematic structural diagram of the information transmission apparatus of an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of the hardware structure of a node of an embodiment of the present disclosure.
DETAILED DESCRIPTION
The present disclosure is described in further detail below with reference to the accompanying drawings and specific embodiments.
The technical solutions of the embodiments of the present disclosure can be applied to various communication systems, for example a Global System for Mobile communication (GSM) system, a Long Term Evolution (LTE) system or a 5G system. Optionally, a 5G system or 5G network may also be called a New Radio (NR) system or NR network.
Exemplarily, the communication system to which the embodiments of the present disclosure apply may include a network device and a terminal device (also called a terminal, a communication terminal, etc.); the network device may be a device that communicates with the terminal device. The network device may provide communication coverage within a certain area and communicate with terminals located in that area. Optionally, the network device may be a base station of any of the communication systems, for example an evolved Node B (eNB) in an LTE system, or a base station (gNB) in a 5G or NR system.
It should be understood that a device with a communication function in the network/system of the embodiments of the present application may be called a communication device. Communication devices may include the network devices and terminals with communication functions described above, which are not repeated here; they may also include other devices in the communication system, such as a network controller, a mobility management entity or other network entities, which is not limited in the embodiments of the present disclosure.
It should be understood that the terms "system" and "network" are often used interchangeably herein. The term "and/or" herein merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
The terms "first", "second", etc. in the specification and claims of the present application are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the present application described herein can, for example, be implemented in an order other than that illustrated or described herein. Furthermore, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such processes, methods, products or devices.
Before the information transmission method of the embodiments of the present disclosure is described in detail, the network protocol used in the embodiments is briefly introduced.
The Border Gateway Protocol (BGP) is extended so that it can carry link-state and traffic-engineering information; that is, the network topology is reported through BGP-LS (BGP Link State). There are currently three types of BGP-LS routes, carrying node, link and route prefix information respectively. The three types work together to convey the topology information. The node route records the node information of the topology, the link route records the link information between two devices (or nodes), and the prefix route records the network segments reachable from a node.
The NLRI collected through BGP-LS is described in type/length/value (TLV) format, and each link state described by an NLRI identifies a node, a link or a prefix. Corresponding to the three types of BGP-LS routes above, three types of NLRI are defined, as shown in Table 1 below, where type 3 and type 4 distinguish IPv4 prefixes from IPv6 prefixes.
Table 1

The embodiments of the present disclosure mainly concern the transmission of security-capability information between nodes, for example a local node obtaining the security-capability information of a peer node, or a local node sending its own security-capability information to a peer node; specifically, the security-capability information is transmitted through a routing protocol. A node in the embodiments of the present disclosure may be a standalone node or, as shown in FIG. 1, a basic unit consisting of a node R together with the security products attached to it. Exemplarily, the node may be a router, and the security product may be any product with a network security function, such as a security component or a firewall; this is not limited in the present embodiment.
In practice, some nodes are directly connected to the controller (referred to as directly connected nodes) and can therefore transmit node information to the controller directly via the BGP-LS protocol, while other nodes are not directly connected to the controller (referred to as non-directly connected nodes) and must pass their node information to a directly connected node before it can reach the controller. Non-directly connected nodes therefore need to report node-related information via the BGP-LS protocol.
An embodiment of the present disclosure provides an information transmission method. FIG. 2 is a first schematic flow chart of the information transmission method of an embodiment of the present disclosure; as shown in FIG. 2, the method includes:
Step 101: A first node sends a first NLRI to a second node, the first NLRI including at least first information and/or second information, where the first information indicates the security capability of the first node and the second information indicates the link-associated security capability of the link between the first node and the second node.
In this embodiment, nodes transmit information indicating their security capabilities to one another via the BGP-LS protocol. Exemplarily, the NLRI is carried in a BGP routing update (UPDATE) message.
The first information indicates the security capability of the first node and may also be called the security capability information of the first node. The second information indicates the link-associated security capability of the link between the first node and the second node; it may be understood as indicating the security capability of the link between the first node and the second node, the security capability of the first node and/or the second node associated with that link, and so on.
In some optional embodiments of the present disclosure, the first NLRI is a Link NLRI, i.e., a type 2 NLRI (NLRI Type = 2). That is, in this embodiment the security-capability information of the node and/or the link-associated security capability information is transmitted in fields of the Link NLRI.
Exemplarily, FIG. 3 is a schematic diagram of the NLRI format, specifically the Link NLRI format. As shown in FIG. 3, it includes a Protocol-ID field, a 64-bit Identifier field, a variable-length Local Node Descriptors field, a variable-length Remote Node Descriptors field and a variable-length Link Descriptors field, where:
The Protocol-ID field identifies the type of protocol, as shown in Table 2.
Table 2
The Identifier field identifies the routing scope of the network to which the NLRI belongs; NLRI objects (nodes, links or prefixes) from the same routing scope must carry the same Identifier value.
The Local Node Descriptors field contains the node descriptors of the node anchoring the local end of the link. It is mandatory and of variable length, and its format is shown in FIG. 4. The attributes of the Local Node Descriptors field are shown in Table 3.
Table 3
The Node Descriptor Sub-TLVs of the Local Node Descriptors field record the node descriptor Sub-TLV type code points and lengths, as shown in Table 4 below.
Table 4
The Remote Node Descriptors field contains the node descriptors of the node anchoring the remote end of the link and is of variable length. Its format is similar to that of the Local Node Descriptors field; see FIG. 4 and the description of the Local Node Descriptors field above.
The Link Descriptors field uniquely identifies one link among multiple parallel links between a pair of anchor routers; examples of its attributes are shown in Table 5.
Table 5
On this basis, the present embodiment adds new attributes to specified fields of the NLRI so as to transmit the security-capability information of the node and/or the link-associated security capability.
In some optional embodiments, the first NLRI includes a Remote Node Descriptors field, the Remote Node Descriptors field includes a first attribute used to indicate the security capability of the first node, and the Remote Node Descriptors field includes at least the first information.
In this embodiment, the security capability of the node may be indicated by the first attribute in the Remote Node Descriptors field of the NLRI. Exemplarily, as shown in Table 6, the security capability of the first node (Node Security Capability) is indicated by the attribute corresponding to the newly added TLV code point 1030 (the first attribute), which is of variable length.
Table 6
In some other optional embodiments, the first NLRI includes a Local Node Descriptors field, the Local Node Descriptors field includes a second attribute used to indicate the security capability of the first node, and the Local Node Descriptors field includes at least the first information.
In this embodiment, the security capability of the node may be indicated by the second attribute in the Local Node Descriptors field of the NLRI. Exemplarily, as shown in Table 7, the security capability of the first node (Node Security Capability) is indicated by the attribute corresponding to the newly added TLV code point 1030 (the second attribute), which is of variable length.
Table 7
The two embodiments above differ in whether the first node is the local node or the remote node. If the first node is the local node, the second approach may be used, transmitting the security capability of the first node in the second attribute of the Local Node Descriptors field; if the first node is the remote node, the first approach may be used, transmitting the security capability of the first node in the first attribute of the Remote Node Descriptors field. Whether the first node is the local node or the remote node is determined by whether the information of the first node (such as its identifier, address, etc.) is filled into the fields related to the local node (Local Node) or into the fields related to the remote node (Remote Node): if the information of the first node is filled into the fields related to the local node, the first node is the local node; if it is filled into the fields related to the remote node, the first node is the remote node.
In some further optional embodiments, the first NLRI includes a Link Descriptors field, the Link Descriptors field includes a third attribute used to indicate the link-associated security capability of the link between the first node and the second node, and the Link Descriptors field includes at least the second information.
In this embodiment, the link-associated security capability (here, the link-associated security capability of the link between the first node and the second node) may be identified by the third attribute in the Link Descriptors field of the NLRI. Exemplarily, as shown in Table 8, the link-associated security capability of the link between the first node and the second node is indicated by the attribute corresponding to the newly added TLV code point 1099 (the third attribute).
Table 8
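As an added example (not the patent's or any project's code), the following Python builds and parses a Link NLRI in the layout described with FIG. 3, placing the proposed Node Security Capability sub-TLV (code point 1030, Tables 6 and 7) inside the Local and Remote Node Descriptors and the proposed link-associated security capability TLV (code point 1099, Table 8) among the Link Descriptors. The outer TLV types 256/257, sub-TLV 516 and Protocol-ID 4 are RFC 7752 values; encoding the capability vector as an MSB-first bitmap is an assumption of this example.

```python
import struct

# TLV types from RFC 7752 (the Link NLRI layout shown in FIG. 3).
TLV_LOCAL_NODE_DESCRIPTORS = 256
TLV_REMOTE_NODE_DESCRIPTORS = 257
SUB_TLV_IGP_ROUTER_ID = 516
# Code points proposed in the text: 1030 inside a node descriptor field
# (Tables 6 and 7), 1099 inside the Link Descriptors (Table 8).
SUB_TLV_NODE_SECURITY_CAPABILITY = 1030
TLV_LINK_SECURITY_CAPABILITY = 1099
PROTOCOL_ID_DIRECT = 4  # RFC 7752 Protocol-ID value for "Direct"


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 2-octet type, 2-octet length, value."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def bits_to_bytes(bits) -> bytes:
    """Pack a capability vector such as [1,0,0,1,0] into octets, MSB first
    (assumed value encoding; the text only gives the vector notation)."""
    padded = [1 if b else 0 for b in bits] + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, padded[i:i + 8])), 2)
                 for i in range(0, len(padded), 8))


def bytes_to_bits(data: bytes) -> list:
    """Inverse of bits_to_bytes; trailing pad bits come back as zeros."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def parse_tlvs(data: bytes) -> list:
    """Walk a TLV sequence and return (type, value) pairs.
    Length fields are checked against the buffer, so a truncated or
    over-long TLV raises instead of reading past the end."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError(f"TLV {tlv_type} length {length} exceeds buffer")
        out.append((tlv_type, data[off:off + length]))
        off += length
    return out


def build_link_nlri(identifier, local_rid, local_cap, remote_rid, remote_cap,
                    link_cap, protocol_id=PROTOCOL_ID_DIRECT) -> bytes:
    """Protocol-ID, 64-bit Identifier, Local/Remote Node Descriptors, Link Descriptors."""
    local = (tlv(SUB_TLV_IGP_ROUTER_ID, local_rid)
             + tlv(SUB_TLV_NODE_SECURITY_CAPABILITY, bits_to_bytes(local_cap)))
    remote = (tlv(SUB_TLV_IGP_ROUTER_ID, remote_rid)
              + tlv(SUB_TLV_NODE_SECURITY_CAPABILITY, bits_to_bytes(remote_cap)))
    link = tlv(TLV_LINK_SECURITY_CAPABILITY, bits_to_bytes(link_cap))
    return (struct.pack("!BQ", protocol_id, identifier)
            + tlv(TLV_LOCAL_NODE_DESCRIPTORS, local)
            + tlv(TLV_REMOTE_NODE_DESCRIPTORS, remote)
            + link)


def parse_link_nlri(nlri: bytes) -> dict:
    """Decode a Link NLRI into a dict; unknown TLVs are recorded, not rejected."""
    if len(nlri) < 9:
        raise ValueError("Link NLRI shorter than Protocol-ID + Identifier")
    protocol_id, identifier = struct.unpack_from("!BQ", nlri, 0)
    result = {"protocol_id": protocol_id, "identifier": identifier,
              "local": {}, "remote": {}, "link_security_capability": None,
              "other_link_descriptors": []}
    for tlv_type, value in parse_tlvs(nlri[9:]):
        if tlv_type in (TLV_LOCAL_NODE_DESCRIPTORS, TLV_REMOTE_NODE_DESCRIPTORS):
            node = result["local" if tlv_type == TLV_LOCAL_NODE_DESCRIPTORS else "remote"]
            for sub_type, sub_value in parse_tlvs(value):
                if sub_type == SUB_TLV_IGP_ROUTER_ID:
                    node["router_id"] = sub_value
                elif sub_type == SUB_TLV_NODE_SECURITY_CAPABILITY:
                    node["security_capability"] = bytes_to_bits(sub_value)
                else:
                    node.setdefault("other_sub_tlvs", []).append(sub_type)
        elif tlv_type == TLV_LINK_SECURITY_CAPABILITY:
            result["link_security_capability"] = bytes_to_bits(value)
        else:
            result["other_link_descriptors"].append(tlv_type)
    return result


if __name__ == "__main__":
    # Constructed sample: the SCing vectors from the text and made-up router IDs.
    sample = build_link_nlri(0, b"\x0a\x00\x00\x01", [1, 0, 0, 1, 0],
                             b"\x0a\x00\x00\x02", [1, 1, 0, 1, 0], [1, 0, 0, 1, 0])
    print(sample.hex())
    print(parse_link_nlri(sample))
```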

In some optional embodiments of the present disclosure, the method further includes: the first node receives a second NLRI sent by the second node, the second NLRI including at least third information, where the third information indicates the security capability of the second node.
In this embodiment, the first node may also receive a second NLRI sent by the second node connected to it, the second NLRI including at least third information indicating the security capability of the second node. The manner in which the third information is carried in the second NLRI follows the description of how the first information is carried in the first NLRI, which is not repeated here. In other embodiments, the second NLRI may also include information indicating the link-associated security capability of the link between the second node and the first node; the specific implementation follows the description of how the second information is carried in the first NLRI, which is not repeated here.
In some optional embodiments of the present disclosure, the method further includes: the first node determines the second information based at least on the security capability of the first node and the security capability of the second node.
In this embodiment, the first node may determine the link-associated security capability of the link between the first node and the second node based on the security capability of the first node and the security capability of the second node.
In some optional embodiments, the first node determining the second information based at least on the security capability of the first node and the security capability of the second node includes: when the first node and the second node are in different security domains, the first node performs a logical AND operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node; or, when the first node and the second node are in the same security domain, the first node performs a logical OR operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node.
In this embodiment, the determination of the link-associated security capability is divided into two cases: the nodes of the link are in the same security domain, or the nodes of the link are in different security domains. Exemplarily, a security domain may refer to a security level.
Exemplarily, let SCing denote the security capabilities a node has enabled. The security capability of the first node may be expressed as SCing A = [1,0,0,1,0,……] and that of the second node as SCing B = [1,1,0,1,0,……], where a "1" indicates that the corresponding security capability is present and a "0" that it is absent. As one example, if the first node and the second node are in different security domains, the link-associated security capability of the link between them may be expressed as SCing Association<A,B> = SCing A && SCing B, where "&&" denotes the logical AND operation. As another example, if the first node and the second node are in the same security domain, the link-associated security capability of the link between them may be expressed as SCing Association<A,B> = SCing A || SCing B, where "||" denotes the logical OR operation.
In some optional embodiments, when the first node is connected to a control node, the method may further include: the first node sends sixth information and/or seventh information to the control node, where the sixth information indicates the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node, and the seventh information indicates the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node; the sixth information and/or the seventh information is used by the control node to determine path information.
In this embodiment, if the first node is directly connected to a control node (such as a controller), the first node may report the node security capability and/or the link-associated security capability to the control node, specifically via the BGP-LS protocol, so that the control node can generate path information based on policy and on the corresponding node security capabilities and/or link-associated security capabilities.
基于上述实施例,本公开实施例还提供了一种信息传输方法。图5为本公开实施例的信息传输方法的流程示意图二;如图5所示,所述方法包括:Based on the above embodiments, the present disclosure also provides an information transmission method. FIG5 is a flow chart of the information transmission method of the present disclosure embodiment; as shown in FIG5 , the method includes:
步骤201:第二节点接收第一节点发送的第一NLRI,所述第一NLRI中至少包括第一信息和/或第二信息,所述第一信息表示所述第一节点的安全能力,所述第二信息表示所述第一节点和所述第二节点之间链路的链路关联安全能力。Step 201: A second node receives a first NLRI sent by a first node, where the first NLRI includes at least first information and/or second information, where the first information indicates a security capability of the first node, and the second information indicates a link-associated security capability of a link between the first node and the second node.
本实施例中,节点之间通过BGP-LS协议传输表示节点的安全能力的相关信息。示例性的,NLRI被包括在BGP路由选择更新报文中。In this embodiment, the nodes transmit the related information indicating the security capability of the nodes through the BGP-LS protocol. Exemplarily, the NLRI is included in the BGP routing update message.
其中,所述第一信息表示所述第一节点的安全能力,所述第一信息也可称为第一节点的安全能力信息。所述第二信息表示所述第一节点和所述第二节点之间链路的链路关联安全能力,可以认为,所述第二信息表示第一节点和第二节点之间链路的安全能力、该链路关联的第一节点和/或第二节点的安全能力等等。The first information indicates the security capability of the first node, and the first information may also be referred to as the security capability information of the first node. The second information indicates the link-associated security capability of the link between the first node and the second node, and it can be considered that the second information indicates the security capability of the link between the first node and the second node, the security capability of the first node and/or the second node associated with the link, and the like.
在本公开的一些可选实施例中,所述第一NLRI为链路NLRI(Link NLRI)或类型2 NLRI(NLRI Type=2)。也即,本实施例中是通过链路NLRI(Link NLRI)中的域或字段传输节点的安全能力的相关信息和/或链路关联安全能力的相关信息。In some optional embodiments of the present disclosure, the first NLRI is a link NLRI (Link NLRI) or a type 2 NLRI (NLRI Type=2). That is, in this embodiment, the relevant information of the security capability of the node and/or the relevant information of the link-associated security capability is transmitted through the domain or field in the link NLRI (Link NLRI).
在一些可选实施例中,所述第一NLRI中包括远端节点描述符域,所述 远端节点描述符域中包括第一属性,所述第一属性用于表示所述第一节点的安全能力,所述远端节点描述符域中至少包括所述第一信息。In some optional embodiments, the first NLRI includes a remote node descriptor field, The remote node descriptor field includes a first attribute, where the first attribute is used to represent the security capability of the first node. The remote node descriptor field includes at least the first information.
在本实施例中,可通过NLRI中的远端节点描述符域(Remote Node Descriptors)中的第一属性表示节点的安全能力。具体可参照上述实施例中的表6所示。In this embodiment, the security capability of the node can be represented by the first attribute in the Remote Node Descriptors field in the NLRI. For details, please refer to Table 6 in the above embodiment.
在另一些可选实施例中,所述第一NLRI中包括本地节点描述符域,所述本地节点描述符域中包括第二属性,所述第二属性用于表示所述第一节点的安全能力,所述本地节点描述符域中至少包括所述第一信息。In some other optional embodiments, the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
在本实施例中,可通过NLRI中的本地节点描述符域(Local Node Descriptors)中的第二属性表示节点的安全能力。具体可参照上述实施例中的表7所示。In this embodiment, the security capability of the node can be represented by the second attribute in the Local Node Descriptors field in the NLRI. For details, please refer to Table 7 in the above embodiment.
在又一些可选实施例中,所述第一NLRI中包括链路描述符域,所述链路描述符域中包括第三属性,所述第三属性用于表示所述第一节点和所述第二节点之间链路的链路关联安全能力,所述链路描述符域中至少包括所述第二信息。In some further optional embodiments, the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to indicate a link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
在本实施例中,可通过NLRI中的链路描述符域(Link Descriptors)中的第三属性标识链路关联安全能力(在本实施例中即为所述第一节点和所述第二节点之间链路的链路关联安全能力)。具体可参照上述实施例中的表8所示。In this embodiment, the link-associated security capability (in this embodiment, the link-associated security capability of the link between the first node and the second node) can be identified by the third attribute in the Link Descriptors field in the NLRI. For details, please refer to Table 8 in the above embodiment.
在本公开的一些可选实施例中,所述方法还包括:所述第二节点至少基于所述第二节点的安全能力和所述第一节点的安全能力确定所述第二节点和所述第一节点之间链路的链路关联安全能力。In some optional embodiments of the present disclosure, the method further includes: the second node determining a link-associated security capability of a link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node.
本实施例中,第二节点可基于第一节点安全能力和所述第二节点的安全能力确定所述第二节点和所述第一节点之间链路的链路关联安全能力。In this embodiment, the second node may determine the link-associated security capability of the link between the second node and the first node based on the security capability of the first node and the security capability of the second node.
在一些可选实施例中,所述第二节点至少基于所述第二节点的安全能 力和所述第一节点的安全能力确定所述第二节点和所述第一节点之间链路的链路关联安全能力,包括:在所述第一节点和所述第二节点处于不同安全域的两个节点,所述第二节点对所述第二节点的安全能力和所述第一节点的安全能力进行逻辑与操作,得到所述第二节点和所述第一节点之间链路的链路关联安全能力;或者,在所述第一节点和所述第二节点处于相同安全域的两个节点,所述第二节点对所述第二节点的安全能力和所述第一节点的安全能力进行逻辑或操作,得到所述第二节点和所述第一节点之间链路的链路关联安全能力。In some optional embodiments, the second node is based at least on the security capability of the second node. The link-associated security capability of the link between the second node and the first node is determined based on the security capability of the first node and the security capability of the first node, including: when the first node and the second node are two nodes in different security domains, the second node performs a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or, when the first node and the second node are two nodes in the same security domain, the second node performs a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
本实施例中,对于链路关联安全能力的决策分为两种情况,一种情况是链路中的节点处于相同安全域下,另一种情况是链路中的节点处于不同安全域下。示例性的,所述安全域可以是指安全等级。In this embodiment, the decision on link-associated security capability is divided into two cases, one case is that the nodes in the link are in the same security domain, and the other case is that the nodes in the link are in different security domains. Exemplarily, the security domain may refer to a security level.
示例性的,若SCing表示节点已开启的安全能力,第一节点的安全能力可表示为SCing A=[1,0,0,1,0,……];第二节点的安全能力可表示为SCing B=[1,1,0,1,0,……];上述表达式中的“1”可表示具有对应的安全能力,“0”可表示不具有对应的安全能力。则作为一种示例,若第一节点和第二节点处于不同安全域下,则第一节点和第二节点之间链路的链路关联安全能力可表示为:SCing Association<A,B>=SCing A&&SCing B;其中,“&&”表示逻辑与操作。作为另一种示例,若第一节点和第二节点处于相同安全域下,则第一节点和第二节点之间链路的链路关联安全能力可表示为:SCing Association<A,B>=SCing A||SCing B;其中,“||”表示逻辑或操作。Exemplarily, if SCing represents the security capability that a node has enabled, the security capability of the first node can be expressed as SCing A=[1,0,0,1,0,……]; the security capability of the second node can be expressed as SCing B=[1,1,0,1,0,……]; "1" in the above expression can represent the corresponding security capability, and "0" can represent the lack of the corresponding security capability. As an example, if the first node and the second node are in different security domains, the link-associated security capability of the link between the first node and the second node can be expressed as: SCing Association<A,B>=SCing A&&SCing B; where "&&" represents a logical and operation. As another example, if the first node and the second node are in the same security domain, the link-associated security capability of the link between the first node and the second node can be expressed as: SCing Association<A,B>=SCing A||SCing B; where "||" represents a logical or operation.
In some optional embodiments of the present disclosure, when the second node is connected to a control node, the method further includes: the second node sends fourth information and/or fifth information to the control node, where the fourth information indicates the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node, the fifth information indicates the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node, and the fourth information and/or the fifth information are used by the control node to determine path information.
In this embodiment, if the second node is a node directly connected to the control node (such as a controller), the second node can report the node security capabilities and/or the link-associated security capabilities to the control node; specifically, this information can be reported to the controller through the BGP-LS protocol, so that the control node can generate path information according to the policy and the security capabilities and/or link-associated security capabilities of the corresponding nodes.
In other embodiments, the control node receives the security capability of each node in the link and/or the link-associated security capabilities; when the link passes through more than two nodes, a logical AND operation or a logical OR operation can be performed, following the same processing logic based on whether the nodes in the link are in the same security domain, to obtain the link-associated security capability of the complete link.
In some optional embodiments, the method further includes: the second node sends a second NLRI to the first node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
In this embodiment, the second node may also send third information indicating the security capability of the second node to the first node connected to it. The manner in which the third information is carried in the second NLRI may follow the description of how the first information is carried in the first NLRI, which is not repeated here. In other embodiments, the second NLRI may also include information indicating the link-associated security capability of the link between the second node and the first node; the specific implementation may follow the description of how the second information is carried in the first NLRI, which is not repeated here.
FIG. 6 is a schematic diagram of the path delivery process in the information transmission method of an embodiment of the present disclosure. As shown in FIG. 6, after the control node generates path information according to the policy and the security capabilities and/or link-associated security capabilities of the corresponding nodes, it delivers the path information to the ingress node of the link; after receiving the path information, the ingress node performs SRv6 encapsulation on the received packets, and the forwarding nodes complete forwarding according to the destination address of the next hop.
Based on the above embodiments, an embodiment of the present disclosure further provides an information transmission apparatus applied to the first node. FIG. 7 is a first schematic diagram of the composition of the information transmission apparatus of an embodiment of the present disclosure. As shown in FIG. 7, the apparatus includes: a first communication unit 31, configured to send a first NLRI to a second node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
In some optional embodiments of the present disclosure, the first NLRI is a Link NLRI or a type 2 NLRI (NLRI Type=2).
In some optional embodiments of the present disclosure, the first NLRI includes a remote node descriptor field, the remote node descriptor field includes a first attribute, the first attribute is used to represent the security capability of the first node, and the remote node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to represent the link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
In some optional embodiments of the present disclosure, the first communication unit 31 is further configured to receive a second NLRI sent by the second node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
In some optional embodiments of the present disclosure, the apparatus further includes a first processing unit 32, configured to determine the second information based at least on the security capability of the first node and the security capability of the second node.
In some optional embodiments of the present disclosure, the first processing unit 32 is configured to: when the first node and the second node are in different security domains, perform a logical AND operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node; or, when the first node and the second node are in the same security domain, perform a logical OR operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node.
In the embodiments of the present disclosure, the first processing unit 32 in the apparatus can in practice be implemented by a central processing unit (CPU), a digital signal processor (DSP), a microcontroller unit (MCU) or a field-programmable gate array (FPGA); the first communication unit 31 in the apparatus can in practice be implemented by a communication module (including a basic communication suite, an operating system, a communication module, standardized interfaces and protocols, etc.) and a transceiver antenna.
An embodiment of the present disclosure further provides an information transmission apparatus applied to the second node. FIG. 8 is a second schematic diagram of the composition of the information transmission apparatus of an embodiment of the present disclosure. As shown in FIG. 8, the apparatus includes: a second communication unit 41, configured to receive a first NLRI sent by a first node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
In some optional embodiments of the present disclosure, the first NLRI is a Link NLRI or a type 2 NLRI (NLRI Type=2).
In some optional embodiments of the present disclosure, the first NLRI includes a remote node descriptor field, the remote node descriptor field includes a first attribute, the first attribute is used to represent the security capability of the first node, and the remote node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
In some optional embodiments of the present disclosure, the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to represent the link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
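As an added illustration of how a Link NLRI can carry the first information in the local or remote node descriptor field and the second information in the link descriptor field (the descriptor embodiments described above for both the first and the second node), the following Python builds and parses such an NLRI using the TLV layout of RFC 7752; it is written for this page and is not the applicant's code. The sub-TLV code SUBTLV_SEC_CAP is an assumed placeholder, and the AS numbers, router IDs and capability vectors are constructed sample values.

```python
import struct
from typing import Dict, List, Tuple

# TLV codes from RFC 7752 (BGP-LS). The security-capability attribute that the
# text places in the node and link descriptors has no code on the page, so
# SUBTLV_SEC_CAP is an assumed placeholder, not a registered value.
NLRI_TYPE_LINK = 2            # Link NLRI ("NLRI Type=2")
PROTOCOL_ID_DIRECT = 4        # RFC 7752 Protocol-ID for directly connected links
TLV_LOCAL_NODE_DESC = 256
TLV_REMOTE_NODE_DESC = 257
TLV_LINK_LOCAL_REMOTE_ID = 258
SUBTLV_AS = 512
SUBTLV_IGP_ROUTER_ID = 515
SUBTLV_SEC_CAP = 0xFF01       # assumed placeholder code


def tlv(tlv_type: int, value: bytes) -> bytes:
    """2-octet type, 2-octet length, value (RFC 7752 TLV layout)."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def sc_to_bytes(sc: List[int]) -> bytes:
    """Pack a SCing 0/1 vector MSB-first, zero-padded to whole octets."""
    if not sc or any(b not in (0, 1) for b in sc):
        raise ValueError("SCing vector must be a non-empty list of 0/1 flags")
    bits = "".join(str(b) for b in sc)
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def sc_from_bytes(data: bytes, n_caps: int) -> List[int]:
    """Unpack the first n_caps flags; reject a value too short to hold them."""
    bits = "".join(f"{byte:08b}" for byte in data)
    if len(bits) < n_caps:
        raise ValueError("security capability TLV shorter than the capability count")
    return [int(c) for c in bits[:n_caps]]


def node_descriptor(tlv_type: int, asn: int, igp_router_id: bytes, sc: List[int]) -> bytes:
    """Local (256) or Remote (257) Node Descriptors TLV: identity sub-TLVs plus
    the (assumed) security capability sub-TLV, i.e. the first information."""
    body = tlv(SUBTLV_AS, struct.pack("!I", asn))
    body += tlv(SUBTLV_IGP_ROUTER_ID, igp_router_id)
    body += tlv(SUBTLV_SEC_CAP, sc_to_bytes(sc))
    return tlv(tlv_type, body)


def link_nlri(identifier: int, local: Tuple[int, bytes, List[int]],
              remote: Tuple[int, bytes, List[int]], link_ids: Tuple[int, int],
              link_sc: List[int]) -> bytes:
    """Link NLRI: header, Protocol-ID, Identifier, local and remote node
    descriptors, then link descriptors including the link-associated security
    capability (the second information)."""
    body = struct.pack("!BQ", PROTOCOL_ID_DIRECT, identifier)
    body += node_descriptor(TLV_LOCAL_NODE_DESC, *local)
    body += node_descriptor(TLV_REMOTE_NODE_DESC, *remote)
    body += tlv(TLV_LINK_LOCAL_REMOTE_ID, struct.pack("!II", *link_ids))
    body += tlv(SUBTLV_SEC_CAP, sc_to_bytes(link_sc))
    return struct.pack("!HH", NLRI_TYPE_LINK, len(body)) + body


def parse_tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV sequence, refusing headers or values that run past the buffer."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV length exceeds enclosing buffer")
        out.append((t, buf[off:off + length]))
        off += length
    return out


def parse_link_nlri(raw: bytes, n_caps: int) -> Dict[str, object]:
    """Receiver side: extract node and link security capabilities from a Link NLRI."""
    if len(raw) < 4:
        raise ValueError("NLRI shorter than its header")
    nlri_type, length = struct.unpack_from("!HH", raw, 0)
    if nlri_type != NLRI_TYPE_LINK:
        raise ValueError("not a Link NLRI")
    body = raw[4:4 + length]
    if len(body) != length or length < 9:
        raise ValueError("truncated NLRI body")
    protocol_id, identifier = struct.unpack_from("!BQ", body, 0)
    out: Dict[str, object] = {"protocol_id": protocol_id, "identifier": identifier}
    for t, value in parse_tlvs(body[9:]):
        if t in (TLV_LOCAL_NODE_DESC, TLV_REMOTE_NODE_DESC):
            side = "local" if t == TLV_LOCAL_NODE_DESC else "remote"
            for st, sv in parse_tlvs(value):
                if st == SUBTLV_AS:
                    out[side + "_as"] = struct.unpack("!I", sv)[0]
                elif st == SUBTLV_SEC_CAP:
                    out[side + "_sc"] = sc_from_bytes(sv, n_caps)
        elif t == SUBTLV_SEC_CAP:
            out["link_sc"] = sc_from_bytes(value, n_caps)
    return out


def build_sample() -> bytes:
    """Constructed sample: node A advertises itself, its neighbour B and the A-B link."""
    return link_nlri(0, (64500, b"\x0a\x00\x00\x01", [1, 0, 0, 1, 0]),
                     (64501, b"\x0a\x00\x00\x02", [1, 1, 0, 1, 0]),
                     (10, 20), [1, 0, 0, 1, 0])
```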
In some optional embodiments of the present disclosure, the apparatus further includes a second processing unit 42, configured to determine the link-associated security capability of the link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node.
In some optional embodiments of the present disclosure, when the second node is connected to a control node, the second communication unit 41 is further configured to send fourth information and/or fifth information to the control node, where the fourth information indicates the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node, the fifth information indicates the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node, and the fourth information and/or the fifth information are used by the control node to determine path information.
In some optional embodiments of the present disclosure, the second processing unit 42 is configured to: when the first node and the second node are two nodes in different security domains, perform a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or, when the first node and the second node are two nodes in the same security domain, perform a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
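As an added example of the AND/OR rule for SCing Association<A,B> (the SCing A and SCing B illustration in the method description and the logic of processing units 32 and 42) and of the control node folding that rule over a link of more than two nodes before checking it against a policy, the following Python is written for this page and is not the applicant's code. The node names, domain labels, the third node's vector and the adjacency-based folding order are assumptions.

```python
from typing import List, Optional, Sequence, Tuple

# A node on a candidate path: (name, security domain, SCing vector of enabled
# capabilities). Domain labels and capability vectors below are constructed
# sample data, not values from the patent.
Node = Tuple[str, int, List[int]]


def validate_sc(sc: Sequence[int]) -> None:
    """A SCing vector holds only 0/1 flags, one per defined security capability."""
    if not sc or any(bit not in (0, 1) for bit in sc):
        raise ValueError("SCing vector must be a non-empty list of 0/1 flags")


def sc_association(sc_a: Sequence[int], sc_b: Sequence[int], same_domain: bool) -> List[int]:
    """SCing Association<A,B>: AND across security domains, OR inside one domain.

    AND keeps only capabilities both ends have enabled, so a link that crosses
    a domain boundary is never credited with a capability one side lacks; OR
    credits the link with whatever either node in the shared domain provides.
    """
    validate_sc(sc_a)
    validate_sc(sc_b)
    if len(sc_a) != len(sc_b):
        raise ValueError("capability vectors must have the same length")
    if same_domain:
        return [a | b for a, b in zip(sc_a, sc_b)]   # SCing A || SCing B
    return [a & b for a, b in zip(sc_a, sc_b)]       # SCing A && SCing B


def path_association(path: Sequence[Node]) -> List[int]:
    """Fold the pairwise rule along a path of two or more nodes.

    Assumption (not stated on the page): the domain comparison is made between
    each node and its predecessor, and the running result is carried forward
    from the ingress node to the egress node.
    """
    if len(path) < 2:
        raise ValueError("a path needs at least two nodes")
    _, prev_domain, first_sc = path[0]
    acc = list(first_sc)
    for _, domain, sc in path[1:]:
        acc = sc_association(acc, sc, same_domain=(domain == prev_domain))
        prev_domain = domain
    return acc


def satisfies(policy: Sequence[int], assoc: Sequence[int]) -> bool:
    """True when every capability the policy requires (1) is present in assoc."""
    if len(policy) != len(assoc):
        raise ValueError("policy and capability vectors must have the same length")
    return all(have == 1 for req, have in zip(policy, assoc) if req == 1)


def select_path(policy: Sequence[int],
                candidates: Sequence[Sequence[Node]]) -> Optional[List[str]]:
    """Controller-side choice: the first candidate path whose whole-link SCing
    Association meets the policy, returned as its list of node names."""
    for path in candidates:
        if satisfies(policy, path_association(path)):
            return [name for name, _, _ in path]
    return None


# Constructed sample: the SCing A / SCing B vectors from the text (truncated to
# five capabilities) plus an assumed third node C in a different security domain.
NODE_A: Node = ("A", 1, [1, 0, 0, 1, 0])
NODE_B: Node = ("B", 1, [1, 1, 0, 1, 0])
NODE_C: Node = ("C", 2, [0, 1, 0, 1, 1])

if __name__ == "__main__":
    print("A,B different domains:", sc_association(NODE_A[2], NODE_B[2], False))
    print("A,B same domain:      ", sc_association(NODE_A[2], NODE_B[2], True))
    print("A->B->C whole link:   ", path_association([NODE_A, NODE_B, NODE_C]))
    print("chosen path:", select_path([0, 1, 0, 1, 0],
                                      [[NODE_A, NODE_C], [NODE_A, NODE_B, NODE_C]]))
```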
In some optional embodiments of the present disclosure, the second communication unit 41 is further configured to send a second NLRI to the first node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
In the embodiments of the present disclosure, the second processing unit 42 in the apparatus can in practice be implemented by a CPU, DSP, MCU or FPGA; the second communication unit 41 in the apparatus can in practice be implemented by a communication module (including a basic communication suite, an operating system, a communication module, standardized interfaces and protocols, etc.) and a transceiver antenna.
It should be noted that when the information transmission apparatus provided in the above embodiments performs information transmission, the division into the above program modules is only an example; in practice, the above processing may be assigned to different program modules as needed, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the information transmission apparatus provided in the above embodiments and the information transmission method embodiments belong to the same concept; the specific implementation is detailed in the method embodiments and is not repeated here.
An embodiment of the present disclosure further provides a node, which is the first node or the second node of the foregoing embodiments. FIG. 9 is a schematic diagram of the hardware composition of the node of an embodiment of the present disclosure. As shown in FIG. 9, the node includes a memory 52, a processor 51, and a computer program stored in the memory 52 and executable on the processor 51; when the processor 51 executes the program, the steps of the information transmission method applied to the first node or the second node in the embodiments of the present disclosure are implemented.
Optionally, the node further includes at least one network interface 53. The components of the node are coupled together via a bus system 54. It is understood that the bus system 54 implements connection and communication between these components. In addition to a data bus, the bus system 54 also includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labeled as bus system 54 in FIG. 9.
It is understood that the memory 52 may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memory 52 described in the embodiments of the present disclosure is intended to include, but is not limited to, these and any other suitable types of memory.
The method disclosed in the above embodiments of the present disclosure may be applied to, or implemented by, the processor 51. The processor 51 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits in hardware in the processor 51 or by instructions in the form of software. The above processor 51 may be a general-purpose processor, a DSP, or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The processor 51 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present disclosure may be executed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the memory 52; the processor 51 reads the information in the memory 52 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the node may be implemented by one or more application specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components to execute the foregoing method.
In an exemplary embodiment, an embodiment of the present disclosure further provides a computer-readable storage medium, for example a memory 52 including a computer program, where the computer program can be executed by the processor 51 of the node to complete the steps of the foregoing method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc or CD-ROM; it may also be any device including one or any combination of the above memories.
An embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the information transmission method applied to the first node or the second node in the embodiments of the present disclosure are implemented.
The methods disclosed in the several method embodiments provided in this application can be combined arbitrarily, provided there is no conflict, to obtain new method embodiments.
The features disclosed in the several product embodiments provided in this application can be combined arbitrarily, provided there is no conflict, to obtain new product embodiments.
The features disclosed in the several method or device embodiments provided in this application can be combined arbitrarily, provided there is no conflict, to obtain new method or device embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed devices and methods may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of the units is only a division by logical function, and other divisions are possible in actual implementation, for instance multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described above as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present disclosure may all be integrated into one processing unit, or each unit may serve separately as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.
A person of ordinary skill in the art can understand that all or part of the steps for implementing the above method embodiments may be completed by hardware related to program instructions; the foregoing program may be stored in a computer-readable storage medium and, when executed, executes the steps of the above method embodiments; the foregoing storage medium includes various media that can store program code, such as mobile storage devices, ROM, RAM, magnetic disks or optical discs.
Alternatively, if the above integrated unit of the present disclosure is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiments of the present disclosure, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the methods described in the embodiments of the present disclosure. The foregoing storage medium includes various media that can store program code, such as mobile storage devices, ROM, RAM, magnetic disks or optical discs.
The above are merely specific embodiments of the present disclosure, but the protection scope of the present disclosure is not limited thereto; any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed in the present disclosure, and these shall all fall within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (21)

  1. An information transmission method, the method comprising:
    a first node sending first network layer reachability information (NLRI) to a second node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  2. The method according to claim 1, wherein the first NLRI is a Link NLRI or a type 2 NLRI.
  3. The method according to claim 1, wherein the first NLRI includes a remote node descriptor field, the remote node descriptor field includes a first attribute, the first attribute is used to represent the security capability of the first node, and the remote node descriptor field includes at least the first information.
  4. The method according to claim 1, wherein the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
  5. The method according to claim 1, wherein the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to represent the link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
  6. The method according to claim 1, wherein the method further comprises:
    the first node receiving a second NLRI sent by the second node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  7. The method according to claim 6, wherein the method further comprises:
    the first node determining the second information based at least on the security capability of the first node and the security capability of the second node.
  8. The method according to claim 7, wherein the first node determining the second information based at least on the security capability of the first node and the security capability of the second node comprises:
    when the first node and the second node are in different security domains, the first node performing a logical AND operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node; or
    when the first node and the second node are in the same security domain, the first node performing a logical OR operation on the security capability of the first node and the security capability of the second node to obtain the link-associated security capability of the link between the first node and the second node.
  9. An information transmission method, the method comprising:
    a second node receiving a first NLRI sent by a first node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  10. The method according to claim 9, wherein the first NLRI is a Link NLRI or a type 2 NLRI.
  11. The method according to claim 9, wherein the first NLRI includes a remote node descriptor field, the remote node descriptor field includes a first attribute, the first attribute is used to represent the security capability of the first node, and the remote node descriptor field includes at least the first information.
  12. The method according to claim 9, wherein the first NLRI includes a local node descriptor field, the local node descriptor field includes a second attribute, the second attribute is used to represent the security capability of the first node, and the local node descriptor field includes at least the first information.
  13. The method according to claim 9, wherein the first NLRI includes a link descriptor field, the link descriptor field includes a third attribute, the third attribute is used to represent the link-associated security capability of the link between the first node and the second node, and the link descriptor field includes at least the second information.
  14. The method according to claim 9, wherein the method further comprises:
    the second node determining the link-associated security capability of the link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node.
  15. The method according to claim 9, wherein, when the second node is connected to a control node, the method further comprises:
    所述第二节点向所述控制节点发送所述第四信息和/或第五信息,所述第四信息表示所述第一节点的安全能力和/或所述第一节点与所述第二节点之间链路的链路关联安全能力;所述第五信息表示所述第二节点的安全能力和/或所述第二节点与所述第一节点之间链路的链路关联安全能力,所述第四信息和/或所述第五信息用于所述控制节点确定路径信息。The second node sends the fourth information and/or the fifth information to the control node, the fourth information represents the security capability of the first node and/or the link-associated security capability of the link between the first node and the second node; the fifth information represents the security capability of the second node and/or the link-associated security capability of the link between the second node and the first node, and the fourth information and/or the fifth information are used by the control node to determine the path information.
  16. 根据权利要求14所述的方法,其中,所述第二节点至少基于所述第二节点的安全能力和所述第一节点的安全能力确定所述第二节点和所述第一节点之间链路的链路关联安全能力,包括:The method according to claim 14, wherein the second node determines the link-associated security capability of the link between the second node and the first node based at least on the security capability of the second node and the security capability of the first node, comprising:
    在所述第一节点和所述第二节点处于不同安全域的两个节点,所述第二节点对所述第二节点的安全能力和所述第一节点的安全能力进行逻辑与操作,得到所述第二节点和所述第一节点之间链路的链路关联安全能力;或者,When the first node and the second node are two nodes in different security domains, the second node performs a logical AND operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node; or
    在所述第一节点和所述第二节点处于相同安全域的两个节点,所述第二节点对所述第二节点的安全能力和所述第一节点的安全能力进行逻辑或操作,得到所述第二节点和所述第一节点之间链路的链路关联安全能力。When the first node and the second node are two nodes in the same security domain, the second node performs a logical OR operation on the security capability of the second node and the security capability of the first node to obtain the link-associated security capability of the link between the second node and the first node.
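The following is an added example, not part of the patent text or any implementation by the applicant: it models the AND/OR rule of claims 8 and 16 and a minimal TLV encoding of the node and link descriptor fields named in claims 11 to 13. Only the descriptor TLV codes 256 and 257 come from RFC 7752 (BGP-LS); the capability bit flags and the attribute type codes 65000 and 65001 are assumed placeholders that the patent does not define.

```python
import struct

# Constructed capability bit flags; the patent defines no concrete values.
CAP_ENCRYPT, CAP_INTEGRITY, CAP_AUTH = 0x1, 0x2, 0x4

# Local/Remote Node Descriptor TLV types as defined in RFC 7752 (BGP-LS).
TLV_LOCAL_NODE, TLV_REMOTE_NODE = 256, 257
# Hypothetical placeholder codes for the security-capability attributes;
# the patent assigns none and these are not registered anywhere.
TLV_NODE_SEC_CAP, TLV_LINK_SEC_CAP = 65000, 65001


def link_security_capability(cap_a: int, cap_b: int, same_domain: bool) -> int:
    """Claims 8 and 16: AND across security domains (the link is only as
    capable as its weaker end), OR inside one domain (capabilities pooled)."""
    return (cap_a | cap_b) if same_domain else (cap_a & cap_b)


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one Type(2)/Length(2)/Value TLV in network byte order."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def parse_tlvs(buf: bytes) -> dict:
    """Decode a TLV sequence; reject a length that runs past the buffer."""
    out, i = {}, 0
    while i + 4 <= len(buf):
        t, ln = struct.unpack_from("!HH", buf, i)
        if i + 4 + ln > len(buf):
            raise ValueError("truncated TLV at offset %d" % i)
        out[t] = buf[i + 4:i + 4 + ln]
        i += 4 + ln
    if i != len(buf):
        raise ValueError("trailing bytes after last TLV")
    return out


def build_link_nlri(local_cap: int, remote_cap: int, link_cap: int) -> bytes:
    """Link NLRI body: a node capability attribute inside each node descriptor
    field, the link-associated capability as a link descriptor TLV."""
    node_cap = lambda c: tlv(TLV_NODE_SEC_CAP, struct.pack("!I", c))
    return (tlv(TLV_LOCAL_NODE, node_cap(local_cap))
            + tlv(TLV_REMOTE_NODE, node_cap(remote_cap))
            + tlv(TLV_LINK_SEC_CAP, struct.pack("!I", link_cap)))


def parse_link_nlri(buf: bytes) -> dict:
    """Recover the three capabilities; a missing field raises KeyError."""
    top = parse_tlvs(buf)
    node_cap = lambda t: struct.unpack("!I", parse_tlvs(top[t])[TLV_NODE_SEC_CAP])[0]
    return {"local": node_cap(TLV_LOCAL_NODE),
            "remote": node_cap(TLV_REMOTE_NODE),
            "link": struct.unpack("!I", top[TLV_LINK_SEC_CAP])[0]}
```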
  17. The method according to claim 9, wherein the method further comprises:
    The second node sends a second NLRI to the first node, where the second NLRI includes at least third information, and the third information indicates the security capability of the second node.
  18. An information transmission apparatus, applied to a first node, the apparatus comprising: a first communication unit configured to send a first NLRI to a second node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  19. An information transmission apparatus, applied to a second node, the apparatus comprising: a second communication unit configured to receive a first NLRI sent by a first node, where the first NLRI includes at least first information and/or second information, the first information indicates the security capability of the first node, and the second information indicates the link-associated security capability of the link between the first node and the second node.
  20. A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 8; or
    which, when executed by a processor, implements the steps of the method according to any one of claims 9 to 17.
  21. A node, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the method according to any one of claims 1 to 8 when executing the program; or
    the processor implements the steps of the method according to any one of claims 9 to 17 when executing the program.
PCT/CN2023/129156 2022-11-03 2023-11-01 Information transmission method and apparatus, node, and storage medium WO2024094082A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211370868.1A CN117998345A (en) 2022-11-03 2022-11-03 Information transmission method, device, node and storage medium
CN202211370868.1 2022-11-03

Publications (1)

Publication Number Publication Date
WO2024094082A1 true WO2024094082A1 (en) 2024-05-10

Family

ID=90889563

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/129156 WO2024094082A1 (en) 2022-11-03 2023-11-01 Information transmission method and apparatus, node, and storage medium

Country Status (2)

Country Link
CN (1) CN117998345A (en)
WO (1) WO2024094082A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9762537B1 (en) * 2008-10-14 2017-09-12 Juniper Networks, Inc. Secure path selection within computer networks
CN108462633A (en) * 2016-12-09 2018-08-28 中兴通讯股份有限公司 Network security routing scheduling method based on SDN and system
US20180270199A1 (en) * 2017-03-16 2018-09-20 Ixia Methods, systems, and computer readable media for advertising network security capabilities
CN114006857A (en) * 2021-10-14 2022-02-01 新华三信息安全技术有限公司 Path planning method and device
CN114465943A (en) * 2020-11-04 2022-05-10 华为技术有限公司 Topological information publishing method, network topology collecting method and equipment

Also Published As

Publication number Publication date
CN117998345A (en) 2024-05-07