CN114157419B - Security routing protocol method and system based on OSPF - Google Patents
- Publication number: CN114157419B (application CN202111438825.8A)
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (all under H04L, Transmission of digital information, e.g. telegraphic communication)
- H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
  - H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    - H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
      - H04L9/0869 Generation of secret information involving random numbers or seeds
    - H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
      - H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L45/00 Routing or path finding of packets in data switching networks
  - H04L45/12 Shortest path evaluation
  - H04L45/16 Multipoint routing
Abstract
The invention provides a secure routing protocol method and a secure routing protocol system based on OSPF. The method comprises the following steps. Step S1: the sender and the receiver of an OSPF protocol message negotiate a random number, where OSPF is the Open Shortest Path First protocol. Step S2: the sender applies hardened encapsulation to the OSPF protocol message to be sent using a hash value, sends the hardened message to the receiver, and assigns a sending sequence number to the hardened message. Step S3: after receiving the hardened message, the receiver extracts its sending sequence number and compares it with the receiving sequence number maintained at the receiving end.
Description
Technical Field
The invention belongs to the field of communication protocols, and in particular relates to an OSPF-based secure routing protocol method and system.
Background
As the network interconnection device, the router directly carries key functions such as route selection and packet forwarding, so its reliability and security bear directly on network performance and on the security of the data it carries. Because of the critical role they play in network communication, the routing protocols running on routers are frequently chosen as targets by attackers. The routing protocols in wide use in large networks today are RIP, IS-IS and OSPF, which compute network-wide routes from distance-vector or link-state information; most of these protocols were designed for performance rather than for secure transmission. Although each of them reserves an authentication field in its message structure, plaintext password authentication of this kind does not guarantee the confidentiality of the transmitted information.
Disclosure of Invention
To address these technical problems, the invention provides an OSPF-based secure routing protocol scheme that achieves security hardening of protocol information and route optimization in a specific scenario. The scheme designs a highly secure and reliable OSPF-based routing protocol method for an application scenario consisting of fixed secure access routers and secure switches, so as to complete route computation within the network and ensure the security and reliability of the whole communication process. First, an authentication mechanism is introduced into the encapsulation and de-encapsulation of message information: a consistent random number is obtained through handshake negotiation, a hash algorithm is used to authenticate the message, and only a message that passes the integrity check is processed further. Second, a custom message format carries the peer's sending and receiving sequence numbers, random numbers, hash values and similar fields, and security checking of the message information is realized through handshake negotiation and encryption/decryption operations. Third, during sending and receiving, message validity is determined by maintaining a sending sequence number and a receiving sequence number, which prevents replay attacks.
The first aspect of the invention discloses an OSPF-based secure routing protocol method. The method comprises the following steps:
step S1: the sender and the receiver of an OSPF protocol message negotiate a random number, where OSPF is the Open Shortest Path First protocol;
step S2: the sender applies hardened encapsulation to the OSPF protocol message to be sent using a hash value, sends the hardened message to the receiver, and assigns a sending sequence number to the hardened message; wherein:
the hash value is determined from the negotiated random number and the OSPF protocol message;
the sending sequence number increases monotonically with each message the sending end sends;
step S3: after receiving the hardened message, the receiver extracts its sending sequence number and compares it with the receiving sequence number maintained at the receiving end; wherein:
the receiving sequence number increases monotonically with each message the receiving end receives;
when the sending sequence number matches the receiving sequence number, the hardened encapsulation is removed from the message using the hash value so as to extract the content of the OSPF protocol message;
and when the sending sequence number is smaller than the receiving sequence number, the hardened message is discarded.
According to the method of the first aspect of the invention, in step S1 the random number negotiation specifically comprises:
a first party, being one of the sender and the receiver, sends a negotiation request to the second party, the negotiation request containing the first party's random number;
after receiving the negotiation request, the second party returns the first party's random number together with its own random number to the first party in a negotiation response message;
and after receiving the negotiation response message, the first party sends a negotiation confirmation message to the second party, which completes the random number negotiation.
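The three-message negotiation above, worked through as an added example in Python (this is not code from the patent or from any product implementing it). The patent describes only a request carrying the first party's random number, a response carrying both random numbers, and a confirmation; the message type tags, the 16-byte random number length, the rule that the shared value is the first party's number followed by the second party's, and the digest carried in the confirmation are all assumptions made here so that both ends can verify they hold the same value. The check that the first party's own random number came back unchanged is the one the detailed description calls out: a mismatch means the negotiation is invalid and no shared value is adopted. Note that nothing in this exchange is secret; the random numbers cross the wire in the clear, so the hash in step S2 binds a message to this negotiation but, on its own, not to a party, which is why the later encapsulation example keys the hash with a pre-shared key (also an assumption beyond the patent text).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Message type tags for the three negotiation messages. The tags and the
# tuple layout are assumptions: the patent only describes a request, a
# response and a confirmation.
NEG_REQUEST, NEG_RESPONSE, NEG_CONFIRM = 1, 2, 3
NONCE_LEN = 16  # assumed random number length in bytes


def derive_shared_random(first_nonce: bytes, second_nonce: bytes) -> bytes:
    """The 'consistent random number' both sides end up with.

    Assumption: the negotiated value is the first party's random number followed
    by the second party's, in that fixed order, so both ends derive the same
    bytes regardless of which role they played in the handshake.
    """
    return first_nonce + second_nonce


@dataclass
class Negotiator:
    name: str
    local_nonce: bytes = b""
    peer_nonce: bytes = b""
    negotiated: bytes = b""  # empty until the negotiation completes

    # --- first party -------------------------------------------------------
    def request(self) -> tuple:
        """Step 1: generate a fresh random number and send it in the request."""
        self.local_nonce = os.urandom(NONCE_LEN)
        return (NEG_REQUEST, self.local_nonce)

    def confirm(self, response: tuple) -> tuple:
        """Step 3: check that our own random number came back unchanged, adopt
        the peer's random number, and send the confirmation."""
        kind, echoed_nonce, second_nonce = response
        if kind != NEG_RESPONSE:
            raise ValueError("unexpected message type in negotiation response")
        if not hmac.compare_digest(echoed_nonce, self.local_nonce):
            # The peer (or something in the path) returned a different value:
            # the negotiation is invalid and no shared random number is adopted.
            raise ValueError("echoed random number does not match ours")
        self.peer_nonce = second_nonce
        self.negotiated = derive_shared_random(self.local_nonce, self.peer_nonce)
        # Assumption: the confirmation carries a digest of the negotiated value
        # so the second party can check that both sides agree before using it.
        return (NEG_CONFIRM, hashlib.sha256(self.negotiated).digest())

    # --- second party ------------------------------------------------------
    def respond(self, request: tuple) -> tuple:
        """Step 2: record the first party's random number, add our own, and
        return both in the response."""
        kind, first_nonce = request
        if kind != NEG_REQUEST or len(first_nonce) != NONCE_LEN:
            raise ValueError("malformed negotiation request")
        self.peer_nonce = first_nonce
        self.local_nonce = os.urandom(NONCE_LEN)
        return (NEG_RESPONSE, self.peer_nonce, self.local_nonce)

    def finish(self, confirmation: tuple) -> bytes:
        """Accept the confirmation only if it matches our view of the value."""
        kind, digest = confirmation
        candidate = derive_shared_random(self.peer_nonce, self.local_nonce)
        expected = hashlib.sha256(candidate).digest()
        if kind != NEG_CONFIRM or not hmac.compare_digest(digest, expected):
            raise ValueError("confirmation does not match negotiated random number")
        self.negotiated = candidate
        return self.negotiated


def negotiate(first: Negotiator, second: Negotiator) -> bytes:
    """Run the three-message exchange in-process and return the shared value."""
    req = first.request()          # first party  -> second party
    resp = second.respond(req)     # second party -> first party
    conf = first.confirm(resp)     # first party  -> second party
    second.finish(conf)
    assert first.negotiated == second.negotiated
    return first.negotiated


if __name__ == "__main__":
    a, b = Negotiator("access-router"), Negotiator("core-router")
    print("negotiated random number:", negotiate(a, b).hex())
```

The roles are fixed per handshake (whoever sends the request is the first party), which is what makes the derivation order unambiguous; a real implementation would also bind the exchange to interface identity and would time out a negotiation whose confirmation never arrives.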
According to the method of the first aspect of the invention, step S2 specifically comprises:
computing the hash value with a hash algorithm over the negotiated random number and the OSPF protocol message;
appending the hash value at the tail of the OSPF protocol message to complete the hardened encapsulation;
and placing the sending sequence number in the sequence number field at the head of the hardened message.
According to the method of the first aspect of the invention, in step S3, removing the hardened encapsulation from the message using the hash value when the sending sequence number matches the receiving sequence number specifically comprises:
the receiver computes a verification hash value with the hash algorithm over the negotiated random number and the OSPF protocol message, in order to verify the integrity of the hardened message;
when the verification hash value matches the hash value carried in the message, integrity verification is complete and the hardened encapsulation is removed to obtain the content of the OSPF protocol message;
and when the verification hash value does not match the carried hash value, the received hardened message is discarded.
According to the method of the first aspect of the invention, in step S3, when the sending sequence number of a received hardened message is greater than the receiving sequence number maintained by the receiver, the sending sequence number is adopted as the receiver's new receiving sequence number.
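Steps S2 and S3 worked through end to end, as an added Python example that is not the patent's own code. The message layout follows the claims: a sequence number field at the head, the OSPF message in the middle, the hash value at the tail; the receiver checks the sequence number first and the hash second, discards on a smaller sequence number or a hash mismatch, and adopts a larger sequence number as its new receiving sequence number. Three things are assumptions beyond the page: the 4-byte width of the sequence number field, the use of HMAC-SHA256 keyed with a pre-shared key in place of an unspecified "hash algorithm provided by the cryptographic module", and the inclusion of the sequence number header in the hashed data (the patent hashes only the random number and the OSPF message; covering the header as well means the header cannot be rewritten without failing the check). The negotiated random number and the OSPF Hello header are constructed values.

```python
import hashlib
import hmac
import struct

SEQ_HDR = struct.Struct("!I")            # 4-byte big-endian sequence number (width assumed)
DIGEST_LEN = hashlib.sha256().digest_size

# Constructed stand-ins for the outcome of the random number negotiation and
# for a pre-shared key. The key is an assumption beyond the patent text: with
# it, the "hash value" is an HMAC rather than a plain hash over public data.
NEGOTIATED_RANDOM = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0" "00112233445566778899aabbccddeeff")
PSK = b"example-pre-shared-key"


def ospf_hello_header(router_id: str) -> bytes:
    """Constructed 24-byte OSPFv2 packet header (RFC 2328 layout) for a Hello
    packet with an empty body; the OSPF checksum is left at zero because only
    the bytes matter for this example."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    # version, type(1=Hello), length, router id, area id, checksum, autype, auth
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24, rid, b"\x00" * 4, 0, 0, b"\x00" * 8)


def protection_hash(random_value: bytes, seq: int, ospf_msg: bytes, key: bytes = PSK) -> bytes:
    """Hash over the negotiated random number and the OSPF message, as in the
    patent, plus the sequence number header (an addition made here)."""
    return hmac.new(key, random_value + SEQ_HDR.pack(seq) + ospf_msg, hashlib.sha256).digest()


class Sender:
    def __init__(self, random_value: bytes):
        self.random_value = random_value
        self.send_seq = 0

    def encapsulate(self, ospf_msg: bytes) -> bytes:
        self.send_seq += 1                              # increases with every message sent
        tag = protection_hash(self.random_value, self.send_seq, ospf_msg)
        return SEQ_HDR.pack(self.send_seq) + ospf_msg + tag   # head: seq; tail: hash


class Receiver:
    def __init__(self, random_value: bytes):
        self.random_value = random_value
        self.recv_seq = 0                               # last accepted sequence number

    def decapsulate(self, frame: bytes) -> tuple:
        """Return (ospf_msg, "ok") on success or (None, reason) on discard."""
        if len(frame) < SEQ_HDR.size + DIGEST_LEN:
            return None, "too short"
        (seq,) = SEQ_HDR.unpack_from(frame)
        body = frame[SEQ_HDR.size:-DIGEST_LEN]
        tag = frame[-DIGEST_LEN:]
        expected = self.recv_seq + 1
        if seq < expected:
            return None, "replay"                       # sending seq below receiving seq: discard
        if not hmac.compare_digest(tag, protection_hash(self.random_value, seq, body)):
            return None, "bad hash"                     # integrity failure: discard, seq unchanged
        self.recv_seq = seq                             # equal: in order; greater: adopt as new recv seq
        return body, "ok"


def run_demo() -> list:
    """Drive one sender/receiver pair through in-order, replayed, lost, late and
    tampered messages; return the receiver's verdict for each delivery."""
    tx, rx = Sender(NEGOTIATED_RANDOM), Receiver(NEGOTIATED_RANDOM)
    f1, f2, f3, f4 = (tx.encapsulate(ospf_hello_header("10.0.0.1")) for _ in range(4))
    # flip one bit inside the OSPF header of f4 (the router id), keeping seq and tag
    off = SEQ_HDR.size + 4
    tampered = f4[:off] + bytes([f4[off] ^ 0x01]) + f4[off + 1:]
    return [rx.decapsulate(frame)[1] for frame in (f1, f1, f3, f2, tampered)]


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the five outcomes the claims describe in order: the first message is accepted, its replay is dropped, message 3 arriving before message 2 is accepted and moves the receiving sequence number to 3, the late message 2 is then dropped as a replay, and the tampered message 4 passes the sequence check but fails the hash and leaves the receiving sequence number untouched.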
A second aspect of the invention discloses an OSPF-based secure routing protocol system. The system comprises:
a first processing unit configured to have the sender and the receiver of an OSPF protocol message negotiate a random number, where OSPF is the Open Shortest Path First protocol;
a second processing unit configured to have the sender apply hardened encapsulation to the OSPF protocol message to be sent using a hash value, send the hardened message to the receiver, and assign a sending sequence number to the hardened message; wherein:
the hash value is determined from the negotiated random number and the OSPF protocol message;
the sending sequence number increases monotonically with each message the sending end sends;
a third processing unit configured to have the receiver, after receiving the hardened message, extract its sending sequence number and compare it with the receiving sequence number maintained at the receiving end; wherein:
the receiving sequence number increases monotonically with each message the receiving end receives;
when the sending sequence number matches the receiving sequence number, the hardened encapsulation is removed from the message using the hash value so as to extract the content of the OSPF protocol message;
and when the sending sequence number is smaller than the receiving sequence number, the hardened message is discarded.
According to the system of the second aspect of the invention, the first processing unit is specifically configured to:
have a first party, being one of the sender and the receiver, send a negotiation request to the second party, the negotiation request containing the first party's random number;
have the second party, after receiving the negotiation request, return the first party's random number together with its own random number to the first party in a negotiation response message;
and have the first party, after receiving the negotiation response message, send a negotiation confirmation message to the second party, which completes the random number negotiation.
According to the system of the second aspect of the invention, the second processing unit is specifically configured to:
compute the hash value with a hash algorithm over the negotiated random number and the OSPF protocol message;
append the hash value at the tail of the OSPF protocol message to complete the hardened encapsulation;
and place the sending sequence number in the sequence number field at the head of the hardened message.
According to the system of the second aspect of the invention, the third processing unit is specifically configured so that, when the sending sequence number matches the receiving sequence number, removing the hardened encapsulation from the message using the hash value specifically comprises:
having the receiver compute a verification hash value with the hash algorithm over the negotiated random number and the OSPF protocol message, in order to verify the integrity of the hardened message;
when the verification hash value matches the hash value carried in the message, completing integrity verification and removing the hardened encapsulation to obtain the content of the OSPF protocol message;
and when the verification hash value does not match the carried hash value, discarding the received hardened message.
According to the system of the second aspect of the invention, the third processing unit is further configured so that, when the sending sequence number of a received hardened message is greater than the receiving sequence number maintained by the receiving end, the sending sequence number is adopted as the receiving end's new receiving sequence number.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory storing a computer program and a processor which, when executing the computer program, implements the steps of the OSPF-based secure routing protocol method according to any embodiment of the first aspect of the disclosure.
A fourth aspect of the invention discloses a computer-readable storage medium. The medium stores a computer program which, when executed by a processor, implements the steps of the OSPF-based secure routing protocol method according to any embodiment of the first aspect of the disclosure.
In summary, in the technical scheme provided by the invention an additional message authentication mechanism is introduced into the protocol during the encapsulation and de-encapsulation of message information: a consistent random number is obtained through handshake negotiation, and the message is authenticated with a hash algorithm provided by a cryptographic module, which ensures the security and reliability of the communication process. A custom message format carries the sending and receiving sequence numbers, random numbers, hash values and similar fields, and security checking of the message information is realized through handshake negotiation and encryption/decryption operations. The value ranges of these fields are not restricted, nor is the specific encryption and decryption method.
The invention provides a secure routing protocol scheme for scenarios with high reliability requirements. It standardizes the application entities and structural components of the OSPF-based secure routing protocol, specifies its message encapsulation format and its sending and receiving flows, and provides the network with a highly secure and reliable routing mechanism.
Drawings
To illustrate the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are briefly described below. The drawings described below show some embodiments of the invention; a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the communication entity model according to an embodiment of the invention;
FIG. 2 is a flow chart of the OSPF-based secure routing protocol method according to an embodiment of the invention;
FIG. 3 is a flow chart of the random number negotiation according to an embodiment of the invention;
FIG. 4 is a flow chart of protocol security hardening (outbound direction) according to an embodiment of the invention;
FIG. 5 is a flow chart of protocol security processing (inbound direction) according to an embodiment of the invention;
FIG. 6 is a block diagram of the OSPF-based secure routing protocol system according to an embodiment of the invention;
FIG. 7 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some embodiments of the invention, not all of them. All other embodiments that a person skilled in the art could obtain from the described embodiments without inventive effort fall within the scope of the invention.
The first aspect of the invention discloses an OSPF-based secure routing protocol method. The secure routing protocol relies on the OSPF protocol. FIG. 1 is a schematic diagram of the communication entity model according to an embodiment of the invention; as shown in FIG. 1, the secure routing protocol operates at the application layer. The secure routing protocol is symmetric: the two communicating entities are peers, and the devices running the protocol include a secure core router and a secure access router. The router can be divided into two components, a routing entity and a secure routing protocol entity (SQRP); the routing entity configures the parameters of the SQRP entity from information such as the routing policy table, secure physical (real) links and secure virtual links.
FIG. 2 is a flow chart of the OSPF-based secure routing protocol method according to an embodiment of the invention; as shown in FIG. 2, the method comprises:
step S1: the sender and the receiver of an OSPF protocol message negotiate a random number, where OSPF is the Open Shortest Path First protocol;
step S2: the sender applies hardened encapsulation to the OSPF protocol message to be sent using a hash value, sends the hardened message to the receiver, and assigns a sending sequence number to the hardened message; wherein:
the hash value is determined from the negotiated random number and the OSPF protocol message;
the sending sequence number increases monotonically with each message the sending end sends;
step S3: after receiving the hardened message, the receiver extracts its sending sequence number and compares it with the receiving sequence number maintained at the receiving end; wherein:
the receiving sequence number increases monotonically with each message the receiving end receives;
when the sending sequence number matches the receiving sequence number, the hardened encapsulation is removed from the message using the hash value so as to extract the content of the OSPF protocol message;
and when the sending sequence number is smaller than the receiving sequence number, the hardened message is discarded.
In step S1, the sender and the receiver of the OSPF protocol message negotiate a random number, where OSPF is the Open Shortest Path First protocol.
In some embodiments, in step S1 the random number negotiation specifically comprises:
a first party, being one of the sender and the receiver, sends a negotiation request to the second party, the negotiation request containing the first party's random number;
after receiving the negotiation request, the second party returns the first party's random number together with its own random number to the first party in a negotiation response message;
and after receiving the negotiation response message, the first party sends a negotiation confirmation message to the second party, which completes the random number negotiation.
FIG. 3 is a flow chart of the random number negotiation according to an embodiment of the invention. As shown in FIG. 3, security hardening of the protocol information first requires the two parties to negotiate a random number. The random number is checked first: if the random number returned in the peer's negotiation response matches the device's own local random number, the negotiation is considered valid and the random number negotiation is complete.
In step S2, the sender applies hardened encapsulation to the OSPF protocol message to be sent using a hash value, sends the hardened message to the receiver, and assigns a sending sequence number to the hardened message; wherein:
the hash value is determined from the negotiated random number and the OSPF protocol message;
the sending sequence number increases monotonically with each message the sending end sends.
In some embodiments, step S2 specifically comprises:
computing the hash value with a hash algorithm over the negotiated random number and the OSPF protocol message;
appending the hash value at the tail of the OSPF protocol message to complete the hardened encapsulation;
and placing the sending sequence number in the sequence number field at the head of the hardened message.
Specifically, the hardened encapsulation of OSPF protocol message information can be regarded as a first-stage authentication: the receiving side verifies the integrity of the received message from its hash value, using the random number negotiated in advance and the hash algorithm provided by the cryptographic module, and thereby authenticates the message.
FIG. 4 is a flow chart of protocol security hardening (outbound direction) according to an embodiment of the invention. As shown in FIG. 4, the OSPF protocol data to be hardened is wrapped with the security-hardening information and the sequence number of the protocol interface is incremented by 1; a hash value is computed over the protocol data and the related fields with the hash algorithm provided by the cryptographic module; and the hash value is appended at the tail of the message.
In step S3, after receiving the hardened message, the receiver extracts its sending sequence number and compares it with the receiving sequence number maintained at the receiving end; wherein:
the receiving sequence number increases monotonically with each message the receiving end receives;
when the sending sequence number matches the receiving sequence number, the hardened encapsulation is removed from the message using the hash value so as to extract the content of the OSPF protocol message;
and when the sending sequence number is smaller than the receiving sequence number, the hardened message is discarded.
In some embodiments, in step S3, removing the hardened encapsulation from the message using the hash value when the sending sequence number matches the receiving sequence number specifically comprises:
the receiver computes a verification hash value with the hash algorithm over the negotiated random number and the OSPF protocol message, in order to verify the integrity of the hardened message;
when the verification hash value matches the hash value carried in the message, integrity verification is complete and the hardened encapsulation is removed to obtain the content of the OSPF protocol message;
and when the verification hash value does not match the carried hash value, the received hardened message is discarded.
FIG. 5 is a flow chart of protocol security processing (inbound direction) according to an embodiment of the invention. As shown in FIG. 5, the validity of the sequence number is judged by a sliding-window mechanism and replayed protocol data is discarded; the hash value part of the message is taken and its integrity is verified, and messages whose hash comparison fails are logged and discarded; for a message judged not to be a replay, the security-hardening encapsulation is removed to extract the protocol payload, and the interface sequence number is incremented by 1.
In some embodiments, in step S3, when the sending sequence number of a received hardened message is greater than the receiving sequence number maintained by the receiving end, the sending sequence number is adopted as the receiving end's new receiving sequence number.
Specifically, when a message is sent, the sequence number is incremented per interface. When a message is received, if the sending sequence number carried in the message is greater than the local receiving sequence number and the hash value verifies successfully, the local receiving sequence number is set to the sending sequence number carried in the message; otherwise the message is discarded. If the receiving sequence number carried in the message is greater than the local sending sequence number, the local sending sequence number is set to the receiving sequence number carried in the message.
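The inbound flow of FIG. 5 names a sliding-window check on the sequence number but does not specify the window, while the claims describe the strict rule of accepting only a sequence number equal to or greater than the one last accepted. The following added Python example (not the patent's code) shows the window variant as it is usually built for anti-replay in packet protocols: a bitmap over the last `size` sequence numbers, so that a message delayed behind its successors is still accepted once and only once, while anything older than the window or already seen is discarded. The window size, the bitmap representation and the rule that sequence numbers start at 1 are assumptions. One detail worth copying is the split between `check` and `update`: the window is only advanced after the hash check succeeds, matching the order in FIG. 5, so a forged message with a large sequence number and a bad hash cannot push the window forward and cause genuine messages to be rejected.

```python
class SlidingReplayWindow:
    """Bitmap anti-replay window over the last `size` sequence numbers.

    `highest` is the largest sequence number accepted so far; bit k of `bitmap`
    is set when sequence number (highest - k) has been accepted. Sequence
    numbers start at 1, so 0 is never valid (assumption).
    """

    def __init__(self, size: int = 64):
        if size < 1:
            raise ValueError("window size must be positive")
        self.size = size
        self.highest = 0
        self.bitmap = 0
        self._mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Sequence-number validity only; does not change the window."""
        if seq <= 0:
            return False
        if seq > self.highest:
            return True                      # newer than anything seen
        diff = self.highest - seq
        if diff >= self.size:
            return False                     # older than the window: treat as replay
        return not (self.bitmap & (1 << diff))   # inside the window, not yet seen

    def update(self, seq: int) -> None:
        """Record `seq` as accepted. Call only after check() and the hash
        verification both succeed, so unverified messages cannot move the window."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) & self._mask) if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def filter_sequence(seqs, size: int = 8, verify=lambda seq: True) -> list:
    """Apply the inbound order from FIG. 5 to a list of sequence numbers:
    window check, then the (stand-in) hash verification, then window update.
    `verify` stands in for the hash comparison and defaults to always passing."""
    window = SlidingReplayWindow(size)
    verdicts = []
    for seq in seqs:
        accepted = window.check(seq) and verify(seq)
        if accepted:
            window.update(seq)
        verdicts.append(accepted)
    return verdicts


if __name__ == "__main__":
    # constructed arrival order: in order, a gap, late arrivals, replays, a jump
    print(filter_sequence([1, 2, 5, 3, 5, 2, 4, 1, 20, 13, 12], size=8))
```

With the constructed input, message 3 arriving after 5 is accepted because it is still inside the window, the second copies of 5 and 2 are rejected as already seen, the jump to 20 clears the window, 13 is accepted as the oldest number still inside it, and 12 is rejected as too old. The strict rule from the claims is the degenerate case of a window of size 1 with "greater than" treated as in order.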
A second aspect of the present invention discloses a secure routing protocol system for OSPF-based applications. FIG. 6 is a block diagram of an OSPF-based secure routing protocol system in accordance with an embodiment of the present invention; as shown in fig. 6, the system 600 includes:
a first processing unit 601, configured to invoke a sender and a receiver of an OSPF protocol packet to perform random number negotiation, where OSPF is an open shortest path first protocol;
a second processing unit 602, configured to invoke the sender, encapsulate and consolidate the OSPF protocol packet to be sent by using a hash value, send the encapsulated and consolidated OSPF protocol packet to the receiver, and allocate a sending sequence number for the encapsulated and consolidated OSPF protocol packet; wherein:
the hash value is determined based on the negotiated random number and the OSPF protocol message;
the sending sequence numbers are gradually increased according to the sequence of each message sent by the sending end;
a third processing unit 603, configured to invoke the receiver, after receiving the encapsulated and consolidated OSPF protocol packet, to extract the sending sequence number of the encapsulated and consolidated OSPF protocol packet, and to compare the sending sequence number with a receiving sequence number maintained by a receiving end; wherein:
the receiving sequence number is gradually increased according to the sequence of the receiving end for receiving each message;
when the sending sequence number is consistent with the receiving sequence number, performing decapsulation strengthening processing on the encapsulated and strengthened OSPF protocol message by adopting the hash value so as to extract the content in the OSPF protocol message;
and discarding the encapsulated and reinforced OSPF protocol message when the sending sequence number is smaller than the receiving sequence number.
According to the system of the second aspect of the present invention, the first processing unit 601 is specifically configured to:
invoking a first party in the sender and the receiver, and sending a negotiation request to a second party, wherein the negotiation request comprises a random number of the first party;
invoking the second party, and after receiving the negotiation request, transmitting the random number of the first party and the random number of the second party to the first party through a negotiation request response message;
and calling the first party, and after receiving the negotiation request response message, sending a negotiation confirmation message to the second party so as to complete the random number negotiation.
According to the system of the second aspect of the present invention, the second processing unit 602 is specifically configured to:
calculating the hash value by using a hash algorithm based on the negotiated random number and the OSPF protocol message;
encapsulating the hash value at the tail of the OSPF protocol message to finish the encapsulation and reinforcement;
and distributing the sending sequence number in a sequence number field of the head part of the encapsulated and reinforced OSPF protocol message.
According to the system of the second aspect of the present invention, the third processing unit 603 is specifically configured to: when the sending sequence number is consistent with the receiving sequence number, the decapsulation processing is performed on the encapsulated and reinforced OSPF protocol message by using the hash value, and specifically comprises the following steps:
invoking the receiver, and calculating a verification hash value for verifying the integrity of the encapsulated and reinforced OSPF protocol message by using a hash algorithm based on the negotiated random number and the OSPF protocol message;
when the verification hash value is consistent with the hash value, completing the integrity verification, and performing the decapsulation and reinforcement processing on the encapsulated and reinforced OSPF protocol message to obtain the content in the OSPF protocol message;
and discarding the received encapsulated and reinforced OSPF protocol message when the verification hash value is inconsistent with the hash value.
According to the system of the second aspect of the present invention, the third processing unit 603 is further configured to: when the sending sequence number of the encapsulated and reinforced OSPF protocol message received by the receiver is larger than the receiving sequence number maintained by the receiving end, take the sending sequence number as the new receiving sequence number of the receiving end.
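The handshake (first processing unit), the encapsulation with tail hash and head sequence number (second processing unit) and the receive-side sequence and integrity checks (third processing unit), as an added example that is not the patent's own code. It assumes HMAC-SHA256 keyed with the two concatenated random numbers (the page fixes neither the hash algorithm nor how the negotiated value is used), a 4-byte big-endian sequence number field, and a receiving sequence number that tracks the next expected value, so that a replayed message compares as smaller and is discarded.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

TAG_LEN = 32  # SHA-256 digest size, appended at the tail of the message
SEQ_LEN = 4   # sequence number field at the head of the message (assumption)


class Party:
    """One OSPF speaker; both sender and receiver of reinforced messages."""

    def __init__(self, rand: Optional[bytes] = None):
        self.rand = rand if rand is not None else os.urandom(16)  # own random number
        self.key = b""       # negotiated value, set once the handshake completes
        self.send_seq = 0    # last sending sequence number used on this interface
        self.recv_seq = 1    # next sending sequence number expected from the peer

    # --- step S1: random number negotiation (request / response / confirmation) ---
    def negotiation_request(self) -> dict:
        return {"type": "request", "rand_first": self.rand}

    def negotiation_response(self, req: dict) -> dict:
        # the second party returns both random numbers to the first party
        self.key = req["rand_first"] + self.rand
        return {"type": "response", "rand_first": req["rand_first"],
                "rand_second": self.rand}

    def negotiation_confirm(self, resp: dict) -> dict:
        if resp["rand_first"] != self.rand:      # our own value must be echoed back
            raise ValueError("negotiation response does not match our random number")
        self.key = self.rand + resp["rand_second"]
        return {"type": "confirm"}

    # --- step S2: encapsulate and reinforce the message to be sent ---
    def encapsulate(self, ospf_msg: bytes) -> bytes:
        self.send_seq += 1                       # increases with every message sent
        tag = hmac.new(self.key, ospf_msg, hashlib.sha256).digest()  # assumption: HMAC
        return struct.pack("!I", self.send_seq) + ospf_msg + tag

    # --- step S3: sequence number check, integrity check, decapsulation ---
    def decapsulate(self, pkt: bytes) -> Optional[bytes]:
        """Return the OSPF message content, or None when the packet is discarded."""
        if len(pkt) < SEQ_LEN + TAG_LEN:
            return None
        seq = struct.unpack("!I", pkt[:SEQ_LEN])[0]
        body, tag = pkt[SEQ_LEN:-TAG_LEN], pkt[-TAG_LEN:]
        if seq < self.recv_seq:                  # smaller than expected: old or replayed
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # verification hash mismatch
            return None
        # consistent (seq == recv_seq) or larger (a lost message is tolerated):
        # the sending sequence number becomes the new receiving sequence number
        self.recv_seq = seq + 1
        return body


def negotiate(first: Party, second: Party) -> bytes:
    """Run the three-message handshake; returns the value both parties now share."""
    req = first.negotiation_request()
    resp = second.negotiation_response(req)
    first.negotiation_confirm(resp)
    if first.key != second.key:
        raise ValueError("negotiation failed")
    return first.key


if __name__ == "__main__":
    a, b = Party(b"\x01" * 16), Party(b"\x02" * 16)   # constructed random numbers
    negotiate(a, b)
    pkt = a.encapsulate(b"Hello LSA")                  # constructed OSPF payload
    print(b.decapsulate(pkt))                          # b'Hello LSA'
    print(b.decapsulate(pkt))                          # None: replay discarded
```

A tampered body, a replayed packet and a packet older than the last accepted one are all discarded before the receiving sequence number moves, while a gap caused by a lost message is tolerated as the page specifies.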
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory storing a computer program and a processor implementing the steps in an OSPF-based secure routing protocol method according to any of the first aspects of the present disclosure when the computer program is executed.
Fig. 7 is a block diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 7, the electronic device includes a processor, a memory, a communication interface, a display screen and an input device connected through a system bus. The processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the environment in which the operating system and computer program stored in the non-volatile storage medium run. The communication interface of the electronic device is used for wired or wireless communication with an external terminal; the wireless communication can be achieved through WIFI, an operator network, Near Field Communication (NFC) or other technologies. The display screen of the electronic device can be a liquid crystal display screen or an electronic ink display screen, and the input device can be a touch layer covering the display screen, keys, a track ball or a touch pad arranged on the housing of the electronic device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in fig. 7 is merely a diagram of the portion related to the technical solution of the present disclosure and does not limit the electronic device to which the present solution is applied; a specific electronic device may include more or fewer components than those shown in the drawings, may combine some components, or may have a different arrangement of components.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of an OSPF-based secure routing protocol method according to any of the first aspects of the present disclosure.
In summary, in the technical scheme provided by the invention, an additional information authentication mechanism is introduced into the protocol during the encapsulation and decapsulation of message information: a consistent random number is obtained through handshake negotiation, and the message is authenticated with a hash algorithm provided by a cryptographic module, so that the security and reliability of the communication process are ensured. A self-defined message format carries the sequence number, random number and hash value fields on sending and receiving, and the security check of the message information is implemented through the handshake negotiation and the encapsulation and decapsulation operations. The value range of these fields is not limited, nor is the specific encryption and decryption method adopted.
The invention provides a secure routing protocol scheme for a high-reliability demand scene, which standardizes application entities and structure components of the secure routing protocol based on OSPF, prescribes a message encapsulation format and a receiving and dispatching flow of the secure routing protocol based on OSPF, and provides a high-safety and reliable routing mechanism for a network.
Note that the technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be regarded as the scope of the description. The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.
Claims (6)
1. An OSPF-based secure routing protocol method, the method comprising:
step S1, a sender and a receiver of an OSPF protocol message carry out random number negotiation, wherein the OSPF is an open shortest path first protocol;
step S2, the sender encapsulates and consolidates the OSPF protocol message to be sent by adopting a hash value, sends the encapsulated and consolidated OSPF protocol message to the receiver, and distributes a sending sequence number for the encapsulated and consolidated OSPF protocol message; wherein:
the hash value is determined based on the negotiated random number and the OSPF protocol message;
the sending sequence numbers are gradually increased according to the sequence of each message sent by the sending end;
step S3, after receiving the encapsulated and reinforced OSPF protocol message, the receiver extracts the sending sequence number of the encapsulated and reinforced OSPF protocol message and compares the sending sequence number with the receiving sequence number maintained by the receiving end; wherein:
the receiving sequence number is gradually increased according to the sequence of the receiving end for receiving each message;
when the sending sequence number is consistent with the receiving sequence number, performing decapsulation processing on the encapsulated and reinforced OSPF protocol message by using the hash value so as to extract the content of the OSPF protocol message;
discarding the encapsulated and reinforced OSPF protocol message when the sending sequence number is smaller than the receiving sequence number;
in the step S1, the random number negotiation specifically includes:
a first party in the sender and the receiver sends a negotiation request to a second party, wherein the negotiation request contains a random number of the first party;
after receiving the negotiation request, the second party sends the random number of the first party and the random number of the second party to the first party through a negotiation request response message;
after receiving the negotiation request response message, the first party sends a negotiation confirmation message to the second party so as to complete the random number negotiation;
the step S2 specifically includes:
calculating the hash value by using a hash algorithm based on the negotiated random number and the OSPF protocol message;
encapsulating the hash value at the tail of the OSPF protocol message to finish the encapsulation and reinforcement; and distributing the sending sequence number in a sequence number field of the head part of the encapsulated and reinforced OSPF protocol message.
2. The method according to claim 1, wherein in step S3, when the sending sequence number is consistent with the receiving sequence number, the decapsulation processing is performed on the encapsulated and reinforced OSPF protocol message by using the hash value, and specifically includes:
the receiver calculates a verification hash value for verifying the integrity of the encapsulated and reinforced OSPF protocol message by using a hash algorithm based on the negotiated random number and the OSPF protocol message;
when the verification hash value is consistent with the hash value, completing the integrity verification, and performing the decapsulation and reinforcement processing on the encapsulated and reinforced OSPF protocol message to obtain the content in the OSPF protocol message;
and discarding the received encapsulated and reinforced OSPF protocol message when the verification hash value is inconsistent with the hash value.
3. The method according to claim 2, wherein in the step S3, when the sending sequence number of the encapsulated and reinforced OSPF protocol packet received by the receiving party is greater than the receiving sequence number maintained by the receiving party, the sending sequence number is taken as the new receiving sequence number of the receiving party.
4. An OSPF-based secure routing protocol system, the system comprising:
the first processing unit is configured to call a sender and a receiver of an OSPF protocol message to carry out random number negotiation, wherein the OSPF is an open shortest path first protocol;
the second processing unit is configured to call the sender, package and consolidate the OSPF protocol message to be sent by adopting a hash value, send the packaged and consolidated OSPF protocol message to the receiver, and allocate a sending sequence number for the packaged and consolidated OSPF protocol message; wherein:
the hash value is determined based on the negotiated random number and the OSPF protocol message;
the sending sequence numbers are gradually increased according to the sequence of each message sent by the sending end;
the third processing unit is configured to call the receiver, extract the sending sequence number of the encapsulated and reinforced OSPF protocol message after receiving the encapsulated and reinforced OSPF protocol message, and compare the sending sequence number with the receiving sequence number maintained by the receiving end; wherein:
the receiving sequence number is gradually increased according to the sequence of the receiving end for receiving each message;
when the sending sequence number is consistent with the receiving sequence number, performing decapsulation processing on the encapsulated and reinforced OSPF protocol message by using the hash value so as to extract the content of the OSPF protocol message;
discarding the encapsulated and reinforced OSPF protocol message when the sending sequence number is smaller than the receiving sequence number;
wherein the first processing unit is specifically configured to:
invoking a first party in the sender and the receiver, and sending a negotiation request to a second party, wherein the negotiation request comprises a random number of the first party;
invoking the second party, and after receiving the negotiation request, transmitting the random number of the first party and the random number of the second party to the first party through a negotiation request response message;
invoking the first party, and after receiving the negotiation request response message, sending a negotiation confirmation message to the second party so as to complete the random number negotiation;
wherein the second processing unit is specifically configured to:
calculating the hash value by using a hash algorithm based on the negotiated random number and the OSPF protocol message;
encapsulating the hash value at the tail of the OSPF protocol message to finish the encapsulation and reinforcement; and distributing the sending sequence number in a sequence number field of the head part of the encapsulated and reinforced OSPF protocol message.
5. The OSPF-based secure routing protocol system of claim 4, wherein the third processing unit is specifically configured to: when the sending sequence number is consistent with the receiving sequence number, perform the decapsulation processing on the encapsulated and reinforced OSPF protocol message by using the hash value, which specifically comprises the following steps:
invoking the receiver, and calculating a verification hash value for verifying the integrity of the encapsulated and reinforced OSPF protocol message by using a hash algorithm based on the negotiated random number and the OSPF protocol message;
when the verification hash value is consistent with the hash value, completing the integrity verification, and performing the decapsulation and reinforcement processing on the encapsulated and reinforced OSPF protocol message to obtain the content in the OSPF protocol message;
and discarding the received encapsulated and reinforced OSPF protocol message when the verification hash value is inconsistent with the hash value.
6. The OSPF-based secure routing protocol system of claim 5, wherein the third processing unit is further configured to: when the sending sequence number of the encapsulated and reinforced OSPF protocol message received by the receiver is larger than the receiving sequence number maintained by the receiving end, take the sending sequence number as the new receiving sequence number of the receiving end.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111438825.8A CN114157419B (en) | 2021-11-29 | 2021-11-29 | Security routing protocol method and system based on OSPF |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114157419A CN114157419A (en) | 2022-03-08 |
CN114157419B true CN114157419B (en) | 2023-08-08 |
Family
ID=80454848
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114157419B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN114157419A (en) | 2022-03-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||