CN107086959B - Method and device for authenticating operation management maintenance message - Google Patents

Method and device for authenticating operation management maintenance message

Info

Publication number
CN107086959B
CN107086959B (application CN201610088118.3A)
Authority
CN
China
Prior art keywords
network element
authentication information
oam message
message
oam
Prior art date
Legal status
Active
Application number
CN201610088118.3A
Other languages
Chinese (zh)
Other versions
CN107086959A (en)
Inventor
李士雷
徐芳瑞
晋全福
易科
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201610088118.3A
Priority to PCT/CN2017/071512 (WO2017140199A1)
Publication of CN107086959A
Application granted
Publication of CN107086959B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]

Abstract

The present application relates to the field of communications, and in particular to an authentication method for operation, administration and maintenance (OAM) messages and to a first network element that performs it. The method comprises the following steps: a first network element receives a first OAM message, where the first OAM message carries a first identifier and first authentication information; the first network element determines second authentication information according to a mapping from the first identifier to the second authentication information; the first network element determines whether the first authentication information matches the second authentication information; and if the first authentication information does not match the second authentication information, the first network element determines that the first OAM message is an illegal message. By determining whether the first authentication information matches the second authentication information, the first network element can identify whether the first OAM message is a legal message, so that it does not execute an erroneous instruction carried in an illegal OAM message, and the stability and security of communication are improved.

Description

Method and device for authenticating operation management maintenance message
Technical Field
The present application relates to the field of communications, and in particular to a method and an apparatus for authenticating an operation, administration and maintenance (OAM) message.
Background
Operation, administration and maintenance (OAM) is a technique for providing link defect detection and defect correction in a network. Network devices that communicate with each other send OAM messages to detect whether the channel (English: channel) used for communication is in a normal state; when the channel is detected to be abnormal, they send OAM messages to each other to trigger a protection switching mechanism that switches the communication to a preset protection channel, so that packet loss caused by the abnormality of the working channel is reduced and the stability of service transmission is guaranteed. For example, an Automatic Protection Switching (APS) message is an OAM message: by sending APS messages to each other, network nodes negotiate and switch to the protection channel when the communication channel is abnormal.
When an OAM message is maliciously tampered with by another device, or forged by another network element, or a network administrator makes an error in configuring parameters, the network device receiving the OAM message may obtain an incorrect switching request and perform an incorrect switch according to it, seriously affecting normal communication.
Disclosure of Invention
The application provides a method and a device for operation, administration and maintenance (OAM) message authentication, which reduce the risk that a network device performs an incorrect switch according to an incorrect OAM message and improve the stability of communication.
In a first aspect, a method for OAM message authentication is provided, where the method includes:
a first network element receives a first OAM message, where the first OAM message carries a first identifier and first authentication information;
the first network element determines second authentication information according to a mapping from the first identifier to the second authentication information;
the first network element determines whether the first authentication information matches the second authentication information;
and if the first authentication information does not match the second authentication information, the first network element determines that the first OAM message is an illegal message.
The first network element determines the second authentication information according to the first identifier and checks whether it matches the first authentication information in the first OAM message, and thereby determines whether the first OAM message is a legal message. Therefore, when a network administrator configures the first identifier incorrectly, or the first identifier is maliciously tampered with or forged by another network element, the first network element can detect that the information in the first OAM message is incorrect by finding that the first authentication information does not match the second authentication information, and avoid executing an incorrect instruction according to that information, thereby improving the security and stability of communication.
Optionally, after determining that the first OAM message is an illegal message, the first network element stores the first OAM message.
Storing the illegal first OAM message lets the first network element provide a network administrator with more information for analysing why the illegal message was received. For example, when the mismatch between the first and second authentication information is caused by a configuration error in the first identifier, the stored first OAM message provides the administrator with information for analysing and correcting the configuration error. When the mismatch is caused by the first OAM message having been maliciously tampered with or forged by another network element, the stored message provides the administrator with more information for locating that network element, thereby improving the security of the network.
Optionally, in an example, the determining by the first network element whether the first authentication information matches the second authentication information includes: the first network element determines a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; the first network element performs a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and the first network element determines whether the third authentication information is equal to the second authentication information.
Optionally, in another example, the first network element and the second network element communicate through a first label switched path (LSP), the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: an identifier of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
Optionally, the method further includes: the first network element obtains fourth authentication information according to a mapping from a third network element to the fourth authentication information; and the first network element sends a second OAM message to the third network element, where the second OAM message carries the fourth authentication information, which is used to indicate to the third network element that the second OAM message is a legal message.
Optionally, the obtaining by the first network element of the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: the first network element determines an encryption algorithm according to a mapping from the third network element to the encryption algorithm; the first network element determines fifth authentication information according to a mapping from the third network element to the fifth authentication information; and the first network element performs an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element and the third network element communicate via a second LSP, and the fourth authentication information includes at least one of the following: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
In a second aspect, a first network element is provided, comprising a processor and a network interface, the processor being configured to:
receive a first OAM message through the network interface, where the first OAM message carries a first identifier and first authentication information;
determine second authentication information according to a mapping from the first identifier to the second authentication information;
determine whether the first authentication information matches the second authentication information;
and if the first authentication information does not match the second authentication information, determine that the first OAM message is an illegal message.
Optionally, the processor is further configured to store the first OAM message after determining that the first OAM message is an illegal message.
Optionally, determining whether the first authentication information matches the second authentication information includes: determining a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; performing a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determining whether the third authentication information is equal to the second authentication information.
Optionally, the first network element and the second network element communicate via a first label switched path (LSP), the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: an identifier of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP.
Optionally, the processor is further configured to: obtain fourth authentication information according to a mapping from a third network element to the fourth authentication information; and send a second OAM message to the third network element through the network interface, where the second OAM message carries the fourth authentication information, which is used to indicate to the third network element that the second OAM message is a legal message.
Optionally, obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: determining an encryption algorithm according to a mapping from the third network element to the encryption algorithm; determining fifth authentication information according to a mapping from the third network element to the fifth authentication information; and performing an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element and the third network element communicate via a second LSP, and the fourth authentication information includes at least one of the following: an identifier of the LSR of the third network element; an identifier of the LSR of the first network element; and an identifier of the second LSP.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application.
Fig. 2 is a schematic flowchart of an authentication method for an OAM message according to an embodiment of the present application.
Fig. 3a is a schematic diagram of an OAM message format provided in this embodiment.
Fig. 3b is a schematic diagram of another OAM message format provided in this embodiment.
Fig. 4 is a schematic flowchart of another authentication method for an OAM message according to an embodiment of the present application.
Fig. 5 is a schematic structural diagram of a first network element according to an embodiment of the present application.
Detailed Description
The application scenario described in the embodiments of the present application is intended to illustrate the technical solution more clearly and does not limit it; as a person of ordinary skill in the art knows, with the evolution of network architectures and the appearance of new service scenarios, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. As shown in fig. 1, the path for communication between the first network element 101 and the second network element 102 includes a working path and a protection path.
For example, the first network element 101 may be a router, a network switch, a firewall, a wavelength division multiplexing device, a packet transport network device, a base station controller, or a data center. The second network element 102 may be a router, a network switch, a firewall, a wavelength division multiplexing device, a packet transport network device, a base station controller, or a data center. The working channel or the protection channel may be a Pseudo Wire (PW) or a tunnel.
The first network element 101 and the second network element 102 detect whether a channel used for communication is in a normal state by sending operation, administration and maintenance (OAM) messages to each other, and trigger protection switching by sending OAM messages when detecting that the channel currently used for communication is abnormal.
In one example, the first network element 101 and the second network element 102 communicate via Ethernet (English: Ethernet), and the OAM message may be an OAM message specified in ITU-T Y.1731. Specifically, the OAM message may be an Automatic Protection Switching (APS) message, for example an APS message specified in ITU-T G.8031/Y.1342.
In another example, the first network element 101 and the second network element 102 communicate via a Multi-Protocol Label Switching (MPLS) tunnel, and the OAM message may be a message specified in ITU-T Y.1711. Specifically, the OAM message may be an APS message.
In a normal communication process, the first network element 101 receives an OAM message, determines from information in the header of the OAM message, for example the MPLS label (English: label) in the MPLS header, that the OAM message comes from the second network element 102, looks up the OAM state machine corresponding to the channel used for communication between the first network element 101 and the second network element 102, configures the state of that OAM state machine according to the request carried in the OAM message, and then performs the corresponding operation according to the state of the OAM state machine.
In the above scheme, the first network element 101 does not authenticate the authenticity or correctness of an OAM message it receives. Therefore, the OAM message received by the first network element 101 may be forged or tampered with by another network device. Alternatively, in an example where the first network element 101 identifies the source of an OAM message by its MPLS label, a configuration error by a network administrator may cause the MPLS label of the OAM messages sent to the first network element 101 by a third network element (not shown in fig. 1) that communicates with it to be the same as the MPLS label of the OAM messages sent by the second network element 102; the first network element 101 then mistakes an OAM message from the third network element for one from the second network element 102. In either case, the source of the OAM message received by the first network element 101 or the instruction carried in it may be incorrect. The first network element 101 may then perform an incorrect operation according to the incorrect OAM message, for example switch to an incorrect channel for communicating with the second network element 102, so that normal communication is affected.
The embodiment of the application provides an OAM message authentication method, which is used for reducing the risk that network equipment makes wrong switching according to an incorrect OAM message and improving the communication stability.
Fig. 2 shows a method for OAM message authentication provided in this embodiment of the present application. For example, the method may be applied to the scenario shown in fig. 1. The first network element in the method shown in fig. 2 may adopt the first network element 101 shown in fig. 1. The second network element in the method shown in fig. 2 may adopt the second network element 102 shown in fig. 1. The method comprises the following steps.
S201, a first network element receives a first OAM message, where the first OAM message carries a first identifier and first authentication information.
For example, the first OAM message may be the OAM message described in fig. 1. Further, the first OAM message may be an APS message as described in fig. 1.
The first identifier is carried in the header of the first OAM message and indicates the source of the first OAM message. For example, the first OAM message includes an MPLS header, and the first identifier is the Label (English: Label) field of the MPLS header. For another example, the first OAM message includes a virtual local area network (VLAN) tag (English: VLAN tag), and the first identifier is the VLAN identifier (VID) field of the VLAN tag.
The first authentication information is carried in the payload (English: payload) of the first OAM message. For example, the first authentication information may be implemented by defining a Type-Length-Value (TLV) in the payload of the first OAM message, that is, by defining a Type indicating that the Value of the TLV is the first authentication information.
In an example, when the first OAM message is an OAM message to which an extension field may be added, for example an APS message specified in ITU-T G.8031/Y.1342, the first authentication information may be carried in the extension field of the APS message. Fig. 3a shows the format of the payload of an APS message that does not carry the first authentication information, as in the ITU-T G.8031/Y.1342 standard. Fig. 3b shows the format of the payload of an APS message that carries the first authentication information in a TLV added in the extension field. Note that the length of the Value field shown in fig. 3b is merely illustrative; the embodiments of the present application do not limit the length of the Value field.
In another example, when the first OAM message is an OAM message to which no extension field may be added, the first authentication information may be carried in other fields not used by the protocol. For example, when the first OAM message is a message specified in ITU-T Y.1711, the first authentication information may be carried in the Padding (English: Padding) field.
S202, the first network element determines the second authentication information according to the mapping from the first identifier to the second authentication information.
The first network element stores a mapping from the first identifier to the second authentication information. The second authentication information is configured in advance in both the first network element and the second network element by a network administrator. In one example, the mapping from the first identifier to the second authentication information may be stored directly as an entry of a table mapping identifiers to authentication information. In another example, the first network element stores a mapping from the first identifier to an OAM state machine and determines, according to the first identifier, the OAM state machine corresponding to the first OAM message; this OAM state machine monitors the working states of the working channel and the protection channel between the first network element and the second network element. Where the first OAM message is an APS message, the state machine may be an APS state machine. The first network element further stores a mapping from the OAM state machine to authentication information, and finds the second authentication information according to the OAM state machine corresponding to the first OAM message.
S203, the first network element determines whether the first authentication information matches with the second authentication information.
Optionally, in a possible example, determining by the first network element whether the first authentication information matches the second authentication information includes: the first network element determines a decryption algorithm according to a mapping from the first identifier to the decryption algorithm; performs a decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and determines whether the third authentication information is equal to the second authentication information. If the third authentication information is equal to the second authentication information, the first network element determines that the first authentication information matches the second authentication information.
For example, the first network element and the second network element are both configured with an encryption algorithm and the corresponding decryption algorithm, and both store the second authentication information in advance. Before sending the first OAM message to the first network element, the second network element performs an encryption operation on the second authentication information according to the encryption algorithm to obtain the first authentication information. Optionally, this encryption operation proceeds as follows: the second network element generates a random number and, using the encryption algorithm, performs an encryption operation on the random number and the second authentication information to obtain an encryption parameter. The first authentication information then includes the random number and the encryption parameter. For example, when the first authentication information is carried in the first OAM message in a customised TLV, the TLV may include a first sub-TLV and a second sub-TLV, where the Value of the first sub-TLV is the random number and the Value of the second sub-TLV is the encryption parameter. After receiving the first authentication information, the first network element extracts the random number and the encryption parameter and performs a decryption operation on them according to the decryption algorithm to obtain the third authentication information. If the third authentication information is equal to the second authentication information, the first network element determines that the first OAM message is a legal message.
If the third authentication information is not equal to the second authentication information, the first network element determines that the first OAM message is an illegal message.
Optionally, in another possible example, the first network element and the second network element communicate via a first label switched path (LSP), the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element, and the second authentication information includes at least one of the following: an identifier (English: identifier) of the label switching router (LSR) of the second network element; an identifier of the LSR of the first network element; and an identifier of the first LSP. The identifier of the LSR of the first network element, the identifier of the LSR of the second network element and the identifier of the first LSP are each unique throughout the MPLS network.
For example, both the first network element and the second network element store the identifier of the LSR of the second network element. Before sending the first OAM message to the first network element, the second network element writes the identifier of its LSR into the first OAM message as the first authentication information, and writes a preset MPLS label into the MPLS header of the first OAM message as the first identifier. After receiving the first OAM message, the first network element obtains the second authentication information according to the mapping from the MPLS label to the second authentication information; the second authentication information is the identifier of the LSR of the second network element stored in the first network element. The first network element compares the first authentication information with the second authentication information and, if they are equal, determines that the first authentication information matches the second authentication information.
If the first authentication information does not match the second authentication information, the first network element performs S204.
S204, the first network element determines that the first OAM message is an illegal message.
The first network element does not perform the operation indicated by the first OAM message.
Optionally, after the first network element determines that the first OAM message is an illegal message, the first network element stores the first OAM message.
By storing the illegal message, the first network element can provide information about it to a network administrator, so that the administrator can determine the source of the illegal message.
Optionally, after determining that the first OAM message is an illegal message, the first network element discards the first OAM message.
Optionally, if the first authentication information matches the second authentication information, the first network element performs S205.
S205, the first network element determines that the first OAM message is a legal message, and performs the operation indicated by the first OAM message. For example, if the first OAM message instructs the first network element to switch the communication from the working channel to the protection channel, the first network element switches the communication from the working channel to the protection channel according to that instruction.
Optionally, when sending an OAM message to another network element, the first network element may also write authentication information into it, which indicates to the receiving network element that the OAM message is a legal message. For example, when the first network element sends a second OAM message to a third network element, as shown in fig. 4, the method further includes S401 and S402.
S401, the first network element obtains the fourth authentication information according to the mapping from the third network element to the fourth authentication information.
Optionally, in an example, the first network element obtains the fourth authentication information according to the mapping from the third network element to the fourth authentication information as follows: the first network element determines an encryption algorithm according to a mapping from the third network element to the encryption algorithm; the first network element determines fifth authentication information according to a mapping from the third network element to the fifth authentication information; and the first network element performs an encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
For example, the first network element may perform the encryption operation on the fifth authentication information to obtain the fourth authentication information in the same manner in which, in S203, the second network element performs the encryption operation on the second authentication information to obtain the first authentication information.
Optionally, in another example, the first network element and the third network element communicate via a second LSP, and the fourth authentication information includes at least one of the following information: an identity of an LSR of the third network element; an identity of an LSR of the first network element; and an identification of the second LSP.
S402, the first network element sends a second OAM message to the third network element, where the second OAM message carries the fourth authentication information.
For example, a format of the fourth authentication information in the second OAM message may be the same as a format of the first authentication information in the first OAM message.
For example, the third network element determines, according to the fourth authentication information, whether the second OAM message is a legal message, which may be the method shown in fig. 2.
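The following is an added worked example, not code from the patent or from the applicant, that models both procedures above in one place: the receiving side of fig. 2 (S201 to S205: look up the mapping from the carried label to the expected authentication information, compare, and either execute the indication or quarantine the message) and the sending side of fig. 4 (S401 to S402: derive the authentication information for the peer and carry it in the outgoing message). The patent leaves the "encryption algorithm", the message layout and all identifiers unspecified; here HMAC-SHA256 stands in for the per-peer algorithm, and the wire format, LSR identities, labels and keys are constructed assumptions.

```python
"""Added example (not from the patent): OAM message authentication per S201-S205
and S401-S402. The wire layout, the use of HMAC-SHA256 as the per-peer
'encryption algorithm', and every identifier and key below are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List

TAG_LEN = 32  # HMAC-SHA256 output length


@dataclass(frozen=True)
class LspBinding:
    """Per-LSP state an LSR keeps: the mapping from label/peer to authentication data."""
    remote_lsr_id: str   # identity of the LSR at the far end of this LSP
    lsp_id: int          # identification of the LSP
    in_label: int        # MPLS label the remote LSR encapsulates when sending to us
    out_label: int       # MPLS label we encapsulate when sending to the remote LSR
    key: bytes           # per-peer key for the stand-in algorithm (assumed)


def auth_info(sender_lsr: str, receiver_lsr: str, lsp_id: int) -> bytes:
    """Second/fifth authentication information: LSR identities plus LSP id,
    serialized in a fixed order so both ends derive identical bytes."""
    return f"{sender_lsr}|{receiver_lsr}|{lsp_id}".encode()


def auth_tag(key: bytes, info: bytes) -> bytes:
    """Stand-in for the patent's per-peer encryption of the authentication
    information: a keyed MAC over the plaintext identifiers."""
    return hmac.new(key, info, hashlib.sha256).digest()


@dataclass
class OamMessage:
    label: int        # first identifier: MPLS label pushed by the sender
    indication: str   # indication information, e.g. "SWITCH_TO_PROTECTION"
    tag: bytes        # first/fourth authentication information

    def pack(self) -> bytes:
        body = self.indication.encode()
        return struct.pack("!IH", self.label, len(body)) + body + self.tag

    @classmethod
    def unpack(cls, raw: bytes) -> "OamMessage":
        label, n = struct.unpack_from("!IH", raw)
        body, tag = raw[6:6 + n], raw[6 + n:]
        if len(body) != n or len(tag) != TAG_LEN:
            raise ValueError("malformed OAM message")
        return cls(label, body.decode(), tag)


@dataclass
class NetworkElement:
    lsr_id: str
    by_in_label: Dict[int, LspBinding] = field(default_factory=dict)  # S202 lookup
    by_peer: Dict[str, LspBinding] = field(default_factory=dict)      # S401 lookup
    illegal: List[OamMessage] = field(default_factory=list)           # stored for the administrator
    channel: str = "working"

    def bind(self, b: LspBinding) -> None:
        self.by_in_label[b.in_label] = b
        self.by_peer[b.remote_lsr_id] = b

    def send_oam(self, peer_lsr_id: str, indication: str) -> bytes:
        """S401-S402: derive the authentication information for the peer and send it."""
        b = self.by_peer[peer_lsr_id]
        tag = auth_tag(b.key, auth_info(self.lsr_id, b.remote_lsr_id, b.lsp_id))
        return OamMessage(b.out_label, indication, tag).pack()

    def receive_oam(self, raw: bytes) -> bool:
        """S201-S205: map label -> expected information, compare, then act or quarantine.
        Returns True for a legal message, False for an illegal one."""
        msg = OamMessage.unpack(raw)
        b = self.by_in_label.get(msg.label)
        if b is None:                      # no mapping for this label: cannot authenticate
            self.illegal.append(msg)
            return False
        expected = auth_tag(b.key, auth_info(b.remote_lsr_id, self.lsr_id, b.lsp_id))
        if not hmac.compare_digest(expected, msg.tag):   # S203, constant-time compare
            self.illegal.append(msg)       # S204: store for the administrator, do not execute
            return False
        self._execute(msg.indication)      # S205
        return True

    def _execute(self, indication: str) -> None:
        if indication == "SWITCH_TO_PROTECTION":
            self.channel = "protection"
        elif indication == "SWITCH_TO_WORKING":
            self.channel = "working"


def demo_topology():
    """Constructed sample: first NE 'LSR-A' and second NE 'LSR-B' share LSP 7."""
    key = b"\x01" * 32
    a, b = NetworkElement("LSR-A"), NetworkElement("LSR-B")
    a.bind(LspBinding("LSR-B", 7, in_label=1001, out_label=2001, key=key))
    b.bind(LspBinding("LSR-A", 7, in_label=2001, out_label=1001, key=key))
    return a, b


if __name__ == "__main__":
    a, b = demo_topology()
    assert a.receive_oam(b.send_oam("LSR-A", "SWITCH_TO_PROTECTION")) and a.channel == "protection"
    forged = OamMessage(1001, "SWITCH_TO_WORKING", bytes(TAG_LEN)).pack()
    assert not a.receive_oam(forged) and a.channel == "protection" and len(a.illegal) == 1
    print("legal switch executed; forged message quarantined")
```

Two things the example makes visible that the text does not. First, a message whose label has no mapping at all must be treated as illegal rather than skipped, otherwise an attacker chooses a label the element has never seen and bypasses the check. Second, because the authentication information as described consists of static identifiers (LSR identities and the LSP identification), a captured legal message is accepted again on replay; the scheme distinguishes messages from unknown sources but does not by itself bind a message to a point in time, so a deployment would include a sequence number or timestamp in the authenticated data.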
Fig. 5 is a schematic structural diagram of a first network element according to an embodiment of the present application. As shown in fig. 5, the first network element 500 comprises a processor 501 and a network interface 502. Optionally, a memory 503 is also included.
The processor 501 includes, but is not limited to, one or more of a Central Processing Unit (CPU), a Network Processor (NP), an application-specific integrated circuit (ASIC), or a Programmable Logic Device (PLD). The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
The network interface 502 may be a wired interface, such as a Fiber Distributed Data Interface (FDDI) or an Ethernet interface. The network interface 502 may also be a wireless interface, such as a wireless local area network interface.
The memory 503 is used to store program instructions that are executed by the processor 501. The memory 503 includes, but is not limited to, a content-addressable memory (CAM), such as a Ternary CAM (TCAM), and a random-access memory (RAM).
The memory 503 may also be integrated in the processor 501. If the memory 503 and the processor 501 are separate devices, the memory 503 is coupled to the processor 501; for example, the memory 503 and the processor 501 may communicate via a bus. The network interface 502 and the processor 501 may likewise communicate via a bus, or the network interface 502 may be directly connected to the processor 501.
The processor 501 is configured to perform the following operations: receiving a first OAM message through the network interface 502, where the first OAM message carries a first identifier and first authentication information; determining second authentication information according to the mapping from the first identification to the second authentication information; judging whether the first authentication information is matched with the second authentication information; and if the first authentication information is not matched with the second authentication information, determining that the first OAM message is an illegal message.
Optionally, the processor 501 is further configured to store the first OAM message after determining that the first OAM message is an illegal message.
Optionally, the determining whether the first authentication information is matched with the second authentication information includes: determining a decryption algorithm according to the mapping of the first identifier to the decryption algorithm; carrying out decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information; and judging whether the third authentication information is equal to the second authentication information.
Optionally, the first network element 500 and the second network element communicate through a first label switched path LSP, where the first identifier is a multi-protocol label switching MPLS label encapsulated by the second network element, and the second authentication information includes at least one of the following information: an identity of a label switched router, LSR, of the second network element; an identity of an LSR of said first network element 500; and an identification of the first LSP.
Optionally, the processor 501 is further configured to: obtain fourth authentication information according to a mapping from a third network element to the fourth authentication information; and send a second OAM message to the third network element through the network interface 502, where the second OAM message carries the fourth authentication information, and the fourth authentication information is used to indicate to the third network element that the second OAM message is a legal message.
Optionally, the obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information includes: determining an encryption algorithm according to the mapping from the third network element to the encryption algorithm; determining fifth authentication information according to the mapping from the third network element to the fifth authentication information; and carrying out encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
Optionally, the first network element 500 and the third network element communicate via a second LSP, and the fourth authentication information includes at least one of the following information: an identity of an LSR of the third network element; an identity of an LSR of the first network element; and an identification of the second LSP.
The first network element 500 provided in this embodiment may be applied to the method in the embodiment of fig. 2 or fig. 4 to implement the functions of the first network element. For other functions that the first network element can implement, and for its interaction with other network elements, refer to the description of the first network element in the method embodiments, which is not repeated here.
The embodiments in this specification are described progressively; the same or similar parts among the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system embodiment is substantially similar to the method embodiment, so its description is brief, and for relevant details reference may be made to the corresponding description of the method embodiment.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. An authentication method for operation, administration and maintenance (OAM) messages, comprising the following steps:
a first network element receives a first OAM message, wherein the first OAM message carries a first identifier and first authentication information;
the first network element determines second authentication information according to the received first identifier in the first OAM message and mapping from the first identifier stored in the first network element to the second authentication information;
and the first network element determines that the first OAM message is an illegal message according to the fact that the first authentication information is not matched with the second authentication information.
2. The method of claim 1, wherein after the first network element determines that the first OAM message is an illegal message, further comprising:
and the first network element stores the first OAM message.
3. The method of claim 1, wherein the first authentication information is encrypted information, and the determining, by the first network element, whether the first authentication information matches the second authentication information comprises:
the first network element determines a decryption algorithm according to the mapping from the first identifier to the decryption algorithm;
the first network element performs decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information;
and the first network element judges whether the third authentication information is equal to the second authentication information.
4. The method of claim 1, wherein the first network element communicates with a second network element via a first Label Switched Path (LSP), wherein the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element, and wherein the second authentication information comprises at least one of the following information:
an identity of a label switched router, LSR, of the second network element;
an identity of an LSR of the first network element; and
an identification of the first LSP.
5. The method of any of claims 1 to 4, further comprising:
the first network element acquires fourth authentication information according to mapping from a third network element to the fourth authentication information;
and the first network element sends a second OAM message to the third network element, wherein the second OAM message carries the fourth authentication information, and the fourth authentication information is used to indicate to the third network element that the second OAM message is a legal message.
6. The method of claim 5, wherein the obtaining, by the first network element, the fourth authentication information according to the mapping from the third network element to the fourth authentication information comprises:
the first network element determines the encryption algorithm according to the mapping from the third network element to the encryption algorithm;
the first network element determines fifth authentication information according to mapping from the third network element to the fifth authentication information;
and the first network element performs encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
7. The method of claim 5, wherein the first network element and the third network element communicate via a second LSP, and wherein the fourth authentication information comprises at least one of:
an identity of an LSR of the third network element;
an identity of an LSR of the first network element; and
an identification of the second LSP.
8. A first network element, comprising a processor and a network interface, wherein:
the network interface is to: receiving a first OAM message, wherein the first OAM message carries a first identifier and first authentication information;
the processor is configured to:
determining second authentication information according to the first identifier in the first OAM message received by the network interface and mapping from the first identifier to the second authentication information;
and determining that the first OAM message is an illegal message according to the fact that the first authentication information is not matched with the second authentication information.
9. The first network element of claim 8, wherein the processor is further configured to save the first OAM message after determining that the first OAM message is an illegal message.
10. The first network element of claim 8, wherein the first authentication information is encrypted information, and the determining that the first OAM message is an illegal message according to the mismatch between the first authentication information and the second authentication information comprises:
determining a decryption algorithm according to the mapping of the first identifier to the decryption algorithm;
carrying out decryption operation on the first authentication information according to the decryption algorithm to obtain third authentication information;
and determining that the first OAM message is an illegal message according to the fact that the third authentication information is not matched with the second authentication information.
11. The first network element of claim 8, wherein the first network element communicates with a second network element via a first Label Switched Path (LSP), wherein the first identifier is a multi-protocol label switching (MPLS) label encapsulated by the second network element, and wherein the second authentication information comprises at least one of:
an identity of a label switched router, LSR, of the second network element;
an identity of an LSR of the first network element; and
an identification of the first LSP.
12. The first network element of any one of claims 8 to 11, wherein the processor is further configured to:
acquiring fourth authentication information according to mapping from a third network element to the fourth authentication information;
and sending a second OAM message to the third network element through the network interface, wherein the second OAM message carries the fourth authentication information, and the fourth authentication information is used to indicate to the third network element that the second OAM message is a legal message.
13. The first network element of claim 12, wherein obtaining the fourth authentication information according to the mapping from the third network element to the fourth authentication information comprises:
determining an encryption algorithm according to the mapping from the third network element to the encryption algorithm;
determining fifth authentication information according to the mapping from the third network element to the fifth authentication information;
and carrying out encryption operation on the fifth authentication information according to the encryption algorithm to obtain the fourth authentication information.
14. The first network element of claim 12, wherein the first network element and the third network element communicate via a second LSP, and wherein the fourth authentication information comprises at least one of:
an identity of an LSR of the third network element;
an identity of an LSR of the first network element; and
an identification of the second LSP.
15. A system comprising a first network element according to any one of claims 8 to 14 and a second network element, the second network element being configured to send a first OAM message, the first OAM message carrying a first identifier and first authentication information.
CN201610088118.3A 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message Active CN107086959B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610088118.3A CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message
PCT/CN2017/071512 WO2017140199A1 (en) 2016-02-16 2017-01-18 Operations, administration and maintenance message authentication method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610088118.3A CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message

Publications (2)

Publication Number Publication Date
CN107086959A CN107086959A (en) 2017-08-22
CN107086959B true CN107086959B (en) 2020-11-06

Family

ID=59614549

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610088118.3A Active CN107086959B (en) 2016-02-16 2016-02-16 Method and device for authenticating operation management maintenance message

Country Status (2)

Country Link
CN (1) CN107086959B (en)
WO (1) WO2017140199A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839009B (en) * 2019-11-22 2023-09-01 华为技术有限公司 Method, device and system for processing message

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102857521A (en) * 2012-10-12 2013-01-02 盛科网络(苏州)有限公司 Method and device for setting operation, administration and maintenance (OAM) security authentication
CN103428009A (en) * 2012-05-14 2013-12-04 中兴通讯股份有限公司 Method and device for achieving OAM of grouped synchronous networks
CN103684792A (en) * 2013-12-23 2014-03-26 加弘科技咨询(上海)有限公司 Safety authentication method for OAM (Operation, Administration and Maintenance) and OAM message sending/receiving device

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
DE60313306T2 (en) * 2002-03-18 2007-07-19 Nortel Networks Ltd., St. Laurent RESOURCE DISTRIBUTION USING AUTOMATIC DETECTION METHOD FOR PROVIDER-CONTROLLED LAYER-2 AND LAYER-3 VIRTUAL PRIVATE NETWORKS
CN101651670B (en) * 2008-10-29 2012-08-15 中国科学院声学研究所 Integrated management method for services and users in Ethernet service operation and system thereof
US8830841B1 (en) * 2010-03-23 2014-09-09 Marvell Israel (M.I.S.L) Ltd. Operations, administration, and maintenance (OAM) processing engine
CN103780420B (en) * 2012-10-25 2017-07-28 中国电信股份有限公司 The method of automatic configuration and system of Ethernet detection of connectivity under VPLS environment

Also Published As

Publication number Publication date
WO2017140199A1 (en) 2017-08-24
CN107086959A (en) 2017-08-22

Similar Documents

Publication Publication Date Title
US11032174B2 (en) Service chain fault detection method and apparatus
US10153951B2 (en) Determining the operations performed along a service path/service chain
EP3242441B1 (en) Bit-forwarding ingress router, bit-forwarding router, and operation, administration and maintenance detection method
US10868697B2 (en) Packet processing method, device, and packet processing system
US20200007446A1 (en) Full-path validation in segment routing
US9537846B2 (en) Integrity check optimization systems and methods in live connectivity frames
EP2457351B1 (en) Method and arrangement in a mpls-tp telecommunications network for oam functions
CN108964943B (en) Method and device for realizing IOAM packaging
WO2016058245A1 (en) Processing method and apparatus for operation, administration and maintenance (oam) message
CN102571601B (en) A kind of method and label switched path equipment for ensureing two-way converting detection reliability
KR102066978B1 (en) Method and apparatus for data plane for monitoring differentiated service code point (DSCP) and explicit congestion notification (ECN)
CN105515816B (en) Processing method and device for detecting hierarchical information
CN111447095B (en) Bidirectional forwarding detection switching method, bidirectional forwarding detection module and edge device
CN114189564A (en) Message transmission method, device and system
CN116094978A (en) Information reporting method, information processing method and information processing equipment
CN107086959B (en) Method and device for authenticating operation management maintenance message
CN113950811B (en) Extending BGP protection for SR Path ingress protection
CN111064668A (en) Method and device for generating routing table entry and related equipment
CN110224916B (en) Message processing method and device and message packaging method, device and system
WO2021213082A1 (en) Method for verifying service chain, sending node, forwarding node and service function node
CN112737949B (en) Fault detection method and device, electronic equipment and computer readable medium
CN112291148B (en) Method for detecting BFD forwarding path quality through BFD ping
CN108243099B (en) Method, device and system for path selection
CN117041126A (en) Message forwarding method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant