CN112367355A - Trust level issuing method and device - Google Patents


Info

Publication number
CN112367355A
Authority
CN
China
Prior art keywords
trust level
equipment
network
network device
network equipment
Prior art date
Legal status
Withdrawn
Application number
CN202011085306.3A
Other languages
Chinese (zh)
Inventor
李�昊
陈梦骁
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN202011085306.3A
Publication of CN112367355A
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a trust level issuing method and device, the method is applied to a first network device, the first network device is in an autonomous domain, the autonomous domain further comprises a second network device, and the method comprises the following steps: when a connection establishment request sent by the second network equipment is received, establishing communication connection with the second network equipment; receiving an identifier notification message sent by the second network device, wherein the identifier notification message includes a device identifier of the second network device; and sending a first trust level issuing message to the second network equipment according to the equipment identifier of the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.

Description

Trust level issuing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for issuing a trust level.
Background
Mutual trust between routers is one of the key factors in keeping a communication network secure and stable. If the trust level of each router is issued within the autonomous domain, a mutual trust relationship can be established among the routers, and the data traffic they transmit can be handled according to its security level on the basis of that relationship.
In one case, when data traffic is transmitted within the autonomous domain, the path with the smallest link cost is usually selected as the forwarding path; once the trust level of every router in the autonomous domain is known, the trust level can be taken into account as an additional factor when the forwarding path is constructed. For example, a forwarding path may be established only through routers whose trust level is above a certain threshold, and data traffic with security requirements is forwarded along that path.
In another case, when a router in the autonomous domain fails or behaves abnormally, its trust level can be lowered and the router restricted, which limits its influence on the autonomous domain and the communication network. For example, when the trust level of a router in the autonomous domain falls below a certain threshold, its neighbor routers avoid any forwarding path that includes that router and select a forwarding path that does not, so that packets continue to be forwarded.
However, in the prior art, no implementation is provided for mutually issuing the trust level of the router by each router in the autonomous domain.
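The two uses of a trust level sketched above (a threshold on which routers a forwarding path may transit, and rerouting around a router whose level has been lowered after a fault) can be shown on a small topology. The following Python is an added example written for this page, not code from the patent or from H3C; the topology, link costs and trust levels are constructed sample data, and the rule that a router missing from the trust table counts as level 0 (so it is never used as a transit node) is an assumption made here.

```python
"""Trust-aware forwarding path selection (added example for this page, not from the patent).
Constructed topology, link costs and trust levels; a router absent from the trust table
is treated as level 0 so it is never used as a transit node (assumption)."""
import heapq

# Constructed sample data: undirected links with costs, and a trust level per router.
LINKS = {("R1", "R2"): 1, ("R2", "R4"): 1, ("R1", "R3"): 2, ("R3", "R4"): 2}
TRUST = {"R1": 3, "R2": 1, "R3": 3, "R4": 3}

def constrained_shortest_path(links, trust, src, dst, min_trust):
    """Lowest link-cost path from src to dst using only routers whose trust level
    is at least min_trust (src and dst included). Returns (cost, path) or None."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    if trust.get(src, 0) < min_trust or trust.get(dst, 0) < min_trust:
        return None
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        if u == dst:
            break
        for v, cost in adj.get(u, []):
            if trust.get(v, 0) < min_trust:
                continue  # never transit a router below the threshold
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path, node = [dst], dst
    while node != src:
        node = prev[node]
        path.append(node)
    return dist[dst], path[::-1]

def reroute_after_fault(links, trust, faulty, src, dst, min_trust):
    """Lower the faulty router's level below the threshold (the restriction described
    above) and recompute; the returned path cannot include the faulty router."""
    lowered = dict(trust, **{faulty: min_trust - 1})
    return constrained_shortest_path(links, lowered, src, dst, min_trust)
```

With the threshold at 0 the cheapest path R1-R2-R4 (cost 2) is chosen; raising the threshold to 2 excludes R2 (level 1) and the path becomes R1-R3-R4 (cost 4). Lowering a router's level therefore removes it from every constrained path at once, which is the restriction the Background describes; note that the cost-only path is still used for traffic without a security requirement.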
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for issuing a trust level, so as to solve the problem in the prior art that routers in an autonomous domain cannot issue a trust level of a router.
In a first aspect, the present application provides a method for issuing a trust level, where the method is applied to a first network device, where the first network device is in an autonomous domain, and the autonomous domain further includes a second network device, and the method includes:
when a connection establishment request sent by the second network equipment is received, establishing communication connection with the second network equipment;
receiving an identifier notification message sent by the second network device, wherein the identifier notification message includes a device identifier of the second network device;
and sending a first trust level issuing message to the second network equipment according to the equipment identifier of the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
In a second aspect, the present application provides a method for issuing a trust level, where the method is applied to a second network device, where the second network device is in an autonomous domain, and the autonomous domain further includes a first network device, and the method includes:
sending a connection establishment request to the first network equipment, and establishing communication connection with the first network equipment;
sending an identifier notification message to the first network device, where the identifier notification message includes a device identifier of the second network device;
and receiving a first trust level issuing message sent by the first network equipment according to the equipment identifier of the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
In a third aspect, the present application provides an apparatus for issuing a trust level, where the apparatus is applied to a first network device, the first network device is in an autonomous domain, the autonomous domain further includes a second network device, and the apparatus includes:
the establishing unit is used for establishing communication connection with the second network equipment when receiving a connection establishing request sent by the second network equipment;
a receiving unit, configured to receive an identifier advertisement packet sent by the second network device, where the identifier advertisement packet includes a device identifier of the second network device;
and the sending unit is used for sending a first trust level issuing message to the second network equipment according to the equipment identifier of the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
In a fourth aspect, the present application provides an apparatus for issuing a trust level, where the apparatus is applied to a second network device, where the second network device is in an autonomous domain, where the autonomous domain further includes a first network device, and the apparatus includes:
a sending unit, configured to send a connection establishment request to the first network device;
an establishing unit, configured to establish a communication connection with the first network device;
the sending unit is further configured to send an identifier advertisement packet to the first network device, where the identifier advertisement packet includes a device identifier of the second network device;
a receiving unit, configured to receive a first trust level issue packet sent by the first network device according to the device identifier of the second network device, where the first trust level issue packet includes device trust levels of all network devices in the autonomous domain.
In a fifth aspect, the present application provides a network device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions capable of being executed by the processor, the processor being caused by the machine-executable instructions to perform the method provided in the first and second aspects of the present application.
Therefore, by applying the trust level issuing method and device provided by the application, when a connection establishment request sent by second network equipment is received, the first network equipment and the second network equipment establish communication connection; the first network equipment receives an identification notification message sent by the second network equipment, wherein the identification notification message comprises an equipment identification of the second network equipment. According to the device identification of the second network device, the first network device sends a first trust level issuing message to the second network device, wherein the first trust level issuing message comprises the device trust levels of all network devices in the autonomous domain.
Therefore, the problem that the trust level of the router cannot be issued among the routers in the autonomous domain in the prior art is solved. The process of mutually issuing the equipment trust level between the network equipment in the autonomous domain is realized, and the technical blank in the prior art is made up.
Drawings
Fig. 1 is a flowchart of a trust level issuing method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of the structure of the header shared by each type of message provided in the embodiment of the present application;
Fig. 3-A is a schematic diagram of the first-level TLV structure included in a trust level issue message according to an embodiment of the present application;
Fig. 3-B is a schematic diagram of the first-level TLV structure included in a trust level revocation message according to an embodiment of the present application;
Fig. 3-C is a schematic diagram of the first-level TLV structure included in a trust level request message according to an embodiment of the present application;
Fig. 3-D is a schematic diagram of the first-level TLV structure included in an identifier advertisement message according to an embodiment of the present application;
Fig. 4-A is a schematic diagram of a second-level TLV structure included in the various types of messages according to an embodiment of the present application;
Fig. 4-B is a schematic diagram of another second-level TLV structure provided by an embodiment of the present application;
Fig. 4-C is a schematic diagram of yet another second-level TLV structure provided by an embodiment of the present application;
Fig. 5 is a flowchart of another method for issuing trust levels provided by an embodiment of the present application;
Fig. 6 is a block diagram of an apparatus for issuing a trust level according to an embodiment of the present application;
Fig. 7 is a block diagram of another trust level issuing apparatus according to an embodiment of the present application;
Fig. 8 is a hardware structure diagram of a network device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The following describes in detail a method for issuing a trust level provided in an embodiment of the present application. Referring to fig. 1, fig. 1 is a flowchart of a trust level issuing method according to an embodiment of the present application. The method is applied to a first network device, and the method for issuing the trust level provided by the embodiment of the application may include the following steps.
Step 110, when receiving a connection establishment request sent by the second network device, establishing a communication connection with the second network device.
Specifically, a user configures, in the first network device and in the second network device respectively, the Secure Sockets Layer (SSL) parameters, the IP address of the peer network device, the port number used to establish the communication connection with the peer, and so on. The patent uses the older name SSL throughout; in a current deployment the secure connection would be TLS, which has superseded SSL, and the protection of everything issued over it depends on the client verifying the server's certificate.
After SSL is configured on the second network device, the second network device generates a connection establishment request and sends it over SSL to the configured port on the first network device.
After the first network device receives the connection establishment request sent by the second network device, it establishes the communication connection with the second network device.
Further, in the embodiment of the application, a server-client mode is adopted to realize mutual issuing of the device trust level among network devices in the autonomous domain. The first network device may serve as a network device implementing a server function and the second network device may serve as a network device implementing a client function. The server-side function can be deployed in one router in the autonomous domain or in one server. The client functionality may be deployed in all routers within the autonomous domain that initiate device trust level functionality.
The device trust levels of all the network devices in the autonomous domain are uniformly managed by the server side (i.e., the first network device) in a centralized manner, a secure connection is established between the client side and the server side, and encrypted communication is performed (for example, communication connection is established through the SSL), and the server side issues the device trust levels of the network devices in the autonomous domain to the client side.
Further, before this step, a process of the first network device receiving a configuration instruction input by a user is also included.
The first network equipment receives a first configuration instruction input by a user, wherein the first configuration instruction comprises equipment identifications of all network equipment in the autonomous domain and equipment trust levels of the network equipment corresponding to each equipment identification.
The first network device stores the device identifications of all the network devices in the autonomous domain and the device trust level of the network device corresponding to each device identification in a network device trust level table.
In one example, the configuration instruction is:
Router1 ospf 2.2.2.2 trust-level 1
Router2 isis 0000.0000.0002 trust-level 1
In the foregoing example, Router1 runs the OSPF protocol, its device identifier is its OSPF Router ID (2.2.2.2), and its device trust level is level 1; Router2 runs the IS-IS protocol, its device identifier is its IS-IS System ID (0000.0000.0002), and its device trust level is level 1.
It should be noted that, after the first network device configures the device trust level of the foregoing network device locally, if the second network device corresponding to the device identifier successfully establishes a communication connection with the first network device, the first network device configures the device trust level of the second network device to be in an effective state; and if the second network equipment corresponding to the equipment identification does not establish communication connection with the first network equipment, the first network equipment configures the equipment trust level of the second network equipment into an invalid state. Subsequently, the first network device does not issue the device trust level of the second network device, or the first network device issues the device trust level of the second network device as a default value.
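The server-side network device trust level table that steps 110 to 130 rely on, as an added example written for this page rather than code from the patent or from H3C. It parses configuration lines in the form shown above, marks a configured device's level effective only once that device has connected and advertised its identifier, and returns what a trust level issue message should carry. The default level 0 for a device that has not yet connected, the 0 to 255 range check on a level, and the refusal to treat an advertised identifier that is not in the configuration as a connected device are assumptions made here; the patent only says that the level is withheld or a default value is issued.

```python
"""Server-side network device trust level table (added example for this page, not H3C code).
Assumptions not stated in the patent: the exact configuration line grammar, the default
level 0 issued for a device that has not connected, the 0-255 level range, and the
rejection of an advertised identifier that is not in the configuration."""
from dataclasses import dataclass

DEFAULT_LEVEL = 0  # assumption: the patent only says "a default value"

@dataclass
class Entry:
    name: str
    protocol: str       # "ospf" (identifier is the Router ID) or "isis" (identifier is the System ID)
    device_id: str
    level: int
    effective: bool = False  # True once the device has connected and advertised its identifier

class TrustLevelTable:
    def __init__(self):
        self.entries = {}       # device_id -> Entry, in configuration order
        self.connected = set()  # device identifiers with a live connection

    def configure(self, line):
        """Parse '<name> <ospf|isis> <device-id> trust-level <n>' (the form shown above)."""
        parts = line.split()
        if len(parts) != 5 or parts[3] != "trust-level":
            raise ValueError(f"unrecognised configuration line: {line!r}")
        name, proto, dev_id, _, level = parts
        proto = proto.lower()
        if proto not in ("ospf", "isis"):
            raise ValueError(f"unknown protocol {proto!r}")
        level = int(level)
        if not 0 <= level <= 255:
            raise ValueError("trust level out of range")  # assumption: one-byte level
        self.entries[dev_id] = Entry(name, proto, dev_id, level, dev_id in self.connected)

    def on_identifier_advertised(self, dev_id):
        """A client has connected and sent its identifier advertisement message.
        Returns True only for a configured device connecting for the first time,
        i.e. exactly when the first trust level issue message must be sent to it."""
        entry = self.entries.get(dev_id)
        if entry is None:
            return False  # assumption: an unconfigured peer is not issued the table
        first_time = dev_id not in self.connected
        self.connected.add(dev_id)
        entry.effective = True
        return first_time

    def on_disconnect(self, dev_id):
        self.connected.discard(dev_id)
        if dev_id in self.entries:
            self.entries[dev_id].effective = False

    def levels_to_issue(self, include_defaults=False):
        """(protocol, device_id, level) for each device, as carried in the issue message.
        Devices whose level is not effective are omitted, or sent with DEFAULT_LEVEL."""
        out = []
        for e in self.entries.values():
            if e.effective:
                out.append((e.protocol, e.device_id, e.level))
            elif include_defaults:
                out.append((e.protocol, e.device_id, DEFAULT_LEVEL))
        return out

    def update_level(self, dev_id, level):
        """Second configuration instruction: store the updated level of a configured device."""
        if dev_id not in self.entries:
            raise KeyError(dev_id)
        if not 0 <= level <= 255:
            raise ValueError("trust level out of range")
        self.entries[dev_id].level = level
```

The return value of `on_identifier_advertised` is what decides whether the first trust level issue message is sent: it is True for a newly connected, configured device and False for a device that is already connected, so the server never re-sends the full table to the same connection.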
Step 120, receiving an identifier advertisement message sent by the second network device, where the identifier advertisement message includes a device identifier of the second network device.
Specifically, after the second network device establishes a communication connection with the first network device, the second network device generates an identifier advertisement message, where the identifier advertisement message includes a device identifier of the second network device.
Through the communication connection established in step 110, the second network device sends the identifier advertisement message to the first network device. After receiving the identifier advertisement message, the first network device obtains the device identifier of the second network device from it.
Further, the identifier advertisement message consists of a message header, a first-level TLV, and a second-level TLV.
As shown in Fig. 2, which is a schematic diagram of the header shared by every type of message in this embodiment, the message header includes a Marker field, a Version field, and a Length field. The Marker field marks the beginning of the message and has the fixed value 0x50A0F0. The Version field carries the version number of the message, currently 1. The Length field gives the length of the message data, excluding the header.
As shown in Figs. 3-A to 3-D, which are schematic diagrams of the first-level TLV structures contained in the various messages of this embodiment, a first-level TLV consists of a Type field, a Length field, and 0 to 255 bytes of data. The Type field is 1 byte and takes the value 1, 2, 3 or 4; the value determines the type of the message.
For example, in this embodiment, a Type value of 1 denotes a trust level issue message (Fig. 3-A); a value of 2 a trust level revocation message (Fig. 3-B); a value of 3 a trust level request message (Fig. 3-C); and a value of 4 an identifier advertisement message (Fig. 3-D).
The Length field is 1 byte and gives the length of the data, excluding the Type and Length fields themselves.
As shown in Figs. 4-A to 4-C, which are schematic diagrams of the second-level TLV structures contained in the various messages of this embodiment, a second-level TLV consists of a Type field, a Length field, and 0 to 255 bytes of data. The Type field is 1 byte and takes the value 1, 2 or 3; the value determines what the TLV carries.
For example, in this embodiment, Type values 1 and 2 indicate that the TLV carries the device identifier of a network device, and Type value 3 indicates that it carries the device trust level of a network device. Specifically, with Type 1 the TLV carries the device identifier of a network device running OSPF, i.e. its Router ID (Fig. 4-A); with Type 2 it carries the device identifier of a network device running IS-IS, i.e. its System ID (Fig. 4-B); and with Type 3 it carries the device trust level of a network device (Fig. 4-C).
The Length field is 1 byte and gives the length of the data, excluding the Type and Length fields themselves.
According to the foregoing description of the message structure, the identifier advertisement message in this step consists of a message header, a first-level TLV, and a second-level TLV. The message header is shown in Fig. 2; the first-level TLV in Fig. 3-D; and the second-level TLV in Fig. 4-A or Fig. 4-B: Fig. 4-A if the second network device runs OSPF, Fig. 4-B if it runs IS-IS.
Step 130, sending a first trust level issue message to the second network device according to the device identifier of the second network device, where the first trust level issue message includes the device trust levels of all network devices in the autonomous domain.
Specifically, on the basis of the device identifier of the second network device obtained in step 120, the first network device reads from the network device trust level table the device identifiers of all network devices in the autonomous domain and the device trust level corresponding to each device identifier.
The first network device carries those device identifiers, and the device trust level corresponding to each of them, in the first trust level issue message.
The first trust level issue message consists of a message header, a first-level TLV, and second-level TLVs. The message header is shown in Fig. 2 and the first-level TLV in Fig. 3-A. The second-level TLVs are those of Fig. 4-A together with Fig. 4-C, or those of Fig. 4-B together with Fig. 4-C: if the network devices in the autonomous domain run OSPF, the identifier TLVs are as in Fig. 4-A; if they run IS-IS, as in Fig. 4-B; and if some run OSPF and others IS-IS, the message contains both the Fig. 4-A and the Fig. 4-B second-level TLVs, each accompanied by the Fig. 4-C trust level TLV.
The first network equipment sends a first trust level issuing message to the second network equipment. And after receiving the first trust level issuing message, the second network equipment acquires the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification.
And the second network equipment stores the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification into a network equipment trust level table.
It should be noted that, in this embodiment of the application, the second network device is a network device that newly establishes a connection with the first network device, and at this time, the first network device sends the first trust level issue packet to the newly established network device. And if the second network equipment is the network equipment which establishes the connection, the first network equipment does not repeatedly send the first trust level issuing message.
Optionally, in this embodiment, the method further covers the case in which the first network device has not received a connection establishment request from the second network device.
Specifically, when no connection establishment request from the second network device has been received, the first network device determines whether it has received a trust level request message from the second network device. The trust level request message consists of a message header and a first-level TLV; the message header is shown in Fig. 2 and the first-level TLV in Fig. 3-C.
If the first network equipment receives the trust level request message sent by the second network equipment, the first network equipment acquires the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification from the network equipment trust level table.
The first network device obtains the device identifiers of all network devices in the autonomous domain from the network device trust level table, and the device trust level of the network device corresponding to each device identifier is carried in the first trust level issuing message.
It is understood that the message format of the first trust level issuance message is described above and will not be repeated here.
The first network equipment sends a first trust level issuing message to the second network equipment. And after receiving the first trust level issuing message, the second network equipment acquires the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification.
And the second network equipment stores the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification into a network equipment trust level table.
Optionally, in this embodiment of the present application, the method further includes a step after the first network device receives a second configuration instruction input by the user.
Specifically, the first network device receives a second configuration instruction input by the user, where the second configuration instruction includes device identifiers of network devices whose trust levels have been updated in the autonomous domain, and an updated device trust level of the network device corresponding to each device identifier.
According to the device identifier of the network device, the first network device obtains a network device trust level table entry corresponding to the device identifier of the network device from the network device trust level table. And the first network equipment stores the updated equipment trust level of the network equipment corresponding to each equipment identifier into the network equipment trust level table entry corresponding to the equipment identifier of the network equipment.
Further, in this embodiment of the application, the first network device further determines an update type of the updated device trust level in the network device trust level entry.
And if the updating type is the first type, the first network equipment generates a second trust level issuing message. The second trust level issuing message includes the device identifier of the network device whose trust level has been updated in the autonomous domain, and the updated device trust level of the network device corresponding to each device identifier.
The message format of the second trust level issuing message is the same as the message format of the first trust level issuing message, and the description is not repeated here.
And the first network equipment sends a second trust level issuing message to the third network equipment. And after receiving the second trust level issuing message, the third network equipment acquires the equipment identification of the network equipment with the updated trust level in the autonomous domain and the updated equipment trust level of the network equipment corresponding to each equipment identification.
And according to the equipment identifier of the network equipment with the updated trust level in the autonomous domain, the third network equipment acquires a network equipment trust level table item corresponding to the equipment identifier of the network equipment from the network equipment trust level table. And the third network equipment stores the updated equipment trust level of the network equipment corresponding to each equipment identifier into the network equipment trust level table entry corresponding to the equipment identifier of the network equipment.
And if the updating type is the second type, the first network equipment generates a trust level revocation message. The trust level revocation message comprises a message header and a first level TLV. The message header is shown in fig. 2; the first level TLVs are shown in fig. 3-B.
It should be noted that the trust level revocation message may or may not include the second-level TLV.
And when the trust level revocation message comprises the second-level TLV, the trust level revocation message is used for revoking the device trust level of the network device indicated by the second-level TLV. The second-level TLVs are shown in FIG. 4-A or in FIG. 4-B. If the second network device runs the OSPF protocol, the second-level TLVs are as shown in FIG. 4-A. If the second network device runs the ISIS protocol, the second-level TLVs are as shown in FIG. 4-B.
And when the trust level revocation message does not comprise the second-level TLV, the trust level revocation message is used for revoking the device trust levels of all the issued network devices.
And the first network equipment sends a trust level revocation message to the third network equipment. And after receiving the trust level revocation message, the third network equipment judges whether the trust level revocation message comprises a second-level TLV. And if the trust level revocation message comprises a second-level TLV, the third network equipment searches a corresponding network equipment trust level table item from the network equipment trust level table according to the second-level TLV, and deletes the equipment trust level of the network equipment stored in the network equipment trust level table item. And if the trust level revocation message does not comprise the second-level TLV, the third network equipment deletes the stored equipment trust levels of all the network equipment in the network equipment trust level table.
It should be noted that the third network device is a network device that has established a communication connection with the first network device.
The following describes in detail a method for issuing a trust level provided in an embodiment of the present application. Referring to fig. 5, fig. 5 is a flowchart of another trust level issuing method provided in the embodiment of the present application. The method is applied to the second network device, and the method for issuing the trust level provided by the embodiment of the application may include the following steps.
Step 510, sending a connection establishment request to the first network device, and establishing a communication connection with the first network device.
Specifically, the user configures SSL, an IP address of the peer network device, a port number for establishing communication connection with the peer, and the like in the first network device and the second network device, respectively.
After SSL is configured in the second network equipment, the second network equipment generates a connection establishment request. And the second network equipment sends a connection establishment request to the configured port in the first network equipment through SSL.
And after the first network equipment receives the connection establishment request sent by the second network equipment, the first network equipment establishes communication connection with the second network equipment.
Step 520, sending an identifier advertisement message to the first network device, where the identifier advertisement message includes the device identifier of the second network device.
Specifically, after the second network device establishes a communication connection with the first network device, the second network device generates an identifier advertisement message, where the identifier advertisement message includes a device identifier of the second network device.
Through the communication connection established in step 520, the second network device sends the identifier advertisement message to the first network device.
It is to be understood that the message format of the identifier advertisement message has been described above and will not be repeated here.
Step 530, receiving a first trust level issue message sent by the first network device according to the device identifier of the second network device, where the first trust level issue message includes device trust levels of all network devices in the autonomous domain.
Specifically, after receiving the identifier advertisement message, the first network device obtains the device identifier of the second network device. And according to the equipment identification of the second network equipment, the first network equipment acquires the equipment identifications of all the network equipment in the autonomous domain from the network equipment trust level table and the equipment trust level of the network equipment corresponding to each equipment identification.
The first network device carries, in the first trust level issuing message, the device identifiers of all network devices in the autonomous domain obtained from the network device trust level table and the device trust level of the network device corresponding to each device identifier.
It is understood that the message format of the first trust level issuance message is described above and will not be repeated here.
The first network equipment sends a first trust level issuing message to the second network equipment. And after receiving the first trust level issuing message, the second network equipment acquires the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification.
And the second network equipment stores the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification into a network equipment trust level table.
Optionally, in this embodiment of the present application, the method further includes a step in which the second network device sends a trust level request packet to the first network device.
Specifically, when the second network device does not receive the first trust level issue packet sent by the first network device within a preset time, or when the configuration of the second network device is updated, the second network device generates a trust level request packet.
It is understood that the message format of the trust level request message has been described above and will not be repeated here.
And the second network equipment sends a trust level request message to the first network equipment. After the first network device receives the trust level request message, the first network device obtains the device identifiers of all network devices in the autonomous domain from the network device trust level table and the device trust level of the network device corresponding to each device identifier.
The first network device carries, in the first trust level issuing message, the device identifiers of all network devices in the autonomous domain obtained from the network device trust level table and the device trust level of the network device corresponding to each device identifier.
It is understood that the message format of the first trust level issuance message is described above and will not be repeated here.
The first network equipment sends a first trust level issuing message to the second network equipment. And after receiving the first trust level issuing message, the second network equipment acquires the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification.
And the second network equipment stores the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification into a network equipment trust level table.
Optionally, in this embodiment of the application, the method further includes the steps in which the second network device identifies the type of the packet sent by the first network device and executes different steps according to the packet type.
Specifically, the second network device determines whether a packet sent by the first network device is received. When such a packet is received, the second network device acquires the first-level TLV from the packet and judges the value of the Type field included in the first-level TLV.
When the value of the Type field is 1, the second network device determines that the message is a trust level issue message (herein, referred to as a second trust level issue message). And the second network equipment acquires the equipment identifier of the network equipment with the updated trust level in the autonomous domain from the second-level TLV included in the second trust level issuing message and the updated equipment trust level of the network equipment corresponding to each equipment identifier. And according to the equipment identifier of the network equipment, the second network equipment acquires a network equipment trust level table entry corresponding to the equipment identifier of the network equipment from the network equipment trust level table. And the second network equipment stores the updated equipment trust level of the network equipment corresponding to each equipment identifier into the network equipment trust level table entry corresponding to the equipment identifier of the network equipment.
The message format of the second trust level issuing message is the same as the message format of the first trust level issuing message, and the description is not repeated here.
And when the value of the Type field is 2, the second network equipment determines that the message is a trust level revocation message. And the second network equipment judges whether the trust level revocation message comprises a second-level TLV. And if the trust level revocation message comprises a second-level TLV, the second network equipment searches a corresponding network equipment trust level table item from the network equipment trust level table according to the second-level TLV, and deletes the equipment trust level of the network equipment stored in the network equipment trust level table item. And if the trust level revocation message does not comprise the second-level TLV, the second network equipment deletes the stored equipment trust levels of all the network equipment in the network equipment trust level table.
It is understood that the message format of the trust level revocation message has been described previously, and will not be repeated here.
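The exchange of steps 510 to 530, the trust level request trigger, and the receiver-side dispatch on the first-level TLV Type field (1 = issue, 2 = revoke, with the "no second-level TLV means revoke all" rule), as an added Python model that is not part of the patent: the SSL connection, the message header and the TLV wire layouts of figures 2 to 4 are not reproduced, and the device identifiers, trust levels and preset time below are constructed. The patent does not say what distinguishes the first and second update types, so the caller chooses by calling `update_levels` or `revoke`.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TYPE_ISSUE = 1   # value of the first-level TLV Type field for a trust level issue message
TYPE_REVOKE = 2  # value of the first-level TLV Type field for a trust level revocation message


@dataclass(frozen=True)
class SecondLevelTlv:
    """One second-level TLV: a device identifier and, in issue messages, its device trust level."""
    device_id: str
    trust_level: Optional[int] = None


@dataclass
class TrustLevelMessage:
    """Assumed in-memory form of a message: first-level TLV Type plus zero or more second-level TLVs."""
    msg_type: int
    entries: List[SecondLevelTlv] = field(default_factory=list)


class FirstNetworkDevice:
    """Holds the network device trust level table entered by the user (first configuration instruction)."""

    def __init__(self, configured: Dict[str, int]) -> None:
        self.table: Dict[str, int] = dict(configured)
        self.connected: List[str] = []  # identifiers advertised over established connections

    def _issue_all(self) -> TrustLevelMessage:
        # First trust level issue message: every identifier in the table with its trust level.
        return TrustLevelMessage(TYPE_ISSUE, [SecondLevelTlv(d, lvl) for d, lvl in self.table.items()])

    def on_identifier_advertisement(self, device_id: str) -> TrustLevelMessage:
        """Steps 520/530: learn the peer identifier and answer with the first issue message."""
        if device_id not in self.connected:
            self.connected.append(device_id)
        return self._issue_all()

    def on_trust_level_request(self) -> TrustLevelMessage:
        """A trust level request (after the preset time or a config update) gets the full table again."""
        return self._issue_all()

    def update_levels(self, updates: Dict[str, int]) -> TrustLevelMessage:
        """Second configuration instruction, first update type: store, then build the second issue message."""
        self.table.update(updates)
        return TrustLevelMessage(TYPE_ISSUE, [SecondLevelTlv(d, lvl) for d, lvl in updates.items()])

    def revoke(self, device_ids: Optional[List[str]] = None) -> TrustLevelMessage:
        """Second update type: revoke the named devices, or every issued level when no TLV is given."""
        return TrustLevelMessage(TYPE_REVOKE, [SecondLevelTlv(d) for d in (device_ids or [])])


class SecondNetworkDevice:
    """Keeps its copy of the table and dispatches received packets on the first-level TLV Type field."""

    def __init__(self, device_id: str, preset_time: float) -> None:
        self.device_id = device_id
        self.preset_time = preset_time
        self.table: Dict[str, Optional[int]] = {}  # None marks an entry whose level was revoked

    def needs_request(self, seconds_since_issue: float, config_updated: bool) -> bool:
        """Trigger for sending a trust level request message to the first network device."""
        return seconds_since_issue >= self.preset_time or config_updated

    def handle(self, msg: TrustLevelMessage) -> List[str]:
        """Apply an issue or revocation message; returns the identifiers whose entries changed."""
        if msg.msg_type == TYPE_ISSUE:
            for tlv in msg.entries:
                if tlv.trust_level is None:
                    raise ValueError(f"issue message carries no trust level for {tlv.device_id}")
                self.table[tlv.device_id] = tlv.trust_level
            return [tlv.device_id for tlv in msg.entries]
        if msg.msg_type == TYPE_REVOKE:
            if not msg.entries:
                # No second-level TLV: delete the stored trust levels of all network devices.
                touched = [d for d, lvl in self.table.items() if lvl is not None]
                for d in touched:
                    self.table[d] = None
                return touched
            touched = []
            for tlv in msg.entries:
                # Only entries that exist and still hold a level are affected; unknown ids are ignored.
                if self.table.get(tlv.device_id) is not None:
                    self.table[tlv.device_id] = None
                    touched.append(tlv.device_id)
            return touched
        raise ValueError(f"unknown first-level TLV Type {msg.msg_type}")


def demo() -> Dict[str, Optional[int]]:
    """Constructed walk-through: join, full issue, incremental issue, then a targeted revocation."""
    first = FirstNetworkDevice({"10.0.0.1": 3, "10.0.0.2": 2, "10.0.0.3": 1})  # constructed ids/levels
    second = SecondNetworkDevice("10.0.0.2", preset_time=30.0)
    second.handle(first.on_identifier_advertisement(second.device_id))
    second.handle(first.update_levels({"10.0.0.3": 2}))
    second.handle(first.revoke(["10.0.0.1"]))
    return dict(second.table)


if __name__ == "__main__":
    print(demo())
```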
Therefore, by applying the issuing method of the trust level provided by the application, when a connection establishment request sent by the second network equipment is received, the first network equipment establishes communication connection with the second network equipment; the first network equipment receives an identification notification message sent by the second network equipment, wherein the identification notification message comprises an equipment identification of the second network equipment. According to the device identification of the second network device, the first network device sends a first trust level issuing message to the second network device, wherein the first trust level issuing message comprises the device trust levels of all network devices in the autonomous domain.
Therefore, the problem that the trust level of the router cannot be issued among the routers in the autonomous domain in the prior art is solved. The process of mutually issuing the equipment trust level between the network equipment in the autonomous domain is realized, and the technical blank in the prior art is made up.
Based on the same inventive concept, the embodiment of the application also provides a trust level issuing device corresponding to the trust level issuing method. Referring to fig. 6, fig. 6 is a structural diagram of an apparatus for issuing a trust level according to an embodiment of the present application, where the apparatus is applied to a first network device, the first network device is in an autonomous domain, the autonomous domain further includes a second network device, and the apparatus includes:
an establishing unit 610, configured to establish a communication connection with the second network device when receiving a connection establishment request sent by the second network device;
a receiving unit 620, configured to receive an identifier notification packet sent by the second network device, where the identifier notification packet includes a device identifier of the second network device;
a sending unit 630, configured to send a first trust level issue packet to the second network device according to the device identifier of the second network device, where the first trust level issue packet includes device trust levels of all network devices in the autonomous domain.
Optionally, the receiving unit 620 is further configured to receive a first configuration instruction input by a user, where the first configuration instruction includes device identifiers of all network devices in the autonomous domain, and a device trust level of a network device corresponding to each device identifier;
the device further comprises: and a storage unit (not shown in the figure) for storing the device identifications of all the network devices in the autonomous domain and the device trust level of the network device corresponding to each device identification in a network device trust level table.
Optionally, the apparatus further comprises: a determining unit (not shown in the figure), configured to determine whether a trust level request packet sent by the second network device is received when a connection establishment request sent by the second network device is not received;
the sending unit 630 is further configured to send the first trust level issue packet to the second network device if the trust level request packet sent by the second network device is received.
Optionally, the receiving unit 620 is further configured to receive a second configuration instruction input by the user, where the second configuration instruction includes the device identifier of the network device whose trust level has been updated in the autonomous domain, and the updated device trust level of the network device corresponding to each device identifier;
the device further comprises: an obtaining unit (not shown in the figure), configured to obtain, according to the device identifier of the network device, a router table entry corresponding to the device identifier of the network device from a network device trust level table;
the storage unit (not shown in the figure) is further configured to store the updated device trust level of the network device corresponding to each device identifier in the network device trust level entry corresponding to the device identifier of the network device.
Optionally, the determining unit (not shown in the figure) is further configured to determine an update type of the updated device trust level in the network device trust level entry;
the sending unit 630 is further configured to send a second trust level issue packet to a third network device if the update type is the first type, where the second trust level issue packet includes the device identifier of the network device whose trust level has been updated in the autonomous domain, and the updated device trust level of the network device corresponding to each device identifier;
the sending unit 630 is further configured to send a trust level revoke packet to the third network device if the update type is the second type, so that the third network device deletes the device trust level of the network device that has been issued by the first network device according to the trust level revoke packet;
the third network device is a network device which has established communication connection with the first network device.
Therefore, by applying the issuing device of the trust level provided by the application, when the device receives a connection establishment request sent by the second network equipment, the device establishes communication connection with the second network equipment; the first network equipment receives an identification notification message sent by the second network equipment, wherein the identification notification message comprises an equipment identification of the second network equipment. According to the equipment identification of the second network equipment, the device sends a first trust level issuing message to the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
Therefore, the problem that the trust level of the router cannot be issued among the routers in the autonomous domain in the prior art is solved. The process of mutually issuing the equipment trust level between the network equipment in the autonomous domain is realized, and the technical blank in the prior art is made up.
Based on the same inventive concept, the embodiment of the application also provides a trust level issuing device corresponding to the trust level issuing method. Referring to fig. 7, fig. 7 is a structural diagram of another apparatus for issuing a trust level according to an embodiment of the present application, where the apparatus is applied to a second network device, the second network device is in an autonomous domain, the autonomous domain further includes a first network device, and the apparatus includes:
a sending unit 710, configured to send a connection establishment request to the first network device;
an establishing unit 720, configured to establish a communication connection with the first network device;
the sending unit 710 is further configured to send an identifier advertisement message to the first network device, where the identifier advertisement message includes a device identifier of the second network device;
a receiving unit 730, configured to receive a first trust level issue packet sent by the first network device according to the device identifier of the second network device, where the first trust level issue packet includes device trust levels of all network devices in the autonomous domain.
Optionally, the sending unit 710 is further configured to send a trust level request message to the first network device when a first trust level issue message sent by the first network device is not received within a preset time, or when the configuration of the second network device is updated;
the receiving unit 730 is further configured to receive the first trust level issue packet sent by the first network device according to the trust level request packet.
Optionally, the first trust level issue packet further includes device identifiers of all network devices in the autonomous domain;
the device further comprises: and a storage unit (not shown in the figure) for storing the device identifications of all the network devices in the autonomous domain and the device trust level of the network device corresponding to each device identification in a network device trust level table.
Optionally, the apparatus further comprises: a determining unit (not shown in the figure) configured to determine whether a message sent by the first network device is received;
an obtaining unit (not shown in the figure), configured to obtain, when the packet is a second trust level issue packet, the device identifier of the network device whose trust level has been updated in the autonomous domain and the updated device trust level of the network device corresponding to each device identifier from the second trust level issue packet;
acquiring a router table item corresponding to the equipment identifier of the network equipment from a network equipment trust level table according to the equipment identifier of the network equipment;
the storage unit (not shown in the figure) is further configured to store the updated device trust level of the network device corresponding to each device identifier in the network device trust level entry corresponding to the device identifier of the network device.
Optionally, the apparatus further comprises: a deleting unit (not shown in the figure), configured to delete the stored network device trust level entry in the network device trust level table when the packet is a trust level revocation packet, where the device trust level of the network device that is already issued by the first network device is stored in the network device trust level entry.
Therefore, by applying the issuing device of the trust level provided by the application, when the device receives a connection establishment request sent by the second network equipment, the device establishes communication connection with the second network equipment; the first network equipment receives an identification notification message sent by the second network equipment, wherein the identification notification message comprises an equipment identification of the second network equipment. According to the equipment identification of the second network equipment, the device sends a first trust level issuing message to the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
Therefore, the problem that the trust level of the router cannot be issued among the routers in the autonomous domain in the prior art is solved. The process of mutually issuing the equipment trust level between the network equipment in the autonomous domain is realized, and the technical blank in the prior art is made up.
Based on the same inventive concept, the embodiment of the present application further provides a network device, as shown in fig. 8, including a processor 810, a transceiver 820 and a machine-readable storage medium 830, where the machine-readable storage medium 830 stores machine-executable instructions capable of being executed by the processor 810, and the processor 810 is caused by the machine-executable instructions to execute the issuing method of the trust level provided by the embodiment of the present application. The trust level issuing apparatus shown in fig. 6 and 7 may be implemented by using a network device hardware structure shown in fig. 8.
The machine-readable storage medium 830 may include a random access memory (RAM) and a non-volatile memory (NVM), such as at least one disk memory. Alternatively, the machine-readable storage medium 830 may be at least one storage device located remotely from the processor 810.
The processor 810 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In embodiments of the present application, the processor 810 reads the machine-executable instructions stored in the machine-readable storage medium 830, and the machine-executable instructions cause the processor 810 itself, together with the transceiver 820 it invokes, to perform the trust level issuing method described in embodiments of the present application.
Additionally, embodiments of the present application provide a machine-readable storage medium 830 storing machine-executable instructions that, when invoked and executed by the processor 810, cause the processor 810 itself, together with the transceiver 820 it invokes, to perform the trust level issuing method described in embodiments of the present application.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
For the embodiments of the issuing device and the machine-readable storage medium of the trust level, the content of the related method is basically similar to the foregoing method embodiments, so the description is relatively simple, and the relevant points can be referred to the partial description of the method embodiments.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A method for issuing a trust level is applied to a first network device, the first network device is in an autonomous domain, the autonomous domain further comprises a second network device, and the method comprises the following steps:
when a connection establishment request sent by the second network equipment is received, establishing communication connection with the second network equipment;
receiving an identifier notification message sent by the second network device, wherein the identifier notification message includes a device identifier of the second network device;
and sending a first trust level issuing message to the second network equipment according to the equipment identifier of the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
2. The method of claim 1, wherein before receiving the connection establishment request sent by the second network device, the method further comprises:
receiving a first configuration instruction input by a user, wherein the first configuration instruction comprises equipment identifications of all network equipment in the autonomous domain and an equipment trust level of the network equipment corresponding to each equipment identification;
and storing the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification into a network equipment trust level table.
3. The method of claim 1, further comprising:
when the connection establishment request sent by the second network equipment is not received, judging whether a trust level request message sent by the second network equipment is received or not;
and if the trust level request message sent by the second network equipment is received, sending the first trust level issuing message to the second network equipment.
4. The method of claim 1, further comprising:
receiving a second configuration instruction input by a user, wherein the second configuration instruction comprises equipment identifiers of the network equipment with the updated trust level in the autonomous domain and an updated equipment trust level of the network equipment corresponding to each equipment identifier;
acquiring a router table item corresponding to the equipment identifier of the network equipment from a network equipment trust level table according to the equipment identifier of the network equipment;
and storing the updated device trust level of the network device corresponding to each device identifier into the network device trust level table entry corresponding to the device identifier of the network device.
5. The method of claim 4, wherein after storing the updated device trust level of the network device corresponding to each device identifier in the network device trust level entry corresponding to the device identifier of the network device, the method further comprises:
judging the updating type of the updated equipment trust level in the network equipment trust level table entry;
if the update type is the first type, sending a second trust level issuing message to third network equipment, wherein the second trust level issuing message comprises equipment identifications of the network equipment with the updated trust level in the autonomous domain and an updated equipment trust level of the network equipment corresponding to each equipment identification;
if the update type is a second type, sending a trust level revocation message to the third network device, so that the third network device deletes the device trust level of the network device issued by the first network device according to the trust level revocation message;
the third network device is a network device which has established communication connection with the first network device.
6. A method for issuing a trust level is applied to a second network device, the second network device is in an autonomous domain, the autonomous domain further comprises a first network device, and the method comprises:
sending a connection establishment request to the first network equipment, and establishing communication connection with the first network equipment;
sending an identifier notification message to the first network device, where the identifier notification message includes a device identifier of the second network device;
and receiving a first trust level issuing message sent by the first network equipment according to the equipment identifier of the second network equipment, wherein the first trust level issuing message comprises the equipment trust levels of all the network equipment in the autonomous domain.
7. The method of claim 6, further comprising:
when a first trust level issuing message sent by the first network equipment is not received within a preset time, or the configuration of the second network equipment is updated, sending a trust level request message to the first network equipment;
and receiving the first trust level issuing message sent by the first network equipment according to the trust level request message.
8. The method according to claim 6, wherein the first trust level issuance packet further includes device identifiers of all network devices within the autonomous domain;
the method further comprises the following steps:
and storing the equipment identifications of all the network equipment in the autonomous domain and the equipment trust level of the network equipment corresponding to each equipment identification into a network equipment trust level table.
9. The method of claim 6, further comprising:
determining whether a message sent by the first network device has been received;
when the message is a second trust level issuing message, obtaining from the second trust level issuing message the device identifiers of the network devices in the autonomous domain whose trust levels have been updated, and the updated device trust level of the network device corresponding to each device identifier;
obtaining, according to each device identifier, the network device trust level table entry corresponding to that device identifier from the network device trust level table;
and storing the updated device trust level of the network device corresponding to each device identifier in the network device trust level table entry corresponding to that device identifier.
10. The method of claim 9, further comprising:
when the message is a trust level revocation message, deleting from the network device trust level table the stored network device trust level table entries that hold the device trust levels of network devices issued by the first network device.
11. An apparatus for issuing a trust level, the apparatus being applied to a first network device, the first network device being in an autonomous domain, the autonomous domain further including a second network device, the apparatus comprising:
an establishing unit, configured to establish a communication connection with the second network device when a connection establishment request sent by the second network device is received;
a receiving unit, configured to receive an identifier advertisement message sent by the second network device, where the identifier advertisement message includes a device identifier of the second network device;
and a sending unit, configured to send a first trust level issuing message to the second network device according to the device identifier of the second network device, where the first trust level issuing message includes the device trust levels of all network devices in the autonomous domain.
12. An apparatus for issuing a trust level, the apparatus being applied to a second network device, the second network device being in an autonomous domain, the autonomous domain further including a first network device, the apparatus comprising:
a sending unit, configured to send a connection establishment request to the first network device;
an establishing unit, configured to establish a communication connection with the first network device;
the sending unit being further configured to send an identifier advertisement message to the first network device, where the identifier advertisement message includes a device identifier of the second network device;
and a receiving unit, configured to receive a first trust level issuing message sent by the first network device according to the device identifier of the second network device, where the first trust level issuing message includes the device trust levels of all network devices in the autonomous domain.
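The exchange of claims 6 to 12, simulated as an added example that is not the patent's own code or any H3C implementation. Both sides are modelled: the first device answers an identifier advertisement or a trust level request with the levels of every device in the domain (claims 6, 7 and 11), and the second device keeps the trust level table of claim 8, re-requests on timeout or configuration change (claim 7), applies the partial second issuing message (claim 9) and deletes its entries on revocation (claim 10). Message names, field layouts, the timeout value and the per-entry issuer column are assumptions; the claims fix none of them. The claims also say nothing about how the first device verifies that the advertised identifier belongs to the peer that sent it; the example assumes that check happens when the connection is established, which is an assumption rather than something the claims provide.

```python
# Added example, not from the patent: simulation of the exchange in claims 6 to 12.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed message kinds (assumed names), each tagged with the claim it serves.
CONNECT_REQ, ID_ADVERT = "connect_request", "identifier_advertisement"   # claim 6
TRUST_REQ, ISSUE_FULL = "trust_level_request", "trust_level_issue_1"     # claims 7, 6
ISSUE_UPDATE, REVOKE = "trust_level_issue_2", "trust_level_revocation"   # claims 9, 10


@dataclass
class Msg:
    kind: str
    sender: str
    levels: Dict[str, int] = field(default_factory=dict)  # device_id -> trust level


class FirstDevice:
    """Issuing side (claim 11): holds the authoritative levels of the domain."""

    def __init__(self, device_id: str, domain_levels: Dict[str, int]):
        self.device_id = device_id
        self.domain_levels = dict(domain_levels)
        self.connected: set = set()

    def handle(self, msg: Msg) -> Optional[Msg]:
        if msg.kind == CONNECT_REQ:
            self.connected.add(msg.sender)  # assumption: the peer is authenticated here
            return None
        if msg.sender not in self.connected or msg.sender not in self.domain_levels:
            return None  # no connection, or an identifier the domain does not know (assumption)
        if msg.kind in (ID_ADVERT, TRUST_REQ):
            # Claims 6 and 7: answer with the levels of every device in the domain.
            return Msg(ISSUE_FULL, self.device_id, dict(self.domain_levels))

    def update_levels(self, changes: Dict[str, int]) -> Msg:
        """Claim 9: the second issuing message carries only the changed identifiers."""
        self.domain_levels.update(changes)
        return Msg(ISSUE_UPDATE, self.device_id, dict(changes))


class SecondDevice:
    """Receiving side (claims 6 to 10 and 12)."""

    def __init__(self, device_id: str, timeout: float):
        self.device_id = device_id
        self.timeout = timeout  # the "preset time" of claim 7; the value is an assumption
        # Claim 8 table: device_id -> (trust level, issuer). The issuer column is an
        # assumption used to honour claim 10's "issued by the first network device".
        self.table: Dict[str, Tuple[int, str]] = {}
        self.pending_since: Optional[float] = None  # time of the unanswered request

    def join(self, now: float) -> List[Msg]:
        """Claim 6: the messages the second device sends to the first."""
        self.pending_since = now
        return [Msg(CONNECT_REQ, self.device_id), Msg(ID_ADVERT, self.device_id)]

    def poll(self, now: float, config_updated: bool = False) -> Optional[Msg]:
        """Claim 7: re-request when no issue arrived in time or the config changed."""
        timed_out = self.pending_since is not None and now - self.pending_since >= self.timeout
        if config_updated or timed_out:
            self.pending_since = now
            return Msg(TRUST_REQ, self.device_id)
        return None

    def handle(self, msg: Optional[Msg]) -> None:
        """Claim 9: first check whether anything arrived, then dispatch on kind."""
        if msg is None:
            return
        if msg.kind == ISSUE_FULL:
            self.table = {d: (lvl, msg.sender) for d, lvl in msg.levels.items()}
            self.pending_since = None
        elif msg.kind == ISSUE_UPDATE:
            for d, lvl in msg.levels.items():  # overwrite the entry for each identifier
                self.table[d] = (lvl, msg.sender)  # assumption: unknown ids are added
        elif msg.kind == REVOKE:
            # Claim 10: drop every entry whose level this sender issued.
            self.table = {d: e for d, e in self.table.items() if e[1] != msg.sender}


def run_scenario() -> dict:
    """Constructed walk-through of claims 6 to 10; returns the observable states."""
    first = FirstDevice("R1", {"R1": 3, "R2": 2, "R3": 1})  # constructed sample domain
    second = SecondDevice("R2", timeout=5.0)
    out = {}
    for m in second.join(now=0.0):
        second.handle(first.handle(m))
    out["after_join"] = {d: second.table[d][0] for d in ("R1", "R2", "R3")}
    req = second.poll(now=1.0, config_updated=True)  # claim 7: configuration changed
    out["request_on_config_update"] = req.kind if req else None
    second.handle(first.handle(req))
    upd = first.update_levels({"R3": 0})  # claim 9: only R3 travels in the update
    out["update_payload"] = dict(upd.levels)
    second.handle(upd)
    out["r3_after_update"] = second.table["R3"][0]
    second.handle(Msg(REVOKE, first.device_id))  # claim 10
    out["table_after_revoke"] = dict(second.table)
    return out
```

Calling run_scenario() walks the constructed domain R1, R2, R3 through join, a configuration-triggered re-request, a partial update and a revocation. The timeout branch of claim 7 is exercised by a second device whose advertisement gets no answer: poll() stays silent until the preset time has elapsed and then emits the trust level request. The per-entry issuer column is what would let a revocation from one issuer leave entries issued by another untouched; with the single issuer of the claims it empties the table.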

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011085306.3A CN112367355A (en) 2020-10-12 2020-10-12 Trust level issuing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011085306.3A CN112367355A (en) 2020-10-12 2020-10-12 Trust level issuing method and device

Publications (1)

Publication Number Publication Date
CN112367355A (en) 2021-02-12

Family

ID=74507620

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011085306.3A Withdrawn CN112367355A (en) 2020-10-12 2020-10-12 Trust level issuing method and device

Country Status (1)

Country Link
CN (1) CN112367355A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023051455A1 (en) * 2021-09-28 2023-04-06 Huawei Technologies Co., Ltd. Method and apparatus for training trust model

Similar Documents

Publication Publication Date Title
CN107800602B (en) Message processing method, device and system
EP3207690B1 (en) Duplicate address detection based on distributed bloom filter
US8949959B2 (en) Reduced authentication times for shared-media network migration
US7991864B2 (en) Network element discovery using a network routing protocol
US10263808B2 (en) Deployment of virtual extensible local area network
US10277564B2 (en) Light-weight key update mechanism with blacklisting based on secret sharing algorithm in wireless sensor networks
KR101409384B1 (en) Methods, systems, and computer readable media for providing dynamic origination-based routing key registration in a diameter network
US10454710B2 (en) Virtual local area network mismatch detection in networks
US8767712B2 (en) Message forwarding using GRE tunneling protocol
US10277686B2 (en) Service discovery optimization in a network based on bloom filter
WO2019184752A1 (en) Network device management method, apparatus and system
US10855576B2 (en) Information transmission method and device
US10785809B1 (en) Coordinating zero touch network joins
CN102739497A (en) Automatic generation method for routes and device thereof
CN106899500B (en) Message processing method and device for cross-virtual extensible local area network
CN111541616A (en) Flow control method and device
CN103209108A (en) Dynamic virtual private network (DVPN)-based route generation method and equipment
CN104125244A (en) Information forwarding method and system in distributed network
US20190215191A1 (en) Deployment Of Virtual Extensible Local Area Network
KR20130080626A (en) A routing method between domains for content centric network and the content centric network
CN112367355A (en) Trust level issuing method and device
JP2018174550A (en) Communication system
CN108259292B (en) Method and device for establishing tunnel
CN107888383B (en) Login authentication method and device
CN105721313B (en) Data transmission method and relevant device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication
Application publication date: 20210212