CN113037684B - VxLan tunnel authentication method, device and system and gateway - Google Patents


Info

Publication number: CN113037684B
Authority: CN (China)
Prior art keywords: authentication, vxlan, tunnel, data packet, vcpe
Legal status: Active
Application number: CN201911341457.8A
Other languages: Chinese (zh)
Other versions: CN113037684A
Inventors: 吕航, 刘玉飞, 王学聪
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN201911341457.8A
Publication of CN113037684A
Application granted
Publication of CN113037684B

Classifications

    • H04L 63/0876 — Network security: authentication of entities based on the identity of the terminal or its configuration (e.g. MAC address, hardware or software configuration, device fingerprint)
    • H04L 63/0272 — Network security: separating internal from external traffic; virtual private networks
    • H04L 63/0428 — Network security: confidential data exchange where the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 — Network security: confidential data exchange where the sending and receiving entities apply symmetric encryption (same key used for encryption and decryption)
    • H04L 63/083 — Network security: authentication of entities using passwords
    • H04L 9/3271 — Cryptographic mechanisms for verifying the identity or authority of a user or for message authentication, using challenge-response


Abstract

The disclosure provides a virtual extensible local area network (VxLan) tunnel authentication method, device, system and gateway, and relates to the technical field of computer networks. The VxLan tunnel authentication method comprises the following steps: when the virtual enterprise gateway (vCPE) determines that the IP address carried by the VxLan tunnel is not within a preconfigured range, it sends a VxLan challenge data packet to the CPE at the opposite end of the tunnel; the vCPE receives the VxLan challenge response data packet, records the VxLan tunnel identifier, randomly generates an authentication plaintext, and returns it to the CPE in a VxLan authentication data packet; the vCPE looks up the tunnel password by the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet with that password, and obtains the decrypted authentication ciphertext; the decrypted authentication ciphertext is matched against the authentication plaintext, and if they match, authentication success is reported to the CPE. In this way the vCPE can effectively authenticate and identify the CPE, system complexity is greatly reduced, and authentication security is improved.

Description

VxLan tunnel authentication method, device and system and gateway
Technical Field
The present disclosure relates to the field of computer network technologies, and in particular, to a VxLan (Virtual Extensible LAN) tunnel authentication method, apparatus, system, and gateway.
Background
VxLan is a peer-to-peer tunnel technology: the protocol design makes no distinction between an initiator and a responder, and communication is established by configuring the VxLan tunnel parameters of both sides on the VTEPs at the two ends. VxLan tunnels were first applied in IDC machine rooms and cloud resource pools to solve problems such as VLAN resource exhaustion and virtual machine migration, and, unlike other tunnel technologies such as IPSec and L2TP, no authentication or identification function was added. Owing to advantages such as a good overlay model, light weight and ease of deployment, VxLan is currently receiving more and more attention and application in the Internet field.
Disclosure of Invention
An object of the present disclosure is to provide an authentication and identification scheme for a VxLan tunnel.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication method is proposed, including: when the virtual enterprise gateway (vCPE) determines that the IP address carried by the VxLan tunnel is not within a preconfigured range, it sends a VxLan challenge data packet to the CPE at the opposite end of the tunnel, so that the CPE generates, from the VxLan challenge data packet, a VxLan challenge response data packet carrying the VxLan tunnel identifier; the vCPE receives the VxLan challenge response data packet, records the VxLan tunnel identifier, randomly generates an authentication plaintext, and returns it to the CPE in a VxLan authentication data packet, so that the CPE encrypts the authentication plaintext with the tunnel password as the key, generates an authentication ciphertext, and returns it to the vCPE in a VxLan authentication response data packet; the vCPE obtains the tunnel password from the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet with the tunnel password, and obtains the decrypted authentication ciphertext; the decrypted authentication ciphertext is matched against the authentication plaintext, and if they match, authentication success is reported to the CPE; if authentication fails, the tunnel is closed.
In some embodiments, the VxLan tunnel authentication method further comprises: the vCPE receives a VxLan data packet from the CPE and obtains the IP address carried by the VxLan tunnel.
In some embodiments, the VNI field of the VxLan challenge packet is a predetermined value, such that the CPE generates the VxLan challenge response packet if it determines that the VNI field is a predetermined value.
In some embodiments, the VxLan challenge-response packet carries a VxLan tunnel identification through the VNI field; the VxLan authentication data packet carries an authentication plaintext through a VNI field; the VxLan authentication response data packet carries an authentication ciphertext through a VNI field.
In some embodiments, the tunnel identification, authentication plaintext, and authentication ciphertext are 24 bits in length.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication method is proposed, including: when the CPE receives a VxLan challenge data packet from the vCPE, the CPE generates a VxLan challenge response data packet carrying the VxLan tunnel identifier, so that after receiving the VxLan challenge response data packet the vCPE randomly generates an authentication plaintext and returns it to the CPE in the VNI of a VxLan authentication data packet; the CPE receives the VxLan authentication data packet, encrypts the authentication plaintext with the tunnel password as the key to generate an authentication ciphertext, carries the authentication ciphertext in the VNI of a VxLan authentication response data packet, and returns it to the vCPE, so that the vCPE can obtain the tunnel password from the VxLan tunnel identifier, decrypt the authentication ciphertext in the VxLan authentication response data packet with the tunnel password, obtain the decrypted authentication ciphertext, and match it against the authentication plaintext; the CPE determines that authentication succeeded when it receives an authentication success message from the vCPE, and that authentication failed when the tunnel is closed.
In some embodiments, the VxLan tunnel authentication method further includes: sending a VxLan data packet to the vCPE so that the vCPE can obtain the IP address carried by the VxLan tunnel, wherein the vCPE sends the VxLan challenge data packet to the CPE at the opposite end of the tunnel when it determines that the IP address carried by the VxLan tunnel is not within the preconfigured range.
In some embodiments, the VxLan tunnel authentication method further comprises: when the CPE receives a data packet from the vCPE, it reads the VNI field, and if the VNI field holds the preset value, the received data packet is determined to be the VxLan challenge data packet.
In some embodiments, the VxLan challenge response packet carries a VxLan tunnel identifier over a VNI field; the VxLan authentication data packet carries authentication plaintext through a VNI field; the VxLan authentication response data packet carries an authentication ciphertext through a VNI field.
In some embodiments, the tunnel identification, authentication plaintext, and authentication ciphertext are 24 bits in length.
According to an aspect of some embodiments of the present disclosure, a VxLan tunnel authentication method is proposed, including: any one of the above mentioned virtual extended local area network tunnel authentication methods performed by the vCPE; and, any of the virtual extended local area network tunnel authentication methods mentioned hereinabove as being performed by a CPE.
By this method, the CPE and the vCPE can effectively realize authentication and identification of the CPE by the vCPE without adding an additional authentication protocol to the VxLan message or depending on other controllers, so that system complexity is greatly reduced; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
According to an aspect of some embodiments of the disclosure, a VxLan tunnel authentication apparatus is proposed, including: a memory; and a processor coupled to the memory, the processor configured to perform any of the virtual extensible local area network tunnel authentication methods above based on instructions stored in the memory.
The authentication device can effectively realize authentication and identification of the CPE by the vCPE without adding an additional authentication protocol to the VxLan message or depending on other controllers, thereby greatly reducing system complexity; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
According to an aspect of some embodiments of the present disclosure, a computer-readable storage medium is proposed, on which computer program instructions are stored, which instructions, when executed by a processor, implement the steps of any of the virtual extended local area network tunnel authentication methods above.
By executing the instructions on the computer-readable storage medium, authentication and identification of the CPE by the vCPE can be effectively realized without adding an additional authentication protocol to the VxLan message or depending on other controllers, and system complexity is greatly reduced; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
According to an aspect of some embodiments of the disclosure, a VxLan tunnel authentication system is proposed, comprising: CPE and vCPE; the CPE and the vCPE are configured to perform any of the virtual extended local area network tunnel authentication methods described above.
The VxLan tunnel authentication system can effectively realize authentication and identification of the CPE by the vCPE without adding an additional authentication protocol to the VxLan message or depending on other controllers, thereby greatly reducing system complexity; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and not to limit the disclosure. In the drawings:
Fig. 1 is a flow diagram of some embodiments of a VxLan tunnel authentication method of the present disclosure.
Fig. 2 is a flowchart of other embodiments of the VxLan tunnel authentication method of the present disclosure.
Fig. 3 is a schematic diagram of some embodiments of a data packet in the VxLan tunnel authentication method according to the present disclosure.
Fig. 4 is a signaling flow diagram of some embodiments of a VxLan tunnel authentication method of the present disclosure.
Fig. 5 is a schematic diagram of some embodiments of a VxLan tunnel authentication device of the present disclosure.
Fig. 6 is a schematic diagram of other embodiments of the VxLan tunnel authentication device of the present disclosure.
Fig. 7 is a schematic diagram of some embodiments of a VxLan tunnel authentication system of the present disclosure.
Detailed Description
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
In the operating environment of a vCPE, the CPE side is generally the active initiator of tunnel data. At present the network-access IP addresses of the CPEs of many small and medium-sized enterprise customers are not fixed: in some situations, such as a CPE restart, devices such as the BRAS may reallocate the IP address, yet a VxLan tunnel requires the IP addresses of the VTEPs (VxLan Tunnel Endpoints) of both sides to be preconfigured. The common practice is to perform dynamic configuration through a controller such as an SDN-C (Software Defined Network Controller).
The vCPE is usually deployed at an edge node of the Internet, and traffic from the CPE side is brought to the vCPE side through a tunnel technology. VxLan tunnel technology is attracting more and more attention because of its good overlay model, ease of deployment and other characteristics; however, the CPEs of small and medium-sized enterprises rarely have fixed public-network IPs, and since VxLan is a peer-to-peer tunnel technology, this is an obstacle to its wide application.
A flowchart of some embodiments of the vCPE-side VxLan tunnel authentication method of the present disclosure is shown in fig. 1.
In step 101, the vCPE sends a VxLan challenge packet to the CPE at the opposite end of the tunnel if it is determined that the IP address carried by the VxLan tunnel is not within the preconfigured range. In some embodiments, the vCPE obtains the IP address carried by the VxLan tunnel upon receiving the VxLan packet from the CPE, matches the IP address with an IP address within a preconfigured range, and determines whether the IP address carried by the VxLan tunnel is within the preconfigured range.
In some embodiments, the CPE generates a VxLan challenge response packet carrying a VxLan tunnel identification from the VxLan challenge packet.
In step 102, the vCPE receives the VxLan challenge response data packet, records the identification of the VxLan tunnel, randomly generates an authentication plaintext, and feeds back the authentication plaintext to the CPE through the VxLan authentication data packet. In some embodiments, the CPE encrypts an authentication plaintext with the tunnel password as a key, generates an authentication ciphertext, and feeds back the authentication ciphertext to the vCPE through the VxLan authentication response packet.
In step 103, the vCPE obtains a tunnel password through the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response packet according to the tunnel password, and obtains a decryption authentication ciphertext.
In step 104, the vCPE matches the decrypted authentication ciphertext with the authentication plaintext. If the matching is successful, go to step 105; if the matching is not successful, go to step 106.
In step 105, the authentication success is fed back to the CPE.
In step 106, authentication is determined to have failed and the tunnel is closed.
By this method, the vCPE can effectively realize authentication and identification of the CPE without adding an additional authentication protocol to the VxLan message or depending on other controllers, and system complexity is greatly reduced; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
Flow diagrams of further embodiments of the CPE-side VxLan tunnel authentication method of the present disclosure are shown in fig. 2.
In step 201, the CPE generates a VxLan challenge response packet carrying a VxLan tunnel identifier when receiving the VxLan challenge packet from the vCPE. In some embodiments, the CPE may send a VxLan packet to the vCPE. The vCPE acquires the IP address carried by the VxLan tunnel based on the VxLan data packet, and sends a VxLan challenge data packet to the enterprise gateway CPE at the opposite end of the tunnel under the condition that the IP address carried by the VxLan tunnel is determined not to be in the preconfigured range.
In some embodiments, after receiving the VxLan challenge response packet, the vCPE randomly generates an authentication plaintext, and feeds back the authentication plaintext carried by the VNI of the VxLan authentication packet to the CPE.
In step 202, the CPE receives the VxLan authentication data packet, encrypts an authentication plaintext with the tunnel password as a key, generates an authentication ciphertext, carries the authentication ciphertext through the VNI of the VxLan authentication response data packet, and feeds back the authentication ciphertext to the vCPE. In some embodiments, the vCPE obtains a tunnel password by querying through the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response packet according to the tunnel password, obtains a decryption authentication ciphertext, and matches the decryption authentication ciphertext with the authentication plaintext.
In step 203, the CPE determines whether an authentication success message fed back from the vCPE is received. If the message is received, go to step 204; otherwise, the tunnel is closed, and authentication failure is determined.
In step 204, authentication is determined to be successful.
By this method, the CPE can effectively take part in authentication and identification of the CPE by the vCPE without adding an additional authentication protocol to the VxLan message or depending on other controllers, thereby greatly reducing authentication complexity; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
In some embodiments, as shown in fig. 3, since the VNI of a VxLan tunnel is 24 bits, the tunnel ID is also 24 bits. When the vCPE receives a VxLan data packet sent by the CPE, it parses the IP address carried by the VxLan tunnel. If that IP is not in the preconfigured VxLan tunnel list (for example because the CPE was reassigned a WAN-side IP address after a restart), or if authentication and identification are required for another reason such as a timeout, the vCPE sends a VxLan data packet with no payload to the CPE side, marked by a special VNI value in the VxLan packet header, such as 0xFE 0xFE 0xFE (0xFEFEFE). When the CPE receives this packet, it knows that the vCPE requires authentication.
When the CPE receives the challenge VxLan packet from the vCPE, this indicates that the vCPE requires the CPE to authenticate. The CPE assembles a VxLan packet with no payload in which the VNI of the VxLan header is the tunnel ID, which, as mentioned above, is 24 bits.
The vCPE records the tunnel ID received in the VxLan packet and at the same time generates a 24-bit random plaintext; it uses this plaintext as the VNI value to build a VxLan authentication initiation packet and sends it to the CPE. After receiving the authentication initiation packet, the CPE encrypts the authentication plaintext in the VNI with the tunnel password as the key to produce a 24-bit ciphertext, and encapsulates that ciphertext as the new VNI in an authentication response VxLan message sent to the vCPE. The vCPE retrieves the tunnel password by the tunnel ID, decrypts the authentication ciphertext with that password as the key, and compares the result with the plaintext sent earlier: if they match, tunnel authentication and identification is complete; if not, the tunnel is closed. In both cases an authentication result packet is sent to the CPE.
In some embodiments, the authentication result is also 24 bits and is sent in the VNI field; for example, 0xEF 0xEF 0xEF (0xEFEFEF) means authentication succeeded and 0xEE 0xEE 0xEE (0xEEEEEE) means authentication failed.
By this method the VNI field of the VxLan packet header is fully utilized: no additional interface is needed, no extra authentication control protocol has to be carried in the VxLan payload, and no controller has to intervene in dynamic configuration.
A signaling flow diagram of some embodiments of the VxLan tunnel authentication method of the present disclosure is shown in fig. 4.
In 401-403, the CPE sends a VxLan data packet to the vCPE, and the vCPE firstly judges whether authentication and identification are needed through an authentication strategy library; if authentication is needed, the vCPE sends an authentication challenge packet to the CPE, and the CPE encapsulates the tunnel ID in the VNI to generate a response challenge packet.
In 404-410, the vCPE forwards the tunnel ID to an authentication identification unit to request authentication, the authentication unit calls a generator to generate a random authentication plaintext, the random authentication plaintext is forwarded to the CPE through an authentication initiating packet, and the CPE encrypts the plaintext by using a tunnel password as a key to generate a VNI and encapsulates the VNI in an authentication response packet.
In 411-415, the authentication identification unit decrypts the ciphertext with the tunnel password and compares the result with the authentication plaintext to obtain the authentication result, which is finally encapsulated in a VNI and returned to the CPE end; if authentication fails, the vCPE closes the tunnel.
By this method, the sequence challenge -> challenge response -> authentication initiation -> authentication response is realized purely by changing the VNI value in the VxLan data packets exchanged back and forth between the vCPE and the CPE. No additional authentication protocol needs to be added to the VxLan message and no other controller is required, and the vCPE authenticates and identifies the CPE when the CPE initiates the VxLan tunnel according to the service requirement. At the same time, an authentication method based on plaintext/ciphertext encryption and decryption is provided in which tunnel passwords are never transmitted, so the whole system is safer and more reliable.
A schematic structural diagram of an embodiment of the VxLan tunnel authentication device of the present disclosure is shown in fig. 5. The VxLan tunnel authentication device comprises a memory 501 and a processor 502. Wherein: the memory 501 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used for storing the instructions in the corresponding embodiments of the VxLan tunnel authentication method above. The processor 502 is coupled to the memory 501 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 502 is used for executing instructions stored in the memory, and can simplify the complexity of authentication and improve the security of authentication.
In one embodiment, as also shown in fig. 6, the VxLan tunnel authentication apparatus 600 includes a memory 601 and a processor 602. The processor 602 is coupled to the memory 601 by a bus 603. The VxLan tunnel authentication apparatus 600 may further be connected to an external storage apparatus 605 through a storage interface 604 in order to call external data, and may further be connected to a network or another computer system (not shown) through a network interface 606. These are not described in further detail here.
In the embodiment, the data instruction is stored in the memory, and the processor processes the instruction, so that the complexity of authentication can be simplified, and the security of the authentication can be improved.
In another embodiment, a computer readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of a method in a corresponding embodiment of a VxLan tunnel authentication method. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
A schematic diagram of some embodiments of the VxLan tunnel authentication system of the present disclosure is shown in fig. 7. The CPE 71 may be any of those mentioned above and executes the CPE-side VxLan tunnel authentication method; the vCPE 72 may likewise be any of those mentioned above and executes the vCPE-side VxLan tunnel authentication method.
The VxLan tunnel authentication system can effectively realize authentication and identification of the CPE by the vCPE without adding an additional authentication protocol to the VxLan message or depending on other controllers, thereby greatly reducing system complexity; at the same time, tunnel passwords are not transmitted during authentication, so authentication security is improved.
In some embodiments, the authentication policy repository in the vCPE72 can be based on the reason that its authentication policy may be an IP address update of the CPE, a timeout, etc., which will activate authentication; in order to improve the security, the vCPE72 does not transmit a tunnel password, but uses the password as an encryption key to perform encryption/decryption comparison on a random plaintext to complete authentication; in some embodiments, the encryption/decryption algorithm is a symmetric encryption algorithm, since the plaintext/ciphertext is 24 bits, a stream cipher algorithm, such as RC4, may be used without using DES, 3DES, ASE, or other block cipher algorithms. Since the tunnel cipher is used as an encryption/decryption key, it is not limited to a long one, and 128 or more bits (the RC4 encryption key of 128 or more bits is secure and reliable) can be used to enhance the security.
The method mentioned above has universality, universality and cross-platform performance, and can be realized and deployed on vCPE equipment based on various platforms, and also can be realized and deployed on other tunnel gateways based on entity equipment or virtual machines; in addition, the cloud gateway can be deployed in a mainstream cloud resource pool (such as a space wing cloud) and a private cloud resource pool of an enterprise, and has a wide application prospect.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The methods and apparatus of the present disclosure may be implemented in a number of ways. For example, the methods and apparatus of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure.
Finally, it should be noted that: the above examples are intended only to illustrate the technical solutions of the present disclosure and not to limit them; although the present disclosure has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that: modifications to the specific embodiments of the disclosure or equivalent substitutions for parts of the technical features may still be made; all such modifications are intended to be included within the scope of the claims of this disclosure without departing from the spirit thereof.

Claims (14)

1. A virtual extensible local area network (VxLan) tunnel authentication method, comprising the following steps:
a virtual enterprise gateway (vCPE) sends a VxLan challenge data packet to the enterprise gateway (CPE) at the opposite end of the tunnel when it determines that the IP address carried by the VxLan tunnel is not in a pre-configured range, so that the CPE generates, from the VxLan challenge data packet, a VxLan challenge response data packet carrying the VxLan tunnel identifier;
the vCPE receives the VxLan challenge response data packet, records the VxLan tunnel identifier, randomly generates an authentication plaintext and feeds it back to the CPE in a VxLan authentication data packet, so that the CPE encrypts the authentication plaintext using the tunnel password as the key to generate an authentication ciphertext, and feeds the authentication ciphertext back to the vCPE in a VxLan authentication response data packet;
the vCPE obtains the tunnel password from the VxLan tunnel identifier, and decrypts the authentication ciphertext in the VxLan authentication response data packet with that tunnel password to obtain a decrypted authentication ciphertext;
the vCPE matches the decrypted authentication ciphertext against the authentication plaintext; if they match, it feeds back authentication success to the CPE, and if authentication fails, it closes the tunnel.
2. The method of claim 1, further comprising:
the vCPE receiving a VxLan data packet from the CPE and obtaining the IP address carried by the VxLan tunnel.
3. The method of claim 1, wherein a VNI field of the VxLan challenge data packet is a predetermined value, such that the CPE generates the VxLan challenge response data packet if the VNI field is determined to be the predetermined value.
4. The method of claim 1, wherein,
the VxLan challenge response data packet carries the VxLan tunnel identifier through a VNI field;
the VxLan authentication data packet carries the authentication plaintext through a VNI field;
and the VxLan authentication response data packet carries the authentication ciphertext through a VNI field.
5. The method of claim 1, wherein the tunnel identification, the authentication plaintext, and the authentication ciphertext are 24 bits in length.
6. A virtual extensible local area network (VxLan) tunnel authentication method, comprising the following steps:
an enterprise gateway (CPE) generates a VxLan challenge response data packet carrying the VxLan tunnel identifier when it receives a VxLan challenge data packet from a virtual enterprise gateway (vCPE), so that the vCPE, after receiving the VxLan challenge response data packet, randomly generates an authentication plaintext and feeds it back to the CPE in the VNI of a VxLan authentication data packet;
the CPE receives the VxLan authentication data packet, encrypts the authentication plaintext using the tunnel password as the key to generate an authentication ciphertext, and feeds the authentication ciphertext back to the vCPE in the VNI of a VxLan authentication response data packet, so that the vCPE obtains the tunnel password from the VxLan tunnel identifier, decrypts the authentication ciphertext in the VxLan authentication response data packet with that tunnel password to obtain a decrypted authentication ciphertext, and matches the decrypted authentication ciphertext against the authentication plaintext;
the CPE determines that authentication succeeded when it receives an authentication success message fed back by the vCPE;
and determines that authentication failed when the tunnel is closed.
7. The method of claim 6, further comprising:
sending a VxLan data packet to the vCPE so that the vCPE can obtain the IP address carried by the VxLan tunnel, wherein the VxLan challenge data packet is sent by the vCPE to the CPE at the opposite end of the tunnel when the vCPE determines that the IP address carried by the VxLan tunnel is not in the pre-configured range.
8. The method of claim 6, further comprising:
the CPE obtaining the VNI field when a data packet is received from the vCPE, and, if the VNI field is the predetermined value, determining that the received data packet is the VxLan challenge data packet.
9. The method of claim 6, wherein,
the VxLan challenge response data packet carries the VxLan tunnel identifier through a VNI field;
the VxLan authentication data packet carries the authentication plaintext through a VNI field;
and the VxLan authentication response data packet carries the authentication ciphertext through a VNI field.
10. The method of claim 6, wherein the tunnel identification, the authentication plaintext and the authentication ciphertext are 24 bits in length.
11. A virtual extensible local area network tunnel authentication method, comprising:
the virtual extensible local area network tunnel authentication method executed by a virtual enterprise gateway (vCPE) according to any one of claims 1 to 5; and
the virtual extensible local area network tunnel authentication method executed by an enterprise gateway (CPE) according to any one of claims 6 to 10.
12. A virtual extensible local area network tunnel authentication device comprises:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-10 based on instructions stored in the memory.
13. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 11.
14. A virtual extensible local area network tunnel authentication system, comprising:
a virtual enterprise gateway configured to perform the method of any one of claims 1 to 5; and
an enterprise gateway configured to perform the method of any one of claims 6 to 10.
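The exchange defined in claims 1 and 6, together with the encryption choice discussed in the description (24-bit values carried in the VNI field, a stream cipher keyed directly by the tunnel password), is simulated below as an added example. This is not code from the patent or from China Telecom; it assumes a VxLAN header laid out as in RFC 7348, a constructed "predetermined" challenge VNI of 0xFFFFFE, an inline RC4 (so the block runs without third-party libraries), and constructed tunnel identifiers and passwords. The `Cpe` and `Vcpe` classes, the pre-configured IP ranges and the password repository are all hypothetical names used for illustration.

```python
import hmac
import ipaddress
import secrets

# VxLAN header (RFC 7348): flags(1) | reserved(3) | VNI(3) | reserved(1).
VXLAN_FLAG_I = 0x08        # "VNI valid" flag bit
CHALLENGE_VNI = 0xFFFFFE   # assumed: predetermined VNI that marks a challenge packet


def build_vxlan_header(vni: int) -> bytes:
    """Pack a 24-bit value into the VNI field of an 8-byte VxLAN header."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vni(header: bytes) -> int:
    """Extract the 24-bit VNI from an 8-byte VxLAN header."""
    if len(header) != 8 or not header[0] & VXLAN_FLAG_I:
        raise ValueError("not a VxLAN header with a valid VNI")
    return int.from_bytes(header[4:7], "big")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling (KSA) followed by the generator (PRGA)."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; for a stream cipher the operation is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


class Cpe:
    """Enterprise gateway end (claim 6): answers the challenge with its tunnel id
    and encrypts the authentication plaintext under the shared tunnel password."""

    def __init__(self, tunnel_id: int, tunnel_password: bytes):
        self.tunnel_id = tunnel_id          # constructed 24-bit identifier
        self.password = tunnel_password     # constructed shared password

    def handle(self, header: bytes) -> bytes:
        vni = parse_vni(header)
        if vni == CHALLENGE_VNI:
            # Challenge response: carry the tunnel identifier in the VNI.
            return build_vxlan_header(self.tunnel_id)
        # Authentication packet: the VNI is the 24-bit plaintext; reply with the
        # ciphertext in the VNI of the authentication response packet.
        ciphertext = rc4_xor(self.password, vni.to_bytes(3, "big"))
        return build_vxlan_header(int.from_bytes(ciphertext, "big"))


class Vcpe:
    """Virtual enterprise gateway end (claim 1): holds the policy and the
    tunnel-password repository and verifies the CPE without sending the password."""

    def __init__(self, password_repo: dict, preconfigured_nets: list):
        self.password_repo = password_repo  # tunnel id -> tunnel password
        self.nets = [ipaddress.ip_network(n) for n in preconfigured_nets]

    def needs_authentication(self, peer_ip: str) -> bool:
        """Policy trigger: the peer IP is not inside the pre-configured range."""
        ip = ipaddress.ip_address(peer_ip)
        return not any(ip in net for net in self.nets)

    def authenticate(self, cpe: Cpe) -> bool:
        # Step 1: challenge; the CPE answers with its tunnel identifier.
        tunnel_id = parse_vni(cpe.handle(build_vxlan_header(CHALLENGE_VNI)))
        # Step 2: random 24-bit plaintext (never the reserved challenge value).
        plaintext = CHALLENGE_VNI
        while plaintext == CHALLENGE_VNI:
            plaintext = secrets.randbelow(1 << 24)
        response = cpe.handle(build_vxlan_header(plaintext))
        # Step 3: look up the password by tunnel id, decrypt, compare.
        password = self.password_repo.get(tunnel_id)
        if password is None:
            return False                    # unknown tunnel: treat as failed, close it
        decrypted = rc4_xor(password, parse_vni(response).to_bytes(3, "big"))
        return hmac.compare_digest(decrypted, plaintext.to_bytes(3, "big"))


if __name__ == "__main__":
    # Constructed sample data: one tunnel with a 128-bit password.
    vcpe = Vcpe({0x000A01: b"constructed-key1"}, ["10.0.0.0/8"])
    if vcpe.needs_authentication("192.0.2.7"):
        print("genuine CPE:", vcpe.authenticate(Cpe(0x000A01, b"constructed-key1")))
        print("wrong password:", vcpe.authenticate(Cpe(0x000A01, b"wrong-password!!")))
```

The comparison uses `hmac.compare_digest` so that the 24-bit match does not leak timing information. Because RC4 is a stream cipher keyed directly by the password, decryption is the same XOR as encryption and every exchange under one password uses the same three keystream bytes; the example reproduces the page's construction as stated rather than altering it.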
CN201911341457.8A 2019-12-24 2019-12-24 VxLan tunnel authentication method, device and system and gateway Active CN113037684B (en)

Publications (2)

Publication Number Publication Date
CN113037684A CN113037684A (en) 2021-06-25
CN113037684B true CN113037684B (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant