CN116800867A - Message processing method and system - Google Patents

Publication number: CN116800867A
Application number: CN202310831708.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 王栋, 贺光辉, 黄永明, 尤肖虎
Assignee (current and original): Network Communication and Security Zijinshan Laboratory
Prior art keywords: network device, segment, message, hash value, checked

Abstract

The invention discloses a message processing method and a message processing system. The method comprises the following steps: a first network device determines first data to be transmitted and a first segment routing header; the first network device generates a first message based on the first data, a first protocol header and the first segment routing header; the first network device determines a first reference segment routing header corresponding to a second network device; the first network device generates a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header; the first network device determines a first task comprising the first reference hash value and uploads the first task to a blockchain; the first network device sends the first message, wherein the first data included in the first message is transmitted according to a forwarding path, and the forwarding path is obtained according to the segment list indication included in the first segment routing header. The invention solves the technical problem of non-ideal information security in the related art.

Description

Message processing method and system
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and a system for processing a message.
Background
Segment Routing (SR) is a source routing technique. SRv6 is the application of SR technology in IPv6 (Internet Protocol Version 6) networks. SRv6 carries a Segment Routing Header (SRH) in the routing extension header defined in the IPv6 standard, which gives the network flexible programmability to meet different path service requirements. Currently, because some data requires high network security, it is desirable that such data be forwarded only through trusted network devices. However, a network device in the segment list may have a connection with a predetermined untrusted network device, and the related art provides no forwarding protection for the message, so the message may be forwarded to the untrusted network device, which creates a risk of information leakage.
In view of the above problem, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a message processing method and a message processing system, which are used for at least solving the technical problem of non-ideal information security in the related technology.
According to an aspect of an embodiment of the present invention, there is provided a message processing method, including: a first network device determines first data to be transmitted and a first segment routing header, wherein the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises a segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list; the first network device generates a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header comprises a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address corresponding to the first segment identifier indicated by the transmission segment pointer of the first segment routing header; the first network device determines a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device; the first network device generates a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header; the first network device determines a first task including the first reference hash value and uploads the first task to a blockchain; the first network device sends the first message, wherein the first data included in the first message is transmitted according to a forwarding path, the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the updating of the transmission segment pointer, and the forwarding path includes the second network device; the second network device is used for receiving a first message to be checked and obtains a matching result based on a first hash value to be checked of the first message to be checked and the first reference hash value, the matching result is used for determining a message processing strategy for processing the first message to be checked, the first hash value to be checked is obtained by the second network device based on the first segment routing header included in the first message to be checked, and the first reference hash value is obtained by the second network device by querying the blockchain for the first task.
According to another aspect of an embodiment of the present invention, there is provided a message processing method, including: a first network device determines first data to be transmitted and a first segment routing header, wherein the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises a segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list; the first network device generates a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header comprises a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address corresponding to the first segment identifier indicated by the transmission segment pointer of the first segment routing header; the first network device determines a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device; the first network device generates a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header; the first network device determines a first task including the first reference hash value and uploads the first task to a blockchain; the blockchain records the first task; the first network device sends the first message, wherein the first data included in the first message is transmitted according to a forwarding path, the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the updating of the transmission segment pointer, and the forwarding path includes the second network device; the second network device queries the blockchain for a first task whose receiver is the second network device to obtain the first reference hash value; the second network device receives a first message to be checked, wherein the first message to be checked is any message received by the second network device; the second network device generates a first hash value to be checked corresponding to the first message to be checked based on the first segment routing header to be checked included in the first message to be checked; the second network device performs matching based on the first hash value to be checked and the first reference hash value, and discards the first message to be checked when the first hash value to be checked does not match the first reference hash value; and the second network device determines a sub-strategy for processing the first message to be checked when the first hash value to be checked matches the first reference hash value.
According to another aspect of an embodiment of the present invention, there is provided a message processing system, including: a first network device, configured to determine first data to be transmitted and a first segment routing header, wherein the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises a segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list; generate a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header comprises a source address and a destination address, the source address of the first protocol header is the address of the first network device, the destination address of the first protocol header is the address corresponding to the first segment identifier, and the transmission segment pointer of the first segment routing header points to the first segment identifier; determine a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device; generate a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header; and determine a first task including the first reference hash value and upload the first task to a blockchain system; the blockchain system, connected with the first network device, records the first task; the first network device is further configured to send the first message, where the first data included in the first message is transmitted according to a forwarding path, the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the updating of the transmission segment pointer, and the forwarding path includes the second network device; the second network device is connected with the blockchain system and is configured to query the blockchain system for the first task whose receiver is the second network device to obtain the first reference hash value; receive a first message to be checked, wherein the first message to be checked is any message received by the second network device; generate a first hash value to be checked corresponding to the first message to be checked based on the first segment routing header to be checked included in the first message to be checked; based on the first hash value to be checked and the first reference hash value, discard the first message to be checked when the first hash value to be checked does not match the first reference hash value; and determine a processing sub-strategy for the first message to be checked when the first hash value to be checked matches the first reference hash value.
In the embodiment of the invention, in combination with a blockchain, a first network device determines first data to be transmitted and a first segment routing header, wherein the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises a segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list; the first network device generates a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header comprises a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address corresponding to the first segment identifier indicated by the transmission segment pointer of the first segment routing header; the first network device determines a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device; the first network device generates a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header; the first network device determines a first task including the first reference hash value and uploads the first task to the blockchain; the first network device sends the first message, wherein the first data included in the first message is transmitted according to a forwarding path, the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the updating of the transmission segment pointer, and the forwarding path includes the second network device; the second network device is used for receiving a first message to be checked and obtains a matching result based on a first hash value to be checked of the first message to be checked and the first reference hash value, the matching result is used for determining a message processing strategy for processing the first message to be checked, the first hash value to be checked is obtained by the second network device based on the first segment routing header included in the first message to be checked, and the first reference hash value is obtained by the second network device by querying the blockchain for the first task. The method and the system thereby ensure that the data transmission cannot enter an untrusted network device, achieve the technical effect of improving the information security of data transmission, and so solve the technical problem of non-ideal information security in the related art.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a flow chart of an alternative message processing method provided in accordance with an embodiment of the present application;
FIG. 2 is a diagram of a message format of an alternative message processing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a network scenario of an alternative message processing method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a network scenario of another alternative message processing method according to an embodiment of the present application;
FIG. 5 is a flow chart of another alternative message processing method provided in accordance with an embodiment of the present application;
FIG. 6 is a flow chart of yet another alternative message processing method provided in accordance with an embodiment of the present application;
FIG. 7 is a flow chart of an alternative message processing method according to an embodiment of the present application;
FIG. 8 is a flow chart of another alternative message processing method according to an embodiment of the present application;
FIG. 9 is a block diagram of an alternative message processing system provided in accordance with an embodiment of the present application; and
FIG. 10 is a schematic diagram of an alternative message processing apparatus according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In accordance with an embodiment of the present invention, there is provided a method embodiment of message processing, it being noted that the steps shown in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
Fig. 1 is a flowchart of an alternative message processing method according to an embodiment of the present invention, where, as shown in fig. 1, an execution body is a first network device, and the method includes the following steps:
step S102, a first network device determines first data to be transmitted and a first segment routing header, wherein the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises segment identifiers corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list;
It will be appreciated that segment routing is a network communication mechanism in which a data packet carries its own routing header (the Segment Routing Header) for routing and transmission in the network. The segment routing header may be used by a network device to determine the forwarding path for the next hop and to forward the message to the correct destination. The first network device is the source node of the first data to be transmitted, and the first segment routing header generated by the first network device is the information that indicates how the first data is forwarded; it includes a segment list and a transmission segment pointer. The processing of the first data applies SRv6 technology, in which the source node (i.e. the first network device) specifies the end-to-end forwarding path of the message. The segment list includes a set of segment identifiers arranged in an order that describes the entire forwarding path. Each segment contains the information of the next hop, and the segment list is configured at the first network device, i.e. at the start of the first data transmission, to indicate the forwarding path of the first data. The transmission segment pointer in the first segment routing header points to a segment identifier in the segment list; at the start of transmission of the first data, the transmission segment pointer points to the first segment identifier in the segment list by default. It should be noted that the first segment identifier may be located at the bottom of the segment list, because the segment list is arranged in the reverse order of the forwarding path.
It should be noted that, the segment list includes segment identifiers of network devices existing in the forwarding path, and in this forwarding path, the segment identifiers may include an offset, an identifier, and the like in the packet, in addition to an address of a corresponding network device.
Alternatively, the network device (including the first network device, the second network device, and the like) may be any of several types of device, such as: a server, an accelerator card, a data processing unit (DPU, a hardware device for performing data computation and processing tasks), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), another programmable logic device, or any other physical or virtual network device that supports network communication functions.
Step S104, the first network device generates a first packet based on the first data, a first protocol header, and the first segment routing header, where the first protocol header includes a source address and a destination address, the source address of the first protocol header is an address of the first network device, and the destination address of the first protocol header is an address corresponding to the first segment identifier, where a transmission segment pointer of the first segment routing header points to the first segment identifier;
It will be appreciated that the first message is generated from the first data and may be considered the transmission form of the first data: the first message used for transmission is generated from the first data, the first protocol header, and the first segment routing header. The first protocol header includes a source address and a destination address; the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address of the segment identifier pointed to by the transmission segment pointer of the first segment routing header, that is, the address corresponding to the first segment identifier. Through this processing, the first data to be transmitted is turned into a first message that is transmitted according to the communication protocol.
For ease of understanding, a specific example follows. The first network device determines that the segment list is [SID0; SID1; SID2], where SID2 is the segment identifier of network device B, SID1 is the segment identifier of network device C, and SID0 is the segment identifier of network device D. Since the second network device may be either a neighboring or a non-neighboring node of the first network device, the second network device may be network device B, C or D; in this example it is assumed that network device B is the second network device and network device C is a third network device following the second network device. It should be noted that, for one forwarding path, the segment list in each segment routing header does not change. FIG. 2 is a schematic diagram of a message format of an alternative message processing method according to an embodiment of the present invention, where the first network device is identified as network device A. Every segment routing header in FIG. 2 includes a Segment List and a transmission segment pointer: Segment List[2] is the segment identifier of network device B, Segment List[1] is the segment identifier of network device C, and Segment List[0] is the segment identifier of network device D. The transmission segment pointer SL=2 points to network device B, SL=1 points to network device C, and SL=0 points to network device D. SRH-1 is the first segment routing header, SRH-2 is the second segment routing header, and SRH-3 is the third segment routing header.
It should be noted that, the first segment routing header is determined in the first network device, the second segment routing header is generated in the B network device, and the third segment routing header is generated in the C network device.
Let the address of network device B be B::, the address of network device C be C::, and the address of network device D be D::. For the first protocol header, the destination address DA is SID2 as indicated by the transmission segment pointer SL=2, so DA=B:: is obtained. It should be noted that the transmission segment pointer is not updated only by the first network device; it is updated hop by hop at each network device along the forwarding path, and the next forwarding node is determined by where the transmission segment pointer points. Network device B generates a second protocol header whose destination address DA is SID1 as indicated by the transmission segment pointer SL=1, so DA=C:: is obtained. Similarly, network device C generates a third protocol header whose destination address DA is SID0 as indicated by the transmission segment pointer SL=0, so DA=D:: is obtained.
Further, to make the message generation process easier to follow, let the predetermined protocol header be an IPv6 basic header, let the source address be denoted SA (which is not updated when the transmission segment pointer is updated, since the address of the first network device, the starting point, is fixed: SA=A::), and let the destination address be denoted DA, which changes with the transmission segment pointer at each network device. The transmission segment pointer (SL=2) in the first segment routing header SRH-1 initially points to the first segment identifier in the segment list, which in this example is the segment identifier SID2 of network device B. So in the first message generated by the first network device for network device B, the first segment routing header SRH-1 includes the segment list [SID0; SID1; SID2] and the transmission segment pointer SL=2, and the first protocol header includes SA=A::, DA=B::. Similarly, the second message generated by network device B for sending to network device C includes a second protocol header and a second segment routing header: the second segment routing header SRH-2 includes the segment list [SID0; SID1; SID2] and the transmission segment pointer SL=1, and the second protocol header includes SA=A::, DA=C::. The third message generated by network device C for sending to network device D includes a third protocol header and a third segment routing header: the third segment routing header SRH-3 includes the segment list [SID0; SID1; SID2] and the transmission segment pointer SL=0, and the third protocol header includes SA=A::, DA=D::.
Step S106, the first network device determines a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to a segment identifier corresponding to the second network device;
It will be appreciated that the first network device needs to generate a corresponding first reference segment routing header for the second network device; the first reference segment routing header is generated by the first network device based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device. The first reference segment routing header is subsequently used to generate the first task, whereas the first segment routing header is used to generate the first message for transmission, so the two headers serve different purposes.
Likewise, although both the check segment pointer in the first reference segment routing header and the transmission segment pointer in the first segment routing header point to a segment identifier in the segment list, the transmission segment pointer is updated in transmission order along the forwarding path, at each corresponding network device, whereas the check segment pointer is determined and used in the first network device. The first network device can sense whether a network device in the forwarding path needs to check the received message; if it determines that a certain network device does not need to check the received message, the check segment pointer skips the segment identifier corresponding to that network device.
It should be noted that the segment identifier corresponding to the second network device is not necessarily the first segment identifier in the segment list; that is, the second network device is not necessarily a neighboring node of the first network device. The first reference segment routing header is generated from the first segment routing header and a check segment pointer to the segment identifier corresponding to the second network device, and is not limited by the way the second network device is networked with the first network device.
Step S108, the first network device generates a first reference hash value corresponding to the second network device by adopting a predetermined hash algorithm based on the first reference segment routing header;
It can be understood that the first network device generates, based on the first reference segment routing header, a first reference hash value using a hash algorithm; the first reference hash value corresponds to the second network device and is used by the second network device for the subsequent message verification process.
In an alternative embodiment, the first network device generating a first message based on the first data, a first protocol header, and the first segment routing header includes: the first network device generates a first protocol header corresponding to the first segment identifier based on a predetermined protocol; the first network device encapsulates the first data based on the first protocol header and the first segment routing header to obtain the first message. The first network device generating a first reference hash value corresponding to the second network device by adopting a predetermined hash algorithm based on the first reference segment routing header includes: the first network device determines a first reference protocol header corresponding to the second network device, wherein the first reference protocol header is generated based on the first protocol header and a check segment pointer pointing to the segment identifier corresponding to the second network device; the first network device generates the first reference hash value corresponding to the second network device based on the first reference segment routing header together with at least one of the first reference protocol header and the first data.
It will be appreciated that the first protocol header is generated by the first network device using the predetermined protocol, while the first reference protocol header is generated by the first network device for the second network device, the correspondence being established through the check segment pointer to the segment identifier corresponding to the second network device; the first reference protocol header is therefore not identical to the first protocol header. The first network device encapsulates the first data with the first segment routing header and the first protocol header to obtain the first message. It should be noted that the transmission segment pointer in the first segment routing header points to the first segment identifier in the segment list, which is not necessarily the segment identifier of the second network device; likewise, the destination address in the first protocol header is the address corresponding to the first segment identifier, which is not necessarily the address of the second network device. It follows that the first message is not necessarily sent by the first network device to the second network device. There may be various ways of generating the first reference hash value: besides applying the hash algorithm to at least the first reference segment routing header, the first network device may also generate it from at least one of the first reference protocol header and the first data. Through the above processing, the ways of generating the first reference hash value are enriched, and since hashing is a digest process, the parameters from which the first reference hash value is generated can be set as required, which helps increase the security of the first reference hash value.
Optionally, the predetermined protocol is IPv6 or another protocol, the first data may be payload data (Payload), and the first message may be an IPv6 message or a message of another protocol.
It should be noted that, taking the first segment routing header SRH-1 and the first reference segment routing header SRH'-1 as an example, the first segment routing header is generated by the first network device and is used to generate the message sent to the neighboring node; it contains the transmission segment pointer and is updated along the forwarding path. A header such as the segment routing header may also be generated and processed by nodes on the forwarding path other than the source node (first network device), such as the B, C, D network devices. The first reference segment routing header is used to generate the first reference hash value and then the first task; it contains the check segment pointer, and the reference segment routing header is generated and processed only in the source node (first network device).
In an alternative embodiment, the first network device and the second network device belong to a predetermined domain, and the first network device generating a first message based on the first data, a first protocol header, and the first segment routing header includes: the first network device generates a first protocol header corresponding to the first segment identifier based on a predetermined protocol; the first network device acquires at least one out-of-domain segment routing header corresponding to another domain, different from the predetermined domain, in a predetermined network system, wherein the predetermined network system is composed of a plurality of domains including the predetermined domain and the other domain; the first network device encapsulates the first data based on the first protocol header, the first segment routing header, and the at least one out-of-domain segment routing header to obtain the first message. The first network device generating a first reference hash value corresponding to the second network device by adopting a predetermined hash algorithm based on the first reference segment routing header includes: the first network device determines a first reference protocol header corresponding to the second network device, wherein the first reference protocol header is generated based on the first protocol header and a check segment pointer pointing to the segment identifier corresponding to the second network device; the first network device determines the first reference hash value corresponding to the second network device based on the first reference segment routing header together with at least one of the first reference protocol header, the at least one out-of-domain segment routing header, and the first data.
It may be understood that, where the first network device and the second network device are defined to belong to the same predetermined domain, and the predetermined network system containing that domain also contains other domains different from it, the first network device generates a first protocol header corresponding to the second network device using the predetermined protocol, may acquire at least one out-of-domain segment routing header corresponding to the other domains, and, when encapsulating the first data, encapsulates the first message based on the first protocol header, the first segment routing header, and the at least one out-of-domain segment routing header. Correspondingly, there may be several ways to generate the first reference hash value: the first network device may apply a hash algorithm to at least the first reference segment routing header, or may also generate the first reference hash value from at least one of the first reference protocol header, the at least one out-of-domain segment routing header, and the first data.
Through the above processing, the networking environment is brought into the generation of the first reference hash value. In the networking environment where the first network device and the second network device are in the predetermined domain and the predetermined network system has other domains besides it, the at least one out-of-domain segment routing header becomes an available option: in addition to at least the first reference segment routing header, at least one of the out-of-domain segment routing header and the first data can be selected for generating the first reference hash value. This enriches the ways of generating the first reference hash value and can effectively improve its security.
In an optional embodiment, the first network device generating a first reference hash value corresponding to the second network device by adopting a predetermined hash algorithm based on the first reference segment routing header includes: the first network device determines a predetermined combination mode corresponding to a plurality of hash algorithms, which may be the same as or different from one another; the first network device combines the plurality of hash algorithms based on the predetermined combination mode to obtain a joint hash algorithm; the first network device generates the first reference hash value corresponding to the second network device by adopting the joint hash algorithm based on the first reference segment routing header.
It will be appreciated that, for the first reference segment routing header, a plurality of hash algorithms may be provided, together with a predetermined combination mode for them. It should be noted that the plurality of hash algorithms may be the same or different, i.e. the same hash algorithm may be used repeatedly. Combining the plurality of hash algorithms in the predetermined combination mode yields a joint hash algorithm, and applying the joint hash algorithm to the first reference segment routing header yields the first reference hash value. Through this processing the combination mode of the hash algorithms can be adjusted, so that the strength of the hash processing is increased and the security of the generated first reference hash value is improved.
Alternatively, each of the plurality of hash algorithms may be any one of the following: SHA-256, SM3, etc.
Alternatively, the predetermined combination mode may be any of several, for example: serial, parallel, serial-parallel, etc.
In an optional embodiment, combining the plurality of hash algorithms based on the predetermined combination mode to obtain a joint hash algorithm includes: where the predetermined combination mode is serial, sorting the plurality of hash algorithms according to a predetermined serial order to obtain the sorted plurality of hash algorithms in the joint hash algorithm; obtaining the first reference hash value by adopting the joint hash algorithm based on the first reference segment routing header includes: inputting the first reference segment routing header into the sorted plurality of hash algorithms and, following the predetermined serial order, taking the calculation result of each algorithm as the input of the next algorithm, until the calculation result of the last algorithm in the sorted plurality is taken as the first reference hash value.
It will be appreciated that, where the combination mode of the plurality of hash algorithms is serial, the joint hash algorithm is the plurality of hash algorithms arranged in series in the predetermined serial order. The first reference segment routing header is input into the joint hash algorithm and processed by the sorted hash algorithms one by one in the predetermined serial order, the calculation result of each algorithm being carried forward as the input of the next, until the last algorithm in the sorted plurality outputs its calculation result as the first reference hash value corresponding to the second network device.
It should be noted that the plurality of hash algorithms may be the same or different. In the serial case, using the same algorithm a different number of times gives different results, and the results are also assumed to differ with the type of algorithm: with an algorithm A and an algorithm B, the serial combination AAA differs from AA, and the serial combination ABA differs from BAB. The combination of a plurality of hash algorithms can therefore be arranged in many ways according to specific needs.
In an optional embodiment, combining the plurality of hash algorithms based on the predetermined combination mode to obtain a joint hash algorithm includes: where the predetermined combination mode is parallel, obtaining the plurality of hash algorithms connected in parallel in the joint hash algorithm; obtaining the first reference hash value by adopting the joint hash algorithm based on the first reference segment routing header includes: inputting the first reference segment routing header into the plurality of parallel hash algorithms to obtain the calculation result of each of them; and taking the respective calculation results of the plurality of parallel hash algorithms as a plurality of first reference hash values corresponding to the second network device.
It can be understood that, where the combination mode of the plurality of hash algorithms is parallel, the plurality of hash algorithms connected in parallel is determined, the first reference segment routing header is input into the joint hash algorithm, and each of the parallel hash algorithms in the joint hash algorithm produces its own result. The calculation results of the parallel hash algorithms are treated as one group of data serving as a plurality of first reference hash values corresponding to the second network device. Through this processing, different combination modes can be used to carry out the hash computation with a plurality of hash algorithms, and the security of generating the first reference hash value is improved.
In an optional embodiment, combining the plurality of hash algorithms based on the predetermined combination mode to obtain a joint hash algorithm includes: where the combination mode of the plurality of hash algorithms is serial-parallel, determining a first number of serial algorithms, a second number of parallel algorithms, and a predetermined serial-parallel order among the plurality of hash algorithms; sorting the first number of serial algorithms based on a predetermined first order to obtain the sorted first number of serial algorithms; determining the second number of parallel algorithms after parallel connection; obtaining the joint hash algorithm based on the sorted first number of serial algorithms, the second number of parallel algorithms after parallel connection, and the serial-parallel order; and processing the first reference segment routing header with the joint hash algorithm to obtain the first reference hash value.
It can be understood that, where the combination mode is serial-parallel, a first number of serial algorithms to be connected in series and a second number of parallel algorithms to be connected in parallel can be determined, the joint hash algorithm can be determined by arranging them according to a specific serial-parallel order, and the first reference segment routing header is input into the joint hash algorithm for processing to obtain the first reference hash value.
In an alternative embodiment, processing the first reference segment routing header with the joint hash algorithm to obtain the first reference hash value includes: where the serial-parallel order is serial first and then parallel, inputting the first reference segment routing header into the sorted first number of serial algorithms and, following the predetermined first order, taking the calculation result of each algorithm as the input of the next, until the calculation result of the last of the sorted serial algorithms is taken as the serial calculation result; inputting the serial calculation result into the second number of parallel algorithms after parallel connection to obtain the calculation result of each of them; and taking the respective calculation results of the second number of parallel algorithms as a plurality of first reference hash values corresponding to the second network device.
It will be appreciated that, in the serial-then-parallel order, a plurality of first reference hash values is obtained, and the plurality of first reference hash values may be handled as a group or in a list for subsequent processing.
In an alternative embodiment, processing the first reference segment routing header with the joint hash algorithm to obtain the first reference hash value includes: where the serial-parallel order is parallel first and then serial, inputting the first reference segment routing header into the second number of parallel algorithms after parallel connection to obtain the calculation result of each of them; taking the respective calculation results of the second number of parallel algorithms as a plurality of parallel calculation results; splicing the plurality of parallel calculation results to obtain a spliced calculation result; and inputting the spliced calculation result into the sorted first number of serial algorithms, following the predetermined first order and taking the calculation result of each algorithm as the input of the next, until the calculation result of the last of the sorted serial algorithms is taken as the first reference hash value corresponding to the second network device.
It can be appreciated that the first reference hash value may also be obtained in the parallel-then-serial order. It should be noted that the above embodiments provide the combination modes of serial connection, parallel connection, and serial-parallel connection; further adjustment can be made according to different serial-parallel orders, and these modes can be combined further in additional steps, without specific limitation.
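The serial, parallel and serial-parallel combination modes above, as an added Python illustration that is not part of the patent: SHA-256 is taken for algorithm A, and since Python's hashlib does not guarantee SM3, SHA3-256 stands in for algorithm B (both choices are assumptions made here).

```python
import hashlib
from typing import Callable, List

HashFn = Callable[[bytes], bytes]


def alg_a(data: bytes) -> bytes:
    """Algorithm A: SHA-256, one of the algorithms named in the text."""
    return hashlib.sha256(data).digest()


def alg_b(data: bytes) -> bytes:
    """Algorithm B: SHA3-256 stands in for SM3, which hashlib does not guarantee."""
    return hashlib.sha3_256(data).digest()


def serial(chain: List[HashFn], data: bytes) -> bytes:
    """Serial mode: each algorithm's output is the next one's input; the last
    output is the single reference hash. Order and count matter: ABA != BAB, AAA != AA."""
    out = data
    for h in chain:
        out = h(out)
    return out


def parallel(branches: List[HashFn], data: bytes) -> List[bytes]:
    """Parallel mode: every algorithm hashes the same input; all results are kept
    as a group of reference hashes, one per branch."""
    return [h(data) for h in branches]


def serial_then_parallel(chain: List[HashFn], branches: List[HashFn], data: bytes) -> List[bytes]:
    """Serial-parallel, serial first: the serial result is fanned out to the
    parallel group, giving several reference hashes."""
    return parallel(branches, serial(chain, data))


def parallel_then_serial(branches: List[HashFn], chain: List[HashFn], data: bytes) -> bytes:
    """Serial-parallel, parallel first: the parallel results are spliced
    (concatenated) and the splice feeds the serial chain, giving one reference hash."""
    spliced = b"".join(parallel(branches, data))
    return serial(chain, spliced)
```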
Step S110, the first network device determines a first task including the first reference hash value, and uploads the first task to a blockchain;
It can be appreciated that the first network device determines a first task including the first reference hash value so that the second network device can acquire it and perform the subsequent verification processing; uploading the first task to the blockchain makes use of the tamper-resistance of the blockchain, so that the first task is difficult to tamper with and the first task acquired by the second network device is more secure and reliable.
In an alternative embodiment, the first network device determining a first task including the first reference hash value includes: the first network device determines that the sender address of the first task is the address of the first network device, that the receiver address of the first task is the address of the second network device, and a first sub-message number, where the first sub-message number is the number of sub-messages included in the first message, the sub-messages included in the first message are each obtained by encapsulation processing based on the first segment routing header, the first protocol header, and the corresponding message data, and the message data of the sub-messages included in the first message together form the first data; the first network device determines the first task based on the sender address of the first task, the receiver address of the first task, the first sub-message number, and the first reference hash value.
It will be appreciated that the first task is directional: its sender address is the address of the first network device and its receiver address is the address of the second network device. The first data to be transmitted may be long, so the first message needs to be divided into a first number of sub-messages for transmission, each carrying a part of the first data as its message data; the message data of the sub-messages included in the first message together form the first data. To guard against packet loss during transmission, the first sub-message number can be stated in the first task, which improves the perceptibility of the transmission situation and the efficiency of message transmission. The sub-messages included in the first message are each obtained by encapsulating the corresponding message data with the first segment routing header and the first protocol header. The first task may be determined from its sender address, its receiver address, the first sub-message number, and the first reference hash value generated by the first network device. Through this processing, the constraint of the first sub-message number is added when the first task is generated, and the first task is recorded in the tamper-resistant blockchain, which helps to perceive whether information has been lost during transmission and so helps improve information security.
For ease of understanding, a specific example: according to the forwarding path indicated for the transmission of the first data, the first data passes from the first network device through the B network device to the C network device, and the B network device and the C network device are assumed to perform verification processing on the messages they receive. The second network device may be either of B and C; for convenience of description, the B network device is taken as the second network device and the C network device as the third network device. When the data length is excessive, the first data is divided into N sub-messages. The first network device generates a corresponding first task and second task for the B network device and the C network device respectively: the first task has sender address A:: (the first network device), receiver address B:: (the B network device), first reference hash value H1-B, and first sub-message number N; similarly, the second task has sender address A::, receiver address C::, second reference hash value H1-C, and first sub-message number N. In other words, while the first data is transmitted along the forwarding path, the number of received sub-messages equals the first sub-message number N when no packet loss occurs; adding the sub-message number constraint to the first task helps inform the network devices on the forwarding path how many sub-messages they should receive and lets them sense packet loss in time.
In an alternative embodiment, the first network device determining a first task including the first reference hash value includes: the first network device determines that the sender address of the first task is the address of the first network device, that the receiver address of the first task is the address of the second network device, and a first timestamp indicating the generation time of the first task; the first network device determines the first task based on the sender address of the first task, the receiver address of the first task, the first timestamp, and the first reference hash value.
It will be appreciated that a time constraint may also be set in the first task: the generation time of the first task, as the first timestamp, may be used to determine the time of transmission. The first network device may determine the first task based on the sender address, the receiver address, the first timestamp, and the first reference hash value of the first task. Through this processing, so that a message sent by the first network device to the second network device at an arbitrary time is not judged legitimate, the transmission time interval of the first task can be determined using the first timestamp, which effectively improves transmission security and efficiency during message transmission.
Optionally, to constrain the first task better in time, a validity period of the first task may be set in the first task; transmission efficiency and security are then further ensured through the first timestamp and the validity period of the first task.
In an alternative embodiment, the first network device determining a first task including the first reference hash value includes: the first network device determines that the sender address of the first task is the address of the first network device, that the receiver address of the first task is the address of the second network device, and a set flag indicating that the first reference hash value is in a valid state or an invalid state; the first network device determines the first task based on the sender address of the first task, the receiver address of the first task, the set flag, and the first reference hash value.
It may be appreciated that the first task may further carry a set flag indicating whether the first reference hash value is in a valid state or an invalid state, so as to constrain the validity of the first reference hash value. If the first reference hash value is not to be used for verification during some period, the set flag in the first task may be set to the invalid state; if after that period the first reference hash value is needed for verification again, the set flag may be set to the valid state, so that the first reference hash value can still be used for verification. Through this processing, the configuration of the first reference hash value as the matching basis is made more flexible by means of the set flag.
Step S112, the first network device sends the first message, where the first data included in the first message is transmitted according to a forwarding path indicated by the segment list included in the first segment routing header; the first data is transmitted along the forwarding path based on the update of the transmission segment pointer; the forwarding path includes the second network device; the second network device is configured to receive a first message to be checked; the first message to be checked is used by the second network device to obtain a matching result based on a first hash value to be checked and the first reference hash value; the matching result is used to determine a message processing policy for processing the first message to be checked; the first hash value to be checked is obtained by the second network device based on the first segment routing header to be checked included in the first message to be checked; and the first reference hash value is obtained by the second network device querying the blockchain for the first task.
It can be understood that the first message actually carries the first data and needs to be transmitted between the network devices included in the forwarding path, where the forwarding path is obtained according to the segment list indication and the first data is transmitted along the forwarding path based on the update of the transmission segment pointer; the first data cannot be directly equated with the first message, since the message actually transmitted is updated along with the transmission segment pointer. The first message is sent by the first network device to its neighboring node; where the second network device is not a neighboring node of the first network device, there may be other network devices between them, and the first message is not sent to the second network device. The second network device not only receives the messages (containing the first data) transmitted along the forwarding path, but treats any message it receives as a first message to be checked. It should be noted that where the second network device is a neighboring node of the first network device, the first message to be checked includes the first message and may be the first message itself, whereas where the second network device is not a neighboring node of the first network device, the first message to be checked neither includes nor is the first message. The first message to be checked is used by the second network device to obtain a matching result by matching the first hash value to be checked against the first reference hash value, and the matching result is used to determine the message processing policy for processing the first message to be checked.
The first hash value to be checked is obtained by the second network device based on the first segment routing header to be checked included in the first message to be checked, and the first reference hash value is obtained by the second network device querying the blockchain for the first task. Through this processing, the first network device uploads the first task to the blockchain so that the information used for verification is hard to tamper with; the combination of the first network device and the blockchain helps improve transmission security, the way the second network device matches the first message to be checked is reliable, and the second network device can determine how to handle the first message to be checked according to the message processing policy, so as to ensure information security.
For ease of understanding, consider a specific example. The first network device can determine which network devices on the forwarding path need to perform message checking to ensure information security, and which do not need to because they pose no risk of information leakage. In an optional application scenario, assume that any network device on the forwarding path that is connected to another domain is at risk of information leakage and must perform message checking. Fig. 3 is a schematic diagram of a network scenario of an alternative message processing method according to an embodiment of the present invention. As shown in fig. 3, the first network device is the source node, identified as network device A; the forwarding path includes network devices B, C and D. Assume that whether a network device is trusted is determined by whether its domain is trusted: the first domain, in which network devices A, B, C and D are located, is predetermined to be trusted, and the second domain is predetermined to be untrusted, so that network devices E and F in it may cause information leakage. In fig. 3, network devices A, B, C and D all have some connection to network devices E and F of the second domain, i.e. there is a risk of information leakage, so when a message is transmitted, network devices B, C and D must each perform checking on any message they receive.
Network device A must therefore generate, in the same way as the first task, a second task corresponding to network device C and a third task corresponding to network device D, and upload the first, second and third tasks to the blockchain. Because the corresponding receiver is recorded in each task, network devices B, C and D can each query and obtain their own task and thus check the messages they receive.
Fig. 4 is a schematic diagram of a network scenario of another alternative message processing method according to an embodiment of the present invention. As shown in fig. 4, only network device B has no connection to the second domain, so network device B is considered not to need to check received messages, while network devices A, C and D are all connected to network devices of the second domain. Tasks for verification therefore still need to be generated for network devices C and D, but generating a task for network device B is optional: for network device B, which only has connections within the first domain, the first message can simply be transmitted, and network device A need not generate and upload a task for it to the blockchain. Note that in the network scenario of fig. 4, network device B does not need to check messages, so in this scenario network device B need not be a second network device; it can forward messages directly without checking.
In an alternative embodiment, the method further comprises: after the first network device sends the first message, it queries the blockchain for a feedback task whose receiver is the first network device, where the feedback task feeds back the processing result of the message sent by the first network device, is generated by the second network device, and is either a normal task or an abnormal task.
It can be appreciated that after sending the first message, the first network device may also query the blockchain for a feedback task whose receiver is the first network device. The feedback task reports the processing of a message sent by the first network device; it is generated by the second network device and may be a normal task or an abnormal task. This lets the first network device perceive the transmission state of the messages it sends and closes the loop on message transmission. By querying the blockchain for the second network device's feedback, i.e. the feedback task it generated, the first network device perceives the processing along the whole forwarding path.
Note that because the feedback task is sent and queried through the blockchain, it is directional: it has a receiver address and a sender address. The second network device and the first network device are not necessarily adjacent nodes, and the first network device does not directly perceive the processing state of the network devices on the forwarding path; whether the first data was transmitted normally has to be determined by querying the feedback task through the blockchain. If the feedback task is an abnormal task, the first network device learns that a node on the forwarding path is abnormal, which helps trace information leakage problems.
Note also that whether a feedback task is a normal task or an abnormal task depends on the information it carries: normal or abnormal describes the task content, not the feedback task itself.
Through steps S102 to S112, data transmission can be prevented from entering an untrusted network device, the information security of data transmission is improved, and the technical problem that information security is not ideal in the related art is solved.
Fig. 5 is a flowchart of another alternative message processing method according to an embodiment of the present invention. As shown in fig. 5, the execution body is the second network device, and the method includes the following steps:
Step S502, the second network device queries the blockchain for a first task whose receiver is the second network device, so as to obtain a first reference hash value, where the first reference hash value is generated by the first network device based on a first reference segment routing header; the first reference segment routing header is generated by the first network device based on a first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device; the first segment routing header includes a segment list and a transmission segment pointer; the segment list is an ordered set of segment identifiers and includes the segment identifier corresponding to the second network device; and the transmission segment pointer of the first segment routing header points to the first segment identifier in the segment list;
It can be understood that the second network device needs to check the received first message to be checked; by querying the blockchain for the first task whose receiver is the second network device, it obtains the first reference hash value to use as the basis for checking. Because of the information security provided by the blockchain, the first task queried by the second network device is trusted, and so is the first reference hash value obtained from it.
Step S504, the second network device receives a first message to be checked, where the first message to be checked is any message received by the second network device;
It can be understood that the messages received by the second network device are not restricted: a message may come from the first network device, from an intermediate node on the forwarding path, or from a network device other than the first network device, so the message data included in the received first message to be checked is not necessarily the first data; the second network device determines the corresponding processing only after checking the first message to be checked. The first message to be checked may include the first message when the first and second network devices are adjacent nodes, but not when they are not adjacent nodes.
Step S506, the second network device generates a first hash value to be checked corresponding to the first message to be checked based on a first segment routing header to be checked included in the first message to be checked;
It can be appreciated that the second network device generates the first hash value to be checked for the first message to be checked from the first segment routing header to be checked included in that message. Through this processing, the second network device produces a first hash value to be checked that can be matched against the first reference hash value. Note that this processing of the first message to be checked is neither forwarding nor decapsulation: it only reads information from the message being checked and generates the first hash value to be checked from at least the first segment routing header to be checked.
In an optional embodiment, the second network device generating the first hash value to be checked corresponding to the first message to be checked based on the first segment routing header to be checked includes: the second network device determines the generation manner used by the first network device to generate the first reference hash value; and, when that generation manner is that the first network device applies a preset hash algorithm upon obtaining the first reference segment routing header, the second network device generates the first hash value to be checked based on the first segment routing header to be checked using the same hash algorithm.
It can be understood that the first reference hash value generated by the first network device serves as the basis for verification by the second network device, so the way the second network device generates the first hash value to be checked must be aligned with the way the first network device generated the first reference hash value. When the second network device determines that the first reference hash value was generated by the first network device applying a preset hash algorithm to the first reference segment routing header, it correspondingly generates the first hash value to be checked from the first segment routing header to be checked with that algorithm. This control-of-variables approach makes the matching between the first hash value to be checked and the first reference hash value meaningful.
Optionally, the first hash value to be checked may also be generated by the second network device from other selectable inputs, such as at least any one of the first data, at least one heterogeneous segment routing header and the first protocol header, with the second network device correspondingly adopting the matching generation manner.
Step S508, the second network device matches the first hash value to be checked against the first reference hash value, and discards the first message to be checked if the first hash value to be checked does not match the first reference hash value;
It can be appreciated that, to decide what to do with the first message to be checked, the second network device matches the first hash value to be checked against the first reference hash value and discards the first message to be checked if they do not match. As a result, the second network device does not process a message whose first hash value to be checked does not match the first reference hash value, so the information carried in that message cannot leak through the second network device; the second network device only processes the first message to be checked when the match succeeds, which improves the security of message transmission and prevents the content carried in the message from leaking in transit.
Step S510, the second network device determines a processing sub-policy for the first message to be checked when the first hash value to be checked matches the first reference hash value.
It can be understood that when the first hash value to be checked matches the first reference hash value, it is considered that processing the first message to be checked on the second network device does not cause information leakage, so the second network device can determine a processing sub-policy for the first message to be checked and process the message according to it.
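Steps S502 to S510 above, together with the per-device task generation of the fig. 3 scenario, modelled end to end as an added example. This is illustrative code written for this page, not the patent's implementation or any product's code. The header layout (a destination-first segment list indexed by the transmission segment pointer), the in-memory list standing in for the blockchain, the task field names and SHA-256 as the preset hash algorithm are all assumptions of the example; device names A to E follow fig. 3, with E standing for a device of the untrusted second domain:

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SRH:
    """Constructed model of a segment routing header. The segment list is stored
    destination-first (as in SRv6) and the transmission segment pointer indexes
    it, starting at the first hop and decreasing along the forwarding path."""
    segment_list: tuple
    pointer: int

    def digest(self) -> str:
        # Preset hash algorithm assumed by this example: SHA-256 over a canonical
        # text form of the header (segment list plus pointer).
        canon = ",".join(self.segment_list) + "#" + str(self.pointer)
        return hashlib.sha256(canon.encode()).hexdigest()


def build_first_srh(path: List[str]) -> SRH:
    """First segment routing header at the source: hops given in forwarding
    order, pointer set to the first hop."""
    seg = tuple(reversed(path))
    return SRH(seg, len(seg) - 1)


def reference_srh(first: SRH, checker_sid: str) -> SRH:
    """First reference segment routing header for a checking device: the same
    segment list with the check segment pointer on that device's SID."""
    return SRH(first.segment_list, first.segment_list.index(checker_sid))


def publish_tasks(ledger: List[Dict], sender: str, first: SRH,
                  checkers: List[str]) -> None:
    """Source side: one task per device that must check; the receiver is
    recorded in the task so each device can find its own."""
    for sid in checkers:
        ledger.append({"sender": sender, "receiver": sid,
                       "ref_hash": reference_srh(first, sid).digest()})


def query_reference_hashes(ledger: List[Dict], my_sid: str) -> List[str]:
    """Step S502: a device reads only the tasks addressed to itself."""
    return [t["ref_hash"] for t in ledger if t["receiver"] == my_sid]


def check_message(ledger: List[Dict], my_sid: str, received: SRH) -> str:
    """Steps S504 to S510: hash the received header the same way the source did
    and match it against the reference hashes. Returns "process" (go on to the
    processing sub-policy) or "discard"."""
    to_check = received.digest()  # first hash value to be checked
    return "process" if to_check in query_reference_hashes(ledger, my_sid) else "discard"


if __name__ == "__main__":
    # Constructed scenario modelled on fig. 3: source A, path B -> C -> D, and
    # all of B, C and D border the untrusted domain, so all three must check.
    ledger: List[Dict] = []  # stand-in for the blockchain
    first = build_first_srh(["B", "C", "D"])
    publish_tasks(ledger, "A", first, ["B", "C", "D"])

    # What C legitimately receives: same segment list, pointer advanced to C.
    at_c = SRH(first.segment_list, first.segment_list.index("C"))
    print(check_message(ledger, "C", at_c))                 # process

    # A header whose segment list no longer matches what A published
    # (here detouring through E): the digest differs, so C drops it.
    print(check_message(ledger, "C", SRH(("D", "E", "B"), 1)))  # discard
```

The last call shows why the check matters: any change to the segment list or pointer between the source and the checking device changes the digest, so the device drops the message before forwarding or decapsulating anything. Because each task records its receiver, device C only ever compares against hashes published for C, not for B or D.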
In an alternative embodiment, the method further comprises: the second network device obtains a preset local routing pool, where the local routing pool stores local reference hash values obtained from the blockchain, each local reference hash value being obtained by querying any task in the blockchain whose receiver is the second network device; the second network device updates the local reference hash values with the first reference hash value to obtain updated local reference hash values; the second network device matching the first hash value to be checked against the first reference hash value and discarding the first message to be checked if they do not match includes: the second network device discarding the first message to be checked when the first hash value to be checked does not match the updated local reference hash values; and the second network device determining the processing sub-policy for the first message to be checked when the first hash value to be checked matches the first reference hash value includes: determining the processing sub-policy for the first message to be checked when the first hash value to be checked matches the updated local reference hash values and the matched local reference hash value among them is the first reference hash value.
It can be understood that the local routing pool obtained by the second network device stores the local reference hash values that the second network device obtained from the blockchain. A local reference hash value is obtained by querying any task in the blockchain; such tasks may come from multiple network devices and are not specifically limited, but their receiver is the second network device. Uploading tasks to the blockchain and receiving messages are not synchronized: it is not the case that one reference hash value is queried, then the message corresponding to it is received, then the checking steps complete, and only then is the next reference hash value queried. Instead, the second network device stores the queried reference hash values in the local routing pool, and after querying the first reference hash value it updates the pool with that value to obtain the updated local reference hash values. If the first hash value to be checked does not match the updated local reference hash values, the first message to be checked is discarded.
When the first hash value to be checked matches the updated local reference hash values, there are two possibilities. The first is that the first hash value to be checked not only matches the updated local reference hash values but the matched local reference hash value is the first reference hash value; in other words, the first hash value to be checked matches the first reference hash value, and the processing sub-policy for the first message to be checked needs to be determined.
The second is that the first hash value to be checked matches the updated local reference hash values, but the matched value is not the first reference hash value; the processing applied to the first message to be checked may then be caching or other processing, and the message is not directly discarded. The second network device may query the blockchain continuously and may find multiple tasks whose receiver is itself, obtaining multiple local reference hash values; a message whose hash matches one of them but not the first reference hash value is not directly discarded. In other words, once the first hash value to be checked matches the updated local reference hash values, the corresponding first message to be checked may be considered for forwarding or decapsulation by the second network device, subject to a specific determination.
Note that the processing sub-policies and the discarding process above are all part of the message processing policy, and the operations that may be performed under a processing sub-policy include forwarding and decapsulation.
Note further that when the first network device generates multiple first reference hash values, the second network device obtains multiple first hash values to be checked using a generation manner matched to that of the multiple first reference hash values, so that the multiple first hash values to be checked correspond one to one with the multiple first reference hash values. The second network device obtains the multiple first reference hash values from the queried first task, updates the local routing pool and obtains the updated local reference hash values; it determines the processing sub-policy for the first message to be checked when the multiple first hash values to be checked respectively match the multiple first reference hash values stored in the local routing pool, and discards the first message to be checked when any one of the multiple first hash values to be checked does not match the first reference hash values stored in the local routing pool.
Optionally, the multiple first hash values to be checked are matched against the multiple first reference hash values one by one in a polling manner; the matching manner is set as required and is not specifically limited.
In an optional embodiment, the second network device updating the local reference hash values with the first reference hash value to obtain the updated local reference hash values includes: the second network device obtains, from the first task, a set flag indicating whether the first reference hash value is in a valid state or an invalid state; when the set flag indicates the valid state, the second network device stores the first reference hash value in the local routing pool to obtain the updated local reference hash values; and when the set flag indicates the invalid state and a local reference hash value matching the first reference hash value exists in the local routing pool, the matching local reference hash value is deleted from the local routing pool to obtain the updated local reference hash values.
It can be appreciated that, from the first task, a set flag can be determined that marks the first reference hash value as either valid or invalid. When the set flag is valid, the first reference hash value can be used for matching against the first hash value to be checked, and the update consists of storing the first reference hash value in the local routing pool. When the set flag is invalid, the first reference hash value is considered unusable for matching against the first hash value to be checked, and if a local reference hash value matching the first reference hash value exists in the local routing pool, that matching local reference hash value must be deleted, because the set flag is invalid, to obtain the updated local reference hash values. In this way, the set flag carried in the first task allows flexible configuration of the local reference hash values in the local routing pool.
Optionally, when the first task includes a first timestamp and the local reference hash values in the local routing pool also carry timestamp information, then, assuming a local reference hash value matching the first reference hash value exists in the local routing pool and the first reference hash value can be used for updating, the timestamp of the matching local reference hash value is updated to the first timestamp.
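The local routing pool, the set flag and the timestamp refresh from the embodiments above, as an added example; this is illustrative code for this page, not the patent's or any product's implementation. The pool is modelled as a dictionary from local reference hash value to the timestamp of the task that last set it; the task field names `ref_hash`, `valid` and `timestamp`, the placeholder header strings being hashed, and the three outcome labels are this example's own assumptions:

```python
import hashlib
from typing import Dict, List


def h(text: str) -> str:
    """Stand-in for the preset hash algorithm: SHA-256 of a constructed header."""
    return hashlib.sha256(text.encode()).hexdigest()


class LocalRoutingPool:
    """Constructed model of the second network device's local routing pool.
    Keys are local reference hash values; values are the timestamp carried by
    the task that last set them (so a re-published hash gets the new time)."""

    def __init__(self) -> None:
        self.entries: Dict[str, int] = {}

    def update(self, task: Dict) -> None:
        """Apply one task queried from the blockchain. A valid set flag stores
        the hash (refreshing its timestamp if already present); an invalid flag
        deletes a matching local hash, and is a no-op if none matches."""
        ref, ts = task["ref_hash"], task["timestamp"]
        if task["valid"]:
            self.entries[ref] = ts
        else:
            self.entries.pop(ref, None)

    def decide(self, to_check: str, first_ref: str) -> str:
        """Single-hash case. No local match: discard. Match with the first
        reference hash value: go on to the processing sub-policy. Match with
        some other local hash: hold the message (cache) pending a decision."""
        if to_check not in self.entries:
            return "discard"
        if to_check == first_ref:
            return "determine_sub_policy"
        return "cache"

    def decide_many(self, to_check: List[str], first_refs: List[str]) -> str:
        """Plural case: each hash to be checked must match its corresponding
        reference hash and that hash must be in the pool; any miss discards."""
        if len(to_check) != len(first_refs):
            return "discard"
        for tc, ref in zip(to_check, first_refs):
            if tc != ref or tc not in self.entries:
                return "discard"
        return "determine_sub_policy"


if __name__ == "__main__":
    pool = LocalRoutingPool()
    # Constructed tasks addressed to this device, queried in this order; the
    # one from A carries the first reference hash value we care about.
    t_a = {"ref_hash": h("srh-from-A"), "valid": True, "timestamp": 100}
    t_x = {"ref_hash": h("srh-from-X"), "valid": True, "timestamp": 101}
    pool.update(t_a)
    pool.update(t_x)
    print(pool.decide(h("srh-from-A"), t_a["ref_hash"]))   # determine_sub_policy
    print(pool.decide(h("srh-from-X"), t_a["ref_hash"]))   # cache
    print(pool.decide(h("srh-unknown"), t_a["ref_hash"]))  # discard
    # A later task with the same hash and a newer timestamp refreshes it ...
    pool.update({"ref_hash": h("srh-from-A"), "valid": True, "timestamp": 105})
    # ... and a task with the invalid flag withdraws it from the pool.
    pool.update({"ref_hash": h("srh-from-A"), "valid": False, "timestamp": 106})
    print(pool.decide(h("srh-from-A"), t_a["ref_hash"]))   # discard
```

The "cache" outcome is what distinguishes the pool from a single-value comparison: a message that matches a reference hash published by some other sender is neither processed as the first message nor dropped, but held until the device decides which task it belongs to.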
In an alternative embodiment, the method further comprises: when the first hash value to be checked does not match the first reference hash value, the second network device generates an abnormal task based on the first hash value to be checked and at least any one of the first message to be checked, an abnormal sub-message number and a second timestamp, where the sender address of the abnormal task is the address of the second network device, the receiver address is the address of a preset anomaly detection end, the second timestamp indicates the generation time of the abnormal task, and the abnormal sub-message number is the number of sub-messages included in the first message to be checked; the second network device uploads the abnormal task to the blockchain; when the first hash value to be checked matches the first reference hash value, the second network device generates a normal task based on the first reference hash value and at least any one of the first message to be checked, a normal sub-message number and a third timestamp, where the sender address of the normal task is the address of the second network device, the receiver address is the address of the first network device, the third timestamp indicates the generation time of the normal task, and the normal sub-message number is the number of sub-messages included in the first message to be checked; and the second network device uploads the normal task to the blockchain.
It can be understood that matching the first hash value to be checked against the first reference hash value has two outcomes, match and mismatch; the second network device decides what to do with the first message to be checked according to the outcome and also generates a corresponding feedback task, which may be a normal task or an abnormal task. In the first case, the first hash value to be checked does not match the first reference hash value, and the second network device generates an abnormal task; because the abnormal task is exchanged through the blockchain and is directional, its sender address is the address of the second network device and its receiver address is the address of the preset anomaly detection end. The second network device generates the abnormal task based on the first hash value to be checked and at least any one of the first message to be checked, the abnormal sub-message number and the second timestamp. The second timestamp indicates the generation time of the abnormal task and serves as a time constraint on it; when the data carried in the first message to be checked is too long, the first message to be checked is transmitted as sub-messages, and the abnormal sub-message number indicates how many sub-messages the first message to be checked comprises, serving as a constraint on the sub-message number.
In the second case, the first hash value to be checked matches the first reference hash value, and the second network device generates a normal task. The normal task must be sent to the source node of the forwarding path, not to an intermediate node: taking the transmission of the first data as an example, the first data reaches the second network device from the source node (the first network device) via an intermediate node (some assumed network device), and the normal task generated by the second network device is sent to the first network device rather than to that intermediate network device. The second network device therefore sets the sender address of the normal task to its own address and the receiver address to the address of the first network device, and, to constrain time and the number of sub-messages, generates the normal task based on the first reference hash value and at least any one of the first message to be checked, the normal sub-message number and the third timestamp. In this way, the second network device can feed back a normal task or an abnormal task describing the message processing outcome through the blockchain, according to the matching relation between the first hash value to be checked and the first reference hash value, which supports closed-loop processing of message transmission: whether the first message to be checked is discarded or processed according to the processing sub-policy at the second network device, this outcome can be perceived. Note that, unlike data transmission and forwarding, uploading to the blockchain does not cause an information security problem.
Alternatively, the preset anomaly detection end may be a designated anomaly detection device (with the ability to interact with the blockchain) or a node in the blockchain that performs global anomaly detection. The anomaly detection end may also be set to the source node that sends the data; for the first data, for example, the receiver address of the abnormal task is then set to the address of the first network device.
Note that the second timestamp or the third timestamp is used to determine a time constraint on the first message to be checked and may represent the time, or a time interval, of the transmission processing corresponding to the abnormal task or the normal task.
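Feedback task generation at the second network device and the queries made by the source node and the anomaly detection end, as an added example; this is illustrative code for this page, not the patent's or any product's implementation. The in-memory list standing in for the blockchain, the task field names, the single-letter node addresses and the detection-end address `X` are assumptions of the example, and the hash strings are placeholders for real digests:

```python
from typing import Dict, List


def make_feedback_task(matched: bool, checker_addr: str, source_addr: str,
                       detector_addr: str, hash_value: str,
                       sub_message_count: int, now: int) -> Dict:
    """Build the second network device's feedback task (field names assumed).
    A match yields a normal task addressed to the source node and carrying the
    first reference hash value; a mismatch yields an abnormal task addressed to
    the anomaly detection end and carrying the hash value to be checked. The
    timestamp records generation time and the sub-message count records how
    many sub-messages the checked message comprised."""
    return {
        "kind": "normal" if matched else "abnormal",
        "sender": checker_addr,
        "receiver": source_addr if matched else detector_addr,
        "hash": hash_value,
        "sub_messages": sub_message_count,
        "timestamp": now,
    }


def query_feedback(ledger: List[Dict], my_addr: str) -> List[Dict]:
    """What a node sees when it queries the ledger: only tasks addressed to it."""
    return [t for t in ledger if t["receiver"] == my_addr]


def source_view(ledger: List[Dict], source_addr: str,
                checkers: List[str]) -> Dict[str, str]:
    """Closed-loop view at the source after sending: which checking devices
    reported. Abnormal tasks go to the detection end, so a device that
    discarded the message appears silent to the source unless the detection
    end was set to the source itself."""
    feedback = query_feedback(ledger, source_addr)
    normal = {t["sender"] for t in feedback if t["kind"] == "normal"}
    abnormal = {t["sender"] for t in feedback if t["kind"] == "abnormal"}
    view: Dict[str, str] = {}
    for c in checkers:
        if c in abnormal:
            view[c] = "abnormal"
        elif c in normal:
            view[c] = "normal"
        else:
            view[c] = "no feedback"
    return view


def abnormal_senders(ledger: List[Dict], detector_addr: str) -> List[str]:
    """Detection-end view: which nodes reported a mismatch, for tracing."""
    return [t["sender"] for t in query_feedback(ledger, detector_addr)
            if t["kind"] == "abnormal"]


if __name__ == "__main__":
    # Constructed scenario: source A, checking devices B and C, detection end X.
    # B's check matched; C's did not. The message was carried as 3 sub-messages.
    ledger: List[Dict] = []
    ledger.append(make_feedback_task(True, "B", "A", "X", "ref-hash-B", 3, 1000))
    ledger.append(make_feedback_task(False, "C", "A", "X", "bad-hash-C", 3, 1001))
    print(source_view(ledger, "A", ["B", "C"]))  # {'B': 'normal', 'C': 'no feedback'}
    print(abnormal_senders(ledger, "X"))         # ['C']

    # With the detection end set to the source, A sees the abnormal task itself.
    ledger2 = [make_feedback_task(False, "C", "A", "A", "bad-hash-C", 3, 1002)]
    print(source_view(ledger2, "A", ["B", "C"]))  # {'B': 'no feedback', 'C': 'abnormal'}
```

The two ledgers illustrate the choice the text leaves open for the anomaly detection end: with a separate detector, the source only learns of normal processing and must treat silence as "not yet confirmed", whereas setting the detector to the source lets it see abnormal tasks directly and identify the node at which the mismatch occurred.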
In an optional embodiment, the first segment routing header to be checked includes a transmission segment pointer and a segment list, and the second network device determining the processing sub-policy for the first message to be checked includes: the second network device determines whether it is the end network device; when the second network device is the end network device, it decapsulates the first message to be checked to obtain the processing result of the first message to be checked; when the second network device is not the end network device, it determines a third network device based on the transmission segment pointer and the segment list of the first segment routing header to be checked, where the third network device is the next node after the second network device and the segment list includes the segment identifier corresponding to the third network device; the second network device determines a second message based on the first message to be checked; and the second network device sends the second message to the third network device.
It can be appreciated that the first segment routing header to be checked includes a transmission segment pointer and a segment list; the segment list is fixed for transmission along the same forwarding path, the source node of the forwarding path determines the segment identifiers in the segment list, and the transmission segment pointer is updated along the forwarding path. The second network device can determine whether it is the end network device, i.e. the last node on the forwarding path and the transmission destination of the first message to be checked. If the second network device is the end network device, it decapsulates the first message to be checked to obtain its processing result, and the message is not forwarded further. If the second network device is not the end network device, it is an intermediate node on the forwarding path; by this step the first message to be checked has passed the check and must be forwarded. The second network device determines the third network device from the transmission segment pointer in the first segment routing header to be checked, whose segment list carries the segment identifier corresponding to the third network device; the next node after the second network device on the forwarding path is thus determined without the additional path-publishing mechanisms or extra carried identifiers of the related art. The second network device then determines the second message based on the first message to be checked and sends it to the third network device for onward transmission.
Through this processing, whether or not the second network device is the end network device affects the handling of the received first message to be checked, and different processing can be applied under the processing sub-policy depending on the position of the second network device in the forwarding path.
In an alternative embodiment, the second network device determining whether it is the end network device includes: the second network device determines whether the transmission segment pointer of the first segment routing header to be checked is a predetermined termination value; if it is the predetermined termination value, the second network device determines that it is the end network device; and if it is not the predetermined termination value, the second network device determines that it is not the end network device.
It can be appreciated that the first segment routing header to be checked carries a transmission segment pointer, and when the transmission segment pointer equals the predetermined termination value, generally set to 0, the last device on the forwarding path is considered reached; when the segment pointer of the first segment routing header to be checked is the predetermined termination value, the second network device can determine that it is the end network device of the forwarding path for the first message. In this way, the second network device determines its position in the forwarding path from the segment pointer in the header, without a controller or other device having to issue path information to it, and thus determines what processing to perform.
In an optional embodiment, the determining, by the second network device, of a second packet based on the first to-be-verified packet includes: the second network device determines a second protocol header of the second message based on the first to-be-checked protocol header of the first to-be-checked message; the second network device determines a second segment routing header of the second message based on the first segment routing header of the first message to be checked; and the second network device determines the second message based on the second protocol header, the second segment routing header and the first message to be checked.
It can be understood that, while the first message to be checked is transmitted along the forwarding path, generating the second message mainly updates the encapsulation of the message and does not change the transmitted data it carries. The second network device updates the first to-be-checked protocol header to obtain the second protocol header of the second message, and determines the second segment routing header of the second message based on the first to-be-checked segment routing header. The second network device then updates the first message to be checked with the second protocol header and the second segment routing header to obtain the second message for transmission to the third network device.
For ease of understanding, a specific example: assume that the first message to be checked is the first message, which includes a first segment routing header and a first protocol header, the predetermined termination value is 0, and the transmission segment pointer SL in the first message is greater than 0 (SL is a positive integer, so greater than 0 means at least 1). The second network device that receives the first message is therefore not the destination network device. After deciding to continue transmitting the first message, the second network device subtracts 1 from SL, so that SL, which pointed to the segment identifier of the second network device in the first segment routing header, now points to the segment identifier of the third network device; the updated header is the second segment routing header. For the first protocol header of the first message, because the segment identifier includes address information, the destination address before the update is DA=B:: (assumed address of the second network device) and after the update becomes DA=C:: (assumed address of the third network device), which gives the second protocol header.
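The header update just described, as an added Python example that is not part of the patent: it decides from the transmission segment pointer whether the receiving node is the destination, builds the second message by decrementing SL and re-pointing the destination address at the segment the new pointer selects, and decapsulates only at the destination. The class names, the helper names and the addresses A::, B::, C::, D:: used as segment identifiers are assumptions of this example.

```python
# Added example (not part of the patent): how an intermediate node decides
# whether it is the destination and, if not, derives the second message from the
# first message to be checked.  Class and function names and the sample
# addresses A::, B::, C::, D:: (used as segment identifiers) are assumptions.
from dataclasses import dataclass
from typing import List, Optional

TERMINATION_VALUE = 0  # predetermined termination value of the transmission segment pointer


@dataclass(frozen=True)
class SegmentRoutingHeader:
    segment_list: List[str]  # reverse order: the last entry is the first hop
    sl: int                  # transmission segment pointer (index into segment_list)


@dataclass(frozen=True)
class ProtocolHeader:
    sa: str  # source address
    da: str  # destination address


@dataclass(frozen=True)
class Message:
    proto: ProtocolHeader
    srh: SegmentRoutingHeader
    data: bytes


def is_destination(msg: Message) -> bool:
    """The receiving node is the destination when SL equals the termination value."""
    return msg.srh.sl == TERMINATION_VALUE


def next_message(msg: Message) -> Optional[Message]:
    """Build the message for the next node: SL - 1, DA = the segment the new SL selects.

    Returns None when the receiving node is the destination (nothing to forward).
    The payload is carried through unchanged; only the encapsulation is updated."""
    if is_destination(msg):
        return None
    new_sl = msg.srh.sl - 1
    new_srh = SegmentRoutingHeader(msg.srh.segment_list, new_sl)
    new_proto = ProtocolHeader(msg.proto.sa, msg.srh.segment_list[new_sl])
    return Message(new_proto, new_srh, msg.data)


def decapsulate(msg: Message) -> bytes:
    """Destination only: strip both headers and return the transmitted data."""
    if not is_destination(msg):
        raise ValueError("SL=%d: not the destination, message must be forwarded" % msg.srh.sl)
    return msg.data


def destinations_along_path(first: Message) -> List[str]:
    """DA carried by the message at each hop, starting with the first message."""
    hops = [first.proto.da]
    msg = first
    while (nxt := next_message(msg)) is not None:
        msg = nxt
        hops.append(msg.proto.da)
    return hops


def sample_first_message() -> Message:
    """Constructed sample: A sends towards B, C, D with segment list [D::, C::, B::]."""
    seglist = ["D::", "C::", "B::"]  # SID0, SID1, SID2 in the patent's notation
    return Message(ProtocolHeader("A::", "B::"), SegmentRoutingHeader(seglist, 2), b"first data")
```

Running `destinations_along_path(sample_first_message())` yields the destination addresses B::, C::, D:: in turn, and `decapsulate` refuses any message whose pointer has not yet reached the termination value.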
Fig. 6 is a flowchart of an alternative message processing method according to an embodiment of the present invention. As shown in fig. 6, the execution bodies are a first network device and a second network device, and the method includes the following steps:
Step S602, a first network device determines first data to be transmitted, and a first segment routing header, where the first segment routing header includes a segment list and a transmission segment pointer, the segment list includes a set of segment identifiers arranged in an ordered manner, the segment list includes the segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list;
Step S604, the first network device generates a first packet based on the first data, a first protocol header, and the first segment routing header, where the first protocol header includes a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address corresponding to the first segment identifier, where the transmission segment pointer of the first segment routing header points to the first segment identifier;
Step S606, the first network device determines a first reference segment routing header corresponding to the second network device, where the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device;
Step S608, the first network device generates a first reference hash value corresponding to the second network device by using a predetermined hash algorithm based on the first reference segment routing header;
Step S610, the first network device determines a first task including the first reference hash value, and uploads the first task to a blockchain;
Step S612, the blockchain records the first task;
Step S614, the first network device sends the first packet, where the first data included in the first packet is transmitted according to a forwarding path, the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the update of the transmission segment pointer, and the forwarding path includes the second network device;
Step S616, the second network device queries the blockchain for the first task whose receiver is the second network device, to obtain the first reference hash value;
Step S618, the second network device receives a first message to be checked, where the first message to be checked is any message received by the second network device;
Step S620, the second network device generates a first hash value to be verified corresponding to the first message to be verified based on the first segment routing header to be verified included in the first message to be verified;
Step S622, the second network device matches the first hash value to be checked against the first reference hash value, and discards the first message to be checked if the first hash value to be checked does not match the first reference hash value;
Step S624, the second network device determines a sub-policy for processing the first to-be-verified packet when the first to-be-verified hash value matches the first reference hash value.
Through steps S602 to S624, the purpose of preventing data transmission from entering an untrusted network device is achieved, the technical effect of improving the information security of data transmission is achieved, and the technical problem of non-ideal information security in the related technology is solved.
In an optional embodiment, the first task carries a first timestamp, the second network device is a neighboring node of the first network device, and before the discarding process is performed on the first to-be-verified packet, the method further includes: the second network device determines an abnormal task corresponding to the first message to be checked and a second timestamp indicating the generation time of the abnormal task; and the second network equipment compares the first timestamp with the second timestamp, and discards the first message to be checked under the condition that the first timestamp is earlier than the second timestamp.
It may be appreciated that, assuming the networking situation is that the second network device is the next node after the first network device, the first message to be checked includes the first message. The first task is uploaded first and the first message is sent afterwards, so in the normal case verification completes correctly: the second network device obtains the first reference hash value before it performs the verification processing of the received first message (which, before verification, is the first message to be checked). If this order is disturbed by network fluctuation or for other reasons, the first message is received before the first reference hash value is obtained, which may cause a first message that should pass verification to be mishandled. Therefore, the check based on the first timestamp (the generation time of the first task) and the second timestamp (the generation time of the abnormal task) helps reduce message mishandling caused by this time difference.
Based on the above embodiment and the optional embodiments, the present invention proposes an optional implementation applied to a predetermined network system as shown in fig. 3, including the A, B, C, D, E and F network devices. The A, B, C and D network devices belong to a first domain (i.e., the predetermined domain) and the E and F network devices belong to a second domain (i.e., other domains). It will be appreciated that the A, B, C and D network devices of the first domain have paths connecting to network devices in the second domain, so the A network device determines that all of the B, C and D network devices need to perform verification processing on received packets. Here the A network device is the first network device, and the second network device may be any one of the B, C and D network devices; the second network device may or may not be adjacent to the first network device, and the B network device is assumed to be the second network device. The A network device generates a corresponding task (the first, second and third task respectively) for each of the B, C and D network devices. The blockchain system is used to store the tasks and provides task submission and query interfaces.
It should be noted that, the blockchain may have a plurality of ledgers, and the abnormal tasks and the normal tasks may be stored in the corresponding ledgers respectively, so as to facilitate inquiry and reduce local storage load of the device.
The first data is the data to be transmitted. For the A network device, which is the source node on the forwarding path, the first data is transmitted along the forwarding path according to the update of the transmission segment pointer, and the segment list is [SID0; SID1; SID2], where SID2 is the segment identifier of the B network device, SID1 is the segment identifier of the C network device and SID0 is the segment identifier of the D network device. Since the segment list is represented in reverse order, the first segment identifier is SID2, the segment identifier of the B network device; in the initial state the transmission segment pointer points to the location of the first segment identifier by default, and the transmission segment pointer indicates the location of the next hop on the forwarding path. Correspondingly, as the pointer is updated along the forwarding path, at the A network device the transmission segment pointer points to the B network device with SL=2, at the B network device it points to the C network device with SL=1, and at the C network device it points to the D network device with SL=0.
The addresses of the A network device, the B network device, the C network device and the D network device are set. For the first segment routing header of the A network device, the transmission segment pointer SL=2 points to segment identifier SID2.
Fig. 7 is a flowchart of an alternative message processing method according to an embodiment of the present invention; fig. 7 is a schematic diagram of transmission in the network scenario of fig. 3 and is described by the following steps:
In step S701, the A network device determines first data to be transmitted and generates a first segment routing header SRH-1 corresponding to the B network device. The first segment routing header SRH-1 includes the segment list [SID0; SID1; SID2] and a transmission segment pointer SL=2.
Similarly, the A network device generates a second segment routing header SRH-2 corresponding to the C network device; the second segment routing header SRH-2 includes the segment list [SID0; SID1; SID2] and a transmission segment pointer SL=1.
The A network device generates a third segment routing header SRH-3 corresponding to the D network device; the third segment routing header SRH-3 includes the segment list [SID0; SID1; SID2] and a transmission segment pointer SL=0.
In step S702, the a network device generates a first message, a first task corresponding to the B network device, a second task corresponding to the C network device, and a third task corresponding to the D network device.
The A network equipment generates a first protocol header for the B network equipment according to the IPv6 protocol, wherein the source address in the first protocol header is the address of the A network equipment, and the destination address in the first protocol header is obtained according to the indication of the transmission segment pointer, namely the address of the B network equipment.
The network equipment A adopts a first segment routing header SRH-1 and a first protocol header to encapsulate first data so as to obtain a first message.
The A network device correspondingly generates a first reference segment routing header SRH'-1 based on the first segment routing header SRH-1. The first reference segment routing header SRH'-1 includes the segment list and a check segment pointer, and the check segment pointer points to the segment identifier corresponding to the second network device, so the receiver address of the first task is determined to be B. The A network device generates a first reference hash value H1-B corresponding to the B network device based on the first reference segment routing header SRH'-1.
When the data length of the first data exceeds a certain length, the first data is divided, which yields a first sub-message number N.
The A network device generates the first task, to be queried and checked by the B network device, from the sender address of the first task (the address of the A network device), the receiver address (the address of the B network device), the first reference hash value H1-B and the first sub-message number N.
Similarly, the A network device correspondingly generates a second reference segment routing header SRH'-2 based on the second segment routing header SRH-2. The second reference segment routing header SRH'-2 includes the segment list and a check segment pointer, and the check segment pointer points to the segment identifier corresponding to the C network device, so the receiver address of the second task is determined to be C. The A network device generates a second reference hash value H1-C corresponding to the C network device based on the second reference segment routing header SRH'-2.
The A network device generates the second task, to be queried and checked by the C network device, from the sender address of the second task (the address of the A network device), the receiver address (the address of the C network device), the second reference hash value H1-C and the first sub-message number N.
The A network device correspondingly generates a third reference segment routing header SRH'-3 based on the third segment routing header SRH-3. The third reference segment routing header SRH'-3 includes the segment list and a check segment pointer, and the check segment pointer points to the segment identifier corresponding to the D network device, so the receiver address of the third task is determined to be D. The A network device generates a third reference hash value H1-D corresponding to the D network device based on the third reference segment routing header SRH'-3.
The A network device generates the third task, to be queried and checked by the D network device, from the sender address of the third task (the address of the A network device), the receiver address (the address of the D network device), the third reference hash value H1-D and the first sub-message number N.
It should be noted that the A network device only generates the first packet, together with the first task, for the B network device, which is a neighboring node (the B network device is assumed to be the second network device in the network scenario of fig. 3); for the non-neighboring C and D network devices it does not generate a second packet or a third packet, and only generates the second task and the third task for verification processing.
In step S703, the a network device uploads the first task, the second task, and the third task to the blockchain.
In step S704, the accounting node of the blockchain checks the first task, the second task and the third task, and determines to store them in the blockchain.
In step S705, the A network device submits a query request to the blockchain for the first task, the second task and the third task.
In step S706, the a network device confirms the record status of the first task, the second task, and the third task in the blockchain, so as to ensure that the B, C, D network device can query normally.
In step S707, the B, C, D network device submits a query request to the blockchain system. Note that, in the case where the network devices B, C, D are billing nodes, it is considered that the corresponding first task, second task, and third task can be automatically acquired, and step S707 may be omitted, and step S708 may be directly executed.
In step S708, the B network device obtains a first task from the blockchain, and stores the first reference hash value H1-B in the local routing pool of the B network device. The C network device obtains a second task from the blockchain and stores the second reference hash value H1-C into a local routing pool of the C network device. The D network device obtains a third task from the blockchain and stores a third reference hash value H1-D into a local routing pool of the D network device.
In step S709, the a network device sends a first message to the B network device.
In step S710, the B network device receives the first message to be checked including the first message, and performs the checking process.
It should be noted that the B, C and D network devices do not restrict the source of received messages, i.e. the source of a message is not known until verification has been performed. For the first message to be checked (whether it is the first message remains to be determined), a first hash value to be checked corresponding to it is generated. The B network device parses the first message to be checked to obtain its first segment routing header SRH-X, and performs the hash calculation in the same way as the first reference hash value is generated, i.e. it obtains the first hash value to be checked H2-B of the first message to be checked based on SRH-X and the B network device.
And the network equipment B matches the first hash value H2-B to be checked with a local reference hash value (including the first reference hash value H1-B) stored in a local routing pool, and determines that the received first message to be checked is a first message under the condition that the H2-B is matched with the H1-B.
Step S711, the B network device generates a normal identifier for the first packet, which indicates that the first check hash value corresponding to the first packet is matched with the first reference hash value, where the normal identifier is used to instruct the B network device to generate a normal task.
It should be noted that, in step S710, if the first hash value to be checked cannot be matched with any one of the existing local reference hash values in the local routing pool of the B network device, an exception identifier is generated for the first message to be checked, where the matching is unsuccessful, and the exception identifier is used to instruct the B network device to generate an exception task.
Step S712, the B network device generates a feedback task and a second message. After the B network device has determined through step S710 that the received first message to be checked is the first message, the feedback task it generates while processing the first message is a normal task, used for feeding back to the A network device by means of the blockchain. The B network device determines the normal task based on the message information provided in the first message, the successfully matched first reference hash value H1-B and the first sub-message number N; the receiver address of the normal task is the address of the A network device and the sender address of the normal task is the address of the B network device.
The B network device determines that the transmission segment pointer in the first segment routing header SRH-1 is SL=2, whereas SL=0 would indicate the destination network device, so the B network device knows that it is not the destination network device and generates a second message to continue transmission to the C network device. Based on the first message, the B network device subtracts 1 from SL and updates the first segment routing header to obtain the second segment routing header, in which the transmission segment pointer is SL=1 (i.e. it points to the C network device). According to the indication of the transmission segment pointer after subtracting 1, the first protocol header of the first message, SA (source address)=A:: and DA (destination address)=B::, is updated to a second protocol header with SA=A:: and DA=C::. Through this processing a second message for sending to the C network device is obtained.
It should be noted that, when the B network device determines through step S710 that the first hash value to be checked does not match the first reference hash value, the B network device generates an abnormal task based on the first message to be checked, the number of abnormal sub-messages, a second timestamp indicating the generation time of the abnormal task, and the hash value to be checked. The receiver address of the abnormal task is the address of the predetermined anomaly detection end, and the abnormal task is fed back to the blockchain; the first message to be checked that failed verification is not transmitted, no second message to the C network device is generated from it, and it is discarded after the abnormal task is generated.
In step S713, the B network device sends the second message to the C network device.
In step S714, the B network device uploads the generated feedback task (normal task or abnormal task) to the blockchain.
In step S715, the accounting node of the blockchain determines whether the normal task or the abnormal task is stored correspondingly.
In step S716, the A network device submits a query request to the blockchain system to acquire the feedback task generated by the B network device.
In step S717, the C network device receives the second message, and similarly processes the second message in the manner described in steps S710 to S714, to generate a feedback task that is transmitted back to the blockchain, and a third message that is sent to the D network device.
In step S718, the C network device sends a third message to the D network device.
In step S719, the D network device receives the third message, and similarly, after performing the message checking processing in the above manner in step S710, it is determined that the received message is the third message, and because in the third segment routing header of the D network device, the segment pointer sl=0, that is, the D network device is the destination network device, it is not necessary to forward again.
The D network device decapsulates the third message, removes the third segment routing header and the third protocol header, and obtains the first data in the third message as the processing result of the third message.
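The fig. 3 walkthrough above (steps S701 to S719, together with the abnormal-task timestamp rule of the optional embodiment), as an added Python example that is not the patent's own code: the source node A publishes one reference task per verifying node, each of B, C and D recomputes the hash from the received segment routing header with the check pointer set to the index of its own segment identifier, matches it against its local routing pool, forwards or decapsulates on a match, and on a mismatch records an abnormal task, re-queries the ledger and applies the timestamp comparison before discarding. The hash construction (SHA-256 over a canonical text encoding of segment list and check pointer), the in-memory Ledger standing in for the blockchain, the ANOMALY-DETECTOR receiver name and the addresses A:: to F:: are all assumptions of this example.

```python
# Added example (not the patent's own code): the fig. 3 scenario end to end.
# Assumptions: SHA-256 over "sid|sid|...#checkpointer" as the predetermined
# hash algorithm, an in-memory Ledger in place of the blockchain, the receiver
# name ANOMALY-DETECTOR for abnormal tasks, and constructed addresses A:: to F::.
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple

SegmentList = Tuple[str, ...]


def reference_hash(segment_list: SegmentList, check_pointer: int) -> str:
    """Hash of a reference SRH: the segment list plus the check segment pointer.

    check_pointer is the index of the verifying device's own segment identifier,
    so only a header whose SL selects that device on arrival reproduces the value."""
    encoded = ("|".join(segment_list) + "#%d" % check_pointer).encode()
    return hashlib.sha256(encoded).hexdigest()


class Ledger:
    """Append-only stand-in for the blockchain; every submitted task gets a timestamp."""

    def __init__(self) -> None:
        self.tasks: List[dict] = []
        self._clock = itertools.count(1)  # monotonic timestamp source (constructed)

    def submit(self, task: dict) -> dict:
        task = dict(task, timestamp=next(self._clock))
        self.tasks.append(task)
        return task

    def query(self, receiver: str, kind: str = "reference") -> List[dict]:
        return [t for t in self.tasks if t["receiver"] == receiver and t["kind"] == kind]


def publish_reference_tasks(ledger: Ledger, sender: str,
                            segment_list: SegmentList, sub_message_count: int) -> None:
    """Source node: one reference task per device on the segment list (steps S701 to S703)."""
    for idx, sid in enumerate(segment_list):
        ledger.submit({"kind": "reference", "sender": sender, "receiver": sid,
                       "hash": reference_hash(segment_list, idx), "count": sub_message_count})


class Node:
    def __init__(self, address: str, ledger: Ledger) -> None:
        self.address = address
        self.ledger = ledger
        self.routing_pool: Dict[str, dict] = {}  # reference hash -> task (step S708)

    def sync(self) -> None:
        for task in self.ledger.query(self.address):
            self.routing_pool[task["hash"]] = task

    def verify(self, msg: dict) -> bool:
        """Step S710: hash the received SRH with our own check pointer and match it."""
        seglist, _sl = msg["srh"]
        candidate = (reference_hash(seglist, seglist.index(self.address))
                     if self.address in seglist else None)
        matched = self.routing_pool.get(candidate) if candidate else None
        if matched is not None:
            self.ledger.submit({"kind": "normal", "sender": self.address,
                                "receiver": matched["sender"], "hash": candidate})
            return True
        abnormal = self.ledger.submit({"kind": "abnormal", "sender": self.address,
                                       "receiver": "ANOMALY-DETECTOR", "hash": candidate})
        # Timestamp rule: re-query before discarding.  Only a reference task that
        # is newer than the abnormal task rescues the message (ordering effect);
        # a task older than the abnormal task means a genuine mismatch: discard.
        self.sync()
        matched = self.routing_pool.get(candidate) if candidate else None
        return matched is not None and matched["timestamp"] > abnormal["timestamp"]

    def handle(self, msg: dict) -> Optional[dict]:
        """Drop on mismatch; deliver at SL == 0; otherwise forward with SL - 1 and a new DA."""
        if not self.verify(msg):
            return None
        seglist, sl = msg["srh"]
        if sl == 0:
            return {"delivered": msg["data"]}
        return {"sa": msg["sa"], "da": seglist[sl - 1],
                "srh": (seglist, sl - 1), "data": msg["data"]}


def run_scenario() -> dict:
    """Constructed run of fig. 3: A -> B -> C -> D, then a message B must drop."""
    ledger = Ledger()
    seglist: SegmentList = ("D::", "C::", "B::")  # SID0=D, SID1=C, SID2=B (reverse order)
    nodes = {addr: Node(addr, ledger) for addr in seglist}
    publish_reference_tasks(ledger, "A::", seglist, sub_message_count=1)
    for node in nodes.values():
        node.sync()
    msg: Optional[dict] = {"sa": "A::", "da": "B::", "srh": (seglist, 2), "data": b"first data"}
    hops: List[str] = []
    while msg is not None and "delivered" not in msg:
        hops.append(msg["da"])
        msg = nodes[msg["da"]].handle(msg)
    # Constructed message whose segment list A never published: B must discard it.
    stray = {"sa": "E::", "da": "B::", "srh": (("F::", "B::"), 1), "data": b"stray"}
    stray_dropped = nodes["B::"].handle(stray) is None
    return {"hops": hops,
            "delivered": msg["delivered"] if msg else None,
            "stray_dropped": stray_dropped,
            "normal_tasks": len([t for t in ledger.tasks if t["kind"] == "normal"]),
            "abnormal_tasks": len(ledger.query("ANOMALY-DETECTOR", "abnormal"))}
```

The stray message in `run_scenario` carries a segment list the A network device never published, so B's candidate hash is absent from its routing pool; B writes the abnormal task, re-queries, finds no newer reference task and discards the message, which is the behaviour described for step S710. The three nodes on the published path each write a normal task addressed back to A, and D delivers the first data at SL=0.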
In another embodiment of the present invention, the network scenario shown in fig. 4 applies to the case where the A network device, the C network device and the D network device of the first domain have paths connecting to network devices of the second domain. The main difference from fig. 3 is that in fig. 4 the B network device in the first domain has no connection with the second domain: the B network device only has connections within the first domain, a message passing through the B network device cannot reach the second domain, no information leakage problem arises, and the A network device does not need to generate a first task for the B network device. In the network scenario of fig. 4, the B network device does not perform packet verification processing and is not a second network device; the second network device can only be one of C and D, and it is assumed that the C network device is the second network device and the D network device is the third network device.
In step S801, the a network device acquires first data and a first segment routing header SRH-1.
Step S802, a first message, a first task and a second task are generated by adopting a processing mode similar to that of step S702. Unlike step S702, the B network device is only a neighboring node of the a network device, but in the network scenario of fig. 4 the B network device is not the second network device, in other words in the network scenario of fig. 4 the first message is still addressed to the B network device by the a network device, but the first task is generated by the a network device to the C network device and the second task is generated by the a network device to the D network device.
Steps S803 to S806 use a processing manner similar to steps S703 to S706: the A network device uploads the first task and the second task to the blockchain and confirms that all tasks have been uploaded normally and are in a queryable state.
In step S807, the C network device and the D network device submit query requests to the blockchain system. Unlike step S707, the B network device does not check by information in the blockchain because only the connection relationship in the first domain exists, and therefore the B network device does not make a query request to the blockchain.
Step S808, the C network device and the D network device acquire a first task and a second task respectively;
step S809, the A network device sends a first message to the B network device;
in step S810, the B network device receives the first message, and generates an intermediate message by adopting the processing manner similar to that in step S712, and it should be noted that, although the B network device does not need to perform verification processing on the received message, in order to implement forwarding, it still needs to generate the intermediate message based on the first message.
In step S811, the B network device sends the intermediate message to the C network device. It should be noted that, since the B network device does not have a connection with another domain, it is not necessary to check the received message, and it is not necessary to generate an abnormal task to feed back the blockchain. Generating feedback tasks back to the blockchain is an optional process for the B device.
After the C network device receives the intermediate message, the step S812 to step S819 processes the intermediate message in the same manner as the step S717 to step S719 until the D network device obtains a processing result of the received second message.
At least the following effects are achieved by the above alternative embodiments: based on the general message transmission mode, the network equipment included in the forwarding path can carry out message verification, and the message which is not passed through the verification is discarded, so that the message is prevented from being transmitted to the untrusted network equipment to cause information leakage. By combining the blockchain technology with message transmission, each network device checks the information in the blockchain by inquiring the information, so that the information security is improved. Because the message format does not need to be changed, the limitation of the transmission system is low, the combination with the existing transmission system is convenient and fast, and the adaptability is strong.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the invention also provides a message processing system, and the message processing system provided by the embodiment of the invention is introduced below.
Fig. 9 is a block diagram of an alternative packet processing system according to an embodiment of the present invention. As shown in fig. 9, the system includes a first network device 902, a blockchain system 904 and a second network device 906, which are described below.
A first network device 902, configured to determine first data to be transmitted, and a first segment routing header, where the first segment routing header includes a segment list and a transmission segment pointer, the segment list includes a set of segment identifiers that are orderly arranged, the segment list includes segment identifiers corresponding to the second network device, and the transmission segment pointer points to a first segment identifier in the segment list; generating a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header comprises a source address and a destination address, the source address of the first protocol header is an address of a first network device, and the destination address of the first protocol header is an address corresponding to the first segment identifier, and a transmission segment pointer of the first segment routing header points to the first segment identifier; determining a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to a segment identifier corresponding to the second network device; generating a first reference hash value corresponding to the second network device by adopting a preset hash algorithm based on the first reference segment routing header; determining a first task comprising the first reference hash value, and uploading the first task to a blockchain system;
The blockchain system 904, coupled to the first network device 902, records the first task;
the first network device 902 is further configured to send the first packet, where the first data included in the first packet is transmitted according to a forwarding path, where the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the update of the transmission segment pointer, and the forwarding path includes the second network device;
the second network device 906 is connected to the blockchain system 904 and is configured to query the blockchain system for the first task whose receiver is the second network device, to obtain the first reference hash value; receive a first message to be checked, where the first message to be checked is any message received by the second network device; generate a first hash value to be verified, corresponding to the first message to be verified, based on the first segment routing header to be verified included in the first message to be verified; based on the first hash value to be checked and the first reference hash value, discard the first message to be checked when the first hash value to be checked does not match the first reference hash value; and determine a processing sub-policy for the first message to be checked when the first hash value to be checked matches the first reference hash value.
In the message processing system provided by the embodiment of the invention, by arranging the first network device 902, the blockchain system 904 and the second network device 906, transmitted data cannot enter an untrusted network device, the information security of the data transmission is improved, and the technical problem of unsatisfactory information security in the related art is thereby solved.
It should be noted that, the connection relationship between the first network device and the second network device is not necessarily a direct connection relationship, and may be an indirect connection relationship transmitted through a forwarding path.
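The following is an added example, not code from the patent or its assignee, that simulates the check described above end to end: the first network device computes one reference hash per hop (the segment routing header with the check pointer aimed at that hop's segment identifier), uploads a task per hop to a ledger, and each hop on the forwarding path recomputes the hash of the header it actually received and drops the packet on a mismatch. Everything concrete here is an assumption: the ledger is an in-memory list standing in for the blockchain, the segment identifiers are made-up IPv6-style strings, the "predetermined hash algorithm" is SHA-256 over a canonical JSON encoding, and the segment list is kept in forwarding order with the pointer as an index (real SRv6 stores the list in reverse and counts Segments Left down; the patent abstracts this as "update of the transmission segment pointer"). The task also carries the sender address, receiver address and the valid/invalid set flag of claims 8 and 12, and the receiving side keeps the local routing pool of claim 11.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class SRH:
    """Segment routing header: segment list in forwarding order plus the index of the
    segment currently being transmitted to (assumed simplification of the SRv6 layout)."""
    segment_list: tuple
    pointer: int

def srh_hash(srh: SRH) -> str:
    """Predetermined hash algorithm (our choice): SHA-256 over a canonical encoding,
    so sender and verifier hash byte-identical input."""
    blob = json.dumps({"segs": list(srh.segment_list), "ptr": srh.pointer},
                      separators=(",", ":"), sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def reference_hash(srh: SRH, hop_sid: str) -> str:
    """Reference SRH for a hop: the first SRH with the check pointer aimed at that hop's SID."""
    return srh_hash(SRH(srh.segment_list, srh.segment_list.index(hop_sid)))

class Ledger:
    """Append-only task list standing in for the blockchain (assumed)."""
    def __init__(self):
        self.tasks = []

    def upload(self, sender, receiver, ref_hash, valid=True):
        # A task carries sender address, receiver address, reference hash and a set flag.
        self.tasks.append({"sender": sender, "receiver": receiver,
                           "hash": ref_hash, "valid": valid})

    def query(self, receiver):
        return [t for t in self.tasks if t["receiver"] == receiver]

class Verifier:
    """Receiving network device holding a local routing pool of reference hashes."""
    def __init__(self, sid, ledger):
        self.sid, self.ledger, self.pool = sid, ledger, set()

    def sync(self):
        # Replay tasks addressed to this device in ledger order:
        # a valid set flag stores the hash, an invalid one deletes it if present.
        for task in self.ledger.query(self.sid):
            if task["valid"]:
                self.pool.add(task["hash"])
            else:
                self.pool.discard(task["hash"])

    def check(self, packet):
        """Return 'drop', 'forward' or 'deliver' for a received packet."""
        self.sync()
        srh = packet["srh"]
        if srh_hash(srh) not in self.pool:
            return "drop"            # hash to be checked matches no reference: discard
        return "deliver" if srh.pointer == len(srh.segment_list) - 1 else "forward"

def forward(packet, devices):
    """Walk a packet along its segment list; each hop verifies, then advances the pointer."""
    trace = []
    while True:
        hop = devices[packet["dst"]]
        verdict = hop.check(packet)
        trace.append((hop.sid, verdict))
        if verdict != "forward":
            return trace
        nxt = SRH(packet["srh"].segment_list, packet["srh"].pointer + 1)
        packet = {"dst": nxt.segment_list[nxt.pointer], "srh": nxt, "data": packet["data"]}

def run_scenarios():
    """Honest delivery, in-flight SRH tampering, an injected packet, and revocation."""
    path = ("fd00::a", "fd00::b", "fd00::c")      # constructed SIDs
    ingress = "fd00::ingress"                      # first network device (constructed)
    srh = SRH(path, 0)
    ledger = Ledger()
    for sid in path:                               # one task per hop on the path
        ledger.upload(ingress, sid, reference_hash(srh, sid))
    devices = {sid: Verifier(sid, ledger) for sid in path}
    pkt = {"dst": path[0], "srh": srh, "data": b"payload"}
    honest = forward(pkt, devices)
    # An attacker splices fd00::bad into the segment list while the packet heads to fd00::b.
    tampered = SRH(("fd00::a", "fd00::b", "fd00::bad", "fd00::c"), 1)
    attacked = forward({"dst": "fd00::b", "srh": tampered, "data": b"payload"}, devices)
    # An untrusted node injects its own packet towards fd00::c; no task was ever uploaded for it.
    forged = forward({"dst": "fd00::c", "srh": SRH(("fd00::bad", "fd00::c"), 1), "data": b"x"},
                     devices)
    # The ingress revokes fd00::c's reference hash with an invalid-flag task.
    ledger.upload(ingress, "fd00::c", reference_hash(srh, "fd00::c"), valid=False)
    revoked = forward(pkt, devices)
    return honest, attacked, forged, revoked

if __name__ == "__main__":
    for name, trace in zip(("honest", "attacked", "forged", "revoked"), run_scenarios()):
        print(f"{name}: {trace}")
```

Two caveats the simulation makes visible. Hashing only the segment routing header binds the path, not the payload, so a hop that changes the data while leaving the header intact passes the check; claims 2 and 3 address this by folding the protocol header and the data into the hashed input. And the check is only as strong as write access to the ledger: any party allowed to upload a task whose receiver is a given hop can register a reference hash for it, so the blockchain's membership and permission model, which the stand-in ledger does not implement, is what keeps an untrusted device from whitelisting its own headers.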
In an alternative embodiment, the system further comprises a predetermined anomaly detection device, which is connected to the blockchain and configured to receive the abnormal tasks generated in the blockchain.
The anomaly detection device improves message transmission efficiency and provides security situational awareness: because publishing a large number of abnormal tasks would place processing load on the network devices, the predetermined anomaly detection device receives all abnormal tasks and so shares that processing load.
In an alternative embodiment, any one of the network devices (including the first network device or the second network device) is an edge node device, where the edge node device includes a main control board and an interface board. The main control board includes a first processor and a first memory; the interface board includes a second processor, a second memory and an interface card. The main control board is coupled to the interface board.
Optionally, a PCI (Peripheral Component Interconnect) channel is established between the main control board and the interface board, and the two boards communicate through the PCI channel. The main control board and the interface board may also establish an inter-process communication (IPC) channel and communicate through the IPC channel.
In an alternative embodiment, any one of the network devices in the above system (including the first network device or the second network device) is an edge node device, where the edge node device includes a processor, a network interface and a memory, the network interface being a transceiver. The memory may be used for storing program code, and the processor may be used for calling the program code in the memory to execute any one of the above message processing methods.
The embodiment also provides a message processing device, which is used for implementing the above embodiment and the preferred implementation manner, and the description is omitted herein. As used below, the terms "module," "apparatus" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
According to an embodiment of the present invention, there is further provided an apparatus embodiment for implementing a message processing method. Fig. 10 is a schematic diagram of an alternative message processing apparatus according to an embodiment of the present invention. As shown in fig. 10, the apparatus includes a first determining module 1002, a first generating module 1004, a second determining module 1006, a calculating module 1008, an uploading module 1010, a recording module 1012, a sending module 1014, a querying module 1016, a receiving module 1018, a second generating module 1020, a discarding module 1022 and a processing module 1024, which are described below.
A first determining module 1002, configured to determine, by a first network device, first data to be transmitted, and a first segment routing header, where the first segment routing header includes a segment list and a transmission segment pointer, the segment list includes a set of segment identifiers that are orderly arranged, the segment list includes segment identifiers corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list;
a first generating module 1004, coupled to the first determining module 1002, configured to generate, by the first network device, a first packet based on the first data, a first protocol header, and the first segment routing header, where the first protocol header includes a source address and a destination address, the source address of the first protocol header is an address of the first network device, and the destination address of the first protocol header is an address corresponding to the first segment identifier, where a transmission segment pointer of the first segment routing header points to the first segment identifier;
A second determining module 1006, coupled to the first generating module 1004, configured to determine, by the first network device, a first reference segment routing header corresponding to the second network device, where the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to a segment identifier corresponding to the second network device;
a calculating module 1008, coupled to the second determining module 1006, configured to generate, by the first network device, a first reference hash value corresponding to the second network device using a predetermined hash algorithm based on the first reference segment routing header;
an uploading module 1010, coupled to the computing module 1008, configured to determine a first task including the first reference hash value by the first network device, and upload the first task to a blockchain;
a recording module 1012, coupled to the upload module 1010, for recording the first task by the blockchain;
a transmitting module 1014, coupled to the recording module 1012, configured to transmit the first packet by the first network device, where the first data included in the first packet is transmitted according to a forwarding path, where the forwarding path is obtained according to the segment list indication included in the first segment routing header, and the first data is transmitted along the forwarding path based on the update of the transmission segment pointer, and the forwarding path includes the second network device;
a querying module 1016, coupled to the sending module 1014, configured for the second network device to query the blockchain for a first task whose receiver is the second network device, to obtain the first reference hash value;
a receiving module 1018, coupled to the query module 1016, configured to receive a first to-be-checked packet by the second network device, where the first to-be-checked packet is any packet received by the second network device;
a second generating module 1020, coupled to the receiving module 1018, configured to generate, by the second network device, a first hash value to be verified corresponding to the first message to be verified based on a first segment routing header to be verified included in the first message to be verified;
a discarding module 1022, coupled to the second generating module 1020, configured for the second network device to match the first hash value to be checked against the first reference hash value, and to discard the first message to be checked if the first hash value to be checked does not match the first reference hash value;
and the processing module 1024 is connected to the discarding module 1022, and is configured to determine a processing sub-policy for the first to-be-verified packet when the first to-be-verified hash value matches the first reference hash value.
In the message processing apparatus provided by the embodiment of the present invention, by providing the first determining module 1002, the first generating module 1004, the second determining module 1006, the calculating module 1008, the uploading module 1010, the recording module 1012, the sending module 1014, the querying module 1016, the receiving module 1018, the second generating module 1020, the discarding module 1022 and the processing module 1024, transmitted data cannot enter an untrusted network device, the information security of data transmission is improved, and the technical problem of unsatisfactory information security in the related art is thereby solved.
It should be noted that each of the above modules may be implemented by software or hardware, for example, in the latter case, it may be implemented by: the above modules may be located in the same processor; alternatively, the various modules described above may be located in different processors in any combination.
Here, the first determining module 1002, the first generating module 1004, the second determining module 1006, the calculating module 1008, the uploading module 1010, the recording module 1012, the sending module 1014, the querying module 1016, the receiving module 1018, the second generating module 1020, the discarding module 1022 and the processing module 1024 correspond to steps S602 to S624 of the method embodiment. The examples and application scenarios implemented by these modules are the same as those of the corresponding steps, but are not limited to what the foregoing embodiments disclose. It should be noted that the above modules may run in a computer terminal as part of the apparatus.
It should be noted that, the optional or preferred implementation manner of this embodiment may be referred to the related description in the embodiment, and will not be repeated herein.
The message processing apparatus may further include a processor and a memory, where the first determining module 1002, the first generating module 1004, the second determining module 1006, the calculating module 1008, the uploading module 1010, the recording module 1012, the sending module 1014, the querying module 1016, the receiving module 1018, the second generating module 1020, the discarding module 1022, the processing module 1024, and the like are stored as program units in the memory, and the processor executes the program units stored in the memory to implement corresponding functions.
The processor includes a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels may be provided. The memory may include volatile memory in a computer readable medium, such as Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The embodiment of the invention provides a nonvolatile storage medium, on which a program is stored, which when executed by a processor, implements a message processing method.
The embodiment of the invention provides an electronic device, which comprises a processor, a memory and a program stored on the memory and capable of running on the processor, wherein the processor realizes a message processing method when executing the program. The device herein may be a server, a PC, etc.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or nonvolatile memory, such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable media, as defined herein, do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises that element.
The foregoing is merely exemplary of the present invention and is not intended to limit the present invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the invention are to be included in the scope of the claims of the present invention.

Claims (18)

1. A method for processing a message, comprising:
the method comprises the steps that first network equipment determines first data to be transmitted and a first segment routing header, wherein the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises segment identifiers corresponding to second network equipment, and the transmission segment pointer points to a first segment identifier in the segment list;
The first network device generates a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header comprises a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is an address corresponding to the first segment identifier and indicated by a transmission segment pointer of the first segment routing header;
the first network device determines a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to a segment identifier corresponding to the second network device;
the first network device generates a first reference hash value corresponding to the second network device by adopting a preset hash algorithm based on the first reference segment routing header;
the first network device determines a first task including the first reference hash value and uploads the first task to a blockchain;
the first network device sends the first message, wherein the first data included in the first message is transmitted according to a forwarding path, the forwarding path is obtained according to the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on the update of the transmission segment pointer, the forwarding path includes the second network device, the second network device is configured to receive a first message to be checked, the second network device obtains a matching result based on a first hash value to be checked of the first message to be checked and the first reference hash value, the matching result is used for determining a message processing policy for processing the first message to be checked, the first hash value to be checked is obtained by the second network device based on a first segment routing header to be checked included in the first message to be checked, and the first reference hash value is obtained by the second network device querying the blockchain for the first task.
2. The method of claim 1, characterized in that,
the first network device generating a first message based on the first data, a first protocol header, and the first segment routing header, comprising: the first network device generating a first protocol header corresponding to the first segment identification based on a predetermined protocol; the first network device encapsulates the first data and the first segment routing header based on the first protocol header to obtain the first message;
the first network device generates a first reference hash value corresponding to the second network device by adopting a predetermined hash algorithm based on the first reference segment routing header, and the method comprises the following steps: the first network device determines a first reference protocol header corresponding to the second network device, wherein the first reference protocol header is generated based on the first protocol header and a check segment pointer pointing to a segment identifier corresponding to the second network device; the first network device generates the first reference hash value corresponding to the second network device based on the first reference protocol header, at least any one of the first data, and the first reference segment routing header.
3. The method of claim 1, wherein the first network device and the second network device belong to a predetermined domain,
the first network device generating a first message based on the first data, a first protocol header, and the first segment routing header, comprising: the first network device generating a first protocol header corresponding to the first segment identifier based on a predetermined protocol; the first network device obtaining at least one out-of-domain segment routing header corresponding to other domains different from the predetermined domain in a predetermined network system, wherein the predetermined network system is composed of a plurality of domains, and the plurality of domains comprise the predetermined domain and the other domains; the first network device encapsulating the first message based on the first protocol header, the first data, the first segment routing header, and the at least one out-of-domain segment routing header;
the first network device generates a first reference hash value corresponding to the second network device by adopting a predetermined hash algorithm based on the first reference segment routing header, and the method comprises the following steps: the first network device determines a first reference protocol header corresponding to the second network device, wherein the first reference protocol header is generated based on the first protocol header and a check segment pointer pointing to a segment identifier corresponding to the second network device; the first network device determines the first reference hash value corresponding to the second network device based on the first reference protocol header, the at least one out-of-domain segment routing header, at least any one of the first data, and the first reference segment routing header.
4. The method of claim 1, wherein the first network device generating a first reference hash value for the second network device using a predetermined hash algorithm based on the first reference segment routing header, comprises:
the first network device determines a preset combination mode for a plurality of hash algorithms, wherein the plurality of hash algorithms are the same as or different from one another;
the first network device combines the plurality of hash algorithms based on the preset combination mode to obtain a joint hash algorithm;
the first network device generates the first reference hash value corresponding to the second network device by adopting the joint hash algorithm based on the first reference segment routing header.
5. The method according to claim 1, wherein the method further comprises:
after the first network device sends the first message, querying the blockchain for a feedback task whose receiver is the first network device, wherein the feedback task is used for feeding back a processing result of the message sent by the first network device, the feedback task is generated by the second network device, and the feedback task is a normal task or an abnormal task.
6. The method according to any of claims 1 to 5, wherein the first network device determining a first task comprising the first reference hash value comprises:
the first network device determines that a sender address of the first task is an address of the first network device, a receiver address of the first task is an address of the second network device, and a first number of sub-messages, wherein the first number of sub-messages is a number of sub-messages included in the first message, the sub-messages included in the first message are respectively obtained by performing encapsulation processing based on the first segment routing header, the first protocol header and corresponding message data, and the message data respectively corresponding to the sub-messages included in the first message form the first data;
the first network device determines the first task based on the sender address of the first task, the receiver address of the first task, the first number of sub-messages, and the first reference hash value.
7. The method according to any of claims 1 to 5, wherein the first network device determining a first task comprising the first reference hash value comprises:
The first network device determines that the sender address of the first task is the address of the first network device, the receiver address of the first task is the address of the second network device, and a first timestamp indicating the generation time of the first task;
the first network device determines the first task based on the sender address of the first task, the receiver address of the first task, the first timestamp, and the first reference hash value.
8. The method according to any of claims 1 to 5, wherein the first network device determining a first task comprising the first reference hash value comprises:
the first network device determines that a sender of the first task is an address of the first network device, a receiver of the first task is an address of the second network device, and a set flag indicating that the first reference hash value is in a valid state or an invalid state;
the first network device determines the first task based on the sender of the first task, the receiver of the first task, the set flag, and the first reference hash value.
9. A method for processing a message, comprising:
a second network device queries a blockchain for a first task whose receiver is the second network device, to obtain a first reference hash value, wherein the first reference hash value is generated by a first network device based on a first reference segment routing header, the first reference segment routing header is generated by the first network device based on a first segment routing header and a check segment pointer pointing to a segment identifier corresponding to the second network device, the first segment routing header comprises a segment list and a transmission segment pointer, the segment list comprises a group of segment identifiers which are orderly arranged, the segment list comprises the segment identifier corresponding to the second network device, and the transmission segment pointer of the first segment routing header points to a first segment identifier in the segment list;
the second network device receives a first message to be checked, wherein the first message to be checked is any message received by the second network device;
the second network device generates a first hash value to be checked corresponding to the first message to be checked based on a first segment routing header to be checked included in the first message to be checked;
the second network device performs matching based on the first hash value to be checked and the first reference hash value, and discards the first message to be checked if the first hash value to be checked does not match the first reference hash value;
and the second network device determines a processing sub-policy for the first message to be checked if the first hash value to be checked matches the first reference hash value.
10. The method of claim 9, wherein the second network device generating a first to-be-verified hash value corresponding to the first to-be-verified message based on a first to-be-verified segment routing header included in the first to-be-verified message, comprises:
the second network device determines a generation mode of generating the first reference hash value by the first network device;
and when the generation mode is that the first network device applies a predetermined hash algorithm to the first reference segment routing header, the second network device applies the same hash algorithm to the first segment routing header to be checked to generate the first hash value to be checked.
11. The method of claim 9, characterized in that,
the method further comprises the steps of: the second network device obtains a preset local routing pool, wherein a local reference hash value obtained from the blockchain is stored in the local routing pool, the local reference hash value is obtained by querying any task in the blockchain, and a receiver of the any task is the second network device; the second network device updates the local reference hash value by adopting the first reference hash value to obtain an updated local reference hash value;
the second network device performs matching based on the first hash value to be checked and the first reference hash value, and performs discarding processing on the first message to be checked if the first hash value to be checked is not matched with the first reference hash value, including: the second network device discards the first message to be verified under the condition that the first hash value to be verified and the updated local reference hash value are not matched;
the second network device determining a processing sub-policy for the first message to be checked when the first hash value to be checked matches the first reference hash value includes: the second network device determines the processing sub-policy for the first message to be checked when the first hash value to be checked matches the updated local reference hash value and the matched entry in the updated local reference hash value is the first reference hash value.
12. The method of claim 11, wherein the second network device updates the local reference hash value with the first reference hash value to obtain an updated local reference hash value, comprising:
the second network device obtains, from the first task, a set flag indicating whether the first reference hash value is in a valid state or an invalid state;
the second network device stores the first reference hash value into the local routing pool when the set flag indicates the valid state, obtaining the updated local reference hash value;
and the second network device deletes the matched local reference hash value from the local routing pool when the set flag indicates the invalid state and a local reference hash value matching the first reference hash value exists in the local routing pool, obtaining the updated local reference hash value.
13. The method according to claim 9, wherein the method further comprises:
if the first hash value to be checked does not match the first reference hash value, the second network device generates an abnormal task based on the first hash value to be checked and at least one of the first message to be checked, an abnormal sub-message number and a second timestamp, wherein the sender address of the abnormal task is the address of the second network device, the receiver address of the abnormal task is the address of a preset abnormal detection end, the second timestamp indicates the generation time of the abnormal task, and the abnormal sub-message number is the number of sub-messages included in the first message to be checked;
the second network device uploads the abnormal task to the blockchain;
if the first hash value to be checked matches the first reference hash value, the second network device generates a normal task based on the first reference hash value and at least one of the first message to be checked, a normal sub-message number and a third timestamp, wherein the sender address of the normal task is the address of the second network device, the receiver address of the normal task is the address of the first network device, the third timestamp indicates the generation time of the normal task, and the normal sub-message number is the number of sub-messages included in the first message to be checked;
the second network device uploads the normal task to the blockchain.
14. The method according to any one of claims 9 to 13, wherein the first segment routing header to be checked includes a transmission segment pointer and a segment list, and the second network device determining the processing sub-policy for the first message to be checked comprises:
the second network device determines whether the second network device is a terminal network device;
if the second network device is the terminal network device, the second network device decapsulates the first message to be checked to obtain a processing result of the first message to be checked;
if the second network device is not the terminal network device, the second network device determines a third network device based on the transmission segment pointer and the segment list of the first segment routing header to be checked, wherein the third network device is the next node after the second network device and the segment list includes a segment identifier corresponding to the third network device;
the second network device determines a second message based on the first message to be checked;
and the second network device sends the second message to the third network device.
15. The method of claim 14, wherein the second network device determining whether the second network device is a terminal network device comprises:
the second network device determines whether the transmission segment pointer of the first segment routing header to be checked equals a preset termination value;
if the transmission segment pointer of the first segment routing header to be checked equals the preset termination value, the second network device determines that it is the terminal network device;
and if the transmission segment pointer of the first segment routing header to be checked does not equal the preset termination value, the second network device determines that it is not the terminal network device.
16. The method of claim 14, wherein the second network device determining the second message based on the first message to be checked comprises:
the second network device determines a second protocol header of the second message based on a first protocol header to be checked of the first message to be checked;
the second network device determines a second segment routing header of the second message based on the first segment routing header to be checked of the first message to be checked;
and the second network device determines the second message based on the second protocol header, the second segment routing header and the first message to be checked.
17. A message processing method, comprising:
a first network device determines first data to be transmitted and a first segment routing header, wherein the first segment routing header includes a segment list and a transmission segment pointer, the segment list includes an ordered group of segment identifiers including a segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list;
the first network device generates a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header includes a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address corresponding to the first segment identifier pointed to by the transmission segment pointer of the first segment routing header;
the first network device determines a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device;
the first network device generates a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header;
the first network device determines a first task including the first reference hash value and uploads the first task to a blockchain;
the blockchain records the first task;
the first network device sends the first message, wherein the first data included in the first message is transmitted according to a forwarding path, the forwarding path is obtained from the segment list indication included in the first segment routing header, the first data is transmitted along the forwarding path based on updates of the transmission segment pointer, and the forwarding path includes the second network device;
the second network device queries the blockchain for a first task whose receiver is the second network device to obtain the first reference hash value;
the second network device receives a first message to be checked, wherein the first message to be checked is any message received by the second network device;
the second network device generates a first hash value to be checked corresponding to the first message to be checked based on a first segment routing header to be checked included in the first message to be checked;
the second network device performs matching based on the first hash value to be checked and the first reference hash value, and discards the first message to be checked if the first hash value to be checked does not match the first reference hash value;
and the second network device determines a processing sub-policy for the first message to be checked if the first hash value to be checked matches the first reference hash value.
18. A message processing system, comprising:
a first network device, configured to: determine first data to be transmitted and a first segment routing header, wherein the first segment routing header includes a segment list and a transmission segment pointer, the segment list includes an ordered group of segment identifiers including a segment identifier corresponding to a second network device, and the transmission segment pointer points to a first segment identifier in the segment list; generate a first message based on the first data, a first protocol header and the first segment routing header, wherein the first protocol header includes a source address and a destination address, the source address of the first protocol header is the address of the first network device, and the destination address of the first protocol header is the address corresponding to the first segment identifier pointed to by the transmission segment pointer of the first segment routing header; determine a first reference segment routing header corresponding to the second network device, wherein the first reference segment routing header is generated based on the first segment routing header and a check segment pointer pointing to the segment identifier corresponding to the second network device; generate a first reference hash value corresponding to the second network device by applying a preset hash algorithm to the first reference segment routing header; and determine a first task including the first reference hash value and upload the first task to a blockchain system;
a blockchain system, connected to the first network device and configured to record the first task;
wherein the first network device is further configured to send the first message, the first data included in the first message being transmitted according to a forwarding path obtained from the segment list indication included in the first segment routing header, the first data being transmitted along the forwarding path based on updates of the transmission segment pointer, and the forwarding path including the second network device;
and a second network device, connected to the blockchain system and configured to: query the blockchain system for the first task whose receiver is the second network device to obtain the first reference hash value; receive a first message to be checked, wherein the first message to be checked is any message received by the second network device; generate a first hash value to be checked corresponding to the first message to be checked based on a first segment routing header to be checked included in the first message to be checked; perform matching based on the first hash value to be checked and the first reference hash value, and discard the first message to be checked if the first hash value to be checked does not match the first reference hash value; and determine a processing sub-policy for the first message to be checked if the first hash value to be checked matches the first reference hash value.
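The sender-side and receiver-side procedure of claims 12 to 18, as an added example that is not the patent's own code: it assumes the RFC 8754 on-wire SRH layout (so the "transmission segment pointer" is Segments Left and the "preset termination value" is 0), uses SHA-256 for the unspecified "preset hash algorithm", stands in an in-memory list of Task records for the blockchain, and uses constructed SIDs, addresses, detector name and payload. The check segment pointer of claim 17 is modelled by re-serializing the SRH with Segments Left set to the index the verifying node's SID has on the wire.

```python
"""Model of the SRH-hash verification scheme in claims 12 to 18 (added example,
not the patent's own code). The blockchain is an in-memory list of Task records;
SIDs, addresses and the payload are constructed; SHA-256 stands in for the
claims' unspecified "preset hash algorithm". SRH layout follows RFC 8754."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

HASH = hashlib.sha256           # assumption: the claims name no algorithm
DETECTOR = "anomaly-detector"   # assumed address of the abnormal detection end

def encode_srh(sid_list, segments_left, next_header=41):
    """Serialize an SRH (RFC 8754, routing type 4). sid_list is in path order;
    the wire stores it reversed, so the active SID is wire[segments_left]."""
    wire = list(reversed(sid_list))
    fixed = struct.pack("!BBBBBBH", next_header, 2 * len(wire), 4,
                        segments_left, len(wire) - 1, 0, 0)
    return fixed + b"".join(ipaddress.IPv6Address(s).packed for s in wire)

def decode_srh(srh):
    """Return (wire-order SID list, segments_left) from a serialized SRH."""
    segments_left, last_entry = srh[3], srh[4]
    wire = [str(ipaddress.IPv6Address(srh[8 + 16 * i:24 + 16 * i]))
            for i in range(last_entry + 1)]
    return wire, segments_left

@dataclass
class Packet:
    src: str
    dst: str
    srh: bytes
    payload: bytes

@dataclass
class Task:
    """One ledger record; valid=False is claim 12's "invalid" set mark."""
    sender: str
    receiver: str
    kind: str          # "reference", "normal" or "abnormal"
    hash_value: str
    valid: bool = True

def build_and_publish(ledger, src, sid_list, payload):
    """Claim 17, sender side: the transmission segment pointer starts at the
    first SID, and one reference hash per on-path node is recorded, computed
    from the SRH with the check segment pointer set to that node's SID."""
    n = len(sid_list)
    pkt = Packet(src, sid_list[0], encode_srh(sid_list, n - 1), payload)
    for i, sid in enumerate(sid_list):
        ref_hash = HASH(encode_srh(sid_list, n - 1 - i)).hexdigest()
        ledger.append(Task(src, sid, "reference", ref_hash))
    return pkt

def revoke(ledger, src, sid, hash_value):
    """Claim 12: an invalid-marked task deletes a reference hash from sid's pool."""
    ledger.append(Task(src, sid, "reference", hash_value, valid=False))

class Node:
    def __init__(self, sid):
        self.sid = sid
        self.pool = set()        # local routing pool of reference hashes
        self.delivered = []

    def sync(self, ledger):
        """Claims 11-12: fold reference tasks addressed to this node into the
        pool; a valid mark adds the hash, an invalid mark deletes a match."""
        for t in ledger:
            if t.kind == "reference" and t.receiver == self.sid:
                if t.valid:
                    self.pool.add(t.hash_value)
                else:
                    self.pool.discard(t.hash_value)

    def receive(self, pkt, ledger):
        """Claims 13-16: hash the SRH exactly as received, match it against the
        pool, then drop, decapsulate (segments_left == 0) or forward."""
        h = HASH(pkt.srh).hexdigest()
        if h not in self.pool:
            ledger.append(Task(self.sid, DETECTOR, "abnormal", h))
            return "drop", None
        ledger.append(Task(self.sid, pkt.src, "normal", h))
        wire, sl = decode_srh(pkt.srh)
        if sl == 0:                       # preset termination value
            self.delivered.append(pkt.payload)
            return "deliver", None
        sl -= 1                           # advance the transmission segment pointer
        srh = encode_srh(list(reversed(wire)), sl)
        return "forward", Packet(pkt.src, wire[sl], srh, pkt.payload)

def run_path(nodes, pkt, ledger):
    """Push the packet hop by hop; returns [(sid, verdict), ...]."""
    trace = []
    while pkt is not None:
        node = nodes[pkt.dst]
        verdict, pkt = node.receive(pkt, ledger)
        trace.append((node.sid, verdict))
    return trace

def tamper(pkt, new_last_sid):
    """On-path attacker rewrites the final SID but leaves segments_left alone."""
    wire, sl = decode_srh(pkt.srh)
    wire[0] = new_last_sid                # wire[0] is the last SID of the path
    return Packet(pkt.src, pkt.dst, encode_srh(list(reversed(wire)), sl), pkt.payload)

def demo():
    """Three runs: an honest packet, a tampered copy, and the honest packet
    again after the sender revokes hop b's reference hash."""
    ledger, path = [], ["2001:db8::a", "2001:db8::b", "2001:db8::c"]
    nodes = {s: Node(s) for s in path + ["2001:db8::bad"]}
    pkt = build_and_publish(ledger, "2001:db8::1", path, b"constructed payload")
    for node in nodes.values():
        node.sync(ledger)
    honest = run_path(nodes, pkt, ledger)
    forged = run_path(nodes, tamper(pkt, "2001:db8::bad"), ledger)
    revoke(ledger, "2001:db8::1", path[1], HASH(encode_srh(path, 1)).hexdigest())
    nodes[path[1]].sync(ledger)
    revoked = run_path(nodes, pkt, ledger)
    return honest, forged, revoked, nodes, ledger

if __name__ == "__main__":
    print(demo()[:3])
```

Calling demo() gives three traces. The honest packet is forwarded at a and b and decapsulated at c, where Segments Left has reached the termination value 0. The copy whose final SID an on-path attacker rewrote is dropped at the first hop, because the hash of the SRH as received no longer matches any entry in a's pool, and an abnormal task addressed to the detection end is appended to the ledger (claim 13); the rogue node never sees the packet. After the sender publishes an invalid-marked task for hop b's reference hash (claim 12), the same honest packet is forwarded by a and stopped at b. The hash is unkeyed, so the guarantee rests entirely on who may write reference tasks to the ledger and on each node only trusting tasks addressed to itself; this model treats the ledger as trustworthy.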
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310831708.0A CN116800867A (en) 2023-07-06 2023-07-06 Message processing method and system
Publications (1)

Publication Number Publication Date
CN116800867A true CN116800867A (en) 2023-09-22

Family

ID=88045971
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination