CN1223145C - Message safety protection method based on boundary gateway protocol message - Google Patents


Info

Publication number: CN1223145C
Authority: CN (China)
Prior art keywords: message, bgp, verification, gateway protocol, authenticator
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN 02129194
Other languages: Chinese (zh)
Other versions: CN1477814A (en)
Inventors: 胡春哲, 倪辉, 邓秋林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2002-08-20
Filing date: 2002-08-20
Publication date: 2005-10-12 (grant; the application was published as CN1477814A on 2004-02-25)

Events:

  • Application filed by Huawei Technologies Co Ltd
  • Priority to CN 02129194
  • Publication of CN1477814A
  • Application granted
  • Publication of CN1223145C
  • Anticipated expiration
  • Expired - Fee Related (current legal status)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a control message security protection method based on Border Gateway Protocol messages. The method includes a process in which the message sending end and the message receiving end negotiate an authentication mechanism and an authenticator (verification word). If the negotiation succeeds, then when messages are to be sent, a BGP connection is first established; the sending end then determines the first 16 bytes of the message header (the marker field) from the authentication mechanism, the authenticator and the content of the message to be sent, and sends the BGP message. The receiving end verifies the 16-byte marker field of each received BGP message using the same authentication mechanism, the same authenticator and the received message content; if verification passes, the message is accepted, otherwise it is discarded. This scheme hides the BGP message header and uses the header itself for verification, which makes illegal interception of BGP messages harder and makes it easy to discover whether an intercepted message has been tampered with, thereby effectively protecting the BGP message content and the security of the network.

Description

Message Security Protection Method Based on Border Gateway Protocol Messages

Technical field

The invention relates to a method for the security protection of messages in a network system.

Background

Data security on the Internet is an important research topic. For the core protocol of the Internet, the Border Gateway Protocol (BGP), a large number of routes are carried between domains, so ensuring the security of the routes and of the BGP connection is an important problem. Specifically, this means preventing tampering with BGP messages after they have been intercepted, thereby protecting the BGP connection. According to the BGP protocol, an existing BGP message consists of a 16-byte all-ones marker followed by the actual BGP message content. If the Transmission Control Protocol (TCP) connection is intercepted, then, using the 16-byte all-ones header, the BGP message content can be obtained easily as soon as the all-ones field is identified. Not only is the message then unprotected, but the security of the entire network system is lost. For example, routing information can be obtained from BGP messages and used to cause damage; or, while BGP information is being obtained, the routing information can be modified and re-inserted into the TCP data stream. If a wrong route is replayed, a routing black hole results, the traffic of a particular router increases, and the router is attacked until it restarts or crashes. Therefore, the existing transmission mechanism for data messages based on the BGP protocol has security weaknesses.

Summary of the invention

The object of the present invention is to provide a message security protection method based on Border Gateway Protocol messages that benefits the security of Internet data messages and of the network. To achieve this object, the message security protection method based on Border Gateway Protocol messages provided by the present invention includes:

a. The message receiving end sends the message sending end a connection negotiation message (OPEN message) that includes an authentication mechanism and an authenticator (verification word);

b. The message sending end determines, from the received connection negotiation message and its own authentication capability, whether it supports the authentication mechanism and authenticator in the connection negotiation message. If it does, it returns a "supported" message to the message receiving end and the negotiation between the two sides succeeds; otherwise it returns a "not supported" message;

c. After the negotiation between the message sending end and the message receiving end succeeds, when messages are to be sent, a connection based on the Border Gateway Protocol is established, and the message sending end then sends Border Gateway Protocol messages with a message header determined from the authentication mechanism and the authenticator;

d. The message receiving end verifies each received Border Gateway Protocol message using the authentication mechanism and authenticator negotiated successfully between the message sending end and the message receiving end. If verification passes, the message is accepted; otherwise it is discarded.

The method further includes:

determining an authentication mechanism based on Message Digest Algorithm 5 (MD5);

determining the authenticator to be a 16-byte random number.

The Border Gateway Protocol (BGP) message header of the messages sent by the message sending end is determined from the authentication mechanism and the authenticator according to the following formula:

The input to MD5 is: OPEN type + password + 16-byte random number + message information;

where the password is the MD5 password configured at both the message sending end and the message receiving end, the 16-byte random number is the authenticator, and the message information is the full message without its header, i.e. without the 16-byte header marker.

Because the present invention encrypts the marker field of the BGP message header according to the authentication mechanism between the message receiving end and the message sending end and the connection negotiation messages (OPEN messages) exchanged between them, even if a BGP message is intercepted illegally, the header marker of the BGP message cannot be obtained easily, so it is difficult to obtain the BGP message content, and the opportunity to attack the whole network based on BGP message content is greatly reduced. At the same time, because the content of the message is one of the parameters of the header verification, even if a message is intercepted and tampered with, the receiving end can detect the tampering when it verifies the received message against its content and can discard the tampered message promptly. Thus the present invention, together with the TCP data stream, protects the BGP connection between the message receiving end and the message sending end, and thereby protects the BGP message content and the security of the network.

Description of drawings

Fig. 1 is a flow chart of an embodiment of the method of the present invention;

Fig. 2 is a structural diagram of the OPEN message used by the embodiment of Fig. 1;

Fig. 3 is a diagram of the optional parameter field of the OPEN message structure shown in Fig. 2.

Detailed description

The present invention is implemented as follows: when a BGP connection is established, the sending end and the receiving end of BGP messages exchange authenticators through OPEN messages. After negotiating their message verification capability in this way, the first 16 bytes of the BGP message header (the marker field) are changed, i.e. the BGP header marker field is used to verify each message dynamically, which protects the whole BGP message and thereby protects the BGP connection. Although an attacker can intercept BGP messages from the TCP stream, without knowing the BGP header the messages cannot be synchronised, so the specific content of the BGP messages cannot be obtained.

The present invention is described in further detail below with reference to the accompanying drawings.

Fig. 1 is a flow chart of an embodiment of the method of the present invention. According to Fig. 1, in step 1 the message receiving end first sends the message sending end a connection negotiation message (OPEN message) that includes the authentication mechanism and the authenticator. In practice the content of the OPEN message can be chosen according to the needs of the negotiation; the format of the OPEN message used in this example is shown in Fig. 2. The OPEN message of Fig. 2 is the one used to establish the BGP connection, and as Fig. 2 shows it carries many parameters. The present invention uses this message to negotiate the capability for the authentication mechanism and authenticator, making use of its last parameter, the optional parameters. The format of the optional parameter is shown in Fig. 3: a verification code identifies or agrees the authentication mechanism to be used, and a 16-byte random number serves as the authenticator. The role of the OPEN message is to carry the specific content of the negotiation, i.e. the negotiated authentication mechanism and authenticator. In this example the verification code value is 1, defined as the message authentication mechanism based on the MD5 algorithm, and the 16 bytes that follow are a random number generated by the BGP message receiving end to serve as the authenticator. It should be noted that in practice the algorithm used may also be any other suitable verification algorithm and is not limited to MD5.

In step 2, after receiving the OPEN message, the message sending end determines from the OPEN message and its own authentication capability whether it supports the authentication mechanism and authenticator in the OPEN message. If it does, it returns a "supported" message to the message receiving end, indicating that the negotiation between the two ends has succeeded; otherwise it returns a "not supported" message. In step 3, the message receiving end receives the message returned by the sending end and judges from it whether the negotiation with the sending end has succeeded, i.e. whether the negotiated content is supported. If the received message is a "supported" message, the negotiation is considered successful and the procedure continues with step 4; otherwise the negotiation has failed and ends.

In step 4, when the message sending end sends messages, the BGP connection is established and the sending end then sends BGP messages with the message header determined from the authentication mechanism and authenticator. Finally, in step 5, the message receiving end verifies the BGP message header of each received BGP message using the negotiated authentication mechanism and authenticator; if verification passes, the message is accepted, otherwise it is discarded. In other words, once the BGP connection is established, every message the sending end sends must carry the new message header in place of the 16 all-ones bytes specified by the BGP protocol. On receiving a BGP message, the receiving end first checks whether the message header matches; if it does not, the message is dropped.

In steps 4 and 5 above, both the message receiving end and the message sending end determine the content of the BGP message header from the authentication mechanism and authenticator: the receiving end uses this content to verify whether a received BGP message was sent to it, and the sending end uses this content to send BGP messages. The specific determination follows the MD5 algorithm, as in the following command:

The input to MD5 is: OPEN type + password + 16-byte random number + message information;

where the password is the MD5 password configured at both the message sending end and the message receiving end, the 16-byte random number is the authenticator, and the message information is the full message without its header (the 16-byte header marker). As the command shows, the sending end uses the BGP message it is about to send as a parameter when determining the message header, and the receiving end likewise uses the received BGP message (without its header) as a parameter when determining the header; therefore, if a received message has been tampered with, this is detected immediately and the tampered message is discarded.

Of the above steps, steps 1 to 3 are the negotiation process, which need only be executed once, before the BGP connection between the message sending end and the message receiving end is established. After the negotiation succeeds and the BGP connection is established, the sending and receiving of messages between the two ends is executed repeatedly.

It should be noted that the roles of message sending end and message receiving end are relative: whichever node in the network acts as the message receiving end, the authentication mechanism and authenticator negotiated with the message sending end may differ each time. In addition, the negotiation process can also be initiated by the message sending end.
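The OPEN optional parameter and the marker computation described above, written out as an added example; this is not code from the patent or from Huawei. It assumes the standard 19-byte BGP header layout (16-byte marker, 2-byte length, 1-byte type) and treats the "OPEN type" input as the one-byte verification code; the password, nonce and payload are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed demonstration of the marker scheme described above; not Huawei's
# code. Wire layout assumed: 16-byte marker | 2-byte length | 1-byte type | body.
MARKER_LEN = 16
HEADER_LEN = 19
VERIFY_CODE_MD5 = 1  # verification-code value the page assigns to MD5


def build_verify_option(nonce: bytes, code: int = VERIFY_CODE_MD5) -> bytes:
    """OPEN optional-parameter value: verification code + 16-byte authenticator."""
    if len(nonce) != MARKER_LEN:
        raise ValueError("authenticator must be a 16-byte random number")
    return bytes([code]) + nonce


def parse_verify_option(opt: bytes):
    """Return (code, nonce) from a received option, rejecting malformed lengths."""
    if len(opt) != 1 + MARKER_LEN:
        raise ValueError("bad verification option length")
    return opt[0], opt[1:]


def compute_marker(password: bytes, nonce: bytes, msg_type: int, body: bytes) -> bytes:
    """MD5(OPEN type + password + 16-byte random number + message information).

    'Message information' is the message minus its 16-byte marker, i.e.
    length + type + body.  The leading 'OPEN type' / 'connection negotiation
    type' byte is assumed here to be the verification code (1 for MD5).
    """
    info = struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body
    h = hashlib.md5()
    for part in (bytes([VERIFY_CODE_MD5]), password, nonce, info):
        h.update(part)
    return h.digest()  # exactly 16 bytes, the size of the marker it replaces


def build_message(password: bytes, nonce: bytes, msg_type: int, body: bytes) -> bytes:
    """Sender side: emit the message with the computed marker in place of all-ones."""
    marker = compute_marker(password, nonce, msg_type, body)
    return marker + struct.pack("!HB", HEADER_LEN + len(body), msg_type) + body


def verify_message(password: bytes, nonce: bytes, wire: bytes) -> bool:
    """Receiver side: recompute the marker over the received content and compare."""
    if len(wire) < HEADER_LEN:
        return False
    marker, rest = wire[:MARKER_LEN], wire[MARKER_LEN:]
    length, msg_type = struct.unpack("!HB", rest[:3])
    if length != len(wire):
        return False
    expected = compute_marker(password, nonce, msg_type, rest[3:])
    return hmac.compare_digest(marker, expected)  # constant-time comparison


if __name__ == "__main__":
    password = b"constructed-shared-secret"  # configured on both ends
    nonce = os.urandom(16)  # generated by the receiving end, carried in OPEN
    code, nonce_rx = parse_verify_option(build_verify_option(nonce))
    assert code == VERIFY_CODE_MD5
    wire = build_message(password, nonce, 2, b"constructed UPDATE payload")
    print("genuine message verifies:", verify_message(password, nonce_rx, wire))
    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])  # flip one bit of the body
    print("tampered message verifies:", verify_message(password, nonce_rx, tampered))
```

Because the 16-byte random number is exchanged once at OPEN time, identical messages within a session produce identical markers: the marker detects modification of a message but does not by itself distinguish a replayed copy of a genuine one.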

Claims (4)

1. A message security protection method based on Border Gateway Protocol messages, comprising:
A. the message receiving end sends the message sending end a connection negotiation message that includes an authentication mechanism and an authenticator;
B. the message sending end determines, from the received connection negotiation message and its own authentication capability, whether it supports the authentication mechanism and authenticator in the connection negotiation message; if so, it returns a "supported" message to the message receiving end and the negotiation between the two sides succeeds, otherwise it returns a "not supported" message;
C. after the negotiation between the message sending end and the message receiving end succeeds, when messages are to be sent, a connection based on the Border Gateway Protocol is established, and the message sending end then sends Border Gateway Protocol messages with a header determined from the authentication mechanism and the authenticator;
D. the message receiving end verifies each received Border Gateway Protocol message using the authentication mechanism and authenticator negotiated successfully with the message sending end; if verification passes, the message is accepted, otherwise it is discarded.
2. The message security protection method according to claim 1, characterized in that the method further comprises: determining an authentication mechanism based on Message Digest Algorithm 5.
3. The message security protection method according to claim 2, characterized in that the method further comprises: determining the authenticator to be a 16-byte random number.
4. The message security protection method according to claim 3, characterized in that the Border Gateway Protocol message header for the messages sent by the message sending end is determined from the authentication mechanism and the authenticator according to the following equation:
the input to Message Digest Algorithm 5 is: connection negotiation type + password + 16-byte random number + message information;
where the password is the Message Digest Algorithm 5 password configured at the message sending end and the message receiving end, the 16-byte random number is the authenticator, and the message information is the message without its header, that is, the full message without the 16-byte header marker.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN 02129194 (CN1223145C)  2002-08-20  2002-08-20  Message safety protection method based on boundary gateway protocol message (Expired - Fee Related)

Publications (2)

Publication Number  Publication Date
CN1477814A (en)  2004-02-25
CN1223145C (en), granted  2005-10-12

Family

ID=34144048

Country Status (1)

Country  Link
CN (1)  CN1223145C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100454833C (en) * 2005-08-19 2009-01-21 华为技术有限公司 A method for identifying network management interface parameters
CN101207555B (en) * 2006-12-18 2010-07-14 中兴通讯股份有限公司 Method for automatically clearing over loading bit in the course of avoiding path black hole
CN101399751B (en) * 2007-09-25 2011-02-09 华为技术有限公司 Switching system and method in a communication network
CN101547158B (en) * 2009-05-13 2013-04-10 杭州华三通信技术有限公司 PADT message interaction method and device in PPPoE session
CN106487746A (en) * 2015-08-26 2017-03-08 中兴通讯股份有限公司 A kind of method and device of BMP message authentication
CN107454069B (en) * 2017-07-21 2020-04-21 河南工程学院 A Mimic Protection Method for Inter-Domain Routing System Based on AS Security Association
CN113541924B (en) 2020-04-13 2023-09-29 华为技术有限公司 Message detection method, device and system
CN114157419B (en) * 2021-11-29 2023-08-08 军事科学院系统工程研究院网络信息研究所 Security routing protocol method and system based on OSPF


Similar Documents

Publication Publication Date Title
US7039713B1 (en) System and method of user authentication for network communication through a policy agent
US8713666B2 (en) Methods and devices for enforcing network access control utilizing secure packet tagging
JP6625211B2 (en) Key exchange through partially trusted third parties
US7134019B2 (en) Methods and systems for unilateral authentication of messages
US20040098620A1 (en) System, apparatuses, methods, and computer-readable media using identification data in packet communications
CN106357690B (en) data transmission method, data sending device and data receiving device
US20100211780A1 (en) Secure network communications
CN1173529C (en) Security Protection Method for Control Messages Based on Border Gateway Protocol Messages
WO2018214719A1 (en) Dynamic safety method and system based on multi-fusion linked responses
JP4107213B2 (en) Packet judgment device
US20110321145A1 (en) Method for Ensuring Security of Computers Connected to a Network
JP2004295891A (en) Method for authenticating packet payload
US7139679B1 (en) Method and apparatus for cryptographic protection from denial of service attacks
CN101729871B (en) Method for safe cross-domain access to SIP video monitoring system
EP1574009B1 (en) Systems and apparatuses using identification data in network communication
CN1223145C (en) Message safety protection method based on boundary gateway protocol message
EP2507940B1 (en) Identity based network policy enablement
KR101089269B1 (en) Attack detection method and system using secure SIP protocol that provides security function
CN108282337B (en) Routing protocol reinforcing method based on trusted password card
CN114666419A (en) Data transmission method, device, terminal equipment and storage medium
CN110830498A (en) Continuous attack detection method and system based on mining
CN117319088B (en) Method, device, equipment and medium for blocking illegal external connection equipment
CN118381634A (en) A data transmission method and system based on switch technology
Wu et al. Identity-Based Authentication Protocol for Trustworthy IP Address
Goyal et al. Computer Network Security and Protection Strategy.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20051012

Termination date: 20110820
