CN102368740A - Network addressing method - Google Patents
- Publication number: CN102368740A (application number CN201110393986XA)
- Authority: CN (China)
- Prior art keywords: responsibility, territory, domain, label, network addressing
- Legal status: Pending (the status shown is Google's assumption, not a legal conclusion)
Abstract
A network addressing method, characterized in that the address of every network interface is a combination of a flat-structured responsibility-domain label and a hierarchically structured intra-domain label. The responsibility-domain label is the hash value of the responsibility domain's public key and therefore corresponds naturally one-to-one with that public key. Within the responsibility domain, an identity-based signature algorithm is used to assign private keys to network devices offline and on demand, so that the public key corresponding to each device is its address under the hybrid network addressing scheme. The network addressing method of the invention not only has an inherent, distributed trust model, but also causes neither an increase in deployment cost nor a decrease in communication performance.
Description
Technical field
The invention relates to a network addressing method that provides an inherent, distributed trust model across the whole network. It belongs to the field of network security, and in particular to the field of IP routing and switching.
Background
AIP (Accountable Internet Protocol) provides an inherent, distributed trust model by redesigning the network addressing scheme.
AIP's addressing scheme has a number of shortcomings. (1) Deployment cost is high: AIP has a variable-length address structure, which requires ① a complete change of the IP protocol, the inter-domain routing protocol and the intra-domain routing protocols; ② reassignment of host addresses and modification of end-host operating systems; ③ upgrading of all applications; ④ extension of DNS (Domain Name System) server functionality. (2) Communication performance is low: as Figure 1 shows, the AIP packet header is far larger than the IPv4 or IPv6 header. Because of the path MTU limit, the same amount of data must be split into more packets under AIP, which greatly increases transmission delay and lowers end-to-end communication performance.
Summary of the invention
The object of the invention is to provide a network addressing method that has an inherent, distributed trust model and causes neither an increase in deployment cost nor a decrease in communication performance.
To this end, the invention provides a network addressing method characterized in that the address of every network interface is a combination of a flat-structured responsibility-domain label and a hierarchically structured intra-domain label. The responsibility-domain label is the hash value of the responsibility domain's public key and therefore corresponds naturally one-to-one with that public key. Within the responsibility domain, an identity-based signature algorithm is used to assign private keys to network devices offline and on demand, so that the public key corresponding to each device is its address under the hybrid network addressing scheme.
Preferably, an asymmetric cryptosystem is used to generate the responsibility domain's public/private key pair.
Preferably, the asymmetric cryptosystem is RSA, DSA or ECDSA.
Preferably, the hybrid addressing scheme is compatible with IPv6 networks: a hybrid-scheme address is 128 bits long, of which the responsibility-domain label occupies 88 bits, the reserved field 8 bits and the intra-domain label 32 bits.
Preferably, the improved inter-domain routing mechanism replaces both the AS numbers and the destination IP prefixes appearing in BGP route update messages with responsibility-domain labels, and organizes the routing table and forwarding table with the responsibility-domain label as the lookup key.
Preferably, the improved intra-domain routing mechanism modifies the intra-domain routing protocols so that they can work with hybrid-scheme addresses.
Preferably, the intra-domain routing protocols include RIP and OSPF.
Preferably, inter-domain routers organize their forwarding tables keyed on the flat responsibility-domain label and, when forwarding a packet, use a hash table to locate exactly the routing information for a given destination address.
Preferably, a registration and query center is set up that stores and distributes all responsibility-domain public keys and intra-domain public parameters, and supports updating of responsibility-domain labels, public keys and intra-domain public parameters.
Preferably, the reserved field lies between the "responsibility-domain label field" and the "intra-domain label field".
The beneficial effects of the invention are as follows:
(1) Inherent, distributed trust model. First, each responsibility domain itself vouches for the trustworthiness of its own public key, and vouches for the public keys of the devices inside it by guaranteeing the intra-domain public parameters; every responsibility domain is thus the trust anchor for its own devices, and no "root trust anchor" exists anywhere in the trust model, so the invention provides a distributed trust model. Second, this distributed trust model lives inside the routing structure and needs no mechanism deployed outside it, so the trust model is inherent.
(2) Low deployment cost. Taking the special case of a 128-bit address as an example: ① the invention only changes how an end-node address is split between network part and host part, and does not change end-node hardware, operating systems or applications; ② it does not affect intra-domain routers or intra-domain routing mechanisms, and a responsibility domain remains free to keep using its existing intra-domain routing protocols; ③ it changes the inter-domain routing mechanism, which requires upgrading BGP and iBGP routers; ④ it does not change the DNS system. The deployment cost of the invention is therefore far lower than that of AIP.
(3) High communication performance. Again taking the 128-bit address as an example, the packet header can use the IPv6 header format, so unlike AIP the invention does not lower communication performance by enlarging the packet header.
The invention provides a novel network addressing method that carries its own inherent trust model; because that trust model is distributed, it does not give rise to disputes over control of the Internet.
Brief description of the drawings
Figure 1 is a schematic diagram of the AIP routing structure.
Figure 2 is a schematic diagram of the network addressing method according to the invention.
Detailed description
Researchers often use asymmetric cryptography to solve network security problems, and building a sound trust model is a precondition for doing so. Here a trust model means the technical means of guaranteeing that a "public key is trustworthy", which is understood as follows: suppose network entity A (with label Q_A) claims to hold public key pk_A; if network entity B believes that pk_A really is A's public key, or that the private key pr_A corresponding to pk_A is legitimately held by A alone, then B is said to believe that A's public key pk_A is trustworthy.
Let Q be the set of network entities involved in the security scheme, and let the one-to-one correspondence between a label and a public key express the assertion "the public key corresponding to label Q_A is pk_A". The technical effect a trust model must achieve can then be summarized as: when some Q_x announces such a correspondence, the other network entities can tell, through the trust model, whether it is trustworthy.
Existing network security schemes generally adopt a centralized trust model. Specifically:
(1) A trust anchor is set up in the network with private key pr and corresponding public key pk; every network entity must obtain and store pk, and every network entity believes that the trust anchor can arbitrate the trustworthiness of public keys.
(2) For any network entity A (with label Q_A) whose public key is pk_A, before A announces the correspondence between Q_A and pk_A it must first obtain the trust anchor's digital signature over that correspondence; that signature expresses the trust anchor's judgement that the correspondence is trustworthy. (3) When A announces the correspondence to network entity B, A must also hand B the signature, and B verifies it with the trust anchor's public key pk. If verification succeeds, B believes that "the CA considers the correspondence trustworthy", and because B believes the trust anchor can arbitrate the trustworthiness of public keys, B believes the correspondence is trustworthy. These steps therefore achieve the technical effect required of a trust model.
In short, a centralized trust model requires a trust anchor and requires every network entity to trust that anchor to arbitrate the trustworthiness of public keys. In the current political and social environment, where to place that trust anchor has become a hard problem: whether it should sit in the United States or in China, and whether it should be run by the United States or NATO or by China or Russia, is difficult to settle. Researchers generally summarize this shortcoming by saying that a centralized trust model easily leads to disputes over control of the Internet and is therefore hard to put into practice.
To address these shortcomings of the centralized trust model, the invention designs a novel network addressing method, HAS (Hybrid Addressing Scheme). HAS carries its own inherent trust model, and because that trust model is distributed it does not give rise to disputes over control of the Internet.
AIP (Accountable Internet Protocol) likewise provides an inherent, distributed trust model by redesigning the addressing scheme. AIP takes the accountability domain (AD) as the basic element of the network topology. An accountability domain is a network in the Internet with an independent administrative entity, and accountability domains may be nested. AIP treats the network corresponding to an IP prefix as a top-level AD, and only top-level ADs take part in global routing. On top of this routing structure AIP designs a hierarchical address structure in which every level of the address is a self-certifying label.
First, every AD and every network device has a unique self-certifying label, consisting mainly of the hash of the corresponding public key. Because the hash function is one-way, self-certifying labels and public keys correspond one-to-one. Note that AIP requires RSA for generating an AD's public/private key pair but does not specify a hash algorithm.
Second, the address of every network interface is hierarchical: it consists of the labels of all ADs from the top-level AD down to the AD hosting the interface, the network-device label, and the interface number (the rightmost 8 bits of the device label). The length of an AIP address is therefore variable.
On this addressing method AIP builds a special packet forwarding method.
In Figure 1, AD1 and AD4 are labels of top-level ADs; AD2 is nested in AD1 and AD3 in AD2, and terminal A resides in AD3; likewise AD5 is nested in AD4 and AD6 in AD5, and terminal B resides in AD6. Of AD1 to AD6 only the top-level domains AD1 and AD4 take part in global routing; the border routers of the other domains know only the routes to their parent and child ADs. The labels of A and B are EID1 and EID2, and their global addresses are AD1:AD2:AD3:EID1 and AD4:AD5:AD6:EID2.
As shown in Figure 1, when A initiates communication with B, it fills the source label EID1, the source top-level domain AD1, the destination label EID2 and the destination top-level domain AD4 into the corresponding fields of the packet header, appends the intermediate domains on the source side (AD2 and AD3) to the source stack SS, and appends the intermediate domains on the destination side (AD5 and AD6) to the destination stack DS. When the border router of AD3 receives the packet it sees that the "destination top-level domain" (field 4 in Figure 1) is not AD1 and hands the packet up to its parent AD; the border router of AD2 does the same. Finally the border router of AD1 forwards the packet to AD4, since it holds a route to AD4. The border router of AD4 pops the next-level label AD5 from DS, replaces the "destination top-level domain" with AD5 and forwards the packet on; the border router of AD5 does the same, replacing it with AD6. The packet finally reaches terminal B, which completes one packet exchange.
From the above, AIP has an inherent, distributed trust model:
In AIP every AD and network device has a unique self-certifying label, and the correspondence between label and public key needs no guarantee from any other network entity. Each AD and network device thus becomes its own trust anchor, and there is no "root trust anchor" in the trust model, so AIP's addressing scheme gives it a distributed trust model.
The trustworthiness of the label-to-key correspondence resides in the addressing scheme itself, and no mechanism needs to be deployed outside the routing system, so AIP's trust model is inherent.
The invention performs better than AIP. According to one embodiment, the implementation steps are as follows:
Step 1: Take as given a routing structure whose elements are responsibility domains.
Any network in the Internet with an independent administrative entity is treated as a responsibility domain, and responsibility domains are the basic elements of the network topology. The whole network is then a "union of many responsibility domains", and each responsibility domain is one element of the topology. The granularity of a responsibility domain is flexible: regardless of size, any network with a single independent administrative entity can be a responsibility domain, so fixed subnets (enterprise or campus networks), mobile subnets (on trains or ships) and autonomous systems may all be treated as independent responsibility domains.
Step 2: On this routing structure, design the network addressing method
The addressing method is: the address of every network interface is a combination of a flat responsibility-domain label d and a hierarchical intra-domain label f, written d:f and called a HAS address.
As shown in Figure 2, d uniquely identifies the responsibility domain across the whole network, and f uniquely identifies the network interface within that responsibility domain.
(1) Where compatibility with other networks is required, the lengths of d and f may be further constrained
For example, for compatibility with IPv6 networks, d can be fixed at 88 bits, the reserved field at 8 bits and f at 32 bits, giving a total address length of 128 bits, the same as an IPv6 address.
(2) The flat responsibility-domain label is derived from an asymmetric cryptosystem and a hash function
The responsibility-domain label is the hash of the responsibility domain's public key. Specifically, for responsibility domain i, its label d_i is generated by formula (1):
d_i = Prf_i(pk_i)    (1)
In formula (1), pk_i is the public key generated autonomously by responsibility domain i, and pr_i is the corresponding private key; Prf_i(.) is the one-way hash function chosen by responsibility domain i. Specifically:
1) An asymmetric cryptosystem such as RSA, DSA or ECDSA (Elliptic Curve Digital Signature Algorithm) can be used to generate the responsibility domain's public/private key pair.
2) A common hash function (such as SHA or MD5) can be applied to the responsibility-domain public key to produce the label; alternatively a hash function can be built from the symmetric cipher AES by the standard method of ISO/IEC 10118-2, and that hash function applied to the public key to produce the label.
(3) The reserved field
As shown in Figure 2, the reserved field lies between the "responsibility-domain label field" and the "intra-domain label field". Its length is not fixed; it is merely padding with no semantics, and its value can be set to all zeros.
(4) The intra-domain label
The intra-domain label uses a CIDR (Classless Inter-Domain Routing) style hierarchy, supporting subnetting and prefix aggregation. The responsibility domain assigns intra-domain labels autonomously.
(5) The responsibility domain sets the private key of each terminal device, whose corresponding public key is its HAS address
Within the responsibility domain, an identity-based signature algorithm (for example the JYH algorithm) is used to assign private keys to the domain's network devices on demand, so that the public key corresponding to each device is its own HAS address.
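The following Python example is added here to make the Step 2 address layout concrete; it is not code from the patent. It packs the 88-bit domain label d, the 8-bit all-zero reserved field and the 32-bit intra-domain label f into a 128-bit value carried as an ordinary IPv6 address, and it shows the self-certifying check that makes the trust model distributed: a peer that is handed a domain's public key recomputes d from it and compares with the address it already uses, with no trust anchor involved. Assumptions not fixed by the page: Prf is SHA-256 truncated to its leftmost 88 bits (the page names "SHA" and MD5 without choosing one; MD5 is avoided because its collision resistance is broken), the public keys are constructed byte strings rather than real key material, and item (5), the identity-based signature scheme for device keys, is not implemented.

```python
from __future__ import annotations
import hashlib
import ipaddress

# Field widths of the IPv6-compatible HAS layout from the patent:
# 88-bit responsibility-domain label d | 8-bit reserved field | 32-bit intra-domain label f
D_BITS, RESERVED_BITS, F_BITS = 88, 8, 32
assert D_BITS + RESERVED_BITS + F_BITS == 128


def domain_label(public_key: bytes) -> int:
    """d_i = Prf_i(pk_i). Assumption: Prf is SHA-256 with the digest truncated to
    its leftmost 88 bits so that it fits the label field."""
    digest = hashlib.sha256(public_key).digest()
    return int.from_bytes(digest, "big") >> (256 - D_BITS)


def make_has_address(d: int, f: int, reserved: int = 0) -> ipaddress.IPv6Address:
    """Pack d:f (plus the all-zero reserved padding) into one 128-bit value that an
    unmodified IPv6 stack carries in a normal IPv6 header."""
    if not 0 <= d < (1 << D_BITS):
        raise ValueError("responsibility-domain label does not fit in 88 bits")
    if not 0 <= f < (1 << F_BITS):
        raise ValueError("intra-domain label does not fit in 32 bits")
    if not 0 <= reserved < (1 << RESERVED_BITS):
        raise ValueError("reserved field does not fit in 8 bits")
    value = (d << (RESERVED_BITS + F_BITS)) | (reserved << F_BITS) | f
    return ipaddress.IPv6Address(value)


def split_has_address(addr: ipaddress.IPv6Address) -> tuple[int, int]:
    """Recover (d, f) from a HAS address; the reserved field carries no semantics."""
    value = int(addr)
    return value >> (RESERVED_BITS + F_BITS), value & ((1 << F_BITS) - 1)


def key_matches_address(addr: ipaddress.IPv6Address, claimed_public_key: bytes) -> bool:
    """Self-certification check. A peer told 'domain i's public key is pk' recomputes
    d from pk and compares it with the address it already uses for that domain. No
    trust anchor or certificate chain is consulted; a mismatch means the key or the
    address was substituted and the claim must be rejected."""
    d, _ = split_has_address(addr)
    return d == domain_label(claimed_public_key)


# Constructed sample inputs: stand-ins for public keys, not real key material.
DOMAIN_I_PK = b"constructed-sample-public-key-of-domain-i"
DOMAIN_J_PK = b"constructed-sample-public-key-of-domain-j"
# Constructed intra-domain label for host 10 in subnet 1 (CIDR-style inside f).
HOST_F = (1 << 24) | 10


def example() -> str:
    """Build host 10's HAS address in domain i and return it in IPv6 text form."""
    d_i = domain_label(DOMAIN_I_PK)
    addr = make_has_address(d_i, HOST_F)
    assert key_matches_address(addr, DOMAIN_I_PK)       # genuine key: accepted
    assert not key_matches_address(addr, DOMAIN_J_PK)   # substituted key: rejected
    return str(addr)


if __name__ == "__main__":
    print(example())
```

Because the top 88 bits of the address are a hash, two domains never share a meaningful prefix; that is exactly why Step 5 keys the inter-domain forwarding table on d with exact matching rather than longest-prefix matching.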
Step 3: On this addressing method, design the inter-domain routing mechanism
BGP (Border Gateway Protocol) is modified and the modified BGP performs inter-domain routing: (1) the AS (Autonomous System) numbers and destination IP prefixes appearing in BGP route update messages are all replaced with responsibility-domain labels; (2) the routing table and forwarding table are organized with the responsibility-domain label as the key.
Step 4: On this addressing method, design the intra-domain routing mechanism
Because the intra-domain label is hierarchical, one can (1) modify intra-domain routing protocols such as RIP (Routing Information Protocol) and OSPF (Open Shortest Path First) so that they work with HAS addresses, and (2) use the modified RIP, OSPF or other intra-domain protocol to perform routing inside the responsibility domain.
Step 5: On this addressing method, design the packet forwarding process
With HAS addresses, (1) each packet header chiefly carries the source and destination addresses; in particular, if the HAS address is fixed at 128 bits the packet header can use the IPv6 header format. (2) Inter-domain routers organize the inter-domain routing table and forwarding table keyed on the flat responsibility-domain label; when forwarding a packet, an inter-domain router can drop the longest-prefix-match algorithm used in the Internet and instead use a hash table to locate exactly the routing information for a given destination address.
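The example below, added here and not taken from the patent, shows the two lookups of Steps 3 to 5 side by side: an inter-domain forwarder that keys its table on the flat label d and answers with one exact hash-table probe, and an intra-domain forwarder that applies longest-prefix match to the CIDR-style label f. It also includes the label swap that Step 6 requires after a domain re-keys. The domain labels, next-hop names and intra-domain prefixes are constructed sample values; two of the labels are deliberately chosen to differ only in their last bits to show that a flat table never aggregates them.

```python
from __future__ import annotations
import ipaddress
from typing import Optional

D_BITS, RESERVED_BITS, F_BITS = 88, 8, 32


def make_has_address(d: int, f: int) -> ipaddress.IPv6Address:
    """d:f packed as 128 bits with an all-zero reserved field."""
    return ipaddress.IPv6Address((d << (RESERVED_BITS + F_BITS)) | f)


def split_has_address(addr: ipaddress.IPv6Address) -> tuple[int, int]:
    """(d, f) from a HAS address; the 8-bit reserved field is skipped."""
    value = int(addr)
    return value >> (RESERVED_BITS + F_BITS), value & ((1 << F_BITS) - 1)


class InterDomainForwarder:
    """Forwarding table of an inter-domain router: keyed on the flat label d,
    so a lookup is one exact dictionary (hash-table) probe, not a prefix search."""

    def __init__(self, local_domain: int) -> None:
        self.local_domain = local_domain
        self.table: dict[int, str] = {}

    def learn(self, d: int, next_hop: str) -> None:
        self.table[d] = next_hop

    def next_hop(self, dst: ipaddress.IPv6Address) -> Optional[str]:
        d, _ = split_has_address(dst)
        if d == self.local_domain:
            return "local"           # hand over to intra-domain routing
        return self.table.get(d)     # None: no route to that domain

    def replace_label(self, old_d: int, new_d: int) -> bool:
        """Step 6: after a domain re-keys, swap its old label for the new one
        without touching the next hop. Returns False if old_d was unknown."""
        if old_d not in self.table:
            return False
        self.table[new_d] = self.table.pop(old_d)
        return True


class IntraDomainForwarder:
    """Inside a domain f is CIDR-like, so the usual longest-prefix match applies."""

    def __init__(self) -> None:
        self.routes: list[tuple[int, int, str]] = []   # (prefix, prefix_len, next_hop)

    def learn(self, prefix: int, prefix_len: int, next_hop: str) -> None:
        self.routes.append((prefix, prefix_len, next_hop))

    def next_hop(self, f: int) -> Optional[str]:
        best: Optional[tuple[int, str]] = None
        for prefix, plen, hop in self.routes:
            mask = ((1 << plen) - 1) << (F_BITS - plen)
            if f & mask == prefix & mask and (best is None or plen > best[0]):
                best = (plen, hop)
        return best[1] if best else None


# Constructed 88-bit labels. D_LOCAL and D_REMOTE share 84 leading bits: an LPM
# table would aggregate them, a flat hash-keyed table keeps them apart.
D_LOCAL = 0x00A1B2C3D4E5F60718293A
D_REMOTE = 0x00A1B2C3D4E5F60718293B
D_REMOTE_NEW = 0x00A1B2C3D4E5F60718293C
D_UNKNOWN = 0x00FFEEDDCCBBAA99887766


def build_tables() -> tuple[InterDomainForwarder, IntraDomainForwarder]:
    inter = InterDomainForwarder(local_domain=D_LOCAL)
    inter.learn(D_REMOTE, "peer-router-of-domain-remote")
    intra = IntraDomainForwarder()
    intra.learn(0x0A000000, 8, "core-router")     # 10.0.0.0/8-style prefix of f
    intra.learn(0x0A010000, 16, "edge-router-1")  # 10.1.0.0/16-style prefix of f
    return inter, intra


def forward(inter: InterDomainForwarder, intra: IntraDomainForwarder,
            dst: ipaddress.IPv6Address) -> str:
    """Full decision for one packet: exact match on d, then LPM on f if local."""
    hop = inter.next_hop(dst)
    if hop == "local":
        _, f = split_has_address(dst)
        hop = intra.next_hop(f)
    return hop or "drop"


if __name__ == "__main__":
    inter, intra = build_tables()
    print(forward(inter, intra, make_has_address(D_LOCAL, 0x0A010005)))
```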
Step 6: On this addressing method, design the public key management mechanism
The public key management mechanism consists mainly of a PSR (Public Shared Registry). The PSR stores and distributes all responsibility-domain public keys and supports dynamic updating of responsibility-domain labels and public keys. It works as follows:
(1) The PSR holds a list of public key records, one entry per responsibility-domain label. Each entry contains: "responsibility-domain label", "public key", "generation parameters", "intra-domain public parameters" (for responsibility domain i, assumed to use some identity-based signature algorithm, the parameters that algorithm needs are called the intra-domain public parameters of domain i, written π_i), "generation time", "validity period", "status value", "entry location" and "digital signature". A "status value" of 0 means the entry is still valid; 1 means it has been revoked. "Entry location" is optional: when "status value" is 1, it gives the location of the entry for the new label. "Digital signature" holds the responsibility domain's signature over "public key", "generation parameters", "intra-domain public parameters", "generation time", "validity period", "status value" and "entry location".
(2) Distribution: each responsibility domain periodically queries the PSR to keep the labels, public keys and intra-domain public parameters of the other responsibility domains up to date.
(3) Update: to counter possible degradation of key strength over time, three ways of updating a responsibility-domain label are provided. ① Scheduled update: before its validity period expires, every responsibility domain must generate a new public/private key pair, label and intra-domain public parameters, revoke the old entry in the PSR and register a new one. ② Ad hoc update: a responsibility domain may proactively update its key pair, label and intra-domain public parameters at any time, likewise revoking the old entry and registering a new one. ③ Partial update: a responsibility domain may update only the "intra-domain public parameters" attribute of its stored entry. In addition, whenever a scheduled or ad hoc update occurs, every responsibility domain must replace the old responsibility-domain label with the new one in its routing table, forwarding table and mapping table.
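The following example, added as an illustration and not part of the patent, models the PSR entry of item (1) and the three update kinds of item (3), and shows what a querying domain should do with what it receives: follow a revoked entry's "entry location" to its successor, reject an entry past its validity period, and re-check that the label really is the hash of the stored public key. That last check matters because the PSR is a distribution point, not a trust anchor: a tampered record that binds a foreign key to a label fails the self-certification test. Assumptions: the label hash is SHA-256 truncated to 88 bits as in the earlier example, times are plain integers, the key material and parameter strings are constructed placeholders, and the entry's "digital signature" field is left out (a deployment would sign and verify it with the domain's own key pair).

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

D_BITS = 88
STATUS_VALID, STATUS_REVOKED = 0, 1


def domain_label(public_key: bytes) -> int:
    """d = Prf(pk). Assumption: SHA-256 truncated to its leftmost 88 bits."""
    return int.from_bytes(hashlib.sha256(public_key).digest(), "big") >> (256 - D_BITS)


@dataclass
class PsrEntry:
    label: int
    public_key: bytes
    generation_params: str                 # e.g. cryptosystem and key size
    domain_params: str                     # intra-domain public parameters pi_i
    generated_at: int
    valid_until: int
    status: int = STATUS_VALID
    entry_location: Optional[int] = None   # successor entry index once revoked
    # The "digital signature" over the fields above is omitted in this example.


class PublicSharedRegistry:
    def __init__(self) -> None:
        self.entries: list[PsrEntry] = []
        self.index: dict[int, int] = {}    # label -> position in entries

    def register(self, entry: PsrEntry) -> int:
        if entry.label in self.index:
            raise ValueError("label already registered")
        self.entries.append(entry)
        self.index[entry.label] = len(self.entries) - 1
        return self.index[entry.label]

    def rekey(self, old_label: int, new_entry: PsrEntry) -> int:
        """Scheduled or ad hoc update: register the new entry, revoke the old one
        and point it at its successor so stale queries can follow the chain."""
        old = self.entries[self.index[old_label]]
        if old.status == STATUS_REVOKED:
            raise ValueError("entry already revoked")
        pos = self.register(new_entry)
        old.status = STATUS_REVOKED
        old.entry_location = pos
        return pos

    def partial_update(self, label: int, new_domain_params: str) -> None:
        """Partial update: only the intra-domain public parameters change."""
        entry = self.entries[self.index[label]]
        if entry.status == STATUS_REVOKED:
            raise ValueError("cannot update a revoked entry")
        entry.domain_params = new_domain_params

    def resolve(self, label: int, now: int) -> Optional[PsrEntry]:
        """Client-side view of a query: follow revoked entries to their successor,
        reject expired ones, and re-check label == H(pk) against tampering."""
        pos = self.index.get(label)
        seen: set[int] = set()
        while pos is not None and pos not in seen:
            seen.add(pos)
            entry = self.entries[pos]
            if entry.status == STATUS_REVOKED:
                pos = entry.entry_location
                continue
            if now > entry.valid_until:
                return None
            if entry.label != domain_label(entry.public_key):
                return None            # record does not self-certify: distrust it
            return entry
        return None


def scenario() -> tuple[PublicSharedRegistry, int, int]:
    """Constructed walk-through: domain i registers, then re-keys before expiry."""
    psr = PublicSharedRegistry()
    pk_v1 = b"constructed-domain-i-public-key-v1"
    pk_v2 = b"constructed-domain-i-public-key-v2"
    e1 = PsrEntry(domain_label(pk_v1), pk_v1, "ECDSA P-256 (constructed)",
                  "pi_i v1", generated_at=0, valid_until=1_000)
    e2 = PsrEntry(domain_label(pk_v2), pk_v2, "ECDSA P-256 (constructed)",
                  "pi_i v2", generated_at=900, valid_until=2_000)
    psr.register(e1)
    psr.rekey(e1.label, e2)
    return psr, e1.label, e2.label


if __name__ == "__main__":
    psr, old_label, new_label = scenario()
    print(psr.resolve(old_label, now=950).label == new_label)
```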
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110393986XA CN102368740A (en) | 2011-12-01 | 2011-12-01 | Network addressing method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102368740A true CN102368740A (en) | 2012-03-07 |
Family
ID=45761290
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110393986XA Pending CN102368740A (en) | 2011-12-01 | 2011-12-01 | Network addressing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102368740A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1636378A (en) * | 2001-10-26 | 2005-07-06 | 艾利森电话股份有限公司 | Addressing mechanism in mobile internet protocol |
US20090006849A1 (en) * | 2002-04-29 | 2009-01-01 | Microsoft Corporation | Peer-to-peer name resolution protocol (pnrp) security infrastructure and method |
- 2011-12-01 CN CN201110393986XA patent/CN102368740A/en active Pending
Non-Patent Citations (5)
Title |
---|
JUNG HEE CHEON等: "A new ID-based signature with batch verification", 《CRYPTOLOGY EPRINT ARCHIVE》, 31 December 2004 (2004-12-31), pages 119 - 131 * |
NING-NING LU;HUA-CHUN ZHOU;HONG-KE ZHANG: "《Information Assurance and Security,2009.IAS "09.》", 30 December 2009, article "A New Source Address Validation Scheme Based on IBS", pages: 334-337 * |
NING-NING LU等: "IPas++:A Novel Accountable and Scalable Internet Protocol for Future Internet", 《网际网路技术学刊》, vol. 12, no. 5, 1 September 2011 (2011-09-01), pages 769 - 780 * |
卢宁宁;周华春;张宏科: "一体化网络体系架构中一种新型接入机制", 《北京交通大学学报》, vol. 33, no. 2, 15 April 2009 (2009-04-15), pages 44 - 49 * |
周三奇;陈佳;张宏科: "《2011全国无线及移动通信学术大会论文集》", 15 September 2011, article "新型平面标识域内路由协议", pages: 214-217 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103414691A (en) * | 2013-07-17 | 2013-11-27 | 中国人民解放军国防科学技术大学 | Self-trusted network address and secret key distributing method based on address (public key) |
CN103414691B (en) * | 2013-07-17 | 2017-02-08 | 中国人民解放军国防科学技术大学 | Self-trusted network address and secret key distributing method based on address (public key) |
CN105072116A (en) * | 2015-08-13 | 2015-11-18 | 中国人民解放军国防科学技术大学 | Self-trusting route resource identifier and secret key distributing method based on identifier, namely public key |
CN105141597B (en) * | 2015-08-13 | 2018-08-14 | 中国人民解放军国防科学技术大学 | It is a kind of that Security routing authorization method is indicated based on the i.e. public key of mark certainly |
CN105072116B (en) * | 2015-08-13 | 2018-09-18 | 中国人民解放军国防科学技术大学 | It is the route resource of the trust certainly mark and method for distributing key of public key based on mark |
CN108809827A (en) * | 2018-05-18 | 2018-11-13 | 清华大学 | BGP improvement method and device combining stability and security |
CN108809827B (en) * | 2018-05-18 | 2020-06-02 | 清华大学 | Method and device for improving border gateway protocol combining stability and security |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102577255B (en) | | Layer 2 Seamless Site Extension for Enterprises in Cloud Computing |
Gredler et al. | | North-bound distribution of link-state and traffic engineering (TE) information using BGP |
Farinacci et al. | | The locator/ID separation protocol (LISP) |
Vu et al. | | Dmap: A shared hosting scheme for dynamic identifier to locator mappings in the global internet |
JP5536362B2 (en) | | Method for facilitating communication in a content-centric network |
Jain et al. | | Viro: A scalable, robust and namespace independent virtual id routing for future networks |
WO2011069399A1 (en) | | Address mapping method and access service node |
CN101588343A (en) | | Management method of mapping relation between prefix and autonomous system (AS), message processing method and device |
CN114785622B (en) | | Access control method, device and storage medium for multi-identification network |
Scott et al. | | Addressing the Scalability of Ethernet with MOOSE |
Farinacci et al. | | Rfc 6830: The locator/id separation protocol (lisp) |
CN102368740A (en) | | Network addressing method |
WO2014132958A1 (en) | | Communication system, control device, communication method and program |
Liu et al. | | Secure name resolution for identifier-to-locator mappings in the global internet |
CN102546419B (en) | | Routing method, routing device, packet forwarding method and packet forwarding system |
EP2276206A1 (en) | | A method, device and communication system for managing and inquiring mapping information |
Cabellos et al. | | An Architectural Introduction to the Locator/ID Separation Protocol (LISP) |
Fuller et al. | | Locator/ID separation protocol delegated database tree (LISP-DDT) |
WO2012075768A1 (en) | | Method and system for monitoring locator/identifier separation network |
JP2012527794A (en) | | Method and system for host identity tag acquisition |
CN108243190A (en) | | A trusted management method and system for network identification |
CN101316239A (en) | | A method of controlling access and forwarding in a virtual private area network service network |
Papadimitriou | | OSPFv2 Routing Protocols Extensions for Automatically Switched Optical Network (ASON) Routing |
Meng et al. | | Establish the intrinsic binding in naming space for future internet using combined public key |
Kanemaru et al. | | ZNP: A network layer protocol based on ID/locator split considering practical operation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20120307 |