
CN114826672A - Encryption and decryption methods and devices of cloud network, computing node and system - Google Patents


Info

Publication number: CN114826672A
Authority: CN (China)
Prior art keywords: encryption, header, field, virtual machine, key
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210306831.6A
Other languages: Chinese (zh)
Inventors: 乔义松, 余年兵
Current assignee: Alibaba Cloud Computing Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Alibaba Cloud Computing Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application provide an encryption method, a decryption method, an encryption device, a decryption device, a computing node and a system for a cloud network. The encryption method comprises the following steps: encrypting, with a key, a tunnel packet obtained by tunnel encapsulation that is to be sent to a second virtual machine, to obtain an encryption result; generating, according to a preset encryption header format, an encryption header for the encryption result that conforms to that format, and prepending the encryption header to the encryption result to obtain a session layer message, where the fields of the encryption header include a key field whose value indicates the key; and prepending the transport layer protocol header generated for the tunnel packet to the session layer message to obtain a transport layer message, and sending the transport layer message to the second virtual machine. The method and device provide encryption capability for tunnel packets and improve the security of tunnel communication between virtual machines.

Description

Encryption and decryption methods and devices of cloud network, computing node and system
Technical Field
The present application relates to the field of cloud computing technologies, and in particular to an encryption method and a decryption method for a cloud network, an apparatus, a computing node, and a system.
Background
In the process of providing cloud services, tunneling is generally required between virtual machines running on different computing nodes; for example, a virtual machine may tunnel data that a cloud server running on it needs to store to another virtual machine, so that another cloud server running on that virtual machine stores the data.
At present, tunnel packets are transmitted between virtual machines directly in plaintext: the tunnel packet obtained by encapsulation is carried, without further protection, as the session layer message of a transport layer message. However, as users' requirements on communication security keep rising, especially in private cloud, hybrid cloud and financial cloud scenarios, how to provide encryption capability for tunnel packets has become an urgent problem to solve.
Disclosure of Invention
The embodiments of the application provide an encryption method and a decryption method for a cloud network, together with a device, a computing node and a system, to solve the problem in the prior art of how to provide encryption capability for tunnel packets.
In a first aspect, an embodiment of the present application provides an encryption method for a cloud network, where the cloud network includes a first virtual machine and a second virtual machine running on different computing nodes, and the method is applied to the first virtual machine and includes:
encrypting, with a key, the tunnel packet obtained by tunnel encapsulation that is to be sent to the second virtual machine, to obtain an encryption result;
generating, according to a preset encryption header format, an encryption header for the encryption result that conforms to that format, and prepending the encryption header to the encryption result to obtain a session layer message, where the fields of the encryption header include a key field whose value indicates the key;
and prepending the transport layer protocol header generated for the tunnel packet to the session layer message to obtain a transport layer message, and sending the transport layer message to the second virtual machine.
In a second aspect, an embodiment of the present application provides a decryption method for a cloud network, where the cloud network includes a first virtual machine and a second virtual machine running on different computing nodes, and the method is applied to the second virtual machine and includes:
acquiring a transport layer message sent by the first virtual machine;
parsing, according to a preset encryption header format, the encryption header located at the head of the session layer message carried in the transport layer message, so as to obtain the fields of the encryption header, where the fields include a key field whose value indicates a key;
and decrypting, with that key, the encryption result that follows the encryption header in the session layer message, to obtain the tunnel packet.
In a third aspect, an embodiment of the present application provides an encryption apparatus for a cloud network, including:
an encryption module, used to encrypt, with a key, the tunnel packet obtained by tunnel encapsulation that is to be sent to the second virtual machine, to obtain an encryption result;
a session layer module, used to generate an encryption header for the encryption result according to a preset encryption header format and to prepend the encryption header to the encryption result to obtain a session layer message, where the fields of the encryption header include a key field whose value indicates the key;
and a transport layer module, used to prepend the transport layer protocol header generated for the tunnel packet to the session layer message to obtain a transport layer message, and to send the transport layer message to the second virtual machine.
In a fourth aspect, an embodiment of the present application provides a decryption apparatus for a cloud network, including:
an acquisition module, used to acquire a transport layer message sent by a first virtual machine;
a parsing module, used to parse, according to a preset encryption header format, the encryption header located at the head of the session layer message carried in the transport layer message, so as to obtain the fields of the encryption header, where the fields include a key field whose value indicates a key;
and a decryption module, used to decrypt, with that key, the encryption result that follows the encryption header in the session layer message, to obtain the tunnel packet.
In a fifth aspect, an embodiment of the present application provides a computing node, including a memory and a processor, where the memory is configured to store one or more computer instructions which, when executed by the processor, implement the method of any of the first aspects.
In a sixth aspect, an embodiment of the present application provides a computing node, including a memory and a processor, where the memory is configured to store one or more computer instructions which, when executed by the processor, implement the method of any of the second aspects.
In a seventh aspect, an embodiment of the present application provides a cloud network system, including: a first computing node for performing the method of any of the first aspects and a second computing node for performing the method of any of the second aspects.
In an eighth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, which, when executed, implements the method according to any one of the first aspect.
In a ninth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed, the method according to any one of the second aspect is implemented.
Embodiments of the present application also provide a computer program, which is used to implement the method according to any one of the first aspect when the computer program is executed by a computer.
Embodiments of the present application also provide a computer program, which is used to implement the method according to any one of the second aspect when the computer program is executed by a computer.
In the embodiments of the application, the first virtual machine does not send the tunnel packet to the second virtual machine in plaintext; that is, the tunnel packet is not carried directly as the session layer message of the transport layer message. Instead, the encryption result of the tunnel packet is carried as the session layer message, and an encryption header is prepended to the encryption result so that the second virtual machine can decrypt it promptly. The tunnel packet between the virtual machines is therefore transmitted as ciphertext, which provides encryption capability for tunnel packets and improves the security of tunnel communication between virtual machines.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic structural diagram of a cloud network provided in an embodiment of the present application;
Fig. 2 is a diagram illustrating a message structure in the prior art;
Fig. 3 is a schematic diagram of a message structure according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of an encryption method for a cloud network according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a message structure according to another embodiment of the present application;
Fig. 6 is a schematic diagram of a message structure according to another embodiment of the present application;
Fig. 7 is a schematic flowchart of an encryption method for a cloud network according to another embodiment of the present application;
Fig. 8 is a schematic structural diagram of an encryption apparatus of a cloud network according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a computing node according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a decryption device of a cloud network according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a computing node according to another embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the examples of this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, and "a" and "an" typically include at least two, but do not exclude the presence of at least one.
It should be understood that the term "and/or" as used herein is merely one type of association that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrases "if determined" or "if detected (a stated condition or event)" may be interpreted as "when determined" or "in response to a determination" or "when detected (a stated condition or event)" or "in response to a detection (a stated condition or event)", depending on the context.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a good or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such good or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a commodity or system that includes the element.
In addition, the sequence of steps in each method embodiment described below is only an example and is not strictly limited.
For the convenience of those skilled in the art to understand the technical solutions provided in the embodiments of the present application, a technical environment for implementing the technical solutions is described below.
Fig. 1 is a schematic structural diagram of a cloud network provided in an embodiment of the present application. As shown in fig. 1, the cloud network 10 may include a plurality of computing nodes, for example a first computing node 11 and a second computing node 12, and virtual machines may run on the computing nodes: for example, a first virtual machine A may run on the first computing node 11 and a second virtual machine B may run on the second computing node 12. A virtual machine is a complete computer system, simulated in software, that has the full functionality of a hardware system and runs in a completely isolated environment; an instance, such as a cloud server instance, may run on the virtual machine.
In practical applications, tunneling is usually required between virtual machines running on different computing nodes, for example, a virtual machine may tunnel data that an instance running thereon needs to store to another virtual machine, so as to store the data by another instance running on the other virtual machine.
Generally, tunnel packets are transmitted between virtual machines directly in plaintext: the tunnel packet obtained by encapsulation is carried as the session layer message of a transport layer message.
Taking the tunnel protocol Virtual eXtensible Local Area Network (VxLAN) as an example, in the conventional technology a packet sent by the first computing node 11 to the second computing node 12 may have the structure shown in fig. 2, where VxLAN + second Eth + L3 + L4 denotes the tunnel packet encapsulated by the first virtual machine and addressed to the second virtual machine. Headers encapsulated inside the tunnel packet are inner headers, and headers encapsulated outside it are outer headers; the inner headers relate to the instance running on the second virtual machine, and the outer headers relate to the second computing node 12. The fields of fig. 2 from left to right are: the first Eth is the outer layer-2 Ethernet header, IP is the outer layer-3 IP header, UDP is the outer layer-4 User Datagram Protocol (UDP) header, VxLAN is the VxLAN header, the second Eth is the inner layer-2 Ethernet header, L3 is the inner layer-3 header, L4 is the inner layer-4 header, Inner Data is the payload, and FCS is the frame check sequence.
To solve the prior-art problem of how to provide encryption capability for tunnel packets, in the embodiments of the present application the first virtual machine does not send the tunnel packet to the second virtual machine in plaintext; that is, the tunnel packet is not used directly as the session layer message of the transport layer message. Instead, the encryption result of the tunnel packet is carried as the session layer message, and an encryption header is prepended to the encryption result so that the second virtual machine can decrypt it as early as possible. The tunnel packet between the virtual machines is thus transmitted as ciphertext, which provides encryption capability for tunnel packets and improves the security of tunnel communication between virtual machines.
As shown in fig. 3, in the present application, the first computing node 11 may encrypt the tunnel packet in fig. 2 to obtain an encryption result, that is, the encryption range may include the tunnel packet, and the SEC-Head in fig. 2 may represent an encryption header. It should be noted that the message structures shown in fig. 2 and fig. 3 are only examples, and the method provided in the embodiment of the present application may be applied to any type of scenario where tunneling needs to be performed across computing nodes between virtual machines.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Fig. 4 is a schematic flowchart of an encryption method for a cloud network according to an embodiment of the present application, where the method provided in this embodiment may be applied to the first virtual machine a in fig. 1. As shown in fig. 4, the method of this embodiment may include:
step 41: encrypting, with a key, the tunnel packet obtained by tunnel encapsulation that is to be sent to a second virtual machine, to obtain an encryption result;
step 42: generating, according to a preset encryption header format, an encryption header for the encryption result that conforms to that format, and prepending the encryption header to the encryption result to obtain a session layer message, where the fields of the encryption header include a key field whose value indicates the key;
step 43: prepending the transport layer protocol header generated for the tunnel packet to the session layer message to obtain a transport layer message, and sending the transport layer message to the second virtual machine.
The tunnel packet to be sent by the first virtual machine to the second virtual machine may be obtained by tunnel-encapsulating a target packet that one instance on the first virtual machine sends to another instance on the second virtual machine. The target packet is the inner packet carried in the tunnel packet; it may be, for example, the packet composed of the VxLAN + Eth + L3 + L4 + Inner Data fields in fig. 3.
In practical applications, the first virtual machine may first determine whether the second virtual machine supports encryption of tunnel packets. If it does, the first virtual machine encrypts the tunnel packet with a key once the tunnel packet to be sent to the second virtual machine has been obtained; if it does not, the tunnel packet is left unencrypted and the conventional method is used. The first virtual machine thus remains compatible with virtual machines that do not support tunnel packet encryption. For example, the first virtual machine may learn the capability of the second virtual machine through configuration.
Optionally, the key to be used for encrypted communication between the first virtual machine and the second virtual machine may be chosen from at least one key supported by the second virtual machine, which improves the flexibility of key use. Based on this, in an embodiment, the method may include: determining, from the at least one key supported by the second virtual machine, the key to be used for encrypted communication with the second virtual machine. The at least one key supported by the second virtual machine may, for example, be carried in configuration information for the first virtual machine and sent to the first virtual machine.
Alternatively, the key to be used for encrypted communication between the first virtual machine and the second virtual machine may be determined from at least one key index supported by the second virtual machine, which likewise improves flexibility. Based on this, in an embodiment, the method may include: determining, from at least one key index supported by the second virtual machine, the target key index to be used for encrypted communication with the second virtual machine; and determining the key from the target key index and the correspondence between key indexes and keys. The at least one key index supported by the second virtual machine and the correspondence between key indexes and keys may be carried in the configuration information for the first virtual machine and sent to the first virtual machine.
After the first virtual machine has obtained the key to be used for encrypted communication with the second virtual machine, it may encrypt the tunnel packet to be sent to the second virtual machine with that key to obtain an encryption result. In an embodiment, the encryption algorithm used for the tunnel packet may be a block algorithm, for example the Data Encryption Standard (DES) algorithm; based on this, step 41 may specifically include: encrypting, with the key and in units of a preset byte length, the tunnel packet obtained by tunnel encapsulation that is to be sent to the second virtual machine, to obtain an encryption result. The preset byte length may be 16 bytes, for example, and when the length of the tunnel packet is not a whole multiple of the preset byte length, the tunnel packet is padded up to one. In this case the first virtual machine encrypts the tunnel packet together with the padding bytes to obtain the encryption result; for example, as shown in fig. 5, the first virtual machine may encrypt the tunnel packet + Padding of fig. 2 to obtain the encryption result, that is, the encryption range may include the tunnel packet + Padding, where Padding denotes the padding bytes. For the specific meaning of Eth, IP, UDP, VxLAN, L3, L4, Inner Data and FCS in fig. 5, refer to the related art; they are not repeated here.
After the encryption result is obtained, the first virtual machine may generate, according to the preset encryption header format, an encryption header for the encryption result that conforms to that format. Optionally, the encryption header format to be used for encrypted communication between the first virtual machine and the second virtual machine may be chosen from at least one encryption header format supported by the second virtual machine, which improves the flexibility of the encryption header format. Based on this, in an embodiment, the method may further include: determining, from at least one encryption header format supported by the second virtual machine, the preset encryption header format to be used for encrypted communication with the second virtual machine.
Wherein, the field of the encryption header may include a key field, and a field value of the key field may be used to indicate a key used by the first virtual machine for encryption. In one embodiment, as shown in fig. 6, the key field may specifically be a key index field (for example, may be denoted as key-index [1:0]), and a field value of the key field may be a key index, so as to further improve the security of the key. Where key-index [1:0] may indicate that the length of the key index field may be 2 bits, which is merely an example.
In the case of encrypting the tunnel packet in units of a preset byte length, as shown in fig. 6, the field of the encryption header may further include a Padding length field (which may be marked as Padding-length [3:0], for example), and a field value of the Padding length field may be used to indicate the length of Padding bytes used for encryption, so that the second virtual machine may decrypt based on the length of the Padding bytes used for encryption by the first virtual machine. Wherein Padding-length [3:0] may indicate that the length of the Padding length field may be 4 bits, which is merely an example.
In the case that the preset encryption header format is determined from at least one encryption header format supported by the second virtual machine, as shown in fig. 6, the fields of the encryption header may further include a version field (for example, may be denoted as version [3:0]), the version field may be a first field of the encryption header, and a field value of the version field may be used to indicate the preset encryption header format, so that the second virtual machine may know the format of the encryption header. Wherein version [3:0] may indicate that the length of the version field is 4 bits, which is merely an example.
In one embodiment, the first virtual machine may further indicate in the encryption header the tunneling protocol used for tunneling to the second virtual machine, so that the tunneling protocol can vary, which improves flexibility. Based on this, the method provided in this embodiment may further include determining the tunneling protocol used by the tunnel packet; accordingly, as shown in fig. 6, the fields of the encryption header may further include a protocol field (which may be denoted as dport [15:0]), whose value indicates the tunneling protocol used by the tunnel packet, so that the second virtual machine knows which tunneling protocol the tunnel packet uses. Here dport [15:0] indicates that the length of the protocol field is 16 bits, which is merely an example.
As shown in fig. 6, the fields of the encryption header may further include a reserved field (e.g., which may be noted as rsv [5:0]) to facilitate expansion of the fields of the encryption header, wherein rsv [5:0] may indicate that the length of the reserved field is 6 bits, which is merely an example.
After the encryption header conforming to the preset encryption header format is generated for the encryption result, the encryption header can be spliced to the front of the encryption result to obtain the session layer packet. The encryption header may be, for example, SEC-Head in fig. 5 and fig. 6, and in the figures SEC-Head + the encryption result of (tunnel packet + Padding) is the session layer packet.
After the session layer packet is obtained, the transport layer protocol header generated for the tunnel packet may be spliced to the front of the session layer packet to obtain the transport layer packet. The transport layer protocol header may be, for example, the UDP header in fig. 6, and in fig. 6 the UDP header + SEC-Head + the encryption result of (tunnel packet + Padding) is the transport layer packet.
Optionally, the first virtual machine may indicate, to the second virtual machine, whether the session layer packet carried in the transport layer packet is an encrypted packet, so that the second virtual machine may determine, according to the indication, how to process the session layer packet in the transport layer packet. Based on this, in an embodiment, in a case that the transport layer protocol header is a UDP header, the method provided in this embodiment may further include: setting the port number of the destination port in the transport layer protocol header to a preset port number, where the preset port number is used to indicate that the session layer packet is an encrypted packet. The preset port number may be 9000, for example; of course, in other embodiments, the preset port number may also be another port number, which is not limited in this application.
After obtaining the transport layer packet, the first virtual machine may send the transport layer packet to the second virtual machine. It should be understood that, as shown in fig. 5 and fig. 6, before the first computing node sends the transport layer packet, it needs to splice the network protocol header to the front of the transport layer packet to obtain the network layer packet, then splice the data link protocol header to the front of the network layer packet to obtain the data link layer packet, and may then send the obtained data link layer packet through the physical connection between the first computing node and the second computing node.
According to the encryption method of the cloud network provided in this embodiment, the tunnel packet obtained by tunnel encapsulation and to be sent to the second virtual machine is encrypted using the key to obtain the encryption result; the encryption header conforming to the preset encryption header format is generated for the encryption result according to that format; the encryption header is spliced to the front of the encryption result to obtain the session layer packet; the transport layer protocol header generated for the tunnel packet is spliced to the front of the session layer packet to obtain the transport layer packet; and the transport layer packet is sent to the second virtual machine. In this way the first virtual machine sends the tunnel packet to the second virtual machine in ciphertext form, which provides an encryption capability for tunnel packets and improves the security of tunnel communication between the virtual machines.
Fig. 7 is a schematic flowchart of an encryption method for a cloud network according to another embodiment of the present application, where the method provided in this embodiment may be applied to the second virtual machine B in fig. 1. As shown in fig. 7, the method of this embodiment may include:
step 71, acquiring a transport layer packet sent by a first virtual machine;
step 72, for the session layer packet carried in the transport layer packet, parsing an encryption header located at the head of the session layer packet according to a preset encryption header format to obtain the fields of the encryption header, where the fields of the encryption header include a key field, and a field value of the key field is used to indicate a key;
step 73, decrypting, using the key, the encryption result spliced after the encryption header in the session layer packet to obtain a tunnel packet.
For the data link layer packet sent by the first computing node, the second computing node may first parse the data link protocol header carried in the data link layer packet, then parse the network layer protocol header carried in the data link layer packet, and may obtain the transport layer packet by parsing the network layer protocol header.
After the second virtual machine acquires the transport layer packet, it may parse the encryption header located at the head of the session layer packet carried in the transport layer packet to obtain the fields of the encryption header, where the fields of the encryption header may include a key field, and a field value of the key field may be used to indicate a key.
Optionally, in the case that the first virtual machine indicates to the second virtual machine whether the session layer packet carried in the transport layer packet is an encrypted packet, after the second virtual machine obtains the transport layer packet, it may determine whether the session layer packet carried in the transport layer packet is an encrypted packet. Based on this, in an embodiment, in the case that the transport layer protocol header carried in the transport layer packet is a UDP header, step 72 may specifically include: parsing the transport layer protocol header to obtain the port number of the destination port in the transport layer protocol header; and, when the port number of the destination port is a preset port number, parsing the encryption header located at the head of the session layer packet according to the preset encryption header format, where the preset port number is used to indicate that the session layer packet is an encrypted packet. For example, if the second computing node finds by parsing that the destination port in the UDP header is 9000, it may know that the session layer packet is an encrypted packet.
In one embodiment, in the case that the field of the encryption header does not include the version field, the fields in the encryption header may be sequentially parsed according to a default encryption header format.
In another embodiment, when the field of the encryption header further includes a version field, the version field may be parsed first, and then the other fields in the encryption header may be parsed according to the parsed version field. Based on this, step 72 may specifically include: from the head of the session layer message, the version field is firstly analyzed, and then other fields except the version field in the encryption head are sequentially analyzed according to the preset encryption head format indicated by the field value of the version field. For example, as shown in FIG. 6, the version field version [3:0] may be parsed first, and then the key index field key-index [1:0], the Padding-length field Padding-length [3:0], the reserved field rsv [5:0], and the protocol field dport [15:0] may be parsed in sequence according to the preset encryption header format indicated by the version field.
In an embodiment, when the field value of the key field is the key, after the key field is parsed, the key obtained by parsing may be used to decrypt the encryption result spliced at the tail of the encryption header in the session layer packet, so as to obtain the tunnel packet.
In another embodiment, in a case that the key field is a key index field and the field value of the key field is a target key index, the method provided in this embodiment may further include: determining the key according to the target key index and the correspondence between different key indexes and keys, so that the determined key can be used to decrypt the encryption result spliced after the encryption header in the session layer packet to obtain the tunnel packet. The correspondence between the different key indexes and the keys may be carried in the configuration information for the second virtual machine and sent to the second virtual machine.
In an embodiment, when the fields of the encryption header further include a padding length field, the second virtual machine needs to decrypt the encryption result based on the length of the padding bytes indicated by the padding length field. Based on this, step 73 may specifically include: decrypting, using the key and taking the preset byte length as the unit, the encryption result spliced after the encryption header in the session layer packet according to the length of the padding bytes, to obtain the tunnel packet. It should be noted that, for the implementation of decrypting the encryption result in units of the preset byte length using the key based on the padding byte length, reference may be made to the detailed description in the related art, and details are not repeated here.
In an embodiment, in a case that the fields of the encryption header do not include a protocol field, the method provided in this embodiment may further include: decapsulating the tunnel packet according to a default tunnel protocol to obtain the inner layer packet carried in the tunnel packet.
In another embodiment, in a case that the fields of the encryption header further include a protocol field, the method provided in this embodiment may further include: decapsulating the tunnel packet according to the tunnel protocol indicated by the field value of the protocol field to obtain the inner layer packet carried in the tunnel packet.
According to the decryption method of the cloud network provided in this embodiment, the transport layer packet sent by the first virtual machine is obtained; for the session layer packet carried in the transport layer packet, the encryption header located at the head of the session layer packet is parsed according to the preset encryption header format to obtain the fields of the encryption header, which include a key field whose field value is used to indicate a key; and the encryption result spliced after the encryption header in the session layer packet is decrypted using the key to obtain the tunnel packet. In this way the second virtual machine can decrypt the encrypted tunnel packet, which improves the security of tunnel communication between the virtual machines. In addition, because the encryption header is located in front of the encryption result, the second computing node can decrypt the encryption result in the course of obtaining it, which facilitates a hardware implementation in the scenario where decryption is performed in hardware.
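As an added illustration of both the sender-side framing described for fig. 5 and fig. 6 (padding, encryption with an indexed key, SEC-Head, UDP header with the preset port 9000) and the receiver-side parsing and decryption of fig. 7, the following Python was written for this page and is not the patent's or the applicant's own code. It assumes that SEC-Head is one 32-bit big-endian word holding version[3:0], key-index[1:0], padding-length[3:0], rsv[5:0] and dport[15:0] in that order (fig. 6 is not reproduced here, so the bit layout is an assumption), that the protocol field dport carries the tunnel protocol's UDP port, that the preset byte length is 16, and that version value 1 denotes this format. The cipher is a labelled stand-in because the page does not specify one; the key table, port numbers and sample packets are constructed.

```python
# Added example (not the patent's code). Assumptions: SEC-Head is one 32-bit
# big-endian word laid out as version[3:0] | key-index[1:0] |
# padding-length[3:0] | rsv[5:0] | dport[15:0]; dport carries the tunnel
# protocol's UDP port; the cipher below is a labelled stand-in.
import hashlib
import hmac
import struct

BLOCK = 16        # assumed "preset byte length": one cipher block
ENC_PORT = 9000   # preset UDP destination port marking an encrypted payload
VERSION = 1       # assumed version value identifying this header format

# Constructed key table (key index -> key). The page says the index-to-key
# correspondence reaches the second virtual machine as configuration.
KEY_TABLE = {
    0: hashlib.sha256(b"example-key-0").digest()[:16],
    1: hashlib.sha256(b"example-key-1").digest()[:16],
    2: hashlib.sha256(b"example-key-2").digest()[:16],
}


def pack_sec_head(version, key_index, pad_len, dport, rsv=0):
    """Encode SEC-Head; reject values that do not fit their bit widths."""
    if not (0 <= version < 16 and 0 <= key_index < 4 and 0 <= pad_len < 16
            and 0 <= rsv < 64 and 0 <= dport < 65536):
        raise ValueError("field value out of range for its bit width")
    word = (version << 28) | (key_index << 26) | (pad_len << 22) | (rsv << 16) | dport
    return struct.pack("!I", word)


def unpack_sec_head(buf):
    """Parse the version field first, then the remaining fields in the order
    that version selects; returns (fields, bytes after the header)."""
    if len(buf) < 4:
        raise ValueError("truncated encryption header")
    (word,) = struct.unpack("!I", buf[:4])
    version = word >> 28
    if version != VERSION:
        raise ValueError(f"unsupported encryption header version {version}")
    fields = {
        "version": version,
        "key_index": (word >> 26) & 0x3,
        "pad_len": (word >> 22) & 0xF,
        "rsv": (word >> 16) & 0x3F,
        "dport": word & 0xFFFF,
    }
    return fields, buf[4:]


def _block_xor(key, data):
    """Stand-in for the unspecified block cipher: XOR each BLOCK-sized chunk
    with an HMAC-SHA256-derived keystream block. Only the framing (padding,
    key index, header) is the point of this example."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def build_udp(sport, dport, payload):
    """Minimal UDP header (checksum 0 = not computed) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def encrypt_tunnel_packet(tunnel_pkt, key_index, tunnel_dport):
    """First virtual machine: pad to BLOCK, encrypt with the indexed key,
    prepend SEC-Head, then prepend a UDP header with destination ENC_PORT."""
    if key_index not in KEY_TABLE:
        raise ValueError("key index not supported by the peer")
    pad_len = (-len(tunnel_pkt)) % BLOCK
    ciphertext = _block_xor(KEY_TABLE[key_index], tunnel_pkt + b"\x00" * pad_len)
    session = pack_sec_head(VERSION, key_index, pad_len, tunnel_dport) + ciphertext
    return build_udp(40000, ENC_PORT, session)


def decrypt_transport_packet(transport_pkt):
    """Second virtual machine: demultiplex on the UDP destination port, parse
    SEC-Head, resolve the key by index, decrypt, strip padding. Returns
    (tunnel_pkt, tunnel_dport), or None when the datagram is not marked encrypted."""
    if len(transport_pkt) < 8:
        raise ValueError("truncated UDP header")
    _sport, dport, length, _csum = struct.unpack("!HHHH", transport_pkt[:8])
    if dport != ENC_PORT:
        return None                      # plain tunnel traffic: nothing to decrypt
    if length != len(transport_pkt):
        raise ValueError("UDP length field does not match datagram")
    hdr, ciphertext = unpack_sec_head(transport_pkt[8:])
    if hdr["key_index"] not in KEY_TABLE:
        raise ValueError("unknown key index")
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    plain = _block_xor(KEY_TABLE[hdr["key_index"]], ciphertext)
    return plain[:len(plain) - hdr["pad_len"]], hdr["dport"]
```

Parsing the version field before anything else is what lets the receiver reject an unknown header format without interpreting the remaining bits, and checking the UDP length and the block alignment before decrypting guards against truncated datagrams; the sender's key-index check mirrors the page's requirement that the index be one supported by the second virtual machine.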
Fig. 8 is a schematic structural diagram of an encryption apparatus of a cloud network according to an embodiment of the present application; referring to fig. 8, the present embodiment provides an apparatus, which may perform the method provided in the embodiment shown in fig. 4, and specifically, the apparatus may include:
the encryption module 81 is configured to encrypt, using a key, the tunnel packet obtained through tunnel encapsulation and to be sent to the second virtual machine, to obtain an encryption result;
a session layer module 82, configured to generate, according to a preset encryption header format, an encryption header conforming to that format for the encryption result, and splice the encryption header to the front of the encryption result to obtain a session layer packet; the fields of the encryption header comprise a key field, and a field value of the key field is used to indicate the key;
and the transport layer module 83 is configured to splice a transport layer protocol header generated for the tunnel packet to the front of the session layer packet to obtain a transport layer packet, and send the transport layer packet to the second virtual machine.
In one embodiment, in the case that the transport layer protocol header is a UDP header, the transport layer module 83 is further configured to: set the port number of the destination port in the transport layer protocol header to a preset port number, where the preset port number is used to indicate that the session layer packet is an encrypted packet.
In one embodiment, the encryption module 81 is further configured to: determining a target key index required to be used for encrypted communication with the second virtual machine from at least one key index supported by the second virtual machine; determining the key according to the target key index and the corresponding relation between different key indexes and keys; the field value of the key field is the target key index.
In one embodiment, the encryption module 81 is further configured to: determining that a preset encryption header format is required to be used for encrypted communication with the second virtual machine from at least one encryption header format supported by the second virtual machine; the fields of the encryption header further comprise a version field, wherein the version field is the first field of the encryption header, and the field value of the version field is used for indicating the preset encryption header format.
In one embodiment, the encryption module 81 is specifically configured to: encrypt, using a key and taking a preset byte length as the unit, the tunnel packet obtained by tunnel encapsulation that the first virtual machine is to send to the second virtual machine, to obtain an encryption result; the fields of the encryption header further include a padding length field, and a field value of the padding length field indicates the length of the padding bytes used for encryption.
In one embodiment, the encryption module 81 is further configured to: determining a tunnel protocol adopted by the tunnel message; the fields of the encryption header further include a protocol field, and a field value of the protocol field is used to indicate the tunneling protocol.
The apparatus shown in fig. 8 can execute the method provided by the embodiment shown in fig. 4, and reference may be made to the related description of the embodiment shown in fig. 4 for a part of this embodiment that is not described in detail. The implementation process and technical effect of the technical solution refer to the description in the embodiment shown in fig. 4, and are not described herein again.
In one possible implementation, the structure of the apparatus shown in FIG. 8 may be implemented as a compute node. As shown in fig. 9, the computing node may include: a processor 91 and a memory 92. Wherein the memory 92 is used for storing a program for supporting the computing node to execute the method provided by the embodiment shown in fig. 4, and the processor 91 is configured for executing the program stored in the memory 92.
The program comprises one or more computer instructions which, when executed by the processor 91, are capable of performing the steps of:
encrypting, using a key, the tunnel packet obtained by tunnel encapsulation and to be sent to a second virtual machine, to obtain an encryption result;
generating, according to a preset encryption header format, an encryption header conforming to that format for the encryption result, and splicing the encryption header to the front of the encryption result to obtain a session layer packet; the fields of the encryption header comprise a key field, and a field value of the key field is used to indicate the key;
and splicing a transport layer protocol header generated for the tunnel packet to the front of the session layer packet to obtain a transport layer packet, and sending the transport layer packet to the second virtual machine.
Optionally, the processor 91 is further configured to perform all or part of the steps in the foregoing embodiment shown in fig. 4.
The structure of the computing node may further include a communication interface 93, which is used for the computing node to communicate with other devices or a communication network.
Fig. 10 is a schematic structural diagram of a decryption apparatus of a cloud network according to another embodiment of the present application; referring to fig. 10, the present embodiment provides an apparatus that can perform the method provided in the embodiment shown in fig. 7, and specifically, the apparatus may include:
an obtaining module 101, configured to obtain a transport layer packet sent by a first virtual machine;
a parsing module 102, configured to parse, for the session layer packet carried in the transport layer packet, an encryption header located at the head of the session layer packet according to a preset encryption header format, so as to obtain the fields of the encryption header, where the fields of the encryption header include a key field, and a field value of the key field is used to indicate a key;
and the decryption module 103 is configured to decrypt, using the key, the encryption result spliced after the encryption header in the session layer packet, so as to obtain a tunnel packet.
In one embodiment, the parsing module 102 is specifically configured to: parse the transport layer protocol header to obtain the port number of the destination port in the transport layer protocol header; and, when the port number of the destination port is a preset port number, parse the encryption header located at the head of the session layer packet according to the preset encryption header format, where the preset port number is used to indicate that the session layer packet is an encrypted packet.
In one embodiment, the field value of the key field is a target key index; the decryption module 103 is further configured to: determine the key according to the target key index and the correspondence between different key indexes and keys.
In one embodiment, the fields of the encryption header further include a version field, the version field is the first field of the encryption header, and a field value of the version field is used to indicate the preset encryption header format; the parsing module 102 is specifically configured to: starting from the head of the session layer packet, parse the version field first, and then sequentially parse the other fields of the encryption header according to the preset encryption header format indicated by the field value of the version field.
In one embodiment, the fields of the encryption header further comprise a padding length field, and the field value of the padding length field is used to indicate the length of the padding bytes used for encryption; the decryption module 103 is specifically configured to: decrypt, using the key and taking the preset byte length as the unit, the encryption result spliced after the encryption header in the session layer packet according to the length of the padding bytes, to obtain a tunnel packet.
In one embodiment, the fields of the encryption header further comprise a protocol field, and a field value of the protocol field is used to indicate the tunneling protocol; the apparatus further comprises a decapsulation module configured to: decapsulate the tunnel packet according to the tunneling protocol to obtain the inner layer packet carried in the tunnel packet.
The apparatus shown in fig. 10 can execute the method provided by the embodiment shown in fig. 7, and reference may be made to the related description of the embodiment shown in fig. 7 for a part not described in detail in this embodiment. The implementation process and technical effect of the technical solution are described in the embodiment shown in fig. 7, and are not described herein again.
In one possible implementation, the structure of the apparatus shown in FIG. 10 may be implemented as a compute node. As shown in fig. 11, the computing node may include: a processor 111 and a memory 112. Wherein the memory 112 is used for storing programs that support the computing node to execute the method provided by the embodiment shown in fig. 7, and the processor 111 is configured for executing the programs stored in the memory 112.
The program comprises one or more computer instructions which, when executed by the processor 91, are capable of performing the steps of:
acquiring a transport layer packet sent by a first virtual machine;
parsing, for the session layer packet carried in the transport layer packet, an encryption header located at the head of the session layer packet according to a preset encryption header format so as to obtain the fields of the encryption header, where the fields of the encryption header comprise a key field, and the field value of the key field is used to indicate a key;
and decrypting, using the key, the encryption result spliced after the encryption header in the session layer packet to obtain a tunnel packet.
Optionally, the processor 111 is further configured to perform all or part of the steps in the foregoing embodiment shown in fig. 7.
The structure of the computing node may further include a communication interface 113, which is used for the computing node to communicate with other devices or communication networks.
In addition, an embodiment of the present application further provides a cloud network system, including: a first computing node for performing the method provided by the embodiment shown in fig. 4, and a second computing node for performing the method provided by the embodiment shown in fig. 7.
The embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed, the method provided in the embodiment shown in fig. 4 is implemented.
The embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed, the method provided in the embodiment shown in fig. 7 is implemented.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement such a technique without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by adding a necessary general hardware platform, and of course, can also be implemented by a combination of hardware and software. With this understanding in mind, the above-described technical solutions and/or portions thereof that contribute to the prior art may be embodied in the form of a computer program product, which may be embodied on one or more computer-usable storage media having computer-usable program code embodied therein (including but not limited to disk storage, CD-ROM, optical storage, etc.).
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (11)

1. An encryption method for a cloud network comprising a first virtual machine and a second virtual machine running on different computing nodes, the method being applied to the first virtual machine, the method comprising:
encrypting, using a key, the tunnel packet obtained by tunnel encapsulation and to be sent to the second virtual machine, to obtain an encryption result;
generating, according to a preset encryption header format, an encryption header conforming to that format for the encryption result, and splicing the encryption header to the front of the encryption result to obtain a session layer packet; the fields of the encryption header comprise a key field, and a field value of the key field is used to indicate the key;
and splicing a transport layer protocol header generated for the tunnel packet to the front of the session layer packet to obtain a transport layer packet, and sending the transport layer packet to the second virtual machine.
2. The method of claim 1, wherein in a case that the transport layer protocol header is a User Datagram Protocol (UDP) header, the method further comprises: setting the port number of the destination port in the transport layer protocol header to a preset port number, wherein the preset port number is used to indicate that the session layer packet is an encrypted packet.
3. The method of claim 1, further comprising:
determining a target key index required to be used for encrypted communication with the second virtual machine from at least one key index supported by the second virtual machine;
determining the key according to the target key index and the corresponding relation between different key indexes and keys; the field value of the key field is the target key index.
4. The method according to any one of claims 1-3, further comprising:
determining that a preset encryption header format is required to be used for encrypted communication with the second virtual machine from at least one encryption header format supported by the second virtual machine; the fields of the encryption header further comprise a version field, wherein the version field is the first field of the encryption header, and the field value of the version field is used for indicating the preset encryption header format.
5. A decryption method for a cloud network comprising a first virtual machine and a second virtual machine running on different computing nodes, the method being applied to the second virtual machine, the method comprising:
acquiring a transport layer packet sent by the first virtual machine;
parsing, for the session layer packet carried in the transport layer packet, an encryption header located at the head of the session layer packet according to a preset encryption header format so as to obtain the fields of the encryption header, wherein the fields of the encryption header comprise a key field, and the field value of the key field is used to indicate a key;
and decrypting, using the key, the encryption result spliced after the encryption header in the session layer packet to obtain a tunnel packet.
6. The method according to claim 5, wherein, in a case that the transport layer protocol header carried in the transport layer packet is a User Datagram Protocol (UDP) header, the parsing, according to a preset encryption header format, of the encryption header located at the head of the session layer packet comprises:
parsing the transport layer protocol header to obtain the port number of the destination port in the transport layer protocol header;
and, when the port number of the destination port is a preset port number, parsing the encryption header located at the head of the session layer packet according to the preset encryption header format, wherein the preset port number is used to indicate that the session layer packet is an encrypted packet.
7. The method of claim 5, wherein the field value of the key field is a target key index; the method further comprises the following steps: and determining the key according to the target key index and the corresponding relation between different key indexes and keys.
8. The method according to any one of claims 5 to 7, wherein the fields of the encryption header further comprise a version field, the version field being the first field of the encryption header, and the field value of the version field being used to indicate the preset encryption header format;
parsing the encryption header located at the head of the session layer message according to the preset encryption header format comprises: starting from the head of the session layer message, parsing the version field, and then sequentially parsing the other fields of the encryption header, apart from the version field, according to the preset encryption header format indicated by the field value of the version field.
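The receiving-side procedure of claims 5 to 8 (port check, version field first, key looked up by index, payload decrypted) as an added example in Go; this is not the patent's code. The header layout, the AES-GCM cipher, the port number 40000 and the key table contents are assumptions, since the claims fix none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Assumed preset header layout (the patent fixes no widths or cipher): version (1 byte) |
// key index (2, big-endian) | nonce (12), then the AES-GCM ciphertext of the tunnel message.
// The header is GCM associated data, so a tampered version or key index fails authentication.
const (
	encPort  uint16 = 40000 // hypothetical preset UDP destination port for encrypted sessions
	version1 byte   = 1
	hdrLen          = 1 + 2 + 12
)

type KeyTable map[uint16][]byte // correspondence between key indexes and keys (claim 7)

func (kt KeyTable) aead(idx uint16) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kt[idx]) // an unknown index yields a nil key, rejected here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal builds the session-layer message sent by the first VM: encryption header || ciphertext.
func Seal(keys KeyTable, idx uint16, nonce, tunnelMsg []byte) ([]byte, error) {
	aead, err := keys.aead(idx)
	if err != nil || len(nonce) != hdrLen-3 {
		return nil, errors.New("unknown key index or wrong nonce length")
	}
	hdr := append([]byte{version1, byte(idx >> 8), byte(idx)}, nonce...)
	return aead.Seal(hdr, nonce, tunnelMsg, hdr), nil
}

// Open is the second VM's side (claims 5, 6, 8): preset port check, version field first, then key lookup and decryption.
func Open(keys KeyTable, dstPort uint16, sess []byte) ([]byte, error) {
	if dstPort != encPort {
		return nil, errors.New("not an encrypted session message: unexpected port")
	}
	if len(sess) < hdrLen || sess[0] != version1 {
		return nil, errors.New("bad encryption header length or version")
	}
	aead, err := keys.aead(uint16(sess[1])<<8 | uint16(sess[2]))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sess[3:hdrLen], sess[hdrLen:], sess[:hdrLen])
}
```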
9. A computing node, comprising: a memory and a processor; wherein the memory is configured to store one or more computer instructions, and the one or more computer instructions, when executed by the processor, implement the method of any one of claims 1 to 8.
10. A cloud network system, comprising: a first computing node for performing the method of any one of claims 1 to 4, and a second computing node for performing the method of any one of claims 5 to 8.
11. A computer-readable storage medium having stored thereon a computer program which, when executed, implements the method of any one of claims 1 to 8.
CN202210306831.6A 2022-03-25 2022-03-25 Encryption and decryption methods and devices of cloud network, computing node and system Pending CN114826672A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210306831.6A CN114826672A (en) 2022-03-25 2022-03-25 Encryption and decryption methods and devices of cloud network, computing node and system

Publications (1)

Publication Number Publication Date
CN114826672A true CN114826672A (en) 2022-07-29

Family

ID=82530058

Country Status (1)

Country Link
CN (1) CN114826672A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941600A (en) * 2023-03-14 2023-04-07 鹏城实验室 Message distribution method, system and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080205643A1 (en) * 2007-02-28 2008-08-28 General Instrument Corporation Method and Apparatus for Distribution and Synchronization of Cryptographic Context Information
CN103618596A (en) * 2013-05-15 2014-03-05 盛科网络(苏州)有限公司 Encryption method for inner layer information in VXLAN (Virtual Extensible Local Area Net) tunnel
CN105940644A (en) * 2013-12-02 2016-09-14 阿卡麦科技公司 Virtual private network (VPN)-as-a-service with delivery optimizations while maintaining end-to-end data security
CN108028748A (en) * 2016-02-27 2018-05-11 华为技术有限公司 Method, device and system for processing VXLAN messages
CN109525477A (en) * 2018-09-30 2019-03-26 华为技术有限公司 Communication method, device and system between virtual machines in a data center

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination