A macsec key update method and device

A key update technology and network equipment, applied in the field of communication networks, that addresses threats to data transmission security and the inability to guarantee network security, improving the timeliness of key updates and thereby ensuring network security.

Active Publication Date: 2017-08-22
NEW H3C TECH CO LTD

AI Technical Summary

Problems solved by technology

During data transmission, if a SecY is attacked with illegal packets, data transmission security is threatened. Under the MACsec key update scheme of the existing standard protocol, even when a SecY detects an attack it does not change the key immediately, so network security cannot be guaranteed at the earliest possible moment.


Embodiment 1

[0069] Embodiment 1: the MACsec key update process when the network device under attack is network device A. In this embodiment it is assumed that, when the attack occurs, the SA of each network device is SA0, the corresponding SAK is SAK1, and the corresponding AN is AN0.

[0070] In this embodiment the network device under attack is the KEY SERVER (that is, device A), and the MACsec key update process includes the following steps:

[0071] The KEY SERVER (device A) generates SAK1 and the corresponding AN1, and notifies the non-KEY SERVERs in the CA (device B and device C) of SAK1 and the corresponding AN1.

[0072] Usually, to keep data transmission running, an SC can contain multiple SAs, up to 4, whose ANs are AN0, AN1, AN2 and AN3 respectively. When the network device is working normally, usually only one SA is valid. When a network attack occurs, or the link of the current transmission channel fails, the current SA can be switched to another SA. In the embodiment of the present ...

Embodiment 2

[0098] Embodiment 2: the MACsec key update process when the network device under attack is not a KEY SERVER.

[0099] The difference between Embodiment 2 and Embodiment 1 is that, after the network device under attack determines that it is not the KEY SERVER, it must notify the KEY SERVER so that the KEY SERVER can issue a new key.

[0100] Specifically, if the network device under attack judges that it is a non-KEY SERVER, it notifies the KEY SERVER through an existing protocol message: it sets the Lowest Acceptable PN (minimum acceptable PN value) field of the Keep alive message directly to 0xC0000000 and sends the message to the KEY SERVER. The KEY SERVER receives the Keep alive message and parses out the PN it carries. If the PN value is judged to be 0xC0000000, the KEY SERVER knows that the non-KEY SERVER has been attacked, which triggers the operation of generating and issuing a new key.

[0101] It should be noted that the non-KEY...
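The following is an added simulation of the update scheme described in paragraph [0072] and in Embodiments 1 and 2; it is example code written for this page, not the patent's or H3C's implementation. It keeps the two facts the page states (an SC carries at most four SAs, AN0 to AN3, and a non-KEY SERVER signals an attack by placing 0xC0000000 in the Lowest Acceptable PN field of its Keep alive message) and assumes everything else: the 128-bit SAK length, the in-memory message and device classes, and that the KEY SERVER advances to the next AN on each update.

```python
import secrets
from dataclasses import dataclass, field

# Constructed simulation of the key-update scheme of Embodiments 1 and 2.
# This value is the one the page names: a non-KEY SERVER under attack puts it
# in the Lowest Acceptable PN field of its Keep alive message.
ATTACK_SIGNAL_PN = 0xC0000000

# An SC carries at most 4 SAs, identified by AN0..AN3 (paragraph [0072]).
MAX_SAS_PER_SC = 4
SAK_LEN_BYTES = 16  # 128-bit SAK; the key length is an assumption of this example


@dataclass
class KeepAlive:
    """Constructed stand-in for the protocol Keep alive message."""
    sender: str
    lowest_acceptable_pn: int


@dataclass
class Device:
    """One SecY in the CA: the SAs it has installed and the AN currently in use."""
    name: str
    is_key_server: bool
    current_an: int = 0
    sas: dict = field(default_factory=dict)  # AN -> SAK

    def install_sa(self, an: int, sak: bytes) -> None:
        self.sas[an] = sak
        self.current_an = an


class ConnectivityAssociation:
    """One KEY SERVER plus the non-KEY SERVER members; every device starts on AN0."""

    def __init__(self, key_server: Device, members: list):
        self.key_server = key_server
        self.members = list(members)
        initial_sak = secrets.token_bytes(SAK_LEN_BYTES)
        for dev in self.all_devices():
            dev.install_sa(0, initial_sak)
        self.rotations = 0  # number of SAK updates the KEY SERVER has issued

    def all_devices(self):
        return [self.key_server] + self.members

    def issue_new_sak(self):
        """KEY SERVER generates a fresh SAK under the next AN and pushes it to all members."""
        next_an = (self.key_server.current_an + 1) % MAX_SAS_PER_SC
        sak = secrets.token_bytes(SAK_LEN_BYTES)
        for dev in self.all_devices():
            dev.install_sa(next_an, sak)
        self.rotations += 1
        return next_an, sak

    def key_server_receive(self, msg: KeepAlive):
        """KEY SERVER side of Embodiment 2: a Keep alive whose Lowest Acceptable PN
        equals the signal value means the sender was attacked, so a new SAK is issued.
        Any other PN is ordinary keep-alive traffic and triggers nothing."""
        if msg.lowest_acceptable_pn == ATTACK_SIGNAL_PN:
            return self.issue_new_sak()
        return None

    def on_attack_detected(self, device: Device):
        """Entry point for the device that detected illegal packets.
        Embodiment 1: the KEY SERVER itself rotates the key immediately.
        Embodiment 2: a non-KEY SERVER signals the KEY SERVER through the PN field."""
        if device.is_key_server:
            return self.issue_new_sak()
        signal = KeepAlive(sender=device.name, lowest_acceptable_pn=ATTACK_SIGNAL_PN)
        return self.key_server_receive(signal)


def all_members_share_sak(ca: ConnectivityAssociation, an: int) -> bool:
    """True when every device in the CA holds the same SAK under the given AN."""
    saks = {dev.sas.get(an) for dev in ca.all_devices()}
    return len(saks) == 1 and None not in saks


if __name__ == "__main__":
    a = Device("A", is_key_server=True)
    b = Device("B", is_key_server=False)
    c = Device("C", is_key_server=False)
    ca = ConnectivityAssociation(a, [b, c])
    an, _ = ca.on_attack_detected(b)  # Embodiment 2 path
    print(f"attack on B: CA moved to AN{an}, shared={all_members_share_sak(ca, an)}")
    an, _ = ca.on_attack_detected(a)  # Embodiment 1 path
    print(f"attack on A: CA moved to AN{an}, shared={all_members_share_sak(ca, an)}")
```

The point a defender should take from the simulation is the asymmetry the two embodiments create: only the KEY SERVER ever generates a SAK, so the non-KEY SERVER's entire contribution is a single distinguished PN value, and the KEY SERVER must compare that field on every Keep alive it receives rather than only when it decides to rotate on its own schedule.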

Abstract

The invention discloses a method and device for updating a MACsec key, applied to a connectivity association (CA) that includes multiple network devices. In the embodiment of the invention, after a network device detects an attack it generates and issues a new SAK, or triggers the network device acting as the key server to generate and issue a new SAK. The SAK in use by the CA can thus be replaced promptly once a network device in the CA detects that it is under attack, improving the timeliness of MACsec key updates and maximizing the guarantee of network security.

Description

Technical field

[0001] The invention relates to the technical field of communication networks, in particular to a MACsec key update method and equipment.

Background technique

[0002] MACsec (Media Access Control Security) technology is used to protect Layer 2 communication security, prevent Layer 2 attacks, and meet the security requirements of data transmission on Ethernet. MACsec defines a security infrastructure that provides data confidentiality and integrity as well as data source verification. By confirming the data source, MACsec can mitigate attacks on Layer 2 protocols.

[0003] A CA (Connectivity Association) is composed of multiple SecYs (MAC Security Entities) that implement MACsec functions, and MKA (MACsec Key Agreement protocol) is responsible for the discovery, authentication, and authorization of SecYs. The CA has the same CAK (CA key), and each SecY uses the same...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/08, H04L29/06
Inventor 彭剑远
Owner NEW H3C TECH CO LTD