Communication method and apparatus
By establishing a DTLS connection between the DHCP relay and the DHCP server and encrypting DHCP protocol messages, the problems of complex IPSec configuration and high performance consumption are solved, and secure and reliable DHCP communication is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NEW H3C TECH CO LTD
- Filing Date
- 2025-03-21
- Publication Date
- 2026-07-03
AI Technical Summary
The existing IPSec encryption configuration between DHCP relays and servers is complex, difficult to maintain, and consumes a lot of resources. Furthermore, it requires reconfiguration when the IP address of network devices changes, resulting in significant latency.
By establishing DTLS connections between DHCP relays and DHCP servers, and between DHCP relays themselves, the keys corresponding to the DTLS connections are used to encrypt DHCP protocol messages, preventing messages from being eavesdropped on and tampered with, and reducing the configuration complexity of IPSec encryption.
It achieves secure encryption between DHCP relay and DHCP server, reduces configuration complexity and hardware and maintenance costs, and reduces performance consumption.
Smart Images

Figure CN120128400B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of communication technology, and in particular to a communication method and apparatus. Background Technology
[0002] Dynamic Host Configuration Protocol (DHCP) uses a client / server model, where the server dynamically assigns IP addresses and other network configuration parameters to network devices. DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for IPv6 addressing schemes and is used to assign IPv6 prefixes, IPv6 addresses, and other network configuration parameters to hosts.
[0003] When the server and client are not within the same link range, they cannot communicate directly and need to use a DHCP relay to forward messages. Deploying a DHCP relay avoids deploying a DHCP server for every link range, saving costs and facilitating centralized management.
[0004] Given recent concerns about widespread surveillance and other attacks (RFC 7258), the existing RFC 8213 protocol specifies optional requirements for supporting IPsec authentication and encryption between relays and servers, and recommends that operators use IPsec to encrypt and protect the communication messages between relays and servers. However, IPsec configuration is relatively complex, requiring the definition of security policies, security associations (SAs), encryption algorithms, authentication mechanisms, and other aspects. Especially in large networks, configuring and managing multiple IPsec tunnels increases the difficulty of operation and maintenance; secondly, if the IP address of a network device changes, it is necessary to reconfigure or negotiate the SA; finally, IPsec encryption has a large overhead and consumes significant performance, resulting in greater latency. Summary of the Invention
[0005] In view of this, this application provides a communication method and apparatus to provide a better protection for message encryption between DHCP relays and DHCP servers, and between DHCP relays.
[0006] In a first aspect, this application provides a communication method applied to a first DHCP relay, wherein the DHCP relay has established a first DTLS connection with a first network device, the method comprising:
[0007] Receive the first DHCP protocol message;
[0008] Through the first DTLS connection, a second DHCP protocol message is sent to the first network device. The second DHCP protocol message is obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message according to the first key corresponding to the first DTLS connection.
[0009] If a third DHCP protocol message is received from the first network device and the third DHCP protocol message is an encrypted message, then the third DHCP protocol message is decrypted according to the first key, and the decrypted third DHCP protocol message is verified.
[0010] If the verification passes, a fourth DHCP protocol message is sent to the second network device;
[0011] The first network device is either a DHCP server or a second DHCP relay; the second network device is either a DHCP client or a third DHCP relay.
[0012] Secondly, this application provides a communication method applied to a DHCP server, wherein the DHCP server has established a DTLS connection with a DHCP relay, the method comprising:
[0013] The first DHCP protocol message sent by the DHCP relay is received through the DTLS connection.
[0014] If the first DHCP protocol message is an encrypted message, then the first DHCP protocol message is decrypted according to the key corresponding to the DTLS connection, and the decrypted first DHCP protocol message is verified.
[0015] If the verification passes and the decrypted first DHCP protocol message is a first type message, then a second DHCP protocol message is generated.
[0016] The second DHCP protocol message is encrypted using the key to obtain the third DHCP protocol message;
[0017] The third DHCP protocol message is sent to the DHCP relay via the DTLS connection.
[0018] Thirdly, this application provides a communication device applied to a first DHCP relay, wherein the DHCP relay has established a first DTLS connection with a first network device, and the method includes:
[0019] The receiving unit is used to receive the first DHCP protocol message;
[0020] The sending unit is configured to send a second DHCP protocol message to the first network device through the first DTLS connection. The second DHCP protocol message is obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message with the first key corresponding to the first DTLS connection.
[0021] The verification unit is configured to, if the receiving unit receives a third DHCP protocol message sent by the first network device and the third DHCP protocol message is an encrypted message, decrypt the third DHCP protocol message according to the first key and verify the decrypted third DHCP protocol message.
[0022] The sending unit is further configured to send a fourth DHCP protocol message to the second network device if the verification passes.
[0023] The first network device is either a DHCP server or a second DHCP relay; the second network device is either a DHCP client or a third DHCP relay.
[0024] Fourthly, this application provides a communication device applied to a DHCP server, wherein the DHCP server has established a DTLS connection with a DHCP relay, and the method includes:
[0025] The receiving unit is configured to receive the first DHCP protocol message sent by the DHCP relay via the DTLS connection;
[0026] The verification unit is used to decrypt the first DHCP protocol message according to the key corresponding to the DTLS connection if the first DHCP protocol message is an encrypted message, and to verify the decrypted first DHCP protocol message.
[0027] The generation unit is used to generate a second DHCP protocol message if the verification passes and the decrypted first DHCP protocol message is a first type message.
[0028] An encryption unit is used to encrypt the second DHCP protocol message according to the key to obtain a third DHCP protocol message;
[0029] The sending unit is configured to send the third DHCP protocol message to the DHCP relay via the DTLS connection.
[0030] Fifthly, this application provides a network device including a processor and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, which in turn cause the processor to perform the method provided in the first aspect of this application.
[0031] In a sixth aspect, this application provides a network device including a processor and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, which in turn cause the processor to perform the method provided in the second aspect of this application.
[0032] Therefore, using the communication method and apparatus provided in this application, the first DHCP relay receives a first DHCP protocol message; through a first DTLS connection, the first DHCP relay sends a second DHCP protocol message to a first network device, the second DHCP protocol message being obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message using the first key corresponding to the first DTLS connection; if a third DHCP protocol message is received from the first network device and the third DHCP protocol message is an encrypted message, the first DHCP relay decrypts the third DHCP protocol message according to the first key and verifies the decrypted third DHCP protocol message; if the verification passes, the first DHCP relay sends a fourth DHCP protocol message to the second network device; wherein, the first network device is a DHCP server or a second DHCP relay; the second network device is a DHCP client or a third DHCP relay.
[0033] In this way, by using the DTLS connections established between DHCP relays and between DHCP relays and DHCP servers, and by using the keys corresponding to the DTLS connections to encrypt the messages between DHCP relays and between DHCP relays and DHCP servers, the message transmission is prevented from being eavesdropped on or tampered with; the configuration complexity of IPSec encryption is reduced; the encryption of the DHCP protocol part is focused, resulting in less overhead; and the hardware and maintenance costs are lower. Attached Figure Description
[0034] Figure 1 A flowchart illustrating a communication method provided in an embodiment of this application;
[0035] Figure 2 A flowchart illustrating another communication method provided in an embodiment of this application;
[0036] Figure 3 A structural diagram of a communication device provided in an embodiment of this application;
[0037] Figure 4 A structural diagram of a communication device provided in an embodiment of this application;
[0038] Figure 5 The network device hardware structure provided in the embodiments of this application. Detailed Implementation
[0039] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numerals in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
[0040] The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The singular forms “a,” “the,” and “the” used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any or all possible combinations of one or more of the corresponding listed items.
[0041] It should be understood that although the terms first, second, third, etc., may be used in this application to describe various information, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when," "when," or "in response to determination."
[0042] The communication method provided in the embodiments of this application will be described in detail below. See also... Figure 1 , Figure 1 This is a flowchart illustrating a communication method provided in an embodiment of this application. The method is applied to a first DHCP relay, which is located between a DHCP client and a DHCP server. The communication method provided in this embodiment may include the following steps.
[0043] Step 110: Receive the first DHCP protocol message;
[0044] Specifically, the first DHCP relay receives the first DHCP protocol message. This first DHCP protocol message can be sent by the DHCP client or by the DHCP relay (e.g., the third DHCP relay, where "third" is used to distinguish it from subsequent "second" DHCP relays).
[0045] In this embodiment, the DHCP client may specifically be a Dynamic Host Configuration Protocol for IPv4 (DHCPv4) client or a DHCPv6 client.
[0046] When the DHCP client is a DHCPv4 client, the first DHCP relay is specifically a DHCPv4 relay. In one networking mode, there is one DHCPv4 relay in the network, that is, the DHCPv4 client connects to the DHCPv4 server through the DHCPv4 relay; in another networking mode, there are multiple DHCPv4 relays in the network, that is, DHCPv4 client, DHCPv4 relay / DHCPv4 relay..., DHCPv4 server, the DHCPv4 client connects to one DHCPv4 relay, and each DHCPv4 relay connects to the DHCPv4 server.
[0047] When the DHCP client is a DHCPv6 client, the first DHCP relay is specifically a DHCPv6 relay. In one networking configuration, there is one DHCPv6 relay in the network, meaning the DHCPv6 client connects to the DHCPv6 server through the DHCPv6 relay. In another networking configuration, there are multiple DHCPv6 relays in the network, meaning there is a DHCPv6 client, DHCPv6 relay / DHCPv6 relay..., and DHCPv6 server. The DHCPv6 client connects to one DHCPv6 relay, and each DHCPv6 relay connects to the DHCPv6 server. In yet another networking configuration, there are two DHCPv6 relays in the network, meaning the DHCPv6 client connects to DHCPv6 relay 1, DHCPv6 relay 1 connects to DHCPv6 relay 2, and DHCPv6 relay 2 connects to the DHCPv6 server.
[0048] The communication schemes described in the embodiments of this application below are applicable to both DHCPv4 (client, relay, server) and DHCPv6 (client, relay, server), and will be referred to as DHCP for ease of description thereafter.
[0049] In this embodiment of the application, the first DHCP relay can receive a first DHCP protocol message sent by a DHCP client, or receive a first DHCP protocol message sent by a third DHCP relay.
[0050] In this embodiment, Datagram Transport Layer Security (DTLS) connections are established and maintained between the DHCP relay and the DHCP server, and between DHCP relays themselves. Specifically, when establishing a DTLS connection between the DHCP relay and the DHCP server, the DHCP relay acts as the DTLS client, and the DHCP server acts as the DTLS server. After configuring DTLS locally, the DHCP relay attempts to establish and maintain a DTLS connection with the DHCP server.
[0051] Similarly, when establishing a DTLS connection between DHCP relays, the upstream DHCP relay acts as the DTLS client, and the downstream DHCP relay acts as the DTLS server. After configuring the DTLS function locally, the upstream DHCP relay attempts to establish and maintain a DTLS connection with the downstream DHCP relay.
[0052] Understandably, during the establishment of a DTLS connection between the two devices, the verification of certificates, negotiation of encryption algorithms, versions, and keys are performed according to the existing DTLS protocol, and will not be repeated here. Therefore, when the first DHCP protocol message is sent by the DHCP client, since no DTLS connection has been established between the DHCP client and the first DHCP relay, the first DHCP protocol message is an unencrypted message.
[0053] When the first DHCP protocol message is sent by the third DHCP relay, since a second DTLS connection has been established between the third DHCP relay and the first DHCP relay, the first DHCP protocol message is an encrypted message. That is, the third DHCP relay encrypts the received DHCP protocol message (here referred to as the original DHCP protocol message, which is sent by the DHCP client to the third DHCP relay, to distinguish it from other DHCP protocol messages) using the key negotiated when establishing the DTLS connection (e.g., the second key) to obtain the first DHCP protocol message.
[0054] It should be noted that when DHCP relay encrypts DHCP protocol messages, it encrypts only the DHCP protocol part of the DHCP protocol message. That is, it encrypts the complete DHCP message (including the DHCP header and option part), but does not encrypt the IP header and UDP header that are encapsulated on the outer layer of the DHCP message.
[0055] In this embodiment, after encrypting the DHCP protocol message, the UDP header of the DHCP relay is set to either port number 50001 or 50002. Here, 50001 indicates DHCPv4 over DTLS, and 50002 indicates DHCPv6 over DTLS.
[0056] Step 120: Send a second DHCP protocol message to the first network device through the first DTLS connection. The second DHCP protocol message is obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message with the first key corresponding to the first DTLS connection.
[0057] Specifically, according to the description of step 110, after receiving the first protocol message, the first DHCP relay continues to forward it to the next hop device.
[0058] In this embodiment, the next-hop device of the first DHCP relay can be a first network device. Specifically, the first network device can be a DHCP server or a second DHCP relay. As described above, a DTLS connection has been established between the DHCP relay and the DHCP server, or between DHCP relays themselves, in accordance with the existing DTLS protocol. Therefore, in this step, the first DHCP relay has established a first DTLS connection with the first network device.
[0059] The first DHCP relay generates a second DHCP protocol message, which is obtained by encrypting the first DHCP protocol message with the first key corresponding to the first DTLS connection.
[0060] In one implementation, when the first DHCP protocol message is sent by the DHCP client, the first DHCP relay encrypts the first DHCP protocol message using a first key to obtain the second DHCP protocol message.
[0061] In another implementation, when the first DHCP protocol message is sent by the third DHCP relay, the first DHCP relay first decrypts the first DHCP protocol message using the second key to obtain the original DHCP protocol message (i.e., the decrypted first DHCP protocol message). The first DHCP relay then encrypts the original DHCP protocol message using the first key to obtain the second DHCP protocol message.
[0062] After receiving the second DHCP protocol message, the first DHCP relay sends the second DHCP protocol message to the first network device through the first DTLS connection.
[0063] Optionally, in this embodiment of the application, after the first DHCP relay sends the second DHCP protocol message to the first network device, the following steps will also be performed.
[0064] Furthermore, after receiving the first DHCP protocol message or decrypting the first DHCP protocol message, the first DHCP relay can identify the type of the first DHCP protocol message or the decrypted first DHCP protocol message.
[0065] After the first DHCP relay sends the second DHCP protocol message, if the first DHCP protocol message or the decrypted first DHCP protocol message is a first type message, then the first DHCP relay starts a timer. The preset time of this timer can be 25 seconds.
[0066] In this embodiment, the first type of message specifically refers to DHCP protocol messages that require a response from the DHCP server. For example, for DHCPv4, the DHCPv4 Discover message and the DHCPv4 Request message are important messages related to the online status of DHCPv4 clients and require a response from the DHCPv4 server.
[0067] For DHCPv6, DHCPv6 Solicit, DHCPv6 Request, DHCPv6 Renew, and DHCPv6Rebind are important messages related to DHCPv6 client going online and require a response from the DHCPv6 server.
[0068] Within a preset time period, the first DHCP relay counts the cumulative number of second DHCP protocol messages sent to the first network device. If the preset time is exceeded and the cumulative number of second DHCP protocol messages sent exceeds a threshold (e.g., 10), the first DHCP relay determines that the first DTLS connection is unavailable and restarts the establishment of a new DTLS connection with the first network device.
[0069] If the preset time is exceeded and the cumulative number does not exceed the threshold, the first DHCP relay restarts the timer and repeats the process of counting the cumulative number of second DHCP protocol messages sent to the first network device within the preset time of the timer. If the preset time is exceeded and the cumulative number exceeds the threshold, the first DTLS connection is determined to be unavailable, and the process of establishing a DTLS connection with the first network device is restarted.
[0070] The aforementioned cumulative number specifically refers to the total number of second DHCP protocol messages sent from the initial start timer to the current start timer.
[0071] In one example, the preset time is 25 seconds, and the threshold number is 10. After the first DHCP relay sends the second DHCP protocol message, it starts timer 1 for the first time to count the number of second DHCP protocol messages sent to the first network device within 25 seconds. If more than 25 seconds have passed and the first DHCP relay has sent 12 second DHCP protocol messages, the first DHCP relay determines that the first DTLS connection is unavailable and a new DTLS connection needs to be established with the first network device.
[0072] If more than 25 seconds have passed and the first DHCP relay has sent 8 second DHCP protocol messages, then the first DHCP relay restarts timer 2 and continues to count the number of second DHCP protocol messages sent to the first network device within 25 seconds, based on the previous count (8 messages). If more than 25 seconds have passed and the total number of second DHCP protocol messages sent by the first DHCP relay is 8 + 5 = 13, the first DHCP relay determines that the first DTLS connection is unavailable and a new DTLS connection needs to be established with the first network device.
[0073] The five second DHCP protocol messages mentioned above were sent within the 25 seconds included in timer 2.
[0074] Understandably, after each second DHCP protocol message is sent, the first DHCP relay will also start another timer. The preset timer duration can be 3 seconds, which is used by the first DHCP relay to determine whether it has received a DHCP protocol message from the first network device within the preset time. If no DHCP protocol message is received from the first network device, the first DHCP relay will retransmit the second DHCP protocol message and count the cumulative number of second DHCP protocol messages sent. If a DHCP protocol message is received from the first network device, the first DHCP relay will execute step 130.
[0075] Understandably, when the first network device is a DHCP server, upon receiving the second DHCP protocol message, the DHCP server first identifies whether the message is encrypted. If it is unencrypted, the message is discarded. If it is encrypted, the message is decrypted and then verified. If verification succeeds, the type of the decrypted message is identified. If it is a first-type message, it is processed according to the DHCPv4 / DHCPv6 protocol and a third DHCP protocol message is sent back. This third message is encrypted using the first key and transmitted through the first DTLS connection. If verification fails, the second DHCP protocol message is discarded.
[0076] For details on the specific processing procedure of DHCP protocol messages by the DHCP server, please refer to the description of the following embodiments.
[0077] When the first network device is the second DHCP relay, the second DHCP relay can repeat the process of steps 110-120 until the second DHCP protocol message is sent to the DHCP server.
[0078] Step 130: If a third DHCP protocol message is received from the first network device and the third DHCP protocol message is an encrypted message, then the third DHCP protocol message is decrypted according to the first key, and the decrypted third DHCP protocol message is verified.
[0079] Specifically, according to the description of step 120, if the first DHCP relay receives a third DHCP protocol message sent by the first network device, it identifies whether the third DHCP protocol message is an encrypted message.
[0080] Optionally, if the third DHCP protocol message is an unencrypted message, the first DHCP relay discards the third DHCP protocol message.
[0081] If the third DHCP protocol message is encrypted, the first DHCP relay decrypts it using the first key. Then, the first DHCP relay verifies the decrypted third DHCP protocol message.
[0082] Understandably, the first DHCP relay can verify the third DHCP protocol message according to the existing DTLS protocol. The verification process is briefly described below.
[0083] In the DTLS protocol, the verification of encrypted messages is achieved through an integrity verification mechanism. DTLS uses the same security mechanisms as the Transport Layer Security (TLS) protocol, including encryption and message authentication codes (MACs), to ensure the integrity and authenticity of data.
[0084] The DTLS client / server determines whether the encrypted message verification passes through the following two processes:
[0085] 1) Decrypt the message:
[0086] When a DTLS client / server receives an encrypted message from its peer, it first decrypts the message using the key corresponding to the DTLS connection. During decryption, the original DTLS record layer data, including application layer data and the attached MAC address, is restored.
[0087] 2) Verify MAC address:
[0088] When encrypting messages, the DTLS client / server generates a MAC address for each DTLS record layer data segment. This MAC address is used to verify data integrity. The client / server recalculates the MAC address of the original DTLS record book data using the same key and algorithm (e.g., HMAC-SHA256). The client / server compares the calculated MAC address with the decrypted MAC address. If they match, the data has not been tampered with during transmission, and the verification passes. If they do not match, the data may have been tampered with or corrupted, and the verification fails.
[0089] According to the above verification process, the first DHCP relay verifies the decrypted third DHCP protocol message.
[0090] Optionally, if the verification fails, the first DHCP relay discards the third DHCP protocol message; if the verification passes, the first DHCP relay executes step 140.
[0091] Step 140: If the verification passes, send the fourth DHCP protocol message to the second network device.
[0092] Specifically, according to the description of step 130, if the verification of the decrypted third DHCP protocol message passes, the first DHCP relay sends the fourth DHCP protocol message to the second network device.
[0093] Optionally, in this embodiment of the application, when the first DHCP relay is a DHCPv4 relay, the first DHCP relay includes a first interface for connecting to a DHCPv4 client.
[0094] Under the above network topology, according to the existing DHCPv4 protocol, the first DHCP relay adds option 82 to the first DHCP protocol message. Option 82 includes sub-option 11, which includes the first address of the first interface.
[0095] After receiving the second DHCP protocol message, the DHCP server can, as described above, identify whether it is an encrypted message, decrypt the second DHCP protocol message, verify the decrypted second DHCP protocol message, and identify the type of the decrypted second DHCP protocol message. If the verification is successful, the DHCP server will process the decrypted second DHCP protocol message according to the DHCPv4 protocol.
[0096] During the process of the DHCP server processing the decrypted second DHCP protocol message according to the DHCPv4 specification, if the decrypted second DHCP protocol message includes option 54, the DHCP server will verify option 54.
[0097] The DHCP server continues to identify whether option 82 of the decrypted second DHCP protocol message contains suboption 11.
[0098] If sub-option 11 is included, the DHCP server checks if the address in sub-option 11 is the same as the address in option 54, or if the address in option 54 is its own address. If the address in sub-option 11 is the same as the address in option 54, or if the address in option 54 is its own address, the DHCP server determines that option 54 has passed verification. Subsequently, the DHCP server continues to include option 54 in the third DHCP protocol message. The DHCP server encrypts the third DHCP protocol message according to the first key corresponding to the first DTLS connection and sends it through the first DTLS connection.
[0099] If the address in sub-option 11 is different from the address in option 54, or if the address in option 54 is not its own address, the DHCP server determines that option 54 verification has failed. Subsequently, the DHCP server discards the second DHCP protocol message.
[0100] If sub-option 11 is not included, the DHCP server checks if the address in option 54 is its own address. If the address in option 54 is its own address, the DHCP server determines that option 54 verification is successful. Subsequently, the DHCP server continues to include option 54 in the third DHCP protocol message. The DHCP server encrypts the third DHCP protocol message according to the first key corresponding to the first DTLS connection and sends it through the first DTLS connection.
[0101] If the address in option 54 is not its own address, the DHCP server determines that option 54 verification has failed. Subsequently, the DHCP server discards the second DHCP protocol message.
[0102] If the decrypted second DHCP protocol message does not include option 54, the DHCP server continues to identify whether option 82 included in the decrypted second DHCP protocol message carries sub option 11.
[0103] If sub-option 11 is included, an address is obtained from sub-option 11 and filled into the newly added option 54. Subsequently, the DHCP server includes this newly added option 54 in the third DHCP protocol message. The DHCP server encrypts the third DHCP protocol message according to the first key corresponding to the first DTLS connection and sends it through the first DTLS connection.
[0104] If sub-option 11 is not included, the DHCP server fills its own address into the address in the newly added option 54. Subsequently, the DHCP server includes this newly added option 54 in the third DHCP protocol message. The DHCP server encrypts the third DHCP protocol message using the first key corresponding to the first DTLS connection and sends it through the first DTLS connection.
[0105] In this embodiment of the application, the address stored in option54 is collectively referred to as the second address.
[0106] After verifying the decrypted third DHCP protocol message, the first DHCP relay retrieves option 54 from the third DHCP protocol message and obtains the second address from option 54. The first DHCP relay checks whether the second address is the same as the first address; that is, it checks whether the second address is the interface address of its own first interface. If the second address is different from the first address, the first DHCP relay updates the second address to the first address. This ensures that the DHCP client sends subsequent DHCP protocol messages (e.g., renewal messages, release messages, etc.) to the first DHCP relay, which then encrypts and sends them to the DHCP server. If the second address is the same as the first address, the first DHCP relay retains the second address.
[0107] Optionally, in this embodiment, the second network device may be a DHCP client or a third DHCP relay.
[0108] The specific process of the first DHCP relay sending the fourth DHCP protocol message to the second network device is as follows: when the second network device is a DHCP client, the first DHCP relay sends the fourth DHCP protocol message to the second network device through the connection with the DHCP client. The fourth DHCP protocol message is the decrypted third DHCP protocol message.
[0109] When the second network device is the third DHCP relay, the first DHCP relay sends a fourth DHCP protocol message to the third DHCP relay through the second DTLS connection established with the third DHCP relay. This fourth DHCP protocol message is obtained by the first DHCP relay re-encrypting the decrypted third DHCP protocol message according to the second key corresponding to the second DTLS connection.
[0110] Therefore, using the communication method provided in this application, the first DHCP relay receives a first DHCP protocol message; through a first DTLS connection, the first DHCP relay sends a second DHCP protocol message to the first network device, the second DHCP protocol message being obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message using the first key corresponding to the first DTLS connection; if a third DHCP protocol message is received from the first network device and the third DHCP protocol message is an encrypted message, the first DHCP relay decrypts the third DHCP protocol message according to the first key and verifies the decrypted third DHCP protocol message; if the verification passes, the first DHCP relay sends a fourth DHCP protocol message to the second network device; wherein, the first network device is a DHCP server or a second DHCP relay; and the second network device is a DHCP client or a third DHCP relay.
[0111] In this way, by using the DTLS connections established between DHCP relays and between DHCP relays and DHCP servers, and by using the keys corresponding to the DTLS connections to encrypt the messages between DHCP relays and between DHCP relays and DHCP servers, the message transmission is prevented from being eavesdropped on or tampered with; the configuration complexity of IPSec encryption is reduced; the encryption of the DHCP protocol part is focused, resulting in less overhead; and the hardware and maintenance costs are lower.
[0112] The communication method provided in the embodiments of this application will be described in detail below. See also... Figure 2 , Figure 2 A flowchart illustrating another communication method provided in this application embodiment. This method is applied to a DHCP server that has established a DTLS connection with a DHCP relay. The communication method provided in this application embodiment may include the following steps.
[0113] Step 210: Receive the first DHCP protocol message sent by the DHCP relay through the DTLS connection;
[0114] Specifically, as can be seen from the foregoing embodiments, the DHCP server can be a DHCPv4 server or a DHCPv6 server. In the aforementioned networking methods, the DHCP server establishes a DTLS connection with the upstream device, i.e., the DHCP relay, and acts as the DTLS server.
[0115] As can be seen from the foregoing embodiments, after receiving a DHCP protocol message, the DHCP relay encrypts the DHCP protocol message using the key corresponding to the DTLS connection established with the DHCP server, and then sends it to the DHCP server through the DTLS connection.
[0116] In this step, the DHCP server receives the first DHCP protocol message via the DTLS connection.
[0117] Step 220: If the first DHCP protocol message is an encrypted message, then the first DHCP protocol message is decrypted according to the key corresponding to the DTLS connection, and the decrypted first DHCP protocol message is verified.
[0118] Specifically, according to the description of step 210, after the DHCP server receives the first DHCP protocol message, it first identifies whether the first DHCP protocol message is an encrypted message.
[0119] If the first DHCP protocol message is encrypted, the DHCP server decrypts it using the key corresponding to the DTLS connection. Then, the DHCP server verifies the decrypted first DHCP protocol message.
[0120] If the first decrypted DHCP protocol message passes verification, the DHCP server proceeds to step 230.
[0121] Optionally, in this embodiment of the application, if the decrypted first DHCP protocol message fails verification, the DHCP server discards the first DHCP protocol message.
[0122] Optionally, in this embodiment of the application, if the first DHCP protocol message is an unencrypted message, the DHCP server discards the first DHCP protocol message.
[0123] It should be noted that the process by which the DHCP server verifies the DHCP protocol message is the same as the process by which the DHCP relay verifies the DHCP protocol message in the previous embodiment, and will not be repeated here.
[0124] Step 230: If the verification passes and the decrypted first DHCP protocol message is a first type message, then generate a second DHCP protocol message;
[0125] Specifically, according to the description of step 220, if the decrypted first DHCP protocol message passes the verification, the DHCP server identifies the type of the first DHCP protocol message.
[0126] If the first DHCP protocol message is a Type 1 message, then according to the existing DHCP protocol, the DHCP server generates a second DHCP protocol message. This second DHCP protocol message is the response message to the first DHCP protocol message.
[0127] In this embodiment of the application, the first type of message specifically refers to a DHCP protocol message that requires a reply from the DHCP server.
[0128] Optionally, in this embodiment of the application, when the DHCP server is a DHCPv4 server, it can identify whether it is an encrypted message, decrypt the first DHCP protocol message, verify the decrypted first DHCP protocol message, and identify the type of the decrypted first DHCP protocol message as described above.
[0129] During the generation of the second DHCP protocol message, the DHCP server processes the decrypted first DHCP protocol message according to the DHCPv4 protocol.
[0130] During the process of the DHCP server processing the decrypted first DHCP protocol message according to the DHCPv4 specification, if the decrypted first DHCP protocol message includes option 54, the DHCP server will verify option 54.
[0131] The DHCP server continues to identify whether option 82 of the decrypted first DHCP protocol message contains suboption 11.
[0132] If sub-option 11 is included, the DHCP server checks if the address in sub-option 11 is the same as the address in option 54, or if the address in option 54 is its own address. If the address in sub-option 11 is the same as the address in option 54, or if the address in option 54 is its own address, the DHCP server determines that option 54 has passed verification. Subsequently, the DHCP server continues to include option 54 in the second DHCP protocol message. The DHCP server encrypts the second DHCP protocol message according to the key corresponding to the DTLS connection and sends it through the DTLS connection.
[0133] If the address in sub-option 11 is different from the address in option 54, or if the address in option 54 is not its own address, the DHCP server determines that option 54 verification has failed. Subsequently, the DHCP server discards the first DHCP protocol message.
[0134] If sub-option 11 is not included, the DHCP server checks if the address in option 54 is its own address. If the address in option 54 is its own address, the DHCP server determines that option 54 has passed verification. Subsequently, the DHCP server includes option 54 in the second DHCP protocol message. The DHCP server encrypts the second DHCP protocol message using the key corresponding to the DTLS connection and sends it through the DTLS connection.
[0135] If the address in option 54 is not its own address, the DHCP server determines that option 54 verification has failed. Subsequently, the DHCP server discards the first DHCP protocol message.
[0136] If the first decrypted DHCP protocol message does not include option 54, the DHCP server will continue to identify whether option 82 included in the first decrypted DHCP protocol message carries sub option 11.
[0137] If sub-option 11 is included, an address is obtained from sub-option 11 and filled into the newly added option 54. Subsequently, the DHCP server includes this newly added option 54 in the second DHCP protocol message. The DHCP server encrypts the second DHCP protocol message according to the key corresponding to the DTLS connection and sends it through the DTLS connection.
[0138] If sub-option 11 is not included, the DHCP server fills its own address into the address in the newly added option 54. Subsequently, the DHCP server includes this newly added option 54 in the second DHCP protocol message. The DHCP server encrypts the second DHCP protocol message according to the key corresponding to the DTLS connection and sends it through the DTLS connection.
[0139] Step 240: Encrypt the second DHCP protocol message using the key to obtain the third DHCP protocol message;
[0140] Specifically, according to the description of step 230, after the DHCP server generates the second DHCP protocol message, it encrypts the second DHCP protocol message according to the key to obtain the third DHCP protocol message.
[0141] It should be noted that when a DHCP server encrypts a DHCP protocol message, it encrypts only the DHCP protocol portion of the message. That is, it encrypts the complete DHCP message (including the DHCP header and option portion), but does not encrypt the encapsulated IP header or UDP header.
[0142] Step 250: Send the third DHCP protocol message to the DHCP relay through the DTLS connection.
[0143] Specifically, as described in step 240, the DHCP server sends a third DHCP protocol message to the DHCP relay via the DTLS connection.
[0144] Therefore, using the communication method provided in this application, the DHCP server receives a first DHCP protocol message sent by the DHCP relay via a DTLS connection. If the first DHCP protocol message is an encrypted message, the DHCP server decrypts the first DHCP protocol message according to the key corresponding to the DTLS connection and verifies the decrypted first DHCP protocol message. If the verification passes and the decrypted first DHCP protocol message is a first type message, the DHCP server generates a second DHCP protocol message. According to the key, the DHCP server encrypts the second DHCP protocol message to obtain a third DHCP protocol message. The DHCP server then sends the third DHCP protocol message to the DHCP relay via the DTLS connection.
[0145] In this way, by using the DTLS connections established between DHCP relays and between DHCP relays and DHCP servers, and by using the keys corresponding to the DTLS connections to encrypt the messages between DHCP relays and between DHCP relays and DHCP servers, the message transmission is prevented from being eavesdropped on or tampered with; the configuration complexity of IPSec encryption is reduced; the encryption of the DHCP protocol part is focused, resulting in less overhead; and the hardware and maintenance costs are lower.
[0146] Optionally, in this embodiment of the application, the DHCP server will also perform the following process.
[0147] Specifically, the DHCP server detects whether the configuration attributes of the configured DTLS connection have changed; if the configuration attributes have changed, the DHCP server closes the DTLS connection; if the configuration attributes have not changed, the DHCP server keeps the DTLS connection open.
[0148] The configuration attributes of the DTLS connection configured on the aforementioned DHCP server mainly include the following: 1) Certificate and key configuration, including: server certificate, private key, certificate chain, supported cipher suites, etc.; 2) DTLS protocol version configuration, including: determining the supported DTLS protocol versions, such as DTLS 1.2 or DTLS 1.3, and multiple versions can be supported; 3) Port and network configuration, including: specifying the listening port, network interface, maximum transmission unit (MTU), etc.; 4) Session management configuration, including: session caching, session timeout, etc.; 5) Client authentication configuration; 6) Retransmission and timeout configuration, including: retransmission mechanism, timeout duration, etc.
[0149] When any of the above configurations changes, the DHCP server determines that the configuration attributes have changed.
[0150] Understandably, according to the existing DTLS protocol, the DHCP server, as the DTLS server, does not need to actively rebuild the DTLS connection to the DTLS client after determining that the configuration of the local DTLS connection has changed.
[0151] Based on the same inventive concept, embodiments of this application also provide a communication device corresponding to the communication method. See also Figure 3 , Figure 3 A communication device provided in this application embodiment is applied to a first DHCP relay, the DHCP relay having established a first DTLS connection with a first network device, the method comprising:
[0152] The receiving unit 310 is used to receive the first DHCP protocol message;
[0153] The sending unit 320 is configured to send a second DHCP protocol message to the first network device through the first DTLS connection. The second DHCP protocol message is obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message according to the first key corresponding to the first DTLS connection.
[0154] The verification unit 330 is configured to, if the receiving unit 310 receives a third DHCP protocol message sent by the first network device and the third DHCP protocol message is an encrypted message, decrypt the third DHCP protocol message according to the first key and verify the decrypted third DHCP protocol message.
[0155] The sending unit 320 is further configured to send a fourth DHCP protocol message to the second network device if the verification passes.
[0156] The first network device is either a DHCP server or a second DHCP relay; the second network device is either a DHCP client or a third DHCP relay.
[0157] Optionally, the sending unit 320 is specifically used to send the fourth DHCP protocol message to the DHCP client through the connection between the second network device and the DHCP client when the second network device is the DHCP client. The fourth DHCP protocol message is a decrypted third DHCP protocol message.
[0158] When the second network device is the third DHCP relay, it sends the fourth DHCP protocol message to the third DHCP relay through the second DTLS connection established with the third DHCP relay. The fourth DHCP protocol message is obtained by re-encrypting the decrypted third DHCP protocol message according to the second key corresponding to the second DTLS connection.
[0159] Optionally, the device further includes:
[0160] The startup unit (not shown in the figure) is used to start a timer if the first DHCP protocol message or the decrypted first DHCP protocol message is a first type message;
[0161] A statistics unit (not shown in the figure) is used to count the cumulative number of second DHCP protocol messages sent to the first network device within a preset time period of the timer;
[0162] A determining unit (not shown in the figure) is used to determine that the first DTLS connection is unavailable and restart the establishment of a DTLS connection with the first network device if the preset time is exceeded and the cumulative number exceeds the number threshold.
[0163] The startup unit (not shown in the figure), the statistics unit (not shown in the figure), and the determination unit (not shown in the figure) are further configured to: if the preset time is exceeded and the cumulative number does not exceed the number threshold, restart the timer and repeat the process of counting the cumulative number of second DHCP protocol messages sent to the first network device within the preset time of the timer; if the preset time is exceeded and the cumulative number exceeds the number threshold, determine that the first DTLS connection is unavailable and restart the process of establishing a DTLS connection with the first network device.
[0164] Optionally, when the first DHCP relay is a DHCPv4 relay, the first DHCP relay includes a first interface;
[0165] The second DHCP protocol message also includes option 82, which includes sub option 11, and sub option 11 includes the first address of the first interface; the third DHCP protocol message also includes option 54, which includes the second address;
[0166] The device further includes:
[0167] An identification unit (not shown in the figure) is used to identify whether the second address is the same as the first address;
[0168] An update unit (not shown in the figure) is used to update the second address to the first address if they are different;
[0169] A holding unit (not shown in the figure) is used to hold the second address if they are the same.
[0170] Optionally, the device further includes:
[0171] A discarding unit (not shown in the figure) is used to discard the third DHCP protocol message when the receiving unit 310 receives the third DHCP protocol message sent by the network device and the third DHCP protocol message is an unencrypted message.
[0172] The discarding unit (not shown in the figure) is also used to discard the third DHCP protocol message if the verification fails.
[0173] Therefore, using the communication device provided in this application, the first DHCP relay receives a first DHCP protocol message; through the first DTLS connection, the first DHCP relay sends a second DHCP protocol message to the first network device, the second DHCP protocol message being obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message according to the first key corresponding to the first DTLS connection; if a third DHCP protocol message is received from the first network device and the third DHCP protocol message is an encrypted message, the first DHCP relay decrypts the third DHCP protocol message according to the first key and verifies the decrypted third DHCP protocol message; if the verification passes, the first DHCP relay sends a fourth DHCP protocol message to the second network device; wherein, the first network device is a DHCP server or a second DHCP relay; the second network device is a DHCP client or a third DHCP relay.
[0174] In this way, by using the DTLS connections established between DHCP relays and between DHCP relays and DHCP servers, and by using the keys corresponding to the DTLS connections to encrypt the messages between DHCP relays and between DHCP relays and DHCP servers, the message transmission is prevented from being eavesdropped on or tampered with; the configuration complexity of IPSec encryption is reduced; the encryption of the DHCP protocol part is focused, resulting in less overhead; and the hardware and maintenance costs are lower.
[0175] Based on the same inventive concept, embodiments of this application also provide a communication device corresponding to the communication method. See also Figure 4 , Figure 4 Another communication device provided in this application embodiment, the device being applied to a DHCP server, the DHCP server having established a DTLS connection with a DHCP relay, the method comprising:
[0176] The receiving unit 410 is configured to receive the first DHCP protocol message sent by the DHCP relay through the DTLS connection;
[0177] The verification unit 420 is used to decrypt the first DHCP protocol message according to the key corresponding to the DTLS connection if the first DHCP protocol message is an encrypted message, and to verify the decrypted first DHCP protocol message.
[0178] The generation unit 430 is used to generate a second DHCP protocol message if the verification passes and the decrypted first DHCP protocol message is a first type message.
[0179] The encryption unit 440 is used to encrypt the second DHCP protocol message according to the key to obtain the third DHCP protocol message;
[0180] The sending unit is configured to send the third DHCP protocol message to the DHCP relay via the DTLS connection.
[0181] Optionally, the device further includes:
[0182] The detection unit (not shown in the figure) is used to detect whether the configuration attributes of the configured DTLS connection have changed;
[0183] A shutdown unit (not shown in the figure) is used to shut down the DTLS connection if the configuration attributes change.
[0184] A holding unit (not shown in the figure) is used to maintain the DTLS connection if the configuration attributes do not change.
[0185] Optionally, the device further includes:
[0186] A discarding unit (not shown in the figure) is used to discard the first DHCP protocol message if the first DHCP protocol message is an unencrypted message;
[0187] The discarding unit (not shown in the figure) is also used to discard the first DHCP protocol message if the verification fails.
[0188] Therefore, using the communication device provided in this application, the DHCP server receives a first DHCP protocol message sent by the DHCP relay via a DTLS connection; if the first DHCP protocol message is an encrypted message, the DHCP server decrypts the first DHCP protocol message according to the key corresponding to the DTLS connection and verifies the decrypted first DHCP protocol message; if the verification passes and the decrypted first DHCP protocol message is a first type message, the DHCP server generates a second DHCP protocol message; according to the key, the DHCP server encrypts the second DHCP protocol message to obtain a third DHCP protocol message; and the DHCP server sends the third DHCP protocol message to the DHCP relay via the DTLS connection.
[0189] In this way, by using the DTLS connections established between DHCP relays and between DHCP relays and DHCP servers, and by using the keys corresponding to the DTLS connections to encrypt the messages between DHCP relays and between DHCP relays and DHCP servers, the message transmission is prevented from being eavesdropped on or tampered with; the configuration complexity of IPSec encryption is reduced; the encryption of the DHCP protocol part is focused, resulting in less overhead; and the hardware and maintenance costs are lower.
[0190] Based on the same inventive concept, embodiments of this application also provide a network device, such as... Figure 5 As shown, the system includes a processor 510, a transceiver 520, and a machine-readable storage medium 530. The machine-readable storage medium 530 stores machine-executable instructions that can be executed by the processor 510. The processor 510 is prompted by the machine-executable instructions to execute the communication method provided in the embodiments of this application. (The foregoing...) Figure 3 , Figure 4 The communication device shown can be used as follows: Figure 5 The hardware structure of the network device shown is implemented.
[0191] The aforementioned computer-readable storage medium 530 may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the computer-readable storage medium 530 may also be at least one storage device located remotely from the aforementioned processor 510.
[0192] The processor 510 mentioned above can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
[0193] In this embodiment, the processor 510 reads the machine-executable instructions stored in the machine-readable storage medium 530, and is prompted by the machine-executable instructions to enable the processor 510 itself and the transceiver 520 to execute the communication method described in the foregoing embodiment.
[0194] In addition, this application provides a machine-readable storage medium 530 that stores machine-executable instructions. When called and executed by the processor 510, the machine-executable instructions cause the processor 510 itself and the transceiver 520 to execute the communication method described in the aforementioned application.
[0195] The specific implementation process of the functions and roles of each unit in the above device can be found in the implementation process of the corresponding steps in the above method, and will not be repeated here.
[0196] For the device embodiments, since they basically correspond to the method embodiments, the relevant parts can be referred to in the description of the method embodiments. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this application according to actual needs. Those skilled in the art can understand and implement this without creative effort.
[0197] For the embodiments of communication devices and machine-readable storage media, since the methods involved are basically similar to those of the aforementioned method embodiments, the description is relatively simple, and relevant details can be found in the descriptions of the method embodiments.
[0198] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.
Claims
1. A communication method characterized by comprising: Applied to a first DHCP relay, which has established a first DTLS connection with a first network device, the method includes: Receive the first DHCP protocol message; Through the first DTLS connection, a second DHCP protocol message is sent to the first network device. The second DHCP protocol message is obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message according to the first key corresponding to the first DTLS connection. If a third DHCP protocol message is received from the first network device and the third DHCP protocol message is an encrypted message, then the third DHCP protocol message is decrypted according to the first key, and the decrypted third DHCP protocol message is verified. If the verification passes, a fourth DHCP protocol message is sent to the second network device; The first network device is either a DHCP server or a second DHCP relay; the second network device is either a DHCP client or a third DHCP relay.
2. The method of claim 1, wherein, Sending the fourth DHCP protocol message to the second network device specifically includes: When the second network device is the DHCP client, the fourth DHCP protocol message is sent to the DHCP client through the connection with the DHCP client. The fourth DHCP protocol message is the decrypted third DHCP protocol message. When the second network device is the third DHCP relay, it sends the fourth DHCP protocol message to the third DHCP relay through the second DTLS connection established with the third DHCP relay. The fourth DHCP protocol message is obtained by re-encrypting the decrypted third DHCP protocol message according to the second key corresponding to the second DTLS connection.
3. The method of claim 1, wherein, After sending the second DHCP protocol message to the first network device through the first DTLS connection, the method further includes: If the first DHCP protocol message or the decrypted first DHCP protocol message is a first type message, then start the timer; Within a preset time period of the timer, the cumulative number of second DHCP protocol messages sent to the first network device is counted; If the preset time is exceeded and the cumulative number exceeds the threshold, the first DTLS connection is determined to be unavailable, and the establishment of a DTLS connection with the first network device is restarted. If the preset time is exceeded and the cumulative number does not exceed the number threshold, the timer is restarted and the process of counting the cumulative number of second DHCP protocol messages sent to the first network device is repeated within the preset time of the timer. If the preset time is exceeded and the cumulative number exceeds the number threshold, the first DTLS connection is determined to be unavailable and the process of establishing a DTLS connection with the first network device is restarted.
4. The method according to claim 1, characterized in that, When the first DHCP relay is a DHCPv4 relay, the first DHCP relay includes a first interface; The second DHCP protocol message also includes option 82, which includes sub option 11, and sub option 11 includes the first address of the first interface; the third DHCP protocol message also includes option 54, which includes the second address; Before sending the fourth DHCP protocol message to the second network device, the method further includes: Identify whether the second address is the same as the first address; If they are different, then update the second address to the first address; If they are the same, then keep the second address.
5. The method according to claim 1, characterized in that, The method further includes: If a third DHCP protocol message is received from the network device and the third DHCP protocol message is unencrypted, then the third DHCP protocol message is discarded. If the verification fails, the third DHCP protocol message is discarded.
6. A communication method, characterized in that, Applied to a DHCP server that has established a DTLS connection with a DHCP relay, the method includes: The first DHCP protocol message sent by the DHCP relay is received through the DTLS connection. If the first DHCP protocol message is an encrypted message, then the first DHCP protocol message is decrypted according to the key corresponding to the DTLS connection, and the decrypted first DHCP protocol message is verified. If the verification passes and the decrypted first DHCP protocol message is a first type message, then a second DHCP protocol message is generated. The second DHCP protocol message is encrypted using the key to obtain the third DHCP protocol message; The third DHCP protocol message is sent to the DHCP relay via the DTLS connection; The first type of message is a DHCP protocol message that requires a response from the DHCP server.
7. The method according to claim 6, characterized in that, The method further includes: Detect whether the configuration properties of the configured DTLS connection have changed; If the configuration properties are changed, the DTLS connection is closed; If the configuration properties remain unchanged, the DTLS connection is maintained.
8. The method according to claim 6, characterized in that, The method further includes: If the first DHCP protocol message is an unencrypted message, then the first DHCP protocol message is discarded; If the verification fails, the first DHCP protocol message is discarded.
9. A communication device, characterized in that, Applied to a first DHCP relay, wherein the DHCP relay has established a first DTLS connection with a first network device, the apparatus includes: The receiving unit is used to receive the first DHCP protocol message; The sending unit is configured to send a second DHCP protocol message to the first network device through the first DTLS connection. The second DHCP protocol message is obtained by encrypting the first DHCP protocol message or the decrypted first DHCP protocol message with the first key corresponding to the first DTLS connection. The verification unit is configured to, if the receiving unit receives a third DHCP protocol message sent by the first network device and the third DHCP protocol message is an encrypted message, decrypt the third DHCP protocol message according to the first key and verify the decrypted third DHCP protocol message. The sending unit is further configured to send a fourth DHCP protocol message to the second network device if the verification passes. The first network device is either a DHCP server or a second DHCP relay; the second network device is either a DHCP client or a third DHCP relay.
10. A communication device, characterized in that, Applied to a DHCP server, wherein the DHCP server has established a DTLS connection with a DHCP relay, the apparatus includes: The receiving unit is configured to receive the first DHCP protocol message sent by the DHCP relay via the DTLS connection; The verification unit is used to decrypt the first DHCP protocol message according to the key corresponding to the DTLS connection if the first DHCP protocol message is an encrypted message, and to verify the decrypted first DHCP protocol message. The generation unit is used to generate a second DHCP protocol message if the verification passes and the decrypted first DHCP protocol message is a first type message. An encryption unit is used to encrypt the second DHCP protocol message according to the key to obtain a third DHCP protocol message; The sending unit is configured to send the third DHCP protocol message to the DHCP relay via the DTLS connection; The first type of message is a DHCP protocol message that requires a response from the DHCP server.