Journal: 《光通信研究》

Secure Path Establishment Mechanism for Multi-Domain Optical Networks Based on the PCE Architecture

         

Abstract

Multi-layer, multi-domain operation is the inevitable trend of future large-scale optical interconnection networks. However, how to construct a secure and reliable light-path or light-tree is a new problem when global information is lacking. In this paper, we first analyze the light-path construction mechanism based on the Path Computation Element (PCE) architecture. Then we summarize the security threats in the path computation phase and the link establishment phase, which include active attacks and passive attacks. To address identity authentication, data source authentication, encryption, digital signature and privacy protection, specific security mechanisms for path construction with the PCE communication Protocol (PCEP) and GMPLS RSVP-TE are proposed, based on several technologies including Transport Layer Security (TLS), identity-based cryptosystems, and the TCP authentication option. The proposed technique can enhance the confidentiality, integrity, authenticity, non-repudiation, freshness and privacy of path construction in multi-domain optical networks.
