The process of mapping the communication traffic onto the physical topology of the network, together with the placement of resources for that traffic, is called TE.
Recently, the PCE has been adopted as a new model for computing TE paths. Compared with the conventional manner in which routers implement the TE path computation themselves, in the PCE-based TE path computation model the path computation function is separated out and implemented by the PCE. All nodes which need to establish a traffic engineering label switched path (TE-LSP) act as PCCs and request the path computation from the PCE. After performing the path computation according to the path computation request, the PCE returns the corresponding results to the PCC nodes, and the PCC nodes establish the corresponding TE-LSPs according to the computation result.
The PCC and the PCE form a typical client/server (C/S) model, and before sending a path computation request to the PCE, the PCC needs to know where the PCE is.
Path Computation Element Discovery (PCED) is a standard protocol proposed by the PCE working group for automatically discovering PCEs. PCED extends the Open Shortest Path First (OSPF) protocol or the Intermediate System to Intermediate System (IS-IS) protocol: OSPF or IS-IS floods the relevant PCE information within one routing domain, which is equivalent to broadcasting it in the routing domain, and the routing domain may be a routing area or an autonomous system (AS). Thus the PCE information may be acquired by all PCCs in the routing domain. The information includes the location of the PCE, the computation capability of the PCE, the functions supported by the PCE, the computation scope of the PCE, whether load sharing is supported, whether the PCE is in a congested state, etc.
One PCC may receive the information of a plurality of PCEs. According to the received PCE information, the PCC selects one appropriate PCE from among them as the default PCE for path computation. When the PCC needs to compute a TE path, it sends the path computation request to the default PCE, which performs the TE path computation and returns the path computation result to the PCC; the PCC then establishes the corresponding TE path according to the path computation result.
The communication between the PCC and the PCE is implemented through the Path Computation Element Communication Protocol (PCEP). PCEP is the protocol for PCC-PCE and PCE-PCE communication and uses the Transmission Control Protocol (TCP) as its transport protocol. PCEP carries the various interaction packets between the PCC and the PCE, including capability negotiation packets, the various path computation request packets sent from the PCC to the PCE, the path computation results sent from the PCE to the PCC, the various error packets exchanged between the PCC and the PCE, etc.
Before the PCC sends a path computation request to the PCE, a PCEP connection between the PCC and the PCE needs to be established. In the process of establishing the connection, a TCP connection between the PCC and the PCE is first established, and then the relevant capability negotiation is performed. After the capability negotiation is finished, the PCEP connection between the PCC and the PCE is established. The capability negotiation between the PCC and the PCE covers the PCEP protocol version number, the keep-alive time of the connection between the PCC and the PCE, the maximum keep-alive time, etc.
Referring to FIG. 1, it is a schematic view of a TE path computation implemented jointly by a plurality of PCEs. A head end 101 serving as the PCC sends a computation request to a default PCE 102. The default PCE 102 performs the path computation according to the path computation request and returns the path computation result to the head end 101. If the default PCE 102 cannot complete the path computation on its own, it sends the path computation request to another PCE, for example PCE 103, to request assistance with the path computation. Here, relative to PCE 103, PCE 102 acts as the PCC.
As described above, the PCE information is flooded within one routing domain through OSPF or IS-IS, so that all nodes in the routing domain may acquire it, and the information may further be spread to other routing domains through certain mechanisms. In this manner, many nodes, including authorized and unauthorized nodes, acquire the PCE information and may access the PCE through PCEP. Therefore, the following problems arise.
(1) An unauthorized node illegally intercepts the computation request and response packets exchanged between the PCC and the PCE.
(2) An unauthorized node impersonates the PCC or the PCE.
(3) An unauthorized node performs a denial of service (DoS) attack on the PCC or the PCE. A DoS attack is an attack that works by denying the provision of service. For example, if one subscriber sends a great amount of unwanted data packets to Sina, the requests of other subscribers intending to access Sina become negligible compared with the data packets sent by that subscriber; in this manner, the requests of the other subscribers are submerged in the attack packets of that subscriber, which is a typical DoS attack.
The unauthorized node refers to the node which is not authorized and cannot be trusted, and the authorized node refers to the node which is authorized and can be trusted.
Therefore, a security mechanism is required to ensure the security of the communication between the PCC and the PCE. In PCEP, methods such as the TCP Message Digest 5 (TCP MD5) signature and Internet Protocol Security (IPsec) encryption are adopted to secure the communication between the PCC and the PCE, to prevent the PCE and the PCC from being impersonated, and to relieve DoS attacks to a certain degree. Meanwhile, other security mechanisms are proposed to protect the PCC-PCE communication, for example, the PCE performing access authentication on the PCC.
Therefore, it is necessary for the PCC and the PCE to negotiate whether a security mechanism is required and, if so, which security mechanism is adopted between them, so as to determine the security mechanism of the communication between the PCC and the PCE. However, during the process of realizing the present invention, the inventor finds that presently no mechanism for negotiating the various security capabilities exists in PCEP or PCED.
In addition, whether a security mechanism is adopted between the PCC and the PCE, whether the TCP MD5 signature mechanism is adopted, and whether IPsec encryption or another security mechanism is applied to the packets between the PCC and the PCE are presently determined only by static configuration. In the static configuration mode, after the PCC discovers and selects one or more PCEs as path computation servers, the security mechanism between the PCC and each PCE must be statically configured one by one.
During the process of realizing the present invention, the inventor finds that the disadvantage of statically configuring the security mechanism between the PCC and the PCE is that the configuration is rather heavy and complicated.
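The following is an added worked example, not code from the patent or from any PCEP implementation. It illustrates two points of this background: the PCEP session establishment step (TCP connection, then an Open message carrying the version number, keep-alive time and dead timer for capability negotiation), and the kind of security-capability negotiation the text says PCEP and PCED currently lack. The message and object layouts follow RFC 5440; the security-capability TLV (type 0xFF01), the capability bit values, the preference order and the policy dictionary are hypothetical constructs of this example and are not assigned PCEP code points. The decoder validates lengths and versions before trusting any field, which is the part a PCE exposed to every node in a routing domain actually needs.

```python
import struct

# PCEP constants from RFC 5440 (common header, OPEN object).
PCEP_VERSION = 1
MSG_OPEN = 1
OBJ_CLASS_OPEN = 1
OBJ_TYPE_OPEN = 1

# Hypothetical TLV type carrying a security-capability bitmask inside the OPEN
# object. Illustrative placeholder only; NOT an IANA-assigned PCEP TLV.
TLV_SEC_CAP_HYPOTHETICAL = 0xFF01
SEC_TCP_MD5 = 0x1      # TCP MD5 signature option
SEC_IPSEC = 0x2        # IPsec protection of the PCEP session
SEC_ACCESS_AUTH = 0x4  # PCE performs access authentication on the PCC
SEC_NAMES = {SEC_IPSEC: "IPsec", SEC_TCP_MD5: "TCP-MD5", SEC_ACCESS_AUTH: "access-auth"}
SEC_PREFERENCE = (SEC_IPSEC, SEC_TCP_MD5, SEC_ACCESS_AUTH)  # assumed local preference

def encode_tlv(tlv_type, value):
    """PCEP TLV: 16-bit type, 16-bit value length, value padded to 4 bytes."""
    return struct.pack("!HH", tlv_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def decode_tlvs(data):
    """Parse a run of TLVs, rejecting truncated headers and over-long lengths."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("TLV length exceeds enclosing object")
        tlvs.append((tlv_type, data[off:off + length]))
        off += length + ((-length) % 4)
    return tlvs

def encode_open(keepalive, deadtimer, sid, sec_caps=None):
    """Build an Open message: common header + OPEN object (+ optional hypothetical TLV)."""
    body = struct.pack("!BBBB", PCEP_VERSION << 5, keepalive, deadtimer, sid)
    if sec_caps is not None:
        body += encode_tlv(TLV_SEC_CAP_HYPOTHETICAL, struct.pack("!I", sec_caps))
    obj = struct.pack("!BBH", OBJ_CLASS_OPEN, OBJ_TYPE_OPEN << 4, 4 + len(body)) + body
    return struct.pack("!BBH", PCEP_VERSION << 5, MSG_OPEN, 4 + len(obj)) + obj

def decode_open(msg):
    """Parse and validate an Open message; raises ValueError on malformed input."""
    if len(msg) < 12:
        raise ValueError("message too short for header + OPEN object")
    ver_flags, msg_type, msg_len = struct.unpack_from("!BBH", msg, 0)
    if ver_flags >> 5 != PCEP_VERSION:
        raise ValueError("unsupported PCEP version %d" % (ver_flags >> 5))
    if msg_type != MSG_OPEN:
        raise ValueError("expected Open message, got type %d" % msg_type)
    if msg_len != len(msg):
        raise ValueError("Message-Length field does not match buffer")
    obj_class, ot_flags, obj_len = struct.unpack_from("!BBH", msg, 4)
    if obj_class != OBJ_CLASS_OPEN or ot_flags >> 4 != OBJ_TYPE_OPEN:
        raise ValueError("first object is not OPEN")
    if obj_len < 8 or 4 + obj_len > len(msg):
        raise ValueError("bad OPEN object length")
    open_ver, keepalive, deadtimer, sid = struct.unpack_from("!BBBB", msg, 8)
    if open_ver >> 5 != PCEP_VERSION:
        raise ValueError("OPEN object version mismatch")
    sec_caps = None
    for tlv_type, value in decode_tlvs(msg[12:4 + obj_len]):
        if tlv_type == TLV_SEC_CAP_HYPOTHETICAL and len(value) == 4:
            sec_caps = struct.unpack("!I", value)[0]
    return {"keepalive": keepalive, "deadtimer": deadtimer, "sid": sid, "sec_caps": sec_caps}

def select_security(peer_caps, local_caps):
    """Pick the most preferred mechanism both sides advertise, or None."""
    if peer_caps is None:
        return None
    common = peer_caps & local_caps
    for mech in SEC_PREFERENCE:
        if common & mech:
            return SEC_NAMES[mech]
    return None

def evaluate_open(peer, policy):
    """Decide whether the peer's proposed Open is acceptable under local policy.

    Returns (accepted, reason_or_mechanism). Timer semantics follow RFC 5440:
    Keepalive 0 = peer sends no keepalives, DeadTimer 0 = session never times out.
    """
    ka, dt = peer["keepalive"], peer["deadtimer"]
    if ka != 0 and ka < policy["min_keepalive"]:
        return False, "keepalive below local minimum"
    if dt == 0 and not policy.get("allow_no_timeout", False):
        return False, "peer proposes a session that never times out"
    if ka != 0 and dt != 0 and dt < ka:
        return False, "deadtimer shorter than keepalive"
    if dt > policy["max_deadtimer"]:
        return False, "deadtimer above local maximum"
    mech = select_security(peer["sec_caps"], policy["sec_caps"])
    if mech is None and policy["require_security"]:
        return False, "no common security mechanism"
    return True, mech or "none"

if __name__ == "__main__":
    # Constructed exchange: a PCC proposing 30 s keepalive, 120 s dead timer, IPsec + TCP MD5.
    proposal = encode_open(30, 120, 1, SEC_IPSEC | SEC_TCP_MD5)
    pce_policy = {"min_keepalive": 10, "max_deadtimer": 240,
                  "require_security": True, "sec_caps": SEC_TCP_MD5}
    print(evaluate_open(decode_open(proposal), pce_policy))
```

A real peer that rejects the proposal would answer with a PCErr carrying an OPEN object of acceptable values rather than silently closing, but the decision logic is the same: validate the wire format first, then the timers, then the security capabilities, and accept nothing that policy has not approved.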