A wired local area network is typically a broadcast network in which data sent from one node can be received by any other node. The nodes on the network share a channel, which exposes the network to significant security risk: an attacker can capture all of the data packets on the network simply by connecting to it and listening.
No data security method has been proposed for the Local Area Network (LAN) defined in the existing national standard GB/T 15629.3 (corresponding to IEEE 802.3 or ISO/IEC 8802-3), which makes it easy for an attacker to steal key information. A terminal device compliant with GB/T 15629.3 (corresponding to IEEE 802.3 or ISO/IEC 8802-3) cannot perform link layer encryption or decryption, so all link layer data packets are sent over the network in plaintext, where they are susceptible to interception, resulting in significant security risk.
IEEE 802.1AE proposes a method of link layer data security for a Local Area Network (LAN) based on hop-by-hop encryption. This mechanism restricts a terminal device to using only the key it shares with its closest access switch device to encrypt and decrypt data frames at the link layer; the terminal device cannot directly use a key shared with another terminal device or another switch device for that purpose. This link layer processing scheme of a terminal device supporting IEEE 802.1AE has three drawbacks. It places a heavy computing burden on the closest access switch device. Because a data frame constructed under this scheme has to be decrypted, re-encrypted and then forwarded by each switch device along the link until it reaches the destination terminal device, data transmission is significantly delayed. And a terminal device supporting IEEE 802.1AE does not support hybrid network deployment of general switch devices together with switch devices supporting IEEE 802.1AE.
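The hop-by-hop processing described above can be modelled as follows. This is an added example, not part of the original text; the node names, the path and the stand-in cipher (a SHA-256 keystream with an HMAC tag, used here instead of the cipher suite of IEEE 802.1AE) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, n):
    # Stand-in keystream for illustration only (not the IEEE 802.1AE cipher suite).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def protect(key, payload):
    # Encrypt and tag a payload with one link key (toy: one key for both steps).
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unprotect(key, blob):
    # Verify the tag, then decrypt; a wrong link key fails here.
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def send_hop_by_hop(path, payload):
    """Forward payload along path using one key per link.

    Returns (delivered payload, crypto operations per node,
    intermediate nodes that handled the payload in the clear)."""
    link_keys = {(a, b): os.urandom(32) for a, b in zip(path, path[1:])}
    ops = {node: 0 for node in path}
    in_clear = []
    frame = protect(link_keys[(path[0], path[1])], payload)  # source encrypts once
    ops[path[0]] += 1
    for prev, node, nxt in zip(path, path[1:], path[2:]):
        clear = unprotect(link_keys[(prev, node)], frame)    # decrypt inbound link
        in_clear.append(node)
        frame = protect(link_keys[(node, nxt)], clear)       # re-encrypt outbound link
        ops[node] += 2
    delivered = unprotect(link_keys[(path[-2], path[-1])], frame)
    ops[path[-1]] += 1
    return delivered, ops, in_clear

if __name__ == "__main__":
    # Constructed path: two terminals separated by three switches.
    print(send_hop_by_hop(["STA-A", "SW1", "SW2", "SW3", "STA-B"], b"constructed payload"))
```

Each switch on the path performs two cryptographic operations per frame and handles the payload in the clear, while each terminal performs only one.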