多层多域是未来大规模光互联网络的必然趋势，如何在缺乏全局信息的条件下构建安全可靠的光路或光树，是光网络分域管理后面临的一个新问题。文章在分析基于PCE（路径计算单元）架构的多域光网络建路机理的基础上，剖析了其算路阶段与建链阶段存在的安全威胁，包括主动攻击和被动攻击两大类，围绕身份认证、数据源认证、加密、数字签名和隐私保护问题，利用TLS（传输层安全）、身份密码学和TCP（传输控制协议）认证选项等安全性技术，提出了针对PCEP（PCE协议）和GMPLS（通用多协议标签交换）RSVP-TE（基于流量工程扩展的资源预留协议）的安全建路机制，有效提升了多域光网络建路过程中的机密性、完整性、真实性、抗抵赖性、新鲜性和私有性。

Multi-layer and multi-domain is the inevitable trend of the future large-scale optical interconnection networks. However, how to construct secure and reliable light-path or light-tree is a new problem under the condition of the lack of global information. In this paper, we first analyze the construction mechanism of light-path based on the Path Computation Element (PCE) architecture.Then we summarize the security threats of path computation phase and link establishment phase, which include active attack and passive attack. To deal with the issue of the identity authentication, data source authentication, encryption, digital signature and privacy protection, specific security mechanisms of the path construction of PCE communication Protocol (PCEP) and GMPLS RSVP-TE are proposed based on several technologies including Transport Layer Security (TLS), identity-based cryptosystem, and authentication option of TCP. The proposed technique can enhance the confidentiality, integrity, authenticity, non-repudiation, freshness and privacy of the path construction of multi-domain optical networks.