CN101447956B - Cross-GAP communication method and communication system using same - Google Patents

Cross-GAP communication method and communication system using same

Info

Publication number: CN101447956B
Authority: CN (China)
Prior art keywords: address, equipment, business stream, gateway, communication
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Fee Related
Application number: CN2009100002152A
Other languages: Chinese (zh)
Other versions: CN101447956A (en)
Inventors: 苏佳, 周迪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN2009100002152A; publication of CN101447956A; application granted; publication of CN101447956B; legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a cross-GAP communication method and a communication system using it, applied to a network with a first communication device and a second communication device. The first communication device is located in a first network and the second communication device in a second network. The first network is isolated from the external network by a first GAP device, and the second network is isolated from the external network by a second GAP device. By establishing a dynamic address/port translation mapping for the service flows between the two GAP devices, linked communication between the two communication devices across the two GAPs is realized. The cross-GAP communication works without manual static configuration of translation tables on the two GAP devices, which simplifies configuration and makes the GAP equipment easier to configure and maintain.

Description

Cross-gap communication method and communication system
Technical field
The present invention relates to the field of network technology, and in particular to a cross-gap communication method and communication system.
Background technology
A security isolation gap (GAP, referred to below as a gap device) is a network security device built from specialized hardware with several control functions. It cuts the link-layer connection between networks while still allowing a secure, controlled exchange of application data between them. As the isolation device that provides the data exchange, the gap device carries an embedded virus checking and removal module that can scan the exchanged data for viruses.
Traditional security products meet the needs of data protection and network security in different ways, but none of them fully solves the problem of securely exchanging information between networks, because every security technique has its limitations. While a gap device protects the security of the internal network, it restricts some communication flows. Some communication services need to run between the inside and the outside of a gap device, or between devices located behind two gap devices. For communication that crosses a gap device, the gap device proxies the destination end and the source end respectively, splitting the end-to-end connection into two independent connections, and performs data filtering and ferrying between those two connections.
Take the single-gap network scenario shown in Figure 1A as an example. When host A inside the trusted network needs to communicate across the gap device with host B in the untrusted network, the gap device first uses an address B' inside the trusted network (intranet) to proxy the destination address B in the untrusted network (external network). Host A then initiates the communication Socket1 with destination address B'; Socket1 is carried inside the trusted network and terminates inside the gap device. The gap device filters the communication data and creates translation table entries. If the gap device judges the flow to be secure, it uses a second socket, Socket2, to proxy A with an external-network address, initiating the communication Socket2 with destination address B and source address A', and ferries the content of Socket1 onto Socket2; Socket2 is carried inside the untrusted network and terminates at host B. If host B needs to reply, it replies on Socket2; after the gap device filters the reply data, it ferries the data onto Socket1 according to the translation table entries. The sockets above carry address and port information; through a socket, a host normally sends requests to, or answers requests from, its peer in the network.
Through this flow, the gap device splits the communication crossing between the trusted network and the untrusted network into two separate connections, one inside the trusted network and one inside the untrusted network, and performs data filtering and ferrying between them, so that the security of the communication data is guaranteed by the gap device. In addition, if the communication connection is initiated from the intranet, the forwarding table entries can be created dynamically; if it is initiated from the external network, static forwarding table entries must be configured on the gap device.
For communication that needs to cross two gap devices, take the two-gap network scenario shown in Figure 1B as an example: translation table entries must be statically configured on gap D. However, the port of Socket2, which gap C uses to proxy host A, is not fixed, so the translation table entry configured on gap D does not necessarily match Socket2, and gap C must therefore also be configured with static translation table entries. Consequently, in the prior art, communication that needs to cross two gap devices requires corresponding translation table entries to be configured on both gap devices, which makes device configuration and maintenance inconvenient.
Summary of the invention
The present invention provides a cross-gap communication method and communication system for conveniently realizing communication that needs to cross two gap devices.
To achieve this, the present invention provides a cross-gap communication method applied in a network comprising a first communication device and a second communication device, where the first communication device is located in a first network, the second communication device is located in a second network, the first network is isolated from the external network by a first gap device, and the second network is isolated from the external network by a second gap device. The method comprises:
when the first gap device receives a communication request from the first communication device to the second communication device, sending a request to a name resolution device to obtain the address of the second communication device according to the domain name of the second communication device;
the first gap device receiving the address of the second gap device, which the name resolution device returns according to the domain name of the second communication device;
the first gap device establishing a first service flow with the first communication device;
the first gap device establishing a second service flow with the second gap device according to the address of the second gap device, and establishing a first dynamic address/port translation mapping between the first service flow and the second service flow;
the second gap device establishing a third service flow with the second communication device, and establishing a second dynamic address/port translation mapping between the second service flow and the third service flow;
the first gap device, according to the first dynamic address/port translation mapping, and the second gap device, according to the second dynamic address/port translation mapping, realizing communication between the first communication device and the second communication device.
Further, before the first gap device receives the address of the second gap device that the name resolution device returns according to the domain name of the second communication device, the method also comprises:
storing on the name resolution device the name-resolution correspondence between the domain name of the second communication device and the address of the second gap device.
Further, the first gap device establishing the first service flow with the first communication device comprises:
the first gap device generating a first proxy address corresponding to the address of the second gap device and notifying the first communication device of it;
establishing the first service flow between the first gap device and the first communication device; in the address/port information of the first service flow, the source address is the address of the first communication device, the source port is the port that the first communication device uses to establish the first service flow, the destination address is the first proxy address on the first gap device, and the destination port is the port that the first gap device allocates to the first service flow.
Further, the first gap device establishing the second service flow with the second gap device according to the address of the second gap device comprises:
the first gap device sending the second gap device a request to allocate a destination port for the new service flow, and receiving the destination port allocated by the second gap device;
establishing the second service flow between the first gap device and the second gap device; in the address/port information of the second service flow, the source address is the address of the first gap device, the source port is the port used on the first gap device to establish the second service flow, the destination address is the address of the second gap device, and the destination port is the port that the second gap device allocates to the second service flow.
Further, the second gap device establishing the third service flow with the second communication device comprises:
the second gap device generating a second proxy address corresponding to the address of the second communication device;
the second gap device establishing the third service flow with the second communication device; in the address/port information of the third service flow, the source address is the second proxy address on the second gap device, the source port is the port that the second gap device allocates to the third service flow, the destination address is the address of the second communication device, and the destination port is the port used on the second communication device to establish the third service flow.
Further, the first gap device, according to the first dynamic address/port translation mapping, and the second gap device, according to the second dynamic address/port translation mapping, realizing communication between the first communication device and the second communication device comprises:
the first gap device, according to the first dynamic address/port translation mapping, converting the data sent by the first communication device in the first service flow into data in the second service flow and sending it to the second gap device, and converting the data sent by the second communication device in the second service flow into data in the first service flow and sending it to the first communication device;
the second gap device, according to the second dynamic address/port translation mapping, converting the data sent by the first communication device in the second service flow into data in the third service flow and sending it to the second communication device, and converting the data sent by the second communication device in the third service flow into data in the second service flow and sending it to the first gap device.
The present invention also provides a communication system comprising a first communication device and a second communication device, where the first communication device is located in a first network, the second communication device is located in a second network, the first network is isolated from the external network by a first gap device, and the second network is isolated from the external network by a second gap device:
the first gap device is configured to, when receiving a communication request from the first communication device to the second communication device, obtain the address of the second gap device and establish a first service flow with the first communication device; to establish a second service flow with the second gap device according to the address of the second gap device and establish a first dynamic address/port translation mapping between the first service flow and the second service flow; and to realize communication between the first communication device and the second communication device together with the second gap device according to the first dynamic address/port translation mapping;
the second gap device is configured to establish a third service flow with the second communication device and establish a second dynamic address/port translation mapping between the second service flow and the third service flow, and to realize communication between the first communication device and the second communication device together with the first gap device according to the second dynamic address/port translation mapping.
Specifically, the first gap device comprises an address acquisition unit, which receives from the first communication device the request to obtain the address of the second communication device according to the domain name of the second communication device, sends the request to the name resolution device, and receives the address of the second gap device that the name resolution device returns according to the domain name of the second communication device.
Further, the first gap device also comprises:
a first proxy address generation unit, configured to generate a first proxy address corresponding to the address of the second gap device and notify the first communication device of it;
a first service flow establishment unit, configured to establish the first service flow with the first communication device; in the address/port information of the first service flow, the source address is the address of the first communication device, the source port is the port that the first communication device uses to establish the first service flow, the destination address is the first proxy address on the first gap device, and the destination port is the port that the first gap device allocates to the first service flow.
Further, the first gap device also comprises:
a port acquisition unit, configured to send the second gap device a request to allocate a destination port for the new service flow and receive the destination port allocated by the second gap device;
a second service flow establishment unit, configured to establish the second service flow with the second gap device; in the address/port information of the second service flow, the source address is the address of the first gap device, the source port is the port used on the first gap device to establish the second service flow, the destination address is the address of the second gap device, and the destination port is the port that the second gap device allocates to the second service flow.
Further, the first gap device also comprises:
a first dynamic address/port translation mapping establishment unit, configured to establish the first dynamic address/port translation mapping between the first service flow and the second service flow;
a first forwarding unit, configured to convert, according to the first dynamic address/port translation mapping, the data sent by the first communication device in the first service flow into data in the second service flow and send it to the second gap device, and to convert the data sent by the second communication device in the second service flow into data in the first service flow and send it to the first communication device.
Further, the second gap device comprises:
a port allocation unit, configured to allocate a destination port to the second service flow according to the request of the first gap device;
a second proxy address generation unit, configured to generate a second proxy address corresponding to the address of the second communication device;
a third service flow establishment unit, configured to establish the third service flow with the second communication device; in the address/port information of the third service flow, the source address is the second proxy address on the second gap device, the source port is the port that the second gap device allocates to the third service flow, the destination address is the address of the second communication device, and the destination port is the port used on the second communication device to establish the third service flow.
Further, the second gap device also comprises:
a second dynamic address/port translation mapping establishment unit, configured to establish the second dynamic address/port translation mapping between the first service flow and the second service flow;
a second forwarding unit, configured to convert, according to the second dynamic address/port translation mapping, the data sent by the first communication device in the second service flow into data in the third service flow and send it to the second communication device, and to convert the data sent by the second communication device in the third service flow into data in the second service flow and send it to the first gap device.
Further, the system also comprises:
a name resolution device, configured to store the name-resolution correspondence between the domain name of the second communication device and the address of the second gap device. Compared with the prior art, the present invention has the following advantages:
By establishing a dynamic address/port translation mapping for the service flows between the two gap devices, linked communication between communication devices across two gap devices is realized. This process needs no manual static configuration of translation table entries on the two gap devices, so configuration is more flexible and the gap devices are easier to configure and maintain.
Description of drawings
To explain the technical solution of the embodiments of the invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1A is a schematic diagram of a prior-art network scenario with a single gap device;
Figure 1B is a schematic diagram of a prior-art network scenario with two gap devices;
Fig. 2 is a flow chart of the cross-gap communication method of the present invention;
Fig. 3 is a schematic diagram of an application scenario of the cross-gap communication method of the present invention;
Fig. 4A and Fig. 4B are schematic diagrams of the cross-gap communication method in the application scenario of the present invention;
Fig. 5 is a structural diagram of the first gap device in the communication system of the present invention;
Fig. 6 is a structural diagram of the second gap device in the communication system of the present invention.
Embodiment
The technical solution of the embodiments of the invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The embodiment of the invention provides a cross-gap communication method applied in a network comprising a first communication device and a second communication device, where the first communication device is located in a first network, the second communication device is located in a second network, the first network is isolated from the external network by a first gap device, and the second network is isolated from the external network by a second gap device. As shown in Figure 2, the method comprises:
Step s201: when the first gap device receives a communication request from the first communication device to the second communication device, it obtains the address of the second gap device and establishes a first service flow with the first communication device.
Step s202: the first gap device establishes a second service flow with the second gap device according to the address of the second gap device, and establishes a first dynamic address/port translation mapping between the first service flow and the second service flow.
Step s203: the second gap device establishes a third service flow with the second communication device, and establishes a second dynamic address/port translation mapping between the second service flow and the third service flow.
Step s204: the first gap device, according to the first dynamic address/port translation mapping, and the second gap device, according to the second dynamic address/port translation mapping, realize communication between the first communication device and the second communication device.
In the present invention, the first dynamic address/port translation mapping is established on the first gap device between the first service flow and the second service flow, and the second dynamic address/port translation mapping is established on the second gap device between the second service flow and the third service flow. Through the dynamic address/port translation mappings established between these service flows, linked communication between communication devices across two gap devices is realized, avoiding the troublesome manual static configuration of translation table entries on the gap devices.
The embodiment of the cross-gap communication method of the present invention is described below with a concrete application scenario. Take the application scenario shown in Figure 3 as an example, which comprises host A located in trusted network Domain1 and host B located in trusted network Domain2. Trusted network Domain1 is isolated from the external network by gap C, and trusted network Domain2 is isolated from the external network by gap D; the DNS proxy function is enabled on gap C and gap D. Host A and host B register the domain names HostA.domain1 and HostB.domain2 respectively on the DNS server of the external network, and the corresponding IP addresses are the public-network addresses IPC of gap C and IPD of gap D respectively.
As shown in Fig. 4A and Fig. 4B, the communication method of the present invention between host A and host B comprises:
Step s401: when host A accesses host B through the domain name HostB.domain2, it requests the IP address of HostB.domain2 from gap C.
Step s402: gap C requests the IP address of HostB.domain2 from the DNS (Domain Name System) server.
Step s403: the DNS server replies to gap C that the IP address corresponding to HostB.domain2 is the public-network address IPD of gap D. Steps s402 to s403 require gap C to have the DNS proxy function. Besides DNS, host A can also use another name resolution service, such as NetBIOS, to obtain the address of host B; gap C and gap D then need to enable the corresponding proxy function.
Step s404: gap C replies to host A with the intranet address IPB', and stores the correspondence between IPB' and IPD.
Specifically, gap C has an intranet address pool and allocates a private-network IP address to each destination host. After gap C obtains the address IPD returned by the DNS server, it generates an intranet address IPB' to proxy B, which will accept the socket coming from host A, and replies with the intranet address IPB' to host A, so that host A believes that "the IP address corresponding to HostB.domain2 is IPB'". In addition, gap C must also store the correspondence between IPB' and IPD in order to distinguish the destination addresses of different flows when it receives them.
Step s405: host A sends the service flow Socket1. In the address/port information of Socket1, the source address is the address IPA of host A, the source port is the port SrcPort1 that host A uses to establish Socket1, the destination address is the proxy address IPB' on gap C, and the destination port is the port DstPort1 that gap C allocates to Socket1. Host A believes that IPB' is the real destination address and DstPort1 the real destination port.
Step s406: after gap C receives the service flow of Socket1, it applies security processing such as filtering and then forwards the service flow of Socket1 on the untrusted network.
Specifically, gap C first buffers the flow and allocates a public-network source port number SrcPort2 to create Socket2. At the same time, according to the correspondence between IPB' and IPD stored in step s404, gap C sends a request message to gap D at destination address IPD, requesting gap D to allocate an external-network destination port number for "IPC:SrcPort2 + domain name HostB.domain2:DstPort1". The request message also carries a request ID, used to distinguish different requests from different gap devices.
Step s407: gap D replies to gap C with the external-network destination port number DstPort2 of host B.
After gap D receives the request, if the proxy requirements are satisfied, it allocates the external-network destination port number DstPort2 for "HostB.domain2" and also generates the intranet IP address IPA' used to proxy A and the intranet source port SrcPort3 used to proxy A. It then creates the following translation table entry:
[Table image: translation table entry created on gap D]
Gap D then replies to gap C; the reply contains the request ID and the external-network destination port number DstPort2 of host B.
In this step, gap D can also first authenticate the source address of the request message from gap C, to confirm whether gap C is authorized to apply for an external-network destination port. The authorization check can include: whether gap C belongs to the gap devices locally configured as requiring linked communication, or whether gap C and this device belong to the same security association. In addition, gap D can authenticate the domain name of host B that the request wants to connect to, to determine whether external-network communication should be opened for host B. This check can include: whether the local configuration requires linked gap communication for host B, and whether host B belongs to a certain security association.
Step s408: after gap C receives the reply from gap D, it generates the service flow Socket2. In the address/port information of Socket2, the source address is the address IPC of gap C, the source port is the port SrcPort2 used on gap C to establish Socket2, the destination address is the address IPD of gap D, and the destination port is the port DstPort2 that gap D allocated to Socket2. Gap C then ferries the data on Socket1 to Socket2 and creates the following table entry:
[Table image: translation table entry created on gap C between Socket1 and Socket2]
This translation table entry can be regarded as the first dynamic address/port translation mapping between the service flow of Socket1 and the service flow of Socket2.
Step s409: gap D receives the data of Socket2 from the untrusted network, applies security processing such as filtering, creates the service flow Socket3 according to the translation table entry generated in step s407, and ferries the data on Socket2 to Socket3. In the address/port information of Socket3, the source address is the proxy address IPA' on gap D, the source port is the port SrcPort3 that gap D allocated to Socket3, the destination address is the address IPB, and the destination port is the port DstPort1 used on IPB to establish Socket3.
In addition, the step in which gap D creates the translation table entry in step s407 above can also be performed in this step. This translation table entry can be regarded as the second dynamic address/port translation mapping between the service flow of Socket2 and the service flow of Socket3.
Step s410: if host B needs to respond, it sends the response data to IPA' on Socket3.
Step s411: gap D applies security processing such as filtering to the response data on Socket3, then ferries it to Socket2 and sends it to IPC.
Step s412: gap C applies security processing such as filtering to the data on Socket2, then ferries it to Socket1 and sends it to IPA.
In addition; In the communication process of above-mentioned gateway C and gateway D; Because communication is in insecure network, to carry out, therefore can carry out data encryption technologys such as IPSec to the Content of Communication between gateway C and gateway D, and through IKE (Internet Key Exchange; Internet key exchange) dynamic negotiation and more new key are with the fail safe that guarantees to communicate by letter between gateway.For initiatively initiate by host B with the communicating by letter of host A, the similar process with shown in above-mentioned Fig. 4 A and Fig. 4 B is not repeated in this description at this.
In the method provided by the invention,, realized crossing over the interlock communication between the communication equipment of two gateways through setting up the address port dynamic translation relation of two Business Streams between the gateway equipment.This process need not manual static configuration transformation table entries on two gateway equipment, disposes more flexibly, is convenient to gateway configuration of devices and maintenance.
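The three service flows and the two dynamic translation relations of steps s407 to s412 above, including the authority check gateway D applies before allocating a port and the return path of steps s410 to s412, as an added simulation that is not code from the patent or from H3C. The gateway names, the addresses, the port counter and the proxy address names are constructed for the example, and the IPSec/IKE protection between the two gateways is not modelled.

```python
"""Simulation of the cross-GAP dynamic address/port translation described above.

Added illustration, not code from the patent or from H3C. Gateway names,
addresses and ports are constructed for the example; IPSec/IKE between the
two GAP devices is out of scope and not modelled.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Address-port information of one service flow (a 'Socket' in the text)."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The same flow as seen from the responder (host B -> IPA', etc.)."""
        return Flow(self.dst_addr, self.dst_port, self.src_addr, self.src_port)


class GapDevice:
    """A GAP device holding dynamically created translation table entries."""

    def __init__(self, name: str, addr: str, linked_peers: Tuple[str, ...] = ()):
        self.name = name
        self.addr = addr
        # Gateways locally configured for linked communication (the
        # authority check of step s407): only these may request a port.
        self.linked_peers = set(linked_peers)
        self.table: Dict[Flow, Flow] = {}
        self._next_port = 20000  # constructed port counter for the example

    def allocate_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def handle_port_request(self, requester_addr: str) -> Optional[int]:
        """Step s407 on the far GAP device: authenticate the requesting
        gateway, then allocate a destination port for the new service flow.
        Returns None when the requester is not a configured linked peer."""
        if requester_addr not in self.linked_peers:
            return None
        return self.allocate_port()

    def add_translation(self, inbound: Flow, outbound: Flow) -> None:
        """Create the dynamic translation entry in both directions so that
        responses ferry back along the same pair of flows."""
        self.table[inbound] = outbound
        self.table[outbound.reverse()] = inbound.reverse()

    def ferry(self, flow: Flow) -> Optional[Flow]:
        """Ferry data from one flow to its translated flow. Data on a flow
        with no entry is dropped: there are no static entries, so only flows
        created through the negotiation above can cross the GAP."""
        return self.table.get(flow)


def set_up_linked_session(gw_c: GapDevice, gw_d: GapDevice,
                          host_a: str, host_a_port: int, proxy_in_c: str,
                          host_b: str, host_b_port: int, proxy_in_d: str
                          ) -> Optional[Tuple[Flow, Flow, Flow]]:
    """Build Socket1, Socket2 and Socket3 and the two translation relations.

    proxy_in_c is the proxy address gateway C hands to host A in place of
    the far side; proxy_in_d is the proxy address IPA' used by gateway D.
    Returns None if gateway D refuses to allocate a port for gateway C.
    """
    # Socket1: host A -> proxy address in gateway C (port chosen by C).
    socket1 = Flow(host_a, host_a_port, proxy_in_c, gw_c.allocate_port())
    # Steps s407/s408: gateway C asks gateway D for a destination port.
    dst_port2 = gw_d.handle_port_request(gw_c.addr)
    if dst_port2 is None:
        return None
    # Socket2: IPC:SrcPort2 -> IPD:DstPort2 across the untrusted network.
    socket2 = Flow(gw_c.addr, gw_c.allocate_port(), gw_d.addr, dst_port2)
    gw_c.add_translation(socket1, socket2)  # first dynamic translation relation
    # Socket3 (step s409): IPA':SrcPort3 -> IPB:DstPort1 inside network B.
    socket3 = Flow(proxy_in_d, gw_d.allocate_port(), host_b, host_b_port)
    gw_d.add_translation(socket2, socket3)  # second dynamic translation relation
    return socket1, socket2, socket3


if __name__ == "__main__":
    c = GapDevice("gateway C", "203.0.113.1")
    d = GapDevice("gateway D", "203.0.113.2", linked_peers=("203.0.113.1",))
    s1, s2, s3 = set_up_linked_session(c, d, "10.0.0.5", 40000, "10.0.0.200",
                                        "192.168.1.5", 80, "192.168.1.200")
    # Request path: host A -> C -> D -> host B (steps s408/s409).
    assert c.ferry(s1) == s2 and d.ferry(s2) == s3
    # Response path: host B -> D -> C -> host A (steps s410 to s412).
    assert d.ferry(s3.reverse()) == s2.reverse()
    assert c.ferry(s2.reverse()) == s1.reverse()
    print("request reaches", s3.dst_addr, s3.dst_port, "from", s3.src_addr)
```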
The present invention also provides a communication system comprising a first communication device and a second communication device, the first communication device being located in a first network and the second communication device in a second network, where the first network is isolated from the external network through a first GAP device and the second network is isolated from the external network through a second GAP device, characterized in that:
the first GAP device is configured to, on receiving a communication request from the first communication device to the second communication device, obtain the address of the second GAP device and establish a first service flow with the first communication device; establish, according to the address of the second GAP device, a second service flow with the second GAP device, and establish a first address-port dynamic translation relation between the first service flow and the second service flow; and realize, together with the second GAP device, communication between the first communication device and the second communication device according to the first address-port dynamic translation relation;
the second GAP device is configured to establish a third service flow with the second communication device and establish a second address-port dynamic translation relation between the second service flow and the third service flow; and realize, together with the first GAP device, communication between the first communication device and the second communication device according to the second address-port dynamic translation relation.
The system may further comprise a domain name resolution device for storing the domain name resolution mapping between the domain name of the second communication device and the address of the second GAP device, and the domain name resolution mapping between the domain name of the first communication device and the address of the first GAP device.
The structure of the first GAP device is shown schematically in Figure 5; the first GAP device 10 may comprise:
an address acquisition unit 11, configured to receive from the first communication device a request to obtain the address of the second communication device according to the domain name of the second communication device, send a request to the domain name resolution device, and receive the address of the second GAP device that the domain name resolution device returns according to the domain name of the second communication device;
a first proxy address generation unit 12, configured to generate a first proxy address corresponding to the address of the second GAP device and notify the first communication device of it;
a first service flow establishment unit 13, configured to establish a first service flow with the first communication device; in the address-port information of the first service flow, the source address is the address of the first communication device, the source port is the port used by the first communication device to establish the first service flow, the destination address is the first proxy address in the first GAP device, and the destination port is the port that the first GAP device allocated for the first service flow;
a port acquisition unit 14, configured to send the second GAP device a request to allocate a destination port for a new service flow and receive the destination port allocated by the second GAP device;
a second service flow establishment unit 15, configured to establish a second service flow with the second GAP device; in the address-port information of the second service flow, the source address is the address of the first GAP device, the source port is the port used in the first GAP device to establish the second service flow, the destination address is the address of the second GAP device, and the destination port is the port that the second GAP device allocated for the second service flow;
a first address-port dynamic translation relation establishment unit 16, configured to establish the first address-port dynamic translation relation between the first service flow and the second service flow;
a first forwarding unit 17, configured to convert, according to the first address-port dynamic translation relation, data sent by the first communication device in the first service flow into data in the second service flow and send it to the second GAP device, and to convert data sent by the second communication device in the second service flow into data in the first service flow and send it to the first communication device.
The structure of the second GAP device is shown schematically in Figure 6; the second GAP device 20 may comprise:
a port allocation unit 21, configured to allocate a destination port for the second service flow according to the request from the first GAP device;
a second proxy address generation unit 22, configured to generate a second proxy address corresponding to the address of the second communication device;
a third service flow establishment unit 23, configured to establish a third service flow with the second communication device; in the address-port information of the third service flow, the source address is the second proxy address in the second GAP device, the source port is the port that the second GAP device allocated for the third service flow, the destination address is the address of the second communication device, and the destination port is the port used on the second communication device to establish the third service flow;
a second address-port dynamic translation relation establishment unit 24, configured to establish the second address-port dynamic translation relation between the second service flow and the third service flow;
a second forwarding unit 25, configured to convert, according to the second address-port dynamic translation relation, data sent by the first communication device in the second service flow into data in the third service flow and send it to the second communication device, and to convert data sent by the second communication device in the third service flow into data in the second service flow and send it to the first GAP device.
In the system and devices provided by the invention, linked communication between communication devices separated by two GAP devices is realized by establishing address-port dynamic translation relations for the service flows between the two GAP devices. This process does not require manual static configuration of translation table entries on the two GAP devices, so configuration is more flexible, and configuration and maintenance of the GAP devices are made easier.
The modules above may be located in one device or distributed across multiple devices. The modules above may be merged into one module or further split into multiple sub-modules.
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented by hardware, or by software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, or portable hard disk) and includes instructions that cause a computer device (such as a personal computer, server, or network device) to perform the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or processes in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be distributed in the device of the embodiment as described, or may be correspondingly changed and located in one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into multiple sub-modules.
The sequence numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
The above disclosure is merely several specific embodiments of the present invention; however, the present invention is not limited thereto, and any variation that those skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims (13)

1. A cross-GAP communication method, applied in a network comprising a first communication device and a second communication device, said first communication device being located in a first network and said second communication device being located in a second network, said first network being isolated from the external network through a first GAP device and said second network being isolated from the external network through a second GAP device, characterized in that said communication method comprises:
when said first GAP device receives a communication request from said first communication device to said second communication device, sending to a domain name resolution device a request to obtain the address of said second communication device according to the domain name of the second communication device;
said first GAP device receiving the address of said second GAP device that the domain name resolution device returns according to the domain name of said second communication device;
said first GAP device establishing a first service flow with said first communication device;
said first GAP device establishing, according to the address of said second GAP device, a second service flow with said second GAP device, and establishing a first address-port dynamic translation relation between said first service flow and said second service flow;
said second GAP device establishing a third service flow with said second communication device, and establishing a second address-port dynamic translation relation between said second service flow and said third service flow;
said first GAP device, according to said first address-port dynamic translation relation, and said second GAP device, according to said second address-port dynamic translation relation, realizing communication between said first communication device and the second communication device.
2. The method of claim 1, characterized in that said first GAP device receiving the address of said second GAP device that the domain name resolution device returns according to the domain name of said second communication device further comprises:
storing, on the domain name resolution device, the domain name resolution mapping between the domain name of said second communication device and the address of said second GAP device.
3. The method of claim 1, characterized in that said first GAP device establishing a first service flow with said first communication device comprises:
said first GAP device generating a first proxy address corresponding to the address of said second GAP device and notifying said first communication device of it;
establishing a first service flow between said first GAP device and said first communication device, wherein in the address-port information of said first service flow, the source address is the address of the first communication device, the source port is the port used by the first communication device to establish said first service flow, the destination address is said first proxy address in said first GAP device, and the destination port is the port that said first GAP device allocated for said first service flow.
4. The method of claim 3, characterized in that said first GAP device establishing, according to the address of said second GAP device, a second service flow with said second GAP device comprises:
said first GAP device sending said second GAP device a request to allocate a destination port for a new service flow, and receiving the destination port allocated by said second GAP device;
establishing a second service flow between said first GAP device and said second GAP device, wherein in the address-port information of said second service flow, the source address is the address of the first GAP device, the source port is the port used in the first GAP device to establish said second service flow, the destination address is the address of said second GAP device, and the destination port is the port that said second GAP device allocated for said second service flow.
5. The method of claim 4, characterized in that said second GAP device establishing a third service flow with said second communication device comprises:
said second GAP device generating a second proxy address corresponding to the address of said second communication device;
said second GAP device establishing a third service flow with said second communication device, wherein in the address-port information of said third service flow, the source address is said second proxy address in said second GAP device, the source port is the port that said second GAP device allocated for said third service flow, the destination address is the address of said second communication device, and the destination port is the port used on said second communication device to establish said third service flow.
6. The method of claim 1, characterized in that said first GAP device, according to said first address-port dynamic translation relation, and said second GAP device, according to said second address-port dynamic translation relation, realizing communication between said first communication device and the second communication device comprises:
said first GAP device, according to said first address-port dynamic translation relation, converting data sent by said first communication device in said first service flow into data in said second service flow and sending it to said second GAP device, and converting data sent by said second communication device in said second service flow into data in said first service flow and sending it to said first communication device;
said second GAP device, according to said second address-port dynamic translation relation, converting data sent by said first communication device in said second service flow into data in said third service flow and sending it to said second communication device, and converting data sent by said second communication device in said third service flow into data in said second service flow and sending it to said first GAP device.
7. A communication system comprising a first communication device and a second communication device, said first communication device being located in a first network and said second communication device being located in a second network, said first network being isolated from the external network through a first GAP device and said second network being isolated from the external network through a second GAP device, characterized in that:
said first GAP device is configured to, on receiving a communication request from said first communication device to said second communication device, obtain the address of said second GAP device and establish a first service flow with said first communication device; establish, according to the address of said second GAP device, a second service flow with said second GAP device, and establish a first address-port dynamic translation relation between said first service flow and said second service flow; and realize, together with said second GAP device, communication between said first communication device and the second communication device according to said first address-port dynamic translation relation;
said second GAP device is configured to establish a third service flow with said second communication device, and establish a second address-port dynamic translation relation between said second service flow and said third service flow; and realize, together with said first GAP device, communication between said first communication device and the second communication device according to said second address-port dynamic translation relation;
specifically, said first GAP device comprises an address acquisition unit, which receives from said first communication device a request to obtain the address of said second communication device according to the domain name of said second communication device, sends a request to a domain name resolution device, and receives the address of said second GAP device that the domain name resolution device returns according to the domain name of said second communication device.
8. The communication system of claim 7, characterized in that said first GAP device further comprises:
a first proxy address generation unit, configured to generate a first proxy address corresponding to the address of said second GAP device and notify said first communication device of it;
a first service flow establishment unit, configured to establish a first service flow with said first communication device, wherein in the address-port information of said first service flow, the source address is the address of the first communication device, the source port is the port used by the first communication device to establish said first service flow, the destination address is said first proxy address in said first GAP device, and the destination port is the port that said first GAP device allocated for said first service flow.
9. The communication system of claim 8, characterized in that said first GAP device further comprises:
a port acquisition unit, configured to send said second GAP device a request to allocate a destination port for a new service flow and receive the destination port allocated by said second GAP device;
a second service flow establishment unit, configured to establish a second service flow with said second GAP device, wherein in the address-port information of said second service flow, the source address is the address of the first GAP device, the source port is the port used in the first GAP device to establish said second service flow, the destination address is the address of said second GAP device, and the destination port is the port that said second GAP device allocated for said second service flow.
10. The communication system of claim 8 or 9, characterized in that said first GAP device further comprises:
a first address-port dynamic translation relation establishment unit, configured to establish the first address-port dynamic translation relation between said first service flow and said second service flow;
a first forwarding unit, configured to convert, according to said first address-port dynamic translation relation, data sent by said first communication device in said first service flow into data in said second service flow and send it to said second GAP device, and to convert data sent by said second communication device in said second service flow into data in said first service flow and send it to said first communication device.
11. The communication system of claim 7, characterized in that said second GAP device comprises:
a port allocation unit, configured to allocate a destination port for the second service flow according to the request from said first GAP device;
a second proxy address generation unit, configured to generate a second proxy address corresponding to the address of said second communication device;
a third service flow establishment unit, configured to establish a third service flow with said second communication device, wherein in the address-port information of said third service flow, the source address is said second proxy address in said second GAP device, the source port is the port that said second GAP device allocated for said third service flow, the destination address is the address of said second communication device, and the destination port is the port used on said second communication device to establish said third service flow.
12. The communication system of claim 11, characterized in that said second GAP device further comprises:
a second address-port dynamic translation relation establishment unit, configured to establish the second address-port dynamic translation relation between said second service flow and said third service flow;
a second forwarding unit, configured to convert, according to said second address-port dynamic translation relation, data sent by said first communication device in said second service flow into data in said third service flow and send it to said second communication device, and to convert data sent by said second communication device in said third service flow into data in said second service flow and send it to said first GAP device.
13. The communication system of claim 7, characterized in that it further comprises:
a domain name resolution device, configured to store the domain name resolution mapping between the domain name of said second communication device and the address of said second GAP device.
CN2009100002152A 2009-01-13 2009-01-13 Cross-GAP communication method and communication system using same Expired - Fee Related CN101447956B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100002152A CN101447956B (en) 2009-01-13 2009-01-13 Cross-GAP communication method and communication system using same


Publications (2)

Publication Number Publication Date
CN101447956A CN101447956A (en) 2009-06-03
CN101447956B true CN101447956B (en) 2012-01-04

Family

ID=40743362


Legal Events

Code  Title / Description
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CP03  Change of name, title or address
      Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
      Patentee after: Xinhua three Technology Co., Ltd.
      Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
      Patentee before: Huasan Communication Technology Co., Ltd.
CF01  Termination of patent right due to non-payment of annual fee
      Granted publication date: 20120104
      Termination date: 20200113