WO2020154865A1 - Progressive ip removal method and system supporting multi-mode identifier network addressing and storage medium - Google Patents


Info

Publication number
WO2020154865A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
identity
user
content
identification
Application number
PCT/CN2019/073507
Other languages
French (fr)
Chinese (zh)
Inventor
李挥
邬江兴
张昕淳
兰巨龙
徐恪
陈世胜
魏进武
伊鹏
陆以勤
马军锋
李胜飞
蒲敏谦
张云勇
陈孟尝
朱江
刘文印
韩永祥
侯韩旭
胡嘉伟
李文军
杨昕
王菡
邢凯轩
Original Assignee
北京大学深圳研究生院
国家数字交换系统工程技术研究中心
中国电信股份有限公司深圳分公司
中国联合网络通信有限公司研究院
Application filed by 北京大学深圳研究生院, 国家数字交换系统工程技术研究中心, 中国电信股份有限公司深圳分公司, 中国联合网络通信有限公司研究院
Priority to PCT/CN2019/073507
Priority to CN201980005057.1A (CN111373704B)
Publication of WO2020154865A1

Classifications

    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees
    • H04L 45/54 Routing or path finding of packets in data switching networks; organization of routing tables
    • H04L 45/745 Routing or path finding of packets in data switching networks; address processing for routing; address table lookup; address filtering
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L 63/0861 Network architectures or network communication protocols for network security; authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 67/10 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network

Definitions

  • The present invention relates to the field of computers, and in particular to a method, system and storage medium that support multi-mode identifier network addressing while progressively removing IP.
  • The Internet has become an indispensable part of social development. As a carrier of information, it has penetrated every field of human life, including national politics, economic development, culture, education and medical health.
  • The core service of the Internet is the domain name resolution service, which completes the mapping between IP addresses and target servers.
  • The Cisco report predicts that the global mobile phone share will be 69% in 2019 and that wireless data traffic will reach 292 billion GB, of which streaming media will account for about 80%.
  • CCN shifts the traditional focus on server and host IP addresses to the question of whether the content of the data meets the requirements. Users no longer care which host provides the service, only how to get the data faster, more accurately and more efficiently. In this age when content is king, researchers have therefore devised a content-based network architecture. After several years of development, significant results have been achieved in the CCN architecture and test bed construction. However, because its network architecture is so disruptive, there are many technical difficulties in deploying it, especially at large scale. CCN builds the entire network around content alone and does not consider the reasonable planning and application of user identifiers and satellite ground-air identifiers in the coming Internet of Everything era, which leaves it insufficiently scalable when facing different business processes. At the same time, CCN does not manage the security of content reasonably and cannot solve the data leakage problems of the present-day IP network.
  • DNS resolution: the domain name resolution service is the most important core service of the Internet. Through DNS, users can access the Internet more conveniently, without having to remember IP addresses that machines read directly but that humans find hard to understand and remember.
  • The DNS protocol is an application layer protocol that runs on top of UDP, using port number 53.
  • DNS uses a tree-like directory structure to distribute the management of host names among different levels of DNS servers. Through this hierarchical management strategy, rapid resolution and access between IP addresses and domain names is realized at the current stage.
  • The general structure of an Internet host domain name is: host name.third-level domain name.second-level domain name.top-level domain name.
  • The top-level domain names of the Internet are registered and managed by the Internet Network Association Domain Name Registration and Inquiry Committee (ICANN), which is responsible for network address allocation. It also assigns a unique IP address to each host on the Internet.
  • ICANN: Internet Network Association Domain Name Registration and Inquiry Committee.
  • The resolution process is roughly as follows: when a DNS user needs to query a name used in a program, it asks the local DNS server to resolve the name. Each query message sent by the user includes 3 pieces of information that specify the question the server should answer.
  • DNS queries are resolved in a variety of ways. Users can sometimes answer queries on the spot by using cached information obtained from previous queries.
  • The DNS server can answer the query from its own cache of resource records, and can also query or contact other DNS servers on behalf of the requesting user to completely resolve the name, then return the response to the user.
  • DNS domain name management
  • The DNS system is a centralized recursive architecture, which makes it vulnerable to DDoS and other network attacks.
  • Privacy issues: the Internet at this stage lacks effective privacy protection strategies, which has led to serious data theft and abuse.
  • The present invention provides a method that supports multi-mode identifier network addressing while progressively removing IP, characterized in that it includes constructing a network that is divided into hierarchical network domains from top to bottom, wherein the top-level domain of the network is divided by country.
  • The government agencies of each country act as top-level identifier management nodes and form a global alliance to jointly manage the generation, registration and resolution of identifiers. All network resources in the network are locked on the blockchain; the first-level domain and the levels below it are managed by the corresponding administrative or professional institutions, and the identifier management methods, identifier registration schemes and consensus algorithms within a domain can differ;
  • Each domain has a corresponding network supervision node.
  • The network supervision node is responsible for user management, identifier registration, inter-identifier intercommunication and identifier routing services in the domain.
  • Each network supervision node holds multi-mode identifiers for content network identification, spatial geographic location identification, identity information and IP address; upper and lower domains use network supervision nodes as data access interfaces to achieve hierarchical data transmission; individual users include individual users in the traditional sense and the terminal nodes of the Internet of Things era, which are network access nodes with mobile characteristics.
  • Enterprise users include government agencies, professional institutions, companies and organizations with content publishing rights;
  • The network supports network layer routing addressing in which multiple identifiers, including identity, content, geographic location and IP address, coexist, and the content identifiers of all resources in the network are bound to the publisher's identity.
  • The geographic location identifier of the user when logging in to the network, and the network resources accessed, are recorded on the blockchain of the domain's network supervision node for security supervision and data protection.
  • The method includes an identifier registration step and a network resource request step;
  • The identifier registration step includes:
  • Step 1, resource registration: the network node receives the user's resource registration content and adds the geospatial location identifier and the identity identifier of the content publisher according to the node where the content is stored;
  • Step 2, network node authentication: after the network node in this domain receives the identifier registration request transmitted by the user, it reviews the content and user information, registers the resource identifier, and then uploads the registration request for the generated identifier to the upper-level domain with the local identifier prefix added;
  • Step 3, identifier registration request transmission: after the upper-level network node receives the identifier registration request, it transmits the registration identifier message to the controller of its domain according to the set data transmission protocol for subsequent authentication and registration operations;
  • Step 4, identifier verification: after receiving the identifier registration request of its subordinate network domain, the network node in the top-level domain verifies the requested data and returns the corresponding confirmation signal to the original applying node; at the same time, it adopts the designed distributed storage scheme to ensure that no registered identifier can be tampered with. The original identifier information is stored in the distributed database of the top-level domain, and after a set time has passed, the entire network synchronizes the corresponding database to confirm that the resource identifier information held by each top-level domain is equal and unified;
  • The network resource request step includes:
  • Step A, query request: send a query request to the nearest network node;
  • Step B, local identifier data query: when the nearest multi-mode network node receives the user's request, it distinguishes according to the queried identifier. If it is an IP address, it continues the traditional DNS query process; if it is an identity or content identifier, it queries the forwarding table, which records whether the identified content exists in the local database. If so, the corresponding identified content is returned; otherwise go to step C;
  • Step C, query request transmission: when there is no corresponding identified content in the local database, the query request is uploaded to the upper-level network node. After receiving the query request from the next-level network node, the upper-level node follows steps A to B. If the corresponding identified content is found, it is returned to the next-level network node; otherwise the query request is passed on to the next upper-level network node, up to the top-level domain network node;
  • Step D, identifier query verification and intercommunication: if the top-level domain node finds the related registered identifier, it automatically issues the related shortest path according to the dynamic topology of the existing network; there are many related links along the forwarding line in the network.
  • The multi-mode network nodes receive the new forwarding path table and establish a data transmission path through multi-hop routing; if the node in the top-level domain does not find the corresponding identifier, it also queries the database for other network identifier information corresponding to the identifier and proceeds to step E;
  • Step E, issuing the identifier request: the network node in the top-level domain issues the query request to the specified network domain according to the original identifier and the first prefix after conversion, until it reaches the lowest-level network node specified by the query request for a local query; if the corresponding identified content is successfully found, the corresponding resource content is passed to the query requester, otherwise a query error message is returned.
  • The resources in the network system all have corresponding multiple identifiers that refer to their content name, publisher identity and spatial geographic location.
  • Through the binding and intercommunication between these identifiers, all parties in the network can effectively control and supervise the content publishing and access behavior of the Internet; at the same time, the multi-mode network identifiers are used directly in the addressing process of the network layer.
  • Through the dynamic matching and intercommunication technology of the multi-mode identifiers, users can choose between methods to deal with complex and changeable application requirements and network environments.
  • The addressing process is based on the following three types of identifier:
  • Content-name-oriented addressing: hierarchical character strings identify each resource in the network.
  • Multi-mode network nodes have forwarding information tables keyed by name that record the forwarding port information corresponding to each resource name; data transmission is user-driven: the content requester puts the content name into an interest message and sends it into the network; the multi-mode network node records the arrival port of the interest message in the pending interest table and queries the forwarding information table to forward the message until it reaches a content holder; by querying the pending interest table, the data packet containing the requested content is traced back to the requester along the arrival path of the interest message.
  • The content-name-oriented addressing process decouples the data itself from the specific location of the data, providing greater flexibility for the network system;
  • Identity-oriented addressing: an identity uniquely refers to a user locally or globally. The user's behavior on the network, including the publication of and access to network resources, is subject to the specific authority determined by its identity, and any behavior can be traced back to the user's identity information;
  • Location-oriented addressing: location information can represent not only geographic location in the real sense but also virtual location in an abstract space. To prevent ambiguity during addressing, the locations of two users in this system never coincide; the addressing process for spatial geographic location is: multi-mode network nodes calculate the geometric distance between each neighbor and the destination and greedily select the smallest one as the forwarding object.
  • The identity identifier includes the public key, the user's own certificate ID and the IMEI code of the mobile phone.
  • A security mechanism based on identifiers and a combined matrix is adopted.
  • The key management agency holds the private key matrix and distributes the users' private keys; the public key matrix is held by each network node and is used for data signature authentication; the key management agency uses the user's identity ID and the private key matrix $(r_{ij})$ to generate the user's private key.
  • Each identity ID uniquely generates a sequence of subscripts:
  • $\mathrm{GenerateSub}(ID) \rightarrow \{i_1, i_2, \ldots, i_l, j_1, j_2, \ldots, j_l\}$
  • $\mathrm{GenerateSub}(ID)$ is the function that generates subscripts from the identity ID; $i_1, i_2, \ldots, i_l$ are the row coordinates of the matrix and $j_1, j_2, \ldots, j_l$ are the column coordinates of the matrix;
  • The private key corresponding to the ID is the sum of the entries of the private key matrix selected by those subscripts:
  • $r_{ID} = \sum_{k=1}^{l} r_{i_k j_k}$, where $r_{ID}$ is the user's private key and $r_{i_k j_k}$ are the elements with row coordinates $i_1, \ldots, i_l$ and column coordinates $j_1, \ldots, j_l$ in the private key matrix $(r_{ij})$;
  • The public key corresponding to the ID can be calculated by the verifier from the public key matrix and the identity ID:
  • $R_{ID} = \sum_{k=1}^{l} R_{i_k j_k}$, where $R_{ID}$ is the user's public key and $R_{i_k j_k}$ are the elements with row coordinates $i_1, \ldots, i_l$ and column coordinates $j_1, \ldots, j_l$ in the public key matrix $(R_{ij})$;
  • $(r_{ID}, R_{ID})$ constitutes a private-public key pair. In this way, not only is the one-to-one binding between identity and public key completed, guaranteeing the supervisability and traceability of network behavior; the frequent public key request process is also saved, improving the actual performance of the network.
  • The method includes an intercommunication process between name and identity.
  • The name of the content is bound to the identity of the original publisher, and a verifiable extended form is adopted to identify network resources; the form consists of the following components:
  • UniqueID_A is the globally unique identity of publisher A, for which there is no collision; the user's public-private key pair is generated from this identity. SubID_A is the secondary identity used by A when publishing the content; the same user may have multiple identities. Name is a hierarchical content name. Sig(Name, PrK_A) is A's signature on the content name; when the content is received by a user or cached by a multi-mode network node, its signature must be verified to ensure its legitimacy. The prefix tree data structure is used to support the storage and query operations of names and identities. In the prefix tree, each edge from the root node corresponds to a user, and the globally unique identity identifier UniqueID_A refers to each user.
  • Each user node records the forwarding information table entries and spatial location information corresponding to the user.
  • The second layer of the prefix tree represents the multiple identities that each user has; if user A1 publishes the resource Name1, the corresponding name node is attached under that identity,
  • and the name node records the signature Sig(Name1, PrK_A1) as well as the forwarding information table entry and spatial location information corresponding to the name.
  • In this way the intercommunication between name and identity identifiers, or the mutual conversion between the multiple identities owned by the same user, can be completed.
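The combined-matrix key derivation and the signature-checked name registration in the prefix tree, as one added Python example that is not the patent's own code. The page fixes neither a group nor a signature scheme, so this example assumes an elliptic-curve group (secp256k1) in which the public matrix is R_ij = r_ij·G, so that the summed private and public keys stay a valid pair, a Schnorr-style signature for Sig(Name, PrK_A), and SHA-256 of the ID as GenerateSub; the matrix size and all identities and names are constructed.

```python
import hashlib
import secrets

# secp256k1 constants (a standard curve). The page never names a group, so using an
# elliptic-curve group, where R_ij = r_ij * G makes sums of keys correspond, is an assumption.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROWS, COLS, L = 8, 16, 8  # matrix shape and subscript count l (constructed, kept small for speed)


def ec_add(a, b):
    """Point addition on secp256k1; None stands for the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demonstration only)."""
    out = None
    while k:
        if k & 1:
            out = ec_add(out, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return out


def generate_sub(identity):
    """GenerateSub(ID): the l (i_k, j_k) subscript pairs derived from the identity string."""
    d = hashlib.sha256(identity.encode()).digest()
    return [(d[2 * k] % ROWS, d[2 * k + 1] % COLS) for k in range(L)]


class KeyManagementAgency:
    """Holds the private matrix (r_ij) and publishes the public matrix (R_ij) = (r_ij * G)."""
    def __init__(self):
        self.r = [[secrets.randbelow(N - 1) + 1 for _ in range(COLS)] for _ in range(ROWS)]
        self.R = [[ec_mul(v, G) for v in row] for row in self.r]

    def private_key(self, identity):
        """r_ID = sum of the selected private-matrix entries, reduced modulo the group order."""
        return sum(self.r[i][j] for i, j in generate_sub(identity)) % N


def public_key(R, identity):
    """R_ID = sum of the selected public-matrix entries; needs only the public matrix and the ID."""
    pk = None
    for i, j in generate_sub(identity):
        pk = ec_add(pk, R[i][j])
    return pk


def _challenge(commit, msg):
    raw = commit[0].to_bytes(32, "big") + commit[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N


def sign(sk, msg):
    """Schnorr-style Sig(msg, PrK): the page writes Sig(Name, PrK_A) without fixing a scheme."""
    k = secrets.randbelow(N - 1) + 1
    commit = ec_mul(k, G)
    return (commit, (k + _challenge(commit, msg) * sk) % N)


def verify(pk, msg, sig):
    commit, s = sig
    return ec_mul(s, G) == ec_add(commit, ec_mul(_challenge(commit, msg), pk))


class PrefixTree:
    """Root -> UniqueID_A -> SubID_A -> Name; a name node keeps Sig(Name, PrK_A), FIB entry, location."""
    def __init__(self, public_matrix):
        self.R = public_matrix  # verifiers derive R_ID locally, so no public key request is needed
        self.users = {}         # UniqueID -> {"fib", "location", "subids": {SubID: {Name: node}}}
        self.name_index = {}    # Name -> (UniqueID, SubID): the name -> identity conversion

    def add_user(self, uid, fib_port, location):
        self.users[uid] = {"fib": fib_port, "location": location, "subids": {}}

    def publish(self, uid, subid, name, sig, fib_port, location):
        """Attach a name node only if Sig(Name, PrK_A) verifies under the ID-derived public key."""
        if uid not in self.users or not verify(public_key(self.R, uid), name.encode(), sig):
            return False
        node = {"sig": sig, "fib": fib_port, "location": location}
        self.users[uid]["subids"].setdefault(subid, {})[name] = node
        self.name_index[name] = (uid, subid)
        return True

    def identity_of(self, name):
        return self.name_index.get(name)
```

Because the key management agency holds the whole private matrix, it can derive any user's private key (key escrow), so the private matrix is the root secret of the domain and its custody deserves the same care as a CA signing key.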
  • The method includes the conversion process between location, name and identity.
  • Each user corresponds to a unique real or virtual spatial geographic location identifier, and for a certain content name in the network, in order to reduce routing delay, its location identifier is set to "the position of the nearest node holding the content corresponding to the name", which is calculated and delivered by the upper control node; by recording the corresponding location information in the prefix tree, intercommunication from name and identity to spatial geographic location can be completed; to prevent the locations of users from colliding, a spatial-geographic-location-to-identity hash table completes the mapping between them.
  • The method includes user management and privacy protection policies.
  • User management and privacy protection policies: when any user terminal sends an identifier registration request in the network, it binds the corresponding identity information to ensure the normal operation of the network.
  • The user uses a specified hash function, with the user's identity information added, to generate an identity certificate.
  • The identity certificate serves as the user's proof of identity in the network, and the spatial geographic location identifier serves as the user's auxiliary identification information;
  • The system sends the user's public key to the network supervision node; the user then signs the identity registration request with its own identity certificate and sends the signature to the network supervision node together with the identity registration request; the network supervision node first uses the same hash function to verify the legitimacy of the user from the received identifier registration request, then decrypts the attached signature with the user's public key and compares the two hash values; if they are the same, the signature is confirmed to belong to the user;
  • The registration request is confirmed by the network supervision node.
  • The system stores the user's identity certificate in distributed data to ensure that the identified content can be traced and supervised in the future; the system classifies the network content published by users, and when a user accesses network resources, the access authority is determined based on the visitor's identity information.
  • The method includes the step of an individual user accessing the network.
  • Individual user accessing the network: when the user accesses the network system through the traditional Internet, the network node records the MAC address of the user terminal as an identity identifier and stores it in the network; it also records the spatial geographic location of the user terminal in the form of three-dimensional coordinates. For mobile phone users, the IMEI code of the mobile phone is recorded at the same time as part of the identity authentication information.
  • Corresponding gateway equipment is installed at the border of each network domain to ensure that users can access Internet resources through a variety of network identifiers; when users access the network through the new network identifier, the relevant identity information is stored in the user's local node, including but not limited to the user's fingerprint, iris and other biometric information from which the user's identity can be traced. This identity information is only stored locally in the user node to generate user signatures and is not transmitted in the multi-mode identifier network; at the same time, the identity of the individual user is combined with the various content identifiers it publishes, and its identity is used as an addressing identifier for the network content, which lets other nodes in the network address network resources directly through user identifiers and improves the efficiency of network resource query.
  • The method includes the step of an enterprise user accessing the network.
  • The enterprise user binds the identity identification code issued by the government or a professional organization as its identity identifier to log on to the network; the network resources it publishes are also bound to its corporate identity information, and the network resources issued by corporate users and the spatial geographic location identifier of the server are recorded on the blockchain of the domain's network supervision node for security supervision and data protection.
  • The present invention also provides a system supporting multi-mode identifier network addressing while progressively removing IP, including a memory, a processor and a computer program stored in the memory, the computer program being configured to implement the steps of the method described in the present invention when called by the processor.
  • The present invention also provides a computer-readable storage medium that stores a computer program, the computer program being configured to implement the steps of the method of the present invention when called by a processor.
  • The present invention proposes a new network multi-mode identifier generation, management and routing addressing system that integrates blockchain, and uses multi-mode identifier dynamic adaptation and intercommunication technology to break through the performance and security bottlenecks of the existing network's thin IP-layer waist; it uses distributed blockchain consensus algorithms to realize the original wish of Internet co-management and co-governance, and all network resources of the network are locked on the blockchain to ensure that they are authentic and not tampered with; high-performance, low-overhead distributed storage technology is used to make multi-mode identifier routing secure and tamper-proof;
  • The introduction of user real-name registration and network login management strategies, combined with biometric identity information and signature strategies for privacy protection, reduces system management costs and improves the privacy and security of access node information.
  • Figure 1 is a diagram of the overall architecture of the present invention.
  • Figure 2 is a schematic diagram of the security mechanism based on the identity identification and the combined matrix of the present invention.
  • Figure 3 is a schematic diagram of the data structure of the prefix tree of the present invention.
  • Multi-mode identifier network: a network in which multiple routing identifiers coexist.
  • The coexistence of multiple routes refers to establishing network routing processes that satisfy various constraint attributes based on a specific addressing mode (polymorphic addressing). It mainly supports the coexistence of multiple network architectures to meet the needs of multiple application services.
  • SDN: Software Defined Network
  • CCN: Content-Centric Networking
  • NDN: Named Data Networking.
  • The name is used as the network routing identifier, and content is cached by multi-mode network nodes, so that data transmission is faster and the retrieval efficiency of content is improved.
  • the present invention discloses a method for supporting multi-mode identification network addressing to gradually remove IP.
  • Figure 1 shows the overall network architecture of the present invention.
  • the entire new multi-mode identification network system is divided into hierarchical network domains from top to bottom. .
  • the top-level domains of the network are managed by the government agencies of various countries as the top-level identity management nodes, and they jointly maintain an alliance chain to reach a consensus of the entire network and realize the original wish of Internet co-management and co-governance. All network resources on the network will be locked on the blockchain to ensure that the network resources are authentic and not tampered with.
  • the first-level domains and other domains are managed by corresponding countries and professional institutions.
  • the logo management methods, logo registration schemes and consensus algorithms in their domains can be different, and their specific implementation details can also be different.
  • Low coupling is used to ensure the security between systems And to realize the particularity and customization between each level.
  • the upper and lower domains use network supervisory nodes as data access interfaces to realize hierarchical data transmission.
  • the power of Internet management and control is handed over to Internet participants all over the world, and is no longer monopolized by an independent organization. It realizes multilateral co-management, co-governance and sharing of cyberspace in the post-IP era, and equality and openness.
  • Each domain has a corresponding network supervision node, which is mainly responsible for services such as user management, identity registration, identity conversion and identity routing in the domain.
  • each network supervision node has content-oriented network identity, spatial geographic location identity, identity information and IP address And other multi-mode logos.
  • Individual users include individual users in the traditional sense and terminal nodes in the Internet of Things era that have mobile network access nodes in the network.
  • Enterprise users include government agencies, professional organizations, companies, and websites with content publishing rights and other organizations.
  • the new network supports network layer routing addressing where multiple identifiers such as identity identifiers, content identifiers, spatial geographic location identifiers, and IP address identifiers coexist.
  • the content identifiers of all resources in its network will be bound to the identity of the publisher.
  • The spatial information identifier and the network resources accessed when a user logs on to the network will be recorded on the blockchain of the network supervision node of that domain for security supervision and data protection.
  • The network is oriented to content identifiers and identity identifiers.
  • Information publishers pursuing high-credibility services will publish their information under the new identifiers, which will naturally lead to the de-IPization of network traffic and systems.
  • the present invention includes the user access network process, specifically including the steps of individual users accessing the network and enterprise users accessing the network.
  • the IP identification is not used as the main routing identification in this network.
  • When a user accesses the network system through the traditional Internet, the network node records the MAC address of the user terminal as an identifier and stores it in the network in the form cn/guangdong/shenzhen/44-8A-5B-85-58-D2.
  • the spatial geographic location identifier of the user terminal will be recorded in the form of three-dimensional spatial coordinates.
  • the IMEI code of the mobile phone will be recorded as part of the identity authentication information.
  • Corresponding gateway equipment is provided at the boundary of each network domain to ensure that users can access Internet resources through multiple network identifiers.
  • The specific identity of an individual user is bound to the various content identifiers it publishes, and its identity serves as an addressing identifier for that network content; this lets other nodes in the network route to and address network resources directly through the user's identity, improving the efficiency of network resource queries.
  • Enterprise users will bind the ID code issued by the government or professional organization as their identity to log on to the network, and the network resources they publish will also be bound to their corporate identity information.
  • the network resources issued by the enterprise users and the spatial information identification of the server will be recorded on the blockchain of the network supervision node of the domain for security supervision and data protection.
  • the present invention includes a network routing scheme, which includes an identification registration step and a network resource request step.
  • The identifier registration step includes:
  • Step 1, resource registration: the network node receives the user's resource registration content. In this network any routable resource must be registered with a network node before other network devices can access it, so the user must first register the content named "/pku/movie/hello.mkv" with any network node and thereby claim ownership of the content. At the same time, the network node adds the geospatial location identifier, according to the location of the node where the content is stored, and the identity identifier of the content publisher.
  • Step 2, network node authentication: after the network node in this domain receives the identifier registration request transmitted by the user, it reviews the content and user information (review can be manual or automatic; automatic review can use blockchain smart contracts), then registers the resource identifier, adds the local identifier prefix and uploads the generated identifier registration request to the upper-level domain;
  • Step 3, identifier registration request transmission: after the upper-level network node receives the identifier registration request, it transmits the registration message to the controller of its domain according to the set data transmission protocol for subsequent authentication and registration operations;
  • Step 4, identifier verification: after receiving the identifier registration request of its subordinate network domain, the network node in the top-level domain verifies the requested data and returns the corresponding confirmation signal to the original applying node; at the same time it adopts a designed distributed storage scheme to ensure that no registered identifier can be tampered with. The original identifier information is stored in the distributed database of the top-level domain, and after a set time the entire network synchronizes the corresponding databases so that the resource identifier information held by each top-level domain is consistent and unified.
  • the network resource request step includes:
  • Step A, query request: the client sends a query request to the nearest network node; when the requested content has been registered on the network, the client can use the corresponding uniform resource identifier to obtain the required network resource.
  • Step B, local identifier data query: when the nearest multi-mode network node receives the user's request, it distinguishes by the queried identifier. If it is an IP address, the traditional DNS query process continues; if it is an identity or content identifier, the node queries its forwarding table, which records whether the identifier's content exists in the local database. If it does, the corresponding content is returned; otherwise go to step C;
  • Step C, query request transmission: when the local database holds no content for the identifier, the query request is uploaded to the upper-level network node. After receiving the query request from the lower-level network node, the upper-level node follows steps A to B to query. If the corresponding content is found, it is returned to the lower-level network node; otherwise the query request is passed further up until it reaches the network node of the top-level domain.
  • Step D, identifier query verification and interworking: if the top-level domain node finds the related registered identifier, it automatically issues the related shortest path according to the dynamic topology of the existing network, and the multi-mode network nodes along the forwarding path receive the new forwarding path table and establish a data transmission path through multi-hop routing; if the top-level domain node does not find the corresponding identifier, it queries the database for the other network identifiers corresponding to that identifier and proceeds to step E;
  • Step E, issuing the identifier request: the network node in the top-level domain issues the query request to the specified network domain according to the original identifier and the first prefix after conversion, until it reaches the lowest-level network node specified by the query request for a local query; if the corresponding content is successfully found, it is passed to the query requester, otherwise a query error message is returned.
  • Multi-mode identification network addressing
  • the resources in the new network system have a variety of corresponding identifiers to refer to their content name, publisher identity, network location and other information.
  • The content publishing and access behavior of all parties in the network can be effectively controlled and supervised.
  • The user can choose among multiple addressing methods to cope with complex and changing application demands and network environments; this improves the stability and adaptability of the system and makes it possible to design more innovative intelligent addressing strategies in the future.
  • the addressing process is mainly based on the following three identifiers (with the advancement of technology, it can be extended to include other identifiers):
  • Name-oriented addressing: similar to Named Data Networking (NDN), multi-mode network nodes use hierarchical strings to identify each resource in the network, such as "com/ndn/pku/document/01.pdf".
  • Data transmission is carried out in a user-driven manner: the content requester puts the content name into an Interest message and sends it into the network; the multi-mode network node records the arrival port of the Interest message in the pending interest table (PIT) and forwards it according to the forwarding information base (FIB).
  • The name-oriented addressing process decouples the data itself from the specific location of the data, which gives the network system greater flexibility. At the same time, a name can convey richer information, effectively solving the semantic-overload problem of IP addresses.
  • Identity-oriented addressing: an identity is used to refer uniquely to a user, locally or globally. Commonly used identities include public keys, user IDs, IMEI codes of mobile phones and so on. The user's behavior on the network, including publishing and accessing network resources, is subject to the specific authority determined by the identity, and any behavior can be traced back to the user's identity information, improving the supervisability of the network and eliminating the breeding ground for wrongdoing.
  • Location-oriented addressing: a spatial geographic location can represent not only a geographic location in the real sense, such as BeiDou or GPS positioning information, but also a virtual location in an abstract space, such as the mathematical coordinates a node obtains after the network is mapped onto a geometric space. To prevent ambiguity in the addressing process, no two users' positions in this system overlap.
  • the location-oriented addressing process is generally based on distance calculation, that is, multi-mode network nodes calculate the geometric distance between each neighbor and the destination, and greedily select the smallest one as the forwarding object. Because this method has very small storage occupation and computational overhead, location-oriented addressing can effectively deal with the expansion of the routing table when the network is large, thereby improving the scalability of the network.
  • the name-oriented addressing process separates the data from the specific location, providing greater flexibility and scalability; but in contrast, the unbinding of data and location also introduces certain security risks.
  • The existing content-centric network architecture usually uses "verifiable names" for the data request process, that is, each name must include the way to obtain the publisher's public key, and the publisher's signature on the name and content.
  • Before content is accepted, its signature must first be verified to ensure the integrity, security and reliability of its name and content.
  • This system adopts an identity-based public/private key generation scheme built on a combination matrix over elliptic curve cryptography (ECC).
  • A brief description of the scheme is as follows:
  • the private key matrix is only held by the key management agency and used for the user's private key distribution; while the public key matrix is held by each network node and used for data signature authentication.
  • The key management agency generates the user's private key $r_{ID}$ from the user's identity ID and the private key matrix $(r_{ij})$.
  • The private key generation process can be implemented as follows: based on a cryptographic chip and cryptographic operations, each identity ID uniquely generates a sequence of subscripts:
  • $\mathrm{GenerateSub}(ID) \rightarrow \{i_1, i_2, \ldots, i_l, j_1, j_2, \ldots, j_l\}$
  • $\mathrm{GenerateSub}(ID)$ is the function that generates subscripts from the identity ID; $i_1, i_2, \ldots, i_l$ are the row coordinates of the matrix and $j_1, j_2, \ldots, j_l$ are the column coordinates;
  • The private key corresponding to the ID is the sum of the entries of the private key matrix selected by these subscripts:
  • $r_{ID} = \sum_{k=1}^{l} r_{i_k j_k}$, where $r_{ID}$ is the user's private key and $r_{i_1 j_1}, r_{i_2 j_2}, \ldots, r_{i_l j_l}$ are the elements with row coordinates $i_1, \ldots, i_l$ and column coordinates $j_1, \ldots, j_l$ in the private key matrix $(r_{ij})$;
  • The public key corresponding to the ID can be calculated by the verifier from the public key matrix and the identity ID:
  • $R_{ID} = \sum_{k=1}^{l} R_{i_k j_k}$, where $R_{ID}$ is the user's public key and $R_{i_1 j_1}, R_{i_2 j_2}, \ldots, R_{i_l j_l}$ are the elements with row coordinates $i_1, \ldots, i_l$ and column coordinates $j_1, \ldots, j_l$ in the public key matrix $(R_{ij})$;
  • $UniqueID_A$ is the globally unique identity of publisher A; there will be no collision, and the user's public/private key pair is generated from this identity. $SubID_A$ is the secondary identity used by A when publishing the content; the same user may have multiple identities. Name is a hierarchical content name, and $Sig(Name, PrK_A)$ is A's signature on the content name. Before the content is received by a user or cached by a multi-mode network node, its signature must be verified under the security mechanism above to ensure its legality. As a result, any resource in the network can be traced back to its original publisher, ensuring supervision of publishing behavior and the security of network transmission.
  • An identity can be regarded as a special form of the extended name, namely one whose content name is empty. Therefore we use a prefix tree as the data structure supporting the storage and query of names and identities:
  • Figure 3 is an example of a prefix tree with component granularity.
  • Each connection edge of the root node corresponds to a user.
  • Each user node records the FIB entry and spatial location information corresponding to the user.
  • The second level of the tree represents the multiple identities owned by each user. If user A1 publishes the resource Name1, the corresponding name node becomes a child of the identity node.
  • The name node records the signature $Sig(Name1, PrK_{A1})$, as well as the FIB entry and spatial location information corresponding to the name.
  • The prefix tree has the following properties: 1. it compresses and merges identical prefix information, thereby reducing storage overhead; 2. by its nature it supports the longest prefix matching (LPM) query mode, consistent with how names are matched in the FIB; 3. each user corresponds to a unique real or virtual spatial location identifier.
  • For a given name in the network, in order to reduce routing delay, we set its location identifier to the location of the nearest node holding the content corresponding to that name, which is calculated and delivered by the upper-level control node.
  • The system sends the user's public key to the network supervision node. The user then signs the identifier registration request with their own identity certificate and sends the signature to the network supervision node together with the registration request.
  • The network supervision node first uses the same hash function as the user to verify the legitimacy of the user from the received identifier registration request, and then checks the attached signature using the user's public key.
  • The system stores the user's identity certificate in the distributed database to ensure that the identifier's content can be traced and supervised in the future.
  • The system requires that every identifier be registered before it can be routed in the network, and that the publisher's identity information be attached when the identifier is registered, which can effectively reduce the spread of illegal content on the network.
  • the new network system will introduce rights management strategies.
  • the system will classify the network content posted by users. When users access network resources, they will determine their access permissions based on the identity information of their visitors, such as restricting the daily online time and game time of specific groups such as students. Online content classification can effectively protect the physical and mental health of minors and promote the development of reasonable and compliant Internet content.
  • The present invention discloses a system supporting multi-mode identifier network addressing and progressive IP removal, including a memory, a processor, and a computer program stored in the memory, the computer program being configured to implement the steps of the method of the present invention when called by the processor.
  • the present invention also discloses a computer-readable storage medium, the computer-readable storage medium stores a computer program, and the computer program is configured to implement the steps of the method of the present invention when called by a processor.
  • The domain name resolution service is no longer provided by the specific 13 root servers and their affiliated mirror servers.
  • the multi-mode identity network realizes global co-management through decentralized blockchain technology, which prevents country domain names from being erased by specific countries and improves the security of the national network.
  • all parties’ published content and access behaviors are effectively protected and managed, and their access to the network cannot be denied, which reduces the country’s network supervision costs.
  • The new multi-mode identifier network improves the overall addressing efficiency of the network by introducing multiple network identifiers, especially identity identifiers, which naturally support mobility; this reduces the operation and maintenance costs that mobile users impose on network service providers in traditional networks. At the same time, the security of the network is greatly improved, effectively reducing the network security risks of ISPs.
  • the enterprise user will bind the identity identification code issued by the government or professional organization as the identity mark to log in to the network, and the network resources issued by it will also bind its corporate identity information. Since its content is locked on the blockchain, the risk of tampering by hackers is avoided.
  • the individual user will bind the corresponding biometric identity information and other identity authentication information as an identity identifier to log in to the network, and the network resources it publishes will also bind its identity information.
  • the spatial information identification and network resources accessed by individual users when they log on to the network will be recorded on the blockchain of the network supervision node in the domain for security supervision and data protection.
  • the network supervision node will refuse to register, delete and punish violating network resources and malicious users in the network. Compared with the privacy and security problems of traditional IP networks, this network system has good privacy protection and security.
  • The new multi-mode identifier network introduces a hierarchical management mechanism at identifier registration time.
  • The content users access is subject to effective management in accordance with local government regulations, reducing the possibility of minors becoming addicted to the Internet and effectively purifying the online environment for minors.
  • the network will pay more attention to the network resource itself or the user itself rather than the storage location of traditional network resources. It avoids the performance problem of the traditional IP network and greatly improves the efficiency of network resource transmission.
  • Each identifier can uniquely generate a key pair of the elliptic curve encryption algorithm. Therefore, relying only on the public key matrix and the identity of the publisher, the recipient of the data can calculate the publisher's public key and thereby complete signature verification.
  • This mechanism not only binds the identity identifier to the cryptographic information, which is conducive to identity-oriented network management; it also eliminates the frequent public key distribution and request process, and improves the efficiency of network utilization.
  • An addressing strategy that supports multi-mode network identifiers is proposed. Through mutual conversion between name identifiers, identity identifiers and spatial location identifiers, users can flexibly choose the most suitable addressing method to cope with complex and changing network environments and actual demands, thereby enhancing the adaptability of the system. At the same time, binding the network resource name to the original publisher's identity improves the supervisability and traceability of network behavior and ensures the security and reliability of network transmission.
  • A gradual deployment and expansion plan for a smooth transition of the network is proposed, which can support the existing DNS domain name resolution system without changing the system architecture. Users can access the network in a variety of ways and gradually replace the existing domain name resolution system.
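The combination-matrix key scheme described above (GenerateSub, the private key matrix (r_ij), the public key matrix (R_ij) and verifiable names signed with PrK_A), worked through as an added example; this is not code from the patent. It assumes secp256k1 as the elliptic curve, a constructed 8x16 matrix with l = 8 subscripts, a SHA-256 based GenerateSub and a Schnorr-style signature, none of which the patent specifies.

```python
# Added example: identity-based keys from a combination matrix (not the patent's code).
# The key management agency holds the private matrix (r_ij); every node holds the
# public matrix (R_ij) = (r_ij * G). GenerateSub(ID) picks l (row, column) subscripts,
# r_ID is the sum of the selected private entries, and any verifier rebuilds
# R_ID = sum of the selected public entries = r_ID * G from the public matrix alone.
# Assumptions (not specified by the patent): secp256k1, an 8x16 matrix, l = 8,
# a SHA-256 based GenerateSub and a Schnorr-style signature with a deterministic nonce.
import hashlib
import random

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROWS, COLS, L = 8, 16, 8  # constructed matrix dimensions and subscript count

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def generate_sub(identity):
    """GenerateSub(ID): (i_1, j_1), ..., (i_l, j_l) derived from the identity string."""
    digest = hashlib.sha256(identity.encode()).digest()
    return [(digest[2 * k] % ROWS, digest[2 * k + 1] % COLS) for k in range(L)]

def make_matrices(seed):
    """Key management agency: private matrix (r_ij) and public matrix (R_ij) = (r_ij * G)."""
    rng = random.Random(seed)  # seeded for reproducibility; a real agency uses a CSPRNG
    priv = [[rng.randrange(1, N) for _ in range(COLS)] for _ in range(ROWS)]
    return priv, [[ec_mul(r, G) for r in row] for row in priv]

def private_key(priv_matrix, identity):
    """r_ID = sum of r_{i_k j_k} over the subscripts of ID, reduced mod the group order."""
    return sum(priv_matrix[i][j] for i, j in generate_sub(identity)) % N

def public_key(pub_matrix, identity):
    """R_ID = sum of R_{i_k j_k}; needs only the public matrix and the identity."""
    acc = None
    for i, j in generate_sub(identity):
        acc = ec_add(acc, pub_matrix[i][j])
    return acc

def _h(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big") % N

def sign(priv, message):
    """Schnorr-style signature (R, s); the nonce is derived from key and message."""
    k = _h(priv.to_bytes(32, "big"), message) or 1
    R = ec_mul(k, G)
    e = _h(R[0].to_bytes(32, "big"), R[1].to_bytes(32, "big"), message)
    return (R, (k + e * priv) % N)

def verify(pub, message, sig):
    """Check s*G == R + e*Pub."""
    R, s = sig
    e = _h(R[0].to_bytes(32, "big"), R[1].to_bytes(32, "big"), message)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))

def publish(priv_matrix, unique_id, sub_id, name):
    """Verifiable name record (UniqueID_A, SubID_A, Name, Sig(Name, PrK_A))."""
    msg = f"{unique_id}|{sub_id}|{name}".encode()
    return (unique_id, sub_id, name, sign(private_key(priv_matrix, unique_id), msg))

def check_record(pub_matrix, record):
    """A node verifies a record from the public matrix and UniqueID_A alone."""
    unique_id, sub_id, name, sig = record
    msg = f"{unique_id}|{sub_id}|{name}".encode()
    return verify(public_key(pub_matrix, unique_id), msg, sig)
```

Because every public matrix entry is r_ij * G, the verifier's point sum equals r_ID * G, so no per-user public key has to be distributed or requested.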
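The component-granularity prefix tree for users, identities and names described above, with longest prefix matching, as an added example that is not part of the patent. The node payloads (FIB face, location tuple, signature string) and the sample registrations are constructed, and an identity is stored as a name whose content part is empty.

```python
# Added example (not the patent's code): component-granularity prefix tree.
# Level 1 under the root: one edge per user; level 2: the identities owned by
# that user; deeper levels: the components of a published name. An identity is
# a name with an empty content part, so identities and names share one tree.
# FIB faces, locations, signature strings and sample data are constructed.

class Node:
    def __init__(self):
        self.children = {}
        self.fib = None        # FIB entry: outgoing face for this prefix, or None
        self.location = None   # real or virtual spatial location identifier
        self.signature = None  # Sig(Name, PrK) kept at name nodes

class IdentityNameTrie:
    def __init__(self):
        self.root = Node()

    @staticmethod
    def components(user, sub_id, name=""):
        """Path components user / sub_id / name...; an empty name is an identity path."""
        return [user, sub_id] + [c for c in name.split("/") if c]

    def register(self, user, sub_id, name="", fib=None, location=None, signature=None):
        """Insert (or update) the node for an identity or a name and attach its payload."""
        node = self.root
        for comp in self.components(user, sub_id, name):
            node = node.children.setdefault(comp, Node())
        node.fib, node.location, node.signature = fib, location, signature
        return node

    def lookup(self, user, sub_id, name=""):
        """Longest prefix match: the deepest node on the path that holds a FIB entry.
        Returns (matched_components, fib, location), or (0, None, None) if nothing matches."""
        node, best, depth = self.root, (0, None, None), 0
        for comp in self.components(user, sub_id, name):
            node = node.children.get(comp)
            if node is None:
                break
            depth += 1
            if node.fib is not None:
                best = (depth, node.fib, node.location)
        return best

    def size(self):
        """Number of nodes; shared prefixes are stored once."""
        stack, count = [self.root], 0
        while stack:
            n = stack.pop()
            count += 1
            stack.extend(n.children.values())
        return count

def build_sample():
    """Constructed sample: user A1 with identity 'A1-main' publishing two names."""
    t = IdentityNameTrie()
    t.register("A1", "A1-main", fib="face2", location=(22.53, 113.93, 0.0))
    t.register("A1", "A1-main", "/pku/movie/hello.mkv", fib="face5",
               location=(22.54, 113.95, 0.0), signature="Sig(Name1, PrK_A1)")
    t.register("A1", "A1-main", "/pku/movie/intro.mkv", fib="face7",
               location=(22.55, 113.96, 0.0), signature="Sig(Name2, PrK_A1)")
    return t
```

A request for a name that was never registered under a known identity falls back to the identity node's FIB entry, which is the LPM behavior the FIB relies on.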

Abstract

The present invention provides a progressive IP removal method and system supporting multi-mode identifier network addressing and a storage medium. In the present invention, a novel network multi-mode identifier generation management and routing addressing system incorporating a blockchain is provided, and the performance and security bottleneck of existing networks completely dependent on the IP layer are eliminated by means of dynamic multi-mode identifier adaptation and interworking technology. Collective Internet management and governance is achieved by means of a distributed blockchain consensus algorithm. All network resources of a network are locked and stored in the blockchain, thereby ensuring that the network resources are authentic and reliable and cannot be tampered with. Secure and tamper-proof multi-mode identification addressing is achieved by means of efficient and low-overhead distributed storage technology. In addition, a user real-name registration and network login management policy incorporating biometric information and a signature policy for privacy protection are used, thereby reducing system management costs, and improving the privacy security of access node information.

Description

Method, system and storage medium for supporting multi-mode identifier network addressing and progressively removing IP
Technical field
The present invention relates to the field of computers, and in particular to a method, system and storage medium for supporting multi-mode identifier network addressing and progressively removing IP.
Background technique
With the continuous innovation of today's Internet technology, the Internet has become an indispensable part of social development. As a carrier of information, it has penetrated into every field of human life, including national politics, economic development, culture and education, and medical health. The core service of the Internet is the domain name resolution service, which completes the mapping between IP addresses and target servers. However, against the background of the vigorous development of 5G mobile technology, falling costs of data storage equipment and the expansion of new application scenarios, information on the Internet is expanding exponentially. A Cisco report predicts that the global share of mobile phones will be 69% in 2019 and that their wireless data traffic will reach 292 billion GB, of which streaming media will account for about 80%. At the same time, sources of network information are diversifying, and users no longer care about where content is stored but about the content itself. This means that the traditional IP-based Internet is facing unprecedented challenges: because the IP address is overloaded as both address and identity, data content in the traditional Internet is completely transparent to the routing layer. As a result, much identical content is currently transmitted repeatedly over the Internet, wasting network resources and energy and becoming a major pain point restricting the development of network performance.
Not only that, traditional networks also suffer from poor supervision, weak security and other problems that seriously threaten social development. At the same time, the security problems of the DNS domain name resolution system itself cannot be ignored: on January 12, 2010, the Baidu domain name was hijacked, leaving many regions unable to access Baidu normally for up to 4 hours, and some regions only returned to normal after 24 hours.
In response to the many security problems and performance pain points of the Internet, more and more domestic and foreign research institutions and companies have focused their research and development on new network architectures. Among the many newly proposed network architectures, the content-centric network (CCN), which natively supports content push and subscription, is the most eye-catching.
CCN shifts the traditional focus from server and host IP addresses to whether the content of the data meets the requirements. Users no longer care which host provides the service, but about how to obtain data faster, more accurately and more efficiently. So, in this era when content is king, researchers devised a content-based network architecture. After several years of development, significant results have been achieved in the CCN architecture and in test bed construction, but its disruptive network architecture leaves many technical difficulties in deployment, especially at large scale. CCN builds the whole network around content only and does not consider the reasonable planning and application of user identity identifiers and satellite ground-air identifiers in the coming Internet of Everything era, leaving it insufficiently scalable when facing different business processes. At the same time, CCN does not manage content security reasonably and cannot solve the data leakage and other problems of today's IP networks.
DNS resolution: the domain name resolution service is the most important core service of the Internet. Through DNS, users can access the Internet more conveniently without having to remember IP addresses, which machines can read directly but which are hard for humans to understand and memorize. The DNS protocol is an application layer protocol that runs over UDP and uses port number 53.
DNS uses a tree-like directory structure to distribute the management of host names among DNS servers at different levels; through this hierarchical management strategy, fast resolution and access between IP addresses and domain names is achieved today. The general structure of an Internet host domain name is: host name.third-level domain.second-level domain.top-level domain. Top-level domain names of the Internet are registered and managed by ICANN (the Internet Corporation for Assigned Names and Numbers), the body responsible for domain name registration and network address allocation, which also assigns a unique IP address to each host on the Internet. The resolution process is roughly as follows: when a DNS client needs to resolve a name used by a program, it queries the local DNS server to resolve that name. Each query message sent by the client includes 3 pieces of information specifying the question the server should answer. DNS queries are resolved in a variety of ways. The client can sometimes answer a query locally using cached information obtained from previous queries. The DNS server can answer the query from its own cache of resource records, or it can query or contact other DNS servers on behalf of the requesting client to fully resolve the name and then return the answer to the client.
The main shortcomings of DNS are: first, domain name management is too centralized. In the existing DNS, the creation and allocation of top-level domain names depend entirely on ICANN; the lack of a fair competition mechanism prevents the original goal of Internet co-management and co-governance, and domain name transactions and changes involve cumbersome procedures, which also makes domain name management inefficient. Second, security: the DNS system is a centralized recursive architecture, which makes it relatively fragile in the face of DDoS and other network attacks. Third, privacy: the Internet currently lacks effective privacy protection strategies, leading to serious data theft and abuse.
发明内容Summary of the invention
The present invention provides a method supporting multi-mode identifier network addressing with progressive removal of IP, characterized in that it includes constructing a network that is divided into hierarchical network domains from top to bottom. The top-level domain of the network consists of the government agencies of the individual countries acting as top-level identifier management nodes, which form a global alliance to jointly manage identifier generation, registration and resolution; all network resources in the network are locked on the blockchain. The first-level domain and the domains below it are managed by the corresponding administrative or professional bodies, and the identifier management method, identifier registration scheme and consensus algorithm within each such domain may differ;
The network contains supervision nodes, individual-user nodes and enterprise-user nodes. Each domain has a corresponding network supervision node, responsible for user management, identifier registration, interworking between identifiers and identifier routing services within the domain; each network supervision node also holds multi-mode identifiers for content network identifiers, spatial geographic location identifiers, identity information and IP addresses. Upper and lower domains use the network supervision nodes as data access interfaces to achieve hierarchical data transmission. Individual users include individual users in the traditional sense and the terminal nodes of the Internet of Things era, that is, network access nodes with mobility in the network; enterprise users include government agencies, professional institutions, companies and organizations such as websites that hold content publishing rights;
The network supports network-layer routing and addressing in which multiple identifiers coexist, including identity identifiers, content identifiers, spatial geographic location identifiers and IP address identifiers. The content identifier of every resource in the network is bound to the publisher's identity identifier, and the spatial geographic location identifier of a user logging in to the network, together with the network resources the user accesses, is recorded on the blockchain of the supervision node of the user's domain for security supervision and data protection.
As a further improvement of the present invention, the method includes an identifier registration step and a network resource request step;
The identifier registration step includes:
Step 1, resource registration: the network node receives the resource registration content from the user and adds the spatial geographic location identifier of the node where the content is stored and the identity identifier of the content publisher;
Step 2, network node authentication: after the network node of the local domain receives the identifier registration request transmitted by the user, it reviews the content and the user information, then registers the resource identifier, and then uploads the resulting identifier registration request to the next higher domain with the local identifier prefix added;
Step 3, identifier registration request transmission: when the higher-level network node receives the identifier registration request, it transmits the registration identifier message, according to the configured data transmission protocol, to the controller of its domain for subsequent authentication and registration;
Step 4, identifier verification: after a network node in the top-level domain receives an identifier registration request from a subordinate network domain, it verifies the request data and returns a corresponding confirmation signal to the originating node; at the same time, a configured distributed storage scheme guarantees that no registered identifier can be tampered with. The original identifier information is stored in the distributed database of the top-level domain, and after every configured interval the whole network performs a database synchronization to confirm that the resource identifier information held by the different top-level domains is equivalent and consistent;
The network resource request step includes:
Step A, query request: the query request is sent to the nearest network node;
Step B, local identifier data query: when the nearest multi-mode network node receives the request sent by the user, it distinguishes by the kind of identifier queried. If it is an IP address, the traditional DNS query process continues; if it is an identity or content identifier, the forwarding table is consulted. The forwarding table records whether the identified content exists in the local database; if so, the corresponding identified content is returned, otherwise step C is executed;
Step C, query request transmission: when the local database holds no corresponding identified content, the query request is uploaded to the next higher network node. After receiving the query request sent by the lower-level node, the higher-level node queries according to steps A to B; if the corresponding identified content is found, the corresponding content identifier is returned to the lower-level network node, otherwise the query request is passed on to the next higher network node, up to the network node of the top-level domain;
Step D, identifier query verification and interworking: if the top-level domain node finds the relevant registered identifier, it automatically issues the corresponding shortest path according to the dynamic topology of the existing network; the multi-mode network nodes on the forwarding route receive the new forwarding path table and a data transmission path is established by multi-hop routing. If the top-level domain node does not find the corresponding identifier, it also queries the database for the other network identifier information corresponding to that identifier and proceeds to step E;
Step E, identifier request issuance: the network node of the top-level domain issues the query request to the designated network domain according to the original identifier and the first prefix of the converted identifier, until it reaches the lowest-level network node designated by the query request, where a local query is performed; if the corresponding identified content is found, the corresponding resource content is delivered to the requester, otherwise a query error message is returned.
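The registration steps 1 to 4 and the request steps A to E above describe one hierarchical procedure: content stays in the domain where it was registered, the identifier acquires the local prefix and is recorded at the top level, and a lookup that misses locally escalates level by level until the top-level node either descends along the prefix to the origin domain or returns an error. The following block is an added toy model of that procedure written for this page; it is not code from the patent. The domain prefixes, the identifiers, the IPv4 check used to divert legacy queries, and the Python dict standing in for the top-level domain's distributed database are all this example's own constructions.

```python
"""Toy model of the hierarchical identifier registration (steps 1-4) and resource request
(steps A-E) described above. Constructed example: the domain prefixes, identifiers and the
dict standing in for the top-level domain's distributed database are all invented."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class DomainNode:
    """A network node of one domain; `prefix` is that domain's identifier prefix."""
    prefix: str
    parent: Optional["DomainNode"] = None
    children: Dict[str, "DomainNode"] = field(default_factory=dict)
    local_db: Dict[str, str] = field(default_factory=dict)   # identifier -> content stored here
    registry: Dict[str, dict] = field(default_factory=dict)  # top level only: registered identifiers
    aliases: Dict[str, str] = field(default_factory=dict)    # top level only: other identifier -> registered one

    def add_child(self, child: "DomainNode") -> "DomainNode":
        child.parent = self
        self.children[child.prefix] = child
        return child


def register(node: DomainNode, name: str, content: str, publisher: str, location: str) -> str:
    """Steps 1-4: keep the content at the registering node, prepend the local prefix, escalate to
    the top-level node, which records the identifier together with publisher and location."""
    ident = f"{node.prefix}/{name}"          # step 2: local identifier prefix added
    node.local_db[ident] = content           # step 1: content stays where it was registered
    top = node
    while top.parent is not None:            # step 3: the request travels up the hierarchy
        top = top.parent
    top.registry[ident] = {"publisher": publisher, "location": location, "origin": node.prefix}  # step 4
    top.aliases[location] = ident            # the location identifier is bound to the content identifier
    return ident


def resolve(node: DomainNode, ident: str,
            hops: Optional[List[str]] = None) -> Tuple[str, Optional[str], List[str]]:
    """Steps A-E. Returns (status, content, prefixes of the nodes visited in order)."""
    hops = [] if hops is None else hops
    hops.append(node.prefix)
    if IPV4.match(ident):                    # step B: IP addresses stay on the legacy DNS path
        return "legacy-dns", None, hops
    if ident in node.local_db:               # step B: local hit
        return "hit", node.local_db[ident], hops
    if node.parent is not None:              # step C: escalate one level and repeat
        return resolve(node.parent, ident, hops)
    # step D: the top-level node checks its registry, then other identifiers bound to the resource
    target = ident if ident in node.registry else node.aliases.get(ident)
    if target is None:
        return "error", None, hops
    # step E: descend prefix by prefix to the origin domain and read the content there
    parts = node.registry[target]["origin"].split("/")
    cur, acc = node, parts[0]
    for part in parts[1:]:
        acc = f"{acc}/{part}"
        cur = cur.children[acc]
        hops.append(cur.prefix)
    return "hit", cur.local_db[target], hops


def build_demo() -> Tuple[DomainNode, DomainNode, DomainNode]:
    """Constructed three-level hierarchy: top level 'cn', one province, two cities."""
    top = DomainNode("cn")
    gd = top.add_child(DomainNode("cn/guangdong"))
    sz = gd.add_child(DomainNode("cn/guangdong/shenzhen"))
    gz = gd.add_child(DomainNode("cn/guangdong/guangzhou"))
    register(sz, "video1", "<video bytes>", publisher="UniqueID_A", location="loc:22.54/114.06/0")
    return top, sz, gz


if __name__ == "__main__":
    _, sz, gz = build_demo()
    print(resolve(gz, "cn/guangdong/shenzhen/video1"))   # escalates to 'cn', descends to shenzhen
    print(resolve(gz, "loc:22.54/114.06/0"))              # resolved through the bound location identifier
    print(resolve(gz, "192.0.2.1"))                       # diverted to legacy DNS
    print(resolve(gz, "cn/nowhere/x"))                    # unknown identifier: error from the top level
```

The `hops` list returned by `resolve` makes the escalation visible: a request from Guangzhou for content registered in Shenzhen climbs to the top-level node and is then sent back down the Shenzhen prefix, exactly the path steps C to E describe, while a request at the origin node is answered locally in one hop.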
As a further improvement of the present invention, every resource in the network system has several corresponding identifiers denoting its content name, its publisher's identity and its spatial geographic location. Through binding and interworking between these identifiers, the content publishing and access behaviour of all parties in the network can be effectively controlled and supervised; at the same time, the multi-mode network identifiers are used directly in network-layer addressing, and through dynamic matching and interworking of the multi-mode identifiers, users can choose among several addressing modes to cope with complex and changing application requirements and network environments.
As a further improvement of the present invention, in addition to the traditional IP address, the addressing process is based on the following three kinds of identifier:
Content-name-oriented addressing: a hierarchical character string identifies each resource in the network. To support addressing directly by content name, every multi-mode network node holds a forwarding information base keyed by name, recording the forwarding port for each name. Data transmission is user-driven: the requester of a piece of content writes the content name into an interest packet and sends it into the network; a multi-mode network node records the arrival port of the interest packet in its pending interest table and consults the forwarding information base to forward the packet, until it reaches a holder of the content; by consulting the pending interest tables, the data packet containing the requested content is returned to the requester along the reverse of the interest packet's path. Content-name-oriented addressing decouples the data itself from the specific location where the data resides, giving the network system greater flexibility;
Identity-oriented addressing: an identity denotes a user uniquely, either locally or globally. A user's behaviour on the network, including publishing and accessing network resources, is subject to the specific permissions determined by that identity, and any action can be traced back to the user's identity information;
Spatial-geographic-location-oriented addressing: location information can represent not only a geographic location in the physical sense but also a virtual location in an abstract space. To prevent ambiguity during addressing, the locations of two users in this system never coincide. The addressing process is: the multi-mode network node computes the geometric distance between each of its neighbours and the destination and greedily selects the neighbour with the smallest distance as the next forwarding target.
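Two of the three addressing modes just listed are concrete forwarding algorithms: name-based forwarding with a forwarding information base (FIB) and a pending interest table (PIT), and greedy geographic forwarding by geometric distance. The block below is an added simulation of both, written for this page and not taken from the patent. The topology, the content names, the coordinates and the way a local requester is represented as a string "face" are this example's own constructions. The geographic part also handles the failure mode that the greedy rule is known for and the text does not mention: when no neighbour is closer to the destination than the current node, the packet cannot make progress and the function reports the failure instead of looping.

```python
"""Constructed simulation of two of the three addressing modes above: content-name forwarding with
a forwarding information base (FIB) and pending interest table (PIT), and greedy geographic
forwarding. Topology, names and coordinates are invented for the example."""
import math
from typing import Dict, List, Optional, Tuple, Union

Face = Union["NameNode", str]   # a neighbouring node, or a string naming a local requester


class NameNode:
    """Multi-mode node forwarding by content name."""

    def __init__(self, name: str):
        self.name = name
        self.fib: Dict[str, "NameNode"] = {}        # name prefix -> next-hop node
        self.pit: Dict[str, List[Face]] = {}        # pending name -> faces the interest arrived on
        self.store: Dict[str, str] = {}             # content published at this node
        self.cache: Dict[str, str] = {}             # content cached while passing through
        self.delivered: Dict[str, List[str]] = {}   # local requester -> names delivered to it

    def fib_lookup(self, name: str) -> Optional["NameNode"]:
        """Longest-prefix match over '/'-delimited name components."""
        best: Optional[Tuple[str, "NameNode"]] = None
        for prefix, hop in self.fib.items():
            if name == prefix or name.startswith(prefix.rstrip("/") + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, hop)
        return None if best is None else best[1]

    def interest(self, name: str, in_face: Face) -> bool:
        """An interest packet arrives on `in_face`. Returns True if data was delivered back."""
        data = self.store.get(name, self.cache.get(name))
        if data is not None:                      # holder or cache hit: answer immediately
            self._send_data(name, data, [in_face])
            return True
        if name in self.pit:                      # same name already pending: aggregate, do not re-forward
            self.pit[name].append(in_face)
            return True
        next_hop = self.fib_lookup(name)
        if next_hop is None:
            return False                          # no FIB entry: the interest is dropped
        self.pit[name] = [in_face]                # remember where the data has to go back to
        ok = next_hop.interest(name, self)
        if not ok:
            self.pit.pop(name, None)              # nothing will come back (a real node times out here)
        return ok

    def data(self, name: str, content: str) -> None:
        """A data packet arrives: cache it and return it along every face recorded in the PIT."""
        faces = self.pit.pop(name, [])
        if not faces:
            return                                # unsolicited data is discarded
        self.cache[name] = content
        self._send_data(name, content, faces)

    def _send_data(self, name: str, content: str, faces: List[Face]) -> None:
        for face in faces:
            if isinstance(face, NameNode):
                face.data(name, content)
            else:
                self.delivered.setdefault(str(face), []).append(name)


def greedy_forward(positions: Dict[str, Tuple[float, float, float]],
                   neighbors: Dict[str, List[str]], src: str, dst: str,
                   max_hops: int = 64) -> Tuple[bool, List[str]]:
    """Greedy geographic forwarding: hand the packet to the neighbour geometrically closest to the
    destination. Fails when no neighbour is closer than the current node (a local minimum)."""
    def dist(a: str, b: str) -> float:
        return math.dist(positions[a], positions[b])

    path, cur = [src], src
    while cur != dst and len(path) <= max_hops:
        best = min(neighbors.get(cur, []), key=lambda nb: dist(nb, dst), default=None)
        if best is None or dist(best, dst) >= dist(cur, dst):
            return False, path                    # local minimum: greedy mode cannot make progress
        path.append(best)
        cur = best
    return cur == dst, path


def build_name_demo() -> Tuple[NameNode, NameNode, NameNode]:
    """Constructed chain requester -> r1 -> r2 -> publisher; r1 and r2 forward by FIB prefix."""
    r1, r2, pub = NameNode("r1"), NameNode("r2"), NameNode("pub")
    pub.store["/cn/pku/video1"] = "<video bytes>"
    r1.fib["/cn"] = r2
    r2.fib["/cn/pku"] = pub
    return r1, r2, pub


def build_geo_demo() -> Tuple[Dict[str, Tuple[float, float, float]], Dict[str, List[str]]]:
    """Constructed positions: a-b-c-d on a line, x a dead end hanging off a."""
    positions = {"a": (0.0, 0.0, 0.0), "b": (1.0, 0.0, 0.0), "c": (2.0, 0.0, 0.0),
                 "d": (3.0, 0.0, 0.0), "x": (1.0, 1.0, 0.0)}
    neighbors = {"a": ["b", "x"], "b": ["a", "c"], "c": ["b", "d"], "d": ["c"], "x": ["a"]}
    return positions, neighbors
```

After the first interest for `/cn/pku/video1` has been answered, `r1` and `r2` hold the content in their caches, so a second interest from another requester is served at `r1` without touching the publisher; this is the in-network caching the CCN definition later on the page refers to. In the geographic demo, a packet from `x` to `d` fails immediately because `x`'s only neighbour `a` is farther from `d` than `x` itself is.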
As a further improvement of the present invention, in the identity-oriented addressing the identity identifier includes a public key, the user's own identity document ID and the IMEI of the mobile phone.
As a further improvement of the present invention, in the name-oriented addressing and the identity-oriented addressing a security mechanism based on identity identifiers and combined matrices is used. The cryptographic mechanism is elliptic-curve cryptography: given a base point G on the elliptic curve and its order n, a positive integer r < n serves as the private key and the r-multiple of G, rG = R, as the public key. The private key matrix (r_ij)_{m×n} has m rows and n columns, each element r_ij being a positive integer satisfying r_ij < n; the public key matrix (R_ij)_{m×n} is generated through the correspondence r_ij G = R_ij. The private key matrix is held only by the key management authority and is used to distribute users' private keys; the public key matrix is held by every network node and is used for signature verification of data. The key management authority generates the user's private key r_ID from the user's identity identifier ID and the private key matrix (r_ij).
As a further improvement of the present invention, in the security mechanism based on identity identifiers and combined matrices, the private key generation process is implemented as follows: based on a cryptographic chip and cryptographic operations, each identity identifier ID uniquely generates a sequence of subscripts:
GenerateSub(ID) = {i_1, i_2, ..., i_l, j_1, j_2, ..., j_l}
where GenerateSub(ID) denotes the function generating subscripts from the identity identifier ID, i_1, i_2, ..., i_l denote row coordinates of the matrix and j_1, j_2, ..., j_l denote column coordinates of the matrix;
The private key corresponding to the ID is then the sum of the entries of the private key matrix at those subscripts:
$r_{ID} = \sum_{k=1}^{l} r_{i_k j_k}$
where r_ID denotes the user's private key and $r_{i_k j_k}$ denotes the element of the private key matrix (r_ij) with row coordinate i_k and column coordinate j_k;
Likewise, the public key corresponding to the ID can be computed by the verifier from the public key matrix and the identity identifier ID:
$R_{ID} = \sum_{k=1}^{l} R_{i_k j_k}$
where R_ID denotes the user's public key and $R_{i_k j_k}$ denotes the element of the public key matrix (R_ij) with row coordinate i_k and column coordinate j_k;
Since the multiples of G form a commutative group:
$r_{ID} G = \Bigl(\sum_{k=1}^{l} r_{i_k j_k}\Bigr) G = \sum_{k=1}^{l} r_{i_k j_k} G = \sum_{k=1}^{l} R_{i_k j_k} = R_{ID}$
where r_ID G denotes the r_ID-multiple of the base point G;
Therefore (r_ID, R_ID) form a private/public key pair. In this way, not only is a one-to-one binding between the identity identifier and the public key achieved, guaranteeing that network behaviour can be supervised and traced, but the frequent public-key request procedure is also eliminated, improving the actual performance of the network.
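The derivation above can be run end to end: the key management authority draws a private matrix and publishes R_ij = r_ij G, GenerateSub(ID) picks l entries, and any node can compute R_ID from the public matrix alone while only the authority can compute r_ID. The block below is an added implementation written for this page, not the patent's own code. It uses the secp256k1 curve parameters; the 4x4 matrix size, the SHA-256-based GenerateSub (the patent leaves its chip-based function unspecified), the choice l = 4 and the sample identifiers are this example's own assumptions. One detail the text glosses over is made explicit: the sum of the r_{i_k j_k} can exceed the group order n, so r_ID is reduced mod n, which does not change r_ID G.

```python
"""Constructed implementation of the identity-to-key derivation described above: a private key
matrix (r_ij) held by the key management authority, the public matrix R_ij = r_ij*G held by
every node, and GenerateSub(ID) selecting l entries whose sums give (r_ID, R_ID). The curve is
secp256k1; the matrix size, the SHA-256-based GenerateSub and the sample IDs are choices made for
this example, not taken from the patent."""
import hashlib
import secrets
from typing import Callable, List, Optional, Tuple

# secp256k1 domain parameters: field prime, base point G and its order n (called N here)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]   # None stands for the point at infinity


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (the curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication k*pt (k reduced mod N first)."""
    result, addend, k = None, pt, k % N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def key_matrices(m: int, cols: int, rng: Callable[[int], int] = secrets.randbelow
                 ) -> Tuple[List[List[int]], List[List[Point]]]:
    """Key management authority: private matrix with 0 < r_ij < N and public matrix R_ij = r_ij*G."""
    priv = [[1 + rng(N - 1) for _ in range(cols)] for _ in range(m)]
    pub = [[ec_mul(r, G) for r in row] for row in priv]
    return priv, pub


def generate_sub(identity: str, m: int, cols: int, l: int) -> Tuple[List[int], List[int]]:
    """GenerateSub(ID): l row indices and l column indices derived deterministically from the ID.
    SHA-256 expansion stands in for the patent's chip-based derivation, which it does not specify."""
    stream = b""
    while len(stream) < 4 * l:
        stream += hashlib.sha256(identity.encode() + len(stream).to_bytes(4, "big")).digest()
    vals = [int.from_bytes(stream[2 * k:2 * k + 2], "big") for k in range(2 * l)]
    return [v % m for v in vals[:l]], [v % cols for v in vals[l:]]


def private_key(identity: str, priv: List[List[int]], l: int = 4) -> int:
    """r_ID = sum of r_{i_k j_k}, reduced mod N so it is a valid scalar (the raw sum may exceed N;
    reduction does not change r_ID*G). Only the holder of the private matrix can compute this."""
    rows, cols = generate_sub(identity, len(priv), len(priv[0]), l)
    return sum(priv[i][j] for i, j in zip(rows, cols)) % N


def public_key(identity: str, pub: List[List[Point]], l: int = 4) -> Point:
    """R_ID = sum of R_{i_k j_k}: any verifier computes it from the public matrix and the ID alone."""
    rows, cols = generate_sub(identity, len(pub), len(pub[0]), l)
    acc: Point = None
    for i, j in zip(rows, cols):
        acc = ec_add(acc, pub[i][j])
    return acc


def keypair_consistent(identity: str, priv: List[List[int]], pub: List[List[Point]], l: int = 4) -> bool:
    """Check the relation r_ID*G == R_ID derived in the text."""
    return ec_mul(private_key(identity, priv, l), G) == public_key(identity, pub, l)


if __name__ == "__main__":
    priv_m, pub_m = key_matrices(4, 4)
    print("UniqueID_A pair consistent:", keypair_consistent("UniqueID_A", priv_m, pub_m))
```

`keypair_consistent` is the whole point of the construction: the verifier never receives a public key from the user, it recomputes R_ID from the public matrix and the identifier, and the result matches r_ID G because scalar multiplication distributes over the sum.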
As a further improvement of the present invention, the method includes an interworking process between names and identities. In this process the name of a content item is bound to the identity identifier of its original publisher, and a verifiable extended name is used to identify network resources, in the following form:
/UniqueID_A/SubID_A/Name/Sig(Name, PrK_A)
where UniqueID_A is the globally unique identity identifier of publisher A, which never collides with another and from which the user's public/private key pair is generated; SubID_A is the secondary identity identifier A used when publishing this content, since the same user in the network may hold several identities; Name is the hierarchical content name; and Sig(Name, PrK_A) is A's signature over the content name. Before the content is accepted by a user or cached by a multi-mode network node, its signature must be verified to guarantee its legitimacy. A prefix tree data structure supports storage and lookup of names and identity identifiers. In the prefix tree each edge from the root corresponds to one user, denoted by its globally unique identity identifier UniqueID_A; each user node records the forwarding information base entries and spatial location information for that user. The second level of the prefix tree represents the several identity identifiers each user holds: if user A1 publishes resource Name1 under identity SubID_A1, the corresponding name node becomes a child of the identity node SubID_A1, and that name node records the signature Sig(Name1, PrK_A1) together with the forwarding information base entries and spatial location information for that name. Lookups in this prefix tree convert between names and identity identifiers, or between the several identity identifiers held by the same user.
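The extended name format and the prefix tree described above are a small data structure with a verification step in front of it. The block below is an added example written for this page, not the patent's own code: it parses `/UniqueID_A/SubID_A/Name/Sig(Name, PrK_A)`, refuses to insert a resource whose signature does not verify against the publisher's key, and supports the three conversions the text names (name to identity, identity to names, and between one user's SubIDs). The signature is a stand-in, HMAC-SHA256 under a per-user key, so that the block runs with the standard library alone; in the system described it would be the publisher's signature under the key pair derived from UniqueID_A. All identifiers, names and keys are invented for the example.

```python
"""Constructed example of the verifiable extended name /UniqueID_A/SubID_A/Name/Sig(Name, PrK_A)
and of the prefix tree (root -> UniqueID -> SubID -> Name) used to convert between names and
identities. The signature is a stand-in (HMAC-SHA256 under a per-user key) so the block runs with
the standard library alone; all identifiers and names are invented."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Coord = Tuple[float, float, float]


def sign_name(name: str, key: bytes) -> str:
    """Stand-in for Sig(Name, PrK_A)."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()


def verify_name(name: str, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_name(name, key), sig)


def parse_extended_name(ext: str) -> Tuple[str, str, str, str]:
    """Split '/UniqueID/SubID/Name/Sig' into its four parts. Name is hierarchical and may itself
    contain '/', so it is everything between the second component and the trailing signature."""
    parts = ext.strip("/").split("/")
    if len(parts) < 4:
        raise ValueError("extended name needs UniqueID, SubID, Name and Sig components")
    return parts[0], parts[1], "/" + "/".join(parts[2:-1]), parts[-1]


@dataclass
class NameRecord:
    """Name node: the signature plus the FIB entries and location recorded for this name."""
    sig: str
    fib_faces: List[str] = field(default_factory=list)
    location: Optional[Coord] = None


@dataclass
class UserNode:
    """User node: verification key, the user's own FIB entries and location, and its SubIDs."""
    key: bytes
    fib_faces: List[str] = field(default_factory=list)
    location: Optional[Coord] = None
    subids: Dict[str, Dict[str, NameRecord]] = field(default_factory=dict)  # SubID -> Name -> record


class PrefixTree:
    def __init__(self) -> None:
        self.users: Dict[str, UserNode] = {}                   # one edge from the root per UniqueID
        self.by_name: Dict[str, List[Tuple[str, str]]] = {}    # Name -> [(UniqueID, SubID)]

    def add_user(self, unique_id: str, key: bytes, location: Optional[Coord] = None,
                 faces: Tuple[str, ...] = ()) -> None:
        self.users[unique_id] = UserNode(key, list(faces), location)

    def publish(self, ext: str, faces: Tuple[str, ...] = (), location: Optional[Coord] = None) -> bool:
        """Insert a resource only if its signature verifies against the publisher's key; otherwise
        the node must reject it before storing or caching it."""
        unique, sub, name, sig = parse_extended_name(ext)
        user = self.users.get(unique)
        if user is None or not verify_name(name, sig, user.key):
            return False
        user.subids.setdefault(sub, {})[name] = NameRecord(sig, list(faces), location)
        self.by_name.setdefault(name, []).append((unique, sub))
        return True

    def identities_of(self, name: str) -> List[Tuple[str, str]]:
        """Name -> identity conversion."""
        return list(self.by_name.get(name, []))

    def names_of(self, unique_id: str, sub_id: Optional[str] = None) -> List[str]:
        """Identity -> names conversion; every SubID of the user when sub_id is None."""
        user = self.users.get(unique_id)
        if user is None:
            return []
        subs = [sub_id] if sub_id is not None else list(user.subids)
        return sorted(n for s in subs for n in user.subids.get(s, {}))

    def subids_of(self, unique_id: str) -> List[str]:
        """Conversion between the several identities held by one user."""
        return sorted(self.users[unique_id].subids) if unique_id in self.users else []
```

Because the signature is the last path component and contains no `/`, the parser can recover a multi-component `Name` unambiguously; the same property is what lets a forwarding node check the signature against the publisher's key before it caches the content, as the text requires.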
As a further improvement of the present invention, the method includes a conversion process between locations and names or identities. In the interworking between content names and identities, each user corresponds to a unique real or virtual spatial geographic location identifier. For a content name in the network, to reduce routing delay, its location identifier is set to "the location of the nearest node holding the content corresponding to that name", computed and issued by the upper-level control node. By recording the corresponding location information in the aforementioned prefix tree, interworking from name or identity to spatial geographic location is achieved; to keep the locations of different users from colliding, a hash table from spatial geographic location to identity is used to map between them.
As a further improvement of the present invention, the method includes a user management and privacy protection policy. Under this policy, whenever a user terminal sends an identifier registration request in the network it binds the corresponding identity information, to guarantee the normal operation of the network. The user generates an identity certificate with a designated hash function over the user's identity information; this identity certificate serves as the user's proof of identity in the network, and the spatial geographic location identifier serves as auxiliary identification information for the user. At the same time the system sends the user's public key to the network supervision node; the user then signs the identifier registration request with the user's identity certificate and sends the signature together with the identifier registration request to the network supervision node. The network supervision node first verifies the user's legitimacy from the received identifier registration request using the same hash function as the user, then decrypts the attached signature with the user's public key and compares the two hash values; if they are equal, the signature is confirmed to belong to the user. If the identifier registration request is confirmed by the network supervision node, the system stores the user's identity certificate in the distributed data store so that the identified content can later be traced and supervised. The system classifies the network content published by users, and when a user accesses a network resource, access permission is determined from the accessing user's identity information.
As a further improvement of the present invention, the method includes an individual-user network access step. When a user accesses the network system through the traditional Internet, the network node records the MAC address of the user terminal as an identity identifier and stores it in the network, and also records the spatial geographic location of the user terminal in the form of three-dimensional spatial coordinates; for mobile phone users, the IMEI of the phone is recorded at the same time as part of the identity authentication information. A corresponding gateway device is provided at the boundary of each network domain so that users can access Internet resources through several network identifiers. When a user accesses the network through the new network identifiers, the relevant identity information, including but not limited to biometric information that can trace the user's identity such as fingerprints and irises, is stored at the user's local node; this identity information is kept only locally at the user node for generating the user's signature and is not transmitted in the multi-mode identifier network. At the same time, the individual user's identity identifier is bound to the various content identifiers the user publishes, so that the identity identifier serves as one addressing identifier for that network content; the other nodes in the network can then address network resources directly by user identifier, improving the efficiency of network resource queries.
As a further improvement of the present invention, the method includes an enterprise-user network access step, in which the enterprise user binds the identification code issued by a government or professional body as its identity identifier in order to log in to the network; the network resources it publishes are also bound to its enterprise identity information, and the network resources published by the enterprise user and the spatial geographic location identifier of its servers are recorded on the blockchain of the supervision node of its domain for security supervision and data protection.
The present invention also provides a system supporting multi-mode identifier network addressing with progressive removal of IP, comprising a memory, a processor and a computer program stored in the memory, the computer program being configured to implement the steps of the method of the present invention when invoked by the processor.
The present invention also provides a computer-readable storage medium storing a computer program, the computer program being configured to implement the steps of the method of the present invention when invoked by a processor.
The beneficial effects of the present invention are as follows: the present invention proposes a new system for generating and managing multi-mode network identifiers and for routing and addressing by them, integrated with blockchain, which uses dynamic adaptation and interworking of multi-mode identifiers to break through the performance and security bottlenecks of the IP "thin waist" of the existing network, and uses a distributed blockchain consensus algorithm to realize the original aim of co-management and co-governance of the Internet. All network resources are locked on the blockchain, guaranteeing that they are authentic and cannot be tampered with; high-performance, low-overhead distributed storage technology secures multi-mode identifier routing and makes it tamper-proof; and a real-name user registration and network login management policy combined with biometric identity information, together with a privacy-preserving signature policy, lowers the system's management cost and improves the privacy and security of access node information.
Brief Description of the Drawings
Figure 1 is the overall architecture diagram of the present invention.
Figure 2 is a schematic diagram of the security mechanism based on identity identifiers and combined matrices of the present invention.
Figure 3 is a schematic diagram of the data structure of the prefix tree of the present invention.
Detailed Description
Definitions of abbreviations and key terms:
Multi-mode identifier network: a network in which multiple routing identifiers coexist. Coexistence of multiple routing modes means building, on the basis of a specific addressing mode (polymorphic addressing), network routing processes that satisfy the various constraint attributes required. It mainly supports the coexistence of multiple network architectures to meet the needs of multiple application services.
SDN (Software Defined Network): software-defined networking. Its core is the separation of the control plane from the data plane of network equipment, which enables flexible control of network traffic, makes the network a more intelligent pipe, and provides a good platform for innovation in core networks and applications.
CCN (Content-Centric Networking): named data networking. Names are used as network routing identifiers and content is cached at multi-mode network nodes, making data transmission faster and improving content retrieval efficiency.
本发明公开了一种支持多模标识网络寻址渐进去IP的方法,如图1所示为本发明网络总体架构,整个新型多模标识的网络系统采用自上到下层级化网络域进行划分。其中网络的顶级域由各个国家的政府机构作为顶级标识管理节点,其共同维持一条联盟链来达成全网共识,实现互联网共管共治的本愿。网络所有的网络资源都将锁存在区块链上,保证网络资源真实可信、不被篡改。一级域及其它域为相应国家及专业机构管理,其域内的标识管理方式、标识注册方案及共识算法可以不同,其具体实现细节也可不同,通过低耦合的方式来保证系统之间的安全性以及实现各层级之间的特殊性以及定制性。上下域之间通过网络监管节点作为数据访问接口以实现层级化的数据传输。互联网管控的权利交由全世界互联网参与者,不再是某个独立的机构垄断,实现后IP时代网络空间的多边共管共治共享,平等开放。The present invention discloses a method for supporting multi-mode identification network addressing to gradually remove IP. Figure 1 shows the overall network architecture of the present invention. The entire new multi-mode identification network system is divided into hierarchical network domains from top to bottom. . Among them, the top-level domains of the network are managed by the government agencies of various countries as the top-level identity management nodes, and they jointly maintain an alliance chain to reach a consensus of the entire network and realize the original wish of Internet co-management and co-governance. All network resources on the network will be locked on the blockchain to ensure that the network resources are authentic and not tampered with. The first-level domains and other domains are managed by corresponding countries and professional institutions. The logo management methods, logo registration schemes and consensus algorithms in their domains can be different, and their specific implementation details can also be different. Low coupling is used to ensure the security between systems And to realize the particularity and customization between each level. The upper and lower domains use network supervisory nodes as data access interfaces to realize hierarchical data transmission. The power of Internet management and control is handed over to Internet participants all over the world, and is no longer monopolized by an independent organization. It realizes multilateral co-management, co-governance and sharing of cyberspace in the post-IP era, and equality and openness.
新型网络系统中存在监管节点、个人用户以及企业用户等网络节点。每个域内均有相应的网络监管节点,主要负责域内用户管理、标识注册、标识转换以及标识路由等服务,同时每个网络监管节点存在面向内容网络标识,空间地理位置标识、身份信息及IP地址等多模标识。个人用户包括 传统意义上的个人用户以及物联网时代的终端节点等在网络中带有移动特性的网络接入节点。企业用户包括政府机关、专业机构、公司及具有内容发布权的网站等组织机构。There are network nodes such as supervisory nodes, individual users and enterprise users in the new network system. Each domain has a corresponding network supervision node, which is mainly responsible for services such as user management, identity registration, identity conversion and identity routing in the domain. At the same time, each network supervision node has content-oriented network identity, spatial geographic location identity, identity information and IP address And other multi-mode logos. Individual users include individual users in the traditional sense and terminal nodes in the Internet of Things era that have mobile network access nodes in the network. Enterprise users include government agencies, professional organizations, companies, and websites with content publishing rights and other organizations.
新型网络支持包括身份标识、内容标识、空间地理位置标识及IP地址标识等多种标识共存的网络层路由寻址。其网络中的所有的资源的内容标识均会和发布者的身份标识相互绑定,用户登陆网络时的空间信息标识及访问的网络资源将记录在所在域的网络监管节点区块链上用于安全监管及数据保护。The new network supports network layer routing addressing where multiple identifiers such as identity identifiers, content identifiers, spatial geographic location identifiers, and IP address identifiers coexist. The content identifiers of all resources in its network will be bound to the identity of the publisher. The spatial information identifiers and network resources accessed when users log on to the network will be recorded on the blockchain of the network supervision node of the domain for use Security supervision and data protection.
由于新型网络的所有各方发布内容和访问行为都受到有效的保护及管理,其接入网络所产生的行为不可抵赖。任何网络攻击或非法行为也将被域内区块链记录下来,因此以这些标识的使用将使得网络空间处于有序与安全的状态,将引导用户的各种流量承载到与身份绑定的新型标识网络如面向内容标识、身份标识上来。而自然的减少在没有任何安全保障的IP网络流量。追求高可信服务的信息发布方将以他们的信息发布到新型标识上,从而自然引导网络流量及体系的去IP化。Since all parties in the new network publish content and access behaviors are effectively protected and managed, the behaviors generated by their access to the network cannot be denied. Any cyber attacks or illegal behaviors will also be recorded by the blockchain within the domain. Therefore, the use of these identifiers will make the cyberspace in an orderly and safe state, and will guide users' various traffic to a new type of identity bound to the identity The network is for content identification and identity identification. The natural reduction in IP network traffic without any security guarantees. Information publishers pursuing high-credibility services will publish their information on the new logo, which will naturally lead to the de-IPization of network traffic and systems.
The present invention includes a user network access process, which specifically includes a step for individual users accessing the network and a step for enterprise users accessing the network.
Steps for individual users to access the network:
In this network the IP identifier is not used as the main routing and addressing identifier. When a user accesses the network system through the traditional Internet, the network node records the MAC address of the user terminal as an identity identifier and stores it in the network in the form cn/guangdong/shenzhen/44-8A-5B-85-58-D2. It also records the spatial geographic location identifier of the user terminal, in the form of three-dimensional spatial coordinates. For mobile phone users, the IMEI code of the phone is also recorded as part of the identity authentication information. A corresponding gateway device is provided at the boundary of each network domain to ensure that users can access Internet resources through multiple network identifiers.
When a user accesses the network through the new network identifier, all of the information from the user's access to the traditional Internet is stored. At the same time, related identity information is stored on the user's local node, including but not limited to fingerprints, iris patterns and other specific biometric information that can trace the user's identity. This identity information is stored only locally on the user node, where it is used to generate the user's signature; it is not transmitted in the new multi-mode identifier network. Furthermore, with future Internet of Things scenarios, the development of 5G and changes in individual users' habits, mobile access will become one of the main ways of accessing the Internet. The specific identity identifier of an individual user is bound to the identifiers of the various contents that the user publishes, and the identity identifier serves as an addressing identifier for that network content, so that the other nodes in the network can route to and address network resources directly through the user's identifier, improving the efficiency of network resource lookup.
Steps for enterprise users to access the network:
An enterprise user binds the identification code issued by a government or professional institution as its identity identifier in order to log on to the network, and the network resources it publishes are also bound to its enterprise identity information. The network resources published by enterprise users and the spatial information identifiers of the servers on which they reside are recorded on the blockchain of the network supervisory node of their domain for security supervision and data protection.
The present invention includes a network routing scheme, which includes an identifier registration step and a network resource request step.
The identifier registration step includes:
Step 1, resource registration: the network node receives the user's resource registration content. In this network, any resource that can be routed to must first be registered with a network node before it can be accessed by other network devices. So the user first registers the content named "/pku/movie/hello.mkv" with any network node and claims ownership of that content. At the same time, the network node adds the geospatial location identifier of the node where the content is stored, together with the identity identifier of the content publisher.
Step 2, network node authentication: after the network node of the local domain receives the identifier registration request transmitted by the user, it reviews the content and the user information (the review may be manual or automatic; automatic review can use a blockchain smart contract), then registers the resource identifier, and then uploads the resulting identifier registration request to the next higher domain with the local identifier prefix added;
Step 3, identifier registration request transmission: after the higher-level network node receives the identifier registration request, it transmits the registration identifier message to the controller of its own domain according to the configured data transmission protocol for subsequent authentication and registration;
Step 4, identifier verification: after a network node in the top-level domain receives an identifier registration request from a subordinate network domain, it verifies the data of the request and returns a corresponding confirmation signal to the original requesting node; at the same time, a configured distributed storage scheme is used to ensure that no registered identifier can be tampered with. The original identifier information is stored in the distributed database of the top-level domain, and after every configured time interval the entire network performs a database synchronization to confirm that the resource identifier information held by the various top-level domains is equal and consistent.
The network resource request step includes:
Step A, query request: a query request is sent to the nearest network node; once the requested content has been registered in the network, the client can use the corresponding uniform resource identifier to obtain the required network resource.
Step B, local identifier data query: when the nearest multi-mode network node receives the request sent by the user, it distinguishes the request according to the identifier being queried. If it is an IP address, the traditional DNS query process continues; if it is an identity or content identifier, the forwarding table is queried. The forwarding table records whether the content for that identifier exists in the local database; if so, the corresponding content is returned, otherwise step C is executed;
Step C, query request forwarding: when the local database holds no corresponding content for the identifier, the query request is uploaded to the next higher network node. After receiving the query request sent by the lower-level node, the higher-level network node performs the query according to steps A and B. If the corresponding content is found, the corresponding content identifier is returned to the lower-level network node; otherwise the query request is passed on to the next higher network node, up to the network node of the top-level domain;
Step D, identifier query verification and interworking: if the top-level domain node finds the registered identifier, it automatically computes and issues the relevant shortest path according to the current dynamic topology of the network; the multi-mode network nodes along the forwarding route receive the new forwarding path table, and a data transmission path is established through multi-hop routing. If the node in the top-level domain does not find the corresponding identifier, it queries the database for the other network identifiers bound to that identifier and proceeds to step E;
Step E, identifier request dispatch: the network node in the top-level domain dispatches the query request to the designated network domain according to the original identifier and the first prefix of the converted identifier, until it reaches the lowest-level network node designated by the query request, which performs a local query. If the corresponding content is found, the corresponding resource content is delivered to the requester; otherwise a query error message is returned.
Multi-mode identifier network addressing:
Every resource in the new network system has multiple corresponding identifiers that denote its content name, publisher identity, network location and other information. Through binding and interworking between the identifiers, the content publishing and access behaviour of all parties in the network can be effectively controlled and supervised. At the same time, we apply the multi-mode network identifiers directly in the network-layer addressing process: through dynamic matching and interworking of the multi-mode identifiers, users can choose among several addressing methods to cope with complex and changing application requirements and network environments. This improves the stability and adaptability of the system and makes it possible to design more innovative intelligent addressing strategies in the future.
In addition to the traditional IP address, the addressing process is mainly based on the following three identifiers (as technology advances, further identifiers can be added):
Content-name-oriented addressing: similar to Named Data Networking (NDN), we use a hierarchical string to identify each resource in the network, of the form "com/ndn/pku/document/01.pdf". To support addressing directly on content names, every multi-mode network node has a Forwarding Information Base (FIB) keyed by name, which records the forwarding port for each name. Data transmission is consumer-driven: the requester of a content puts the content name into an Interest packet and sends it into the network; each multi-mode network node records the arrival port of the Interest packet in its Pending Interest Table (PIT) and looks up the FIB to forward the packet until it reaches a holder of the content; by looking up the PIT, the Data packet containing the requested content is returned to the requester along the reverse path of the Interest packet. Name-oriented addressing decouples the data itself from the specific location where it resides, giving the network system greater flexibility; at the same time, a name can convey richer information, which effectively resolves the semantic overloading of IP addresses.
Identity-oriented addressing: an identity uniquely denotes a user, either locally or globally. Commonly used identity identifiers include public keys, the user's own ID document number, the IMEI code of a mobile phone, and so on. A user's behaviour on the network, including publishing and accessing network resources, is subject to the specific permissions determined by that identity, and any behaviour can be traced back to the user's identity information; this improves the supervisability of the network and removes the ground in which illegal behaviour grows.
Spatial-geographic-location-oriented addressing: a spatial geographic location can represent not only a geographic position in the real-world sense, such as positioning information from the BeiDou satellite system or GPS, but also a virtual position in an abstract space, such as the mathematical coordinates a node obtains after the network has been mapped into a geometric space. To prevent ambiguity in the addressing process, the positions of any two users in this system never coincide.
Location-oriented addressing is generally based on distance computation: the multi-mode network node computes the geometric distance between each neighbour and the destination and greedily selects the neighbour with the smallest distance as the next hop. Because this method has very small storage and computation overhead, location-oriented addressing can effectively cope with routing table growth when the network is large, thereby improving the scalability of the network.
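The greedy distance-based forwarding just described, as an added Python illustration that is not code from the patent. The topology and three-dimensional coordinates are constructed sample data; the example also reports the local-minimum case (no neighbour closer to the destination than the current node), which the text does not discuss but which any greedy geographic scheme has to detect before a recovery mode can take over.

```python
import math
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float, float]  # three-dimensional spatial location identifier

# Constructed topology (not from the patent): node -> position, node -> neighbours.
POSITIONS: Dict[str, Point] = {
    "A": (0.0, 0.0, 0.0), "B": (1.0, 0.0, 0.0), "C": (2.0, 0.0, 0.0),
    "D": (3.0, 0.0, 0.0), "E": (1.0, 1.0, 0.0), "Y": (0.0, 3.0, 0.0),
}
ADJACENCY: Dict[str, List[str]] = {
    "A": ["B", "E"], "B": ["A", "C"], "C": ["B", "D", "Y"],
    "D": ["C"], "E": ["A"], "Y": ["C"],
}


def greedy_next_hop(current: str, destination: Point, positions: Dict[str, Point],
                    neighbours: List[str]) -> Optional[str]:
    """Choose the neighbour geometrically closest to the destination.
    Returns None when no neighbour is closer than the current node (a local minimum)."""
    best, best_distance = None, math.dist(positions[current], destination)
    for candidate in neighbours:
        d = math.dist(positions[candidate], destination)
        if d < best_distance:
            best, best_distance = candidate, d
    return best


def greedy_route(source: str, destination: str, positions: Dict[str, Point],
                 adjacency: Dict[str, List[str]], max_hops: int = 32) -> Tuple[List[str], str]:
    """Forward hop by hop using only per-hop distance computation, no routing table.
    Status is 'delivered', 'stuck' (local minimum reached) or 'ttl_exceeded'."""
    target = positions[destination]
    path, current = [source], source
    while len(path) <= max_hops:
        if current == destination:
            return path, "delivered"
        nxt = greedy_next_hop(current, target, positions, adjacency[current])
        if nxt is None:
            return path, "stuck"
        path.append(nxt)
        current = nxt
    return path, "ttl_exceeded"
```

A 'stuck' result means the packet has reached a node whose every neighbour is farther from the destination, so a production forwarder needs a fallback (for example falling back to name- or identity-based lookup) rather than dropping silently.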
Multi-mode identifier conversion process:
1. Security mechanism based on identity identifiers and a combined matrix:
Name-oriented addressing separates data from the specific place where it resides, providing greater flexibility and scalability; correspondingly, however, unbinding data from location also introduces certain security risks.
For this reason, existing content-centric network architectures usually use "verifiable names" in the data request process: every name must include a way to obtain its publisher's public key, together with the publisher's signature over the name and content. Before a Data packet is cached by a multi-mode network node or received by the requester, its signature must first be verified, to ensure that its name and content are complete, secure and reliable.
Because public key requests occur frequently in the network, in order to save bandwidth and reduce the transmission load, this system adopts a public/private key generation scheme based on identity identifiers and a combined matrix. A brief description of the scheme follows:
The cryptographic mechanism we adopt is Elliptic Curve Cryptography (ECC). In ECC, given a base point G on the elliptic curve and its order n, a positive integer r < n serves as the private key, and the r-th multiple of G, rG = R, serves as the public key. Computing R from (r, G) is very simple, while, because of the hardness of the elliptic curve discrete logarithm problem, solving for r from (R, G) is computationally infeasible. The private key matrix $(r_{ij})_{m \times n}$ has m rows and n columns, where each element $r_{ij}$ is a positive integer satisfying $r_{ij} < n$; the public key matrix $(R_{ij})_{m \times n}$ is generated through the correspondence $r_{ij} G = R_{ij}$. The private key matrix is held only by the key management authority and is used to distribute users' private keys; the public key matrix is held by every network node and is used for signature verification of data.
As shown in Figure 2, the key management authority generates the user's private key $r_{ID}$ from the user's identity identifier ID and the private key matrix $(r_{ij})$. For example, the private key generation process can be implemented as follows: based on a cryptographic chip and cryptographic operations, each identity identifier ID uniquely generates a sequence of subscripts:
$\mathrm{GenerateSub}(ID) = \{i_1, i_2, \ldots, i_l, j_1, j_2, \ldots, j_l\}$
$\mathrm{GenerateSub}(ID)$ denotes the function that generates subscripts from the identity identifier ID; $i_1, i_2, \ldots, i_l$ denote row coordinates of the matrix and $j_1, j_2, \ldots, j_l$ denote column coordinates of the matrix;
The private key corresponding to ID is then the sum of the entries of the private key matrix at those subscripts:
$r_{ID} = \sum_{k=1}^{l} r_{i_k j_k}$
where $r_{ID}$ denotes the user's private key and $r_{i_k j_k}$ denotes the element of the private key matrix $(r_{ij})$ with row coordinate $i_k$ and column coordinate $j_k$, for $k = 1, 2, \ldots, l$;
Similarly, the public key corresponding to ID can be computed by the verifier from the public key matrix and the identity identifier ID:
$R_{ID} = \sum_{k=1}^{l} R_{i_k j_k}$
where $R_{ID}$ denotes the user's public key and $R_{i_k j_k}$ denotes the element of the public key matrix $(R_{ij})$ with row coordinate $i_k$ and column coordinate $j_k$, for $k = 1, 2, \ldots, l$;
Since the multiples of G form a commutative group, we have:
$r_{ID} G = \left(\sum_{k=1}^{l} r_{i_k j_k}\right) G = \sum_{k=1}^{l} r_{i_k j_k} G = \sum_{k=1}^{l} R_{i_k j_k} = R_{ID}$
where $r_{ID} G$ denotes the $r_{ID}$-th multiple of the base point G;
Therefore $(r_{ID}, R_{ID})$ forms a private/public key pair. In this way, not only is a one-to-one binding between identity identifier and public key established, guaranteeing the supervisability and traceability of network behaviour, but the frequent public key request process is also eliminated, improving the practical performance of the network.
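The combined-matrix derivation above, worked through as an added Python example that is not the patent's own code. Assumptions the text leaves open: secp256k1 is used as the curve; GenerateSub(ID) takes successive SHA-256 digest bytes of the identity string as subscripts; the summed private key is reduced modulo the group order so it remains a valid scalar; plain ECDSA is the signature algorithm; and the matrix is a toy 4 x 4 with l = 3. The verifier side shows the point of the scheme: a node holding only the public matrix recomputes R_ID and checks the publisher's signature over a content name without any public key request.

```python
import hashlib
import secrets

# secp256k1 domain parameters. Assumed curve: the text only requires a base point G of order n.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

# Toy matrix dimensions (assumed; a deployment would use far larger m, n and l).
M_ROWS, N_COLS, L_TERMS = 4, 4, 3


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); covers doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point for k >= 0."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def make_matrices():
    """Key management authority: private matrix (r_ij) and public matrix (R_ij) with R_ij = r_ij G."""
    priv = [[1 + secrets.randbelow(N - 1) for _ in range(N_COLS)] for _ in range(M_ROWS)]
    pub = [[ec_mul(r, G) for r in row] for row in priv]
    return priv, pub


def generate_sub(identity: str):
    """GenerateSub(ID): l row subscripts and l column subscripts derived from the identity.
    Assumed construction: successive bytes of SHA-256(ID) reduced to the matrix dimensions."""
    digest = hashlib.sha256(identity.encode()).digest()
    rows = [digest[k] % M_ROWS for k in range(L_TERMS)]
    cols = [digest[L_TERMS + k] % N_COLS for k in range(L_TERMS)]
    return rows, cols


def derive_private_key(priv_matrix, identity: str) -> int:
    """r_ID = sum_k r_{i_k j_k}, reduced mod N so it stays a valid scalar (assumption)."""
    rows, cols = generate_sub(identity)
    return sum(priv_matrix[i][j] for i, j in zip(rows, cols)) % N


def derive_public_key(pub_matrix, identity: str):
    """R_ID = sum_k R_{i_k j_k}: any node holding the public matrix computes this offline."""
    rows, cols = generate_sub(identity)
    acc = INF
    for i, j in zip(rows, cols):
        acc = ec_add(acc, pub_matrix[i][j])
    return acc


def key_pair_consistent(priv_matrix, pub_matrix, identity: str) -> bool:
    """The group-law argument from the text: r_ID G must equal R_ID."""
    return ec_mul(derive_private_key(priv_matrix, identity), G) == derive_public_key(pub_matrix, identity)


def ecdsa_sign(priv: int, msg: bytes):
    """Plain ECDSA over SHA-256; the publisher signs e.g. a content name with r_ID."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = 1 + secrets.randbelow(N - 1)
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s


def ecdsa_verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if pub is INF or not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    point = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return point is not INF and point[0] % N == r


def verify_named_content(pub_matrix, unique_id: str, name: bytes, sig) -> bool:
    """Verifier side of /UniqueID/.../Name/Sig(Name, PrK): R_ID is recomputed, never requested."""
    return ecdsa_verify(derive_public_key(pub_matrix, unique_id), name, sig)
```

Every r_ID is a linear combination of private-matrix entries, so each derived private key is one linear equation in the m times n unknowns, and colluding holders of enough independent keys can recover matrix entries; this is the known collusion weakness of combined-matrix schemes, which makes the matrix dimensions and l security parameters rather than storage choices.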
2. Conversion between names and identities:
To maintain a secure network environment, we bind the name of a content to the identity identifier of its original publisher and use a verifiable extended name to identify network resources, of the following form:
/UniqueID_A/SubID_A/Name/Sig(Name, PrK_A)
Here UniqueID_A is the globally unique identity identifier of publisher A, which never collides, and from which the user's public/private key pair is generated; SubID_A is the secondary identity identifier A used when publishing this content, since the same user in the network may hold several identities; Name is the hierarchical content name; and Sig(Name, PrK_A) is A's signature over the content name. Before the content is received by a user or cached by a multi-mode network node, its signature must be verified under the security mechanism above to guarantee its legitimacy. Thus any resource in the network can be traced back to its original publisher, guaranteeing the supervisability of publishing behaviour and the security of network transmission.
Under this representation, an identity can be regarded as a special form of extended name, namely one whose content name is empty. We therefore use a prefix tree as the data structure supporting storage and lookup of names and identity identifiers:
Figure 3 shows an example of a component-granularity prefix tree. Each edge leaving the root corresponds to one user, denoted by its globally unique identity identifier UniqueID_A; each user node records the FIB entry and spatial location information for that user. The second level of the tree represents the multiple identity identifiers held by each user. If user A1 publishes the resource Name1 under one of its secondary identities, the corresponding name node becomes a child node of that secondary identity, and the name node records the signature Sig(Name1, PrK_A1) together with the FIB entry and spatial location information for that name. Through lookups in this prefix tree we can convert between a name and an identity identifier, or between the several identity identifiers held by the same user.
Using a prefix tree brings the following advantages: 1. the prefix tree compresses and merges identical prefix information, reducing storage overhead; 2. by its nature the prefix tree supports the Longest Prefix Matching (LPM) lookup mode, which coincides with how names are matched in the FIB; 3. the prefix tree records the logical relationships between names and identities, enabling binding and conversion operations between them.
3. Conversion between locations and names or identities:
As described above, each user corresponds to a unique real or virtual spatial location identifier. For a name in the network, in order to reduce routing delay, we set its location identifier to "the location of the nearest node holding the content corresponding to that name", which is computed and issued by the upper-level control node.
By recording the corresponding location information in the prefix tree above, we can convert from a name or identity to a location. Conversely, since users' locations never collide, we use a location-to-identity hash table to perform the mapping in the other direction.
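The component-granularity prefix tree of section 2 and the location-to-identity hash table of section 3, as one added Python example that is not the patent's own code. Assumed details: extended-name components are separated by "/", the trailing Sig(...) component is stored on the name node rather than used as a key, FIB entries are plain port labels, and all registered users and names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Location = Tuple[float, float, float]  # three-dimensional spatial coordinates


@dataclass
class TrieNode:
    """One name component. Depth 1 is a UniqueID, depth 2 a SubID, deeper levels are Name parts."""
    children: Dict[str, "TrieNode"] = field(default_factory=dict)
    fib_port: Optional[str] = None       # FIB entry: where to forward requests for this prefix
    location: Optional[Location] = None  # spatial location identifier bound to this node
    signature: Optional[str] = None      # Sig(Name, PrK) is stored on the name node only


class IdentityNameTrie:
    """Prefix tree over /UniqueID/SubID/Name components plus a location -> identity hash table."""

    def __init__(self) -> None:
        self.root = TrieNode()
        self.location_index: Dict[Location, str] = {}

    @staticmethod
    def components(extended_name: str) -> Tuple[List[str], Optional[str]]:
        """Split '/UniqueID/SubID/a/b/Sig(...)' into its components and the trailing signature."""
        parts = [p for p in extended_name.split("/") if p]
        if parts and parts[-1].startswith("Sig("):
            return parts[:-1], parts[-1]
        return parts, None

    def register_user(self, unique_id: str, fib_port: str, location: Location) -> None:
        """One root edge per user. User locations never coincide, so reusing one is rejected."""
        owner = self.location_index.get(location)
        if owner is not None and owner != unique_id:
            raise ValueError(f"location {location} is already bound to {owner}")
        node = self.root.children.setdefault(unique_id, TrieNode())
        node.fib_port, node.location = fib_port, location
        self.location_index[location] = unique_id

    def register_name(self, extended_name: str, fib_port: str, location: Location) -> None:
        """Insert /UniqueID/SubID/Name/Sig(...); the publisher must already be registered."""
        parts, signature = self.components(extended_name)
        if len(parts) < 3 or signature is None:
            raise ValueError("need UniqueID, SubID, at least one name component and a signature")
        if parts[0] not in self.root.children:
            raise KeyError(f"unknown publisher {parts[0]}")
        node = self.root
        for comp in parts:  # identical prefixes share nodes, the storage saving the text notes
            node = node.children.setdefault(comp, TrieNode())
        node.fib_port, node.location, node.signature = fib_port, location, signature

    def longest_prefix_match(self, extended_name: str) -> Tuple[int, Optional[str]]:
        """FIB-style LPM: (components matched, fib_port of the deepest matched node that has one)."""
        parts, _ = self.components(extended_name)
        node, best_depth, best_port = self.root, 0, None
        for depth, comp in enumerate(parts, start=1):
            node = node.children.get(comp)
            if node is None:
                break
            if node.fib_port is not None:
                best_depth, best_port = depth, node.fib_port
        return best_depth, best_port

    def name_to_identity(self, extended_name: str) -> Optional[Tuple[str, str]]:
        """(UniqueID, SubID) behind a registered name or identity; None for unknown or partial names."""
        parts, _ = self.components(extended_name)
        if not parts:
            return None
        node = self.root
        for comp in parts:
            node = node.children.get(comp)
            if node is None:
                return None
        if len(parts) <= 2 or node.signature is not None:  # an identity is a name with empty content
            return parts[0], (parts[1] if len(parts) > 1 else "")
        return None

    def identity_to_names(self, unique_id: str) -> List[str]:
        """Every name a user has published, across all of its sub-identities."""
        found: List[str] = []

        def walk(node: TrieNode, path: List[str]) -> None:
            if node.signature is not None:
                found.append("/" + "/".join(path))
            for comp, child in node.children.items():
                walk(child, path + [comp])

        user = self.root.children.get(unique_id)
        if user is not None:
            for sub_id, sub_node in user.children.items():
                walk(sub_node, [unique_id, sub_id])
        return sorted(found)

    def location_to_identity(self, location: Location) -> Optional[str]:
        """Reverse mapping through the hash table; sound only because user locations never collide."""
        return self.location_index.get(location)

    def identity_to_location(self, unique_id: str) -> Optional[Location]:
        node = self.root.children.get(unique_id)
        return node.location if node is not None else None
```

A request for an unregistered name under a known publisher falls back to the publisher's own FIB entry, which is the identity-as-empty-name case from the text; a request under an unknown publisher matches nothing and must be forwarded to the next higher domain.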
User management and privacy protection policy:
Whenever a user terminal sends an identifier registration request in the network, it binds the corresponding identity information to ensure normal operation of the network. The user generates an identity certificate by applying a specific hash function to the user's identity information; this certificate serves as proof of the user's identity in the network, and the geospatial identifier serves as auxiliary identification information for the user. At the same time, the system sends the user's public key to the network supervisory node. The user then signs the identifier registration request with the user's own identity certificate and sends the signature together with the registration request to the network supervisory node. The network supervisory node first verifies the user's legitimacy from the received registration request using the same hash function as the user, then decrypts the attached signature with the user's public key. The two hash values are compared; if they are identical, the signature is confirmed to belong to the user. If the identifier registration request is confirmed by the network supervisory node, the system stores the user's identity certificate in the distributed data store, guaranteeing later traceability and supervision of the identifier's content.
At the same time, the system requires that every identifier be registered before it can be routed in the network and that the publisher's identity information be added at registration time, which effectively reduces the spread of prohibited content in the network, including but not limited to the dark web of the traditional IP network and private personal data, and effectively improves users' privacy and security.
The new network system introduces an access rights management policy. The system rates the network content published by users, and when a user accesses a network resource the access rights are determined from the visitor's identity information, for example restricting the daily Internet and gaming time of specific groups such as students. Rating of network content can effectively protect the physical and mental health of minors and promote the reasonable and compliant development of Internet content.
The present invention discloses a system supporting progressive IP removal with multi-mode identifier network addressing, comprising a memory, a processor and a computer program stored on the memory, the computer program being configured to implement the steps of the method of the present invention when invoked by the processor.
The present invention further discloses a computer-readable storage medium storing a computer program, the computer program being configured to implement the steps of the method of the present invention when invoked by a processor.
The present invention has the following beneficial effects:
1. Domain name resolution is no longer provided by the specific 13 servers and their affiliated mirror servers. Control of the Internet passes to Internet participants throughout the world rather than being monopolized by a single organization, achieving multilateral co-management, co-governance and sharing of cyberspace in the post-IP era, with equality and openness.
2. For governments, the multi-mode identifier network achieves global co-management through decentralized blockchain technology, preventing a country's domain names from being erased by a particular country and improving the security of the national network. At the same time, the content publishing and access behaviour of all parties is effectively protected and managed and their network access behaviour cannot be repudiated, reducing the cost of national network supervision.
3. For network service providers, with future Internet of Things scenarios, the development of 5G and changes in individual users' habits, mobile access will become one of the main ways of accessing the Internet. By introducing multiple network identifiers, in particular identity identifiers that inherently support mobility, the new multi-mode identifier network improves the overall addressing efficiency of the network and reduces the operation and maintenance costs incurred by network service providers for mobile users in traditional networks. At the same time, network security is substantially improved, effectively reducing the network security risks faced by ISPs.
4. For enterprise users, an enterprise user binds the identification code issued by a government or professional institution as its identity identifier to log on to the network, and the network resources it publishes are also bound to its enterprise identity information. Because that content is locked on the blockchain, the risk of tampering by attackers is avoided.
5. For individual users, an individual user binds the corresponding biometric identity information and other identity authentication information as an identity identifier to log on to the network, and the network resources the user publishes are also bound to that identity information. The spatial information identifier of an individual user logging on to the network and the network resources accessed are recorded on the blockchain of the network supervisory node of the user's domain for security supervision and data protection. The network supervisory node refuses registration of, deletes and penalizes non-compliant network resources and malicious users in the network. Compared with the privacy and security problems of the traditional IP network, this network system offers good privacy protection and security.
6. For underage users, the new multi-mode identifier network introduces a rating management mechanism alongside identifier registration. When minors use the network, the content they access can be effectively managed in accordance with the regulations of local governments, reducing the likelihood of minors becoming addicted to the Internet and effectively cleaning up the online environment for minors.
7. By introducing multi-mode identifier addressing and routing, the network focuses more on the network resource itself or the user itself rather than on the storage location of the resource as in traditional networks. This avoids the "narrow waist" performance bottleneck of the traditional IP network and greatly improves the efficiency of network resource transmission.
8. User identity identifiers are introduced to improve network security and usability. At registration, every identifier must be bound to the user's specific biometric identity information and cryptographic keys before the registration can be completed, and every step of the registration information in the network is fully preserved, so that malicious behaviour can be effectively traced and all network resources in the network are manageable and controllable. At the same time, the risk of user privacy leakage is greatly reduced.
9. Because the content publishing and access behaviour of all parties in the new network is effectively protected and managed, the behaviour generated by their access to the network cannot be repudiated. Any network attack or illegal behaviour is also recorded by the blockchain within the domain. The use of these identifiers therefore keeps cyberspace in an orderly and secure state and steers users' traffic of all kinds onto the new identity-bound identifier network, such as content identifiers and identity identifiers, naturally reducing traffic on the IP network, which has no security guarantees. Information publishers that pursue highly trusted services will publish their information under the new identifiers, naturally steering network traffic and the network architecture toward the removal of IP.
10. Resolution of object storage addresses and the existing domain name resolution system can be supported without changing the system architecture.
11. A key generation mechanism based on identity identifiers and a combined matrix is proposed: using a cryptographic chip and cryptographic algorithms, on the basis of the combined matrix, each identity identifier uniquely generates an elliptic curve key pair. As a result, relying only on the public key matrix and the publisher's identity identifier, the recipient of data can compute the publisher's public key and thereby complete signature verification. This mechanism not only binds identity identifiers to cryptographic information, which facilitates identity-oriented network management, but also eliminates the frequent public key distribution and request process, improving the utilization efficiency of the network.
12.提出了一种支持多模网络标识的寻址策略,通过名字标识,身份标识和空间位置标识之间的相互转换,用户可以灵活选取最适合的寻址方式以应对复杂多变的网络环境与实际需求,从而提升了该系统的适应性。同时,网络资源名与原发布者标识的绑定提升了网络行为的可监管性和可追查性,保证了网络传输的安全可靠。12. An addressing strategy that supports multi-mode network identification is proposed. Through the mutual conversion between name identification, identity identification and spatial location identification, users can flexibly choose the most suitable addressing method to cope with complex and changeable network environments And actual demand, thereby enhancing the adaptability of the system. At the same time, the binding of the network resource name and the original publisher's identity improves the supervisability and traceability of network behavior, and ensures the safety and reliability of network transmission.
13.引入结合身份标识的不对称签名机制,使用户对发布的网络资源进行加密,同时网络监管节点会拒绝注册、删除及惩处网络中的违规网络资源及恶意用户。相对于传统IP网络存在的隐私安全问题,该网络系统具有良好的隐私保护性及安全性。13. Introduce an asymmetric signature mechanism combined with identification to enable users to encrypt published network resources. At the same time, network supervision nodes will refuse to register, delete and punish illegal network resources and malicious users in the network. Compared with the privacy and security problems of traditional IP networks, the network system has good privacy protection and security.
14.提出了一种网络的平滑过渡的渐进式部署的扩展方案,可以在不改变系统架构的情况下支持已有的DNS域名解析系统,用户可以通过多种方式接入网络,并逐步的替换现有的域名解析系统。14. A gradual deployment expansion plan for a smooth transition of the network is proposed, which can support the existing DNS domain name resolution system without changing the system architecture. Users can access the network in a variety of ways and gradually replace it. Existing domain name resolution system.
The above is a further detailed description of the present invention in conjunction with specific preferred embodiments, and the specific implementation of the invention is not to be regarded as limited to these descriptions. A person of ordinary skill in the technical field to which the invention belongs may make a number of simple deductions or substitutions without departing from the concept of the invention, all of which should be regarded as falling within the scope of protection of the invention.

Claims (14)

  1. A method for supporting multi-mode identifier network addressing with progressive removal of IP, characterized in that it comprises constructing a network that is divided into hierarchical network domains from top to bottom, wherein the top-level domain of the network is formed by government agencies of the respective countries acting as top-level identifier management nodes in a global alliance that jointly manages the generation, registration and resolution of identifiers, and all network resources in the network are locked on a blockchain; the first-level domains and the domains below them are managed by the corresponding administrative or professional bodies, and the identifier management method, identifier registration scheme and consensus algorithm within a domain may differ from domain to domain;
    the network contains supervision nodes, individual-user nodes and enterprise-user nodes; each domain has a corresponding network supervision node, which is responsible for user management, identifier registration, identifier interworking and identifier routing within the domain, and each network supervision node holds multi-mode identifiers covering content network identifiers, spatial geographic-location identifiers, identity information and IP addresses; between upper and lower domains, the network supervision nodes serve as the data-access interface that realizes hierarchical data transmission; individual users include individual users in the traditional sense and, in the Internet-of-Things era, terminal nodes that act as mobile network-access nodes in the network; enterprise users include government agencies, professional bodies, companies and organizations operating websites with content-publishing rights;
    the network supports network-layer routing and addressing in which several identifiers, namely identity identifiers, content identifiers, spatial geographic-location identifiers and IP-address identifiers, coexist; the content identifier of every resource in the network is bound to the identity identifier of its publisher, and the spatial geographic-location identifier of a user at login and the network resources the user accesses are recorded on the blockchain of the supervision node of the user's domain for security supervision and data protection.
  2. The method according to claim 1, characterized in that the method comprises an identifier registration step and a network resource request step;
    the identifier registration step comprises:
    Step 1, resource registration: a network node receives the resource content that a user registers and, according to the node where the content is stored, attaches a spatial geographic-location identifier and the identity identifier of the content publisher;
    Step 2, network node authentication: after the network node of the local domain receives the identifier registration request transmitted by the user, it reviews the content and the user information, registers the resource identifier, and then uploads the resulting identifier registration request, with the local identifier prefix added, to the next higher domain;
    Step 3, transmission of the identifier registration request: after the network node of the next higher domain receives the identifier registration request, it transmits the registration message to the controller of its own domain according to the configured data transmission protocol for subsequent authentication and registration;
    Step 4, identifier verification: after a network node in the top-level domain receives the identifier registration request from a lower network domain, it verifies the data of the request and returns a corresponding confirmation to the original requesting node; at the same time, the configured distributed storage scheme ensures that no registered identifier can be tampered with: the original identifier information is stored in the distributed database of the top-level domain, and after each configured interval the whole network synchronizes its databases so that the resource identifier information held by the different top-level domains is consistent and unified;
    the network resource request step comprises:
    Step A, query request: the query request is sent to the nearest network node;
    Step B, local identifier lookup: when the nearest multi-mode network node receives the user's request, it distinguishes by the type of identifier being queried: if it is an IP address, the traditional DNS query procedure continues; if it is an identity or content identifier, the node consults its forwarding table, which records whether the identified content exists in the local database; if so, the corresponding content is returned, otherwise Step C is executed;
    Step C, upward forwarding of the query: when the local database holds no matching content, the query request is passed up to the next higher network node, which, after receiving the query from the lower node, performs Steps A to B; if the content is found it is returned to the lower network node, otherwise the query is passed up again, until it reaches a network node of the top-level domain;
    Step D, identifier lookup verification and interworking: if the top-level domain node finds the registered identifier, it automatically computes the shortest path from the current dynamic topology of the network and pushes it down; the multi-mode network nodes on the forwarding route receive the new forwarding-path table and a data transmission path is established through multi-hop routing; if the top-level node does not find the identifier, it looks up in its database the other network identifiers bound to that identifier and proceeds to Step E;
    Step E, downward dispatch of the query: a network node in the top-level domain dispatches the query, according to the original identifier and the first prefix of the converted identifier, to the designated network domain, until it reaches the lowest-level network node specified by the query, which performs a local lookup; if the content is found, the corresponding resource content is returned to the requester, otherwise a query error is returned.
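The lookup of Steps A to E above, written out over a small tree of domains, as an added example that is not part of the patent: the identifier syntax (an IP literal takes the DNS branch, a `/`-prefixed string is a content name, an `id:`-prefixed string is an identity), the stub DNS table and the sample domains and resources are all constructed here, since the claims fix none of them. The registration side is modelled only as far as Steps 2 to 4 need it: a resource is held by one domain and every ancestor up to the top level records which domain holds it. The `trace` returned by `resolve` lists the domains consulted, so the escalation, the Step D shortcut and the Step E redirection through a bound alternative identifier can be observed.

```python
"""Added example of the claim-2 lookup (Steps A-E) over a tree of domains.
Not the patent's code.  Constructed for the example: the identifier syntax,
the stub DNS table, and the sample domains and resources."""
import ipaddress

DNS_STUB = {"203.0.113.10": "legacy-host-a.example"}  # stand-in for the DNS path


class Domain:
    """A network domain and the tables held by its supervision node."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, {}
        self.store = {}     # identifier -> content held locally
        self.registry = {}  # identifier -> path of the holding domain (Steps 2-4)
        self.bindings = {}  # top level only: identifier -> bound alternative
        if parent is not None:
            parent.children[name] = self

    def path(self):
        labels, d = [], self
        while d.parent is not None:
            labels.append(d.name)
            d = d.parent
        return "/".join(reversed(labels))

    def top(self):
        d = self
        while d.parent is not None:
            d = d.parent
        return d


def register(domain, identifier, content):
    """Keep the content locally and tell every ancestor which domain holds it."""
    domain.store[identifier] = content
    d, holder = domain.parent, domain.path()
    while d is not None:
        d.registry[identifier] = holder
        d = d.parent


def classify(identifier):
    """Step B: IP literal -> DNS path; otherwise content name or identity."""
    try:
        ipaddress.ip_address(identifier)
        return "ip"
    except ValueError:
        pass
    if identifier.startswith("/"):
        return "content"
    if identifier.startswith("id:"):
        return "identity"
    raise ValueError("unrecognised identifier: %r" % identifier)


def descend(top, path):
    """Step E: follow the domain prefix downward from the top-level node."""
    node = top
    for label in path.split("/"):
        node = node.children.get(label)
        if node is None:
            return None
    return node


def fetch(top, identifier, holder_path, trace):
    node = descend(top, holder_path)
    if node is not None:
        trace.append(node.name)
        if identifier in node.store:
            return "ok", node.store[identifier], trace
    return "error", None, trace


def resolve(start, identifier):
    """Return (status, content, trace); trace lists the domains consulted."""
    trace = []
    if classify(identifier) == "ip":
        trace.append(start.name)
        if identifier in DNS_STUB:
            return "ok", DNS_STUB[identifier], trace
        return "error", None, trace
    node = start
    while node is not None:                      # Steps B-C: climb toward the top
        trace.append(node.name)
        if identifier in node.store:
            return "ok", node.store[identifier], trace
        if identifier in node.registry:          # Step D: registered, holder known
            return fetch(node.top(), identifier, node.registry[identifier], trace)
        node = node.parent
    top = start.top()                            # Steps D-E: try the bound identifier
    alt = top.bindings.get(identifier)
    if alt is None or alt not in top.registry:
        return "error", None, trace
    return fetch(top, alt, top.registry[alt], trace)


def build_sample():
    """Constructed two-level hierarchy under one top-level domain."""
    top = Domain("top")
    cn = Domain("cn", top)
    sz, bj = Domain("shenzhen", cn), Domain("beijing", cn)
    register(sz, "/pku-sz/paper/2019", b"paper held in shenzhen")
    register(bj, "id:alice", b"alice's identity record")
    top.bindings["/pku/paper/2019"] = "/pku-sz/paper/2019"  # alias binding
    return top, sz, bj
```

Two points worth noticing when running it: a query for `id:alice` from `shenzhen` stops climbing at `cn`, because the registry recorded at registration time already names the holding domain (Step D), and a query for the alias `/pku/paper/2019` climbs to the top, is converted there, and is dispatched back down to `shenzhen` (Step E). An identifier that matches none of the three syntaxes is rejected before any lookup, which is the check a real node needs so that malformed input cannot be bounced up the hierarchy.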
  3. The method according to claim 1, characterized in that every resource in the network system has several corresponding identifiers denoting its content name, its publisher's identity and its spatial geographic location; through the binding and interworking of these identifiers, the content publication and access behaviour of all parties in the network can be effectively controlled and supervised; at the same time, the multi-mode network identifiers are used directly in the addressing process of the network layer, and through dynamic matching and interworking of the multi-mode identifiers users can choose among several addressing modes to cope with complex and changing application requirements and network environments.
  4. The method according to claim 3, characterized in that, in addition to the traditional IP address, the addressing process is based on the following three identifiers:
    Content-name addressing: every resource in the network is identified by a hierarchical string; to support addressing directly by content name, every multi-mode network node holds a forwarding information base keyed by name that records the outgoing port for each name; data transmission is consumer-driven: the requester of a content item places the content name in an Interest packet and sends it into the network; each routing node records the incoming port of the Interest in its pending interest table and consults the forwarding information base to forward the Interest, until it reaches a holder of the content; by consulting the pending interest tables, the Data packet carrying the requested content is returned to the requester along the reverse of the path the Interest took; name-based addressing decouples the data itself from the specific location where it is stored, which gives the network system greater flexibility;
    Identity addressing: an identity identifier refers to one user uniquely, either locally or globally; a user's behaviour on the network, including publishing and accessing network resources, is subject to the specific permissions determined by that identity, and any action can be traced back to the user's identity information;
    Spatial geographic-location addressing: location information may denote a geographic location in the real world or a virtual position in an abstract space; to avoid ambiguity during addressing, no two users in this system share the same position; the addressing procedure is that a multi-mode network node computes the geometric distance between each of its neighbours and the destination and greedily selects the neighbour with the smallest distance as the next hop.
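The greedy rule of the last paragraph, together with the case it does not cover, as an added example that is not part of the patent: the three-dimensional coordinates (claim 11 records terminal positions as 3-D coordinates) and the links between nodes are constructed here. The first topology delivers; in the second the only route to the destination passes through a node that is farther from it than the current node, so a strictly greedy node has no closer neighbour to pick and the packet is stranded. `next_hop` returns `None` in that situation rather than handing the packet back, which is the local-minimum (void) failure of greedy geographic forwarding, and `forward` also bounds the hop count so that a buggy position table cannot make it loop forever.

```python
"""Added example of the greedy geographic forwarding rule in claim 4, with the
local-minimum ('void') case the rule alone cannot get past.  Not the patent's
code; the 3-D coordinates and links are constructed."""
import math


def next_hop(here, neighbours, target):
    """Claim-4 rule: the neighbour geometrically closest to target, but only
    if it is closer than the current node; otherwise None (local minimum)."""
    best, best_d = None, math.dist(here, target)
    for nid, pos in neighbours.items():
        d = math.dist(pos, target)
        if d < best_d:
            best, best_d = nid, d
    return best


def forward(links, positions, src, target, max_hops=64):
    """Forward from node src toward the node located at target.
    Returns (delivered, path).  Stops instead of looping when stuck."""
    cur, path = src, [src]
    while positions[cur] != target:
        if len(path) > max_hops:
            return False, path
        nbrs = {n: positions[n] for n in links[cur]}
        nxt = next_hop(positions[cur], nbrs, target)
        if nxt is None:               # no neighbour is closer than we are
            return False, path
        path.append(nxt)
        cur = nxt
    return True, path


# Constructed topologies.  Positions are (x, y, z); links are symmetric.
POS_OK = {"A": (0, 0, 0), "B": (1, 0, 0), "X": (2, 1, 0), "D": (3, 0, 0)}
LINKS_OK = {"A": ["B"], "B": ["A", "X"], "X": ["B", "D"], "D": ["X"]}

# Here the only route to D runs through C, which is farther from D than B is,
# so greedy forwarding strands the packet at B although a route exists.
POS_VOID = {"A": (0, 0, 0), "B": (1, 0, 0), "C": (1, 2, 0), "D": (3, 0, 0)}
LINKS_VOID = {"A": ["B", "C"], "B": ["A"], "C": ["A", "D"], "D": ["C"]}
```

A node that gets `None` back is exactly where a multi-mode network would switch to another addressing mode (name or identity, as claim 12 allows users to choose) instead of dropping the packet; that fallback is this editor's suggestion, not something the claim specifies.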
  5. The method according to claim 4, characterized in that, in identity addressing, the identity identifier includes a public key, the user's personal document ID, the IMEI of a mobile phone, an e-mail address, and other identity identifiers.
  6. The method according to claim 4, characterized in that, in name addressing and identity addressing, a security mechanism based on identity identifiers and a combined matrix is used; the cryptographic mechanism within this security mechanism is elliptic-curve cryptography: given a base point G on the elliptic curve and its order n, a positive integer r < n serves as a private key and the scalar multiple rG = R of G serves as the corresponding public key; the private-key matrix $(r_{ij})_{m \times n}$ has m rows and n columns (this n is the matrix width, a quantity separate from the curve order n), each element $r_{ij}$ being a positive integer with $r_{ij} < n$, and the public-key matrix $(R_{ij})_{m \times n}$ is generated from it through the correspondence $r_{ij} G = R_{ij}$; the private-key matrix is held only by the key management authority and is used to distribute users' private keys, while the public-key matrix is held by every network node and is used for signature verification of data; the key management authority generates a user's private key $r_{ID}$ from the user's identity identifier ID and the private-key matrix $(r_{ij})$.
  7. The method according to claim 6, characterized in that, in the security mechanism based on identity identifiers and a combined matrix, the private key is generated as follows: using a cryptographic chip and cryptographic operations, each identity identifier ID uniquely generates a sequence of subscripts:
    $\mathrm{GenerateSub}(ID) = \{i_1, i_2, \ldots, i_l, j_1, j_2, \ldots, j_l\}$
    where $\mathrm{GenerateSub}(ID)$ is the function that generates subscripts from the identity identifier ID, $i_1, i_2, \ldots, i_l$ are row indices of the matrix and $j_1, j_2, \ldots, j_l$ are column indices of the matrix;
    the private key corresponding to ID is then the sum of the private-key matrix entries at those subscripts (reduced modulo the order n so that $r_{ID} < n$):
    $r_{ID} = \sum_{k=1}^{l} r_{i_k j_k}$
    where $r_{ID}$ is the user's private key and $r_{i_k j_k}$ denotes the element of the private-key matrix $(r_{ij})$ with row index $i_k$ and column index $j_k$, for the row indices $i_1, i_2, \ldots, i_l$ and column indices $j_1, j_2, \ldots, j_l$;
    likewise, the public key corresponding to ID can be computed by the verifier from the public-key matrix and the identity identifier ID:
    $R_{ID} = \sum_{k=1}^{l} R_{i_k j_k}$
    where $R_{ID}$ is the user's public key and $R_{i_k j_k}$ denotes the element of the public-key matrix $(R_{ij})$ with row index $i_k$ and column index $j_k$, for the same row indices $i_1, i_2, \ldots, i_l$ and column indices $j_1, j_2, \ldots, j_l$;
    since the scalar multiples of G form a commutative group, we have:
    $r_{ID} G = \Big(\sum_{k=1}^{l} r_{i_k j_k}\Big) G = \sum_{k=1}^{l} r_{i_k j_k} G = \sum_{k=1}^{l} R_{i_k j_k} = R_{ID}$
    where $r_{ID} G$ denotes the $r_{ID}$-fold scalar multiple of the base point G;
    therefore $(r_{ID}, R_{ID})$ form a private/public key pair. In this way, not only is a one-to-one binding between the identity identifier and the public key achieved, which guarantees the supervisability and traceability of network behaviour, but the frequent public-key request procedure is also eliminated, improving the actual performance of the network.
  8. The method according to claim 1, characterized in that the method comprises an interworking process between names and identities, in which the name of a content item is bound to the identity identifier of its original publisher and a verifiable extended name of the following form is used to identify network resources:
    /UniqueID_A/SubID_A/Name/Sig(Name, PrK_A)
    where $UniqueID_A$ is the globally unique, collision-free identity identifier of publisher A, from which the user's public/private key pair is generated; $SubID_A$ is the secondary identity identifier that A uses when publishing this content, since one user in the network may hold several identities; Name is the hierarchical content name; and $Sig(Name, PrK_A)$ is A's signature over the content name; before the content is received by a user or cached by a multi-mode network node, its signature must be verified to ensure its legitimacy; a prefix-tree data structure is used to support storage and lookup of names and identity identifiers: in the prefix tree, each edge leaving the root corresponds to one user, referred to by its globally unique identity identifier $UniqueID_A$, and each user node records the forwarding information base entries and spatial-location information of that user; the second layer of the prefix tree represents the several identity identifiers held by each user; if user A1 publishes resource Name1 under one of its identities $SubID_{A1}$, the corresponding name node becomes a child of the node for that identity and records the signature $Sig(Name1, PrK_{A1})$ together with the forwarding information base entries and spatial-location information for that name; lookups in this prefix tree perform the conversion between a name and an identity identifier, or between the several identity identifiers held by one user.
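The key derivation of claims 6 and 7 and the verifiable name of claim 8 share one signing routine, so both are shown in one added example that is not part of the patent. The curve is secp256k1 (the claims name no curve); the matrix is 8 by 8 with l = 4 summed entries; GenerateSub hashes the identity with SHA-256 and reads index pairs from the digest; and the signature is Schnorr-style, since the claims fix none of these. `private_key` is the key management authority's side (it holds $(r_{ij})$), `public_key` is any node's side (it holds only $(R_{ij})$), and `admit` is the check a multi-mode node runs on `/UniqueID/SubID/Name/Sig` before caching: it recomputes $R_{ID}$ from the UniqueID and the public matrix and verifies Sig over Name, so no public-key request is needed.

```python
"""Added example for claims 6-8: combined-matrix identity keys and the
verifiable name /UniqueID/SubID/Name/Sig, on secp256k1.  Not the patent's
code.  Assumed (the claims fix none of these): 8x8 matrix, l = 4 summed
entries, SHA-256 as GenerateSub, a Schnorr-style signature."""
import hashlib
import secrets

# secp256k1 domain parameters (standard, public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ROWS, COLS, L = 8, 8, 4   # assumed m x n matrix and number l of summed entries


def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def make_matrices():
    """Key management authority: secret (r_ij) and published (R_ij = r_ij G)."""
    priv = [[1 + secrets.randbelow(N - 1) for _ in range(COLS)] for _ in range(ROWS)]
    return priv, [[ec_mul(r, G) for r in row] for row in priv]


def generate_sub(identity):
    """GenerateSub(ID): hash the identity into l (row, column) index pairs."""
    h = hashlib.sha256(identity.encode()).digest()
    return [(h[k] % ROWS, h[L + k] % COLS) for k in range(L)]


def private_key(identity, priv):
    """r_ID = sum of the selected private-matrix entries mod n (authority only)."""
    r = sum(priv[i][j] for i, j in generate_sub(identity)) % N
    if r == 0:
        raise ValueError("degenerate key for this identity; refuse registration")
    return r


def public_key(identity, pub):
    """R_ID = sum of the selected public-matrix points; any node can compute it."""
    R = None
    for i, j in generate_sub(identity):
        R = ec_add(R, pub[i][j])
    return R


def _challenge(Rk, msg):
    data = Rk[0].to_bytes(32, "big") + Rk[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(msg, r_id):
    """Schnorr-style signature (R, s) with s = k + e*r_ID, hex encoded."""
    k = 1 + secrets.randbelow(N - 1)
    Rk = ec_mul(k, G)
    s = (k + _challenge(Rk, msg) * r_id) % N
    return "%064x%064x%064x" % (Rk[0], Rk[1], s)


def verify(msg, sig_hex, R_id):
    """Check s*G == R + e*R_ID using only the public key derived from the ID."""
    if len(sig_hex) != 192:
        return False
    Rk = (int(sig_hex[:64], 16), int(sig_hex[64:128], 16))
    s = int(sig_hex[128:], 16)
    return ec_mul(s, G) == ec_add(Rk, ec_mul(_challenge(Rk, msg), R_id))


def publish(unique_id, sub_id, name, r_id):
    """Publisher side: build /UniqueID/SubID/Name/Sig(Name, PrK)."""
    return "/%s/%s/%s/%s" % (unique_id, sub_id, name, sign(name.encode(), r_id))


def admit(path, pub):
    """Node side, before caching: recompute R_ID from UniqueID and the public
    matrix and verify Sig over Name.  Returns (UniqueID, SubID, Name)."""
    parts = path.strip("/").split("/")
    if len(parts) < 4:
        raise ValueError("malformed identifier: " + path)
    unique_id, sub_id, sig = parts[0], parts[1], parts[-1]
    name = "/".join(parts[2:-1])          # Name itself may be hierarchical
    if not verify(name.encode(), sig, public_key(unique_id, pub)):
        raise ValueError("signature does not match publisher " + unique_id)
    return unique_id, sub_id, name
```

Two caveats a practitioner should keep in mind. First, the claim signs Name only, and the example follows it; the same signature therefore stays valid if the path is re-issued under a different SubID of the same publisher, so a deployment that relies on SubID for attribution should include SubID in the signed data. Second, every $r_{ID}$ is a known linear combination of matrix entries, which is the well-known collusion weakness of combined-public-key schemes: a coalition holding enough private keys can solve for the matrix, so the matrix size and l must be chosen with that in mind and identities cannot be handed out without limit.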
  9. The method according to claim 8, characterized in that the method comprises an interworking process between location and content name or identity, in which every user corresponds to a unique real or virtual spatial geographic-location identifier; for a content name in the network, to reduce routing delay, its location identifier is set to "the position of the nearest node holding the content for that name", which is computed and pushed down by the upper control node; by recording the corresponding location information in the prefix tree, conversion from name or identity to spatial geographic location is achieved; and to keep users' locations from colliding, a hash table from spatial geographic location to identity is used to perform the mapping between them.
  10. The method according to claim 1, characterized in that the method comprises a user management and privacy protection policy, in which every user terminal, when sending an identifier registration request in the network, binds the corresponding identity information so that the network operates normally; the user generates an identity certificate by applying a designated hash function to the user's identity information, and this identity certificate serves as proof of the user's identity in the network, with the spatial geographic-location identifier as auxiliary identification information for the user; at the same time the system sends the user's public key to the network supervision node, and the user signs the identifier registration request with the key belonging to that identity certificate and sends the signature together with the request to the network supervision node; the supervision node first applies the same hash function as the user to the received identifier registration request to verify the user's legitimacy, then verifies the attached signature with the user's public key and compares the hash it computed with the hash the signature commits to; if the two hash values match, the signature is confirmed to belong to the user; if the identifier registration request is confirmed by the supervision node, the system stores the user's identity certificate in the distributed data store to guarantee later tracing and supervision of the identified content; the system classifies the network content published by users into levels, and when a user accesses network resources the access rights are determined from the identity information of the visitor.
  11. The method according to claim 1, characterized in that the method comprises an individual-user network access step, in which, when a user accesses the network system through the traditional Internet, the network node records the MAC address of the user terminal as its identity identifier in the network and also records the spatial geographic location of the terminal in the form of three-dimensional spatial coordinates; for mobile phone users, the phone's IMEI is also recorded as part of the identity authentication information; a corresponding gateway device at the boundary of each network domain ensures that users can reach Internet resources through the various network identifiers; when a user accesses the network through the new network identifiers, the relevant identity information, including but not limited to the user's fingerprint, iris and other biometric information from which the user's identity can be traced, is stored on the user's local node; this identity information is kept only locally on the user node, is used to generate the user's signature, and is never transmitted in the multi-mode identifier network; at the same time, the individual user's identity identifier is bound to the identifiers of the various content items the user publishes and serves as one addressing identifier for that network content, so that other nodes in the network can address network resources directly by the user identifier, improving the efficiency of resource lookup.
  12. The method according to claim 1, characterized in that the method comprises an enterprise-user network access step, in which the enterprise user binds the identification code issued by a government or professional body as the identity identifier with which it logs in to the network; the network resources it publishes are bound to its enterprise identity information, and the network resources published by the enterprise user and the spatial-location identifier of its servers are recorded on the blockchain of the supervision node of its domain for security supervision and data protection.
  13. A system for supporting multi-mode identifier network addressing with progressive removal of IP, characterized in that it comprises a memory, a processor and a computer program stored in the memory, the computer program being configured to implement the steps of the method according to any one of claims 1 to 12 when invoked by the processor.
  14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program configured to implement the steps of the method according to any one of claims 1 to 12 when invoked by a processor.
PCT/CN2019/073507 2019-01-28 2019-01-28 Progressive ip removal method and system supporting multi-mode identifier network addressing and storage medium WO2020154865A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/073507 WO2020154865A1 (en) 2019-01-28 2019-01-28 Progressive ip removal method and system supporting multi-mode identifier network addressing and storage medium
CN201980005057.1A CN111373704B (en) 2019-01-28 2019-01-28 Method, system and storage medium for supporting multimode identification network addressing progressive-entry IP

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/073507 WO2020154865A1 (en) 2019-01-28 2019-01-28 Progressive ip removal method and system supporting multi-mode identifier network addressing and storage medium

Publications (1)

Publication Number Publication Date
WO2020154865A1 true WO2020154865A1 (en) 2020-08-06

Family

ID=71212620

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/073507 WO2020154865A1 (en) 2019-01-28 2019-01-28 Progressive ip removal method and system supporting multi-mode identifier network addressing and storage medium

Country Status (2)

Country Link
CN (1) CN111373704B (en)
WO (1) WO2020154865A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112200502A (en) * 2020-11-19 2021-01-08 苏州协同创新智能制造装备有限公司 Industrial internet identification analysis method
CN112989313A (en) * 2021-01-14 2021-06-18 国网上海市电力公司 Identification registration method and device, electronic equipment and storage medium
CN113055363A (en) * 2021-03-02 2021-06-29 南通大学 Identification analysis system implementation method based on block chain trust mechanism
CN113452668A (en) * 2021-03-12 2021-09-28 深圳市百佳华网络科技有限公司 Internet of things terminal access monitoring method, computer program and storage medium
CN114944933A (en) * 2022-04-12 2022-08-26 中国人民解放军战略支援部队信息工程大学 Multi-modal network high-robustness control method, controller and system based on heterogeneous identification
CN115065719A (en) * 2022-06-09 2022-09-16 深圳创维数字技术有限公司 Device interaction access method and device, electronic device and readable storage medium
CN115242702A (en) * 2022-09-22 2022-10-25 广州优刻谷科技有限公司 Internet of things node optimal path planning method and system
CN115296826A (en) * 2022-10-10 2022-11-04 佛山赛思禅科技有限公司 Multilateral common-pipe multi-identification space-ground integrated intelligent network-connected automobile high-safety special network system
CN116418600A (en) * 2023-06-09 2023-07-11 安徽华云安科技有限公司 Node security operation and maintenance method, device, equipment and storage medium
CN116527248A (en) * 2023-04-19 2023-08-01 佛山赛思禅科技有限公司 High-security communication method and system supporting quantum identification routing addressing at network layer
CN116633692A (en) * 2023-07-24 2023-08-22 天津大学合肥创新发展研究院 Server, data security system and method

Families Citing this family (10)

Publication number Priority date Publication date Assignee Title
CN112100234B (en) * 2020-08-12 2021-09-10 北京大学 Content addressing method and system of graph type account book based on random consensus
CN114554567A (en) * 2020-11-24 2022-05-27 华为技术有限公司 Communication method and communication device
CN112565094B (en) * 2020-12-09 2023-04-07 之江实验室 Multi-mode network topology structure
CN112597771A (en) * 2020-12-29 2021-04-02 重庆邮电大学 Chinese text error correction method based on prefix tree combination
CN112804152B (en) * 2020-12-30 2022-06-17 佛山赛思禅科技有限公司 Method and system for supporting continuous evolution of packet communication network addressing route identification
CN113765808A (en) * 2021-06-16 2021-12-07 北京交通大学 Network routing method, system, device and electronic equipment
CN114629631B (en) * 2021-07-21 2024-01-09 国网河南省电力公司信息通信公司 Data trusted interaction method and system based on alliance chain and electronic equipment
CN114189468B (en) * 2021-11-02 2024-04-12 云端领航(北京)通信科技股份有限公司 Multi-identification network system routing method based on identification clustering
CN114048517B (en) * 2022-01-14 2022-05-20 北京大学深圳研究生院 Dual channel consensus system and method for blockchains, computer readable storage medium
CN115664799B (en) * 2022-10-25 2023-06-06 江苏海洋大学 Data exchange method and system applied to information technology security

Citations (3)

Publication number Priority date Publication date Assignee Title
CN103338150A (en) * 2013-07-19 2013-10-02 中国人民解放军信息工程大学 Method and device for establishing information communication network system structure, as well as server and router
CN108064444A (en) * 2017-04-19 2018-05-22 北京大学深圳研究生院 A kind of domain name analysis system based on block chain
CN108124502A (en) * 2017-03-31 2018-06-05 北京大学深圳研究生院 A kind of top level domain management method and system based on alliance's chain

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US10230526B2 (en) * 2014-12-31 2019-03-12 William Manning Out-of-band validation of domain name system records
US10075298B2 (en) * 2015-06-02 2018-09-11 ALTR Solutions, Inc. Generation of hash values within a blockchain
CN108366136B (en) * 2017-12-29 2021-04-06 北京世纪互联宽带数据中心有限公司 Domain name resolution method and device
CN108366138B (en) * 2018-05-28 2021-10-26 北京奇虎科技有限公司 Domain name operation method, system and electronic equipment
CN108429765B (en) * 2018-05-28 2021-10-26 北京奇虎科技有限公司 Method, server and storage medium for realizing domain name resolution based on block chain

Cited By (16)

Publication number Priority date Publication date Assignee Title
CN112200502A (en) * 2020-11-19 2021-01-08 苏州协同创新智能制造装备有限公司 Industrial internet identification analysis method
CN112989313A (en) * 2021-01-14 2021-06-18 国网上海市电力公司 Identification registration method and device, electronic equipment and storage medium
CN113055363A (en) * 2021-03-02 2021-06-29 南通大学 Identification analysis system implementation method based on block chain trust mechanism
CN113055363B (en) * 2021-03-02 2023-07-04 南通大学 Identification analysis system implementation method based on blockchain trust mechanism
CN113452668A (en) * 2021-03-12 2021-09-28 深圳市百佳华网络科技有限公司 Internet of things terminal access monitoring method, computer program and storage medium
CN114944933B (en) * 2022-04-12 2023-05-12 中国人民解放军战略支援部队信息工程大学 Multi-mode network high-robustness control method, controller and system based on heterogeneous identification
CN114944933A (en) * 2022-04-12 2022-08-26 中国人民解放军战略支援部队信息工程大学 Multi-modal network high-robustness control method, controller and system based on heterogeneous identification
CN115065719A (en) * 2022-06-09 2022-09-16 深圳创维数字技术有限公司 Device interaction access method and device, electronic device and readable storage medium
CN115065719B (en) * 2022-06-09 2023-07-14 深圳创维数字技术有限公司 Equipment interactive access method and device, electronic equipment and readable storage medium
CN115242702A (en) * 2022-09-22 2022-10-25 广州优刻谷科技有限公司 Internet of things node optimal path planning method and system
CN115296826A (en) * 2022-10-10 2022-11-04 佛山赛思禅科技有限公司 Multilateral common-pipe multi-identification space-ground integrated intelligent network-connected automobile high-safety special network system
CN116527248A (en) * 2023-04-19 2023-08-01 佛山赛思禅科技有限公司 High-security communication method and system supporting quantum identification routing addressing at network layer
CN116418600A (en) * 2023-06-09 2023-07-11 安徽华云安科技有限公司 Node security operation and maintenance method, device, equipment and storage medium
CN116418600B (en) * 2023-06-09 2023-08-15 安徽华云安科技有限公司 Node security operation and maintenance method, device, equipment and storage medium
CN116633692A (en) * 2023-07-24 2023-08-22 天津大学合肥创新发展研究院 Server, data security system and method
CN116633692B (en) * 2023-07-24 2023-10-13 天津大学合肥创新发展研究院 Server, data security system and method

Also Published As

Publication number Publication date
CN111373704A (en) 2020-07-03
CN111373704B (en) 2022-03-29

Similar Documents

Publication Publication Date Title
WO2020154865A1 (en) Progressive ip removal method and system supporting multi-mode identifier network addressing and storage medium
Chen et al. Trust architecture and reputation evaluation for internet of things
Hu et al. A survey on data provenance in IoT
Lyu et al. SBAC: A secure blockchain-based access control framework for information-centric networking
Mohsin et al. Blockchain authentication of network applications: Taxonomy, classification, capabilities, open challenges, motivations, recommendations and future directions
CN110945853B (en) Method for generating and managing multimode identification network based on alliance chain voting consensus algorithm
CN108064444B (en) Domain name resolution system based on block chain
Ren et al. Potential identity resolution systems for the industrial Internet of Things: A survey
CN109327481B (en) Block chain-based unified online authentication method and system for whole network
US9047462B2 (en) Computer account management system and realizing method thereof
CN103262063B (en) For the method and apparatus created in leading network in content and manage virtual private group
Li et al. Trust-enhanced content delivery in blockchain-based information-centric networking
CN103001945B (en) Diversified resource identifier safety access method
CN112702402A (en) System, method, device, processor and storage medium for realizing government affair information resource sharing and exchange based on block chain technology
WO2021036707A1 (en) Post ip sovereign network architecture
Li et al. Trustroam: A novel blockchain-based cross-domain authentication scheme for Wi-Fi access
RU2373572C2 (en) System and method for resolution of names
US20230024127A1 (en) Community server for secure hosting of community forums via network operating system in secure data network
EP3817320B1 (en) Blockchain-based system for issuing and validating certificates
Wang et al. Blockzone: A blockchain-based dns storage and retrieval scheme
Chai et al. BHE-AC: A blockchain-based high-efficiency access control framework for Internet of Things
Nguyen et al. Leveraging blockchain to enhance data privacy in IoT-based applications
Khan et al. Enhanced decentralized management of patient-driven interoperability based on blockchain
Wang et al. MIS: A multi-identifier management and resolution system in the metaverse
Li et al. Three-tier storage framework based on TBchain and IPFS for protecting IoT security and privacy

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19913272; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19913272; Country of ref document: EP; Kind code of ref document: A1