WO2021036707A1 - Post-IP sovereign network architecture - Google Patents

Post-IP sovereign network architecture

Info

Publication number
WO2021036707A1
Authority
WO
WIPO (PCT)
Prior art keywords: network, sovereign, content, data, node
Application number
PCT/CN2020/106725
Other languages
French (fr)
Chinese (zh)
Inventor
李挥
綦九华
张昕淳
谢鑫
侯韩旭
韦国华
李文军
杨昕
王菡
马化军
Original Assignee
北京大学深圳研究生院

Classifications

    • H Electricity
      • H04 Electric communication technique
        • H04L Transmission of digital information, e.g. telegraphic communication
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/50 Network services
              • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
                • H04L 67/63 Routing a service request depending on the request content or context
              • H04L 67/56 Provisioning of proxy services
                • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching
            • H04L 67/01 Protocols
              • H04L 67/10 Protocols in which an application is distributed across nodes in the network
                • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
          • H04L 45/00 Routing or path finding of packets in data switching networks
            • H04L 45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0227 Filtering policies
                • H04L 63/0245 Filtering by information in the payload
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L 9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees

Definitions

  • The invention belongs to the field of internetworking and communication technology, and in particular relates to a post-IP sovereign network system architecture.
  • Using the existing IP system to build a sovereign network means deploying an IPv4 mirroring root server, an IPv6 mirroring root server and an IPv6 firewall inside it.
  • These two root servers and the firewall keep all domain name allocation, address resolution and information control for IPv4 and IPv6 inside the borders of the respective countries.
  • The mirroring switch keeps scientific and technical exchange flowing between the domestic network and the international network while retaining full control over security and ideological communication. The resulting architecture is shown in Figure 1.
  • The root server is the core of the whole domain name resolution system.
  • The 13 root domain name servers sit at the top of that system; all of them are managed by the Internet Corporation for Assigned Names and Numbers (ICANN), the Internet name and address allocation body authorized by the U.S. government.
  • One of the 13 is the primary root server, located in Virginia, USA.
  • The remaining 12 are secondary root servers: 9 are located in the United States and the other 3 in the United Kingdom, Sweden and Japan.
  • ICANN is a non-profit international organization whose board is made up of members from various countries, but it is a unit directly subordinate to the U.S. Department of Commerce, and the U.S. government retains supervisory power over it. It is a quasi-governmental body that ordinary laws and regulations do not bind, and under their agreement the Department of Commerce may veto ICANN's management rights at any time.
  • Management of the top-level domain names and of the root zone database is therefore controlled by the United States, which in practice constitutes a unilateral network monopoly.
  • In terms of technology and performance, the IP protocol is inherently inadequate for security, mobility and QoS, and does not keep pace with the development of technology and application requirements.
  • Consequently the security of such a sovereign network cannot be guaranteed.
  • Nor can the sovereign network manage and control user behaviour, or guarantee a clean and healthy network environment for minors.
  • The decimal network system consists mainly of the IPv9 address protocol, the IPv9 header protocol, the IPv9 transition-period protocol, the digital domain name specification and other protocols and standards.
  • A digital domain name uses the Arabic numerals 0 to 9 instead of the traditional Latin letters as the domain name for accessing the Internet. A digital domain name can also be used directly as an overlapping IPv9 address.
  • The digital domain name is an integral part of the decimal network system.
  • The IPv9 protocol uses the Arabic numerals 0 to 9 as the virtual IP address of the network and decimal notation as its text representation, a convenient way to locate users online; to improve efficiency and convenience for end users, some of these addresses can be used directly as domain names. It also adopts the classification and coding of the original computer network, cable radio and television network and telecommunications network.
  • A decimal network is a brand-new network that uses decimal arithmetic and text representation to connect computers that themselves use decimal arithmetic, and that can communicate with existing networks.
  • In its domain name system the decimal network adopts a decimal, multi-protocol digital domain name system that is compatible with English, Chinese and other domain names and maps them to globally unique IP addresses. It establishes a distributed root domain name system and introduces the concept of national and regional roots, so that each country has its own root domain name system with which to establish and maintain its status and image as a sovereign country on the Internet.
  • IPv9 increases the IP address length from 32 bits (IPv4) and 128 bits (IPv6) to 2048 bits to support more address levels, more addressable nodes and simpler automatic address configuration. At the same time, the 32-bit IPv4 address is shortened to 16 bits for fast use in cellular mobile communication.
  • IPv9 addresses are 256-bit identifiers for interfaces and groups of interfaces. There are three categories: 1. Unicast: an identifier for a single interface; a packet sent to a unicast address is delivered to the interface identified by that address. 2. Anycast (rendered "any-on-demand" in the source): an identifier for a group of interfaces, generally belonging to different nodes; a packet sent to an anycast address is delivered to one of the interfaces identified by that address, the nearest according to the routing protocol's distance metric. 3. Multicast: an identifier for a group of interfaces, generally belonging to different nodes; a packet sent to a multicast address is delivered to all interfaces in that group. IPv9 has no broadcast address; multicast addresses take over that function.
  • IPv9 defines five address formats. In their notation, X stands for a 16-bit hexadecimal field from 0000 to FFFF, as in IPv6.
  • IPv9 is said to have the following characteristics:
  • IPv9 has more addresses, more addressing methods (fixed-length, variable-length, and a unique IP address encryption technique) and more extension header definitions, intended to make the network more secure.
  • Its address headers, message formats and protocol numbers are not disclosed and form a system of their own. Even if the protocol is opened, only the civilian part will be disclosed; the military part is decided by the military.
  • With IPv4/IPv6, China cannot decide the security measures of its own network system.
  • Network-layer IPsec, application-layer SSL and similar measures still cannot guarantee security, and a gap remains. The IPv9 argument is that a proprietary protocol is harder to break than a cryptographic algorithm (a claim that runs against Kerckhoffs's principle, under which a system's security must not depend on keeping its design secret), and that under the current IPv4/IPv6 standards the 32-bit/128-bit addresses cannot be encrypted, since an encrypted address can no longer be routed to its destination.
  • A TCP/IP variant with "absolute code" and "long stream code" is adopted to resolve the conflict between sound and image transmission over packet-switched circuits. The IP address can be used directly as a domain name, which is especially suited to mobile phone and home Internet scenarios.
  • IPv9 also runs independently of the existing IPv4 and IPv6 Internet, which allows network security and information security to be controlled and managed effectively: valuable foreign information can be selected for China's use by downloading it as actually needed, while harmful information from abroad, including unexpected attacks from foreign networks, is kept out. This is conducive to business development: because the network is independent, the relevant departments can develop public information services independently and flexibly, within national policy, which favours the future development of advanced application systems built on Chinese-language information retrieval.
  • IPv9 is compatible with IPv4 and IPv6:
  • IPv4 can be used as a tunnel to carry traffic between two IPv9 subnets, and
  • IPv9 can be used as a tunnel to carry traffic between two IPv4 subnets.
  • The decimal network system can translate the original binary address directly into decimal text, which matches people's everyday habits.
  • Domain name and IP address are unified, in the same way that people and things carry a single identification code, so that telephone number, mobile number, domain name and IP address, IPTV, IP telephony and so on can be merged into one number. Merging domain name and IP address saves the translation between them, making network communication fast and direct and improving the switching capacity of existing network equipment.
  • The IPv9 decimal network has the following specific shortcomings:
  • The source and destination addresses of IPv9 packets are 256 bits in the basic form and up to 2048 bits at the longest.
  • A 256-bit address space holds 2^256 addresses, roughly 10^77, while the total number of atoms of ordinary matter in the observable universe is about 10^80.
  • The address space is thus comparable to the number of atoms in the observable universe. 256 bits is already enormous, and 2048 bits is beyond imagination; a real network does not need such a huge address space.
  • Because the IPv9 address space is so large, address utilization is poor: not every address is used effectively, and there will be a great many idle addresses.
  • With 256-bit source and destination addresses the IPv9 packet header is very large, which causes transmission efficiency and congestion control problems. Even a very small payload needs a full IPv9 header, so transmission efficiency is low. Moreover, the Ethernet frame length used by today's IPv4 and IPv6 networks is 1500 bytes; the more of each frame the IPv9 header occupies, the less data each frame can carry.
  • IPv9's longer header does not suit Internet of Things scenarios well.
  • IPv9 requires every link on the Internet to have an MTU of at least 576 bytes. On any link that cannot carry 576 bytes in one packet, link-specific fragmentation and reassembly must be provided by the layers below IPv9, which adds processing load on the link layer.
  • IPv9 uses the address directly as the domain name for content requests; these addresses are huge, so fast lookup, matching and forwarding in routers will be a problem.
  • With such a huge number of identifiers, fast lookup and addressing under IPv9's naming and addressing scheme is a major challenge. IPv9's geographic-location-based addressing further requires conversion between IP addresses and geographic addresses; both are large, so fast conversion is also a challenge.
  • IPv9 adopts a new "decimal" address format different from IPv4 and IPv6, but a unique address format artificially raises barriers to interconnection with the Internet.
  • IPv9 cannot guarantee true network security, because the purpose of every IP protocol suite is to let computers on different networks (Ethernet, token ring, FDDI, ATM and so on) talk to each other over a virtual "common network". Different IP versions differ only in implementation; their purpose, letting any computer on the network communicate with any other, is the same. IPv9 and IPv6 are thus different protocol versions derived from the same technology with different conventions, and IPv9 inherits the inherent defects of IPv4 and IPv6.
  • The purpose of the present invention is to provide a post-IP sovereign network architecture that addresses the inherent security problems of using the IP protocol.
  • Building a sovereign network on the IP protocol cannot guarantee that the network is manageable and controllable.
  • IP's support for mobility is inherently insufficient, so it cannot support many mobile services well.
  • The present invention is realized as a post-IP sovereign network system architecture in which all devices use a new kind of network centred on identity identifiers, with no IP network inside the new network.
  • The sovereign network equipment also includes ID-ICN routers and EAN nodes.
  • The ID-ICN router supports translation, addressing and network data transmission between different identity and content identifiers.
  • The EAN node lets users inside the sovereign network freely request data from other networks and from the Internet outside the sovereign network, within the scope of their authority; lets users of other sovereign networks who carry a visa of this sovereign network access data inside it; and blocks all requests initiated by other networks and the Internet outside the sovereign network.
  • A content review program installed in the EAN node performs a preliminary review and filtering of the content arriving at the node.
  • In a further technical solution, the post-IP sovereign network system architecture uses a distributed storage subsystem with endogenous security for data storage, to ensure data security.
  • In a further technical solution, users are managed through the blockchain management subsystem. Users register with their real identity information, and the registration record is stored in a blockchain node of the sovereign network; a user must bind the relevant identity information at registration in order to access the sovereign network. Within the sovereign network the blockchain management subsystem votes on content that users wish to publish, only content approved by the vote may be published, and the published content information and the log of the user's content requests are locked in the chain. Different identifiers can be defined inside the sovereign network, and translation between them is carried out in the blockchain management subsystem.
  • Both authorized users and the production and broadcasting network inside the sovereign network can release video and audio.
  • Release of audio and video by an authorized user includes the following steps:
  • The blockchain votes on the request to publish the audio and video content. If the vote passes, the authorized user is allowed to publish the content, the user and the released content information are locked in the blockchain, and the process continues to the next step; if the vote fails, the authorized user is prohibited from publishing this content.
  • The internal production and broadcasting network produces the content and then distributes it through the network.
  • In a further technical solution, when an ordinary user obtains data, the data provider has this content cached in the IP Internet, in the sovereign network, or in a node of the sovereign network. Obtaining data from the IP Internet includes the following steps:
  • SIP3: the external visiting node of the sovereign network reviews the user's authority for the content request. If the requested content exceeds the user's authority the request is discarded; if it is within the authority the process proceeds to the next step.
  • The external visiting node extracts the requested content information and requests the data from the Internet in the traditional Internet way.
  • Step SIP6: the external visiting node performs a preliminary review of the requested content data. If the review passes, the next step is executed; if not, the data is discarded and the process returns to step SIP4.
  • The external visiting node encapsulates the requested Internet content data into a packet of the identity-centric network and returns it to the ordinary user along the path of the content request.
  • Obtaining data that is cached in the sovereign network or in a node of the sovereign network includes the following steps:
  • In a further technical solution, the data of the production and broadcasting network is mainly obtained by fetching resources from the Internet, then producing and distributing them.
  • In a further technical solution, when other networks outside the sovereign network or Internet users send a request to the external node of the sovereign network, the external node discards the request message.
  • A registered user sends a visa request to the external visiting node of its home sovereign network, which acts as the agent for the visa process of other sovereign networks.
  • The external visiting node of the home sovereign network sends the visa request to the target country through Overlay IP.
  • The external visiting node of the target country's sovereign network reviews the incoming request. If the review passes, the visa request is sent to the blockchain for a vote and the next step is carried out; if the review fails, the result is reported back to the visa requester.
  • The content requester then uses interest packets carrying the visa to request content from the other sovereign network.
  • In a further technical solution, the post-IP sovereign network architecture, being an identity-centric network, naturally supports multipath, allowing a mobile device to connect to several reachable base stations at the same time without affecting the coverage of the current base station.
  • Data transmission therefore naturally supports wireless communication.
  • In a further technical solution, if a mobile user is inside the sovereign network, the user requests content over the identity-centric network. If the mobile user is outside the sovereign network, an IP content request first reaches the base station through Overlay IP, and the base station then requests and transfers the content over the traditional IP network. If the mobile user is outside the sovereign network and requests sovereign network content, the steps are:
  • The wireless terminal with an identity identifier first communicates with the base station through Overlay IP;
  • the base station in that region sends the data to the target sovereign network's external visiting node over traditional IP transmission;
  • the external visiting node reviews the user's identity, allowing access if the check passes and rejecting it if not.
  • The beneficial effect of the present invention is that an identity-centric content network is used for the underlying data transmission; transmission relies mainly on interest packets and data packets, and is driven by the consumer's interest.
  • Because neither interest packets nor data packets use traditional IP addresses for data exchange, the country's domain name cannot be erased by a particular country or organization, and the security of the national network is effectively improved.
  • The internal identifier space of each country's sovereign network is managed by that country itself, giving each country full autonomy in the post-IP era. With an identity-centric sovereign network and a data warehouse caching the latest data, users in the same domain need to fetch the same content from the original provider only once; afterwards it is served directly from the ID-ICN router, which improves the overall transmission efficiency of the network and greatly improves the user experience.
  • The in-network caching that the identity-centric network introduces gradually caches Internet content into the sovereign network, enriching the resources inside it.
  • Even if the sovereign network is physically disconnected from the Internet, users can still obtain content they obtained before the disconnection, so their use is not affected.
  • Figure 1 is a schematic diagram of the traditional IP sovereign network architecture.
  • Figure 2 is a schematic diagram of the post-IP sovereign network architecture provided by an embodiment of the present invention.
  • Figure 3 is a schematic diagram of the blockchain subsystem signature scheme provided by an embodiment of the present invention.
  • Figure 4 is a schematic diagram of content published by an authorized user according to an embodiment of the present invention.
  • Figure 5 is a schematic diagram of content distributed by the radio and television production and broadcasting network according to an embodiment of the present invention.
  • Figure 6 is a schematic diagram of data obtained by ordinary users from the Internet according to an embodiment of the present invention.
  • Figure 7 is a schematic diagram of an ordinary user obtaining data from the sovereign network according to an embodiment of the present invention.
  • Figure 8 is a schematic diagram of the production network going to the Internet to obtain data according to an embodiment of the present invention.
  • Figure 9 is a schematic diagram of an IP external network accessing the content of the sovereign network according to an embodiment of the present invention.
  • Figure 10 is a schematic diagram of the visa acquisition process according to an embodiment of the present invention.
  • Figure 11 is a schematic diagram of obtaining content internationally with a visa according to an embodiment of the present invention.
  • Figure 12 is a schematic diagram of data transmission through an IP tunnel between the sovereign networks of several countries according to an embodiment of the present invention.
  • Figure 13 is a schematic diagram of a sovereign network mobile user requesting sovereign network content from outside the sovereign network according to an embodiment of the present invention.
  • Figure 14 is a schematic diagram of the three-layer protection of the sovereign network according to an embodiment of the present invention.
  • A hierarchical network management scheme bound to identity identifiers is proposed, which resolves the current confusion in network content management.
  • The hierarchical management scheme not only promotes the dissemination of information but also, to a certain extent, removes the influence on minors of the unsuitable content that traditional media carry.
  • The sovereign network routes on identity tags, and its name space is in principle unlimited, which avoids the IPv4 address exhaustion problem.
  • The network is concerned with the network resources (the content) or the users themselves rather than with the location of hosts as in traditional networks, which avoids the performance problems of traditional IP networks.
  • The post-IP sovereign network architecture provided by the present invention is as follows. All devices in the architecture use a new kind of network centred on identity identifiers, and there is no IP network inside it.
  • The sovereign network equipment also includes ID-ICN routers and EAN nodes.
  • The ID-ICN router supports translation, addressing and network data transmission between different identity and content identifiers.
  • The EAN node lets users inside the sovereign network freely request data from other networks and the Internet outside the sovereign network within the scope of their authority, lets users of other sovereign networks carrying a visa of this sovereign network access data inside it, and screens all requests initiated by other networks and the Internet outside the sovereign network. A content review program installed in the EAN node performs a preliminary review and filtering of the content arriving at the node.
  • IPv6 solves the address space problem, but the IP protocol has inherent security problems; moreover, a sovereign network built on IP cannot be guaranteed to be manageable and controllable, and IP's inherent weakness in mobility cannot support many mobile services well.
  • A post-IP sovereign network system architecture, system and software storage medium are used to build a sovereign network on a new, identity-centric network system, removing IP from the sovereign network.
  • Data in the sovereign network is driven by the consuming receiver, and a caching mechanism is introduced to ensure efficient data transmission.
  • Because the sovereign network transmits data differently from IP, traditional IP attacks such as worms, port scanning and other malware lose the environment they propagate in and cannot mount an effective attack. This removes the unsolicited host-to-host reachability such attacks rely on; it does not by itself stop malicious content that a user pulls in, which is what the EAN's content review is for.
  • Public-key signatures are added to interest packets and data packets to ensure the safety and reliability of the data.
  • The invention also introduces a blockchain to store user information and behaviour records, preventing tampering and ensuring that user behaviour and content are manageable and controllable. Access control is added at the same time to ensure a clean and healthy network environment for minors.
  • The invention also designs an external visiting node for the sovereign network, located at the border between the sovereign network and the Internet. It admits only Internet traffic actively requested by users in the sovereign network and authorized data requested by users of other sovereign networks; requests initiated from outside the network are discarded directly. Users in the sovereign network can thus access Internet content freely while the security of the sovereign network is preserved.
  • EAN node: Uni-directional External Visiting Node.
  • ID-ICN router: the internal router of the sovereign network (identity-based information-centric network router).
  • The architecture of the sovereign network is shown in Figure 2.
  • The ID-ICN router supports translation, addressing and network data transmission between different identity and content identifiers.
  • The external visiting node of the sovereign network lets users inside the sovereign network freely request Internet data within the scope of their authority; all requests initiated from outside are blocked.
  • Content review programs, such as AI-based content review, are installed in the EAN node to perform a preliminary review and filtering of the content that reaches it.
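The following is an added example written for this page, not code from the patent: a toy Python model of the ID-ICN pull-forwarding (content store plus pending interest table) and of the EAN behaviour described in steps SIP3 to SIP7 above, the rule that externally initiated requests are discarded, and the visa check on requests from other sovereign networks. Every name (Interest, Data, Router, EANNode, build_network), the HMAC-based visa token, the prefix-based authority table, the substring "review program" and all sample content and identities are assumptions made for illustration; the patent specifies none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Interest:
    name: str        # content identifier, e.g. "/home/news/1"
    requester: str   # identity identifier bound at registration
    visa: str = ""   # carried only on requests into a foreign sovereign network


@dataclass
class Data:
    name: str
    payload: bytes
    origin: str      # identity of the node that produced or re-encapsulated the data


class Router:
    """ID-ICN router: pull-only forwarding with a content store (cache) and a PIT."""
    def __init__(self, name, upstream=None, catalog=None):
        self.name, self.upstream = name, upstream   # upstream: next hop towards the producer
        self.content_store = {n: Data(n, p, name) for n, p in (catalog or {}).items()}
        self.pit = {}                               # name -> requesters with an Interest in flight

    def request(self, interest):
        """Serve from cache, else forward upstream. Data only comes back along a PIT entry."""
        if interest.name in self.content_store:
            return self.content_store[interest.name]
        if self.upstream is None:
            return None
        self.pit.setdefault(interest.name, set()).add(interest.requester)
        data = self.upstream.request(interest)
        if data is None:
            self.pit.pop(interest.name, None)       # nothing came back; forget the Interest
        return self.receive(data)

    def receive(self, data):
        """Unsolicited Data (no pending Interest) is dropped: nothing can be pushed in."""
        if data is None or data.name not in self.pit:
            return None
        del self.pit[data.name]
        self.content_store[data.name] = data
        return data


class EANNode(Router):
    """Uni-directional external visiting node at the border with the IP Internet."""
    def __init__(self, name, internet_fetch, authority, review, visa_key):
        super().__init__(name)
        self.internet_fetch = internet_fetch  # name -> bytes|None over traditional IP (stand-in)
        self.authority = authority            # requester -> tuple of name prefixes it may request
        self.review = review                  # bytes -> bool, the content review program (stand-in)
        self.visa_key = visa_key              # secret held only by this network's EAN
        self.internet_calls = 0

    def request(self, interest):
        """Steps SIP3 to SIP7: check authority, fetch, review, re-encapsulate, cache, return."""
        if interest.name in self.content_store:
            return self.content_store[interest.name]
        if not interest.name.startswith(self.authority.get(interest.requester, ())):
            return None                                    # exceeds authority: discard
        self.internet_calls += 1
        raw = self.internet_fetch(interest.name)
        if raw is None or not self.review(raw):
            return None                                    # review failed: discard
        data = Data(interest.name, raw, origin=self.name)  # now an identity-network packet
        self.content_store[interest.name] = data
        return data

    def issue_visa(self, holder, expires, vote_passed):
        """Visa issued by the target network once review and the blockchain vote pass."""
        if not vote_passed:
            return ""
        body = f"{holder}|{expires}"
        return body + "|" + hmac.new(self.visa_key, body.encode(), hashlib.sha256).hexdigest()

    def inbound(self, interest, inside, now):
        """Request arriving from outside: forwarded inside only with a valid visa, else dropped."""
        parts = interest.visa.split("|")
        if len(parts) != 3 or not parts[1].isdigit():
            return None                                    # no usable visa: drop silently
        holder, expires, tag = parts
        good = hmac.new(self.visa_key, f"{holder}|{expires}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, good) or holder != interest.requester or int(expires) < now:
            return None
        return inside.request(interest)


def build_network():
    """Constructed topology and sample content: Internet <- EAN <- edge router; a domestic
    producer behind a core router. Identities and content are made up for this example."""
    ean = EANNode("EAN-1", {"/intl/paper/1": b"external paper", "/intl/bad/1": b"flagged content"}.get,
                  authority={"alice": ("/intl/",), "bob": ("/intl/",), "carol": ("/edu/",)},
                  review=lambda payload: b"flagged" not in payload,   # stand-in review program
                  visa_key=b"ean-1-visa-secret")
    edge = Router("ID-ICN-edge", upstream=ean)
    core = Router("ID-ICN-core", upstream=Router("production-net", catalog={"/home/news/1": b"domestic news"}))
    return ean, edge, core
```

Two things the toy makes visible. Data can enter a router only through a PIT entry created by an Interest that router itself forwarded, which is the mechanism behind the claim that unsolicited traffic cannot flow in. The authority check, however, lives only in the EAN: once alice's request has filled the edge router's content store, bob's identical request is served from the cache without any check, so per-user limits such as the protection of minors promised above must also be enforced at the edge router or by encrypting content per user; the EAN alone is not enough. The visa is verified only by the network that issued it, so a symmetric MAC key held by that network's EAN suffices here; the per-packet public-key signatures the description places on interest and data packets are not modelled.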
  • the background support of the National Sovereign Network is consistent with the functions of the existing radio and television system, and its storage system uses distributed storage to ensure data backup security. Users register with personal identification information such as their own ID card, mobile phone number, fingerprint, etc. The user registration information will be locked in the blockchain node for subsequent user management; the user needs to bind the relevant identification information during registration to access the sovereign network.
  • the blockchain management subsystem is mainly used to lock user registration information, user published content information, and user request data behavior, and vote on user published content, and only approved content is allowed to be published.
  • different identifiers can be defined within the sovereign network, and the mutual translation between identifiers is completed in the blockchain subsystem.
  • the blockchain management subsystem uses tree chain group/ring signatures.
  • Figure 3 is the signature scheme adopted by the blockchain management subsystem. Based on the supervisability and anonymity of the group/ring signature, it can achieve a balance between the controllable and manageable needs of the system and the protection of user privacy. By establishing a group relationship between nodes of different levels and different identities, the administrator of the upper domain can quickly locate the problem domain and identify the corresponding malicious nodes, improving the security of the system.
  • after logging in successfully, the user requests the blockchain node to publish content (the blockchain node can be deployed on the ID-ICN router or on a separately deployed server);
  • the blockchain nodes vote on the request; after the vote passes, the authorized user can publish the content;
  • the publisher signs the content with the public key, and locks the user and the content information released in the blockchain;
  • the user can publish the content in a distributed storage system with endogenous security or its own local host.
  • another major source of content in the sovereign network is the broadcasting and television production and broadcasting network. The process is shown in Figure 5.
  • first, the internal staff of the production and broadcasting network obtain content resources from the Internet through the EAN of the sovereign network; secondly, the production and broadcasting network produces the content, and when the content is produced the producer signs it with the public key and then distributes it through the network; finally, the content reaches the edge ID-ICN router or EAN node and is sent to home users or enterprise users.
  • after successful login, ordinary users send content requests to edge nodes, and the edge nodes transmit the request through the network to the EAN of the sovereign network; or ordinary users send the request directly to the EAN they are connected to. The blockchain node records which user requested which content.
  • Sovereign network external access nodes review the user's authority in the content request.
  • the review methods are mainly as follows. One is to put the user information in the signature, and the EAN of the sovereign network verifies whether the content of the user's request is within the scope of the user's authority.
  • the other is to add an authority domain to the interest packet.
  • the EAN of the sovereign network verifies whether the content requested by the user is within the authority scope according to the authority domain.
  • the permission control domain in the interest packet controls the scope of content that each level may access (the specific permission information is shown in Table 1). If the requested content exceeds the user's permission, the content request is directly discarded; if it is within the permission, proceed to the next step;
  • the EAN of the sovereign network extracts the content information from the content request and then requests the data from the Internet in the traditional Internet way;
  • the Internet content provider provides the requested data to the EAN of the sovereign network in the traditional Internet way;
  • the EAN of the sovereign network conducts a preliminary review of the data, such as keyword filtering and AI classification and recognition;
  • the EAN of the sovereign network encapsulates the data requested from the Internet into a data packet of the identity-centric network and returns it to the ordinary user along the path of the content request.
  • the second case is that the content provider is inside the sovereign network (the content publisher is a sovereign network user), or this part of the content has already been cached in a sovereign network node because the user or other users previously requested the same content; the data is then obtained directly inside the sovereign network, as shown in Figure 7.
  • if the requested content is cached by a sovereign network node or by the EAN of the sovereign network, the content is directly returned to the user; if not, the data is fetched from the original data source and returned to the requesting user.
  • the main channel for employees in the production and broadcasting network to obtain data is to go to the Internet to obtain resources for production and distribution.
  • the main access method for the employees of the production and broadcasting network is to access the Internet.
  • the flow chart is shown in Figure 8.
  • the staff of the production and broadcasting network use fingerprint, iris, face, etc. to log in;
  • the production network employee sends a content request to the edge node, and the edge node transmits the request to the EAN of the sovereign network through the identity-centric network; or the production network employee sends the request directly to the EAN it is connected to;
  • the blockchain node records which content information is requested by which production network employee;
  • the EAN of the sovereign network reviews the authority of the production and broadcasting network staff member in the content request. If the requested content exceeds the user's authority, the content request is directly discarded; if it is within the authority, proceed to the next step;
  • the EAN of the sovereign network extracts the content information from the content request and then requests the data from the Internet in the traditional Internet way;
  • the Internet content provider provides the requested data to the EAN of the sovereign network in the traditional Internet way;
  • the EAN of the sovereign network conducts a preliminary review and filtering of the data, such as keyword filtering and AI identification;
  • the EAN of the sovereign network encapsulates the data requested from the Internet into data packets of the sovereign network and returns them to the production network staff member along the content request path;
  • the internal staff of the production and broadcasting network make content production based on the returned data.
  • the Internet user sends a request to the external visitor node of the sovereign network
  • the visiting node of the sovereign network discards the request message.
  • Each country can build its own sovereign network, thus forming a cyberspace United Nations.
  • the user's visa application process is shown in Figure 10.
  • the user host sends a visa request to the EAN of the home country's sovereign network;
  • the EAN of the home country's sovereign network sends the visa request to the target country through Overlay IP;
  • the visa is returned to the requester along the request path.
  • the visa information can be put into the signature of the interest packet, and these individuals or units can directly access the sovereign network of the issuing country by carrying the visa information.
  • the EAN of the target country's sovereign network verifies the visa information, and the content can be obtained only if the verification passes, as shown in Figure 11.
  • the content requester sends an interest packet carrying the visa information;
  • the EAN of the home country's sovereign network sends the interest packet to the target country through Overlay IP;
  • the EAN of the target country's sovereign network forwards the interest packet to the content source;
  • the content source returns the content to the content requester along the same path.
  • the other is the content sent actively by the content sender, which only uses the IP tunnel for data transmission.
  • the flow of E-mail is shown in Figure 12.
  • the content sender first sends the data to the external visitor node of the sovereign network according to the data transmission method in the sovereign network;
  • the EAN node transmits the data to a server on the IP network using TCP/IP;
  • this server then transmits the content to the EAN node of the destination country using TCP/IP;
  • the EAN node of the target country verifies the content, and then sends the verified content to the content receiver according to the data transmission method in the sovereign network.
  • the in-network cache ensures good mobility. When a user moves into another base station's coverage area, the device only needs to send another interest packet; because the nodes on the path of the previous request hold a cache, the nearest cached copy on the link is found and the caching node returns the data directly.
  • the identity-centric network inherently supports multi-path, which allows mobile devices to connect to multiple connectable base stations at the same time. When it is out of the coverage of the current base station, it does not affect data transmission.
  • the mobile user requests content through the identity-centric network; if the mobile user is located outside the sovereign network, the content request is made through the Overlay IP method: the terminal communicates with the base station, and the base station then performs the content request and transmission through the traditional IP network. A request by a mobile user located outside the sovereign network for sovereign network content includes the following steps, and the data transmission process is shown in Figure 13.
  • the wireless terminal device with an identity identifier first communicates with the base station through Overlay IP;
  • the base station in the area sends the data to the EAN of the target sovereign network through traditional IP transmission;
  • the external visitor node of the sovereign network verifies the identity of the user, and if it passes, the access is allowed, and if it fails, it is rejected.
  • the security of the sovereign network in the present invention is guaranteed by the following aspects: authentic identity authentication; blockchain technology to prevent data tampering; signature authentication of each data packet; the EAN of the sovereign network blocks all active requests initiated from IP; a secure storage system; the routers that data passes through in the sovereign network have firewalls, packet inspection, AI program audits and other inspection measures, forming an anti-attack Markov chain; and because the network environment of the identity-centric network differs from IP, existing malicious viruses and traffic that bypass the filtering mechanism and enter the sovereign network rely on IP-network attack methods and lose their operating environment in the sovereign network.
  • attacks on the sovereign network can come from IP external-network users and from internal-network users.
  • the attack protection can be divided into three layers.
  • the first layer: whether users on the external network or on the internal network want to actively send traffic into the sovereign network, they must first crack the key used to sign data during transmission within the sovereign network;
  • the second layer is the ID-ICN router inside the sovereign network.
  • the third layer is for the protection of distributed storage systems with endogenous security.
  • the schematic diagram is shown in Figure 14.
  • the technical scheme of the present invention is based on the content network centered on the identity identification for bottom data transmission, the transmission mainly relies on interest packets and data packets, and the transmission mode is driven by consumer interests.
  • the country domain name is prevented from being erased by a specific country or organization, and the security of the national network is effectively improved.
  • the internal identification space of each country's sovereign network is managed by the country itself, realizing the complete autonomy of each country in the cyberspace of the post-IP era.
  • the sovereign network, which uses identity identification as the center of the network, uses a data warehouse to cache the latest data. Users in the same domain only need to fetch the same content from the original data provider once and can then fetch it directly from the ID-ICN router, which improves the overall data transmission efficiency of the network and greatly improves the user experience. Because the identity-centric content network introduces in-network caching, Internet content is gradually cached in the sovereign network, enriching the resources in the network; after the sovereign network and the Internet are physically disconnected, users can still obtain the content they obtained before the disconnection (this part of the content is, we think, the content that users care about), without affecting the user's use. At the same time, the sovereign network supports users actively publishing content, enriching the content resources of the sovereign network.
  • interest packets are transmitted in the network in a multicast manner, multiple channels can be selected for data transmission, and the data packets return along the path of the interest packets.
  • the interest packet automatically selects another available shortest path for transmission, without the need to reconnect TCP as in IP, which effectively improves the efficiency of data transmission.
  • the sovereign network uses identity tags for routing, and its name space is unlimited in principle, avoiding the problem of IPv4 address exhaustion.
  • the network pays more attention to the storage of network resources or users themselves rather than traditional network resources, avoiding the performance problem of traditional IP networks.
  • the Sovereign Network guarantees the security of the system in a variety of ways and provides extremely high-level security protection.
  • users will bundle the corresponding biometric identity information and other identity information as identity identifiers to log on to the Sovereign Network, and the network content they publish and the network resources they visit will also be bundled with corresponding identity information and recorded on the blockchain. Ensure that the data cannot be tampered with, and the abnormal information and content can be quickly and accurately located to individuals.
  • the management node in the sovereign network will refuse to register, delete and punish the illegal network resources and malicious users in the network. In this way, the content is safe, manageable and controllable.
  • the external visitor nodes of the sovereign network will filter sensitive or malicious text, pictures, video, and audio data through keywords matching, AI detection and other technologies.
  • the network system has complete security features.
  • Sovereign Network introduces a hierarchical management mechanism by adding authority control domains to interest groups, allowing different users to access different ranges of Internet resources, so as to provide minors with a clean, healthy and safe network environment.
  • the sovereign network allows users on the network to actively obtain Internet data, and allows users of other sovereign networks who hold a visa issued by this sovereign network to actively access its content, while prohibiting active requests from external IPs, reducing traditional network data injection attacks and ensuring that the production and broadcasting network runs online in real time; at the same time, the new network transmission architecture makes existing IP viruses lose their operating environment, effectively improving network security; and the system uses distributed storage with endogenous security to further ensure the security of data in the sovereign network.
  • a sovereign network architecture under a three-tier network security system is proposed.
  • the sovereign network of each country is managed by each country through distributed consensus technology to ensure that the network resources are authentic and not tampered with.
  • the control rights of the sovereign network are returned to the relevant management agencies of various countries, and it is no longer monopolized by an independent institution, ensuring that the sovereignty of cyberspace of various countries is not violated.
  • inside the sovereign network there are EANs of the sovereign network, network supervision nodes, individual users, and corporate users.
  • the sovereign network and the traditional Internet communicate through the sovereign network's EANs, which are mainly responsible for network data transmission, content filtering, authority management and other services.
  • each EAN of the sovereign network is responsible for the conversion, transmission and verification between the internal identity and content identifiers and the IP addresses of the traditional Internet.
  • a management scheme for user access to the sovereign network is proposed.
  • the user binds the corresponding biometric identity information and other identity authentication information as the identity identifier to log in to the network, and the network resources it publishes will also bind its identity information.
  • the identity identification and the network resources accessed when the user logs on to the network will be recorded on the blockchain of the network supervision node of the domain for security supervision and data protection.
  • the present invention introduces a blockchain technology that integrates a tree-shaped chain group/ring signature, based on the anonymity and supervisability of the group/ring signature, and can achieve a balance between the controllable and manageable requirements of the system and the open and transparent characteristics of the blockchain.
  • the administrator of the upper domain can quickly locate the problem domain and identify the corresponding malicious nodes, improving the security of the system.
  • user information and user behavior information are locked in the blockchain to prevent data from being tampered with, and to ensure that the system can be supervised.
  • a network hierarchical management scheme bound with identity identification is proposed, which solves the problem of confusion in network content management at this stage.
  • the hierarchical management plan not only promotes the dissemination of information, but also eliminates the influence of traditional media on unsuitable information for minors to a certain extent. In this way, when minors use the Internet, the content they visit is effectively managed according to local government regulations (such as not being able to play games, watching adult programs, etc., which greatly purifies the environment for children to surf the Internet).
  • a gradual deployment plan for the smooth transition of the network is proposed.
  • the sovereign network accesses the traditional Internet while realizing the inviolability of the cyberspace of each country.
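The EAN decision rules described in the bullets above (Figures 7, 10 and 11: the permission control domain checked against the permission table, the in-network cache, the preliminary keyword review, and externally initiated requests being discarded unless they carry a visa) can be exercised in a small model. The Python below is an added example, not code from the patent; the permission table, content names, blocklist and the HMAC-based visa construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the page's Table 1 (not reproduced on the page):
# permission control domain -> content classes a user at that level may fetch.
PERMISSION_TABLE: Dict[str, Set[str]] = {
    "minor": {"education", "news"},
    "adult": {"education", "news", "entertainment"},
    "staff": {"education", "news", "entertainment", "raw-source"},
}
# Constructed Internet side: content name -> (class assigned by the EAN's classifier, origin data).
INTERNET: Dict[str, Tuple[str, bytes]] = {
    "/internet/example.org/headlines": ("news", b"today's headlines"),
    "/internet/example.org/movie": ("entertainment", b"feature film"),
    "/internet/example.org/feed": ("raw-source", b"wire feed containing BLOCKEDWORD"),
}
BLOCKLIST = (b"BLOCKEDWORD",)  # constructed keyword list for the preliminary review


@dataclass
class Interest:
    name: str                     # content identifier requested
    user_id: str                  # identity identifier bound at registration
    authority: str                # permission control domain carried in the interest
    origin: str                   # "sovereign" (inside this network) or "external"
    visa: Optional[bytes] = None  # visa issued by the target network, if any
    path: List[str] = field(default_factory=list)  # hops traversed on the way in


class EAN:
    """Model of one sovereign network's uni-directional external visiting node."""

    def __init__(self, country: str, visa_key: bytes, internal: Dict[str, bytes]):
        self.country = country
        self.visa_key = visa_key                 # assumed: visas are HMAC tags under this key
        self.internal = internal                 # content published inside this network
        self.cache: Dict[str, bytes] = {}        # in-network cache kept at the EAN
        self.ledger: List[Tuple[str, str]] = []  # stand-in for the blockchain request record

    def _visa_msg(self, user_id: str, expires: int) -> bytes:
        return f"{self.country}|{user_id}|{expires}".encode()

    def issue_visa(self, user_id: str, expires: int) -> bytes:
        tag = hmac.new(self.visa_key, self._visa_msg(user_id, expires), hashlib.sha256)
        return f"{expires}|{tag.hexdigest()}".encode()

    def verify_visa(self, user_id: str, visa: Optional[bytes], now: int) -> bool:
        if not visa or b"|" not in visa:
            return False
        exp_field, tag = visa.split(b"|", 1)
        if not exp_field.isdigit() or int(exp_field) <= now:
            return False                         # malformed or expired
        expected = hmac.new(self.visa_key, self._visa_msg(user_id, int(exp_field)),
                            hashlib.sha256).hexdigest().encode()
        return hmac.compare_digest(expected, tag)

    def handle(self, interest: Interest, now: int = 0) -> Tuple[str, Optional[bytes], List[str]]:
        """Process one interest; returns (decision, data, return path), data is None when dropped."""
        self.ledger.append((interest.user_id, interest.name))  # record who requested what
        back = list(reversed(interest.path))     # data packets retrace the interest's path
        if interest.origin != "sovereign":
            # Externally initiated traffic is discarded unless it carries a valid visa,
            # and a visa holder may only reach content of this sovereign network.
            if not self.verify_visa(interest.user_id, interest.visa, now):
                return "dropped-external", None, back
            payload = self.internal.get(interest.name)
            return ("delivered-internal" if payload else "not-found"), payload, back
        # Internal user: the permission control domain bounds what may be fetched
        # (a name the classifier does not know falls into no permitted class).
        cls, payload = INTERNET.get(interest.name, (None, None))
        if cls not in PERMISSION_TABLE.get(interest.authority, set()):
            return "dropped-authority", None, back
        if interest.name in self.cache:          # served from the in-network cache
            return "cache-hit", self.cache[interest.name], back
        if any(word in payload for word in BLOCKLIST):  # preliminary keyword review
            return "dropped-review", None, back
        self.cache[interest.name] = payload      # encapsulated as in-network data and cached
        return "delivered", payload, back


def demo() -> Dict[str, str]:
    """Run constructed cases through one EAN and return the decision per case."""
    ean = EAN("A", b"constructed-visa-key", {"/A/bulletin": b"internal bulletin"})
    visa = ean.issue_visa("bob@B", expires=200)
    hl, mv, fd = ("/internet/example.org/headlines", "/internet/example.org/movie",
                  "/internet/example.org/feed")
    cases = [  # (label, current time, interest)
        ("minor_news", 100, Interest(hl, "alice", "minor", "sovereign", path=["r1", "ean"])),
        ("minor_movie", 100, Interest(mv, "alice", "minor", "sovereign")),
        ("staff_feed", 100, Interest(fd, "carol", "staff", "sovereign")),
        ("repeat_news", 100, Interest(hl, "dave", "adult", "sovereign")),
        ("external_no_visa", 100, Interest("/A/bulletin", "eve", "adult", "external")),
        ("external_visa", 100, Interest("/A/bulletin", "bob@B", "adult", "external", visa=visa)),
        ("expired_visa", 300, Interest("/A/bulletin", "bob@B", "adult", "external", visa=visa)),
    ]
    return {label: ean.handle(interest, now)[0] for label, now, interest in cases}
```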

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention is applicable to the field of computer network communications, and provides a post IP sovereign network architecture. All devices in the post IP sovereign network architecture use a new network taking an identity identifier as a center, and there is no IP network in the new network. The sovereign network devices further comprise an ID-ICN router and an EAN node, the ID-ICN router being used for supporting the inter-translation, addressing and network data transmission between different identities and content identifiers, and the EAN node being used for allowing users in the sovereign network to freely request, within a permission range, other networks and Internet data outside the sovereign network, allowing users, carrying the Visa of the present sovereignty network, from the other sovereign networks to access data in the present sovereign network, shielding all the requests actively initiated by other networks outside the sovereign network and the Internet, and installing a relevant content review procedure in the EAN node and preliminarily reviewing and filtering the content reaching the node. The sovereign network uses a blockchain to latch user information and a behavior log, so as to prevent data from being tampered, and can quickly locate an individual or unit for anomalous data. At the same time, a content network taking an identity identifier as a center is used to transmit underlying data, improving the efficiency of network transmission and eliminating the harm of an existing IP attack in the sovereign network. At the same time, the identity identifier is used to make a content request, preventing country domain names from being erased by a specific country or organization, thereby effectively improving the security of national networks.

Description

A post-IP sovereign network architecture
Technical field
The invention belongs to the field of improvements to interconnection communication technology, and in particular relates to a post-IP sovereign network architecture.
Background art
Using the existing IP system to construct a sovereign network, an IPv4 mirror root server, an IPv6 mirror root server and an IPv6 firewall are deployed in the sovereign network. These two kinds of root servers plus the firewall ensure that all IPv4 and IPv6 domain name allocation, address resolution and information control take place within each country's borders. At the same time, a mirror switch ensures smooth scientific and technological exchange between the domestic network and the international network while keeping security and ideological connectivity absolutely controllable. Its system architecture is shown in Figure 1.
An IP-based network system has two fundamental flaws: top-level domain name management and inherent technical inadequacy. Domain name resolution is the key that opens the door to the network and the foundation of the Internet, and the root servers are the core of the entire domain name resolution system. Among the multi-level servers that provide domain name resolution, the 13 root domain name servers are at the top, all managed by ICANN (Internet Corporation for Assigned Names and Numbers), established under the authorization of the U.S. government. Of the 13 root domain name servers, one is the primary root server, located in Virginia, USA; the remaining 12 are secondary root servers, 9 of which are located in the United States and the other 3 in the United Kingdom, Sweden and Japan. Although ICANN is a non-profit international organization whose board of directors is composed of members from various countries, it is a direct subordinate unit of the U.S. Department of Commerce, and the U.S. government retains supervisory power; it is a quasi-governmental organization, and the laws and regulations of other countries are not binding on it. According to the agreement, the U.S. Department of Commerce has the right to veto ICANN's management authority at any time. The management of top-level domain names and the root zone database is controlled by the United States, which in fact constitutes a unilateral network monopoly.
The IP protocol is inherently inadequate in its technical and performance genes for security, mobility and QoS, and does not adapt to the development of technical and application requirements. Moreover, even after the sovereign network is connected to the Internet using the existing IP system, the three major threats to national security on the Internet, namely political subversion, network control and hacker attacks, still exist, and the security of the sovereign network cannot be guaranteed. At the same time, the sovereign network cannot manage and control user behavior and cannot guarantee a clean and healthy network environment for minors.
The decimal network system is mainly composed of the IPv9 address protocol, the IPv9 header protocol, the IPv9 transition period protocol, the digital domain name specification and other protocols and standards. A digital domain name refers to the method of accessing the Internet using the Arabic numerals 0 to 9 in place of traditional English letters as the domain name. At the same time, a digital domain name can also be used directly, overlapping with an IPv9 address; the digital domain name is an integral part of the decimal network system.
The IPv9 protocol refers to using the Arabic numerals 0 to 9 as the virtual IP address of the network and using decimal as the text representation, that is, a usage method that makes it convenient to find users on the network; to improve efficiency and convenience for end users, some of the addresses can be used directly as domain names; at the same time, it classifies and codes the services of the original computer network, cable broadcasting and television network and telecommunication network.
A decimal network refers to a brand-new network that uses decimal arithmetic and decimal text representation to connect computers that use decimal arithmetic into one network, and that can interoperate with existing networks.
In its domain name system, the decimal network system adopts a decimal, multi-protocol digital domain name system that is compatible with English, Chinese and other domain names and maps them to globally unique IP addresses; it establishes a distributed root domain name system and introduces the concept of national territory, so that each country has its own root domain name system to establish and maintain its status and image as a sovereign country on the Internet.
IPv9 increases the IP address length from 32 bits and 128 bits to 2048 bits to support more address levels, more addressable nodes and simpler automatic address configuration. At the same time it adds the option of reducing the 32-bit IPv4 address length to 16 bits for fast use in cellular mobile communications. IPv9 addresses specify 256-bit identifiers for interfaces and interface groups. There are three types of addresses: 1. Unicast: a single interface has an identifier; a packet sent to a unicast address is delivered to the interface identified by that address. 2. Anycast: a group of interfaces, generally belonging to different nodes, has an identifier; a packet sent to an anycast address is delivered to the one interface identified by that address that is nearest according to the routing protocol's distance metric. 3. Multicast: a group of interfaces, generally belonging to different nodes, has an identifier; a packet sent to a multicast address is delivered to all interfaces of that address. There is no broadcast address in IPv9; its function is replaced by multicast addresses.
There are five types of IPv9 addresses:
1. Pure IPv9 address: the form of this address is Y[Y[Y[Y[Y[Y[Y[Y, where each Y represents a decimal integer from 0 to 2^32 = 4294967296.
2. IPv4-compatible IPv9 address: the form of this address is Y[Y[Y[Y[Y[Y[Y[D.D.D.D, where each Y represents a decimal integer from 0 to 2^32 = 4294967296 and D represents a decimal integer from 0 to 2^8 = 255 of the original IPv4.
3. IPv6-compatible IPv9 address: the form of this address is Y[Y[Y[Y[X:X:X:X:X:X:X:X, where each Y represents a decimal integer from 0 to 2^32 = 4294967296 and X represents a hexadecimal number from 0000 to FFFF of the original IPv6.
4. Special compatible address.
5. [] full-decimal address: to facilitate the application of logistics codes and full-decimal addresses, [] denotes an abbreviated representation of an IPv9 full-decimal address, just as 192.1.1.0/24 denotes a class C segment address in IPv4.
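The three address forms spelled out above can be checked mechanically. The Python parser below is an added example, not part of the patent; it treats "[" as the segment separator shown in the forms, applies the bounds the page states for Y, D and X, and does not handle the special compatible or [] abbreviated forms, whose layout the page does not give.

```python
import re
from typing import List, Tuple

Y_MAX = 2 ** 32                         # bound for a Y segment as stated on the page
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")  # an X field: four hex digits, 0000..FFFF


def _parse_y(segment: str) -> int:
    """A Y segment is a decimal integer in [0, 2^32]."""
    if not segment.isdigit():
        raise ValueError(f"Y segment {segment!r} is not a decimal integer")
    value = int(segment)
    if value > Y_MAX:
        raise ValueError(f"Y segment {value} exceeds 2^32")
    return value


def _parse_ipv4_tail(tail: str) -> List[int]:
    """D.D.D.D with each D in [0, 255], as in the original IPv4."""
    parts = tail.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 tail {tail!r}")
    return [int(p) for p in parts]


def _parse_ipv6_tail(tail: str) -> List[int]:
    """X:X:X:X:X:X:X:X with each X a four-digit hex field, as in the original IPv6."""
    parts = tail.split(":")
    if len(parts) != 8 or not all(HEX4.match(p) for p in parts):
        raise ValueError(f"invalid IPv6 tail {tail!r}")
    return [int(p, 16) for p in parts]


def parse_ipv9(address: str) -> Tuple[str, List[int], List[int]]:
    """Classify an IPv9 address as pure, IPv4-compatible or IPv6-compatible.

    Returns (kind, Y segments, tail values); raises ValueError for any other shape.
    """
    segments = address.split("[")  # "[" separates the Y segments in every form
    if len(segments) == 8 and "." in segments[-1]:
        return ("ipv4-compatible", [_parse_y(s) for s in segments[:7]],
                _parse_ipv4_tail(segments[7]))
    if len(segments) == 8:
        return "pure", [_parse_y(s) for s in segments], []
    if len(segments) == 5 and ":" in segments[-1]:
        return ("ipv6-compatible", [_parse_y(s) for s in segments[:4]],
                _parse_ipv6_tail(segments[4]))
    raise ValueError(f"unrecognised IPv9 address form: {address!r}")
```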
IPv9 is described as having the following characteristics:
1. It uses fixed-length, non-positional address encoding, which reduces network overhead; like a telephone number, an address can be used at variable length.
2. It uses a specific encryption mechanism. Because control of the encryption algorithm rests with our country, the network is held to be particularly secure. IPv9 has more addresses, more addressing modes (fixed-length non-positional, positional variable-length, and a proprietary IP address encryption technique) and more extension header definitions, which are said to give the network stronger security. The address header, packet formats and protocol numbers are not published and form a self-contained system. Even if the protocol were published, only the civilian part would be; the military part is decided by the military. With IPv4/IPv6, by contrast, our country cannot decide the security measures used in the network system, and even with network-layer IPsec and application-layer SSL it is hard to guarantee security; this is the difference. On theoretical analysis, a proprietary protocol is harder to break than a cryptographic algorithm. Under the current IPv4/IPv6 standards the 32-bit/128-bit addresses cannot be encrypted, because an encrypted address could no longer be routed to its destination.
3. It adopts TCP/IP with absolute-code and long-stream-code classes, resolving the conflict between voice and image transmission and packet-switched circuits. The IP address can be used directly as a domain name, which suits mobile-phone and home Internet access.
4. It defines an emergency class to keep lines open in wartime and national emergencies. Because the protocol standard is set domestically, besides ciphertext transmission of network communications the protocol carries an emergency-state bit: if war breaks out and the military network is partially destroyed, civilian routers can be requisitioned by router broadcast and their routing tables modified, so that they serve the war effort.
5. Because point-to-point links are implemented, user privacy is strengthened.
6. It is particularly suited to wireless transmission.
Besides the features above, because IPv9 is an Internet deployment independent of the original IPv4 and IPv6, it allows effective control and management of network security and information security, and valuable foreign information can be selectively downloaded for domestic use as needed, thereby avoiding the intrusion of harmful foreign information, that is, unexpected foreign attacks on the network. This is favourable to business development: because the network is independent, the relevant departments can develop public information services autonomously and flexibly, subject to national policy, which supports building advanced application systems on top of Chinese-language information retrieval in future.
At the same time, so that users need not change their habits, IPv9 is compatible with IPv4 and IPv6: IPv4 can be used as a tunnel to carry traffic between two IPv9 subnets, and IPv9 as a tunnel to carry traffic between two IPv4 subnets.
The main advantages of that invention (IPv9) are: first, an independent intellectual property system and vast cyberspace resources. Second, the decimal network system translates the original binary address directly into decimal text, matching people's everyday habits. Third, domain name and IP address are unified and coincide with the identification code of people and things, so that telephone numbers, mobile numbers, domain names, IP addresses, IPTV and IP telephony can be combined into one number; unifying domain name and IP address removes the translation between them, making communication faster and more direct and improving the capacity of existing switching equipment. Fourth, a specific encryption mechanism is used to guarantee network security. Fifth, from the standpoint of safeguarding sovereignty, it proposes the concept of "sovereign equality" on the Internet and uses a decimal, multi-protocol numeric domain name system that supports English, Chinese and other domain names, mapping them to globally unique IP addresses.
IPv9, the decimal network, still has shortcomings in many respects, specifically:
1. IPv9 packets use source and destination addresses of 256 bits at minimum and up to 2048 bits. A 256-bit address space holds 2^256 (about 1.2 × 10^77) addresses, while the total number of atoms of ordinary matter in the observable universe is about 10^80; the address space is thus comparable to the number of atoms in the observable universe, so 256 bits is already enormous and 2048 bits is beyond imagination. Real networks do not need such a huge address space.
2. Because the IPv9 address space is so large, address-space utilisation becomes a problem: not every address is used effectively, and large numbers of addresses sit idle.
3. Because IPv9 uses at least 256-bit source and destination addresses, its packet header is very large (the two addresses alone occupy 64 bytes, against 8 for IPv4 and 32 for IPv6), which causes transmission-efficiency and congestion-control problems. Even very small payloads must carry a full IPv9 header, so transmission efficiency is low. Moreover, the Ethernet frame payload in current IPv4/IPv6 networks is 1500 bytes; if the IPv9 header takes too much of it, the data carried per frame shrinks.
4. Devices in the Internet of Things and industrial Internet have very limited memory and compute, typically under 10 KB of storage; IPv9's long headers are poorly suited to such scenarios.
5. IPv9 requires every link on the Internet to have an MTU of at least 576 bytes. On any link that cannot carry 576 bytes in one packet, link-specific fragmentation and reassembly must be provided by layers below IPv9, which adds processing burden to the link layer.
6. IPv9 uses the address directly as the domain name for content requests; with such huge domain-name addresses, fast lookup, matching and forwarding in routers becomes a problem.
7. With the naming and addressing scheme of IPv9, fast lookup and addressing over an enormous identifier space is a major challenge. The geolocation-based addressing scheme proposed by IPv9 also requires conversion between IP addresses and geographic addresses; since both are large, fast conversion is also a challenge.
8. IPv9 adopts a new "decimal" address format different from IPv4 and IPv6, but the consequence of an idiosyncratic address format is an artificial barrier to interconnection with the global Internet.
9. IPv9 cannot guarantee genuine network security, because the purpose of the IP protocol suite is to let computers on different networks (Ethernet, Token Ring, FDDI, ATM and so on) communicate over a virtual "common network"; the various IP-family protocols differ only in implementation, while the goal of letting any computer on the network talk to any other is the same. IPv9 is therefore essentially a protocol version derived from the same technology as IPv6 under different conventions, and it inherits the intrinsic defects of IPv4 and IPv6.
10. The IPv9 protocol has no broadcast address and uses multicast instead. Building a sovereign network on IPv9 would therefore limit the real-time performance, reach and flexibility of data transmission in the sovereign network.
Summary of the invention
The object of the present invention is to provide a post-IP sovereign network architecture, intended to solve the inherent security problems of the IP protocol: a sovereign network built on IP cannot be guaranteed manageable and controllable, and IP is inherently weak in mobility, so it cannot support many mobile services well.
The invention is realised as follows. In the post-IP sovereign network architecture, all devices use a new identity-centric network, within which there is no IP network. The sovereign network equipment further includes ID-ICN routers and EAN nodes. The ID-ICN router supports mutual translation, addressing and network data transmission among different identity and content identifiers. The EAN node allows users inside the sovereign network to request, within their permissions, data from other networks and the Internet outside the sovereign network, and allows users of other sovereign networks holding a visa of this sovereign network to access data inside it; all requests actively initiated from other networks and the Internet outside the sovereign network are blocked. A content review program is installed on the EAN node to perform preliminary review and filtering of content arriving at the node.
In a further technical scheme of the invention, the post-IP sovereign network architecture uses a distributed storage subsystem with endogenous (built-in) security for data storage, to safeguard the data.
In a further technical scheme, users are managed through a blockchain management subsystem. Users register with their real personal identity information, which is stored in the blockchain nodes of the sovereign network; to access the sovereign network a user must bind the identity information given at registration. Within the sovereign network the blockchain management subsystem votes on content that users wish to publish, and only content that passes the vote may be published; information about published content and the logs of users' data requests are latched (recorded immutably) on the chain. Different identifiers may be defined inside the sovereign network, and translation between identifiers is performed in the blockchain management subsystem.
In a further technical scheme, both authorised users and the broadcasting production network can publish video and audio in the sovereign network. An authorised user publishes audio and video through the following steps:
SY1. The authorised user logs in with personal information.
SY2. After logging in, the user asks a blockchain node for permission to publish the audio/video content.
SY3. The blockchain votes on the publication request. If the vote passes, the user is authorised to publish, the user and the content information are latched in the blockchain, and the next step is performed; if the vote fails, the user is prohibited from publishing this content.
SY4. Under blockchain management, the authorised user publishes the audio/video content to the distributed storage system with endogenous security or to the user's own local host. The broadcasting production network publishes content through the following steps:
SZ1. Obtain content resources from the Internet through the sovereign network's external access node.
SZ2. The internal production network produces the content and then distributes it through the network.
SZ3. The content reaches an edge ID-ICN router or EAN node and is then delivered to ordinary users.
In a further technical scheme, when an ordinary user obtains data, the data provider is either on the IP Internet or inside the sovereign network, or a sovereign network node holds the content in its cache. Obtaining data from the IP Internet involves the following steps:
SIP1. The ordinary user logs in to the sovereign network with personal identity information.
SIP2. The user sends a content request to the edge ID-ICN router, which forwards it over the identity-centric network to a sovereign network external access node, or sends the request directly to the external access node it is connected to; the content information requested by the user is recorded on a blockchain node.
SIP3. The external access node checks the user's permissions against the content request. If the requested content exceeds the user's permissions the request is dropped; if it is within them, proceed to the next step.
SIP4. The external access node extracts the requested content information and requests the data from the Internet in the conventional Internet way.
SIP5. The Internet content provider delivers the requested content data to the external access node in the conventional Internet way.
SIP6. The external access node performs a preliminary review of the received content data. If it passes, proceed to the next step; if not, the data is discarded and the process returns to step SIP4.
SIP7. The external access node encapsulates the received Internet content data into data packets of the identity-centric network and returns them to the ordinary user along the path of the content request.
Obtaining data that is inside the sovereign network or cached in a sovereign network node involves the following steps:
SN1. The ordinary user logs in to the sovereign network with personal identity information.
SN2. The user sends a content request to a network node inside the sovereign network or to an external access node, which checks whether the content is in its cache. If it is, the node returns the cached content directly to the requesting user; if not, it fetches the data from the original source and returns it to the requesting user.
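The steps SIP1-SIP7 and SN1-SN2 above, together with the EAN admission rule stated in the summary (requests originating inside the sovereign network pass within the user's permissions, requests arriving from outside are dropped, and fetched content is reviewed before it is encapsulated), can be modelled as a small interest/data forwarder. The Python block below is an added illustration written for this page, not code from the patent or its authors; the identities, permission levels, the stand-in "Internet" content table and the review rule are all constructed for the example. One choice goes beyond the page's steps and is flagged in the code: the permission check of SIP3 is applied at every content store, not only on the EAN, because the SN2 cache path as written would otherwise hand a cached copy to any logged-in user regardless of permission.

```python
"""Added illustration of steps SIP1-SIP7 / SN1-SN2 and the EAN admission rule.
Not code from the patent; users, content, permission levels and the review
rule are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed registry: identity -> permission level, content -> required level.
USERS = {"user:alice": 2, "user:bob": 1}
CONTENT_LEVEL = {"cnn/news/1": 1, "cnn/video/2": 2, "x/bad/3": 1}
# Constructed stand-in for the IP Internet: name -> (payload, review tags).
INTERNET = {
    "cnn/news/1": (b"news body", []),
    "cnn/video/2": (b"video body", []),
    "x/bad/3": (b"junk", ["blocked"]),
}

def permitted(user: str, name: str) -> bool:
    """SIP3 check. Applied at every cache as well as at the EAN (assumption
    added here: the patent's steps check permission only on the EAN, so a
    router serving its cache unconditionally would bypass the check)."""
    level = USERS.get(user)
    return level is not None and CONTENT_LEVEL.get(name, 99) <= level

@dataclass
class Interest:
    name: str                                   # content identifier
    user: str                                   # identity bound at login
    origin: str = "inside"                      # "inside" or "outside"
    path: List[str] = field(default_factory=list)  # hops, for the reverse path

@dataclass
class Data:
    name: str
    payload: bytes
    path: List[str]                             # data retraces the interest path

class IDICNRouter:
    """Identity-centric router with a content store; forwards misses upstream."""
    def __init__(self, name: str, upstream):
        self.name, self.upstream = name, upstream
        self.cs: Dict[str, bytes] = {}

    def forward(self, i: Interest) -> Optional[Data]:
        i.path.append(self.name)
        if not permitted(i.user, i.name):
            return None
        if i.name in self.cs:                            # SN2 cache hit
            return Data(i.name, self.cs[i.name], list(i.path))
        d = self.upstream.forward(i)                     # SIP2 towards the EAN
        if d is not None:
            self.cs[i.name] = d.payload                  # cache on the way back
        return d

class EANNode:
    """Unidirectional external access node at the sovereign network border."""
    def __init__(self, name: str):
        self.name = name
        self.cs: Dict[str, bytes] = {}
        self.chain_log: List[Tuple[str, str]] = []       # SIP2 request records

    def forward(self, i: Interest) -> Optional[Data]:
        i.path.append(self.name)
        if i.origin != "inside":                         # inbound request: drop
            return None
        self.chain_log.append((i.user, i.name))
        if not permitted(i.user, i.name):                # SIP3
            return None
        if i.name in self.cs:
            return Data(i.name, self.cs[i.name], list(i.path))
        fetched = INTERNET.get(i.name)                   # SIP4 / SIP5
        if fetched is None:
            return None
        payload, tags = fetched
        if "blocked" in tags:                            # SIP6 review failed
            return None
        self.cs[i.name] = payload
        return Data(i.name, payload, list(i.path))       # SIP7 encapsulate

def run_scenario() -> dict:
    """Edge router in front of one EAN; returns the outcome of each request."""
    ean = EANNode("ean")
    edge = IDICNRouter("edge", ean)
    out = {}
    d = edge.forward(Interest("cnn/video/2", "user:alice"))
    out["first"] = (d.payload, d.path) if d else None        # fetched via EAN
    out["bob_blocked"] = edge.forward(Interest("cnn/video/2", "user:bob"))
    d = edge.forward(Interest("cnn/video/2", "user:alice"))
    out["cached"] = d.path if d else None                    # served at the edge
    out["review_drop"] = edge.forward(Interest("x/bad/3", "user:alice"))
    out["inbound_drop"] = ean.forward(Interest("cnn/news/1", "anyone", "outside"))
    out["chain_log"] = list(ean.chain_log)
    return out

if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the second request for the same content never leaving the edge router, a lower-permission user being refused even though the content is already cached, a review failure discarding the fetched data, and an interest arriving from outside being dropped before anything is logged.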
In a further technical scheme, the data handled by the production network is mainly obtained as resources from the Internet, then produced and distributed.
In a further technical scheme, when other networks outside the sovereign network or Internet users send a request to the sovereign network's external access node, the external access node discards the request packet.
In a further technical scheme, mutual access between the sovereign networks of several countries in the post-IP sovereign network architecture involves the following steps:
SDG1. A registered user sends a visa request to the external access node of the home sovereign network that acts as agent for the visas of other sovereign networks.
SDG2. The home external access node sends the visa request to the target country over Overlay IP.
SDG3. The external access node of the target country's sovereign network reviews the incoming request. If the review passes, the visa request is sent to the blockchain for a vote and the next step is performed; if not, feedback is returned to the visa requester.
SDG4. For a request that passes the vote, the visa is returned to the requester along the request path.
SDG5. The content requester uses an interest packet carrying the visa to request content from the other sovereign network.
SDG6. After the destination sovereign network's external access node has verified the visa, the content provider returns the content along the request path.
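The visa exchange SDG1-SDG6, as an added example that is not the patent's own code: the visa is an expiring, signed statement from the target sovereign network's EAN naming the subject, the issuer and the home network. Because the same EAN both issues the visa (SDG4) and checks it (SDG6), a keyed MAC held by that node is enough here; a public-key signature would be needed only if parties other than the issuer had to verify the visa. The HMAC keys, the majority vote threshold, the review rule, the user names and the content are assumptions constructed for the example.

```python
"""Added illustration of the visa exchange SDG1-SDG6. Not the patent's code:
the visa format, the HMAC stand-in for the signature, the vote threshold and
all keys, users and content are constructed assumptions."""
import hashlib
import hmac
import json
from typing import Callable, Optional

class SovereignNet:
    """One country's sovereign network, reduced to its EAN and blockchain vote."""
    def __init__(self, name: str, visa_key: bytes, validators: int,
                 allow: Callable[[str], bool]):
        self.name = name
        self.visa_key = visa_key          # secret held by this network's EAN
        self.validators = validators      # size of the voting set
        self.allow = allow                # SDG3 review rule for a subject
        self.content = {}

    def vote(self, votes_for: int) -> bool:
        """Blockchain vote (assumption): more than half of validators approve."""
        return votes_for * 2 > self.validators

    def issue_visa(self, user: str, home: str, votes_for: int,
                   now: int, ttl: int) -> Optional[str]:
        """SDG3/SDG4 on the target side: review, vote, then sign the visa."""
        if not self.allow(user) or not self.vote(votes_for):
            return None
        body = {"issuer": self.name, "subject": user, "home": home, "exp": now + ttl}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.visa_key, raw, hashlib.sha256).hexdigest()
        return raw.hex() + "." + tag

    def verify_visa(self, visa: str, user: str, now: int) -> bool:
        """SDG6: the visa must carry our MAC, name this user and be unexpired."""
        try:
            raw_hex, tag = visa.split(".")
            raw = bytes.fromhex(raw_hex)
        except ValueError:
            return False
        expect = hmac.new(self.visa_key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return False
        body = json.loads(raw)
        return (body["issuer"] == self.name and body["subject"] == user
                and body["exp"] > now)

    def serve(self, visa: Optional[str], user: str, name: str, now: int) -> Optional[bytes]:
        """SDG5/SDG6: an interest carrying the visa is answered only if it checks."""
        if visa is None or not self.verify_visa(visa, user, now):
            return None
        return self.content.get(name)

def cross_border_scenario() -> dict:
    net_a = SovereignNet("A", b"key-a", validators=5, allow=lambda u: True)
    net_b = SovereignNet("B", b"key-b", validators=5,
                         allow=lambda u: not u.endswith("banned"))
    net_b.content["b/film/1"] = b"film from B"
    now = 1_700_000_000
    out = {}
    # SDG1/SDG2: A's EAN relays alice's request to B over overlay IP (a call here)
    visa = net_b.issue_visa("user:alice@A", "A", votes_for=4, now=now, ttl=3600)
    out["issued"] = visa is not None
    out["content"] = net_b.serve(visa, "user:alice@A", "b/film/1", now + 10)
    out["expired"] = net_b.serve(visa, "user:alice@A", "b/film/1", now + 4000)
    # Tampering: re-use alice's MAC with a different subject
    raw_hex, tag = visa.split(".")
    body = json.loads(bytes.fromhex(raw_hex))
    body["subject"] = "user:mallory@A"
    forged = json.dumps(body, sort_keys=True).encode().hex() + "." + tag
    out["forged"] = net_b.serve(forged, "user:mallory@A", "b/film/1", now + 10)
    # Vote or review failure yields no visa at all
    out["vote_failed"] = net_b.issue_visa("user:carol@A", "A", votes_for=2, now=now, ttl=3600)
    out["review_failed"] = net_b.issue_visa("user:banned", "A", votes_for=5, now=now, ttl=3600)
    # A visa issued by A's EAN does not open B
    visa_a = net_a.issue_visa("user:alice@A", "A", votes_for=5, now=now, ttl=3600)
    out["wrong_issuer"] = net_b.serve(visa_a, "user:alice@A", "b/film/1", now + 10)
    return out

if __name__ == "__main__":
    print(cross_border_scenario())
```

The expiry field matters in practice: the page's steps describe issuing a visa but not revoking one, so a time limit is the simplest way to bound how long a visa stays usable after the vote that granted it.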
In a further technical scheme, the identity-centric network of the post-IP sovereign network architecture natively supports multipath, letting a mobile device connect to several reachable base stations at once so that leaving the coverage of the current base station does not interrupt data transmission; it thus natively supports wireless communication.
In a further technical scheme, if a mobile user is inside the sovereign network, the user requests content over the identity-centric network. If the mobile user is outside the sovereign network, requests for IP content first reach the base station over Overlay IP, and the base station then requests and transfers the content over the conventional IP network. A mobile user outside the sovereign network requests sovereign network content through the following steps:
S5G1. The wireless terminal device holding an identity identifier first communicates with the base station over Overlay IP.
S5G2. The base station in the region sends the data over conventional IP transport to a target sovereign network external access node.
S5G3. The external access node verifies the user's identity; access is allowed if verification passes and refused otherwise.
The beneficial effects of the invention are as follows. An identity-centric content network is used for the underlying data transmission, relying mainly on interest packets and data packets, with transmission driven by consumer interest. Because neither interest packets nor data packets use conventional IP addresses, a country's domain name cannot be erased by a particular country or organisation, which effectively improves the security of the national network. Each country manages its own sovereign network identifier space, giving it full autonomy over its cyberspace in the post-IP era. The identity-centric sovereign network uses data stores to cache recently requested data, so users in the same domain need fetch a given content item from its original provider only once, after which it is served directly from the ID-ICN router; this raises overall transmission efficiency and greatly improves the user experience. Thanks to in-network caching, the identity-centric network gradually caches Internet content inside the sovereign network, enriching in-network resources, so that if the sovereign network is physically disconnected from the Internet users can still obtain content they had obtained before the disconnection, without affecting their use.
Description of the drawings
Figure 1 is a schematic diagram of a traditional IP-based sovereign network architecture.
Figure 2 is a schematic diagram of the post-IP sovereign network architecture provided by an embodiment of the invention.
Figure 3 is a schematic diagram of the blockchain subsystem signature scheme provided by an embodiment of the invention.
Figure 4 is a schematic diagram of an authorised user publishing content, provided by an embodiment of the invention.
Figure 5 is a schematic diagram of the broadcasting production network distributing content, provided by an embodiment of the invention.
Figure 6 is a schematic diagram of an ordinary user obtaining data from the Internet, provided by an embodiment of the invention.
Figure 7 is a schematic diagram of an ordinary user obtaining data inside the sovereign network, provided by an embodiment of the invention.
Figure 8 is a schematic diagram of the production network fetching data from the Internet, provided by an embodiment of the invention.
Figure 9 is a schematic diagram of an external IP network accessing sovereign network content, provided by an embodiment of the invention.
Figure 10 is a schematic diagram of the visa acquisition process provided by an embodiment of the invention.
Figure 11 is a schematic diagram of obtaining content across borders with a visa, provided by an embodiment of the invention.
Figure 12 is a schematic diagram of data transmission between the sovereign networks of several countries through an IP tunnel, provided by an embodiment of the invention.
Figure 13 is a schematic diagram of a sovereign network mobile user requesting sovereign network content from outside the sovereign network, provided by an embodiment of the invention.
Figure 14 is a schematic diagram of the three-layer protection of the sovereign network provided by an embodiment of the invention.
具体实施方式detailed description
提出了一种与身份标识绑定的网络分级化管理方案,解决了现阶段网络内容管理混乱的问题。分级管理方案既促进了信息传播,也在一定程度上消解了传统媒介对未成年人不适宜信息的影响。A network hierarchical management scheme bound with identity identification is proposed, which solves the problem of confusion in network content management at this stage. The hierarchical management plan not only promotes the dissemination of information, but also eliminates the influence of traditional media on unsuitable information for minors to a certain extent.
主权网内部使用身份标识进行路由,其名字空间原则上无上限,避免了IPv4地址耗尽的问题。网络更加关注网络资源本身或者用户本身而非传统网络资源存放的问题,避免了传统IP网络所存在的性能细腰问题。The sovereign network uses identity tags for routing, and its name space is unlimited in principle, avoiding the problem of IPv4 address exhaustion. The network pays more attention to the storage of network resources or users themselves rather than traditional network resources, avoiding the performance problem of traditional IP networks.
如图1所示,本发明提供的后IP的主权网体系架够,所述后IP的主权网体系架构中设备均采用以身份标识为中心的新型网络,在该新型网络中没有IP网络;所述主权网设备还包括ID-ICN路由器及EAN节点,所述ID-ICN路由器,用于支持不同身份及内容标识互译、寻址及网络数据传输;所述EAN节点,用于允许主权网内用户在权限范围内自由请求主权网外其他网络和互联网数据,以及携带本主权网签证的其他主权网用户访问本主权网内数据,并对主权网外其他网络和互联网主动发起的所有请求全部进行屏蔽,并且在所述EAN节点中安装相关内容审核程序,对到达该节点的内容进行初步审核和过滤。As shown in Figure 1, the post-IP sovereign network architecture provided by the present invention is sufficient, and the devices in the post-IP sovereign network architecture all adopt a new type of network centered on identity identification, and there is no IP network in the new type of network; The sovereign network equipment also includes an ID-ICN router and an EAN node. The ID-ICN router is used to support translation, addressing, and network data transmission between different identities and content identifications; the EAN node is used to allow the sovereign network Internal users freely request data from other networks and Internet outside the sovereign network within the scope of authority, as well as other sovereign network users who carry the sovereign network visa to access the data within the sovereign network, and all requests initiated by other networks and the Internet outside the sovereign network are all Screening is performed, and a related content review program is installed in the EAN node, and the content arriving at the node is initially reviewed and filtered.
现有网络体系均是使用IP协议进行构建,但是现在IPv4地址已经消耗殆尽。使用IPv6可解决地址空间问题,但是使用IP协议存在固有的安全问题。而且使用IP协议构建主权网无法保障对网络的可管可控,同时IP在移动性上天生基因不足,对于很多移动业务无法提供很好的支持。Existing network systems are all constructed using the IP protocol, but now IPv4 addresses have been exhausted. The use of IPv6 can solve the address space problem, but the use of the IP protocol has inherent security problems. Moreover, using the IP protocol to construct a sovereign network cannot guarantee the manageability and control of the network. At the same time, IP is inherently inadequate in mobility and cannot provide good support for many mobile services.
针对上述问题,本发明——一种后IP的主权网体系架构,系统及软件存储介质,用以身份标识为中心的新型网络体系构建主权网,在主权网内实现去IP化。在主权网内数据由数据消费者接收端驱动并引入缓存机制保证数据传输的高效,同时主权网采用与IP不同 的数据传输方式使得传统的IP攻击如蠕虫、端口扫描等病毒丧失传播环境从而无法发动有效攻击。还在兴趣分组和数据分组中加入公钥签名,保证数据的安全可靠。本发明还引入区块链进行用户信息和行为信息的存储,防止数据被篡改,保证用户行为和内容的可管可控。同时加入权限控制保障未成年人网络环境的干净、健康。本发明还设计主权网外访节点,其位于主权网和互联网边界,只允许主权网内用户主动请求的互联网流量和经过授权的其他主权网用户请求数据流入主权网内,对于互联网用户主动对主权网内发起的请求直接抛弃,保证主权网内用户能够在自由访问互联网内容的同时保障主权网网络的安全。In view of the above-mentioned problems, the present invention, a post-IP sovereign network system architecture, system and software storage medium, is used to construct a sovereign network with a new network system centered on identity identification, and achieve de-IP in the sovereign network. The data in the sovereign network is driven by the data consumer receiving end and a caching mechanism is introduced to ensure the efficiency of data transmission. At the same time, the sovereign network adopts a data transmission method different from IP so that traditional IP attacks such as worms, port scanning and other viruses lose the propagation environment and cannot Launch an effective attack. Public key signatures are also added to interest groups and data groups to ensure data safety and reliability. The invention also introduces the blockchain to store user information and behavior information, prevents data from being tampered with, and ensures the manageability and control of user behavior and content. At the same time, access control is added to ensure the clean and healthy network environment of minors. The present invention also designs a sovereign network external visit node, which is located at the border between the sovereign network and the Internet, and only allows Internet traffic actively requested by users in the sovereign network and authorized data requested by other sovereign network users to flow into the sovereign network. 
Requests initiated within the network are directly discarded, ensuring that users in the sovereign network can freely access Internet content while ensuring the security of the sovereign network network.
EAN节点:主权网外访节点(Uni-direction External Visiting Node)。EAN node: Uni-direction External Visiting Node.
ID-ICN路由器:主权网内部路由器(Identify-Information Centric Network Router)。ID-ICN router: the internal router of the sovereign network (Identify-Information Central Network Router).
主权网整体架构设计Sovereign network overall architecture design
主权网的体系结构设计如图2所示。在国家主权网中所有设备都使用以身份标识为中心的新型网络,在网内没有IP网络。其设备与现有系统最大的不同的是增加了ID-ICN路由器和EAN节点。ID-ICN路由器是支持不同身份及内容标识互译、寻址及网络数据传输的路由器,主权网外访节点是允许主权网内用户可以在权限范围内自由请求互联网数据,而对互联网发起的所有请求都屏蔽掉,同时EAN节点中安装相关内容审核程序如AI内容审核程序,对于到达该节点的内容进行初步审核和过滤,通过这两步可以很好的隔绝外面网络攻击保证安全防护。The architecture design of the sovereign network is shown in Figure 2. In the national sovereign network, all devices use a new type of network centered on identity identification, and there is no IP network in the network. The biggest difference between its equipment and the existing system is the addition of ID-ICN routers and EAN nodes. The ID-ICN router is a router that supports the translation, addressing, and network data transmission of different identities and content identifiers. The external access node of the sovereign network allows users in the sovereign network to freely request Internet data within the scope of authority. All requests are blocked. At the same time, relevant content review programs such as AI content review programs are installed in the EAN node to conduct preliminary review and filtering of the content that reaches the node. Through these two steps, external network attacks can be well isolated and security protection can be ensured.
国家主权网的后台支撑与现有广电系统功能保持一致,其存储系统使用分布式存储保证数据的备份安全。用户通过自己身份证、手机号、指纹等个人身份信息进行注册,用户注册信息会锁存在区块链节点中以便后续用户管理;用户需要绑定注册时的相关身份信息以接入主权网。The background support of the National Sovereign Network is consistent with the functions of the existing radio and television system, and its storage system uses distributed storage to ensure data backup security. Users register with personal identification information such as their own ID card, mobile phone number, fingerprint, etc. The user registration information will be locked in the blockchain node for subsequent user management; the user needs to bind the relevant identification information during registration to access the sovereign network.
Blockchain management subsystem
The blockchain management subsystem latches the information given at user registration, the information on content published by users and the record of users' data requests; it also holds a vote on content published by users, and only content that passes the vote may be published. Different identifiers can be defined inside the sovereign network, and translation between identifiers is carried out in the blockchain subsystem. The subsystem uses tree-shaped chained group/ring signatures; Figure 3 shows the signature scheme it adopts. The supervisability and anonymity of group/ring signatures balance the requirement that the system be controllable and manageable against the protection of user privacy. By establishing group relationships between nodes of different levels and different identities, the administrator of a higher-level domain can quickly locate the problem domain and identify the corresponding malicious nodes, improving system security.
Implementation of each process in the identity-centric network
User registration
When opening a sovereign network account, a user registers with real information such as ID card number, mobile phone number and face; the system uploads the user information to the blockchain for latching.
Content publishing
In the sovereign network, besides the broadcast production network, which can publish video, audio and other content, authorized users can also publish content. Content that an authorized user has shot or produced can be published on the sovereign network once it has passed the blockchain vote. The publishing flow for authorized users is shown in Figure 4.
①. The authorized user first logs in by fingerprint, iris or face;
②. After a successful login the user sends a publishing request to a blockchain node (blockchain nodes may be deployed on ID-ICN routers or on separately deployed servers);
③. The blockchain holds a vote; once the vote passes, the authorized user may publish. When publishing, the publisher signs the content with its public key, and the user and the information on the published content are latched in the blockchain;
④. Once publication succeeds, the user may place the content in the distributed storage system with endogenous security or on its own local host.
The other main source of content in the sovereign network is content distributed by the broadcast production network; the process is shown in Figure 5.
First, staff of the internal production network obtain content resources from the Internet through the sovereign network's external access node; second, the internal production network produces the content, with the producer signing it using the public key, and distributes it through the network; third, the content reaches an edge ID-ICN router or EAN node and is then sent on to home or enterprise users.
Ordinary users obtaining data
Enterprise users and home users are collectively called ordinary users. There are two cases in which ordinary users obtain data. In the first, the data provider is on the IP Internet; when an ordinary sovereign network user obtains the data for the first time, the request must go through the sovereign network's external access node to fetch the data from the Internet. The data transmission process is shown in Figure 6:
①. An ordinary user inside the sovereign network logs in by fingerprint, iris, face or similar;
②. After a successful login, the ordinary user sends a content request to an edge node, which forwards the request across the network to the sovereign network's external access node; alternatively the user sends the request directly to the external access node it is connected to. At the same time a blockchain node records which user requested which content;
③. The external access node checks the user's permission for the content request. There are two main ways to do this: one is to place the user information inside the signature, and the external access node verifies whether the requested content is within the user's permission scope; the other is to add a permission domain to the interest packet, and the external access node verifies the request against that domain. The permission control domain in the interest packet restricts the range of content accessible at each level; the specific permission information is given in Table 1. If the requested content exceeds the user's permission, the request is discarded directly; if it is within the permission, proceed to the next step;
④. The external access node extracts the content information from the content request and requests the data from the Internet in the traditional Internet manner;
⑤. The Internet content provider delivers the requested data to the external access node in the traditional Internet manner;
⑥. The external access node performs a preliminary review of the data, for example keyword filtering and AI classification;
⑦. The external access node encapsulates the data obtained from the Internet into a data packet of the identity-centric network and returns it to the ordinary user along the path taken by the content request.
In the second case, the content provider is inside the sovereign network (the publisher is a sovereign network user) or the content is already cached at a sovereign network node, that is, the same user or another user has requested the same content before; the data is then obtained directly inside the sovereign network, as shown in Figure 7.
①. An ordinary user inside the sovereign network logs in by fingerprint, iris, face or similar;
②. After a successful login, the ordinary user sends a content request to a network node inside the sovereign network or to the external access node;
③. If the sovereign network node or the external access node has the requested content cached, it returns the content to the user directly; otherwise it fetches the data from the original source and returns it to the requesting user.
Table 1 User permission control level table
[Table 1 is an image in the original (PCTCN2020106725-appb-000001); its contents are not reproduced in the text.]
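The following is an added example, not code from the patent: a minimal model of how an external access node could process an ordinary user's content request following the steps above (record at the ledger node, permission-domain check, in-network cache, fetch from the IP side, preliminary keyword review, data packet returned along the request path). The permission levels (Table 1 is not reproduced on the page), the keyword blocklist and the sample Internet content are all constructed for this example.

```python
"""Added example, not the patent's own code: an external access node (EAN)
handling an ordinary user's interest packet as in Figures 6 and 7.
Permission levels, blocklist and "Internet" content are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical stand-in for Table 1 (not reproduced on the page): minimum
# permission level required for the first component of a content name.
REQUIRED_LEVEL: Dict[str, int] = {"edu": 1, "news": 2, "dev": 3}

# Constructed "Internet": content name -> payload served by the IP side.
INTERNET: Dict[str, str] = {
    "/edu/math101": "Lesson 1: fractions",
    "/news/today": "Headline: market rises",
    "/dev/tool.py": "print('hello')",
    "/news/flagged": "this article contains BADWORD",
}

# Constructed keyword filter used in the preliminary review (step 6).
BLOCKLIST = frozenset({"BADWORD"})


@dataclass
class InterestPacket:
    """Interest packet carrying the permission control domain described above."""
    user_id: str
    content_name: str
    permission_level: int          # the permission control domain
    path: List[str]                # hops traversed, so data can return the same way


@dataclass
class DataPacket:
    """Data packet of the identity-centric network returned to the requester."""
    content_name: str
    payload: str
    path: List[str]                # reverse of the interest packet's path


@dataclass
class ExternalAccessNode:
    cache: Dict[str, str] = field(default_factory=dict)
    # Stand-in for the blockchain node's record of who requested what (step 2).
    ledger: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def permitted(packet: InterestPacket) -> bool:
        """Step 3: compare the packet's permission domain with the level the
        requested content requires; unknown prefixes are never permitted."""
        parts = packet.content_name.split("/")
        prefix = parts[1] if len(parts) > 1 else ""
        required = REQUIRED_LEVEL.get(prefix)
        return required is not None and packet.permission_level >= required

    @staticmethod
    def review(payload: str) -> bool:
        """Step 6: preliminary review, here a plain keyword filter."""
        return not any(word in payload for word in BLOCKLIST)

    def handle(self, packet: InterestPacket) -> Optional[DataPacket]:
        """Returns a data packet, or None when the request is dropped."""
        self.ledger.append((packet.user_id, packet.content_name))     # step 2
        if not self.permitted(packet):                                # step 3
            return None
        return_path = list(reversed(packet.path))
        if packet.content_name in self.cache:                         # Figure 7 case
            return DataPacket(packet.content_name, self.cache[packet.content_name], return_path)
        payload = INTERNET.get(packet.content_name)                   # steps 4 and 5
        if payload is None or not self.review(payload):               # step 6
            return None
        self.cache[packet.content_name] = payload                     # later requests stay in-network
        return DataPacket(packet.content_name, payload, return_path)  # step 7


if __name__ == "__main__":
    ean = ExternalAccessNode()
    print(ean.handle(InterestPacket("u1", "/news/today", 2, ["u1", "edge-1", "ean"])))  # from Internet
    print(ean.handle(InterestPacket("u2", "/news/today", 2, ["u2", "ean"])))            # from cache
    print(ean.handle(InterestPacket("u3", "/dev/tool.py", 1, ["u3", "ean"])))           # None: dropped
```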
Production network obtaining data
The main channel for staff of the production network to obtain data is fetching resources from the Internet for production and distribution, so the main access mode for production network staff is access to the Internet. The flow is shown in Figure 8.
①. A production network staff member logs in by fingerprint, iris, face or similar;
②. After a successful login, the staff user sends a content request to an edge node, which forwards the request through the identity-centric network to the sovereign network's external access node; alternatively the staff user sends the request directly to the external access node it is connected to. At the same time a blockchain node records which staff user requested which content;
③. The external access node checks the permission of the production network staff member in the content request; if the requested content exceeds the user's permission (for example a request for code), the request is discarded directly, otherwise proceed to the next step;
④. The external access node extracts the content information from the content request and requests the data from the Internet in the traditional Internet manner;
⑤. The Internet content provider delivers the requested data to the external access node in the traditional Internet manner;
⑥. The external access node performs a preliminary review and filtering of the data, for example keyword filtering and AI recognition;
⑦. The external access node encapsulates the data obtained from the Internet into sovereign network data packets and returns them to the staff user along the path of the content request;
⑧. Internal staff of the production network produce content from the returned data.
2.2.4.5 Access to sovereign network data from the external IP network
Besides users inside the sovereign network accessing Internet data, there may also be external network users or attackers trying to access the sovereign network. For security, the sovereign network's external access node forbids the external network from actively requesting data inside the sovereign network. The flow is shown in Figure 9.
①. An Internet user sends a request to the sovereign network's external access node;
②. The external access node discards the request message.
Data transmission between the sovereign networks of multiple countries
Each country can build its own autonomous sovereign network, together forming a "United Nations" of cyberspace. There are two ways to transmit data between the sovereign networks of different countries. The first is access between countries using a visa issued by the sovereign network of the country to be visited; the user's visa application flow is shown in Figure 10.
①. The user host first sends a visa request to the external access node of its own country's sovereign network;
②. The home country's external access node forwards the visa request to the target country by Overlay IP;
③. The external access node of the target country's sovereign network reviews the incoming request;
④. A visa request that passes review is sent to the blockchain for a vote;
⑤. For a request that passes the vote, the visa is returned to the requester along the request path.
A user who has obtained a visa can place the visa information in the signature of the interest packet; such individuals or organizations can then access the content of that country's sovereign network directly, in the sovereign network's own manner, by carrying the visa information. The external access node of the target country's sovereign network verifies the visa information, and if verification passes the content is obtained successfully, as shown in Figure 11.
①. The content requester sends an interest packet carrying the visa information;
②. The home country's external access node forwards the interest packet to the target country by Overlay IP;
③. The external access node of the target country's sovereign network authenticates the visa;
④. For a successfully authenticated request, the external access node forwards the interest packet to the content source;
⑤. The content source returns the content to the requester along the original path.
The other way concerns content actively sent by a content sender, which can only be transmitted through an IP tunnel; e-mail is an example, and its flow is shown in Figure 12.
①. The content sender first sends the data to the sovereign network's external access node using the sovereign network's internal data transmission method;
②. The EAN node transmits the content over TCP/IP to a server on the IP network;
③. That server transmits the content over TCP/IP to the EAN node of the destination country;
④. The EAN node of the destination country reviews the content and then sends the approved content to the content receiver using the sovereign network's internal data transmission method.
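The following is an added example, not code from the patent, covering the visa issuance flow (Figure 10) and the visa-bearing interest packet flow (Figure 11) together with the drop rule of Figure 9. The page says the visa information travels in the interest packet's signature and includes the access duration and permissions; the concrete field layout, the signing method (an HMAC-SHA256 tag over the fields under a key held by the issuing country's nodes), the majority-vote rule and the sample content are assumptions of this example.

```python
"""Added example, not the patent's own code: issuing an electronic visa and
verifying it at the target country's external access node.
Field layout, HMAC signing, majority vote and content are assumptions."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Visa:
    holder_id: str               # the requester's identity identifier
    issuer: str                  # country whose sovereign network issued it
    scope: Tuple[str, ...]       # content-name prefixes the holder may request
    expires_at: int              # access duration expressed as an end time


def visa_bytes(visa: Visa) -> bytes:
    """Canonical encoding that gets signed; sort_keys keeps it deterministic."""
    return json.dumps(asdict(visa), sort_keys=True).encode()


def sign_visa(key: bytes, visa: Visa) -> str:
    """Assumed signing method: HMAC-SHA256 under the issuing network's key."""
    return hmac.new(key, visa_bytes(visa), hashlib.sha256).hexdigest()


def issue_visa(key: bytes, holder_id: str, issuer: str, scope: Tuple[str, ...],
               now: int, ttl: int, votes: List[bool]) -> Optional[Tuple[Visa, str]]:
    """Steps 3-5 of Figure 10 on the target side: the reviewed request goes to
    the blockchain vote (modelled as a simple majority) and, if it passes, a
    signed visa limited in time and scope is returned to the requester."""
    if sum(votes) * 2 <= len(votes):
        return None                                  # vote failed, no visa issued
    visa = Visa(holder_id, issuer, tuple(scope), now + ttl)
    return visa, sign_visa(key, visa)


class TargetAccessNode:
    """External access node of the target country: discards requests initiated
    from the IP network (Figure 9) and authenticates visa-bearing interest
    packets before forwarding them to the content source (Figure 11)."""

    def __init__(self, country: str, key: bytes, content: Dict[str, str]):
        self.country = country
        self.key = key
        self.content = content                       # constructed content source

    def handle(self, interest: dict, now: int) -> Tuple[str, Optional[str]]:
        # Figure 9: active requests from the IP network are dropped outright.
        if interest.get("origin") == "ip" or "visa" not in interest:
            return "dropped", None
        visa: Visa = interest["visa"]
        # Verify the tag before trusting any visa field (constant-time compare).
        if not hmac.compare_digest(interest.get("tag", ""), sign_visa(self.key, visa)):
            return "rejected: bad signature", None
        if visa.issuer != self.country:
            return "rejected: not issued by this sovereign network", None
        if visa.holder_id != interest.get("user_id"):
            return "rejected: holder mismatch", None
        if now >= visa.expires_at:
            return "rejected: expired", None
        name = interest["content_name"]
        if not any(name.startswith(prefix) for prefix in visa.scope):
            return "rejected: outside visa scope", None
        # Steps 4 and 5 of Figure 11: forward to the content source, return content.
        return "ok", self.content.get(name)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    node = TargetAccessNode("B", key, {"/news/b1": "B news"})
    visa, tag = issue_visa(key, "alice@A", "B", ("/news/",), 1000, 600, [True, True, False])
    print(node.handle({"user_id": "alice@A", "content_name": "/news/b1",
                       "visa": visa, "tag": tag}, now=1200))
    print(node.handle({"origin": "ip", "content_name": "/news/b1"}, now=1200))
```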
Support measures for 5G
Because the identity-centric content network introduces in-network caching and natively supports multipath, it supports 5G communication well. In-network caching gives good mobility: when a user moves into the coverage area of another base station, the device only needs to send another interest packet; since the content is cached along the path of the previous request, the nearest node on the link holding a cached copy can return the data directly. The native multipath support of the identity-centric network allows a mobile device to connect to several reachable base stations at once, so leaving the coverage of the current base station does not interrupt data transmission. In the post-IP sovereign network architecture, if the mobile user is inside the sovereign network, it requests content through the identity-centric network; if the mobile user is outside the sovereign network, an IP content request first communicates with the base station by Overlay IP, and the base station then requests and transmits the content over the traditional IP network; if the mobile user is outside the sovereign network and requests sovereign network content, the following steps apply, with the data transmission flow shown in Figure 13.
①. The wireless terminal device carrying an identity identifier first communicates with the base station by Overlay IP;
②. The base station in the area sends the data to an external access node of the target sovereign network by traditional IP transmission;
③. The external access node checks the user's identity; access is allowed if the check passes and refused otherwise.
Security measures
In the present invention the security of the sovereign network is guaranteed by the following: real identity authentication; blockchain technology preventing data tampering; signature authentication of every piece of data; the external access node blocking all active requests initiated from IP; a storage system with endogenous security; the routers that data passes through inside the sovereign network having firewalls, packet inspection, AI program review and other checks that together form an anti-attack Markov chain; and, because the network environment of the identity-centric network differs from IP, malicious viruses, traffic and the like that bypass the filtering mechanism and enter the sovereign network lose the IP operating environment that existing attack techniques rely on.
Attacks on the sovereign network may come from external IP network users or from internal users, and the protection can be divided into three layers. In the first layer, an external or internal user who wants to actively send traffic into the sovereign network must first break the key used to sign data transmitted inside the sovereign network; the second layer consists of the various protection and detection measures on the ID-ICN routers inside the sovereign network; the third layer is the protection provided by the distributed storage system with endogenous security. A schematic is shown in Figure 14.
Beneficial effects of the technical solution
The technical solution of the present invention uses an identity-centric content network for low-level data transmission; transmission relies mainly on interest packets and data packets and is driven by consumer interest. Since neither interest packets nor data packets use traditional IP addresses for data exchange, a national domain cannot be erased by a particular country or organization, which effectively improves the security of the national network. The internal identifier space of each country's sovereign network is managed by that country itself, giving each country full autonomy over its cyberspace in the post-IP era.
A sovereign network built on the identity-centric network uses a data repository to cache recent data: users in the same domain need to fetch a given piece of content from its original provider only once and can then obtain it directly from the ID-ICN router, which raises the overall data transmission efficiency of the network and greatly improves the user experience. Because the identity-centric content network introduces in-network caching, Internet content is gradually cached inside the sovereign network, enriching its resources; after the sovereign network is physically disconnected from the Internet, users can still obtain the content they obtained before the disconnection (which we consider to be the content users actually care about), so their use is not affected. The sovereign network also allows users to actively publish content, further enriching its content resources.
With the future development of the Internet of Things, the Internet of Vehicles, the industrial Internet, 4K/8K high-definition video and 5G, and changes in the habits of individual users, mobile access will become the main access mode of the future Internet; a sovereign network built on the identity-centric network has a natural advantage in supporting mobile access and is well placed to meet future service requirements.
In the sovereign network, interest packets are transmitted through the network by multicast, multiple paths can be chosen for data transmission, and data packets return along the path the interest packet took. When a link becomes unavailable, the interest packet automatically selects another available shortest path, without re-establishing a TCP connection as IP would, which effectively improves data transmission efficiency.
The sovereign network routes on identity identifiers; its name space has in principle no upper limit, which avoids the IPv4 address exhaustion problem. The network focuses on the network resources themselves, or on the users themselves, rather than on where resources are stored, avoiding the "narrow waist" performance problem of the traditional IP network.
The sovereign network protects the system in many ways and provides a very high level of security. Users bind their biometric and other identity information as an identity identifier to log in to the sovereign network; the content they publish and the resources they access are likewise bound to their identity information and recorded on the blockchain, which guarantees that the data cannot be tampered with and allows abnormal information and content to be traced quickly and accurately to an individual. Management nodes inside the sovereign network refuse registration to, delete and penalize illicit network resources and malicious users, keeping content secure, manageable and controllable; at the same time the external access nodes filter sensitive or malicious text, images, video and audio using keyword matching, AI detection and other techniques. The network system thus has complete security features.
By adding a permission control domain to interest packets, the sovereign network introduces a hierarchical management mechanism that lets different users access different ranges of Internet resources, providing minors with a clean, healthy and safe network environment.
The sovereign network allows its users to actively obtain Internet data, and allows users of other sovereign networks holding a visa issued by this sovereign network to actively access its content, while active requests from external IP can be forbidden. This reduces the data injection attacks of traditional networks and keeps the production network running online in real time; the new transmission architecture also deprives existing IP viruses and the like of their operating environment, effectively improving network security; and the system uses distributed storage with endogenous security to further protect data inside the sovereign network.
A sovereign network architecture under a three-layer network security system is proposed. Each country's sovereign network is managed by that country itself through distributed consensus technology, ensuring that network resources are authentic and cannot be tampered with. Control over the sovereign network is returned to each country's relevant management authorities instead of being monopolized by a single independent institution, so that no country's cyberspace sovereignty is violated.
Inside the sovereign network there are external access nodes, network supervision nodes, individual users and enterprise users. The sovereign network communicates with the traditional Internet through the external access nodes, which are mainly responsible for network data transmission, content filtering, permission management and other services; each external access node also carries out the translation, transmission and verification between the sovereign network's internal identity identifiers and content identifiers and the IP addresses of the traditional Internet.
A management scheme for user access to the sovereign network is proposed: users bind their biometric and other identity authentication information as an identity identifier to log in to the network, and the network resources they publish are bound to their identity information. The spatial information identifier at login and the network resources accessed are recorded on the blockchain of the network supervision node of the user's domain for security supervision and data protection.
A management scheme for users accessing the sovereign networks of other countries is provided: users bind their biometric and other identity authentication information as a personal electronic passport. To access another country's sovereign network they must obtain that country's electronic visa, whose information includes the access duration and access permissions. The external access node has full supervisory authority over access by users of other countries' sovereign networks to information inside this sovereign network.
A management scheme for users accessing the traditional Internet is provided: users inside the sovereign network exchange data with the traditional Internet according to their user permissions. All traditional Internet data transmission requests must pass through the external access node, which translates and routes the identifiers supplied by the user and at the same time inspects data coming from the traditional Internet into the sovereign network, preventing bad and malicious data from entering it.
A scheme for resource registration and management inside the sovereign network is provided: every resource generated inside the sovereign network is bound to the publisher's identity identifier and a corresponding content identifier. Identifier registration and management require joint confirmation by the management nodes of the domain, which resolves the squatting and single-party control problems of traditional network identifier registration and management and improves the efficiency of system network resources and the scalability of the whole network.
The present invention introduces blockchain technology combined with tree-shaped chained group/ring signatures; the anonymity and supervisability of group/ring signatures balance the requirement that the system be controllable and manageable against the open and transparent nature of the blockchain. By establishing group relationships between nodes of different levels and different identities, the administrator of a higher-level domain can quickly locate the problem domain and identify the corresponding malicious nodes, improving system security. User information and user behaviour information are also latched in the blockchain to prevent tampering and keep the system supervisable.
A hierarchical network management scheme bound to identity identifiers is proposed, addressing the current disorder in network content management. The hierarchical scheme promotes the dissemination of information while, to a degree, removing the influence of content unsuitable for minors that traditional media carry. When minors use the network, the content they access is effectively managed according to the rules of the local government (for example no games or adult programmes), greatly cleaning up the online environment for children.
提出了一个网络平滑过渡的渐进式部署方案,主权网在实现各个国家网络空间不受侵犯的同时访问传统的互联网。支持IP网络标识回归国家间信息传输的最初使命。A gradual deployment plan for the smooth transition of the network is proposed. The sovereign network accesses the traditional Internet while realizing the inviolability of the cyberspace of each country. Support the return of IP network identification to the original mission of information transmission between countries.
以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的 精神和原则之内所作的任何修改、等同替换和改进等,均应包含在本发明的保护范围之内。The above descriptions are only the preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement and improvement made within the spirit and principle of the present invention shall be included in the protection of the present invention. Within range.

Claims (10)

  1. A post-IP sovereign network architecture, characterized in that all devices in the post-IP sovereign network architecture adopt a new identity-centric network in which there is no IP network; the sovereign network devices further comprise ID-ICN routers and EAN nodes; the ID-ICN router is used to support translation between different identity and content identifiers, addressing and network data transmission; the EAN node is used to allow users inside the sovereign network to freely request data from other networks and from the Internet outside the sovereign network within the scope of their permissions, and to allow users of other sovereign networks who carry a visa of this sovereign network to access data inside this sovereign network, while blocking all requests actively initiated by other networks and the Internet outside the sovereign network; and a content review program is installed in the EAN node to perform preliminary review and filtering of content arriving at that node.
  2. The post-IP sovereign network architecture according to claim 1, characterized in that the post-IP sovereign network architecture uses a distributed storage subsystem with endogenous security for data storage, so as to guarantee data security.
  3. The post-IP sovereign network architecture according to claim 2, characterized in that in the post-IP sovereign network architecture users are managed through a blockchain management subsystem, so that user behaviour is manageable and controllable; users register with their real personal identity information, the user registration information is stored in the blockchain nodes of the sovereign network, and a user who wants to access the sovereign network must bind the identity information given at registration; in the sovereign network the blockchain management subsystem votes on content published by users, content that passes the vote is allowed to be published, and the information on the content published by the user and the behaviour log of the user's data requests are latched; different identifiers can be defined inside the sovereign network, and translation between different identifiers is completed in the blockchain management subsystem.
  4. The post-IP sovereign network architecture according to claim 3, characterized in that in the sovereign network both authorized users and the radio and television production and broadcasting network can publish video and audio, and an authorized user publishing audio and video comprises the following steps:
    SY1. The authorized user logs in with personal information;
    SY2. After logging in, the user requests the blockchain node to publish audio and video content;
    SY3. The blockchain votes on the request to publish the audio and video content; if the vote passes, the authorized user is permitted to publish the audio and video content, the user and the information on the published content are latched into the blockchain, and the next step is executed; if the vote fails, the authorized user is forbidden from publishing this audio and video content;
    SY4. Under blockchain management, the authorized user publishes the audio and video content to the distributed storage system with endogenous security or to the user's own local host; the radio and television production and broadcasting network publishing content comprises the following steps:
    SZ1. Content resources are obtained from the Internet through the external access node of the sovereign network;
    SZ2. The internal production and broadcasting network produces the content and then distributes it through the network;
    SZ3. After the content reaches an edge ID-ICN router or an EAN node, it is sent on to ordinary users.
  5. The post-IP sovereign network architecture according to claim 4, characterized in that when an ordinary user obtains data, the data provider is either on the IP Internet or inside the sovereign network, or a node inside the sovereign network has this content cached; an ordinary user obtaining data from the IP Internet comprises the following steps:
    SIP1. The ordinary user logs in to the sovereign network with personal identity information;
    SIP2. The ordinary user sends a content request to an edge ID-ICN router, which forwards the request through the network to a sovereign network external access node, or sends the request directly to the external access node it is connected to; the content information of the user's request is recorded at a blockchain node;
    SIP3. The external access node checks the permissions of the user in the content request; if the requested content exceeds the user's permissions, the content request is discarded directly; if it is within the permissions, the next step is taken;
    SIP4. The external access node extracts the requested content information and requests the data from the Internet in the traditional Internet manner;
    SIP5. The Internet content provider supplies the requested content data to the external access node in the traditional Internet manner;
    SIP6. The external access node performs a preliminary review of the content data provided by the Internet; if the review passes, the next step is executed; if it does not pass, the data is discarded and the process returns to step SIP4;
    SIP7. The external access node encapsulates the Internet content data it obtained into data packets of the identity-centric network and returns them to the ordinary user along the path of the content request;
    obtaining data when this content is cached inside the sovereign network or in a sovereign network node comprises the following steps:
    SN1. The ordinary user logs in to the sovereign network with personal identity information;
    SN2. The ordinary user sends the content request to a network node inside the sovereign network or to an external access node, which checks whether the content is in its cache; if it is, the sovereign network node or external access node returns the cached content requested by the user directly to the requesting user; if not, it fetches the data from the original data source and returns it to the requesting user.
  6. The post-IP sovereign network architecture according to claim 5, characterized in that the data obtained by the production and broadcasting network is mainly resources obtained from the Internet, which are then produced and distributed.
  7. The post-IP sovereign network architecture according to claim 6, characterized in that when other networks or Internet users outside the sovereign network send a request to a sovereign network external access node, the external access node discards the request message.
  8. The post-IP sovereign network architecture according to claim 7, characterized in that mutual access between the sovereign networks of multiple countries in the post-IP sovereign network architecture comprises the following steps:
    SDG1. A registered user sends a visa request to the external access node of the home sovereign network that acts as agent for the visas of other sovereign networks;
    SDG2. The home sovereign network's external access node sends the visa request to the target country by way of Overlay IP;
    SDG3. The target country's sovereign network external access node reviews the incoming request; if the review passes, the visa request is sent to the blockchain for a vote and the next step is executed; if the review does not pass, feedback is returned to the visa requester;
    SDG4. For a request that is voted through, the visa is returned to the requester along the request path;
    SDG5. The content requester uses an interest packet carrying the visa to request content from the other sovereign network;
    SDG6. After the destination sovereign network's external access node has verified the visa, the content provider returns the content along the request path.
  9. The post-IP sovereign network architecture according to claim 8, characterized in that the identity-centric network of the post-IP sovereign network architecture inherently supports multipath, allowing a mobile device to connect to several reachable base stations at the same time, so that leaving the coverage of the current base station does not affect data transmission; it inherently supports wireless communication and is extremely well suited to future services such as 4K, 8K, VR, the Internet of Things and the Internet of Vehicles.
  10. The post-IP sovereign network architecture according to claim 9, characterized in that in the post-IP sovereign network architecture, if the mobile user is inside the sovereign network, the mobile user makes content requests through the identity-centric network; if the mobile user is outside the sovereign network, a request for IP content first communicates with the base station by way of Overlay IP, and the base station then performs the content request and transmission through the traditional IP network; if the mobile user is outside the sovereign network, a request for sovereign network content comprises the following steps:
    S5G1. The wireless terminal device carrying an identity identifier first communicates with the base station by way of Overlay IP;
    S5G2. The base station in the region sends the data to a target sovereign network external access node by traditional IP transmission;
    S5G3. The external access node reviews the user's identity; if the review passes, access is allowed; if not, it is refused.
PCT/CN2020/106725 2019-08-29 2020-08-04 Post ip sovereign network architecture WO2021036707A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910808094.8 2019-08-29
CN201910808094.8A CN110868446A (en) 2019-08-29 2019-08-29 Back IP main power network system architecture

Publications (1)

Publication Number Publication Date
WO2021036707A1 true WO2021036707A1 (en) 2021-03-04

Family

ID=69652425

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/106725 WO2021036707A1 (en) 2019-08-29 2020-08-04 Post ip sovereign network architecture

Country Status (2)

Country Link
CN (1) CN110868446A (en)
WO (1) WO2021036707A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110868446A (en) * 2019-08-29 2020-03-06 北京大学深圳研究生院 Back IP main power network system architecture
CN111464335B (en) * 2020-03-10 2021-04-23 北京邮电大学 Intelligent service customization method and system for endogenous trusted network
CN113298595A (en) * 2020-07-30 2021-08-24 阿里巴巴集团控股有限公司 Method and device for providing data object information and electronic equipment
CN112804152B (en) * 2020-12-30 2022-06-17 佛山赛思禅科技有限公司 Method and system for supporting continuous evolution of packet communication network addressing route identification

Citations (4)

Publication number Priority date Publication date Assignee Title
WO2000056035A1 (en) * 1999-03-18 2000-09-21 Walid, Inc. Method and system for internationalizing domain names
CN108881471A (en) * 2018-07-09 2018-11-23 北京信息科技大学 A kind of the whole network based on alliance uniformly trusts anchor system and construction method
CN109922165A (en) * 2019-04-19 2019-06-21 孙红波 A kind of more root DNSs of common grid
CN110868446A (en) * 2019-08-29 2020-03-06 北京大学深圳研究生院 Back IP main power network system architecture

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
CN102130975A (en) * 2010-01-20 2011-07-20 中兴通讯股份有限公司 Method and system for accessing network on public equipment by using identifier
CN101917494B (en) * 2010-09-09 2013-05-15 刁永平 Realization of autonomous Internet
US8495186B1 (en) * 2011-01-03 2013-07-23 Sprint Communications Company L.P. Managing termination of point-to-point sessions between electronic devices
CN109792437B (en) * 2017-05-16 2021-01-12 北京大学深圳研究生院 Consensus method for decentralized domain name system
CN110035081A (en) * 2019-04-11 2019-07-19 中国电子科技集团公司电子科学研究院 A kind of publish/subscribe architectural framework based on block chain


Non-Patent Citations (1)

Title
WANG XIANGUI; LI KEDAN; LI HUI; LI YINGHUI; LIANG ZHIWEI: "ConsortiumDNS: A Distributed Domain Name Service Based on Consortium Chain", 2017 IEEE 19TH INTERNATIONAL CONFERENCE ON HIGH PERFORMANCE COMPUTING AND COMMUNICATIONS; IEEE 15TH INTERNATIONAL CONFERENCE ON SMART CITY; IEEE 3RD INTERNATIONAL CONFERENCE ON DATA SCIENCE AND SYSTEMS (HPCC/SMARTCITY/DSS), IEEE, 18 December 2017 (2017-12-18), pages 617 - 620, XP033321780, DOI: 10.1109/HPCC-SmartCity-DSS.2017.83 *

Also Published As

Publication number Publication date
CN110868446A (en) 2020-03-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20857364

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20857364

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 03/08/2022)