WO2021115449A1 - Cross-domain access system, method and device, storage medium, and electronic device - Google Patents


Info

Publication number
WO2021115449A1
Authority
WO
WIPO (PCT)
Prior art keywords
cross
domain
domain access
user node
distributed controller
Prior art date
Application number
PCT/CN2020/135884
Other languages
French (fr)
Chinese (zh)
Inventor
穆志纯
徐恪
付松涛
甘玉玺
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2021115449A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Definitions

  • the present invention relates to the field of communications, and in particular to a cross-domain access system, method and device, storage medium and electronic device.
  • the embodiments of the present invention provide a cross-domain access system, method and device, storage medium, and electronic device to at least solve one of the related technical problems to a certain extent, including the problem that security cannot be guaranteed during the cross-domain access process.
  • a cross-domain access system including: a first user node configured to initiate a cross-domain access request to request cross-domain access to a second user node; a first distributed controller configured, in response to the cross-domain access request initiated by the first user node, to send the cross-domain access request to a second distributed controller; the second distributed controller configured to receive the cross-domain access request; the first distributed controller and/or the second distributed controller further configured to determine a network slice according to the cross-domain access request; and the second user node configured to respond to access by the first user node through the network slice; wherein the first distributed controller is configured to control a first network domain, the first user node is a user node belonging to the first network domain, the second distributed controller is configured to control a second network domain, and the second user node is a user node belonging to the second network domain.
  • a cross-domain access method applied to a first user node, the first user node being a user node belonging to a first network domain; the method includes: initiating a cross-domain access request and sending it to the second distributed controller through the first distributed controller, wherein the cross-domain access request is used to request cross-domain access to the second user node; and accessing the second user node through a network slice, wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; wherein the first distributed controller is configured to control the first network domain, the second distributed controller is configured to control a second network domain, and the second user node is a user node belonging to the second network domain.
  • a cross-domain access method applied to a second user node, the second user node being a user node belonging to a second network domain; the method includes: responding to access by the first user node through the network slice, wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; the first distributed controller is configured to control a first network domain, the second distributed controller is configured to control the second network domain, and the first user node is a user node belonging to the first network domain; the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
  • a cross-domain access device applied to a first user node, where the first user node is a user node belonging to a first network domain;
  • the device includes: a request module configured to initiate a cross-domain access request and send it to the second distributed controller through the first distributed controller, wherein the cross-domain access request is used to request cross-domain access to the second user node; and an access module configured to access the second user node through a network slice, wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; wherein the first distributed controller is configured to control the first network domain, the second distributed controller is configured to control a second network domain, and the second user node is a user node belonging to the second network domain.
  • a cross-domain access device applied to a second user node, where the second user node is a user node belonging to a second network domain;
  • the device includes: a response module configured to respond to access by the first user node through the network slice, wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
  • the first distributed controller is configured to control a first network domain;
  • the second distributed controller is configured to control a second network domain, and the first user node belongs to the first network domain;
  • the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
  • a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured, when run, to execute the steps of any one of the foregoing method embodiments.
  • an electronic device including a memory and a processor, wherein a computer program is stored in the memory and the processor is configured to run the computer program so as to execute the steps of any one of the foregoing method embodiments.
  • FIG. 1 is a system schematic diagram (1) of a cross-domain access system according to an embodiment of the present invention.
  • FIG. 2 is a system schematic diagram (2) of a cross-domain access system according to an embodiment of the present invention.
  • FIG. 3 is a system schematic diagram of a cross-domain access system according to a specific embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a scenario of cross-domain access between domains according to a specific embodiment of the present invention.
  • FIG. 5 is a schematic diagram of functions inside domain A according to a specific embodiment of the present invention.
  • FIG. 6 is a schematic diagram of a scenario in which sensors perform cross-domain access according to a specific embodiment of the present invention.
  • FIG. 7 is a schematic diagram of the interaction of sensors for cross-domain access according to a specific embodiment of the present invention.
  • FIG. 8 is a flowchart (1) of a cross-domain access method according to an embodiment of the present invention.
  • FIG. 9 is a flowchart (2) of a cross-domain access method according to an embodiment of the present invention.
  • FIG. 10 is a structural block diagram (1) of a cross-domain access device according to an embodiment of the present invention.
  • FIG. 11 is a structural block diagram (2) of a cross-domain access device according to an embodiment of the present invention.
  • FIG. 12 is a schematic diagram of an electronic device according to an embodiment of the present invention.
  • FIG. 1 is a system schematic diagram (1) of the cross-domain access system according to an embodiment of the present invention. As shown in Fig. 1, the cross-domain access system in this embodiment includes:
  • the first user node 102 is configured to initiate a cross-domain access request to request cross-domain access to the second user node;
  • the first distributed controller 104 is configured to respond to the cross-domain access request initiated by the first user node 102 to send the cross-domain access request to the second distributed controller 106;
  • the second distributed controller 106 is configured to receive a cross-domain access request; the first distributed controller 104 and/or the second distributed controller 106 are further configured to determine a network slice according to the cross-domain access request;
  • the second user node 108 is configured to respond to the access by the first user node 102 through the network slicing;
  • the first distributed controller 104 is configured to control the first network domain, and the first user node 102 is a user node belonging to the first network domain; the second distributed controller 106 is configured to control the second network domain, and the second user node 108 is a user node belonging to the second network domain.
  • the cross-domain access referred to in this embodiment is a process in which the first user node belonging to the first network domain requests access to the second user node (the visited node);
  • the two network domains are physical network domains with different domain names, where the first network domain is uniformly controlled by the first distributed controller and the second network domain is uniformly controlled by the second distributed controller.
  • in the cross-domain access system of this embodiment, when the first user node belonging to the first network domain requests cross-domain access to the second user node belonging to the second network domain, the first distributed controller that controls the first network domain responds to the cross-domain access request initiated by the first user node by sending it to the second distributed controller that controls the second network domain;
  • after the second distributed controller receives the cross-domain access request, the network slice is further determined according to the cross-domain access request by the first distributed controller and/or the second distributed controller; in this way, the second user node can respond to the access of the first user node through the network slice. The cross-domain access system of this embodiment therefore solves the problem in related technologies that security cannot be ensured during cross-domain access, and effectively ensures the security of the cross-domain access process.
  • in its architectural design, the cross-domain access system of this embodiment adopts a hierarchical design of user nodes and distributed controllers in the first network domain and the second network domain, so that cross-domain access is handled through the first distributed controller and the second distributed controller; this achieves data isolation during cross-domain access between the first user node and the second user node and thereby significantly improves the security of cross-domain access.
  • the system architecture in this embodiment can also improve the scalability of the system.
  • FIG. 2 is a system schematic diagram (2) of a cross-domain access system according to an embodiment of the present invention. As shown in FIG. 2, the system in this embodiment further includes:
  • the first gateway 110 is connected to the first user node 102 through the first switch 112; the first gateway 110 is configured to obtain the cross-domain access request initiated by the first user node 102 and forward it to the first distributed controller 104;
  • the second gateway 114 is connected to the second user node 108 through the second switch 116; the second gateway 114 is configured to obtain the cross-domain access command sent by the second distributed controller 106 and to authenticate the first user node 102 according to the cross-domain access command; wherein the cross-domain access command is generated by the second distributed controller 106 according to the cross-domain access information.
  • a first gateway is provided between the first user node and the first distributed controller, and the first gateway may specifically be connected to the first user node through the first switch; that is, a layered structure of first distributed controller, first gateway, first switch and first user node is formed in the first network domain.
  • a second gateway is provided between the second user node and the second distributed controller, and the second gateway may specifically be connected to the second user node through the second switch; that is, a layered structure of second distributed controller, second gateway, second switch and second user node is formed in the second network domain.
  • the first gateway and the first distributed controller jointly constitute the control layer of the first network domain, carrying out information interaction within the first network domain and the invocation of related resources;
  • the second gateway and the second distributed controller jointly constitute the control layer of the second network domain, performing operations such as information interaction within the second network domain and the invocation of related resources.
  • the first gateway may specifically forward the cross-domain access request generated by the first user node to the first distributed controller, so that the first distributed controller further sends the cross-domain access request to the second distributed controller.
  • after the second distributed controller receives the cross-domain access request, it can generate a cross-domain access command based on the cross-domain access information and issue the command to the second gateway, so that the second gateway authenticates the first user node according to the cross-domain access command.
  • the first gateway and the second gateway are set in the first network domain and the second network domain to realize a further hierarchical structure within the different network domains, which further improves the scalability of the cross-domain access system of this embodiment; in addition, the first gateway and the second gateway can invoke related resources, so that resources in different network domains are used cooperatively, which significantly improves resource utilization in the system of this embodiment, saves the cost of IoT infrastructure construction, and improves the effectiveness and reliability of cross-domain access to IoT nodes.
  • the above-mentioned second gateway 114 authenticates the first user node 102 according to the cross-domain access command, and may be further configured to call the identity authentication server to perform identity authentication on the first user node according to the cross-domain access command. And, calling the authorization mapping server to authenticate the access authority of the first user node.
  • the identity authentication server is used to authenticate the identity of the first user node to identify whether the first user node is an authenticated user;
  • the authorization mapping server is used to authenticate the authority of the first user node, so as to determine whether the first user node has authority to access the corresponding service.
  • the second gateway may call the identity authentication server and the authorization mapping server at the same time or in a preset order, which is not limited in the present invention.
  • after the identity authentication server and/or the authorization mapping server completes the corresponding authentication, if the authentication passes, a receipt can be returned so that the next authentication process or subsequent operations are executed; if any authentication fails, the authentication and the cross-domain access processing can be suspended.
  • the above-mentioned identity authentication server and authorization mapping server may be servers set in the second network domain, or other network domains, such as servers set in the first network domain.
  • the identity authentication server and the authorization mapping server can be called to realize the cooperative utilization of resources in the cross-domain access system in this embodiment.
  • the first gateway 110 is further configured to call the first key agreement server, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request in order to obtain a cross-domain access key;
  • the cross-domain access key is used for encryption and/or decryption in cross-domain access between the first user node and the second user node;
  • the first key agreement server is a key agreement server belonging to the first network domain,
  • the second key agreement server is a key agreement server belonging to the second network domain.
  • the first gateway invokes the first key agreement server after the second gateway completes the corresponding authentication of the first user node; that is, the first gateway may invoke the first key agreement server after receiving the confirmation message that the second gateway has confirmed the first user node to be authenticated.
  • the first key agreement server belonging to the first network domain and the second key agreement server belonging to the second network domain perform key agreement according to the cross-domain access request, and the resulting key is used by the first user node and the second user node for encryption and decryption during cross-domain access; this effectively ensures data isolation and information security during cross-domain access by the first user node.
  • the above-mentioned first gateway 110 is further configured to send authentication confirmation information to the first distributed controller;
  • the second gateway 114 is further configured to send authentication confirmation information to the second distributed controller;
  • the first distributed controller and/or the second distributed controller are further configured to establish a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
  • the first distributed controller 104 is further configured to write a first access control list (ACL) rule to the firewall through Network Functions Virtualization (NFV);
  • the second distributed controller 106 is further configured to write a second ACL rule to the firewall through NFV, where the second ACL rule is used to instruct the firewall to allow cross-domain access information to enter the second network domain.
  • both the first distributed controller and the second distributed controller can write corresponding ACL rules to the firewall through NFV, so that during the cross-domain access process, NFV provides flexible orchestration of middleware services to further improve the efficiency of system access through the support of NFV in the Internet of Things scenario where the capabilities of user nodes are limited.
  • the first distributed controller 104 is further configured to encrypt the cross-domain access information sent by the first user node and send the encrypted cross-domain access information to the second distributed controller;
  • the second distributed controller 106 is further configured to decrypt the encrypted cross-domain access information and send the decrypted cross-domain access information to the second user node, so as to achieve cross-domain access by the first user node.
  • the encryption performed by the first distributed controller and the decryption performed by the second distributed controller can be implemented using the key of the foregoing embodiment, or according to preset encryption and decryption methods.
  • the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
  • the first user node is further configured to initiate a first cross-domain access request to request cross-domain access to the second user node;
  • the first distributed controller is further configured to generate a second cross-domain access request in response to the first cross-domain access request initiated by the first user node, and send the second cross-domain access request to the second distributed controller;
  • the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
  • the second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
  • the first cross-domain access information is the cross-domain access request generated by the first user node, and the second cross-domain access information is the cross-domain access request received by the second distributed controller.
  • specifically, after the first distributed controller obtains the first cross-domain access information generated by the first user node, it processes the first cross-domain access information to generate the second cross-domain access information and sends the second cross-domain access information to the second distributed controller; in this processing, the first distributed controller replaces the second user node domain name information in the first cross-domain access request with the second user node address information, and adds the first user node address information to the first cross-domain access request.
  • first distributed controller 104 and/or second distributed controller 106 are further configured to:
  • the network slice is determined according to the quality of service requirements in the cross-domain access request, and specifically, the corresponding network slice can be determined according to, for example, delay requirements.
  • first distributed controller 104 and/or second distributed controller 106 are further configured to:
  • the routing information is determined according to the quality of service requirements in the cross-domain access request, where the routing information is used to indicate the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
  • the routing information is determined according to the quality of service requirements in the cross-domain access request, and the corresponding routing information can be determined according to, for example, delay requirements and bandwidth requirements.
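The request rewrite and the QoS-driven slice and route selection described above, as an added example (not the patent's own code): the first distributed controller resolves the second user node's domain name, builds the second request with the requester's address added, and picks a slice and a route from the delay and bandwidth requirements. The resolution table, slice catalogue, candidate routes, service name and hospital address are constructed sample data.

```python
"""Controller-side handling of a cross-domain access request, following the
description above: the first distributed controller rewrites the first request
into the second request (domain name replaced by the target address, requester
address added) and selects a network slice and a route from the quality of
service requirements. Added example, not the patent's own code; the resolution
table, slice catalogue and candidate routes are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed domain-name-to-address table kept by the domain name resolution
# module of the first distributed controller (FF00::1101 in the scenario below).
# The hospital address is a placeholder; the patent text gives none.
DOMAIN_NAME_TABLE = {
    "hospital.domain-d.example": "FF03::1201",
}

# Constructed slice catalogue: (largest delay in ms the slice guarantees, id).
SLICES = [(50, "urllc"), (200, "low-latency"), (1000, "best-effort")]

# Constructed candidate inter-domain routes between the controllers of the
# requesting domain and the visited domain: (path, delay ms, bandwidth kbps).
ROUTES = [
    (("FF00::1101", "FF01::1101", "FF02::1101", "FF03::1101"), 120, 2000),
    (("FF00::1101", "FF03::1101"), 40, 300),
]


@dataclass(frozen=True)
class FirstRequest:
    """Request generated by the first user node."""
    dst_domain_name: str   # domain name of the second user node
    service_type: str
    delay_ms: int          # quality of service: maximum tolerated delay
    bandwidth_kbps: int    # quality of service: required bandwidth


@dataclass(frozen=True)
class SecondRequest:
    """Request the first controller forwards to the second controller."""
    dst_address: str       # replaces the domain name
    src_address: str       # added: address of the first user node
    service_type: str
    delay_ms: int
    bandwidth_kbps: int


def build_second_request(req: FirstRequest, src_address: str) -> SecondRequest:
    """Rewrite step of the first distributed controller. A domain name that
    does not resolve is rejected here instead of being forwarded."""
    dst = DOMAIN_NAME_TABLE.get(req.dst_domain_name)
    if dst is None:
        raise LookupError(f"no address mapped for {req.dst_domain_name!r}")
    return SecondRequest(dst, src_address, req.service_type,
                         req.delay_ms, req.bandwidth_kbps)


def select_slice(delay_ms: int) -> Optional[str]:
    """Policy module: the least demanding slice whose guaranteed delay still
    meets the requirement, or None when no slice can meet it."""
    for max_delay, slice_id in sorted(SLICES, reverse=True):
        if max_delay <= delay_ms:
            return slice_id
    return None


def select_route(delay_ms: int, bandwidth_kbps: int) -> Optional[Tuple[str, ...]]:
    """Routing module: among routes that satisfy both the delay and the
    bandwidth requirement, the one with the lowest delay; None if none does."""
    feasible = [r for r in ROUTES if r[1] <= delay_ms and r[2] >= bandwidth_kbps]
    if not feasible:
        return None
    return min(feasible, key=lambda r: r[1])[0]


def handle_first_request(req: FirstRequest, src_address: str):
    """Everything the first controller derives from one first request:
    (second request, slice id or None, controller path or None)."""
    second = build_second_request(req, src_address)
    return (second, select_slice(req.delay_ms),
            select_route(req.delay_ms, req.bandwidth_kbps))


if __name__ == "__main__":
    # Constructed request from the sensor node FF00::1109 of the scenario below.
    r = FirstRequest("hospital.domain-d.example", "heartbeat-diagnosis", 1000, 500)
    print(handle_first_request(r, "FF00::1109"))
```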
  • the system in this embodiment further includes:
  • a consortium chain set between the first distributed controller and the second distributed controller, the consortium chain being configured to maintain cross-domain access records; wherein the cross-domain access records are reported by the first gateway and/or the second gateway after the first user node finishes cross-domain access to the second user node; the cross-domain access record includes the cross-domain access event and the start and end time of the cross-domain access event.
  • setting the consortium chain forms a non-repudiable top-level access record between the first distributed controller and the second distributed controller, so that the record of each cross-domain access can be traced, further ensuring security during operation of the cross-domain access system of this embodiment.
  • the consortium chain is further configured to record abnormal access records, where an abnormal access record indicates that cross-domain access by the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
  • recording the abnormal access records of the cross-domain access process through the consortium chain ensures, on the one hand, that abnormal access records can be traced and, on the other hand, that abnormal problems or objects can be dealt with accordingly during subsequent cross-domain access, further improving the efficiency and security of access.
  • FIG. 3 is a system schematic diagram of a cross-domain access system according to a specific embodiment of the present invention.
  • each domain includes several IoT nodes connected, through access points or directly, to home switches; several home switches are connected to a tandem switch, that is, a gateway; several gateways connect to a distributed controller to form a domain; and identity authentication, authorized access and key agreement servers, together with middleware services such as the firewall and encryption/decryption, are configured in the domain; the distributed controller, gateways, authentication/authorization/key agreement servers and middleware services are connected directly or indirectly through a switch.
  • Fig. 4 is a schematic diagram of a scenario for cross-domain access between domains according to a specific embodiment of the present invention.
  • domain A and domain B perform cross-domain access.
  • the distributed controller is configured with the following modules: an intra-domain information exchange module, which exchanges control information with the gateways in the domain and receives requests sent by the gateways; a domain name resolution module, which establishes the mapping between domain names and addresses; an inter-domain information exchange module, which exchanges control information with the controllers of other domains; a policy formulation module, which forms the corresponding network slices according to the access rules and QoS requirements; and a routing information module, which plans the optimal transmission path and delivers the flow table to the switches on that path.
  • an inter-domain abnormal access record module, which receives the abnormal user access records reported by the gateways in each domain.
  • the gateway includes: a service acceptance module, which accepts service requests and sends them to the distributed controller in the domain; an authentication and authorization module, which completes identity authentication, authorization management and communication key negotiation for cross-domain access by calling the identity authentication, authorization mapping and key agreement servers; an intra-domain access log recording module, which records user access logs so that access records can be traced; and an abnormal access reporting module, which judges whether the current access is abnormal and reports to the distributed controller in a timely manner.
  • FIG. 5 is a schematic diagram of functions inside domain A according to a specific embodiment of the present invention. The configuration of the distributed controller and gateway in domain A is shown in FIG. 5.
  • domain B has the same composition as domain A, so it will not be repeated here; the distributed controllers between domains are directly connected or indirectly connected through a switch.
  • the case in which a user's sensor located in domain A detects abnormal heartbeat data and requests the corresponding service from a hospital located in domain D is described specifically.
  • the sensor constitutes the first user node of the above embodiment,
  • and the server or diagnostic equipment of the hospital constitutes the second user node of the above embodiment.
  • FIG. 6 is a schematic diagram of a scenario in which sensors perform cross-domain access according to a specific embodiment of the present invention.
  • domain A constitutes the first network domain in this embodiment.
  • the corresponding distributed controller, gateway, etc. in domain A are the first distributed controller and first gateway of this embodiment; similarly, domain D constitutes the second network domain of this embodiment, and the corresponding distributed controller, gateway, etc. in domain D are the second distributed controller and second gateway of this embodiment.
  • the IP address of the user's sensor node is FF00::1109
  • the address of the gateway where the user is located is FF00::1103
  • the address of the distributed controller where the user is located is FF00::1101.
  • the service acceptance module parses out (D i , LR i , M i , LT i , B i , P i ) in the cross-domain access request, and distributes the information in the domain to the controller
  • the interaction module sends; the intra-domain information interaction module first performs the out-of-domain access number for cross-domain access
  • the intra-domain information exchange module sends the information of the distributed controller where the visited node is located to the inter-domain information exchange module, and the inter-domain information exchange module queries the routing information module to find the visited domain Distributed controller routing information If you need to pass through two distributed controllers, domain B and domain C, whose addresses are FF01::1101 and FF02::1101, the routing information passed is (FF00::1101,FF01::1101,FF02::1101, FF03::1101), the sequence of switches passed is The inter-domain information interaction module sends an access request to the inter-domain information interaction module of the distributed controller where the visited node is located which is
  • the visited node determines the servers that perform the identity authentication, authorization and key agreement processes, and selects LR_iden_i, LR_auth_i and LR_key_i according to the feedback delay requirement LR_i so that LR_iden_i + LR_auth_i + LR_key_i ≤ LR_i; here LR_iden_i, LR_auth_i and LR_key_i are set to 300 ms each, which meets the requirement of less than 1 s.
  • the gateway calls the identity authentication server service; the identity authentication server verifies the identity of the visiting user and returns a receipt indicating whether identity authentication passed (here the return value is TRUE, indicating pass). After receiving the pass receipt, the gateway calls the authorization mapping server service; the authorization mapping server checks, according to the requested business, whether the accessing user has the authority to access the corresponding service, and after the check generates a receipt indicating whether access is authorized.
  • the sensor node address matches the IP address reserved in the user database, so TRUE is returned.
  • after the gateway receives the authorization receipt, it sends authentication feedback to the intra-domain information interaction module of the distributed controller.
  • the visited distributed controller FF03::1101 sends the authentication result to the distributed controller FF01::1101 where the access node is located, and that distributed controller sends, through its intra-domain information interaction module, the authentication-pass result and a prepare-key-agreement message to the access node gateway FF00::1103. Because the privacy level P_i is required to be high, the gateway FF00::1103 calls the key agreement server FF00::1112, which negotiates with the key agreement server FF03::1112 called by the visited node gateway FF03::1103 to obtain the communication keys (K_sour, K_des).
  • the gateway of the access node sends an authentication process completion message to the distributed controller of the access node, and the gateway of the visited node sends an authentication process completion message to the distributed controller of the visited node.
  • a connection is established with the distributed controller FF03::1101 of the visited domain, and the network slice required for this service is negotiated according to the service QoS requirements, including calling the firewall through NFV and dynamically writing ACL rules, as well as encryption/decryption and other middleware resources; the virtual functions required by the service are set accordingly (they represent the firewall and the encryption/decryption services respectively; the symbols are not reproduced in the text).
  • the processing delay in the domain of the access node is 10 ms and the processing delay in the domain of the visited node is 10 ms, which meets the requirements.
  • the routing information module plans network resources such as the optimal intra-domain and inter-domain transmission paths.
  • the inter-domain route comprises the distributed controller sequence (FF00::1101, FF01::1101, FF02::1101, FF03::1101), which meets the requirements. The sequence of switches passed by each intra-domain route (within domain A, within domain B, within domain C and within domain D) is not reproduced in the text.
  • the access node gateway FF00::1103 sends the access feedback result to the access node FF00::1109.
  • the visited node gateway FF03::1103 sends the access feedback result to the visited node FF03::110F.
  • the sensor FF00::1109 sends the data recorded by the sensor to the hospital server FF03::110F.
  • the access node domain dynamically writes ACL rules to its NFV firewall to allow the cross-domain access information transmitted from FF00::1109 to FF03::110F, and the information is encrypted by the encryption server before transmission; the visited node domain dynamically writes ACL rules to its NFV firewall to allow the traffic from FF00::1109 to FF03::110F to enter the domain, and completes the decryption through its server. The reverse data likewise passes through the firewall and the encryption and decryption operations, so that a two-way connection is established and strongly logically isolated cross-domain access is achieved.
  • the gateway where the visited node is located records the access event and the end time of the access (values not reproduced in the text); a consortium chain maintained by the gateways in domain D ensures the traceability of access records.
  • the hospital server deducts the corresponding fees; the whole process is normal, so no abnormal situation needs to be reported. If the sensor node reports invalid data multiple times, or fails to pay the agreed fee within a certain period, the access is regarded as abnormal access: the abnormal access record and the reason for the abnormality are reported to the distributed controllers through the gateway, and abnormal access records are maintained on the consortium chain maintained between the distributed controllers.
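The sensor-to-hospital scenario above strings together several gates: the request tuple (D_i, LR_i, M_i, LT_i, B_i, P_i) is parsed, the per-stage delay budget LR_iden_i + LR_auth_i + LR_key_i ≤ LR_i is checked, identity authentication and authorization mapping must both pass before key agreement, the inter-domain route is the sequence of distributed controllers, and only then are the egress and ingress ACL rules produced. The following is an added example that models that gating order in Python; it is not code from the patent. The `K=V;K=V` request encoding, the user database, the four-domain controller topology, the HMAC-based key derivation standing in for the key agreement servers, and the address-prefix-to-domain mapping are all constructed assumptions.

```python
"""Cross-domain access gating simulation (added example, not the patent's code)."""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class AccessRequest:
    domain: str          # D_i: domain name of the target
    latency_ms: int      # LR_i: feedback delay requirement in milliseconds
    service: str         # M_i: requested service type
    lifetime_s: int      # LT_i: requested access duration in seconds
    bandwidth_kbps: int  # B_i: bandwidth requirement
    privacy: str         # P_i: "high" forces key agreement
    src_addr: str        # first user node address
    dst_addr: str        # second user node address


def parse_request(text):
    """Parse a constructed 'K=V;K=V' encoding of the request tuple (assumed wire format)."""
    kv = dict(item.split("=", 1) for item in text.split(";"))
    return AccessRequest(kv["D"], int(kv["LR"]), kv["M"], int(kv["LT"]),
                         int(kv["B"]), kv["P"], kv["SRC"], kv["DST"])


# Constructed user database: registered source addresses and the services they may use.
USER_DB = {"FF00::1109": {"registered": True, "services": {"sensor_upload"}}}

# Constructed topology: address prefix -> domain, domain -> controller, controller peering.
PREFIX_DOMAIN = {"FF00": "A", "FF01": "B", "FF02": "C", "FF03": "D"}
CONTROLLER_OF = {"A": "FF00::1101", "B": "FF01::1101", "C": "FF02::1101", "D": "FF03::1101"}
PEERS = {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C"]}


def domain_of(addr):
    return PREFIX_DOMAIN[addr.split("::")[0].upper()]


def controller_route(src_domain, dst_domain):
    """Breadth-first shortest path over domains, returned as the controller sequence."""
    prev = {src_domain: None}
    queue = [src_domain]
    while queue:
        cur = queue.pop(0)
        if cur == dst_domain:
            break
        for nxt in PEERS[cur]:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst_domain not in prev:
        return None
    path, node = [], dst_domain
    while node is not None:
        path.append(CONTROLLER_OF[node])
        node = prev[node]
    return path[::-1]


def identity_auth(req):
    """Identity authentication server stand-in: is the source address a registered user?"""
    return USER_DB.get(req.src_addr, {}).get("registered", False)


def authorization(req):
    """Authorization mapping server stand-in: may this user use the requested service?"""
    return req.service in USER_DB.get(req.src_addr, {}).get("services", set())


def key_agreement(req, shared_secret):
    """Derive per-direction keys (K_sour, K_des); an HMAC KDF stands in for the servers."""
    def kdf(label):
        msg = f"{label}|{req.src_addr}|{req.dst_addr}".encode()
        return hmac.new(shared_secret, msg, hashlib.sha256).digest()
    return kdf("sour"), kdf("des")


def acl_rules(req):
    """Egress rule for the access domain's firewall, ingress rule for the visited domain's."""
    return [
        {"domain": domain_of(req.src_addr), "direction": "egress",
         "src": req.src_addr, "dst": req.dst_addr, "action": "allow"},
        {"domain": domain_of(req.dst_addr), "direction": "ingress",
         "src": req.src_addr, "dst": req.dst_addr, "action": "allow"},
    ]


def process(req, stage_delays_ms, shared_secret=b"constructed-demo-secret"):
    """Apply the gates in order; any failure denies before later stages run."""
    total = sum(stage_delays_ms.values())
    if total > req.latency_ms:
        return {"granted": False,
                "reason": f"delay budget {total}ms exceeds LR_i={req.latency_ms}ms"}
    if not identity_auth(req):
        return {"granted": False, "reason": "identity authentication failed"}
    if not authorization(req):
        return {"granted": False, "reason": "authorization failed"}
    route = controller_route(domain_of(req.src_addr), domain_of(req.dst_addr))
    if route is None:
        return {"granted": False, "reason": "no inter-domain route"}
    keys = key_agreement(req, shared_secret) if req.privacy == "high" else None
    return {"granted": True, "route": route, "acl": acl_rules(req), "keys": keys}
```

Note that the delay budget is checked before any server is called, which is the point of selecting LR_iden_i, LR_auth_i and LR_key_i up front: a request whose stage delays cannot fit LR_i is refused without consuming authentication or key agreement capacity.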
  • the method according to the above embodiment can be implemented by software plus the necessary general hardware platform, and can of course also be implemented by hardware, but in many cases the former is the better implementation.
  • the technical solution of the present invention, or the part that contributes to the existing technology, can be embodied in the form of a software product; the computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes a number of instructions that enable a terminal device (which can be a mobile phone, a computer, a server, a network device, etc.) to execute the method described in each embodiment of the present invention.
  • FIG. 8 is a flow chart (1) of the cross-domain access method according to an embodiment of the present invention. As shown in FIG. 8, the cross-domain access method in this embodiment includes:
  • S202 Initiate a cross-domain access request, and send the cross-domain access request to the second distributed controller through the first distributed controller; wherein the cross-domain access request is used to request cross-domain access to the second user node;
  • S204 Access the second user node through the network slice; where the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
  • the first distributed controller is set to control the first network domain; the second distributed controller is set to control the second network domain, and the second user node is a user node belonging to the second network domain.
  • the method before sending the cross-domain access request to the second distributed controller through the first distributed controller, the method includes:
  • the foregoing sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
  • the second gateway is connected to the second user node through the second switch; the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command.
  • the above-mentioned cross-domain access command to instruct the second gateway to authenticate the first user node according to the cross-domain access command includes:
  • the cross-domain access command is used to instruct the second gateway to call the identity authentication server to perform identity authentication on the first user node according to the cross-domain access command, and to call the authorization mapping server to perform access authority authentication on the first user node.
  • the method further includes:
  • the cross-domain access key is used for the encryption and/or decryption processing in cross-domain access between the first user node and the second user node;
  • the first key agreement server is a key agreement server belonging to the first network domain,
  • the second key agreement server is a key agreement server belonging to the second network domain.
  • the method further includes:
  • the above method further includes:
  • the second distributed controller is used to write a second ACL rule to the firewall via NFV, where the second ACL rule is used to instruct the firewall to allow cross-domain access information to enter the second network domain.
  • the above method further includes:
  • the encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the cross-domain access of the first user node.
  • the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
  • Initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
  • the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
  • the second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
  • the method before the foregoing access to the second user node through network slicing, the method further includes:
  • the first distributed controller and/or the second distributed controller are used to determine the network slice according to the quality of service requirements in the cross-domain access request.
  • the method before the foregoing access to the second user node through network slicing, the method further includes:
  • the routing information is determined by the first distributed controller and/or the second distributed controller according to the quality of service requirements in the cross-domain access request, where the routing information is used to indicate the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
  • the above method further includes:
  • the cross-domain access records include the cross-domain access event and the occurrence and end time of the cross-domain access event.
  • the above-mentioned maintaining the cross-domain access record through the alliance chain further includes:
  • an abnormal access record, where the abnormal access record is used to indicate that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
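The method steps above (and the same steps restated for the later embodiments) record each cross-domain access event with its occurrence and end time, and have the gateways report abnormal access records, with both kept on an alliance (consortium) chain so the history is traceable and tamper-evident. The following added example, which is not the patent's own code, shows the minimal property such a chain provides: a hash-linked append-only access ledger in which altering or reordering any past record is detectable by re-walking the chain. The single-process `AccessLedger`, its record fields, the sample addresses and timestamps are constructed; consensus among the distributed controllers that would replicate such a ledger is outside this example.

```python
"""Hash-chained access record ledger (added example, not the patent's code)."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # constructed sentinel for the first entry's predecessor


def entry_hash(prev_hash, record):
    """Hash of one chain entry: binds the record bytes to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AccessLedger:
    """Append-only list of entries {prev, record, hash}; a stand-in for one chain node."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        self.entries.append({"prev": prev, "record": record,
                             "hash": entry_hash(prev, record)})
        return len(self.entries) - 1

    def record_access(self, src, dst, service, start, end):
        """Gateway records a completed cross-domain access event with its start and end time."""
        return self._append({"type": "access", "src": src, "dst": dst,
                             "service": service, "start": start, "end": end})

    def report_abnormal(self, src, dst, reason, reporter):
        """Gateway reports an abnormal access record with the reason for the abnormality."""
        return self._append({"type": "abnormal", "src": src, "dst": dst,
                             "reason": reason, "reporter": reporter})

    def verify(self):
        """Re-walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != entry_hash(e["prev"], e["record"]):
                return False, i
            prev = e["hash"]
        return True, None

    def history(self, src):
        """All records involving a given first user node, in chain order."""
        return [e["record"] for e in self.entries if e["record"]["src"] == src]

    def abnormal_count(self, src):
        return sum(1 for r in self.history(src) if r["type"] == "abnormal")


def build_demo_ledger():
    """Constructed scenario: one normal sensor upload, then two abnormal reports by the
    visited node gateway (addresses from the scenario; timestamps are made up)."""
    ledger = AccessLedger()
    ledger.record_access("FF00::1109", "FF03::110F", "sensor_upload",
                         "2020-12-01T08:00:00Z", "2020-12-01T08:00:30Z")
    ledger.report_abnormal("FF00::1109", "FF03::110F",
                           "invalid data reported repeatedly", "FF03::1103")
    ledger.report_abnormal("FF00::1109", "FF03::110F",
                           "agreed fee not paid within the period", "FF03::1103")
    return ledger
```

Verification only proves internal consistency of the copy being checked; the traceability the text relies on comes from several independently held copies (the gateways of one domain, or the distributed controllers) agreeing on the latest hash, so that a party cannot rewrite its own copy and re-hash the tail unnoticed.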
  • FIG. 9 is a flow chart (2) of the cross-domain access method according to an embodiment of the present invention. As shown in FIG. 9, the method in this embodiment includes:
  • the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; the first distributed controller is set to control the first network domain; the second distributed controller is set to control the second network domain, and the first user node is a user node belonging to the first network domain;
  • the cross-domain access request is initiated by the first user node, and the cross-domain access request is sent to the second distributed controller through the first distributed controller.
  • the aforementioned cross-domain access request is initiated by the first user node, and the cross-domain access request is sent to the first gateway, so as to send the cross-domain access request to the first distributed controller through the first gateway; wherein the first gateway is connected to the first user node through the first switch.
  • the aforementioned sending of the cross-domain access request to the second distributed controller through the first distributed controller is performed so that the second distributed controller generates the cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to the second gateway;
  • the second gateway is connected to the second user node through the second switch; the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command.
  • the above-mentioned cross-domain access command to instruct the second gateway to authenticate the first user node according to the cross-domain access command includes:
  • the cross-domain access command is used to instruct the second gateway to call the identity authentication server to perform identity authentication on the first user node according to the cross-domain access command, and to call the authorization mapping server to perform access authority authentication on the first user node.
  • the method further includes:
  • the cross-domain access key is used for the encryption and/or decryption processing in cross-domain access between the first user node and the second user node;
  • the first key agreement server is a key agreement server belonging to the first network domain,
  • the second key agreement server is a key agreement server belonging to the second network domain.
  • the method further includes:
  • the above method further includes:
  • the second distributed controller is used to write a second ACL rule to the firewall via NFV, where the second ACL rule is used to instruct the firewall to allow cross-domain access information to enter the second network domain.
  • the above method further includes:
  • the encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the cross-domain access of the first user node.
  • the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
  • Initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
  • the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
  • the second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
  • the method before the above response to the access by the first user node through the network slicing, the method further includes:
  • the first distributed controller and/or the second distributed controller are used to determine the network slice according to the quality of service requirements in the cross-domain access request.
  • the method before the above response to the access by the first user node through the network slicing, the method further includes:
  • the routing information is determined by the first distributed controller and/or the second distributed controller according to the quality of service requirements in the cross-domain access request, where the routing information is used to indicate the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
  • the above method further includes:
  • the cross-domain access records include the cross-domain access event and the occurrence and end time of the cross-domain access event.
  • the above-mentioned maintaining the cross-domain access record through the alliance chain further includes:
  • an abnormal access record, where the abnormal access record is used to indicate that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
  • Fig. 10 is a structural block diagram (1) of a cross-domain access device according to an embodiment of the present invention. As shown in Fig. 10, the cross-domain access device in this embodiment includes:
  • the request module 402 is configured to initiate a cross-domain access request and send the cross-domain access request to the second distributed controller through the first distributed controller; wherein the cross-domain access request is used to request cross-domain access to the second user node;
  • the access module 404 is configured to access the second user node through a network slice; wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
  • the first distributed controller is set to control the first network domain; the second distributed controller is set to control the second network domain, and the second user node is a user node belonging to the second network domain.
  • the method before sending the cross-domain access request to the second distributed controller through the first distributed controller, the method includes:
  • the foregoing sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
  • the second gateway is connected to the second user node through the second switch; the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command.
  • the above-mentioned cross-domain access command to instruct the second gateway to authenticate the first user node according to the cross-domain access command includes:
  • the cross-domain access command is used to instruct the second gateway to call the identity authentication server to perform identity authentication on the first user node according to the cross-domain access command, and to call the authorization mapping server to perform access authority authentication on the first user node.
  • the method further includes:
  • the cross-domain access key is used for the encryption and/or decryption processing in cross-domain access between the first user node and the second user node;
  • the first key agreement server is a key agreement server belonging to the first network domain,
  • the second key agreement server is a key agreement server belonging to the second network domain.
  • the method further includes:
  • the above method further includes:
  • the second distributed controller is used to write a second ACL rule to the firewall via NFV, where the second ACL rule is used to instruct the firewall to allow cross-domain access information to enter the second network domain.
  • the above method further includes:
  • the encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the cross-domain access of the first user node.
  • the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
  • Initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
  • the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
  • the second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
  • the method before the foregoing access to the second user node through network slicing, the method further includes:
  • the first distributed controller and/or the second distributed controller are used to determine the network slice according to the quality of service requirements in the cross-domain access request.
  • the method before the foregoing access to the second user node through network slicing, the method further includes:
  • the routing information is determined by the first distributed controller and/or the second distributed controller according to the quality of service requirements in the cross-domain access request, where the routing information is used to indicate the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
  • the above method further includes:
  • the cross-domain access records include the cross-domain access event and the occurrence and end time of the cross-domain access event.
  • the above-mentioned maintaining the cross-domain access record through the alliance chain further includes:
  • an abnormal access record, where the abnormal access record is used to indicate that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
  • each of the above modules can be implemented by software or hardware.
  • they can be implemented in, but are not limited to, the following manner: the above modules are all located in the same processor, or the above modules are distributed in any combination across different processors.
  • Fig. 11 is a structural block diagram (2) of a cross-domain access device according to an embodiment of the present invention. As shown in Fig. 11, the cross-domain access device in this embodiment includes:
  • the response module 502 is configured to respond to the access by the first user node through the network slice; wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; the first distributed controller is set to control the first network domain; the second distributed controller is set to control the second network domain, and the first user node is a user node belonging to the first network domain;
  • the cross-domain access request is initiated by the first user node, and the cross-domain access request is sent to the second distributed controller through the first distributed controller.
  • the aforementioned cross-domain access request is initiated by the first user node, and the cross-domain access request is sent to the first gateway, so as to send the cross-domain access request to the first distributed controller through the first gateway; wherein the first gateway is connected to the first user node through the first switch.
  • the aforementioned sending of the cross-domain access request to the second distributed controller through the first distributed controller is performed so that the second distributed controller generates the cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to the second gateway;
  • the second gateway is connected to the second user node through the second switch; the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command.
  • the above-mentioned cross-domain access command to instruct the second gateway to authenticate the first user node according to the cross-domain access command includes:
  • the cross-domain access command is used to instruct the second gateway to call the identity authentication server to perform identity authentication on the first user node according to the cross-domain access command, and to call the authorization mapping server to perform access authority authentication on the first user node.
  • the method further includes:
  • the cross-domain access key is used for the encryption and/or decryption processing in cross-domain access between the first user node and the second user node;
  • the first key agreement server is a key agreement server belonging to the first network domain,
  • the second key agreement server is a key agreement server belonging to the second network domain.
  • the method further includes:
  • the above method further includes:
  • the second distributed controller is used to write a second ACL rule to the firewall via NFV, where the second ACL rule is used to instruct the firewall to allow cross-domain access information to enter the second network domain.
  • the above method further includes:
  • the encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the cross-domain access of the first user node.
  • the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
  • Initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
  • the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
  • the second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
  • the method before the above-mentioned response to the access by the first user node through the network slicing, the method further includes:
  • the first distributed controller and/or the second distributed controller are used to determine the network slice according to the quality of service requirements in the cross-domain access request.
  • the method before the above-mentioned response to the access by the first user node through the network slicing, the method further includes:
  • the routing information is determined by the first distributed controller and/or the second distributed controller according to the quality of service requirements in the cross-domain access request, where the routing information is used to indicate the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
  • the above method further includes:
  • the cross-domain access records include the cross-domain access event and the occurrence and end time of the cross-domain access event.
  • the above-mentioned maintaining the cross-domain access record through the alliance chain further includes:
  • abnormal access records, where the abnormal access records are used to indicate that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access records are reported by the first gateway and/or the second gateway.
  • each of the above modules can be implemented by software or hardware.
  • they can be implemented in, but are not limited to, the following manner: the above modules are all located in the same processor, or the above modules are distributed in any combination across different processors.
  • the embodiment of the present invention also provides a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute the steps in any of the foregoing method embodiments when running.
  • the foregoing computer-readable storage medium may be configured to store a computer program for executing the method steps recorded in the foregoing embodiment:
  • the foregoing computer-readable storage medium may include, but is not limited to: a USB flash drive (U disk), Read-Only Memory (ROM), Random Access Memory (RAM), a mobile hard disk, a magnetic disk, an optical disk, and other media that can store computer programs.
  • the embodiment of the present invention also provides an electronic device including a memory 1201 and a processor 1202; the memory 1201 stores a computer program, and the processor 1202 is configured to run the computer program to perform the steps in any of the above method embodiments.
  • the above-mentioned electronic device may further include a transmission device and an input-output device, wherein the transmission device is connected to the aforementioned processor, and the input-output device is connected to the aforementioned processor.
  • the above-mentioned processor may be configured to execute the method steps recorded in the above-mentioned embodiment through a computer program.
  • since the first user node belonging to the first network domain requests cross-domain access to the second user node belonging to the second network domain, the first distributed controller that controls the first network domain responds to the cross-domain access request initiated by the first user node by sending it to the second distributed controller that controls the second network domain; after the second distributed controller receives the cross-domain access request, the first distributed controller and/or the second distributed controller determines a network slice according to the request, so that the second user node can respond to the access by the first user node through that network slice; the embodiment of the present invention is therefore configured to solve, at least to a certain extent, the problem that security performance cannot be ensured during cross-domain access in some cases, so as to effectively ensure security performance during cross-domain access.
  • the modules or steps of the present invention may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network composed of multiple computing devices.
  • they may be implemented as program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps may be executed in an order different from the one described here.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A cross-domain access system, method and device, a storage medium, and an electronic device. The cross-domain access system comprises: a first user node; a first distributed controller, configured to send a cross-domain access request to a second distributed controller in response to the cross-domain access request initiated by the first user node; the second distributed controller, configured to receive the cross-domain access request; the first distributed controller and/or the second distributed controller being further configured to determine a network slice according to the cross-domain access request; and a second user node.

Description

Cross-domain access system, method and device, storage medium and electronic device
Cross-references to related applications
This application is filed on the basis of Chinese patent application No. 201911285474.4, filed on December 13, 2019, and claims priority to that Chinese patent application, the entire content of which is incorporated herein by reference.
Technical field
The present invention relates to the field of communications, and in particular to a cross-domain access system, method and device, a storage medium and an electronic device.
Background
At present, cross-domain access to data can be implemented in a number of ways, for example on the basis of a software-defined network (Software Defined Network, SDN) or on the basis of an edge-computing resource allocation scheme (Distributed Resource AssiGnment and Orchestration, DRAGON). However, these implementations only provide a basic data connection channel and do not take middleware services such as firewalls and load balancing into account, so they can neither achieve strong logical isolation between channels nor provide the corresponding protection capabilities. In scenarios with high privacy-protection requirements, such as Internet of Things (IoT) application scenarios, the cross-domain access techniques of the related art are difficult to apply directly because their security performance is insufficient.
No effective solution has yet been proposed for the above problem that security performance cannot be guaranteed during cross-domain access.
Summary of the invention
Embodiments of the present invention provide a cross-domain access system, method and device, a storage medium and an electronic device, so as to solve, at least to a certain extent, one of the related technical problems, including the problem that security cannot be guaranteed during cross-domain access.
According to an embodiment of the present invention, there is provided a cross-domain access method, including: a first user node, configured to initiate a cross-domain access request in order to request cross-domain access to a second user node; a first distributed controller, configured to respond to the cross-domain access request initiated by the first user node by sending the cross-domain access request to a second distributed controller; the second distributed controller, configured to receive the cross-domain access request; the first distributed controller and/or the second distributed controller being further configured to determine a network slice according to the cross-domain access request; and the second user node, configured to respond to access by the first user node through the network slice; wherein the first distributed controller is arranged to control a first network domain and the first user node is a user node belonging to the first network domain, and the second distributed controller is arranged to control a second network domain and the second user node is a user node belonging to the second network domain.
According to another embodiment of the present invention, there is also provided a cross-domain access method applied to a first user node, the first user node being a user node belonging to a first network domain; the method includes: initiating a cross-domain access request and sending the cross-domain access request to a second distributed controller through a first distributed controller, wherein the cross-domain access request is used to request cross-domain access to a second user node; and accessing the second user node through a network slice, wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; wherein the first distributed controller is arranged to control the first network domain, the second distributed controller is arranged to control a second network domain, and the second user node is a user node belonging to the second network domain.
According to another embodiment of the present invention, there is also provided a cross-domain access method applied to a second user node, the second user node being a user node belonging to a second network domain; the method includes: responding to access by a first user node through a network slice, wherein the network slice is determined by a first distributed controller and/or a second distributed controller according to a cross-domain access request; the first distributed controller is arranged to control a first network domain, the second distributed controller is arranged to control the second network domain, and the first user node is a user node belonging to the first network domain; and the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
According to another embodiment of the present invention, there is also provided a cross-domain access device applied to a first user node, the first user node being a user node belonging to a first network domain; the device includes: a request module, arranged to initiate a cross-domain access request and to send the cross-domain access request to a second distributed controller through a first distributed controller, wherein the cross-domain access request is used to request cross-domain access to a second user node; and an access module, arranged to access the second user node through a network slice, wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; wherein the first distributed controller is arranged to control the first network domain, the second distributed controller is arranged to control a second network domain, and the second user node is a user node belonging to the second network domain.
According to another embodiment of the present invention, there is also provided a cross-domain access device applied to a second user node, the second user node being a user node belonging to a second network domain; the device includes: a response module, arranged to respond to access by a first user node through a network slice, wherein the network slice is determined by a first distributed controller and/or a second distributed controller according to a cross-domain access request; the first distributed controller is arranged to control a first network domain, the second distributed controller is arranged to control the second network domain, and the first user node is a user node belonging to the first network domain; and the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
According to another embodiment of the present invention, there is also provided a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute, when run, the steps of any of the foregoing method embodiments.
According to another embodiment of the present invention, there is also provided an electronic device including a memory and a processor, the memory storing a computer program and the processor being configured to run the computer program so as to execute the steps of any of the foregoing method embodiments.
Description of the drawings
The drawings described here are provided to give a further understanding of the present invention and form a part of this application; the exemplary embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a system schematic diagram (1) of a cross-domain access system according to an embodiment of the present invention;
Fig. 2 is a system schematic diagram (2) of a cross-domain access system according to an embodiment of the present invention;
Fig. 3 is a system schematic diagram of a cross-domain access system according to a specific embodiment of the present invention;
Fig. 4 is a schematic diagram of a scenario of cross-domain access between domains according to a specific embodiment of the present invention;
Fig. 5 is a schematic diagram of the functions inside domain A according to a specific embodiment of the present invention;
Fig. 6 is a schematic diagram of a scenario in which sensors perform cross-domain access according to a specific embodiment of the present invention;
Fig. 7 is a schematic interaction diagram of cross-domain access by sensors according to a specific embodiment of the present invention;
Fig. 8 is a flowchart (1) of a cross-domain access method according to an embodiment of the present invention;
Fig. 9 is a flowchart (2) of a cross-domain access method according to an embodiment of the present invention;
Fig. 10 is a structural block diagram (1) of a cross-domain access device according to an embodiment of the present invention;
Fig. 11 is a structural block diagram (2) of a cross-domain access device according to an embodiment of the present invention;
Fig. 12 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed description
The present invention will be described in detail below with reference to the drawings and in conjunction with the embodiments. It should be noted that the embodiments in this application, and the features in the embodiments, may be combined with one another provided there is no conflict.
It should be noted that the terms "first", "second" and the like in the description and claims of the present invention and in the above drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence.
Embodiment 1
This embodiment provides a cross-domain access system. Fig. 1 is a system schematic diagram (1) of the cross-domain access system according to an embodiment of the present invention. As shown in Fig. 1, the cross-domain access system in this embodiment includes:
a first user node 102, configured to initiate a cross-domain access request in order to request cross-domain access to a second user node;
a first distributed controller 104, configured to respond to the cross-domain access request initiated by the first user node 102 by sending the cross-domain access request to a second distributed controller 106;
the second distributed controller 106, configured to receive the cross-domain access request; the first distributed controller 104 and/or the second distributed controller 106 being further configured to determine a network slice according to the cross-domain access request;
a second user node 108, configured to respond to access by the first user node 102 through the network slice;
wherein the first distributed controller 104 is arranged to control a first network domain and the first user node 102 is a user node belonging to the first network domain, and the second distributed controller 106 is arranged to control a second network domain and the second user node 108 is a user node belonging to the second network domain.
It should be further explained that the cross-domain access referred to in this embodiment is the process in which the first user node belonging to the first network domain requests access to the second user node belonging to the second network domain. The first network domain and the second network domain respectively denote physical network domains with different domain names; the first network domain is controlled uniformly by the first distributed controller, and the second network domain is controlled uniformly by the second distributed controller.
With the cross-domain access system of this embodiment, when the first user node belonging to the first network domain requests cross-domain access to the second user node belonging to the second network domain, the first distributed controller that controls the first network domain responds to the cross-domain access request initiated by the first user node by sending the cross-domain access request to the second distributed controller that controls the second network domain; after the second distributed controller receives the cross-domain access request, the first distributed controller and/or the second distributed controller determines a network slice according to the cross-domain access request, whereupon the second user node can respond to the access by the first user node through that network slice. The cross-domain access system of this embodiment can therefore solve the problem of the related art that security performance cannot be guaranteed during cross-domain access, and achieves the effect of effectively ensuring security performance during cross-domain access.
Specifically, the cross-domain access system of this embodiment on the one hand adopts, in its architecture, a layered design of user nodes and distributed controllers in both the first network domain and the second network domain, so that cross-domain access is handled by the first distributed controller and the second distributed controller; this achieves data isolation during the cross-domain access between the first user node and the second user node and significantly improves the security of cross-domain access. On this basis, since both the first network domain and the second network domain are controlled as a whole by a distributed controller, the system architecture of this embodiment also improves the scalability of the system.
In an embodiment, Fig. 2 is a system schematic diagram (2) of the cross-domain access system according to an embodiment of the present invention. As shown in Fig. 2, the system of this embodiment further includes:
a first gateway 110, connected to the first user node 102 through a first switch 112; the first gateway 110 is configured to obtain the cross-domain access request initiated by the first user node 102 and to forward the cross-domain access request to the first distributed controller 104;
a second gateway 114, connected to the second user node 108 through a second switch 116; the second gateway 114 is configured to obtain a cross-domain access command sent by the second distributed controller 106 and to authenticate the first user node 102 according to the cross-domain access command; wherein the cross-domain access command is generated by the second distributed controller 106 according to the cross-domain access information.
It should be further explained that in the above embodiment, in the first network domain, a first gateway is arranged between the first user node and the first distributed controller; the first gateway may specifically be connected to the first user node through the first switch, so that a layered structure of first distributed controller, first gateway, first switch and first user node is formed in the first network domain. Similarly, in the second network domain, a second gateway is arranged between the second user node and the second distributed controller; the second gateway may specifically be connected to the second user node through the second switch, so that a layered structure of second distributed controller, second gateway, second switch and second user node is formed in the second network domain.
The first gateway and the first distributed controller together constitute the control layer of the first network domain, which carries out operations such as information exchange within the first network domain and the invocation of related resources; the second gateway and the second distributed controller together constitute the control layer of the second network domain, which carries out operations such as information exchange within the second network domain and the invocation of related resources.
During cross-domain access, the first gateway may specifically forward the cross-domain access request generated by the first user node to the first distributed controller, so that the first distributed controller further sends the cross-domain access request to the second distributed controller. After receiving the cross-domain access request, the second distributed controller can generate a cross-domain access command according to the cross-domain access information and issue the cross-domain access command to the second gateway, so that the second gateway authenticates the first user node according to the cross-domain access command.
On this basis, the above embodiment, by arranging the first gateway and the second gateway in the first network domain and the second network domain, realizes a further layered structure within each network domain, so that the scalability of the cross-domain access system of this embodiment is further improved; moreover, the arrangement of the first gateway and the second gateway allows related resources to be invoked, so that resources in different network domains can be used cooperatively, which significantly increases the resource-utilization efficiency of the system of this embodiment. This saves IoT infrastructure construction costs and improves the effectiveness and reliability of cross-domain access by IoT nodes.
In an embodiment, the second gateway 114 authenticating the first user node 102 according to the cross-domain access command may further be configured as: according to the cross-domain access command, invoking an identity authentication server to perform identity authentication of the first user node, and invoking an authorization mapping server to perform access-permission authentication of the first user node.
It should be further explained that in the above embodiment the identity authentication server is used to authenticate the identity of the first user node, i.e. to identify whether the first user node is a user that has passed authentication; the authorization mapping server is used to authenticate the permissions of the first user node, i.e. to determine whether the first user node has permission to access the corresponding service.
It should be further explained that in the above embodiment the second gateway may invoke the identity authentication server and the authorization mapping server simultaneously or in a preset order; the present invention does not limit this.
When the identity authentication server and/or the authorization mapping server have completed the corresponding authentication, a receipt can be returned if the authentication passes, so that the other authentication or the subsequent operations are carried out; if either authentication fails, the authentication and the cross-domain access processing can be aborted. In addition, the identity authentication server and the authorization mapping server may be servers deployed in the second network domain or servers deployed in another network domain, such as the first network domain; by invoking an identity authentication server and an authorization mapping server outside the second network domain, the second gateway realizes the cooperative use of resources in the cross-domain access system of this embodiment.
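The two-stage check performed by the second gateway, written out as an added example (this is not code from the patent or from its applicant): identity authentication first, then access-permission authentication against the authorization mapping server, with the processing aborted at the first failure and a receipt returned only when both pass. The class names, the command fields, the in-memory backing sets and the receipt format are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CrossDomainAccessCommand:
    """Command the second distributed controller derives from the cross-domain
    access information and issues to the second gateway (field names assumed)."""
    request_id: str
    source_domain: str
    source_node: str
    target_node: str
    service: str


class IdentityAuthServer:
    """Identity authentication server: is the first user node an authenticated user?
    Backed here by an in-memory set of (domain, node) pairs (constructed)."""

    def __init__(self, authenticated_nodes):
        self._nodes = set(authenticated_nodes)

    def verify_identity(self, domain, node):
        return (domain, node) in self._nodes


class AuthorizationMappingServer:
    """Authorization mapping server: may this node access that target and service?
    Backed by an in-memory set of (node, target, service) grants (constructed)."""

    def __init__(self, grants):
        self._grants = set(grants)

    def verify_authorization(self, node, target, service):
        return (node, target, service) in self._grants


@dataclass
class AuthResult:
    passed: bool
    failed_stage: str = ""              # "identity" or "authorization" when passed is False
    receipt: dict = field(default_factory=dict)


def second_gateway_authenticate(cmd, id_server, az_server):
    """Check identity first, then permission, in a preset order; stop at the first
    failure and never emit a receipt for a partially successful check."""
    if not id_server.verify_identity(cmd.source_domain, cmd.source_node):
        return AuthResult(False, "identity")
    if not az_server.verify_authorization(cmd.source_node, cmd.target_node, cmd.service):
        return AuthResult(False, "authorization")
    # Receipt handed back to the second distributed controller as authentication confirmation.
    return AuthResult(True, receipt={
        "request_id": cmd.request_id,
        "node": cmd.source_node,
        "target": cmd.target_node,
        "service": cmd.service,
        "identity": "ok",
        "authorization": "ok",
    })


def build_sample_servers():
    """Constructed sample data: one authenticated node in domain A holding one grant."""
    id_server = IdentityAuthServer([("domain-A", "node-102")])
    az_server = AuthorizationMappingServer([("node-102", "node-108", "sensor-read")])
    return id_server, az_server


if __name__ == "__main__":
    ids, azs = build_sample_servers()
    cmd = CrossDomainAccessCommand("req-1", "domain-A", "node-102", "node-108", "sensor-read")
    print(second_gateway_authenticate(cmd, ids, azs))
```

Keeping the authorization check keyed on the (node, target, service) triple rather than on the node alone is what turns the authorization mapping server into a real least-privilege control: an authenticated node with no grant for the requested service is refused before any network slice or key is set up.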
In an embodiment, the first gateway 110 is further configured to invoke a first key agreement server, so that the first key agreement server and a second key agreement server perform key agreement according to the cross-domain access request in order to obtain a cross-domain access key;
wherein the cross-domain access key is used for encryption and/or decryption processing in the cross-domain access between the first user node and the second user node; the first key agreement server is a key agreement server belonging to the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
It should be further explained that in the above embodiment the first gateway invokes the first key agreement server after the second gateway has completed the corresponding authentication of the first user node: if the second gateway confirms that the first user node has passed authentication, the first gateway invokes the first key agreement server after receiving the corresponding confirmation message that the first user node has passed authentication.
In the above embodiment, the first key agreement server belonging to the first network domain and the second key agreement server belonging to the second network domain perform key agreement according to the cross-domain access request, which yields a key that applies only to the cross-domain access between the first user node and the second user node; performing encryption and decryption with this key effectively ensures data isolation and information security during the cross-domain access by the first user node.
In an embodiment, the first gateway 110 is further configured to send authentication confirmation information to the first distributed controller, and the second gateway 114 is further configured to send authentication confirmation information to the second distributed controller;
the first distributed controller and/or the second distributed controller are further configured to establish a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
In an embodiment, the first distributed controller 104 is further configured to write a first Access Control List (ACL) rule into the firewall through Network Functions Virtualization (NFV), wherein the first ACL rule is used to instruct the firewall to allow the first user node to send cross-domain access information to the second user node;
the second distributed controller 106 is further configured to write a second ACL rule into the firewall through NFV, wherein the second ACL rule is used to instruct the firewall to allow the cross-domain access information to enter the second network domain.
It should be further explained that in the above embodiment both the first distributed controller and the second distributed controller can write the corresponding ACL rules into the firewall through NFV, so that during cross-domain access NFV provides flexibly orchestrated middleware services; in IoT scenarios where the capabilities of the user nodes themselves are limited, NFV support further improves the efficiency of system access.
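The pair of ACL rules described above, modelled as an added example (not the patent's own code and not any real NFV or firewall API): the first controller writes an egress permit for the first user node into the first domain's firewall, the second controller writes an ingress permit into the second domain's firewall, and a flow crosses only if both firewalls permit it, everything else falling through to a default deny. The `Flow` and `AclRule` shapes, the domain names and the node identifiers are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    """A cross-domain access flow as a firewall sees it (constructed fields)."""
    src_domain: str
    src_node: str
    dst_domain: str
    dst_node: str
    service: str


@dataclass(frozen=True)
class AclRule:
    """One permit rule a distributed controller writes into its domain firewall."""
    direction: str      # "egress": leaving the rule's domain; "ingress": entering it
    domain: str         # the domain whose firewall holds this rule
    src_node: str
    dst_node: str
    service: str

    def matches(self, flow: Flow) -> bool:
        return (self.src_node == flow.src_node
                and self.dst_node == flow.dst_node
                and self.service == flow.service)


class DomainFirewall:
    """Firewall of one network domain; anything not explicitly permitted is denied."""

    def __init__(self, domain: str):
        self.domain = domain
        self.rules: List[AclRule] = []

    def write_rule(self, rule: AclRule) -> None:
        """What the controller does through NFV: push a rule into this firewall.
        A rule addressed to another domain's firewall is rejected."""
        if rule.domain != self.domain:
            raise ValueError(f"rule for {rule.domain} pushed to firewall of {self.domain}")
        self.rules.append(rule)

    def decide(self, flow: Flow, direction: str) -> str:
        for rule in self.rules:
            if rule.direction == direction and rule.matches(flow):
                return "permit"
        return "deny"


def first_controller_rule(src_node, dst_node, service, domain="domain-A"):
    """First ACL rule: let the first user node send cross-domain access information."""
    return AclRule("egress", domain, src_node, dst_node, service)


def second_controller_rule(src_node, dst_node, service, domain="domain-B"):
    """Second ACL rule: let that information enter the second network domain."""
    return AclRule("ingress", domain, src_node, dst_node, service)


def cross_domain_allowed(flow: Flow, fw_src: DomainFirewall, fw_dst: DomainFirewall) -> bool:
    """A flow passes only if the source domain permits egress AND the destination
    domain permits ingress; a rule on one side alone is not enough."""
    if flow.src_domain != fw_src.domain or flow.dst_domain != fw_dst.domain:
        return False
    return (fw_src.decide(flow, "egress") == "permit"
            and fw_dst.decide(flow, "ingress") == "permit")


def build_sample_firewalls():
    """Constructed setup: node-102 in domain-A may read sensors on node-108 in domain-B."""
    fw_a, fw_b = DomainFirewall("domain-A"), DomainFirewall("domain-B")
    fw_a.write_rule(first_controller_rule("node-102", "node-108", "sensor-read"))
    fw_b.write_rule(second_controller_rule("node-102", "node-108", "sensor-read"))
    return fw_a, fw_b
```

The rules are deliberately narrow (one source node, one destination node, one service) so that the controllers open exactly the path the authenticated request needs; a second request for a different service or a different node pair requires its own pair of rules rather than widening the existing ones.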
In an embodiment, the first distributed controller 104 is further configured to encrypt the cross-domain access information sent by the first user node and to send the encrypted cross-domain access information to the second distributed controller; the second distributed controller 106 is further configured to decrypt the encrypted cross-domain access information and to send the decrypted cross-domain access information to the second user node, so as to implement the cross-domain access of the first user node.
It should be further noted that the encryption performed by the first distributed controller and the decryption performed by the second distributed controller can be implemented with the key of the foregoing embodiment, or according to a preset encryption and decryption scheme.
In an embodiment, the cross-domain access request includes a first cross-domain access request and a second cross-domain access request;
the first user node is further configured to initiate the first cross-domain access request in order to request cross-domain access to the second user node;
the first distributed controller is further configured to generate the second cross-domain access request in response to the first cross-domain access request initiated by the first user node, and to send the second cross-domain access request to the second distributed controller;
where the first cross-domain access request includes at least one of: domain name information of the second user node, service type information, and quality of service requirement information;
and the second cross-domain access request includes at least one of: address information of the second user node, address information of the first user node, service type information, and quality of service requirement information.
It should be further noted that, in the above embodiment, the first cross-domain access request is the cross-domain access request generated by the first user node, and the second cross-domain access request is the cross-domain access request received by the second distributed controller. Specifically, after the first distributed controller obtains the first cross-domain access request generated by the first user node, it processes that request to generate the second cross-domain access request and sends the second cross-domain access request to the second distributed controller. In this processing, the first distributed controller replaces the second user node domain name information in the first cross-domain access request with the second user node address information, and adds the first user node address information to the contents of the first cross-domain access request.
In an embodiment, the first distributed controller 104 and/or the second distributed controller 106 are further configured to:
determine the network slice according to the quality of service requirement in the cross-domain access request.
It should be further noted that, in the above embodiment, the network slice is determined according to the quality of service requirement in the cross-domain access request; specifically, the corresponding network slice may be determined according to, for example, a delay requirement.
In an embodiment, the first distributed controller 104 and/or the second distributed controller 106 are further configured to:
determine routing information according to the quality of service requirement in the cross-domain access request, where the routing information indicates the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
It should be further noted that, in the above embodiment, the routing information is determined according to the quality of service requirement in the cross-domain access request; specifically, the corresponding routing information may be determined according to, for example, a delay requirement and a bandwidth requirement.
In an embodiment, the system of this embodiment further includes:
a consortium chain arranged between the first distributed controller and the second distributed controller and configured to maintain cross-domain access records; where the cross-domain access record is obtained by the first gateway and/or the second gateway after the first user node finishes its cross-domain access to the second user node, and the cross-domain access record includes the cross-domain access event and the start and end times of the cross-domain access event.
It should be further noted that, in the above embodiment, the consortium chain between the first distributed controller and the second distributed controller forms a non-repudiable top-level access record, so that the record of every cross-domain access can be traced, further ensuring security while the cross-domain access system of this embodiment is in operation.
In an embodiment, the consortium chain is further configured to record abnormal access records, where an abnormal access record indicates that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
It should be further noted that, in the above embodiment, recording the abnormal access records of the cross-domain access process on the consortium chain ensures, on the one hand, that such abnormal access records can be traced and, on the other hand, that abnormal problems or objects can be handled accordingly in subsequent cross-domain access, further improving the efficiency and security of access.
The structure and working principle of the cross-domain access system of this embodiment are further described below by way of specific embodiments.
Figure 3 is a schematic diagram of a cross-domain access system according to a specific embodiment of the present invention. As shown in Figure 3, within each domain a number of IoT nodes connect to home switches through access points or directly; a number of home switches connect to a tandem switch, i.e. a gateway; and a number of gateways connect to one distributed controller, together forming a domain. Within the domain, identity authentication, authorized access and key agreement servers are configured, together with middleware services such as a firewall and encryption/decryption. The distributed controller and the gateways are connected to the authentication/authorization/key agreement servers and the middleware services either directly or indirectly through switches.
Figure 4 is a schematic diagram of a scenario of cross-domain access between domains according to a specific embodiment of the present invention. As shown in Figure 4, domain A and domain B perform cross-domain access. Taking domain A as an example, the distributed controller is configured with the following modules: an intra-domain information exchange module, which exchanges control information with the gateways in the domain and receives the requests sent by the gateways; a domain name resolution module, which establishes the mapping between domain names and addresses; an inter-domain information exchange module, which exchanges control information with the controllers of other domains; a policy formulation module, which formulates the corresponding network slice according to the access rules and requirements such as QoS; a routing information module, which plans the optimal transmission path and delivers flow tables to the switches along that path; and an inter-domain abnormal access record module, which receives the abnormal user access records reported by the gateways in each domain.
The gateway includes: a service acceptance module, which accepts service requests and sends them to the distributed controller of the domain; an authentication and authorization module, which completes identity authentication, authorization management and communication key agreement for cross-domain access by invoking the identity authentication, authorization mapping and key agreement servers; an intra-domain access log module, which records user access logs so that access records can be traced; and an abnormal access reporting module, which judges whether the current access is abnormal and reports to the distributed controller in a timely manner. Figure 5 is a schematic diagram of the functions inside domain A according to a specific embodiment of the present invention; the arrangement of the distributed controller and gateways in domain A is shown in Figure 5.
Domain B has the same composition as domain A and is therefore not described again here; the distributed controllers of different domains are connected directly or indirectly through switches.
This specific embodiment is described using the scenario in which a sensor of a user located in domain A detects abnormal heartbeat data of the user and requests the corresponding service from a hospital located in domain D. In this specific embodiment, the sensor constitutes the first user node of the above embodiment, and the hospital's server or diagnostic equipment constitutes the second user node of the above embodiment.
Figure 6 is a schematic diagram of a scenario in which the sensor performs cross-domain access according to a specific embodiment of the present invention. As shown in Figure 6, in the cross-domain access system of this specific embodiment, domain A constitutes the first network domain of this embodiment, and the corresponding distributed controller and gateway in domain A are the first distributed controller and the first gateway of this embodiment; similarly, domain D constitutes the second network domain of this embodiment, and the corresponding distributed controller and gateway in domain D are the second distributed controller and the second gateway of this embodiment.
In this specific embodiment, the IP address of the user's sensor node is FF00::1109, the address of its gateway is FF00::1103, and the address of its distributed controller is FF00::1101. When, under certain conditions (for example, the heart rate falls below a threshold), the sensor node requests a diagnosis from the hospital, the hospital produces a diagnosis by combining the user's historical data with its case database and returns the result to the sensor node. Figure 7 is a schematic diagram of the interaction in which the sensor performs cross-domain access according to a specific embodiment of the present invention. As shown in Figure 7, the process by which the sensor performs cross-domain access is as follows:
S1: The cross-domain accessing user node, sensor S, sends a cross-domain access request R_i to the gateway of its domain A in order to access the accessed node, the hospital's automatic diagnosis server. The domain name D_i of the accessed node is server_1.beijing.hos.chinese, and the QoS requirements include an access result feedback delay LR_i = 1 s, a middleware processing delay requirement M_i = 30 ms, a transmission delay LT_i = 50 ms, a bandwidth B_i = 1 Mbps and a privacy level P_i = high.
S2: After receiving the cross-domain access request, the service acceptance module parses (D_i, LR_i, M_i, LT_i, B_i, P_i) out of the request and sends them to the intra-domain information exchange module of the domain's distributed controller. The intra-domain information exchange module first assigns an out-of-domain access number [formula image PCTCN2020135884-appb-000001] to the cross-domain access; the number is the hash value of the text obtained by concatenating the accessed server's domain name and the current timestamp (set to 2019-08-07 22:45 00), i.e. HASH(2019-08-07 22:45 00server_1.beijing.hos.chinese) = 122e207244c368a098112ea1dd2572df47d5045c2b569beb64922ba13598f150. It then queries the domain name resolution module for the IP address ADDRESS_des of the accessed node, obtaining FF03::110F, and obtains the address ADDRESS_des_ctr of the distributed controller of domain D, where the accessed node is located, as FF03::1101.
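The controller-side transformation described for the first and second cross-domain access requests (replace the domain name with the resolved address, add the source address) and the out-of-domain access numbering of step S2 are shown together in the following Python example. It is an added illustration, not code from the patent or its applicant: the name table is a constructed stand-in for the domain name resolution module, and the hash function is assumed to be SHA-256 since the page writes only HASH(...), so the digest it produces is not claimed to equal the value quoted above.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the controller's domain name resolution module:
# domain name -> (accessed node address, address of that domain's controller).
# Assumption: the page does not specify how this mapping is stored.
NAME_TABLE = {
    "server_1.beijing.hos.chinese": ("FF03::110F", "FF03::1101"),
}


@dataclass(frozen=True)
class FirstRequest:
    """R_i as the first user node emits it: a domain name plus service and QoS fields."""
    dest_domain_name: str
    service_type: str
    qos: dict  # e.g. {"LR_ms": 1000, "M_ms": 30, "LT_ms": 50, "B_bps": 1_000_000, "P": "high"}


@dataclass(frozen=True)
class SecondRequest:
    """The request the first controller forwards to the second controller."""
    dest_address: str
    src_address: str
    dest_controller: str
    service_type: str
    qos: dict
    access_number: str


def access_number(timestamp: str, domain_name: str) -> str:
    """Out-of-domain access number: hash of the concatenated timestamp and domain name.

    Assumption: SHA-256 over the UTF-8 text; the page only writes HASH(...)."""
    return hashlib.sha256((timestamp + domain_name).encode("utf-8")).hexdigest()


def _check_ipv6(addr: str) -> str:
    """Reject anything that is not a syntactically valid IPv6 address; return it unchanged."""
    ipaddress.IPv6Address(addr)  # raises ValueError on malformed input
    return addr


def build_second_request(first: FirstRequest, observed_src: str, timestamp: str) -> SecondRequest:
    """Controller-side transformation: replace the domain name by the resolved address
    and add the source address.

    The source address is the one the controller observed on the incoming request,
    never a field supplied by the user node, so a node cannot name another node's address."""
    if first.dest_domain_name not in NAME_TABLE:
        raise LookupError(f"unresolvable domain name: {first.dest_domain_name}")
    dest_addr, dest_ctrl = NAME_TABLE[first.dest_domain_name]
    return SecondRequest(
        dest_address=_check_ipv6(dest_addr),
        src_address=_check_ipv6(observed_src),
        dest_controller=_check_ipv6(dest_ctrl),
        service_type=first.service_type,
        qos=dict(first.qos),
        access_number=access_number(timestamp, first.dest_domain_name),
    )


if __name__ == "__main__":
    r1 = FirstRequest("server_1.beijing.hos.chinese", "auto_diagnosis",
                      {"LR_ms": 1000, "M_ms": 30, "LT_ms": 50, "B_bps": 1_000_000, "P": "high"})
    r2 = build_second_request(r1, observed_src="FF00::1109", timestamp="2019-08-07 22:45 00")
    print(r2)
```

An unresolvable name or a malformed address is rejected before anything is forwarded to the second controller, and the QoS fields are copied rather than trusted by reference, so later steps see exactly what was parsed here.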
S3: In the distributed controller of the accessing node, the intra-domain information exchange module sends the information of the distributed controller where the accessed node is located to the inter-domain information exchange module, and the inter-domain information exchange module queries the routing information module for the routing information [formula image PCTCN2020135884-appb-000002] to the accessed domain's distributed controller. If, for example, the route must pass through the two distributed controllers of domain B and domain C, whose addresses are FF01::1101 and FF02::1101, the routing information is (FF00::1101, FF01::1101, FF02::1101, FF03::1101) and the sequence of switches traversed is [formula image PCTCN2020135884-appb-000003]. The inter-domain information exchange module then sends the access request [formula image PCTCN2020135884-appb-000004], i.e. [formula image PCTCN2020135884-appb-000005], to the inter-domain information exchange module of the distributed controller where the accessed node is located.
S4: After the inter-domain information exchange module of the distributed controller where the accessed node is located receives the access request, it parses out ADDRESS_des of the accessed node as FF01::110F and assigns a number [formula image PCTCN2020135884-appb-000006] to this in-domain access; the number is the hash value of the text obtained by concatenating the accessing node's address and the current timestamp, i.e. [formula image PCTCN2020135884-appb-000007] [formula image PCTCN2020135884-appb-000008]. It queries the routing information module for the gateway where the accessed node is located, at address FF03::1103, and the sequence of switches (S_0, S_1, S_2, ..., S_n) traversed to reach it, and sends a cross-domain access command to the gateway of the accessed node.
S5: The accessed node determines, according to the feedback delay requirement LR_i, the servers to be invoked for the identity authentication, authorization and key agreement processes, selecting LR_iden_i, LR_auth_i and LR_key_i such that LR_iden_i + LR_auth_i + LR_key_i ≤ LR_i; with LR_iden_i, LR_auth_i and LR_key_i each set to 300 ms, the requirement of less than 1 s is met. The gateway invokes the identity authentication server service; the identity authentication server identifies the accessing user and sends a receipt [formula image PCTCN2020135884-appb-000009] indicating whether identity authentication passed, whose value is set to TRUE (pass). After receiving the pass receipt, the gateway invokes the authorization mapping server service; the authorization mapping server checks, according to the requested service, whether the accessing user is authorized to access the corresponding service and, on passing, generates a receipt [formula image PCTCN2020135884-appb-000010] indicating whether access is authorized; the sensor node's address matches the IP address reserved in the user database, so TRUE is returned. After receiving the authorization receipt, the gateway sends authentication feedback [formula image PCTCN2020135884-appb-000011] to the intra-domain information exchange module of its domain's distributed controller.
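The gateway-side sequence of step S5 (latency budget check, identity receipt, authorization receipt, then the authentication feedback) as an added Python example; it is not the patent's own code. The user database is constructed, the identity server is modelled as matching the observed source address against the address reserved for the user, as the step describes, and the services a user may request are an assumed field. Every step fails closed: the first failing check ends the pipeline with a negative receipt.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Receipt:
    """Receipt returned by each server: whether the step passed, and why."""
    passed: bool
    reason: str


# Constructed user database behind the identity and authorization mapping servers.
# Assumption: the page only says the sensor's address matches an IP address reserved
# in the user database; the per-user service set is an assumed field.
USER_DB = {
    "sensor-S": {"reserved_address": "FF00::1109", "services": {"auto_diagnosis"}},
}


def identity_check(user_id: str, source_address: str) -> Receipt:
    """Identity authentication server: the accessing node must present its reserved address."""
    rec = USER_DB.get(user_id)
    if rec is None:
        return Receipt(False, "unknown identity")
    if rec["reserved_address"] != source_address:
        return Receipt(False, "source address does not match reserved address")
    return Receipt(True, "identity verified")


def authorization_check(user_id: str, service: str) -> Receipt:
    """Authorization mapping server: is this user entitled to the requested service?"""
    rec = USER_DB.get(user_id)
    if rec is None or service not in rec["services"]:
        return Receipt(False, f"not authorized for service {service}")
    return Receipt(True, "authorized")


def within_budget(lr_ms: int, latencies_ms: Tuple[int, int, int]) -> bool:
    """LR_iden_i + LR_auth_i + LR_key_i <= LR_i, all in milliseconds."""
    return sum(latencies_ms) <= lr_ms


def authenticate_access(user_id: str, source_address: str, service: str,
                        lr_ms: int, latencies_ms: Tuple[int, int, int]) -> Receipt:
    """The gateway's S5 pipeline; returns the authentication feedback sent to the controller."""
    if len(latencies_ms) != 3:
        raise ValueError("expected (LR_iden, LR_auth, LR_key)")
    if not within_budget(lr_ms, latencies_ms):
        return Receipt(False, "selected servers exceed feedback delay budget LR_i")
    ident = identity_check(user_id, source_address)
    if not ident.passed:
        return ident          # stop here: no authorization lookup for an unverified identity
    auth = authorization_check(user_id, service)
    if not auth.passed:
        return auth
    return Receipt(True, "authentication feedback: pass")


if __name__ == "__main__":
    # The page's numbers: LR_i = 1 s, each server 300 ms.
    print(authenticate_access("sensor-S", "FF00::1109", "auto_diagnosis", 1000, (300, 300, 300)))
    print(authenticate_access("sensor-S", "FF00::1110", "auto_diagnosis", 1000, (300, 300, 300)))
```

Keeping identity and authorization as separate receipts mirrors the two servers in the page and makes the reason for a refusal explicit in the feedback the controller receives.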
S6: The accessed distributed controller FF03::1101 sends the authentication result to the distributed controller FF01::1101 of the accessing node, and the distributed controller FF01::1101 of the accessing node sends, through its intra-domain information exchange module, an "authentication passed, prepare key agreement" message to the accessing node's gateway FF00::1103. The privacy level P_i requires a high level, so gateway FF00::1103 invokes the key agreement server FF00::1112, which negotiates with the key agreement server FF03::1112 invoked by the accessed node's gateway FF03::1103 to obtain the communication keys (K_sour, K_des).
S7: The accessed node's gateway sends an authentication-process-complete message to the accessed node's distributed controller, and the accessing node's gateway sends one to the accessing node's distributed controller. The distributed controller FF00::1101 of the accessing node and the distributed controller FF03::1101 of the domain of the accessed user establish a connection and negotiate, according to the service QoS requirements, the network slice required for this service, including the firewall invoked through NFV with dynamically written ACL rules, and middleware resources such as encryption/decryption. Let the virtual functions required for this service be [formula image PCTCN2020135884-appb-000012], representing the firewall and the encryption/decryption service respectively. Given the middleware processing delay requirement M_i of 30 ms, the processing delay in the accessing node's domain [formula image PCTCN2020135884-appb-000013] is found to be 10 ms and the processing delay in the accessed node's domain [formula image PCTCN2020135884-appb-000014] is 10 ms, which meets the requirement. In addition, according to the transmission delay LT_i of 50 ms and the bandwidth B_i of 1 Mbps, the routing information module plans network resources such as the optimal inter-domain and intra-domain transmission paths. Let the inter-domain route comprise the distributed controller sequence (FF00::1101, FF01::1101, FF02::1101, FF03::1101), which meets the requirements; the sequences of switches traversed by the route within each domain are then: within domain A [formula image PCTCN2020135884-appb-000015], within domain B [formula image PCTCN2020135884-appb-000016], within domain C [formula image PCTCN2020135884-appb-000017], and within domain D [formula image PCTCN2020135884-appb-000018].
S8: The accessing node's gateway FF00::1103 sends the access feedback result to the accessing node FF00::1109, and the accessed node's gateway FF03::1103 sends the access feedback result to the accessed node FF03::110F. Sensor FF00::1109 sends the data it has recorded to the hospital server FF03::110F. In the accessing node's domain, an ACL rule is dynamically written to the NFV firewall allowing the information sent from FF00::1109 to FF03::110F to cross the domain boundary, and the information is encrypted by the encryption server before transmission; in the accessed node's domain, an ACL rule is dynamically written to the firewall through NFV allowing the information sent from FF00::1109 to FF03::110F to enter the domain, and decryption is completed by the server. Data in the reverse direction likewise passes through the firewall and encryption/decryption, so that a bidirectional connection is established and strongly logically isolated cross-domain access is achieved.
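The per-flow ACL rules of the embodiment above (first rule on the accessing domain's firewall, second rule on the accessed domain's firewall) and their use in step S8 are illustrated by the following Python example, added here and not taken from the patent. It models each firewall as an ordered rule list with an implicit default deny, scopes the allow rules to the single FF00::1109 / FF03::110F pair of this access, covers the reverse direction that S8 says is handled the same way, and removes the rules when the access ends; the firewall names and the `egress`/`ingress` direction labels are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AclRule:
    action: str     # "allow"; anything that matches no rule is denied
    src: str
    dst: str
    direction: str  # "egress" = leaving the domain, "ingress" = entering it (assumed labels)


def _norm(addr: str) -> str:
    """Canonical lowercase IPv6 form, so FF03::110F and ff03::110f compare equal."""
    return str(ipaddress.IPv6Address(addr))


def build_flow_rules(src: str, dst: str, bidirectional: bool = True) -> Dict[str, List[AclRule]]:
    """First ACL rule on the accessing domain's firewall (egress) and second ACL rule on the
    accessed domain's firewall (ingress), both limited to this access's src/dst pair.
    With bidirectional=True the reverse flow is permitted the same way, as S8 describes."""
    s, d = _norm(src), _norm(dst)
    rules = {
        "domain_A_firewall": [AclRule("allow", s, d, "egress")],
        "domain_D_firewall": [AclRule("allow", s, d, "ingress")],
    }
    if bidirectional:
        rules["domain_D_firewall"].append(AclRule("allow", d, s, "egress"))
        rules["domain_A_firewall"].append(AclRule("allow", d, s, "ingress"))
    return rules


def evaluate(rules: List[AclRule], src: str, dst: str, direction: str) -> str:
    """First matching rule wins; with no match the firewall's default is deny."""
    s, d = _norm(src), _norm(dst)
    for r in rules:
        if r.src == s and r.dst == d and r.direction == direction:
            return r.action
    return "deny"


def revoke_flow(rules: Dict[str, List[AclRule]]) -> Dict[str, List[AclRule]]:
    """When the access ends, the dynamically written rules are withdrawn and both firewalls
    fall back to denying the pair."""
    return {name: [] for name in rules}


if __name__ == "__main__":
    rules = build_flow_rules("FF00::1109", "FF03::110F")
    print(evaluate(rules["domain_A_firewall"], "FF00::1109", "FF03::110F", "egress"))   # allow
    print(evaluate(rules["domain_A_firewall"], "FF00::1110", "FF03::110F", "egress"))   # deny
    print(evaluate(revoke_flow(rules)["domain_D_firewall"], "FF00::1109", "FF03::110F", "ingress"))  # deny
```

The point of the pair-scoped rules is that the firewall opening created for one access admits nothing else: a different source in the same domain, or the same source talking to the accessed domain's controller, still hits the default deny.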
S9: After the access ends, the gateway of the accessed node records this access and its end time [formula image PCTCN2020135884-appb-000019], i.e. [formula image PCTCN2020135884-appb-000020], which is maintained by a consortium chain formed by the gateways in domain D, guaranteeing the traceability of access records. After this access ends, the hospital server deducts the corresponding fee; if the whole process was normal, no abnormality needs to be reported. If the sensor node has repeatedly reported invalid data, or the agreed fee has not been paid within a certain period, this access is treated as an abnormal access: the gateway reports the abnormal access record and the reason for the abnormality to the distributed controller, and the abnormal access record is maintained by the consortium chain maintained between the distributed controllers.
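The access and abnormal-access records that the embodiment above and step S9 place on the consortium chain are modelled in the following Python example as an append-only hash chain with a verification routine. It is an added illustration and not the patent's own code: the page does not specify the chain's block format or consensus, so the records are kept as JSON, each block hashes its index, the previous hash and its record with SHA-256 (an assumption), and the sample access number, addresses and reporter are the values from steps S2 to S9 with constructed timestamps. The tamper check shows what the chain buys a defender: altering an earlier end time, or re-hashing an altered block, breaks verification.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record: dict
    hash: str


def _block_hash(index: int, prev_hash: str, record: dict) -> str:
    """Deterministic digest over the block contents (assumption: SHA-256 of canonical JSON)."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AccessLedger:
    """Append-only hash chain of cross-domain access records, standing in for the consortium chain."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def _append(self, record: dict) -> Block:
        prev = self.blocks[-1].hash if self.blocks else self.GENESIS
        idx = len(self.blocks)
        blk = Block(idx, prev, record, _block_hash(idx, prev, record))
        self.blocks.append(blk)
        return blk

    def record_access(self, access_number: str, src: str, dst: str,
                      start: str, end: str, reporter: str) -> Block:
        """Cross-domain access event with its start and end time, reported by a gateway."""
        return self._append({"type": "access", "access_number": access_number, "src": src,
                             "dst": dst, "start": start, "end": end, "reporter": reporter})

    def record_abnormal(self, access_number: str, reporter: str, reason: str) -> Block:
        """Abnormal access record with the reason the gateway reported."""
        return self._append({"type": "abnormal", "access_number": access_number,
                             "reporter": reporter, "reason": reason})

    def verify(self) -> bool:
        """Recompute every digest and check each block links to its predecessor."""
        prev = self.GENESIS
        for i, blk in enumerate(self.blocks):
            if blk.index != i or blk.prev_hash != prev:
                return False
            if _block_hash(blk.index, blk.prev_hash, blk.record) != blk.hash:
                return False
            prev = blk.hash
        return True

    def history(self, access_number: str) -> List[dict]:
        """All records (normal and abnormal) for one access number, for tracing."""
        return [b.record for b in self.blocks if b.record.get("access_number") == access_number]


if __name__ == "__main__":
    led = AccessLedger()
    num = "122e207244c368a098112ea1dd2572df47d5045c2b569beb64922ba13598f150"
    # Timestamps below are constructed sample values.
    led.record_access(num, "FF00::1109", "FF03::110F", "2019-08-07 22:45:00", "2019-08-07 22:46:10", "FF03::1103")
    led.record_abnormal(num, "FF03::1103", "repeated invalid data")
    print(led.verify(), len(led.history(num)))
```

A real consortium chain adds replication and consensus across the controllers; what this example isolates is the linkage that makes a single gateway's later edit of its own record detectable by every other participant.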
From the description of the above embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. On this basis, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
Embodiment 2
This embodiment provides a cross-domain access method applied to a first user node, where the first user node is a user node belonging to the first network domain. Figure 8 is a flowchart (1) of the cross-domain access method according to an embodiment of the present invention. As shown in Figure 8, the cross-domain access method of this embodiment includes:
S202: initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller, where the cross-domain access request requests cross-domain access to the second user node;
S204: accessing the second user node through a network slice, where the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
where the first distributed controller is arranged to control the first network domain, the second distributed controller is arranged to control the second network domain, and the second user node is a user node belonging to the second network domain.
The remaining embodiments and technical effects of the cross-domain access method of this embodiment correspond to those of the cross-domain access system of Embodiment 1 and are therefore not repeated here.
In an embodiment, before sending the cross-domain access request to the second distributed controller through the first distributed controller, the method includes:
sending the cross-domain access request to the first gateway, and sending the cross-domain access request to the first distributed controller through the first gateway, where the first gateway is connected to the first user node through a first switch.
In an embodiment, sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
sending the cross-domain access request to the second distributed controller through the first distributed controller, so that the second distributed controller generates a cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to the second gateway;
where the second gateway is connected to the second user node through a second switch, and the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command.
In an embodiment, the cross-domain access command instructing the second gateway to authenticate the first user node according to the cross-domain access command includes:
the cross-domain access command instructing the second gateway, according to the cross-domain access command, to invoke the identity authentication server to perform identity authentication of the first user node and to invoke the authorization mapping server to perform access authority authentication of the first user node.
In an embodiment, after the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command, the method further includes:
invoking the first key agreement server through the first gateway, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request in order to obtain a cross-domain access key;
where the cross-domain access key is used for encryption and/or decryption in the cross-domain access between the first user node and the second user node, the first key agreement server is the key agreement server belonging to the first network domain, and the second key agreement server is the key agreement server belonging to the second network domain.
In an embodiment, after obtaining the cross-domain access key, the method further includes:
sending authentication confirmation information to the first distributed controller through the first gateway, and sending authentication confirmation information to the second distributed controller through the second gateway, so that the first distributed controller and/or the second distributed controller establish a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
In an embodiment, the method further includes:
writing, through the first distributed controller and via network functions virtualization (NFV), a first access control list (ACL) rule to the firewall, where the first ACL rule instructs the firewall to allow the first user node to send cross-domain access information to the second user node;
writing, through the second distributed controller and via NFV, a second ACL rule to the firewall, where the second ACL rule instructs the firewall to allow the cross-domain access information to enter the second network domain.
在一实施例中,上述方法还包括:In an embodiment, the above method further includes:
通过第一分布式对第一用户节点发送的跨域访问信息进行加密处理,并将加密后的跨域访问信息发送至第二分布式控制器;Encrypting the cross-domain access information sent by the first user node through the first distribution, and sending the encrypted cross-domain access information to the second distributed controller;
通过第二分布式处理器对加密后的跨域访问信息进行解密,并将解密后的跨域访问信息发送至第二用户节点以实现第一用户节点的跨域访问。The encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the cross-domain access of the first user node.
在一实施例中,上述跨域访问请求包括:第一跨域访问请求,第二跨域访问请求;In an embodiment, the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
发起跨域访问请求,并通过第一分布式控制器发送跨域访问请求至第二分布式控制器,包括:Initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
发起第一跨域访问请求,以请求跨域访问第二用户节点;Initiate a first cross-domain access request to request cross-domain access to the second user node;
通过第一分布式控制器响应于第一用户节点发起的第一跨域访问请求以生成第二跨域访问请求,并发送第二跨域访问请求至第二分布式控制器;Responding to the first cross-domain access request initiated by the first user node through the first distributed controller to generate a second cross-domain access request, and send the second cross-domain access request to the second distributed controller;
其中,第一跨域访问请求包括以下至少之一:第二用户节点域名信息、服务类型信息、服务质量要求信息;Wherein, the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
第二跨域访问请求包括以下至少之一:第二用户节点地址信息、第一用户节点地址信息、服务类型信息,服务质量要求信息。The second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
在一实施例中,上述通过网络切片对第二用户节点进行访问之前,还包括:In an embodiment, before the foregoing access to the second user node through network slicing, the method further includes:
通过第一分布式控制器和/或第二分布式控制器以根据跨域访问请求中的服务质量要求确定网络切片。The first distributed controller and/or the second distributed controller are used to determine the network slice according to the quality of service requirements in the cross-domain access request.
在一实施例中,上述通过网络切片对第二用户节点进行访问之前,还包括:In an embodiment, before the foregoing access to the second user node through network slicing, the method further includes:
通过第一分布式控制器和/或第二分布式控制器以根据跨域访问请求中的服务质量要求确定路由信息,其中,路由信息用于指示访问信息在第一网域或第二网域内部的传输路径,以及第一网域与第二网域之间的传输路径。The routing information is determined by the first distributed controller and/or the second distributed controller according to the quality of service requirements in the cross-domain access request, where the routing information is used to indicate that the access information is in the first network domain or the second network domain The internal transmission path, and the transmission path between the first network domain and the second network domain.
在一实施例中,上述方法还包括:In an embodiment, the above method further includes:
通过第一网关和/或第二网关在第一用户节点结束跨域访问第二用户节点后获取跨域访问记录;Obtaining the cross-domain access record after the first user node ends the cross-domain access to the second user node through the first gateway and/or the second gateway;
在第一分布式控制器以及第二分布式控制器之间设置并维持联盟链,并通过联盟链对跨域访问记录进行维护;其中,跨域访问记录包括:跨域访问事件,跨域访问事件的发生及结束时间。Set up and maintain a consortium chain between the first distributed controller and the second distributed controller, and maintain cross-domain access records through the consortium chain; among them, cross-domain access records include: cross-domain access events, cross-domain access The occurrence and end time of the event.
在一实施例中,上述通过联盟链对跨域访问记录进行维护还包括:In an embodiment, the above-mentioned maintaining the cross-domain access record through the alliance chain further includes:
记录异常访问记录,其中,异常访问记录用于指示第一用户节点跨域访问第二用户节点异常;异常访问记录由第一网关和/或第二网关上报。Record the abnormal access record, where the abnormal access record is used to indicate that the first user node cross-domain access to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
通过以上的实施方式的描述,本领域的技术人员可以清楚地了解到根据上述实施例的方法可借助软件加必需的通用硬件平台的方式来实现,当然也可以通过硬件,但很多情况下前者是更佳的实施方式。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质(如ROM/RAM、磁碟、光盘)中,包括若干指令用以使得一台终端设备(可以是手机,计算机,服务器,或者网络设备等)执行本发明各个实施例所述的方法。Through the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiment can be implemented by means of software plus the necessary general hardware platform, of course, it can also be implemented by hardware, but in many cases the former is Better implementation. Based on this understanding, the technical solution of the present invention essentially or the part that contributes to the existing technology can be embodied in the form of a software product, and the computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk, The optical disc) includes a number of instructions to enable a terminal device (which can be a mobile phone, a computer, a server, or a network device, etc.) to execute the method described in each embodiment of the present invention.
Embodiment 3
This embodiment provides a cross-domain access method applied to a second user node, where the first user node is a user node belonging to the second network domain; FIG. 9 is a flow chart (2) of the cross-domain access method according to an embodiment of the present invention. As shown in FIG. 9, the method in this embodiment includes:
S302: responding to the access by the first user node through the network slice; where the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; the first distributed controller is configured to control the first network domain; the second distributed controller is configured to control the second network domain; and the first user node is a user node belonging to the first network domain;
the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
The remaining embodiments and technical effects of the cross-domain access method in this embodiment correspond to those of the cross-domain access system in Embodiment 1 and are therefore not repeated here.
In an embodiment, the cross-domain access request is initiated by the first user node and sent to the first gateway, so that the cross-domain access request is sent to the first distributed controller through the first gateway; where the first gateway is connected to the first user node through the first switch.
In an embodiment, the cross-domain access request is sent to the second distributed controller through the first distributed controller, so that the second distributed controller generates a cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to the second gateway;
where the second gateway is connected to the second user node through the second switch; the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command.
In an embodiment, the cross-domain access command instructing the second gateway to authenticate the first user node according to the cross-domain access command includes:
the cross-domain access command instructing the second gateway, according to the cross-domain access command, to invoke the identity authentication server to perform identity authentication on the first user node, and to invoke the authorization mapping server to perform access permission authentication on the first user node.
In an embodiment, after the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command, the method further includes:
invoking the first key agreement server through the first gateway, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request to obtain the cross-domain access key;
where the cross-domain access key is used for encryption and/or decryption during the cross-domain access between the first user node and the second user node; the first key agreement server is a key agreement server belonging to the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
In an embodiment, after obtaining the cross-domain access key, the method further includes:
sending authentication confirmation information to the first distributed controller through the first gateway, and sending authentication confirmation information to the second distributed controller through the second gateway, so that the first distributed controller and/or the second distributed controller establish a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
In an embodiment, the method further includes:
writing a first access control list (ACL) rule to the firewall via network function virtualization (NFV) through the first distributed controller, where the first ACL rule instructs the firewall to allow the first user node to send cross-domain access information to the second user node;
writing a second ACL rule to the firewall via NFV through the second distributed controller, where the second ACL rule instructs the firewall to allow the cross-domain access information to enter the second network domain.
In an embodiment, the method further includes:
encrypting the cross-domain access information sent by the first user node through the first distributed controller, and sending the encrypted cross-domain access information to the second distributed controller;
decrypting the encrypted cross-domain access information through the second distributed processor, and sending the decrypted cross-domain access information to the second user node to implement the cross-domain access of the first user node.
In an embodiment, the cross-domain access request includes a first cross-domain access request and a second cross-domain access request;
initiating the cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
initiating the first cross-domain access request to request cross-domain access to the second user node;
generating, through the first distributed controller, a second cross-domain access request in response to the first cross-domain access request initiated by the first user node, and sending the second cross-domain access request to the second distributed controller;
where the first cross-domain access request includes at least one of: domain name information of the second user node, service type information, and quality of service requirement information;
and the second cross-domain access request includes at least one of: address information of the second user node, address information of the first user node, service type information, and quality of service requirement information.
In an embodiment, before responding to the access by the first user node through the network slice, the method further includes:
determining the network slice, through the first distributed controller and/or the second distributed controller, according to the quality of service requirement in the cross-domain access request.
In an embodiment, before responding to the access by the first user node through the network slice, the method further includes:
determining routing information, through the first distributed controller and/or the second distributed controller, according to the quality of service requirement in the cross-domain access request, where the routing information indicates the transmission path of the access information inside the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
In an embodiment, the method further includes:
obtaining a cross-domain access record through the first gateway and/or the second gateway after the first user node ends its cross-domain access to the second user node;
setting up and maintaining a consortium chain between the first distributed controller and the second distributed controller, and maintaining the cross-domain access record through the consortium chain; where the cross-domain access record includes a cross-domain access event and the start and end times of the cross-domain access event.
In an embodiment, maintaining the cross-domain access record through the consortium chain further includes:
recording an abnormal access record, where the abnormal access record indicates that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
Through the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform; it can of course also be implemented by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to execute the method described in each embodiment of the present invention.
Embodiment 4
This embodiment provides a cross-domain access apparatus applied to a first user node, where the first user node is a user node belonging to the first network domain; the apparatus is used to implement the above embodiments and some other implementations, and what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated. FIG. 10 is a structural block diagram (1) of the cross-domain access apparatus according to an embodiment of the present invention. As shown in FIG. 10, the cross-domain access apparatus in this embodiment includes:
a request module 402, configured to initiate a cross-domain access request and send the cross-domain access request to the second distributed controller through the first distributed controller; where the cross-domain access request is used to request cross-domain access to the second user node;
an access module 404, configured to access the second user node through a network slice; where the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
where the first distributed controller is configured to control the first network domain; the second distributed controller is configured to control the second network domain; and the second user node is a user node belonging to the second network domain.
The remaining embodiments and technical effects of the cross-domain access apparatus in this embodiment correspond to those of the cross-domain access method in Embodiment 2 and are therefore not repeated here.
In an embodiment, before sending the cross-domain access request to the second distributed controller through the first distributed controller, the method includes:
sending the cross-domain access request to the first gateway, and sending the cross-domain access request to the first distributed controller through the first gateway; where the first gateway is connected to the first user node through the first switch.
In an embodiment, sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
sending the cross-domain access request to the second distributed controller through the first distributed controller, so that the second distributed controller generates a cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to the second gateway;
where the second gateway is connected to the second user node through the second switch; the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command.
In an embodiment, the cross-domain access command instructing the second gateway to authenticate the first user node according to the cross-domain access command includes:
the cross-domain access command instructing the second gateway, according to the cross-domain access command, to invoke the identity authentication server to perform identity authentication on the first user node, and to invoke the authorization mapping server to perform access permission authentication on the first user node.
In an embodiment, after the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command, the method further includes:
invoking the first key agreement server through the first gateway, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request to obtain the cross-domain access key;
where the cross-domain access key is used for encryption and/or decryption during the cross-domain access between the first user node and the second user node; the first key agreement server is a key agreement server belonging to the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
In an embodiment, after obtaining the cross-domain access key, the method further includes:
sending authentication confirmation information to the first distributed controller through the first gateway, and sending authentication confirmation information to the second distributed controller through the second gateway, so that the first distributed controller and/or the second distributed controller establish a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
In an embodiment, the method further includes:
writing a first access control list (ACL) rule to the firewall via network function virtualization (NFV) through the first distributed controller, where the first ACL rule instructs the firewall to allow the first user node to send cross-domain access information to the second user node;
writing a second ACL rule to the firewall via NFV through the second distributed controller, where the second ACL rule instructs the firewall to allow the cross-domain access information to enter the second network domain.
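The authentication and ACL steps above (the second gateway invoking the identity authentication server and the authorization mapping server, then the two distributed controllers each writing one ACL rule) can be illustrated in working code. The following is an added example, not code from the patent or its assignee; the identity table, the authorization mapping, the address values and the in-memory firewall are all constructed for the example, and the NFV write is modelled as a plain method call. The security-relevant point it shows is that no ACL rule is written unless both checks pass, so a failed identity or permission check leaves the firewalls in their default-deny state.

```python
"""Added example: second-gateway authentication followed by ACL installation.

Everything here (identity DB, authorization map, addresses, Firewall class) is a
constructed stand-in; the patent does not specify these data structures.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed identity authentication server: node id -> SHA-256 of its credential.
IDENTITY_DB = {
    "node-A1": hashlib.sha256(b"credential-A1").hexdigest(),
}

def identity_auth(node_id: str, credential: bytes) -> bool:
    """Identity authentication: constant-time comparison of the credential digest."""
    expected = IDENTITY_DB.get(node_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(credential).hexdigest())

# Constructed authorization mapping server: (node id, service type) -> allowed destinations.
AUTHZ_MAP = {
    ("node-A1", "video"): {"10.2.0.10"},
}

def authz_auth(node_id: str, service_type: str, dst_addr: str) -> bool:
    """Access permission authentication: may this node reach dst_addr for this service?"""
    return dst_addr in AUTHZ_MAP.get((node_id, service_type), set())

@dataclass(frozen=True)
class AclRule:
    src: str            # source address, or "*" for any
    dst: str            # destination address, or "*" for any
    domain: str         # which domain's firewall holds the rule
    action: str = "allow"

@dataclass
class Firewall:
    rules: list = field(default_factory=list)

    def write_rule(self, rule: AclRule) -> None:
        """Stand-in for the NFV write performed by a distributed controller."""
        self.rules.append(rule)

    def permits(self, src: str, dst: str) -> bool:
        """Default deny: traffic passes only if an allow rule matches it."""
        return any(r.action == "allow" and r.src in ("*", src) and r.dst in ("*", dst)
                   for r in self.rules)

def handle_access_command(cmd: dict, credential: bytes,
                          fw1: Firewall, fw2: Firewall) -> bool:
    """Second-gateway processing of a cross-domain access command.

    The first ACL rule (domain 1) lets the first user node send toward the second
    user node; the second ACL rule (domain 2) lets that traffic enter domain 2.
    Both are written only after identity and permission checks succeed.
    """
    if not identity_auth(cmd["src_node"], credential):
        return False
    if not authz_auth(cmd["src_node"], cmd["service_type"], cmd["dst_addr"]):
        return False
    fw1.write_rule(AclRule(src=cmd["src_addr"], dst=cmd["dst_addr"], domain="domain-1"))
    fw2.write_rule(AclRule(src=cmd["src_addr"], dst=cmd["dst_addr"], domain="domain-2"))
    return True

def demo() -> tuple:
    """Constructed run: one authorized flow, and a destination that was never authorized."""
    fw1, fw2 = Firewall(), Firewall()
    cmd = {"src_node": "node-A1", "src_addr": "10.1.0.5",
           "dst_addr": "10.2.0.10", "service_type": "video"}
    ok = handle_access_command(cmd, b"credential-A1", fw1, fw2)
    allowed = fw1.permits("10.1.0.5", "10.2.0.10") and fw2.permits("10.1.0.5", "10.2.0.10")
    other = fw2.permits("10.1.0.5", "10.2.0.99")   # no rule covers this destination
    return ok, allowed, other

if __name__ == "__main__":
    print(demo())
```

The firewall is deliberately default-deny so that the only way traffic crosses domains is the pair of rules installed after a successful command; a wrong credential or an unmapped service type returns False before any rule is written.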
In an embodiment, the method further includes:
encrypting the cross-domain access information sent by the first user node through the first distributed controller, and sending the encrypted cross-domain access information to the second distributed controller;
decrypting the encrypted cross-domain access information through the second distributed processor, and sending the decrypted cross-domain access information to the second user node to implement the cross-domain access of the first user node.
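The key agreement embodiment (the two key agreement servers agreeing a key "according to the cross-domain access request") and the encrypt/decrypt embodiment above can be shown together. The following is an added example, not the patent's own code. It assumes the key agreement servers' output is a shared secret (modelled here as a constructed random 32-byte value) and shows the part the patent leaves open: binding the derived cross-domain access key to the request (both node addresses and service type) with HKDF-SHA256, then encrypting at the first distributed controller and decrypting at the second. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, used only because the standard library has no AEAD; a deployment would use AES-GCM or similar.

```python
"""Added example: request-bound key derivation and authenticated encryption between
the two distributed controllers. The shared secret, addresses and message are constructed.
"""
import hashlib
import hmac
import secrets

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def cross_domain_access_key(shared_secret: bytes, request: dict) -> bytes:
    """Derive the cross-domain access key bound to the second cross-domain access
    request, so a key agreed for one (source, destination, service) tuple is
    useless for any other tuple."""
    info = "|".join([request["src_addr"], request["dst_addr"],
                     request["service_type"]]).encode()
    return hkdf_sha256(shared_secret, salt=b"cross-domain-access-v1", info=info)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """First distributed controller: returns nonce || ciphertext || tag."""
    enc_key = hkdf_sha256(key, b"", b"enc")
    mac_key = hkdf_sha256(key, b"", b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Second distributed controller: verify the tag before decrypting anything."""
    enc_key = hkdf_sha256(key, b"", b"enc")
    mac_key = hkdf_sha256(key, b"", b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch: message rejected")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    """Constructed run: both domains derive the same key from the same secret and
    request; a key derived for a different request cannot open the message."""
    shared_secret = secrets.token_bytes(32)   # stands in for the key agreement result
    req = {"src_addr": "10.1.0.5", "dst_addr": "10.2.0.10", "service_type": "video"}
    key1 = cross_domain_access_key(shared_secret, req)   # derived in domain 1
    key2 = cross_domain_access_key(shared_secret, req)   # derived in domain 2
    blob = encrypt(key1, b"GET /stream/42")
    other_key = cross_domain_access_key(shared_secret, {**req, "service_type": "ssh"})
    try:
        decrypt(other_key, blob)
        other_decrypts = True
    except ValueError:
        other_decrypts = False
    return {"keys_match": key1 == key2,
            "plaintext": decrypt(key2, blob),
            "other_decrypts": other_decrypts}

if __name__ == "__main__":
    print(demo())
```

Binding the key to the request is what makes the "according to the cross-domain access request" clause meaningful: the tag check fails, rather than producing garbage, when a key from another session is applied.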
In an embodiment, the cross-domain access request includes a first cross-domain access request and a second cross-domain access request;
initiating the cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
initiating the first cross-domain access request to request cross-domain access to the second user node;
generating, through the first distributed controller, a second cross-domain access request in response to the first cross-domain access request initiated by the first user node, and sending the second cross-domain access request to the second distributed controller;
where the first cross-domain access request includes at least one of: domain name information of the second user node, service type information, and quality of service requirement information;
and the second cross-domain access request includes at least one of: address information of the second user node, address information of the first user node, service type information, and quality of service requirement information.
In an embodiment, before accessing the second user node through the network slice, the method further includes:
determining the network slice, through the first distributed controller and/or the second distributed controller, according to the quality of service requirement in the cross-domain access request.
In an embodiment, before accessing the second user node through the network slice, the method further includes:
determining routing information, through the first distributed controller and/or the second distributed controller, according to the quality of service requirement in the cross-domain access request, where the routing information indicates the transmission path of the access information inside the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
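The two-request structure (a first request carrying a domain name, service type and QoS requirement; a second request carrying addresses) and the slice and route selection by QoS can be shown in one example. This is an added example, not the patent's code; the name-to-address table, the slice catalogue, the link graph with its latency figures and the QoS numbers are all constructed. It goes slightly beyond the text by showing one concrete selection policy (the least-provisioned slice and the lowest-latency path that still satisfy the requirement) and by splitting the chosen path into the intra-domain segments and the inter-domain link the routing information is said to describe.

```python
"""Added example: first distributed controller turning the first cross-domain access
request into the second one, then choosing a slice and a route from the QoS requirement.
All tables and numbers are constructed.
"""
import heapq
from dataclasses import dataclass

NAME_TO_ADDR = {"cam7.domain2.example": "10.2.0.10"}   # constructed resolver table

@dataclass(frozen=True)
class Slice:
    name: str
    max_latency_ms: int
    bandwidth_mbps: int

SLICES = [Slice("best-effort", 200, 50), Slice("video", 40, 500), Slice("urllc", 5, 100)]

LINKS = [  # (node, node, latency ms); node names begin with their domain id
    ("d1-sw1", "d1-gw", 2), ("d1-sw1", "d1-sw2", 1), ("d1-sw2", "d1-gw", 3),
    ("d1-gw", "d2-gw", 10), ("d1-gw", "d2-gw2", 4),
    ("d2-gw", "d2-sw1", 3), ("d2-gw2", "d2-sw1", 12),
]

def build_second_request(first_req: dict, src_addr: str) -> dict:
    """Resolve the destination domain name and attach the first user node's address."""
    dst_addr = NAME_TO_ADDR.get(first_req["dst_domain_name"])
    if dst_addr is None:
        raise LookupError("unknown destination: %s" % first_req["dst_domain_name"])
    return {"src_addr": src_addr, "dst_addr": dst_addr,
            "service_type": first_req["service_type"], "qos": dict(first_req["qos"])}

def choose_slice(qos: dict) -> Slice:
    """Least-provisioned slice that still meets both the latency and bandwidth bounds."""
    candidates = [s for s in SLICES
                  if s.max_latency_ms <= qos["max_latency_ms"]
                  and s.bandwidth_mbps >= qos["min_bandwidth_mbps"]]
    if not candidates:
        raise ValueError("no slice meets the QoS requirement")
    return min(candidates, key=lambda s: (s.bandwidth_mbps, -s.max_latency_ms))

def shortest_path(src: str, dst: str) -> tuple:
    """Dijkstra over LINKS; returns (path, total latency)."""
    graph = {}
    for a, b, w in LINKS:
        graph.setdefault(a, []).append((b, w))
        graph.setdefault(b, []).append((a, w))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        if u == dst:
            break
        for v, w in graph.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        raise LookupError("no path from %s to %s" % (src, dst))
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]

def route_for(qos: dict, src_node: str, dst_node: str) -> dict:
    """Routing information: intra-domain paths plus the inter-domain link, QoS-checked."""
    path, latency = shortest_path(src_node, dst_node)
    if latency > qos["max_latency_ms"]:
        raise ValueError("best path latency %d ms exceeds requirement" % latency)
    domain = lambda n: n.split("-")[0]
    intra1 = [n for n in path if domain(n) == domain(src_node)]
    intra2 = [n for n in path if domain(n) == domain(dst_node)]
    return {"path": path, "latency_ms": latency, "domain1_path": intra1,
            "inter_domain_link": (intra1[-1], intra2[0]), "domain2_path": intra2}

def demo() -> tuple:
    """Constructed run of the full first-controller decision."""
    first = {"dst_domain_name": "cam7.domain2.example", "service_type": "video",
             "qos": {"max_latency_ms": 40, "min_bandwidth_mbps": 300}}
    second = build_second_request(first, "10.1.0.5")
    chosen = choose_slice(second["qos"])
    route = route_for(second["qos"], "d1-sw1", "d2-sw1")
    return second, chosen.name, route

if __name__ == "__main__":
    print(demo())
```

The first user node never learns the second user node's address from the first request; only the controller resolves it, which keeps the address mapping inside the control plane.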
In an embodiment, the method further includes:
obtaining a cross-domain access record through the first gateway and/or the second gateway after the first user node ends its cross-domain access to the second user node;
setting up and maintaining a consortium chain between the first distributed controller and the second distributed controller, and maintaining the cross-domain access record through the consortium chain; where the cross-domain access record includes a cross-domain access event and the start and end times of the cross-domain access event.
In an embodiment, maintaining the cross-domain access record through the consortium chain further includes:
recording an abnormal access record, where the abnormal access record indicates that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
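The consortium chain between the two distributed controllers, holding cross-domain access records (event, start and end time) and gateway-reported abnormal access records, can be modelled as a hash-chained, jointly endorsed ledger. This is an added example, not the patent's code; the endorsement keys, the record fields and the timestamps are constructed, and two-party HMAC endorsement stands in for whatever consensus a real consortium chain would use. What it demonstrates is the property a defender cares about: a record altered after the fact by either party breaks the chain and fails verification.

```python
"""Added example: a two-member consortium ledger of cross-domain access records.
Keys, records and timestamps are constructed; endorsement is HMAC per member.
"""
import hashlib
import hmac
import json

# Constructed endorsement keys held by the two distributed controllers.
CONTROLLER_KEYS = {"ctrl-1": b"constructed-key-1", "ctrl-2": b"constructed-key-2"}
GENESIS = "0" * 64

def access_record(src: str, dst: str, start: str, end: str, gateway: str) -> dict:
    """Cross-domain access record obtained by a gateway after the access ends."""
    return {"type": "cross_domain_access", "src": src, "dst": dst,
            "start_time": start, "end_time": end, "reported_by": gateway}

def abnormal_record(src: str, dst: str, reason: str, gateway: str) -> dict:
    """Abnormal access record reported by the first and/or second gateway."""
    return {"type": "abnormal_access", "src": src, "dst": dst,
            "reason": reason, "reported_by": gateway}

class ConsortiumLedger:
    def __init__(self, members: dict):
        self.members = dict(members)
        self.blocks = []

    @staticmethod
    def _canon(obj: dict) -> bytes:
        return json.dumps(obj, sort_keys=True).encode()

    def append(self, record: dict) -> str:
        """Chain a new block to the previous hash; every member endorses the body."""
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev_hash": prev, "record": record}
        payload = self._canon(body)
        endorsements = {m: hmac.new(k, payload, hashlib.sha256).hexdigest()
                        for m, k in self.members.items()}
        block = {**body, "endorsements": endorsements}
        block["hash"] = hashlib.sha256(self._canon(block)).hexdigest()
        self.blocks.append(block)
        return block["hash"]

    def verify(self) -> bool:
        """Recompute links, endorsements and hashes from the genesis value."""
        prev = GENESIS
        for i, blk in enumerate(self.blocks):
            if blk["index"] != i or blk["prev_hash"] != prev:
                return False
            payload = self._canon({k: blk[k] for k in ("index", "prev_hash", "record")})
            for m, k in self.members.items():
                expected = hmac.new(k, payload, hashlib.sha256).hexdigest()
                if not hmac.compare_digest(expected, blk["endorsements"].get(m, "")):
                    return False
            unhashed = {k: v for k, v in blk.items() if k != "hash"}
            if hashlib.sha256(self._canon(unhashed)).hexdigest() != blk["hash"]:
                return False
            prev = blk["hash"]
        return True

    def abnormal_records(self) -> list:
        return [b["record"] for b in self.blocks if b["record"]["type"] == "abnormal_access"]

def demo() -> tuple:
    """Constructed run: two normal records, one abnormal one, then a tampered end time."""
    ledger = ConsortiumLedger(CONTROLLER_KEYS)
    ledger.append(access_record("10.1.0.5", "10.2.0.10", "2021-01-05T08:00:00Z",
                                "2021-01-05T08:12:30Z", "gw-1"))
    ledger.append(access_record("10.1.0.5", "10.2.0.10", "2021-01-05T09:00:00Z",
                                "2021-01-05T09:01:10Z", "gw-2"))
    ledger.append(abnormal_record("10.1.0.5", "10.2.0.10",
                                  "traffic after access end time", "gw-2"))
    intact = ledger.verify()
    ledger.blocks[0]["record"]["end_time"] = "2021-01-05T23:59:59Z"   # after-the-fact edit
    tamper_detected = not ledger.verify()
    return intact, tamper_detected, len(ledger.abnormal_records())

if __name__ == "__main__":
    print(demo())
```

Because every block is endorsed by both controllers and hashed into its successor, neither domain can quietly rewrite an access window or drop an abnormal record without the other side's verification failing.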
It should be noted that each of the above modules may be implemented by software or hardware. For the latter, this may be achieved in, but is not limited to, the following ways: all of the above modules are located in the same processor; or the above modules are located in different processors in any combination.
Embodiment 5
This embodiment provides a cross-domain access apparatus applied to a second user node, where the first user node is a user node belonging to the second network domain; the apparatus is used to implement the above embodiments and some other implementations, and what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated. FIG. 11 is a structural block diagram (2) of the cross-domain access apparatus according to an embodiment of the present invention. As shown in FIG. 11, the cross-domain access apparatus in this embodiment includes:
a response module 502, configured to respond to the access by the first user node through the network slice; where the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request; the first distributed controller is configured to control the first network domain; the second distributed controller is configured to control the second network domain; and the first user node is a user node belonging to the first network domain;
the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
The remaining embodiments and technical effects of the cross-domain access apparatus in this embodiment correspond to those of the cross-domain access method in Embodiment 3 and are therefore not repeated here.
In an embodiment, the cross-domain access request is initiated by the first user node and sent to the first gateway, so that the cross-domain access request is sent to the first distributed controller through the first gateway; where the first gateway is connected to the first user node through the first switch.
In an embodiment, the cross-domain access request is sent to the second distributed controller through the first distributed controller, so that the second distributed controller generates a cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to the second gateway;
where the second gateway is connected to the second user node through the second switch; the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command.
In an embodiment, the cross-domain access command instructing the second gateway to authenticate the first user node according to the cross-domain access command includes:
the cross-domain access command instructing the second gateway, according to the cross-domain access command, to invoke the identity authentication server to perform identity authentication on the first user node, and to invoke the authorization mapping server to perform access permission authentication on the first user node.
In an embodiment, after the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command, the method further includes:
invoking the first key agreement server through the first gateway, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request to obtain the cross-domain access key;
where the cross-domain access key is used for encryption and/or decryption during the cross-domain access between the first user node and the second user node; the first key agreement server is a key agreement server belonging to the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
In an embodiment, after obtaining the cross-domain access key, the method further includes:
通过第一网关发送认证确认信息至第一分布式控制器,并通过第二网关发送认证确认信息至第二分布式控制器,以使得第一分布式控制器和/或第二分布式控制器根据认证确认信息在第一分布式控制器与第二分布式控制器之间建立连接。Send authentication confirmation information to the first distributed controller through the first gateway, and send authentication confirmation information to the second distributed controller through the second gateway, so that the first distributed controller and/or the second distributed controller A connection is established between the first distributed controller and the second distributed controller according to the authentication confirmation information.
在一实施例中,上述方法还包括:In an embodiment, the above method further includes:
通过第一分布式控制器以经由网络功能虚拟化NFV向防火墙写入第一访问控制列表ACL规则,其中,第一ACL规则用于指示防火墙允许第一用户节点向第二用户节点发送跨域访问信息;Write a first access control list ACL rule to the firewall via the network function virtualization NFV through the first distributed controller, where the first ACL rule is used to instruct the firewall to allow the first user node to send cross-domain access to the second user node information;
通过第二分布式控制器以经由NFV向防火墙写入第二ACL规则,其中,第二ACL规则用于指示防火墙允许跨域访问信息进入第二网域。The second distributed controller is used to write a second ACL rule to the firewall via NFV, where the second ACL rule is used to instruct the firewall to allow cross-domain access information to enter the second network domain.
在一实施例中,上述方法还包括:In an embodiment, the above method further includes:
通过第一分布式对第一用户节点发送的跨域访问信息进行加密处理,并将加密后的跨域访问信息发送至第二分布式控制器;Encrypting the cross-domain access information sent by the first user node through the first distribution, and sending the encrypted cross-domain access information to the second distributed controller;
通过第二分布式处理器对加密后的跨域访问信息进行解密,并将解密后的跨域访问信息发送至第二用户节点以实现第一用户节点的跨域访问。The encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the cross-domain access of the first user node.
在一实施例中,上述跨域访问请求包括:第一跨域访问请求,第二跨域访问请求;In an embodiment, the aforementioned cross-domain access request includes: a first cross-domain access request, and a second cross-domain access request;
发起跨域访问请求,并通过第一分布式控制器发送跨域访问请求至第二分布式控制器,包括:Initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
发起第一跨域访问请求,以请求跨域访问第二用户节点;Initiate a first cross-domain access request to request cross-domain access to the second user node;
通过第一分布式控制器响应于第一用户节点发起的第一跨域访问请求以生成第二跨域访问请求,并发送第二跨域访问请求至第二分布式控制器;Responding to the first cross-domain access request initiated by the first user node through the first distributed controller to generate a second cross-domain access request, and send the second cross-domain access request to the second distributed controller;
其中,第一跨域访问请求包括以下至少之一:第二用户节点域名信息、服务类型信息、服务质量要求信息;Wherein, the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
第二跨域访问请求包括以下至少之一:第二用户节点地址信息、第一用户节点地址信息、服务类型信息,服务质量要求信息。The second cross-domain access request includes at least one of the following: second user node address information, first user node address information, service type information, and service quality requirement information.
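The sequence described above (a name-based first request translated by the first distributed controller into an address-based second request, gateway authentication split into identity authentication and authorization mapping, and the two ACL rules written only after authentication succeeds) is illustrated by the following added example. It is not code from the patent or its assignee; the address table, identity database, authorization map, credentials and rule format are constructed stand-ins for the servers the patent names, and the deny-by-default firewall is an assumption about how the ACL rules are consumed.

```python
"""Two-stage cross-domain request, gateway authentication and ACL provisioning.

Added example, not the patent's own code: the servers, addresses, credentials
and rule format are constructed stand-ins for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lookup tables standing in for the name-to-address mapping held by
# the first distributed controller, the identity authentication server and the
# authorization mapping server of the second domain.
ADDRESS_TABLE = {"svc.domain2.example": "10.2.0.20"}
IDENTITY_DB = {"10.1.0.10": "node1-secret"}
AUTHZ_MAP = {("10.1.0.10", "video"): {"10.2.0.20"}}


@dataclass(frozen=True)
class FirstRequest:
    """First cross-domain access request: names the target, carries no addresses."""
    target_domain_name: str
    service_type: str
    qos: str


@dataclass(frozen=True)
class SecondRequest:
    """Second cross-domain access request built by the first distributed controller."""
    src_addr: str
    dst_addr: str
    service_type: str
    qos: str


@dataclass(frozen=True)
class AclRule:
    domain: str      # which domain's firewall the rule is written to
    direction: str   # "egress" for the first domain, "ingress" for the second
    src: str
    dst: str


class Firewall:
    """Deny-by-default firewall: traffic passes only if a matching rule was written."""

    def __init__(self) -> None:
        self.rules: List[AclRule] = []

    def write(self, rule: AclRule) -> None:
        self.rules.append(rule)

    def permits(self, domain: str, direction: str, src: str, dst: str) -> bool:
        return any(r == AclRule(domain, direction, src, dst) for r in self.rules)


def translate_request(req: FirstRequest, src_addr: str) -> Optional[SecondRequest]:
    """First distributed controller: resolve the domain name to the second node's address."""
    dst = ADDRESS_TABLE.get(req.target_domain_name)
    if dst is None:
        return None
    return SecondRequest(src_addr, dst, req.service_type, req.qos)


def gateway_authenticate(cmd: SecondRequest, credential: str) -> Tuple[bool, str]:
    """Second gateway: identity authentication first, then authorization mapping."""
    expected = IDENTITY_DB.get(cmd.src_addr, "")
    if not expected or not hmac.compare_digest(expected, credential):
        return False, "identity authentication failed"
    allowed = AUTHZ_MAP.get((cmd.src_addr, cmd.service_type), set())
    if cmd.dst_addr not in allowed:
        return False, "access permission denied"
    return True, "authenticated"


def acl_rules_for(cmd: SecondRequest) -> List[AclRule]:
    """First ACL rule: let node 1 send; second ACL rule: let the traffic enter domain 2."""
    return [
        AclRule("domain1", "egress", cmd.src_addr, cmd.dst_addr),
        AclRule("domain2", "ingress", cmd.src_addr, cmd.dst_addr),
    ]


def cross_domain_access(req: FirstRequest, src_addr: str, credential: str,
                        firewall: Firewall) -> Tuple[bool, str]:
    """Runs the flow end to end; ACL rules are written only after authentication succeeds."""
    cmd = translate_request(req, src_addr)
    if cmd is None:
        return False, "unknown target domain name"
    ok, reason = gateway_authenticate(cmd, credential)
    if not ok:
        return False, reason          # nothing is written to the firewall
    for rule in acl_rules_for(cmd):   # in the patent, each controller writes its rule via NFV
        firewall.write(rule)
    return True, reason
```

The ordering is the point: the firewall stays closed in both directions until the second gateway has passed both the identity check and the authorization-mapping check, so a failed or unknown requester never causes a rule to be written.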
In an embodiment, before responding to the access performed by the first user node through the network slice, the method further includes:
determining, through the first distributed controller and/or the second distributed controller, the network slice according to the service quality requirement in the cross-domain access request.
In an embodiment, before responding to the access performed by the first user node through the network slice, the method further includes:
determining, through the first distributed controller and/or the second distributed controller, routing information according to the service quality requirement in the cross-domain access request, wherein the routing information is used to indicate the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
In an embodiment, the method further includes:
obtaining, through the first gateway and/or the second gateway, a cross-domain access record after the first user node ends the cross-domain access to the second user node;
setting up and maintaining a consortium chain between the first distributed controller and the second distributed controller, and maintaining the cross-domain access record through the consortium chain; wherein the cross-domain access record includes a cross-domain access event and the start and end times of the cross-domain access event.
In an embodiment, maintaining the cross-domain access record through the consortium chain further includes:
recording an abnormal access record, wherein the abnormal access record is used to indicate that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
It should be noted that each of the above modules can be implemented in software or hardware. For the latter, this can be done in the following manner, though not limited to it: the above modules are all located in the same processor; or the above modules, in any combination, are located in different processors.
Embodiment 6
An embodiment of the present invention further provides a computer-readable storage medium storing a computer program, wherein the computer program is configured to, when run, execute the steps of any one of the above method embodiments.
In some examples of this embodiment, the computer-readable storage medium may be configured to store a computer program for executing the method steps recorded in the above embodiments.
In some examples of this embodiment, the computer-readable storage medium may include, but is not limited to, various media that can store a computer program, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disc.
Embodiment 7
Referring to FIG. 12, an embodiment of the present invention further provides an electronic device, including a memory 1201 and a processor 1202, wherein the memory 1201 stores a computer program, and the processor 1202 is configured to run the computer program to execute the steps of any one of the above method embodiments.
In some examples, the electronic device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
In some examples of this embodiment, the processor may be configured to execute, through the computer program, the method steps recorded in the above embodiments.
For specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
According to the embodiments of the present invention, when a first user node belonging to a first network domain requests cross-domain access to a second user node belonging to a second network domain, a first distributed controller configured to control the first network domain responds to the cross-domain access request initiated by the first user node by sending the cross-domain access request to a second distributed controller configured to control the second network domain; after the second distributed controller receives the cross-domain access request, the first distributed controller and/or the second distributed controller further determines a network slice according to the cross-domain access request; in this way, the second user node can respond to the access performed by the first user node through the network slice. Therefore, the embodiments of the present invention can solve, at least to a certain extent, the problem that security cannot be guaranteed during cross-domain access in some situations, thereby effectively ensuring security during the cross-domain access process.
Obviously, those skilled in the art should understand that the above modules or steps of the present invention can be implemented by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network composed of multiple computing devices; optionally, they can be implemented with program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the steps shown or described can be executed in an order different from that given here, or they can be made into individual integrated circuit modules, or multiple modules or steps among them can be made into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above descriptions are merely some embodiments of the present invention and are not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the principles of the present invention shall be included within the protection scope of the present invention.

Claims (42)

  1. 一种跨域访问系统,包括:A cross-domain access system, including:
    第一用户节点,配置为发起跨域访问请求,以请求跨域访问第二用户节点;The first user node is configured to initiate a cross-domain access request to request cross-domain access to the second user node;
    第一分布式控制器,配置为响应于所述第一用户节点发起的所述跨域访问请求,以发送所述跨域访问请求至第二分布式控制器;The first distributed controller is configured to respond to the cross-domain access request initiated by the first user node to send the cross-domain access request to the second distributed controller;
    所述第二分布式控制器,配置为接收所述跨域访问请求;所述第一分布式控制器和/或所述第二分布式控制器还配置为,根据所述跨域访问请求确定网络切片;The second distributed controller is configured to receive the cross-domain access request; the first distributed controller and/or the second distributed controller is further configured to determine according to the cross-domain access request Network slicing
    所述第二用户节点,配置为响应于所述第一用户节点通过所述网络切片进行的访问;The second user node is configured to respond to the access by the first user node through the network slice;
    其中,所述第一分布式控制器用于对第一网域进行控制,所述第一用户节点为归属于所述第一网域的用户节点;所述第二分布式控制器用于对第二网域进行控制,所述第二用户节点为归属于所述第二网域的用户节点。Wherein, the first distributed controller is used to control a first network domain, the first user node is a user node belonging to the first network domain; the second distributed controller is used to control a second The network domain performs control, and the second user node is a user node belonging to the second network domain.
  2. 根据权利要求1所述的系统,还包括:The system according to claim 1, further comprising:
    第一网关,通过第一交换机连接至所述第一用户节点;所述第一网关配置为,获取所述第一用户节点发起的所述跨域访问请求,并将所述跨域访问请求转发至所述第一分布式控制器;A first gateway is connected to the first user node through a first switch; the first gateway is configured to obtain the cross-domain access request initiated by the first user node, and forward the cross-domain access request To the first distributed controller;
    第二网关,通过第二交换机连接至所述第二用户节点;所述第二网关配置为,获取所述第二分布式控制器发送的跨域访问命令,并根据所述跨域访问命令对所述第一用户节点进行认证;其中,所述跨域访问命令由所述第二分布式控制器根据所述跨域访问信息生成。The second gateway is connected to the second user node through a second switch; the second gateway is configured to obtain a cross-domain access command sent by the second distributed controller, and pair according to the cross-domain access command The first user node performs authentication; wherein the cross-domain access command is generated by the second distributed controller according to the cross-domain access information.
  3. 根据权利要求2所述的系统,其中,所述第二网关还配置为,The system according to claim 2, wherein the second gateway is further configured to:
    根据所述跨域访问命令,调用身份认证服务器对所述第一用户节点进行身份识别认证,以及,调用授权映射服务器对所述第一用户节点进行访问权限认证。According to the cross-domain access command, the identity authentication server is invoked to perform identity recognition authentication on the first user node, and the authorization mapping server is invoked to perform access authority authentication on the first user node.
  4. 根据权利要求2所述的方法,其中,所述第一网关还配置为,The method according to claim 2, wherein the first gateway is further configured to:
    调用第一密钥协商服务器,使得所述第一密钥协商服务器与第二密钥协商服务器根据所述跨域访问请求进行密钥协商,以获取跨域访问密钥;Invoking the first key agreement server, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request to obtain a cross-domain access key;
    其中,所述跨域访问密钥用于所述第一用户节点与所述第二用户节点进行跨域访问中的加密和/或解密处理;所述第一密钥协商服务器为归属于所述第一网域的密钥协商服务器,所述第二密钥协商服务器为归属于所述第二网域的密钥协商服务器。Wherein, the cross-domain access key is used for the encryption and/or decryption processing in the cross-domain access between the first user node and the second user node; the first key agreement server belongs to the The key agreement server of the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
  5. 根据权利要求2所述的系统,其中,所述第一网关还配置为,发送认证确认信息至所述第一分布式控制器;所述第二网关还配置为,发送认证确认信息至所述第二分布式控制器;The system according to claim 2, wherein the first gateway is further configured to send authentication confirmation information to the first distributed controller; and the second gateway is further configured to send authentication confirmation information to the Second distributed controller;
    所述第一分布式控制器和/或所述第二分布式控制器还配置为,根据所述认证确认信息,在所述第一分布式控制器与所述第二分布式控制器之间建立连接。The first distributed controller and/or the second distributed controller are further configured to, according to the authentication confirmation information, between the first distributed controller and the second distributed controller establish connection.
  6. 根据权利要求2所述的系统,其中,所述第一分布式控制器还配置为,通过网络功能虚拟化NFV向所述防火墙写入第一访问控制列表ACL规则,其中,所述第一ACL规则用于指示所述防火墙允许所述第一用户节点向所述第二用户节点发送跨域访问信息;The system according to claim 2, wherein the first distributed controller is further configured to write a first access control list ACL rule to the firewall through network function virtualization NFV, wherein the first ACL The rule is used to instruct the firewall to allow the first user node to send cross-domain access information to the second user node;
    所述第二分布式控制器还配置为,通过所述NFV向所述防火墙写入第二ACL规则,其中,所述第二ACL规则用于指示所述防火墙允许所述跨域访问信息进入所述第二网域。The second distributed controller is further configured to write a second ACL rule to the firewall through the NFV, where the second ACL rule is used to instruct the firewall to allow the cross-domain access information to enter the The second domain.
  7. 根据权利要求6所述的系统,其中,所述第一分布式控制器还配置为,对所述第一用户节点发送的所述跨域访问信息进行加密处理,并将所述加密后的所述跨域访问信息发送至所述第二分布式控制器;The system according to claim 6, wherein the first distributed controller is further configured to perform encryption processing on the cross-domain access information sent by the first user node, and perform encryption processing on the encrypted all Sending the cross-domain access information to the second distributed controller;
    所述第二分布式处理器还配置为,对所述加密后的所述跨域访问信息进行解密,并将所述解密后的所述跨域访问信息发送至所述第二用户节点以实现所述第一用户节点的跨域访问。The second distributed processor is further configured to decrypt the encrypted cross-domain access information, and send the decrypted cross-domain access information to the second user node to implement Cross-domain access of the first user node.
  8. 根据权利要求7所述的系统,其中,所述跨域访问请求包括:第一跨域访问请求,第二跨域访问请求;The system according to claim 7, wherein the cross-domain access request comprises: a first cross-domain access request and a second cross-domain access request;
    所述第一用户节点还配置为,发起第一跨域访问请求,以请求跨域访问所述第二用户节点;The first user node is further configured to initiate a first cross-domain access request to request cross-domain access to the second user node;
    所述第一分布式控制器还配置为,响应于所述第一用户节点发起的所述第一跨域访问请求以生成第二跨域访问请求,并发送所述第二跨域访问请求至所述第二分布式控制器;The first distributed controller is further configured to generate a second cross-domain access request in response to the first cross-domain access request initiated by the first user node, and send the second cross-domain access request to The second distributed controller;
    其中,所述第一跨域访问请求包括以下至少之一:第二用户节点域名信息、服务类型信息、服务质量要求信息;Wherein, the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
    所述第二跨域访问请求包括以下至少之一:第二用户节点地址信息、第一用户节点地址信息、所述服务 类型信息,所述服务质量要求信息。The second cross-domain access request includes at least one of the following: second user node address information, first user node address information, the service type information, and the service quality requirement information.
  9. 根据权利要求8所述的系统,其中,所述第一分布式控制器和/或所述第二分布式控制器还配置为,The system according to claim 8, wherein the first distributed controller and/or the second distributed controller are further configured to,
    根据所述跨域访问请求中的所述服务质量要求确定所述网络切片。The network slice is determined according to the service quality requirement in the cross-domain access request.
  10. 根据权利要求8所述的系统,其中,所述第一分布式控制器和/或所述第二分布式控制器还配置为,The system according to claim 8, wherein the first distributed controller and/or the second distributed controller are further configured to,
    根据所述跨域访问请求中的所述服务质量要求确定路由信息,其中,所述路由信息用于指示所述访问信息在所述第一网域或所述第二网域内部的传输路径,以及所述第一网域与所述第二网域之间的传输路径。Determining routing information according to the quality of service requirement in the cross-domain access request, where the routing information is used to indicate a transmission path of the access information within the first network domain or the second network domain, And the transmission path between the first network domain and the second network domain.
  11. 根据权利要求2至10任一项中所述的系统,还包括:The system according to any one of claims 2 to 10, further comprising:
    联盟链,设置在所述第一分布式控制器以及所述第二分布式控制器之间;所述联盟链配置为对跨域访问记录进行维护;其中,所述跨域访问记录由所述第一网关和/或所述第二网关在所述第一用户节点结束跨域访问所述第二用户节点后进行获取;The alliance chain is set between the first distributed controller and the second distributed controller; the alliance chain is configured to maintain cross-domain access records; wherein, the cross-domain access records are controlled by the The first gateway and/or the second gateway obtain the second user node after the first user node ends the cross-domain access to the second user node;
    所述跨域访问记录包括:跨域访问事件,所述跨域访问事件的发生及结束时间。The cross-domain access record includes: a cross-domain access event, the occurrence and end time of the cross-domain access event.
  12. 根据权利要求11所述的系统,其中,所述联盟链还配置为,The system according to claim 11, wherein the alliance chain is further configured to:
    记录异常访问记录,其中,所述异常访问记录用于指示所述第一用户节点跨域访问所述第二用户节点异常;所述异常访问记录由所述第一网关和/或所述第二网关上报。Record abnormal access records, where the abnormal access record is used to indicate that the first user node cross-domain access to the second user node is abnormal; the abnormal access record is controlled by the first gateway and/or the second user node Reported by the gateway.
  13. 一种跨域访问方法,应用于第一用户节点,其中,所述第一用户节点为归属于第一网域的用户节点;所述方法包括:A cross-domain access method applied to a first user node, wherein the first user node is a user node belonging to a first network domain; the method includes:
    发起跨域访问请求,并通过第一分布式控制器发送所述跨域访问请求至第二分布式控制器;其中,所述跨域访问请求用于请求跨域访问第二用户节点;Initiating a cross-domain access request, and sending the cross-domain access request to the second distributed controller through the first distributed controller; wherein the cross-domain access request is used to request cross-domain access to the second user node;
    通过网络切片对第二用户节点进行访问;其中,所述网络切片由所述第一分布式控制器和/或所述第二分布式控制器根据所述跨域访问请求进行确定;Access to the second user node through a network slice; wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
    其中,所述第一分布式控制器用于对所述第一网域进行控制;所述第二分布式控制器用于对第二网域进行控制,所述第二用户节点为归属于所述第二网域的用户节点。Wherein, the first distributed controller is used to control the first network domain; the second distributed controller is used to control a second network domain, and the second user node belongs to the first network domain. User node of the second domain.
  14. 根据权利要求13所述的方法,所述的通过第一分布式控制器发送所述跨域访问请求至第二分布式控制器的步骤之前,包括:The method according to claim 13, before the step of sending the cross-domain access request to the second distributed controller through the first distributed controller, the method comprises:
    发送所述跨域访问请求至第一网关,并通过所述第一网关将所述跨域访问请求发送至第一分布式控制器;其中,所述第一网关通过第一交换机连接至所述第一用户节点。Send the cross-domain access request to a first gateway, and send the cross-domain access request to a first distributed controller through the first gateway; wherein the first gateway is connected to the first distributed controller through a first switch The first user node.
  15. 根据权利要求14所述的方法,其中,所述通过第一分布式控制器发送所述跨域访问请求至第二分布式控制器,包括:The method according to claim 14, wherein the sending the cross-domain access request to the second distributed controller through the first distributed controller comprises:
    通过所述第一分布式控制器发送所述跨域访问请求至所述第二分布式控制器,使得所述第二分布式控制器根据所述跨域访问信息生成跨域访问命令,并将所述跨域访问命令转发至第二网关;The first distributed controller sends the cross-domain access request to the second distributed controller, so that the second distributed controller generates a cross-domain access command according to the cross-domain access information, and The cross-domain access command is forwarded to the second gateway;
    其中,所述第二网关通过第二交换机连接至所述第二用户节点;所述跨域访问命令用以指示所述第二网关根据所述跨域访问命令对所述第一用户节点进行认证。The second gateway is connected to the second user node through a second switch; the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command .
  16. 根据权利要求15所述的方法,其中,所述跨域访问命令用以指示所述第二网关根据所述跨域访问命令对所述第一用户节点进行认证,包括:The method according to claim 15, wherein the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command, comprising:
    所述跨域访问命令用以指示所述第二网关根据所述跨域访问命令,调用身份认证服务器对所述第一用户节点进行身份识别认证,以及,调用授权映射服务器对所述第一用户节点进行访问权限认证。The cross-domain access command is used to instruct the second gateway to call an identity authentication server to perform identity authentication on the first user node according to the cross-domain access command, and to call an authorization mapping server to perform identity verification on the first user. The node performs access authorization authentication.
  17. 根据权利要求15所述的方法,所述的跨域访问命令用以指示所述第二网关根据所述跨域访问命令对所述第一用户节点进行认证的步骤之后,还包括:The method according to claim 15, after the cross-domain access command is used to instruct the second gateway to authenticate the first user node according to the cross-domain access command, the method further comprises:
    通过所述第一网关调用第一密钥协商服务器,使得所述第一密钥协商服务器与第二密钥协商服务器根据所述跨域访问请求进行密钥协商,以获取跨域访问密钥;Invoking a first key agreement server through the first gateway, so that the first key agreement server and the second key agreement server perform key agreement according to the cross-domain access request, so as to obtain a cross-domain access key;
    其中,所述跨域访问密钥用于所述第一用户节点与所述第二用户节点进行跨域访问中的加密和/或解密处理;所述第一密钥协商服务器为归属于所述第一网域的密钥协商服务器,所述第二密钥协商服务器为归属于所述第二网域的密钥协商服务器。Wherein, the cross-domain access key is used for the encryption and/or decryption processing in the cross-domain access between the first user node and the second user node; the first key agreement server belongs to the The key agreement server of the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
  18. 根据权利要求17所述的方法,所述的获取跨域访问密钥的步骤之后,还包括:The method according to claim 17, after the step of obtaining the cross-domain access key, further comprising:
    通过所述第一网关发送认证确认信息至所述第一分布式控制器,并通过所述第二网关发送认证确认信息至所述第二分布式控制器,以使得所述第一分布式控制器和/或所述第二分布式控制器根据所述认证确认信息 在所述第一分布式控制器与所述第二分布式控制器之间建立连接。Send authentication confirmation information to the first distributed controller through the first gateway, and send authentication confirmation information to the second distributed controller through the second gateway, so that the first distributed control And/or the second distributed controller establishes a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
  19. 根据权利要求18所述的方法,还包括:The method of claim 18, further comprising:
    通过所述第一分布式控制器以经由网络功能虚拟化NFV向所述防火墙写入第一访问控制列表ACL规则,其中,所述第一ACL规则用于指示所述防火墙允许所述第一用户节点向所述第二用户节点发送跨域访问信息;Write a first access control list ACL rule to the firewall via the network function virtualization NFV through the first distributed controller, where the first ACL rule is used to instruct the firewall to allow the first user The node sends cross-domain access information to the second user node;
    通过所述第二分布式控制器以经由所述NFV向所述防火墙写入第二ACL规则,其中,所述第二ACL规则用于指示所述防火墙允许所述跨域访问信息进入所述第二网域。The second distributed controller is used to write a second ACL rule to the firewall via the NFV, where the second ACL rule is used to instruct the firewall to allow the cross-domain access information to enter the first Two domains.
  20. 根据权利要求19所述的方法,还包括:The method of claim 19, further comprising:
    通过所述第一分布式对所述第一用户节点发送的所述跨域访问信息进行加密处理,并将所述加密后的所述跨域访问信息发送至所述第二分布式控制器;Encrypting the cross-domain access information sent by the first user node through the first distribution, and send the encrypted cross-domain access information to the second distributed controller;
    通过所述第二分布式处理器对所述加密后的所述跨域访问信息进行解密,并将所述解密后的所述跨域访问信息发送至所述第二用户节点以实现所述第一用户节点的跨域访问。The encrypted cross-domain access information is decrypted by the second distributed processor, and the decrypted cross-domain access information is sent to the second user node to realize the first Cross-domain access of a user node.
  21. 根据权利要求13所述的方法,其中,所述跨域访问请求包括:第一跨域访问请求,第二跨域访问请求;The method according to claim 13, wherein the cross-domain access request comprises: a first cross-domain access request and a second cross-domain access request;
    所述发起跨域访问请求,并通过第一分布式控制器发送所述跨域访问请求至第二分布式控制器,包括:The initiating a cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller includes:
    发起第一跨域访问请求,以请求跨域访问所述第二用户节点;Initiating a first cross-domain access request to request cross-domain access to the second user node;
    通过所述第一分布式控制器响应于所述第一用户节点发起的所述第一跨域访问请求以生成第二跨域访问请求,并发送所述第二跨域访问请求至所述第二分布式控制器;The first distributed controller responds to the first cross-domain access request initiated by the first user node to generate a second cross-domain access request, and sends the second cross-domain access request to the first user node. Two distributed controller;
    其中,所述第一跨域访问请求包括以下至少之一:第二用户节点域名信息、服务类型信息、服务质量要求信息;Wherein, the first cross-domain access request includes at least one of the following: domain name information of the second user node, service type information, and service quality requirement information;
    所述第二跨域访问请求包括以下至少之一:第二用户节点地址信息、第一用户节点地址信息、所述服务类型信息,所述服务质量要求信息。The second cross-domain access request includes at least one of the following: second user node address information, first user node address information, the service type information, and the service quality requirement information.
  22. 根据权利要求21所述的方法,所述的通过网络切片对第二用户节点进行访问的步骤之前,还包括:The method according to claim 21, before the step of accessing the second user node through network slicing, the method further comprises:
    通过所述第一分布式控制器和/或所述第二分布式控制器以根据所述跨域访问请求中的所述服务质量要求确定所述网络切片。The first distributed controller and/or the second distributed controller are used to determine the network slice according to the service quality requirement in the cross-domain access request.
  23. The method according to claim 21, wherein before the step of accessing the second user node through the network slice, the method further comprises:
    determining, by the first distributed controller and/or the second distributed controller, routing information according to the quality of service requirement in the cross-domain access request, wherein the routing information indicates the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
  24. The method according to any one of claims 15 to 23, further comprising:
    acquiring, by the first gateway and/or the second gateway, a cross-domain access record after the first user node ends the cross-domain access to the second user node;
    establishing and maintaining a consortium chain between the first distributed controller and the second distributed controller, and maintaining cross-domain access records through the consortium chain; wherein the cross-domain access records comprise a cross-domain access event and the start and end times of the cross-domain access event.
  25. The method according to claim 24, wherein maintaining the cross-domain access records through the consortium chain further comprises:
    recording an abnormal access record, wherein the abnormal access record indicates that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
  26. A cross-domain access method, applied to a second user node, wherein the second user node is a user node belonging to a second network domain; the method comprises:
    responding to an access performed by a first user node through a network slice; wherein the network slice is determined by a first distributed controller and/or a second distributed controller according to a cross-domain access request; the first distributed controller is configured to control a first network domain; the second distributed controller is configured to control the second network domain, and the first user node is a user node belonging to the first network domain;
    the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
  27. The method according to claim 26, wherein the cross-domain access request is initiated by the first user node and sent to a first gateway, so that the first gateway sends the cross-domain access request to the first distributed controller; wherein the first gateway is connected to the first user node through a first switch.
  28. The method according to claim 27, wherein the cross-domain access request is sent to the second distributed controller through the first distributed controller, so that the second distributed controller generates a cross-domain access command according to the cross-domain access information and forwards the cross-domain access command to a second gateway;
    wherein the second gateway is connected to the second user node through a second switch; the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command.
  29. The method according to claim 28, wherein the cross-domain access command instructing the second gateway to authenticate the first user node according to the cross-domain access command comprises:
    the cross-domain access command instructing the second gateway to, according to the cross-domain access command, invoke an identity authentication server to perform identity authentication of the first user node, and invoke an authorization mapping server to perform access permission authentication of the first user node.
  30. The method according to claim 28, wherein after the step in which the cross-domain access command instructs the second gateway to authenticate the first user node according to the cross-domain access command, the method further comprises:
    invoking a first key agreement server through the first gateway, so that the first key agreement server and a second key agreement server perform key agreement according to the cross-domain access request to obtain a cross-domain access key;
    wherein the cross-domain access key is used for encryption and/or decryption processing in the cross-domain access between the first user node and the second user node; the first key agreement server is a key agreement server belonging to the first network domain, and the second key agreement server is a key agreement server belonging to the second network domain.
  31. The method according to claim 30, wherein after the step of obtaining the cross-domain access key, the method further comprises:
    sending authentication confirmation information to the first distributed controller through the first gateway, and sending authentication confirmation information to the second distributed controller through the second gateway, so that the first distributed controller and/or the second distributed controller establish a connection between the first distributed controller and the second distributed controller according to the authentication confirmation information.
  32. The method according to claim 31, further comprising:
    writing, by the first distributed controller via network function virtualization (NFV), a first access control list (ACL) rule to the firewall, wherein the first ACL rule instructs the firewall to allow the first user node to send cross-domain access information to the second user node;
    writing, by the second distributed controller via the NFV, a second ACL rule to the firewall, wherein the second ACL rule instructs the firewall to allow the cross-domain access information to enter the second network domain.
  33. The method according to claim 32, further comprising:
    encrypting, by the first distributed controller, the cross-domain access information sent by the first user node, and sending the encrypted cross-domain access information to the second distributed controller;
    decrypting, by the second distributed controller, the encrypted cross-domain access information, and sending the decrypted cross-domain access information to the second user node, so as to realize the cross-domain access of the first user node.
  34. The method according to claim 26, wherein the cross-domain access request comprises a first cross-domain access request and a second cross-domain access request;
    initiating the cross-domain access request and sending the cross-domain access request to the second distributed controller through the first distributed controller comprises:
    initiating the first cross-domain access request to request cross-domain access to the second user node;
    generating, by the first distributed controller in response to the first cross-domain access request initiated by the first user node, the second cross-domain access request, and sending the second cross-domain access request to the second distributed controller;
    wherein the first cross-domain access request comprises at least one of: domain name information of the second user node, service type information, and quality of service requirement information;
    the second cross-domain access request comprises at least one of: address information of the second user node, address information of the first user node, the service type information, and the quality of service requirement information.
  35. The method according to claim 34, wherein before the step of responding to the access performed by the first user node through the network slice, the method further comprises:
    determining, by the first distributed controller and/or the second distributed controller, the network slice according to the quality of service requirement in the cross-domain access request.
  36. The method according to claim 34, wherein before the step of responding to the access performed by the first user node through the network slice, the method further comprises:
    determining, by the first distributed controller and/or the second distributed controller, routing information according to the quality of service requirement in the cross-domain access request, wherein the routing information indicates the transmission path of the access information within the first network domain or the second network domain, and the transmission path between the first network domain and the second network domain.
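The control-plane sequence spread across claims 21-23, 28-32 and 34-36 (name-based first request resolved by the first controller into an address-based second request, slice selection from the QoS requirement, identity and authorization checks at the second gateway, and ACL rules written only after the checks pass) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not code from the patent or its assignee; the address tables, the credential comparison, the QoS-to-slice table and the tuple form of the ACL rules are all assumptions of the example. It goes slightly beyond the claims by showing the deny paths: a wrong credential, an unmapped service type and an unsatisfiable QoS each leave both firewalls closed.

```python
"""Added model of the control-plane sequence in claims 21-23, 28-32 and 34-36.
Illustration written for this page, not code from the patent or its assignee;
the address tables, credential check, QoS-to-slice table and ACL format are
assumptions of the example."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class FirstRequest:            # claims 21/34: target named by domain name
    first_node: str            # requesting node in the first domain
    target_domain_name: str    # domain name of the second user node
    service_type: str
    qos: str                   # quality of service requirement

@dataclass(frozen=True)
class SecondRequest:           # built by the first controller: both ends are addresses
    first_addr: str
    second_addr: str
    service_type: str
    qos: str

# Constructed QoS-to-slice table (claims 22/35); an assumption of this example.
SLICES = {"low-latency": "slice-urllc", "bulk": "slice-embb"}

def choose_slice(qos: str) -> str:
    """Reject an unknown QoS rather than fall back to some default slice."""
    if qos not in SLICES:
        raise ValueError(f"no slice satisfies QoS {qos!r}")
    return SLICES[qos]

class FirstController:
    """First domain: resolves the first request into the second one (claim 21)
    and holds the egress ACL written via NFV (claim 32), modelled as a list."""
    def __init__(self, node_addrs: Dict[str, str], name_table: Dict[str, str]):
        self.node_addrs = node_addrs   # first-domain node -> address
        self.name_table = name_table   # domain name -> second-domain address
        self.acl = []                  # (src, dst, action) tuples

    def make_second_request(self, req: FirstRequest) -> SecondRequest:
        if req.first_node not in self.node_addrs:
            raise PermissionError("requester is not a node of the first domain")
        if req.target_domain_name not in self.name_table:
            raise LookupError(f"unknown domain name {req.target_domain_name!r}")
        return SecondRequest(self.node_addrs[req.first_node],
                             self.name_table[req.target_domain_name],
                             req.service_type, req.qos)

class SecondGateway:
    """Runs the access command (claims 28-29): identity server check first,
    then authorization mapping check.  Both servers are modelled as tables."""
    def __init__(self, identity: Dict[str, str], authz: Dict[Tuple[str, str], Set[str]]):
        self.identity = identity   # first_addr -> expected credential (assumption)
        self.authz = authz         # (first_addr, second_addr) -> allowed services

    def authenticate(self, cmd: SecondRequest, credential: str) -> str:
        if self.identity.get(cmd.first_addr) != credential:
            return "denied:identity"
        if cmd.service_type not in self.authz.get((cmd.first_addr, cmd.second_addr), set()):
            return "denied:authorization"
        return "granted"

class SecondController:
    """Second domain: passes the command to its gateway and writes the ingress
    ACL (claim 32) only when the gateway grants access."""
    def __init__(self, gateway: SecondGateway):
        self.gateway = gateway
        self.acl = []

    def handle(self, req2: SecondRequest, credential: str) -> str:
        verdict = self.gateway.authenticate(req2, credential)
        if verdict == "granted":
            self.acl.append((req2.first_addr, req2.second_addr, "allow"))
        return verdict

def run_cross_domain_access(req: FirstRequest, credential: str,
                            c1: FirstController, c2: SecondController) -> dict:
    """One access end to end.  The slice is fixed before any ACL is written, so
    an unsatisfiable QoS or a failed check leaves both firewalls closed."""
    req2 = c1.make_second_request(req)
    slice_id = choose_slice(req2.qos)          # claims 22/35
    verdict = c2.handle(req2, credential)      # claims 28-29
    if verdict != "granted":
        return {"status": verdict, "slice": None}
    c1.acl.append((req2.first_addr, req2.second_addr, "allow"))   # first ACL rule
    return {"status": "granted", "slice": slice_id,
            "egress_acl": len(c1.acl), "ingress_acl": len(c2.acl)}

def build_demo() -> Tuple[FirstController, SecondController]:
    """Constructed two-domain topology; every value here is invented."""
    c1 = FirstController({"nodeA": "10.1.0.5"}, {"srv.domain2.example": "10.2.0.9"})
    gw2 = SecondGateway({"10.1.0.5": "credential-A"}, {("10.1.0.5", "10.2.0.9"): {"video"}})
    return c1, SecondController(gw2)
```

Two design points matter for a reviewer of such a system. The ordering is deliberate: the slice is chosen and the second gateway's verdict is obtained before either controller touches its ACL, so no firewall rule can be left behind by a request that later fails. And the authorization mapping is keyed on the resolved address pair plus the service type, which is what the second request carries; a check keyed only on the first user node's identity would let a node authenticated for one service reach any other.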
  37. The method according to any one of claims 28 to 36, further comprising:
    acquiring, by the first gateway and/or the second gateway, a cross-domain access record after the first user node ends the cross-domain access to the second user node;
    establishing and maintaining a consortium chain between the first distributed controller and the second distributed controller, and maintaining cross-domain access records through the consortium chain; wherein the cross-domain access records comprise a cross-domain access event and the start and end times of the cross-domain access event.
  38. The method according to claim 37, wherein maintaining the cross-domain access records through the consortium chain further comprises:
    recording an abnormal access record, wherein the abnormal access record indicates that the cross-domain access of the first user node to the second user node is abnormal; the abnormal access record is reported by the first gateway and/or the second gateway.
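Claims 24-25 and 37-38 place the access records (event, start and end time, and the gateway-reported abnormal records) on a consortium chain maintained between the two controllers. The audit value of that arrangement is that neither domain can quietly rewrite what the other has already witnessed. The Python below is an added illustration written for this page, not code from the patent or its assignee: it models the ledger as a SHA-256 hash chain whose blocks may be proposed only by the two controllers and whose records may be reported only by registered gateways, and it shows what a verifier sees after one party edits a committed abnormal record. The record layout, the membership checks and the hash chaining are assumptions standing in for a real consortium chain and its consensus protocol.

```python
"""Added model of the consortium chain in claims 24-25 and 37-38.
Illustration written for this page, not the patent's or its assignee's code.
The record layout, SHA-256 hash chaining and the membership checks are
assumptions standing in for a real consortium chain and its consensus."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class AccessRecord:
    """Record a gateway reports after an access ends (claims 24/37);
    abnormal=True marks an abnormal access record (claims 25/38)."""
    event: str
    first_node: str
    second_node: str
    start: int        # event start time (constructed epoch seconds)
    end: int          # event end time
    abnormal: bool
    reporter: str     # gateway that reported the record

@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record: Optional[dict]   # None only for the genesis block
    proposer: str            # controller that proposed the block
    hash: str

def block_hash(index: int, prev_hash: str, record: Optional[dict], proposer: str) -> str:
    """Canonical JSON so every member derives the same digest for a block."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record,
                       "proposer": proposer}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

class ConsortiumChain:
    """Ledger shared by the first and second distributed controllers.  Only
    members may propose blocks and only registered gateways may report."""
    def __init__(self, members: List[str], gateways: List[str]):
        self.members = set(members)
        self.gateways = set(gateways)
        zero = "0" * 64
        self.blocks: List[Block] = [Block(0, zero, None, "genesis",
                                          block_hash(0, zero, None, "genesis"))]

    def append(self, rec: AccessRecord, proposer: str) -> Block:
        if proposer not in self.members:
            raise PermissionError(f"{proposer} is not a consortium member")
        if rec.reporter not in self.gateways:
            raise PermissionError(f"{rec.reporter} is not a registered gateway")
        if rec.end < rec.start:
            raise ValueError("access end time precedes start time")
        prev = self.blocks[-1]
        body = asdict(rec)
        blk = Block(prev.index + 1, prev.hash, body, proposer,
                    block_hash(prev.index + 1, prev.hash, body, proposer))
        self.blocks.append(blk)
        return blk

    def verify(self) -> bool:
        """Recompute every hash and back-link; False once any committed block
        has been altered, reordered or removed."""
        for i, blk in enumerate(self.blocks):
            expected_prev = "0" * 64 if i == 0 else self.blocks[i - 1].hash
            if blk.index != i or blk.prev_hash != expected_prev:
                return False
            if block_hash(blk.index, blk.prev_hash, blk.record, blk.proposer) != blk.hash:
                return False
        return True

    def abnormal_records(self) -> List[dict]:
        """The abnormal access records (claims 25/38) an operator would review."""
        return [b.record for b in self.blocks if b.record and b.record["abnormal"]]

def build_demo() -> ConsortiumChain:
    """Constructed sample ledger: one normal and one abnormal access."""
    chain = ConsortiumChain(["controller-1", "controller-2"], ["gw1", "gw2"])
    chain.append(AccessRecord("cross-domain-access", "nodeA", "nodeB",
                              1000, 1060, False, "gw1"), "controller-1")
    chain.append(AccessRecord("cross-domain-access", "nodeA", "nodeB",
                              2000, 2003, True, "gw2"), "controller-2")
    return chain

def tamper(chain: ConsortiumChain, index: int) -> None:
    """Simulate one member rewriting history: clear the abnormal flag of a
    committed block without recomputing the digests that cover it."""
    blk = chain.blocks[index]
    chain.blocks[index] = replace(blk, record=dict(blk.record, abnormal=False))
```

The hash chain alone only makes tampering detectable, not impossible: a member that recomputes every later digest after editing a block would pass `verify()` on its own copy. What stops that in a consortium setting is that the other controller holds an independent copy and the two are compared, which is exactly why the claims place the chain between both controllers rather than inside one domain.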
  39. A cross-domain access device, applied to a first user node, wherein the first user node is a user node belonging to a first network domain; the device comprises:
    a request module, configured to initiate a cross-domain access request and send the cross-domain access request to a second distributed controller through a first distributed controller; wherein the cross-domain access request is used to request cross-domain access to a second user node;
    an access module, configured to access the second user node through a network slice; wherein the network slice is determined by the first distributed controller and/or the second distributed controller according to the cross-domain access request;
    wherein the first distributed controller is configured to control the first network domain; the second distributed controller is configured to control a second network domain, and the second user node is a user node belonging to the second network domain.
  40. A cross-domain access device, applied to a second user node, wherein the second user node is a user node belonging to a second network domain; the device comprises:
    a response module, configured to respond to an access performed by a first user node through a network slice; wherein the network slice is determined by a first distributed controller and/or a second distributed controller according to a cross-domain access request; the first distributed controller is configured to control a first network domain; the second distributed controller is configured to control the second network domain, and the first user node is a user node belonging to the first network domain;
    the cross-domain access request is initiated by the first user node and sent to the second distributed controller through the first distributed controller.
  41. A computer-readable storage medium storing a computer program, wherein the computer program is configured to, when run, execute the method according to any one of claims 13 to 25 or claims 26 to 38.
  42. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program to execute the method according to any one of claims 13 to 25 or claims 26 to 38.
PCT/CN2020/135884 2019-12-13 2020-12-11 Cross-domain access system, method and device, storage medium, and electronic device WO2021115449A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911285474.4 2019-12-13
CN201911285474.4A CN112995097B (en) 2019-12-13 2019-12-13 Cross-domain access system, method and device

Publications (1)

Publication Number Publication Date
WO2021115449A1 true WO2021115449A1 (en) 2021-06-17

Family

ID=76329117

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/135884 WO2021115449A1 (en) 2019-12-13 2020-12-11 Cross-domain access system, method and device, storage medium, and electronic device

Country Status (2)

Country Link
CN (1) CN112995097B (en)
WO (1) WO2021115449A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024749A (en) * 2021-11-05 2022-02-08 西北工业大学 Industrial equipment logic cross-domain access authentication method based on inter-domain cooperation of central nodes
CN114079632A (en) * 2021-10-09 2022-02-22 中国互联网络信息中心 Credible inter-domain routing method and system based on block chain
CN114513530A (en) * 2022-04-19 2022-05-17 山东省计算中心(国家超级计算济南中心) Cross-domain storage space bidirectional supply method and system
CN114900439A (en) * 2022-05-06 2022-08-12 北京中睿天下信息技术有限公司 Visualization technology of inter-domain access relation
CN115022324A (en) * 2022-06-08 2022-09-06 中国银行股份有限公司 Network point cluster processing method and system based on edge calculation
CN115065679A (en) * 2022-06-02 2022-09-16 湖南天河国云科技有限公司 Block chain based electronic health profile sharing model, method, system, and medium
CN115776389A (en) * 2022-11-01 2023-03-10 龙应斌 Anti-theft data access security method and system based on trusted authentication link
WO2023202461A1 (en) * 2022-04-20 2023-10-26 京东方科技集团股份有限公司 Method for controlling cross-domain device, and control terminal, server and system
CN117254977A (en) * 2023-11-16 2023-12-19 联通(广东)产业互联网有限公司 Network security monitoring method and system and storage medium
CN115065679B (en) * 2022-06-02 2024-06-07 湖南天河国云科技有限公司 Electronic health record sharing model, method, system and medium based on blockchain

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115664870B (en) * 2022-12-28 2023-04-07 北京志翔科技股份有限公司 Cross-distributed-node desktop access method, device and system and electronic equipment
CN116846547B (en) * 2023-05-10 2024-05-24 成都信息工程大学 Quantum technology-based political data cross-domain secure transmission method
CN117354305B (en) * 2023-12-04 2024-02-06 中国信息通信研究院 Intercommunication cooperative control method and architecture

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741568A (en) * 2009-12-18 2010-06-16 成都市华为赛门铁克科技有限公司 Surfing method, client, security gateway and surfing system
US20120226824A1 (en) * 2011-03-02 2012-09-06 Ciena Corporation Distributed network planning systems and methods
CN103795530A (en) * 2012-10-31 2014-05-14 华为技术有限公司 Cross-domain controller authentication method, cross-domain controller authentication device and host
CN105812273A (en) * 2014-12-31 2016-07-27 华为软件技术有限公司 Load balancing method and device
CN109560955A (en) * 2017-09-27 2019-04-02 华为技术有限公司 The deployment information of network determines method and apparatus
CN109962937A (en) * 2017-12-14 2019-07-02 中兴通讯股份有限公司 A kind of multiple domain multilayer connection service establishing method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7568218B2 (en) * 2002-10-31 2009-07-28 Microsoft Corporation Selective cross-realm authentication
CN104506480B (en) * 2014-06-27 2018-11-23 深圳市永达电子信息股份有限公司 The cross-domain access control method and system combined based on label with audit
CN106559408B (en) * 2015-11-27 2019-12-13 国网智能电网研究院 SDN authentication method based on trust management
US10205706B2 (en) * 2016-05-11 2019-02-12 Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. System and method for programmable network based encryption in software defined networks
CN107302498B (en) * 2017-06-21 2019-08-27 安徽大学 The multiple domain QoS path calculation method of secret protection is supported in a kind of SDN network

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114079632A (en) * 2021-10-09 2022-02-22 中国互联网络信息中心 Credible inter-domain routing method and system based on block chain
CN114024749B (en) * 2021-11-05 2022-11-29 西北工业大学 Industrial equipment logic cross-domain access authentication method based on inter-domain cooperation of central nodes
CN114024749A (en) * 2021-11-05 2022-02-08 西北工业大学 Industrial equipment logic cross-domain access authentication method based on inter-domain cooperation of central nodes
CN114513530A (en) * 2022-04-19 2022-05-17 山东省计算中心(国家超级计算济南中心) Cross-domain storage space bidirectional supply method and system
WO2023202461A1 (en) * 2022-04-20 2023-10-26 京东方科技集团股份有限公司 Method for controlling cross-domain device, and control terminal, server and system
CN114900439A (en) * 2022-05-06 2022-08-12 北京中睿天下信息技术有限公司 Visualization technology of inter-domain access relation
CN115065679A (en) * 2022-06-02 2022-09-16 湖南天河国云科技有限公司 Block chain based electronic health profile sharing model, method, system, and medium
CN115065679B (en) * 2022-06-02 2024-06-07 湖南天河国云科技有限公司 Electronic health record sharing model, method, system and medium based on blockchain
CN115022324A (en) * 2022-06-08 2022-09-06 中国银行股份有限公司 Network point cluster processing method and system based on edge calculation
CN115022324B (en) * 2022-06-08 2024-04-19 中国银行股份有限公司 Method and system for processing network point cluster based on edge calculation
CN115776389A (en) * 2022-11-01 2023-03-10 龙应斌 Anti-theft data access security method and system based on trusted authentication link
CN115776389B (en) * 2022-11-01 2023-11-07 龙应斌 Anti-theft data security access method and system based on trusted authentication link
CN117254977A (en) * 2023-11-16 2023-12-19 联通(广东)产业互联网有限公司 Network security monitoring method and system and storage medium
CN117254977B (en) * 2023-11-16 2024-03-01 联通(广东)产业互联网有限公司 Network security monitoring method and system and storage medium

Also Published As

Publication number Publication date
CN112995097A (en) 2021-06-18
CN112995097B (en) 2023-09-22

Similar Documents

Publication Publication Date Title
WO2021115449A1 (en) Cross-domain access system, method and device, storage medium, and electronic device
US10706427B2 (en) Authenticating and enforcing compliance of devices using external services
US10042665B2 (en) Customer premises equipment (CPE) with virtual machines for different service providers
WO2018095416A1 (en) Information processing method, device and system
CN103404103A (en) System and method for combining an access control system with a traffic management system
EP2534889B1 (en) Method and apparatus for redirecting data traffic
WO2022247751A1 (en) Method, system and apparatus for remotely accessing application, device, and storage medium
US10595320B2 (en) Delegating policy through manufacturer usage descriptions
EP3529950B1 (en) Method for managing data traffic within a network
JP2020535530A (en) Resource processing methods, equipment, systems and computer readable media
CN109936515B (en) Access configuration method, information providing method and device
US7424736B2 (en) Method for establishing directed circuits between parties with limited mutual trust
CN105743922B (en) The method, apparatus and system of inter-domain communication
KR20150067044A (en) Methods and apparatuses for optimizing common service execution based on node resources
CN115314323B (en) Information transmission method and system
KR20100060130A (en) System for protecting private information and method thereof
KR20150067041A (en) Method and apparatus of controlling registration in M2M system for load balancing
CN114666341A (en) Decentralized SDP controller implementation method and computer storage medium
KR20150066401A (en) Data handling technique in the M2M Environment
US20140325672A1 (en) Method of providing lawful interception of data in a secure communication system
WO2023227067A1 (en) Quantum network communication method and apparatus, electronic device and storage medium
WO2023202412A1 (en) Communication method and apparatus
CN114640512B (en) Security service system, access control method, and computer-readable storage medium
CN116074125B (en) End-to-end password middle station zero trust security gateway system
CN117356073A (en) Indicating a web-based agreement contract using packet-level data

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20899710

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20899710

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 01/03/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 20899710

Country of ref document: EP

Kind code of ref document: A1