CN101383813A - Method and system for network uni-directional forwarding - Google Patents
Method and system for network uni-directional forwarding Download PDFInfo
- Publication number
- CN101383813A CN101383813A CNA2007100768552A CN200710076855A CN101383813A CN 101383813 A CN101383813 A CN 101383813A CN A2007100768552 A CNA2007100768552 A CN A2007100768552A CN 200710076855 A CN200710076855 A CN 200710076855A CN 101383813 A CN101383813 A CN 101383813A
- Authority
- CN
- China
- Prior art keywords
- data
- module
- submodule
- receiver module
- host
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a method of one-way forwarding of the network and a system. The system comprises a transmitting module used for receiving source host information with one-way forwarding and a receiving module used for sending information to a target host with one-way forwarding; the method comprises the following steps: (A) the source host sends a request signal for requesting to receive data to the receiving module by the transmitting module; (B) after receiving the request, the receiving module sends the received and prepared signal to the transmitting module under the condition of preparing to receive the data; (C) after receiving the prepared signal, the transmitting module receives a source host data block and forwards the data block to the receiving module; after receiving the data block, the receiving module sends a checking signal of the data back to the transmitting module; and (D) after the process of receiving the data block transmitted by the transmitting module is completed, the receiving module forwards the data block to the target host. The method and the system are used for realizing one-way transmission and forwarding of the network with feedback signals and further improve the reliability of network data.
Description
Technical field
The present invention relates to a kind of method and system of network uni-directional visit.
Background technology
Data diode (being called for short unidirectional gateway) is based on the security boundary safeguard (being based on the network security transmission equipment of uni-directional physical transmission technology) of pure one-way transmission technical concept.
The absolute one-way transmission feature of unidirectional gateway, determined it to be applicable to following two kinds of application scenarioss: one is data importing, guarantees that Intranet information does not leak into outer net in importing process; It two is the unidirectional issue of information, guarantees Intranet to the unidirectional passing data of outer net the time, and outer net can't be invaded inner sensitive network.
From hardware configuration, unidirectional gateway is a two main process equipment, and it is made up of four parts: outer terminal, unidirectional isolation card, optical-fibre channel and interior terminal (physical transmission channel, transport module, receiver module).Wherein outer terminal and interior terminal are the main frames of two platform independent, have only connecting interface between outer terminal and the interior terminal, promptly by optical-fibre channel and unidirectional isolation card physical transmission channel, transport module, receiver module) data sheet that forms is to transmission channel.Unidirectional gateway has two unidirectional isolation modules altogether, links to each other with inside and outside terminal by the PCI-E interface respectively.Adopt unidirectional optical channel continuous (adopting the individual event physical connection) between two unidirectional isolation cards, the unidirectional isolation card that inserts in outer terminal only has light emission module, the unidirectional isolation card that inserts in interior terminal only has light and accepts module, guarantees light signal one-way transmission between inner-mesh network thus.
Some limitation of the mode of above-mentioned one-way transmission: one, just on time slot, realized isolation, failed to realize real one-way transmission; Two, adopt the time slot isolation, therefore on transfer of data, certainly existed time-delay, can not realize synchronous transmission; Three, xegregating unit requires height, cost height.
Summary of the invention
Technical problem to be solved by this invention is: the method that provides a kind of network uni-directional to transmit, be used for realizing having the network uni-directional transmission forwarding of feedback signal, and then the fail safe and the reliability of raising network data, reduce the delay time of transmission course, and reduce cost by the input that reduces hardware device.
The further technical problem to be solved of the present invention is: the system that provides a kind of network uni-directional to transmit, be used for realizing having the network uni-directional transmission forwarding of feedback signal, and then the fail safe and the reliability of raising network data, reduce the delay time of transmission course, and reduce cost by the input that reduces hardware device.
For solving above-mentioned first technical problem, the present invention adopts following technical scheme: the method that a kind of network uni-directional is transmitted comprises the steps:
A, source host send the request signal that request receives data by transit module to receiver module;
After B, receiver module are received request, be ready to receive under the data conditions, sending the receive ready signal to transit module;
After C, transit module are received described receive ready signal, reception sources host data piece, and transmit this data block to receiver module; Receiver module postbacks the checking signal of data to transit module after receiving data block;
After the process of the data block that D, receiver module reception transit module transmit is finished, again data block is transmitted to destination host.
In order to solve second technical problem, the present invention proposes the system that a kind of network uni-directional is transmitted, and it is characterized in that:
Described system comprises the transit module of the source host information that receives unidirectional forwarding and sends the receiver module of information to the destination host of unidirectional forwarding;
Described transit module comprise with source host shake hands the reception submodule that is connected, transmit the unidirectional transmission submodule and the instruction implementation sub-module of data to described receiver module; The control of instruction implementation sub-module receives submodule reception sources host data and sends response message to source host, and the instruction implementation sub-module is also controlled unidirectional transmission submodule and sent data and handle the instruction that receiver module sends to receiver module; Receive the data of submodule reception sources main frame; Unidirectional sending module sends data to receiver module;
Described receiver module comprises the transmission submodule that receives data submodule, commands for controlling submodule and send data to destination host; Receive the data submodule and receive the data that transit module sends over; Send submodule and send data to destination host; Commands for controlling submodule control receives the data submodule and receives data and and send feedback information to transit module.
The invention has the beneficial effects as follows: compared to existing technology, the present invention needn't cut off the physical connection between source host and the destination host when network uni-directional is transmitted data, so just can reduce the high standard requirement of transferring equipment to equipment such as memories, and minimizing hardware input cost, can realize simultaneously the data feedback function in the transfer process again, make transfer of data in time, efficient, complete sum safety; The present invention can satisfy the requirement to fail safe of network uni-directional transmission data fully.
Description of drawings
Fig. 1 is the schematic diagram of invention.
Embodiment
The invention provides the method that a kind of network uni-directional is transmitted, this method comprises the steps:
A, source host send the request signal that request receives data by transit module to receiver module;
After B, receiver module are received request, be ready to receive under the data conditions, sending the receive ready signal to transit module;
After C, transit module are received described receive ready signal, reception sources host data piece, and transmit this data block to receiver module; Receiver module postbacks the checking signal of data to transit module after receiving data block;
After the process of the data block that D, receiver module reception transit module transmit is finished, again data block is transmitted to destination host.
The present invention also proposes the system that a kind of network uni-directional is transmitted, and this system comprises the transit module of the source host information that receives unidirectional forwarding and sends the receiver module of information to the destination host of unidirectional forwarding;
Transit module comprise with source host shake hands the reception submodule that is connected, transmit the unidirectional transmission submodule and the instruction implementation sub-module of data to receiver module; The control of instruction implementation sub-module receives submodule reception sources host data and sends response message to source host, and the instruction implementation sub-module is also controlled unidirectional transmission submodule and sent data and handle the instruction that receiver module sends to receiver module; Receive the data of submodule reception sources main frame; Unidirectional sending module sends data to receiver module.
Receiver module comprises the transmission submodule that receives data submodule, commands for controlling submodule and send data to destination host; Receive the data submodule and receive the data that transit module sends over; Send submodule and send data to destination host; Commands for controlling submodule control receives the data submodule and receives data and and send feedback information to transit module.
The structure of system of the present invention and principle are referring to Fig. 1.Be the unidirectional repeater system of the present invention among Fig. 1 in the frame of broken lines.
This system sees from the outside and comprises input (input), output (output).Input in inside again corresponding to transit module end (transmitter), output in inside again corresponding to receiver module end (receiver).Be that input obtains the outside communication information (comprising the information and the application layer data that connect), be transmitted to inner receiver module as transmitting terminal after treatment in inside, receiver module externally outputs to outside destination host as output with information.Transit module and receiver module all have Ethernet interface to be connected communication by Ethernet to the outer end with other main frames or network.Native system realizes that on the unidirectional basis of physics UDP communicates by letter with limited TCP.To packet based on TCP/UDP, separate application layer data and add that self-defining control protocol information is forwarded to output by input, output is repacked data and is mail to destination host.
Native system is divided into three layers from the bottom to top on software is realized:
1, data link layer---guarantee the underlying protocol of reliable one-way transmission;
2, key-course---the control command agreement of sending to output by input;
3, application layer---according to the pattern difference of work, to the TCP of outside, UDP, packets such as ARP bag are taked different forwardings or responder action.
What the present invention was the most basic is applied as:
Transit module is received the packet of source host, if be connected with the TCP of destination host for setting up, transit module can replace the destination host connection of shaking hands, and connection request is forwarded.If same for removing connection, transit module can replace the destination host dismounting to connect.If issue the UDP bag of destination host or the packet of TCP (rather than the connection request that need answer), then be transmitted to receiver module.Agreement can take place to receive by the comparable data link layer in the process that the input of system (transit module) is issued data or other solicited messages the output (receiver module) of system.The packing data that the output of system will need to transmit is issued destination host.And the control information of passback is limited.
According to the occasion difference of using, native system can work in three kinds of patterns: port forward mode, proxy mode and transparent mode.
1, port forward mode:
The source host of outside global network transmits data by native system to the destination host of inner private network, because of can not directly being visited by the public network main frame IP address of private network, so the listening port of host ip in the private network and service all is mapped as each different port of native system, the main frame of public network is directly visited the different port of native system, gives corresponding private network main frame and port according to mapping table with data forwarding by native system.
2, proxy mode:
The destination host of Intranet sends request msg by native system to the host of data sources of outer net, because of the IP of Intranet can not be exposed to outer net, intranet host directly and native system connect, by agency agreement to the native system apply for agency, after authentication was passed through, native system is replied to the main frame of Intranet apply for agency can proxy information.Outer net Target IP that intranet host will be visited and port and the data that will send are passed to native system.Native system and outer net destination host connect, and with outer net main frame and the port of data forwarding to the intranet host appointment.
3, transparent mode:
When working in this pattern, native system is equivalent to a transparent bridge (but one-way transmission data only, and linking number is limited).In native system, configure the IP scope of the network that connects output in advance.When source host in the network of welding system input will initiate to be connected and transmit data with the destination host at welding system output networking, the MAC Address of the first broadcast arp bag inquiry of source host meeting destination host, native system is tabled look-up and is learnt that destination host is in the network range of output, just the MAC with oneself answers ARP inquiry, therefore for source host, native system is exactly a destination host, source host and destination host connect, native system simulated target main frame and source host connect, and to hyphen N of this connection, with hyphen N, the IP+ port of source host and the IP+ port of destination host, protocol type is kept in the connection pool.The input of simultaneity factor can ask output can set up a connection with destination host again, and should connect corresponding with hyphen N.After connecting foundation, source host sends data, and native system replaces destination host to answer the affirmation bag, and input sends data and hyphen to output, and output is about to data and sends with the pairing connection of hyphen N.
Method embodiment of the present invention such as following table.
| Transit module (Transmitter) | Receiver module (Receiver) | |
| 1 | Send a pulse signal SEND_REQ, wait for up to RCV_RDY again being cleared | |
| 2 | After receiving the interrupt signal of SEND_REQ generation, with RCV_RDY, CRC_OK, APP_OK zero clearing | |
| 3 | After reading RCV_RDY and be zero, send data block by TX.Be masked as 1 transmission current data block if retransmit, be masked as 0, then send next data block if retransmit.If next data block then forwards last step to and finishes this transmission for empty (be last piece correctly send finish).A maximum MAX_BLOCK_SIZE of data block (tentative 100KB) is divided into several Frames, and each Frame maximum is no more than MTU byte, and CRC check sign indicating number and " frame end sign indicating number " are all arranged.Last frame comprises " end-of-block code " in the data block. | The previous frame of verification on one side is Yi Bian receive present frame and put into buffer memory. |
| 4 | After blocks of data sends and to finish, then wait for up to RCV_RDY and put 1 or timer expired | |
| 5 | After receiving end-of-block code, if all frame checks are all correct, |
| Then data block is given upper-layer protocol to soar buffer memory and CRC_OK=1 is set and RCV_RDY=1., if vicious frame, then with CRC_OK=0, RCV_RDY=1, and all buffer memorys of removing current data block | ||
| 6 | After detecting RCV_RDY=1, further read CRC_OK again, if zero, then establish re-transmission and be masked as 1, otherwise retransmit the sign zero clearing.And turn back to step 1 if do not detect RCV_RDY=1 and then do not establish receiving terminal error flag RCVR_ERR=1 and finish this transmission before the timer expired | |
| 7 | Finish | Wait for the interruption of SEND_REQ |
Signal name:
| SEND_REQ | Send Request sends request, and transmitting terminal sends, and pulse signal produces receiving terminal and interrupts |
| RCV_RDY | Ready to receive prepares to receive, and receiving terminal sends, and 1: be ready to 0: unripe |
| CRC_OK | CRC check is correct, and receiving terminal sends, and 1: correct 0: mistake, this signal will be just to can read in 1 o'clock at RCV_RDY |
| APP1_OK APP2_OK | The application layer answer signal, standby, receiving terminal sends, and this signal will be just to can read in 1 o'clock at RCV_RDY |
Claims (2)
1, a kind of method of network uni-directional forwarding is characterized in that comprising the steps:
A, source host send the request signal that request receives data by transit module to receiver module;
After B, receiver module are received request, be ready to receive under the data conditions, sending the receive ready signal to transit module;
After C, transit module are received described receive ready signal, reception sources host data piece, and transmit this data block to receiver module; Receiver module postbacks the checking signal of data to transit module after receiving data block;
After the process of the data block that D, receiver module reception transit module transmit is finished, again data block is transmitted to destination host.
2, a kind of system of network uni-directional forwarding is characterized in that:
Described system comprises the transit module of the source host information that receives unidirectional forwarding and sends the receiver module of information to the destination host of unidirectional forwarding;
Described transit module comprise with source host shake hands the reception submodule that is connected, transmit the unidirectional transmission submodule and the instruction implementation sub-module of data to described receiver module; The control of instruction implementation sub-module receives submodule reception sources host data and sends response message to source host, and the instruction implementation sub-module is also controlled unidirectional transmission submodule and sent data and handle the instruction that receiver module sends to receiver module; Receive the data of submodule reception sources main frame; Unidirectional sending module sends data to receiver module;
Described receiver module comprises the transmission submodule that receives data submodule, commands for controlling submodule and send data to destination host; Receive the data submodule and receive the data that transit module sends over; Send submodule and send data to destination host; The control of commands for controlling submodule receives the data submodule and receives data and send feedback information to transit module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2007100768552A CN101383813A (en) | 2007-09-03 | 2007-09-03 | Method and system for network uni-directional forwarding |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2007100768552A CN101383813A (en) | 2007-09-03 | 2007-09-03 | Method and system for network uni-directional forwarding |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101383813A true CN101383813A (en) | 2009-03-11 |
Family
ID=40463437
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2007100768552A Pending CN101383813A (en) | 2007-09-03 | 2007-09-03 | Method and system for network uni-directional forwarding |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101383813A (en) |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102984283A (en) * | 2012-12-25 | 2013-03-20 | 北京理工大学 | System and method for remote monitoring and service of electric vehicle |
| WO2013086930A1 (en) * | 2011-12-15 | 2013-06-20 | 优视科技有限公司 | Cross-device file transmission method, apparatus, transit server and device |
| CN103491072A (en) * | 2013-09-06 | 2014-01-01 | 北京信息控制研究所 | Boundary access control method based on double one-way separation gatekeepers |
| CN104363231A (en) * | 2014-11-17 | 2015-02-18 | 北京锐驰信安技术有限公司 | Network security isolation and information exchange method and system based on one-way channel |
| CN106452792A (en) * | 2016-11-21 | 2017-02-22 | 济南浪潮高新科技投资发展有限公司 | Data single transmission module based on digital signature integrity checking |
| CN107395482A (en) * | 2017-06-26 | 2017-11-24 | 深圳市中创鑫和科技有限公司 | A kind of unidirectional bridge of COFDM and its IP data transferring methods |
| CN108810011A (en) * | 2018-06-29 | 2018-11-13 | 南京南瑞继保电气有限公司 | A kind of universal network secure accessing sound zone system and message processing method suitable for power private network |
| CN109756475A (en) * | 2018-11-27 | 2019-05-14 | 中国船舶重工集团公司第七0九研究所 | Data transmission method and device in a kind of unilateral network |
| CN109766485A (en) * | 2018-12-07 | 2019-05-17 | 中国电力科学研究院有限公司 | A kind of sensitive information inspection method and system |
| CN110515575A (en) * | 2018-05-21 | 2019-11-29 | 北京仁光科技有限公司 | Device and method for being interacted to the computer in a subnet |
| CN111614694A (en) * | 2020-05-29 | 2020-09-01 | 腾讯音乐娱乐科技(深圳)有限公司 | Communication method, communication device, electronic equipment and computer-readable storage medium |
-
2007
- 2007-09-03 CN CNA2007100768552A patent/CN101383813A/en active Pending
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013086930A1 (en) * | 2011-12-15 | 2013-06-20 | 优视科技有限公司 | Cross-device file transmission method, apparatus, transit server and device |
| US9430047B2 (en) | 2011-12-15 | 2016-08-30 | Uc Mobile Limited | Method, device, and system of cross-device data transfer |
| CN102984283A (en) * | 2012-12-25 | 2013-03-20 | 北京理工大学 | System and method for remote monitoring and service of electric vehicle |
| CN102984283B (en) * | 2012-12-25 | 2016-05-25 | 北京理工大学 | A kind of electric vehicle remote monitoring and service system and method |
| CN103491072B (en) * | 2013-09-06 | 2017-03-15 | 中国航天系统科学与工程研究院 | A kind of border access control method based on double unidirection insulation network brakes |
| CN103491072A (en) * | 2013-09-06 | 2014-01-01 | 北京信息控制研究所 | Boundary access control method based on double one-way separation gatekeepers |
| CN104363231B (en) * | 2014-11-17 | 2017-09-19 | 北京锐驰信安技术有限公司 | A kind of network security isolation and information switching method and system based on half-duplex channel |
| CN104363231A (en) * | 2014-11-17 | 2015-02-18 | 北京锐驰信安技术有限公司 | Network security isolation and information exchange method and system based on one-way channel |
| CN106452792A (en) * | 2016-11-21 | 2017-02-22 | 济南浪潮高新科技投资发展有限公司 | Data single transmission module based on digital signature integrity checking |
| CN107395482A (en) * | 2017-06-26 | 2017-11-24 | 深圳市中创鑫和科技有限公司 | A kind of unidirectional bridge of COFDM and its IP data transferring methods |
| CN110515575A (en) * | 2018-05-21 | 2019-11-29 | 北京仁光科技有限公司 | Device and method for being interacted to the computer in a subnet |
| CN108810011A (en) * | 2018-06-29 | 2018-11-13 | 南京南瑞继保电气有限公司 | A kind of universal network secure accessing sound zone system and message processing method suitable for power private network |
| CN109756475A (en) * | 2018-11-27 | 2019-05-14 | 中国船舶重工集团公司第七0九研究所 | Data transmission method and device in a kind of unilateral network |
| CN109756475B (en) * | 2018-11-27 | 2021-07-16 | 中国船舶重工集团公司第七0九研究所 | Data transmission method and device in unidirectional network |
| CN109766485A (en) * | 2018-12-07 | 2019-05-17 | 中国电力科学研究院有限公司 | A kind of sensitive information inspection method and system |
| CN111614694A (en) * | 2020-05-29 | 2020-09-01 | 腾讯音乐娱乐科技(深圳)有限公司 | Communication method, communication device, electronic equipment and computer-readable storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101383813A (en) | Method and system for network uni-directional forwarding | |
| CN101753530B (en) | Data transmission method and device for traversing physical unidirectional isolation device of power network | |
| JP5930355B1 (en) | Data diode device with specific packet relay function and setting method thereof | |
| CN102035751A (en) | Data transmission method and equipment | |
| CN103795632A (en) | Data message transmission method, related equipment and system | |
| CN103973414B (en) | A kind of data transmission method and device | |
| CN101778093A (en) | UDP (User Datagram Protocol) based data transmission method | |
| CN105791252A (en) | UDP (User Datagram Protocol) IP (Intellectual Property) core based on FPGA (Field Programmable Gate Array) | |
| CN101494585B (en) | Method and equipment for implementing reliable transmission of universal route encapsulation tunnel | |
| ATE467284T1 (en) | DISCONNECTED CONNECTIONS | |
| JP6083549B1 (en) | Data diode device with specific packet relay function | |
| CN104394234A (en) | Multi-window UDP (user datagram protocol) wireless transmission method applied to environment monitoring | |
| CN101741849B (en) | Method, system and device for transmitting serial port service data | |
| US10841132B2 (en) | Data diode device with specific packet relay function, and method for specifying same | |
| CN101309169A (en) | Network management method and network management system, network apparatus | |
| CN104579973A (en) | Message forwarding method and device of virtual cluster | |
| CN104536934A (en) | Serial port communication method and system | |
| KR101953552B1 (en) | Apparatus for one-way transmission, apparatus for one-way reception, and one-way retransmission method for using same | |
| CN1976259B (en) | Directive non-feedback optical fiber one-way transmitting physical isolating method and one-way transmitting system therefor | |
| JPH01218148A (en) | Information distributing system, its transmission station and terminal equipment | |
| CN103051436A (en) | System and method for improving reliability of user datagram protocol (UDP) connection | |
| US20150341145A1 (en) | Data packet for bidirectional transmission of data packets during data transmission between a first and a second communication appliance, and method for transmitting such a data packet | |
| US20030120800A1 (en) | Network layer protocol | |
| KR20080051275A (en) | Message transmitting system based on udp control and method for the same | |
| CN201957033U (en) | Node adapter for optical fiber and wireless integrated sensing network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Open date: 20090311 |