CN107395764B - Method and system for data exchange between devices in different data domains - Google Patents

Method and system for data exchange between devices in different data domains Download PDF

Info

Publication number
CN107395764B
CN107395764B CN201710766632.2A CN201710766632A CN107395764B CN 107395764 B CN107395764 B CN 107395764B CN 201710766632 A CN201710766632 A CN 201710766632A CN 107395764 B CN107395764 B CN 107395764B
Authority
CN
China
Prior art keywords
data
storage device
domain
exchange
data domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710766632.2A
Other languages
Chinese (zh)
Other versions
CN107395764A (en
Inventor
王梅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
LANSWON TECHNOLOGIES Co.,Ltd.
Original Assignee
Lanswon Technologies Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lanswon Technologies Co ltd filed Critical Lanswon Technologies Co ltd
Priority to CN202010637687.5A priority Critical patent/CN111901391A/en
Priority to CN201710766632.2A priority patent/CN107395764B/en
Priority to CN202010637677.1A priority patent/CN112039939A/en
Publication of CN107395764A publication Critical patent/CN107395764A/en
Application granted granted Critical
Publication of CN107395764B publication Critical patent/CN107395764B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/563Data redirection of data network streams
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/108Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W76/00Connection management
    • H04W76/10Connection setup
    • H04W76/14Direct-mode setup

Abstract

The invention discloses a method and a system for exchanging data among devices in different data domains of a storage network, wherein the method comprises the following steps: establishing a wireless connection between the first storage device and the second storage device for data exchange in response to the data exchange indication sent by the exchange server; the first storage device measures a first data exchange state of the first storage device and receives a second data exchange state sent by the second storage device; when determining that a third storage device in a third data domain is needed to perform auxiliary exchange on partial data in the first data to be exchanged, the first storage device sends the partial data and the network address of the second storage device to the third storage device; and the third storage device establishes wireless connection with the second storage device, transmits the partial data to the second storage device and notifies the exchange server of the transmission of the partial data.

Description

Method and system for data exchange between devices in different data domains
Technical Field
The present invention relates to the field of computing network storage, and more particularly, to a method and system for data exchange between devices in different data domains of a storage network.
Background
Typically, a storage network is a private network established specifically for storage services independent of the general network. The storage network can provide transmission rates of 2Gb/S to 4Gb/S, and the storage network exists independently of the data network, so that the access speed is high. The storage network is based on a private network, and therefore is very scalable. It is convenient to add a certain amount of storage space or several servers using storage space in a storage network.
However, current storage networks are virus isolated only by security software and do not provide additional protection against user data that needs to be secured. In this case, user data to be secured is usually subjected to various malicious attacks, which causes great loss to users.
Disclosure of Invention
According to an aspect of the present invention, there is provided a method for data exchange between devices in different data domains of a storage network, wherein a first storage device is located in a first data domain and a second storage device is located in a second data domain, the first data domain and the second data domain being isolated from each other, the method comprising:
establishing a wireless connection between the first storage device and a second storage device in response to a data exchange instruction sent by an exchange server, and enabling the first storage device and the second storage device to perform data exchange on first data to be exchanged and second data to be exchanged determined in the data exchange instruction through the wireless connection within an authorized data exchange time period indicated by the exchange server, wherein the first data to be exchanged is located in the first storage device and the second data to be exchanged is located in the second storage device;
when the first storage device and the second storage device exchange data through the wireless connection, measuring a first data exchange state of the first storage device, wherein the first data exchange state comprises data receiving progress and wireless connection quality of the first storage device;
the first storage device receives a second data exchange state sent by the second storage device, wherein the second data exchange state comprises a data receiving progress and wireless connection quality of the second storage device;
when the first storage device determines that a third storage device in a third data domain is required to perform auxiliary exchange on partial data in first data to be exchanged in the first storage device based on the first data exchange state and the second data exchange state, the first storage device sends the partial data and the network address of the second storage device to the third storage device; and
after receiving the partial data and the network address of the second storage device, the third storage device establishes a wireless connection with the second storage device based on the network address of the second storage device, transmits the partial data to the second storage device, and notifies the switching server of the transmission of the partial data.
Before the establishing a wireless connection between the first storage device and the second storage device in response to the data exchange indication sent by the exchange server, the method further includes:
the exchange server receives a data exchange request of the first storage device, selects a second storage device which has the acquired data item and needs the acquired data item from the second data domain according to the provided data item and the acquired data item related to the data exchange request, and sends a network address of the second storage device to the first storage device;
the first storage device sends a challenge message carrying an authentication character string and a first storage device identifier to the second storage device based on the network address;
the second storage device extracting the authentication string from the challenge message and querying a processing rule for the authentication string based on the first storage device identifier, processing the authentication string based on the queried processing rule to generate a processed authentication string;
the second storage device calculating an authentication hash value of the processed authentication string using a one-way hash function and transmitting the authentication hash value to the first storage device;
the first storage device determines whether the authentication hash value is correct, sets an authentication result of the second storage device to be successful if it is determined that the authentication hash value is correct, and notifies the exchange server of a message indicating that authentication is successful;
and after receiving the message indicating the successful authentication, the exchange server establishes a wireless tunnel connection between the first storage device and the second storage device and authorizes a data exchange time period for data exchange for the first storage device and the second storage device.
The exchange server stores a second data domain trust list, and the second data domain trust list records storage equipment which passes identity authentication of the exchange server, wherein the exchange server periodically performs identity authentication on all the storage equipment in the second data domain and updates the second data domain trust list based on the result of the identity authentication;
when the first storage device joins the first data domain, sending a list acquisition request to the switching server to prompt the switching server to send the second data domain trust list to the first storage device, wherein the first storage device sends the processing rule of the first storage device to the storage devices in the second data domain trust list;
or, when the second storage device joins the second data domain and passes the identity authentication of the switching server, sending a processing rule obtaining request to the switching server, when the switching server receives the obtaining request and confirms that the second storage device is located in the second data domain trust list, sending a processing rule pushing request to all storage devices in the first data domain, and after receiving the processing rule pushing request, sending respective current processing rules to the switching server and sending the respective current processing rules to the second storage device by the switching server;
the processing rule comprises: replacing one or more characters in the authentication character string with corresponding preset characters; circularly shifting the authentication character string to the left or the right by a specific number of bits; adding one or more additional characters to a specific position of the authentication character string; and deleting one or more characters for the authentication string.
The first storage device determining whether the hash value is correct comprises: the first storage device processes the authentication string based on a processing rule to generate a processed authentication string, and calculates a local hash value of the processed authentication string using a one-way hash function;
and when the local hash value calculated by the first storage device is the same as the authentication hash value sent by the second storage device, determining that the authentication hash value is correct.
The first data domain is a secure data domain, and when data exchange is performed between any storage devices in the first data domain, direct data exchange can be performed without receiving a data exchange instruction sent by the exchange server; and under the condition that the data exchange instruction sent by the exchange server is not received, the storage equipment in the first data domain and the storage equipment in the second data domain cannot exchange data.
The second data domain is an insecure data domain, and under the condition that a data exchange instruction sent by the exchange server is not received, the storage equipment in the second data domain and the storage equipment in the first data domain cannot exchange data; and under the condition that the data exchange indication initiated by the exchange server is not received, data exchange cannot be carried out between any storage devices in the second data domain.
The third data domain is a dynamic data domain, the storage devices in the dynamic data domain have a temporary data domain attribute and a local data domain attribute, the temporary data domain attribute is used for indicating that a specific storage device belongs to the first data domain or the second data domain in a cross-domain time period, and the local data domain attribute is used for indicating that the specific storage device belongs to the third data domain; wherein upon expiration of the cross-domain time period, the particular storage device no longer belongs to the first data domain or the second data domain, but only belongs to the third data domain; wherein in response to the indication message sent by the switching server to enter the first data domain, the particular device modifies the temporary data domain attribute to the first data domain and modifies the local data domain attribute to null; wherein in response to the indication message sent by the switching server to enter the second data domain, the particular device modifies the temporary data domain attribute to the second data domain and modifies the local data domain attribute to null; when the cross-domain time period expires, the particular device modifies the temporary data domain attribute to null and the local data domain attribute to a third data domain.
When it is determined that the completion time of the data reception of the second storage device will be later than the completion time of the data reception of the first storage device by a first predetermined time period and the data reception of the second storage device can be completed before the expiration of the authorized data exchange time period, wherein the first predetermined time period exceeds a threshold value, it is determined that a third storage device in a third data domain is required to perform auxiliary exchange on a part of data in the first data to be exchanged in the first storage device; wherein the partial data is data content that the second storage device has not received from the first storage device when data reception by the first storage device is complete.
The first storage device sending the partial data and the network address of the second storage device to a third storage device comprises: the first storage device dividing the partial data into a plurality of data packets, and setting a sender address in a header field of each data packet as a network address of the first storage device and setting a sending time in the header field as a time within the authorization period; transmitting the plurality of data packets with the set header field and the network address of the second storage device to the third storage device.
After receiving the plurality of data packets with the set header fields and the network address of the second storage device, the third storage device sends a data domain switching request for switching to the second data domain to the switching server; in response to receiving the data domain switch request, the switching server sending a data domain switch notification to a border firewall of the first data domain and sending a switch message to the third storage device to indicate a data domain switch; the boundary firewall scans all data packets in the third storage device and deletes the data packets which do not meet the transfer requirement; when determining that all the data packets in the third storage device meet the transfer requirement, allowing the third storage device to switch to a second data domain; wherein when the sender address of the data packet in the third storage device is not the network address of the storage device in the first data domain and the sending time in the header field is not within the authorization period of the corresponding storage device, the data packet is determined to be a data packet that does not comply with the transfer requirement.
When it is determined that data reception of the second storage device cannot be completed at the expiration of the authorized data exchange time period through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, it is determined that a third storage device in a third data domain is required to perform auxiliary exchange on a part of data in the first data to be exchanged in the first storage device; wherein the partial data is data content that the second storage device has not received from the first storage device at a time of completion of data reception by the first storage device.
The first storage device sending the partial data and the network address of the second storage device to a third storage device comprises: the first storage device dividing the partial data into a plurality of data packets, and setting a sender address in a header field of each data packet as a network address of the first storage device and setting a sending time in the header field as a time within the authorization period; transmitting the plurality of data packets with the set header field and the network address of the second storage device to the third storage device.
After receiving the plurality of data packets with the set header fields and the network address of the second storage device, the third storage device sends a data domain switching request for switching to the second data domain to the switching server; in response to receiving the data domain switch request, the switching server sending a data domain switch notification to a border firewall of the first data domain and sending a switch message to the third storage device to indicate a data domain switch; the boundary firewall scans all data packets in the third storage device and deletes the data packets which do not meet the transfer requirement; when determining that all the data packets in the third storage device meet the transfer requirement, allowing the third storage device to switch to a second data domain; wherein when the sender address of the data packet in the third storage device is not the network address of the storage device in the first data domain and the sending time in the header field is not within the authorization period of the corresponding storage device, the data packet is determined to be a data packet that does not comply with the transfer requirement.
When it is determined that the completion time of the data reception of the second storage device is later than the completion time of the data reception of the first storage device by a second predetermined time, which does not exceed a threshold, through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorized data exchange period expires, the first storage device continues data exchange with the second storage device. That is, it is determined that the third storage device in the third data domain is not required to perform the auxiliary exchange on the partial data in the first data to be exchanged in the first storage device.
When it is determined that the completion time of the data reception of the second storage device will be earlier than the completion time of the data reception of the first storage device by the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorized data exchange period expires, the first storage device continues the data exchange with the second storage device. That is, it is determined that the third storage device in the third data domain is not required to perform the auxiliary exchange on the partial data in the first data to be exchanged in the first storage device.
Wherein the first storage device receives the second data to be exchanged, and the second storage device receives the first data to be exchanged.
When the authorized data exchange time period expires and the data reception of the first storage device is not completed, the second storage device sends part of data which is not received by the first storage device in second data to be exchanged to an exchange server; and the exchange server performs security check on the part of the data which is not received by the first storage device, and sends the part of the data which is not received by the first storage device to the first storage device after the part of the data passes the security check.
Wherein the data reception progress is used to indicate a ratio of the data amount of the partial data that the second storage device has received to the data amount of the first data to be exchanged, or the data reception progress is used to indicate a ratio of the partial data that the first storage device has received to the second data to be exchanged.
The radio connection quality includes a radio transmission rate indicating a data transmission.
According to another aspect of the present invention, there is provided a system for data exchange between devices in different data domains of a storage network, wherein a first storage device is located in a first data domain and a second storage device is located in a second data domain, the first data domain and the second data domain being isolated from each other, the system comprising:
the switching server sends a data exchange instruction to the first storage device and the second storage device, establishes a wireless connection between the first storage device and the second storage device, and causes the first storage device and the second storage device to perform data exchange on first data to be exchanged and second data to be exchanged determined in the data exchange instruction through the wireless connection within an authorized data exchange time period carried in the data exchange instruction, wherein the first data to be exchanged is located in the first storage device and the second data to be exchanged is located in the second storage device;
a second storage device measuring a second data exchange status of the second storage device and transmitting the second data exchange status to the first storage device, the second data exchange status including a data reception progress and a wireless connection quality of the second storage device;
the first storage equipment measures a first data exchange state of the first storage equipment when performing data exchange with second storage equipment through the wireless connection, wherein the first data exchange state comprises the data receiving progress and the wireless connection quality of the first storage equipment; the first storage device receives a second data exchange state sent by the second storage device, wherein the second data exchange state comprises a data receiving progress and wireless connection quality of the second storage device; when the first storage device determines that a third storage device in a third data domain is required to perform auxiliary exchange on partial data in first data to be exchanged in the first storage device based on the first data exchange state and the second data exchange state, the first storage device sends the partial data and the network address of the second storage device to the third storage device; and
and the third storage equipment establishes wireless connection with the second storage equipment based on the network address of the second storage equipment after receiving the partial data and the network address of the second storage equipment, sends the partial data to the second storage equipment and notifies the exchange server of the sending of the partial data.
Further comprising: the exchange server receives a data exchange request of the first storage device, selects a second storage device which has the acquired data item and needs the acquired data item from the second data domain according to the provided data item and the acquired data item related to the data exchange request, and sends a network address of the second storage device to the first storage device;
the first storage device sends a challenge message carrying an authentication character string and a first storage device identifier to the second storage device based on the network address;
the second storage device extracting the authentication string from the challenge message and querying a processing rule for the authentication string based on the first storage device identifier, processing the authentication string based on the queried processing rule to generate a processed authentication string;
the second storage device calculating an authentication hash value of the processed authentication string using a one-way hash function and transmitting the authentication hash value to the first storage device;
the first storage device determines whether the authentication hash value is correct, sets an authentication result of the second storage device to be successful if it is determined that the authentication hash value is correct, and notifies the exchange server of a message indicating that authentication is successful;
and after receiving the message indicating the successful authentication, the exchange server establishes a wireless tunnel connection between the first storage device and the second storage device and authorizes a data exchange time period for data exchange for the first storage device and the second storage device.
The exchange server stores a second data domain trust list, and the second data domain trust list records storage equipment which passes identity authentication of the exchange server, wherein the exchange server periodically performs identity authentication on all the storage equipment in the second data domain and updates the second data domain trust list based on the result of the identity authentication;
when the first storage device joins the first data domain, sending a list acquisition request to the switching server to prompt the switching server to send the second data domain trust list to the first storage device, wherein the first storage device sends the processing rule of the first storage device to the storage devices in the second data domain trust list;
or, when the second storage device joins the second data domain and passes the identity authentication of the switching server, sending a processing rule obtaining request to the switching server, when the switching server receives the obtaining request and confirms that the second storage device is located in the second data domain trust list, sending a processing rule pushing request to all storage devices in the first data domain, and after receiving the processing rule pushing request, sending respective current processing rules to the switching server and sending the respective current processing rules to the second storage device by the switching server;
the processing rule comprises: replacing one or more characters in the authentication character string with corresponding preset characters; circularly shifting the authentication character string to the left or the right by a specific number of bits; adding one or more additional characters to a specific position of the authentication character string; and deleting one or more characters for the authentication string.
The first storage device determining whether the hash value is correct comprises: the first storage device processes the authentication string based on a processing rule to generate a processed authentication string, and calculates a local hash value of the processed authentication string using a one-way hash function; and when the local hash value calculated by the first storage device is the same as the authentication hash value sent by the second storage device, determining that the authentication hash value is correct.
The first data domain is a secure data domain, and when data exchange is performed between any storage devices in the first data domain, direct data exchange can be performed without receiving a data exchange instruction initiated by the exchange server; under the condition that a data exchange instruction sent by the exchange server is not received, the storage equipment in the first data domain and the storage equipment in the second data domain cannot exchange data;
the second data domain is an insecure data domain, and under the condition that a data exchange instruction sent by the exchange server is not received, the storage equipment in the second data domain and the storage equipment in the first data domain cannot exchange data; and in the case of not receiving the data exchange instruction sent by the exchange server, the data exchange between any storage devices in the second data domain cannot be carried out.
The third data domain is a dynamic data domain, the storage devices in the dynamic data domain have a temporary data domain attribute and a local data domain attribute, the temporary data domain attribute is used for indicating that a specific storage device belongs to the first data domain or the second data domain in a cross-domain time period, and the local data domain attribute is used for indicating that the specific storage device belongs to the third data domain; wherein upon expiration of the cross-domain time period, the particular storage device no longer belongs to the first data domain or the second data domain, but only belongs to the third data domain; wherein in response to the indication message sent by the switching server to enter the first data domain, the particular device modifies the temporary data domain attribute to the first data domain and modifies the local data domain attribute to null; wherein in response to the indication message sent by the switching server to enter the second data domain, the particular device modifies the temporary data domain attribute to the second data domain and modifies the local data domain attribute to null; when the cross-domain time period expires, the particular device modifies the temporary data domain attribute to null and the local data domain attribute to a third data domain.
When it is determined that the completion time of the data reception of the second storage device will be later than the completion time of the data reception of the first storage device by a first predetermined time period and the data reception of the second storage device can be completed before the expiration of the authorized data exchange time period, wherein the first predetermined time period exceeds a threshold value, it is determined that a third storage device in a third data domain is required to perform auxiliary exchange on a part of data in the first data to be exchanged in the first storage device; wherein the partial data is data content that the second storage device has not received from the first storage device when data reception by the first storage device is complete.
The first storage device sending the partial data and the network address of the second storage device to a third storage device comprises: the first storage device dividing the partial data into a plurality of data packets, and setting a sender address in a header field of each data packet as a network address of the first storage device and setting a sending time in the header field as a time within the authorization period; transmitting the plurality of data packets with the set header field and the network address of the second storage device to the third storage device.
After receiving the plurality of data packets with the set header fields and the network address of the second storage device, the third storage device sends a data domain switching request for switching to the second data domain to the switching server; in response to receiving the data domain switch request, the switching server sending a data domain switch notification to a border firewall of the first data domain and sending a switch message to the third storage device to indicate a data domain switch; the boundary firewall scans all data packets in the third storage device and deletes the data packets which do not meet the transfer requirement; when determining that all the data packets in the third storage device meet the transfer requirement, allowing the third storage device to switch to a second data domain; wherein when the sender address of the data packet in the third storage device is not the network address of the storage device in the first data domain and the sending time in the header field is not within the authorization period of the corresponding storage device, the data packet is determined to be a data packet that does not comply with the transfer requirement.
When it is determined that data reception of the second storage device cannot be completed at the expiration of the authorized data exchange time period through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, it is determined that a third storage device in a third data domain is required to perform auxiliary exchange on a part of data in the first data to be exchanged in the first storage device; wherein the partial data is data content that the second storage device has not received from the first storage device at a time of completion of data reception by the first storage device.
The first storage device sending the partial data and the network address of the second storage device to a third storage device comprises: the first storage device dividing the partial data into a plurality of data packets, and setting a sender address in a header field of each data packet as a network address of the first storage device and setting a sending time in the header field as a time within the authorization period; transmitting the plurality of data packets with the set header field and the network address of the second storage device to the third storage device.
After receiving the plurality of data packets with the set header fields and the network address of the second storage device, the third storage device sends a data domain switching request for switching to the second data domain to the switching server; in response to receiving the data domain switch request, the switching server sending a data domain switch notification to a border firewall of the first data domain and sending a switch message to the third storage device to indicate a data domain switch; the boundary firewall scans all data packets in the third storage device and deletes the data packets which do not meet the transfer requirement; when determining that all the data packets in the third storage device meet the transfer requirement, allowing the third storage device to switch to a second data domain; wherein when the sender address of the data packet in the third storage device is not the network address of the storage device in the first data domain and the sending time in the header field is not within the authorization period of the corresponding storage device, the data packet is determined to be a data packet that does not comply with the transfer requirement.
When it is determined that the completion time of the data reception of the second storage device is later than the completion time of the data reception of the first storage device by a second predetermined time, which does not exceed a threshold, through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorized data exchange period expires, the first storage device continues data exchange with the second storage device. That is, it is determined that the third storage device in the third data domain is not required to perform the auxiliary exchange on the partial data in the first data to be exchanged in the first storage device.
When it is determined that the completion time of the data reception of the second storage device will be earlier than the completion time of the data reception of the first storage device by the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorized data exchange period expires, the first storage device continues the data exchange with the second storage device. That is, it is determined that the third storage device in the third data domain is not required to perform the auxiliary exchange on the partial data in the first data to be exchanged in the first storage device.
Wherein the first storage device receives the second data to be exchanged, and the second storage device receives the first data to be exchanged. When the authorized data exchange time period expires and the data reception of the first storage device is not completed, the second storage device sends part of data which is not received by the first storage device in second data to be exchanged to an exchange server; and the exchange server performs security check on the part of the data which is not received by the first storage device, and sends the part of the data which is not received by the first storage device to the first storage device after the part of the data passes the security check.
Wherein the data reception progress is used to indicate a ratio of the data amount of the partial data that the second storage device has received to the data amount of the first data to be exchanged, or the data reception progress is used to indicate a ratio of the partial data that the first storage device has received to the second data to be exchanged.
The radio connection quality includes a radio transmission rate indicating a data transmission.
Drawings
A more complete understanding of exemplary embodiments of the present invention may be had by reference to the following drawings in which:
FIG. 1 is a schematic diagram of a storage network according to a preferred embodiment of the present invention;
FIG. 2 is a block diagram of a system for exchanging data between devices in different data domains of a storage network in accordance with a preferred embodiment of the present invention;
FIG. 3 is a block diagram of a system for exchanging data between devices in different data domains of a storage network in accordance with another preferred embodiment of the present invention; and
fig. 4 is a flow chart of a method for data exchange between devices in different data domains of a storage network according to another preferred embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided for complete and complete disclosure of the present invention and to fully convey the scope of the present invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Fig. 1 is a schematic diagram of a storage network 100 according to a preferred embodiment of the present invention. As shown in fig. 1, the storage network 100 includes: a first data field 101, a second data field 102, a third data field 103, and a switching server 104. Wherein the first data field 101 and the second data field 102 are isolated from each other. The data in the first data field 101 and the data in the second data field 102 are isolated from each other, i.e. cannot be freely or uncontrollably moved or exchanged. However, the first data field 101 and the second data field 102 may have the same data, except that such same data is controlled differently.
The first data field 101 is a secure data field and thus the data in the first data field 101 is all data that needs to be secured. Such data that needs to be secured are, for example, various types of data such as user privacy data, government statistics, network measurement data, and the like. Included in first data field 101 are storage device a1, storage device a 2. When data is exchanged between any storage devices in the first data domain, direct data exchange can be performed without receiving a data exchange instruction transmitted by the exchange server 104. For example, when the storage apparatus a1 and the storage apparatus a2 exchange data, direct data exchange can be performed without receiving a data exchange instruction transmitted from the exchange server 104. However, when the storage device in the first data domain exchanges data with the storage device in the external data domain (for example, the second data domain 102) without receiving the data exchange instruction sent by the exchange server 104, the data exchange cannot be performed. For example, if the data exchange instruction transmitted from the exchange server 104 is not received, the storage apparatus a1 and the storage apparatus B2 cannot exchange data.
The second data domain 102 is a non-secure data domain and, thus, the data in the second data domain 102 is data that does not require security protection. Such data that does not need security protection is, for example, various types of public data such as network public data, encyclopedia knowledge data, and the like. Included in the second data field 102 are storage device B1, storage device B2. When the storage device in the second data domain exchanges data with the storage device in the first data domain without receiving the data exchange instruction sent by the exchange server 104, the data exchange cannot be performed. For example, in a case where the data exchange instruction transmitted from the exchange server 104 is not received, the storage apparatus B2 in the second data domain 102 cannot exchange data with the storage apparatus a1 in the first data domain 101. In the case that the data exchange instruction sent by the exchange server 104 is not received, data exchange cannot be performed between any storage devices in the second data domain. For example, in a case where a data exchange instruction sent by the exchange server 104 is not received, data exchange between any two of the storage device B1, the storage device B2.
The third data field 103 is a dynamic data field. Storage devices in the dynamic data domain can be switched between the first data domain 101, the second data domain 102 and the third data domain 103. Included in the third data field 103 are storage device C1, storage device C2. In order to enable storage devices in the dynamic data domain to switch between the first data domain 101, the second data domain 102, and the third data domain 103, temporary data domain attributes and local data domain attributes are assigned to the storage devices in the dynamic data domain. Wherein the temporary data domain attribute is to indicate that a particular storage device belongs to the first data domain or the second data domain within the cross-domain time period, and the local data domain attribute is to indicate that the particular storage device belongs to the third data domain. For example, when the temporary data domain attribute of storage device C2 is set to the first data domain and the local data domain attribute is set to null, then storage device C2 belongs to the first data domain during the cross-domain time period. For example, when the temporary data domain attribute of storage device C3 is set to the second data domain and the local data domain attribute is set to null, then storage device C3 belongs to the second data domain during the cross-domain time period.
Wherein upon expiration of the cross-domain time period, the particular storage device no longer belongs to the first data domain or the second data domain, but only belongs to the third data domain. When the cross-domain time period expires, the particular device (storage device C1, storage device C2.. or storage device CN) modifies the temporary data domain attribute to null and the local data domain attribute to a third data domain. Preferably, a particular storage device may set a timer to indicate the expiration of the cross-domain time period. Alternatively, exchange server 104 may send a message to a particular storage device to indicate the expiration of the cross-domain time period. Alternatively, the temporary data field attribute includes a field for indicating a cross-domain time period.
In response to the indication message sent by switching server 104 to enter the first data domain, the particular device modifies the temporary data domain attribute to the first data domain and modifies the local data domain attribute to null. In response to the indication message sent by the switching server to enter the second data domain, the specific device modifies the temporary data domain attribute to the second data domain and modifies the local data domain attribute to null.
The switching server 104 is configured to send a data exchange indication to cause a wireless connection to be established between the first storage device and the second storage device. The exchange server 104 authorizes a data exchange time period for the first storage device and the second storage device, and causes the first storage device and the second storage device to exchange data for the first data to be exchanged and the second data to be exchanged determined in the data exchange indication through the wireless connection during the data exchange time period. The first data to be exchanged is data required by the second storage device, and the second data to be exchanged is data required by the first storage device.
Before establishing a wireless connection between a first storage device and a second storage device, the switching server 104 receives a data exchange request of the first storage device, selects a second storage device having a get data item (first data to be exchanged) and requiring the get data item from the second data domain according to the get data item (second data to be exchanged) and the provide data item to which the data exchange request relates, and sends a network address of the second storage device to the first storage device. And the first storage equipment sends a challenge message carrying the authentication character string, the first storage equipment identifier and the first storage equipment network address to the second storage equipment based on the network address. The second storage device extracts the authentication string from the challenge message and queries a processing rule for the authentication string based on the first storage device identifier. Processing the authentication string based on the queried processing rule to generate a processed authentication string. The second storage device calculates an authentication hash value of the processed authentication string using a one-way hash function, and transmits the authentication hash value to the first storage device based on a network address of the first storage device. The first storage device determines whether the authentication hash value is correct. In the case where it is determined that the authentication hash value is correct, the first storage device sets the authentication result of the second storage device to success, and notifies the exchange server 104 of a message indicating that authentication is successful. After receiving the message indicating that the authentication is successful, the exchange server 104 establishes a wireless tunnel connection between the first storage device and the second storage device and authorizes the first storage device and the second storage device for a data exchange time period for data exchange.
The exchange server 104 stores a second data domain trust list, in which a plurality of storage devices authenticated by the identity of the exchange server 104 are recorded. Wherein the switching server 104 periodically authenticates all storage devices in the second data domain and updates the second data domain trust list based on the result of the authentication. When a first storage device joins the first data domain 101, a list acquisition request is sent to the switching server 104 to prompt the switching server 104 to send the second data domain trust list to the first storage device, and the first storage device sends the processing rule of the first storage device to the storage devices in the second data domain trust list.
Or, when the second storage device joins the second data domain 102 and passes the identity authentication of the switching server 104, sending a processing rule obtaining request to the switching server 104, and when receiving the obtaining request and confirming that the second storage device is located in the second data domain trust list, the switching server 104 sending a processing rule pushing request to all the storage devices in the first data domain 101. After receiving the processing rule push request, all the storage devices in the first data domain 101 send respective current processing rules to the switching server 104 and the switching server 104 sends the respective current processing rules to the second storage device.
Wherein the processing rule comprises: and replacing one or more characters in the authentication character string with corresponding preset characters. For example, if the authentication string is helloworld2017, replacing one or more characters in the authentication string with corresponding preset characters may be replacing the/letter with i, i.e., heiioworld 2017. Alternatively, each letter in the authentication string may be replaced with a letter positioned one-first or next, for example, with a letter positioned one-second next, i.e., ifmmpxpsme 2017. Preferably, the number may be replaced with 3128. Preferably, when boundary letters or numbers are involved, a round-robin fashion is used, e.g., 0 is substituted and z is substituted with a. The authentication string is cyclically shifted by a certain number of bits to the left or right. For example, the authentication string helloworld2017 is circularly moved 2 bits to the right, resulting in 17helloworld 20. One or more additional characters are added to the specific location of the authentication string. For example, add "00" to the authentication string helloworld2017, resulting in helloworld 002017. One or more characters are deleted for the authentication string. For example, add "20" to the authentication string helloworld2017, resulting in helloworld 17.
The first storage device determining whether the hash value is correct comprises: the first storage device processes the authentication string based on a processing rule to generate a processed authentication string, and calculates a local hash value of the processed authentication string using a one-way hash function. And when the local hash value calculated by the first storage device is the same as the authentication hash value sent by the second storage device, determining that the authentication hash value is correct.
Fig. 2 is a block diagram of a system 200 for exchanging data between devices in different data domains of a storage network, according to a preferred embodiment of the present invention. Wherein a first storage device is located in a first data domain 201 and a second storage device is located in a second data domain 202, the first data domain 201 and the second data domain 202 being isolated from each other. Wherein the first data domain 201 has a border firewall at its border. The border firewall is responsible for checking the data packets leaving the first data domain 201 in addition to performing information security protection, virus isolation, external attack protection, and other tasks. This check is to avoid that the storage device carries the secured data packets outside when leaving the first data domain 201.
In response to the data exchange indication sent by the exchange server 203, a wireless connection is established between the first storage device and the second storage device. And the first storage device and the second storage device are caused to perform data exchange on the first data to be exchanged and the second data to be exchanged determined in the data exchange indication through the wireless connection within the data exchange time period authorized by the exchange server 203. The first data to be exchanged is located in the first storage device and is thus known to be data that needs to be secured. The second data to be exchanged is located in the second storage device and thus is known to be data that does not need to be secured.
However, in actual operation, the second storage device in the second data domain 202 may need to use secure data, such as the first data to be exchanged, to perform the processing of a particular task. For example, the second storage device may need to use network measurement data to refine the network topology information. For example, the first storage device may need to use network public data to complete internal data. It should be appreciated that data entering the first data domain becomes data that needs to be protected, and the second storage device cannot send data to any other storage device after the data enters the second data domain from the first data domain.
Preferably, when the first storage device and the second storage device exchange data through the wireless connection, the first storage device measures a first data exchange state of the first storage device. Wherein the first data exchange state includes a data reception progress and a wireless connection quality of the first storage device. In addition, when the first storage device and the second storage device exchange data through the wireless connection, the second storage device measures a second data exchange state of the second storage device. Wherein the second data exchange state includes a data reception progress and a wireless connection quality of the second storage device. And the first storage device receives the second data exchange state sent by the second storage device. Wherein the second data exchange state includes a data reception progress and a wireless connection quality of the second storage device.
Then, when the first storage device determines that a third storage device in a third data domain is required to perform auxiliary exchange on partial data in the first data to be exchanged in the first storage device based on the first data exchange state and the second data exchange state, the first storage device sends the partial data and the network address of the second storage device to the third storage device. Preferably, when it is determined that the completion time of the data reception of the second storage device will be later than the completion time of the data reception of the first storage device by a first predetermined time, which exceeds a threshold, through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, it is determined that the third storage device in the third data domain is required to perform the auxiliary exchange on the part of the data in the first data to be exchanged in the first storage device. Wherein the partial data is data content that the second storage device has not received from the first storage device at a time of completion of data reception by the first storage device.
For example, when the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device are passed, it is determined that the completion time of the data reception of the second storage device is 8 pm on 8 months and 8 months in 2017, and the completion time of the data reception of the first storage device is 5 pm on 8 months and 8 months in 2017, where the threshold is 2 hours. In this case, since the completion time of the data reception by the second storage device is 3 hours later (more than the threshold value) than the completion time of the data reception by the first storage device, the present application determines that the third storage device in the third data domain is required to perform the auxiliary exchange of the part of the data in the first to-be-exchanged data in the first storage device.
Preferably, the completion time of data reception is calculated by the data reception progress and the wireless connection quality. Here, the data reception progress may be expressed by a percentage, for example, when no data is received, the data reception progress is 0%, and when all data is received, the data reception progress is 100%. Therefore, the data receiving progress is determined by calculating the ratio of the received data quantity to the total data quantity which should be received. Typically, the quality of the wireless connection is used to indicate the link quality and may typically include parameters such as transmission rate, bit error rate, signal strength, etc. The completion time of data reception is calculated by determining the transmission rate in the quality of the radio connection and based on the data amount of the data to be received.
In addition, when it is determined that the data reception of the second storage device cannot be completed when the authorized time period expires through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, it is determined that the third storage device in the third data domain is required to perform the auxiliary exchange on the part of the data in the first data to be exchanged in the first storage device. Wherein the partial data is data content that the second storage device has not received from the first storage device at a time of completion of data reception by the first storage device.
When determining that a third storage device in a third data domain is needed to perform auxiliary switching on partial data in first data to be switched in a first storage device, dividing the partial data into a plurality of data packets by the first storage device, setting a sender address in a header field of each data packet as a network address of the first storage device and setting a sending time in the header field as a time in the authorization time period. Transmitting the plurality of data packets with the set header field and the network address of the second storage device to the third storage device.
When it is determined that the completion time of the data reception of the second storage device is later than the completion time of the data reception of the first storage device by a first predetermined time, which does not exceed a threshold, through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorization period expires, the first storage device continues data exchange with the second storage device. And when it is determined that the completion time of the data reception of the second storage device will be earlier than the completion time of the data reception of the first storage device by the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorization period expires, the first storage device continues data exchange with the second storage device.
Wherein the first storage device receives the second data to be exchanged, and the second storage device receives the first data to be exchanged.
Fig. 3 is a block diagram of a system 300 for exchanging data between devices in different data domains of a storage network according to another preferred embodiment of the present invention. After receiving the partial data and the network address of the second storage device, the third storage device establishes a wireless connection with the second storage device based on the network address of the second storage device, sends the partial data to the second storage device, and notifies the switching server 303 of the sending of the partial data.
After receiving the plurality of packets with the set header field and the network address of the second storage device, the third storage device sends a data domain switching request for switching to the second data domain to the switching server 303. In response to receiving the data domain switch request, the switching server 303 sends a data domain switch notification to the border firewall of the first data domain and sends a switch message to the third storage device to indicate that a data domain switch is to be performed. And the boundary firewall scans all the data packets in the third storage equipment and deletes the data packets which do not meet the transfer requirement. And when the data packets in the third storage device are determined to all meet the transfer requirement, allowing the third storage device to switch to a second data domain. Wherein when the sender address of the data packet in the third storage device is not the network address of the storage device in the first data domain and the sending time in the header field is not within the authorization period of the corresponding storage device, the data packet is determined to be a data packet that does not comply with the transfer requirement.
When the authorized time period expires and the data reception of the first storage device is not completed, the second storage device sends a part of the second data to be exchanged, which is not received by the first storage device, to the exchange server 303. The switching server 303 performs security check on the part of data that has not been received by the first storage device, and sends the part of data that has not been received by the first storage device to the first storage device after passing the security check.
Fig. 4 is a flow chart of a method 400 for data exchange between devices in different data domains of a storage network according to another preferred embodiment of the present invention. Wherein the first storage device is located in a first data domain and the second storage device is located in a second data domain, the first data domain and the second data domain being isolated from each other. The method 400 begins at step 401.
In step 401, in response to a data exchange indication sent by an exchange server, establishing a wireless connection between the first storage device and a second storage device, and causing the first storage device and the second storage device to perform data exchange on first data to be exchanged and second data to be exchanged determined in the data exchange indication through the wireless connection within an authorized data exchange time period indicated by the exchange server, where the first data to be exchanged is located in the first storage device and the second data to be exchanged is located in the second storage device.
Before the establishing a wireless connection between the first storage device and the second storage device in response to the data exchange indication sent by the exchange server, the method further includes: the exchange server receives a data exchange request of the first storage device, selects a second storage device which has the acquired data item and needs the acquired data item from the second data domain according to the provided data item and the acquired data item related to the data exchange request, and sends a network address of the second storage device to the first storage device; the first storage device sends a challenge message carrying an authentication character string and a first storage device identifier to the second storage device based on the network address; the second storage device extracting the authentication string from the challenge message and querying a processing rule for the authentication string based on the first storage device identifier, processing the authentication string based on the queried processing rule to generate a processed authentication string; the second storage device calculating an authentication hash value of the processed authentication string using a one-way hash function and transmitting the authentication hash value to the first storage device; the first storage device determines whether the authentication hash value is correct, sets an authentication result of the second storage device to be successful if it is determined that the authentication hash value is correct, and notifies the exchange server of a message indicating that authentication is successful; and after receiving the message indicating the successful authentication, the exchange server establishes a wireless tunnel connection between the first storage device and the second storage device and authorizes a data exchange time period for data exchange for the first storage device and the second storage device.
The exchange server stores a second data domain trust list, and the second data domain trust list records storage equipment which passes identity authentication of the exchange server, wherein the exchange server periodically performs identity authentication on all the storage equipment in the second data domain and updates the second data domain trust list based on the result of the identity authentication; when the first storage device joins the first data domain, sending a list acquisition request to the switching server to prompt the switching server to send the second data domain trust list to the first storage device, wherein the first storage device sends the processing rule of the first storage device to the storage devices in the second data domain trust list; or, when the second storage device joins the second data domain and passes the identity authentication of the switching server, sending a processing rule obtaining request to the switching server, when the switching server receives the obtaining request and confirms that the second storage device is located in the second data domain trust list, sending a processing rule pushing request to all storage devices in the first data domain, and after receiving the processing rule pushing request, sending respective current processing rules to the switching server and sending the respective current processing rules to the second storage device by the switching server;
the processing rule comprises: replacing one or more characters in the authentication character string with corresponding preset characters; circularly shifting the authentication character string to the left or the right by a specific number of bits; adding one or more additional characters to a specific position of the authentication character string; and deleting one or more characters for the authentication string.
Wherein the first storage device determining whether the hash value is correct comprises: the first storage device processes the authentication string based on a processing rule to generate a processed authentication string, and calculates a local hash value of the processed authentication string using a one-way hash function. And when the local hash value calculated by the first storage device is the same as the authentication hash value sent by the second storage device, determining that the authentication hash value is correct.
The first data domain is a secure data domain, and when data exchange is performed between any storage devices in the first data domain, direct data exchange can be performed without receiving a data exchange instruction sent by the exchange server. And under the condition that the data exchange instruction sent by the exchange server is not received, the storage equipment in the first data domain and the storage equipment in the second data domain cannot exchange data.
And the second data domain is an insecure data domain, and under the condition that a data exchange instruction sent by the exchange server is not received, the storage equipment in the second data domain and the storage equipment in the first data domain cannot exchange data. And in the case of not receiving the data exchange instruction sent by the exchange server, the data exchange between any storage devices in the second data domain cannot be carried out.
The third data domain is a dynamic data domain, the storage device in the dynamic data domain has a temporary data domain attribute and a local data domain attribute, the temporary data domain attribute is used for indicating that a specific storage device belongs to the first data domain or the second data domain in a cross-domain time period, and the local data domain attribute is used for indicating that the specific storage device belongs to the third data domain. Wherein upon expiration of the cross-domain time period, the particular storage device no longer belongs to the first data domain or the second data domain, but only belongs to the third data domain. Wherein in response to the indication message sent by the switching server to enter the first data domain, the particular device modifies the temporary data domain attribute to the first data domain and modifies the local data domain attribute to null. Wherein in response to the indication message sent by the switching server to enter the second data domain, the particular device modifies the temporary data domain attribute to the second data domain and modifies the local data domain attribute to null. When the cross-domain time period expires, the particular device modifies the temporary data domain attribute to null and the local data domain attribute to a third data domain.
In step 402, when the first storage device and the second storage device perform data exchange through the wireless connection, a first data exchange state of the first storage device is measured, where the first data exchange state includes a data reception progress and a wireless connection quality of the first storage device.
In step 403, the first storage device receives a second data exchange status sent by the second storage device, where the second data exchange status includes a data reception progress and a wireless connection quality of the second storage device.
In step 404, when the first storage device determines that a third storage device in a third data domain is required to perform auxiliary exchange on partial data in the first data to be exchanged in the first storage device based on the first data exchange state and the second data exchange state, the first storage device sends the partial data and the network address of the second storage device to the third storage device.
When the data receiving progress and the wireless connection quality of the first storage device and the data receiving progress and the wireless connection quality of the second storage device are passed, the completion time of the data receiving of the second storage device is determined to be later than the completion time of the data receiving of the first storage device by a first preset time, wherein the first preset time exceeds a threshold value, and the third storage device in a third data domain is determined to be needed to perform auxiliary exchange on partial data in the first data to be exchanged in the first storage device. Wherein the partial data is data content that the second storage device has not received from the first storage device when data reception by the first storage device is complete.
And when the data receiving progress and the wireless connection quality of the first storage device and the data receiving progress and the wireless connection quality of the second storage device are determined to be over and the data receiving of the second storage device cannot be completed in the authorized time period, determining that the third storage device in the third data domain is required to perform auxiliary exchange on part of the data in the first data to be exchanged in the first storage device. Wherein the partial data is data content that the second storage device has not received from the first storage device at a time of completion of data reception by the first storage device.
The first storage device sending the partial data and the network address of the second storage device to a third storage device comprises: the first storage device divides the partial data into a plurality of data packets, and sets a sender address in a header field of each data packet as a network address of the first storage device and sets a transmission time in the header field as a time within the grant period. Transmitting the plurality of data packets with the set header field and the network address of the second storage device to the third storage device.
And after receiving the plurality of data packets with the set header fields and the network address of the second storage device, the third storage device sends a data domain switching request for switching to the second data domain to the switching server. In response to receiving the data domain switch request, the switching server sends a data domain switch notification to a border firewall of the first data domain and sends a switch message to the third storage device to indicate a data domain switch is performed. And the boundary firewall scans all the data packets in the third storage equipment and deletes the data packets which do not meet the transfer requirement. And when the data packets in the third storage device are determined to all meet the transfer requirement, allowing the third storage device to switch to a second data domain. Wherein when the sender address of the data packet in the third storage device is not the network address of the storage device in the first data domain and the sending time in the header field is not within the authorization period of the corresponding storage device, the data packet is determined to be a data packet that does not comply with the transfer requirement.
When it is determined that the completion time of the data reception of the second storage device is later than the completion time of the data reception of the first storage device by a first predetermined time, which does not exceed a threshold, through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the authorization period expires, the first storage device continues data exchange with the second storage device.
When it is determined that the completion time of the data reception of the second storage device will be earlier than the completion time of the data reception of the first storage device by the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, and it is determined that the data reception of the second storage device can be completed before the expiration of the authorization period, the first storage device continues the data exchange with the second storage device.
In step 405, after receiving the partial data and the network address of the second storage device, the third storage device establishes a wireless connection with the second storage device based on the network address of the second storage device, transmits the partial data to the second storage device, and notifies the switching server of the transmission of the partial data.
Wherein the first storage device receives the second data to be exchanged, and the second storage device receives the first data to be exchanged. When the authorization time period expires and the data reception of the first storage device is not completed, the second storage device sends part of the data which is not received by the first storage device in the second data to be exchanged to an exchange server. And the exchange server performs security check on the part of the data which is not received by the first storage device, and sends the part of the data which is not received by the first storage device to the first storage device after the part of the data passes the security check.
The invention has been described with reference to a few embodiments. However, other embodiments of the invention than the one disclosed above are equally possible within the scope of the invention, as would be apparent to a person skilled in the art from the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the [ device, component, etc ]" are to be interpreted openly as referring to at least one instance of said device, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

Claims (10)

1. A method for data exchange between devices within different data domains of a storage network, wherein a first storage device is located in a first data domain and a second storage device is located in a second data domain, the first and second data domains being isolated from each other, the method comprising:
establishing a wireless connection between the first storage device and a second storage device in response to a data exchange instruction sent by an exchange server, and enabling the first storage device and the second storage device to perform data exchange on first data to be exchanged and second data to be exchanged determined in the data exchange instruction through the wireless connection within an authorized data exchange time period indicated by the exchange server, wherein the first data to be exchanged is located in the first storage device and the second data to be exchanged is located in the second storage device;
when the first storage device and the second storage device exchange data through the wireless connection, measuring a first data exchange state of the first storage device, wherein the first data exchange state comprises data receiving progress and wireless connection quality of the first storage device;
the first storage device receives a second data exchange state sent by the second storage device, wherein the second data exchange state comprises a data receiving progress and wireless connection quality of the second storage device;
when the first storage device determines that a third storage device in a third data domain is required to perform auxiliary exchange on partial data in the first data to be exchanged in the first storage device based on the first data exchange state and the second data exchange state, the first storage device establishes a wireless connection with the third storage device to send the partial data and the network address of the second storage device to the third storage device; and
after receiving the partial data and the network address of the second storage device, the third storage device establishes a wireless connection with the second storage device based on the network address of the second storage device, transmits the partial data to the second storage device, and notifies the switching server of the transmission of the partial data.
2. The method of claim 1, wherein the first data domain is a secure data domain,
when data exchange is carried out between any storage devices in the first data domain, direct data exchange can be carried out under the condition that a data exchange instruction sent by the exchange server is not received;
and under the condition that the data exchange instruction sent by the exchange server is not received, the storage equipment in the first data domain and the storage equipment in the second data domain cannot exchange data.
3. The method of claim 2, wherein the second data domain is a non-secure data domain,
under the condition that a data exchange instruction sent by the exchange server is not received, the storage equipment in the second data domain and the storage equipment in the first data domain cannot exchange data;
and under the condition that the data exchange indication initiated by the exchange server is not received, data exchange cannot be carried out between any storage devices in the second data domain.
4. The method of claim 3, wherein the first and second light sources are selected from the group consisting of,
the third data domain is a dynamic data domain, the storage devices in the dynamic data domain have a temporary data domain attribute and a local data domain attribute, the temporary data domain attribute is used for indicating that a specific storage device belongs to the first data domain or the second data domain in a cross-domain time period, and the local data domain attribute is used for indicating that the specific storage device belongs to the third data domain;
wherein upon expiration of the cross-domain time period, the particular storage device no longer belongs to the first data domain or the second data domain, but only belongs to the third data domain;
wherein in response to the indication message sent by the switching server to enter the first data domain, the particular device modifies the temporary data domain attribute to the first data domain and modifies the local data domain attribute to null;
wherein in response to the indication message sent by the switching server to enter the second data domain, the particular device modifies the temporary data domain attribute to the second data domain and modifies the local data domain attribute to null;
when the cross-domain time period expires, the particular device modifies the temporary data domain attribute to null and the local data domain attribute to a third data domain.
5. The method according to claim 1 or 4, when it is determined that the completion time of the data reception of the second storage device will be later than the completion time of the data reception of the first storage device by a first predetermined time period and the data reception of the second storage device can be completed before the expiration of the authorized data exchange time period, which exceeds a threshold, through the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, it is determined that the third storage device in the third data domain is required to perform the auxiliary exchange of the partial data in the first to-be-exchanged data in the first storage device;
wherein the partial data is data content that the second storage device has not received from the first storage device when data reception by the first storage device is complete.
6. A system for data exchange between devices within different data domains of a storage network, wherein a first storage device is located in a first data domain and a second storage device is located in a second data domain, the first and second data domains being isolated from each other, the system comprising:
the switching server sends a data exchange instruction to the first storage device and the second storage device, establishes a wireless connection between the first storage device and the second storage device, and causes the first storage device and the second storage device to perform data exchange on first data to be exchanged and second data to be exchanged determined in the data exchange instruction through the wireless connection within an authorized data exchange time period carried in the data exchange instruction, wherein the first data to be exchanged is located in the first storage device and the second data to be exchanged is located in the second storage device;
a second storage device measuring a second data exchange status of the second storage device and transmitting the second data exchange status to the first storage device, the second data exchange status including a data reception progress and a wireless connection quality of the second storage device;
the first storage equipment measures a first data exchange state of the first storage equipment when performing data exchange with second storage equipment through the wireless connection, wherein the first data exchange state comprises the data receiving progress and the wireless connection quality of the first storage equipment; the first storage device receives a second data exchange state sent by the second storage device, wherein the second data exchange state comprises a data receiving progress and wireless connection quality of the second storage device; when the first storage device determines that a third storage device in a third data domain is required to perform auxiliary exchange on partial data in the first data to be exchanged in the first storage device based on the first data exchange state and the second data exchange state, the first storage device establishes a wireless connection with the third storage device to send the partial data and the network address of the second storage device to the third storage device; and
and the third storage equipment establishes wireless connection with the second storage equipment based on the network address of the second storage equipment after receiving the partial data and the network address of the second storage equipment, sends the partial data to the second storage equipment and notifies the exchange server of the sending of the partial data.
7. The system of claim 6, wherein the first data domain is a secure data domain,
when data exchange is carried out between any storage devices in the first data domain, direct data exchange can be carried out under the condition that a data exchange instruction initiated by the exchange server is not received;
and under the condition that the data exchange instruction sent by the exchange server is not received, the storage equipment in the first data domain and the storage equipment in the second data domain cannot exchange data.
8. The system of claim 7, wherein the second data domain is a non-secure data domain,
under the condition that a data exchange instruction sent by the exchange server is not received, the storage equipment in the second data domain and the storage equipment in the first data domain cannot exchange data;
and in the case of not receiving the data exchange instruction sent by the exchange server, the data exchange between any storage devices in the second data domain cannot be carried out.
9. The system of claim 8, wherein the third data domain is a dynamic data domain, the storage devices in the dynamic data domain having a temporary data domain attribute to indicate that a particular storage device belongs to the first data domain or the second data domain for a cross-domain time period and a local data domain attribute to indicate that the particular storage device belongs to the third data domain;
wherein upon expiration of the cross-domain time period, the particular storage device no longer belongs to the first data domain or the second data domain, but only belongs to the third data domain;
wherein in response to the indication message sent by the switching server to enter the first data domain, the particular device modifies the temporary data domain attribute to the first data domain and modifies the local data domain attribute to null;
wherein in response to the indication message sent by the switching server to enter the second data domain, the particular device modifies the temporary data domain attribute to the second data domain and modifies the local data domain attribute to null;
when the cross-domain time period expires, the particular device modifies the temporary data domain attribute to null and the local data domain attribute to a third data domain.
10. The system according to claim 6 or 9, when it is determined that the completion time of the data reception of the second storage device will be later than the completion time of the data reception of the first storage device by a first predetermined time period and the data reception of the second storage device can be completed before the expiration of the data exchange time period, by the data reception progress and the wireless connection quality of the first storage device and the data reception progress and the wireless connection quality of the second storage device, wherein the first predetermined time period exceeds a threshold, it is determined that the third storage device in the third data domain is required to perform the auxiliary exchange of the partial data in the first to-be-exchanged data in the first storage device;
wherein the partial data is data content that the second storage device has not received from the first storage device when data reception by the first storage device is complete.
CN201710766632.2A 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains Active CN107395764B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN202010637687.5A CN111901391A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains
CN201710766632.2A CN107395764B (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains
CN202010637677.1A CN112039939A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710766632.2A CN107395764B (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains

Related Child Applications (2)

Application Number Title Priority Date Filing Date
CN202010637677.1A Division CN112039939A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains
CN202010637687.5A Division CN111901391A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains

Publications (2)

Publication Number Publication Date
CN107395764A CN107395764A (en) 2017-11-24
CN107395764B true CN107395764B (en) 2020-09-01

Family

ID=60348496

Family Applications (3)

Application Number Title Priority Date Filing Date
CN202010637677.1A Pending CN112039939A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains
CN201710766632.2A Active CN107395764B (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains
CN202010637687.5A Pending CN111901391A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010637677.1A Pending CN112039939A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202010637687.5A Pending CN111901391A (en) 2017-08-30 2017-08-30 Method and system for data exchange between devices in different data domains

Country Status (1)

Country Link
CN (3) CN112039939A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108897808B (en) * 2018-06-16 2023-11-24 王梅 Method and system for storing data in cloud storage system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102624621A (en) * 2012-03-11 2012-08-01 上海宜云物联科技有限公司 Heterogeneous network adaptive data communication method and sensor network multi-protocol gateway
CN103200635A (en) * 2012-01-05 2013-07-10 华为技术有限公司 Method, device and system for relocating user equipment among wireless network controllers
CN103595727A (en) * 2013-11-22 2014-02-19 中国航天科工集团第二研究院七〇六所 Cross-domain incremental data exchange model and method based on exchange identification
CN106101210A (en) * 2016-06-08 2016-11-09 常熟理工学院 A kind of data-centered radio network data communication method
CN107071011A (en) * 2017-03-29 2017-08-18 常熟理工学院 A kind of network data communication method based on cloud

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9225602B2 (en) * 2013-07-30 2015-12-29 Aruba Networks, Inc. Dynamic grouping and configuration of access points

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103200635A (en) * 2012-01-05 2013-07-10 华为技术有限公司 Method, device and system for relocating user equipment among wireless network controllers
CN102624621A (en) * 2012-03-11 2012-08-01 上海宜云物联科技有限公司 Heterogeneous network adaptive data communication method and sensor network multi-protocol gateway
CN103595727A (en) * 2013-11-22 2014-02-19 中国航天科工集团第二研究院七〇六所 Cross-domain incremental data exchange model and method based on exchange identification
CN106101210A (en) * 2016-06-08 2016-11-09 常熟理工学院 A kind of data-centered radio network data communication method
CN107071011A (en) * 2017-03-29 2017-08-18 常熟理工学院 A kind of network data communication method based on cloud

Also Published As

Publication number Publication date
CN107395764A (en) 2017-11-24
CN112039939A (en) 2020-12-04
CN111901391A (en) 2020-11-06

Similar Documents

Publication Publication Date Title
EP3481029B1 (en) Internet defense method and authentication server
CN103596173B (en) Wireless network authentication method, client and service end wireless network authentication device
US10419411B2 (en) Network-visitability detection
CN103701700B (en) Node discovery method in a kind of communication network and system
US10931636B2 (en) Method and system for restricting transmission of data traffic for devices with networking capabilities
CN107438074A (en) The means of defence and device of a kind of ddos attack
CN106304264B (en) Wireless network access method and device
US20150373006A1 (en) Secure Non-Geospatially Derived Device Presence Information
CN113746788A (en) Data processing method and device
CN108667601A (en) A kind of method, apparatus and equipment of transmission data
KR20150135032A (en) System and method for updating secret key using physical unclonable function
US20080126455A1 (en) Methods of protecting management frames exchanged between two wireless equipments, and of receiving and transmitting such frames, computer programs, and data media containing said computer programs
US8209537B2 (en) Secure information distribution between nodes (network devices)
US8688077B2 (en) Communication system and method for providing a mobile communications service
Park et al. Session management for security systems in 5g standalone network
CN107395764B (en) Method and system for data exchange between devices in different data domains
JP2023535474A (en) ASSOCIATION CONTROL METHOD AND RELATED DEVICE
CN110830421B (en) Data transmission method and device
US11811817B2 (en) SSL proxy whitelisting
CN104954125A (en) Key agreement method, user equipment, router and location server
Swati et al. Design and analysis of DDoS mitigating network architecture
WO2015136842A1 (en) Network management device, network system, network management method, and recording medium
Diep et al. Detecting flooding attack in delay tolerant networks by piggybacking encounter records
CN1913439B (en) Authentication method and method for transmitting successful authentication information
Younes Modeling and performance analysis of a new secure address resolution protocol

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200723

Address after: Xuelang Street Melia Binhu District in Jiangsu province 214125 Ze road Wuxi City No. 28 Software Science Park B District No. 7

Applicant after: LANSWON TECHNOLOGIES Co.,Ltd.

Address before: 110034 No. 2 building, No. 1, building 14, gate 6, No. 10, building No. 2, censer Hill Road, Shenyang District, Huanggu District, Liaoning, Shenyang

Applicant before: Wang Mei

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system of data exchange between devices in different data fields

Effective date of registration: 20210413

Granted publication date: 20200901

Pledgee: Bank of Communications Ltd. Wuxi branch

Pledgor: LANSWON TECHNOLOGIES Co.,Ltd.

Registration number: Y2021320010129

PE01 Entry into force of the registration of the contract for pledge of patent right