CN110166450B - Data transmission method and device based on industrial Ethernet and communication equipment - Google Patents


Info

Publication number: CN110166450B
Authority: CN (China)
Prior art keywords: access request, message, industrial, request message, address
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201910412689.1A
Other languages: Chinese (zh)
Other versions: CN110166450A (en)
Inventor: 黄廉真
Current Assignee: Solid High Tech Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Solid High Tech Co ltd

Application filed by Solid High Tech Co ltd
Priority to CN201910412689.1A
Publication of CN110166450A
Application granted
Publication of CN110166450B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application relates to a data transmission method and device based on industrial Ethernet, and to communication equipment. The method comprises the following steps: mapping a port according to configuration information of the industrial equipment, wherein the configuration information comprises the MAC address of the industrial equipment; receiving, on the mapped port, an access request message transmitted by the network side that comprises the MAC address of the industrial equipment, and parsing the access request message; verifying the access request message according to the parsed message content; and, when the verification passes, sending the access request message to the industrial equipment. By adopting the method, the MAC address of the industrial equipment is mapped to the communication equipment through address mapping, so that the communication equipment has the same MAC address as the industrial equipment; the communication equipment is responsible for communicating with the network side, and the industrial equipment is invisible on the network side. The safety of the industrial equipment is therefore effectively improved, and the privacy of the data is ensured.

Description

Data transmission method and device based on industrial Ethernet and communication equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data transmission method and apparatus based on an industrial ethernet, and a communication device.
Background
With the development of communication technology, building networks over Ethernet in industrial settings has become more widespread, and more and more devices can be interconnected through a network. As shown in fig. 1, in a conventional network architecture the industrial device 10 is connected directly to the network, so that a server or remote client 20 can access the industrial device 10 directly through the network.
However, an industrial device 10 connected directly to the network is exposed to cyber attack, resulting in low system security.
Disclosure of Invention
In view of the above, it is necessary to provide a data transmission method, a data transmission device and a communication device based on industrial Ethernet that can effectively improve system security, in order to solve the problem of low system security.
In order to achieve the above object, in one aspect, an embodiment of the present application provides a data transmission method based on an industrial Ethernet network, including: mapping a port according to configuration information of the industrial equipment, wherein the configuration information comprises the MAC address of the industrial equipment; receiving, on the mapped port, an access request message transmitted by the network side that comprises the MAC address of the industrial equipment, and parsing the access request message; verifying the access request message according to the parsed message content; and, when the verification passes, sending the access request message to the industrial equipment.
In one embodiment, after the verification passes, the method further includes: carrying out format conversion on the access request message; sending the access request message to the industrial equipment then comprises: sending the format-converted access request message to the industrial equipment.
In one embodiment, the parsed message content includes a source address, and verifying the access request message according to the parsed message content includes: when the parsed source address exists in the pre-stored network address white list, the verification passes; and when the parsed source address does not exist in the pre-stored network address white list, the access request message is discarded.
In one embodiment, the parsed message content includes a message format; when the parsed source address exists in the pre-stored network address white list, verifying the access request message according to the parsed message content further comprises: when the parsed message format matches the preset network message format, the verification passes; and when the parsed message format does not match the preset network message format, the access request message is discarded.
In one embodiment, the parsed message content includes message data; when the parsed message format matches the preset network message format, verifying the access request message according to the parsed message content further comprises: when the parsed message data meets the preset filtering condition, the verification passes; and when the parsed message data does not meet the preset filtering condition, the access request message is discarded.
In another aspect, an embodiment of the present application further provides a data transmission method based on an industrial Ethernet, including: mapping a port according to configuration information of the industrial equipment, wherein the configuration information comprises the MAC address of the industrial equipment; receiving, on the mapped port, a data packet sent by the industrial equipment side, wherein the data packet carries a source address and a target address; when the source address matches the MAC address of the industrial equipment, verifying the data packet according to the target address; and, when the verification passes, sending the data packet to the network side.
In one embodiment, after the verification passes, the method further includes: carrying out format conversion on the data packet; sending the data packet to the network side then comprises: sending the format-converted data packet to the network side.
In one embodiment, verifying the data packet according to the target address includes: when the same target address exists in the pre-stored network address white list, the verification passes; and when the same target address does not exist in the pre-stored network address white list, the data packet is discarded.
In another aspect, an embodiment of the present application further provides an industrial Ethernet-based data transmission apparatus, including: a configuration module for mapping the port according to configuration information of the industrial equipment, wherein the configuration information comprises the MAC address of the industrial equipment; a receiving module for receiving an access request message transmitted by the network side that comprises the MAC address of the industrial equipment; a parsing module for parsing the access request message; a verification module for verifying the access request message according to the parsed message content; and a sending module for sending the access request message to the industrial equipment when the verification passes.
In still another aspect, an embodiment of the present application further provides a communication device comprising a memory and a processor, where the memory stores a computer program and the processor implements the steps of the method when executing the computer program.
According to the data transmission method, device and communication equipment based on industrial Ethernet, the MAC address of the industrial equipment is mapped to the communication equipment through address mapping, so that the communication equipment has the same MAC address as the industrial equipment; the communication equipment is responsible for communication with the network side, and the industrial equipment is invisible on the network side. The safety of the industrial equipment is therefore effectively improved, and the privacy of the data is guaranteed.
Drawings
FIG. 1 is a diagram of an application environment for data transmission in an industrial Ethernet network using conventional techniques;
FIG. 2 is a diagram of an embodiment of an application environment of a data transmission method based on industrial Ethernet;
FIG. 3 is a diagram of another application environment for data transmission in an industrial Ethernet network using conventional techniques;
FIG. 4 is a diagram of an application environment of a data transmission method based on industrial Ethernet in another embodiment;
FIG. 5 is a flow chart illustrating a data transmission method based on industrial Ethernet according to an embodiment;
FIG. 6 is a flow chart illustrating a data transmission method based on industrial Ethernet in another embodiment;
FIG. 7 is a flow chart illustrating a data transmission method based on industrial Ethernet in another embodiment;
FIG. 8 is a flow chart illustrating a data transmission method based on industrial Ethernet in accordance with still another embodiment;
FIG. 9 is a flow chart illustrating a method for industrial Ethernet based data transmission according to an embodiment;
FIG. 10 is a block diagram of an industrial Ethernet based data transmission device according to an embodiment;
FIG. 11 is an internal block diagram of an industrial Ethernet based data transfer device in one embodiment;
FIG. 12 is an internal configuration diagram of a communication device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The industrial Ethernet-based data transmission method provided by the present application can be applied to the application environment shown in fig. 2. As shown in fig. 2, the remote device 102 is communicatively connected with the industrial device 104 through a network, and a communication device 106 is disposed between the industrial device 104 and the network. The communication device 106 operates at the data link layer and maps the Media Access Control (MAC) address of the industrial device 104, so that the industrial device 104 exchanges data with the remote device 102 in the network through the communication device 106; direct interaction between the industrial device 104 and the network is thereby avoided, and the security of the industrial device 104 is effectively improved. In this embodiment, the remote device 102 may be a server or a remote client, where the server may be implemented by a stand-alone server or a server cluster composed of a plurality of servers, and the remote client may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer or portable wearable device. The industrial device 104 can be any of various electromechanical or controller devices, and the like.
Generally, in industrial applications, the industrial device 104 can also be a network-type industrial device composed of a plurality of network modules. As shown in fig. 3, the industrial device 104 itself may be a complex system including a plurality of network modules; for example, the industrial device 104 includes a main control unit and n components, which may be a network driver, a network IO module, a network signal acquisition module, and the like. Conventionally, all units of the industrial device 104 need to be connected to the network, so each unit is exposed to network attack; the security requirements on each unit of the industrial device 104 are therefore higher, and the data exchanged between the main control unit and each component is visible on the whole network and has no confidentiality.
In the solution of the present application, as shown in fig. 4, each unit of the industrial device 104 is connected to the communication device 106, and the MAC address of the main control unit of the industrial device 104 is mapped to the communication device 106, so that each unit of the industrial device 104 communicates with the network through the communication device 106. Only the communication device 106 can therefore be seen on the network side, no unit of the industrial device 104 can be accessed directly, and the data exchanged between the units of the industrial device 104 is invisible to the network. This effectively improves the security of the industrial device 104, reduces the security requirement on each of its units, and ensures the privacy of the data.
In an embodiment, as shown in fig. 5, a data transmission method based on industrial Ethernet is provided. The method is described taking as an example its application to the communication device of fig. 2 or fig. 4, specifically where the communication device receives data from the network side and forwards it to the device side. The method includes the following steps:
Step 502, mapping ports according to the configuration information of the industrial equipment.
The configuration information comprises the MAC address of the industrial equipment, so that the MAC address of the industrial equipment is mapped to the communication equipment through address mapping; the communication equipment has the same MAC address as the industrial equipment, the communication equipment is responsible for communication with the network side, and the industrial equipment is invisible on the network side.
Step 504, receiving, on the mapped port, an access request message transmitted by the network side that includes the MAC address of the industrial equipment, and parsing the access request message.
When the network side needs to access the industrial equipment, it sends a corresponding access request message carrying a target address, namely the MAC address of the industrial equipment. Since the communication device maps the MAC address of the industrial device and is responsible for communication with the network side, the access request message including the MAC address of the industrial device is received by the mapped communication device. After receiving the access request message transmitted by the network side, the communication equipment parses it to obtain the parsed message content.
Step 506, verifying the access request message according to the parsed message content.
The parsed message content may include a source address, a message format, message data, and the like. The communication equipment verifies the access request message according to the parsed message content in order to check the legitimacy of the access request message.
Step 508, when the verification passes, sending the access request message to the industrial equipment.
When the verification passes, the access request message is legitimate, so the communication equipment forwards the legitimate access request message to the industrial equipment.
Step 510, when the verification fails, discarding the corresponding access request message.
According to this data transmission method based on industrial Ethernet, the MAC address of the industrial equipment is mapped to the communication equipment through address mapping, so that the communication equipment has the same MAC address as the industrial equipment; the communication equipment is responsible for communication with the network side, and the industrial equipment is invisible on the network side. The risk that the industrial equipment is attacked directly from the network is thereby reduced, the safety of the industrial equipment is effectively improved, and the privacy of data interaction is guaranteed.
In one embodiment, the parsed message content includes a source address, and verifying the access request message according to the parsed message content may specifically include: verifying the access request message according to the parsed source address; when the corresponding source address exists in the pre-stored network address white list, the verification passes, and when it does not exist in the pre-stored network address white list, the verification fails. In this embodiment, when the verification fails, the corresponding access request message is discarded. By verifying the source address in the access request message, this embodiment ensures that an access request message is forwarded to the industrial equipment only after its transmission path has been confirmed as legitimate, which protects the industrial equipment from illegitimate access.
In one embodiment, the parsed message content may further include a message format; when the corresponding source address exists in the pre-stored network address white list, verifying the access request message according to the parsed message content may further include verifying the access request message according to the parsed message format. The message format refers to the protocol type to which the access request message belongs; for example, the Hypertext Transfer Protocol (HTTP) is a widely used network protocol. In this embodiment, when the parsed message format matches the preset network message format, the verification passes; when the parsed message format does not match the preset network message format, the verification fails and the corresponding access request message can be discarded.
Specifically, in this embodiment the message format of the access request message is used as a further verification condition. Because messages transmitted in the network normally use a standard format, the common standard formats can be preset as safe network message formats, and a received access request message is forwarded to the industrial equipment only when its message format belongs to the safe network message formats, so that the security of the industrial equipment is further improved.
In one embodiment, the parsed message content may further include message data; when the parsed message format matches the preset network message format, verifying the access request message according to the parsed message content may further include verifying the access request message according to the parsed message data. In this embodiment, the communication device may preset a data filtering condition that fits the characteristics of the industrial device, according to the application scenario or the particularities of the industrial device. When the parsed message data meets the preset filtering condition, the verification passes; when the parsed message data does not meet the preset filtering condition, the verification fails and the corresponding access request message can be discarded.
Specifically, suppose a certain industrial device has a strict requirement on time delay, so that it is undesirable for received data to occupy a large amount of bandwidth and affect the normal operation of the device. The communication device may then preset a data filtering condition on the receivable data size, and the corresponding access request message is forwarded to the industrial device only when the data size of the parsed message data satisfies this condition. In this way the flexibility of the system is increased while the security requirements are met. In addition, in this embodiment the industrial device may apply further security measures at the application layer according to its own situation, for example additional filtering conditions, which makes customized schemes easier to implement.
In an embodiment, as shown in fig. 6, after the verification is passed, the data transmission method based on the industrial ethernet may further include the following steps:
Step 507, converting the format of the access request message.
Specifically, the format of messages transmitted in the network usually follows a standard network protocol, such as HTTP, TCP (Transmission Control Protocol) or FTP (File Transfer Protocol), whereas the data transmission format used inside the industrial device may be a standard physical layer protocol or a personalized protocol customized according to production requirements. Therefore, after the access request message passes verification, the communication device can further convert its format according to the format requirements of the industrial device, so that an access request message in a standard network protocol is converted into a message in a protocol format meeting the industrial device's requirements, and the format-converted access request message is then sent to the industrial device.
Specifically, when the industrial device is a complex system including one main control unit and n components as shown in fig. 4, the communication device sends the format-converted access request message to the main control unit, and the main control unit controls the other components according to the specific command in the access request message, or returns the corresponding data to the communication device according to the access request message. The data exchanged inside the industrial equipment is therefore invisible to the network side, and the confidentiality and safety of that internal data exchange are improved.
In an embodiment, as shown in fig. 7, a further data transmission method based on industrial Ethernet is provided. The method is described taking as an example its application to the communication device of fig. 2 or fig. 4, specifically where the communication device receives data from the device side and forwards it to the network side. The method includes the following steps:
Step 702, mapping the ports according to the configuration information of the industrial equipment.
The configuration information comprises the MAC address of the industrial equipment, so that the MAC address of the industrial equipment is mapped to the communication equipment through address mapping; the communication equipment has the same MAC address as the industrial equipment, the communication equipment is responsible for communication with the network side, and the industrial equipment is invisible on the network side.
Step 704, receiving, on the mapped port, a data packet sent by the industrial equipment side, wherein the data packet carries a source address and a target address.
Step 706, when the source address matches the MAC address of the industrial equipment, verifying the data packet according to the target address.
Step 708, when the verification passes, sending the data packet to the network side.
Step 710, when the verification fails, discarding the corresponding data packet.
In this embodiment, the communication device receives a data packet sent by the device side and determines from the source address carried in the data packet whether it was sent by the mapped industrial device; when the source address is the same as the MAC address of the mapped industrial device, the communication device further verifies the data packet according to the target address. When the verification passes, the corresponding data packet is forwarded to the network side; otherwise it is discarded.
According to this data transmission method based on industrial Ethernet, the MAC address of the industrial equipment is mapped to the communication equipment through address mapping, so that the communication equipment has the same MAC address as the industrial equipment; when the industrial equipment needs to transmit data to the network side, the communication equipment forwards the data to the network side, and the industrial equipment is invisible on the network side. The risk that the industrial equipment is attacked directly from the network is thereby reduced, and the safety of the industrial equipment is effectively improved.
In an embodiment, verifying the data packet according to the target address may specifically include: when the same target address exists in the pre-stored network address white list, the verification passes; when the same target address does not exist in the pre-stored network address white list, the verification fails and the corresponding data packet is discarded. By verifying both the source address and the target address of the data packet, this embodiment ensures that a data packet is forwarded to the network side only after its transmission path has been confirmed as legitimate, which prevents data exchanged inside the industrial equipment from leaking to the network and improves the security of data transmission.
In an embodiment, as shown in fig. 8, after the verification passes, the data transmission method based on industrial Ethernet may further include the following step:
Step 707, performing format conversion on the data packet.
Specifically, the format of messages transmitted in the network usually follows a standard network protocol, such as HTTP, TCP or FTP, whereas the data transmission format used inside the industrial device may be a standard physical layer protocol or a personalized protocol customized according to production requirements. Therefore, after the data packet sent by the industrial equipment has passed verification, the communication equipment can further convert its format, so that a data packet in the personalized format is converted into a network message in a standard network format, and the format-converted network message is then sent to the network side. A safe and convenient communication bridge is thus established between the device side and the network side.
In an embodiment, as shown in fig. 9, a data transmission method based on an industrial Ethernet is provided. It is described here, by way of example, as applied to the communication device of fig. 2 or fig. 4, and specifically includes the following steps:
Step 902, the communication device powers up and enters an initial wait state.
Step 904, receiving configuration information of the industrial device and mapping the port accordingly.
The configuration information comprises the MAC address of the industrial device; through address mapping, this MAC address is mapped onto the communication device, so that the communication device has the same MAC address as the industrial device. Of course, the configuration information may also include other configuration parameters, such as a network address white list, a list of common standard network message formats, a list of message formats suitable for the industrial device, the corresponding format conversion protocol, and other data filtering conditions.
Step 906, the industrial device starts the network side function of the communication device, so that the communication device enters the working mode.
Step 908, receiving an access request message transmitted from the network side or a data packet transmitted from the industrial device side.
Step 910, when an access request message transmitted from the network side is received, parsing the message content of the access request message.
The message content includes a source address, a destination address, a message format, message data, and the like.
Step 912, verifying the source address and destination address of the access request message.
Step 914, when the verification is passed, verifying the message format of the access request message; otherwise, discarding the access request message.
Step 916, when the message format passes verification, verifying the message data of the access request message; otherwise, discarding the access request message.
Step 918, when the message data passes verification, converting the format of the access request message into the protocol format corresponding to the industrial device.
Step 920, sending the format-converted access request message to the industrial device.
Step 922, when a data packet transmitted from the industrial device side is received, parsing the source address and destination address of the data packet.
Step 924, verifying the source address and destination address of the data packet.
Step 926, when the verification is passed, performing format conversion on the data packet; otherwise, discarding the data packet.
Step 928, sending the format-converted data packet to the network side.
According to this industrial-Ethernet-based data transmission method, the MAC address of the industrial device is mapped onto the communication device through address mapping, so that the communication device has the same MAC address as the industrial device. The communication device then handles all communication with the network side, and the industrial device is invisible on the network side; this effectively improves the security of the industrial device and protects the privacy of its data.
It should be understood that, although the steps in the flowcharts of figs. 5-9 are shown sequentially as indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, there is no strict ordering restriction on these steps, and they may be performed in other orders. Moreover, at least some of the steps in figs. 5-9 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages need not be performed sequentially: they may be performed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 10, an industrial-Ethernet-based data transmission apparatus is provided, including a configuration module 1010, a receiving module 1020, a parsing module 1030, a verification module 1040, and a sending module 1050, wherein:
the configuration module 1010 is configured to map the port according to configuration information of the industrial device, where the configuration information includes a MAC address of the industrial device. The receiving module 1020 is configured to receive an access request message transmitted by the network side that includes the MAC address of the industrial device. The parsing module 1030 is configured to parse the access request message. The verification module 1040 is configured to verify the access request message according to the parsed message content. The sending module 1050 is configured to send the access request message to the industrial device when the verification is passed.
In one embodiment, a format conversion module 1060 is further included, configured to perform format conversion on the access request message.
In one embodiment, the receiving module 1020 is further configured to receive a data packet transmitted by the industrial device. The parsing module 1030 is further configured to parse the source address and destination address of the data packet. The verification module 1040 is further configured to verify the data packet according to the source address and the destination address. The sending module 1050 is further configured to send the data packet to the network side when the verification is passed. The format conversion module 1060 is further configured to perform format conversion on the data packet.
For the specific definition of the industrial-Ethernet-based data transmission apparatus, refer to the definition of the industrial-Ethernet-based data transmission method above; it is not repeated here. The modules of the industrial-Ethernet-based data transmission apparatus can be implemented in whole or in part by software, hardware, or a combination thereof. The modules can be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device, so that the processor can call and execute the operations corresponding to each module.
In a specific application scenario, as shown in fig. 11, the internal structure of the industrial-Ethernet-based data transmission apparatus may specifically include a network-side state management and configuration module, a device-side state management and configuration module, a network-side-to-device-side protocol conversion module, a device-side-to-network-side protocol conversion module, a network-side data link layer protocol stack, a device-side data link layer protocol stack, a network-side data packet filter, a device-side data packet filter, a network-side physical Rx port, and a device-side physical Tx port. The network-side state management and configuration module and the device-side state management and configuration module correspond to the configuration module 1010 in fig. 10; the two protocol conversion modules and the two data link layer protocol stacks together constitute the format conversion module 1060 in fig. 10; the network-side data packet filter and the device-side data packet filter correspond to the verification module 1040 in fig. 10; and the network-side physical Rx port and the device-side physical Tx port have the same functions as the receiving module 1020 and the sending module 1050 in fig. 10, respectively.
In one embodiment, a communication device is provided, which may be a terminal, and whose internal structure diagram may be as shown in fig. 11. The communication device includes a processor, a memory, and a network interface connected by a system bus. The processor of the communication device provides computing and control capabilities. The memory of the communication device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The network interface of the communication device is used to connect to and communicate with an external terminal through a network. When executed by the processor, the computer program implements an industrial-Ethernet-based data transmission method.
Those skilled in the art will appreciate that the structure shown in fig. 11 is a block diagram of only part of the structure related to the present application and does not limit the communication device to which the present application applies; a particular communication device may include more or fewer components than shown, combine certain components, or have a different arrangement of components.
In one embodiment, a communication device is provided, comprising a memory and a processor, wherein the memory stores a computer program which, when executed by the processor, implements the following steps:
mapping a port according to configuration information of the industrial device, wherein the configuration information comprises a MAC address of the industrial device; receiving, through the mapped port, an access request message transmitted by the network side that comprises the MAC address of the industrial device, and parsing the access request message; verifying the access request message according to the parsed message content; and, when the verification is passed, sending the access request message to the industrial device.
In one embodiment, after the verification is passed, the steps further comprise: performing format conversion on the access request message; and sending the access request message to the industrial device then comprises: sending the format-converted access request message to the industrial device.
In one embodiment, the parsed message content includes a source address, and verifying the access request message according to the parsed message content comprises: when the source address exists in a pre-stored network address white list, the verification is passed; and when the source address does not exist in the pre-stored network address white list, discarding the corresponding access request message.
In one embodiment, the parsed message content includes a message format; when the source address exists in the pre-stored network address white list, verifying the access request message according to the parsed message content further comprises: when the parsed message format matches a preset network message format, the verification is passed; and when the parsed message format does not match the preset network message format, discarding the access request message.
In one embodiment, the parsed message content includes message data; when the parsed message format matches the preset network message format, verifying the access request message according to the parsed message content further comprises: when the parsed message data meets a preset filtering condition, the verification is passed; and when the parsed message data does not meet the preset filtering condition, discarding the access request message.
In one embodiment, the processor, when executing the computer program, may further implement the following steps:
mapping a port according to configuration information of the industrial device, wherein the configuration information comprises a MAC address of the industrial device; receiving, through the mapped port, a data packet sent by the industrial device side, wherein the data packet carries a source address and a destination address; when the source address matches the MAC address of the industrial device, verifying the data packet according to the source address and the destination address; and, when the verification is passed, sending the data packet to the network side.
In one embodiment, after the verification is passed, the steps further comprise: performing format conversion on the data packet; and sending the data packet to the network side then comprises: sending the format-converted data packet to the network side.
In one embodiment, verifying the data packet according to the source address and the destination address comprises: when the source address matches the MAC address of the industrial device and the destination address exists in the pre-stored network address white list, the verification is passed; and when the source address does not match the MAC address of the industrial device or the destination address does not exist in the pre-stored network address white list, discarding the data packet.
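The fig. 9 pipeline (steps 902 to 928) and the processor-implemented embodiments just described, as an added reference model that is not the patent's own code and not any product of the applicant. It assumes Ethernet II frames, treats the EtherType as the "message format", uses a payload-length bound as the "data filtering condition", and rewrites the EtherType as a stand-in for the unspecified format conversion protocol; the class and function names, MAC addresses and frames are all constructed for this example.

```python
import struct
from dataclasses import dataclass

# Ethernet II header: destination MAC, source MAC, EtherType (network byte order).
ETH_HDR = struct.Struct("!6s6sH")


def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes used in a frame header."""
    return bytes.fromhex(text.replace(":", ""))


@dataclass(frozen=True)
class Config:
    """Configuration information received in step 904 (all values constructed)."""
    device_mac: bytes          # MAC of the industrial device, mapped onto the gateway
    net_whitelist: frozenset   # network-side MAC addresses allowed to talk to it
    net_formats: frozenset     # EtherTypes accepted as standard network message formats
    net_ethertype: int         # format used when forwarding device data to the network
    device_ethertype: int      # protocol format the industrial device expects
    max_payload: int           # data filtering condition: longest payload accepted


class Gateway:
    """Hypothetical layer-2 gateway implementing the fig. 9 states and both data paths."""

    def __init__(self, cfg: Config):
        self.cfg = cfg
        self.working = False   # step 902: power-up, initial wait state

    def start_network_side(self) -> None:
        """Step 906: the industrial device enables the network-side function."""
        self.working = True

    @staticmethod
    def parse(frame: bytes):
        """Steps 910/922: split a frame into (dst, src, ethertype, payload), or None."""
        if len(frame) < ETH_HDR.size:
            return None
        dst, src, etype = ETH_HDR.unpack_from(frame)
        return dst, src, etype, frame[ETH_HDR.size:]

    def from_network(self, frame: bytes):
        """Steps 910-920. Returns the converted frame for the device, or None (discarded)."""
        if not self.working:
            return None                      # still in the wait state: nothing is forwarded
        parsed = self.parse(frame)
        if parsed is None:
            return None                      # truncated header
        dst, src, etype, data = parsed
        # Step 912: the source must be whitelisted and the destination must be the
        # mapped MAC; anything else never reaches the industrial device.
        if src not in self.cfg.net_whitelist or dst != self.cfg.device_mac:
            return None
        # Step 914: message format check against the configured format list.
        if etype not in self.cfg.net_formats:
            return None
        # Step 916: message data check (a length bound here; the patent leaves the
        # filtering condition configurable).
        if not 0 < len(data) <= self.cfg.max_payload:
            return None
        # Step 918: format conversion, modelled as re-tagging with the device EtherType.
        return ETH_HDR.pack(dst, src, self.cfg.device_ethertype) + data

    def from_device(self, frame: bytes):
        """Steps 922-928. Returns the converted frame for the network side, or None."""
        if not self.working:
            return None
        parsed = self.parse(frame)
        if parsed is None:
            return None
        dst, src, etype, data = parsed
        # Step 924: the source must be the device's own MAC and the destination must be
        # on the network address white list, so the device cannot reach arbitrary hosts.
        if src != self.cfg.device_mac or dst not in self.cfg.net_whitelist:
            return None
        # Step 926: convert back to the network-side format.
        return ETH_HDR.pack(dst, src, self.cfg.net_ethertype) + data


def demo() -> dict:
    """Run constructed frames through the gateway; returns what each one became."""
    dev = mac("02:00:00:00:00:01")      # industrial device (constructed)
    scada = mac("02:00:00:00:00:10")    # whitelisted network-side host (constructed)
    rogue = mac("02:00:00:00:00:99")    # host not on the white list (constructed)
    cfg = Config(device_mac=dev, net_whitelist=frozenset({scada}),
                 net_formats=frozenset({0x0800}), net_ethertype=0x0800,
                 device_ethertype=0x88A4, max_payload=64)
    gw = Gateway(cfg)
    ok_req = ETH_HDR.pack(dev, scada, 0x0800) + b"read-register-1"
    early = gw.from_network(ok_req)     # arrives before step 906: dropped
    gw.start_network_side()
    return {
        "before_start": early,
        "good_request": gw.from_network(ok_req),
        "rogue_source": gw.from_network(ETH_HDR.pack(dev, rogue, 0x0800) + b"x"),
        "wrong_format": gw.from_network(ETH_HDR.pack(dev, scada, 0x86DD) + b"x"),
        "oversized": gw.from_network(ETH_HDR.pack(dev, scada, 0x0800) + b"A" * 65),
        "good_reply": gw.from_device(ETH_HDR.pack(scada, dev, 0x88A4) + b"value=42"),
        "reply_to_stranger": gw.from_device(ETH_HDR.pack(rogue, dev, 0x88A4) + b"v"),
    }
```

Only `good_request` and `good_reply` come out of `demo()` as frames; every other entry is `None`, and the two forwarded frames differ from their inputs only in the EtherType. The ordering of the checks mirrors steps 912 to 916: address verification is the cheapest test and runs first, so a frame from an unlisted source is discarded before its format or payload is ever inspected.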
It will be understood by those skilled in the art that all or part of the processes of the methods in the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database, or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described, but any such combination should be considered within the scope of this specification as long as it contains no contradiction.
The above embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A data transmission method based on industrial ethernet, wherein the method is applied to a communication device, the communication device operates at a data link layer, and the method comprises:
mapping a port according to configuration information of an industrial device, wherein the configuration information comprises a MAC address of the industrial device, and mapping the MAC address of the industrial device into the communication device so that the communication device has the same MAC address as the industrial device and the industrial device is invisible to a network side;
adopting the mapped port to receive an access request message which is transmitted by a network side and comprises the MAC address of the industrial equipment, and analyzing the access request message;
verifying the access request message according to the analyzed message content;
when the verification is passed, sending the access request message to the industrial equipment;
the analyzed message content comprises a source address, a message format and message data, and the verification of the access request message according to the analyzed message content comprises the following steps: and verifying the access request message according to the analyzed source address, message format and message data.
2. The industrial ethernet-based data transmission method according to claim 1, wherein after the verification is passed, the method further comprises:
carrying out format conversion on the access request message;
the sending the access request message to the industrial device includes:
and sending the access request message subjected to format conversion to the industrial equipment.
3. The industrial ethernet-based data transmission method according to claim 1 or 2, wherein the parsed message content comprises a source address; the verifying the access request message according to the analyzed message content comprises the following steps:
when the analyzed source address exists in the pre-stored network address white list, the verification is passed;
and when the analyzed source address does not exist in the pre-stored network address white list, discarding the access request message.
4. The industrial ethernet-based data transmission method according to claim 3, wherein the parsed message content comprises a message format; when the pre-stored network address white list has the analyzed source address, the verifying the access request message according to the analyzed message content further includes:
when the analyzed message format is matched with the preset network message format, the verification is passed;
and when the analyzed message format is not matched with the preset network message format, discarding the access request message.
5. The industrial ethernet-based data transmission method according to claim 4, wherein the parsed message content comprises message data; when the analyzed message format is matched with the preset network message format, the verifying the access request message according to the analyzed message content further comprises:
when the analyzed message data meets the preset filtering condition, the verification is passed;
and when the analyzed message data does not meet the preset filtering condition, discarding the access request message.
6. The industrial ethernet-based data transmission method according to claim 1, wherein said method further comprises:
receiving, through the mapped port, a data packet sent by the industrial equipment side, wherein the data packet carries a source address and a destination address;
when the source address matches the MAC address of the industrial equipment, verifying the data packet according to the destination address;
and when the verification is passed, sending the data packet to the network side.
7. The industrial ethernet-based data transmission method according to claim 6, wherein after the verification is passed, the method further comprises:
carrying out format conversion on the data packet;
the sending the data packet to the network side includes:
and sending the data packet subjected to the format conversion to the network side.
8. The industrial ethernet-based data transmission method according to claim 6 or 7, wherein said verifying the data packet according to the destination address comprises:
when the same destination address exists in a pre-stored network address white list, the verification is passed;
and when the same destination address does not exist in the pre-stored network address white list, discarding the data packet.
9. An industrial ethernet-based data transmission apparatus, wherein the apparatus is applied to a communication device, the communication device operates at a data link layer, and the apparatus comprises:
a configuration module, configured to map a port according to configuration information of an industrial device, where the configuration information includes a MAC address of the industrial device, and map the MAC address of the industrial device into the communication device, so that the communication device has the same MAC address as the industrial device, and the industrial device is invisible to a network side;
the receiving module is used for receiving an access request message which is transmitted by a network side and comprises the MAC address of the industrial equipment;
the analysis module is used for analyzing the access request message;
the verification module is used for verifying the access request message according to the analyzed message content;
the sending module is used for sending the access request message to the industrial equipment when the verification is passed;
the analyzed message content includes a source address, a message format and message data, and the verification module is specifically configured to: and verifying the access request message according to the analyzed source address, message format and message data.
10. A communication device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any one of claims 1 to 8 when executing the computer program.
CN201910412689.1A 2019-05-17 2019-05-17 Data transmission method and device based on industrial Ethernet and communication equipment Active CN110166450B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910412689.1A CN110166450B (en) 2019-05-17 2019-05-17 Data transmission method and device based on industrial Ethernet and communication equipment

Publications (2)

Publication Number Publication Date
CN110166450A CN110166450A (en) 2019-08-23
CN110166450B true CN110166450B (en) 2021-11-05

Family

ID=67631132

Country Status (1)

Country Link
CN (1) CN110166450B (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Room W211, second floor, west block, Shenzhen Hong Kong industry university research base, South District, high tech Zone, Nanshan District, Shenzhen City, Guangdong Province
Applicant after: Solid High Tech Co.,Ltd.
Address before: Room W211, second floor, west block, Shenzhen Hong Kong industry university research base, South District, high tech Zone, Nanshan District, Shenzhen City, Guangdong Province
Applicant before: GOOGOL TECHNOLOGY (SHENZHEN) Ltd.
GR01 Patent grant