Disclosure of Invention
The invention provides a switching network-oriented dynamic ID hiding method aiming at the problems of high cost and influence on the performance of forwarding equipment in the existing ID protection method of the switching network.
In order to achieve the purpose, the invention adopts the following technical scheme:
a switching network-oriented dynamic ID hiding method comprises the following steps:
step 1: setting internal and external network attributes of a port of the switching equipment, and establishing a port internal and external network attribute table to make ID of user data passing through an internal network attribute port, namely, internal network ID, be private ID, and make ID of user data passing through an external network attribute port, namely, external network ID, be public ID;
step 2: constructing a hidden ID pool;
step 3: setting an internal and external network ID hidden table;
step 4: dynamically adjusting the ID mapping algorithm.
Further, the step 2 comprises:
performing a logical operation on the intranet ID and a random value, and performing a hash operation mapping by taking the intranet ID as input, the output of which is the extranet ID, wherein the mapping meets the requirements of class A, class B or class C subnet division of the extranet;
each intranet ID needs to be mapped to a plurality of extranet IDs; the internal ID group and the external ID group obtained by the operation are stored to form the hidden ID pool, and for each intranet ID one of its corresponding extranet IDs is randomly selected to form an internal and external ID pair for configuring the internal and external network ID hidden table.
Further, the step 3 comprises:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is sent from the internal network to the external network, the source ID of the data is replaced by the external network ID from the internal and external network ID hidden table, and then the route forwarding lookup is carried out;
if the user data is sent from the external network to the internal network, the route lookup is carried out first, and then the destination ID of the data is replaced by the internal network ID from the internal and external network ID hidden table;
if the user data is forwarded within the internal network or within the external network, the route forwarding lookup is carried out directly.
Further, the step 4 comprises:
carrying out periodic internal and external network ID mapping transformation according to the mapping method of step 2.
Compared with the prior art, the invention has the following beneficial effects:
The invention relates to a switching network-oriented dynamic ID hiding method, which achieves ID protection of user data forwarded by the switching equipment by setting the internal and external network attributes of the ports of the switching equipment, constructing a hidden ID pool, setting an internal and external network ID hiding table and periodically and dynamically adjusting the ID mapping. It has the following advantages:
against common attacks aimed at a specific ID, such as DDoS attacks, an attacker cannot reach the user by scanning the user's ID;
against an APT attack aimed at a specific ID, an attacker may obtain the external network ID of the specific user within a certain time and then attack the corresponding internal network ID; however, the dynamic ID hiding method provided by the invention dynamically transforms the mapping relation between the internal network ID and the external network ID, so in theory the attack is avoided as long as the dynamic ID transformation period is shorter than the attacker's cracking period.
The method constructs the hidden ID pool in software and realizes the hidden table in hardware, and achieves dynamic ID conversion by randomly and dynamically scheduling the hidden ID pool; in this way it can defend against attack means aimed at the user ID.
Example 1:
As shown in fig. 1, a switching network-oriented dynamic ID hiding method includes:
step S101: setting internal and external network attributes of a port of the switching equipment, and establishing a port internal and external network attribute table to make ID of user data passing through an internal network attribute port, namely, internal network ID, be private ID, and make ID of user data passing through an external network attribute port, namely, external network ID, be public ID;
According to application requirements, the internal and external network attribute of each switch port is set, that is, the switch port is set as an internal network attribute (intranet) port or an external network attribute (extranet) port. The ID of user data passing through an intranet attribute port, namely the intranet ID, is a private ID and is visible only internally, i.e. only to intranet users; the ID of user data passing through an extranet attribute port, namely the extranet ID, is a public ID and is visible externally, i.e. to all extranet users and attackers.
Step S102: constructing a hidden ID pool;
specifically, the step S102 includes:
performing a logical operation on the intranet ID and a random value, and performing a hash operation mapping by taking the intranet ID as input, the output of which is the extranet ID, wherein the mapping meets the requirements of class A, class B or class C subnet division of the extranet;
each intranet ID needs to be mapped to a plurality of extranet IDs; the internal ID group and the external ID group obtained by the operation are stored to form the hidden ID pool, and for each intranet ID one of its corresponding extranet IDs is randomly selected to form an internal and external ID pair for configuring the internal and external network ID hidden table.
Step S103: setting an internal and external network ID hidden table;
specifically, the step S103 includes:
configuring an internal and external network ID hidden table according to the internal and external network mapping relation provided by the hidden ID pool, and associating the internal and external network ID hidden table with a routing forwarding table:
checking the internal and external network attributes of the port through the internal and external network attribute table of the port;
if the user data is sent from the internal network to the external network, the source ID of the data is replaced by the external network ID from the internal and external network ID hidden table, and then the route forwarding lookup is carried out;
if the user data is sent from the external network to the internal network, the route lookup is carried out first, and then the destination ID of the data is replaced by the internal network ID from the internal and external network ID hidden table;
if the user data is forwarded within the internal network or within the external network, the route forwarding lookup is carried out directly.
Step S104: the ID mapping algorithm is dynamically adjusted.
Specifically, the step S104 includes:
performing periodic internal and external network ID mapping transformation according to the mapping method of step S102, which increases the dynamic property of the mapping and thereby ensures the dynamic property of user ID hiding.
It should be noted that, in this embodiment, the ID may be an IP address or a MAC address, so the hidden ID pool may also be referred to as a hidden address pool.
As a specific implementable manner, fig. 2 shows the position of dynamic ID hiding in the switching network system; the key modules include: a dynamic ID mapping algorithm, a hidden ID pool, a port internal and external network attribute table and an internal and external network ID hidden table. The dynamic ID mapping algorithm and the hidden ID pool are arranged in the system control management layer, and the port internal and external network attribute table and the internal and external network ID hidden table are arranged in the hardware (switching chip) of the switching equipment. The two hidden tables (intranet and extranet ID hidden tables) shown in fig. 2 may physically be one table or two.
In the system control management layer, the dynamic ID mapping algorithm for dynamic ID hiding refers to the following: first, a random number is selected and a logical operation is performed on it and the intranet ID; second, the operation result is taken as input and mapped with a hash algorithm, where the hash algorithm may be CRC-32 with the generating polynomial x^16 + x^15 + x^5 + 1; finally, each intranet ID is mapped multiple times and the mapping relations are stored in the hidden ID pool, an internal and external ID pair is randomly and dynamically selected from the hidden pool, the mapping relation to be issued is stored, and the updated ID conversion mapping relation is issued to the switching equipment hardware (the switching chip).
The configuration is issued to the switching chip according to the usual configuration flow, and the internal and external network ID hidden table in the chip is dynamically changed by periodic invocation, thereby achieving dynamic ID hiding.
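The control-layer part of the scheme (the hidden ID pool of step S102 and the periodic re-selection of step S104), as an added illustration that is not code from the patent: the intranet ID is XORed with a random value, the result is hashed with the generating polynomial the page states, and the digest is folded into the host part of the public subnet. The page names CRC-32 but gives a degree-16 polynomial, so the register here is 16 bits; the subnet 203.0.113.0/24, the XOR as the logical operation, and the injectivity check in `select_pairs` are assumptions of this example.

```python
import random

# Generator polynomial stated on the page: x^16 + x^15 + x^5 + 1 (0x8005).
# It has degree 16, so the CRC register below is 16 bits wide (example assumption).
CRC_POLY = 0x8005

def crc16(data: bytes) -> int:
    """Bitwise CRC over CRC_POLY, MSB first, initial register 0, no final XOR."""
    reg = 0
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            reg = ((reg << 1) ^ CRC_POLY) & 0xFFFF if reg & 0x8000 else (reg << 1) & 0xFFFF
    return reg

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def map_to_extranet(intranet_ip: str, rand: int, subnet: str, prefix_len: int) -> str:
    """XOR with the random value, hash, fold into the extranet subnet (class A/B/C = /8, /16, /24)."""
    mixed = (ip_to_int(intranet_ip) ^ rand) & 0xFFFFFFFF
    digest = crc16(mixed.to_bytes(4, "big"))
    host_mask = (1 << (32 - prefix_len)) - 1
    net = ip_to_int(subnet) & ~host_mask & 0xFFFFFFFF
    host = digest & host_mask
    if host in (0, host_mask):          # skip the network and broadcast addresses
        host = 1 if host == 0 else host_mask - 1
    return int_to_ip(net | host)

def build_hidden_pool(intranet_ips, subnet, prefix_len, per_id=4, rng=None):
    """Map every intranet ID several times with fresh random values: the hidden ID pool."""
    rng = rng or random.Random()
    return {ip: [map_to_extranet(ip, rng.getrandbits(32), subnet, prefix_len)
                 for _ in range(per_id)] for ip in intranet_ips}

def select_pairs(pool, rng=None):
    """Pick one extranet ID per intranet ID to issue to the hidden table; calling this on a
    timer is the periodic remapping. Kept injective so the return path maps to one host."""
    rng = rng or random.Random()
    pairs, used = {}, set()
    for ip, cands in pool.items():
        free = [c for c in cands if c not in used]
        if not free:
            raise ValueError(f"no unused extranet ID left for {ip}; enlarge the pool")
        pairs[ip] = rng.choice(free)
        used.add(pairs[ip])
    return pairs
```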
Dynamic ID hiding is implemented in the switching hardware (switching chip). Because dynamic ID hiding protects specific users, the protected users are set as intranet users and unprotected users are set as extranet users, and the switching chip processes data messages differently in different scenarios:
1. when an intranet user sends a data message to an extranet user, header analysis is carried out first; the intranet attribute of the data packet is determined through the port internal and external network attribute table; the target port is looked up through routing forwarding; when the target port does not match the intranet attribute, the internal and external network ID hidden table is queried and the source ID is replaced by the query result, so that the source ID is modified and hidden; the target port is looked up again through routing forwarding; and finally the packet is forwarded;
2. when an extranet user sends a data message to an intranet user, header analysis is carried out first; the extranet attribute of the data packet is determined through the port internal and external network attribute table; the routing forwarding table is consulted for the target port; the internal and external network ID hidden table is then queried to obtain the corresponding intranet ID, and the query result replaces the destination ID in the data packet; and finally the packet is forwarded;
3. when communication is carried out between extranet users, header analysis is carried out first; the extranet attribute of the data packet is determined through the port internal and external network attribute table; the destination port is looked up through routing forwarding; and the packet is forwarded;
4. when an intranet user sends a data message to another intranet user, header analysis is carried out first; the intranet attribute of the data packet is determined through the port internal and external network attribute table; the destination port is looked up through routing forwarding and its intranet attribute is confirmed to match; and the packet is forwarded.
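The four switching-chip cases above as a single forwarding function, added here as an illustration and not code from the patent. The port attribute table, the current hidden-table pairs, and the route forwarding table are constructed for the example; the route entries for public IDs pointing at intranet ports, and the rule that a private ID arriving from an extranet port is dropped, are assumptions of this example.

```python
from typing import Optional, Tuple

# Constructed tables (not from the patent). Port -> attribute:
PORT_ATTR = {1: "intranet", 2: "intranet", 3: "extranet", 4: "extranet"}
# Internal and external network ID hidden table, current pairs, both directions:
HIDE_IN2OUT = {"10.0.0.5": "203.0.113.77", "10.0.0.9": "203.0.113.142"}
HIDE_OUT2IN = {v: k for k, v in HIDE_IN2OUT.items()}
# Route forwarding table: destination ID -> egress port. Public IDs of protected
# users point at their intranet port, so these entries must be re-issued on every rotation.
ROUTES = {"10.0.0.5": 1, "10.0.0.9": 2, "203.0.113.77": 1, "203.0.113.142": 2,
          "198.51.100.20": 3, "198.51.100.30": 4}

def forward(in_port: int, src: str, dst: str) -> Optional[Tuple[int, str, str]]:
    """Header parse -> port attribute -> route lookup -> hidden-table rewrite.
    Returns (egress_port, src, dst) as they leave the chip, or None when dropped."""
    ingress = PORT_ATTR.get(in_port)
    if ingress is None:
        return None
    if ingress == "extranet" and (dst in HIDE_IN2OUT or src in HIDE_IN2OUT):
        return None  # a private ID must never enter or be addressed from an extranet port
    egress = ROUTES.get(dst)
    if egress is None:
        return None
    egress_attr = PORT_ATTR[egress]
    if ingress == "intranet" and egress_attr == "extranet":
        # case 1: target port is not intranet, hide the source, look the route up again
        hidden = HIDE_IN2OUT.get(src)
        if hidden is None:
            return None  # example assumption: an intranet host without a pair is not forwarded out
        src = hidden
        egress = ROUTES[dst]
    elif ingress == "extranet" and egress_attr == "intranet":
        # case 2: route on the public ID, then restore the private destination ID
        private = HIDE_OUT2IN.get(dst)
        if private is None:
            return None
        dst = private
    # cases 3 and 4: extranet-to-extranet and intranet-to-intranet pass unchanged
    return (egress, src, dst)
```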
The embodiment of the invention provides a switching network-oriented dynamic ID hiding method, which achieves ID protection of user data forwarded by the switching equipment by setting the internal and external network attributes of the ports of the switching equipment, constructing a hidden ID pool, setting an internal and external network ID hiding table and periodically and dynamically adjusting the ID mapping. It has the following advantages:
against common attacks aimed at a specific ID, such as DDoS attacks, an attacker cannot reach the user by scanning the user's ID;
against an APT attack aimed at a specific ID, an attacker may obtain the external network ID of the specific user within a certain time and then attack the corresponding internal network ID; however, the dynamic ID hiding method provided by the patent dynamically transforms the mapping relation between the internal network ID and the external network ID, so in theory the attack is avoided as long as the dynamic ID transformation period is shorter than the attacker's cracking period.
The method constructs the hidden ID pool in software in the control management layer of the switching network system, realizes the hidden table in hardware, and achieves dynamic ID conversion by randomly and dynamically scheduling the addresses of the hidden pool.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.