CN112217771B - Data forwarding method and data forwarding device based on tenant information


Info

Publication number
CN112217771B
Authority
CN
China
Prior art keywords
information
service providing
network service
tenant
providing point
Legal status
Active
Application number
CN201910625856.0A
Other languages
Chinese (zh)
Other versions
CN112217771A (en
Inventor
樊俊诚
沈唤勇
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Abstract

The invention provides a data forwarding method and a data forwarding device based on tenant information, wherein the method comprises the following steps: the network service providing point establishes a VPN channel with the client device; the network service providing point stores a first corresponding relation between VPN channel information and tenant information, wherein the VPN channel information is used for uniquely identifying the VPN channel, and the tenant information is used for uniquely identifying a tenant to which the client device belongs; the network service providing point receives a data packet from the client device and acquires target VPN channel information from the data packet; the network service providing point inquires target tenant information corresponding to the target VPN channel information from the first corresponding relation; and the network service providing point forwards the data packet to a preset virtual machine corresponding to the target tenant information.

Description

Data forwarding method and data forwarding device based on tenant information
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data forwarding method and a data forwarding apparatus based on tenant information.
Background
The existing SD-WAN architecture supporting cloud computing establishes a plurality of network service providing points (POPs) on an SD-WAN backbone network, and a VXLAN + IPSec architecture is adopted to distinguish the traffic of different users on the SD-WAN backbone network. A VXLAN tag is used to identify the traffic of different tenants; at the POP point the different tenants are matched according to their VXLAN IDs, and the corresponding traffic is scheduled to different security resource pools for processing according to the traffic orchestration policy of each tenant. Since the VXLAN ID is defined by the RFC as a 24-bit field, a single VXLAN ID space supports at most 16M values, so a single POP point can support at most 16M tenant accesses.
This scheme has the defect that slicing a multi-tenant network on an SD-WAN backbone network is complex. Building an overlay network with IPSec on top of an underlay network such as the Internet or optical fiber is itself complex, so managing thousands of IPSec tunnels is already difficult; combining IPSec with VXLAN effectively doubles the management complexity, because the IPSec tunnel and the VXLAN tunnel must be managed simultaneously in the overlay network and two pieces of tunnel information must be maintained.
Disclosure of Invention
The invention aims to provide a data forwarding scheme which is simple in design, easy to maintain and capable of effectively isolating different tenant flows so as to overcome the defects in the prior art.
In order to achieve the above object, the present invention provides a data forwarding method based on tenant information, which includes the following steps:
the network service providing point establishes a VPN channel with the client device;
the network service providing point stores a first corresponding relation between VPN channel information and tenant information, wherein the VPN channel information is used for uniquely identifying the VPN channel, and the tenant information is used for uniquely identifying a tenant to which the client device belongs;
the network service providing point receives a data packet from the client device and acquires target VPN channel information from the data packet;
the network service providing point inquires target tenant information corresponding to the target VPN channel information from the first corresponding relation;
and the network service providing point forwards the data packet to a preset virtual machine corresponding to the target tenant information.
According to the data forwarding method provided by the present invention, the step of establishing the VPN channel with the client device by the network service providing point includes:
the network service providing point receives a VPN channel configuration template issued by a control platform, wherein the configuration template comprises client equipment information and tenant information for establishing a VPN channel with the network service providing point;
and the POP establishes a VPN channel with the CPE equipment based on the configuration template.
According to the data forwarding method provided by the present invention, the step of storing the first corresponding relationship between the VPN channel information and the tenant information by the network service providing point includes:
acquiring security association information in the IPSec tunnel, and extracting a security parameter index based on the security association information;
and saving a first corresponding relation between the security parameter index and the tenant information.
According to the data forwarding method provided by the present invention, the network service providing point receives a data packet from the client device, and the step of acquiring the target VPN channel information from the data packet includes:
the network service providing point receives a data packet from the client equipment, analyzes security association information from the data packet and extracts a security parameter index in the security association information;
the step of querying, by the network service providing point, target tenant information corresponding to the target VPN channel information from the first corresponding relationship includes:
the network service providing point queries target tenant information corresponding to the security parameter index from the first corresponding relation based on the extracted security parameter index.
According to the data forwarding method provided by the present invention, before the step of obtaining the security association information in the IPSec tunnel and extracting the security parameter index based on the security association information, the method further includes:
acquiring source IP address information of the data packet, and judging whether the source IP address information is legal or not;
and if not, discarding the data packet.
In order to achieve the above object, the present invention further provides a data forwarding apparatus based on tenant information, including:
a channel establishing module, adapted to establish a VPN channel between the network service providing point and the client device;
a correspondence storage module, adapted to store, by the network service providing point, a first correspondence between VPN channel information and tenant information, where the VPN channel information is used to uniquely identify the VPN channel, and the tenant information is used to uniquely identify a tenant to which the client device belongs;
a data receiving module, adapted to receive, by the network service providing point, a data packet from the client device and obtain target VPN channel information from the data packet;
a tenant query module, adapted to query, by the network service providing point, target tenant information corresponding to the target VPN channel information from the first correspondence;
and a data forwarding module, adapted to forward the data packet, by the network service providing point, to a preset virtual machine corresponding to the target tenant information.
According to the data forwarding apparatus provided by the present invention, the channel establishing module includes:
a configuration template receiving unit, adapted to receive, by the network service providing point, a VPN channel configuration template issued by a management and control platform, where the configuration template includes client device information and tenant information for establishing a VPN channel with the network service providing point;
and the channel establishing unit is suitable for the network service providing point to establish a VPN channel with the client equipment based on the configuration template information.
According to the data forwarding apparatus provided by the present invention, the VPN tunnel is an IPSec tunnel, and the VPN tunnel information is a security parameter index extracted from security association information of the IPSec tunnel.
The data forwarding device provided by the invention further comprises:
the data judgment module is suitable for acquiring the source IP address information of the data packet after the network service providing point receives the data packet and judging whether the source IP address information is legal or not; and if not, discarding the data packet.
To achieve the above object, the present invention further provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above method when executing the computer program.
To achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the above method.
The data forwarding method and the data forwarding device based on the tenant information can isolate the traffic data of different tenants at the same POP point while maintaining only one piece of tunnel information. Specifically, the present invention uses the property that the security parameter index (SPI) in the IPSec protocol uniquely identifies one tunnel to identify the client device behind an IPSec tunnel, and then forms the correspondence between the IPSec tunnel and the tenant from the preset relationship between the client device and the tenant. When traffic data sent by a certain client device arrives through an IPSec tunnel, the identification information of the IPSec tunnel is extracted and the corresponding tenant information is queried from it, so that the traffic data can be correctly forwarded to the virtual machine of the corresponding tenant. Compared with the prior art, the tenant data isolation method and system only require support for the IPSec protocol, are simple to operate and convenient to implement, and can effectively save network resources. In addition, most client devices already support the IPSec protocol, so when a client first accesses the SD-WAN network or adds a new client device, access can be achieved without upgrading the device; this lowers the access threshold for client devices and helps attract more client resources.
Drawings
FIG. 1 is a schematic diagram of the SD-WAN architecture of the present invention;
fig. 2 is a flowchart of a first embodiment of a data forwarding method according to the present invention;
FIG. 3 is a schematic diagram of program modules of a first embodiment of a data forwarding device according to the present invention;
fig. 4 is a schematic diagram of a hardware structure of a first embodiment of the data forwarding device of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The data forwarding method and the data forwarding device based on the tenant information can realize the purpose of isolating the flow data from different tenants at the same POP point only by maintaining one piece of tunnel information. Specifically, the present invention utilizes the characteristic that the security parameter index SPI in the IPSec protocol can uniquely identify one tunnel, identifies the client device in the IPSec tunnel, and finally forms the corresponding relationship between the IPSec tunnel and the tenant according to the preset relationship between the client device and the tenant. When receiving traffic data sent by a certain client device through an IPSec tunnel, extracting identification information of the IPSec tunnel, and then querying corresponding tenant information according to the identification information of the IPSec tunnel, so that the traffic data can be correctly forwarded to a virtual machine of a corresponding tenant. Compared with the prior art, the tenant data isolation method and the tenant data isolation system can realize tenant data isolation only by supporting the IPSec protocol, are simple to operate and convenient to realize, and can effectively save network resources.
Example one
SD-WAN is a service that is formed by applying SDN technology to a wide area network scenario for connecting a wide geographic range of enterprise networks, including branches and data centers of the enterprise. Hereinafter, the present invention is explained with an SD-WAN service as a specific application example.
The SD-WAN architecture supporting cloud computing adds a network service providing point (POP) on a backbone network to utilize and manage Internet broadband, and constructs a stronger network for enterprise application, so that the performance of the network is improved to a new level.
As shown in fig. 1, the SD-WAN backbone network includes a management and control platform, a network service providing (POP) point and a Customer Premise Equipment (CPE), wherein the management and control platform is connected to all devices in the SD-WAN backbone network to implement global deployment and control functions for all devices. For simplicity, the present invention is shown in fig. 1 with only one network service providing point POP-A and two client devices CPE-A and CPE-B. In an actual SD-WAN network, the management and control platform may be connected to a plurality of network service providing points, and each network service providing point corresponds to a plurality of client devices at the same time.
As shown in fig. 1, the client devices CPE-A and CPE-B exchange information with the network service providing point POP-A under the control of the management and control platform, where the client device CPE-A communicates with POP-A through VPN channel A, and the client device CPE-B communicates with POP-A through VPN channel B.
Referring to fig. 2, the present embodiment provides a data forwarding method based on tenant information, which specifically includes the following steps:
s1: and the network service providing point establishes a VPN channel with the client equipment.
The improvement of the invention is mainly applied to the side of a network service providing point in an SD-WAN network. The network service providing point (POP point) may be any network operator provided service network point, such as a telecommunication service point, a mobile service point, a unicom service point, etc., which provides a link to external services and sites for client devices of an enterprise. The client device is a terminal device deployed in an enterprise and is connected with the POP point through a VPN channel. In the SD-WAN network, an enterprise obtains corresponding network resources, for example, a certain virtual machine storage space, by purchasing in advance. The invention regards an enterprise as a tenant, and it can be understood that each enterprise includes a plurality of CPE devices, so that each tenant name can correspond to a plurality of CPE devices, and each CPE device uniquely corresponds to one tenant. The invention saves the association information between the CPE equipment and the tenant through the management and control platform.
When the client device CPE needs to transmit data to the network service providing point POP, a data transmission request is firstly sent to the management and control platform. After receiving a data transmission request sent by the CPE device, the management and control platform extracts device information related to the requested CPE device, for example, a device number uniquely identifying the CPE device, and issues template configuration information to the requested CPE device and a POP point closest to the CPE device based on the device information. The template configuration information is used for establishing a VPN channel between the CPE equipment and the POP point, and the specific template configuration information at least comprises an equipment ID and a tenant ID, wherein the tenant ID is obtained by inquiring the association information between the CPE equipment and the tenant which is stored in advance in the management and control platform. In addition, the template configuration information may further include a series of necessary information such as authentication information, protocol information, key information, and the like for establishing a VPN channel between the CPE device and the POP point.
S2: the network service providing point stores a first corresponding relation between VPN channel information and tenant information, wherein the VPN channel information is used for uniquely identifying the VPN channel, and the tenant information is used for uniquely identifying the tenant to which the client device belongs.
The VPN channel information in the invention is used for uniquely identifying the VPN channel established between the CPE sending the data transmission request and the POP point. In addition, the CPE device as the VPN channel initiator has a unique device identifier, and simultaneously has unique corresponding tenant information, and the one-to-one correspondence between the VPN channel information and the tenant information can be obtained through the relationship.
In this embodiment, the VPN channel is an IPSec tunnel, and the VPN channel information uniquely identifying the current VPN channel is a Security Parameter Index (SPI) in a Security Association (SA) used by a POP point in the current IPSec tunnel.
A Security Association (SA) is data defining how two entities using IPSec communicate using a security service, and its constituent elements include a Security Parameter Index (SPI), an IP destination address, a security protocol, and the like. Where the Security Parameter Index (SPI) is a 32-bit unique serial number used to identify different SAs. In one communication, IPSec requires the establishment of two SAs for inbound and outbound communications, i.e., corresponding to the CPE device of the initiator and the POP point of the responder, respectively. The SA and SPI referred to in this disclosure are attributed to the responder POP point.
Based on the uniqueness of the SPI in the SA, the SPI of the POP point is used as information for identifying the current IPSec channel. Because the current IPSec channel uniquely corresponds to one piece of CPE equipment which also uniquely corresponds to one piece of tenant information, the unique corresponding relation between the SPI and the tenant information is generated and stored at the POP point.
S3: the network service providing point receives the data packet from the client device and acquires the target VPN channel information from the data packet.
On the basis of establishing the first corresponding relation between the SPI and the tenant information, the method distinguishes different flow data through the corresponding relation, and forwards the data from different tenants to the virtual machines corresponding to the tenants.
Specifically, when a POP point receives an IPSec packet from a CPE device, the packet is analyzed to obtain a corresponding SPI, where the SPI refers to an SPI in an SA used by the POP point and is referred to as a target SPI.
Furthermore, the invention can also obtain the source IP address of the data packet at the same time and determine whether the source IP address belongs to an authenticated, legitimate user; if not, the data packet is discarded. By legitimate, it is meant that the source IP address has been previously authorized or authenticated and is a trusted address. For security, all devices in the SD-WAN network must be authenticated before coming online, and devices that have not been authenticated are not allowed to transmit data through the SD-WAN network. The invention adds the step of checking the source IP address in order to discover and intercept malicious data packets as early as possible, improving network security while saving network resources. In the prior art, after receiving an IPSec packet, the POP point must perform a complicated verification and analysis step to obtain the data in the packet; if every packet is accepted without filtering, the data may turn out to be invalid or malicious only after analysis, which brings a potential safety hazard to the entire network and may silently waste a large amount of network resources. Therefore, the invention first determines from the source IP address whether the data packet comes from an authenticated, legitimate user; if not, the data packet is discarded directly without any analysis step, avoiding unnecessary waste of network resources.
S4: the network service providing point queries the target tenant information corresponding to the target VPN channel information from the first corresponding relation.
The POP point of the invention inquires the target tenant information corresponding to the target SPI according to the stored first corresponding relation between the SPI and the tenant information and uses the target tenant information to identify the data packet.
The first corresponding relation of the invention stores a plurality of SPI values and the tenant information corresponding to each, wherein the SPI refers to the security parameter index in the security association (SA) used at the POP point end when the IPSec tunnel is established. When the client device sends an IPSec protocol data packet to the POP point, the data packet contains the SPI of the receiver, namely the SPI generated by the POP point. This SPI is stored in the POP memory in the form of the first correspondence. Therefore, when the POP point receives the IPSec protocol data packet sent by the client device, the receiver's SPI is obtained by parsing the data packet, and the tenant information corresponding one-to-one to that SPI is queried in the first correspondence; this tenant information identifies the tenant to which the client device sending the current data packet uniquely belongs.
S5: the network service providing point forwards the data packet to a preset virtual machine corresponding to the target tenant information.
According to the identified tenant information, the POP point sends the received data packet to the virtual machine corresponding to the tenant information in the step, and therefore flow isolation between different tenants is achieved. In the SD-WAN network, one enterprise is equivalent to a tenant, and corresponding network resources are purchased in advance to obtain corresponding virtual machine addresses at the place where the enterprise joins the SD-WAN network. And virtual machine addresses corresponding to different tenants are stored in the management and control platform.
In the step of issuing the configuration template to the POP point, the management and control platform sends the tenant information and the virtual machine information at the same time. Therefore, the POP point knows the address of the virtual machine corresponding to each tenant, and forwards the corresponding data packet to the virtual machine matching the obtained tenant information.
In summary, the present invention utilizes the characteristic that the security parameter index SPI generated in the IPSec tunnel has uniqueness, and uses the SPI to identify each IPSec tunnel, so that when a data packet is received through a certain IPSec tunnel, the tenant information to which the data packet belongs can be quickly determined, and the data packet is correctly forwarded to the virtual machine corresponding to the tenant information. Compared with the prior art that the tenant isolation is realized by combining IPSec and VXLAN, the tenant isolation method and the system can realize tenant isolation more simply and efficiently, and effectively save network resources, thereby greatly improving the network utilization rate and improving user experience.
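The following is an added worked model of the POP-side procedure described in steps S1 to S5 above and in the method summary in the Disclosure section; it is illustrative code written for this page, not the patent's or the assignee's implementation. It assumes a constructed configuration template with the keys cpe_ip, tenant_id and vm_address, a POP that allocates its own inbound (responder) SPI when the tunnel comes up, and plain IPv4 + ESP packets (protocol 50) whose ESP header starts with the 32-bit SPI; no real IKE negotiation or ESP decryption is modelled.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ESP_PROTOCOL = 50  # IP protocol number of IPsec ESP (RFC 4303)


@dataclass
class Pop:
    """Constructed model of one network service providing (POP) point."""
    authorized_sources: Set[str] = field(default_factory=set)   # authenticated CPE addresses
    spi_to_tenant: Dict[int, str] = field(default_factory=dict)  # the "first correspondence"
    tenant_to_vm: Dict[str, str] = field(default_factory=dict)   # VM address per tenant
    next_spi: int = 0x10000001                                    # assumed SPI allocator

    def apply_template(self, template: dict) -> int:
        """S1/S2: accept the control platform's configuration template, bring up
        the tunnel and record SPI -> tenant. The responder-side (POP) SPI is
        allocated here; real deployments get it from the IKE-negotiated SA."""
        spi = self.next_spi
        self.next_spi += 1
        self.authorized_sources.add(template["cpe_ip"])      # device is now authenticated
        self.spi_to_tenant[spi] = template["tenant_id"]      # first correspondence
        self.tenant_to_vm[template["tenant_id"]] = template["vm_address"]
        return spi

    def forward(self, packet: bytes) -> Optional[str]:
        """S3-S5: return the tenant VM address the packet is forwarded to,
        or None when the packet is discarded."""
        if len(packet) < 20:
            return None                                      # not even an IPv4 header
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        src_ip = str(ipaddress.IPv4Address(packet[12:16]))
        # The source-address check runs before any IPSec parsing, so packets
        # from unauthenticated devices are dropped at minimal cost.
        if src_ip not in self.authorized_sources:
            return None
        if proto != ESP_PROTOCOL or len(packet) < ihl + 8:
            return None
        spi, _seq = struct.unpack("!II", packet[ihl:ihl + 8])  # ESP header: SPI, sequence
        tenant = self.spi_to_tenant.get(spi)                   # S4: SPI -> tenant lookup
        if tenant is None:
            return None                                      # unknown tunnel: discard
        return self.tenant_to_vm[tenant]                     # S5: tenant -> VM


def build_esp_packet(src_ip: str, dst_ip: str, spi: int, seq: int = 1,
                     payload: bytes = b"constructed-esp-body") -> bytes:
    """Constructed IPv4 + ESP packet for illustration (no real encryption)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTOCOL, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ip_hdr + struct.pack("!II", spi, seq) + payload


def demo() -> Dict[str, Optional[str]]:
    """Two tenants on one POP; returns where each constructed packet ends up."""
    pop = Pop()
    spi_a = pop.apply_template({"cpe_ip": "10.0.1.2", "tenant_id": "tenant-A", "vm_address": "192.0.2.10"})
    spi_b = pop.apply_template({"cpe_ip": "10.0.2.2", "tenant_id": "tenant-B", "vm_address": "192.0.2.20"})
    pop_ip = "203.0.113.1"
    return {
        "cpe_a": pop.forward(build_esp_packet("10.0.1.2", pop_ip, spi_a)),
        "cpe_b": pop.forward(build_esp_packet("10.0.2.2", pop_ip, spi_b)),
        "unauthenticated_src": pop.forward(build_esp_packet("10.0.9.9", pop_ip, spi_a)),
        "unknown_spi": pop.forward(build_esp_packet("10.0.1.2", pop_ip, 0xDEADBEEF)),
    }


if __name__ == "__main__":
    for case, vm in demo().items():
        print(f"{case}: {'forwarded to ' + vm if vm else 'discarded'}")
```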
Continuing to refer to fig. 2, a data forwarding apparatus based on tenant information is shown. In this embodiment, the data forwarding apparatus 10 may include or be divided into one or more program modules, which are stored in a storage medium and executed by one or more processors to carry out the present invention and implement the data forwarding method. The program modules referred to herein are series of computer program instruction segments that perform particular functions, and are better suited than the program itself for describing the execution of the data forwarding apparatus 10 on a storage medium. The functions of the program modules of the present embodiment are described below:
a channel establishing module 11, adapted to establish a VPN channel between the network service providing point and the client device;
a correspondence storage module 12, adapted to store, by the network service providing point, a first correspondence between VPN path information and tenant information, where the VPN path information is used to uniquely identify the VPN path, and the tenant information is used to uniquely identify a tenant to which the client device belongs;
a data receiving module 13, adapted to receive a data packet from the client device by the network service providing point, and obtain target VPN channel information from the data packet;
a data determining module 14, adapted to obtain source IP address information of the data packet after the network service providing point receives the data packet, and determine whether the source IP address information is legal; if not, discarding the data packet;
a tenant query module 15, adapted to query, by the network service providing point, target tenant information corresponding to the target VPN channel information from the first corresponding relationship;
and a data forwarding module 16, adapted to forward the data packet to a preset virtual machine corresponding to the target tenant information by the network service providing point.
According to the data forwarding apparatus provided by the present invention, the channel establishing module 11 includes:
a configuration template receiving unit 111, adapted to receive, by the network service providing point, a VPN channel configuration template issued by the management and control platform, where the configuration template includes client device information and tenant information for establishing a VPN channel with the network service providing point;
a channel establishing unit 112, adapted to establish a VPN channel with the client device by the network service providing point based on the configuration template information.
According to the data forwarding apparatus provided by the present invention, the VPN tunnel is an IPSec tunnel, and the VPN tunnel information is a security parameter index extracted from security association information of the IPSec tunnel.
The embodiment also provides a computer device, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a rack server (including an independent server or a server cluster composed of a plurality of servers) capable of executing programs, and the like. The computer device 20 of the present embodiment includes at least but is not limited to: a memory 21, a processor 22, which may be communicatively coupled to each other via a system bus, as shown in FIG. 3. It is noted that fig. 3 only shows the computer device 20 with components 21-22, but it is to be understood that not all shown components are required to be implemented, and that more or less components may alternatively be implemented.
In the present embodiment, the memory 21 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 21 may be an internal storage unit of the computer device 20, such as a hard disk or a memory of the computer device 20. In other embodiments, the memory 21 may also be an external storage device of the computer device 20, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, equipped on the computer device 20. Of course, the memory 21 may also include both the internal and the external storage devices of the computer device 20. In this embodiment, the memory 21 is generally used for storing the operating system installed in the computer device 20 and various application software, such as the program code of the data forwarding apparatus 10 in the first embodiment. Further, the memory 21 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 22 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip in some embodiments. The processor 22 is typically used to control the overall operation of the computer device 20. In this embodiment, the processor 22 is configured to run the program code stored in the memory 21 or to process data, for example to run the data forwarding apparatus 10, so as to implement the data forwarding method of the first embodiment.
The present embodiments also provide a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application store, etc., on which a computer program is stored which, when executed by a processor, implements the corresponding functions. The computer-readable storage medium of this embodiment is used to store the data forwarding apparatus 10, which, when executed by a processor, implements the data forwarding method of the first embodiment.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be implemented by a program instructing related hardware; the program may be stored in a computer readable medium and, when executed, includes one or a combination of the steps of the method embodiments.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example" or "some examples" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A data forwarding method based on tenant information is characterized by comprising the following steps:
the network service providing point establishes a VPN channel with the client device;
the network service providing point stores a first corresponding relation between VPN channel information and tenant information, wherein the VPN channel information is used for uniquely identifying the VPN channel, and the tenant information is used for uniquely identifying a tenant to which the client device belongs;
the network service providing point receives a data packet from the client device and acquires target VPN channel information from the data packet;
the network service providing point queries target tenant information corresponding to the target VPN channel information from the first corresponding relation;
and the network service providing point forwards the data packet to a preset virtual machine corresponding to the target tenant information.
2. The data forwarding method of claim 1, wherein the step of establishing a VPN channel with the client device by the network service providing point includes:
the network service providing point receives a VPN channel configuration template issued by a management and control platform, wherein the configuration template comprises client device information and tenant information for establishing a VPN channel with the network service providing point;
and the network service providing point establishes a VPN channel with the client device based on the configuration template.
3. The data forwarding method according to claim 2, wherein the VPN channel is an IPSec tunnel, and the step of storing, by the network service providing point, the first corresponding relation between VPN channel information and tenant information comprises:
acquiring security association information in the IPSec tunnel, and extracting a security parameter index based on the security association information;
and saving a first corresponding relation between the security parameter index and the tenant information.
4. The data forwarding method of claim 3, wherein the step in which the network service providing point receives a data packet from the client device and acquires target VPN channel information from the data packet comprises:
the network service providing point receives a data packet from the client device, parses security association information from the data packet and extracts a security parameter index from the security association information;
the step of querying, by the network service providing point, target tenant information corresponding to the target VPN channel information from the first corresponding relationship includes:
the network service providing point queries target tenant information corresponding to the security parameter index from the first corresponding relation based on the extracted security parameter index.
5. The data forwarding method according to claim 3, wherein before the step of obtaining the security association information in the IPSec tunnel and extracting the security parameter index based on the security association information, the method further comprises:
acquiring source IP address information of the data packet, and judging whether the source IP address information is legal or not;
and if not, discarding the data packet.
6. A data forwarding apparatus based on tenant information, comprising:
a channel establishing module, adapted to establish, by the network service providing point, a VPN channel with the client device;
a corresponding relation storage module, adapted to store, by the network service providing point, a first corresponding relation between VPN channel information and tenant information, where the VPN channel information is used to uniquely identify the VPN channel, and the tenant information is used to uniquely identify a tenant to which the client device belongs;
a data receiving module, adapted to receive, by the network service providing point, a data packet from the client device and acquire target VPN channel information from the data packet;
a tenant query module, adapted to query, by the network service providing point, target tenant information corresponding to the target VPN channel information from the first corresponding relation;
and a data forwarding module, adapted to forward, by the network service providing point, the data packet to a preset virtual machine corresponding to the target tenant information.
7. The data forwarding apparatus of claim 6, wherein the channel establishing module comprises:
a configuration template receiving unit, adapted to receive, by the network service providing point, a VPN channel configuration template issued by a management and control platform, where the configuration template includes client device information and tenant information for establishing a VPN channel with the network service providing point;
and a channel establishing unit, adapted to establish, by the network service providing point, a VPN channel with the client device based on the configuration template information.
8. The data forwarding apparatus of claim 6, wherein the VPN channel is an IPSec tunnel, and the VPN channel information is a security parameter index extracted from security association information of the IPSec tunnel.
9. The data forwarding apparatus of claim 8, further comprising:
a data judgment module, adapted to acquire, after the network service providing point receives the data packet, the source IP address information of the data packet and judge whether the source IP address information is legal; and if not, discard the data packet.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5.
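The method of claims 1 to 5, and the modules of the apparatus described above, as an added worked example that is not the patent's own code: a network service providing point keeps the "first corresponding relation" as a map from the IPsec security parameter index (the first four bytes of the ESP header, RFC 4303) to tenant information, checks the legality of the packet's source address before using the SPI (claim 5), and then resolves the tenant to its preset virtual machine. The class and function names, the SPI values, the tenant identifiers and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for this example; the inbound SPI is passed in by the caller rather than negotiated by IKE, which this example does not model.

```python
"""Tenant-aware forwarding at a network service providing point, keyed on the IPsec SPI.

Added illustration, not the patent's code. ServicePoint, ChannelTemplate, the SPI
values and the client addresses below are constructed for this example.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

ESP_PROTOCOL = 50  # IP protocol number of ESP (RFC 4303)


@dataclass
class ChannelTemplate:
    """VPN channel configuration template issued by the management and control platform."""
    client_ip: str   # client device information
    tenant_id: str   # tenant information


@dataclass
class ServicePoint:
    spi_to_channel: dict = field(default_factory=dict)  # first corresponding relation: SPI -> channel
    tenant_to_vm: dict = field(default_factory=dict)    # preset virtual machine per tenant
    legal_sources: set = field(default_factory=set)     # client addresses allowed to send (claim 5)

    def establish_channel(self, template: ChannelTemplate, inbound_spi: int) -> None:
        """Record the inbound SA's SPI against the template's tenant once the channel is up.

        The receiving side chooses its inbound SPI during SA negotiation; here the
        caller supplies it (assumption: IKE is not modelled).
        """
        if inbound_spi in self.spi_to_channel:
            raise ValueError(f"SPI {inbound_spi:#010x} already identifies a channel")
        self.spi_to_channel[inbound_spi] = template
        self.legal_sources.add(template.client_ip)

    def forward(self, raw: bytes) -> tuple:
        """Classify one packet: ("forward", vm) or ("drop", reason)."""
        src_ip, spi = parse_esp_packet(raw)
        # Claim 5: the source address is checked before the SPI is looked up.
        if src_ip not in self.legal_sources:
            return ("drop", "illegal source address")
        if spi is None:
            return ("drop", "not an ESP packet")
        chan = self.spi_to_channel.get(spi)
        if chan is None:
            return ("drop", "unknown SPI")
        # Extra sanity check: the SPI must belong to the client that sent the packet.
        if chan.client_ip != src_ip:
            return ("drop", "SPI not negotiated with this source")
        return ("forward", self.tenant_to_vm[chan.tenant_id])


def parse_esp_packet(raw: bytes):
    """Return (source IP, SPI) from an IPv4/ESP packet; SPI is None when not ESP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    src_ip = str(ipaddress.IPv4Address(raw[12:16]))
    if raw[9] != ESP_PROTOCOL:
        return src_ip, None
    esp = raw[ihl:]
    if len(esp) < 8:
        raise ValueError("truncated ESP header")
    spi, _seq = struct.unpack("!II", esp[:8])  # SPI, then sequence number
    return src_ip, spi


def build_esp_packet(src: str, dst: str, spi: int, seq: int = 1,
                     payload: bytes = b"\x00" * 16) -> bytes:
    """Construct a minimal IPv4+ESP packet (constructed sample input; checksum left zero)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTOCOL, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!II", spi, seq) + payload


def build_demo_service_point() -> ServicePoint:
    """Two tenants with one channel each (constructed addresses and SPIs)."""
    sp = ServicePoint(tenant_to_vm={"tenant-a": "vm-tenant-a", "tenant-b": "vm-tenant-b"})
    sp.establish_channel(ChannelTemplate("203.0.113.10", "tenant-a"), inbound_spi=0x00001001)
    sp.establish_channel(ChannelTemplate("203.0.113.20", "tenant-b"), inbound_spi=0x00002002)
    return sp


if __name__ == "__main__":
    sp = build_demo_service_point()
    gw = "198.51.100.1"  # the service providing point's tunnel endpoint (constructed)
    print(sp.forward(build_esp_packet("203.0.113.10", gw, 0x1001)))  # ('forward', 'vm-tenant-a')
    print(sp.forward(build_esp_packet("203.0.113.99", gw, 0x1001)))  # ('drop', 'illegal source address')
    print(sp.forward(build_esp_packet("203.0.113.10", gw, 0xDEAD)))  # ('drop', 'unknown SPI')
```

The SPI is only unique per receiving endpoint, which is why the map lives on the service providing point that chose the inbound SPIs; a single SPI space shared by several endpoints would not satisfy the "uniquely identifies the VPN channel" requirement. The extra SPI-to-source binding is not in the claims: in a real IPsec stack the ESP integrity check would reject a packet whose SPI does not match the sender's SA, and this example, which does not decrypt or authenticate ESP, substitutes that cheap consistency check so that a packet cannot be steered to another tenant's virtual machine merely by carrying that tenant's SPI.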
CN201910625856.0A 2019-07-11 2019-07-11 Data forwarding method and data forwarding device based on tenant information Active CN112217771B (en)


Publications (2)

Publication Number Publication Date
CN112217771A (en) 2021-01-12
CN112217771B (en) 2022-08-23

Family

ID=74048119


Country Status (1)

Country Link
CN (1) CN112217771B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: Qianxin Technology Group Co.,Ltd.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: Qianxin Technology Group Co.,Ltd.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant