CN112333209B - Resource transmission method and device with boundary protection function - Google Patents


Info

Publication number
CN112333209B
Authority
CN
China
Prior art keywords
video
network
signaling
data
communication object
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110001069.6A
Other languages
Chinese (zh)
Other versions
CN112333209A (en)
Inventor
杨春晖
韩杰
王艳辉
陆宏成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hainan Shilian Communication Technology Co ltd
Original Assignee
Visionvera Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Visionvera Information Technology Co Ltd
Priority to CN202110001069.6A
Publication of CN112333209A
Application granted
Publication of CN112333209B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/08 Protocols for interworking; Protocol conversion

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a resource transmission method and a device with a boundary protection function, wherein the method comprises the following steps: if the data comprises the signaling of the IP protocol, converting the signaling into the signaling of the video networking protocol, encrypting the signaling, transmitting the encrypted signaling in the video networking, decrypting the signaling through other border gateways of the video networking, converting the decrypted signaling into the signaling of the IP protocol, and then transmitting the signaling to a second communication object; if the data comprises the audio and video data of the IP protocol, converting the audio and video data into the audio and video data of a preset format, packaging the audio and video data into the audio and video data of the video networking protocol, transmitting the audio and video data in the video networking, converting the audio and video data into the audio and video data of the IP protocol through other boundary gateways of the video networking, and transmitting the audio and video data to the second communication object. The multiple gateways and the characteristics of the video network are applied, so that data cannot be intercepted and analyzed in the real-time data transmission process, and the safety of the network and the link safety of data transmission are protected through the border gateway.

Description

Resource transmission method and device with boundary protection function
Technical Field
The present invention relates to the field of video networking technologies, and in particular, to a resource transmission method with a boundary protection function and a resource transmission device with a boundary protection function.
Background
With the development of communication and network technology, the transmission of all kinds of data resources increasingly depends on the network for safe, reliable and efficient operation; that is, the security of the network directly determines the security of the data resources transmitted over it.
In the prior art, boundary protection technology is usually adopted to protect the transmission of data resources between heterogeneous networks, and the existing boundary protection technologies include firewall technology, multiple security gateway technology, gatekeeper technology and the like. These technologies protect the network boundary when the data resources are not real-time, but they do not solve the video stalling, screen corruption ("screen splash") and large delay caused by real-time ultra-high-definition and high-definition video transmission, and so they are not well suited to protecting data resources transmitted in real time between heterogeneous networks.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a resource transmission method with a boundary protection function and a corresponding resource transmission apparatus with a boundary protection function, which overcome or at least partially solve the above problems.
In order to solve the above problem, an embodiment of the present invention discloses a resource transmission method with a boundary protection function, where the method is applied to a situation where data is transmitted between a first communication object and a second communication object in an IP network through a video network, where the first communication object and the second communication object both have registered video network virtual numbers, and the method includes:
when data requested to be transmitted to a second communication object by the first communication object is received, if the data is determined to comprise a first signaling of an IP protocol, converting the first signaling into a second signaling of a video networking protocol and encrypting the second signaling, transmitting the encrypted second signaling in the video networking, decrypting the second signaling through other border gateways of the video networking, converting the second signaling into the first signaling of the IP protocol, and then transmitting the first signaling to the second communication object;
if the data comprises first audio and video data of an IP protocol, converting the first audio and video data into audio and video data of a preset format, packaging the audio and video data into second audio and video data of a video networking protocol, transmitting the second audio and video data in the video networking, converting the second audio and video data into the first audio and video data of the IP protocol through other boundary gateways of the video networking, and transmitting the first audio and video data to the second communication object.
The embodiment of the invention also discloses a resource transmission device with a boundary protection function, which is applied to the case where data is transmitted between a first communication object and a second communication object in an IP network through the video network, wherein the first communication object and the second communication object both have registered video network virtual numbers; the device is applied to a border gateway of the video network and comprises:
a signaling transmission module, configured to, when data requested by the first communication object to be transmitted to a second communication object is received, and it is determined that the data includes first signaling of an IP protocol, convert the first signaling into second signaling of the video networking protocol and encrypt the second signaling, transmit the encrypted second signaling in the video network, decrypt the second signaling through another border gateway of the video network, convert the second signaling into the first signaling of the IP protocol, and send the first signaling to the second communication object;
and the audio and video data transmission module is used for converting the first audio and video data into audio and video data in a preset format if the data comprises first audio and video data of an IP protocol, packaging the audio and video data into second audio and video data of a video networking protocol, transmitting the second audio and video data in the video networking, converting the second audio and video data into the first audio and video data of the IP protocol through other boundary gateways of the video networking, and transmitting the first audio and video data to the second communication object.
The embodiment of the invention also discloses a resource transmission device with a boundary protection function, which comprises: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the apparatus to perform any of the resource transmission methods with a boundary protection function.
The embodiment of the invention also discloses a computer readable storage medium, and a stored computer program enables a processor to execute any resource transmission method with the boundary protection function.
The embodiment of the invention has the following advantages:
The embodiment of the invention is applied to the case where a first communication object and a second communication object in mutually isolated IP networks transmit data through the video network: the border gateway of the video network can process the data that the first communication object requests to transmit to the second communication object and then transmit it in the video network, and another border gateway of the video network sends the received data to the second communication object, thereby realizing data transmission between the mutually isolated first and second communication objects. Encrypted transmission of signaling between mutually isolated networks can be realized through the video network, so that the transmitted link resource data packets are protected by encryption against tampering, and the security of the network and the link security of the data transmission are protected through the border gateway.
Drawings
FIG. 1 is a flowchart illustrating the steps of a method for transmitting resources with boundary protection according to the present invention;
FIG. 2 is a flowchart illustrating steps of another method for transmitting resources with boundary protection according to the present invention;
FIG. 3 is a diagram of an application scenario of resource transmission with a boundary protection function according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an exemplary resource transmission with boundary protection function according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a resource transmission apparatus with a boundary protection function according to the present invention;
FIG. 6 is a networking schematic of a video network of the present invention;
FIG. 7 is a diagram of a hardware architecture of a node server according to the present invention;
FIG. 8 is a schematic diagram of a hardware architecture of an access switch according to the present invention;
FIG. 9 is a schematic diagram of a hardware structure of an ethernet protocol conversion gateway according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
For data transmission between mutually isolated heterogeneous networks, the existing boundary protection technologies include firewall technology, multiple security gateway technology and gatekeeper technology. A firewall sets up a "city gate" for the network and thereby controls the necessary channel through which data enters the network, but it cannot identify the application layer, that is, it cannot intercept viruses or trojans hidden inside an application. Multiple security gateway technology adds several gateways with security protection functions, but these gateways only act as checkpoints and cannot control other networks within the network. Gatekeeper technology achieves service interconnection mainly by ferrying service data through a buffer zone, so the heterogeneous networks are not connected and the risk of disconnection is low in principle, but data simplicity cannot be guaranteed; in particular, when gatekeepers face different levels of network security requirements, non-real-time data services are unaffected, but real-time data transmission brings many problems.
It should be noted that, in the process of resource transmission based on the video network, the video network server, the video network border gateway server, and the video network virtual number may be involved.
The video network is an entity network which is different from the existing internet and has a tree structure formed by dividing regions; the video network server can be an independently developed video network controller, can integrate the functions of video network audio and video forwarding, set-top box control, registration and the like, and is provided with a distribution installation machine box type and portable server.
A video network virtual number may be a number with a length of 20 bits whose device number is used to locate a device in a video network service; it is usually associated with a user of the video network. When a user's device is replaced because of a failure, the original device number can be bound to the new device without changing the device number.
The video network border gateway server can be a device for converting an IP protocol and a video network protocol, can convert video and audio resources in a heterogeneous network, and can meet the requirement of the device in the video network on management and calling of the video and audio resources after conversion.
Referring to fig. 1, a flowchart illustrating steps of a resource transmission method with a boundary protection function according to the present invention is shown, and is applied to a border gateway of a video network, which may specifically include the following steps:
step 101, when receiving data requested by a first communication object to be transmitted to a second communication object, if the data includes a first signaling of an IP protocol, converting the first signaling into a second signaling of a video networking protocol and encrypting the second signaling, transmitting the encrypted second signaling in the video networking, decrypting the second signaling through other border gateways of the video networking, converting the second signaling into the first signaling of the IP protocol, and then transmitting the first signaling to the second communication object;
in the embodiment of the present invention, the method and the device can be applied to the case of transmitting data between a first communication object in an IP network and a second communication object in a second IP network through a video network, where the first communication object and the second communication object both have registered video network virtual numbers, that is, the first communication object and the second communication object both have the capability of accessing the video network.
In one embodiment of the present invention, data between heterogeneous networks (e.g., a first IP network and a second IP network that are isolated from each other) can be transmitted based on a video network architecture with boundary protection. The IP networks may then include the first IP network and the second IP network, which are isolated from each other, and a border gateway may receive data that one or more first communication objects request to send, so as to process the received data according to the characteristics of the video network.
Upon receiving data requested by a first communication object for transmission to a second communication object, the border gateway may perform different processing according to different objects included in the received data. Specifically, it may be determined first whether the received data includes signaling and/or audio-video data.
In one case, the received data includes signaling of IP protocol, such as request signaling, response signaling, etc., when the protocol of the data packet can be converted according to the video networking protocol for the purpose of enabling the signaling to be transmitted in the video networking, so as to convert the data packet according to the IP network protocol into the data packet according to the video networking protocol; in order to ensure the security in the transmission process in the video network, the signaling contained in the data can be encrypted. And decrypting the encrypted signaling through the border gateways of other video networks and sending the decrypted signaling to the second communication object. The method specifically comprises the steps of converting a received first signaling which is requested to be transmitted by a first communication object into a second signaling of a video networking protocol, encrypting the second signaling, transmitting the encrypted second signaling in the video networking, decrypting the second signaling through other border gateways of the video networking, converting the second signaling into the first signaling of an IP protocol, and then transmitting the first signaling to a second communication object.
The encryption processing may use an asymmetric mode or a symmetric mode. In the asymmetric mode there is a key pair consisting of a public key and a private key: the private key is used to sign and the public key to verify the signature, and the public key is used to encrypt and the private key to decrypt. In the symmetric mode the sender and the receiver share one and only one secret key, which is used for both encryption and decryption. The embodiment of the present invention does not limit the encryption processing mode.
Step 102, if the data is determined to include first audio/video data of an IP protocol, converting the first audio/video data into audio/video data of a preset format, packaging the audio/video data into second audio/video data of a video networking protocol, transmitting the second audio/video data in the video networking, converting the second audio/video data into the first audio/video data of the IP protocol through other boundary gateways of the video networking, and then sending the first audio/video data to a second communication object.
The border gateway can perform different processing according to different objects contained in the received data, and in another case, the received data includes audio and video data of an IP protocol, it can be first judged whether the audio and video data conforms to a preset format, and if so, protocol conversion can be performed on the audio and video data according to a video networking protocol so as to convert the audio and video data according to the IP network protocol into the video networking data conforming to the video networking protocol.
And after receiving the video networking data, the video networking data can be subjected to protocol conversion through other video networking boundary gateways, converted into an IP protocol, and transmitted to a second communication object, so that the data transmission of the third-party IP network which is mutually isolated through the video networking can be realized.
The method specifically comprises the steps of converting received first audio and video data requested to be transmitted by a first communication object into audio and video data in a preset format, packaging the audio and video data into second audio and video data of a video networking protocol, transmitting the second audio and video data in the video networking, converting the second audio and video data into first audio and video data of an IP protocol through other boundary gateways of the video networking, and transmitting the first audio and video data to a second communication object. In a preferred embodiment, the networking architecture of the video network with the boundary protection may be a networking architecture including at least one boundary gateway of the video network and the video network, wherein at least one IP network may perform data transmission through the networking architecture of the video network, a plurality of IP networks are isolated from each other, that is, a plurality of communication objects cannot communicate with each other, and a plurality of boundary gateways may be boundary gateways that perform one-to-one correspondence with a plurality of communication objects.
It should be noted that, in this embodiment of the present invention, there may be a border gateway connected to at least one first communication object, and another border gateway connected to at least one second communication object, where if the first communication object is a sender of resource data, after performing protocol conversion on the resource data sent by the first communication object and performing encryption processing on signaling included in the resource data, the border gateway may transmit the resource data to another border gateway connected to the second communication object based on a video network, so that the another border gateway connected to the second communication object may decrypt the signaling after the encryption processing, and transmit the decrypted signaling and audio/video data to the second communication object, thereby implementing calling of the second communication object on the resource of the first communication object.
In practical applications, the first communication object or the second communication object connected to a border gateway in the above process may be both used as a sender of resource data and a receiver of resource data. The embodiments of the present invention are not limited thereto.
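As an added illustration of steps 101 and 102 (this is example code, not code from the patent or its assignee), the following Go program models two border gateways that share one symmetric key, which is the symmetric mode the description allows. The IPPacket and VNFrame layouts, the "VN-SIG:" and "VN-AV:" headers, the preset-format list and the choice of AES-GCM are all this example's own assumptions; the patent specifies neither a cipher nor a frame format. Signaling is converted, encrypted and authenticated, so the receiving gateway rejects a frame whose body or type was altered in transit, which is the tamper protection the advantages section claims; audio/video is only checked against the preset formats and repackaged, matching the description's unencrypted audio/video path.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type Kind byte // selects the step 101 (signaling) or step 102 (audio/video) path

const (
	Signaling  Kind = 1
	AudioVideo Kind = 2
)

// IPPacket is the IP-protocol data a first communication object asks to send (constructed shape).
type IPPacket struct {
	Kind    Kind
	Format  string // audio/video format such as "h264"; empty for signaling
	Payload []byte
}

// VNFrame is the video-network protocol frame (hypothetical layout; signaling body = nonce || AES-GCM ciphertext).
type VNFrame struct {
	Type Kind
	Body []byte
}

var presetFormats = map[string]bool{"h264": true, "aac": true} // constructed preset-format list
var sigPrefix = []byte("VN-SIG:")                                // hypothetical video-network signaling header

// Gateway is one border gateway; both gateways hold the same symmetric key (the page's symmetric mode).
type Gateway struct{ aead cipher.AEAD }

func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead: aead}, err
}

// Outbound (sending gateway): repackage preset-format audio/video unencrypted, or convert signaling and encrypt it.
func (g *Gateway) Outbound(p IPPacket) (VNFrame, error) {
	if p.Kind == AudioVideo {
		if !presetFormats[p.Format] {
			return VNFrame{}, fmt.Errorf("format %q is not a preset format", p.Format)
		}
		return VNFrame{Type: AudioVideo, Body: append([]byte("VN-AV:"+p.Format+":"), p.Payload...)}, nil
	}
	vnSig := append(append([]byte{}, sigPrefix...), p.Payload...) // IP signaling -> video-network signaling
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return VNFrame{}, err
	}
	sealed := g.aead.Seal(nil, nonce, vnSig, []byte{byte(Signaling)}) // frame type bound as AAD
	return VNFrame{Type: Signaling, Body: append(nonce, sealed...)}, nil
}

// Inbound (receiving gateway): unpack audio/video, or decrypt signaling, rejecting any altered frame.
func (g *Gateway) Inbound(f VNFrame) (IPPacket, error) {
	if f.Type == AudioVideo {
		parts := bytes.SplitN(f.Body, []byte(":"), 3)
		if len(parts) != 3 || string(parts[0]) != "VN-AV" {
			return IPPacket{}, errors.New("bad video-network audio/video header")
		}
		return IPPacket{Kind: AudioVideo, Format: string(parts[1]), Payload: parts[2]}, nil
	}
	ns := g.aead.NonceSize()
	if len(f.Body) < ns {
		return IPPacket{}, errors.New("signaling frame too short")
	}
	plain, err := g.aead.Open(nil, f.Body[:ns], f.Body[ns:], []byte{byte(f.Type)})
	if err != nil {
		return IPPacket{}, fmt.Errorf("signaling rejected: %w", err)
	}
	if !bytes.HasPrefix(plain, sigPrefix) {
		return IPPacket{}, errors.New("bad video-network signaling header")
	}
	return IPPacket{Kind: Signaling, Payload: plain[len(sigPrefix):]}, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; the described system obtains it from the key management server
	rand.Read(key)
	a, _ := NewGateway(key)
	b, _ := NewGateway(key)
	frame, _ := a.Outbound(IPPacket{Kind: Signaling, Payload: []byte("INVITE 1001")})
	out, err := b.Inbound(frame)
	fmt.Printf("signaling delivered: %q (err=%v)\n", out.Payload, err)
	frame.Body[len(frame.Body)-1] ^= 0x01 // one bit altered in transit
	_, err = b.Inbound(frame)
	fmt.Println("altered signaling:", err)
}
```

The checks worth keeping in a real gateway are the ones main exercises: a flipped ciphertext byte or a changed frame type must fail at Open rather than reach the second communication object, and an audio/video packet in a non-preset format must be refused before it is repackaged.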
In an alternative embodiment of the present invention, there may be a first border gateway connected to the first IP network and a second border gateway connected to the second IP network, so as to implement resource data transmission between the mutually isolated first IP network and second IP network, specifically between the first communication object in the first IP network and the second communication object in the second IP network, based on a network architecture of first IP network, first border gateway, video network, second border gateway, second IP network, or of second IP network, second border gateway, video network, first border gateway, first IP network.
It should be noted that the first border gateway and the second border gateway may ensure that only the gateway service is run through the pre-written daemon program, that is, other service processes are closed, and only the gateway service for accessing the video network and performing the identity verification on the first communication object and the second communication object is run, so that the application layer does not need to be identified.
Referring to fig. 2, a flowchart illustrating steps of another resource transmission method with a border protection function in the embodiment of the present invention is shown, where the video network includes a border gateway, and specifically includes the following steps:
step 201, connecting a first communication object and a second communication object which are isolated from each other to a video network;
the service calls between the first communication object and the second communication object are isolated from each other in corresponding network areas, and both cannot penetrate through the inside of the video network or directly transmit through the video network, so that data transmission is performed based on a network structure of a first border gateway, the video network and a second border gateway, the first communication object and the second communication object which are isolated from each other need to be connected to the video network, and particularly, the third-party IP network can be connected to the video network through the first border gateway and the second border gateway.
In one embodiment of the present invention, step 201 may include the following sub-steps:
substep S11, obtaining a white list through a border gateway of the video network, and judging whether the first communication object and the second communication object are legal or not according to the white list;
In one embodiment of the invention, the legality of a first communication object in a first IP network that initiates a request may be checked by a first border gateway, and the legality of the requested second communication object in a second IP network may be checked by a second border gateway.
In the process of connecting the communication object of the third-party IP network to the video network, the border gateway can carry out legal verification on the identity of the communication object of the third-party IP network. Specifically, the first border gateway and the second border gateway may respectively obtain a white list, and simultaneously determine whether the first communication object and the second communication object that are connected to the first border gateway and the second border gateway are legal according to the white list, which may be expressed as performing identity detection on the first communication object and the second communication object, so as to perform identity legal detection, so that only an access device with a legal identity can perform a service (e.g., a video conference, a video phone, video monitoring, etc.), thereby implementing protection against an illegal service performed by an illegal access device. The communication object accessing the IP network may be an entity device or a virtual network device, which is not limited in the embodiments of the present invention.
In practical application, the border gateway (including the first border gateway and the second border gateway) may have a white list module, where the white list module may store information including network or specific network address information within an allowable range and information of the docking device and the platform whose identities are legal in advance, and at this time, the identities of the docking device and the platform related to the docking network in the white list may be verified, so as to ensure that the identities of the docking device or the platform related to the two docking networks are legal.
Substep S12, if the first communication object and the second communication object are legal, respectively obtaining the registered first video network virtual number and the registered second video network virtual number which are pre-allocated to the first communication object and the second communication object through the border gateway of the video network;
the border gateway of the video network can perform service communication with the video network server by using the video network virtual number, namely when the video network virtual number needs to perform video network access, the border gateway can perform corresponding processing on the video network virtual number.
Specifically, if the first border gateway and the second border gateway respectively verify that the identities of the first communication object and the second communication object which are docked with the first border gateway are legal, the first communication object which initiates the request in the first IP network and the second communication object which requests in the second IP network can be allowed to be connected to the video network at this time. The first communication object can have a pre-allocated registered first video network virtual number, and the second communication object can have a pre-allocated registered second video network virtual number, so that the first video network virtual number and the second video network virtual number which need to be accessed to the network are processed through the first border gateway and the second border gateway respectively.
And a substep S13 of accessing the first communication object and the second communication object to the video network according to the first video network virtual number and the second video network virtual number respectively through the border gateway of the video network.
The video network may also include a network management server, which may be used to manage network access authentication: only a video network virtual number registered with the network management server is allowed to join the video network.
Specifically, the first border gateway and the second border gateway may respectively generate a first network access authentication application and a second network access authentication application carrying a first video network virtual number and a second video network virtual number, and send the first network access authentication application and the second network access authentication application to the network management server; the network management server can respond to the first network access authentication application and the second network access authentication application, and perform network access authentication on the virtual number of the video network carried in the network access authentication application, and if the network access authentication is successful, the network management server can generate network access success information and respectively send the network access success information to the first boundary gateway and the second boundary gateway; the first border gateway and the second border gateway can receive successful network access information sent by the network management server, and know that the first communication object and the second communication object are successfully accessed to the network, so that the first communication object and the second communication object which are accessed to the video network can subsequently transmit data through the video network.
The border gateway may also carry a random number while sending the network access authentication application to the network management server, to improve the security of data transmission. It should be noted that the random number may be a number, a letter, or a combination of numbers and letters; the form of the random number is not limited in the embodiments of the present invention.
In a preferred embodiment, the video network may further include a key management server, which may be used to generate key information for encryption and decryption, such as key information comprising a pair of a public key and a private key.
Where the identities of the first communication object initiating a request in a first IP network and the second communication object being requested in a second IP network are legal, the network management server can respond to the network access authentication application sent by a border gateway (comprising the first border gateway and the second border gateway) and at the same time acquire from the key management server the key information required by the IP network for subsequent signaling data transmission.
The border gateway (including the first border gateway and the second border gateway) may further receive key information sent by the key management server, and store the key information; the key information may be generated by the key management server in response to a key acquisition request sent by the network management server, and the key acquisition request may be generated by the network management server in response to a network access authentication application initiated by a border gateway of the video network.
Specifically, the network management server may generate a key acquisition request and a certificate acquisition request according to the network access authentication application, send the key acquisition request to the key management server, and send the certificate acquisition request to the certificate server, where the key management server may generate key information in response to the key acquisition request, and return the generated key information and the certificate sent by the certificate server to the border gateway, so that the border gateway may store the key information and the certificate, and may perform sending and receiving of encrypted data in subsequent service. The key information may carry a video networking key, a random number, a video networking broadcast key for encryption protection, and the like.
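As an added illustration (not code from the patent), the white-list check, virtual-number lookup and network-access authentication described above, modelled in Python with each party as an in-memory object. The message field names, the sample white list and virtual numbers, the random 128-bit key values and the placeholder certificate are all constructed assumptions; the patent defines no message format or key sizes.

```python
"""Constructed model of the network-access stage: border gateway -> network
management server -> key management server / certificate server -> gateway."""
import hashlib
import secrets
from dataclasses import dataclass, field


class KeyManagementServer:
    """Generates key information on request (assumption: two random 128-bit keys)."""
    def generate_key_info(self, random_number: str) -> dict:
        return {
            "video_network_key": secrets.token_bytes(16),
            "broadcast_key": secrets.token_bytes(16),
            "random_number": random_number,   # echoed so the gateway can check freshness
        }


class CertificateServer:
    """Placeholder certificate: an opaque digest bound to the virtual number."""
    def issue_certificate(self, virtual_number: str) -> bytes:
        return hashlib.sha256(b"cert:" + virtual_number.encode()).digest()


class NetworkManagementServer:
    """Authenticates only virtual numbers that were registered in advance."""
    def __init__(self, registered_numbers, kms: KeyManagementServer, cs: CertificateServer):
        self.registered = set(registered_numbers)
        self.kms, self.cs = kms, cs

    def handle_access_application(self, application: dict) -> dict:
        number = application["virtual_number"]
        if number not in self.registered:
            return {"status": "rejected"}
        key_info = self.kms.generate_key_info(application["random_number"])
        cert = self.cs.issue_certificate(number)
        return {"status": "ok", "key_info": key_info, "certificate": cert}


@dataclass
class BorderGateway:
    whitelist: set                      # docked IP networks allowed to request access
    number_table: dict                  # IP network id -> pre-allocated virtual number
    key_store: dict = field(default_factory=dict)

    def admit(self, ip_network_id: str, nms: NetworkManagementServer) -> bool:
        # White-list check on the docked IP network.
        if ip_network_id not in self.whitelist:
            return False
        # Look up the registered virtual number pre-allocated to that network.
        number = self.number_table.get(ip_network_id)
        if number is None:
            return False
        # Access application carries the virtual number and a fresh random number.
        application = {"virtual_number": number, "random_number": secrets.token_hex(8)}
        reply = nms.handle_access_application(application)
        if reply["status"] != "ok":
            return False
        # Reject key information that does not echo our random number (replay guard).
        if reply["key_info"]["random_number"] != application["random_number"]:
            return False
        # Cache key information and certificate for subsequent encrypted service.
        self.key_store[number] = reply
        return True
```

The gateway caches the key information per virtual number, which is what the later encryption and decryption steps consume; a rejected application leaves no key material behind.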
Step 202, the first border gateway processes the resource data sent by the first communication object;
in an embodiment of the present invention, after the first communication object initiating the request in the first IP network and the second communication object being requested in the second IP network have successfully accessed the video network through the first border gateway and the second border gateway, when the first communication object acts as the sender of the resource data and the second communication object as its receiver, the first border gateway may perform protocol conversion and encryption processing on the resource data received from the first communication object.
The first boundary gateway can perform protocol conversion on the received resource data according to a video networking protocol, wherein the resource data not only can comprise signaling of an IP protocol, but also can comprise audio and video data of the IP protocol, namely, the signaling contained in the resource data is subjected to protocol conversion respectively, and the audio and video data which are contained in the resource data and conform to a preset format are subjected to protocol conversion so as to be converted into the video networking protocol; and if the resource data does not contain the audio and video data or the contained audio and video data does not conform to the preset format, only converting the video networking protocol for the signaling of the IP protocol.
It should be noted that the preset format that the audio and video data needs to conform to may be a data packing format of a PS (Program Stream, which is an audio and video encapsulation format), that is, if the audio and video data cannot be analyzed according to the PS packing format, the audio and video data is discarded and is not processed and transmitted, and the preset format that the audio and video data needs to conform to may be a TS, an FLV, or the like, in addition to the above PS format, which is not limited in the embodiment of the present invention.
And the first border gateway may encrypt the signaling in the resource data according to pre-stored key information, where the pre-stored key information may include a video networking key, a random number, and a video networking broadcast key, and then the key information obtained for encryption at this time may be in the form of the video networking key and the random number, or in the form of the video networking broadcast key and the random number.
In a specific implementation, since the first communication object in the first IP network and the second communication object in the second IP network are isolated from each other and do not communicate directly, the resource data sent by the first communication object is intended for the second communication object, yet the destination address carried in its packets is not valid for reaching the second communication object. Converting the IP-protocol resource data to the video networking protocol may therefore take the form of a stripping operation on that address information: the destination IP address and similar information in the resource data is removed, only the information belonging to the data stream (for example service data and signaling data such as video data) is retained, and the data with the destination IP removed is converted for the video network so that the destination address information is replaced by a number address in the video network; the IP protocol header of the received resource data sent by the communication object is removed, and the resource data with the converted address information is encapsulated according to the video networking protocol header.
In one case, when only a single second communication object in the second IP network is requested as the receiver of the resource data, protocol conversion of the resource data may first generate destination video networking number address information according to the second video networking virtual number previously assigned to the second communication object; the first border gateway may then convert the destination address information for the second communication object contained in the received resource data sent by the first communication object into the destination video networking number address information generated from the second video networking virtual number, and encapsulate the converted resource data according to the video networking protocol to obtain the first video networking resource data.
In this case, when the signaling in the data is encrypted according to the pre-stored key information, the video networking key in the pre-stored key information may be used as the key information, and specifically, the signaling converted into the video networking protocol may be encrypted according to the video networking key to obtain an encrypted first video networking resource packet; wherein only signaling other than the video networking protocol header is encrypted, i.e., the video networking protocol header is not encrypted.
In another case, when a plurality of second communication objects in the second IP network are requested as receivers of the resource data, protocol conversion of the resource data may first acquire the pre-allocated multicast address information corresponding to the plurality of second communication objects; the first border gateway may then convert the destination address information for the second communication objects contained in the received resource data sent by the first communication object into the multicast address information, obtaining the second video network resource data.
In this case, when the signaling is encrypted according to the pre-stored key information, the video network broadcast key in the pre-stored key information may be used as the key information, and specifically, the signaling may be encrypted according to the video network broadcast key.
It should be noted that the video networking protocol conversion process for converting the signaling data and the audio/video data in the resource data may be the same.
In a preferred embodiment, the first border gateway may distribute the audio/video data subjected to the protocol conversion and the encrypted signaling according to the video networking key or the video networking broadcast key, and may specifically distribute the audio/video data and the encrypted signaling in a video networking addressing communication manner, that is, according to destination video networking number address information or multicast address information, and transmit the audio/video data and the encrypted signaling to the second border gateway in docking with the second communication object based on the video networking. It should be noted that, when calling an extranet resource (which may refer to a resource data sent by a first communication object) for an intranet (which may refer to a second communication object), an external network structure docked by a gateway cannot be perceived, that is, the second communication object cannot perceive the video network, thereby ensuring the security in the video network.
And step 203, the second border gateway processes the processed resource data and transmits the processed resource data to the second communication object.
The first border gateway transmits to the second border gateway, based on the video network, the audio and video data converted to the video networking protocol together with the signaling that has been converted to the video networking protocol and encrypted. That is, the signaling transmitted in the video network is encrypted data and the audio and video data transmitted in the video network is video network audio and video data. The signaling of the resource data called by the second communication object is therefore encrypted and encapsulated according to the video networking protocol, so the second border gateway must decrypt the encrypted signaling and perform IP protocol conversion on the video network signaling data; and the audio and video data of the resource data called by the second communication object are encapsulated according to the video networking protocol, so the second border gateway must likewise perform IP protocol conversion on the video network audio and video data.
In an embodiment of the present invention, when receiving the encrypted signaling sent by the first border gateway, the second border gateway may decrypt the encrypted signaling according to the pre-stored encryption information, and transmit the decrypted signaling and the protocol-converted audio/video data to the second communication object of the second IP network.
Specifically, since the encrypted signaling received by the second border gateway may be encrypted according to the video networking key or the video networking broadcast key, the encrypted signaling may be decrypted by using the video networking key and/or the video networking broadcast key. And when receiving the resource data converted by the first border gateway aiming at the video networking protocol, the second border gateway can convert the resource data of the video networking protocol into the IP protocol according to the video networking destination information of the second video networking virtual number pre-allocated to the second communication object and the destination IP network address of the second IP network of the second communication object, remove the video networking protocol header in the resource data and encapsulate the resource data after the address information conversion according to the IP protocol header. It should be noted that, the IP protocol conversion process for the video networking signaling data and the video networking audio/video data in the video networking resource data may be the same.
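The following added example (not the patent's code) models step 202 and step 203 together: the first border gateway strips the IP addressing, re-addresses the packet to a video networking number (single receiver, video networking key) or a multicast address (several receivers, video networking broadcast key), encrypts only the signaling body while leaving the video networking protocol header in the clear, and the second border gateway reverses the process. The header layout, the address strings, the sample IP addresses and the HMAC-SHA256 counter-mode cipher with an authentication tag are constructed stand-ins; the patent does not specify a packet format or a cipher.

```python
"""Constructed model of border-gateway protocol conversion and signaling encryption."""
import hashlib
import hmac
import os
import struct

KIND_SIGNALING, KIND_AV = 1, 2
HDR = struct.Struct("!2sB8sB")   # magic, kind, video networking address, encrypted flag


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the unspecified cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt_body(key, header, body):
    """Encrypt-then-MAC: header stays readable for addressing but is bound by the tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    tag = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_body(key, header, blob):
    if len(blob) < 44:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None                     # wrong key or modified in transit
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FirstBorderGateway:
    """Step 202: strip IP addressing, re-address, encrypt signaling only."""
    def __init__(self, key_info, number_of, multicast_of):
        self.key_info = key_info          # {"video_network_key": .., "broadcast_key": ..}
        self.number_of = number_of        # destination IP -> pre-allocated virtual number
        self.multicast_of = multicast_of  # frozenset of destination IPs -> multicast address

    def to_video_network(self, ip_packet):
        dsts = frozenset(ip_packet["dst_ips"])
        if len(dsts) == 1:                # single receiver: number address, video networking key
            address = self.number_of[next(iter(dsts))]
            key = self.key_info["video_network_key"]
        else:                             # several receivers: multicast address, broadcast key
            address = self.multicast_of[dsts]
            key = self.key_info["broadcast_key"]
        encrypted = ip_packet["kind"] == KIND_SIGNALING
        # The IP header (source and destination IP) is dropped; only the payload survives.
        header = HDR.pack(b"VN", ip_packet["kind"], address.encode().ljust(8, b"\0"), int(encrypted))
        body = ip_packet["payload"]
        if encrypted:
            body = encrypt_body(key, header, body)
        return header + body


class SecondBorderGateway:
    """Step 203: decrypt signaling, map the video networking address back to IP."""
    def __init__(self, key_info, ip_of, multicast_members, gateway_ip):
        self.key_info, self.ip_of = key_info, ip_of
        self.multicast_members = multicast_members
        self.gateway_ip = gateway_ip

    def to_ip(self, vn_packet):
        if len(vn_packet) < HDR.size:
            return None
        header, body = vn_packet[:HDR.size], vn_packet[HDR.size:]
        magic, kind, raw_addr, encrypted = HDR.unpack(header)
        address = raw_addr.rstrip(b"\0").decode(errors="replace")
        if magic != b"VN" or (kind == KIND_SIGNALING) != bool(encrypted):
            return None                   # signaling must arrive encrypted, A/V in the clear
        if address in self.multicast_members:
            dst_ips, key = self.multicast_members[address], self.key_info["broadcast_key"]
        elif address in self.ip_of:
            dst_ips, key = [self.ip_of[address]], self.key_info["video_network_key"]
        else:
            return None                   # unknown video networking address
        if encrypted:
            body = decrypt_body(key, header, body)
            if body is None:
                return None
        # The receiver only ever sees the gateway as source; the video network is not exposed.
        return {"src_ip": self.gateway_ip, "dst_ips": dst_ips, "kind": kind, "payload": body}
```

Two checks are worth keeping in any real implementation of this design: the receiving gateway rejects signaling that arrives without the encrypted flag, and the authentication tag covers the clear-text header so that a forwarded packet cannot be silently re-addressed.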
In the embodiment of the invention, the protocols of the data packets are converted by applying the multiple gateways and the characteristics of the video network, so that the encrypted transmission of the resource data packets between the networks which are isolated from each other through the video network is realized, and when the encrypted data packets are transmitted in real time, the data cannot be intercepted and analyzed in the real-time data transmission process, so that the safety of the transmitted resource data packets is ensured, and the safety of the network and the link safety of the data transmission are protected through the boundary gateway.
Referring to fig. 3, a diagram of an application scenario of resource transmission with a boundary protection function in an embodiment of the present invention is shown. It is mainly based on a network architecture with a boundary protection function and may involve an IP network (which may be any of several mutually isolated third-party IP networks), a border gateway interfacing with the third-party IP network, and the video network. The video network may contain a cryptographically communicating video network composed of a core server, an autonomous server, and a certificate server and key server for cryptographic communication, and the border gateway of the video network may contain firmware supporting a cryptographic module for number service communication of the video network.
In the data transmission process based on the visual networking, the following stages can exist: the third-party IP network accesses the video network and the third-party IP network data transmission stage.
In the stage of accessing the third-party IP network to the video network, the video network border gateway can ensure through a daemon program that the video network server runs only the gateway service; that is, IP address white list management can be performed through a white list module on the third-party IP networks docked with the border gateway, to protect against threats from a malicious IP network. At the same time, identity verification can be performed on the docked devices and platforms in the white list to ensure that the identity of a docked device or platform is legal; service is provided only if the identity is legal, realizing protection against illegal service.
The video network border gateway usually uses the video network virtual number for service communication. When the video network virtual number pre-allocated to the third-party IP network needs to access the video network, the video network border gateway can send a "fast access authentication request" instruction (for example, a network access authentication application) carrying the virtual number that needs to access the network, together with a random number, to the network management server or video network server. A key and a certificate can then be applied for from the key management server through the network management server, so that the key management server sends key information containing the applied key and certificate within the video network; the key information can carry a video network key, the random number and a video network broadcast key for encryption protection. The key information is then cached by the cipher module firmware of the border gateway so that encrypted data can be received and sent during subsequent service, completing the network access process of the third-party IP network.
In the third-party IP network data transmission stage, the video network border gateway may perform protocol analysis on the IP data packets exchanged with the accessed third-party IP network and convert the destination address carried in the IP packet, specifically removing information such as the destination IP address; it performs video network conversion on the data-stream-related information retained in the communication signaling packet so that the destination IP is converted into a number address in the video network, and then encapsulates and distributes the resource data packet as a video network packet using video network addressing communication.
At the same time, the signaling data contained in the data may be encrypted according to the video networking protocol, so that the signaling data transmitted in the video network, and the data called within the video network, are encrypted data that can only be used after decryption with the key information. The video network border gateway thus realizes protocol conversion for data exchange: it converts data from an IP network into the video network, or from the video network into an IP network, and encrypts the signaling data, providing data encryption protection at the protocol layer.
In a preferred embodiment, after the border gateway performs protocol conversion, encryption processing and decryption processing on different objects contained in the resource data sent by the third-party IP network, the resource data can be sent to other isolated third-party IP networks through the video networking border gateway, and the resource data after being converted according to the video networking protocol can be internally called by the video networking terminal inside the video networking, so that the video networking terminal can internally call the resource data accessed by the border gateway.
In the embodiment of the invention, the mutually isolated third-party IP networks may be IP networks of different security levels or of the same level. When a superior third-party network calls resource data in a subordinate third-party network, the data is provided to the superior third party only after protocol conversion, encryption of the signaling contained in the data, encrypted transmission and decryption have been completed within the video network. Network security is thus guaranteed by the video networking architecture with boundary protection, achieving network isolation and security protection when resource data is called between networks of high and low security levels.
Referring to fig. 4, a specific example diagram of resource transmission with a boundary protection function in the embodiment of the present invention is shown. The devices involved may include a first communication object accessing a first IP network, which may be an IP network third-party platform; a first border gateway, which may be a border sharing service system; a second border gateway, which may be a video network border access service system; and a second communication object accessing a second IP network, which may be a surveillance video device or a third-party platform. The first IP network and the second IP network are isolated from each other and do not communicate with each other.
The embodiment of the invention can be applied to the IP network third-party platform to watch the monitoring video equipment or the scenes monitored by the third-party platform. Suppose that both the IP network third party platform and the surveillance video device or the third party platform pass identity legitimacy detection and both successfully access the video network.
When the border sharing service system receives signaling from the IP network third-party platform for watching a monitoring video, it may search for the corresponding monitoring resource through the device information carried in the signaling and call the video. Specifically, the signaling may be request signaling; video networking protocol conversion and encryption processing may be performed on the request signaling, which is decrypted by the video network border access service system and then sent, as decrypted request signaling, to the monitoring video device or the third-party platform.
When the monitoring data to be watched is successfully called, the video network border access service system can parse the video and audio data from the receiving device according to the video packaging format; if the video and audio data do not conform to the data packaging format, parsing fails and the data is discarded. When parsing succeeds, the parsed bare data is encapsulated according to the video networking audio and video encapsulation format and sent to the border sharing service system, which performs IP format conversion on the video network audio and video and sends it to the IP network third-party platform. It should be noted that the third-party IP scheduling platform cannot perceive the IP information of the access gateway and can only obtain the video stream.
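As an added example (not code from the patent), a checker for the PS (MPEG-2 Program Stream) packing format that serves both the "preset format" note in step 202 and the parse-or-discard step just described: audio/video data that does not parse as a PS pack is rejected so that disguised or malformed data is discarded, and otherwise the bare elementary-stream payloads are returned for re-encapsulation. The start codes, pack-header marker bits and stream-id ranges are taken from the MPEG-2 PS format; the sample packet and the helper that builds it are constructed for the example.

```python
"""Constructed PS (MPEG-2 Program Stream) validity check and bare-data extraction."""

PACK_START = b"\x00\x00\x01\xba"   # pack_start_code


def parse_ps(data: bytes):
    """Return [(kind, payload), ...] for one PS pack, or None if the data is not valid PS."""
    if len(data) < 14 or data[:4] != PACK_START:
        return None
    if data[4] & 0xC0 != 0x40:          # '01' marker bits of an MPEG-2 pack header
        return None
    off = 14 + (data[13] & 0x07)        # skip pack header plus pack_stuffing_length bytes
    out = []
    while off + 6 <= len(data):
        if data[off:off + 3] != b"\x00\x00\x01":
            return None                 # every packet must start with a start code prefix
        sid = data[off + 3]
        if sid == 0xBA:                 # next pack begins: stop at the pack boundary
            break
        plen = int.from_bytes(data[off + 4:off + 6], "big")
        end = off + 6 + plen
        if end > len(data):
            return None                 # truncated packet
        if 0xC0 <= sid <= 0xDF or 0xE0 <= sid <= 0xEF:   # audio / video PES
            if plen < 3 or data[off + 6] & 0xC0 != 0x80:
                return None             # MPEG-2 PES header must carry the '10' marker
            start = off + 9 + data[off + 8]   # PES_header_data_length
            if start > end:
                return None
            out.append(("audio" if sid <= 0xDF else "video", data[start:end]))
        # Other ids (system header 0xBB, PSM 0xBC, padding 0xBE, ...) are skipped.
        off = end
    if off != len(data):
        return None                     # trailing bytes that are not a packet
    return out


def build_pes(stream_id: int, payload: bytes) -> bytes:
    """Constructed minimal MPEG-2 PES packet without PTS/DTS, used for the sample only."""
    body = b"\x80\x00\x00" + payload    # '10' marker, no flags, header_data_length 0
    return b"\x00\x00\x01" + bytes([stream_id]) + len(body).to_bytes(2, "big") + body


# Constructed pack header (MPEG-2 marker bits set, stuffing length 0).
SAMPLE_PACK_HEADER = PACK_START + bytes([0x44, 0, 4, 0, 4, 1, 1, 0x89, 0xC3, 0xF8])
SAMPLE_PS = (SAMPLE_PACK_HEADER
             + build_pes(0xE0, b"\x00\x00\x00\x01\x67frame")
             + build_pes(0xC0, b"aac"))


def accept_av(data: bytes) -> bool:
    """Gateway policy: forward only data that parses as PS, discard everything else."""
    return parse_ps(data) is not None
```

A gateway applying this check forwards the extracted payloads and drops anything that fails, including data that starts correctly but is cut short, which is the case a naive start-code check would miss.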
In an optional embodiment, the video networking boundary access service system can further perform data encapsulation on the analyzed bare data according to a video networking audio/video encapsulation format, and send the bare data to a video networking core server, so that a video networking user can watch a monitoring video.
In the embodiment of the invention, the video network border access gateway can process data according to the video and audio packaging format, if disguised or other illegal data exist, the data are discarded, the video data are not encrypted, and the border sharing service gateway packages the IP data packet of the video data and provides the IP scheduling platform of a third party; however, all other scheduling signaling needs to implement encrypted transmission in the video network to ensure encrypted transmission of data in the video network and ensure security of audio and video data sent to the video network.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Referring to fig. 5, a schematic structural diagram of a resource transmission apparatus with a boundary protection function in an embodiment of the present invention is shown, where the apparatus is applied to a case where data is transmitted between a first communication object and a second communication object in an IP network through a video network, where the first communication object and the second communication object both have registered video network virtual numbers, and the method is applied to a boundary gateway of the video network, and specifically may include the following modules:
a signaling transmission module 501, configured to, when receiving data requested by the first communication object to be transmitted to a second communication object, and if it is determined that the data includes first signaling of an IP protocol, convert the first signaling into second signaling of the video networking protocol and encrypt the second signaling, transmit the encrypted second signaling in the video network, decrypt the second signaling through another border gateway of the video network, convert it into the first signaling of the IP protocol, and send the first signaling to the second communication object;
the audio and video data transmission module 502 is configured to, if it is determined that the data includes first audio and video data of an IP protocol, convert the first audio and video data into audio and video data of a preset format, encapsulate the first audio and video data into second audio and video data of a video networking protocol, transmit the second audio and video data in the video networking, convert the second audio and video data into the first audio and video data of the IP protocol through other border gateways of the video networking, and send the first audio and video data to the second communication object.
In an embodiment of the present invention, the signaling transmission module 501 may include the following sub-modules:
the destination video networking number address information generating submodule is used for generating destination video networking number address information according to the video networking virtual number which is pre-allocated to the second communication object;
and the second signaling generation sub-module is used for removing the IP protocol header contained in the first signaling, converting the first destination IP address information contained in the first signaling into destination video networking number address information, and encapsulating the converted first signaling according to the video networking protocol header to obtain a second signaling.
In an embodiment of the present invention, the signaling transmission module 501 may include the following sub-modules:
a second destination IP address information generation sub-module, configured to generate, by other border gateways of the video network, second destination IP address information for the second communication object according to a video network virtual number pre-assigned to the second communication object;
and the first signaling generation sub-module is used for removing the video networking protocol header contained in the second signaling, converting the destination video networking number address information contained in the second signaling into the second destination IP address information, and encapsulating the converted second signaling according to the IP protocol header to obtain the first signaling converted into the IP protocol.
In an embodiment of the present invention, the signaling transmission module 501 may include the following sub-modules:
the signaling encryption submodule is used for encrypting the second signaling according to pre-stored key information; the key information includes a video networking key and/or a video networking broadcast key.
In an embodiment of the present invention, the signaling transmission module 501 may include the following sub-modules:
the key information acquisition submodule is used for acquiring key information through other border gateways of the video network; the key information comprises a video networking key and/or a video networking broadcast key;
and the signaling decryption submodule is used for decrypting the second signaling by adopting the video networking key and/or the video networking broadcast key through other border gateways of the video network.
In an embodiment of the present invention, before receiving the data requested by the first communication object to be transmitted to the second communication object, the following modules may be further included:
the first legality judging module is used for acquiring a white list and judging whether the first communication object is legal or not according to the white list;
the first video networking virtual number acquisition module is used for acquiring a registered first video networking virtual number which is pre-allocated to the first communication object if the first communication object is legal;
and the first communication object access module is used for generating a first network access authentication request carrying the first video network virtual number, and accessing the first communication object into the video network according to the first network access authentication request so as to enable the first communication object accessed into the video network to subsequently transmit data through the video network.
In an embodiment of the present invention, before receiving the data requested by the first communication object to be transmitted to the second communication object, the following modules may be further included:
the second legality judging module is used for acquiring a white list through other border gateways of the video network and judging whether the second communication object is legal or not according to the white list;
a second video network virtual number obtaining module, configured to, if the second communication object is legal, obtain, through other border gateways of the video network, a registered second video network virtual number that is pre-assigned to the second communication object;
and the second communication object access module is used for generating a second network access authentication request carrying the second video network virtual number through other border gateways of the video network, and accessing the second communication object into the video network according to the second network access authentication request so as to enable the second communication object accessed into the video network to subsequently transmit data through the video network.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiment of the invention also provides a conference control device based on the video network, which comprises: one or more processors; and one or more machine-readable media having instructions stored thereon, which, when executed by the one or more processors, enable the apparatus to perform various processes for implementing the above-described resource transmission method with a boundary guard function, and achieve the same technical effects, which are not described herein again to avoid repetition.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when being executed by a processor, the computer program implements each process of the resource transmission method embodiment with the boundary protection function, and can achieve the same technical effect, and is not described herein again to avoid repetition.
The video networking is an important milestone for network development, is a real-time network, can realize high-definition video real-time transmission, and pushes a plurality of internet applications to high-definition video, and high-definition faces each other.
The video networking adopts a real-time high-definition video exchange technology, can integrate required services such as dozens of services of video, voice, pictures, characters, communication, data and the like on a system platform on a network platform, such as high-definition video conference, video monitoring, intelligent monitoring analysis, emergency command, digital broadcast television, delayed television, network teaching, live broadcast, VOD on demand, television mail, Personal Video Recorder (PVR), intranet (self-office) channels, intelligent video broadcast control, information distribution and the like, and realizes high-definition quality video broadcast through a television or a computer.
To better understand the embodiments of the present invention, the video network is described below.
Some of the technologies applied in video networking are as follows:
Network Technology
The network technology of video networking improves on traditional Ethernet in order to cope with the potentially enormous video traffic on the network. Unlike pure network Packet Switching or network Circuit Switching, video networking adopts packet switching to meet the streaming requirement. Video networking technology thus has the flexibility, simplicity and low cost of packet switching while also having the quality and security guarantees of circuit switching, realizing seamless connection of whole-network switched virtual circuits and a uniform data format.
Switching Technology
The video network adopts the two advantages of Ethernet, asynchrony and packet switching, and eliminates the defects of Ethernet on the premise of full compatibility. It has end-to-end seamless connection across the whole network, communicates directly with user terminals, and directly carries IP data packets; user data does not require any format conversion anywhere in the network. Video networking is a higher-level form of Ethernet: a real-time switching platform that can realize the whole-network, large-scale, real-time transmission of high-definition video that the existing Internet cannot, and that pushes many network video applications toward high definition and unification.
Server Technology
The server technology of the video networking and unified video platform differs from that of traditional servers: its streaming media transmission is connection-oriented, its data processing capacity is independent of traffic and communication time, and a single network layer can carry both signaling and data transmission. For voice and video services, streaming media processing on the video networking and unified video platform is far simpler than data processing, and efficiency is improved by more than a hundred times compared with a traditional server.
Storage Technology
To cope with media content of very large capacity and very large traffic, the ultra-high-speed storage technology of the unified video platform adopts a state-of-the-art real-time operating system. The program information in a server instruction is mapped to a specific hard disk space, so the media content no longer passes through the server but is sent directly and immediately to the user terminal; the typical waiting time of the user is less than 0.2 seconds. Optimized sector distribution greatly reduces the mechanical head-seeking motion of the hard disk: resource consumption is only 20% of that of an IP Internet of the same grade, yet concurrent traffic 3 times that of a traditional hard disk array is produced, and overall efficiency is improved by more than 10 times.
Network Security Technology
The structural design of the video network eliminates, at the structural level, the network security problems that trouble the Internet, by means such as independent permission control for every service and complete isolation of equipment and user data. It generally needs no antivirus programs or firewalls, avoids attacks by hackers and viruses, and provides users with a structurally worry-free secure network.
Service Innovation Technology
The unified video platform integrates services with transmission: whether for a single user, a private network user or an entire network, connection is a single automatic step. A user terminal, set-top box or PC connects directly to the unified video platform to obtain multimedia video services in various forms. The unified video platform uses menu-style configuration tables in place of traditional complex application programming, so complex applications can be realized with very little code, enabling unlimited new service innovation.
Networking of the video network is as follows:
The video network is a centrally controlled network structure. The network may be a tree network, a star network, a ring network and the like, but in every case the whole network is controlled by a centralized control node within it.
As shown in fig. 6, the video network is divided into an access network and a metropolitan network.
The devices of the access network part can be mainly classified into 3 types: node server, access switch, terminal (including various set-top boxes, coding boards, memories, etc.). The node server is connected to an access switch, which may be connected to a plurality of terminals and may be connected to an ethernet network.
The node server is a node which plays a centralized control function in the access network and can control the access switch and the terminal. The node server can be directly connected with the access switch or directly connected with the terminal.
Similarly, devices of the metropolitan network portion may also be classified into 3 types: a metropolitan area server, a node switch and a node server. The metro server is connected to a node switch, which may be connected to a plurality of node servers.
The node server here is the same node server as in the access network part; that is, the node server belongs to both the access network part and the metropolitan area network part.
The metropolitan area server is a node which plays a centralized control function in the metropolitan area network and can control a node switch and a node server. The metropolitan area server can be directly connected with the node switch or directly connected with the node server.
Therefore, the whole video network is a network structure with layered centralized control, and the network controlled by the node server and the metropolitan area server can be in various structures such as tree, star and ring.
The access network part can form a unified video platform (the part in the dotted circle), and a plurality of unified video platforms can form a video network; each unified video platform may be interconnected via metropolitan area and wide area video networking.
1. Video networking device classification
1.1 devices in the video network of the embodiment of the present invention can be mainly classified into 3 types: servers, switches (including ethernet gateways), terminals (including various set-top boxes, code boards, memories, etc.). The video network as a whole can be divided into a metropolitan area network (or national network, global network, etc.) and an access network.
1.2 wherein the devices of the access network part can be mainly classified into 3 types: node servers, access switches (including ethernet gateways), terminals (including various set-top boxes, code boards, memories, etc.).
The specific hardware structure of each access network device is as follows:
a node server:
as shown in fig. 7, it mainly includes a network interface module 701, a switching engine module 702, a CPU module 703 and a disk array module 704;
Packets from the network interface module 701, the CPU module 703 and the disk array module 704 enter the switching engine module 702. The switching engine module 702 looks up the address table 705 for each incoming packet to obtain the packet's direction information, and stores the packet in the corresponding queue of the packet buffer 706 according to that direction information; if that queue of the packet buffer 706 is nearly full, the packet is discarded. The switching engine module 702 polls all packet buffer queues and forwards from a queue if the following conditions are met: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero. The disk array module 704 mainly implements control over the hard disks, including initialization, read/write and other operations. The CPU module 703 is mainly responsible for protocol processing with the access switch and terminals (not shown in the figure), for configuring the address table 705 (including a downlink protocol packet address table, an uplink protocol packet address table and a data packet address table), and for configuring the disk array module 704.
The access switch:
as shown in fig. 8, the access switch mainly includes a network interface module (a downlink network interface module 801 and an uplink network interface module 802), a switching engine module 803 and a CPU module 804;
A packet (uplink data) arriving from the downlink network interface module 801 enters the packet detection module 805. The packet detection module 805 checks whether the packet's Destination Address (DA), Source Address (SA), packet type and packet length meet the requirements; if so, it allocates a corresponding stream identifier (stream-id) and the packet enters the switching engine module 803, otherwise the packet is discarded. A packet (downlink data) arriving from the uplink network interface module 802 enters the switching engine module 803 directly, as does a packet arriving from the CPU module 804. The switching engine module 803 looks up the address table 806 for each incoming packet to obtain the packet's direction information. If a packet entering the switching engine module 803 is going from the downlink network interface to the uplink network interface, it is stored in the queue of the packet buffer 807 associated with its stream-id; if it is not going from the downlink network interface to the uplink network interface, it is stored in the queue of the packet buffer 807 selected by its direction information. In either case, if that queue of the packet buffer 807 is nearly full, the packet is discarded.
The switching engine module 803 polls all packet buffer queues, which in this embodiment of the invention is divided into two cases:
if the queue is from the downlink network interface to the uplink network interface, the following conditions are met for forwarding: 1) the port send buffer is not full; 2) the queued packet counter is greater than zero; 3) obtaining a token generated by a code rate control module;
if the queue is not from the downlink network interface to the uplink network interface, the following conditions are met for forwarding: 1) the port send buffer is not full; 2) the queue packet counter is greater than zero.
The rate control module 808 is configured by the CPU module 804, and generates tokens for packet buffer queues from all downlink network interfaces to uplink network interfaces at programmable intervals to control the rate of uplink forwarding.
The CPU module 804 is mainly responsible for protocol processing with the node server, configuration of the address table 806, and configuration of the code rate control module 808.
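The forwarding rules above (packet detection, per-stream queuing for uplink traffic, near-full discard, and the three polling conditions including the rate-control token) can be exercised in a small simulation. The following is an added illustration, not code from the patent: the 8-byte DA/SA and the 64-byte and 1056-byte payload lengths follow the packet definition in section 2.1 below, while the type-byte values, queue depth, send-buffer size and tokens per interval are constructed assumptions.

```python
"""Simulation of the access-switch forwarding logic of fig. 8 (added example)."""
from collections import deque
import itertools

DOWNLINK, UPLINK, CPU = "downlink", "uplink", "cpu"
PROTOCOL_PACKET, UNICAST_PACKET = 0x00, 0x01   # assumed values of the DA type byte
ALLOWED_LENGTHS = {PROTOCOL_PACKET: 64, UNICAST_PACKET: 1056}   # section 2.1 payload sizes
QUEUE_DEPTH = 8          # packets at which a queue counts as "nearly full" (assumed)
PORT_SEND_LIMIT = 4      # capacity of each port's send buffer (assumed)


class Packet:
    def __init__(self, da, sa, ptype, payload_len, ingress, egress):
        self.da, self.sa, self.ptype, self.payload_len = da, sa, ptype, payload_len
        self.ingress, self.egress = ingress, egress   # egress = the "direction information"
        self.stream_id = None


class RateControl:
    """Code rate control module 808: refilled with tokens once per programmable interval."""
    def __init__(self, tokens_per_interval):
        self.tokens_per_interval = tokens_per_interval
        self.tokens = 0

    def tick(self):
        self.tokens = self.tokens_per_interval

    def take(self):
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


class AccessSwitch:
    def __init__(self, tokens_per_interval=2):
        self.queues = {}                       # (ingress, egress, stream-id) -> deque
        self.rate = RateControl(tokens_per_interval)
        self.send_buffers = {DOWNLINK: [], UPLINK: [], CPU: []}
        self.streams = {}                      # (DA, SA) -> stream-id
        self._ids = itertools.count(1)
        self.dropped = 0

    def packet_detect(self, pkt):
        """Packet detection module 805: DA, SA, type and length must meet the requirements."""
        if len(pkt.da) != 8 or len(pkt.sa) != 8:
            return False
        return ALLOWED_LENGTHS.get(pkt.ptype) == pkt.payload_len

    def ingest(self, pkt):
        """Queue a packet or discard it; returns True if it was queued."""
        if pkt.ingress == DOWNLINK:            # uplink data passes packet detection first
            if not self.packet_detect(pkt):
                self.dropped += 1
                return False
            flow = (pkt.da, pkt.sa)
            if flow not in self.streams:
                self.streams[flow] = next(self._ids)
            pkt.stream_id = self.streams[flow]
        # Downlink->uplink traffic is queued per stream-id; everything else per direction only.
        queue = self.queues.setdefault((pkt.ingress, pkt.egress, pkt.stream_id), deque())
        if len(queue) >= QUEUE_DEPTH:          # queue nearly full: discard
            self.dropped += 1
            return False
        queue.append(pkt)
        return True

    def poll(self):
        """One polling round over all packet buffer queues; returns the number forwarded."""
        forwarded = 0
        for (ingress, egress, _), queue in self.queues.items():
            while queue:                                        # 2) queue counter > 0
                if len(self.send_buffers[egress]) >= PORT_SEND_LIMIT:
                    break                                       # 1) port send buffer full
                if ingress == DOWNLINK and egress == UPLINK and not self.rate.take():
                    break                                       # 3) no rate-control token
                self.send_buffers[egress].append(queue.popleft())
                forwarded += 1
        return forwarded

    def drain(self, port):
        """The port transmits its send buffer; returns how many packets went out."""
        sent = len(self.send_buffers[port])
        self.send_buffers[port].clear()
        return sent
```

The point worth noticing is that only downlink-to-uplink queues consume tokens, so the rate control module bounds what a terminal can push upward into the network while downstream traffic is only limited by the send buffers.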
Ethernet protocol conversion gateway
As shown in fig. 9, it mainly includes a network interface module (a downlink network interface module 901 and an uplink network interface module 902), a switching engine module 903, a CPU module 904, a packet detection module 905, a rate control module 908, an address table 906, a packet buffer 907, a MAC adding module 909 and a MAC deleting module 910.
A data packet arriving from the downlink network interface module 901 enters the packet detection module 905. The packet detection module 905 checks whether the packet's Ethernet MAC DA, Ethernet MAC SA, Ethernet length or frame type, video network destination address DA, video network source address SA, video network packet type and packet length meet the requirements; if so, it allocates a corresponding stream identifier (stream-id), and the MAC deleting module 910 strips the MAC DA, MAC SA and length or frame type (2 bytes) before the packet enters the corresponding receive buffer; otherwise the packet is discarded.
The downlink network interface module 901 checks the send buffer of the port; if a packet is present, it obtains the Ethernet MAC DA of the corresponding terminal according to the packet's destination address DA, adds the terminal's Ethernet MAC DA, the Ethernet protocol gateway's MAC SA and the Ethernet length or frame type, and sends the packet.
The other modules in the ethernet protocol gateway function similarly to the access switch.
A terminal:
a terminal mainly comprises a network interface module, a service processing module and a CPU module. For example, a set-top box mainly comprises a network interface module, a video and audio coding and decoding engine module and a CPU module; a coding board mainly comprises a network interface module, a video and audio coding engine module and a CPU module; a memory mainly comprises a network interface module, a CPU module and a disk array module.
1.3 The devices of the metropolitan area network part can be mainly classified into 2 types: node server, node switch, metropolitan area server. The node switch mainly comprises a network interface module, a switching engine module and a CPU module; the metropolitan area server mainly comprises a network interface module, a switching engine module and a CPU module.
2. Video networking packet definition
2.1 Access network packet definition
The data packet of the access network mainly comprises the following parts: Destination Address (DA), Source Address (SA), reserved bytes, payload (PDU), CRC, laid out in order as in the following table:
DA | SA | Reserved | Payload | CRC
wherein:
the Destination Address (DA) consists of 8 bytes: the first byte indicates the packet type (various protocol packets, multicast data packets, unicast data packets, etc.; 256 types at most), the second to sixth bytes are the metropolitan area network address, and the seventh and eighth bytes are the access network address;
the Source Address (SA) is also composed of 8 bytes (byte), defined as the same as the Destination Address (DA);
the reserved byte consists of 2 bytes;
the payload has a different length according to the datagram type: 64 bytes for the various protocol packets, and 32 + 1024 = 1056 bytes for a unicast datagram, although it is of course not limited to these two types;
the CRC consists of 4 bytes and is calculated in accordance with the standard ethernet CRC algorithm.
2.2 metropolitan area network packet definition
The topology of a metropolitan area network is a graph, and there may be 2 or even more than 2 connections between two devices; that is, there may be more than 2 connections between a node switch and a node server, between a node switch and a node switch, and between a node switch and a node server. However, the metro network address of a metro network device is unique, so in order to describe the connection relationship between metro network devices accurately, the embodiment of the present invention introduces a parameter, the label, to uniquely describe a metropolitan area network device.
In this specification, the definition of the label is similar to that of the label in MPLS (Multi-Protocol Label Switching). Assuming there are two connections between device A and device B, there are 2 labels for packets from device A to device B and 2 labels for packets from device B to device A. Labels are classified into incoming labels and outgoing labels: assuming that the label of a packet entering device A (the incoming label) is 0x0000, the label of the packet leaving device A (the outgoing label) may become 0x0001. The network access process of the metro network is under centralized control, that is, both address allocation and label allocation in the metro network are directed by the metro server and the node switch and node server execute them passively. This differs from MPLS label allocation, which is the result of negotiation between switches and servers.
As shown in the following table, the data packet of the metro network mainly includes the following parts:
DA | SA | Reserved | Label | Payload | CRC
namely Destination Address (DA), Source Address (SA), reserved bytes (Reserved), label, payload (PDU), CRC. The format of the label may be defined as follows: the label is 32 bits, with the upper 16 bits reserved and only the lower 16 bits used, and it sits between the reserved bytes and the payload of the packet.
Based on the above characteristics of the video network, one of the core concepts of the embodiments of the present invention is proposed: security in the network is ensured by a video networking architecture with boundary protection. That is, mutually isolated preset networks (which may be third-party networks with respect to the video network) can retrieve each other's resources through the video network, where data in the video network is provided to a third-party network only after protocol conversion, encryption of the signaling contained in the data, encrypted transmission and decryption, thereby ensuring the security of data transmission between heterogeneous networks.
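The signaling path of this core concept, which claims 2 to 6 below spell out step by step (whitelist check, stripping the IP header and replacing the destination IP with a video-networking number address, encryption with the pre-stored key, and the reverse at the far border gateway), is walked through in the following added example. It is not the patent's code: the IP signaling is modelled as a minimal header (4-byte source IP, 4-byte destination IP) followed by a body; the whitelist, the virtual numbers and the way an 8-byte number address is derived from a virtual number are constructed sample data; and because the page names no algorithm, the cipher is a stand-in built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, keys derived from the pre-stored key.

```python
"""Border-gateway signaling conversion and encryption, both directions (added example)."""
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed provisioning data shared by both border gateways.
WHITELIST = {"10.1.0.5", "192.168.7.9"}
VIRTUAL_NUMBER = {"10.1.0.5": "8600001", "192.168.7.9": "8600002"}   # pre-allocated numbers
IP_BY_VIRTUAL_NUMBER = {vn: ip for ip, vn in VIRTUAL_NUMBER.items()}
PRESTORED_KEY = hashlib.sha256(b"constructed pre-stored video networking key").digest()


def is_legal(ip: str) -> bool:
    """Claim 6: a communication object is admitted only if it is on the whitelist."""
    return ip in WHITELIST


def number_address(virtual_number: str) -> bytes:
    """8-byte number address generated from a virtual number (constructed scheme)."""
    return struct.pack(">Q", int(virtual_number))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """nonce || ciphertext || tag, with a fresh random nonce unless one is supplied."""
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    if len(blob) < 48:
        raise ValueError("truncated signaling")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def ip_to_video_networking(first_signaling: bytes, key: bytes, nonce: bytes = None) -> bytes:
    """Ingress gateway (claims 2, 4, 6): whitelist check, strip the IP header, replace the
    destination IP with its number address, re-encapsulate, then encrypt."""
    src_ip = str(ipaddress.ip_address(first_signaling[:4]))
    dst_ip = str(ipaddress.ip_address(first_signaling[4:8]))
    if not (is_legal(src_ip) and is_legal(dst_ip)):
        raise PermissionError("communication object not on the whitelist")
    da = number_address(VIRTUAL_NUMBER[dst_ip])
    sa = number_address(VIRTUAL_NUMBER[src_ip])
    return encrypt(key, da + sa + first_signaling[8:], nonce)   # encrypted second signaling


def video_networking_to_ip(encrypted_second: bytes, key: bytes) -> bytes:
    """Egress gateway (claims 3, 5): decrypt, strip the video-networking header, generate the
    second destination IP from the virtual number, and re-encapsulate under an IP header."""
    second = decrypt(key, encrypted_second)
    da, sa, body = second[:8], second[8:16], second[16:]
    dst_ip = IP_BY_VIRTUAL_NUMBER[str(struct.unpack(">Q", da)[0])]
    src_ip = IP_BY_VIRTUAL_NUMBER[str(struct.unpack(">Q", sa)[0])]
    return ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed + body


def walk_through() -> dict:
    """Run the full path once and report the properties a defender would check."""
    first = bytes([10, 1, 0, 5]) + bytes([192, 168, 7, 9]) + b"SETUP call-1"
    on_wire = ip_to_video_networking(first, PRESTORED_KEY)
    tampered = bytearray(on_wire)
    tampered[20] ^= 0x01                      # flip one bit inside the encrypted DA
    try:
        video_networking_to_ip(bytes(tampered), PRESTORED_KEY)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    try:
        ip_to_video_networking(bytes([172, 16, 0, 1]) + first[4:], PRESTORED_KEY)
        illegal_rejected = False
    except PermissionError:
        illegal_rejected = True
    return {"round_trip": video_networking_to_ip(on_wire, PRESTORED_KEY) == first,
            "body_hidden": b"SETUP" not in on_wire,
            "tamper_rejected": tamper_rejected, "illegal_rejected": illegal_rejected}
```

Two design points carry over to a real gateway: the whitelist decision is taken before any conversion work is spent on the packet, and the far gateway authenticates the signaling before it decrypts or parses it, so a modified or replayed-and-altered second signaling is dropped rather than turned back into an IP packet.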
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The resource transmission method with the boundary protection function and the resource transmission device with the boundary protection function provided by the invention are introduced in detail, and a specific example is applied in the text to explain the principle and the implementation mode of the invention, and the description of the embodiment is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A resource transmission method with a boundary protection function is applied to the condition that data is transmitted between a first communication object and a second communication object in an IP network through a video network, the IP network where the first communication object and the second communication object are located comprises IP networks which are isolated from each other and have different security levels, the first communication object and the second communication object both have registered video network virtual numbers, and the method is applied to a boundary gateway of the video network, and comprises the following steps:
when data requested to be transmitted to the second communication object by the first communication object is received, if the data is determined to comprise a first signaling of an IP protocol, the first signaling is converted into a second signaling of a video networking protocol and is encrypted, the encrypted second signaling is transmitted in the video networking, and the second signaling is decrypted and converted into the first signaling of the IP protocol through other border gateways of the video networking and is then transmitted to the second communication object;
if the data comprises first audio and video data of an IP protocol, converting the first audio and video data into audio and video data of a preset format, packaging the audio and video data into second audio and video data of a video networking protocol, transmitting the second audio and video data in the video networking, converting the second audio and video data into the first audio and video data of the IP protocol through other boundary gateways of the video networking, and transmitting the first audio and video data to the second communication object.
2. The method of claim 1, wherein translating the first signaling into second signaling of an internet of video protocol comprises:
generating destination video networking number address information according to the video networking virtual number pre-allocated to the second communication object;
and removing the IP protocol header contained in the first signaling, converting the first destination IP address information contained in the first signaling into destination video networking number address information, and encapsulating the converted first signaling according to the video networking protocol header to obtain the second signaling.
3. The method of claim 1, wherein converting the second signaling to the first signaling of the IP protocol via other border gateways of the video network comprises:
generating second destination IP address information aiming at the second communication object according to the video networking virtual number which is pre-allocated to the second communication object by other boundary gateways of the video networking;
and removing the video networking protocol header contained in the second signaling, converting the destination video networking number address information contained in the second signaling into second destination IP address information, and encapsulating the converted second signaling according to the IP protocol header to obtain the first signaling converted into the IP protocol.
4. The method according to any one of claims 1 to 3, wherein converting the first signaling into a second signaling of a video networking protocol and encrypting it comprises:
encrypting the second signaling according to pre-stored key information, the key information including a video networking key and/or a video networking broadcast key.
5. The method of claim 4, wherein decrypting the second signaling through the other border gateways of the video network comprises:
obtaining key information through the other border gateways of the video network, the key information including a video networking key and/or a video networking broadcast key;
decrypting the second signaling with the video networking key and/or the video networking broadcast key through the other border gateways of the video network.
6. A method according to any one of claims 1 to 3, further comprising, before receiving the data requested by the first communication object to be transmitted to the second communication object:
acquiring a white list, and judging whether the first communication object is legal or not according to the white list;
if the first communication object is legal, acquiring a registered first video networking virtual number which is pre-allocated to the first communication object;
and generating a first network access authentication request carrying the first video network virtual number, and accessing the first communication object to the video network according to the first network access authentication request, so that the first communication object accessed to the video network transmits data through the video network subsequently.
7. A method according to any one of claims 1 to 3, further comprising, before receiving the data requested by the first communication object to be transmitted to the second communication object:
acquiring a white list through other border gateways of the video network, and judging whether the second communication object is legal or not according to the white list;
if the second communication object is legal, acquiring a registered second video network virtual number which is pre-allocated to the second communication object through other border gateways of the video network;
and generating a second network access authentication request carrying the second video network virtual number through other border gateways of the video network, and accessing the second communication object to the video network according to the second network access authentication request so as to enable the second communication object accessed to the video network to subsequently transmit data through the video network.
8. A resource transmission apparatus with a boundary protection function, wherein the apparatus is applied to a case of transmitting data between a first communication object and a second communication object in an IP network through a video network, the IP network in which the first communication object and the second communication object are located includes IP networks which are isolated from each other and have different security levels, the first communication object and the second communication object both have registered video network virtual numbers, the apparatus is applied to a boundary gateway of the video network, and the apparatus comprises:
a signaling transmission module, configured to, when receiving data requested by the first communication object to be transmitted to the second communication object, if it is determined that the data includes a first signaling of an IP protocol, convert the first signaling into a second signaling of a video networking protocol and encrypt the second signaling, transmit the encrypted second signaling in the video network, decrypt the second signaling through other border gateways of the video network, convert it into the first signaling of the IP protocol, and send the first signaling to the second communication object;
and the audio and video data transmission module is used for converting the first audio and video data into audio and video data in a preset format if the data comprises first audio and video data of an IP protocol, packaging the audio and video data into second audio and video data of a video networking protocol, transmitting the second audio and video data in the video networking, converting the second audio and video data into the first audio and video data of the IP protocol through other boundary gateways of the video networking, and transmitting the first audio and video data to the second communication object.
9. A resource transmission device with a boundary guard function, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon, which, when executed by the one or more processors, cause the apparatus to perform the resource transmission method with a boundary protection function of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program for causing a processor to execute the resource transmission method with a boundary protection function according to any one of claims 1 to 7.
CN202110001069.6A 2021-01-04 2021-01-04 Resource transmission method and device with boundary protection function Active CN112333209B (en)

Publications (2)

Publication Number Publication Date
CN112333209A CN112333209A (en) 2021-02-05
CN112333209B true CN112333209B (en) 2021-04-16


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881141A (en) * 2017-11-23 2018-11-23 北京视联动力国际信息技术有限公司 A kind of data processing method and device based on view networking
CN110035005A (en) * 2019-02-27 2019-07-19 视联动力信息技术股份有限公司 Data processing method and device
CN110086771A (en) * 2019-03-18 2019-08-02 视联动力信息技术股份有限公司 A kind of management method and device of protocol conversion device
CN110392044A (en) * 2019-06-26 2019-10-29 视联动力信息技术股份有限公司 A kind of information transferring method and device based on view networking
CN111614927A (en) * 2020-04-09 2020-09-01 视联动力信息技术股份有限公司 Video session establishment method, device, electronic equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9602775B2 (en) * 2009-05-07 2017-03-21 Centurylink Intellectual Property Llc Auto discovery and auto provisioning of set top boxes
CN108243153B (en) * 2016-12-23 2019-03-12 视联动力信息技术股份有限公司 A kind of method and apparatus playing TV programme in view networking

Also Published As

Publication number Publication date
CN112333209A (en) 2021-02-05

Similar Documents

Publication Publication Date Title
CN110557680B (en) Audio and video data frame transmission method and system
CN110430043B (en) Authentication method, system and device and storage medium
CN109672664B (en) Authentication method and system for video networking terminal
CN111107060B (en) Login request processing method, server, electronic equipment and storage medium
CN110061962B (en) Method and device for transmitting video stream data
CN111786778A (en) Method and device for updating key
CN110661784B (en) User authentication method, device and storage medium
CN109347844B (en) Method and device for accessing equipment to Internet
CN110719247B (en) Terminal network access method and device
CN112291072B (en) Secure video communication method, device, equipment and medium based on management plane protocol
CN109151519B (en) Configuration distribution method and system based on video network
CN112333210B (en) Method and equipment for realizing data communication function of video network
CN110535856B (en) User authentication method, device and storage medium
CN109376507B (en) Data security management method and system
CN110022353B (en) Service sharing method and video networking system
CN110266577B (en) Tunnel establishment method and video networking system
CN110392289B (en) Account processing method and system
CN108965366B (en) Version information query method and device
CN112291592B (en) Control plane protocol-based secure video communication method, device, equipment and medium
CN112333209B (en) Resource transmission method and device with boundary protection function
CN109617858B (en) Encryption method and device for streaming media link
CN109587436B (en) Video networking conference management platform login method and device
CN110049007B (en) Video networking transmission method and device
CN109639627B (en) Encryption mode switching method and device
CN109698966B (en) Method and device for logging in streaming media and interactively encrypting data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220927

Address after: 571924 Building C07, Zone C, Hainan Ecological Software Park, High-tech Industrial Demonstration Zone, Old Town, Haikou City, Hainan Province

Patentee after: Hainan Shilian Communication Technology Co.,Ltd.

Address before: 100000 Beijing Dongcheng District Qinglong Hutong 1 Song Hua Building A1103-1113

Patentee before: VISIONVERA INFORMATION TECHNOLOGY Co.,Ltd.