CN112866074A - Virtual network connection method and virtual network system - Google Patents

Info

Publication number
CN112866074A
Authority
CN (China)
Prior art keywords
connection, virtual network, repeater, application, NAT
Legal status
Granted
Application number
CN201911192078.7A
Other languages
Chinese (zh)
Other versions
CN112866074B (en)
Inventor
张勇
Current Assignee
Fiberhome Telecommunication Technologies Co Ltd
Original Assignee
Fiberhome Telecommunication Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or, creating pinholes
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services

Abstract

The invention discloses a virtual network connection method and a virtual network system, and relates to the technical field of networks. The virtual network connection method comprises the following steps: configuring at least one global coordinator and a repeater in each host connected to the Internet, wherein the repeater registers with a reachable global coordinator and maintains a long connection; establishing a penetration connection between repeaters under the coordination of a global coordinator; the repeater at one end of the penetration connection provides a proxy forwarding service for the local application client, the repeater at the other end of the penetration connection connects to the local application service, and a virtual network connection is thereby established between the application client and the cross-host application service. The invention provides a virtual network connection that automatically penetrates NAT and firewalls.

Description

Virtual network connection method and virtual network system
Technical Field
The present invention relates to the field of network technologies, and in particular, to a virtual network connection method and a virtual network system.
Background
Software virtual networks are widely used in distributed network environments, and as the network scale keeps expanding, the complexity of the network environment increases day by day. When application software is distributed across a plurality of independent Network Address Translation (NAT) subnets, a user needs to configure port mapping to open a service port before a software virtual network can be established, so automatic deployment of the software virtual network is difficult to achieve. In addition, most software virtual networks adopt virtual network cards, which need root authority and operating system support, and deployment is difficult when different operating system types and versions exist in the network.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a virtual network connection method and a virtual network system which provide a virtual network connection that automatically penetrates NAT and firewalls.
The invention provides a virtual network connection method, which comprises the following steps:
configuring at least one global coordinator and a repeater in each host connected to the Internet, wherein the repeater registers with a reachable global coordinator and maintains a long connection;
establishing a penetration connection between repeaters under the coordination of a global coordinator;
the repeater at one end of the penetration connection provides a proxy forwarding service for the local application client, the repeater at the other end of the penetration connection connects to the local application service, and a virtual network connection is established between the application client and the cross-host application service.
On the basis of the above technical solution, the host at either end of the penetration connection is non-NAT and has no firewall;
or the hosts at both ends of the penetration connection are behind asymmetric NAT or provided with firewalls;
or the hosts at both ends of the penetration connection are behind symmetric NAT;
or the host at one end of the penetration connection is behind a symmetric NAT and the host at the other end is behind an asymmetric NAT.
On the basis of the above technical solution, the configuring of at least one global coordinator and of a repeater in each host connected to the Internet, and the registering of the repeater with a reachable global coordinator and maintaining of a long connection, include:
the global coordinator binds two TCP ports as service ports and listens on them;
the repeater sends registration information to both service ports from its local port, and establishes and maintains a long connection with one of the service ports, wherein the registration information comprises a local IP, the local port, a local application IP and a local application port;
the global coordinator determines the network information of the repeater according to the registration information; when there are multiple global coordinators, the global coordinator broadcasts the network information of the repeater to the other global coordinators.
On the basis of the above technical solution, the configuring of at least one global coordinator and of a repeater in each host connected to the Internet further includes:
allocating a unique virtual network ID to each global coordinator and each host, and generating and issuing digital certificates according to the virtual network ID, the characteristic information and the application service information, wherein the virtual network ID of each host is a local loopback IP used as the local application IP;
and carrying out identity authentication between the repeaters and the global coordinator based on the digital certificates.
On the basis of the above technical solution, encrypted communication is carried out between the repeaters and the global coordinator based on the digital certificates;
when the application client enables a customized secure encryption protocol, the repeater turns off the certificate-based encrypted communication.
On the basis of the above technical solution, the providing, by the repeater at one end of the penetration connection, of a proxy forwarding service for the native application client includes:
after the application client is started, calling a pre-configured virtual network application access SDK for validity verification, and after the verification is passed, communicating with the repeater through the virtual network application access SDK.
On the basis of the above technical solution, the application client replaces the connect function of the socket library with an interface function provided by the virtual network application access SDK;
and the interface function passes the IP and port that the application client requests to access to the repeater, and calls the connect function to connect to the native application port.
On the basis of the above technical solution, the establishing of the penetration connection between the repeaters under the coordination of the global coordinator includes:
pre-establishing, under the coordination of the global coordinator, a plurality of NAT penetration connections among the repeaters and storing them in a penetration connection pool; or,
in response to an access request of the application client, creating a NAT penetration connection between the repeaters under the coordination of the global coordinator.
On the basis of the above technical solution, the repeater multiplexes and maintains the NAT penetration connections in the penetration connection pool.
On the basis of the above technical solution, the NAT penetration connection is established based on a predetermined path policy, wherein the path policy is a main/standby protection policy, a load balancing policy or an application QoS selection policy.
The invention also provides a virtual network system, which comprises at least one global coordinator and a repeater in each host connected to the Internet, wherein the repeater is configured to register with a reachable global coordinator and maintain a long connection;
the repeater is used for establishing a penetration connection with other repeaters under the coordination of the global coordinator, and is also used for providing a proxy forwarding service for the native application client and connecting to the native application service, so that a virtual network connection is established between the application client and a cross-host application service.
On the basis of the above technical solution, the host at either end of the penetration connection is non-NAT and has no firewall;
or the hosts at both ends of the penetration connection are behind asymmetric NAT or provided with firewalls;
or the hosts at both ends of the penetration connection are behind symmetric NAT;
or the host at one end of the penetration connection is behind a symmetric NAT and the host at the other end is behind an asymmetric NAT.
On the basis of the above technical solution, the global coordinator is used for binding two TCP ports as service ports and listening on them, and for determining the network information of the repeater according to the registration information sent by the repeater; when there are multiple global coordinators, the global coordinator is further used for broadcasting the network information of the repeater to the other global coordinators;
the repeater is used for sending registration information to both service ports from its local port, and for establishing and maintaining a long connection with one of the service ports, wherein the registration information comprises a local IP, the local port, a local application IP and the local application port.
On the basis of the above technical solution, the system further comprises an identity certificate service module;
the identity certificate service module is used for allocating a unique virtual network ID to each global coordinator and each host, and for generating and issuing digital certificates according to the virtual network ID, the characteristic information and the application service information, wherein the virtual network ID of each host is a local loopback IP used as the local application IP;
the repeater is used for carrying out identity verification with other repeaters and the global coordinator based on the digital certificates.
On the basis of the above technical solution, the repeater is used for carrying out encrypted communication with other repeaters and the global coordinator based on the digital certificate;
the repeater is further configured to turn off the certificate-based encrypted communication when the application client enables a custom secure encryption protocol.
On the basis of the above technical solution, the application client is used for calling the pre-configured virtual network application access SDK for validity verification after being started, and for communicating with the repeater through the virtual network application access SDK after the verification is passed.
On the basis of the above technical solution, the application client is further used for replacing the connect function of the socket library with an interface function provided by the virtual network application access SDK;
and the interface function is used for passing the IP and port that the application client requests to access to the repeater, and for calling the connect function to connect to the native application port.
On the basis of the above technical solution, a plurality of NAT penetration connections are pre-established among the repeaters under the coordination of the global coordinator and stored in a penetration connection pool; or a NAT penetration connection is created between the repeaters in response to an access request of the application client.
On the basis of the above technical solution, the repeater is further configured to multiplex and periodically maintain the NAT penetration connections in the penetration connection pool.
On the basis of the above technical solution, the NAT penetration connection is established based on a predetermined path policy, wherein the path policy is a main/standby protection policy, a load balancing policy or an application QoS selection policy.
Compared with the prior art, the virtual network connection method provided by the embodiment of the invention comprises the following steps: configuring at least one global coordinator and a repeater in each host connected to the Internet, wherein the repeater registers with a reachable global coordinator and maintains a long connection; establishing a penetration connection between repeaters under the coordination of a global coordinator; the repeater at one end of the penetration connection provides a proxy forwarding service for the application client of the local machine, the repeater at the other end of the penetration connection connects to the application service of its local machine, and a virtual network connection is established between the application client and the application service of the cross-host machine.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a virtual network system according to an embodiment of the present invention;
FIG. 2 is a flowchart of a virtual network connection method according to an embodiment of the present invention;
FIG. 3 is another schematic diagram of a virtual network system according to an embodiment of the invention;
FIG. 4 is a further schematic diagram of a virtual network system according to an embodiment of the invention;
FIG. 5 is a schematic diagram of a conventional distributed software multi-NAT deployment;
FIG. 6 is a schematic diagram of a distributed software multi-NAT deployment in a virtual network system according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and the embodiments.
Embodiments of the present invention provide a virtual network system, which includes at least one global coordinator and a repeater in a host connected to the internet, where the repeater is configured to register with a reachable global coordinator and maintain a long connection.
The repeater is used for establishing a penetration connection with other repeaters under the coordination of the global coordinator; it is also used for providing a proxy forwarding service for the native application client and connecting to the native application service, thereby establishing a virtual network connection between the application client and the cross-host application service.
Specifically, the global coordinator is located at a position reachable from all NAT subnets and acts as a third party that coordinates the exchange of information between hosts that cannot connect to each other directly because of firewalls, NATs or the like. When there are multiple global coordinators, network connections are established between them. The virtual network system may also comprise at least one local coordinator, which is located at a position reachable within one NAT subnet and establishes a network connection with a global coordinator from within that NAT subnet, so as to realize global transmission and sharing of information.
Specifically, each host is provided with a repeater, and the repeaters serve as packet forwarding agents that carry out the penetration processing automatically and uniformly, so that each application client is spared from performing complex penetration operations of its own. In a local area network, the repeater in a host directly connected to the Internet is called a local repeater; hosts that are not directly connected to the Internet also run repeaters. Besides providing the proxy forwarding service for the native application client, the local repeater can provide a network proxy service for the other repeaters in the same local area network.
Hereinafter, unless otherwise specified, the repeater refers to a local repeater.
The application client directly accesses the native application service without virtual network connection. When the application client accesses the non-native application service, the connection needs to be through the virtual network.
The native application client may be a process that the operating system allocates to the launched application service, which is a typical model of application client process C and server process S.
For example, if the application client process C in subnet A wants to connect to the server process S in subnet B, process C only needs to connect to the communication proxy port of the repeater TA in subnet A. The repeater TA automatically completes the NAT hole punching with the repeater TB in the opposite subnet B, establishing the penetration connection from TA to TB, and TB completes the connection to the server process S. Once this chain of three connections is complete, the repeaters TA and TB forward all communication data between process C and process S. Neither process C nor process S is aware of the complex connection chain, which is equivalent to a virtual network connection having been established between them; in this application the virtual network connection is also referred to as a virtual connection for short.
Referring to FIG. 1, host A1 and host B1 are both directly connected to the Internet, and repeater 102 in host A1 and repeater 103 in host B1 are both registered with global coordinator 101 and maintain a long connection with it. The repeater of each host provides its own registration information and, through global coordinator 101, exchanges small volumes of coordination data quickly with other hosts, so that penetration interconnection can be established quickly.
The application client 104 directly accesses the native application service 105 without a virtual network connection. When the application client 104 accesses the non-native application service 106, it needs to connect through a virtual network.
Under the coordination of global coordinator M1, a penetration connection is established between repeater 102 and repeater 103.
When the application client 104 asks the local repeater 102 to access the non-local application service 106, the repeater 102 provides the proxy forwarding service for the local application client 104, the repeater 103 connects to its local application service 106, and a virtual connection is established between the application client 104 and the cross-host application service 106 through the penetration connection between repeater 102 and repeater 103.
For example, distributed software generally comprises a plurality of application programs (such as the application client 104 and the application service 106 in FIG. 1). When these application programs are deployed in a plurality of mutually isolated NAT subnets and need to exchange data across those subnets, the virtual network lets them communicate with one another through the NAT subnets and the local area network firewalls without being aware of them.
Based on the virtual network system of the foregoing embodiment, an embodiment of the present invention provides a virtual network connection method that automatically penetrates NAT and firewalls. Referring to FIG. 2, the virtual network connection method includes:
S110, configuring at least one global coordinator and a repeater in each Internet-connected host, the repeater registering with a reachable global coordinator and maintaining a long connection.
S120, establishing the penetration connection between the repeaters under the coordination of the global coordinator.
S130, the repeater at one end of the penetration connection provides a proxy forwarding service for the application client of the local machine, the repeater at the other end connects to the application service of its local machine, and a virtual network connection is established between the application client and the application service of the cross-host machine.
Step S110 includes:
S111, the global coordinator binds two Transmission Control Protocol (TCP) ports as service ports and listens on them.
S112, the repeater sends registration information to both service ports from its local port, and establishes and maintains a long connection with one of the service ports, where the registration information includes a local Internet Protocol (IP) address, the local port, a local application IP, and a local application port.
S113, the global coordinator determines the network information of the repeater according to the registration information; when there are multiple global coordinators, the global coordinator broadcasts the network information of the repeater to the other global coordinators.
Specifically, after receiving the registration information of the repeater on its two service ports, the global coordinator compares the local IP and local port bound in the registration information with the remote IP and remote port of the connection it actually accepted, and from the differences can work out information such as the Internet IP of the subnet the repeater belongs to and its NAT type. The global coordinator caches this information and broadcasts it to the other global coordinators over its connections to them.
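The comparison described in S111 to S113 can be made concrete as follows. This is an added illustration written for this page, not the patent's implementation: the `Registration` and `Observation` structures, their field names, the three-way classification and the sample addresses are all constructed, and since the page does not say how firewall presence is determined, the function does not attempt that.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """Registration information listed in S112 (field names are constructed)."""
    local_ip: str
    local_port: int
    app_ip: str     # local application IP; per the page, the host's loopback virtual network ID
    app_port: int


@dataclass(frozen=True)
class Observation:
    """What one service port of the global coordinator sees on the accepted connection."""
    service_port: int
    remote_ip: str
    remote_port: int


def classify_repeater(reg: Registration, obs_a: Observation, obs_b: Observation) -> dict:
    """Derive the repeater's network information from its registration (S113).

    The bound local address carried inside the registration is compared with the
    remote address actually seen on each of the two service ports:
      - identical to the local address on both ports: no NAT on the path;
      - translated, but the same mapped port toward both service ports: asymmetric
        (cone) NAT, so the IPA:PA learned here is reusable for hole punching;
      - translated, with a different mapped port per destination: symmetric NAT.
    Firewall presence cannot be inferred from these fields alone.
    """
    if obs_a.service_port == obs_b.service_port:
        raise ValueError("the two observations must come from different service ports")
    local = (reg.local_ip, reg.local_port)
    seen_a = (obs_a.remote_ip, obs_a.remote_port)
    seen_b = (obs_b.remote_ip, obs_b.remote_port)
    if seen_a == local and seen_b == local:
        nat_type = "none"
    elif obs_a.remote_ip != obs_b.remote_ip:
        nat_type = "unknown"          # e.g. multi-homed NAT; not handled here
    elif obs_a.remote_port == obs_b.remote_port:
        nat_type = "asymmetric"
    else:
        nat_type = "symmetric"
    return {
        "internet_ip": obs_a.remote_ip,
        "mapped_port": obs_a.remote_port if nat_type in ("none", "asymmetric") else None,
        "nat_type": nat_type,
        "app": (reg.app_ip, reg.app_port),
    }


# Constructed samples: one repeater behind a cone NAT, one behind a symmetric NAT,
# one on a public host, each registering to coordinator service ports 9000 and 9001.
SAMPLES = {
    "cone": (Registration("10.0.0.2", 40000, "127.0.0.2", 8080),
             Observation(9000, "198.51.100.1", 53001),
             Observation(9001, "198.51.100.1", 53001)),
    "symmetric": (Registration("192.168.1.2", 40000, "127.0.0.3", 8080),
                  Observation(9000, "192.0.2.1", 61000),
                  Observation(9001, "192.0.2.1", 61007)),
    "public": (Registration("203.0.113.20", 40000, "127.0.0.4", 8080),
               Observation(9000, "203.0.113.20", 40000),
               Observation(9001, "203.0.113.20", 40000)),
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns name -> network information."""
    return {name: classify_repeater(*triple) for name, triple in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in classify_samples().items():
        print(f"{name:>9}: {info}")
```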
In one embodiment, step S120 includes:
pre-establishing, under the coordination of a global coordinator, a plurality of NAT penetration connections among the repeaters and storing them in a penetration connection pool.
In another embodiment, step S120 includes:
in response to an access request of the application client, creating a NAT (Network Address Translation) penetration connection between the repeaters under the coordination of the global coordinator.
In step S120, when a penetration connection is created by NAT hole punching, the processing differs according to the NAT types of the subnets on both sides, and the global coordinator may be configured to support the following four cases:
1) The host at either end of the penetration connection is non-NAT and has no firewall;
No hole punching is actually needed: the global coordinator coordinates the end behind NAT to initiate a direct connection to the end that has neither NAT nor a firewall.
2) The hosts at both ends of the penetration connection are behind asymmetric NAT or provided with firewalls;
Specifically, with asymmetric NAT at both ends or firewalls at both ends, hole punching can be initiated by either end. Assuming the repeater TA initiates, the steps for establishing the penetration connection are:
S121, the repeaters TA and TB have both completed registration with the global coordinator in advance and maintain long connections. The registration connection of TA has the following information: the bound native port LPA and the Internet IP and port (IPA and PA); the registration connection of TB has the following information: the bound native port LPB and the Internet IP and port (IPB and PB). TA and TB each obtained their own registration connection information when registration completed.
S122, the repeater TA sends request information R1 to the global coordinator over its registration connection, requesting coordination of hole punching toward the repeater TB.
S123, the global coordinator returns response information A1 (containing IPB and PB) to TA.
S124, on receiving A1, the repeater TA, still bound to the local port LPA, sends a TCP connection or User Datagram Protocol (UDP) packet to IPB:PB as a hole-punching probe packet. The probe packet does not yet satisfy the NAT and firewall security requirements of subnet B and may be discarded by subnet B.
S125, the repeater TA sends request information R2 (including IPA and PA) to the global coordinator, asking the repeater TB to initiate a reverse connection to TA; the global coordinator receives R2 and forwards it to TB; after receiving R2, TB, still bound to the local port LPB, sends a reverse connection request packet R3 to IPA:PA.
S126, owing to the characteristic of asymmetric NAT, the Internet IP and port of TB's reverse connection to TA are still translated to IPB:PB by the NAT, so the source and destination ports of the reverse connection request packet R3 conform to the security requirements of the asymmetric NAT (and firewall) of subnet A, the packet is released by the NAT equipment (and firewall) of subnet A, and the repeater TA receives R3 from TB.
The repeater TA sends a response packet A3 to IPB:PB; at this point A3 also meets the security requirements of subnet B and is released, and the repeater TB receives A3. The penetration connection between TA and TB is thereby established and the hole punching is complete.
A penetration connection established by hole punching differs from an ordinary connection in how it appears to the firewalls. For an ordinary connection, the firewalls of both parties record it as a connection in the direction from TA to TB. For the punched connection, the firewall on TA's side records it as a connection from TA to TB, while the firewall on TB's side records it as a connection from TB to TA; that is, each firewall records it as a connection originating from the local machine outwards.
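The S121 to S126 exchange and the firewall observation above, as an added simulation that is not part of the patent: two constructed NAT-with-stateful-filter models (cone and symmetric) stand in for subnets A and B, the addresses are RFC 5737 documentation addresses, and the coordinator's relay of R1, A1 and R2 is assumed to succeed out of band. The same exchange is also run with subnet A behind a symmetric NAT, to show why that case needs the reverse scan of S127 to S129 instead.

```python
import itertools
from dataclasses import dataclass

Addr = tuple  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    name: str


class Nat:
    """Constructed model of a NAT with a stateful filter in front of one subnet.

    symmetric=False: asymmetric (cone) NAT, one external port per internal socket.
    symmetric=True: a fresh external port for every (internal socket, destination).
    In both modes an inbound packet is delivered only if the internal socket behind
    the targeted external port has previously sent to the packet's source address.
    """

    def __init__(self, public_ip: str, symmetric: bool = False, first_port: int = 40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self._ports = itertools.count(first_port)
        self.mapping = {}   # internal socket (or socket+destination) -> external port
        self.allowed = {}   # external port -> set of destinations already contacted
        self.fw_log = []    # the firewall's view: ("out", internal socket, remote)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.dst) if self.symmetric else pkt.src
        if key not in self.mapping:
            self.mapping[key] = next(self._ports)
        ext = self.mapping[key]
        self.allowed.setdefault(ext, set()).add(pkt.dst)
        self.fw_log.append(("out", pkt.src, pkt.dst))
        return Packet((self.public_ip, ext), pkt.dst, pkt.name)

    def inbound(self, pkt: Packet):
        ip, ext = pkt.dst
        if ip != self.public_ip or pkt.src not in self.allowed.get(ext, ()):
            return None   # dropped: no matching outbound state for this peer
        for key, port in self.mapping.items():
            if port == ext:
                internal = key[0] if self.symmetric else key
                return Packet(pkt.src, internal, pkt.name)
        return None


COORD = ("203.0.113.10", 9000)                      # global coordinator, public
TA, TB = ("10.0.0.2", 5000), ("192.168.1.2", 5000)  # repeaters bound to LPA, LPB


def punch(nat_a: Nat, nat_b: Nat) -> dict:
    """Run S121-S126 with TA initiating; report what got through and what the
    firewall on each side recorded for the punched connection."""
    # S121: both repeaters register; the coordinator learns IPA:PA and IPB:PB.
    ipa_pa = nat_a.outbound(Packet(TA, COORD, "register")).src
    ipb_pb = nat_b.outbound(Packet(TB, COORD, "register")).src
    # S122/S123: R1 and A1 ride the registration connections (assumed delivered);
    # TA now knows IPB:PB.
    # S124: probe from the still-bound LPA toward IPB:PB. B's filter has no state
    # for A yet, so the probe is dropped; it only created state on A's side.
    probe = nat_b.inbound(nat_a.outbound(Packet(TA, ipb_pb, "probe")))
    # S125: R2 via the coordinator (assumed delivered); TB reverses toward IPA:PA
    # from the still-bound LPB.
    r3 = nat_a.inbound(nat_b.outbound(Packet(TB, ipa_pa, "R3")))
    # S126: TA answers with A3 to IPB:PB; B's filter now has state from R3.
    a3 = nat_b.inbound(nat_a.outbound(Packet(TA, ipb_pb, "A3"))) if r3 else None
    return {
        "probe_delivered": probe is not None,
        "r3_delivered": r3 is not None,
        "punched": a3 is not None,
        "fw_a_sees": [e for e in nat_a.fw_log if e[2] == ipb_pb],
        "fw_b_sees": [e for e in nat_b.fw_log if e[2] == ipa_pa],
    }


if __name__ == "__main__":
    print("cone/cone:", punch(Nat("198.51.100.1"), Nat("192.0.2.1")))
    print("symmetric A:", punch(Nat("198.51.100.1", symmetric=True), Nat("192.0.2.1")))
```

In the cone/cone run both firewall logs contain only outbound entries for the peer, which is the asymmetry the text describes; with subnet A symmetric, R3 targets the registration port PA while the probe left through a different mapped port, so nothing gets through.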
3) The host at one end of the penetration connection is behind a symmetric NAT and the host at the other end is behind an asymmetric NAT. The global coordinator must coordinate so that the repeater TA on the symmetric NAT side initiates the hole punching.
S121 to S123 are executed, and then the flow proceeds to step S127.
S127, the repeater TA binds a different local port for each connection and initiates N TCP connections or UDP packets to IPB:PB as hole-punching probe packets, for example with 100 ≤ N ≤ 1000. Owing to the characteristics of symmetric NAT, the Internet IP of these probe packets after NAT is still IPA, but the Internet port is random and cannot easily be predicted. These probe packets are discarded by subnet B.
S128, the repeater TA sends request information R4 (including IPA and PA) to the global coordinator, asking the repeater TB to initiate a reverse scan toward TA; the global coordinator receives R4 and forwards it to TB. On receiving R4, TB, still bound to the native port LPB, attempts to traverse all ports of IPA (except PA), sending a reverse connection request packet R5 to each port.
S129, once the repeater TA receives one of the reverse connection request packets R5 from TB, that reverse connection conforms to the security requirements of the symmetric NAT (and firewall) of subnet A; TA responds on that connection with a packet A5 to IPB:PB, which also conforms to the security requirements of the asymmetric NAT (and firewall) of subnet B; TB receives A5, its port traversal attempts can be terminated, and the hole punching has succeeded.
4) The hosts at both ends of the penetration connection are behind symmetric NAT;
With symmetric NAT at both ends, direct hole punching is difficult; a repeater can be designed and deployed at the network position of the global coordinator, and the penetration connection is completed through a packet-forwarding proxy channel.
In step S130, after the penetration connection between the repeater TA and the repeater TB is successful, the repeater TB initiates a connection to the server process S of the local machine, and after the connection is successful, initiates a virtual connection to the repeater TA to finally establish a notification, and the repeater TA establishes a forwarding service in the local machine, notifies the application client process C to connect the forwarding port, and starts forwarding a subsequent data packet between the application client process C and the server process S. Therefore, the virtual connection which automatically penetrates the NAT and the firewall is successfully established between the application client process C and the server process S, namely the virtual connection which automatically penetrates the NAT and the firewall is established between the native application service and the non-native application service.
At present, distributed applications are known to consist of many services using many service ports, while local and wide area networks carry unknown conventional network threats, including port scanning, denial of service, eavesdropping and man-in-the-middle attacks, through which the system can be attacked via those ports.
A software virtual network itself usually has no security protection mechanism; the network security of the application software depends entirely on external tools such as firewalls and antivirus software. Distributed software services, however, not only have many programs and ports but keep growing and changing, so firewall configuration becomes cumbersome. Users with high security awareness complain that the firewall is inconvenient to configure, while users without security awareness leave ports open, which easily invites network attacks. For example, once the software virtual network is established, an illegal native application may attack other hosts through it, so once a single host node is breached, the security of the whole software virtual network is hard to guarantee.
Software virtual networks carry the communication data of the whole application layer over a single encrypted transport connection: once the transport layer has a problem, the whole application layer becomes unavailable, the impact on the application software is large, and performance bottlenecks arise easily. Moreover, the transport encryption is not exposed to the application, while in some special scenarios a user needs to specify its own encryption algorithm or mechanism, so extension is difficult.
The embodiment of the invention also provides a virtual network system and virtual network connection method for preventing network attacks, which can prevent conventional network attacks from other hosts on the distributed software system even when no firewall is enabled; even if a host is infected with malicious software, that software can be prevented from using the virtual network established by the host to attack other healthy hosts directly.
Referring to fig. 3, a host a2 and a host B2 are both directly connected to the internet, and the virtual network system according to the embodiment of the present invention includes an identity certificate service module 200, a global coordinator 201, a forwarder 202, and a forwarder 203.
The forwarder 202 in host a2 and the forwarder 203 in host B2 both register with the global coordinator 201 and maintain long connections.
The identity certificate service module 200 is configured to allocate a unique virtual network identity (ID) to each of the global coordinator 201, host A2 and host B2, and to generate and issue a digital certificate from the virtual network ID, the feature information and the application service information, where the virtual network ID of each host is a native loopback IP used as the native application IP.
The repeater 202 authenticates with other repeaters 203 and with the global coordinator 201 based on the digital certificates.
The virtual network connection method for preventing network attack in the embodiment of the invention comprises the following steps:
S210, configure at least one global coordinator and configure a repeater in each host connected to the Internet; the repeater registers with a reachable global coordinator and maintains a long connection.
S220, under the coordination of the global coordinator, penetrating connections are established between the repeaters.
S230, the repeater at one end provides a proxy forwarding service for the native application client, the repeater at the other end connects to the native application service, and a virtual network connection is established between the application client and the cross-host application service.
Specifically, step S210 includes:
S211, assign unique virtual network IDs to all global coordinators and hosts, where the virtual network ID of each host is a native loopback IP used as the native application IP.
S212, generate and issue a digital certificate from the virtual network ID, the feature information and the application service information.
S213, perform authentication between repeaters, and between a repeater and a global coordinator, based on the digital certificates.
S214, the forwarder registers with a reachable global coordinator and maintains the long connection.
In step S211, no external port is opened, in order to prevent attacks such as external port scanning and denial of service. Therefore each host is assigned a unique native loopback IP as its virtual network ID, and the native application IP is that loopback IP.
For example, in the whole distributed software system each host is allocated a loopback IP from 127.0.0.0/8 that is unique within the system, and this loopback IP serves as the host's identifier. Every IP that an application service listens on is changed to the local loopback IP; the IP configured on the network card, or 0.0.0.0, must not be used.
In step S212, the host must be authenticated so that it can be identified and so that counterfeiting or tampering with the host is prevented. Using the digital certificate principle, an independent digital certificate is issued for each host, and fixed, anti-counterfeiting or anti-tampering information important to the host, such as the allocated local loopback IP and the host's list of serviceable ports, is bound into and stored in the digital certificate. When applying for a certificate, the host must also provide its feature information (for example a Media Access Control (MAC) address or motherboard serial number; the exact items are defined by the application system itself, and finally a data stream guaranteed to be uniquely associated with the host is produced). The Certificate Authority (CA) program computes a hash of it with an irreversible algorithm, and this local feature hash is also placed in the digital certificate, so that an illegal host cannot pass off a forged certificate.
Step S214 is substantially the same as step S110 of the previous embodiment for registering and establishing the long connection, and is not described herein again.
In step S220 the pass-through connection between forwarder 202 and forwarder 203 is established; in step S230, when forwarder 203 initiates a connection to the native application service 206, it binds the native loopback IP of host A2, and when forwarder 202 sets up the forwarding service on its local machine, it binds the native loopback IP of host B2. This not only prevents attacks such as external port scanning and denial of service, since no external port is opened, but also avoids the problem of the IPs at the two ends of the C/S connection changing because of NAT, which helps the application service record IPs in its logs and locate a problem host by IP.
In one possible implementation, encrypted communication is performed between repeaters and between a repeater and a global coordinator based on digital certificates.
For example, in step S214 and subsequent steps, in order to prevent external eavesdropping and man-in-the-middle attacks, when the repeaters communicate with each other and the repeaters communicate with the global coordinator, a basic encrypted communication Layer, for example, a standard encrypted communication protocol such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), or a custom encrypted protocol, needs to be implemented using respective digital certificates.
Furthermore, to prevent a host's identity from being counterfeited or stolen, the digital certificate and the host's feature information can be used for double verification. After the encrypted communication is established, the hosts exchange their feature information; each side computes the hash of the peer's feature information and compares it with the feature hash stored in the peer's digital certificate, and judges from whether they match whether the peer host has a legitimate identity.
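As an added example (not the patent's own code), the following shows a certificate that binds the loopback virtual network ID, the serviceable port list and a hash of the host's feature information as in step S212, and the double verification just described, rejecting both a tampered certificate and a genuine certificate presented from the wrong hardware. It assumes SHA-256 as the irreversible hash and stands in an HMAC under a CA key for the CA signature (a real deployment would use X.509 certificates and a public-key signature); the feature values are constructed.

```python
# Added example (not the patent's code): certificate issue with feature-hash
# binding (S212) and the signature + feature-hash double verification.
# Assumptions: SHA-256 is the irreversible hash; the CA signature is stood in
# for by an HMAC under a CA key; feature info is a dict of MAC address and
# motherboard serial; all values below are constructed samples.
import hashlib
import hmac
import json

CA_KEY = b"constructed-ca-key"
HOST_A_FEATURES = {"mac": "02:00:00:00:00:01", "board_serial": "SN-A-0001"}
HOST_X_FEATURES = {"mac": "02:00:00:00:00:99", "board_serial": "SN-X-0099"}


def _canonical(obj):
    # Both sides must hash identical bytes, so serialise deterministically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def feature_hash(feature_info):
    """Irreversible hash of the host feature stream (the 'local feature hash')."""
    return hashlib.sha256(_canonical(feature_info)).hexdigest()


def issue_certificate(ca_key, vn_id, service_ports, feature_info):
    """CA side: bind ID, port list and feature hash, then sign the body."""
    body = {
        "vn_id": vn_id,                       # allocated 127.x.y.z loopback IP
        "service_ports": sorted(service_ports),
        "feature_hash": feature_hash(feature_info),
    }
    signature = hmac.new(ca_key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": signature}


def verify_peer(ca_key, peer_cert, exchanged_features):
    """Verifier side, after the encrypted channel is up: returns (ok, reason)."""
    body = {k: v for k, v in peer_cert.items() if k != "signature"}
    expected = hmac.new(ca_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, peer_cert.get("signature", "")):
        return False, "certificate signature invalid (forged or tampered)"
    # Double verification: recompute the hash of the feature information the
    # peer just exchanged and compare with the value the CA bound into the cert.
    if not hmac.compare_digest(body["feature_hash"], feature_hash(exchanged_features)):
        return False, "feature hash mismatch (certificate not issued to this host)"
    return True, "ok"


def demo():
    """Genuine host, genuine certificate on foreign hardware, edited certificate."""
    cert_a = issue_certificate(CA_KEY, "127.1.3.7", [9000, 8080], HOST_A_FEATURES)
    genuine = verify_peer(CA_KEY, cert_a, HOST_A_FEATURES)
    # Host X presents A's certificate but cannot reproduce A's hardware features.
    stolen = verify_peer(CA_KEY, cert_a, HOST_X_FEATURES)
    # The port list in A's certificate is edited; the signature no longer matches.
    tampered = dict(cert_a, service_ports=[22, 8080, 9000])
    forged = verify_peer(CA_KEY, tampered, HOST_A_FEATURES)
    return genuine[0], stolen[0], forged[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```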
Further, the forwarder closes the encrypted communication based on the digital certificate when the application client enables the customized secure encryption protocol.
In order to prevent an illegal application program from directly utilizing the virtual network to launch an attack, the identity of an application client accessing the virtual network needs to be verified.
In one possible implementation, after the application client is started, a preconfigured virtual network application access Software Development Kit (SDK) is called for validity verification, and after the verification is passed, the SDK is accessed through the virtual network application to communicate with the repeater.
Further, the application client replaces the connect function of the socket library with an interface function provided by the virtual network application access SDK; the interface function passes the IP and port the application client wants to access to the forwarder, and then calls the connect function to connect to the native application port.
The existing Internet also has many sources of instability: a single network connection penetrating the NAT is easily disturbed, so the whole virtual connection is interrupted or blocked, and because the NAT hole-punching process is long, establishing a single virtual connection is inefficient.
The embodiment of the invention also provides a high-availability virtual network system and a virtual network connection method, which shorten the average connection establishment time of virtual connection to be close to the direct connection time, avoid the influence of single-point network failure on all network connections and quickly recover the connection after the single-point failure occurs.
The highly available virtual network connection method of the embodiment of the invention comprises the following steps:
S310, before the native application client sends an access request, under the coordination of the global coordinator, multiple NAT-penetrating connections are pre-established between repeaters and stored in a penetration connection pool.
For how a NAT traversal connection is created, refer to the description of the foregoing embodiments; it is not repeated here.
S320, the repeater regularly checks and maintains the NAT traversal connections in the traversal connection pool.
S330, responding to the access request of the application client, judging whether an idle NAT penetration connection exists in the penetration connection pool, if so, entering the step S340; if not, the process proceeds to step S350.
S340 uses the idle NAT traversal connection, and proceeds to step S360.
S350 creates a new NAT traversal connection.
To let the application layer establish virtual connections efficiently, the embodiment of the invention establishes the penetrating connections through NAT and firewalls in advance, because only the penetrating connection in the middle is time-consuming: the local proxy connections at its two ends do not depend on a physical network card and take little time, so the virtual connection is established efficiently at the application layer. In addition, to ensure availability of the virtual connection, the communication quality of the intermediate pass-through connection can be monitored to keep it highly available.
In an alternative embodiment, in step S320 the repeater can uniformly add a heartbeat packet transceiver mechanism in the communication encryption layer, periodically check whether each NAT traversal connection is interrupted or blocked, and, once an unhealthy NAT traversal connection is found, promptly discard it and replenish a certain number of new NAT traversal connections.
To make information transmission efficient, avoid double encryption, allow users to trade some transmission security for efficiency, and allow users to customize the encryption mechanism, the highly available virtual network connection method further includes, after step S350:
S360, if the application program has enabled its own communication encryption or has high performance requirements, it may request that the security encryption mechanism of the NAT-penetrating connection be turned off, improving transmission efficiency.
S370 responds to the request for closing the virtual connection, releases the NAT traversal connection occupied by the virtual connection, and puts the NAT traversal connection back into the traversal connection pool.
The repeater reuses the NAT (network address translation) penetrating connections in the penetration connection pool; penetrating connections are reused as much as possible, which makes virtual connections efficient and avoids waste.
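As an added example (not the patent's code), a penetration connection pool covering steps S310 to S370: pre-establishing connections, heartbeat-checking and replenishing them, handing out idle ones or creating new ones, turning pool-level encryption off for an application that encrypts itself, and taking connections back. It assumes a FakeTraversal object in place of a real NAT traversal connection, whose heartbeat() result stands in for the heartbeat check; the pool size is a constructed value.

```python
# Added example (not the patent's code): penetration connection pool for
# S310 (pre-establish), S320 (health check and replenish), S330-S350 (reuse
# or create), S360 (application-controlled encryption) and S370 (release).
# Assumptions: FakeTraversal stands in for a real NAT traversal connection;
# min_idle is a constructed pool size.
import itertools


class FakeTraversal:
    """Stand-in for an established NAT traversal connection."""
    _ids = itertools.count(1)

    def __init__(self):
        self.id = next(FakeTraversal._ids)
        self.alive = True          # flipped to False to simulate interruption
        self.encrypted = True      # pool-level security encryption (S360)

    def heartbeat(self):
        # A real implementation sends a heartbeat packet in the encryption
        # layer and waits for the reply; here we just report the flag.
        return self.alive


class TraversalPool:
    def __init__(self, create, min_idle=3):
        self._create = create      # factory for a new traversal connection
        self.min_idle = min_idle
        self.idle = []
        self.busy = set()
        self.replenish()           # S310: pre-establish before any request

    def replenish(self):
        """Keep at least min_idle connections ready."""
        while len(self.idle) < self.min_idle:
            self.idle.append(self._create())

    def health_check(self):
        """S320: drop interrupted or blocked connections, then top the pool up."""
        alive = [c for c in self.idle if c.heartbeat()]
        dropped = len(self.idle) - len(alive)
        self.idle = alive
        self.replenish()
        return dropped

    def acquire(self, app_encrypts=False):
        """S330-S360: reuse an idle connection if one exists, else create one."""
        conn = self.idle.pop() if self.idle else self._create()
        # S360: an application with its own encryption may ask the pool to
        # turn off its security encryption so data is not encrypted twice.
        conn.encrypted = not app_encrypts
        self.busy.add(conn)
        return conn

    def release(self, conn):
        """S370: return a still-healthy connection to the pool for reuse."""
        self.busy.discard(conn)
        conn.encrypted = True      # restore the default before reuse
        if conn.heartbeat():
            self.idle.append(conn)
```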
For the system to remain available when a single path fails, it needs multiple communication paths, and it can adopt a flexible multipath selection strategy according to the user's physical path conditions to achieve the best reliability and performance.
In an optional implementation, the global coordinator establishes NAT traversal connections with the multiple other repeaters respectively based on a predetermined path policy, where the path policy is a primary/standby protection policy, a load balancing policy or a Quality of Service (QoS) selection policy.
Specifically, if the host can connect to the external network through multiple physical paths, a multipath strategy can be configured to achieve multipath penetrating connections, which improves network reliability or performance relative to a penetrating connection on a single path.
The multipath strategies can be simplified into three types: the primary/standby protection strategy, the load balancing strategy and the application QoS selection strategy.
Primary/standby protection strategy: one path is designated as the primary path and the others as standby paths; penetrating connections are allocated only on the primary path while it is available, switched to a standby path when the primary path fails, and switched back to the primary path after it recovers. It suits cases where the primary path has high communication quality and the standby path lower quality (for example, a wired and a wireless network card are both available: the wired card is used preferentially, and the less stable wireless card is used when the wired card is disconnected).
Load balancing strategy: all paths are used evenly, and if one path fails the penetrating connections on it are switched evenly to the other paths. It suits cases where the communication quality of the paths is similar (for example, several wired network cards can be used at the same time).
Application QoS selection strategy: all paths are used at the same time, the QoS grade of each path is measured, and paths of matching quality are allocated to different QoS requirements; if one path fails, the connections on it are switched to other paths, with the quality of high-QoS connections guaranteed first. It suits cases where the application has high requirements on communication quality, and it is the default strategy.
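As an added example (not the patent's code), the three strategies above as one selector that assigns each new penetrating connection to a physical path and moves connections when a path fails or recovers. It assumes each path has a name, an up flag and a measured QoS grade (higher is better), that a connection's QoS requirement is the grade it needs, and that path names and grades are constructed.

```python
# Added example (not the patent's code): primary/standby, load balancing and
# application QoS path selection for penetrating connections.
# Assumptions: Path(name, qos, up) stands for a physical path; a connection's
# qos_need is the grade it requires; names and grades are constructed.
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    qos: int = 1
    up: bool = True


class MultipathSelector:
    def __init__(self, paths, policy):
        if policy not in ("primary_standby", "load_balance", "qos"):
            raise ValueError(policy)
        self.paths = list(paths)        # for primary_standby the first is primary
        self.policy = policy
        self.assignments = {}           # conn_id -> (path name, qos_need)

    def _load(self, name):
        return sum(1 for p, _ in self.assignments.values() if p == name)

    def _path(self, name):
        return next(p for p in self.paths if p.name == name)

    def choose(self, qos_need=0):
        live = [p for p in self.paths if p.up]
        if not live:
            raise RuntimeError("no physical path available")
        if self.policy == "primary_standby":
            return live[0]              # primary while up, else first standby
        if self.policy == "load_balance":
            return min(live, key=lambda p: self._load(p.name))
        # qos: the lowest-grade path that still meets the demand (keeping the
        # high-grade paths for high demands), balancing ties by load; if no
        # path meets the demand, fall back to the best one that is left.
        good = [p for p in live if p.qos >= qos_need]
        if good:
            return min(good, key=lambda p: (p.qos, self._load(p.name)))
        return max(live, key=lambda p: p.qos)

    def assign(self, conn_id, qos_need=0):
        path = self.choose(qos_need)
        self.assignments[conn_id] = (path.name, qos_need)
        return path.name

    def path_failed(self, name):
        """Move every connection off the failed path, highest QoS demand first."""
        self._path(name).up = False
        moved = sorted(
            (cid for cid, (pn, _) in self.assignments.items() if pn == name),
            key=lambda cid: -self.assignments[cid][1],
        )
        for cid in moved:
            self.assign(cid, self.assignments[cid][1])
        return moved

    def path_recovered(self, name):
        self._path(name).up = True
        # Primary/standby switches everything back once the primary is up.
        if self.policy == "primary_standby" and name == self.paths[0].name:
            for cid, (_, need) in list(self.assignments.items()):
                self.assign(cid, need)
```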
Based on the foregoing embodiments, the embodiments of the present invention further provide a secure and highly available virtual network system and a virtual network connection method, which have a secure, highly available, and highly adaptive distributed deployment capability.
Referring to fig. 4, a virtual network system according to an embodiment of the present invention includes:
m1, global coordinator, whose functions include:
identity authentication of repeaters and other coordinators, preventing intrusion attacks;
forwarding repeater information to other coordinators or repeaters, so that a repeater registers at a single point and can communicate with any other node in the whole network;
coordinating NAT and firewall penetration between repeaters.
M2, a repeater, the functions include:
acting as the forwarding agent for communication data between the native application and the remote application, realizing the application virtual connection;
completing NAT- and firewall-penetrating connections with other repeater services;
establishing and maintaining a penetration connection pool to ensure that application virtual connections are established efficiently;
implementing multipath protection or QoS for penetrating connections, ensuring high availability of the virtual connection;
encrypting and decrypting the forwarded data, resisting eavesdropping and man-in-the-middle attacks;
authenticating the identity of other connected repeaters, preventing intrusion attacks;
verifying the legitimacy of applications, preventing illegal applications from using the virtual network to attack other hosts.
M3, identity certificate service module, its function includes:
authenticating certificate applicants, preventing intrusion attacks;
allocating each host a local loopback IP as its virtual network ID according to the host's features, which facilitates unified management of the virtual network;
associating the virtual network ID, the host's feature information, the host's service information and so on, and generating and issuing a server certificate for each repeater as its unique identity authentication credential;
associating the virtual network ID, the coordinator's feature information, the coordinator's service information and so on, and generating and issuing a server certificate for each coordinator as its unique identity authentication credential;
it does not take part in the virtual network's communication and authentication process, completes certificate distribution before the repeaters and coordinators are deployed, and can be deployed on a host isolated from the physical network where the virtual network runs, thereby avoiding network attacks.
M4, virtual network application access SDK, whose functions include:
providing applications with a fast way to use the virtual network;
providing applications with a way to control and customize the virtual network;
assisting in verifying the legitimacy of the application.
The virtual network system of the embodiment of the invention not only realizes the basic virtual network networking function by reasonably distributing technical methods of local loopback IP, penetration connection pool, digital certificate and the like, but also has the following advantages compared with other software and hardware virtual network schemes:
no special function or configuration requirements on the physical network, in particular on routers, so adaptability to the network environment is high and cost is low;
various conventional external network attacks can be resisted without depending on firewall configuration;
denial of service attacks against the application software can be resisted without additional software or hardware;
illegal programs are prevented from entering the virtual network and launching internal attacks;
a physical connection is allocated independently to each virtual connection, so a single physical connection failure cannot bring down all virtual connections;
thanks to the penetration connection pool, the application layer is spared re-performing remote TCP and SSL handshakes, so virtual connections between applications are on average established quickly;
multi-physical-path protection, clustering and QoS control are supported, giving higher reliability and flexibility;
no driver is installed and no root privileges are needed, so adaptability to the software environment is wide;
it can be integrated directly into an application system as a component, and the transport encryption layer can be controlled and extended directly by the application layer.
The distributed application software using the virtual network system needs to provide the following modules:
M5, application service:
An application service deployed on the same host as the application client is defined as M5.1, the native application service; application services not deployed on that host are M5.2, non-native application services. The application service needs no changes to its application logic for this system, but the IP it listens on must be changed to the native loopback IP allocated by the system.
M6, application client process:
The application client process needs to initiate connections to services to implement the application logic. It need not modify its main application logic, but its network-connection-related code must be modified to call the relevant functions of module M4 in order to use the virtual network system of the invention.
In FIG. 4, host A0 and host B0 are both directly connected to the Internet, and both the forwarder M2.1 in host A0 and the forwarder M2.2 in host B0 are registered with the global coordinator M1 and maintain a long connection.
Under the coordination of the global coordinator M1, a pass through connection is established between the repeater M2.1 and the repeater M2.2.
When the application client M6 requests the repeater M2.1 to access the non-native application service M5.2, the repeater M2.1 provides the proxy forwarding service for the application client M6, the repeater M2.2 is connected with the native application service M5.2, and a virtual connection is established between the application client M6 and the cross-host application service M5.2 through the through connection between the repeater M2.1 and the repeater M2.2.
The typical application of the virtual connection method provided by the embodiment of the invention comprises the following steps:
S1, before deploying the other modules, a system administrator or a program first uses M3 to allocate local loopback IPs and identity certificates for M1, M2.1 and M2.2.
S1.1, the local loopback IP is allocated as follows:
S1.1.1, let the IP of the host's physical network card that can communicate with the global coordinator have the form a.b.c.d; the host is allocated a local loopback IP unique within the system, of the form 127.x.y.z.
S1.1.2, if the network card IP is in a class B subnet and the host provides application services, the class B subnet is allocated a unique value of x in the range 1 ≤ x ≤ 50, and y and z directly take c and d of the network card IP. The local loopback IP allocated to such a service host has the form 127.x.c.d.
S1.1.3, if the network card IP is in a class C subnet and the host provides application services, the class C subnet is allocated a unique (x, y) pair in the ranges 51 ≤ x ≤ 99 and 1 ≤ y ≤ 254, and z directly takes d of the network card IP. The local loopback IP allocated to such a service host has the form 127.x.y.d.
S1.1.4, if the host only runs client applications, the client host is allocated a unique (x, y, z) triple in the ranges 100 ≤ x ≤ 255, 1 ≤ y ≤ 254 and 1 ≤ z ≤ 254, and the host's local loopback IP has the form 127.x.y.z.
With this allocation method the virtual network system can connect 6 million service hosts and 10 million client hosts, which meets the needs of large-scale distributed applications.
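As an added example (not the patent's code), an allocator that hands out 127.x.y.z virtual network IDs by exactly the ranges of steps S1.1.1 to S1.1.4, rejects a duplicate, and computes the host capacity those ranges imply. It assumes the caller states whether the host's network card sits in a class B or class C subnet and whether the host provides application services, and that x values (and (x, y) pairs) are handed out from counters, since the steps only require uniqueness.

```python
# Added example (not the patent's code): loopback virtual network ID
# allocation per S1.1.2 (class B service hosts), S1.1.3 (class C service
# hosts) and S1.1.4 (client-only hosts), plus the implied capacity.
# Assumptions: subnet class and service role are given by the caller;
# unique x / (x, y) / (x, y, z) values come from simple counters.


class LoopbackAllocator:
    def __init__(self):
        self._b_subnets = {}     # "a.b"   -> x       (1 <= x <= 50)
        self._c_subnets = {}     # "a.b.c" -> (x, y)  (51 <= x <= 99, 1 <= y <= 254)
        self._next_b = 0         # index into the 50 class B values
        self._next_c = 0         # index into the 49 * 254 class C pairs
        self._next_client = 0    # index into the 156 * 254 * 254 client triples
        self.assigned = set()

    def allocate(self, nic_ip, subnet_class, provides_service):
        octets = [int(o) for o in nic_ip.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError(f"bad IPv4 address {nic_ip!r}")
        a, b, c, d = octets
        if provides_service and subnet_class == "B":
            # S1.1.2: one x per class B subnet, y.z copied from the NIC address
            key = f"{a}.{b}"
            if key not in self._b_subnets:
                if self._next_b >= 50:
                    raise RuntimeError("class B service range exhausted")
                self._b_subnets[key] = 1 + self._next_b
                self._next_b += 1
            loopback = f"127.{self._b_subnets[key]}.{c}.{d}"
        elif provides_service and subnet_class == "C":
            # S1.1.3: one (x, y) per class C subnet, z copied from the NIC address
            key = f"{a}.{b}.{c}"
            if key not in self._c_subnets:
                if self._next_c >= 49 * 254:
                    raise RuntimeError("class C service range exhausted")
                self._c_subnets[key] = (51 + self._next_c // 254, 1 + self._next_c % 254)
                self._next_c += 1
            x, y = self._c_subnets[key]
            loopback = f"127.{x}.{y}.{d}"
        elif provides_service:
            raise ValueError("subnet_class must be 'B' or 'C' for a service host")
        else:
            # S1.1.4: client-only hosts get a fresh (x, y, z) triple
            n = self._next_client
            if n >= 156 * 254 * 254:
                raise RuntimeError("client range exhausted")
            loopback = f"127.{100 + n // (254 * 254)}.{1 + (n // 254) % 254}.{1 + n % 254}"
            self._next_client += 1
        if loopback in self.assigned:
            # Same subnet and same host part means the same NIC address twice.
            raise RuntimeError(f"{loopback} already allocated")
        self.assigned.add(loopback)
        return loopback


def capacity():
    """Hosts the ranges can identify: about 6 million service and 10 million client hosts."""
    service = 50 * 256 * 256 + 49 * 254 * 256
    client = 156 * 254 * 254
    return service, client
```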
S1.2, the construction method of the identity certificate refers to the digital certificate in the virtual network connection method for preventing the network attack in the previous embodiment.
S2, the system administrator deploys M1, M2.1 and M2.2, configures the identity certificates, and deploys and configures M5.1 and M5.2 to listen on the network using their respectively allocated native loopback IPs.
Other configurations may also include:
a firewall should be configured on M1 to allow both incoming and outgoing connections from the two registration service ports of M1 and to disallow other incoming and outgoing connections (i.e., only the coordinator registration service is opened).
All other application hosts may run without a firewall; if a firewall is configured, it is recommended that unsolicited incoming connections be prohibited and outgoing connections allowed (the default firewall configuration of most operating systems).
SSL communication is enabled between the M1 and the M2, mutual identity certificate verification is enabled, and the M1 is prevented from being attacked by a network.
M2.1 and M2.2 register with M1, and the initialization of the virtual network system is completed after the registration is successful.
S3, M6 provides M2.1 with proof that it is a legitimate application; M2.1 verifies it and allows M6 to use the virtual network.
S3.1, the application client M6 communicates with the local repeater M2.1 through the SDK M4.
S3.1.1, M4 is in the form of dynamic link library, providing a series of interface functions for M6 to use. The M4 interface function completes the native communication internally to M2.1.
S3.1.2, local communication can use any of the operating system's methods such as shared memory, pipes or sockets; this implementation uses shared memory as the local communication method, which is the most efficient.
S3.2, the legal application certification method comprises the following steps:
S3.2.1, the system administrator configures M2.1 in advance, adding the process path and process file hash of M6 to M2.1's trusted application list configuration item.
S3.2.2, after its process starts, M6 calls the application initialization and verification function InitApp of M4.
S3.2.3, the InitApp function uses system functions to obtain the current process path, computes the process file hash, and places the path and file hash in shared memory; M2.1 reads the path and hash from shared memory, checks whether they match an entry in the trusted application list, and places the match result in shared memory.
S3.2.4, InitApp reads the result from shared memory; on success M6 may continue to call the other interface functions of M4 to access the virtual network, and on failure an error is returned.
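As an added example (not the patent's code), the trusted-application check of S3.2.1 to S3.2.4 run over constructed files: an enrolled binary passes, the same bytes at another path fail, and a patched binary at the enrolled path fails. It assumes SHA-256 over the executable as the process file hash, a trust list keyed by absolute path, and direct function calls in place of the shared-memory exchange between InitApp and M2.1.

```python
# Added example (not the patent's code): trusted application list check
# (S3.2.1-S3.2.4). Assumptions: SHA-256 over the executable file is the
# process file hash; the trust list maps absolute path -> expected hash;
# shared memory is replaced by direct calls; files are constructed in a
# temporary directory so the example runs offline.
import hashlib
import hmac
import os
import shutil
import tempfile


def file_hash(path):
    """Process file hash, computed in chunks so large executables are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class Forwarder:
    """Stand-in for M2.1 holding the trusted application list (S3.2.1)."""

    def __init__(self, trusted):
        # Normalise paths so symlinks or ".." segments do not bypass the list.
        self.trusted = {os.path.realpath(p): h for p, h in trusted.items()}

    def check_app(self, proc_path, proc_hash):
        """S3.2.3: both the path and the file hash must match one entry."""
        expected = self.trusted.get(os.path.realpath(proc_path))
        return expected is not None and hmac.compare_digest(expected, proc_hash)


def init_app(forwarder, proc_path):
    """What InitApp does (S3.2.2-S3.2.4): hash the running file and ask M2.1."""
    return forwarder.check_app(proc_path, file_hash(proc_path))


def demo():
    """Returns (genuine, modified, relocated) verification results."""
    with tempfile.TemporaryDirectory() as d:
        client = os.path.join(d, "client.exe")
        with open(client, "wb") as f:
            f.write(b"constructed client binary\n")    # constructed sample
        forwarder = Forwarder({client: file_hash(client)})  # admin enrols it
        genuine = init_app(forwarder, client)
        copy = os.path.join(d, "copy.exe")              # same bytes, other path
        shutil.copyfile(client, copy)
        relocated = init_app(forwarder, copy)
        with open(client, "ab") as f:                   # same path, file changed
            f.write(b"\x90")
        modified = init_app(forwarder, client)
        return genuine, modified, relocated


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```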
S3.3, the method for accessing the virtual network by the application client M6 comprises the following steps:
S3.3.1, M4 provides an interface function M4_connect that can completely replace the connect function of the socket library.
S3.3.2, M6 changes the code that calls connect to call M4_connect instead, so that it automatically accesses a given IP (the local loopback IP allocated to the host) and port on the virtual network.
S3.3.3, M4_connect passes the IP and port to be accessed to M2.1 through shared memory; after M2.1 establishes a virtual network connection with the repeater on the host that owns the target IP, it listens on the target IP and port as the communication forwarding port, and M4_connect then calls the real connect function on that port to complete the access.
After this step is successfully completed, the application client M6 may begin normal use of the virtual network.
S4, M6 wants to access service M5.1; M4 finds that the IP to be accessed is the local loopback IP allocated to the local machine, so the access is made directly without using the virtual network.
M4_connect makes this judgement and binds the socket to the local loopback IP before calling connect, so that the IP address in the application's logs stays stable, which helps in locating problems.
S5, M6 wants to access service M5.2; M4 finds that the IP to be accessed is not allocated locally and requests M2.1 to establish a virtual connection to M5.2.
S6, M2.1 finds that this is the first time it communicates with M5.2, or that there is no free penetrating connection in the pool, so it establishes a penetrating connection with M2.2 through M1 and keeps it in the penetration connection pool.
The method for establishing the penetration connection refers to the virtual network connection method of the foregoing embodiment, which automatically penetrates the NAT and the firewall.
The method for maintaining the through connection pool refers to the highly available virtual network connection method in the foregoing embodiment.
In this embodiment, because the penetration connection pool is used, multiple penetrating connections can be established at once and then set aside, which improves the efficiency of penetrating connection establishment in the symmetric NAT scenario.
S7, M2.1 takes an idle penetrating connection from the pool and tells M2.2 to connect to the service port of M5.2; after M2.2 succeeds, M2.1 sets up the forwarding service on its local machine and tells M6 to connect to the forwarding port.
When M2.2 connects to the service port of M5.2, it should bind the native loopback IP of M6, simulating M6's network environment on the M2.2 host. When M2.1 sets up the forwarding service, it binds the local loopback IP of M5.2 and, where possible, the service port of M5.2, simulating M5.2's network environment on the M2.1 host.
As a result, the IP and port information in the logs recorded by application client M6 and server M5.2 stays essentially stable, which helps in locating problems.
S8, after M6 connects to the forwarding service of M2.1, the virtual connection is established, and M2.1 and M2.2 start forwarding all virtual network data streams between M6 and M5.2.
S9, when M6 or M5.2 no longer needs the virtual connection, the forwarding connections with M2.1 and M2.2 are disconnected, and M2.1 and M2.2 return the intermediate penetrating connection to the pool to await the next use.
Fig. 5 is a schematic diagram illustrating a conventional distributed software multi-NAT deployment, where:
the server's NAT subnet requires an administrator to configure port mapping on the router, open the server port to the Internet, and configure the firewall on the server host to allow external access to the server port.
The client NAT network needs no configuration, and the firewall is enabled by default.
Attacks from either the wide area network or the local area network can enter the server application through the port opened by the port mapping and the firewall.
If a traditional virtual network is established between the client and the server, a local malicious program can attack programs on other hosts by means of the virtual network.
FIG. 6 is a schematic diagram of the multi-NAT deployment of the virtual network system according to an embodiment of the present invention, where neither the server nor the client network needs configuration, and the default firewall is enabled.
An application within the virtual network establishes communication with other applications across hosts through the coordinator.
Attacks from either the wide area network or the local area network cannot reach the application through any port.
A malicious program on the local machine can only attack applications on the local machine and cannot attack applications on other hosts by means of the virtual network.
The present invention is not limited to the above-described embodiments, and it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements are also considered to be within the scope of the present invention. Those not described in detail in this specification are within the skill of the art.

Claims (20)

1. A virtual network connection method, comprising:
configuring at least one global coordinator, and a repeater in each host connected to the Internet, wherein the repeater registers with a reachable global coordinator and maintains a long-lived connection to it;
establishing, under the coordination of the global coordinator, a penetration connection between repeaters;
the repeater at one end of the penetration connection providing a proxy forwarding service for the local application client, and the repeater at the other end connecting to the local application service, so that a virtual network connection is established between the application client and the application service on the other host.
2. The virtual network connection method according to claim 1, wherein:
the host at either end of the penetration connection is not behind a NAT and has no firewall;
the hosts at both ends of the penetration connection are each behind an asymmetric NAT or a firewall;
the hosts at both ends of the penetration connection are both behind a symmetric NAT; or
the host at one end of the penetration connection is behind a symmetric NAT and the host at the other end is behind an asymmetric NAT.
3. The virtual network connection method of claim 1, wherein configuring at least one global coordinator and a repeater in each Internet-connected host, the repeater registering with the reachable global coordinator and maintaining the long-lived connection, comprises:
the global coordinator binding two TCP ports as service ports and listening on them;
the repeater sending registration information to both service ports from the same local port, and establishing and maintaining a long-lived connection with one of the service ports, the registration information comprising the local IP, the local port, the local application IP and the local application port;
the global coordinator determining the network information of the repeater from the registration information; and, when there are several global coordinators, the global coordinator broadcasting the network information of the repeater to the other global coordinators.
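One way the coordinator can turn the two registration messages of claim 3 into the host classes of claim 2, as an added example that is not the patent's own code. The patent does not spell out the classification rule; the STUN-style reading below is an assumption: the repeater sends from one local port to both service ports, so a mapped address that differs between the two ports indicates a symmetric NAT, one that is the same at both indicates a cone ("asymmetric") NAT, and an unchanged address indicates no NAT. Telling a firewalled host from an open one needs an inbound probe, which the claim does not mention; the inbound_ok field, the Coordinator class and its loopback and uniqueness checks on the virtual network ID of claim 4 are likewise assumptions. The sample registrations are constructed and use documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass

# The three host classes named in claim 2.
NON_NAT = "non-NAT, no firewall"
ASYM_NAT = "asymmetric NAT or firewall"
SYM_NAT = "symmetric NAT"


@dataclass(frozen=True)
class Registration:
    # What the repeater reports (claim 3) plus what the coordinator observed on arrival.
    local_ip: str
    local_port: int
    app_ip: str               # local loopback IP doubling as the host's virtual network ID
    app_port: int
    seen_on_a: tuple          # (ip, port) the message came from, as seen at service port A
    seen_on_b: tuple          # the same message's source as seen at service port B
    inbound_ok: bool = False  # assumed extra probe: could the coordinator connect back to local_ip:local_port?


def classify(reg):
    # STUN-style reading of the two registrations; the repeater used one local port for both.
    local = (reg.local_ip, reg.local_port)
    if reg.seen_on_a == local and reg.seen_on_b == local:
        # Address unchanged in transit: no NAT.  Only an inbound probe tells an open host
        # from a firewalled one; claim 2 groups the latter with asymmetric NAT.
        return NON_NAT if reg.inbound_ok else ASYM_NAT
    if reg.seen_on_a == reg.seen_on_b:
        return ASYM_NAT  # one mapping regardless of destination port: cone ("asymmetric") NAT
    return SYM_NAT       # a new mapping per destination: symmetric NAT


def traversal_case(kind_a, kind_b):
    # Which of the four host pairings listed in claim 2 a repeater pair falls under.
    kinds = {kind_a, kind_b}
    if NON_NAT in kinds:
        return 1  # at least one end is non-NAT with no firewall
    if kinds == {ASYM_NAT}:
        return 2  # both ends behind an asymmetric NAT or a firewall
    if kinds == {SYM_NAT}:
        return 3  # both ends behind a symmetric NAT
    return 4      # one symmetric, one asymmetric


class Coordinator:
    # Registry of repeater network information keyed by virtual network ID.
    def __init__(self):
        self.repeaters = {}

    def register(self, reg):
        # Claim 4 makes the virtual network ID a unique loopback IP; enforce both properties.
        if not ipaddress.ip_address(reg.app_ip).is_loopback:
            raise ValueError(f"virtual network ID {reg.app_ip} is not a loopback address")
        if reg.app_ip in self.repeaters:
            raise ValueError(f"virtual network ID {reg.app_ip} already registered")
        info = {"kind": classify(reg), "mapped": (reg.seen_on_a, reg.seen_on_b),
                "app_port": reg.app_port}
        self.repeaters[reg.app_ip] = info
        return info

    def pairing(self, vip_a, vip_b):
        return traversal_case(self.repeaters[vip_a]["kind"], self.repeaters[vip_b]["kind"])


# Constructed sample registrations; the public addresses are documentation ranges.
PUBLIC_HOST = Registration("203.0.113.10", 40000, "127.0.0.3", 8080,
                           ("203.0.113.10", 40000), ("203.0.113.10", 40000), inbound_ok=True)
FIREWALLED_HOST = Registration("203.0.113.11", 40000, "127.0.0.5", 8080,
                               ("203.0.113.11", 40000), ("203.0.113.11", 40000))
CONE_NAT_HOST = Registration("192.168.1.20", 40000, "127.0.0.2", 0,
                             ("198.51.100.7", 51234), ("198.51.100.7", 51234))
SYM_NAT_HOST = Registration("10.0.0.5", 40000, "127.0.0.4", 0,
                            ("192.0.2.9", 61001), ("192.0.2.9", 61002))


def build_registry():
    coord = Coordinator()
    for reg in (PUBLIC_HOST, FIREWALLED_HOST, CONE_NAT_HOST, SYM_NAT_HOST):
        coord.register(reg)
    return coord
```

The registry built from the samples classifies the four constructed hosts as the four kinds, and `pairing()` returns the claim 2 case for any two of them; a second registration for an existing virtual network ID, or one whose ID is not a loopback address, is rejected.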
4. The virtual network connection method of claim 3, wherein configuring at least one global coordinator and a repeater in the Internet-connected host further comprises:
allocating a unique virtual network ID to each global coordinator and each host, and generating and issuing digital certificates from the virtual network ID, characteristic information and application service information, wherein the virtual network ID of each host is a local loopback IP that serves as the local application IP;
and performing identity authentication between repeaters, and between repeaters and the global coordinator, based on the digital certificates.
5. The virtual network connection method according to claim 4, wherein:
communication between repeaters, and between repeaters and the global coordinator, is encrypted based on the digital certificates;
when the application client enables a custom secure encryption protocol of its own, the repeater turns off the certificate-based encrypted communication.
6. The virtual network connection method of claim 4, wherein the repeater at one end of the penetration connection providing a proxy forwarding service for the local application client comprises:
after the application client starts, calling a pre-configured virtual network application access SDK for validity verification, and after the verification passes, communicating with the repeater through the virtual network application access SDK.
7. The virtual network connection method according to claim 6, wherein:
the application client replaces the connect function of the socket library with an interface function provided by the virtual network application access SDK;
and the interface function passes the IP and port that the application client requests to access to the repeater, and calls the connect function to connect to the native application port.
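The replaced connect function of claim 7, as an added example that is not the patent's or its assignee's code: a socket subclass whose connect() passes the requested IP and port to the local repeater over an assumed one-line control protocol, then performs a native connect to the loopback forwarding port the repeater answers with, while destinations outside the virtual network go straight to the kernel. The MockRepeater stands in for M2.1 and adds two checks the claim does not describe but a deployment needs: it accepts requests only from the loopback address, and only for virtual IDs the coordinator has told it about. The 'CONNECT', 'OK' and 'DENY' lines, the port numbers and the VIP values are assumptions.

```python
import socket
import threading

socket.setdefaulttimeout(5)
# Assumed: the set of virtual network IDs the SDK holds once its validity check has passed.
VIRTUAL_IDS = frozenset({"127.0.0.3", "127.0.0.4"})


def _spawn(fn, *args):
    t = threading.Thread(target=fn, args=args, daemon=True)
    t.start()
    return t


class MockRepeater:
    # Stand-in for the local repeater M2.1.  Its control port takes one line,
    # 'CONNECT <vip>:<port>', and answers 'OK <ip>:<port>' with a forwarding address or
    # 'DENY'.  The line format and the loopback-only rule are this demo's assumptions.
    def __init__(self, known_ids):
        self.known_ids = set(known_ids)  # hosts the coordinator has told this repeater about
        self.control = socket.create_server(("127.0.0.1", 0))
        self.fwd = socket.create_server(("127.0.0.1", 0))  # the demo's forwarding service: an echo
        self.requests = []
        _spawn(self._serve_control)
        _spawn(self._serve_fwd)

    @property
    def control_port(self):
        return self.control.getsockname()[1]

    def _serve_control(self):
        while True:
            conn, peer = self.control.accept()
            with conn:
                line = conn.recv(256).decode().strip()
                self.requests.append((peer[0], line))
                verb, _, target = line.partition(" ")
                vip = target.rpartition(":")[0]
                # Only a process on this machine may ask, and only for hosts in the virtual network.
                if peer[0] != "127.0.0.1" or verb != "CONNECT" or vip not in self.known_ids:
                    conn.sendall(b"DENY\n")
                else:
                    conn.sendall("OK {}:{}\n".format(*self.fwd.getsockname()).encode())

    def _serve_fwd(self):
        while True:
            conn, _ = self.fwd.accept()
            _spawn(self._echo, conn)

    @staticmethod
    def _echo(conn):
        with conn:
            conn.sendall(conn.recv(4096))


class VirtualNetSocket(socket.socket):
    # socket.socket whose connect() is the SDK interface function of claim 7.
    control_port = None  # filled in by the SDK once it has located the local repeater

    def connect(self, address):
        ip, port = address
        if ip not in VIRTUAL_IDS:
            return super().connect(address)  # ordinary destination: the native path, untouched
        # Hand the requested target to the repeater, then make a native connect to the
        # loopback forwarding port it answers with; the application never sees the difference.
        with socket.create_connection(("127.0.0.1", self.control_port)) as ctl:
            ctl.sendall(f"CONNECT {ip}:{port}\n".encode())
            reply = ctl.recv(256).decode().strip()
        if not reply.startswith("OK "):
            raise ConnectionRefusedError(f"repeater refused {ip}:{port}: {reply}")
        fip, _, fport = reply[3:].rpartition(":")
        super().connect((fip, int(fport)))


def demo(payload=b"ping"):
    # A virtual target goes through the repeater, a plain local target does not, and a
    # virtual ID the repeater has not been told about is refused before any data flows.
    rep = MockRepeater({"127.0.0.3"})
    VirtualNetSocket.control_port = rep.control_port
    with VirtualNetSocket() as s:
        s.connect(("127.0.0.3", 8080))  # what the application asked for
        s.sendall(payload)
        echoed = s.recv(4096)
    plain = socket.create_server(("127.0.0.1", 0))
    with VirtualNetSocket() as s:
        s.connect(plain.getsockname())  # not a virtual ID: straight to the kernel
        native_peer = s.getpeername()
    plain.close()
    try:
        VirtualNetSocket().connect(("127.0.0.4", 8080))
        refused = False
    except ConnectionRefusedError:
        refused = True
    return {"echoed": echoed, "native_peer": native_peer, "refused": refused,
            "requests": list(rep.requests)}
```

The control exchange is deliberately separate from the data path: once the repeater has answered, the application holds an ordinary connected TCP socket to a loopback port, which is what lets a client that only swapped its connect call keep using send and recv unchanged.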
8. The virtual network connection method of claim 1, wherein establishing the penetration connection between the repeaters under the coordination of the global coordinator comprises:
pre-establishing, under the coordination of the global coordinator, a plurality of NAT penetration connections between the repeaters and storing them in a penetration connection pool; or
creating, in response to an access request from the application client and under the coordination of the global coordinator, a NAT penetration connection between the repeaters.
9. The virtual network connection method according to claim 8, wherein:
the repeater multiplexes the NAT penetration connections in the penetration connection pool and maintains them.
10. The virtual network connection method according to claim 8, wherein:
the NAT penetration connection is established according to a preset path policy, the path policy being an active/standby protection policy, a load balancing policy or an application QoS selection policy.
11. A virtual network system, characterized in that:
the system comprises at least one global coordinator and a repeater in each Internet-connected host, the repeater being configured to register with a reachable global coordinator and maintain a long-lived connection;
the repeater is configured to establish a penetration connection with other repeaters under the coordination of the global coordinator, to provide a proxy forwarding service for the local application client, to connect to the local application service, and thereby to establish a virtual network connection between the application client and the application service on the other host.
12. The virtual network system of claim 11, wherein:
the host at either end of the penetration connection is not behind a NAT and has no firewall;
the hosts at both ends of the penetration connection are each behind an asymmetric NAT or a firewall;
the hosts at both ends of the penetration connection are both behind a symmetric NAT; or
the host at one end of the penetration connection is behind a symmetric NAT and the host at the other end is behind an asymmetric NAT.
13. The virtual network system of claim 11, wherein:
the global coordinator is configured to bind two TCP ports as service ports and listen on them, and to determine the network information of the repeater from the registration information sent by the repeater; when there are several global coordinators, the global coordinator is further configured to broadcast the network information of the repeater to the other global coordinators;
the repeater is configured to send registration information to both service ports from the same local port and to establish and maintain a long-lived connection with one of the service ports, the registration information comprising the local IP, the local port, the local application IP and the local application port.
14. The virtual network system of claim 13, wherein:
the system further comprises an identity certificate service module;
the identity certificate service module is configured to allocate a unique virtual network ID to each global coordinator and each host, and to generate and issue digital certificates from the virtual network ID, characteristic information and application service information, wherein the virtual network ID of each host is a local loopback IP that serves as the local application IP;
the repeater is configured to perform identity verification with other repeaters and with the global coordinator based on the digital certificates.
15. The virtual network system of claim 14, wherein:
the repeater is configured to communicate with other repeaters and with the global coordinator using encryption based on the digital certificates;
the repeater is further configured to turn off the certificate-based encrypted communication when the application client enables a custom secure encryption protocol of its own.
16. The virtual network system of claim 15, wherein:
the application client is configured, after starting, to call the pre-configured virtual network application access SDK for validity verification and, after the verification passes, to communicate with the repeater through the virtual network application access SDK.
17. The virtual network system of claim 16, wherein:
the application client is further configured to replace the connect function of the socket library with an interface function provided by the virtual network application access SDK;
and the interface function is configured to pass the IP and port that the application client requests to access to the repeater, and to call the connect function to connect to the native application port.
18. The virtual network system of claim 11, wherein:
a plurality of NAT penetration connections are pre-established between the repeaters under the coordination of the global coordinator and stored in a penetration connection pool; and a NAT penetration connection is created between the repeaters in response to an access request from the application client.
19. The virtual network system of claim 18, wherein:
the repeater is further configured to multiplex the NAT penetration connections in the penetration connection pool and to maintain them periodically.
20. The virtual network system of claim 18, wherein:
the NAT penetration connection is established according to a preset path policy, the path policy being an active/standby protection policy, a load balancing policy or an application QoS selection policy.
CN201911192078.7A 2019-11-28 2019-11-28 Virtual network connection method and virtual network system Active CN112866074B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911192078.7A CN112866074B (en) 2019-11-28 2019-11-28 Virtual network connection method and virtual network system


Publications (2)

Publication Number Publication Date
CN112866074A true CN112866074A (en) 2021-05-28
CN112866074B CN112866074B (en) 2022-04-29

Family

ID=75995622

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911192078.7A Active CN112866074B (en) 2019-11-28 2019-11-28 Virtual network connection method and virtual network system

Country Status (1)

Country Link
CN (1) CN112866074B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1754161A (en) * 2002-10-18 2006-03-29 科拉图斯公司 Apparatus, method, and computer program product for building virtual networks
CN101699801A (en) * 2009-10-30 2010-04-28 孙喜明 Data transmission method and virtual peer-to-peer network for data transmission
CN103141148A (en) * 2010-08-06 2013-06-05 诺基亚公司 Network initiated alerts to devices using a local connection
CN104125243A (en) * 2013-04-23 2014-10-29 浙江大学 Method of penetrating internal network to remotely connect large-scale virtual machines
CN104378355A (en) * 2014-10-16 2015-02-25 江苏博智软件科技有限公司 NAT bidirectional penetrating method for safe virtual network
CN107438012A (en) * 2016-05-27 2017-12-05 北京金山云网络技术有限公司 A kind of load balancing service retransmission method, system, balancer and host
US20170373917A1 (en) * 2016-06-24 2017-12-28 Electronics And Telecommunications Research Institute Method of moving virtual entity in virtual network and service providing method using the same


Also Published As

Publication number Publication date
CN112866074B (en) 2022-04-29

Similar Documents

Publication Publication Date Title
Ferrazani Mattos et al. AuthFlow: authentication and access control mechanism for software defined networking
US9467327B2 (en) Server-mediated setup and maintenance of peer-to-peer client computer communications
US8327437B2 (en) Securing network traffic by distributing policies in a hierarchy over secure tunnels
JP5456683B2 (en) Various methods and apparatus for a central station for assigning virtual IP addresses
US11323288B2 (en) Systems and methods for server cluster network communication across the public internet
US9930018B2 (en) System and method for providing source ID spoof protection in an infiniband (IB) network
US8340103B2 (en) System and method for creating a secure tunnel for communications over a network
US20070248085A1 (en) Method and apparatus for managing hardware address resolution
US20060248082A1 (en) Method and an apparatus for securely communicating between a management server and a managed node associated with a dynamic provisioning system
US20140181248A1 (en) Simple Remote Access Through Firewalls For Networked Devices and Applications
US11575757B2 (en) Cloaked remote client access
WO2005024567A2 (en) Network communication security system, monitoring system and methods
CN111226418B (en) Enabling zero-touch bootstrapping for devices across a network perimeter firewall
Rossberg et al. Distributed automatic configuration of complex ipsec-infrastructures
US20220141027A1 (en) Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp)
KR100856918B1 (en) Method for IP address authentication in IPv6 network, and IPv6 network system
CN112866074B (en) Virtual network connection method and virtual network system
KR20200002599A (en) Server apparatus, client apparatus and method for communicating based on network address mutation
US11171915B2 (en) Server apparatus, client apparatus and method for communication based on network address mutation
KR20180099293A (en) Method for communicating between trust domains and gateway therefor
JP3841417B2 (en) Communication connection method, server computer, and program
WO2014139646A1 (en) Communication in a dynamic multipoint virtual private network
Alqallaf et al. Software defined collaborative secure ad hoc wireless networks
US6983332B1 (en) Port-bundle host-key mechanism
Sharma Cross-layer design in Software Defined Networks (SDNs): issues and possible solutions.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant