CN113676390A - VXLAN-based trigger type dynamic security channel method, user side and central console - Google Patents
- Publication number: CN113676390A (application CN202110822373.7A)
- Authority: CN (China)
- Prior art keywords: access request, access, user side, point, analysis result
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Classifications
All under H (ELECTRICITY) > H04 (ELECTRIC COMMUNICATION TECHNIQUE) > H04L (TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION):
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN] (H04L12/00 Data switching networks > H04L12/28 networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks)
- H04L61/10: Mapping addresses of different types (H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses)
- H04L61/4511: Network directories; Name-to-address mapping using standardised directories and standardised directory access protocols, using the domain name system [DNS] (H04L61/00 > H04L61/45 Network directories; Name-to-address mapping > H04L61/4505)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies)
- H04L63/10: Network security for controlling access to devices or network resources (H04L63/00)
- H04L67/141: Setup of application sessions (H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/14 Session management)
Abstract
The embodiment of the application discloses a VXLAN-based triggered dynamic security channel method, a user side and a central console. Data is transmitted in a temporary channel that is established on demand, which largely avoids security problems such as intranet data leakage, tampering and attack. The method comprises the following steps: the user side sends a first access request to the central console, the first access request being a Domain Name System (DNS) resolution request for accessing a target service; the user side receives a resolution result from the central console, the resolution result comprising the address of a transit point of presence (POP); the user side sends a second access request to the transit POP according to the resolution result, the access control information of the second access request comprising five-tuple (quintuple) information and being used to establish a temporary channel between the transit POP and a target node; and the user side performs data transmission with the target node through the temporary channel.
Description
Technical Field
The present application relates to the field of clusters, and in particular to a VXLAN-based triggered dynamic security channel method, a user side, a central console and a storage medium.
Background
The virtual channel of an existing VXLAN (Virtual eXtensible Local Area Network) is established statically, so the virtual channel still occupies a VXLAN Network Identifier (VNI) even when the user is transmitting no data. From a zero-trust perspective, a static tunnel identifier remains exposed to security problems such as being cracked, tampered with or attacked.
Disclosure of Invention
The embodiment of the application provides a VXLAN-based triggered dynamic security channel method, a user side, a central console and a storage medium. A temporary channel is established between a target node and the user side and data is transmitted within it, so that the whole communication process takes place in a temporary virtual channel; this largely avoids security problems such as intranet data leakage, tampering and attack.
A first aspect of the present application provides a VXLAN-based triggered dynamic security channel method, which may include: a user side sends a first access request to a central console, the first access request being a Domain Name System (DNS) resolution request for accessing a target service; the user side receives a resolution result from the central console, the resolution result comprising the address of a transit point of presence (POP); the user side sends a second access request to the transit POP according to the resolution result, the access control information of the second access request comprising five-tuple information and being used to establish a temporary channel between the transit POP and a target node; and the user side performs data transmission with the target node through the temporary channel.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit POP, or the transit POP includes the POP closest to the user side.
Optionally, the access control information of the second access request includes user side information and target service information; alternatively, the five-tuple information of the user side comprises: source Internet Protocol (IP) address, source port, destination IP address, destination port and transport layer protocol.
A second aspect of the present application provides a VXLAN-based triggered dynamic security channel method, which may include: a central console receives a first access request sent by a user side, the first access request being a Domain Name System (DNS) resolution request for accessing a target service; the central console sends a resolution result to the user side according to the first access request, the resolution result comprising the address of a transit POP; the central console receives the access control information of a second access request forwarded by the transit POP, the access control information comprising five-tuple information; and the central console issues a control instruction to a target node and the transit POP according to that access control information, the control instruction being used to establish a temporary channel between the target node and the transit POP.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit POP, or the transit POP includes the POP closest to the user side.
A third aspect of the present application provides a user terminal, which may include:
a transceiver module configured to send a first access request to a central console, the first access request being a Domain Name System (DNS) resolution request for accessing a target service; receive a resolution result from the central console, the resolution result comprising the address of a transit POP; and send a second access request to the transit POP according to the resolution result, the access control information of the second access request comprising five-tuple information and being used to establish a temporary channel between the transit POP and a target node;
and a processing module configured to perform data transmission with the target node through the temporary channel.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit POP, or the transit POP includes the POP closest to the user side.
Optionally, the access control information of the second access request further includes user side information and target service information; alternatively, the five-tuple information of the user side comprises: source Internet Protocol (IP) address, source port, destination IP address, destination port and transport layer protocol.
A fourth aspect of the present application provides a center console, which may include:
a transceiver module configured to receive a first access request sent by a user side, the first access request being a Domain Name System (DNS) resolution request for accessing a target service; send a resolution result to the user side according to the first access request, the resolution result comprising the address of a transit POP; receive the access control information of a second access request forwarded by the transit POP, the access control information comprising five-tuple information; and issue a control instruction to a target node and the transit POP according to that access control information, the control instruction being used to establish a temporary channel between the target node and the transit POP.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit POP, or the transit POP includes the POP closest to the user side.
A fifth aspect of the present application provides a user terminal, which may include:
a memory storing executable program code;
a processor and transceiver coupled with the memory;
the processor calls the executable program code stored in the memory so that the processor and the transceiver perform the method according to the first aspect of the application.
A sixth aspect of the present application provides a center console, which may include:
a memory storing executable program code;
a transceiver coupled with the memory;
the memory is used for storing executable program codes;
the transceiver performs a method as described in the second aspect of the application.
A further aspect of the application provides a computer readable storage medium comprising instructions which, when executed on a processor, cause the processor to perform a method as described in the first or second aspect of the application.
A further aspect of the invention discloses a computer program product which, when run on a computer, causes the computer to perform the method of the first or second aspect of the application.
In a further aspect, the present invention discloses an application publishing platform for publishing a computer program product, wherein the computer program product, when run on a computer, causes the computer to perform the method of the first or second aspect of the present application.
According to the technical scheme, the embodiment of the application has the following advantages:
In the embodiment of the application, a user side sends a first access request to a central console, the first access request being a Domain Name System (DNS) resolution request for accessing a target service; the user side receives a resolution result from the central console, the resolution result comprising the address of a transit POP; the user side sends a second access request to the transit POP according to the resolution result, the access control information of the second access request comprising five-tuple information and being used to establish a temporary channel between the transit POP and a target node; and the user side performs data transmission with the target node through the temporary channel. In other words, a temporary channel is established between the target node and the user side and data transmission takes place within it, so that the whole communication process runs in the temporary virtual channel and security problems such as intranet data leakage, tampering and attack are largely avoided.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and other drawings can be obtained from them.
Fig. 1 is a schematic diagram of an embodiment of the VXLAN-based triggered dynamic secure channel method in the embodiment of the present application;
fig. 2 is a schematic diagram of the case in which the target node and the user side need one transit POP in the embodiment of the present application;
fig. 3 is a schematic diagram of the case in which the target node and the user side need multiple transit POPs in the embodiment of the present application;
fig. 4 is a schematic diagram of an embodiment of a user side in the embodiment of the present application;
FIG. 5 is a schematic diagram of one embodiment of a center console in an embodiment of the present application;
fig. 6 is a schematic diagram of another embodiment of a user side in the embodiment of the present application;
fig. 7 is a schematic diagram of another embodiment of the center console in the embodiment of the present application.
Detailed Description
The embodiment of the application provides a VXLAN-based triggered dynamic security channel method, a user side, a central console and a storage medium. A temporary channel is established between a target node and the user side and data is transmitted within it, so that the whole communication process takes place in a temporary virtual channel; this largely avoids security problems such as intranet data leakage, tampering and attack.
So that a person skilled in the art may better understand the present application, the technical solutions in the embodiments of the present application are described below with reference to the drawings of those embodiments. The described embodiments are obviously only some of the embodiments of the present application, not all of them. The embodiments in the present application shall fall within the protection scope of the present application.
With the development of network communication technology, cloud computing has become a new trend in enterprise IT (Information Technology) construction by virtue of its advantages of high system utilization, low manpower and management cost, and strong flexibility and extensibility. Server virtualization is one of the core technologies of cloud computing and is applied ever more widely; its wide deployment has greatly increased the computational density of data centers. However, the conventional VLAN (Virtual Local Area Network), currently the mainstream network isolation technology, has an identifier of only 12 bits in the standard definition, so the number of available VLANs is only 4096. For scenarios with tens of thousands or more tenants, such as a public cloud or other large virtualized cloud computing service, the isolation capability of VLAN is insufficient.
VXLAN (Virtual eXtensible Local Area Network), a VLAN extension scheme, has therefore been gradually emerging. VXLAN encapsulates the original frame sent by a VM in an area planned by the administrator into a new UDP (User Datagram Protocol) packet, using the IP (Internet Protocol) and MAC (Media Access Control) addresses of the physical network as the outer header, which greatly reduces the MAC address table capacity required of the physical network.
Compared with VLAN technology, VXLAN technology has the following advantages:
(1) The 24-bit VXLAN Network Identifier (VNI) field supports up to 16M VXLAN segments, overcoming the limit of 4094 VLANs.
(2) VXLAN virtualizes a Layer 2 network over the physical Layer 3 network by means of tunneling, and terminals in the VXLAN network do not perceive the VXLAN communication process. The logical network topology is thus decoupled to a certain degree from the physical one, the dependence of topology configuration on physical device configuration is reduced, and configuration becomes more flexible and convenient.
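As an added example, not code from the patent, the following Python shows what the 24-bit VNI field described above looks like on the wire: it packs and parses the 8-byte VXLAN header defined in RFC 7348 (flags, reserved bytes, VNI) and compares the identifier space with the 12-bit 802.1Q VLAN ID. The inner Ethernet frame is a constructed sample.

```python
"""Pack and parse the 8-byte VXLAN header of RFC 7348 (added example, not code from the patent)."""
import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08      # the "I" flag: the VNI field carries a valid identifier
VNI_BITS, VLAN_ID_BITS = 24, 12  # VXLAN Network Identifier width vs. 802.1Q VLAN ID width


def segment_count(id_bits: int) -> int:
    """Distinct identifiers an id field of the given width can express (802.1Q reserves VLAN IDs
    0 and 4095, which is why the page quotes both 4096 and 4094 for VLAN)."""
    return 1 << id_bits


def encode_vxlan_header(vni: int) -> bytes:
    """Header layout, network byte order: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < segment_count(VNI_BITS):
        raise ValueError(f"VNI {vni} does not fit in {VNI_BITS} bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def decode_vxlan_header(header: bytes) -> int:
    """Return the VNI; reject a truncated header or one without the VNI-valid flag."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", header[:8])
    if not (word0 >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return word1 >> 8


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """UDP payload of a VXLAN packet: the VXLAN header followed by the tenant's Ethernet frame."""
    return encode_vxlan_header(vni) + inner_frame


def decapsulate(udp_payload: bytes) -> tuple[int, bytes]:
    """Split a VXLAN UDP payload back into (VNI, inner Ethernet frame)."""
    return decode_vxlan_header(udp_payload), udp_payload[8:]


# Constructed inner frame: locally administered dst/src MACs, EtherType 0x0800 (IPv4), dummy payload.
SAMPLE_FRAME = bytes.fromhex("020000000001" "020000000002" "0800" "deadbeef")

if __name__ == "__main__":
    packet = encapsulate(5000, SAMPLE_FRAME)
    print(packet.hex(), decapsulate(packet))
```

The VNI is the only thing that separates one tenant segment from another inside the UDP transport, which is why the page treats a long-lived, statically assigned VNI as an identifier worth protecting.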
However, there are still some problems with existing VXLAN channel technology.
The problems of the existing VXLAN technology are as follows:
The virtual channel of VXLAN is set up statically, so the virtual channel still occupies the resource identified by the VNI even when the user is transmitting no data. From a zero-trust perspective, the static tunnel identifier remains exposed to security problems such as being cracked, tampered with or attacked.
To solve this problem, the application provides a triggered dynamic secure channel technology based on VXLAN. When the user side sends the central console a DNS resolution request for accessing a target service, the central console returns a resolution result, generally the address of the POP (Point of Presence) closest to the user side. The user side accesses that POP, and the POP forwards the access control information of the access request to the central console. Using the node and POP information it has collected in advance, the central console issues a control instruction to the network access points (POPs) between the target node and the user side, and a temporary VXLAN virtual channel is established (its identifier is called a T-VNI, Temporary VXLAN Network Identifier). Data is transmitted in the temporary channel; when the transmission is complete the T-VNI is destroyed and the channel resource it identified is no longer occupied. Since the whole communication process takes place in a temporary virtual channel, security problems such as intranet data leakage, tampering and attack are largely avoided.
The technical solution of the present application is further described below by way of an embodiment. Fig. 1 is a schematic diagram of an embodiment of the VXLAN-based triggered dynamic secure channel method in the embodiment of the present application, and the method may include:
101. The user side sends a first access request to the central console, the first access request being a Domain Name System (DNS) resolution request for accessing a target service.
Correspondingly, the central console receives the first access request sent by the user side.
102. The central console sends a resolution result to the user side according to the first access request, the resolution result comprising the address of a transit POP.
The user side receives the resolution result sent by the central console.
Optionally, there is at least one transit POP. A transit POP may also be referred to as a transit node.
Optionally, the transit POP includes the POP closest to the user side.
Optionally, the central console sending the resolution result to the user side according to the first access request may include: the central console selects the transit POP by collecting the network card and routing data of each transit POP, and sends the resolution result to the user side.
103. The user side sends a second access request to the transit POP according to the resolution result; the access control information of the second access request comprises five-tuple information and is used to establish a temporary channel between the transit POP and the target node.
Optionally, the access control information of the second access request may further include, but is not limited to, user side information and target service information (also called target resource information). Optionally, the five-tuple information of the user side includes: source IP address, source port, destination IP address, destination port and transport layer protocol.
Optionally, the user side establishes a connection with the transit POP according to the resolution result.
104. The transit POP sends the access control information of the second access request to the central console.
The central console receives the access control information of the second access request sent by the transit POP.
105. The central console issues a control instruction to the target node and the transit POP according to the access control information of the second access request, the control instruction being used to establish a temporary channel between the target node and the transit POP.
Optionally, this may include: the central console selects the exit node of the target service according to the access control information of the second access request, and issues the control instruction to the exit node of the target service and to the transit POP, the control instruction being used to establish a temporary channel between the exit node of the target service and the transit POP.
106. The target node and the transit POP establish the temporary channel according to the control instruction.
Optionally, the target node and the transit POP each generate their own NAT table.
Optionally, the NAT table contains the channel identifier and the access control information of the second access request; the access control information may include the five-tuple information and, optionally but not exclusively, user side information and target service information.
107. The user side performs data transmission with the target node through the temporary channel.
Optionally, after the temporary channel is established, the transit POP queries its own NAT table and transmits data in the temporary channel corresponding to the five-tuple information.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
For example, (1) Fig. 2 is a schematic diagram of the case in which the target node and the user side need one transit POP in this embodiment of the present application. In that case the procedure is as follows:
Step 1: The user side initiates an access request (the first access request) for accessing the target service.
Step 2: The user side requests DNS resolution from the central console.
Step 3: The central console selects the transit POP closest to the user side by collecting data such as the network cards and routes of the transit POPs. If POP1 is preferred, the IP address of POP1 is returned to the user side.
Step 4: The user side sends a second access request to POP1 and establishes a connection with it; POP1 thereby obtains the access control information of the second access request, which can include the five-tuple information and, optionally but not exclusively, user side information and target service information.
Step 5: POP1 uploads the access control information of the second access request to the central console.
Step 6: The central console selects the exit node of the target service (the exit node may be in the intranet of the target service) according to the access control information of the second access request, and issues a control instruction for establishing a temporary channel to the exit node and to POP1.
Step 7: Exit node A of the target service and transit POP1 establish a temporary T-VNI1 channel according to the control instruction, and each generates its own NAT table (containing the channel identifier and the five-tuple information).
Step 8: After the temporary T-VNI1 channel is established, POP1 queries its own NAT table and transmits data in the T-VNI corresponding to the access control information.
Step 9: Data is transmitted between the target service in the enterprise intranet and the user side through exit node A. When the data transmission is finished, exit node A and POP1 close the T-VNI1 channel and destroy the temporary T-VNI1 identifier.
Step 10: End.
(2) Fig. 3 is a schematic diagram of the case in which the target node and the user side need multiple transit POPs in the embodiment of the present application. In that case the procedure is as follows:
Step 1: The user side initiates an access request (the first access request) for accessing the target service.
Step 2: The user side requests DNS resolution from the central console.
Step 3: The central console collects the network card and routing data of the transit POPs and selects the transit POP closest to the user side. If POP1 is preferred, the IP address of POP1 is returned to the user side.
Step 4: The user side sends a second access request to POP1 and establishes a connection with it; POP1 thereby obtains the access control information of the second access request, which can include the five-tuple information and, optionally but not exclusively, user side information and target service information.
Step 5: POP1 uploads the access control information of the second access request to the central console.
Step 6: The central console selects an optimal path according to the access control information of the second access request (for example: user side, POP1, POP2, exit node A), and issues control instructions for establishing temporary channels to exit node A, POP2 and POP1.
Step 7: POP1 and POP2 establish a temporary T-VNI1 channel, exit node A and POP2 establish a temporary T-VNI2 channel, and each node generates its own NAT table (containing the channel identifier and the five-tuple information).
Step 8: After the temporary T-VNI1 and T-VNI2 channels are established, POP1 queries its own NAT table and transmits data in the T-VNI1 channel corresponding to the access control information; POP2 receives the data from POP1, queries its own NAT table and transmits the data in the T-VNI2 channel.
Step 9: Data is transmitted between the target service in the enterprise intranet and the user side through exit node A. When the data transmission is finished, POP1 and POP2 close the T-VNI1 channel and destroy the temporary T-VNI1 identifier, and exit node A and POP2 close the T-VNI2 channel and destroy the temporary T-VNI2 identifier.
Step 10: End.
In the embodiment of the present application, a triggered dynamic secure channel technology based on VXLAN is provided. When a user side initiates a first access request, it requests DNS resolution of a domain name from the central console; the central console returns the analysis result, namely the IP (Internet Protocol) address of the preferred transit POP (generally the one nearest to the user side), which it selects by acquiring the network card and routing information of the edge nodes and transit POP nodes in real time. The user side then accesses the transit POP; the transit POP receives a second access request from the user side and uploads the access control information of the second access request to the central console; the central console finds the exit node of the target service and sends an instruction to establish a temporary channel to the exit node and the transit POP node; after receiving the instruction, the exit node and the POP node establish the temporary T-VNI channel and each build a Network Address Translation (NAT) table (containing the access control information and the virtual channel identification information); the data of the target service is subsequently transmitted to the user side through the T-VNI channel; and after the data transmission is finished, the exit node and the transit POP destroy the T-VNI channel.
In the embodiment of the application, the user side initiates a first access request to the central console, namely a Domain Name System (DNS) resolution request for accessing a target service; the user side receives an analysis result sent by the central console, the analysis result comprising an address of a transit point of presence; the user side sends a second access request to the transit point of presence according to the analysis result, the access control information of the second access request comprising quintuple information, and the access control information of the second access request being used for establishing a temporary channel between the transit point of presence and the target node; and the user side performs data transmission with the target node through the temporary channel. That is, a temporary channel can be dynamically established between the target node and the user side and the data transmission carried out within it; because the whole communication process takes place in the temporary virtual channel, security problems such as intranet data leakage, tampering and attack can be largely avoided, and data security is improved. Moreover, the temporary virtual tunnel is established in a triggered manner, that is, it is created when used and destroyed afterwards, so it does not occupy resources when idle.
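The trigger-to-teardown flow of the multi-POP case above (steps 1 to 10) and the summary that follows it, modelled as an added Python example that is not code from the patent or its applicant: the class and field names, the addresses, the domain and the fixed path table are constructed assumptions, since the page names no APIs. The model exercises the checks a practitioner would want: a flow with no NAT entry, or with the right quintuple but the wrong channel identifier, is dropped, and after teardown no hop carries the flow.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class FiveTuple:  # quintuple carried in the access control information of the second access request
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # transport-layer protocol, e.g. "tcp"

class Node:
    """A transit POP or exit node. Its NAT table binds a quintuple to channel identifiers:
    flow -> (ingress T-VNI, or None at the entry POP; egress T-VNI, or None at the exit; next hop)."""

    def __init__(self, name: str, ip: str) -> None:
        self.name, self.ip = name, ip
        self.nat: Dict[FiveTuple, Tuple[Optional[int], Optional[int], Optional[str]]] = {}

    def establish(self, flow: FiveTuple, in_vni: Optional[int], out_vni: Optional[int], nxt: Optional[str]) -> None:
        self.nat[flow] = (in_vni, out_vni, nxt)  # control instruction from the console: open the channel

    def forward(self, flow: FiveTuple, in_vni: Optional[int]) -> Optional[Tuple[Optional[int], Optional[str]]]:
        # Data plane: carry the flow only if both the quintuple and the incoming channel id match.
        entry = self.nat.get(flow)
        if entry is None or entry[0] != in_vni:
            return None  # no temporary channel for this traffic: dropped
        return entry[1], entry[2]

    def teardown(self, flow: FiveTuple) -> None:
        self.nat.pop(flow, None)  # close the channel and destroy the temporary identifier

class CentralConsole:
    def __init__(self, nodes: Dict[str, Node], nearest_pop: Dict[str, str],
                 service_exit: Dict[str, str], paths: Dict[Tuple[str, str], List[str]]) -> None:
        self.nodes = nodes                # POPs and exit nodes by name
        self.nearest_pop = nearest_pop    # client /24 prefix -> preferred POP (stands in for NIC/route data)
        self.service_exit = service_exit  # target service domain -> exit node
        self.paths = paths                # (entry POP, exit node) -> ordered hop list
        self.active: Dict[FiveTuple, List[str]] = {}
        self._vni = count(1)              # T-VNI allocator; real VXLAN VNIs are 24-bit values

    def resolve(self, client_ip: str, domain: str) -> str:
        # First access request: the DNS answer is the preferred transit POP, never the service itself.
        _ = self.service_exit[domain]  # KeyError for an unknown target service
        return self.nodes[self.nearest_pop[client_ip.rsplit(".", 1)[0]]].ip

    def on_access_control(self, entry_pop: str, flow: FiveTuple, domain: str) -> List[str]:
        # Second access request reported by the POP: pick the path, one T-VNI per segment, establish on every hop.
        path = self.paths[(entry_pop, self.service_exit[domain])]
        in_vni: Optional[int] = None  # the entry POP receives the flow untunnelled from the user side
        for i, hop in enumerate(path):
            nxt = path[i + 1] if i + 1 < len(path) else None
            out_vni = next(self._vni) if nxt else None
            self.nodes[hop].establish(flow, in_vni, out_vni, nxt)
            in_vni = out_vni
        self.active[flow] = path
        return path

    def finish(self, flow: FiveTuple) -> None:
        for hop in self.active.pop(flow, []):  # transmission finished: every hop tears down
            self.nodes[hop].teardown(flow)

def transmit(console: CentralConsole, entry_pop: str, flow: FiveTuple) -> Optional[List[Tuple[str, Optional[int]]]]:
    """Walk the data path hop by hop; returns [(node, egress T-VNI), ...], or None if dropped."""
    hops: List[Tuple[str, Optional[int]]] = []
    node, vni = console.nodes[entry_pop], None
    while True:
        step = node.forward(flow, vni)
        if step is None:
            return None
        out_vni, nxt = step
        hops.append((node.name, out_vni))
        if nxt is None:
            return hops  # exit node reached: delivered to the intranet service
        node, vni = console.nodes[nxt], out_vni

def demo() -> dict:
    # Multi-POP case of Fig. 3 with constructed addresses: user side -> POP1 -> POP2 -> exit node A.
    nodes = {n: Node(n, ip) for n, ip in [("POP1", "10.0.1.1"), ("POP2", "10.0.2.1"), ("A", "10.0.9.1")]}
    console = CentralConsole(nodes, {"192.168.1": "POP1"}, {"erp.corp.example": "A"},
                             {("POP1", "A"): ["POP1", "POP2", "A"]})
    client_ip, domain = "192.168.1.20", "erp.corp.example"
    pop_ip = console.resolve(client_ip, domain)              # steps 1-3
    flow = FiveTuple(client_ip, 40000, pop_ip, 443, "tcp")   # step 4: user side connects to POP1
    path = console.on_access_control("POP1", flow, domain)  # steps 5-7
    delivered = transmit(console, "POP1", flow)             # step 8
    blocked = transmit(console, "POP1", FiveTuple(client_ip, 40001, pop_ip, 443, "tcp"))
    wrong_vni = nodes["POP2"].forward(flow, 7)              # right quintuple, wrong channel id
    console.finish(flow)                                    # step 9: teardown
    return {"pop_ip": pop_ip, "path": path, "delivered": delivered, "blocked": blocked,
            "wrong_vni": wrong_vni, "after": transmit(console, "POP1", flow),
            "nat_empty": all(not n.nat for n in nodes.values())}
```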
As shown in Fig. 4, a schematic diagram of an embodiment of the user side in the embodiment of the present application, the user side may include:
a transceiver module 401, configured to send a first access request to a central console, wherein the first access request is a Domain Name System (DNS) resolution request for accessing a target service; to receive an analysis result sent by the central console, wherein the analysis result comprises an address of a transit point of presence; and to send a second access request to the transit point of presence according to the analysis result, wherein the access control information of the second access request comprises quintuple information, and the access control information of the second access request is used for establishing a temporary channel between the transit point of presence and a target node;
a processing module 402, configured to perform data transmission with the target node through the temporary channel.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit point of presence, or the transit points of presence include the point of presence closest to the user side.
Optionally, the access control information of the second access request further includes user side information and target service information; or alternatively,
the quintuple information of the user side comprises: source internet protocol IP address, source port, destination IP address, destination port, transport layer protocol.
As shown in Fig. 5, a schematic diagram of an embodiment of the central console in the embodiment of the present application, the central console may include:
a transceiver module 501, configured to receive a first access request sent by a user side, wherein the first access request is a Domain Name System (DNS) resolution request for accessing a target service; to send an analysis result to the user side according to the first access request, wherein the analysis result comprises an address of a transit point of presence; to receive access control information of a second access request sent by the transit point of presence; and to issue a control instruction to a target node and the transit point of presence according to the access control information of the second access request, wherein the control instruction is used for establishing a temporary channel between the target node and the transit point of presence.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit point of presence, or the transit points of presence include the point of presence closest to the user side.
As shown in Fig. 6, a schematic diagram of another embodiment of the user side in the embodiment of the present application, the user side may include:
a memory 601 in which executable program code is stored;
a processor 602 and transceiver 603 coupled to memory 601;
a transceiver 603, configured to send a first access request to a central console, wherein the first access request is a Domain Name System (DNS) resolution request for accessing a target service; to receive an analysis result sent by the central console, wherein the analysis result comprises an address of a transit point of presence; and to send a second access request to the transit point of presence according to the analysis result, wherein the access control information of the second access request comprises quintuple information, and the access control information of the second access request is used for establishing a temporary channel between the transit point of presence and a target node;
the processor 602 invokes the executable program code stored in the memory 601 to perform data transmission with the target node through the temporary channel.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit point of presence, or the transit points of presence include the point of presence closest to the user side.
Optionally, the access control information of the second access request further includes user side information and target service information; or alternatively,
the quintuple information of the user side comprises: source internet protocol IP address, source port, destination IP address, destination port, transport layer protocol.
As shown in Fig. 7, a schematic diagram of another embodiment of the central console in the embodiment of the present application, the central console may include:
a memory 701 in which executable program code is stored;
a transceiver 702 coupled with the memory 701;
the memory 701 is used for storing executable program codes;
a transceiver 702, configured to receive a first access request sent by a user side, wherein the first access request is a Domain Name System (DNS) resolution request for accessing a target service; to send an analysis result to the user side according to the first access request, wherein the analysis result comprises an address of a transit point of presence; to receive access control information of a second access request sent by the transit point of presence; and to issue a control instruction to a target node and the transit point of presence according to the access control information of the second access request, wherein the control instruction is used for establishing a temporary channel between the target node and the transit point of presence.
Optionally, after the data transmission is completed, the temporary channel is in a closed state.
Optionally, there is at least one transit point of presence, or the transit points of presence include the point of presence closest to the user side.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When loaded and executed on a computer, the computer instructions cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wire (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.). The computer-readable storage medium can be any available medium that a computer can store, or a data storage device, such as a server or a data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be substantially implemented or contributed to by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.
Claims (10)
1. A method for triggering dynamic security channels based on VXLAN, comprising:
a user side sends a first access request to a central console, wherein the first access request is a Domain Name System (DNS) resolution request for accessing a target service;
the user side receives an analysis result sent by the central console, wherein the analysis result comprises an address of a transit point of presence;
the user side sends a second access request to the transit point of presence according to the analysis result, wherein the access control information of the second access request comprises quintuple information, and the access control information of the second access request is used for establishing a temporary channel between the transit point of presence and a target node; and
the user side performs data transmission with the target node through the temporary channel.
2. The method of claim 1, wherein the temporary channel is closed after the data transfer is completed.
3. The method according to claim 1 or 2, wherein there is at least one transit point of presence, or wherein the transit points of presence comprise the point of presence closest to the user side.
4. The method according to claim 1 or 2, wherein the access control information of the second access request further comprises user side information and target service information; or alternatively,
the quintuple information of the user side comprises: source internet protocol IP address, source port, destination IP address, destination port, transport layer protocol.
5. A method for triggering dynamic security channels based on VXLAN, comprising:
a central console receives a first access request sent by a user side, wherein the first access request is a Domain Name System (DNS) resolution request for accessing a target service;
the central console sends an analysis result to the user side according to the first access request, wherein the analysis result comprises an address of a transit point of presence;
the central console receives access control information of a second access request sent by the transit point of presence, wherein the access control information of the second access request comprises quintuple information; and
the central console issues a control instruction to a target node and the transit point of presence according to the access control information of the second access request, wherein the control instruction is used for establishing a temporary channel between the target node and the transit point of presence.
6. The method of claim 5, wherein the temporary channel is closed after the data transfer is completed.
7. The method according to claim 5 or 6, wherein there is at least one transit point of presence, or wherein the transit points of presence comprise the point of presence closest to the user side.
8. A user terminal, comprising:
the system comprises a receiving and sending module, a sending and receiving module and a sending and receiving module, wherein the receiving and sending module is used for sending a first access request to a central console, and the first access request is a Domain Name System (DNS) resolution request for accessing a target service; receiving an analysis result sent by the central console, wherein the analysis result comprises an address of a transfer point of network; sending a second access request to the transit point-of-entry according to the analysis result, wherein the access control information of the second access request comprises quintuple information, and the access control information of the second access request is used for establishing a temporary channel between the transit point-of-entry and a target node;
and the processing module is used for carrying out data transmission with the target node through the temporary channel.
9. A center console, comprising:
the system comprises a receiving and sending module, a sending and receiving module and a sending and receiving module, wherein the receiving and sending module is used for receiving a first access request sent by a user side, and the first access request is a Domain Name System (DNS) resolution request for accessing a target service; sending an analysis result to the user side according to the first access request, wherein the analysis result comprises an address of a transfer-in point; receiving access control information of a second access request sent by the transit access network node, wherein the access control information of the second access request comprises quintuple information; and issuing a control instruction to a target node and the transit access network node according to the access control information of the second access request, wherein the control instruction is used for establishing a temporary channel between the target node and the transit access network node.
10. A computer-readable storage medium comprising instructions that, when executed on a processor, cause the processor to perform the method of any of claims 1-4, or any of claims 5-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110822373.7A CN113676390B (en) | 2021-07-21 | 2021-07-21 | VXLAN-based trigger type dynamic security channel method, user side and central console |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113676390A true CN113676390A (en) | 2021-11-19 |
CN113676390B CN113676390B (en) | 2022-10-25 |
Family
ID=78539663
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110822373.7A Active CN113676390B (en) | 2021-07-21 | 2021-07-21 | VXLAN-based trigger type dynamic security channel method, user side and central console |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113676390B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114500450A (en) * | 2021-12-22 | 2022-05-13 | 天翼云科技有限公司 | Domain name resolution method, device and computer readable storage medium |
CN115379016A (en) * | 2022-08-22 | 2022-11-22 | 深信服科技股份有限公司 | Resource access method, access service platform, device, equipment and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101043475A (en) * | 2006-06-30 | 2007-09-26 | 华为技术有限公司 | Process and system for media flow transverse network address conversion |
CN102917042A (en) * | 2012-10-12 | 2013-02-06 | 中兴通讯股份有限公司 | Method and device for realizing internet services based on convergence of CDN (content distribution network) and network |
US20140380460A1 (en) * | 2013-06-24 | 2014-12-25 | Cisco Technology, Inc. | Dynamic Communication Between Secure Endpoints |
CN107294711A (en) * | 2017-07-11 | 2017-10-24 | 国网辽宁省电力有限公司 | A kind of power information Intranet message encryption dissemination method based on VXLAN technologies |
EP3247082A1 (en) * | 2016-05-18 | 2017-11-22 | Zscaler, Inc. | Cloud-based virtual private access systems and methods |
CN107493297A (en) * | 2017-09-08 | 2017-12-19 | 安徽皖通邮电股份有限公司 | A kind of method of VxLAN tunnels access authentication |
CN110430288A (en) * | 2019-09-16 | 2019-11-08 | 腾讯科技(深圳)有限公司 | Node visit method, apparatus, computer equipment and storage medium |
CN111092863A (en) * | 2019-11-29 | 2020-05-01 | 视联动力信息技术股份有限公司 | Method, client, server, device and medium for accessing internet website |
WO2020155491A1 (en) * | 2019-01-31 | 2020-08-06 | 平安科技(深圳)有限公司 | Geographical location-based intelligent domain name resolution method and device |
CN111885036A (en) * | 2020-07-16 | 2020-11-03 | 武汉秒开网络科技有限公司 | Method and system for realizing multi-device access by router penetrating intranet |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114500450A (en) * | 2021-12-22 | 2022-05-13 | 天翼云科技有限公司 | Domain name resolution method, device and computer readable storage medium |
CN114500450B (en) * | 2021-12-22 | 2023-10-10 | 天翼云科技有限公司 | Domain name resolution method, device and computer readable storage medium |
CN115379016A (en) * | 2022-08-22 | 2022-11-22 | 深信服科技股份有限公司 | Resource access method, access service platform, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN113676390B (en) | 2022-10-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11895154B2 (en) | Method and system for virtual machine aware policy management | |
US10389542B2 (en) | Multicast helper to link virtual extensible LANs | |
US8954992B2 (en) | Distributed and scaled-out network switch and packet processing | |
CN116057910B (en) | Virtual private cloud communication and configuration method and related device | |
US9838261B2 (en) | Method, apparatus, and system for providing network traversing service | |
US20130024553A1 (en) | Location independent dynamic IP address assignment | |
US20140230044A1 (en) | Method and Related Apparatus for Authenticating Access of Virtual Private Cloud | |
EP3720100A1 (en) | Service request processing method and device | |
EP2922246B1 (en) | Method and data center network for cross-service zone communication | |
US10594586B2 (en) | Dialing test method, dialing test system, and computing node | |
US10454880B2 (en) | IP packet processing method and apparatus, and network system | |
CN113676390B (en) | VXLAN-based trigger type dynamic security channel method, user side and central console | |
US20180069787A1 (en) | Exposing a subset of hosts on an overlay network to components external to the overlay network without exposing another subset of hosts on the overlay network | |
CN112583618B (en) | Method, device and computing equipment for providing network service for business | |
US9716688B1 (en) | VPN for containers and virtual machines in local area networks | |
CN113364741A (en) | Application access method and proxy server | |
US20230283589A1 (en) | Synchronizing dynamic host configuration protocol snoop information | |
EP3618407B1 (en) | Method for implementing three-layer communication | |
CN113489646A (en) | Segmented routing transmission method based on VXLAN, server, source node and storage medium | |
CN113014680B (en) | Broadband access method, device, equipment and storage medium | |
WO2016206562A1 (en) | Method, device and system for configuring user equipment forwarding table | |
CN112994928B (en) | Virtual machine management method, device and system | |
CN113973101A (en) | Method and device for processing table item information | |
US11258720B2 (en) | Flow-based isolation in a service network implemented over a software-defined network | |
CN111147345B (en) | Cloud environment network isolation device and method and cloud system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
Effective date of registration: 20231229
Address after: 518000, B-1503, Zhongdian Changcheng Building, No.3 Kefa Road, Science and Technology Park Community, Yuehai Street, Nanshan District, Shenzhen, Guangdong Province
Patentee after: Shenzhen Netju Yunlian Technology Co.,Ltd.
Address before: 101199 3091, floor 3, No. 64, Xinhua South Road, Tongzhou District, Beijing
Patentee before: Beijing Wangju Yunlian Technology Co.,Ltd.