CN113839968B - Security plane isolation method and system based on channel division - Google Patents

Security plane isolation method and system based on channel division

Info

Publication number: CN113839968B
Application number: CN202111427304.2A
Authority: CN (China)
Prior art keywords: channel, initiator, receiver, message, virtual
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113839968A (en)
Inventor: 杨林
Current assignee: Institute of Network Engineering Institute of Systems Engineering Academy of Military Sciences
Original assignee: Institute of Network Engineering Institute of Systems Engineering Academy of Military Sciences
Events: application filed by Institute of Network Engineering Institute of Systems Engineering Academy of Military Sciences; priority to CN202111427304.2A; publication of CN113839968A; application granted; publication of CN113839968B; legal status Active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0272 Virtual private networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/08 Configuration management of networks or network elements > H04L 41/0803 Configuration setting > H04L 41/0813 Configuration setting characterised by the conditions triggering a change of settings > H04L 41/082 Configuration setting characterised by the conditions triggering a change of settings, the condition being updates or upgrades of network functionality
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/70 Admission control; Resource allocation > H04L 47/76 Admission control; Resource allocation using dynamic resource allocation, e.g. in-call renegotiation requested by the user or requested by the network in response to changing network conditions
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention provides a security plane isolation method and system based on channel division. The method comprises the following steps: step S1, channel establishment and parameter negotiation; step S2, after the channel is established, secure transmission of the plane service; step S3, after the channel is established, updating the bandwidth of the channel; step S4, after the channel is established, closing the channel on the basis of a configuration deletion by the network management device or a failure of the device; step S5, after the channel is established, the processing procedure when the initiator sends a message and the processing procedure when the receiver sends a message.

Description

Security plane isolation method and system based on channel division
Technical Field
The invention belongs to the field of communication transmission, and in particular relates to a security plane isolation method and system based on channel division.
Background
In recent years, with the development of network technology, network attacks have grown in reach and spread faster. To keep an attack from spreading through the network and to minimize the impact of an attack that does occur, the network must be divided and isolated into security zones. The advantages of plane isolation are twofold: first, plane isolation improves the security of the system and prevents services on different planes from affecting one another; second, where network resources are limited, different planes can be offered different service levels.
At present, plane isolation separates different service flows by means of separate physical networks, virtualization technologies, VLANs, routing mechanisms and the like, and the security capability of a plane is reinforced with an additional security mechanism such as a VPN. What is lacking when network equipment is designed is a design that integrates the security mechanism with plane isolation.
Disclosure of Invention
To address this technical problem, the invention provides a security plane isolation scheme based on channel division. The scheme designs the plane isolation function, the routing function and the security mechanism as a whole: it divides a link into a control channel, a management channel and a service channel; supports plane isolation functions such as channel establishment and parameter negotiation, secure transmission of plane services, channel bandwidth updating and channel closing; and supports routing and forwarding oriented to plane isolation, thereby realizing plane isolation and secure service transmission based on channel division.
Specifically, first, the channel establishment process is tightly coupled with validity identification: while negotiating channel parameters such as IP addresses and bandwidths, it judges the validity of the channel negotiation on the basis of parameters such as node numbers and device type matching. Second, parameters such as channel bandwidth and IP address are seamlessly bound to the upper-layer service application, and service messages are transmitted through the corresponding channel interface with encryption, decryption and integrity checking. Third, the router architecture is designed to support the plane isolation function, and efficient message sending and receiving is achieved by mapping physical ports to planes.
The first aspect of the invention discloses a security plane isolation method based on channel division. The transmission link between network devices comprises three independent logical channels, namely a control channel, a management channel and a service channel, which correspondingly form a control plane, a management plane and a service plane; one or more of the control channel, the management channel and the service channel coexist on the transmission link; each channel is bidirectional, the channels are isolated from each other, and messages in the channels are transmitted independently;
the method comprises the following steps:
step S1, channel establishment and parameter negotiation: sending a channel establishment request message to a receiver by an initiator, receiving and processing the channel establishment request message by the receiver, sending a channel establishment response message to the initiator by the receiver, receiving and processing the channel establishment response message by the initiator to complete parameter negotiation; the initiator and the receiver comprise a routing module, a channel table, an encryption module and an interface;
step S2, after the channel is established, performing secure transmission of the plane service: when the initiator needs to send a message, encrypting the message, sending the encrypted message to the receiver, receiving the encrypted message by the receiver and decrypting the encrypted message to inquire a corresponding channel table and submit the channel table to corresponding upper-layer software according to the channel type;
step S3, after the channel is established, updating the bandwidth of the channel: when the receiver receives the message that the channel bandwidth configuration is changed, if the receiver completes the channel establishment, the channel bandwidth updating process is triggered, and the bandwidth of the channel is updated;
step S4, after the channel is established, based on the network management configuration deletion or the opposite terminal equipment failure, executing the channel closing: the initiator actively closes the channel link between the initiator and the receiver, and the initiator and the receiver respectively close the channel and the link and clear the information of respective channel tables to return to the initial stage of the interface, reply a channel termination response to the initiator and simultaneously inform the routing module of the channel state;
step S5, after the channel is established, the processing procedure when the initiator sends a message and the processing procedure when the receiver sends a message are: the mapping work from the physical port, the plane and the virtual link on the interface board to the logic port is realized through the virtual interface drive, thereby realizing the isolation of the service layer.
According to the method of the first aspect of the present invention, in step S1, the method specifically includes:
step S11, the initiator sends a channel establishment request message carrying IP and bandwidth parameters to the receiver;
step S12, the receiver receives the channel establishing request message and extracts the parameter information, including matching the parameter negotiation strategy table based on the node number and the device type, to judge the negotiation parameter and complete the parameter negotiation;
step S13, after parameter negotiation, the receiver sends channel establishing response message to the initiator, and configures channel table and informs the routing module of channel connection state and parameter information;
step S14, after the initiator receives the channel establishment response message and completes the parameter negotiation, configures the channel table and reports the channel connection status of the routing module and the parameter information.
According to the method of the first aspect of the present invention, in step S2, the method specifically includes:
step S21, when the initiator needs to send a message, the port number is looked up according to the algorithm in the routing module, then the channel table is looked up according to the channel type to find the corresponding channel; the channel is matched on the basis of the security label, the message is packaged and sent to the encryption module for encryption and integrity calculation to form an encrypted message, and the encrypted message is sent to the receiver through the interface;
and step S22, when the receiver receives the encrypted message, the encrypted message is sent to the encryption module to complete decryption and the integrity check, the corresponding channel table is looked up, and the result is handed to the corresponding upper-layer software according to the channel type.
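As an added illustration of steps S21 and S22 (this is example code written for this page, not code from the patent), the following Python models the secure transmission of one plane's messages. It assumes a static channel table with one pre-shared key per security label, a message layout of label, sequence number, ciphertext and tag, and uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a stand-in for the encryption module's algorithm, which the patent does not specify. Because the security label and sequence number are covered by the integrity tag, a message captured on one channel cannot be delivered on another channel or replayed: both cases fail the receiver's check before anything reaches upper-layer software.

```python
import hashlib
import hmac
import struct

# Constructed channel table shared by both ends: security label -> channel
# type and the channel's master key.  In the patent the key material belongs
# to the encryption module and is fixed during negotiation; here it is static.
CHANNEL_TABLE = {
    1: {"type": "control",    "key": hashlib.sha256(b"demo-control-key").digest()},
    2: {"type": "management", "key": hashlib.sha256(b"demo-management-key").digest()},
    3: {"type": "service",    "key": hashlib.sha256(b"demo-service-key").digest()},
}
HEADER = struct.Struct("!BQ")   # security label (1 byte) + sequence number (8 bytes)
TAG_LEN = 32


def _subkeys(master):
    """Separate keys for confidentiality and integrity, derived with HMAC."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, label, seq, length):
    """Counter-mode keystream from HMAC-SHA256; a stand-in for an AEAD cipher.
    It is unique per (label, seq), so a sequence number must never repeat."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(enc_key, HEADER.pack(label, seq) + struct.pack("!I", block),
                        hashlib.sha256).digest()
    return out[:length]


def encrypt_message(label, seq, plaintext):
    """S21: package the message for its channel, encrypt it, append the integrity tag.
    The label and sequence number are covered by the tag, so the message cannot be
    moved to another channel or replayed without failing the receiver's check."""
    enc_key, mac_key = _subkeys(CHANNEL_TABLE[label]["key"])
    ks = _keystream(enc_key, label, seq, len(plaintext))
    body = HEADER.pack(label, seq) + bytes(p ^ k for p, k in zip(plaintext, ks))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


class Receiver:
    """Receiving end: check integrity, decrypt, look up the channel, dispatch."""

    def __init__(self):
        self.last_seq = {label: -1 for label in CHANNEL_TABLE}
        self.delivered = []   # (channel type, plaintext) handed to upper-layer software

    def receive(self, wire):
        """S22: returns a short verdict; only verified messages are delivered."""
        if len(wire) < HEADER.size + TAG_LEN:
            return "malformed"
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        label, seq = HEADER.unpack_from(body)
        entry = CHANNEL_TABLE.get(label)
        if entry is None:
            return "unknown channel"
        enc_key, mac_key = _subkeys(entry["key"])
        if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
            return "integrity failure"
        if seq <= self.last_seq[label]:
            return "replay"
        self.last_seq[label] = seq
        ciphertext = body[HEADER.size:]
        plaintext = bytes(c ^ k for c, k in
                          zip(ciphertext, _keystream(enc_key, label, seq, len(ciphertext))))
        self.delivered.append((entry["type"], plaintext))   # dispatch by channel type
        return "delivered to " + entry["type"]


if __name__ == "__main__":
    rx = Receiver()
    wire = encrypt_message(3, 1, b"service plane payload")
    print(rx.receive(wire))                      # delivered to service
    print(rx.receive(wire))                      # replay
    print(rx.receive(bytes([1]) + wire[1:]))     # integrity failure (moved to control channel)
```

The receiver rejects a message whose label byte has been rewritten to another channel's label even though that channel exists, which is the property plane isolation needs from the encryption module: the key and the integrity check are bound to the channel, not just to the link.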
According to the method of the first aspect of the present invention, in step S3, the method specifically includes:
step S31, the initiator sends a channel bandwidth updating request and carries new channel bandwidth information;
step S32, after the receiving party receives the channel updating request and completes the channel negotiation, the receiving party updates the channel table, and simultaneously sends a channel updating response to the routing module to update the bandwidth information of the real link virtual network card in the routing module;
and step S33, the initiator receives the channel updating response, and sends the channel updating response to the routing module to update the bandwidth information of the real link virtual network card in the routing module.
According to the method of the first aspect of the present invention, in step S4, the method specifically includes:
step S41, the initiator actively closes the channel link with the receiver and sends a channel termination request to the receiver;
step S42, the receiver closes the channel and link and clears the information of the channel list, returns to the initial stage of the interface, replies the channel termination response to the initiator, and simultaneously announces the channel state to the routing module;
step S43, after receiving the channel update response, the initiator closes the channel and the link and clears the information of the channel table, returns to the interface initial stage, replies the channel termination response to the initiator, and notifies the routing module of the channel status.
According to the method of the first aspect of the present invention, in step S5, the method specifically includes:
the processing procedure when the initiator sends the message comprises the following steps:
step S51, the virtual interface driving layer preprocesses the message, encapsulates the virtual channel parameter information corresponding to the virtual interface according to the data structure information stored in the virtual logic port, and sends the virtual channel parameter information to the interface;
step S52, the interface completes the mapping to the virtual channel according to the Ethernet header virtual interface parameter information, and finally sends out the message;
the processing process when the receiver receives the message is as follows:
step S53, when the receiver receives the message, after the virtual channel mapping processing, the plane information of the physical port is added to the Ethernet header;
step S54, after the virtual interface driver receives the packet, it matches the virtual logical port on the basis of the virtual channel information, adds the interface pointer corresponding to that virtual logical port to the data structure of the virtual interface driver, and sends it on to the protocol stack kernel for subsequent processing, so that the virtual router can correctly identify the destination of the received packet.
According to the method of the first aspect of the present invention, the initiator and the receiver are routers, the routers have a virtual router function, and the initiator and the receiver are a plurality of different virtual routers.
The second aspect of the invention discloses a security plane isolation system based on channel division. The transmission link between network devices comprises three independent logical channels, namely a control channel, a management channel and a service channel, which correspondingly form a control plane, a management plane and a service plane; one or more of the control channel, the management channel and the service channel coexist on the transmission link; each channel is bidirectional, the channels are isolated from each other, and messages in the channels are transmitted independently; the system comprises:
a first processing unit configured to perform channel establishment and parameter negotiation: sending a channel establishment request message to a receiver by an initiator, receiving and processing the channel establishment request message by the receiver, sending a channel establishment response message to the initiator by the receiver, receiving and processing the channel establishment response message by the initiator to complete parameter negotiation; the initiator and the receiver comprise a routing module, a channel table, an encryption module and an interface;
a second processing unit configured to, after the channel is established, perform secure transmission of plane traffic: when the initiator needs to send a message, encrypting the message, sending the encrypted message to the receiver, receiving the encrypted message by the receiver and decrypting the encrypted message to inquire a corresponding channel table and submit the channel table to corresponding upper-layer software according to the channel type;
a third processing unit configured to update the bandwidth of the channel after the channel is established: when the receiver receives the message that the channel bandwidth configuration is changed, if the receiver completes the channel establishment, the channel bandwidth updating process is triggered, and the bandwidth of the channel is updated;
a fourth processing unit, configured to, after the channel is established, based on network management configuration deletion or opposite end device failure, execute channel closing: the initiator actively closes the channel link between the initiator and the receiver, and the initiator and the receiver respectively close the channel and the link and clear the information of respective channel tables to return to the initial stage of the interface, reply a channel termination response to the initiator and simultaneously inform the routing module of the channel state;
a fifth processing unit, configured to, after the channel is established, perform a processing procedure when the initiator sends a packet and perform a processing procedure when the receiver sends a packet by: the mapping work from the physical port, the plane and the virtual link on the interface board to the logic port is realized through the virtual interface drive, thereby realizing the isolation of the service layer.
According to the system of the second aspect of the invention, the first processing unit is specifically configured to perform the steps of:
step S11, the initiator sends a channel establishment request message carrying IP and bandwidth parameters to the receiver;
step S12, the receiver receives the channel establishing request message and extracts the parameter information, including matching the parameter negotiation strategy table based on the node number and the device type, to judge the negotiation parameter and complete the parameter negotiation;
step S13, after parameter negotiation, the receiver sends channel establishing response message to the initiator, and configures channel table and informs the routing module of channel connection state and parameter information;
step S14, after the initiator receives the channel establishment response message and completes the parameter negotiation, configures the channel table and reports the channel connection status of the routing module and the parameter information.
According to the system of the second aspect of the invention, the second processing unit is specifically configured to perform the steps of:
step S21, when the initiator needs to send a message, the port number is looked up according to the algorithm in the routing module, then the channel table is looked up according to the channel type to find the corresponding channel; the channel is matched on the basis of the security label, the message is packaged and sent to the encryption module for encryption and integrity calculation to form an encrypted message, and the encrypted message is sent to the receiver through the interface;
and step S22, when the receiver receives the encrypted message, the encrypted message is sent to the encryption module to complete decryption and the integrity check, the corresponding channel table is looked up, and the result is handed to the corresponding upper-layer software according to the channel type.
According to the system of the second aspect of the invention, the third processing unit is specifically configured to perform the steps of:
step S31, the initiator sends a channel bandwidth updating request and carries new channel bandwidth information;
step S32, after the receiving party receives the channel updating request and completes the channel negotiation, the receiving party updates the channel table, and simultaneously sends a channel updating response to the routing module to update the bandwidth information of the real link virtual network card in the routing module;
and step S33, the initiator receives the channel updating response, and sends the channel updating response to the routing module to update the bandwidth information of the real link virtual network card in the routing module.
According to the system of the second aspect of the invention, the fourth processing unit is specifically configured to perform the steps of:
step S41, the initiator actively closes the channel link with the receiver and sends a channel termination request to the receiver;
step S42, the receiver closes the channel and link and clears the information of the channel list, returns to the initial stage of the interface, replies the channel termination response to the initiator, and simultaneously announces the channel state to the routing module;
step S43, after receiving the channel update response, the initiator closes the channel and the link and clears the information of the channel table, returns to the interface initial stage, replies the channel termination response to the initiator, and notifies the routing module of the channel status.
According to the system of the second aspect of the invention, the fifth processing unit is specifically configured to perform the steps of:
the processing procedure when the initiator sends the message comprises the following steps:
step S51, the virtual interface driving layer preprocesses the message, encapsulates the virtual channel parameter information corresponding to the virtual interface according to the data structure information stored in the virtual logic port, and sends the virtual channel parameter information to the interface;
step S52, the interface completes the mapping to the virtual channel according to the Ethernet header virtual interface parameter information, and finally sends out the message;
the processing process when the receiver receives the message is as follows:
step S53, when the receiver receives the message, after the virtual channel mapping processing, the plane information of the physical port is added to the Ethernet header;
step S54, after the virtual interface driver receives the packet, it matches the virtual logical port on the basis of the virtual channel information, adds the interface pointer corresponding to that virtual logical port to the data structure of the virtual interface driver, and sends it on to the protocol stack kernel for subsequent processing, so that the virtual router can correctly identify the destination of the received packet.
According to the system of the second aspect of the present invention, the initiator and the receiver are routers, the routers have a virtual router function, and the initiator and the receiver are a plurality of different virtual routers.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it implements the steps of the security plane isolation method based on channel division according to any one of the first aspect of the disclosure.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer-readable storage medium has a computer program stored on it which, when executed by a processor, implements the steps of the security plane isolation method based on channel division according to any one of the first aspect of the present disclosure.
In summary, the technical scheme provided by the invention supports channel establishment and parameter negotiation, plane service transmission, channel bandwidth updating and channel closing, thereby realizing plane isolation and secure service transmission based on channels. At the same time, the scheme supports the function of a standard virtual router and, through the virtual interface driver, realizes the mapping from physical port, plane and virtual link on the interface board to logical port, thereby achieving isolation of the service layer. The naming rule of the mapping relation, the format of the stored data structure, the default parameter settings and the like of the plane isolation architecture are not limited.
The scheme provides a security plane isolation method based on channel division that designs plane isolation, the routing function and security as a whole, isolates the control plane, the management plane and the service plane from one another, and encrypts the service transmitted within a plane; the router architecture supports plane isolation and can perform isolated service forwarding for the different planes.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the embodiments or the description in the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a security plane isolation method based on channel partitioning according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating channel establishment and parameter negotiation according to an embodiment of the present invention;
FIG. 3 is a flow chart illustrating channel closing according to an embodiment of the present invention;
FIG. 4 is an architecture diagram of a routing device supporting plane isolation according to an embodiment of the present invention;
FIG. 5 is a diagram of virtual interface naming conventions, according to an embodiment of the invention;
FIG. 6 is a block diagram of a secure plane isolation system based on channel partitioning according to an embodiment of the present invention;
fig. 7 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To support the plane isolation function, the transmission link between network devices is divided into three independent logical channels, namely a control channel, a management channel and a service channel, which form a control plane, a management plane and a service plane. Channels are end-to-end logical connections, and a link may carry three channels: a control channel, a management channel and a service channel, all of which are bidirectional. The messages in each channel are transmitted independently, and the channels are isolated from one another. This channel separation mechanism effectively isolates the different kinds of information, prevents an abnormality in a single channel from affecting the work of the other channels, and effectively improves the network security protection capability of the device.
The channel information base is a table keyed by port number and channel type. It stores all information parameters related to the control, management and service channels; when a channel is to be established, a channel establishment request is sent to the opposite device, which judges the validity of the request and then allocates the channel parameter information. The basic content of the channel information base comprises the following fields, and the table entries can be extended according to the actual application:
1. Channel type: identifies the channel type, which is one of the 3 channel types control, management and service.
2. Channel bandwidth: the logical bandwidth allocated to the channel; the channel bandwidth is not greater than the link bandwidth.
3. Port number: the physical port number.
4. Negotiated bandwidth: the channel bandwidth negotiated between the local device and the opposite device while establishing the channel link.
5. Security label: bound to the channel number for fast forwarding and indexing.
6. Data type: includes the channel number, the router type identifier and so on, used when issuing the channel table entry.
7. Flow identifier: the unique identifier of the data table entry sent to the interface.
8. Source IP address: the address negotiated when the channel link connection is established; authenticates the initiator's IP address.
9. Destination IP address: the address negotiated when the channel link connection is established; authenticates the receiver's IP address.
10. Virtual port number: the virtual port number allocated when the virtual link is established.
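As an added example (written for this page, not code from the patent), the following Python models the channel information base above together with the message flows of step S1 (S11 to S14), step S3 (S31 to S33) and step S4 (S41 to S43). The table is keyed by (port number, channel type) as the description states; the parameter negotiation policy table, its contents, the link bandwidth, the message field names and the routing module notifications are all assumptions made for illustration. The receiver refuses to install an entry when the (node number, device type) pair does not match the policy table or the requested bandwidth exceeds the link bandwidth, negotiates the bandwidth downward to the peer's cap, and only an established channel can have its bandwidth updated.

```python
from dataclasses import dataclass
from enum import Enum

LINK_BANDWIDTH = 1000   # constructed link bandwidth in Mbit/s


class ChannelType(Enum):
    CONTROL = 1
    MANAGEMENT = 2
    SERVICE = 3


@dataclass
class ChannelEntry:
    """One row of the channel information base (fields named after the description)."""
    channel_type: ChannelType
    port: int              # physical port number
    bandwidth: int         # negotiated channel bandwidth, never above LINK_BANDWIDTH
    src_ip: str
    dst_ip: str
    security_label: int    # bound to the channel for fast forwarding and indexing
    virtual_port: int      # assigned when the virtual link is established


# Constructed parameter negotiation policy table keyed by (node number, device
# type): which channel types that peer may open and the bandwidth cap it gets.
POLICY = {
    (101, "core"): {"allowed": set(ChannelType), "cap": 500},
    (202, "edge"): {"allowed": {ChannelType.SERVICE}, "cap": 200},
}


class Router:
    """One end of the link; its channel table is keyed by (port number, channel type)."""

    def __init__(self, ip, node_id, device_type):
        self.ip, self.node_id, self.device_type = ip, node_id, device_type
        self.table = {}
        self.routing_log = []      # notifications handed to the routing module
        self._label = self._vport = 0

    def _notify(self, *event):
        self.routing_log.append(event)

    def on_establish(self, req):
        """Receiver side of S1 (S12/S13): validate against the policy table, then install."""
        policy = POLICY.get((req["node_id"], req["device_type"]))
        ctype = req["channel_type"]
        if policy is None or ctype not in policy["allowed"]:
            return {"ok": False, "reason": "policy mismatch"}
        if req["bandwidth"] > LINK_BANDWIDTH:
            return {"ok": False, "reason": "exceeds link bandwidth"}
        self._label += 1
        self._vport += 1
        granted = min(req["bandwidth"], policy["cap"])   # negotiate downward to the cap
        self.table[(req["port"], ctype)] = ChannelEntry(
            ctype, req["port"], granted, req["src_ip"], self.ip, self._label, self._vport)
        self._notify("UP", req["port"], ctype.name, granted)
        return {"ok": True, "bandwidth": granted,
                "security_label": self._label, "virtual_port": self._vport}

    def on_update(self, port, ctype, bandwidth):
        """Receiver side of S3 (S32): only an established channel can be updated."""
        entry = self.table.get((port, ctype))
        if entry is None or bandwidth > LINK_BANDWIDTH:
            return {"ok": False}
        entry.bandwidth = bandwidth
        self._notify("BW", port, ctype.name, bandwidth)
        return {"ok": True}

    def on_terminate(self, port, ctype):
        """Receiver side of S4 (S42): close, clear the entry, tell the routing module."""
        self.table.pop((port, ctype), None)
        self._notify("DOWN", port, ctype.name)
        return {"ok": True}


def establish(initiator, receiver, port, ctype, bandwidth):
    """S11 + S14: send the request and install the negotiated entry on success.
    Returns the granted bandwidth, or None when the receiver rejected the request."""
    resp = receiver.on_establish({"node_id": initiator.node_id,
                                  "device_type": initiator.device_type,
                                  "channel_type": ctype, "port": port,
                                  "bandwidth": bandwidth, "src_ip": initiator.ip})
    if not resp["ok"]:
        return None
    initiator.table[(port, ctype)] = ChannelEntry(
        ctype, port, resp["bandwidth"], initiator.ip, receiver.ip,
        resp["security_label"], resp["virtual_port"])
    initiator._notify("UP", port, ctype.name, resp["bandwidth"])
    return resp["bandwidth"]


def update_bandwidth(initiator, receiver, port, ctype, bandwidth):
    """S31 + S33: the initiator changes its own entry only on a positive response."""
    ok = receiver.on_update(port, ctype, bandwidth)["ok"]
    if ok and (port, ctype) in initiator.table:
        initiator.table[(port, ctype)].bandwidth = bandwidth
        initiator._notify("BW", port, ctype.name, bandwidth)
    return ok


def close_channel(initiator, receiver, port, ctype):
    """S41 + S43: both ends close the channel and clear their table entries."""
    receiver.on_terminate(port, ctype)
    initiator.table.pop((port, ctype), None)
    initiator._notify("DOWN", port, ctype.name)
    return (port, ctype) not in initiator.table and (port, ctype) not in receiver.table


if __name__ == "__main__":
    a, b = Router("10.0.0.1", 101, "core"), Router("10.0.0.2", 100, "core")
    print(establish(a, b, 1, ChannelType.CONTROL, 800))          # 500: capped by policy
    print(update_bandwidth(a, b, 1, ChannelType.CONTROL, 300))   # True
    print(close_channel(a, b, 1, ChannelType.CONTROL))           # True
```

The check that matters for isolation is the one in on_establish: a peer whose node number and device type are not in the policy table, or which asks for a channel type it is not allowed, gets no table entry at all, so no security label or virtual port is ever allocated to it and nothing it later sends can be matched to a channel.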
The first aspect of the invention discloses a security plane isolation method based on channel division. The transmission link between network devices comprises three independent logical channels, namely a control channel, a management channel and a service channel, which correspondingly form a control plane, a management plane and a service plane; one or more of the control channel, the management channel and the service channel coexist on the transmission link; each channel is bidirectional, the channels are isolated from each other, and messages in the channels are transmitted independently. Fig. 1 is a flowchart of a security plane isolation method based on channel partitioning according to an embodiment of the present invention; as shown in fig. 1, the method includes:
step S1, channel establishment and parameter negotiation: sending a channel establishment request message to a receiver by an initiator, receiving and processing the channel establishment request message by the receiver, sending a channel establishment response message to the initiator by the receiver, receiving and processing the channel establishment response message by the initiator to complete parameter negotiation; the initiator and the receiver comprise a routing module, a channel table, an encryption module and an interface;
step S2, after the channel is established, performing secure transmission of the plane service: when the initiator needs to send a message, encrypting the message, sending the encrypted message to the receiver, receiving the encrypted message by the receiver and decrypting the encrypted message to inquire a corresponding channel table and submit the channel table to corresponding upper-layer software according to the channel type;
step S3, after the channel is established, updating the bandwidth of the channel: when the receiver receives the message that the channel bandwidth configuration is changed, if the receiver completes the channel establishment, the channel bandwidth updating process is triggered, and the bandwidth of the channel is updated;
step S4, after the channel is established, based on the network management configuration deletion or the opposite terminal equipment failure, executing the channel closing: the initiator actively closes the channel link between the initiator and the receiver, and the initiator and the receiver respectively close the channel and the link and clear the information of respective channel tables to return to the initial stage of the interface, reply a channel termination response to the initiator and simultaneously inform the routing module of the channel state;
step S5, after the channel is established, the processing procedure when the initiator sends a message and the processing procedure when the receiver sends a message are: the mapping work from the physical port, the plane and the virtual link on the interface board to the logic port is realized through the virtual interface drive, thereby realizing the isolation of the service layer.
In some embodiments, step S1 specifically includes:
step S11, the initiator sends a channel establishment request message carrying IP and bandwidth parameters to the receiver;
step S12, the receiver receives the channel establishment request message and extracts the parameter information from it, matches the parameter negotiation policy table based on the node number and the device type to determine the negotiation parameters, and completes the parameter negotiation;
step S13, after parameter negotiation, the receiver sends a channel establishment response message to the initiator, configures its channel table and notifies the routing module of the channel connection state and the parameter information;
step S14, after the initiator receives the channel establishment response message and completes parameter negotiation, it configures its channel table and reports the channel connection state and the parameter information to the routing module.
FIG. 2 is a flowchart of channel establishment and parameter negotiation according to an embodiment of the present invention. As shown in fig. 2, the initiator sends a channel establishment request message carrying IP and bandwidth parameters to the peer device. After processing on the sending side and the receiving side, the peer device receives the channel establishment request, extracts the parameter information from it, and matches the parameter negotiation policy table based on the node number and the device type to determine the negotiation mechanism. After parameter negotiation is completed, the receiver sends a channel establishment response message to the initiator device, configures its channel table and notifies the routing module of the channel connection state and the parameter information. After receiving the channel establishment response and completing parameter negotiation, the initiator configures its channel table and reports the channel connection state and the parameter information to the routing module. Once channel establishment and parameter negotiation are complete, channel separation and seamless binding to upper-layer applications can be realized according to the negotiated parameters, such as the channel bandwidth and the IP address.
In some embodiments, step S2 specifically includes:
step S21, when the initiator needs to send a message, the port number is looked up by the algorithm in the routing module, then the channel table is queried by channel type to find the corresponding channel; the channel is matched based on the security mark, the message is encapsulated and sent to the encryption module for encryption and integrity calculation to form an encrypted message, and the encrypted message is sent to the receiver through the interface;
step S22, when the receiver receives the encrypted message, it sends the encrypted message to the encryption module for decryption and integrity check, queries the corresponding channel table, and hands the message to the corresponding upper-layer software according to the channel type.
When a message needs to be sent, the port number is first looked up by the routing algorithm, then the channel table is queried by channel type to find the corresponding channel; the channel is matched based on the security mark, the message is encapsulated and sent to the encryption module for encryption and integrity calculation, and the encrypted message is sent out through the interface. When the peer receives the message, the interface takes the encrypted message from the line, sends it to the encryption module for decryption and integrity check, queries the corresponding channel table, and hands the message to the corresponding upper-layer software according to the channel type.
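The transmission path of steps S21 and S22, written out as an added example that is not code from the patent. It uses the channel table fields listed above (channel number, security mark, source and destination IP, virtual port number) and assumes one independent key per channel; the channel numbers, marks, keys and IP addresses are constructed sample values, and the stdlib encrypt-then-MAC construction stands in for the unspecified encryption module. The point it shows is that a frame sealed on the management channel cannot be relabelled onto the service channel: the integrity check under the service channel's key fails, so the message never reaches service-plane software.

```python
# Added example (not code from the patent): secure per-plane transmission of
# steps S21/S22 over isolated channels. The channel table, security marks and
# keys below are constructed sample values; the encrypt-then-MAC construction
# stands in for the patent's unspecified encryption module.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

CONTROL, MANAGEMENT, SERVICE = 1, 2, 3   # channel types (plane numbering assumed)


@dataclass(frozen=True)
class ChannelEntry:
    channel_no: int
    channel_type: int       # CONTROL / MANAGEMENT / SERVICE
    security_mark: int      # bound to the channel number for fast indexing
    src_ip: str
    dst_ip: str
    virtual_port: int
    key: bytes              # assumed: one independent key per channel


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustrative keystream (HMAC-SHA256 in counter mode) so the example runs
    # with the standard library; a deployment would use an AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(entry: ChannelEntry, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encapsulate, encrypt and authenticate one message on its channel.
    Wire format: channel_no(2) | security_mark(2) | nonce(12) | ciphertext | tag(32)."""
    nonce = os.urandom(12) if nonce is None else nonce
    header = struct.pack(">HH", entry.channel_no, entry.security_mark)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(entry.key, nonce, len(payload))))
    tag = hmac.new(entry.key, header + nonce + ct, hashlib.sha256).digest()  # covers the header
    return header + nonce + ct + tag


class PlaneEndpoint:
    """One side of the link: channel table plus an inbox per plane (the upper-layer software)."""

    def __init__(self, entries: List[ChannelEntry]):
        self.by_type: Dict[int, ChannelEntry] = {e.channel_type: e for e in entries}
        self.by_no: Dict[int, ChannelEntry] = {e.channel_no: e for e in entries}
        self.delivered: Dict[int, List[bytes]] = {CONTROL: [], MANAGEMENT: [], SERVICE: []}

    def send(self, channel_type: int, payload: bytes) -> bytes:
        # S21: look up the channel by channel type, then seal the message on it.
        return seal(self.by_type[channel_type], payload)

    def receive(self, frame: bytes) -> Optional[int]:
        """S22: verify and decrypt, look up the channel table, hand the payload up by
        channel type. Returns the channel type delivered to, or None if dropped."""
        if len(frame) < 4 + 12 + 32:
            return None
        channel_no, mark = struct.unpack(">HH", frame[:4])
        entry = self.by_no.get(channel_no)
        if entry is None or entry.security_mark != mark:
            return None                                  # unknown channel or mark mismatch
        nonce, ct, tag = frame[4:16], frame[16:-32], frame[-32:]
        expect = hmac.new(entry.key, frame[:16] + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None                                  # integrity check failed: drop
        payload = bytes(a ^ b for a, b in zip(ct, _keystream(entry.key, nonce, len(ct))))
        self.delivered[entry.channel_type].append(payload)
        return entry.channel_type


def build_table() -> List[ChannelEntry]:
    # Constructed sample channel table shared by both ends of one link.
    return [
        ChannelEntry(1, CONTROL,    0x11, "10.0.0.1", "10.0.0.2", 4001, b"ctl-key-" * 4),
        ChannelEntry(2, MANAGEMENT, 0x22, "10.0.0.1", "10.0.0.2", 4002, b"mgmt-key" * 4),
        ChannelEntry(3, SERVICE,    0x33, "10.0.0.1", "10.0.0.2", 4003, b"svc-key-" * 4),
    ]


def demo_plane_transmission() -> dict:
    table = build_table()
    initiator, receiver = PlaneEndpoint(table), PlaneEndpoint(table)
    frame = initiator.send(MANAGEMENT, b"cfg: bandwidth 100")
    delivered_to = receiver.receive(frame)
    # Relabel the management frame as service-channel traffic (channel 3, mark 0x33):
    # the tag does not verify under the service key, so it never reaches the service plane.
    relabelled = struct.pack(">HH", 3, 0x33) + frame[4:]
    cross_plane = receiver.receive(relabelled)
    # Flip one ciphertext byte: the integrity check rejects the frame.
    corrupted = frame[:16] + bytes([frame[16] ^ 0x01]) + frame[17:]
    tampered = receiver.receive(corrupted)
    return {"delivered_to": delivered_to, "cross_plane": cross_plane, "tampered": tampered,
            "management_inbox": receiver.delivered[MANAGEMENT],
            "service_inbox": receiver.delivered[SERVICE]}
```

Binding the security mark and channel number into the authenticated header is what makes the channel-type dispatch trustworthy: the receiver only consults its channel table after the tag has verified under that channel's own key, so the plane a message is handed to is decided by the key it was sealed with, not by a label an intermediate node could rewrite.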
In some embodiments, step S3 specifically includes:
step S31, the initiator sends a channel bandwidth update request carrying the new channel bandwidth information;
step S32, after the receiver receives the channel update request and completes channel negotiation, it updates its channel table and at the same time sends a channel update response to the routing module to update the bandwidth information of the real-link virtual network card in the routing module;
step S33, the initiator receives the channel update response and sends it to the routing module to update the bandwidth information of the real-link virtual network card in the routing module.
When a router receives a change of the channel bandwidth configuration, and the router on the corresponding interface has completed access authentication and channel establishment, it triggers the channel bandwidth update process. The router sends a channel bandwidth update request carrying the new channel bandwidth information. After the peer device receives the channel update request and completes channel negotiation, it updates its channel table, sends a channel update response to the router that initiated the request, and at the same time updates the bandwidth information of the real-link virtual network card in the routing module. The router that receives the channel update response completes the same steps.
In some embodiments, step S4 specifically includes:
step S41, the initiator actively closes the channel link with the receiver and sends a channel termination request to the receiver;
step S42, the receiver closes the channel and the link, clears the information in its channel table, returns the interface to its initial stage, replies a channel termination response to the initiator, and at the same time announces the channel state to the routing module;
step S43, after receiving the channel update response, the initiator closes the channel and the link, clears the information in its channel table, returns the interface to its initial stage, replies the channel termination response to the initiator, and notifies the routing module of the channel state.
FIG. 3 is a flowchart of channel closing according to an embodiment of the present invention. As shown in fig. 3, on deletion of the network-management device configuration or on device failure, the router actively closes the channel link with the peer node and sends a channel termination request to the peer device. The peer device closes the channel and the link, clears the channel table information, returns the interface to its initial stage, replies a channel termination response to the initiator, and at the same time notifies the routing module of the channel state. The router that receives the channel update response completes the same steps.
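The channel lifecycle of steps S1 (establishment and parameter negotiation), S3 (bandwidth update) and S4 (closing), as one added example that is not code from the patent. Both sides' messages are modelled on a single `Node` class; the message names, the contents of the parameter negotiation policy table (indexed by node number and device type, as in step S12) and the routing-module notification hook are assumptions, and the node numbers, device types and IP addresses are constructed. Beyond the text, it also shows the two refusals a practitioner wants: a peer absent from the policy table gets no channel table entry on either side, and a bandwidth update for a channel that was never established is ignored.

```python
# Added example (not code from the patent): the channel lifecycle of steps S1,
# S3 and S4 as a message exchange between an initiator and a receiver. Message
# names, policy table contents and the routing-module hook are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Parameter negotiation policy table, matched on (node number, device type).
# Value: the bandwidth ceiling the receiver grants (constructed sample values).
POLICY_TABLE: Dict[Tuple[int, str], int] = {(1, "core"): 1000, (2, "edge"): 100}


@dataclass
class Msg:
    kind: str                       # ESTABLISH / BW_UPDATE / TERMINATE, each _REQ or _RESP
    channel_no: int
    params: dict = field(default_factory=dict)


@dataclass
class Node:
    node_no: int
    device_type: str
    ip: str
    channel_table: Dict[int, dict] = field(default_factory=dict)
    routing_events: List[Tuple[int, str]] = field(default_factory=list)

    def _notify_routing(self, channel_no: int, state: str) -> None:
        # Stand-in for informing the routing module of channel state and parameters.
        self.routing_events.append((channel_no, state))

    def establish_request(self, channel_no: int, channel_type: int, bandwidth: int) -> Msg:
        # S11: the request carries IP and bandwidth parameters plus the node identity.
        return Msg("ESTABLISH_REQ", channel_no, {
            "node_no": self.node_no, "device_type": self.device_type,
            "ip": self.ip, "channel_type": channel_type, "bandwidth": bandwidth})

    def handle(self, msg: Msg) -> Optional[Msg]:
        """Process one message; return the response to send back, if any."""
        p, entry = msg.params, self.channel_table.get(msg.channel_no)
        if msg.kind == "ESTABLISH_REQ":
            limit = POLICY_TABLE.get((p["node_no"], p["device_type"]))   # S12: policy match
            if limit is None:
                return Msg("ESTABLISH_RESP", msg.channel_no, {"result": "rejected"})
            granted = min(p["bandwidth"], limit)                           # negotiated parameter
            self.channel_table[msg.channel_no] = {                         # S13: configure table
                "channel_type": p["channel_type"], "peer_ip": p["ip"], "bandwidth": granted}
            self._notify_routing(msg.channel_no, "UP")
            return Msg("ESTABLISH_RESP", msg.channel_no, {"result": "ok", "ip": self.ip,
                       "channel_type": p["channel_type"], "bandwidth": granted})
        if msg.kind == "ESTABLISH_RESP":
            if p.get("result") == "ok":                                    # S14: initiator side
                self.channel_table[msg.channel_no] = {
                    "channel_type": p["channel_type"], "peer_ip": p["ip"], "bandwidth": p["bandwidth"]}
                self._notify_routing(msg.channel_no, "UP")
            return None
        if msg.kind == "BW_UPDATE_REQ":
            if entry is None:                       # S3 runs only on an established channel
                return None
            entry["bandwidth"] = p["bandwidth"]     # S32: table + real-link virtual NIC bandwidth
            self._notify_routing(msg.channel_no, "BW")
            return Msg("BW_UPDATE_RESP", msg.channel_no, {"bandwidth": entry["bandwidth"]})
        if msg.kind == "BW_UPDATE_RESP":
            if entry is not None:                   # S33
                entry["bandwidth"] = p["bandwidth"]
                self._notify_routing(msg.channel_no, "BW")
            return None
        if msg.kind == "TERMINATE_REQ":             # S42: receiver closes and replies
            self._close(msg.channel_no)
            return Msg("TERMINATE_RESP", msg.channel_no)
        if msg.kind == "TERMINATE_RESP":            # S43: initiator closes on the response
            self._close(msg.channel_no)
        return None

    def _close(self, channel_no: int) -> None:
        # Clear the channel table entry (interface back to its initial stage) and
        # announce the new state to the routing module.
        if self.channel_table.pop(channel_no, None) is not None:
            self._notify_routing(channel_no, "DOWN")


def exchange(a: Node, b: Node, msg: Msg) -> None:
    """One round trip: a's message to b, then b's response (if any) back to a."""
    resp = b.handle(msg)
    if resp is not None:
        a.handle(resp)


def run_lifecycle() -> dict:
    initiator, receiver = Node(1, "core", "10.0.0.1"), Node(2, "edge", "10.0.0.2")
    exchange(initiator, receiver, initiator.establish_request(7, 3, 1500))  # asks 1500, capped at 1000
    bw_after_establish = (initiator.channel_table[7]["bandwidth"], receiver.channel_table[7]["bandwidth"])
    exchange(initiator, receiver, Msg("BW_UPDATE_REQ", 7, {"bandwidth": 500}))
    bw_after_update = (initiator.channel_table[7]["bandwidth"], receiver.channel_table[7]["bandwidth"])
    exchange(initiator, receiver, Msg("TERMINATE_REQ", 7))
    stranger = Node(9, "unknown", "10.0.0.9")                 # not in the policy table
    exchange(stranger, receiver, stranger.establish_request(8, 3, 10))
    exchange(initiator, receiver, Msg("BW_UPDATE_REQ", 42, {"bandwidth": 1}))  # never established
    return {"bw_after_establish": bw_after_establish, "bw_after_update": bw_after_update,
            "tables_after_close": (initiator.channel_table, receiver.channel_table),
            "stranger_table": stranger.channel_table, "receiver_events": receiver.routing_events}
```

Keeping the policy lookup on the receiver side, before any channel table entry is written, is the property worth preserving in a real implementation: state is only allocated for peers the policy table knows, so an unknown node cannot exhaust channel table entries with establishment requests.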
In some embodiments, step S5 specifically includes:
the processing procedure when the initiator sends a message comprises the following steps:
step S51, the virtual interface driver layer preprocesses the message, encapsulates the virtual channel parameter information corresponding to the virtual interface according to the data structure information stored in the virtual logical port, and sends the message to the interface;
step S52, the interface completes the mapping to the virtual channel according to the virtual interface parameter information in the Ethernet header, and finally sends out the message;
the processing procedure when the receiver receives a message is as follows:
step S53, when the receiver receives the message, after virtual channel mapping processing, the "physical port + plane" information is added to the Ethernet header;
step S54, after the virtual interface driver receives the packet, it matches the virtual logical port based on the virtual channel information, adds the interface pointer corresponding to the virtual logical port in the data structure of the virtual interface driver, and sends the packet to the protocol stack kernel for subsequent processing, so that the virtual router can correctly identify the destination of the received packet.
FIG. 4 is an architecture diagram of a routing device supporting plane isolation according to an embodiment of the present invention. To support plane isolation, the router provides a virtual router function; as shown in fig. 4, multiple different virtual routers (VRs) can be created and mapped to different VR IDs.
FIG. 5 is a diagram of the virtual interface naming convention according to an embodiment of the invention. As shown in fig. 5, the router's common virtual interface driver module is responsible for creating and managing the mapping of logical ports to the distributed interfaces "physical port + plane", and the interface names of the virtual logical ports correspond one-to-one with "physical port + plane".
When the router sends a message: the virtual interface driver layer preprocesses the message, encapsulates the virtual channel parameter information corresponding to the virtual interface in the Ethernet header of the message according to the data structure information stored in the virtual logical port, and sends the message to the interface; the interface completes the mapping to the virtual channel according to the virtual interface parameter information in the Ethernet header and finally sends the message out.
When the router receives a message: after virtual channel mapping processing, the "physical port + plane" information is added to the Ethernet header; when the virtual interface driver receives the message, it matches the virtual logical port based on the virtual channel information, adds the interface pointer corresponding to the virtual logical port in the data structure of the virtual interface driver, and sends the message to the protocol stack kernel for subsequent processing, so that the virtual router can correctly identify the destination of the received message.
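The "physical port + plane" to virtual logical port mapping of steps S51 to S54 and figs. 4 and 5, as an added example that is not code from the patent. The Ethernet header tag layout, the EtherType value, the `eth<port>.<plane>` naming pattern, the VR IDs and the virtual channel numbers are all assumptions, since the text leaves the naming rule and stored data structure open. It separates the two roles the text describes: the interface board stamps the ingress physical port and the plane derived from its virtual channel map into the header (S53), and the driver matches that pair to a logical port and its virtual router (S54); a plane label that arrives on the wire is therefore overwritten rather than trusted.

```python
# Added example (not code from the patent): 'physical port + plane' to virtual
# logical port mapping with the virtual channel parameters carried in an
# Ethernet header tag. Tag layout, EtherType, names and VR IDs are assumptions.
import struct
from typing import Dict, Optional, Tuple

PLANES = {1: "ctl", 2: "mgmt", 3: "svc"}   # plane number -> name (assumed)
ETHERTYPE_VCHAN = 0x88B5                   # assumed: IEEE 802 local experimental EtherType
TAG_FMT = ">HBBH"                          # ethertype | physical port | plane | virtual channel no.
TAG_LEN = struct.calcsize(TAG_FMT)
MAC_LEN = 12                               # destination MAC + source MAC


class VirtualInterfaceDriver:
    """Creates logical ports named 'eth<port>.<plane>' and binds each one to a virtual router."""

    def __init__(self) -> None:
        self.logical_ports: Dict[Tuple[int, int], str] = {}   # (physical port, plane) -> name
        self.vr_of_port: Dict[str, int] = {}                  # logical port name -> VR ID

    def create_logical_port(self, phys_port: int, plane: int, vr_id: int) -> str:
        name = f"eth{phys_port}.{PLANES[plane]}"              # one-to-one with (port, plane)
        self.logical_ports[(phys_port, plane)] = name
        self.vr_of_port[name] = vr_id
        return name

    def send(self, phys_port: int, plane: int, vchan: int,
             dst_mac: bytes, src_mac: bytes, payload: bytes) -> bytes:
        """S51/S52: encapsulate the virtual channel parameters in the Ethernet header."""
        if (phys_port, plane) not in self.logical_ports:
            raise KeyError(f"no logical port for physical port {phys_port}, plane {plane}")
        return dst_mac + src_mac + struct.pack(TAG_FMT, ETHERTYPE_VCHAN, phys_port, plane, vchan) + payload

    def receive(self, frame: Optional[bytes]) -> Optional[Tuple[str, int, bytes]]:
        """S54: match the virtual logical port; return (port name, VR ID, payload) for the
        protocol stack, or None when the frame binds to no logical port (dropped)."""
        if frame is None or len(frame) < MAC_LEN + TAG_LEN:
            return None
        ethertype, phys_port, plane, _vchan = struct.unpack_from(TAG_FMT, frame, MAC_LEN)
        if ethertype != ETHERTYPE_VCHAN:
            return None
        name = self.logical_ports.get((phys_port, plane))
        if name is None:
            return None
        return name, self.vr_of_port[name], frame[MAC_LEN + TAG_LEN:]


class Interface:
    """Interface board side: maps virtual channel numbers to planes and stamps ingress frames."""

    def __init__(self, vchan_to_plane: Dict[int, int]) -> None:
        self.vchan_to_plane = vchan_to_plane

    def ingress(self, phys_port: int, wire_frame: bytes) -> Optional[bytes]:
        """S53: after virtual channel mapping, write 'physical port + plane' into the header.
        Port and plane come from the local ingress port and the channel map, never from the wire."""
        if len(wire_frame) < MAC_LEN + TAG_LEN:
            return None
        ethertype, _port, _plane, vchan = struct.unpack_from(TAG_FMT, wire_frame, MAC_LEN)
        plane = self.vchan_to_plane.get(vchan)
        if ethertype != ETHERTYPE_VCHAN or plane is None:
            return None                                       # unknown virtual channel: drop
        tag = struct.pack(TAG_FMT, ETHERTYPE_VCHAN, phys_port, plane, vchan)
        return wire_frame[:MAC_LEN] + tag + wire_frame[MAC_LEN + TAG_LEN:]


def demo_mapping() -> dict:
    drv = VirtualInterfaceDriver()
    for plane, vr in ((1, 0), (2, 1), (3, 2)):                # eth1.ctl->VR0, eth1.mgmt->VR1, eth1.svc->VR2
        drv.create_logical_port(1, plane, vr)
    ifc = Interface({101: 1, 102: 2, 103: 3})                 # virtual channel numbers (constructed)
    dst, src = b"\x02" * 6, b"\x04" * 6                       # constructed locally administered MACs
    wire = drv.send(1, 3, 103, dst, src, b"service payload")
    ok = drv.receive(ifc.ingress(1, wire))
    # A wire tag claiming the management plane on a service channel is re-stamped
    # by the interface and still lands on the service port.
    mislabelled = wire[:MAC_LEN] + struct.pack(TAG_FMT, ETHERTYPE_VCHAN, 1, 2, 103) + wire[MAC_LEN + TAG_LEN:]
    restamped = drv.receive(ifc.ingress(1, mislabelled))
    unknown = ifc.ingress(1, drv.send(1, 3, 999, dst, src, b"x"))   # no such virtual channel
    untagged = drv.receive(dst + src + b"\x08\x00" + b"\x45" * 20)  # plain IPv4 frame, no tag
    return {"ok": ok, "restamped": restamped, "unknown": unknown, "untagged": untagged,
            "ports": sorted(drv.logical_ports.values())}
```

The interface's `ingress` is where the isolation is enforced on the receive side: because the plane is recomputed from the local virtual channel map, a logical port can only ever see frames that arrived on its own channel, and the driver's lookup then decides which virtual router gets the packet.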
In a second aspect, the invention discloses a security plane isolation system based on channel division. The transmission link between network devices comprises three mutually independent logical channels, namely a control channel, a management channel and a service channel, which form a control plane, a management plane and a service plane respectively; one or more of the control channel, the management channel and the service channel coexist on the transmission link; each channel is bidirectional, the channels are isolated from each other, and the messages in each channel are transmitted independently. FIG. 6 is a block diagram of a security plane isolation system based on channel division according to an embodiment of the present invention; as shown in fig. 6, the system 600 includes:
a first processing unit 601, configured to perform channel establishment and parameter negotiation: the initiator sends a channel establishment request message to the receiver; the receiver receives and processes the channel establishment request message and sends a channel establishment response message to the initiator; the initiator receives and processes the channel establishment response message to complete parameter negotiation. The initiator and the receiver each comprise a routing module, a channel table, an encryption module and an interface;
a second processing unit 602, configured to perform, after the channel is established, secure transmission of plane services: when the initiator needs to send a message, it encrypts the message and sends the encrypted message to the receiver; the receiver receives and decrypts the encrypted message, queries the corresponding channel table and hands the message to the corresponding upper-layer software according to the channel type;
a third processing unit 603, configured to update, after the channel is established, the channel bandwidth: when the receiver receives a message indicating that the channel bandwidth configuration has changed, and the receiver has completed channel establishment, the channel bandwidth update process is triggered and the channel bandwidth is updated;
a fourth processing unit 604, configured to execute, after the channel is established, channel closing, triggered by deletion of the network-management configuration or failure of the peer device: the initiator actively closes the channel link between itself and the receiver; the initiator and the receiver each close the channel and the link, clear the information in their respective channel tables and return the interface to its initial stage, reply a channel termination response to the initiator, and at the same time notify the routing module of the channel state;
a fifth processing unit 605, configured to perform, after the channel is established, the processing procedure when the initiator sends a message and the processing procedure when the receiver sends a message: the mapping from the physical port, the plane and the virtual link on the interface board to the logical port is implemented by the virtual interface driver, thereby isolating the service layer.
According to the system of the second aspect of the present invention, the first processing unit 601 is specifically configured to perform the following steps:
step S11, the initiator sends a channel establishment request message carrying IP and bandwidth parameters to the receiver;
step S12, the receiver receives the channel establishment request message and extracts the parameter information from it, matches the parameter negotiation policy table based on the node number and the device type to determine the negotiation parameters, and completes the parameter negotiation;
step S13, after parameter negotiation, the receiver sends a channel establishment response message to the initiator, configures its channel table and notifies the routing module of the channel connection state and the parameter information;
step S14, after the initiator receives the channel establishment response message and completes parameter negotiation, it configures its channel table and reports the channel connection state and the parameter information to the routing module.
According to the system of the second aspect of the present invention, the second processing unit 602 is specifically configured to perform the following steps:
step S21, when the initiator needs to send a message, the port number is looked up by the algorithm in the routing module, then the channel table is queried by channel type to find the corresponding channel; the channel is matched based on the security mark, the message is encapsulated and sent to the encryption module for encryption and integrity calculation to form an encrypted message, and the encrypted message is sent to the receiver through the interface;
step S22, when the receiver receives the encrypted message, it sends the encrypted message to the encryption module for decryption and integrity check, queries the corresponding channel table, and hands the message to the corresponding upper-layer software according to the channel type.
According to the system of the second aspect of the present invention, the third processing unit 603 is specifically configured to perform the following steps:
step S31, the initiator sends a channel bandwidth update request carrying the new channel bandwidth information;
step S32, after the receiver receives the channel update request and completes channel negotiation, it updates its channel table and at the same time sends a channel update response to the routing module to update the bandwidth information of the real-link virtual network card in the routing module;
step S33, the initiator receives the channel update response and sends it to the routing module to update the bandwidth information of the real-link virtual network card in the routing module.
According to the system of the second aspect of the present invention, the fourth processing unit 604 is specifically configured to perform the following steps:
step S41, the initiator actively closes the channel link with the receiver and sends a channel termination request to the receiver;
step S42, the receiver closes the channel and the link, clears the information in its channel table, returns the interface to its initial stage, replies a channel termination response to the initiator, and at the same time announces the channel state to the routing module;
step S43, after receiving the channel update response, the initiator closes the channel and the link, clears the information in its channel table, returns the interface to its initial stage, replies the channel termination response to the initiator, and notifies the routing module of the channel state.
According to the system of the second aspect of the present invention, the fifth processing unit 605 is specifically configured to perform the following steps:
the processing procedure when the initiator sends a message comprises the following steps:
step S51, the virtual interface driver layer preprocesses the message, encapsulates the virtual channel parameter information corresponding to the virtual interface according to the data structure information stored in the virtual logical port, and sends the message to the interface;
step S52, the interface completes the mapping to the virtual channel according to the virtual interface parameter information in the Ethernet header, and finally sends out the message;
the processing procedure when the receiver receives a message is as follows:
step S53, when the receiver receives the message, after virtual channel mapping processing, the "physical port + plane" information is added to the Ethernet header;
step S54, after the virtual interface driver receives the packet, it matches the virtual logical port based on the virtual channel information, adds the interface pointer corresponding to the virtual logical port in the data structure of the virtual interface driver, and sends the packet to the protocol stack kernel for subsequent processing, so that the virtual router can correctly identify the destination of the received packet.
According to the system of the second aspect of the present invention, the initiator and the receiver are routers that provide a virtual router function, and the initiator and the receiver are multiple different virtual routers.
A third aspect of the invention discloses an electronic device. The electronic device comprises a memory and a processor; the memory stores a computer program, and when the processor executes the computer program it implements the steps of the security plane isolation method based on channel division according to any one of the embodiments of the first aspect of the disclosure.
Fig. 7 is a block diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 7, the electronic device includes a processor, a memory, a communication interface, a display screen and an input device, which are connected by a system bus. The processor of the electronic device provides computing and control capabilities. The memory of the electronic device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The communication interface of the electronic device is used for wired or wireless communication with an external terminal; wireless communication can be realized through Wi-Fi, an operator network, Near Field Communication (NFC) or other technologies. The display screen of the electronic device can be a liquid crystal display or an electronic ink display, and the input device can be a touch layer covering the display screen, a key, a trackball or touch pad arranged on the housing of the electronic device, or an external keyboard, touch pad or mouse.
It will be understood by those skilled in the art that the structure shown in fig. 7 is only a partial block diagram of the structure related to the technical solution of the present disclosure and does not limit the electronic device to which the solution is applied; a specific electronic device may include more or fewer components than shown in the drawing, combine some components, or arrange the components differently.
A fourth aspect of the invention discloses a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the security plane isolation method based on channel division according to any one of the embodiments of the first aspect of the present disclosure.
In summary, the technical scheme provided by the invention supports channel establishment and parameter negotiation, plane service transmission, channel bandwidth update and channel closing, thereby realizing channel-based plane isolation and secure service transmission. At the same time, the scheme supports a standard virtual router function and implements the mapping from the physical port, the plane and the virtual link on the interface board to the logical port through the virtual interface driver, thereby isolating the service layer. The naming rule of the mapping relation, the format of the stored data structure, the default parameter settings and the like of the plane isolation architecture are not limited.
The scheme provides a security plane isolation method based on channel division which designs plane isolation, routing function and security as a whole: the control plane, the management plane and the service plane are isolated from each other, and services within a plane are transmitted encrypted; the router architecture supports plane isolation, and services can be forwarded in isolation for the different planes.
It should be noted that the technical features of the above embodiments can be combined arbitrarily; for the sake of brevity, not all possible combinations of the technical features in the above embodiments are described, but as long as there is no contradiction between the combined technical features, they should be considered within the scope of this description. The above embodiments express only several embodiments of the present application, and their description is relatively specific and detailed, but this is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A security plane isolation method based on channel division, characterized in that:
the transmission link between network devices comprises three mutually independent logical channels, namely a control channel, a management channel and a service channel, which form a control plane, a management plane and a service plane respectively; one or more of the control channel, the management channel and the service channel coexist on the transmission link; each channel is bidirectional, the channels are isolated from each other, and the messages in each channel are transmitted independently;
the method comprises the following steps:
step S1, channel establishment and parameter negotiation: the initiator sends a channel establishment request message to the receiver; the receiver receives and processes the channel establishment request message and sends a channel establishment response message to the initiator; the initiator receives and processes the channel establishment response message to complete parameter negotiation; the initiator and the receiver each comprise a routing module, a channel table, an encryption module and an interface;
step S2, after the channel is established, secure transmission of plane services: when the initiator needs to send a message, it encrypts the message and sends the encrypted message to the receiver; the receiver receives and decrypts the encrypted message, queries the corresponding channel table and hands the message to the corresponding upper-layer software according to the channel type;
step S3, after the channel is established, channel bandwidth update: when the receiver receives a message indicating that the channel bandwidth configuration has changed, and the receiver has completed channel establishment, the channel bandwidth update process is triggered and the channel bandwidth is updated;
step S4, after the channel is established, channel closing, triggered by deletion of the network-management configuration or failure of the peer device: the initiator actively closes the channel link between itself and the receiver; the initiator and the receiver each close the channel and the link, clear the information in their respective channel tables and return the interface to its initial stage, reply a channel termination response to the initiator, and at the same time notify the routing module of the channel state;
step S5, after the channel is established, the processing procedure when the initiator sends a message and the processing procedure when the receiver sends a message: the mapping from the physical port, the plane and the virtual link on the interface board to the logical port is implemented by the virtual interface driver, thereby isolating the service layer.
2. The security plane isolation method based on channel division according to claim 1, characterized in that step S1 specifically includes:
step S11, the initiator sends a channel establishment request message carrying IP and bandwidth parameters to the receiver;
step S12, the receiver receives the channel establishment request message and extracts the parameter information from it, matches the parameter negotiation policy table based on the node number and the device type to determine the negotiation parameters, and completes the parameter negotiation;
step S13, after parameter negotiation, the receiver sends a channel establishment response message to the initiator, configures its channel table and notifies the routing module of the channel connection state and the parameter information;
step S14, after the initiator receives the channel establishment response message and completes parameter negotiation, it configures its channel table and reports the channel connection state and the parameter information to the routing module.
3. The security plane isolation method based on channel division according to claim 2, characterized in that step S2 specifically includes:
step S21, when the initiator needs to send a message, the port number is looked up by the algorithm in the routing module, then the channel table is queried by channel type to find the corresponding channel; the channel is matched based on the security mark, the message is encapsulated and sent to the encryption module for encryption and integrity calculation to form an encrypted message, and the encrypted message is sent to the receiver through the interface;
step S22, when the receiver receives the encrypted message, it sends the encrypted message to the encryption module for decryption and integrity check, queries the corresponding channel table, and hands the message to the corresponding upper-layer software according to the channel type.
4. The security plane isolation method based on channel division according to claim 3, characterized in that step S3 specifically includes:
step S31, the initiator sends a channel bandwidth update request carrying the new channel bandwidth information;
step S32, after the receiver receives the channel update request and completes channel negotiation, it updates its channel table and at the same time sends a channel update response to the routing module to update the bandwidth information of the real-link virtual network card in the routing module;
step S33, the initiator receives the channel update response and sends it to the routing module to update the bandwidth information of the real-link virtual network card in the routing module.
5. The security plane isolation method based on channel division according to claim 4, characterized in that step S4 specifically includes:
step S41, the initiator actively closes the channel link with the receiver and sends a channel termination request to the receiver;
step S42, the receiver closes the channel and the link, clears the information in its channel table, returns the interface to its initial stage, replies a channel termination response to the initiator, and at the same time announces the channel state to the routing module;
step S43, after receiving the channel update response, the initiator closes the channel and the link, clears the information in its channel table, returns the interface to its initial stage, replies the channel termination response to the initiator, and notifies the routing module of the channel state.
6. The method for isolating a security plane based on channel division according to claim 5, wherein in the step S5, the method specifically includes:
the processing procedure when the initiator sends the message comprises the following steps:
step S51, the virtual interface driver layer preprocesses the message, encapsulates the virtual channel parameter information corresponding to the virtual interface according to the data structure information stored in the virtual logical port, and sends the result to the interface;
step S52, the interface completes the mapping to the virtual channel according to the virtual interface parameter information in the Ethernet header, and finally sends out the message;
the processing procedure when the receiver receives the message comprises the following steps:
step S53, when the receiver receives the message, after virtual channel mapping processing, the plane information of the physical port is added to the Ethernet header;
step S54, after the virtual interface driver receives the packet, it matches the virtual logical port based on the virtual channel information, adds an interface pointer corresponding to the virtual logical port in the data structure of the virtual interface driver, and sends the packet to the protocol stack kernel for subsequent processing, so that the virtual router can correctly identify the destination of the received packet.
7. The method of any one of claims 1 to 6, wherein the initiator and the receiver are routers, the routers have a virtual router function, and the initiator and the receiver are a plurality of different virtual routers.
8. A security plane isolation system based on channel division is characterized in that a transmission link among network devices comprises three mutually independent logical channels, namely a control channel, a management channel and a service channel, which correspondingly form a control plane, a management plane and a service plane; one or more of the control channel, the management channel and the service channel coexist on the transmission link; each channel is a bidirectional channel, the channels are isolated from each other, and messages in the channels are transmitted independently; the system comprises:
a first processing unit configured to perform channel establishment and parameter negotiation: sending a channel establishment request message to a receiver by an initiator, receiving and processing the channel establishment request message by the receiver, sending a channel establishment response message to the initiator by the receiver, receiving and processing the channel establishment response message by the initiator to complete parameter negotiation; the initiator and the receiver comprise a routing module, a channel table, an encryption module and an interface;
a second processing unit configured to, after the channel is established, perform secure transmission of plane traffic: when the initiator needs to send a message, encrypting the message and sending the encrypted message to the receiver; the receiver receives the encrypted message, decrypts it, queries the corresponding channel table and submits the message to the corresponding upper-layer software according to the channel type;
a third processing unit configured to update the bandwidth of the channel after the channel is established: when the receiver receives the message that the channel bandwidth configuration is changed, if the receiver completes the channel establishment, the channel bandwidth updating process is triggered, and the bandwidth of the channel is updated;
a fourth processing unit configured to, after the channel is established, execute channel closing on network management configuration deletion or peer device failure: the initiator actively closes the channel link between the initiator and the receiver, and the initiator and the receiver respectively close the channel and the link and clear the information of their respective channel tables to return to the initial stage of the interface, reply with a channel termination response to the initiator and at the same time inform the routing module of the channel state;
a fifth processing unit configured to, after the channel is established, perform the processing procedure when the initiator sends a packet and the processing procedure when the receiver receives a packet: the mapping from the physical port, the plane and the virtual link on the interface board to the logical port is realized through the virtual interface driver, thereby realizing the isolation of the service layer.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the method for isolating a security plane based on channel partition according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the steps of a method for secure plane isolation based on channel partitioning as claimed in any one of claims 1 to 7.
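The following is an added illustrative model of the channel lifecycle and the receive path of claims 1 to 8 (establishment S1, encrypted transmission S2, bandwidth update S3, termination S4); it is not the patent's implementation. It assumes a link key negotiated in S1 and shared by initiator and receiver, a 2-byte channel identifier carried in the clear in each frame, and an HMAC-SHA256 counter-mode keystream plus HMAC tag standing in for the encryption module, so that a message can only reach the upper-layer software of the plane its channel table entry names.

```python
import hmac, hashlib, os

PLANES = ("control", "management", "service")   # the three logical channels

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: stand-in for the encryption module."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class Endpoint:
    """Initiator or receiver: channel table, routing module (bandwidth view),
    link key (assumed negotiated in S1) and one upper-layer inbox per plane."""
    def __init__(self, link_key: bytes):
        self.key = link_key
        self.channel_table = {}            # channel_id -> {"plane", "bandwidth"}
        self.routing_module = {}           # channel_id -> bandwidth (kbps)
        self.upper_layer = {p: [] for p in PLANES}

    def establish(self, channel_id, plane, bandwidth):    # S1 (negotiation done)
        if plane not in PLANES:
            raise ValueError("channel type must be control/management/service")
        self.channel_table[channel_id] = {"plane": plane, "bandwidth": bandwidth}
        self.routing_module[channel_id] = bandwidth

    def update_bandwidth(self, channel_id, bandwidth):    # S3: established channels only
        self.channel_table[channel_id]["bandwidth"] = bandwidth
        self.routing_module[channel_id] = bandwidth

    def terminate(self, channel_id):                      # S4: clear table, tell routing
        del self.channel_table[channel_id]
        self.routing_module.pop(channel_id, None)

    def send(self, channel_id, payload: bytes) -> bytes:  # S21: encrypt, then tag
        if channel_id not in self.channel_table:
            raise KeyError("channel not established")
        hdr = channel_id.to_bytes(2, "big") + os.urandom(12)   # id in clear + nonce
        ks = _keystream(self.key, hdr[2:], len(payload))
        ct = bytes(x ^ k for x, k in zip(payload, ks))
        return hdr + ct + hmac.new(self.key, hdr + ct, hashlib.sha256).digest()

    def receive(self, frame: bytes):                      # S22: check, look up, dispatch
        hdr, ct, tag = frame[:14], frame[14:-32], frame[-32:]
        expect = hmac.new(self.key, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return None                                   # integrity failure: drop
        entry = self.channel_table.get(int.from_bytes(hdr[:2], "big"))
        if entry is None:
            return None                                   # unknown or closed channel: drop
        payload = bytes(x ^ k for x, k in zip(ct, _keystream(self.key, hdr[2:], len(ct))))
        self.upper_layer[entry["plane"]].append(payload)  # only this plane's software sees it
        return entry["plane"]
```

Because the channel identifier is covered by the tag, a frame re-labelled from the service channel to the control channel fails the integrity check and never reaches control-plane software.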
CN202111427304.2A 2021-11-29 2021-11-29 Security plane isolation method and system based on channel division Active CN113839968B (en)


Publications (2)

Publication Number Publication Date
CN113839968A CN113839968A (en) 2021-12-24
CN113839968B true CN113839968B (en) 2022-02-18

Family

ID=78971784


Country Status (1)

Country Link
CN (1) CN113839968B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827692B (en) * 2023-08-28 2023-11-21 北京华耀科技有限公司 Secure communication method and secure communication system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102891835A (en) * 2011-07-20 2013-01-23 桂林长海科技有限责任公司 Security isolation method for multi-network access of computer terminal

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601550B (en) * 2014-12-24 2020-08-11 国家电网公司 Reverse isolation file transmission system and method based on cluster array
US10120809B2 (en) * 2015-09-26 2018-11-06 Intel Corporation Method, apparatus, and system for allocating cache using traffic class
CN111654322A (en) * 2020-06-03 2020-09-11 贵州电网有限责任公司 Electric power data transmission method and device based on parallel processing and storage medium
CN112910749B (en) * 2021-01-18 2022-02-01 国汽智控(北京)科技有限公司 CAN channel connection equipment identification method and data transmission method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant