CN114024933A - Address protection method and device, network equipment and computer storage medium - Google Patents

Publication number
CN114024933A
Authority
CN
China
Prior art keywords
address
data packet
node
intranet
management node
Prior art date
Legal status
Pending
Application number
CN202010691089.6A
Other languages
Chinese (zh)
Inventor
何申
程叶霞
付俊
李江
李肖肖
陈福祥
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2539 Hiding addresses; Keeping addresses anonymous
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden

Abstract

The embodiment of the invention discloses an address protection method, an address protection device, network equipment and a computer storage medium. The method comprises the following steps: an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address; the intranet router judges whether the acquisition node address is the address of an intranet management node; if the acquisition node address is not the address of the intranet management node, the intranet router sends a second data packet to the intranet management node, wherein the second data packet is used for instructing the intranet management node to send an Internet Protocol version 6 (IPv6) address converted according to a first conversion mode to the acquisition node address; the second data packet comprises the acquisition node address.

Description

Address protection method and device, network equipment and computer storage medium
Technical Field
The invention relates to the field of internet security, in particular to an address protection method, an address protection device, network equipment and a computer storage medium.
Background
With the rapid development of technologies such as the mobile Internet and the Internet of Things, and the rapid adoption of communication network technologies such as 5G, the Internet Protocol version 4 (IPv4) address space has been fully allocated, and the next-generation Internet based on Internet Protocol version 6 (IPv6) has made great progress in network deployment, application construction, and the like. However, as IPv6 develops, network vulnerabilities and network attacks against IPv6 continue to emerge, and its development and application face various challenges and problems. Among them, fast scanning of IPv6 addresses and protection of IPv6 addresses are two key challenges.
Where IPv6 addresses can be rapidly scanned, they need to be protected in order to improve the privacy protection and auditability of IPv6 assets; at present, there is no effective solution for protecting IPv6 addresses.
Disclosure of Invention
In order to solve the existing technical problem, embodiments of the present invention provide an address protection method, apparatus, network device, and computer storage medium.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
in a first aspect, an embodiment of the present invention provides an address protection method, where the method includes:
an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address;
judging whether the acquisition node address is the address of an intranet management node;
if the acquisition node address is not the address of the intranet management node, sending a second data packet to the intranet management node, wherein the second data packet is used for indicating the intranet management node to send the IPv6 address converted according to the first conversion mode to the acquisition node address; the second data packet comprises the acquisition node address.
In the above scheme, the method further comprises: and if the acquisition node address is the address of the intranet management node, sending a real IPv6 address to the acquisition node address.
In the above scheme, the method further comprises:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, converting a destination address in the scanning task data packet according to a second conversion mode, and forwarding the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In the above scheme, the method further comprises:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, sending a third data packet to the intranet management node, wherein the third data packet is used for instructing the intranet management node to forward the scanning task data packet after the destination address in the scanning task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In the above scheme, the method further comprises:
and if the acquisition node is the intranet management node, forwarding the scanning task data packet.
In the above solution, if the acquisition node address is not the address of the intranet management node, the method further includes: and the intranet router saves the acquisition node address and discards the first data packet.
In a second aspect, an embodiment of the present invention further provides an address protection method, where the method includes:
the intranet management node receives a second data packet sent by the intranet router; the second data packet is sent when the intranet router judges that the collection node address in the received first data packet is not the address of the intranet management node; the second data packet comprises an acquisition node address;
and converting the acquired IPv6 address according to a first conversion mode based on the second data packet, and sending the converted IPv6 address to the acquisition node address.
In the above scheme, the method further comprises:
the intranet management node receives a third data packet sent by the intranet router; the third data packet is sent when the intranet router judges that the address of the acquisition node in the received scanning task data packet is not the address of the intranet management node;
the intranet management node converts the destination address in the scanning task data packet according to a second conversion mode and forwards the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In a third aspect, an embodiment of the present invention further provides an address protection device, where the address protection device includes: a first receiving unit, a first processing unit and a first sending unit; wherein
the first receiving unit is configured to receive a first data packet, where the first data packet includes an acquisition node address;
the first processing unit is used for judging whether the acquisition node address is the address of an intranet management node;
the first sending unit is configured to send a second data packet to an intranet management node if the first processing unit determines that the acquisition node address is not the address of the intranet management node, where the second data packet is used to instruct the intranet management node to send the Internet Protocol version 6 (IPv6) address converted according to the first conversion mode to the acquisition node address; the second data packet comprises the acquisition node address.
In the foregoing solution, the first sending unit is further configured to send a real IPv6 address to the collection node address if the first processing unit determines that the collection node address is an address of an intranet management node.
In the above scheme, the first receiving unit is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the first processing unit is further configured to perform conversion processing on a destination address in the scan task data packet according to a second conversion manner if the address of the acquisition node is not the address of the intranet management node; the second conversion mode is the reverse conversion process of the first conversion mode; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the first sending unit is further configured to forward the scan task data packet after the destination address conversion processing.
In the above scheme, the first receiving unit is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the first sending unit is further configured to send a third data packet to the intranet management node if the address of the acquisition node is not the address of the intranet management node, where the third data packet is used to instruct the intranet management node to forward the scan task data packet after the destination address in the scan task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In the above scheme, the first sending unit is further configured to forward the scan task data packet if the acquisition node is the intranet management node.
In the above scheme, the apparatus further includes a first storage unit, configured to store the acquisition node address if the acquisition node address is not an address of an intranet management node;
the first processing unit is further configured to discard the first data packet.
In a fourth aspect, an embodiment of the present invention further provides an address protection device, where the address protection device includes: a second receiving unit, a second processing unit and a second sending unit; wherein
the second receiving unit is configured to receive a second data packet sent by the intranet router; the second data packet is sent when the intranet router judges that the collection node address in the received first data packet is not the address of the intranet management node; the second data packet comprises an acquisition node address;
the second processing unit is configured to perform conversion processing on the acquired IPv6 address according to a first conversion manner based on the second data packet;
and the second sending unit is used for sending the converted IPv6 address to the acquisition node address.
In the above scheme, the second receiving unit is further configured to receive a third data packet sent by the intranet router; the third data packet is sent when the intranet router judges that the address of the acquisition node in the received scanning task data packet is not the address of the intranet management node;
the second processing unit is further configured to perform conversion processing on a destination address in the scan task data packet according to a second conversion manner; wherein the second conversion mode is the reverse conversion process of the first conversion mode; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
and the second sending unit is further configured to forward the scan task data packet after the destination address conversion processing.
In a fifth aspect, an embodiment of the present invention further provides an address protection method, where the method includes:
an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address;
judging whether the acquisition node address is the address of an intranet management node;
and if the acquisition node address is not the address of the intranet management node, sending the IPv6 address converted according to the first conversion mode to the acquisition node address.
In the above scheme, the method further comprises: and if the acquisition node address is the address of the intranet management node, sending a real IPv6 address to the acquisition node address.
In the above scheme, the method further comprises:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, converting a destination address in the scanning task data packet according to a second conversion mode, and forwarding the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In the above scheme, the method further comprises:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, sending a third data packet to the intranet management node, wherein the third data packet is used for instructing the intranet management node to forward the scanning task data packet after the destination address in the scanning task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In the above scheme, the method further comprises:
and if the acquisition node is the intranet management node, forwarding the scanning task data packet.
In the above solution, if the acquisition node address is not the address of the intranet management node, the method further includes:
and the intranet router saves the acquisition node address and discards the first data packet.
In a sixth aspect, an embodiment of the present invention further provides an address protection device, where the address protection device includes: a third receiving unit, a third processing unit and a third sending unit; wherein
the third receiving unit is configured to receive a first data packet, where the first data packet includes an acquisition node address;
the third processing unit is used for judging whether the acquisition node address is the address of an intranet management node;
and the third sending unit is configured to send the IPv6 address converted in the first conversion manner to the collection node address if the third processing unit determines that the collection node address is not the address of the intranet management node.
In the foregoing solution, the third sending unit is further configured to send a real IPv6 address to the collection node address if the third processing unit determines that the collection node address is an address of an intranet management node.
In the above scheme, the third receiving unit is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the third processing unit is further configured to, if the address of the acquisition node is not the address of the intranet management node, perform conversion processing on the destination address in the scan task data packet according to a second conversion method, where the second conversion method is an inverse conversion process of the first conversion method; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the third sending unit is further configured to forward the scan task data packet after the destination address conversion processing.
In the above scheme, the third receiving unit is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the third sending unit is further configured to send a third data packet to the intranet management node if the address of the acquisition node is not the address of the intranet management node, where the third data packet is used to instruct the intranet management node to forward the scan task data packet after the destination address in the scan task data packet is converted according to a second conversion method; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In the above scheme, the third sending unit is further configured to forward the scan task data packet if the acquisition node is the intranet management node.
In the above solution, the apparatus further includes a second storage unit, configured to store the acquisition node address if the acquisition node address is not the address of the intranet management node;
the third processing unit is further configured to discard the first data packet.
In a seventh aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the address protection method according to the first aspect, the second aspect, or the fifth aspect of the embodiment of the present invention.
In an eighth aspect, an embodiment of the present invention further provides a network device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the steps of the address protection method according to the first aspect, the second aspect, or the fifth aspect of the embodiment of the present invention.
The embodiment of the invention provides an address protection method, an address protection device, network equipment and a computer storage medium, wherein the method comprises the following steps: an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address; judging whether the acquisition node address is the address of an intranet management node; if the acquisition node address is not the address of the intranet management node, sending a second data packet to the intranet management node, wherein the second data packet is used for indicating the intranet management node to send the IPv6 address converted according to the first conversion mode to the acquisition node address; the second data packet comprises the acquisition node address. By adopting the technical scheme of the embodiment of the invention, under the condition that the acquisition node is not an intranet management node, the IPv6 address of the acquisition node to be sent to the non-intranet is converted, and the converted IPv6 address is sent to the non-intranet acquisition node, so that the protection of the IPv6 address is realized, the privacy of the IPv6 address is improved, the risk of network asset exposure is reduced, and the overall safety protection of the network is improved.
Drawings
FIG. 1 is a schematic diagram of a system architecture for applying an address protection method according to an embodiment of the present invention;
FIG. 2 is a first flowchart illustrating an address protection method according to an embodiment of the present invention;
FIG. 3 is a first schematic interaction flow chart of an address protection method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating an interaction flow of an address protection method according to an embodiment of the present invention;
FIG. 5 is a first block diagram of an address protection device according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a second exemplary embodiment of an address protection device;
FIG. 7 is a second flowchart illustrating an address protection method according to an embodiment of the present invention;
FIG. 8 is a third schematic diagram illustrating a structure of an address protection device according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a hardware component structure of a network device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a schematic diagram of a system architecture for applying an address protection method according to an embodiment of the present invention; as shown in fig. 1, the system may include network devices for both intranet and non-intranet networks. The network device of the intranet may include each terminal node with an IPv6 address in the intranet, an intranet router, an operator management node of the intranet (i.e., an intranet management node in the following embodiments of the present invention), an upper-level router and a scanner of the intranet router, and the like; the non-intranet network devices may include: a collection node of a non-intranet, an upper-level router and a scanner of the non-intranet, and the like.
The terminal node with the IPv6 address can be various networking devices such as a notebook computer, a desktop computer, Internet of things equipment and industrial Internet equipment.
The intranet router refers to a router in a routing path of an intranet network; the number of the intranet routers in this embodiment may be one or more.
The operator management node of the intranet (i.e., the intranet management node in the following embodiments of the present invention) is a node having an IPv6 address management authority in the operator of the intranet network, and may also be understood as a Collection node (Collection Point) of the intranet. The IP address of the intranet operator management node needs to be configured in advance on each device in the intranet.
Wherein, the upper level router of the intranet router is the upper level router of the intranet boundary router, or the upper level router of the intranet boundary router, and so on. The upper-level router of the intranet router is a non-intranet router, and may be, for example, a router of an operator.
The non-intranet collection nodes are collection nodes except an intranet operator management node and belong to non-intranet nodes.
The scanner is a device for scanning the terminal device, and the scanner and the acquisition node have a linkage relation. The scanner can be a scanner of an intranet and is in scanning linkage with an operator management node of the intranet; the scanner can also be a scanner in a non-intranet and scan and link with the acquisition nodes in the non-intranet.
The following embodiments of the present invention are proposed based on the above system architecture.
The embodiment of the invention provides an address protection method which is applied to an intranet router. FIG. 2 is a first flowchart illustrating an address protection method according to an embodiment of the present invention; as shown in fig. 2, the method includes:
step 101: an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address;
step 102: judging whether the acquisition node address is the address of an intranet management node;
step 103: if the acquisition node address is not the address of the intranet management node, sending a second data packet to the intranet management node, wherein the second data packet is used for indicating the intranet management node to send the IPv6 address converted according to the first conversion mode to the acquisition node address; the second data packet comprises the acquisition node address.
This embodiment builds on a mechanism for rapid discovery of IPv6 addresses. In some optional embodiments, each router (including the intranet router) modifies the Router Advertisement (RA) packet of the Neighbor Discovery Protocol (NDP): the router adds the global unicast address of a collection node (Collection Point Address) to the RA packet, for example in an option of the RA packet, and sends the RA packet. After receiving a packet containing this global unicast address, each terminal sends another data packet (e.g., an echo packet) to the collection node address; that data packet includes the IPv6 address of the terminal, which is how rapid discovery of IPv6 addresses is achieved.
In this embodiment, the first packet is an RA packet. Wherein the intranet router may receive the first data packet from a previous-level node. The first data packet includes a Collection node Address (Collection Point Address).
In this embodiment, the intranet router extracts the collection node address from the first data packet, and determines the role and authority of the collection node corresponding to that address. Illustratively, the intranet router is preconfigured with the address of the intranet management node, and it determines whether the acquisition node address is the address of the intranet management node by comparing the acquisition node address with the preconfigured address.
If the acquisition node address is not the address of the intranet management node, the acquisition node address is the address of a non-intranet acquisition node. To protect the IPv6 address, the real IPv6 address needs to be converted according to a first conversion mode or obfuscated according to a specific algorithm, and the converted or obfuscated IPv6 address is sent to the acquisition node address, that is, to the non-intranet acquisition node corresponding to that address. In this embodiment, the intranet router sends a second data packet to the intranet management node, and the second data packet instructs the intranet management node to send the converted or obfuscated IPv6 address to the collection node address.
In some optional embodiments of the invention, the method further comprises: if the acquisition node address is the address of the intranet management node, sending a real IPv6 address to the acquisition node address.
In this embodiment, if the acquisition node address is the address of the intranet management node, the acquisition node address is the address of an intranet acquisition node, and the real IPv6 address may be sent directly to the acquisition node address, that is, to the intranet management node corresponding to that address.
In some optional embodiments, if the acquisition node address is not an address of an intranet management node, the method further includes: and the intranet router saves the acquisition node address and discards the first data packet.
Based on the above embodiment, the embodiment of the present invention further provides an address protection method, which is applied to an intranet management node. The method comprises the following steps:
Step 201: the intranet management node receives a second data packet sent by the intranet router; the second data packet is sent when the intranet router judges that the collection node address in the received first data packet is not the address of the intranet management node; the second data packet comprises an acquisition node address;
Step 202: based on the second data packet, the intranet management node converts the acquired IPv6 address according to a first conversion mode and sends the converted IPv6 address to the acquisition node address.
With the technical scheme of the embodiment of the invention, when the acquisition node is not an intranet management node, the IPv6 address to be sent to the non-intranet acquisition node is converted, and the converted IPv6 address is sent to the non-intranet acquisition node. This protects the IPv6 address, improves the privacy of the IPv6 address, reduces the risk of network asset exposure, and improves the overall security protection of the network.
In some optional embodiments, the method further comprises: the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner; if the address of the acquisition node is not the address of the intranet management node, converting a destination address in the scanning task data packet according to a second conversion mode, and forwarding the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In this embodiment, the scanning task data packet received by the intranet router may come from a non-intranet collection node or from an intranet collection node (i.e., an intranet management node), and the destination address in the scanning task data packet is the address of the terminal to be scanned, which has an IPv6 address. If the collection node is not the intranet management node, that is, the collection node is a non-intranet collection node, then based on the foregoing embodiment the non-intranet collection node can only have obtained an IPv6 address after conversion processing or obfuscation processing. After receiving the scanning task data packet, the intranet router therefore performs reverse conversion processing on the destination address in the scanning task data packet, that is, converts the destination address according to a second conversion mode that is the reverse of the first conversion mode, so as to obtain the real IPv6 address corresponding to the converted or obfuscated IPv6 address. It then forwards the scanning task data packet according to the real IPv6 address, so that the scanning task data packet can reach the terminal corresponding to the real IPv6 address.
In further alternative embodiments, the method further comprises: the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner; if the address of the acquisition node is not the address of the intranet management node, sending a third data packet to the intranet management node, wherein the third data packet is used for instructing the intranet management node to forward the scanning task data packet after the destination address in the scanning task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In this embodiment, the scanning task data packet received by the intranet router may come from a non-intranet collection node or from an intranet collection node (i.e., an intranet management node), and the destination address in the scanning task data packet is the address of the terminal to be scanned, which has an IPv6 address. If the collection node is not the intranet management node, that is, the collection node is a non-intranet collection node, then based on the foregoing embodiment the non-intranet collection node can only have obtained an IPv6 address after conversion processing or obfuscation processing. After receiving the scanning task data packet, the intranet router sends a third data packet to the intranet management node. The third data packet instructs the intranet management node to perform reverse conversion on the destination address in the scanning task data packet, that is, to convert the destination address according to the second conversion mode, so as to obtain the corresponding real IPv6 address, so that the scanning task data packet can be sent to the terminal corresponding to the real IPv6 address.
It should be noted that the scanning task data packet in this embodiment may also be referred to as a data packet or a fourth data packet, where the data packet or the fourth data packet corresponds to a scanning task, and the scanning task is used to obtain the IPv6 address of the terminal.
In some optional embodiments of the invention, the method further comprises: if the acquisition node is the intranet management node, forwarding the scanning task data packet.
The address protection method according to the embodiment of the present invention is described below with reference to specific examples.
FIG. 3 is a first schematic interaction flow chart of an address protection method according to an embodiment of the present invention; as shown in FIG. 3, the method includes:
Steps 11 to 12: the intranet router receives an RA packet containing a Collection Point Address, and extracts the Collection Point Address from the RA packet.
Steps 13 to 14: the intranet router judges the role and the authority of the acquisition node corresponding to the acquisition node address, namely judges whether the acquisition node address is the address of the intranet management node. If the result of the judgment is yes, step 15 is performed; if the result is no, steps 16 to 18 are performed. Specifically:
Step 15: the intranet router sends a real IPv6 address to the acquisition node address; namely, the real IPv6 address is sent to the intranet management node corresponding to the collection node address.
Step 16: the intranet router saves the acquisition node address and discards the received RA packet.
Step 17: the intranet router sends a data packet to the intranet management node, notifying the intranet management node to send an IPv6 address converted by a certain rule, or an IPv6 address obfuscated by a specific algorithm, to the acquisition node address.
Step 18: the intranet management node sends the IPv6 address converted by a certain rule, or the IPv6 address obfuscated by a specific algorithm, to the acquisition node address.
FIG. 4 is a schematic diagram illustrating an interaction flow of an address protection method according to an embodiment of the present invention; as shown in FIG. 4, the method includes:
Step 21: the scanner initiates a scan of the terminal device that has an IPv6 address.
Step 22: the scanner and its corresponding collection node are linked for the scan.
Step 23: the intranet router receives the scanning task data packet from the acquisition node; if the acquisition node is an intranet management node, the scanning task data packet is forwarded directly.
Step 24: the intranet router receives the scanning task data packet from the acquisition node; if the acquisition node is a non-intranet acquisition node, the destination address in the scanning task data packet is reverse-converted, and the data packet is forwarded after the destination address conversion.
Step 25: the scanning data packet of the acquisition node proceeds with the subsequent scanning operation along the routing path.
Step 26: corresponding scan results are obtained.
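The following Python sketch is an added example, not code from the patent: it models the FIG. 3 and FIG. 4 decisions with the intranet router and the intranet management node merged into one object. The patent does not name the first conversion mode; the keyed Feistel permutation of the 64-bit interface identifier, the key, the class and function names, and all addresses (taken from the 2001:db8::/32 documentation range) are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (assumptions, not from the patent).
MGMT_NODE = ipaddress.IPv6Address("2001:db8:0:1::10")   # preconfigured management node
REAL_ADDRS = [ipaddress.IPv6Address("2001:db8:0:1::a1"),
              ipaddress.IPv6Address("2001:db8:0:1:21e:c2ff:fe12:3456")]
KEY = b"constructed-demo-key"   # secret known only to router / management node
ROUNDS = 4
IID_MASK = (1 << 64) - 1


def _round(key, prefix, rnd, half):
    """Keyed round function: 32 bits derived from prefix, round number and one half."""
    msg = prefix.to_bytes(8, "big") + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def first_conversion(addr, key=KEY):
    """Real -> converted address: the /64 prefix is kept so the packet still
    routes to the intranet; only the interface identifier is permuted."""
    value = int(ipaddress.IPv6Address(addr))
    prefix, iid = value >> 64, value & IID_MASK
    left, right = iid >> 32, iid & 0xFFFFFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round(key, prefix, rnd, right)
    return ipaddress.IPv6Address((prefix << 64) | (left << 32) | right)


def second_conversion(addr, key=KEY):
    """Converted -> real address: the same rounds applied in reverse order."""
    value = int(ipaddress.IPv6Address(addr))
    prefix, iid = value >> 64, value & IID_MASK
    left, right = iid >> 32, iid & 0xFFFFFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, prefix, rnd, left), left
    return ipaddress.IPv6Address((prefix << 64) | (left << 32) | right)


class IntranetRouter:
    def __init__(self, mgmt_addr, real_addrs):
        self.mgmt_addr = ipaddress.IPv6Address(mgmt_addr)
        self.real_addrs = list(real_addrs)
        self.saved_collection_nodes = set()

    def handle_first_packet(self, collection_addr):
        """Steps 13-18: return the addresses disclosed to the collection node."""
        node = ipaddress.IPv6Address(collection_addr)
        if node == self.mgmt_addr:
            return list(self.real_addrs)            # step 15: real addresses
        self.saved_collection_nodes.add(node)       # step 16: save, drop the packet
        return [first_conversion(a) for a in self.real_addrs]  # steps 17-18

    def forward_scan_packet(self, collection_addr, destination):
        """Steps 23-24: return the destination the scan packet is forwarded to."""
        node = ipaddress.IPv6Address(collection_addr)
        destination = ipaddress.IPv6Address(destination)
        if node == self.mgmt_addr:
            return destination                      # step 23: forward unchanged
        return second_conversion(destination)       # step 24: reverse conversion


if __name__ == "__main__":
    router = IntranetRouter(MGMT_NODE, REAL_ADDRS)
    outside = "2001:db8:ffff::99"                   # constructed non-intranet node
    for shown in router.handle_first_packet(outside):
        print(shown, "->", router.forward_scan_packet(outside, shown))
```

Because every scan destination from a non-intranet collection node is reverse-converted, a packet from such a node that carries a real address as its destination is rewritten to a different address and does not reach that host.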
The embodiment of the invention also provides an address protection device. FIG. 5 is a first block diagram of an address protection device according to an embodiment of the present invention; as shown in FIG. 5, the apparatus includes: a first receiving unit 31, a first processing unit 32, and a first sending unit 33; wherein:
the first receiving unit 31 is configured to receive a first data packet, where the first data packet includes an acquisition node address;
the first processing unit 32 is configured to determine whether the acquisition node address is an address of an intranet management node;
the first sending unit 33 is configured to send a second data packet to an intranet management node if the first processing unit 32 determines that the acquisition node address is not the address of the intranet management node, where the second data packet is used to instruct the intranet management node to send the IPv6 address converted in the first conversion manner to the acquisition node address; the second data packet comprises the acquisition node address.
In some optional embodiments of the present invention, the first sending unit 33 is further configured to send a real IPv6 address to the collecting node address if the first processing unit 32 determines that the collecting node address is an address of an intranet management node.
In some optional embodiments of the present invention, the first receiving unit 31 is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the first processing unit 32 is further configured to, if the address of the acquisition node is not the address of the intranet management node, perform conversion processing on the destination address in the scan task data packet according to a second conversion manner; the second conversion mode is the reverse conversion process of the first conversion mode; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the first sending unit 33 is further configured to forward the scan task data packet after the destination address conversion processing.
In some optional embodiments of the present invention, the first receiving unit 31 is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the first sending unit 33 is further configured to send a third data packet to the intranet management node if the address of the acquisition node is not the address of the intranet management node, where the third data packet is used to instruct the intranet management node to forward the scan task data packet after the destination address in the scan task data packet is converted according to a second conversion method; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In some optional embodiments of the present invention, the first sending unit 33 is further configured to forward the scan task data packet if the collecting node is the intranet management node.
In some optional embodiments of the present invention, the apparatus further includes a first storage unit, configured to store the acquisition node address if the acquisition node address is not an address of an intranet management node;
the first processing unit 32 is further configured to discard the first data packet.
In the embodiment of the present invention, the first processing unit 32 in the address protection device may in practice be implemented by a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Microcontroller Unit (MCU), or a Field-Programmable Gate Array (FPGA); the first receiving unit 31 and the first sending unit 33 in the device may in practice be implemented by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol and the like) and a transceiving antenna; the first storage unit in the address protection device may in practice be implemented by a memory.
It should be noted that the division into program modules used above to describe how the address protection device processes information is only an example. In practical applications, the processing may be distributed to different program modules as needed, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the address protection device and the address protection method provided by the above embodiments belong to the same concept; the specific implementation process of the device is described in detail in the method embodiments and is not repeated here.
The embodiment of the invention also provides an address protection device. FIG. 6 is a schematic diagram of a second exemplary embodiment of an address protection device; as shown in FIG. 6, the apparatus includes: a second receiving unit 41, a second processing unit 42, and a second sending unit 43; wherein:
the second receiving unit 41 is configured to receive a second data packet sent by the intranet router; the second data packet is sent when the intranet router judges that the collection node address in the received first data packet is not the address of the intranet management node; the second data packet comprises an acquisition node address;
the second processing unit 42 is configured to perform conversion processing on the acquired IPv6 address according to a first conversion manner based on the second data packet;
the second sending unit 43 is configured to send the converted IPv6 address to the collection node address.
In some optional embodiments of the present invention, the second receiving unit 41 is further configured to receive a third data packet sent by the intranet router; the third data packet is sent when the intranet router judges that the address of the acquisition node in the received scanning task data packet is not the address of the intranet management node;
the second processing unit 42 is further configured to perform conversion processing on a destination address in the scan task data packet according to a second conversion manner; wherein the second conversion mode is the reverse conversion process of the first conversion mode; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the second sending unit 43 is further configured to forward the scan task data packet after the destination address conversion processing.
In the embodiment of the present invention, the second processing unit 42 in the address protection device may be implemented by a CPU, a DSP, an MCU, or an FPGA in practical application; the second receiving unit 41 and the second sending unit 43 in the device can be realized by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol and the like) and a transceiving antenna in practical application.
It should be noted that the division into program modules used above to describe how the address protection device processes information is only an example. In practical applications, the processing may be distributed to different program modules as needed, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the address protection device and the address protection method provided by the above embodiments belong to the same concept; the specific implementation process of the device is described in detail in the method embodiments and is not repeated here.
The embodiment of the invention also provides an address protection method. FIG. 7 is a second flowchart illustrating an address protection method according to an embodiment of the present invention; as shown in FIG. 7, the method includes:
Step 301: an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address;
Step 302: the intranet router judges whether the acquisition node address is the address of an intranet management node;
Step 303: if the acquisition node address is not the address of the intranet management node, the intranet router sends the IPv6 address converted according to the first conversion mode to the acquisition node address.
In some optional embodiments of the invention, the method further comprises: if the acquisition node address is the address of the intranet management node, sending a real IPv6 address to the acquisition node address.
In some optional embodiments, the method further comprises: the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner; if the address of the acquisition node is not the address of the intranet management node, converting a destination address in the scanning task data packet according to a second conversion mode, and forwarding the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In further alternative embodiments, the method further comprises: the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner; if the address of the acquisition node is not the address of the intranet management node, sending a third data packet to the intranet management node, wherein the third data packet is used for instructing the intranet management node to forward the scanning task data packet after the destination address in the scanning task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In some optional embodiments of the invention, the method further comprises: if the acquisition node is the intranet management node, forwarding the scanning task data packet.
In some optional embodiments of the present invention, if the acquisition node address is not an address of an intranet management node, the method further includes: the intranet router saves the acquisition node address and discards the first data packet.
For the detailed implementation of this embodiment, refer to the description of step 101 to step 103 shown in FIG. 2. The difference from the embodiment shown in FIG. 2 is that, in this embodiment, when the acquisition node address is not the address of the intranet management node, the intranet router itself converts the IPv6 address according to the first conversion mode and sends the converted IPv6 address to the acquisition node address.
Based on the foregoing embodiments, the embodiment of the present invention further provides an address protection device. FIG. 8 is a third schematic diagram illustrating a structure of an address protection device according to an embodiment of the present invention; as shown in FIG. 8, the apparatus includes: a third receiving unit 51, a third processing unit 52, and a third sending unit 53; wherein:
the third receiving unit 51 is configured to receive a first data packet, where the first data packet includes an acquisition node address;
the third processing unit 52 is configured to determine whether the acquisition node address is an address of an intranet management node;
the third sending unit 53 is configured to send the IPv6 address converted according to the first conversion method to the collection node address if the third processing unit 52 determines that the collection node address is not the address of the intranet management node.
In some optional embodiments of the present invention, the third sending unit 53 is further configured to send a real IPv6 address to the collecting node address if the third processing unit 52 determines that the collecting node address is an address of an intranet management node.
In some optional embodiments of the present invention, the third receiving unit 51 is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the third processing unit 52 is further configured to, if the address of the acquisition node is not the address of the intranet management node, perform conversion processing on the destination address in the scan task data packet according to a second conversion method, where the second conversion method is an inverse conversion process of the first conversion method; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the third sending unit 53 is further configured to forward the scan task data packet after the destination address conversion processing.
In some optional embodiments of the present invention, the third receiving unit 51 is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the third sending unit 53 is further configured to send a third data packet to the intranet management node if the address of the acquisition node is not the address of the intranet management node, where the third data packet is used to instruct the intranet management node to forward the scan task data packet after the destination address in the scan task data packet is converted according to a second conversion method; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
In some optional embodiments of the present invention, the third sending unit 53 is further configured to forward the scan task data packet if the collecting node is the intranet management node.
In some optional embodiments of the present invention, the apparatus further includes a second storage unit, configured to store the acquisition node address if the acquisition node address is not an address of an intranet management node;
the third processing unit 52 is further configured to discard the first data packet.
In the embodiment of the present invention, the third processing unit 52 in the address protection device may be implemented by a CPU, a DSP, an MCU, or an FPGA in practical application; the third receiving unit 51 and the third sending unit 53 in the device can be realized by a communication module (including a basic communication suite, an operating system, a communication module, a standardized interface, a protocol and the like) and a transceiving antenna in practical application; the second storage unit in the device can be realized by a memory in practical application.
It should be noted that the division into program modules used above to describe how the address protection device processes information is only an example. In practical applications, the processing may be distributed to different program modules as needed, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the address protection device and the address protection method provided by the above embodiments belong to the same concept; the specific implementation process of the device is described in detail in the method embodiments and is not repeated here.
The embodiment of the invention also provides network equipment, which can be an intranet router or an intranet management node in the embodiment. Fig. 9 is a schematic diagram of a hardware structure of a network device according to an embodiment of the present invention, where the network device includes a memory 62, a processor 61, and a computer program stored in the memory 62 and operable on the processor 61, and when the processor 61 executes the computer program, the processor implements the steps of the address protection method applied to an intranet router or an intranet management node according to an embodiment of the present invention.
Optionally, the network device further comprises one or more network interfaces 63. It will be appreciated that the various components in the network device are coupled together by a bus system 64. It will be appreciated that the bus system 64 is used to enable communications among the components. The bus system 64 includes a power bus, a control bus, and a status signal bus in addition to the data bus. For clarity of illustration, however, the various buses are labeled as bus system 64 in fig. 9.
It will be appreciated that the memory 62 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 62 described in connection with the embodiments of the invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiments of the present invention may be applied to the processor 61, or implemented by the processor 61. The processor 61 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 61. The processor 61 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. Processor 61 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 62, and the processor 61 reads the information in the memory 62 and performs the steps of the aforementioned method in conjunction with its hardware.
In an exemplary embodiment, the network device may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Microcontroller Units (MCUs), microprocessors, or other electronic components for performing the foregoing methods.
In an exemplary embodiment, the present invention further provides a computer readable storage medium, such as a memory 62 comprising a computer program, which is executable by a processor 61 of a network device to perform the steps of the aforementioned method. The computer readable storage medium can be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM; or may be various devices including one or any combination of the above memories.
The computer-readable storage medium provided by the embodiment of the present invention stores thereon a computer program, which, when executed by a processor, implements the steps of the address protection method applied to an intranet router or an intranet management node according to the embodiment of the present invention.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments.
Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict.
The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (30)

1. An address protection method, characterized in that the method comprises:
an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address;
judging whether the acquisition node address is the address of an intranet management node;
if the acquisition node address is not the address of the intranet management node, sending a second data packet to the intranet management node, wherein the second data packet is used to instruct the intranet management node to send an Internet Protocol version 6 (IPv6) address, converted according to a first conversion mode, to the acquisition node address; the second data packet comprises the acquisition node address.
2. The method of claim 1, further comprising: if the acquisition node address is the address of the intranet management node, sending a real IPv6 address to the acquisition node address.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, converting a destination address in the scanning task data packet according to a second conversion mode, and forwarding the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
4. The method according to claim 1 or 2, characterized in that the method further comprises:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, sending a third data packet to the intranet management node, wherein the third data packet is used for instructing the intranet management node to forward the scanning task data packet after the destination address in the scanning task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
5. The method according to claim 3 or 4, characterized in that the method further comprises:
and if the acquisition node is the intranet management node, forwarding the scanning task data packet.
6. The method according to claim 1, wherein if the acquisition node address is not the address of the intranet management node, the method further comprises:
and the intranet router saves the acquisition node address and discards the first data packet.
7. An address protection method, characterized in that the method comprises:
the intranet management node receives a second data packet sent by the intranet router; the second data packet is sent when the intranet router judges that the acquisition node address in the received first data packet is not the address of the intranet management node; the second data packet comprises the acquisition node address;
and converting the acquired IPv6 address according to a first conversion mode based on the second data packet, and sending the converted IPv6 address to the acquisition node address.
8. The method of claim 7, further comprising:
the intranet management node receives a third data packet sent by the intranet router; the third data packet is sent when the intranet router judges that the address of the acquisition node in the received scanning task data packet is not the address of the intranet management node;
the intranet management node converts the destination address in the scanning task data packet according to a second conversion mode and forwards the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
9. An address protection device, the device comprising: a first receiving unit, a first processing unit and a first sending unit; wherein
the first receiving unit is configured to receive a first data packet, where the first data packet includes an acquisition node address;
the first processing unit is used for judging whether the acquisition node address is the address of an intranet management node;
the first sending unit is configured to send a second data packet to the intranet management node if the first processing unit determines that the acquisition node address is not the address of the intranet management node, where the second data packet is used to instruct the intranet management node to send an Internet Protocol version 6 (IPv6) address, converted according to a first conversion mode, to the acquisition node address; the second data packet comprises the acquisition node address.
10. The apparatus according to claim 9, wherein the first sending unit is further configured to send a real IPv6 address to the acquisition node address if the first processing unit determines that the acquisition node address is the address of the intranet management node.
11. The apparatus according to claim 9 or 10, wherein the first receiving unit is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the first processing unit is further configured to perform conversion processing on a destination address in the scan task data packet according to a second conversion manner if the address of the acquisition node is not the address of the intranet management node; the second conversion mode is the reverse conversion process of the first conversion mode; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the first sending unit is further configured to forward the scan task data packet after the destination address conversion processing.
12. The apparatus according to claim 9 or 10, wherein the first receiving unit is further configured to receive a scan task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the first sending unit is further configured to send a third data packet to the intranet management node if the address of the acquisition node is not the address of the intranet management node, where the third data packet is used to instruct the intranet management node to forward the scan task data packet after the destination address in the scan task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
13. The apparatus according to claim 11 or 12, wherein the first sending unit is further configured to forward the scan task data packet if the acquisition node is the intranet management node.
14. The apparatus according to claim 9, further comprising a first storage unit configured to store the acquisition node address if the acquisition node address is not the address of the intranet management node;
the first processing unit is further configured to discard the first data packet.
15. An address protection device, the device comprising: a second receiving unit, a second processing unit and a second sending unit; wherein
the second receiving unit is configured to receive a second data packet sent by the intranet router; the second data packet is sent when the intranet router judges that the acquisition node address in the received first data packet is not the address of the intranet management node; the second data packet comprises the acquisition node address;
the second processing unit is configured to perform conversion processing on the acquired IPv6 address according to a first conversion manner based on the second data packet;
and the second sending unit is used for sending the converted IPv6 address to the acquisition node address.
16. The apparatus according to claim 15, wherein the second receiving unit is further configured to receive a third data packet sent by the intranet router; the third data packet is sent when the intranet router judges that the address of the acquisition node in the received scanning task data packet is not the address of the intranet management node;
the second processing unit is further configured to perform conversion processing on a destination address in the scan task data packet according to a second conversion manner; wherein the second conversion mode is the reverse conversion process of the first conversion mode; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
and the second sending unit is further configured to forward the scan task data packet after the destination address conversion processing.
17. An address protection method, characterized in that the method comprises:
an intranet router receives a first data packet, wherein the first data packet comprises an acquisition node address;
judging whether the acquisition node address is the address of an intranet management node;
and if the acquisition node address is not the address of the intranet management node, sending the IPv6 address converted according to the first conversion mode to the acquisition node address.
18. The method of claim 17, further comprising:
and if the acquisition node address is the address of the intranet management node, sending a real IPv6 address to the acquisition node address.
19. The method according to claim 17 or 18, further comprising:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, converting a destination address in the scanning task data packet according to a second conversion mode, and forwarding the scanning task data packet after the destination address conversion processing; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
20. The method according to claim 17 or 18, further comprising:
the intranet router receives a scanning task data packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
if the address of the acquisition node is not the address of the intranet management node, sending a third data packet to the intranet management node, wherein the third data packet is used for instructing the intranet management node to forward the scanning task data packet after the destination address in the scanning task data packet is converted according to a second conversion mode; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
21. The method according to claim 19 or 20, further comprising:
and if the acquisition node is the intranet management node, forwarding the scanning task data packet.
22. The method according to claim 17, wherein if the acquisition node address is not the address of the intranet management node, the method further comprises:
and the intranet router saves the acquisition node address and discards the first data packet.
23. An address protection device, the device comprising: a third receiving unit, a third processing unit and a third sending unit; wherein
the third receiving unit is configured to receive a first data packet, where the first data packet includes an acquisition node address;
the third processing unit is used for judging whether the acquisition node address is the address of an intranet management node;
and the third sending unit is configured to send the IPv6 address converted according to the first conversion mode to the acquisition node address if the third processing unit determines that the acquisition node address is not the address of the intranet management node.
24. The apparatus according to claim 23, wherein the third sending unit is further configured to send a real IPv6 address to the acquisition node address if the third processing unit determines that the acquisition node address is the address of the intranet management node.
25. The apparatus according to claim 23 or 24, wherein the third receiving unit is further configured to receive a scan task packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the third processing unit is further configured to, if the address of the acquisition node is not the address of the intranet management node, perform conversion processing on the destination address in the scan task data packet according to a second conversion method, where the second conversion method is an inverse conversion process of the first conversion method; the destination address in the scanning task data packet is an IPv6 address converted and processed according to the first conversion mode;
the third sending unit is further configured to forward the scan task data packet after the destination address conversion processing.
26. The apparatus according to claim 23 or 24, wherein the third receiving unit is further configured to receive a scan task packet from a scanner; the scanning task data packet comprises the address of the acquisition node associated with the scanner;
the third sending unit is further configured to send a third data packet to the intranet management node if the address of the acquisition node is not the address of the intranet management node, where the third data packet is used to instruct the intranet management node to forward the scan task data packet after the destination address in the scan task data packet is converted according to a second conversion method; wherein the second conversion mode is the reverse conversion process of the first conversion mode; and the destination address in the scanning task data packet is the IPv6 address converted and processed according to the first conversion mode.
27. The apparatus according to claim 25 or 26, wherein the third sending unit is further configured to forward the scan task data packet if the acquisition node is the intranet management node.
28. The apparatus according to claim 23, further comprising a second storage unit configured to store the acquisition node address if the acquisition node address is not the address of the intranet management node;
the third processing unit is further configured to discard the first data packet.
29. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the address protection method according to any one of claims 1 to 6; or the program, when executed by a processor, implements the steps of the address protection method of claim 7 or 8; alternatively, the program is adapted to carry out the steps of the address protection method of any one of claims 17 to 22 when executed by a processor.
30. A network device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the address protection method of any one of claims 1 to 6 when executing the program; alternatively, the processor implements the steps of the address protection method of claim 7 or 8 when executing the program; alternatively, the processor implements the steps of the address protection method of claims 17 to 22 when executing the program.
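The router-only flow of claims 17 to 22, sketched as an added illustration that is not part of the patent text. The claims do not define the first conversion mode, so the secret-offset transform on the interface identifier, the class and function names, and the 2001:db8:: sample addresses are all assumptions made for this example.

```python
"""Constructed simulation of the intranet-router behaviour in claims 17 to 22."""
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address: the interface identifier


def first_conversion(addr: str, secret: int) -> str:
    """Hypothetical first conversion mode: shift the interface ID by a secret offset.

    The /64 prefix is kept so the converted address still routes to the intranet
    router; the addition wraps modulo 2**64 so it never spills into the prefix.
    """
    n = int(ipaddress.IPv6Address(addr))
    prefix = (n >> 64) << 64
    iid = (n + secret) & IID_MASK
    return str(ipaddress.IPv6Address(prefix | iid))


def second_conversion(addr: str, secret: int) -> str:
    """Second conversion mode: the exact inverse of first_conversion."""
    return first_conversion(addr, -secret)


class IntranetRouter:
    def __init__(self, mgmt_addr: str, hosts: list, secret: int):
        self.mgmt = ipaddress.IPv6Address(mgmt_addr)
        self.hosts = [str(ipaddress.IPv6Address(h)) for h in hosts]
        self.secret = secret
        self.saved_collectors = set()  # claim 22: non-management requesters are recorded

    def _is_mgmt(self, collector: str) -> bool:
        # Compare parsed addresses, not strings: "::10" and ":0:0:0:10" are the same node.
        return ipaddress.IPv6Address(collector) == self.mgmt

    def on_first_packet(self, collector: str) -> list:
        """Return the host addresses that are sent to the acquisition node."""
        if self._is_mgmt(collector):
            return list(self.hosts)  # claim 18: real addresses
        self.saved_collectors.add(str(ipaddress.IPv6Address(collector)))
        return [first_conversion(h, self.secret) for h in self.hosts]  # claim 17

    def on_scan_task(self, collector: str, dst: str) -> str:
        """Return the destination the scan task data packet is forwarded to."""
        if self._is_mgmt(collector):
            return str(ipaddress.IPv6Address(dst))  # claim 21: forward unchanged
        return second_conversion(dst, self.secret)  # claim 19: reverse conversion


if __name__ == "__main__":
    # Constructed sample topology (documentation prefix 2001:db8::/32).
    router = IntranetRouter(
        mgmt_addr="2001:db8:0:1::10",
        hosts=["2001:db8:0:1::a1", "2001:db8:0:1::a2"],
        secret=0x1122334455667788,
    )
    outside = "2001:db8:ffff::99"
    advertised = router.on_first_packet(outside)
    print("sent to outside acquisition node:", advertised)
    print("scan task forwarded to:", router.on_scan_task(outside, advertised[0]))
    print("management node sees:", router.on_first_packet("2001:db8:0:1::10"))
```

Under this assumed transform, a scan task from a non-management acquisition node that targets a real address is reverse-converted to an address that is not one of the hosts, so only the converted addresses are usable from outside.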
CN202010691089.6A 2020-07-17 2020-07-17 Address protection method and device, network equipment and computer storage medium Pending CN114024933A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010691089.6A CN114024933A (en) 2020-07-17 2020-07-17 Address protection method and device, network equipment and computer storage medium

Publications (1)

Publication Number Publication Date
CN114024933A true CN114024933A (en) 2022-02-08

Family

ID=80054026

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination