CN114710544B - Channel establishment method and device - Google Patents

Channel establishment method and device

Publication number: CN114710544B
Authority: CN (China)
Legal status: Active
Application number: CN202210290192.9A
Other languages: Chinese (zh)
Other versions: CN114710544A (en)
Inventor: 杨刚
Assignee (original and current): New H3C Security Technologies Co Ltd

Classifications

    • H04L67/141 Setup of application sessions
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources


Abstract

The application provides a channel establishment method and device applied to a software defined perimeter (SDP) gateway. The method comprises the following steps: receiving a first connection establishment request for a first channel sent by a client, wherein the first connection establishment request comprises first connection information for connecting to a server; according to the first connection information, if the client is confirmed to have the access right to access the server, forwarding the first connection establishment request to the server; and receiving a first response result, fed back by the server, agreeing to establish the first channel, and forwarding the first response result to the client so as to establish the first channel between the client and the server. In this way, communication between the client and the server is realized when the SDP gateway has the SPA function enabled.

Description

Channel establishment method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for establishing a channel.
Background
Under the zero-trust Software Defined Perimeter (SDP) framework, the real backend services must be hidden, and the SDP gateway provides no data channel to the outside until a device has been successfully authenticated. To achieve reliable authentication, a multi-factor single packet authorization service, Single Packet Authorization (SPA), is required. In a multi-channel protocol scenario, once the SDP gateway has enabled the SPA function, the data transmission mode of FTP (File Transfer Protocol) poses a problem: when the server needs to actively transmit data to the client, the current scheme cannot deliver that data to the client, because the SDP gateway has SPA enabled.
In addition, when the client needs to access the server, the SDP gateway must check the client's access rights. When the client only has the right to access a certain port of the server, but its access also involves ports of the server other than that port, the SDP gateway, on checking that the client has no right to access those other ports, rejects the client's access operation, so the client cannot complete its access smoothly.
Therefore, how to implement communication between the client and the server when the SDP gateway has enabled the SPA function is one of the technical problems that deserves consideration.
Disclosure of Invention
In view of the above, the present application provides a method and apparatus for establishing a channel, which are used to implement communication between a client and a server when an SDP gateway opens an SPA function.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of the present application, there is provided a channel establishment method applied to a software defined perimeter (SDP) gateway, the method comprising:
receiving a first connection establishment request of a first channel sent by a client, wherein the first connection establishment request comprises first connection information for connecting a server;
according to the first connection information, if the client side is confirmed to have the access right for accessing the server side, forwarding the first connection establishment request to the server side;
And receiving a first response result which is fed back by the server and agrees to establish the first channel, and forwarding the first response result to the client so as to establish the first channel between the client and the server.
According to a second aspect of the present application, there is provided a channel establishing apparatus provided in a software defined perimeter (SDP) gateway, the apparatus comprising:
the first receiving module is used for receiving a first connection establishment request of a first channel sent by the client, wherein the first connection establishment request comprises first connection information for connecting with the server;
the first sending module is used for forwarding the first connection establishment request to the server side if the client side is confirmed to have the access right of the access server side according to the first connection information;
the second receiving module is used for receiving a first response result, fed back by the server, agreeing to establish the first channel;
and the second sending module is used for forwarding the first response result to the client so as to establish the first channel between the client and the server.
According to a third aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiment of the present application.
According to a fourth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to carry out the method provided by the first aspect of the embodiments of the present application.
The embodiment of the application has the beneficial effects that:
the channel establishment method provided by the embodiment of the application receives a first connection establishment request of a first channel sent by a client, wherein the first connection establishment request comprises first connection information for connecting a server; according to the first connection information, if the client side is confirmed to have the access right for accessing the server side, forwarding the first connection establishment request to the server side; and receiving a first response result which is fed back by the server and agrees to establish the first channel, and forwarding the first response result to the client so as to establish the first channel between the client and the server. By adopting the method, the establishment of the first channel between the client and the server is realized, and the client can interact with the server through the first channel.
Drawings
Fig. 1 is a schematic flow chart of a channel establishment method according to an embodiment of the present application;
Fig. 2 is an application scenario schematic diagram of a channel establishment method provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a channel-establishing device according to an embodiment of the present application;
fig. 4 is a schematic hardware structure of an electronic device implementing a channel establishment method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The channel establishment method provided by the application is described in detail below.
Referring to fig. 1, fig. 1 is a flowchart of a channel establishment method provided by the present application. The method is applied to a software defined perimeter (SDP) gateway, and when the SDP gateway implements the method, the method may include the following steps:
S101, receiving a first connection establishment request for a first channel sent by a client, wherein the first connection establishment request comprises first connection information for connecting to a server.
In this step, when a client needs to establish a communication connection with a server, it sends a first connection establishment request to the SDP gateway, and the first connection establishment request carries first connection information; after receiving the first connection establishment request, the SDP gateway parses the first connection information from the request.
S102, according to the first connection information, if the client side is confirmed to have the access right for accessing the server side, forwarding the first connection establishment request to the server side.
In this step, when the SDP gateway obtains the first connection information, it determines according to the first connection information whether the client has the right to access the server, and when the client has that right, the SDP gateway forwards the first connection establishment request to the server.
Specifically, after the SPA function is enabled, when the client or the server sends an ordinary message to the SDP gateway, the SDP gateway does not process any of these messages; that is, messages sent by the client or the server are discarded. In view of this, to enable the client to interact with the server, before sending the first connection establishment request to the SDP gateway the client sends an SPA packet to the SDP gateway. The SPA packet is used by the SDP gateway to verify the identity of the client, so the client carries its identity information in the SPA packet, and once the SDP gateway has verified the client's identity information, it opens its own service port for interaction with that client. In this way, the client can send the first connection establishment request to the SDP gateway via that service port.
It should be noted that the SDP gateway may record in advance the actual connection information, issued by the SDP controller, of the servers that the client has the right to access. After the first connection information is parsed from the first connection establishment request, the gateway determines whether the actual connection information issued by the SDP controller includes the first connection information, and if so, confirms that the client has the right to access the server.
S103, receiving a first response result, fed back by the server, agreeing to establish the first channel, and forwarding the first response result to the client so as to establish the first channel between the client and the server.
Specifically, after receiving the first connection establishment request, if the server agrees to establish a communication connection with the client, it sends an agreeing response to the request, that is, the first response result, to the SDP gateway. After receiving the first response result, the SDP gateway forwards it to the client, and the client establishes the first channel between itself and the server based on the first response result.
It should be noted that the interaction during connection establishment may use the File Transfer Protocol (FTP) or similar, but is not limited to FTP.
By executing the method, the first channel between the client and the server is established, and the client can interact with the server through the first channel.
In addition, the SDP gateway also records the first connection information, so that when the client or the server interacts with the other party again, the first connection information can be used to realize the connection.
On this basis, the channel establishment method provided by this embodiment further comprises the following steps: receiving a second connection establishment request for a second channel initiated by the server, and determining second connection information of the second connection establishment request; sending the second connection establishment request to the client to establish the second channel between the server and the client; and associating the first connection information with the second connection information to obtain a first association relation, and updating a local association relation table according to the first association relation.
Specifically, the server also has a need to actively establish a communication connection with the client. For this, the server sends a second connection establishment request to the SDP gateway; when the SDP gateway receives it, the gateway determines the second connection information of the second connection establishment request initiated by the server and then sends the request on to the client. After receiving the second connection establishment request, the client establishes a second channel with the server, and communication between the client and the server is then carried out through the second channel. In this way, interaction between the client and the server over different channels under a multi-channel protocol is realized.
In addition, to realize smooth access between the client and the server under the multi-channel protocol, the application also establishes a first association relation between the first connection information and the second connection information, and then writes the first association relation into an association relation table recorded by the SDP gateway. In this way, when the client subsequently interacts with the server, the SDP gateway can use the association relation recorded in the association relation table.
On this basis, the first connection information in this embodiment comprises first access information for the client's access to the server, where the first access information is access information issued by the SDP controller that allows the client to access the server; the second connection information comprises second access information used for establishing the second channel on the server.
On this basis, the channel establishment method provided by this embodiment further comprises the following steps: receiving a first data processing request sent by a sending end over the second channel; determining first target access information of the first data processing request; matching the association relation table using the first target access information; and when the first association relation is matched, forwarding the first data processing request to a receiving end. When the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
Specifically, taking the sending end as the client and the receiving end as the server for illustration: when the client needs to access a resource on the server, the client sends a first data processing request over the second channel and, to ensure the request reaches the server, adds first target access information to the request. After receiving the first data processing request, the SDP gateway parses the first target access information from it and then judges, based on the first target access information, whether the client has the right to access the server; the judging method can refer to the related description of step S102 and is not repeated here. When the SDP gateway confirms, based on the first target access information, that the client does not have the right to access the server, it determines whether the first target access information is in the association relation table stored on the SDP gateway, and when the first target access information exists in the association relation table (for example, the first target access information is the same as the second access information), the first data processing request may be released, that is, forwarded to the server, thereby implementing access to the asset.
Similarly, when the server needs to access data on the client, it sends a first data processing request to the SDP gateway over the second channel. The SDP gateway can determine the server's first target access information from the communication connection between the client and the server, then check whether the first target access information matches an association relation recorded in the association relation table, and when the first association relation is matched, the first data processing request is released, that is, sent to the client, so the server's need to access data on the client is also met.
Optionally, the first access information may include, but is not limited to, the IP address of the server and a first port on the server to which the client has access rights, and the second access information may include, but is not limited to, the IP address of the server and a second port on the server. In addition, the first port may be a random port on the server, such as port 21; and the second port may be a set port on the server, for example port 20. It should be noted that port 20 is the set port in FTP active mode (port mode), and when the client is in FTP active mode it uses port 20 by default to access the server. Thus, the SDP gateway establishes a first association relation between the first connection information including port 21 and the second connection information including port 20.
Specifically, the server has a higher security level, and in practice a message sent by the server to the SDP gateway is generally rejected by the gateway. To realize data transmission between the server and the client, in this embodiment the server uses port 20 to request a connection with the SDP gateway, that is, it sends a second connection establishment request to the SDP gateway. This connection establishment request is carried in an ordinary TCP message, because with SPA enabled the server cannot send an SPA message. To realize the data transmission, the SDP gateway records a first association relation between the first connection information including port 21 and the second connection information including port 20, and when the client and the server subsequently transmit data, the gateway only needs to look up the association relation recorded in the association relation table to release the data processing requests from either end.
It should be noted that the first channel may be, but is not limited to, a control channel or a data channel, and the second channel is a data channel. When the first channel is a control channel and the second channel is a data channel, the scenario in which control data such as a control command must be sent during service processing can be supported: for example, when the client sends a service processing request to the server, a control message is sent through the first channel and the data is then sent through the second channel, realizing data transmission between the client and the server. When the first channel is a data channel and the second channel is a data channel, transmission of service data over multiple channels can be supported, and no control messages need to be sent. For example, when the channel establishment method provided by any embodiment of the present application is applied to FTP, a control command or the like can be transmitted through the first channel (control channel), and data can then be transmitted through the second channel (data channel).
Optionally, based on any one of the foregoing embodiments, the first response result in this embodiment includes third connection information fed back by the server. On this basis, the channel establishment method provided by this embodiment further comprises the following step: associating the first connection information with the third connection information to obtain a second association relation, and updating the local association relation table according to the second association relation.
Specifically, to realize smooth access between the client and the server under the multi-channel protocol, the application also establishes a second association relation between the first connection information and the third connection information, and then writes the second association relation into the association relation table recorded by the SDP gateway. In this way, when the client subsequently interacts with the server, the SDP gateway can use the second association relation recorded in the association relation table.
On this basis, the channel establishment method provided by this embodiment further comprises the following steps: receiving a third connection establishment request for a third channel sent by the client, wherein the third connection establishment request carries the third connection information; and matching the association relation table using the third connection information carried in the third connection establishment request, and forwarding the third connection establishment request to the server when the second association relation is matched, so as to establish the third channel between the client and the server.
Specifically, to realize multi-channel communication, the client needs to access the server through a channel other than the first channel. Therefore the client actively sends a third connection establishment request to the SDP gateway and, to ensure that the third channel is successfully established with the server, carries the third connection information in that request. After receiving the third connection establishment request, the SDP gateway parses the third connection information from the request and then determines whether the client has the right to access the server according to the third connection information, that is, whether the actual connection information issued by the SDP controller includes the third connection information. When the actual connection information does not include the third connection information, the client is confirmed not to have that right; but so that the server can still be accessed, the SDP gateway matches the association relation table using the third connection information, and because the second association relation includes the third connection information, the match succeeds and the gateway forwards the third connection establishment request to the server. The server can thereby establish a third channel with the client, and multi-channel communication in the SDP scenario is realized.
Further, when the first connection information includes first access information for the client's access to the server, the first access information is access information issued by the SDP controller that allows the client to access the server, and the third connection information comprises third access information used for establishing the third channel on the server. On this basis, the channel establishment method provided by this embodiment may further comprise the following steps: receiving a second data processing request sent by a sending end over the third channel, wherein the second data processing request comprises second target access information; matching the association relation table using the second target access information; and when the second association relation is matched, forwarding the second data processing request to the receiving end. When the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
Specifically, taking the sending end as the client and the receiving end as the server for illustration: when the client needs to access a resource on the server, it may send the second data processing request over the third channel and, to ensure the request reaches the server, adds the second target access information to the request. After receiving the second data processing request, the SDP gateway parses the second target access information from it and then determines, based on the second target access information, whether the client has the right to access the server; the determination method can refer to the related description of step S102 and is not repeated here. When the SDP gateway confirms, based on the second target access information, that the client does not have the right to access the server, it determines whether the second target access information is in the association relation table stored on the SDP gateway, and when the second target access information exists in the association relation table (for example, the second target access information is the same as the third access information), the second data processing request may be released, that is, forwarded to the server, thereby implementing access to the asset.
Similarly, when the server needs to access data on the client, it sends a second data processing request to the SDP gateway over the third channel. The SDP gateway can determine the server's second target access information from the communication connection between the client and the server, then check whether the second target access information matches an association relation recorded in the association relation table, and when the match succeeds, the second data processing request is released, that is, sent to the client, so the server's need to access data on the client is also met.
Optionally, the third connection information may include, but is not limited to, the IP address of the server and a third port on the server used for establishing the third channel. In addition, the third port may be a random port on the server, such as port 3699. Thus, the SDP gateway establishes a second association relation between the first connection information including port 21 and the third connection information including port 3699.
It should be noted that the first channel may be, but is not limited to, a control channel or a data channel, and the third channel is a data channel. When the first channel is a control channel and the third channel is a data channel, the scenario in which control data such as a control command must be sent during service processing can be supported: for example, when the client sends a service processing request to the server, a control message is sent through the first channel and the data is then sent through the third channel, realizing data transmission between the client and the server. When the first channel is a data channel and the third channel is a data channel, transmission of service data over multiple channels can be supported, and no control messages need to be sent. For example, when the channel establishment method provided by any embodiment of the present application is applied to FTP, a control command or the like can be transmitted through the first channel (control channel), and data can then be transmitted through the third channel (data channel).
To better understand the channel establishment method provided in any of the above embodiments, the scenario shown in fig. 2 is taken as an example, and each item of access information is taken to consist of an IP address and a port. Suppose the server's IP address is 10.1.11.10 and the three server-side ports D1 to D3 are port 21, port 20 and port 3699; then the first connection information is 10.1.11.10:21, the second connection information is 10.1.11.10:20, and the third connection information is 10.1.11.10:3699. In fig. 2 the client's ports are labelled A1-A3, the SDP gateway's inbound ports B1-B3 and outbound ports C1-C3, and the server's ports D1-D3.
Specifically, once the SPA function is enabled on the SDP gateway and the client needs to access the server through it, the client obtains from the SDP controller the first connection information of the server it is entitled to access, and the SDP controller issues the actual access information for which access rights exist to the SDP gateway. When the client has passed authentication with the SDP gateway, it sends the gateway a first connection establishment request carrying 10.1.11.10:21; the SDP gateway confirms from port D1 (port 21) that the client has the access right and forwards the first connection establishment request to the server. The server then feeds back to the SDP gateway a first response result agreeing to establish the first channel, so that the first channel between the client and the server, port A1 - port B1 - port C1 - port D1, is established successfully; see channel 1 in fig. 2.
To realize multi-channel communication, the server also needs to actively establish a second channel, that is, the server sends a second connection establishment request to the SDP gateway. From the port C3 at which the request arrives, the SDP gateway can determine the server port D3 from which it was sent, and hence the second connection information 10.1.11.10:20. The SDP gateway then establishes a first association relationship between the first connection information (10.1.11.10:21) and the second connection information (10.1.11.10:20) and sends the second connection establishment request on to the client, establishing the second channel between client and server: port A3 - port B3 - port C3 - port D3; see channel 3 in fig. 2. When the sending end (client or server) later performs service processing over the second channel, its request is matched against the first association relationship and, when the match succeeds, forwarded to the receiving end (server or client).
Also to realize multi-channel communication, the server carries third connection information, 10.1.11.10:3699, in the first response result. On receiving the first response result, the SDP gateway parses the third connection information out of it, establishes a second association relationship between the third connection information (10.1.11.10:3699) and the first connection information (10.1.11.10:21), and at the same time forwards the third connection information to the client. When the client later establishes the third channel, it sends a third connection establishment request carrying the third connection information to the SDP gateway; the gateway matches the parsed third connection information against the second association relationship and, when the match succeeds, forwards the third connection establishment request to the server, so that the third channel between the server and the client, port A2 - port B2 - port C2 - port D2, is established; see channel 2 in fig. 2.
It is noted that, after the first, second and third channels have been established, if the first channel is a control channel it is a unidirectional channel, supporting one-way communication from the client to the server; the second and third channels, being data channels that use full-duplex communication, are bidirectional channels over which both sides can communicate with each other.
Based on the same inventive concept, the application also provides a channel establishment device corresponding to the channel establishment method. The implementation of the channel establishing device may refer to the above description of the channel establishing method, and will not be discussed here.
Referring to fig. 3, fig. 3 is a schematic diagram of a channel setup device provided in a software defined boundary SDP gateway according to an exemplary embodiment of the present application, where the device includes:
a first receiving module 301, configured to receive a first connection establishment request of a first channel sent by a client, where the first connection establishment request includes first connection information for connecting to a server;
a first sending module 302, configured to forward, according to the first connection information, the first connection establishment request to the server if it is confirmed that the client has access rights to the server;
A second receiving module 303, configured to receive a first response result that is fed back by the server and agrees to establish the first channel;
and a second sending module 304, configured to forward the first response result to the client, so as to establish the first channel between the client and the server.
Optionally, the second receiving module 303 is further configured to receive a second connection establishment request of a second channel initiated by the server, and determine second connection information of the second connection establishment request;
the second sending module 304 is further configured to send the second connection establishment request to the client, so as to establish the second channel between the server and the client;
the device further comprises:
and the first association module (not shown in the figure) is used for carrying out association processing on the first connection information and the second connection information to obtain a first association relationship and updating a local association relationship table according to the first association relationship.
Optionally, the first connection information includes first access information of the client accessing the server, where the first access information is access information that is issued by the SDP controller and allows the client to access the server; the second connection information comprises second access information used for establishing the second channel on the server side; on the basis, the channel establishing device provided by the embodiment further comprises:
A third receiving module (not shown in the figure) for receiving the first data processing request sent by the sending end based on the second channel; determining first target access information of the first data processing request;
a first matching module (not shown in the figure) for matching the association table using the first target access information;
a third sending module (not shown in the figure) configured to forward the first data processing request to a receiving end when the first matching module matches the first association relationship;
when the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
Optionally, the first response result includes third connection information fed back by the server; on the basis, the channel establishing device provided by the embodiment further comprises: a second association module (not shown) and a second matching module (not shown), wherein:
a second association module (not shown in the figure) for performing association processing on the first connection information and the third connection information to obtain a second association relationship and updating a local association relationship table according to the second association relationship;
The first receiving module 301 is further configured to receive a third connection establishment request of a third channel sent by the client, where the third connection establishment request carries the third connection information;
a second matching module (not shown in the figure) for matching the association relationship table by using third connection information carried in the third connection establishment request;
the first sending module 302 is further configured to forward the third connection establishment request to the server to establish a third channel between the client and the server when the second matching module matches the second association relationship.
Optionally, the first connection information includes first access information of the client accessing the server, where the first access information is access information that is issued by the SDP controller and allows the client to access the server; the third connection information comprises third access information used for establishing the third channel on the server; the device further comprises:
a fourth receiving module (not shown in the figure) configured to receive a second data processing request sent by the sending end based on the third channel, where the second data processing request includes second target access information;
A third matching module (not shown in the figure) for matching the association table using the second target access information;
a fourth sending module (not shown in the figure) configured to forward the second data processing request to the receiving end when the third matching module matches the second association relationship;
when the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
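The gateway-side logic of the fig. 2 walk-through above (first channel authorized from the controller-issued access information, server-initiated second channel and server-announced third channel recorded in the association relationship table, data requests released only on a table match), which the modules of fig. 3 restate, as an added Python model. It is not code from the patent or from any H3C product. It assumes an `SdpGateway` class with a per-client allowlist standing in for the SDP controller, an association table keyed by the secondary (second/third) server endpoint, and that the first response result carries the third connection information in an FTP passive-mode style reply such as `227 Entering Passive Mode (10,1,11,10,14,115)`, where the port is 14*256+115 = 3699; the page only says the response "carries" that information, so the reply format, the client identifiers and the allowlist are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Access information as the page defines it: an IP address plus a port."""
    ip: str
    port: int


# FTP passive-mode reply shape (assumption: the page only says the first response
# result "carries" the third connection information).  Port = p1 * 256 + p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_third_connection_info(response: str):
    """Extract the third connection information (IP:port) from the first response result."""
    m = PASV_RE.search(response)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed reply: do not record an association from it
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


class SdpGateway:
    """Simplified model of the SDP gateway's association-table behaviour."""

    def __init__(self, allowlist):
        # Access information issued by the SDP controller: client_id -> {Endpoint}.
        self.allowlist = allowlist
        # First channel per client (the first connection information).
        self.first_channels = {}
        # Local association relationship table: secondary endpoint -> first endpoint.
        self.associations = {}

    def first_connection_request(self, client_id, first_info):
        """Client asks for the first channel; forwarded only if the controller allows it."""
        if first_info not in self.allowlist.get(client_id, set()):
            return "drop"
        self.first_channels[client_id] = first_info
        return "forward_to_server"

    def first_response(self, client_id, response):
        """Server agrees; if the reply carries third connection info, record the 2nd association."""
        first_info = self.first_channels.get(client_id)
        if first_info is None:
            return "drop"
        third_info = parse_third_connection_info(response)
        if third_info is not None:
            self.associations[third_info] = first_info
        return "forward_to_client"

    def second_connection_request(self, client_id, second_info):
        """Server-initiated second channel (e.g. from port 20); record the 1st association."""
        first_info = self.first_channels.get(client_id)
        if first_info is None or second_info.ip != first_info.ip:
            return "drop"
        self.associations[second_info] = first_info
        return "forward_to_client"

    def third_connection_request(self, client_id, third_info):
        """Client-initiated third channel; released only if the 2nd association matches."""
        if self.associations.get(third_info) != self.first_channels.get(client_id):
            return "drop"
        return "forward_to_server"

    def data_request(self, client_id, target_info):
        """Data on a second/third channel is released only when the target matches the table."""
        first_info = self.first_channels.get(client_id)
        if first_info is None:
            return "drop"
        if target_info == first_info or self.associations.get(target_info) == first_info:
            return "forward"
        return "drop"


def run_scenario():
    """Replay the page's FTP-style scenario (server 10.1.11.10, ports 21/20/3699)."""
    server = "10.1.11.10"
    ctrl, active, passive = Endpoint(server, 21), Endpoint(server, 20), Endpoint(server, 3699)
    gw = SdpGateway({"clientA": {ctrl}})  # constructed allowlist standing in for the controller
    return [
        gw.first_connection_request("clientA", ctrl),                    # forward_to_server
        gw.first_connection_request("clientB", ctrl),                    # drop: no access right
        gw.first_response("clientA", "227 Entering Passive Mode (10,1,11,10,14,115)"),
        gw.second_connection_request("clientA", active),                 # forward_to_client
        gw.third_connection_request("clientA", passive),                 # forward_to_server
        gw.third_connection_request("clientA", Endpoint(server, 4000)),  # drop: unassociated
        gw.data_request("clientA", active),                              # forward
        gw.data_request("clientA", passive),                             # forward
        gw.data_request("clientA", Endpoint(server, 22)),                # drop: not in table
    ]
```

The order matters: the second association is written when the first response result is parsed, before the client's third connection establishment request arrives, so a request for any other server port is dropped even though the client holds a valid first channel; and data on the second or third channel is released only on a table hit, which is what keeps the dynamically opened ports tied to the first channel the controller authorized.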
Based on the same inventive concept, the embodiment of the present application provides an electronic device, which may be, but is not limited to, the SDP gateway described above. As shown in fig. 4, the electronic device includes a processor 401 and a machine-readable storage medium 402, where the machine-readable storage medium 402 stores a computer program executable by the processor 401, and the processor 401 is caused by the computer program to perform a method for acquiring a message provided by any embodiment of the present application. The electronic device further comprises a communication interface 403 and a communication bus 404, wherein the processor 401, the communication interface 403 and the machine readable storage medium 402 communicate with each other via the communication bus 404.
The communication bus mentioned for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others, and may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration only one thick line is drawn in the figure, but this does not mean there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include Random Access Memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory) or Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like, or a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In addition, the embodiment of the application provides a machine-readable storage medium, wherein the machine-readable storage medium stores a computer program, and when the computer program is called and executed by a processor, the computer program causes the processor to execute the message acquisition method provided by the embodiment of the application.
For the electronic device and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The implementation process of the functions and roles of each unit/module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present solution. Those of ordinary skill in the art will understand and implement the present application without undue burden.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the application.

Claims (10)

1. A channel establishment method, applied to a software defined boundary SDP gateway, the SDP gateway opening an SPA function, the method comprising:
receiving a first connection establishment request of a first channel sent by a client, wherein the first connection establishment request comprises first connection information for connecting a server;
according to the first connection information, if the client side is confirmed to have the access right for accessing the server side, forwarding the first connection establishment request to the server side;
and receiving a first response result which is fed back by the server and agrees to establish the first channel, and forwarding the first response result to the client so as to establish the first channel between the client and the server.
2. The method as recited in claim 1, further comprising:
receiving a second connection establishment request of a second channel initiated by a server, and determining second connection information of the second connection establishment request;
sending the second connection establishment request to the client to establish the second channel between the server and the client;
and carrying out association processing on the first connection information and the second connection information to obtain a first association relation and updating a local association relation table according to the first association relation.
3. The method of claim 2, wherein the first connection information includes first access information of the client accessing the server, the first access information being access information issued by an SDP controller that allows the client to access the server; the second connection information comprises second access information used for establishing the second channel on the server side; the method further comprises the steps of:
receiving a first data processing request sent by a sending end based on the second channel; determining first target access information of the first data processing request;
matching the association relation table by using the first target access information;
when the first association relation is matched, forwarding the first data processing request to a receiving end;
when the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
4. The method of claim 1, wherein the first response result includes third connection information fed back by the server; the method further comprises the steps of:
carrying out association processing on the first connection information and the third connection information to obtain a second association relation and updating a local association relation table according to the second association relation;
The method further comprises the steps of:
receiving a third connection establishment request of a third channel sent by the client, wherein the third connection establishment request carries the third connection information;
and matching the association relation table by using third connection information carried in the third connection establishment request, and forwarding the third connection establishment request to the server side when the second association relation is matched, so as to establish a third channel between the client side and the server side.
5. The method of claim 4, wherein the first connection information includes first access information of the client to the server, the first access information being access information issued by an SDP controller that allows the client to access the server; the third connection information comprises third access information used for establishing the third channel on the server; the method further comprises the steps of:
receiving a second data processing request sent by a sending end based on the third channel, wherein the second data processing request comprises second target access information;
matching the association relation table by using the second target access information;
when the second association relation is matched, forwarding the second data processing request to a receiving end;
when the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
6. A channel creation device, disposed in a software defined boundary SDP gateway, the SDP gateway opening an SPA function, the device comprising:
the first receiving module is used for receiving a first connection establishment request of a first channel sent by the client, wherein the first connection establishment request comprises first connection information for connecting with the server;
the first sending module is used for forwarding the first connection establishment request to the server side if the client side is confirmed to have the access right of the access server side according to the first connection information;
the second receiving module is used for receiving a first response result, fed back by the server, agreeing to establish the first channel;
and the second sending module is used for forwarding the first response result to the client so as to establish the first channel between the client and the server.
7. The apparatus of claim 6, wherein:
the second receiving module is further configured to receive a second connection establishment request of a second channel initiated by the server, and determine second connection information of the second connection establishment request;
The second sending module is further configured to send the second connection establishment request to the client, so as to establish the second channel between the server and the client;
the device further comprises:
and the first association module is used for carrying out association processing on the first connection information and the second connection information to obtain a first association relationship and updating a local association relationship table according to the first association relationship.
8. The apparatus of claim 7, wherein the first connection information includes first access information for the client to access the server, the first access information being access information issued by an SDP controller that allows the client to access the server; the second connection information comprises second access information used for establishing the second channel on the server side; the device further comprises:
the third receiving module is used for receiving a first data processing request sent by the sending end based on the second channel; determining first target access information of the first data processing request;
the first matching module is used for matching the association relation table by utilizing the first target access information;
The third sending module is used for forwarding the first data processing request to a receiving end when the first matching module is matched with the first association relation;
when the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
9. The apparatus of claim 6, wherein the first response result includes third connection information fed back by the server; the device further comprises: the second association module and the second matching module, wherein:
the second association module is used for carrying out association processing on the first connection information and the third connection information to obtain a second association relationship and updating a local association relationship table according to the second association relationship;
the first receiving module is further configured to receive a third connection establishment request of a third channel sent by the client, where the third connection establishment request carries the third connection information;
the second matching module is used for matching the association relation table by utilizing third connection information carried in the third connection establishment request;
the first sending module is further configured to forward the third connection establishment request to the server to establish a third channel between the client and the server when the second matching module matches the second association relationship.
10. The apparatus of claim 9, wherein the first connection information includes first access information of the client to the server, the first access information being access information issued by an SDP controller that allows the client to access the server; the third connection information comprises third access information used for establishing the third channel on the server; the device further comprises:
a fourth receiving module, configured to receive a second data processing request sent by the sending end based on the third channel, where the second data processing request includes second target access information;
the third matching module is used for matching the association relation table by using the second target access information;
a fourth sending module, configured to forward the second data processing request to a receiving end when the third matching module matches the second association relationship;
when the sending end is the client, the receiving end is the server; when the sending end is the server, the receiving end is the client.
CN202210290192.9A 2022-03-23 2022-03-23 Channel establishment method and device Active CN114710544B (en)
Publications (2)

Publication Number Publication Date
CN114710544A CN114710544A (en) 2022-07-05
CN114710544B true CN114710544B (en) 2023-11-03
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant