CN115208590A - Cross-domain communication system, method and storage medium - Google Patents

Cross-domain communication system, method and storage medium

Info

Publication number
CN115208590A
Authority
CN
China
Prior art keywords
node
data
domain
proxy
transmitted
Prior art date
Legal status
Pending
Application number
CN202110314740.2A
Other languages
Chinese (zh)
Inventor
许少辉
师佳
吴锋
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Cloud Computing Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Cloud Computing Technologies Co Ltd
Priority to CN202110314740.2A
Publication of CN115208590A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

The application provides a cross-domain communication system, which comprises a first communication domain and a second communication domain, wherein the first communication domain comprises a first proxy node and a service node, and the internal network security of the first communication domain is lower than a preset standard; the second communication domain comprises a second proxy node and a control node, and the internal network security of the second communication domain is higher than the preset standard. The first proxy node is used for sending data to be transmitted from the service node to the second proxy node; the second proxy node is used for receiving and storing the data to be transmitted, and the control node acquires the data to be transmitted in the second proxy node. Since the network port exposed by the second communication domain to the first communication domain is only the network port of the second proxy node and not the network port of the control node, the network security level of the second communication domain is not reduced because the network port of the control node is not exposed. In addition, the application also provides a cross-domain communication method and a storage medium.

Description

Cross-domain communication system, method and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a cross-domain communication system, a method, and a storage medium.
Background
In network communication scenarios, cross-domain communication is common. According to how secure the network inside each domain is, the domains involved can be divided into a trusted domain, a semi-trusted domain and an untrusted domain. The network inside the trusted domain is the most secure and is not easily attacked; the network inside the untrusted domain is the least secure, for example because it is directly connected to equipment used by tenants, so the risk of malicious attack is high; the internal security of the semi-trusted domain lies between the two.
During cross-domain communication, a trusted domain accessing a semi-trusted or untrusted domain carries little security risk. However, when the semi-trusted or untrusted domain accesses the trusted domain, a network port of a control node in the trusted domain is exposed to that domain, which increases the risk that the port of the control node is maliciously attacked and lowers the internal network security of the trusted domain.
Disclosure of Invention
The application provides a cross-domain communication system for improving the communication security between nodes in different communication domains and the internal network security of a trusted domain. In addition, the application also provides a cross-domain communication method, a computer readable storage medium and a computer program product.
In a first aspect, the present application provides a cross-domain communication system, which includes a first communication domain and a second communication domain, where the first communication domain includes a first proxy node and a service node, and the internal network security of the first communication domain is lower than a preset standard (which may also be referred to as a semi-trusted domain or an untrusted domain); and the second communication domain comprises a second proxy node and a control node, and the internal network security of the second communication domain is higher than the preset standard (also called a trusted domain). During cross-domain communication, the first proxy node is used for sending data to be transmitted to the second proxy node, and the data to be transmitted originates from the service node; the second proxy node is configured to receive and store the data to be transmitted, and the control node may obtain the data to be transmitted stored in the second proxy node, for example by actively polling the second proxy node, or the second proxy node may actively send the data to be transmitted to the control node.
In the cross-domain communication process, the data to be transmitted in the first communication domain is not sent directly to the control node in the second communication domain; it is first sent to the second proxy node in the second communication domain, and the control node then acquires the data to be transmitted from the second proxy node. In this way, although the first communication domain is an untrusted or semi-trusted domain whose internal network security is lower than the preset standard, the only network port the second communication domain exposes to the first communication domain during cross-domain communication is that of the second proxy node, not that of the control node. Because the control node's port is not exposed, the network security of the second communication domain is not reduced, and the security of cross-domain communication between the first and second communication domains is improved.
In a possible implementation manner, the first communication domain further includes an intermediate node, and when the first proxy node sends the data to be transmitted to the second proxy node, it is the intermediate node that actually sends the data to the second proxy node. For example, the intermediate node may be a storage database such as Redis.
In a possible implementation manner, while data to be transmitted is passed from the first communication domain to the second communication domain, the intermediate node is specifically configured to receive a data reporting instruction from the first proxy node, where the data reporting instruction includes the data to be transmitted; the intermediate node then performs security authentication on the data reporting instruction and sends the data to be transmitted to the second proxy node only after the instruction passes authentication. When the data reporting instruction fails the security authentication, the intermediate node may refuse to forward the data to be transmitted. Adding security authentication to the intermediate node's forwarding step therefore further improves the security of cross-domain data transmission.
In a possible implementation manner, the security authentication performed by the intermediate node on the data reporting instruction specifically includes checking whether a command word in the data reporting instruction matches a preset command word, and/or checking whether a node identifier in the data reporting instruction matches the identifier of a service node. The specific way in which the intermediate node authenticates the data reporting instruction is not limited in this embodiment.
In a possible implementation manner, the frequency at which the intermediate node executes instructions may not exceed a preset frequency. Once the intermediate node determines that the number of instructions executed in the current period (for example, 1 second) has reached the number corresponding to the preset frequency, it suspends execution of the data reporting instruction and waits for the next period to execute it; if that number has not yet been reached, the intermediate node executes the data reporting instruction and forwards the data to be transmitted.
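The three checks described for the intermediate node (command-word match, node-identifier match, and a per-period execution cap with deferral to the next period) are modelled below in an added example; this is not code from the patent or from Huawei. The command word `REPORT_DATA`, the node identifiers, the clock injection and the `forward` callback are all assumptions made for illustration.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Any, Callable, Deque, Dict, List, Set, Tuple

# Assumed preset command word; the patent does not specify its value.
PRESET_COMMAND_WORD = "REPORT_DATA"


@dataclass(frozen=True)
class DataReportInstruction:
    command_word: str        # must match the preset command word
    node_id: str             # must match a registered service node identifier
    payload: Dict[str, Any]  # the data to be transmitted


class IntermediateNode:
    """Receives data reporting instructions from the first proxy node,
    authenticates them, caps executions per period, and forwards the
    payload of accepted instructions to the second proxy node."""

    def __init__(self, registered_nodes: Set[str], max_per_period: int,
                 forward: Callable[[str, Dict[str, Any]], None],
                 period_s: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.registered_nodes = registered_nodes
        self.max_per_period = max_per_period
        self.forward = forward
        self.period_s = period_s
        self.clock = clock
        self._period_start = clock()
        self._executed = 0
        self._pending: Deque[DataReportInstruction] = deque()
        self.rejected: List[Tuple[str, str]] = []   # (node_id, command_word) for audit

    def authenticate(self, instr: DataReportInstruction) -> bool:
        # Both checks named in the text: command word and node identifier.
        return (instr.command_word == PRESET_COMMAND_WORD
                and instr.node_id in self.registered_nodes)

    def _take_slot(self) -> bool:
        """Consume one execution slot in the current period, if any is left."""
        now = self.clock()
        if now - self._period_start >= self.period_s:
            self._period_start = now
            self._executed = 0
        if self._executed >= self.max_per_period:
            return False
        self._executed += 1
        return True

    def flush(self) -> int:
        """Execute instructions deferred from an earlier period; returns how many."""
        sent = 0
        while self._pending and self._take_slot():
            instr = self._pending.popleft()
            self.forward(instr.node_id, instr.payload)
            sent += 1
        return sent

    def handle(self, instr: DataReportInstruction) -> str:
        """Returns 'rejected', 'deferred' or 'forwarded' for this instruction."""
        if not self.authenticate(instr):
            self.rejected.append((instr.node_id, instr.command_word))
            return "rejected"
        self.flush()   # earlier deferred instructions keep their place in line
        if self._pending or not self._take_slot():
            self._pending.append(instr)
            return "deferred"
        self.forward(instr.node_id, instr.payload)
        return "forwarded"


def demo_forwarding() -> Dict[str, Any]:
    """Constructed traffic: two bad instructions, then a burst over the cap."""
    received: List[Tuple[str, Dict[str, Any]]] = []
    fake_now = [100.0]   # constructed clock so the period boundary is explicit
    node = IntermediateNode({"svc-1021", "svc-1022"}, max_per_period=2,
                            forward=lambda nid, p: received.append((nid, p)),
                            clock=lambda: fake_now[0])
    ok = lambda: DataReportInstruction("REPORT_DATA", "svc-1021", {"cpu": 37})
    results: Dict[str, Any] = {}
    results["valid"] = node.handle(ok())
    results["bad_command"] = node.handle(DataReportInstruction("EXEC", "svc-1021", {}))
    results["unknown_node"] = node.handle(DataReportInstruction("REPORT_DATA", "svc-9999", {}))
    results["second"] = node.handle(ok())              # second of two allowed
    results["third_same_period"] = node.handle(ok())   # over the cap: deferred
    fake_now[0] += 1.0                                 # next period begins
    results["flushed_next_period"] = node.flush()
    results["forwarded_total"] = len(received)
    results["rejected_total"] = len(node.rejected)
    return results
```

A rejected instruction is recorded rather than silently dropped, which is what a detection team needs when a service node in the less-trusted domain starts emitting instructions with the wrong command word or a foreign node identifier.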
In a possible implementation manner, the second proxy node includes a data cache queue corresponding to the service node, and when the control node obtains the data to be transmitted from the second proxy node, the control node may specifically obtain the data to be transmitted from the data cache queue. In other examples, the second proxy node may store the data to be transmitted by other means besides the buffer queue, which is not limited in this embodiment of the present application.
In a possible implementation manner, the second communication domain may actively communicate with the first communication domain, and specifically, the second proxy node may further send a control instruction to the first proxy node, where the control instruction is used to control the serving node to execute the target service. Illustratively, the second proxy node may send control instructions to the first proxy node via the intermediate node.
In a possible implementation manner, the second proxy node includes an instruction cache queue corresponding to the service node, where the instruction cache queue is used to store instructions issued to the corresponding service node; correspondingly, the intermediate node may receive the control instruction sent by the control node and add it to the instruction cache queue, so that the first proxy node can pull the control instruction from the instruction cache queue.
In a possible implementation manner, the intermediate node performs security authentication on a control instruction issued by the control node, so as to improve the security during cross-domain communication.
In a second aspect, the present application provides a cross-domain communication method, which is applied to a cross-domain communication system that includes a first communication domain and a second communication domain, where the first communication domain includes a first proxy node and a service node and has internal network security lower than a preset standard, and the second communication domain includes a second proxy node and a control node and has internal network security higher than the preset standard. The method specifically includes: the first proxy node sends data to be transmitted, which comes from the service node, to the second proxy node; the second proxy node then receives and stores the data to be transmitted, and the control node acquires the data to be transmitted stored in the second proxy node.
In a possible implementation manner, the first communication domain further includes an intermediate node, and when the first proxy node sends the data to be transmitted to the second proxy node, the first proxy node may specifically send the data to be transmitted to the intermediate node; and the intermediate node forwards the data to be transmitted to the second proxy node.
In a possible implementation manner, when the first proxy node sends data to be transmitted to the second proxy node through the intermediate node, specifically, the first proxy node sends a data reporting instruction to the intermediate node, where the data reporting instruction includes the data to be transmitted; and then, the intermediate node performs security authentication on the data reporting instruction, and sends the data to be transmitted to the second proxy node after the data reporting instruction passes the security authentication.
In a possible implementation manner, the security authentication of the data reporting instruction specifically includes authenticating whether a command word in the data reporting instruction matches a preset command word, and/or authenticating whether a node identifier in the data reporting instruction matches an identifier of a service node.
In one possible embodiment, the intermediate node executes the instructions from the first proxy node no more frequently than a predetermined frequency.
In one possible implementation, the second proxy node includes a data cache queue corresponding to the service node; the control node may specifically obtain the data to be transmitted from a data cache queue corresponding to the service node when obtaining the data to be transmitted stored in the second proxy node.
In one possible embodiment, the method further comprises: the second proxy node sends a control instruction to the first proxy node, wherein the control instruction is used for controlling the service node to execute the target service.
In one possible implementation, the second proxy node includes an instruction cache queue corresponding to the service node, and the method further includes: the intermediate node receives the control instruction sent by the control node and adds the control instruction to the instruction cache queue corresponding to the service node.
In one possible embodiment, the method further comprises: the intermediate node performs security authentication on the control instruction.
In a third aspect, the present application provides a cross-domain communication apparatus, where the apparatus is applied to the second proxy node, and the cross-domain communication apparatus includes various modules for implementing the cross-domain communication method performed by the first proxy node in the second aspect or any possible implementation manner of the second aspect.
In a fourth aspect, the present application provides a computer-readable storage medium having stored therein instructions, which, when run on a plurality of computer devices, cause the plurality of computer devices to perform the method of any one of the implementations of the second aspect or the second aspect described above. Specifically, a first computer device in the plurality of computer devices, executing instructions in a computer-readable storage medium, may implement the method performed by the second proxy node in the second aspect; wherein the first computer device comprises at least one computer device. A second computer device of the plurality of computer devices, executing instructions in a computer-readable storage medium, may implement the method performed by the first proxy node in the second aspect; wherein the second computer device comprises at least one computer device.
In a possible implementation manner, the plurality of computer devices further includes a third computer device, and the third computer device executes instructions in a computer-readable storage medium, so that the method performed by the intermediate node in the second aspect can be implemented; wherein the third computer device comprises at least one computer device.
In a fifth aspect, the present application provides a computer program product comprising instructions which, when run on a plurality of computer devices, cause the plurality of computer devices to perform the method of any one of the implementations of the second aspect or the second aspect described above. Specifically, a first computer device of the plurality of computer devices, executing a computer program product containing instructions, may implement the method performed by the first proxy node in the second aspect; wherein the first computer device comprises at least one computer device. A second computer device of the plurality of computer devices, executing a computer program product comprising instructions, may implement the method performed by the second proxy node of the second aspect; wherein the second computer device comprises at least one computer device.
In a possible implementation manner, a third computer device of the plurality of computer devices, executing a computer program product comprising instructions, may implement the method performed by the intermediate node in the second aspect; wherein the third computer device comprises at least one computer device.
The present application can further combine to provide more implementations on the basis of the implementations provided by the above aspects.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a block diagram of a cross-domain communication system;
fig. 2 is a schematic architecture diagram of a cross-domain communication system according to an embodiment of the present application;
fig. 3 is a schematic architecture diagram of another cross-domain communication system according to an embodiment of the present application;
fig. 4 is a flowchart illustrating a cross-domain communication method according to an embodiment of the present application;
fig. 5 is a schematic diagram of a specific data structure of a data cache queue according to an embodiment of the present application;
fig. 6 is a schematic architecture diagram of another cross-domain communication system according to an embodiment of the present application;
fig. 7 is a flowchart illustrating another cross-domain communication method according to an embodiment of the present application;
fig. 8 is a flowchart illustrating another cross-domain communication method according to an embodiment of the present application;
FIG. 9 is a diagram illustrating an exemplary data structure of an instruction cache queue according to an embodiment of the present disclosure;
fig. 10 is a schematic diagram of an implementation process of the proxy node 1023 accessing the intermediate node 1025 according to the embodiment of the present application;
fig. 11 is a schematic structural diagram of a computer device 1100 according to an embodiment of the present application;
fig. 12 is a schematic structural diagram of another computer apparatus 1200 according to an embodiment of the present application;
fig. 13 is a schematic structural diagram of a further computer device 1300 according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of a further computer device 1400 according to an embodiment of the present application.
Detailed Description
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and are merely descriptive of the various embodiments of the application and how objects of the same nature can be distinguished.
Referring to fig. 1, a specific architecture of a cross-domain communication system is shown. As shown in fig. 1, a cross-domain communication system 100 may include a communication domain 101 and a communication domain 102, where the communication domain 101 includes at least one control node 1011, the communication domain 102 includes at least one service node, and the communication domain 102 includes a service node 1021 and a service node 1022 as an example in fig. 1. The control node 1011 may issue a control instruction to the service node 1021 and/or the service node 1022 across domains, so as to control the service node 1021 and/or the service node 1022 to provide corresponding services, such as a face recognition service, an Artificial Intelligence (AI) calculation service, and the like; meanwhile, the service node 1021 and/or the service node 1022 may report data, such as reporting monitoring data of the service node, to the control node 1011 across the communication domain.
In the cross-domain communication system 100, the internal network security of the communication domain 101 is higher than a preset standard, so it is a trusted domain, while the internal network security of the communication domain 102 is lower than the preset standard, so it is an untrusted domain (for example, the service node 1021 and/or the service node 1022 in the communication domain 102 are directly connected to the tenant, and the internal network security is lower) or a semi-trusted domain. The preset criterion for judging whether a communication domain is a trusted domain may be, for example, a preset network security level, or a condition for judging whether the network is secure (for example, whether a node in it is connected to a tenant), which is not limited in this embodiment. If the control node 1011 issues a control instruction to the service node 1021 and/or the service node 1022 across domains, the network port of the control node 1011 need not be exposed to the communication domain 102, so the control node 1011 is not put at risk of malicious attack through an exposed port during or after the cross-domain communication, and the internal network security of the communication domain 101 is not reduced. However, if the service node 1021 and/or the service node 1022 report monitoring data to the control node 1011 across domains, such as data on the node's own load, CPU utilization, temperature and so on, the network port of the control node 1011 usually has to be exposed to the service node 1021 and/or the service node 1022 for the reporting of the monitoring data to be completed.
Thus, once some nodes in the communication domain 102 have been compromised, they can send a large amount of erroneous data or erroneous instructions to the exposed network port of the control node 1011, so that the control node 1011 receives a large amount of erroneous data or executes the erroneous instructions. This affects the normal operation of the control node 1011, for example by making it impossible to detect that the service node 1021 and/or the service node 1022 is abnormal, and reduces the internal network security of the communication domain 101.
Based on this, the embodiment of the present application provides a cross-domain communication system, so as to improve network security in a communication domain during cross-domain communication. Specifically, as shown in the cross-domain communication system 200 of fig. 2, on the basis of the cross-domain communication system 100 shown in fig. 1, in the cross-domain communication system 200, a proxy node 1012 is newly added in the communication domain 101, a proxy node 1023 is newly added for the service node 1021 in the communication domain 102, and a proxy node 1024 is newly added for the service node 1022.
In actual deployment, each newly added agent node may be implemented by software, for example, may be a computer program running on a device; alternatively, the proxy node may be implemented by hardware, for example, by using an application-specific integrated circuit (ASIC), or a Programmable Logic Device (PLD), which may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
When the communication domain 101 is a trusted domain and the communication domain 102 is an untrusted domain or a semi-trusted domain, taking the example that the service node 1021 reports monitoring data to the control node 1011, the service node 1021 may send the monitoring data to the proxy node 1023, and then the proxy node 1023 sends the monitoring data to the proxy node 1012 in the communication domain 101 across domains; the proxy node 1012 receives and stores the monitoring data, and the control node 1011 may periodically poll the proxy node 1012 to obtain the monitoring data stored in the proxy node 1012. When the service node 1022 reports the monitoring data to the control node 1011, the proxy node 1024 may also report the monitoring data to the control node 1011 by referring to the above process, which is not described in detail in this embodiment.
In the cross-domain communication process, the monitoring data in the communication domain 102 is not directly transmitted to the control node 1011 in the communication domain 101, but the monitoring data is firstly sent to the proxy node 1012 in the communication domain 101, and then the control node 1011 acquires the monitoring data from the proxy node 1012. In this way, although the communication domain 102 is an untrusted domain or a semi-trusted domain, during the cross-domain communication, the network port exposed to the communication domain 102 by the communication domain 101 is only the network port of the proxy node 1012, and is not the network port of the control node 1011, so that the network security degree of the communication domain 101 is not reduced because the network port of the control node 1011 is not exposed, and the security of the cross-domain communication between the communication domain 101 and the communication domain 102 can be improved.
It should be noted that the cross-domain communication system 200 described in fig. 2 is only an exemplary illustration, and is not intended to limit the technical solution of the embodiment of the present application to the example shown in fig. 2. For example, in the cross-domain communication system 200 shown in fig. 2, an additional proxy node may be integrated as a component in a service node, and in other possible cross-domain communication systems, the additional proxy node may also be separately deployed in a communication domain; alternatively, multiple serving nodes may share the same proxy node; still alternatively, referring to the cross-domain communication system 300 including 3 communication domains shown in fig. 3, after the monitoring data collected by the service node 1021 is reported to the communication domain 101, the control node 1031 in the communication domain 103 acquires the monitoring data from the proxy node 1012 in the communication domain 101 by means of active polling, and the like, at this time, the communication domain 103 may be a trusted domain, and both the communication domain 101 and the communication domain 102 may be an untrusted domain or a semi-trusted domain, and the like. In this embodiment, the specific deployment manner of the cross-domain communication system is not necessarily limited.
For the sake of understanding, the embodiments of the present application will be described below with reference to the accompanying drawings.
Referring to fig. 4, fig. 4 is a flowchart illustrating a cross-domain communication method according to an embodiment of the present application. The cross-domain communication method shown in fig. 4 can be applied to the cross-domain communication system shown in fig. 2, or to other applicable cross-domain communication systems. In practical application, the agent nodes may be independently deployed in the communication domain of the cross-domain communication system, or each agent node may be integrally deployed with other nodes. For convenience of explanation, the cross-domain communication system shown in fig. 2 is taken as an example in this embodiment.
Based on the cross-domain communication system 200 shown in fig. 2, the cross-domain communication method shown in fig. 4 may specifically include:
s401: the service node 1021 sends the data to be transmitted to the proxy node 1023 corresponding to the service node 1021.
As an implementation example, the data to be transmitted may be monitoring data of the service node 1021, such as data on the load, CPU occupancy, memory utilization, port traffic, operating power, operating temperature and so on of the service node 1021. In practical applications, the service node 1021 may periodically collect the monitoring data and send it to the proxy node 1023 as the data to be transmitted, so that the proxy node 1023 sends the data to be transmitted to the communication domain 101.
Of course, in other possible implementation manners, the data to be transmitted may also be other data reported by the service node 1021; for example, after the control node 1011 in the communication domain 101 issues a control instruction to the service node 1021, the service node 1021 executes a corresponding service processing operation based on the control instruction and feeds back the result of that processing to the communication domain 101 as the data to be transmitted.
In this embodiment, the proxy node 1023 is integrated with the service node 1021, so the service node 1021 can send data to be transmitted to the proxy node 1023 through a corresponding bus, such as a peripheral component interconnect express (PCIe) bus. In other embodiments, the service node 1021 and the proxy node 1023 are deployed independently, and the service node 1021 may send data to be transmitted to the proxy node 1023 through a network protocol, such as the Transmission Control Protocol (TCP).
S402: proxy node 1023 sends the data to be transmitted to proxy node 1012 in communications domain 101.
In this embodiment, proxy node 1023 and proxy node 1012 belong to different communication domains, so the data exchanged between the two nodes in cross-domain communication is transmitted over a network protocol such as TCP.
Before control node 1011 in communication domain 101 and service node 1021 in communication domain 102 communicate, proxy node 1012 establishes a communication connection with proxy node 1023 in advance, so that proxy node 1023 can send the data to be transmitted to proxy node 1012 over that connection. The only network port of communication domain 101 exposed to communication domain 102 is therefore the network port of proxy node 1012; the network port of control node 1011 is not exposed to communication domain 102.
S403: proxy node 1012 receives and stores data to be transmitted.
As an example, proxy node 1012 includes a data cache queue, and after receiving the data to be transmitted, proxy node 1012 may write it to the data cache queue for storage. Further, in actual application there may be multiple service nodes in communication domain 102 that all report data to control node 1011, so proxy node 1012 may include multiple data cache queues, with different data cache queues storing the data to be transmitted reported by different service nodes. Proxy node 1012 may establish the correspondence between service nodes and data cache queues in advance; one data cache queue may store the data to be transmitted from one service node, or from multiple service nodes.
As an example, the specific data structure of the data buffer queue may be as shown in fig. 5. Each data cache queue comprises a queue identifier and a plurality of data areas, and each data area can be used for storing data to be transmitted from a service node, the identifier of the service node and a data type (such as a character type, an integer type, a floating point type and the like). Of course, in other possible embodiments, the specific data structure of the data buffer queue may also adopt other structures, or the data stored in the data buffer queue may also be adaptively increased or decreased, and the like.
In practical applications, the proxy node 1012 may also store data to be transmitted in other manners, which is not limited in this embodiment.
S404: the control node 1011 acquires data to be transmitted stored in the proxy node 1012.
In a possible embodiment, control node 1011 may periodically poll proxy node 1012 to determine whether proxy node 1012 stores data to be transmitted reported by service node 1021, and if so, read the data to be transmitted from proxy node 1012, for example from the data cache queue.
In another possible embodiment, proxy node 1012 may instead actively report the stored data to be transmitted to control node 1011. For example, after proxy node 1012 has successfully stored the data to be transmitted, it may generate a communication message carrying that data and send the message to control node 1011, which parses the data to be transmitted out of the message. Alternatively, proxy node 1012 may count the amount of data to be transmitted it has stored, and when the amount reaches a preset data threshold, proxy node 1012 may send the data to be transmitted to control node 1011, or notify control node 1011 to access proxy node 1012 and fetch it.
Since control node 1011 and proxy node 1012 are both located in communication domain 101, the sending of data to be transmitted from proxy node 1012 to control node 1011 is a data communication process within the same communication domain; the network port of control node 1011 is exposed only to proxy node 1012, so the internal network security of communication domain 101 is not reduced. Meanwhile, the network port that communication domain 101 exposes to communication domain 102 is the network port of proxy node 1012. Even if communication domain 102 is an untrusted domain, the only port that can be attacked is the network port of proxy node 1012, which does not affect the data communication and control process of control node 1011 inside communication domain 101, so the internal network security of communication domain 101 is not reduced. Proxy node 1012 is therefore the trust boundary of communication domain 101: the data it stores and forwards is the only path by which communication domain 102 reaches control node 1011, and the following embodiment adds security authentication of that data before it is forwarded.
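As an added illustration, not part of the patent and not Huawei's code, the following Python sketch models the behaviour of proxy node 1012 in steps S403 and S404: data cache queues mapped to service nodes in advance, each data area carrying the reporter's identifier and the data type as in fig. 5, the polling variant in which the control node reads one reporter's data, and the threshold-triggered push variant. The class and function names, the service node identifiers and the sample monitoring values are assumptions made for the illustration; what happens to data from a service node with no configured queue is not specified by the page, and the sketch drops and counts it.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class DataArea:
    """One data area of a data cache queue (fig. 5): reporter, data type, payload."""
    service_node_id: str
    data_type: str
    payload: object


class DataCacheQueue:
    """A data cache queue: a queue identifier plus an ordered run of data areas."""

    def __init__(self, queue_id: str) -> None:
        self.queue_id = queue_id
        self.areas: deque = deque()

    def read_all(self) -> List[DataArea]:
        areas = list(self.areas)
        self.areas.clear()
        return areas


class ProxyNode1012:
    """Proxy node of the control domain: stores data reported across the boundary and
    hands it to the control node when polled, or pushes it once a preset amount has
    accumulated (the two variants of S404)."""

    def __init__(self, queue_of_node: Dict[str, str], report_threshold: Optional[int] = None,
                 push_to_control_node: Optional[Callable[[List[DataArea]], None]] = None) -> None:
        # Correspondence service node -> data cache queue, established in advance.
        # Several service nodes may share one queue.
        self.queue_of_node = queue_of_node
        self.queues = {qid: DataCacheQueue(qid) for qid in set(queue_of_node.values())}
        self.report_threshold = report_threshold
        self.push_to_control_node = push_to_control_node
        self.stored_since_push = 0
        self.dropped = 0   # reports from nodes with no queue (assumption: drop and count)

    def receive(self, service_node_id: str, payload: object) -> bool:
        """S403: store data to be transmitted, tagged with reporter and data type."""
        queue_id = self.queue_of_node.get(service_node_id)
        if queue_id is None:
            self.dropped += 1
            return False
        self.queues[queue_id].areas.append(
            DataArea(service_node_id, type(payload).__name__, payload))
        self.stored_since_push += 1
        # Active variant: push to the control node once the threshold is reached.
        if (self.report_threshold is not None and self.push_to_control_node is not None
                and self.stored_since_push >= self.report_threshold):
            self.push_to_control_node(self.drain_all())
        return True

    def poll(self, service_node_id: str) -> List[DataArea]:
        """Polling variant: the control node asks for one service node's data. In a shared
        queue only that node's areas are handed over; the others stay queued."""
        queue_id = self.queue_of_node.get(service_node_id)
        if queue_id is None:
            return []
        q = self.queues[queue_id]
        mine = [a for a in q.areas if a.service_node_id == service_node_id]
        q.areas = deque(a for a in q.areas if a.service_node_id != service_node_id)
        self.stored_since_push = max(0, self.stored_since_push - len(mine))
        return mine

    def drain_all(self) -> List[DataArea]:
        areas: List[DataArea] = []
        for q in self.queues.values():
            areas.extend(q.read_all())
        self.stored_since_push = 0
        return areas


# Constructed sample reports in the shape the page lists for monitoring data
# (CPU occupancy, port traffic, operating state, temperature); the values are made up.
SAMPLE_REPORTS = [
    ("svc-1021", 0.42),      # CPU occupancy, floating point
    ("svc-1021", 1200),      # port traffic, integer
    ("svc-1022", "normal"),  # operating state, character
    ("svc-1021", 61.5),      # operating temperature, floating point
    ("svc-9999", 1),         # reporter with no configured queue
]


def demo_poll_mode() -> Dict[str, object]:
    proxy = ProxyNode1012({"svc-1021": "q1", "svc-1022": "q1"})
    accepted = [proxy.receive(node, value) for node, value in SAMPLE_REPORTS]
    got = proxy.poll("svc-1021")          # control node 1011 polls for one reporter
    return {"accepted": accepted,
            "types_1021": [a.data_type for a in got],
            "left_in_q1": len(proxy.queues["q1"].areas),
            "dropped": proxy.dropped}


def demo_push_mode() -> List[int]:
    pushed: List[int] = []                # sizes of the batches pushed to control node 1011
    proxy = ProxyNode1012({"svc-1021": "q1", "svc-1022": "q2"}, report_threshold=2,
                          push_to_control_node=lambda areas: pushed.append(len(areas)))
    for node, value in SAMPLE_REPORTS:
        proxy.receive(node, value)
    return pushed
```

In the polling run the shared queue q1 ends up with the svc-1022 entry still queued after svc-1021's three areas are read, and the report from the unknown node is counted as dropped rather than written anywhere; in the push run the threshold of two makes the proxy push two batches of two areas each before the unknown report arrives.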
In the embodiment shown in fig. 4, the proxy node 1012 in the communication domain 101 and the proxy node 1023 in the communication domain 102 can directly communicate with each other, and in other possible cross-domain communication scenarios, data transmission between the proxy node 1012 and the proxy node 1023 can be realized through an intermediate node, as shown in fig. 6, and the intermediate node 1025 can be deployed in the communication domain 102. In practice, intermediate node 1025 may be, for example, a storage database such as Redis or the like. Next, based on the cross-domain communication system 600 shown in fig. 6, another cross-domain communication method provided in the embodiment of the present application is described in detail. As shown in fig. 7, the cross-domain communication method includes:
S701: the service node 1021 sends the data to be transmitted to the proxy node 1023 corresponding to the service node 1021.
S702: the agent node 1023 sends a data reporting instruction to the intermediate node 1025, wherein the data reporting instruction carries data to be transmitted.
In this embodiment, data can be transmitted between the proxy node 1023 and the proxy node 1012 through the intermediate node 1025, so that the proxy node 1023 can forward the data to be transmitted, which is reported by the service node 1021, to the intermediate node 1025.
S703: and the intermediate node 1025 performs security authentication on the data reporting instruction.
In this embodiment, to further increase the security of sending data from communication domain 102 to communication domain 101 in the cross-domain communication process, intermediate node 1025 may perform security authentication on the data reporting instruction sent by proxy node 1023. When the data reporting instruction fails the security authentication, intermediate node 1025 does not send the data to be transmitted carried in the data reporting instruction to communication domain 101.
As one example, when intermediate node 1025 performs security authentication on the data reporting instruction, it may authenticate whether the command word in the data reporting instruction matches a preset command word. Specifically, intermediate node 1025 may be configured with a command word white list. In actual application the white list may be configured in advance at intermediate node 1025 by a technician or administrator, or proxy node 1023 may obtain the command word white list at startup and send it to intermediate node 1025, and so on. The command word white list records one or more command words, such as data.report, command.report, data.pull and command.execute. After receiving the data reporting instruction sent by proxy node 1023, intermediate node 1025 parses the command word out of the data reporting instruction and matches it against the command word white list; specifically, it queries whether the command word in the data reporting instruction is identical to any command word recorded in the white list. When the command word does not match, the security authentication is determined to have failed, and intermediate node 1025 refuses to forward the data to be transmitted to communication domain 101 and may return an error prompt. When the command word matches, intermediate node 1025 allows the data to be transmitted to be sent to communication domain 101.
Or, when intermediate node 1025 performs security authentication on the data reporting instruction, it may authenticate whether the node identifier in the data reporting instruction matches the identifier of the service node. Specifically, after receiving the data to be transmitted sent by service node 1021, proxy node 1023 may generate the data reporting instruction from the data to be transmitted and an identifier of service node 1021 (such as the ID or name of service node 1021), and send the data reporting instruction to intermediate node 1025. When forwarding the data to be transmitted for service node 1021, intermediate node 1025 compares the service node identifier carried in the received data reporting instruction with the identifier of service node 1021. If the two identifiers are consistent, the data to be transmitted has not been wrongly attributed to another service node, the security authentication is passed, and intermediate node 1025 can forward the data to be transmitted to communication domain 101. If the two identifiers are not consistent, the security authentication is determined to have failed, and intermediate node 1025 refuses to forward the data to be transmitted to communication domain 101 and may return an error prompt.
Certainly, in practical application, the intermediate node 1025 may also authenticate whether the command word in the data reporting instruction matches the preset command word, and authenticate whether the node identifier in the data reporting instruction matches the identifier of the service node. Alternatively, the intermediate node 1025 may perform other security authentication procedures, which is not limited in this embodiment.
S704: when the data reporting instruction passes the security authentication, the intermediate node 1025 sends the data to be transmitted to the proxy node 1012.
In addition, the frequency at which intermediate node 1025 executes instructions may be limited in this embodiment so that it does not exceed a preset frequency. For example, intermediate node 1025 may be restricted to executing instructions from communication domain 102 at no more than 100 instructions per second and instructions from communication domain 101 at no more than 1000 instructions per second, and so on. The value of the preset frequency can be set according to the needs of the practical application, which is not limited in this embodiment.
When executing the data reporting instruction, intermediate node 1025 checks whether its instruction execution frequency exceeds the preset frequency; if it does not, intermediate node 1025 sends the data to be transmitted to proxy node 1012 in communication domain 101.
S705: proxy node 1012 receives and stores data to be transmitted.
S706: the control node 1011 acquires data to be transmitted stored in the proxy node 1012.
The control node 1011 may actively poll the proxy node 1012 to obtain the data to be transmitted; alternatively, proxy node 1012 may actively send data to be transmitted to control node 1011.
It should be noted that steps S701, S702, S705, and S706 in this embodiment are similar to the specific implementation process from step S401 to step S404 in the embodiment shown in fig. 4, and reference may be made to the description of relevant parts in the foregoing embodiment, which is not repeated herein.
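The three checks of steps S703 and S704 (command word white list, service node identifier match, execution frequency limit) are modelled together in the following Python sketch, which is an added illustration and not code from the patent or from Huawei. The page fixes the rates (100 per second from domain 102, 1000 per second from domain 101) but not how the window is measured, so a sliding one-second window is an assumption, as are the clock injection, the class name IntermediateNode1025, the identifier svc-1021 standing in for service node 1021, and the choice to treat a domain with no configured limit as having a limit of zero.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Instruction:
    command_word: str       # e.g. "data.report" or "command.pull"
    service_node_id: str    # identifier of the service node, inserted by proxy node 1023
    source_domain: str      # communication domain the instruction arrived from
    payload: object = None


class IntermediateNode1025:
    """Security authentication (S703) and execution frequency limit (S704): command word
    white list, node identifier match, then a per-domain limit. Only instructions that
    pass all three are forwarded to proxy node 1012."""

    def __init__(self, command_whitelist: Iterable[str], known_service_nodes: Iterable[str],
                 max_per_second: Dict[str, int],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.command_whitelist = set(command_whitelist)
        self.known_service_nodes = set(known_service_nodes)
        self.max_per_second = dict(max_per_second)     # preset frequency per source domain
        self.clock = clock                             # injectable so tests are deterministic
        self._executed: Dict[str, Deque[float]] = defaultdict(deque)
        self.forwarded: List[Instruction] = []         # what went on to proxy node 1012

    def authenticate(self, instr: Instruction) -> Tuple[bool, str]:
        """Both checks the page describes; the page allows either one or both."""
        if instr.command_word not in self.command_whitelist:
            return False, "command word not in white list"
        if instr.service_node_id not in self.known_service_nodes:
            return False, "node identifier does not match a known service node"
        return True, "ok"

    def _within_frequency(self, domain: str) -> bool:
        """Sliding one-second window of executed instructions per domain (assumption).
        A domain with no configured limit gets 0, i.e. fails closed."""
        now = self.clock()
        window = self._executed[domain]
        while window and window[0] <= now - 1.0:
            window.popleft()
        if len(window) >= self.max_per_second.get(domain, 0):
            return False
        window.append(now)
        return True

    def handle(self, instr: Instruction) -> Tuple[bool, str]:
        ok, reason = self.authenticate(instr)
        if not ok:
            return False, reason      # error prompt to the sender; nothing forwarded
        if not self._within_frequency(instr.source_domain):
            return False, "instruction frequency limit exceeded"
        self.forwarded.append(instr)  # S704: send on to proxy node 1012 in domain 101
        return True, "forwarded"


class FakeClock:
    """Manually advanced clock so the frequency window can be exercised offline."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def build_node(clock: Callable[[], float]) -> IntermediateNode1025:
    # Command words as the page lists them; svc-1021 stands in for service node 1021.
    return IntermediateNode1025(
        command_whitelist=["data.report", "command.report", "data.pull",
                           "command.execute", "command.pull"],
        known_service_nodes=["svc-1021"],
        max_per_second={"102": 100, "101": 1000},
        clock=clock)


def demo() -> Dict[str, object]:
    clock = FakeClock()
    node = build_node(clock)

    def report(word: str = "data.report", sid: str = "svc-1021") -> Instruction:
        # Constructed data reporting instruction from the untrusted domain 102.
        return Instruction(word, sid, "102", {"cpu": 0.42})

    results: Dict[str, object] = {}
    results["good"] = node.handle(report())
    results["bad_word"] = node.handle(report(word="flushall"))
    results["bad_node"] = node.handle(report(sid="svc-0000"))
    for _ in range(99):                         # fill the 100/second budget of domain 102
        node.handle(report())
    results["over_limit"] = node.handle(report())
    clock.t += 1.0                              # next second: the window has slid
    results["next_second"] = node.handle(report())
    results["forwarded"] = len(node.forwarded)
    return results
```

Rejected instructions are not counted against the frequency budget, since the page applies the limit to instructions the intermediate node executes; an attacker in domain 102 flooding with non-white-listed command words therefore cannot starve legitimate reports, but flooding with valid reports can, which is the trade-off the per-domain limit makes.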
The above embodiment describes the cross-domain communication process by way of example in terms of transmitting data from communication domain 102 to communication domain 101. The process of issuing a control instruction from communication domain 101 to communication domain 102 is described in detail below in conjunction with fig. 6 and fig. 8.
Referring to fig. 8, a flowchart of another cross-domain communication method is shown, where the method may specifically include:
S801: control node 1011 sends a control instruction to intermediate node 1025, the control instruction instructing service node 1021 to perform a target service.
Illustratively, the control node 1011 instructs the service node 1021 to perform a target service, which may be, for example, an AI calculation task, a face recognition task, and the like, which is not limited in this embodiment.
S802: intermediate node 1025 performs security authentication on the received control instructions.
In a specific implementation, intermediate node 1025 may parse the command word out of the control instruction and query whether it matches any command word recorded in a pre-configured command word white list, which records one or more command words such as command.execute. When the command word does not match, the security authentication is determined to have failed, and intermediate node 1025 refuses to forward the control instruction into communication domain 102. When the command word matches, intermediate node 1025 may send the control instruction to communication domain 102.
Alternatively, intermediate node 1025 may parse the service node identifier carried in the control instruction and compare it with the identifier of service node 1021. If the two identifiers are consistent, the security authentication is determined to have passed, and intermediate node 1025 may forward the control instruction to communication domain 102; if they are not consistent, the security authentication is determined to have failed, and intermediate node 1025 refuses to forward the control instruction.
Of course, in practical applications, the intermediate node 1025 may also simultaneously authenticate whether the command word in the control instruction matches the preset command word, and whether the node identifier in the control instruction matches the identifier of the service node. Alternatively, the intermediate node 1025 may perform other security authentication processes, which is not limited in this embodiment.
S803: intermediate node 1025 sends control instructions to proxy node 1012.
S804: proxy node 1012 receives the control instruction and stores it in an instruction cache queue.
As an example, proxy node 1012 includes an instruction cache queue, and after receiving the control instruction forwarded by intermediate node 1025, proxy node 1012 may write it to the instruction cache queue for storage. Further, because control node 1011 may issue different control instructions to multiple service nodes in communication domain 102 in actual application, proxy node 1012 may include multiple instruction cache queues, with different instruction cache queues storing the control instructions issued by control node 1011 to different service nodes. Proxy node 1012 may establish the correspondence between service nodes and instruction cache queues in advance; one instruction cache queue may store the control instructions issued by control node 1011 to one service node, or to multiple service nodes.
For example, the intermediate node 1025 may send a command.execute command to the proxy node 1012, where the command.execute command may carry a control instruction and an identifier of the service node 1021, so that after receiving the command.execute command, the proxy node 1012 may determine, according to the identifier of the service node 1021 carried in the command, an instruction cache queue for storing the control instruction, and add the control instruction carried in the command to the instruction cache queue.
As an example, the specific data structure of the instruction cache queue may be as shown in fig. 9. Each instruction cache queue includes a queue identifier and a plurality of instruction areas, and each instruction area may be used to store a control instruction issued by control node 1011 to a service node, the identifier of that service node, and other information. Of course, in other possible embodiments, the specific data structure of the instruction cache queue may also adopt other structures, or the content stored in the instruction cache queue may be adaptively increased or decreased, and the like.
In other possible embodiments, the proxy node 1012 may also store the control instruction by other means, which is not limited in this embodiment.
S805: proxy node 1012 places the current connection with intermediate node 1025 in a locked (blocking) state.
In this embodiment, after locking the connection between the proxy node 1012 and the intermediate node 1025, the proxy node 1023 (or the service node 1021) may not need to periodically poll the intermediate node 1025 whether there is a control instruction sent by the control node 1011. In this way, resource consumption of CPU, bandwidth, and the like, caused by polling by the proxy node 1023 (or the service node 1021) can be reduced.
S806: intermediate node 1025 informs proxy node 1023 that there is currently a control instruction for service node 1021.
For example, after proxy node 1023 connects to intermediate node 1025, it may track in real time whether the value of the key corresponding to the instruction cache queue of service node 1021 changes, that is, whether control node 1011 has issued a control instruction. After the connection has been placed in the locked state in step S805, intermediate node 1025 may send a notification message to proxy node 1023 indicating that the value in the instruction cache queue corresponding to service node 1021 has changed, so that proxy node 1023 can subsequently pull the changed value (that is, the newly issued control instruction) on behalf of service node 1021.
S807: the agent node 1023 sends an instruction pull command to the intermediate node 1025 to get the newly added control instructions in the instruction cache queue.
Illustratively, the instruction pull (command.pull) command sent by the proxy node 1023 to the intermediate node 1025 may carry an identifier of the service node 1021, so as to find out the new control instruction from the instruction cache queue corresponding to the service node 1021 by using the identifier.
S808: intermediate node 1025 performs security authentication on the instruction pull command.
In this embodiment, the specific way in which intermediate node 1025 performs security authentication on the instruction pull command is similar to the way intermediate node 1025 authenticates the control instruction and the data reporting instruction in the foregoing embodiments; reference may be made to the description of the relevant parts of the foregoing embodiments, which is not repeated here.
S809: when the instruction pull command passes security authentication, intermediate node 1025 forwards the instruction pull command to proxy node 1012.
S810: according to the received instruction pull command, proxy node 1012 sends the control instruction sent by control node 1011 to proxy node 1023.
In a specific implementation, the proxy node 1012 may parse the identifier of the service node 1021 from the received instruction pull command, so as to find out, according to the identifier of the service node 1021, a control instruction belonging to the service node 1021 from the instruction cache queue, and send the found control instruction to the proxy node 1023.
S811: the proxy node 1023 forwards the control instructions to the service node 1021 for execution by the service node 1021.
S812: the service node 1021 returns the execution result of the control instruction to the proxy node 1023.
S813: proxy node 1023 feeds back the execution result to proxy node 1012.
S814: proxy node 1012 unlocks the connection with intermediate node 1025.
S815: proxy node 1012 feeds back the execution result to control node 1011.
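The round trip of steps S801 to S815 is modelled end to end in the following Python sketch, an added illustration that is not code from the patent or from Huawei. It keeps the page's division of roles: the intermediate node checks the command word of the control instruction and of the pull command against the white list, proxy node 1012 caches the instruction per service node and holds the connection locked until the execution result comes back, and proxy node 1023 pulls only after being notified of the key change instead of polling. Everything concrete here is an assumption for the illustration: the class names, the threading used to stand in for the blocked connection, the identifier svc-1021, the white list contents, the constructed service node that merely reports that its target service ran, and the choice to treat a white-list failure on the pull command as returning nothing.

```python
import queue
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ControlInstruction:
    command_word: str       # "command.execute" for a control instruction
    service_node_id: str    # which service node is to carry it out
    target_service: str     # e.g. a face recognition task


class ProxyNode1012:
    """Control-domain proxy: per-service-node instruction cache queues (S804) and a lock
    on the intermediate connection held until the execution result arrives (S805, S814)."""

    def __init__(self) -> None:
        self.instruction_queues: Dict[str, List[ControlInstruction]] = {}
        self.results: "queue.Queue[str]" = queue.Queue()
        self.locked = False

    def cache(self, instr: ControlInstruction) -> None:
        self.instruction_queues.setdefault(instr.service_node_id, []).append(instr)

    def pull(self, service_node_id: str) -> List[ControlInstruction]:
        """S810: hand over, and remove, every cached instruction for this service node."""
        found = self.instruction_queues.get(service_node_id, [])
        self.instruction_queues[service_node_id] = []
        return found

    def wait_for_result(self, timeout: float) -> Optional[str]:
        """Block on the locked connection until a result is fed back, then unlock
        (S813 to S815). None means the service side never answered in time."""
        try:
            result = self.results.get(timeout=timeout)
        except queue.Empty:
            result = None
        self.locked = False
        return result


class IntermediateNode1025:
    """Stand-in for the Redis-like intermediate node: checks, forwards, locks, notifies."""

    def __init__(self, proxy_1012: ProxyNode1012, whitelist: Iterable[str]) -> None:
        self.proxy_1012 = proxy_1012
        self.whitelist = set(whitelist)
        self.watchers: Dict[str, Callable[[str], None]] = {}

    def watch(self, service_node_id: str, callback: Callable[[str], None]) -> None:
        """Proxy node 1023 tracks the key of its service node's instruction queue (S806)."""
        self.watchers[service_node_id] = callback

    def deliver_control(self, instr: ControlInstruction) -> bool:
        """S802 to S806: white-list check, forward to proxy 1012, lock, notify the watcher."""
        if instr.command_word not in self.whitelist:
            return False
        self.proxy_1012.cache(instr)
        self.proxy_1012.locked = True
        watcher = self.watchers.get(instr.service_node_id)
        if watcher is not None:
            watcher(instr.service_node_id)
        return True

    def pull(self, command_word: str, service_node_id: str) -> List[ControlInstruction]:
        """S808 to S810: the pull command is authenticated the same way before forwarding."""
        if command_word not in self.whitelist:
            return []
        return self.proxy_1012.pull(service_node_id)

    def feed_back(self, result: str) -> None:
        """S813: the execution result travels back to proxy node 1012."""
        self.proxy_1012.results.put(result)


class ProxyNode1023:
    """Service-domain proxy. It never polls: it pulls only after being notified."""

    def __init__(self, intermediate: IntermediateNode1025, service_node_id: str,
                 service_node: Callable[[ControlInstruction], str]) -> None:
        self.intermediate = intermediate
        self.service_node_id = service_node_id
        self.service_node = service_node   # callable standing in for service node 1021
        intermediate.watch(service_node_id, self.on_key_changed)

    def on_key_changed(self, _service_node_id: str) -> None:
        # Pull and execute on a worker so the control side can stay blocked meanwhile.
        threading.Thread(target=self._pull_and_execute, daemon=True).start()

    def _pull_and_execute(self) -> None:
        for instr in self.intermediate.pull("command.pull", self.service_node_id):  # S807
            self.intermediate.feed_back(self.service_node(instr))                # S811 to S813


def service_node_1021(instr: ControlInstruction) -> str:
    """Constructed service node: it just reports that the target service ran."""
    return f"{instr.target_service}: done"


def run_round_trip(command_word: str = "command.execute") -> Dict[str, object]:
    p1012 = ProxyNode1012()
    node = IntermediateNode1025(p1012, ["command.execute", "command.pull"])
    ProxyNode1023(node, "svc-1021", service_node_1021)
    instr = ControlInstruction(command_word, "svc-1021", "face recognition")
    accepted = node.deliver_control(instr)                              # S801 to S806
    result = p1012.wait_for_result(timeout=5.0) if accepted else None  # S805, S814
    return {"accepted": accepted, "result": result, "locked": p1012.locked,
            "queue_empty": not p1012.instruction_queues.get("svc-1021")}
```

With the default command word the result comes back, the lock is released and the instruction cache queue for svc-1021 is empty again; with a command word outside the white list the intermediate node never forwards, never locks and the service side is never woken, which is the behaviour the page describes for a failed security authentication in S802. The timeout on the blocked wait is the practitioner's addition: without it a service node that never answers would leave the connection locked indefinitely.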
In practice, proxy node 1023 may be connected to intermediate node 1025 in advance, before control node 1011 communicates with service node 1021. For ease of understanding, the access process of proxy node 1023 is described below with reference to a specific application scenario. In this scenario, based on the cross-domain communication system shown in fig. 6, communication domain 102 may further include an Identity and Access Management (IAM) node, a virtual private cloud (VPC) service, a VPC endpoint (VPCEP) service, a certificate service node and an elastic cloud server (ECS) service, and control node 1011 in communication domain 101 may send corresponding requests or instructions to these nodes in communication domain 102 to complete the access of proxy node 1023.
As shown in fig. 10, an exemplary implementation of accessing the intermediate node 1025 for the proxy node 1023 includes:
S1001: control node 1011 sends a tenant creation request to the IAM node. The tenant creation request carries a tenant identifier and requests the IAM node to create the tenant and allocate resources to it, such as computing resources, storage resources and bandwidth resources.
In actual application, the IAM node may feed back a notification of successful creation to control node 1011 after completing tenant creation and resource allocation based on the tenant creation request.
S1002: control node 1011 sends an authorization request to the VPCEP. The authorization request carries the tenant identifier and requests the VPCEP to grant the newly created tenant permission to access service node 1021.
In practical applications, the VPCEP may create a white list of one or more tenants for service node 1021, and service node 1021 provides its services only to tenants recorded on the white list. After receiving the authorization request, the VPCEP adds the newly created tenant to the white list, so that when the tenant accesses service node 1021, service node 1021 can provide the corresponding service to it.
Further, the VPCEP may feed back a notification of successful authorization to control node 1011 after completing the authorization.
S1003: the control node 1011 sends a VPC creation request to the VPC to request the VPC to create VPC resources for the tenant.
In this way, the subsequent tenant can request the corresponding service through the requested VPC resource, and the like.
In practical application, after VPC successfully creates VPC resources, the creation result can be fed back to the control node 1011.
S1004: control node 1011 sends a request to VPCEP to create an end node (endpoint) to request VPCEP to create a VPC end node on intermediate node 1025 for the tenant.
After the creation of the VPC terminal node is successful, VPCEP may return a notification of the successful creation to the control node 1011.
S1005: the control node 1011 instructs the certificate service node to issue a certificate for the created VPC terminal node.
In practical application, the certificate service node may feed back the certificate issuing result to the control node 1011 after the certificate is successfully issued.
S1006: the control node 1011 sends a virtual machine creation request to the ECS, where the virtual machine creation request carries a certificate, an IP address of the intermediate node 1025, an identifier of the virtual machine, and an identifier of the service node 1021, and is used to request the ECS to create the virtual machine for the tenant.
After the creation is successful, the ECS may feed back the result of successful creation to the control node 1011.
S1007: proxy node 1023 starts up, reading the certificate and the IP address of intermediate node 1025 from service node 1021.
S1008: the proxy node 1023 accesses the intermediate node 1025 based on the IP address of the intermediate node 1025 and provides the certificate to the intermediate node 1025.
In this way, the subsequent proxy node 1023 can report the monitoring data for the service node 1021 through the connection with the intermediate node 1025, or pull the control command sent by the control node 1011 through the intermediate node 1025, and the like.
Typically, the intermediate node 1025, after determining that the connection with the proxy node 1023 was successful, may feed back a notification of the connection success to the proxy node 1023.
In the embodiments, the control node 1011, the proxy node 1012, the proxy node 1023 and the intermediate node 1025 involved in the cross-domain communication process may be implemented by separate hardware devices, but in other possible implementations, they may be software configured on a computer device, and by running the software on the computer device, the computer device can implement the functions of the control node 1011, the proxy node 1012, the proxy node 1023 and the intermediate node 1025 respectively. The control node 1011, the proxy node 1012, the proxy node 1023 and the intermediate node 1025 involved in the cross-domain communication process will be described in detail below.
Figs. 11 to 14 each show a computer device. The computer device 1100 shown in fig. 11 may be specifically used to implement the functions of the control node 1011 in the embodiments shown in fig. 2 to 10, the computer device 1200 shown in fig. 12 may be specifically used to implement the functions of the proxy node 1012 in the embodiments shown in fig. 2 to 9, the computer device 1300 shown in fig. 13 may be specifically used to implement the functions of the proxy node 1023 in the embodiments shown in fig. 2 to 10, and the computer device 1400 shown in fig. 14 may be specifically used to implement the functions of the intermediate node 1025 in the embodiments shown in fig. 6 to 10.
Computer device 1100 includes a bus 1101, a processor 1102, a communication interface 1103, and a memory 1104. Communication between the processor 1102, memory 1104 and communication interface 1103 occurs via a bus 1101. The bus 1101 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 11, but this is not intended to represent only one bus or type of bus. The communication interface 1103 is used for communicating with the outside, for example, receiving a data acquisition request or the like sent from a terminal.
The processor 1102 may be a Central Processing Unit (CPU). The memory 1104 may include volatile memory (volatile memory), such as Random Access Memory (RAM). The memory 1104 may also include a non-volatile memory (non-volatile memory), such as a read-only memory (ROM), a flash memory, an HDD, or an SSD.
The memory 1104 has stored therein executable code that the processor 1102 executes to perform the methods described above as being performed by the control node 1011.
Specifically, in the case where computer device 1100 implements the embodiments shown in fig. 2 to 10 and control node 1011 described in those embodiments is implemented by software, the software or program code required to perform the functions of control node 1011 in fig. 2 to 10 is stored in memory 1104, the interaction of control node 1011 with other devices is performed via communication interface 1103, and processor 1102 executes the instructions in memory 1104 to perform the method executed by control node 1011.
The computer device 1200 includes a bus 1201, a processor 1202, a communication interface 1203, and a memory 1204. The processor 1202, the memory 1204, and the communication interface 1203 communicate over a bus 1201. In the case of the computer apparatus 1200 implementing the embodiment shown in fig. 2 to 9, and the proxy node 1012 described in the embodiment of fig. 2 to 9 is implemented by software, software or program codes required for implementing the functions of the proxy node 1012 are stored in the memory 1204. The interaction of the proxy node 1012 with other devices is performed via the communication interface 1203, and the processor 1202 is configured to execute instructions in the memory 1204 to perform the methods performed by the proxy node 1012.
Computer device 1300 includes a bus 1301, a processor 1302, a communication interface 1303, and memory 1304. Communication among processor 1302, memory 1304, and communications interface 1303 is via bus 1301. In the case where the computer apparatus 1300 implements the embodiment shown in fig. 2 to 9 and the proxy node 1023 described in the embodiment of fig. 2 to 9 is implemented by software, software or program codes required for implementing the function of the proxy node 1023 are stored in the memory 1304. The function of the proxy node 1023 to interact with other devices is implemented via the communication interface 1303, and the processor 1302 is configured to execute instructions in the memory 1304 to implement the method executed by the proxy node 1023.
The computer device 1400 includes a bus 1401, a processor 1402, a communication interface 1403, and a memory 1404. Communication between the processor 1402, the memory 1404, and the communication interface 1403 occurs via a bus 1401. In the case of computer device 1400 implementing the embodiment shown in fig. 6-10, and where intermediate node 1025 described in the embodiment of fig. 6-10 is implemented in software, the software or program code necessary to perform the functions of intermediate node 1025 is stored in memory 1404. The function of intermediate node 1025 to interact with other devices is performed by communication interface 1403 and processor 1402 executes instructions in memory 1404 to perform the method performed by intermediate node 1025.
In addition, the present application also provides a computer-readable storage medium, which stores instructions that, when executed on a plurality of computer devices, cause the plurality of computer devices to execute the method described in the above embodiment. Specifically, the plurality of computer devices may include a first computer device, and the first computer device executes instructions in the computer-readable storage medium, so as to implement the method performed by the proxy node 1012 in each embodiment described above. Wherein the first computer device comprises at least one computer device.
In some embodiments, a second computer device may be further included in the plurality of computer devices, and the second computer device executes instructions in a computer-readable storage medium, so that the method performed by the proxy node 1023 in the above embodiments can be implemented. Wherein the second computer device comprises at least one computer device.
In a further possible implementation, a third computer device may be included in the plurality of computer devices, and the third computer device executes instructions in the computer-readable storage medium, so as to implement the method performed by the intermediate node 1025 in the above embodiments; wherein the third computer device comprises at least one computer device.
Embodiments of the present application also provide a computer program product which, when executed by a plurality of computers, causes the plurality of computers to execute any one of the foregoing data providing methods. The computer program product may be a software installation package which can be downloaded and executed on a computer whenever any of the aforementioned data providing methods needs to be used.
It should be noted that the above-described apparatus embodiments are merely illustrative: the units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the apparatus embodiments provided in the present application, a connection between modules indicates that there is a communication connection between them, which may be implemented as one or more communication buses or signal lines.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus the necessary general-purpose hardware, and certainly can also be implemented by special-purpose hardware including application-specific integrated circuits, special-purpose CPUs, special-purpose memories, special-purpose components and the like. Generally, any function performed by a computer program can also be implemented by corresponding hardware, and the specific hardware structures for implementing the same function may vary, such as analog circuits, digital circuits, or dedicated circuits. For the present application, however, implementation as a software program is preferable. Based on this understanding, the technical solutions of the present application may be essentially embodied in the form of a software product, which is stored in a readable storage medium such as a floppy disk, a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a training device, or a network device) to execute the method according to the embodiments of the present application.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in accordance with the embodiments of the application are generated wholly or partially. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, training device, or data center to another website, computer, training device, or data center by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a training device or a data center, that contains one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.

Claims (19)

1. A cross-domain communication system, comprising a first communication domain and a second communication domain, wherein the first communication domain comprises a first proxy node and a service node, the second communication domain comprises a second proxy node and a control node, the internal network security of the first communication domain is lower than a preset standard, and the internal network security of the second communication domain is higher than the preset standard;
the first proxy node is used for sending data to be transmitted to the second proxy node, and the data to be transmitted comes from the service node;
the second proxy node is used for receiving and storing the data to be transmitted;
and the control node is used for acquiring the data to be transmitted stored in the second proxy node.
2. The system of claim 1, wherein the first communication domain further comprises an intermediate node; the first proxy node is specifically configured to send the data to be transmitted to the second proxy node through the intermediate node.
3. The system according to claim 2, wherein the intermediate node is specifically configured to receive a data reporting instruction from the first proxy node, where the data reporting instruction includes the data to be transmitted; performing security authentication on the data reporting instruction; and when the data reporting instruction passes the security authentication, sending the data to be transmitted to the second proxy node.
4. The system according to claim 3, wherein the security authentication of the data reporting instruction includes authenticating whether a command word in the data reporting instruction matches a preset command word, and authenticating whether a node identifier in the data reporting instruction matches an identifier of the service node.
5. The system according to any one of claims 2 to 4, wherein the intermediate node executes instructions from the first proxy node no more frequently than a predetermined frequency.
6. The system according to any one of claims 1 to 5, wherein the second proxy node includes a data cache queue corresponding to the service node, and the control node is specifically configured to obtain the data to be transmitted from the data cache queue.
7. The system according to any one of claims 2 to 5, wherein the second proxy node is further configured to send a control instruction to the first proxy node, the control instruction being configured to control the service node to execute a target service.
8. The system of claim 7, wherein the second proxy node comprises an instruction cache queue corresponding to the service node;
the intermediate node is further configured to receive a control instruction sent by the control node, and add the control instruction to the instruction cache queue.
9. The system of claim 8, wherein the intermediate node is further configured to perform security authentication on the control instruction.
10. A cross-domain communication method is applied to a cross-domain communication system, the cross-domain communication system comprises a first communication domain and a second communication domain, the first communication domain comprises a first proxy node and a service node, the second communication domain comprises a second proxy node and a control node, the internal network security of the first communication domain is lower than a preset standard, and the internal network security of the second communication domain is higher than the preset standard, the method comprises the following steps:
the first proxy node sends data to be transmitted to the second proxy node, and the data to be transmitted comes from the service node;
the second proxy node receives and stores the data to be transmitted;
and the control node acquires the data to be transmitted stored in the second proxy node.
11. The method of claim 10, wherein the first communication domain further comprises an intermediate node;
the first proxy node sends data to be transmitted to the second proxy node, and the method comprises the following steps:
the first proxy node sends the data to be transmitted to the intermediate node;
and the intermediate node forwards the data to be transmitted to the second proxy node.
12. The method of claim 10, wherein the first proxy node sending the data to be transmitted to the second proxy node via the intermediate node comprises:
the first proxy node sends a data reporting instruction to the intermediate node, wherein the data reporting instruction comprises the data to be transmitted;
the intermediate node carries out security authentication on the data reporting instruction;
and after the data reporting instruction passes the security authentication, the intermediate node sends the data to be transmitted to the second proxy node.
13. The method of claim 12, wherein performing security authentication on the data reporting instruction comprises authenticating whether a command word in the data reporting instruction matches a preset command word, and authenticating whether a node identifier in the data reporting instruction matches an identifier of the service node.
14. The method according to any of claims 11 to 13, wherein the intermediate node executes instructions from the first proxy node no more frequently than a predetermined frequency.
15. The method according to any one of claims 10 to 14, wherein the second proxy node comprises a data cache queue corresponding to the service node;
the control node acquires the data to be transmitted stored in the second proxy node, and the method comprises the following steps:
and the control node acquires the data to be transmitted from a data cache queue corresponding to the service node.
16. The method of any one of claims 11 to 14, further comprising:
and the second proxy node sends a control instruction to the first proxy node, wherein the control instruction is used for controlling the service node to execute the target service.
17. The method of claim 16, wherein the second proxy node comprises an instruction cache queue corresponding to the service node;
the method further comprises the following steps:
and the intermediate node receives a control instruction sent by the control node and adds the control instruction to the instruction cache queue.
18. The method of claim 17, further comprising:
and the intermediate node carries out security authentication on the control instruction.
19. A computer-readable storage medium having stored therein instructions that, when executed on a plurality of computing devices, cause the plurality of computing devices to perform the method of any one of claims 10 to 18.
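The following is an added example, not code from the patent or its assignee, that models the claimed data path as a small Python simulation: an intermediate node that checks the command word and node identifier of each data reporting instruction (claims 3-4), refuses to execute instructions more often than a fixed interval (claim 5), forwards accepted data into a per-service-node cache queue on the second proxy node from which the control node reads (claim 6), and authenticates control instructions before adding them to the instruction cache queue (claims 8-9). The command words, the one-second interval, the dictionary message shape and the service node identifiers are all constructed assumptions; the patent specifies none of them.

```python
import time
from collections import defaultdict, deque
# Constructed values: the patent names no concrete command words or rate.
PRESET_COMMAND_WORD = "REPORT_DATA"   # claim 4: command word a data report must carry
PRESET_CONTROL_WORD = "RUN_SERVICE"   # assumed command word for control instructions
MIN_INTERVAL_S = 1.0                  # claim 5: at most one instruction per second

class SecondProxyNode:
    """High-security-domain proxy: per-service-node data and instruction cache queues."""
    def __init__(self):
        self.data_queues = defaultdict(deque)         # claim 6
        self.instruction_queues = defaultdict(deque)  # claim 8

    def store(self, node_id, data):
        self.data_queues[node_id].append(data)

    def fetch(self, node_id):  # control node side (claim 6): oldest item, or None
        q = self.data_queues[node_id]
        return q.popleft() if q else None

class IntermediateNode:
    """Low-security-domain relay that authenticates and rate-limits what it forwards."""
    def __init__(self, second_proxy, service_node_ids, clock=time.monotonic):
        self.second_proxy = second_proxy
        self.known_ids = set(service_node_ids)   # identifiers of legitimate service nodes
        self.clock = clock                       # injectable so the rate limit is testable
        self.last_exec = None

    def _authentic(self, instruction, expected_word):
        """Claim 4: command word matches the preset word and node id names a known service node."""
        return instruction.get("command") == expected_word and instruction.get("node_id") in self.known_ids

    def handle_report(self, instruction):
        """Data report from the first proxy (claims 3-5): 'forwarded', 'rejected' or 'rate_limited'."""
        now = self.clock()
        if self.last_exec is not None and now - self.last_exec < MIN_INTERVAL_S:
            return "rate_limited"   # throttled before authentication, so floods of bad input count too
        self.last_exec = now
        if not self._authentic(instruction, PRESET_COMMAND_WORD):
            return "rejected"
        self.second_proxy.store(instruction["node_id"], instruction["data"])
        return "forwarded"

    def queue_control(self, instruction):
        """Reverse path (claims 8-9): authenticate a control instruction before caching it."""
        if not self._authentic(instruction, PRESET_CONTROL_WORD):
            return False
        self.second_proxy.instruction_queues[instruction["node_id"]].append(instruction)
        return True
```

Because the throttle is applied before authentication, a burst of malformed reports from a compromised first proxy consumes the rate budget instead of extra authentication work on the intermediate node.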

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110314740.2A CN115208590A (en) 2021-03-24 2021-03-24 Cross-domain communication system, method and storage medium


Publications (1)

Publication Number Publication Date
CN115208590A true CN115208590A (en) 2022-10-18

Family

ID=83570371


Country Status (1)

Country Link
CN (1) CN115208590A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116033010A (en) * 2023-02-16 2023-04-28 北京有竹居网络技术有限公司 Remote access method, device, electronic equipment and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination