CN115643297A - Link establishment method and device, nonvolatile storage medium and computer equipment - Google Patents

Info

Publication number
CN115643297A
Authority
CN
China
Prior art keywords
server
address
client
port number
token
Legal status
Pending
Application number
CN202211330010.2A
Other languages
Chinese (zh)
Inventor
刘准
陈保军
高新平
张晨
Current Assignee
Network Communication and Security Zijinshan Laboratory
Original Assignee
Network Communication and Security Zijinshan Laboratory

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a link establishment method and device, a nonvolatile storage medium and computer equipment. The method comprises the following steps: determining a first port number, a first IP address and an identifier of a server in a predetermined private network, wherein the first port number is the port number on which a client requests to establish a QUIC link with the server, and the first IP address is the IP address of the client; sending the first IP address and the first port number to the server through an out-of-band channel according to the identifier of the server; receiving a second IP address of the server and a second port number of the server returned by the server; and establishing a first Quick UDP Internet Connection (QUIC) link with the server according to the second IP address and the second port number. The invention solves the technical problem that the client cannot establish a QUIC link with the server using the server's address when the server is located in a private network and the client is located in a public network.

Description

Link establishment method and device, nonvolatile storage medium and computer equipment
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a link establishment method and apparatus, a non-volatile storage medium, and a computer device.
Background
In the related art, QUIC is commonly used for HTTP/3 in a client-server mode. In that mode the server is located in the public network and has a definite, fixed IP address and port number, while the client is located in a private network and can actively connect to the server using the server's address and port number.
However, in some specific scenarios the QUIC server is attached to a NAT and located in the private network behind it, while the client is located in the public network.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a link establishing method and device, a nonvolatile storage medium and computer equipment, which at least solve the technical problem that a client cannot establish a QUIC link with a server by using the address of the server when the server is positioned in a private network and the client is positioned in a public network.
According to an aspect of an embodiment of the present invention, a link establishment method is provided, including: determining a first port number, a first IP address and an identifier of a server in a predetermined private network, wherein the first port number is a port number of a client requesting to establish a QUIC link with the server, and the first IP address is an IP address of the client; according to the identification of the server, the first IP address and the first port number are sent to the server through an out-of-band channel; receiving a second IP address of the server and a second port number of the server returned by the server; and establishing a first quick user datagram network connection QUIC link with the server according to the second IP address and the second port number.
According to an aspect of the embodiments of the present invention, there is provided a link establishment method, including: receiving a first IP address of a client and a first port number of the client through an out-of-band channel; according to the first IP address and the first port number, sending a second IP address of a server in a preset private network and a second port number of the server to the client; and responding to the request of the client for establishing the first QUIC link, and establishing the first QUIC link with the client.
According to another aspect of the embodiments of the present invention, there is also provided a link establishing apparatus, including: the acquisition module is used for acquiring a first port number of a client, a first IP address of the client and an identifier of a server in a predetermined private network; the first sending module is used for sending the first IP address and the first port number to the server through the out-of-band channel according to the identifier of the server; the first receiving module is used for receiving a second IP address of the server and a second port number of the server, which are returned by the server; and the first establishing module is used for establishing a first quick user datagram network connection QUIC link with the server side according to the second IP address and the second port number.
According to another aspect of the embodiments of the present invention, there is also provided a link establishment apparatus, including: the second receiving module is used for receiving the first IP address of the client and the first port number of the client through the out-of-band channel; the second sending module is used for sending a second IP address of the server side in the preset private network and a second port number of the server side to the client side according to the first IP address and the first port number; and the second establishing module is used for responding to a request of the client for establishing the first QUIC link and establishing the first QUIC link with the client.
According to another aspect of the embodiments of the present invention, there is also provided a nonvolatile storage medium, where the nonvolatile storage medium includes a stored program, and when the program runs, a device in which the nonvolatile storage medium is located is controlled to execute any one of the above-mentioned link establishment methods.
According to another aspect of the embodiments of the present invention, there is provided a computer device, where the computer device includes a processor, and the processor is configured to execute a program, where the program executes any one of the above-mentioned link establishment methods.
In the embodiment of the invention, a first port number of a client, a first IP address of the client and an identifier of a server in a predetermined private network are obtained; according to the identification of the server, the first IP address and the first port number are sent to the server through an out-of-band channel; receiving a second IP address of the server and a second port number of the server returned by the server; according to the second IP address and the second port number, the first quick user datagram network connection QUIC link is established with the server, the purpose that the client side located in the public network can know the address of the server side located in the private network is achieved, the technical effect of establishing the QUIC link between the server side located in the private network and the client side located in the public network is achieved, and the technical problem that the client side cannot use the address of the server side and the server side to establish the QUIC link when the server side is located in the private network and the client side is located in the public network is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 shows a hardware configuration block diagram of a computer terminal for implementing a link establishment method;
fig. 2 is a flowchart illustrating a first link establishment method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating QUIC link establishment according to the related art of the present invention;
FIG. 4 is a schematic diagram of QUIC link establishment in an application scenario of the present invention, which is provided in accordance with an alternative embodiment of the present invention;
fig. 5 is a flowchart illustrating a second link establishment method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a reverse establish QUIC link provided in accordance with an alternative embodiment of the present invention;
FIG. 7 is a diagram illustrating an initial packet format for QUIC link establishment according to the related art of the present invention;
fig. 8 is a diagram of a reverse connection initial packet format provided in accordance with an alternative embodiment of the present invention;
FIG. 9 is a schematic diagram of a QUIC standardized version message format provided in accordance with an alternative embodiment of the present invention;
fig. 10 is a block diagram of a first link establishment apparatus according to an embodiment of the present invention;
fig. 11 is a block diagram of a second link establishment apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some of the terms appearing in the description of the embodiments of the present application are explained as follows:
Quick UDP Internet Connections (QUIC) is a UDP-based low-latency Internet transport-layer protocol.
The User Datagram Protocol (UDP) provides a way to send encapsulated IP packets without establishing a connection.
Network Address Translation (NAT) is a method of translating internal private IP addresses into public network IP addresses.
The Domain Name System (DNS) is a distributed database that maps domain names and IP addresses to each other, making it more convenient for people to access the Internet.
CHLO (client hello) is the initial handshake message sent by the client to the server.
SHLO (server hello) is the handshake message sent by the server to the client.
In accordance with an embodiment of the present invention, there is provided a method embodiment of link connection, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than here.
The method provided by the first embodiment of the present application may be executed in a mobile terminal, a computer terminal, or a similar computing device. Fig. 1 shows a hardware configuration block diagram of a computer terminal for implementing the link establishment method. As shown in fig. 1, the computer terminal 10 may include one or more processors (shown in the figure as 102a, 102b, …, 102n), which may include, but are not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA), and a memory 104 for storing data. In addition, the computer terminal 10 may also include: a display, an input/output (I/O) interface, a Universal Serial Bus (USB) port (which may be included as one of the bus ports), a network interface, a power supply and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in fig. 1, or have a different configuration from that shown in fig. 1.
It should be noted that the one or more processors and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10. As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the link establishment method in the embodiment of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implementing the link establishment method of the application program. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with the user interface of the computer terminal 10.
Fig. 2 is a flowchart illustrating a first link establishment method according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
step S202, a first port number, a first IP address and an identification of a service end in a preset private network are determined, wherein the first port number is a port number of a client end requesting to establish a QUIC link with the service end, and the first IP address is an IP address of the client end.
Fig. 3 is a diagram illustrating QUIC link establishment in the related art. As shown in fig. 3, QUIC is generally used for HTTP/3 in a client-server model. In the client-server mode the server is located in the public network and has a definite, fixed IP address and port number, namely IP2 and port2 in fig. 3; the client is located in a private network with IP address IP1 and port number port1, and can actively connect to the server using the server's address and port number. After NAT translation, the client's address and port as seen from the public network are IP1' and port1'.
Fig. 4 is a schematic diagram of QUIC link establishment in an application scenario according to an alternative embodiment of the present invention. As shown in fig. 4, in this application scenario a device in the public network wants to establish a QUIC link with a device in a private network. The device in the private network sits behind a NAT, so its IP address and port number are unknown to the device in the public network, which therefore cannot obtain a valid address for it, cannot establish a QUIC link with it and cannot communicate with it. Here the device in the public network is the one issuing the request to establish the QUIC link, so for this QUIC link it is called the client, and the device in the private network is called the server. It should be noted that the names server and client are used only to distinguish the device that actively sends the link establishment request from the device that establishes the link in response to that request; they denote two different devices in this link establishment process, either of which may be any communication device, and do not imply that the server is only a server or that the client is only a user terminal.
In this step, the client device first needs to determine its own first IP address and the first port number used for this communication, and after knowing the first port number, the client device can monitor the port indicated by the first port number in real time, so as to receive the information sent by the server device in time. The client device also needs to obtain the identification of the object that needs to establish the QUIC link connection this time, i.e. the client knows that it should establish a QUIC link with a specific device, i.e. the server.
And step S204, according to the identification of the server, sending the first IP address and the first port number to the server through an out-of-band channel.
In this step, the client may send its first IP address and the first port number used for this communication to the server through an out-of-band channel selected according to the identifier of the server. The out-of-band channel is a communication path other than the QUIC link itself; it may be a channel configured for the server, a DNS resolution, or a communication controller.
Step S206, receiving the second IP address of the server and the second port number of the server returned by the server.
In this step, after the server receives the first IP address and first port number sent by the client, the server in the private network knows the client's public-network address and can send its own second IP address and second port number to the client; the client in the public network receives this information and thereby obtains the server's second IP address and second port number. Generally the server can send this information to the client over UDP; sending a small amount of information over UDP is very efficient when the server and the client are located in a private and a public network respectively and no link has yet been established. Once the server has sent information to the client over UDP, a UDP connection from the server to the client can be considered established, and the client can then establish the QUIC connection with the server on top of it.
And step S208, establishing a first quick user datagram network connection QUIC link with the server according to the second IP address and the second port number.
In this step, after the client in the public network knows the specific second IP address and the second port number of the server in the private network, it can send information to the server in the private network and request to establish the first QUIC link with the server.
Through the steps, the purpose that the client side located in the public network acquires the address of the server side located in the private network can be achieved, the technical effect of establishing the QUIC link between the server side located in the private network and the client side located in the public network is achieved, and the technical problem that the client side cannot establish the QUIC link with the server side by using the address of the server side when the server side is located in the private network and the client side is located in the public network is solved.
As an optional embodiment, according to the identifier of the server, the first IP address and the first port number are sent to the server through an out-of-band channel, which may be implemented through the following steps: generating a first token according to the identifier of the server; and sending the first token, the first IP address and the first port number to the server through an out-of-band channel, wherein the first token is used for verifying the identity of the server in the process of establishing the first QUIC link with the server.
Optionally, the client sends the first IP address and first port number to the server and receives the second IP address and second port number returned by the server; to secure this exchange, a token can be introduced as a ciphertext for verifying identity when the two parties exchange information. That is, the client may generate the first token as a ciphertext from the identifier of the server and send it to the server together with the first IP address and first port number. Attaching this identity-verification ciphertext to communication information such as the IP address and port number improves communication security and makes the connection establishment process safer and more reliable.
It should be noted that the out-of-band channel is a communication channel other than the QUIC link being established, over which the client sends its first IP address and first port number to the server according to the server's identifier. Alternatively, the out-of-band channel may be a channel established on the basis of DNS or of a controller. When the out-of-band channel is a private DNS, the correspondence between the server's identifier and its IP may be written in advance into the resolution rules of the private DNS, and after the client obtains the server's identifier it can send the first IP address and first port number to the server through the private DNS; when the out-of-band channel is a controller, the server's information and the client's information can each be registered with the controller in advance, so that after receiving the client's request to establish a QUIC link with the server, the controller can send the first IP address and first port number to the server according to the server's pre-stored registration information.
As an alternative embodiment, establishing the first QUIC link with the server according to the second IP address and the second port number may be implemented by: receiving a second token returned by the server, wherein the second token is used for verifying the identity of the server; verifying whether the second token matches the first token; and under the condition that the second token is matched with the first token, establishing a first QUIC link with the service end according to the second IP address and the second port number.
Optionally, after receiving the first token sent by the client, the server may perform certain data processing on the first token to generate a second token, or directly send the first token as the second token to the client without processing the first token. After receiving the second token, the client can verify whether the second token is matched with the first token according to the convention, if the second token can be matched with the first token, the client can verify the identity of the server, and establish a first QUIC link with the server according to a second IP address and a second port number which are simultaneously sent by the second token.
As an alternative embodiment, the following steps may also be performed: sending the third token to the server; under the condition that the disconnection of the first QUIC link is monitored, receiving a fourth token sent by the server, a third IP address of the server and a third port number of the server, wherein the third IP address is the current IP address and the port number of the server; verifying whether the fourth token matches the third token; and under the condition that the fourth token is matched with the third token, establishing a second QUIC link with the service end according to the third IP address and the third port number.
It should be noted that the above alternative embodiment applies to the scenario in which the client and the server have already established the first QUIC link and, after that link is disconnected, re-establish a QUIC connection. The first QUIC link is disconnected when the client in the public network wants to change its own IP address and port number and then establish a new QUIC link with the server, or when the server in the private network wants to change its own IP address and port number and then establish a new QUIC link with the client.
When the server changes its own IP address and port number, the server determines a third port number and a third IP address, switching from the second port number to the third port number for communication with the client and from the second IP address to the third IP address; it sends the third port number, the third IP address and the connection identifier of the first QUIC link to the client through the first QUIC link; the client receives them and replies with a ready message; after the first QUIC link is disconnected, the server sends the third IP address, the third port number and the connection identifier of the first QUIC link to the client over UDP, and the client receives them and establishes a second QUIC link with the server. In other words, when the server wants to replace its IP address and port number, it first informs the client of the connection identifier of the first QUIC link over the original link, disconnects the original link, re-contacts the client over UDP using the newly assigned IP address and port number together with that connection identifier, and then establishes a new QUIC link with the client.
Optionally, when the first QUIC link is established and the client has verified that the server's identity is trusted, the client may send the third token directly to the server over that link; the server processes it to obtain a fourth token and stores the fourth token. When the server changes its IP address and port number, causing the first QUIC link to disconnect, the server can send its current third IP address and third port number, the connection identifier of the first QUIC link and the fourth token to the client according to the first IP address and first port number. When the client re-establishes the link with the server after the disconnection, it must verify the server's identity, which it can do by matching the fourth token directly against the third token, without sending the first IP address, first port number and third token to the server through the out-of-band channel again. Replacing the token that serves as the identity-verification ciphertext protects the QUIC link establishment process against replay attacks and further strengthens communication security, and because the third token is sent while the first QUIC link is still usable, the communication cost is reduced.
When the client changes its own IP address and port number, the client determines a fourth port number and a fourth IP address, switching from the first port number to the fourth port number for communication with the server and from the first IP address to the fourth IP address; it sends the fourth port number and fourth IP address to the server through the first QUIC link; after the first QUIC link is disconnected, the client receives the second IP address and second port number returned by the server; and the client establishes a second QUIC link with the server according to the second IP address and second port number. That is, when the client wants to change its IP address and port number, it informs the server through the original QUIC link, the original link is disconnected, the server again sends its own IP address and port number over UDP to the new IP address and port number supplied by the client, and the client establishes a new QUIC link with the server according to the information the server sent over UDP.
Likewise, when it is the client that changes its IP address and port number, the server's identity must be verified when the link is rebuilt, and whether the server's identity is trustworthy can again be determined by whether the fourth token sent by the server matches the third token the client previously sent through the first QUIC link.
Fig. 5 is a flowchart illustrating a second link establishment method according to an embodiment of the present invention, as shown in fig. 5, the method includes the following steps:
step S502, receiving a first IP address of the client and a first port number of the client through an out-of-band channel.
In this step, the server receives the client's first IP address and first port number, which the client sent through the out-of-band channel.
Step S504, according to the first IP address and the first port number, sending a second IP address and a second port number of a server in a predetermined private network to the client.
In this step, because the client is on the public network, the server can reach the client using the client's first IP address and first port number and send its own second IP address and second port number to the client, so that the client on the public network can find the server in the private network and send it a request to establish the first QUIC link.
Step S506, responding to the request of the client for establishing the first QUIC link, and establishing the first QUIC link with the client.
In this step, after receiving the client's request to establish the first QUIC link, namely the CHLO message, the server replies to the client with an SHLO message according to the normal QUIC link establishment procedure; the client and server carry out the handshake, and the first QUIC link is established.
Through these steps, the server in the private network learns the address of the client on the public network and sends its own address to that client address, so that the client can send the server a request to establish the QUIC link.
As an alternative embodiment, receiving the client's first IP address and first port number through the out-of-band channel may be implemented as follows: receiving, through the out-of-band channel, a first IP address, a first port number and a first token sent by the client, where the first token is generated by the client according to the identifier of the server and is used by the client to verify the identity of the server during establishment of the first QUIC link.
Optionally, the server receives a first token generated by the client; the first token may be generated by the client from the server's identifier, or it may be a randomly generated number or password. The server generates a second token from the first token it received and sends the second token to the client, and the client verifies the server's identity by checking whether the second token matches the first token.
As an optional embodiment, sending the server's second IP address and second port number to the client according to the first IP address and first port number may further be implemented as follows: generating, from the first token, a second token that matches the first token, where the second token is used by the client to verify the identity of the server; and sending the second token to the client at the first IP address and first port number.
Optionally, the second token is generated from the first token. The generation method may simply take the first token as the second token, in which case the client, on receiving the second token, only needs to compare whether the first and second tokens are identical. If the server instead applies some processing to the first token, then after receiving the second token the client must process it according to the method agreed in advance and match it against the first token. As long as the second token can be matched with the first token, the client may conclude that the server is trustworthy.
As an alternative embodiment, the method may further comprise: receiving a third token sent by the client, where the third token is used to verify the server's identity when the server reconnects to the client after the first QUIC link is disconnected; when disconnection of the first QUIC link is detected, generating a fourth token from the third token, where the fourth token is used by the client to verify the identity of the server; sending the fourth token, a third IP address of the server and a third port number of the server to the client at the first IP address and first port number; and responding to the client's request to establish a second QUIC link by establishing the second QUIC link with the client, where the client sends the request to establish the second QUIC link to the server at the third IP address and third port number once it has verified that the fourth token matches the third token.
Optionally, the server stores the third token when it receives it from the client, generates the fourth token from the third token when it detects that the first QUIC link has been disconnected, and sends the fourth token together with its current IP address and port number to the client at the client's original first IP address and first port number. The first QUIC link can be disconnected for many reasons, and the server's IP address may have changed, so the server must send its current third IP address and third port number to the client. The client checks whether the fourth token matches the third token; if it does, the client sends a request to establish a second QUIC link to the server at the third IP address and third port number, and the server responds to that request and carries out the normal QUIC link establishment procedure.
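The token exchange described above (first/second token for the initial reverse link, third/fourth token for re-linking after the server's address changes) is simulated below with both sides' messages. This is an added example written for this page, not the patent's own code. Messages are dicts standing in for the out-of-band message, the reverse connection initial packet and the re-link offer; the "previously agreed processing" that maps token1 to token2 and token3 to token4 is assumed to be HMAC-SHA256 under a shared key, which the page does not specify (it also allows sending the token back unchanged); the server's private-network addresses are constructed. Note what the match proves: the reply was produced by a party that saw the out-of-band message and holds the agreed processing, which binds the reply to that message and stops a replayed packet from being accepted once the token has been consumed; authentication of the server itself still comes from the certificate check in the normal QUIC handshake that follows, as the page's fig. 6 description states.

```python
"""Token flow for reverse QUIC link establishment and re-linking after a server address
change - constructed example, not the patent's code. Messages are dicts standing in for
the out-of-band message, the reverse connection initial packet and the re-link offer."""
import hashlib
import hmac
import secrets

# Assumption (not on the page): the "previously agreed processing" that turns token1 into
# token2 and token3 into token4 is HMAC-SHA256 under a key both sides already share.
AGREED_KEY = b"constructed-demo-key"


def derive(token: bytes) -> bytes:
    return hmac.new(AGREED_KEY, token, hashlib.sha256).digest()


class Client:
    """Public-network QUIC client at the first IP address / first port number."""

    def __init__(self, ip: str, port: int):
        self.addr = (ip, port)
        self.server_addr = None      # learned from the server's reply
        self.cid = None              # connection ID of the first QUIC link
        self.token1 = None           # first token, consumed on first use
        self.token3 = None           # third token, sent over the link for re-linking

    def out_of_band_request(self, server_id: str) -> dict:
        # First token: derived from the server identifier plus fresh randomness.
        self.token1 = hashlib.sha256(server_id.encode() + secrets.token_bytes(16)).digest()
        return {"ip": self.addr[0], "port": self.addr[1], "token": self.token1}

    def on_reverse_packet(self, msg: dict) -> bool:
        """Second token must match derive(token1); only then is the server address used."""
        if self.token1 is None or not hmac.compare_digest(msg["token"], derive(self.token1)):
            return False
        self.token1 = None                           # discard: a replayed packet fails
        self.server_addr = (msg["ip"], msg["port"])
        self.cid = secrets.token_hex(8)
        self.token3 = secrets.token_bytes(16)        # handed to the server over the link
        return True

    def on_relink_offer(self, msg: dict) -> bool:
        """Fourth token must match derive(token3) and name the first link's connection ID."""
        if self.token3 is None or msg["cid"] != self.cid:
            return False
        if not hmac.compare_digest(msg["token"], derive(self.token3)):
            return False
        self.token3 = None
        self.server_addr = (msg["ip"], msg["port"])   # third IP address / third port number
        return True


class Server:
    """Private-network QUIC server; its address may change while the link is up."""

    def __init__(self, ip: str, port: int):
        self.addr = (ip, port)
        self.client_addr = None
        self.cid = None
        self.token4 = None

    def on_out_of_band(self, req: dict) -> dict:
        self.client_addr = (req["ip"], req["port"])
        return {"to": self.client_addr, "ip": self.addr[0], "port": self.addr[1],
                "token": derive(req["token"])}       # second token

    def on_link_established(self, cid: str, token3: bytes) -> None:
        self.cid = cid
        self.token4 = derive(token3)                 # stored while the link is up

    def on_link_lost(self, new_ip: str, new_port: int) -> dict:
        """Address changed: offer the current address to the client's original address."""
        self.addr = (new_ip, new_port)
        return {"to": self.client_addr, "cid": self.cid, "ip": new_ip, "port": new_port,
                "token": self.token4}


def run_scenario():
    client = Client("220.18.1.31", 6222)      # addresses from fig. 6 on the page
    server = Server("10.0.0.5", 4433)         # private-network address: constructed
    oob = client.out_of_band_request("label 100")
    reverse = server.on_out_of_band(oob)
    first_ok = client.on_reverse_packet(reverse)
    replay_ok = client.on_reverse_packet(reverse)      # token1 already consumed
    server.on_link_established(client.cid, client.token3)
    offer = server.on_link_lost("10.0.0.6", 4434)
    forged = dict(offer, token=secrets.token_bytes(32))
    forged_ok = client.on_relink_offer(forged)
    second_ok = client.on_relink_offer(offer)
    return first_ok, replay_ok, forged_ok, second_ok, client.server_addr


if __name__ == "__main__":
    print(run_scenario())
```

Running `run_scenario()` shows the first reverse packet accepted, its replay rejected (token1 was discarded), a re-link offer with a wrong fourth token rejected, and the genuine offer accepted with the client now pointing at the server's third IP address and third port number.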
As a specific embodiment, fig. 6 is a schematic diagram of reverse establishment of a QUIC link according to an alternative embodiment of the present invention. As shown in fig. 6, the QUIC client is on the public network; its public IP address, i.e. the first IP address, is 220.18.1.31, and its UDP listening port, i.e. the first port number, is 6222. After the QUIC client starts, it listens on UDP port 6222 and generates token1, i.e. the first token, for the corresponding QUIC server (in this example assumed to be labelled label 100). It then transmits its first IP address (220.18.1.31), first port number (6222) and the first token to the server through an out-of-band channel.
Fig. 7 is a schematic diagram of the initial packet format used for QUIC link establishment in the related art, namely the initial packet format specified in the QUIC transport protocol draft. The first field carries basic information such as the packet type of the QUIC initial packet, in which RR are reserved bits and PP are the packet number length bits; the second field, version, carries the version number of the protocol used for this communication; the third field packs the destination connection ID length and the source connection ID length, 4 bits each; the fourth field is the destination connection ID; the fifth field is the source connection ID; the sixth field is the token length; the seventh field is the token; the eighth field is the packet length; the ninth field is the packet number; and the tenth field is the encrypted handshake data.
Fig. 8 is a schematic diagram of the format of a reverse connection initial packet according to an alternative embodiment of the present invention. After receiving the notification, the QUIC server encapsulates a QUIC reverse connection initial packet and sends its own second IP address and second port number to the client in the reverse connection initial packet shown in fig. 8. Note that the format of the initial packet in fig. 8 is a simplification of the QUIC initial packet format proposed in the QUIC draft, i.e. of the initial packet shown in fig. 7; the UDP header outside the initial packet in fig. 8 carries the server's second IP address and second port number, and padding is padding data. Comparing fig. 7 with fig. 8, relative to the prior-art QUIC link establishment initial packet format the packet number length (the last two bits of the first field) is set to 0, version is also filled with 0 (the version can be determined by version negotiation in the subsequent normal QUIC link establishment procedure), and DCIL and SCIL are set to 0, i.e. there is no source connection ID and no destination connection ID (they can be determined in the subsequent normal QUIC link establishment procedure). An initial packet with all of these fields zero is treated as a reverse connection initial packet. These fields are followed by the token1 (i.e. token) length, token1 itself, and a padding section; the padding guards against amplification attacks by requiring the initial packet to be padded to a length greater than that of the QUIC client's initial packet. By the above analysis, the reverse connection initial packet can be distinguished from an ordinary QUIC initial packet.
Note that the message format in fig. 7 is the one proposed in the QUIC draft; the formally standardized QUIC transport protocol changed part of the message format relative to the draft version. Specifically, fig. 9 is a schematic diagram of the message format of the standardized version of QUIC provided according to an optional embodiment of the present invention. Comparing the message format inside the dotted frame in fig. 9 with that inside the dotted frame in fig. 8, the standardized version modifies the draft format as follows: Destination Connection ID Length (8); Destination Connection ID (0..160); Source Connection ID Length (8); Source Connection ID (0..160), i.e. the encoding of the source connection ID and destination connection ID changed. Accordingly, when the scheme provided by the present invention is applied, the format of the reverse connection initial packet also takes the standardized form, and DCIL and SCIL inside the dotted frame in fig. 7, i.e. the destination connection ID length and source connection ID length, become eight bits each.
Whether the message format specified in the QUIC draft or the one specified in the standardized QUIC is used, the scheme provided by the present invention achieves its technical effect; the difference between the two formats only affects the concrete layout of the transmitted data and does not substantively affect the realization of the technical solution.
After receiving the reverse connection initial packet, the QUIC client verifies that the token1 carried in the packet is the token1 it issued locally (this check can also be performed once the certificate of the QUIC server has been received), discards token1 once verification passes, generates a new token2, and informs the server of token2 so that it can be used for the later disconnect-and-reconnect. The normal QUIC link establishment procedure then begins.
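The reverse connection initial packet described above, in the standardized layout (one-byte connection ID lengths), as an added example written for this page rather than code from the patent: it builds the all-zero packet the server sends to the client's first IP address and first port number, classifies an incoming long-header packet as a reverse connection packet or an ordinary Initial from exactly the fields the page zeroes (packet number length bits, version, DCID length, SCID length), and extracts token1 for the client's check. The padding target of 1200 bytes is an assumption: the page only says the packet must be padded beyond the length of the client's initial packet, and 1200 bytes is the RFC 9000 minimum size of a client Initial. The varint encoding is the RFC 9000 one.

```python
"""Reverse connection initial packet (standardized layout) - constructed example, not the
patent's code. Builds the all-zero initial packet the server sends to the client's
out-of-band address, tells it apart from an ordinary QUIC Initial, and extracts token1."""
import secrets

# Assumption (not on the page): the client's Initial is at least 1200 bytes, the RFC 9000
# minimum, so the reverse packet is padded to that size to stay at least as large.
CLIENT_INITIAL_MIN = 1200


def encode_varint(n: int) -> bytes:
    """RFC 9000 section 16 variable-length integer."""
    if n < 0x40:
        return n.to_bytes(1, "big")
    if n < 0x4000:
        return (n | 0x4000).to_bytes(2, "big")
    if n < 0x4000_0000:
        return (n | 0x8000_0000).to_bytes(4, "big")
    if n < 0x4000_0000_0000_0000:
        return (n | 0xC000_0000_0000_0000).to_bytes(8, "big")
    raise ValueError("varint out of range")


def decode_varint(buf: bytes, pos: int):
    """Return (value, next position); the top two bits of the first byte give the length."""
    length = 1 << (buf[pos] >> 6)
    raw = int.from_bytes(buf[pos:pos + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), pos + length


def build_reverse_initial(token1: bytes) -> bytes:
    """First byte 0xC0: long header, fixed bit, type Initial, reserved 00, PN length 00.
    Version, DCID length and SCID length are all zero, as fig. 8 / fig. 9 describe."""
    pkt = bytes([0xC0])
    pkt += (0).to_bytes(4, "big")            # version 0: settled by later version negotiation
    pkt += bytes([0, 0])                     # DCID Length (8) = 0, SCID Length (8) = 0
    pkt += encode_varint(len(token1)) + token1
    return pkt + b"\x00" * max(CLIENT_INITIAL_MIN - len(pkt), 0)   # anti-amplification padding


def build_normal_initial_header(dcid: bytes, version: int = 1) -> bytes:
    """Header of an ordinary Initial (Length, packet number and payload omitted); used only
    to show that the classifier does not mistake it for a reverse connection packet."""
    return (bytes([0xC0]) + version.to_bytes(4, "big") + bytes([len(dcid)]) + dcid
            + bytes([0]) + encode_varint(0))


def classify(pkt: bytes) -> str:
    """'reverse' when PN-length bits, version, DCID length and SCID length are all zero."""
    if len(pkt) < 7 or pkt[0] & 0xF0 != 0xC0:       # not a long-header Initial at all
        return "other"
    if pkt[0] == 0xC0 and pkt[1:5] == bytes(4) and pkt[5] == 0 and pkt[6] == 0:
        return "reverse"
    return "initial"


def reverse_token(pkt: bytes):
    """token1 carried by a reverse connection initial packet, or None."""
    if classify(pkt) != "reverse":
        return None
    tlen, pos = decode_varint(pkt, 7)
    if tlen == 0 or pos + tlen > len(pkt):
        return None
    return pkt[pos:pos + tlen]


def demo():
    token1 = secrets.token_bytes(16)                 # the client's first token
    pkt = build_reverse_initial(token1)              # sent inside UDP to 220.18.1.31:6222
    return (classify(pkt), reverse_token(pkt) == token1, len(pkt) >= CLIENT_INITIAL_MIN,
            classify(build_normal_initial_header(b"\x01" * 8)))


if __name__ == "__main__":
    print(demo())
```

The client compares the extracted token1 with the one it issued using a constant-time comparison and, as the page says, discards it after a successful match; the classifier deliberately requires all four zeroed fields together, because an ordinary Initial can legitimately have a packet number length of 00 or a zero-length source connection ID on its own.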
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the link establishment method according to the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but the former is a better implementation in many cases. Based on such understanding, the technical solutions of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, and an optical disk), and includes several instructions for enabling a terminal device (which may be a mobile phone, a computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
According to an embodiment of the present invention, there is further provided an apparatus for implementing the first link establishment method, and fig. 10 is a block diagram of a structure of the first link establishment apparatus according to the embodiment of the present invention, as shown in fig. 10, the apparatus includes: the determining module 12, the first sending module 14, the first receiving module 16 and the first establishing module 18 are described below.
The determining module 12 is configured to determine a first port number, a first IP address, and an identifier of a server in a predetermined private network, where the first port number is a port number of a client requesting to establish a QUIC link with the server, and the first IP address is an IP address of the client.
And the first sending module 14 is connected to the determining module 12, and is configured to send the first IP address and the first port number to the server through the out-of-band channel according to the identifier of the server.
And the first receiving module 16 is connected to the first sending module 14, and is configured to receive the second IP address of the server and the second port number of the server, which are returned by the server.
And the first establishing module 18 is connected with the first receiving module 16 and is used for establishing a first fast user datagram network connection QUIC link with the server according to the second IP address and the second port number.
Note that the determining module 12, the first sending module 14, the first receiving module 16 and the first establishing module 18 correspond to steps S202 to S208 of the embodiment; the modules implement the same examples and application scenarios as the corresponding steps, but are not limited to what is disclosed in that embodiment. Note also that these modules, as part of the apparatus, may run in the computer terminal 10 provided in the embodiment.
According to an embodiment of the present invention, an apparatus for implementing the second link establishment method is further provided, and fig. 11 is a block diagram of a structure of the second link establishment apparatus according to an embodiment of the present invention, as shown in fig. 11, the apparatus includes: a second receiving module 22, a second sending module 24 and a second establishing module 26, which are described below.
The second receiving module 22 is configured to receive the first IP address of the client and the first port number of the client through the out-of-band channel.
The second sending module 24 is connected to the second receiving module 22 and is configured to send the second IP address of the server and the second port number of the server in the predetermined private network to the client according to the first IP address and the first port number.
And the second establishing module 26 is connected with the second sending module 24 and used for responding to the request of the client for establishing the first QUIC link and establishing the first QUIC link with the client.
Note that the second receiving module 22, the second sending module 24 and the second establishing module 26 correspond to steps S502 to S506 of the embodiment; the modules implement the same examples and application scenarios as the corresponding steps, but are not limited to what is disclosed in that embodiment. Note also that these modules, as part of the apparatus, may run in the computer terminal 10 provided in the embodiment.
An embodiment of the present invention may provide a computer device, and optionally, in this embodiment, the computer device may be located in at least one network device of a plurality of network devices of a computer network. The computer device includes a memory and a processor.
The memory may be configured to store software programs and modules, such as program instructions/modules corresponding to the link establishment method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, so as to implement the above-mentioned link establishment method. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located from the processor, which may be connected to the computer terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application program stored in the memory through the transmission device to execute the following steps: determining a first port number, a first IP address and an identifier of a server in a predetermined private network, wherein the first port number is a port number of a client requesting to establish a QUIC link with the server, and the first IP address is an IP address of the client; according to the identification of the server, the first IP address and the first port number are sent to the server through an out-of-band channel; receiving a second IP address of the server and a second port number of the server returned by the server; and establishing a first quick user datagram network connection QUIC link with the server according to the second IP address and the second port number.
Optionally, the processor may further execute the program code of the following steps: receiving a first IP address of a client and a first port number of the client through an out-of-band channel; according to the first IP address and the first port number, sending a second IP address of a server side in a preset private network and a second port number of the server side to the client side; and responding to a request of the client for establishing the first QUIC link, and establishing the first QUIC link with the client.
The embodiment of the invention provides a link establishment scheme: acquiring a first port number of a client, a first IP address of the client and an identifier of a server in a predetermined private network; according to the identifier of the server, sending the first IP address and the first port number to the server through an out-of-band channel; receiving a second IP address of the server and a second port number of the server returned by the server; and establishing a first quick user datagram network connection (QUIC) link with the server according to the second IP address and the second port number. This lets a client on the public network learn the address of a server in a private network, achieves the technical effect of establishing a QUIC link between a server in a private network and a client on the public network, and solves the technical problem that the client cannot use the server's address to establish a QUIC link with it when the server is in a private network and the client is on the public network.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a non-volatile storage medium, and the storage medium may include: flash disks, read-Only memories (ROMs), random Access Memories (RAMs), magnetic or optical disks, and the like.
Embodiments of the present invention also provide a non-volatile storage medium. Optionally, in this embodiment, the nonvolatile storage medium may be configured to store program codes executed by the link establishment method provided in the foregoing embodiment.
Optionally, in this embodiment, the nonvolatile storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the non-volatile storage medium is configured to store program code for performing the following steps: determining a first port number, a first IP address and an identifier of a server in a predetermined private network, wherein the first port number is a port number of a client requesting to establish a QUIC link with the server, and the first IP address is an IP address of the client; according to the identification of the server, the first IP address and the first port number are sent to the server through an out-of-band channel; receiving a second IP address of the server and a second port number of the server returned by the server; and establishing a first quick user datagram network connection QUIC link with the server according to the second IP address and the second port number.
Optionally, in this embodiment, the non-volatile storage medium is configured to store program code for performing the following steps: receiving a first IP address of a client and a first port number of the client through an out-of-band channel; according to the first IP address and the first port number, sending a second IP address of a server side in a preset private network and a second port number of the server side to the client side; and responding to the request of the client for establishing the first QUIC link, and establishing the first QUIC link with the client.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis, and reference may be made to the related description of other embodiments for parts that are not described in detail in a certain embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a non-volatile memory storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk, and various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and amendments can be made without departing from the principle of the present invention, and these modifications and amendments should also be considered as the protection scope of the present invention.

Claims (10)

1. A method for link establishment, comprising:
determining a first port number, a first IP address and an identifier of a server in a predetermined private network, wherein the first port number is a port number of a client requesting to establish a QUIC link with the server, and the first IP address is an IP address of the client;
according to the identification of the server, the first IP address and the first port number are sent to the server through an out-of-band channel;
receiving a second IP address of the server and a second port number of the server returned by the server;
and establishing a first quick user datagram network connection QUIC link with the server according to the second IP address and the second port number.
2. The method of claim 1, wherein the sending the first IP address and the first port number to the server over an out-of-band channel according to the identity of the server comprises:
generating a first token according to the identifier of the server;
and sending the first token, the first IP address and the first port number to the server through the out-of-band channel, wherein the first token is used for verifying the identity of the server in the process of establishing the first QUIC link with the server.
3. The method according to claim 2, wherein said establishing a first QUIC link with said server according to said second IP address and said second port number comprises:
receiving a second token returned by the server, wherein the second token is used for verifying the identity of the server;
verifying whether the second token matches the first token;
and under the condition that the second token is matched with the first token, establishing the first QUIC link with the service end according to the second IP address and the second port number.
4. The method of claim 3, further comprising:
sending a third token to the server;
when disconnection of the first QUIC link is detected, receiving a fourth token sent by the server, a third IP address of the server and a third port number of the server, wherein the third IP address and the third port number are the current IP address and port number of the server;
verifying whether the fourth token matches the third token;
and under the condition that the fourth token is matched with the third token, establishing a second QUIC link with the service end according to the third IP address and the third port number.
5. A method for link establishment, comprising:
receiving a first IP address of a client and a first port number of the client through an out-of-band channel;
according to the first IP address and the first port number, sending a second IP address of a server in a predetermined private network and a second port number of the server to the client;
and responding to the request of the client for establishing the first QUIC link, and establishing the first QUIC link with the client.
6. The method of claim 5, wherein receiving the first IP address of the client and the first port number of the client via an out-of-band channel comprises:
and receiving the first IP address, the first port number and a first token sent by the client through the out-of-band channel, wherein the first token is generated by the client according to the identifier of the server and is used for verifying the identity of the server by the client in the process of establishing the first QUIC link with the client.
7. The method of claim 6, wherein sending the second IP address of the server and the second port number of the server to the client according to the first IP address and the first port number, further comprises:
generating a second token matched with the first token according to the first token, wherein the second token is used for the client to verify the identity of the server;
and sending the second token to the client according to the first IP address and the first port number.
8. The method of claim 7, further comprising:
receiving a third token sent by the client, wherein the third token is used for verifying the identity of the server when the server is connected with the client again after the first QUIC link is disconnected;
under the condition that the first QUIC link is monitored to be disconnected, a fourth token is generated according to the third token, wherein the fourth token is used for the client to verify the identity of the server;
according to the first IP address and the first port number, sending the fourth token, the third IP address of the server and the third port number of the server to the client;
and responding to the request of the client to establish a second QUIC link with the client, wherein the client sends the request for establishing the second QUIC link to the server according to the third IP address and the third port number under the condition that the fourth token is verified to be matched with the third token.
9. A non-volatile storage medium comprising a stored program, wherein, when the program runs, the device in which the non-volatile storage medium is located is controlled to perform the link establishment method according to any one of claims 1 to 8.
10. A computer device, comprising a memory and a processor, wherein
the memory stores a computer program; and
the processor is configured to execute the computer program stored in the memory, the computer program being configured, when executed, to cause the processor to perform the link establishment method according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211330010.2A CN115643297A (en) 2022-10-27 2022-10-27 Link establishment method and device, nonvolatile storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211330010.2A CN115643297A (en) 2022-10-27 2022-10-27 Link establishment method and device, nonvolatile storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN115643297A true CN115643297A (en) 2023-01-24

Family

ID=84945846

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211330010.2A Pending CN115643297A (en) 2022-10-27 2022-10-27 Link establishment method and device, nonvolatile storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN115643297A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117650965A (en) * 2024-01-26 2024-03-05 北京天维信通科技股份有限公司 Method and device for realizing SD-WAN management network based on uCPE original port
CN117650965B (en) * 2024-01-26 2024-04-19 北京天维信通科技股份有限公司 Method and device for realizing SD-WAN management network based on uCPE original ports

Similar Documents

Publication Publication Date Title
US9398026B1 (en) Method for authenticated communications incorporating intermediary appliances
US9154487B2 (en) Registration server, gateway apparatus and method for providing a secret value to devices
US9882897B2 (en) Method and system for transmitting and receiving data, method and device for processing message
CN102231725B (en) Method, equipment and system for authenticating dynamic host configuration protocol message
EP3197190A1 (en) Methods for fast, secure and privacy-friendly internet connection discovery in wireless networks
CN104580553A (en) Identification method and device for network address translation device
CN112039905B (en) Reverse connection-based network communication method and device, electronic equipment and medium
CN111343083B (en) Instant messaging method, instant messaging device, electronic equipment and readable storage medium
WO2017185978A1 (en) Method and device for parsing packet
CN107135190B (en) Data flow attribution identification method and device based on transport layer secure connection
CN111541776A (en) Safe communication device and system based on Internet of things equipment
CN115643297A (en) Link establishment method and device, nonvolatile storage medium and computer equipment
EP3932044B1 (en) Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp)
CN113938474B (en) Virtual machine access method and device, electronic equipment and storage medium
US20180183584A1 (en) IKE Negotiation Control Method, Device and System
EP3414877B1 (en) Technique for transport protocol selection and setup of a connection between a client and a server
CN106936608B (en) Method, related equipment and system for establishing SSH connection
CN116017429A (en) 5G network encryption networking method, system, device and storage medium
CN115632963A (en) Method, device, apparatus and medium for confirming tunnel connection state
CN111953742B (en) Page redirection method, terminal equipment, intermediate equipment and server
CN113067910B (en) NAT traversal method and device, electronic equipment and storage medium
CN113746807A (en) Block chain node point support cryptographic algorithm communication detection method
CN113067908B (en) NAT (network Address translation) traversing method and device, electronic equipment and storage medium
CN115225313B (en) High-reliability cloud network virtual private network communication method and device
US20240163664A1 (en) Secure key management device, authentication system, wide area network and method for generating session keys

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination