CN116389173B - Method, system, medium and equipment for realizing enterprise production network ad hoc network - Google Patents

Info

Publication number: CN116389173B
Authority: CN (China)
Application number: CN202310658837.4A
Other languages: Chinese (zh)
Other versions: CN116389173A
Inventors: 王达, 李国风
Current assignee: Mingyang Industrial Technology Research Institute Shenyang Co ltd
Original assignees: Mingyang Industrial Technology Research Institute Shenyang Co ltd; Mingyang Shichuang Beijing Technology Co ltd
Prior art keywords: network, enterprise production, production network, access terminal, fixed
Legal status: Active (Google's stated status and dates are assumptions, not legal conclusions)

Events: application filed by Mingyang Industrial Technology Research Institute Shenyang Co ltd and Mingyang Shichuang Beijing Technology Co ltd; priority to CN202310658837.4A; publication of CN116389173A; application granted; publication of CN116389173B; legal status active.

Classifications

All codes below fall under section H (ELECTRICITY), class H04 (ELECTRIC COMMUNICATION TECHNIQUE), subclass H04L (TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION) unless stated otherwise.

    • H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/00 network security; H04L63/02 separating internal from external traffic, e.g. firewalls)
    • H04L41/14: Network analysis or design (under H04L41/00 maintenance, administration or management of data switching networks)
    • H04L47/80: Actions related to the user profile or the type of traffic (under H04L47/00 traffic control; H04L47/70 admission control, resource allocation)
    • H04L61/3015: Name registration, generation or assignment (under H04L61/00 addressing or naming; H04L61/30 managing network names, e.g. aliases or nicknames)
    • H04L61/4547: Network directories; name-to-address mapping for personal communications, i.e. using a personal identifier (under H04L61/45 network directories; name-to-address mapping)
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/0227 filtering policies)
    • H04L63/105: Multiple levels of security (under H04L63/10 controlling access to devices or network resources)
    • H04L63/1441: Countermeasures against malicious traffic (under H04L63/14 detecting or protecting against malicious traffic)
    • Y02D30/70: Reducing energy consumption in wireless communication networks (section Y, general tagging of new technological developments and cross-sectional technologies; Y02 technologies for mitigation or adaptation against climate change; Y02D climate change mitigation technologies in ICT aiming at the reduction of their own energy use; Y02D30/00 reducing energy consumption in communication networks)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method, system, medium and device for realizing an ad hoc network for an enterprise production network. The system comprises an enterprise production network core server, an access terminal, and nodes through which the enterprise production network can be accessed. The core server is provided with an identification request rule, an access attribute dictionary, and security isolation domains, transmission priority levels and network address host bits that differ according to the terminal attributes. The access terminal is communicatively coupled to the core server via a node that can access the enterprise production network. The invention addresses the problems of existing enterprise production networks: coverage is difficult, the security of the self-organizing network is unreliable, IP addresses are ambiguous, network upgrades make operation and maintenance harder, anti-interference performance is poor, and network attacks cannot be avoided.

Description

Method, system, medium and equipment for realizing enterprise production network ad hoc network
Technical Field
The invention relates to the technical field of park networks, and in particular to a method, system, medium and device for realizing an ad hoc network for an enterprise production network.
Background
In enterprise production environments such as large mines, underground sites and large open-air production sites, large-scale network deployment is not possible. At the same time, with the development of internet, sensor and embedded technologies, data interconnection between people and objects is required, so an enterprise production network ad hoc network must be realized where no network currently exists.
However, existing self-organizing networks also have the following problems: network security management is lacking, so a network attacker can join the network at will; and self-organizing networks are mostly formed by wireless nodes, whereas an enterprise production network also contains partly wired or fixed wireless nodes. These problems affect production progress and reduce the economic benefit of enterprises.
IPv6 is the next-generation IP protocol designed by the Internet Engineering Task Force to replace IPv4. The original network uses IPv4 addresses, and because the two protocols are incompatible, network maintenance becomes more difficult when the network is upgraded.
Disclosure of Invention
Therefore, the technical problem the invention aims to solve is to provide a method, system, medium and device for realizing an ad hoc network for an enterprise production network, which address the problems in existing technology that the enterprise production network is difficult to cover, that the security of the self-organizing network is unreliable, that IP addresses are ambiguous, that network upgrades make operation and maintenance harder, that anti-interference performance is poor, and that network attacks cannot be avoided.
To solve these technical problems, the invention provides the following technical scheme:
A method for realizing an ad hoc network for an enterprise production network comprises the following steps:
S1) an identification request rule and an access attribute dictionary are set on the enterprise production network core server, and different security isolation domains, different transmission priorities and different network address host bits are set according to the different terminal access attributes;
S2) the new access terminal discovers the existing ad hoc network, or the fixed wired and wireless nodes, by automatic network sniffing, and establishes an initialization connection with the enterprise production network through a node that can access the enterprise production network; the initialization connection is defined as an illegal connection, under which the access terminal is only allowed to initiate an identification request to the enterprise production network core server and is not allowed to exchange data with other network nodes or application services;
S3) the new access terminal initiates an identification request carrying the access terminal attributes to the enterprise production network core server through the node that can access the enterprise production network;
S4) the enterprise production network core server forms fixed-length identification information by applying a hash function to the access terminal attributes carried in the identification request, and compares the generated fixed-length identification information with the content of the registry; if it conflicts with content in the registry, a hash collision exists, a collision result is returned, and the fixed-length identification information is regenerated and compared with the registry again, until the generated fixed-length identification information no longer conflicts with the registry content; the identification information is then registered, and the registered fixed-length identification information is stored in the registry data table;
S5) the enterprise production network core server returns feedback information corresponding to the identification request to the access terminal that initiated it; if the core server cannot find dictionary information corresponding to the access attributes, it judges the access terminal to be an illegal access terminal, the feedback information is a refusal of access, and the corresponding identification request log is recorded; if the core server does find dictionary information corresponding to the access attributes, the feedback information comprises a network address generated from the registered fixed-length identification information together with the dictionary information corresponding to that fixed-length identification information;
S6) when the feedback information is a refusal of access, the access terminal cannot access the enterprise production network after receiving it; when the feedback information comprises the network address generated from the registered fixed-length identification information and the corresponding dictionary information, the access terminal accesses the enterprise production network and serves as one of its access nodes, and the enterprise production network core server divides ad hoc network security isolation domains and performs ad hoc networking according to the dynamic networking strategy to complete the networking process.
In the above method, in step S6), when the access terminal receives the returned dictionary information and network address, it confirms that the enterprise production network allows it to access, and then configures its network address and identifier according to the returned dictionary information and network address. The network address comprises network address host bits, identifier bits and IPv4 address bits; the identifier in the identifier bits is the identifier contained in the fixed-length identification information and used to identify the access terminal within the enterprise production network, and the identifier configured by the access terminal is the identifier in the identifier bits.
In the above method, the network address length is 128 bits, the network address host bit length is 64 bits, the identifier bit length is 32 bits, and the IPv4 address bit length is 32 bits.
In the above method, the access terminal attributes comprise the access terminal MAC, the access terminal type and the access terminal vendor information.
In the above method, step S4) is completed by an enterprise production network identification management system provided in the enterprise production network core server. The identification management system comprises a fixed-length identification generation module, an identification registration module, an identification analysis module and a networking module. The fixed-length identification generation module forms fixed-length identification information from the access terminal attributes through a hash function; the identification registration module compares the fixed-length identification information with the information in the registry and registers the fixed-length identification information that does not conflict with the registry content, the registered fixed-length identification information being stored in the registry data table; the identification analysis module analyzes and identifies the identifier of a terminal for networking; and the networking module performs networking according to the dynamic networking strategy.
In the above method, within the enterprise production network, different security isolation domains have different core switching nodes, and the different security isolation domains share one enterprise production network core server.
A system for realizing an ad hoc network for an enterprise production network comprises an enterprise production network core server, an access terminal and nodes that can access the enterprise production network. The core server is provided with an identification request rule, an access attribute dictionary, and different security isolation domains, different transmission priority levels and different network address host bits set according to the different terminal attributes. The access terminal is communicatively connected to the core server through a node that can access the enterprise production network, and realizes the enterprise production network ad hoc network through the above method.
In the above system, an enterprise production network identification management system is provided in the enterprise production network core server. It comprises a fixed-length identification generation module, an identification registration module, an identification analysis module and a networking module. The fixed-length identification generation module forms fixed-length identification information from the access terminal attributes through a hash function; the identification registration module compares the fixed-length identification information with the information in the registry and registers the fixed-length identification information that does not conflict with the registry content, the registered fixed-length identification information being stored in the registry data table; the identification analysis module analyzes and identifies the identifier of a terminal for networking; and the networking module performs networking according to the dynamic networking strategy.
A computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the above method.
A computer device comprises a readable storage medium, a processor, and a computer program stored on the readable storage medium and executable on the processor, which, when executed by the processor, implements the above method.
The technical scheme of the invention has the following beneficial technical effects:
1. Under conditions in which a large-scale network cannot be deployed, the enterprise production network is connected to access terminals in wired and wireless fashion through the terminals themselves, and different security domains are established by dynamic-strategy networking according to network conditions, identifiers and dictionary information, so that a self-organizing enterprise production network is formed and the coverage of the enterprise production network and the access range of terminals are enlarged.
2. The invention realizes new network identification authentication of the access terminal: any trusted node accessing the production network must complete the node access control process, and data-layer intercommunication is only possible under mutual trust. At the same time, network identifiers and dictionary security domains are added, and different services are subdivided through security domain isolation, so that data and network transmission security is guaranteed and the lack of security isolation domains is remedied.
3. The host bits generated from the access attribute dictionary, the device identification information generated from the access terminal attributes, and the original network IPv4 address are packed into an IPv6 address. This is compatible with the original IPv4 network, requires no separate storage of the device identification information, saves storage resources and reduces operation and maintenance difficulty.
4. Any trusted node can join or leave the self-organizing enterprise production network at any time without affecting the data transmission of other network nodes and access terminals, which improves the self-adaptability of the self-organizing enterprise production network.
5. Attacks by illegal or untrusted network nodes are prevented: by setting the request rule, network resource congestion caused by connections from a large number of illegal devices is prevented, network faults and illegal attacks are prevented, and the anti-interference performance of the enterprise production network's autonomous network is improved.
6. The self-organizing network is combined with identifiers to form a self-organizing identifier network, enhancing the expansibility, mobility, security, reliability and controllable manageability of the network.
7. The identifier-forming process of the self-organizing network is realized through the hash algorithm, and to allow access by diverse kinds of nodes a unified access identification control mechanism is embedded, which completes the process of admitting nodes to the network and generates the fixed-length network identifier.
8. Enterprises can build self-organizing networks of various network types; the self-organizing network is quick and simple to form, nodes can move at will, and network expandability is good.
9. A unique identity symbol for the access terminal is generated from the access terminal attributes and the access attribute dictionary information, forming a new network communication identifier; this separates the network address identity from the location attribute and solves the problem of IP address ambiguity.
Drawings
FIG. 1 is a schematic diagram of the system for implementing an ad hoc network for an enterprise production network according to the present invention;
FIG. 2 is a flow chart of the implementation of an ad hoc network for an enterprise production network according to the present invention;
FIG. 3 is a schematic diagram of the ad hoc network architecture within an enterprise production network;
FIG. 4 is a schematic diagram of the network address structure;
FIG. 5 is a schematic diagram of a computer device capable of performing ad hoc networking for an enterprise production network.
Detailed Description
The invention is further described below with reference to examples.
As shown in FIG. 1, the system for implementing an ad hoc network for an enterprise production network comprises an enterprise production network core server, an access terminal and nodes that can access the enterprise production network. The core server is provided with an identification request rule and an access attribute dictionary, together with different security isolation domains, different transmission priority levels and different network address host bits set according to the different terminal attributes. The access terminal is communicatively connected to the core server through a node that can access the enterprise production network, and realizes the enterprise production network ad hoc network through the method described here.
The enterprise production network management system comprises a fixed-length identification generation module, an identification registration module, an identification analysis module and a networking module. The fixed-length identification generation module forms fixed-length identification information from the access terminal attributes through a hash function; the identification registration module compares the fixed-length identification information with the information in the registry and registers the fixed-length identification information that does not conflict with the registry content, the registered fixed-length identification information being stored in the registry data table; the identification analysis module analyzes and identifies the identifier of a terminal for networking; and the networking module performs networking according to the dynamic networking strategy.
The identification request rule is the rule under which an access terminal may request access when it first accesses the enterprise production network. Its function is as follows: the access terminal is allowed to initiate identification requests a set number of times within a given period, for example 30 times per minute; if it exceeds 30, it is added to the blacklist and forbidden from initiating further requests. The duration of the blacklist can be set, for example automatic recovery after 10 minutes, or the terminal can be removed from the blacklist manually. In this way a large number of illegal devices are prevented from requesting connections, network resource congestion is avoided, network faults and illegal attacks are avoided, and anti-interference performance is improved.
In the invention, the fixed-length identification information generated by the fixed-length identification generation module carries an identifier, which is the unique identity symbol by which the enterprise production network core server identifies an access terminal, and the networking module admits the access terminal's identity to the enterprise production network according to the dynamic networking strategy. The identification analysis module queries the network locations or related information of the access terminals to be networked according to their identifiers and the access attribute dictionary, so that the networking module can network dynamically and strategically according to the actual network conditions, the fixed-length identification information and the access attribute dictionary information, establishing different security isolation domains of the enterprise production network or adjusting the networking according to the dynamic strategy.
As shown in FIG. 2, when an access terminal accesses the enterprise production network, the system of the present invention realizes networking by the following steps:
S1) an identification request rule and an access attribute dictionary are set on the enterprise production network core server, and different security isolation domains, different transmission priorities and different network address host bits are set according to the different terminal access attributes; the access terminal attributes comprise the access terminal MAC, the access terminal type and the access terminal manufacturer information; different security isolation domains have different core switching nodes, and the different security isolation domains share one enterprise production network core server;
S2) the new access terminal discovers the existing ad hoc network, or the fixed wired and wireless nodes, by automatic network sniffing, and establishes an initialization connection with the enterprise production network through a node that can access the enterprise production network;
S3) the new access terminal initiates an identification request carrying the access terminal attributes to the enterprise production network core server through the node that can access the enterprise production network;
S4) the enterprise production network core server forms fixed-length identification information by applying a hash function to the access terminal attributes carried in the identification request, and compares the generated fixed-length identification information with the content of the registry; if it conflicts with content in the registry, a hash collision exists, a collision result is returned, and the fixed-length identification information is regenerated and compared with the registry again, until the generated fixed-length identification information no longer conflicts with the registry content; the identification information is then registered, and the registered fixed-length identification information is stored in the registry data table; the length of the fixed-length identification information is 32 bits, and this step is completed by the enterprise production network management system provided in the enterprise production network core server;
S5) the enterprise production network core server returns feedback information corresponding to the identification request to the access terminal that initiated it; if the core server cannot find dictionary information corresponding to the access attributes, it judges the access terminal to be an illegal access terminal, the feedback information is a refusal of access, and the corresponding identification request log is recorded; if the core server does find dictionary information corresponding to the access attributes, the feedback information comprises a network address generated from the registered fixed-length identification information together with the dictionary information corresponding to that fixed-length identification information;
S6) when the feedback information is a refusal of access, the access terminal cannot access the enterprise production network after receiving it; when the feedback information comprises the network address generated from the registered fixed-length identification information and the corresponding dictionary information, the access terminal accesses the enterprise production network and serves as one of its access nodes, and the enterprise production network core server divides ad hoc network security isolation domains and performs ad hoc networking according to the dynamic networking strategy to complete the networking process.
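A toy model of steps S4 to S6 and of the 128-bit address layout (64 host bits, 32 identifier bits, 32 IPv4 bits) described on this page; this is an added example, not code from the patent. The hash function (SHA-256 truncated to 32 bits), the attempt counter mixed in to regenerate an identifier after a collision, and the contents of the access attribute dictionary are assumptions made for illustration.

```python
"""Model of the core server: hash-based fixed-length identifier registration
with collision handling, dictionary lookup, and address packing (added
example; hash choice, attempt counter and dictionary contents are assumed)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

ID_BITS = 32    # fixed-length identification information is 32 bits (page)
HOST_BITS = 64  # network address host bits are 64 bits (page)

# Constructed access attribute dictionary keyed by (terminal type, vendor);
# value = (64-bit host bits, security isolation domain, transmission priority).
ATTRIBUTE_DICTIONARY = {
    ("ptz-camera", "VendorA"): (0x2001_0DB8_0000_0001, "video", 2),
    ("gas-sensor", "VendorB"): (0x2001_0DB8_0000_0002, "sensing", 1),
}


def build_address(host_bits: int, ident: int, ipv4: str) -> ipaddress.IPv6Address:
    """Pack host bits | identifier | original IPv4 address into one 128-bit
    IPv6 address, in the order the page describes."""
    if not 0 <= host_bits < (1 << HOST_BITS):
        raise ValueError("host bits must fit in 64 bits")
    if not 0 <= ident < (1 << ID_BITS):
        raise ValueError("identifier must fit in 32 bits")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((host_bits << 64) | (ident << 32) | v4)


def split_address(addr) -> tuple:
    """Inverse of build_address: recover (host bits, identifier, IPv4)."""
    value = int(ipaddress.IPv6Address(addr))
    return (value >> 64,
            (value >> 32) & 0xFFFFFFFF,
            ipaddress.IPv4Address(value & 0xFFFFFFFF))


@dataclass
class CoreServer:
    dictionary: dict
    registry: dict = field(default_factory=dict)    # identifier -> attributes
    request_log: list = field(default_factory=list)  # identification request log

    def generate_identifier(self, mac, ttype, vendor, attempt=0) -> int:
        # Hash of the three access terminal attributes, truncated to 32 bits.
        # 'attempt' is an assumed counter so that a colliding identifier can
        # be regenerated deterministically.
        material = f"{mac}|{ttype}|{vendor}|{attempt}".encode()
        return int.from_bytes(hashlib.sha256(material).digest()[:4], "big")

    def register(self, mac, ttype, vendor) -> int:
        """Step S4: generate, compare with the registry, regenerate on collision."""
        attrs = (mac, ttype, vendor)
        attempt = 0
        ident = self.generate_identifier(*attrs, attempt)
        # A collision is an identifier already held by a *different* terminal;
        # the same terminal registering again keeps its identifier.
        while ident in self.registry and self.registry[ident] != attrs:
            attempt += 1
            ident = self.generate_identifier(*attrs, attempt)
        self.registry[ident] = attrs
        return ident

    def handle_identification_request(self, mac, ttype, vendor, ipv4) -> dict:
        """Steps S4-S5: register, then consult the dictionary and reply."""
        ident = self.register(mac, ttype, vendor)
        entry = self.dictionary.get((ttype, vendor))
        if entry is None:
            # No dictionary information: illegal terminal, refuse and log.
            self.request_log.append(("refused", mac, ttype, vendor))
            return {"accepted": False, "identifier": ident}
        host_bits, domain, priority = entry
        self.request_log.append(("accepted", mac, ttype, vendor))
        return {"accepted": True, "identifier": ident,
                "address": build_address(host_bits, ident, ipv4),
                "domain": domain, "priority": priority}
```

Following the page's step order, the identifier is registered before the dictionary is consulted, so a refused terminal still occupies a registry entry; a deployment that wants to keep the registry to authorized terminals only would check the dictionary first.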
When the access terminal is refused access, it cannot access the enterprise production network or participate in its self-organizing network, and is not allowed to interact with other network nodes or application services. The identification request log generated by the access terminal within a given time range is compared with the request rule set on the core server, and if the upper limit of the request rule is exceeded, further request operations are forbidden. The request rule defines the time interval, request frequency, forbidden period, blacklist rule and blacklist release rule for an access terminal's request operations toward the enterprise production network core server, so that an illegal access terminal cannot occupy the computing resources of the core server through a large number of illegal identification requests, and network attacks are avoided.
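A model of the identification request rule described above (at most 30 identification requests per minute per terminal; exceeding that puts the terminal on a blacklist for 10 minutes, after which it recovers automatically or an operator releases it manually); this is an added example, not the patent's code. The sliding one-minute window keyed on the terminal MAC and the injected clock in seconds are assumptions so the behaviour can be reproduced offline.

```python
"""Identification request rule: rate limit, blacklist, automatic recovery and
manual release (added example; window keyed on MAC and injected clock assumed)."""
from collections import defaultdict, deque


class IdentificationRequestRule:
    def __init__(self, limit=30, window_s=60.0, ban_s=600.0):
        self.limit = limit                 # requests allowed per window (page: 30 per minute)
        self.window_s = window_s           # window length (page: one minute)
        self.ban_s = ban_s                 # blacklist duration (page: 10 minutes)
        self.recent = defaultdict(deque)   # mac -> timestamps still inside the window
        self.blacklist = {}                # mac -> time at which the ban expires
        self.log = []                      # identification request log: (t, mac, verdict)

    def allow(self, mac: str, now: float) -> bool:
        """Return True if the request made at time `now` may reach the core server."""
        expires = self.blacklist.get(mac)
        if expires is not None:
            if now < expires:
                self.log.append((now, mac, "blocked"))
                return False
            del self.blacklist[mac]        # automatic recovery once the ban has lapsed
        window = self.recent[mac]
        while window and now - window[0] >= self.window_s:
            window.popleft()               # forget requests older than one minute
        if len(window) >= self.limit:
            # More than `limit` requests inside the window: add to the blacklist.
            self.blacklist[mac] = now + self.ban_s
            window.clear()
            self.log.append((now, mac, "blacklisted"))
            return False
        window.append(now)
        self.log.append((now, mac, "allowed"))
        return True

    def release(self, mac: str) -> bool:
        """Manual removal from the blacklist by an operator; True if it was listed."""
        return self.blacklist.pop(mac, None) is not None

    def is_blacklisted(self, mac: str, now: float) -> bool:
        return self.blacklist.get(mac, float("-inf")) > now
```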
In an enterprise production network the access terminal types and their usage are fixed for long periods and rarely replaced, so the access attribute dictionary can be configured for the concrete deployment. An existing enterprise production network contains many kinds of terminal node, and their access information differs in format, length and other respects. To admit this diversity of nodes while identifiers are formed in the ad hoc network, an enterprise production network management system is embedded in the core server; it provides a unified identifier-based admission control mechanism through which nodes join the network. Every trusted node in the enterprise production network must complete this admission control process, and data-plane communication takes place only between nodes that have established mutual trust in this way.
Once admitted to the enterprise production network, an access terminal may at any time choose to enter a security isolation domain for networking, or to leave the security isolation domain and the enterprise production network. While it is a member, the terminal can act as a wired or wireless node of the new ad hoc network and so extends the network's coverage. When an access terminal leaves a security isolation domain, the core server reorganises the remaining terminals in that domain to reflect the change. This keeps the ad hoc network self-adaptive and leaves communication between the other nodes unaffected; the coverage of the security isolation domain shrinks when a legitimate terminal leaves it, and the coverage of the whole ad hoc network shrinks when the terminal leaves the enterprise production network.
The specific transmission requirements of key access terminals are met by assigning different transmission priorities: the core server forwards node traffic within the ad hoc network in priority order, which protects the data transmission efficiency of those nodes.
In step S6), when the access terminal receives the returned dictionary information and network address, it takes this as confirmation that the enterprise production network has admitted it and configures its own network address and identifier from them. As shown in fig. 4, the network address consists of a network address host part, an identifier part and an IPv4 address part. The identifier in the identifier part is the identifier contained in the fixed-length identification information and identifies the access terminal within the enterprise production network; it is also the identifier the terminal configures for itself. The network address is 128 bits long: the host part is 64 bits, the identifier part 32 bits and the IPv4 address part 32 bits. The host part can encode attributes such as physical location, organisational structure and network attributes; the identifier part holds the unique 32-bit identifier produced by passing the access terminal's MAC address, device type, interface type and similar information through a hash function; and the IPv4 address part carries the terminal's 32-bit IPv4 address from the original network plan.
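The following is an added example of the core-server side of steps S4 to S6 and of the 128-bit address layout just described; it is not code from the patent. Everything the page leaves open is an assumption made here: the dictionary is keyed by terminal type and vendor, the hash is SHA-256 truncated to 32 bits with an attempt counter mixed in on conflict, and the 64-bit host part is an IPv6 /64 prefix stored in the dictionary entry. Two things the example makes visible: a 32-bit identifier space makes conflicts routine once the registry holds tens of thousands of entries (the birthday bound is about 65 000), so the regeneration loop of step S4 is essential rather than optional; and because the hash input is only attribute data the terminal itself presents, the identifier in this example gives uniqueness, not proof of possession of a secret.

```python
"""Added example (not the patent's own code): the core-server side of steps S4 to S6
and the host | identifier | IPv4 address layout of fig. 4.

Assumptions the page does not fix, chosen here for illustration:
  - the access attribute dictionary is keyed by (terminal type, vendor);
  - the hash function is SHA-256 truncated to 32 bits, with an attempt counter mixed
    into the input when the truncated value collides with a registered entry;
  - the 64-bit host part of the address is an IPv6 /64 prefix held in the dictionary.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field

ID_BITS = 32            # identifier part of the address (fig. 4)
MAX_HASH_RETRIES = 16   # give up rather than loop forever on a crowded registry


@dataclass(frozen=True)
class DictEntry:
    """One access attribute dictionary row: the per-terminal-type settings of step S1."""
    domain: str         # security isolation domain the terminal is placed in
    priority: int       # transmission priority, higher is forwarded first
    host_prefix: str    # the 64-bit network address host part, as an IPv6 /64


@dataclass
class CoreServer:
    attr_dict: dict                                   # (type, vendor) -> DictEntry
    registry: dict = field(default_factory=dict)      # identifier -> terminal attributes
    request_log: list = field(default_factory=list)   # refused identification requests

    def fixed_length_id(self, attrs, attempt=0):
        """Fixed-length identification generation: hash of MAC, device type and interface
        type, truncated to ID_BITS. `attempt` is the regeneration counter of step S4."""
        material = "|".join([attrs["mac"], attrs["type"], attrs["interface"], str(attempt)])
        digest = hashlib.sha256(material.encode()).digest()
        return int.from_bytes(digest[: ID_BITS // 8], "big")

    def register(self, attrs):
        """Identification registration: regenerate on hash conflict, then store (step S4)."""
        for attempt in range(MAX_HASH_RETRIES):
            ident = self.fixed_length_id(attrs, attempt)
            existing = self.registry.get(ident)
            if existing is None:
                self.registry[ident] = attrs
                return ident
            if existing == attrs:
                return ident            # same terminal registering again keeps its identifier
            # conflict with a different terminal: fall through and regenerate
        raise RuntimeError("no collision-free identifier after %d attempts" % MAX_HASH_RETRIES)

    def build_address(self, entry, ident, ipv4):
        """Compose host part (64) | identifier (32) | IPv4 address (32) into one IPv6 address."""
        prefix = ipaddress.IPv6Network(entry.host_prefix)
        if prefix.prefixlen != 64:
            raise ValueError("host part must be a /64 prefix")
        value = int(prefix.network_address) | (ident << 32) | int(ipaddress.IPv4Address(ipv4))
        return ipaddress.IPv6Address(value)

    def handle_request(self, attrs):
        """Steps S4 and S5 for one identification request; returns the feedback."""
        entry = self.attr_dict.get((attrs["type"], attrs["vendor"]))
        if entry is None:
            # no dictionary entry for these access attributes: illegal terminal, log and refuse
            self.request_log.append(("refused", attrs["mac"]))
            return {"accepted": False, "reason": "no dictionary entry for access attributes"}
        ident = self.register(attrs)
        address = self.build_address(entry, ident, attrs["ipv4"])
        return {"accepted": True, "identifier": ident, "address": str(address),
                "domain": entry.domain, "priority": entry.priority}


def parse_address(address):
    """Identification analysis: split an address back into (host part, identifier, IPv4)."""
    value = int(ipaddress.IPv6Address(address))
    ipv4 = ipaddress.IPv4Address(value & 0xFFFFFFFF)
    ident = (value >> 32) & 0xFFFFFFFF
    host = ipaddress.IPv6Address((value >> 64) << 64)
    return host, ident, ipv4
```

`parse_address` is the inverse of `build_address`, which is what a node or the core server needs when it recovers a peer's identifier and original IPv4 address from the IPv6 address it sees on the wire.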
An "illegal connection" in the sense of step S6) is a connection that the access terminal established with the enterprise production network during network initialisation and that the security domain division later cuts off. After networking initialisation, the core server networks the access terminal through its networking module according to the dynamic networking strategy and divides the ad hoc network into security isolation domains. To keep the access terminal's network-plane traffic flowing when congestion occurs at a critical transit stage, the core server performs dynamic strategy networking based on the actual network conditions, the identifiers and the access attribute dictionary.
As shown in fig. 3, the existing enterprise production network has several network coverage areas; the node of the new access terminal C1 lies in coverage area C, the intersection of coverage areas A and B. A coverage area is determined by the physical properties of the ad hoc network nodes, specifically by the transmit and receive range of the physical nodes: where devices connect directly over Bluetooth, for example, the coverage of the Bluetooth link depends on the physical environment and on the physical properties of the terminal device.
Node C1 is connected to node A5 in coverage area A and to node B2 in coverage area B.
On initialisation, C1 sends an identification request to the enterprise production network core server through the network that covers it; the core server answers the request, allows the node to join, and then performs networking. Security domain A is established and the link to the isolated node B2 is disconnected.
Because node A3 in security domain A is the network's core switching node, it is a forwarding bottleneck. To secure the data exchange between C1 and the other security domains, the core server's dynamic networking establishes the preferred forwarding path C1 → A5 → A4 → A2 → A1.
When this ad hoc networking method is applied to an enterprise production network, an access terminal joins through a wired or wireless node and connects to other devices; the enterprise production network then performs dynamic strategy networking according to the network conditions, the identifiers and the access attribute dictionary and establishes the different security isolation domains, so that the enterprise production network organises itself.
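The following is an added example of the two dynamic networking steps in the fig. 3 scenario, admitting C1 into security domain A and choosing a forwarding path around the core switching node A3; it is not code from the patent. The adjacency list, the domain membership and the congestion penalty on A3 are constructed to match the text (C1 reaches A5 in area A and B2 in area B; A3 is domain A's core switching node) and are not read from the figure; the cost model (one per hop plus a node penalty) is likewise an assumption.

```python
"""Added example (not the patent's own code): dynamic networking for the fig. 3 scenario.

The topology, domain membership and the cost penalty on A3 are constructed to match the
description in the text; they are not taken from the figure.
"""
import heapq

# Constructed adjacency: node -> set of directly reachable neighbours.
TOPOLOGY = {
    "A1": {"A2", "A3"},
    "A2": {"A1", "A3", "A4"},
    "A3": {"A1", "A2", "A4", "A5"},
    "A4": {"A2", "A3", "A5"},
    "A5": {"A3", "A4", "C1"},
    "B1": {"B2"},
    "B2": {"B1", "C1"},
    "C1": {"A5", "B2"},
}
DOMAIN = {"A1": "A", "A2": "A", "A3": "A", "A4": "A", "A5": "A", "B1": "B", "B2": "B"}

# Per-node forwarding cost used by the dynamic networking strategy: one per hop, with a
# congestion penalty on the core switching node so paths avoid it when an alternative exists.
NODE_COST = {"A3": 10}


def assign_domain(topology, domain, node, joined_via):
    """Place `node` in the security isolation domain of the node it joined through and cut
    every link from `node` into a different domain. Returns (topology, domain, cut_links)."""
    target = domain[joined_via]
    new_topology = {n: set(neighbours) for n, neighbours in topology.items()}
    new_domain = dict(domain)
    new_domain[node] = target
    cut = []
    for neighbour in sorted(new_topology[node]):
        if new_domain.get(neighbour) != target:
            new_topology[node].discard(neighbour)
            new_topology[neighbour].discard(node)
            cut.append((node, neighbour))
    return new_topology, new_domain, cut


def preferred_path(topology, src, dst, node_cost):
    """Dijkstra over node costs; returns the cheapest path as a list of nodes, or None."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        if u == dst:
            break
        for v in topology[u]:
            nd = d + node_cost.get(v, 1)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def admit_c1():
    """The scenario: C1 joins via A5, its link to B2 is cut, then a path to A1 is selected."""
    topology, domain, cut = assign_domain(TOPOLOGY, DOMAIN, "C1", "A5")
    return cut, preferred_path(topology, "C1", "A1", NODE_COST)
```

Without the penalty the shortest route runs through A3 (C1 to A5 to A3 to A1); with it the planner picks the four-hop path the text describes, and the cut list records the isolated B2 link that the core server must keep out of the forwarding graph.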
Based on the above method for implementing an enterprise production network ad hoc network, this example also provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the following steps: setting an access attribute dictionary on the enterprise production network core server and setting different security isolation domains, transmission priorities and network address host parts for different terminal access attributes; processing, on the core server, the identification request initiated by an access terminal and returning to that terminal the fixed-length identification information that was formed by a hash function from the access terminal attributes in the request and successfully registered in the registry, together with the dictionary information corresponding to it; and networking, on the core server, the access terminal equipment that has successfully joined the network according to the dynamic networking strategy, the core server identifying and authenticating the access terminal by the identifier contained in the fixed-length identification information.
As shown in fig. 5, based on the above method and computer readable storage medium, this embodiment further provides a computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, the readable storage medium and the processor both being attached to a bus; when the processor executes the computer program it implements the same steps as set out for the storage medium above.
The above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art, and it is neither necessary nor possible to enumerate every embodiment here. Obvious variations or modifications derived from the above remain within the scope of the claims of this patent application.

Claims (10)

1. A method for implementing an enterprise production network ad hoc network, characterised in that it comprises the following steps:
S1) setting an identification request rule and an access attribute dictionary on an enterprise production network core server, and setting different security isolation domains, different transmission priorities and different network address host parts for different terminal access attributes;
S2) a new access terminal discovers the existing ad hoc network, or a fixed wired node or wireless node, by automatic network sniffing and establishes an initialisation connection with the enterprise production network through a node that can access the enterprise production network;
S3) the new access terminal initiates, through the node that can access the enterprise production network, an identification request carrying the access terminal attributes to the enterprise production network core server;
S4) the enterprise production network core server forms fixed-length identification information from the access terminal attributes carried in the identification request by means of a hash function and compares the generated fixed-length identification information with the contents of the registry; if it conflicts with an entry in the registry, a hash conflict exists, a conflict result is returned, the fixed-length identification information is regenerated and compared with the registry again, until the generated fixed-length identification information no longer conflicts with the registry contents; the non-conflicting fixed-length identification information is then registered and stored in the registry data table;
S5) the enterprise production network core server returns feedback corresponding to the identification request to the access terminal that initiated it; if the core server finds no dictionary information matching the access attributes, it judges the access terminal to be an illegal access terminal, the feedback refuses the terminal access and the corresponding identification request is logged; if the core server finds dictionary information matching the access attributes, the feedback contains a network address generated from the registered fixed-length identification information together with the dictionary information corresponding to that fixed-length identification information;
S6) if the feedback refuses access, the access terminal cannot join the enterprise production network after receiving it; if the feedback contains the network address generated from the registered fixed-length identification information and the corresponding dictionary information, the access terminal joins the enterprise production network and serves as one of its access nodes, and the enterprise production network core server places it in an ad hoc network security isolation domain and performs networking according to the dynamic networking strategy, completing the networking process.
2. The method of claim 1, wherein in step S6), when the access terminal receives the returned dictionary information and network address, it takes this as confirmation that the enterprise production network has admitted it and configures its own network address and identifier from them; the network address is an IPv6 address consisting of a network address host part, an identifier part and an IPv4 address part; the identifier in the identifier part is the identifier contained in the fixed-length identification information and identifies the access terminal within the enterprise production network; and the identifier configured by the access terminal is the identifier in the identifier part.
3. The method of claim 2, wherein the network address is 128 bits long, the network address host part is 64 bits long, the identifier part is 32 bits long and the IPv4 address part is 32 bits long.
4. The method of claim 1, wherein the access terminal attributes comprise the access terminal MAC address, the access terminal type and the access terminal vendor information.
5. The method of claim 1, wherein step S4) is performed by an enterprise production network management system provided within the enterprise production network core server; the enterprise production network identification management system comprises a fixed-length identification generation module, an identification registration module, an identification analysis module and a networking module, wherein the fixed-length identification generation module forms fixed-length identification information from the access terminal attributes by means of a hash function, the identification registration module compares the fixed-length identification information with the information in the registry and registers fixed-length identification information that does not conflict with the registry contents, the registered fixed-length identification information being stored in the registry data table, the identification analysis module analyses and recognises the identifiers of terminals for networking, and the networking module performs networking according to the dynamic networking strategy.
6. The method of any one of claims 1 to 5, wherein different security isolation domains in the enterprise production network have different core switching nodes, and the different security isolation domains share one enterprise production network core server.
7. A system for implementing an enterprise production network ad hoc network, characterised in that it comprises an enterprise production network core server, an access terminal and nodes capable of accessing the enterprise production network, wherein the enterprise production network core server is provided with an identification request rule, an access attribute dictionary, and the different security isolation domains, different transmission priorities and different network address host parts set for different terminal attributes; the access terminal communicates with the enterprise production network core server through a node capable of accessing the enterprise production network; and the access terminal implements the enterprise production network ad hoc network by the method of claim 1.
8. The system of claim 7, wherein an enterprise production network identification management system is provided in the enterprise production network core server, the enterprise production network identification management system comprising a fixed-length identification generation module, an identification registration module, an identification analysis module and a networking module, wherein the fixed-length identification generation module forms fixed-length identification information from the access terminal attributes by means of a hash function, the identification registration module compares the fixed-length identification information with the information in the registry and registers fixed-length identification information that does not conflict with the registry contents, the registered fixed-length identification information being stored in the registry data table, the identification analysis module analyses and recognises the identifiers of terminals for networking, and the networking module performs networking according to the dynamic networking strategy.
9. A computer readable storage medium on which a computer program is stored, characterised in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 6.
10. A computer device comprising a readable storage medium, a processor and a computer program stored on the readable storage medium and executable on the processor, characterised in that the computer program, when executed by the processor, implements the method of any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310658837.4A CN116389173B (en) 2023-06-06 2023-06-06 Method, system, medium and equipment for realizing enterprise production network ad hoc network

Publications (2)

Publication Number Publication Date
CN116389173A CN116389173A (en) 2023-07-04
CN116389173B true CN116389173B (en) 2023-08-01

Family

ID=86961934

Country Status (1)

Country Link
CN (1) CN116389173B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016112613A1 (en) * 2015-01-14 2016-07-21 中兴通讯股份有限公司 Access control method, device and broadband remote access server (bras)
CN110740490A (en) * 2019-10-22 2020-01-31 深圳市信锐网科技术有限公司 Terminal network access method, gateway equipment, system, storage medium and device
CN114025408A (en) * 2022-01-04 2022-02-08 北京交通大学 Network establishing and accessing method and device for self-adaptive networking and computer equipment
CN115955456A (en) * 2022-12-23 2023-04-11 明阳产业技术研究院(沈阳)有限公司 IPv 6-based enterprise campus network and networking method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230811

Address after: Room 701, No. 88 Quanyunsan Road, Hunnan District, Shenyang City, Liaoning Province, 110167

Patentee after: Mingyang Industrial Technology Research Institute (Shenyang) Co.,Ltd.

Address before: Room 903, 9th Floor, Building 2, No. 1 Lanxiangou, Haidian District, Beijing, 100089

Patentee before: Mingyang Shichuang (Beijing) Technology Co.,Ltd.

Patentee before: Mingyang Industrial Technology Research Institute (Shenyang) Co.,Ltd.