CN117439815B - Intranet penetration system and method based on reverse transparent bridging - Google Patents


Info

Publication number
CN117439815B
Authority
CN
China
Prior art keywords
user
server
service end
user client
intranet
Prior art date
Legal status
Active
Application number
CN202311676857.0A
Other languages
Chinese (zh)
Other versions
CN117439815A (en)
Inventor
王正
王慧平
陈育浩
杜毓聪
梁念峰
易田龙佳
熊波
何伟山
张时生
Current Assignee
Chinese People's Liberation Army 31203 Unit
Original Assignee
Chinese People's Liberation Army 31203 Unit

Abstract

The invention provides an intranet penetration system and method based on reverse transparent bridging, comprising the following steps: a user server configured with a private communication protocol requests the public network transit server to register its intranet information; the public network transit server allocates a unique identification code to the user server and establishes a domain name resolution correspondence; a user client configured with the same private communication protocol sends the public network transit server a request to bridge to the user server; the public network transit server returns the user server's information to the user client; the user client configures its local routing service, modifies its routing table and configures the forwarding interface for communication data messages; the user server receives the user client's bridging request, updates its local routing table and configures the forwarding interface for communication data messages bound for the user client; the user client then either communicates directly with the user server using the private communication protocol, or communicates with other terminals in the intranet after the user server has converted the communication data messages into TCP/IP protocol messages.

Description

Intranet penetration system and method based on reverse transparent bridging
Technical Field
The invention belongs to the technical field of network communication, and particularly relates to intranet penetration.
Background
With the rapid development of the internet, the demands of enterprises and individuals on network services keep growing, but because the number of public IPv4 addresses is limited, a public IP cannot be allocated to every device that needs to access the internet, and the next-generation IP protocol (IPv6) that would fully solve this problem is not yet widely deployed. Personal computers and office networks generally sit in separate local area networks (intranets), and nodes in an intranet and in an external network cannot connect and communicate directly without an independent IP address and port mapping, which is why intranet penetration technology was developed. However, with the growth of the internet of things, existing intranet penetration technology no longer meets society's needs and, in particular, cannot realize transparent bridged transmission.
At present, intranet penetration solutions at home and abroad have not formed unified standards or references; each was proposed for a particular application environment, has advantages within a certain range and has certain limitations. The existing intranet penetration schemes use the following technologies:
(1) STUN (Simple Traversal of UDP over NATs) protocol
STUN is a traversal approach based on UDP. Host A inside the intranet opens a UDP session to the external STUN server B, which has a public IP address, and asks the server to return the public IP address that network address translation (NAT) has mapped for host A; server B receives and parses the packet and returns the mapped public IP address to host A. Host A now knows the external address and port (IP/Port) that correspond to its address after NAT, records them, and sends a message containing this NAT-mapped IP/Port to host C; it can also bind that mapped IP/Port directly in other application-layer links. Because host A's packet travels from inside the NAT to outside, it passes freely through the NAT and is recorded by it; at the same time the NAT device builds the corresponding mapping table, after which host C outside the NAT can communicate with host A. The penetration diagram is shown in fig. 1.
This is a simple penetration scheme with good scalability, but it only supports penetration based on the UDP protocol. Its robustness is poor, and it cannot dynamically configure QoS (Quality of Service) and the like.
(2) TURN (Traversal Using Relays around NAT) protocol
The TURN (Traversal Using Relay NAT) approach to solving the network address translation problem is similar to STUN: it also works by substituting the private IP address inside the private network, the difference being the mapping scheme. In the TURN scheme, the TURN client's own network address is mapped by NAT to a public IP/Port, which it uses to communicate with the TURN server; it then obtains the public IP/Port that the TURN server allocates to it and rewrites the local private address at the application layer, so that the intermediate server is effectively transparent to the user. The scheme writes the obtained IP/Port directly into the data payload at the application layer, the same idea as in STUN. However, the client performs the traversal by forwarding through the intermediate server, which forwards each packet according to its destination address when the packet arrives. The same applies to incoming packets, with the roles reversed. In short, both host A in the intranet and host C in the external network must forward their data through the TURN server when sending and receiving. The transmission diagram is shown in fig. 2.
The TURN penetration technique is similar in principle to STUN, but both communicating parties need a dedicated TURN server to forward their data. TURN inherits many of STUN's advantages, supports TCP-based tunneling, and can also traverse devices such as symmetric NAT that STUN cannot. However, the need for a dedicated TURN server to forward the data greatly increases transmission delay and packet loss rate.
(3) UDP Hole punching technique
UDP hole punching enables hosts on both sides, each behind a network address translation device, to establish a direct communication connection from one end to the other with the aid of a public network server. The penetration process is shown in fig. 3.
When host A wants to communicate with host C over UDP, it sends a message to the public address and port of host C (27.54.248.207:2000) and at the same time a request message to server B (210.209.115.173:1246) asking B to have C send to A. When A's message arrives at host C, a session is established between A's private address and C's public address; NAT A records this session and forms the IP/Port mapping between A's intranet address and its public address. When the message that C sends at B's request arrives at host A, a session is likewise established between C's private address and A's public address, and NAT C records the mapping between C's intranet address and A's public address. Host A and host C can then communicate with each other without any further help from the server.
The success rate of this technique is high, but it relies on the firewall and on cone network address translation, and it does not support TCP-based applications.
(4) Reverse link technology
Reverse link technology is the simplest form of network penetration. Only one of the two P2P communication terminals is behind the network address translation device; the other is on the public network and has a unique legal public IP address, as shown in fig. 4. When host C on the public network wants to access host A behind the NAT device (say, a webcam), a packet sent directly would be discarded by NAT device A. However, if there is a third-party public network server B, host C can send a request through server B so that host A behind the NAT device actively sends a reverse link packet to public host C; this leaves corresponding mapping information on NAT device A, after which host C on the public network can access the local area network host through the NAT device. The transmission diagram is shown in fig. 4.
The advantage of reverse link is that it takes up few resources on the third-party public network server and the two hosts can exchange data directly. Its limitation is that it only suits the case where one communicating party is behind a network address translation device; if both parties are behind NAT devices, no effective communication is possible. This approach is therefore not universal.
Disclosure of Invention
In view of the above, the present invention discloses an intranet penetration system based on reverse transparent bridging, comprising a user client, a public network transit server and a user server;
the user client is used to actively initiate a link request for remote access to the internal local area network where the user server is located, and to handle sending and receiving of local network data messages; the user client comprises a routing table module, a virtual network card module and a communication protocol module; wherein,
the routing table module is used to modify the local routing table based on the information the public network transit server returns to the user client, and to configure the routing service for communication data messages;
the virtual network card module is used, once the routing table module has completed the route configuration, to encapsulate and decapsulate communication data messages between the user client and the user server according to the route configuration, the destination address of each message and the private communication protocol set by the communication protocol module, and to send and receive those messages;
the communication protocol module is used to set the private communication protocol, which defines the rules and conventions that the user client and user server entities must follow to complete communication or services, and is used to encapsulate and decapsulate communication data messages between the user client and the user server and to transmit and address data messages from the data link layer to the network layer;
the public network transit server is used to establish the reverse transparent bridging tunnel between the user client and the user server; it comprises a data forwarding module, a domain name resolution module and a point-to-point service module; wherein,
the data forwarding module forwards data during communication between the user client and the user server;
the domain name resolution module resolves the correspondence between the name of a user server and its intranet attributes, and establishes and maintains a database of the mapping between user server names and their unique identification codes;
the point-to-point service module establishes point-to-point communication links between the user client and the user server;
the user server is an intranet terminal of an internal local area network and, on receiving a link request from the user client, sends and receives communication data messages between itself and the user client, or relays communication data messages between the user client and the other intranet terminals of the local area network where it is located; the user server comprises a communication protocol module, a virtual network card module and a network address conversion module; wherein,
the communication protocol module sets the same private communication protocol as the user client's communication protocol module, and is used to encapsulate and decapsulate communication data messages between the user client and the user server and to transmit and address data messages from the data link layer to the network layer;
the virtual network card module processes communication data between all intranet terminals of the internal local area network where the user server is located and the user client, encapsulates and decapsulates communication data messages between the user server and the user client according to the local routing configuration, the destination address of each message and the private protocol set by the communication protocol module, and sends and receives those messages;
the network address conversion module converts the addresses of communication data messages between all intranet terminals of the internal local area network where the user server is located and the user client, and converts communication data messages based on the standard TCP/IP protocol into messages supported by the private protocol set by the communication protocol module.
Further, the user client is a networked device with an independent IPv4 address, or an intranet terminal of an internal LAN that cannot directly communicate with the internal LAN where the user server is located.
Further, the information the user client receives from the public network transit server includes the user server identification code and the intranet segment of the local area network where the user server is located;
if the internal local area network where the user server is located can communicate with other internal local area networks, the information returned to the user client by the public network transit server also includes a routing information table, i.e. the routing table by which the user server communicates with those other internal local area networks.
Further, when the network environments of the user client and the user server support a point-to-point communication link, the point-to-point service module negotiates the bridging tunnel to be established directly between the user client and the user server in point-to-point mode, after which communication data between them is no longer forwarded by the data forwarding module but exchanged directly; if their network environments do not support a point-to-point communication link, the bridging tunnel is established through the data forwarding module.
Further, the public network transit server also comprises a user authentication module, which authenticates the identity of the user client when it receives a communication request initiated by the user client and determines whether that identity is legitimate, and authenticates the identity of the user server when the user server makes a registration request and determines whether that identity is legitimate.
The invention also provides a method for establishing the reverse transparent bridging tunnel, which comprises the following steps:
step A1: the user server requests to register the internal local area network information of the user server from the public network transfer server;
the user server side comprises a communication protocol module, wherein a private communication protocol is configured in the communication protocol module;
step A2: after receiving the registration request from the user server, the public network transit server accepts the request for a user server that passes user identity authentication, allocates a unique identification code (ID) identifying that user server, enters the registration information from the request into the database, and establishes the domain name resolution correspondence;
step A3: the user client initiates a request of bridging the user server to the public network transit server;
the communication protocol module of the user client and the communication protocol module of the user server are configured with the same private communication protocol;
step A4, when the name of the user service end to be connected is registered in the public network transfer server and is online, the public network transfer server returns the corresponding user service end information to the user client;
step A5, the user client uses the user service side information returned by the public network transfer server to configure the local routing service, modify the routing table and configure the communication data message forwarding interface;
step A6, after receiving the user client information forwarded by the public network transit server, the user server accepts the user client's bridging request, updates its local routing table based on the received user client information, and configures the communication link to the forwarding interface for user client communication data messages;
and step A7, the user client establishes direct communication with the user server using the private communication protocol, or, after the user server converts the private-protocol messages into TCP/IP protocol communication data messages, those messages are exchanged with other intranet terminals of the internal local area network where the user server is located via the intranet switch.
The invention also provides a method for establishing the reverse transparent bridging tunnel, which is applied to the user service end and comprises the following steps:
step B1, run the user server and install the virtual network card driver of the user server;
the user server side comprises a communication protocol module, wherein a private communication protocol is configured in the communication protocol module;
step B2, configure the user server's name and link password information, and register the user server's name and intranet segment information with the public network transit server;
step B3, the public network transit server allocates a user server identification code (ID) to the user server, enters the user server's name and the network segment information of the internal local area network where it is located into the database, and establishes the reverse transparent bridging transit service with the user server;
wherein the database stores the mapping between the name of the user server and its unique identification code;
step B4, the user service end keeps an online state through a link with the public network transfer server, monitors a user client link request sent by the public network transfer server, receives a user client bridging request after receiving user client information forwarded by the public network transfer server, updates a local routing table based on the received user client information, and configures a communication link leading to a forwarding interface of a user client communication data message;
the communication protocol module of the user client and the communication protocol module of the user server are configured with the same private communication protocol;
and step B5, the user server side and the user client side adopt a private communication protocol, a communication link is established in a point-to-point mode, or after the private communication protocol is converted into a TCP/IP protocol communication data message through the user server side, the TCP/IP protocol communication data message is communicated with other intranet terminals of an internal local area network where the user server side is located through an intranet switch.
The invention also provides a method for establishing the reverse transparent bridging tunnel, which is applied to the user client, and comprises the following steps:
step C1, run the user client, and install and configure the virtual network card driver of the user client;
the user client comprises a communication protocol module, wherein a private communication protocol is configured in the communication protocol module;
step C2, the user client initiates a request of bridging the user server to the public network transit server;
the communication protocol module of the user server and the communication protocol module of the user client are configured with the same private communication protocol;
step C3, the domain name resolution module of the public network transfer server resolves the identification code of the user service end and the intranet section information of the internal local area network where the user service end is located, and returns the identification code of the user service end and the intranet section information of the internal local area network where the user service end is located to the user client when the user service end is online;
step C4, the user client receives the returned user service end identification code and the intranet section information of the internal local area network where the user service end is located, modifies a user client routing table based on the received user service end identification code and the intranet section information, and adds the routing information communicated with the internal local area network where the user service end is located;
step C5, the user service end updates the local routing table based on the received user client bridging request, and configures a communication link leading to a forwarding interface of the user client communication data message;
and step C6, the user client and the user server adopt a private communication protocol, establish a communication link in a point-to-point mode, or communicate with other intranet terminals of an internal local area network where the user server is located through an intranet switch after converting the private communication protocol into a TCP/IP protocol communication data message through the user server.
Further, if the internal local area network where the user server is located can directly communicate with other internal local area networks, the information returned to the user client by the public network transfer server also comprises a routing information table; the routing information table is a routing table for the user service end to communicate with other internal local area networks.
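As an added illustration of the control-plane exchange described in steps A1-A7, B1-B5 and C1-C6 (a simulation written for this page, not the patent's own code), the following Python models the transit server's authentication, ID allocation and name-resolution database, the bridging request, and the routing table updates on both sides, including the server-offline and failed-authentication cases. The message shapes, the ID format and the link-password check are assumptions; the patent does not specify them, and the private data-plane protocol is not modelled.

```python
"""Control-plane model of reverse transparent bridging tunnel setup.

Added illustration, not the patent's code. The ID format, the link-password
check and the in-memory tables are assumptions; the private protocol used on
the data plane is not modelled."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RouteTable:
    """Minimal local routing table: destination network -> outgoing interface."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add(self, network: str, iface: str) -> None:
        self.routes[ipaddress.ip_network(network, strict=False)] = iface

    def lookup(self, address: str) -> Optional[str]:
        # Longest-prefix match, as a real routing table would do.
        addr = ipaddress.ip_address(address)
        best = None
        for net, iface in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


@dataclass
class UserServer:
    name: str
    link_password: str
    intranet: str                                  # own LAN segment (step B2)
    reachable_lans: List[str] = field(default_factory=list)  # other LANs it routes to
    server_id: Optional[str] = None
    online: bool = False
    routes: RouteTable = field(default_factory=RouteTable)

    def accept_bridge(self, client_id: str, client_addr: str) -> None:
        # Step B4: add a route to the client via the virtual NIC (tunnel) interface.
        self.routes.add(client_addr, f"vnic:{client_id}")


class TransitServer:
    """Public network transit server: authentication, ID allocation, name resolution."""

    def __init__(self, credentials: Dict[str, str]) -> None:
        self._creds = credentials               # name -> link password (assumed provisioning)
        self._name_to_id: Dict[str, str] = {}   # domain name resolution database
        self._servers: Dict[str, UserServer] = {}

    def register(self, srv: UserServer) -> Optional[str]:
        # Steps A2/B3: authenticate, allocate a unique ID, record name -> ID and segment.
        if self._creds.get(srv.name) != srv.link_password:
            return None                         # authentication failed: registration refused
        sid = f"S-{len(self._servers) + 1:04d}"
        srv.server_id, srv.online = sid, True
        self._name_to_id[srv.name] = sid
        self._servers[sid] = srv
        return sid

    def resolve(self, name: str) -> Optional[dict]:
        # Steps A4/C3: answer only when the name is registered and the server is online.
        sid = self._name_to_id.get(name)
        srv = self._servers.get(sid) if sid else None
        if srv is None or not srv.online:
            return None
        info = {"server_id": sid, "intranet": srv.intranet}
        if srv.reachable_lans:                  # routing table is pushed only when needed
            info["routing_table"] = list(srv.reachable_lans)
        return info

    def bridge(self, client_id: str, client_addr: str, name: str) -> Optional[dict]:
        # Steps A3-A6: forward the bridging request to the server, return its info to the client.
        info = self.resolve(name)
        if info is None:
            return None
        self._servers[info["server_id"]].accept_bridge(client_id, client_addr)
        return info


@dataclass
class UserClient:
    client_id: str
    address: str
    routes: RouteTable = field(default_factory=RouteTable)

    def bridge(self, transit: TransitServer, name: str) -> bool:
        # Steps C2-C4: request bridging, then route the server's LAN(s) via the tunnel.
        info = transit.bridge(self.client_id, self.address, name)
        if info is None:
            return False
        iface = f"vnic:{info['server_id']}"
        self.routes.add(info["intranet"], iface)
        for lan in info.get("routing_table", []):
            self.routes.add(lan, iface)
        return True
```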
The scheme of the invention has the following advantages:
(1) Cost savings: compared with traditional intranet penetration schemes, this intranet penetration technique is simpler and easier to use and simpler to configure; it can effectively reduce the cost of remote office work and network maintenance for small and medium-sized enterprises, and lets individual users realize enterprise-level intranet penetration at low cost.
(2) Improved data security: transmission and forwarding are encrypted by the custom communication protocol.
(3) Faster data processing: transparent transmission improves forwarding efficiency.
(4) Easy expansion: traditional VPN, port forwarding and proxy technologies are essentially point-to-point intranet penetration, and forwarding configuration must be added whenever another terminal needs to be reached.
(5) More stable processing: packet forwarding, encapsulation and decapsulation are handled below the network layer, which effectively avoids interception of the data by devices such as firewalls and makes transmission more stable and efficient.
Drawings
Fig. 1 is a schematic diagram of a conventional STUN technique;
Fig. 2 is a schematic diagram of a conventional TURN technique;
Fig. 3 is a schematic diagram of a conventional UDP hole punching technique;
Fig. 4 is a schematic diagram of a prior art reverse link technique;
Fig. 5 is a schematic diagram of an intranet penetration system based on reverse transparent bridging according to the present invention;
Fig. 6 is a functional block diagram of an intranet penetration system based on reverse transparent bridging according to the present invention;
Fig. 7 is a schematic diagram of signal flow in the process of establishing a reverse transparent bridging tunnel according to the present invention;
Fig. 8 is a flow chart of a method for establishing a reverse transparent bridging tunnel according to the present invention;
Fig. 9 is a block diagram of the process for establishing a reverse transparent bridging tunnel at the user server according to the present invention;
Fig. 10 is a block diagram of the reverse transparent bridging tunnel establishment flow at the user client according to the present invention;
Fig. 11 is a schematic diagram of the system framework according to embodiment 1 of the present invention;
Fig. 12 is a schematic diagram of the reverse transparent bridging tunnel establishment flow in embodiment 1 of the present invention;
Fig. 13 is a schematic diagram of the system framework according to embodiment 2 of the present invention;
Fig. 14 is a schematic diagram of the reverse transparent bridging tunnel establishment flow according to embodiment 2 of the present invention;
Fig. 15 is a schematic diagram of the system framework according to embodiment 3 of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Explanation of the terminology related to the invention:
Bridging: the process of forwarding network packets according to link-layer addresses of the OSI network model. When the bridging option is configured on a router, it processes all data frames on all interfaces and learns the location of each host in real time. When a frame is received on an interface, an entry is added to the bridge table recording the sending host, its MAC address and the interface on which the frame was received, so the table is continuously refined during communication.
Transparent bridging: the router is transparent to the hosts and functions as a LAN switch. Reverse transparent bridging follows essentially the same concept: once the reverse transparent bridging tunnel has been established using routing techniques, the tunnel is transparent to the hosts and its effect is equivalent to a link from a local area network switch to a terminal.
Intranet: i.e. a local area network, also called an internal local area network; the computers of the internal network access the internet through a common gateway using Network Address Translation (NAT). The intranet is a local area network.
Terminal: a device with networking capability, including computers, routers, mobile phones, smart televisions, network cameras and the like. The terminals referred to in the invention are all devices of this kind.
Reverse link: a technique in which a terminal inside the intranet actively establishes a communication link to a terminal on the external network, thereby realizing a link from the external terminal to the intranet terminal; this is also the mechanism used by reverse-connecting (rebound) Trojans and the like.
The present invention will be described in detail with reference to the accompanying drawings.
Fig. 5 shows an overall framework of the intranet penetration system based on the reverse transparent bridging of the present invention, and fig. 6 shows a functional module architecture of the intranet penetration system based on the reverse transparent bridging of the present invention. As shown in fig. 5 and 6, the system is composed of three parts, namely a user client, a public network transit server and a user server. Wherein,
The user client is a device with networking capability, for example a computer, server, router, mobile phone, smart television or network camera; it may be a networked device with an independent IPv4 address or an intranet terminal, and is used to actively initiate the link request for remote access to the intranet where the user server is located and to handle sending and receiving of local network data messages.
The user client comprises: the system comprises a routing table module, a virtual network card module and a communication protocol module. Wherein,
and the routing table module is used for modifying the local routing table and configuring the communication data message routing service when receiving the information returned to the user client by the public network transfer server.
The information sent to the user client by the public network transit server comprises: user service end identification code and intranet network section. If the internal local area network where the user service end is located can communicate with other internal local area networks, the information sent to the user client end by the public network transfer server can also comprise a routing information table; the routing information table is a routing table of the user service end leading to other internal local area networks, if the network segments of other internal local area networks need to be linked, the routing information table needs to be pushed, and if the user service end is only accessed to the internal local area network, the pushing is not needed.
The virtual network card module is used for processing all communication data related to the user service end after the routing table module completes the routing setting, and mainly packaging and decapsulating the communication data message between the user client and the user service end according to a self-defined communication protocol according to the routing configuration and the target address of the communication data message, and sending and receiving the data message;
the communication protocol module self-defines the rules and conventions that the user client and the user service end entity must follow to complete communication or service, and can be called a private communication protocol which is different from a TCP/IP protocol and is used for packaging and unpacking communication data messages between the user client and the user service end and transmitting and addressing the data messages from a data link layer to a network layer.
The public network transit server is a networked terminal with an independent external network address; it supports the establishment of a reverse transparent bridging tunnel between a user client and a user server. It comprises a user authentication module, a data forwarding module, a domain name resolution module and a point-to-point service module:
The user authentication module authenticates the identity of the user client when a communication request initiated by the user client is received and determines whether that identity is legitimate; when the user server makes a registration request, it likewise authenticates the identity of the user server to determine whether it is legitimate.
The data forwarding module forwards data during communication between the user client and the user server: a data message sent by the user client to the user server flows to the public network transit server, where the data forwarding module identifies the corresponding user server and forwards the message to it.
The domain name resolution module resolves user server names. When a user client initiates a link using a user server name, the domain name resolution module of the public network transit server first resolves the unique identification code, intranet segment and other information of that user server and returns them to the user client. The module also maintains the database that maps user server names to their unique identification codes: a record is added when a user server registers, the state information of the user server is recorded, and when a user server has been offline for a long time the corresponding record and its reverse transparent bridging are deleted.
The domain name resolution service of this module is similar to the Internet DNS service: it resolves a user server name to the corresponding intranet attributes.
The point-to-point service module establishes a point-to-point (P2P) link between the user client and the user server. When the network environments of the user client and the user server can support a P2P link, the module negotiates a bridging tunnel established directly between them in P2P mode, and the communication data at the two ends flows directly without passing through the data forwarding module. If the network environments do not support a P2P link, the bridging tunnel is still established through the data forwarding module, which has stronger compatibility.
The user server is any intranet terminal in an internal local area network, such as a desktop computer, a portable computer, a router on which root authority has been obtained or a smart television; it receives and sends the communication data messages for access to the internal LAN. An internal LAN generally comprises a switch, an intranet server and various intranet terminals, and the intranet terminals communicate with terminals outside the internal LAN through the switch. The user server comprises a communication protocol module, a virtual network card module and a network address conversion module:
The communication protocol module is similar to the communication protocol module of the user client: it also uses the private communication protocol of the invention, which differs from the TCP/IP protocol and is used to encapsulate and decapsulate communication data messages between the user client and the user server, thereby providing data message transmission and addressing from the data link layer to the network layer.
The virtual network card module processes the communication data between all intranet terminals in the internal LAN and the user client. Its main work is to encapsulate and decapsulate all communication data messages between the user server and the user client according to the self-defined communication protocol, based on the local routing configuration and the target address of each message, and to send and receive the messages.
The network address conversion module performs address conversion for all communication data messages between terminals in the internal LAN and the user client, that is, it converts communication data messages based on the standard TCP/IP protocol into communication data messages supported by the private communication protocol.
Note that when the user client is itself an intranet terminal, it belongs to an internal LAN that cannot communicate directly with the internal LAN where the user server is located.
According to the invention, the user client and the user server establish an encrypted communication tunnel through the public network transit server, thereby achieving intranet penetration: the internal LAN where the user server is located is accessed remotely, the user client is reverse transparently bridged to the intranet segment where the user server is located, and network data packets are forwarded between the user client and all intranet terminals of that internal LAN based on link layer addresses, just as in ordinary transparent transmission within a single LAN, so that the user client can access and control all intranet terminals in the internal LAN where the user server is located.
The present invention is described in further detail below.
Fig. 7 is a schematic signal flow diagram of the process of establishing the reverse transparent bridging tunnel according to the present invention, and fig. 8 is a flow chart of the reverse transparent bridging tunnel establishment method according to the present invention. As shown in figs. 7 and 8, the method comprises the following steps:
Step A1: the user server requests the public network transit server to register its internal LAN information. The basic information of the user server and the information of its LAN are registered with the public network transit service over a Transport Layer Security (TLS) channel; this initiates the initial link of the reverse transparent bridge and prepares the user server to forward and parse data packets at the data link layer. The registration data comprises the user server name, the link password, the intranet segment where the user server is located, the existing routing table entries of the user server and the like. The communication protocol module of the user server is configured with the private communication protocol.
Step A2: after receiving the registration request of the user server, the public network transit server first verifies the identity of the user server; if the identity is not legitimate, registration is refused. If the identity is legitimate, registration is approved: a unique identification code (ID) is allocated to identify the user server, the registration information from the request is entered into the database, and the domain name resolution correspondence is established.
Step A3: the user client sends the public network transit server a request to bridge to the user server; the communication protocol module of the user client is configured with the same private communication protocol as the communication protocol module of the user server.
Step A4: the public network transit server looks up the name of the user server that the user client requests to connect to; if that user server is registered and online, the public network transit server returns the corresponding user server information to the user client. The returned information comprises the user server identification code (ID) and the intranet segment information of the user server.
Step A5: the user client uses the information returned by the public network transit server to configure its local routing service, modify its routing table and configure the communication data message forwarding interface, thereby establishing the reverse transparent bridging tunnel.
Once this configuration is complete, the reverse transparent bridging tunnel is established. All data sent by the user client to an intranet terminal is automatically encapsulated into data messages and forwarded into the reverse transparent tunnel through the virtual network card of the user client; it finally reaches the user server, where it is decapsulated by the virtual network card of the user server and forwarded to the target intranet terminal of the internal LAN according to the physical address (MAC address) in the data message. After the tunnel is established, the public network transit server mainly forwards data messages; encapsulation, decapsulation, encryption and decryption of the data messages are performed by the user client and the user server through their respective virtual network cards. In other words, after the user initiates an access request the intranet penetration system of the invention completes the reverse bridging automatically, without user participation, and from the user's perspective the system is not noticeable during the whole reverse bridging process. After the user server accepts the bridging of the client, a virtual link exists between the user client and the switch of the intranet where the user server is located. Communication over this link resembles a tunnel: the two ends communicate and the intermediate process is hidden, which is why the virtual link is called a reverse transparent bridging tunnel.
Step A6: after receiving the user client information forwarded by the public network transit server, the user server updates its local routing table and configures a forwarding interface for communication data messages to the user client. The reverse transparent bridging tunnel is then successfully established, and communication between the intranet terminals of the user server and the user client is equivalent to communication within the same internal LAN.
Step A7: the user client communicates directly with the user server using the private communication protocol, or, after the user server converts the messages into TCP/IP protocol communication data messages, communicates with the other terminals of the intranet through the intranet switch.
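The exchange of steps A1 to A6, modelled in Python as an added example (not the patent's code): a transit server that verifies identities, allocates identification codes, keeps the name-to-ID database with online state and answers bridging requests, plus the routing entries the client derives from the returned information, including an optionally pushed routing table. The class and function names, the response fields, the use of the link password for both registration and bridging, and the salted-hash storage are assumptions; the patent does not specify its private protocol or database schema.

```python
"""Control-plane model of the reverse transparent bridging setup, steps A1-A6.

Added illustration, not code from the patent. The class and function names,
the response fields, the use of the link password for both registration and
bridging, and the salted-hash storage are assumptions: the patent specifies
only that identities are verified and that name, link password, intranet
segment and routing entries are registered over a TLS channel.
"""
import hashlib
import hmac
import ipaddress
import secrets


class TransitServer:
    """Public network transit server: identity verification, the name -> ID
    database kept by the domain name resolution module, and online state."""

    def __init__(self):
        self.by_name = {}        # user server name -> record
        self.next_id = 1         # source of unique identification codes

    @staticmethod
    def _digest(password, salt):
        # Assumption: only a salted hash of the link password is stored.
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def _password_ok(self, rec, password):
        return hmac.compare_digest(rec["digest"],
                                   self._digest(password, rec["salt"]))

    def register(self, name, password, segment, routes=()):
        """Steps A1/A2: a user server registers its name, link password,
        intranet segment and, optionally, routing entries to other LANs.
        Returns the assigned ID, or None when registration is refused."""
        try:
            net = ipaddress.ip_network(segment, strict=False)
            pushed = tuple(ipaddress.ip_network(r, strict=False) for r in routes)
        except ValueError:
            return None                      # malformed registration data
        rec = self.by_name.get(name)
        if rec is None:
            salt = secrets.token_bytes(16)
            rec = {"id": self.next_id, "salt": salt,
                   "digest": self._digest(password, salt)}
            self.next_id += 1
            self.by_name[name] = rec
        elif not self._password_ok(rec, password):
            return None                      # identity not legitimate: refuse
        rec.update(segment=net, routes=pushed, online=True)
        return rec["id"]

    def set_offline(self, name, long_drop=False):
        """Server dropped. After a long drop the record and its bridging
        are deleted, as the domain name resolution module does."""
        if long_drop:
            self.by_name.pop(name, None)
        elif name in self.by_name:
            self.by_name[name]["online"] = False

    def bridge(self, name, password):
        """Steps A3/A4: a user client asks, by name, to bridge to a user
        server. The answer carries the ID, intranet segment and any pushed
        routes, or reports that the server is offline or the request refused."""
        rec = self.by_name.get(name)
        if rec is None or not self._password_ok(rec, password):
            return {"status": "refused"}
        if not rec["online"]:
            return {"status": "offline"}
        return {"status": "ok", "id": rec["id"],
                "segment": rec["segment"], "routes": rec["routes"]}


def client_routes(info, local_segment, iface="vnic0"):
    """Step A5: the entries the user client adds to its routing table from
    the returned information (server segment plus pushed routes), all via the
    virtual network card. Added check: a route overlapping the client's own
    LAN is skipped so the client does not lose its local connectivity."""
    local = ipaddress.ip_network(local_segment, strict=False)
    wanted = (info["segment"],) + tuple(info["routes"])
    return [(str(net), iface, info["id"])
            for net in wanted if not net.overlaps(local)]


if __name__ == "__main__":
    # Constructed sample: department LAN B pushing routes to LANs A and C.
    ts = TransitServer()
    sid = ts.register("dept-b", "s3cret", "10.2.0.0/24",
                      routes=["10.1.0.0/24", "10.3.0.0/24"])
    info = ts.bridge("dept-b", "s3cret")
    print(sid, info["status"], client_routes(info, "192.168.1.0/24"))
```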
The method for establishing the reverse transparent bridging tunnel of the present invention is further described below from the user server side and the user client side, respectively.
Fig. 9 shows a flow chart of the reverse transparent bridging tunnel establishment method of the present invention as applied to the user server. As shown in fig. 9, the method comprises the following steps:
Step B1: the user server is started and its virtual network card driver is installed; the communication protocol module of the user server is configured with the private communication protocol.
Step B2: the user server name, link password and other information are configured, and the user server name, intranet segment and other information are registered with the public network transit server.
Step B3: the public network transit server allocates a user server identification code (ID) to the user server, enters the user server name and its LAN segment information into the database that maps user server names to unique identification codes, and establishes the reverse transparent bridging transit service with the user server.
Step B4: the user server establishes its network bridging forwarding service mechanism, maintains its online state through the link with the public network transit server, listens for user client link requests sent by the public network transit server, and prepares to establish a reverse transparent bridging tunnel with the user client.
After receiving the user client information forwarded by the public network transit server, the user server accepts the bridging request of the user client, updates its local routing table and configures a forwarding interface for communication data messages to the user client.
Step B5: the user client communicates directly with the user server using the private communication protocol, or, after the user server converts the protocol into TCP/IP communication data messages, communicates with the other terminals in the intranet through the intranet switch.
Fig. 10 shows a flow chart of the reverse transparent bridging tunnel establishment method of the present invention as applied to the user client. As shown in fig. 10, the method comprises the following steps:
Step C1: the user client is started and its virtual network card driver is installed and configured; the private communication protocol is configured in the communication protocol module of the user client.
Step C2: the user client sends the public network transit server a request to bridge to the user server; the communication protocol module of the user server is configured with the same private communication protocol as the communication protocol module of the user client.
Step C3: the domain name resolution module of the public network transit server resolves the identification code of the user server and the intranet segment information of the internal LAN where the user server is located, and checks whether the user server is online. If so, it returns the identification code and the intranet segment information to the user client; otherwise it informs the user client that the server is offline.
Step C4: the user client receives the returned user server identification code and the intranet segment information of the internal LAN where the user server is located, modifies its routing table by adding routing information to that internal LAN, and establishes the transparent bridging tunnel linking it to that internal LAN.
Step C5: the user client sends its information to the user server through the public network transit server. Once the user server completes the link bridging configuration, the reverse transparent bridging tunnel is established: the user client gains transparent access to the intranet of the user server and can exchange all network data freely with any terminal in that intranet, while the public network transit service only provides a data message forwarding function.
Step C6: the user client communicates directly with the user server using the private communication protocol, or, after the user server converts the protocol into TCP/IP communication data messages, communicates with the other terminals of the intranet through the intranet switch.
The invention is further illustrated by the following three examples.
Example 1: remote access from a user terminal to a company intranet
Fig. 11 shows the system framework for remote access from a user terminal to a company intranet according to the present invention. As shown in fig. 11, embodiment 1 provides an intranet penetration system based on reverse transparent bridging for accessing a company intranet in order to implement remote office work. It comprises a user terminal (user client), a public network transit server and a company intranet terminal (user server). The company's internal LAN generally comprises a switch, an intranet server and various intranet terminals, and the intranet terminals communicate with terminals outside the internal LAN through the switch.
Application conditions: (1) the company has only one internal LAN; (2) the user terminal can be any device linked to the Internet in any way; it can be an intranet terminal located in an internal LAN other than the company LAN, or an external network terminal with an independent IP; (3) the company intranet terminal can be any intranet terminal in the company LAN, including a computer, tablet, router, smart television and the like.
Fig. 12 shows the flow of the reverse transparent bridging tunnel establishment method according to embodiment 1 of the present invention. As shown in fig. 12, the establishment method comprises:
Step S11: the company intranet terminal is started and installs its own virtual network card driver;
Step S12: the company intranet terminal name, link password and other information are configured, and the company intranet terminal name, intranet segment and other information are registered with the public network transit server;
Step S13: after receiving the registration request of the company intranet terminal, the public network transit service first verifies the user identity; if the identity is illegitimate, registration is refused; if it is legitimate, registration is approved, a unique identification code is allocated to identify the company intranet terminal, the registration information from the request is entered into the database, and the domain name resolution correspondence is established;
Step S14: the company intranet terminal establishes its network bridging forwarding service mechanism, maintains its online state through the link with the public network transit server, listens for user terminal link requests sent by the public network transit service, and prepares to establish a reverse transparent bridging tunnel with the user terminal;
Step S15: the user terminal is started and automatically installs its virtual network card driver;
Step S16: the user terminal sends the public network transit server a link request for accessing the company intranet terminal, with the company intranet terminal name as parameter;
Step S17: the domain name resolution module of the public network transit server resolves the identification code and intranet segment information of the company intranet terminal from its name and checks whether the company intranet terminal is online; if so, it returns the identification code and intranet segment information of the company intranet terminal, otherwise it returns the offline information of the company intranet terminal;
Step S18: the user terminal receives the returned company intranet terminal identification code and intranet segment information, modifies its local routing table by adding routing information to the internal LAN where the company intranet terminal is located, and establishes the transparent bridging tunnel linking it to that internal LAN;
Step S19: after the user terminal has sent its information to the company intranet terminal via the public network transit server and the company intranet terminal has completed the link bridging configuration, the reverse transparent bridging tunnel is established: the internal LAN where the company intranet terminal is located is accessed transparently, all network data can be exchanged freely with any terminal in that internal LAN, and the public network transit service only provides a data message forwarding function.
Example 2: remote access from a user terminal to multiple department intranets of a company
Fig. 13 shows the system framework in which a user terminal according to embodiment 2 of the present invention remotely accesses several department intranets of a company. The main users of embodiment 2 are the network management and maintenance staff of a company. As shown in fig. 13, the intranet penetration system based on reverse transparent bridging of embodiment 2 remotely accesses several LANs within the company and implements remote network maintenance; it comprises a user terminal (user client), a public network transit server, company LANs A, B and C, and several company intranet terminals (user servers).
Application conditions: (1) the company has several internal LANs, which can communicate with each other; (2) the user terminal can be any device linked to the Internet in any way; it can be an intranet terminal located in an internal LAN other than the company LANs, or an external network terminal with an independent IP; (3) the intranet terminal can be any intranet terminal in any of the company's LANs, including a computer, tablet, router, smart television and the like.
If the application scenario of this embodiment used a traditional VPN solution, VPN servers would have to be deployed in each of LANs A, B and C, and the user terminal would have to establish separate links to A, B and C in order to reach terminals in all three at once; this has the disadvantages of high deployment cost and many links to establish. If proxy forwarding were used, different forwarding ports and paths would have to be configured for different applications; the configuration is complex and not general.
With the scheme of the invention, a reverse transparent bridging tunnel from the user client to the user server is established between any one intranet terminal in LAN A, B or C, the user terminal and the public network transit server according to the flow of example 1, after which any terminal in LAN A, B or C can be accessed freely. The only additional step is to add the company intranet terminal's routing table for the other two LANs to its route push table when that terminal is configured; the routing table is pushed to the user terminal when it establishes a bridging tunnel with the intranet terminal, and the user terminal sets up a route forwarding service to LANs A, B and C, so that transparent access to intranets A, B and C, that is intranet penetration, is achieved.
Fig. 14 is a flow chart of the reverse transparent bridging tunnel establishment method according to embodiment 2 of the present invention. As shown in fig. 14, the establishment method comprises:
Step S21: an intranet terminal in company LAN B is started; the company intranet terminal installs its own virtual network card driver;
Step S22: the name, link password, pre-push routing information table (containing the routing information of the terminal in LAN B towards the terminals in LANs A and C) and other information of the company intranet terminal are configured, and the name and network segment of the intranet terminal in company intranet B are registered with the public network transit server;
Step S23: after receiving the registration request of the company intranet terminal, the public network transit service first verifies the user identity; if the identity is illegitimate, registration is refused; if it is legitimate, registration is approved, a unique identification code is allocated to identify the company intranet terminal, the registration information from the request is entered into the database, and the domain name resolution correspondence is established;
Step S24: the company intranet terminal establishes its network bridging forwarding service mechanism, maintains its online state through the link with the public network transit server, listens for user terminal link requests sent by the public network transit service, and prepares to establish a reverse transparent bridging tunnel with the user terminal;
Step S25: the user terminal is started and automatically installs a secure virtual network card driver;
Step S26: the user terminal sends the public network transit server a link request for accessing the company intranet, with the intranet terminal name as parameter;
Step S27: the domain name resolution module of the public network transit server resolves the company intranet terminal identification code and intranet segment information from the company intranet terminal name and checks whether the company intranet terminal is online; if so, it returns the identification code and intranet segment information of the company intranet terminal, otherwise it returns the offline information of the company intranet terminal;
Step S28: the user terminal receives the returned information, namely the identification code, intranet segment and pushed routing table of the intranet terminal in company intranet B, modifies its routing table by adding the routing information to the company intranet terminal, merges the routing information to company intranets A and C pushed by the company intranet terminal into its routing table, and establishes the transparent bridging tunnel linking it to the company intranet terminal;
Step S29: after the public network transit server has sent the user terminal information to the company intranet terminal and the company intranet terminal has completed the link bridging configuration, the reverse transparent bridging tunnel is established. The user terminal transparently accesses the company intranet terminal in LAN B and, using the routing information from LAN B to LANs A and C, exchanges all network data freely with any terminal in company LANs A, B and C, while the public network transit server only provides the data message forwarding function.
Example 3: simultaneously penetrating multiple internal networks to realize large local area network link
Fig. 15 shows a system framework of the present invention for implementing large lan links across multiple intranets simultaneously. As shown in fig. 15, in the intranet penetration system based on reverse transparent bridging according to embodiment 3 of the present invention, a scheme of bridging multiple internal lans simultaneously to form a large lan includes a public network transit server and an internal lan A, B, C, D, where the internal lan A, B, C, D can be independently linked to the internet. The intranet penetration process is as follows:
firstly, selecting an intranet terminal from 4 internal local area networks, wherein the intranet terminal can be used as a user client and a user server, and the intranet terminal A in the internal local area network A is used as the user client to respectively establish reverse transparent bridging tunnel links with the local area networks B, C, D according to the steps of the example 1, and simultaneously bridge A, B, C three local area networks; according to the method, bridging of other three local area networks is achieved at an intranet terminal B of the local area network B, an intranet terminal C of the local area network C and an intranet terminal D of the local area network D in sequence, route information is exchanged, a global route table of 4 local area networks is formed, and four local area networks are bridged through 6 bidirectional reverse transparent bridging tunnels to form a large local area network.
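Formation of the global routing table of example 3, written in Python as an added example rather than the patent's code: the tunnel mesh among the four LANs, the merged routing table with an overlap check, the routes each terminal installs, and the resulting forwarding decision. The dict of LAN name to intranet segment and the interface names are assumptions; the patent only states that routing information is exchanged and a global routing table results.

```python
"""Route exchange when four internal LANs are bridged into one large LAN
(example 3). Added illustration, not the patent's code; the data shape
(LAN name -> intranet segment) and the interface naming are assumptions.
"""
import ipaddress
import itertools


def mesh_tunnels(lans):
    """One bidirectional reverse transparent bridging tunnel per pair of LANs:
    four LANs give the six tunnels of example 3."""
    return list(itertools.combinations(sorted(lans), 2))


def global_route_table(lans):
    """Merge the segments advertised by every terminal into one global table.
    Overlapping segments are refused: bridged at the link layer, the same
    address would then exist in two LANs and forwarding becomes ambiguous."""
    nets = {name: ipaddress.ip_network(seg, strict=False)
            for name, seg in lans.items()}
    for (a, na), (b, nb) in itertools.combinations(nets.items(), 2):
        if na.overlaps(nb):
            raise ValueError(f"segments of LAN {a} and LAN {b} overlap: {na}, {nb}")
    return nets


def local_routes(terminal, lans, iface_prefix="vnic-"):
    """Routing table of the intranet terminal of one LAN: every remote segment
    is reached through the tunnel interface towards that LAN's terminal."""
    table = global_route_table(lans)
    return {str(net): iface_prefix + other
            for other, net in table.items() if other != terminal}


def next_hop(terminal, dst_ip, lans, iface_prefix="vnic-"):
    """Forwarding decision of a terminal: 'local' for its own segment, the
    tunnel interface for a bridged segment, None when the destination is in
    none of the bridged segments."""
    ip = ipaddress.ip_address(dst_ip)
    table = global_route_table(lans)
    if ip in table[terminal]:
        return "local"
    for other, net in table.items():
        if other != terminal and ip in net:
            return iface_prefix + other
    return None


if __name__ == "__main__":
    # Constructed sample: four company LANs with non-overlapping segments.
    LANS = {"A": "10.1.0.0/24", "B": "10.2.0.0/24",
            "C": "10.3.0.0/24", "D": "10.4.0.0/24"}
    print(len(mesh_tunnels(LANS)), "tunnels")   # 6
    print(local_routes("A", LANS))
    print(next_hop("A", "10.3.0.9", LANS))      # vnic-C
```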
Application conditions: (1) the internal lan A, B, C, D belongs to 4 independent internal lans, possibly belonging to one company or a plurality of companies, and cannot directly communicate between intranet terminals which do not perform network address conversion; (2) the terminals of the user service end and the user client end can be any intranet terminal in the internal local area network A, B, C, D, and the intranet terminal comprises a computer, a tablet, a router, an intelligent television and the like; (3) in order to cope with the bottleneck of data forwarding after forming a large local area network, a public network forwarding service can be deployed with a plurality of public network forwarding services, and can also form a cluster to balance the pressure of forwarding a large amount of data.
The traditional intranet penetration scheme cannot realize the scheme design. Because the intranet penetration scheme works below the network layer, the data message receiving and transmitting can be realized by establishing the reverse transparent bridging tunnel through routing and repackaging the data packet, and the application scene can be realized at extremely low cost.
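To make the tunnel count and the global routing table of embodiment 3 concrete, the Python below plans a full mesh of reverse transparent bridging tunnels between N LANs and builds each terminal's route table after the route exchange. This is an added example written for this page, not code from the patent; the function names, the `tun-A-B` interface naming and the sample segments for LANs A to D are constructed. It generalizes the four-LAN case to any number of LANs, and it adds one check the patent does not state but which a practitioner merging several intranets needs: the intranet segments must not overlap, because a single global routing table cannot hold two routes for the same destination range.

```python
import ipaddress
from itertools import combinations


def plan_tunnels(lans):
    """One bidirectional reverse transparent bridging tunnel per pair of LANs.

    lans maps a LAN name to its intranet segment. A full mesh of N LANs needs
    N*(N-1)/2 tunnels: 6 for the four LANs of embodiment 3.
    """
    return [tuple(sorted(pair)) for pair in combinations(sorted(lans), 2)]


def check_segments(lans):
    """Return the LAN pairs whose intranet segments overlap.

    Added assumption: the patent takes distinct segments for granted, but a
    global routing table cannot hold two routes for the same destination
    range, so overlapping segments must be rejected before bridging.
    """
    nets = {name: ipaddress.IPv4Network(seg) for name, seg in lans.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def build_global_routes(lans, tunnels):
    """Per-terminal route tables after the route exchange.

    Each terminal keeps its own segment as 'local' and reaches every other
    segment through the tunnel it shares with that LAN.
    """
    routes = {}
    for name, seg in lans.items():
        table = {seg: "local"}
        for a, b in tunnels:
            if name in (a, b):
                peer = b if a == name else a
                table[lans[peer]] = f"tun-{a}-{b}"   # hypothetical interface name
        routes[name] = table
    return routes


def bridge_large_lan(lans):
    """Plan the mesh and the global routing table; refuse overlapping segments."""
    clashes = check_segments(lans)
    if clashes:
        raise ValueError(f"overlapping intranet segments: {clashes}")
    tunnels = plan_tunnels(lans)
    return tunnels, build_global_routes(lans, tunnels)


# Constructed sample segments for LANs A-D (not values from the patent).
SAMPLE_LANS = {
    "A": "10.1.0.0/24",
    "B": "10.2.0.0/24",
    "C": "10.3.0.0/24",
    "D": "10.4.0.0/24",
}

if __name__ == "__main__":
    tunnels, routes = bridge_large_lan(SAMPLE_LANS)
    print(len(tunnels), "tunnels:", tunnels)
    for name, table in routes.items():
        print(name, table)
```

For the four sample LANs `bridge_large_lan` yields the 6 tunnels of the embodiment and a four-entry table per terminal; with a fifth LAN it yields 10 tunnels, and two LANs that share address space are rejected before any tunnel is planned.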
Note that the technical features of the above embodiments may be combined arbitrarily; for brevity, not all possible combinations of the technical features of the above embodiments are described, but as long as a combination of technical features contains no contradiction it should be regarded as falling within the scope of this description. The foregoing examples represent only a few embodiments of the present application; they are described in some detail but are not to be construed as limiting the scope of the invention. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these fall within its scope of protection. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (9)

1. An intranet penetration system based on reverse transparent bridging, comprising a user client, a public network transit server and a user server, characterized in that:
the user client is used for actively initiating a link request for remote access to the internal local area network where the user server is located, and for processing the sending and receiving of local network data messages; the user client comprises a routing table module, a virtual network card module and a communication protocol module; wherein,
the routing table module is used for modifying the local routing table based on the information received from the public network transit server, and for configuring the routing service for communication data messages;
the virtual network card module is used, after the routing table module has completed the routing configuration, for encapsulating and decapsulating communication data messages between the user client and the user server according to the private communication protocol set by the communication protocol module, based on the routing configuration and the destination address of the communication data message, and for sending and receiving the communication data messages;
the communication protocol module is used for setting a private communication protocol, which defines the rules and conventions that communication or service between the user client and the user server entity must follow, and is used for encapsulating and decapsulating communication data messages between the user client and the user server and for transmitting and addressing data messages from the data link layer to the network layer;
the public network transit server is used for establishing a reverse transparent bridging tunnel between the user client and the user server; the public network transit server comprises a data forwarding module, a domain name resolution module and a point-to-point service module; wherein,
the data forwarding module is used for forwarding data during communication between the user client and the user server;
the domain name resolution module is used for resolving the correspondence between the name of the user server and its intranet attributes, and for establishing and maintaining a database of the mapping between the name of the user server and the unique identification code of the user server;
the point-to-point service module is used for establishing a point-to-point communication link between the user client and the user server;
the user server is an intranet terminal of an internal local area network and is used, in response to receiving a link request from the user client, for sending and receiving communication data messages between the user server and the user client, or for letting the other intranet terminals of the local area network where the user server is located send and receive communication data messages to and from the user client through the user server; the user server comprises a communication protocol module, a virtual network card module and a network address translation module; wherein,
the communication protocol module is used for setting the same private communication protocol as the communication protocol module of the user client, and is used for encapsulating and decapsulating communication data messages between the user client and the user server and for transmitting and addressing data messages from the data link layer to the network layer;
the virtual network card module is used for processing communication data between all intranet terminals of the internal local area network where the user server is located and the user client, for encapsulating and decapsulating communication data messages between the user server and the user client according to the private protocol set by the communication protocol module, based on the local routing configuration and the destination address of the communication data message, and for sending and receiving the communication data messages;
the network address translation module is used for translating the addresses of communication data messages between all intranet terminals of the internal local area network where the user server is located and the user client, and for converting communication data messages based on the standard TCP/IP protocol into communication data messages supported by the private protocol set by the communication protocol module.
2. The intranet penetration system based on reverse transparent bridging according to claim 1, wherein the user client is a networked device with an independent IPv4 address, or an intranet terminal of an internal local area network that cannot communicate directly with the internal local area network where the user server is located.
3. The intranet penetration system based on reverse transparent bridging according to claim 1 or 2, wherein the information that the user client receives from the public network transit server comprises the unique identification code of the user server and the intranet segment of the local area network where the user server is located;
if the internal local area network where the user server is located can communicate with other internal local area networks, the information returned to the user client by the public network transit server further comprises a routing information table; the routing information table is the routing table by which the user server communicates with the other internal local area networks.
4. The intranet penetration system based on reverse transparent bridging according to claim 1, wherein, when the network environments of the user client and the user server support a point-to-point communication link, the point-to-point service module negotiates the direct establishment of the bridging tunnel between the user client and the user server in point-to-point mode, after which the communication data between the user client and the user server is exchanged directly rather than forwarded by the data forwarding module; if the network environments of the user client and the user server do not support a point-to-point communication link, the bridging tunnel is established through the data forwarding module.
5. The intranet penetration system based on reverse transparent bridging according to claim 1, wherein the public network transit server further comprises a user authentication module, used for authenticating the identity of the user client on receiving a communication request initiated by the user client and determining whether the identity of the user client is legitimate, and for authenticating the identity of the user server when the user server makes a registration request and determining whether the identity of the user server is legitimate.
6. A reverse transparent bridging tunnel establishment method, characterized by comprising the following steps:
step A1: the user server requests the public network transit server to register the information of the internal local area network where the user server is located;
the user server comprises a communication protocol module in which a private communication protocol is configured;
step A2: after receiving the registration request of the user server, the public network transit server grants the registration request of a user server that passes user identity authentication, allocates a unique identification code (ID) to identify the user server, enters the registration information from the registration request into a database, and establishes the domain name resolution correspondence;
step A3: the user client initiates a request to the public network transit server to bridge the user server;
the communication protocol module of the user client and the communication protocol module of the user server are configured with the same private communication protocol;
step A4: when the name of the user server to be connected is registered with the public network transit server and is online, the public network transit server returns the corresponding user server information to the user client;
step A5: the user client uses the user server information returned by the public network transit server to configure the local routing service, modify the routing table and configure the forwarding interface for communication data messages;
step A6: after receiving the user client information forwarded by the public network transit server, the user server accepts the bridging request of the user client, updates the local routing table based on the received user client information, and configures a communication link to the forwarding interface for the user client's communication data messages;
step A7: the user client establishes direct communication with the user server using the private communication protocol, or, after the user server converts the private-protocol messages into TCP/IP protocol communication data messages, communicates with the other intranet terminals of the internal local area network where the user server is located through the intranet switch.
7. A reverse transparent bridging tunnel establishment method applied to a user server, characterized by comprising the following steps:
step B1: run the user server and install the virtual network card driver of the user server;
the user server comprises a communication protocol module in which a private communication protocol is configured;
step B2: configure the name of the user server and the link password information, and register the name of the user server and the intranet segment information with the public network transit server;
step B3: the public network transit server allocates a unique identification code (ID) to the user server, enters the name of the user server and the segment information of the internal local area network where the user server is located into the database, and establishes the reverse transparent bridging transit service with the user server;
wherein the database stores the mapping between the name of the user server and the unique identification code of the user server;
step B4: the user server stays online through its link with the public network transit server and listens for user client link requests sent by the public network transit server; after receiving the user client information forwarded by the public network transit server, it accepts the bridging request of the user client, updates the local routing table based on the received user client information, and configures a communication link to the forwarding interface for the user client's communication data messages;
the communication protocol module of the user client and the communication protocol module of the user server are configured with the same private communication protocol;
step B5: the user server and the user client establish a communication link in point-to-point mode using the private communication protocol, or, after the user server converts the private-protocol messages into TCP/IP protocol communication data messages, communicate with the other intranet terminals of the internal local area network where the user server is located through the intranet switch.
8. A reverse transparent bridging tunnel establishment method applied to a user client, characterized by comprising the following steps:
step C1: run the user client and install and configure the virtual network card driver of the user client;
the user client comprises a communication protocol module in which a private communication protocol is configured;
step C2: the user client initiates a request to the public network transit server to bridge the user server;
the communication protocol module of the user server and the communication protocol module of the user client are configured with the same private communication protocol;
step C3: the domain name resolution module of the public network transit server resolves the identification code of the user server and the intranet segment information of the internal local area network where the user server is located, and, when the user server is online, returns the identification code of the user server and the intranet segment information to the user client;
step C4: the user client receives the returned user server identification code and intranet segment information, modifies the user client routing table based on them, and adds the routing information for communicating with the internal local area network where the user server is located;
step C5: the user server updates its local routing table based on the received user client bridging request, and configures a communication link to the forwarding interface for the user client's communication data messages;
step C6: the user client and the user server establish a communication link in point-to-point mode using the private communication protocol, or communicate with the other intranet terminals of the internal local area network where the user server is located through the intranet switch after the user server converts the private-protocol messages into TCP/IP protocol communication data messages.
9. The reverse transparent bridging tunnel establishment method according to any one of claims 6 to 8, wherein, if the internal local area network where the user server is located can communicate directly with other internal local area networks, the information returned to the user client by the public network transit server further comprises a routing information table; the routing information table is the routing table by which the user server communicates with the other internal local area networks.
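As an added illustration of the handshake in claims 6 to 8 (example code written for this page, not the patent's own implementation), the Python below simulates the registration, authentication and bridging steps between a user server, the public network transit server and a user client. The `Relay`, `UserServer` and `UserClient` classes and their method names are hypothetical, as is the choice to treat the link password of step B2 as the credential the relay verifies under claim 5; the server name, intranet segments and password are constructed sample values. The relay keeps only a salted PBKDF2 hash of the link password, answers a bridging request only for a registered, online name whose password verifies, and only then forwards the client's information to the user server so that both sides install their routes (steps A5 and A6); a rejected or unknown request leaves both routing tables untouched.

```python
import hashlib
import ipaddress
import secrets


class UserServer:
    """Intranet terminal that registers and accepts bridging (claims 6 and 7)."""

    def __init__(self, name, segment, link_password, other_lans=()):
        self.name = name
        self.segment = ipaddress.IPv4Network(segment)
        self.link_password = link_password            # step B2: link password
        self.other_lans = [str(ipaddress.IPv4Network(s)) for s in other_lans]
        self.server_id = None                         # allocated by the relay
        self.routes = {}                              # client name -> forwarding interface
        self.online = False

    def accept(self, client_name, client_id):
        """Step A6/B4: client info arrives via the relay; add a route to that client."""
        self.routes[client_name] = f"tun-{client_id}"   # hypothetical interface name
        return self.routes[client_name]


class Relay:
    """Public network transit server: registry, name resolution and authentication."""

    ITERATIONS = 100_000

    def __init__(self):
        self.db = {}   # name -> (server, password hash, salt)

    def register(self, server):
        """Step A2/B3: allocate a unique ID and record name -> ID -> segment."""
        if server.name in self.db:
            raise ValueError(f"name {server.name!r} already registered")
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", server.link_password.encode(),
                                      salt, self.ITERATIONS)
        server.server_id = secrets.token_hex(8)       # unique identification code
        server.online = True
        self.db[server.name] = (server, pw_hash, salt)
        return server.server_id

    def bridge(self, client, target_name, link_password):
        """Steps A3-A6 / C2-C4: authenticate, resolve, notify the server, reply.

        Returns None (and changes nothing) for an unknown name, an offline
        server or a wrong link password, so an unauthenticated client never
        learns the server's ID or intranet segment.
        """
        entry = self.db.get(target_name)
        if entry is None:
            return None
        server, pw_hash, salt = entry
        if not server.online:
            return None
        offered = hashlib.pbkdf2_hmac("sha256", link_password.encode(),
                                      salt, self.ITERATIONS)
        if not secrets.compare_digest(offered, pw_hash):
            return None
        server.accept(client.name, client.client_id)  # forward client info (A6)
        return {"id": server.server_id, "segment": str(server.segment),
                "routes": server.other_lans}          # claim 9: routing information table


class UserClient:
    """Terminal that initiates the bridging request (claims 6 and 8)."""

    def __init__(self, name):
        self.name = name
        self.client_id = secrets.token_hex(8)
        self.routes = {}   # destination segment -> forwarding interface

    def bridge(self, relay, target_name, link_password):
        """Steps A3-A5 / C2-C4: request, then program the local routing table."""
        info = relay.bridge(self, target_name, link_password)
        if info is None:
            return False
        iface = f"tun-{info['id']}"
        self.routes[info["segment"]] = iface
        for seg in info["routes"]:                    # routes to other reachable LANs
            self.routes[seg] = iface
        return True


def demo():
    """Constructed scenario: one registered server, one good and one bad client."""
    relay = Relay()
    srv = UserServer("office-a", "192.168.10.0/24", "correct horse",
                     other_lans=["192.168.20.0/24"])
    relay.register(srv)
    good, bad = UserClient("laptop"), UserClient("stranger")
    ok = good.bridge(relay, "office-a", "correct horse")
    rejected = bad.bridge(relay, "office-a", "wrong password")
    unknown = good.bridge(relay, "no-such-server", "correct horse")
    return ok, rejected, unknown, dict(good.routes), dict(srv.routes)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the accepted client holding one tunnel interface for both the server's own segment and the extra LAN from the routing information table, while the server's table contains only the authenticated client.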
CN202311676857.0A 2023-12-08 2023-12-08 Intranet penetration system and method based on reverse transparent bridging Active CN117439815B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311676857.0A CN117439815B (en) 2023-12-08 2023-12-08 Intranet penetration system and method based on reverse transparent bridging

Publications (2)

Publication Number Publication Date
CN117439815A CN117439815A (en) 2024-01-23
CN117439815B true CN117439815B (en) 2024-03-19

Family

ID=89553607

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant