CN117749356A - Virtual machine communication method, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN117749356A
Authority
CN
China
Prior art keywords
virtual machine
data packet
signature verification
verification rule
session
Legal status
Pending
Application number
CN202311588181.XA
Other languages
Chinese (zh)
Inventor
陈鸿杰
陈文华
蒋春元
李澄宇
李志龙
Current Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The application relates to a virtual machine communication method, a virtual machine communication device, computer equipment and a storage medium, and relates to the technical field of communication security. The method comprises the following steps: receiving a session establishment request sent by a first virtual machine and used for communicating with a second virtual machine, further generating a signature verification rule corresponding to the session establishment request, generating a session key based on a first virtual machine identifier, further sending the signature verification rule and the session key to the first virtual machine, and sending the signature verification rule and the first virtual machine identifier to the second virtual machine; the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier. The method can provide specific signature verification rules for the virtual machines so as to realize the reliability and the safety of data packet transmission among the virtual machines.

Description

Virtual machine communication method, device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of communications security technologies, and in particular, to a virtual machine communication method, device, computer device, and storage medium.
Background
With the continuous development of internet technology, the cloud platform has been widely used. The virtual machine is one of the most active main bodies in the cloud platform, has the advantages of resource isolation, resource sharing, rapid deployment and the like, and can realize the hosting of application programs and data in the cloud platform by creating, managing and running virtual machine instances.
At present, virtual machine data packets transmitted between different virtual machines in a cloud platform are generally carried over the TCP/IP protocol (Transmission Control Protocol/Internet Protocol) and are exposed to the risk of being counterfeited, tampered with, or replayed, so how to guarantee the security of communication between the virtual machines has become a problem that urgently needs to be solved.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a virtual machine communication method, apparatus, computer device, and storage medium capable of improving the security of virtual machine communication.
In a first aspect, the present application provides a virtual machine communication method, applied to a control platform, where the method includes:
receiving a session establishment request sent by a first virtual machine and used for communication with a second virtual machine; the session establishment request carries a first virtual machine identifier;
Generating a signature verification rule corresponding to the session establishment request, and generating a session key based on the first virtual machine identifier;
transmitting a signature verification rule and a session key to a first virtual machine, and transmitting the signature verification rule and a first virtual machine identifier to a second virtual machine;
the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier.
In one embodiment, generating a signature verification rule corresponding to the session establishment request, and generating a session key based on the first virtual machine identifier includes:
acquiring basic information of a first virtual machine and basic information of a second virtual machine; the basic information comprises life cycle information and connection relations;
determining whether to allow the first virtual machine to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine;
in the event that it is determined that the first virtual machine is permitted to communicate with the second virtual machine, a signature verification rule corresponding to the session establishment request is generated, and a session key is generated based on the first virtual machine identifier.
In one embodiment, generating a signature verification rule corresponding to a session establishment request includes:
based on the session establishment request, the basic information of the first virtual machine and the basic information of the second virtual machine, a corresponding access control rule is generated;
based on the access control rule, a signature verification rule corresponding to the session establishment request is generated.
In one embodiment, obtaining basic information of a first virtual machine and basic information of a second virtual machine includes:
acquiring the basic information of the first virtual machine and the basic information of the second virtual machine from the cloud management platform through a custom interface.
In one embodiment, the signature verification rule is further used for indicating the first virtual machine to repackage the data packet, inserting a session counter field into the repackaged data packet, and signing the data packet inserted into the session counter field based on the session key;
the signature verification rule is further used for indicating the second virtual machine to perform first verification on the received data packet based on the standard value corresponding to the session counter field, and performing second verification on the received data packet based on the first virtual machine identifier under the condition that the first verification is passed.
In one embodiment, before receiving the session establishment request sent by the first virtual machine and requesting to communicate with the second virtual machine, the method further includes:
receiving a first registration request sent by a first virtual machine;
the first virtual machine is registered based on the first registration request.
In one embodiment, before receiving the session establishment request sent by the first virtual machine and requesting to communicate with the second virtual machine, the method further includes:
receiving a second registration request sent by a second virtual machine;
the second virtual machine is registered based on the second registration request.
In a second aspect, the present application provides a virtual machine communication method, applied to a first virtual machine, where the method includes:
sending a session establishment request for requesting communication with the second virtual machine to the control platform; the session establishment request carries a first virtual machine identifier;
receiving the session key and the signature verification rule corresponding to the session establishment request, both sent by the control platform; the session key is generated by the control platform based on the first virtual machine identifier;
signing the data packet based on the signature verification rule and the session key, and transmitting the signed data packet to the second virtual machine.
In one embodiment, the session key and the signature verification rule are generated by the control platform when determining that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine; the basic information includes life cycle information and connection relations.
In one embodiment, signing the data packet based on the signature verification rule and the session key includes:
repackaging the data packet based on the signature verification rule, and inserting a session counter field into the repackaged data packet;
the data packet inserted into the session counter field is signed with the session key.
In one embodiment, before sending a session establishment request to the control platform requesting communication with the second virtual machine, the method further comprises:
sending a first registration request to the control platform to instruct the control platform to register the first virtual machine.
In one embodiment, the first virtual machine includes a micro-isolation agent, and the execution body of the method is the micro-isolation agent installed in the first virtual machine.
In a third aspect, the present application provides a virtual machine communication method, applied to a second virtual machine, where the method includes:
receiving a first virtual machine identifier and a signature verification rule sent by a control platform; the first virtual machine identifier is carried in a session establishment request which is sent to the control platform and used for communicating with the second virtual machine by the first virtual machine;
receiving a signed data packet sent by a first virtual machine; the signed data packet is obtained by signing the data packet by the first virtual machine based on a session key and a signature verification rule sent by the control platform, and the session key is generated by the control platform based on the first virtual machine identifier;
verifying the signed data packet based on the signature verification rule and the first virtual machine identifier.
In one embodiment, the session key and the signature verification rule are generated by the control platform when determining that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine; the basic information includes life cycle information and connection relations.
In one embodiment, verifying the signed data packet based on the signature verification rule and the first virtual machine identifier includes:
performing first verification on the signed data packet based on a standard numerical value corresponding to a session counter field in a signature verification rule;
under the condition that the first verification of the signed data packet is confirmed to pass, carrying out a second verification on the signed data packet based on the signature verification rule and the first virtual machine identifier.
In one embodiment, performing a first verification on the signed data packet based on the standard value corresponding to the session counter field in the signature verification rule includes:
comparing the actual value of the session counter field in the signed data packet with the standard value corresponding to the session counter field in the signature verification rule;
if the comparison result is that the actual value accords with the standard value, determining that the signed data packet passes the first check.
In one embodiment, before receiving the first virtual machine identifier and the signature verification rule sent by the control platform, the method further includes:
sending a second registration request to the control platform to instruct the control platform to register the second virtual machine.
In one embodiment, the second virtual machine includes a micro-isolation agent, and the execution body of the method is the micro-isolation agent installed in the second virtual machine.
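The three aspects above describe one protocol between a control platform, a sending virtual machine and a receiving virtual machine. The following Go program is an added illustration written for this page, not code from the patent or from the applicant: it models the control platform deriving a per-sender session key bound to the first virtual machine identifier, the first virtual machine's agent repackaging a data packet with a session counter field and signing it, and the second virtual machine's agent running the first check (session counter against the standard value) before the second check (signature against the key bound to the sender identifier). The patent does not specify the signature algorithm, the contents of the signature verification rule or the packet layout; the choice of Ed25519, the seed derivation from a master secret, the `Rule` fields, the packet field order and the identifiers `VM1ID`/`VM2ID` are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed IP/MAC identifiers for the two virtual machines (hypothetical values).
const (
	VM1ID = "10.0.0.11/02:42:ac:11:00:02"
	VM2ID = "10.0.0.12/02:42:ac:11:00:03"
)

// Rule is the unified signature verification rule. Its contents are assumed here:
// session number, the standard value of the session counter, the sender identifier
// and the verification key the control platform bound to that identifier.
type Rule struct {
	SessionID       uint32
	ExpectedCounter uint64
	SenderID        string
	VerifyKey       ed25519.PublicKey
}

// ControlPlatform registers virtual machines and derives one session key per
// (sender identifier, session number) from a master secret it never hands out.
type ControlPlatform struct {
	master      []byte
	registered  map[string]bool
	nextSession uint32
}

func NewControlPlatform(master []byte) *ControlPlatform {
	return &ControlPlatform{master: master, registered: map[string]bool{}}
}

// Register handles a first/second registration request.
func (c *ControlPlatform) Register(id string) { c.registered[id] = true }

// EstablishSession covers S201-S203: refuse unregistered parties, derive the
// session key (an Ed25519 private key seeded from master||senderID||session) and
// build the rule. The sender receives rule+key; the receiver receives the same
// rule, which carries the sender identifier and its bound verification key.
func (c *ControlPlatform) EstablishSession(senderID, receiverID string) (Rule, ed25519.PrivateKey, error) {
	if !c.registered[senderID] || !c.registered[receiverID] {
		return Rule{}, nil, errors.New("session establishment refused: unregistered virtual machine")
	}
	c.nextSession++
	h := sha256.New()
	h.Write(c.master)
	h.Write([]byte(senderID))
	binary.Write(h, binary.BigEndian, c.nextSession)
	key := ed25519.NewKeyFromSeed(h.Sum(nil)) // SHA-256 output is exactly the 32-byte seed
	rule := Rule{SessionID: c.nextSession, ExpectedCounter: 1, SenderID: senderID,
		VerifyKey: key.Public().(ed25519.PublicKey)}
	return rule, key, nil
}

// Packet is the repackaged data packet (layout assumed): the session counter is
// inserted ahead of the payload and the signature covers session, counter, payload.
type Packet struct {
	SessionID uint32
	Counter   uint64
	Payload   []byte
	Signature []byte
}

// signedBytes serialises exactly the fields the signature protects.
func signedBytes(sessionID uint32, counter uint64, payload []byte) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, sessionID)
	binary.Write(buf, binary.BigEndian, counter)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	return buf.Bytes()
}

// Sender is the micro-isolation agent in the first virtual machine.
type Sender struct {
	Rule    Rule
	Key     ed25519.PrivateKey
	counter uint64
}

// Sign inserts the next session counter value and signs with the session key.
func (s *Sender) Sign(payload []byte) Packet {
	s.counter++
	return Packet{s.Rule.SessionID, s.counter, payload,
		ed25519.Sign(s.Key, signedBytes(s.Rule.SessionID, s.counter, payload))}
}

// Receiver is the micro-isolation agent in the second virtual machine.
type Receiver struct{ Rule Rule }

// Verify runs the first check (counter equals the standard value, rejecting
// replays) and only then the second check (signature under the key bound to the
// first virtual machine identifier). The standard value advances only on success.
func (r *Receiver) Verify(p Packet) error {
	if p.SessionID != r.Rule.SessionID {
		return errors.New("unknown session")
	}
	if p.Counter != r.Rule.ExpectedCounter {
		return fmt.Errorf("first check failed: counter %d, standard value %d", p.Counter, r.Rule.ExpectedCounter)
	}
	if !ed25519.Verify(r.Rule.VerifyKey, signedBytes(p.SessionID, p.Counter, p.Payload), p.Signature) {
		return fmt.Errorf("second check failed: signature does not verify for %s", r.Rule.SenderID)
	}
	r.Rule.ExpectedCounter++
	return nil
}

func main() {
	cp := NewControlPlatform([]byte("constructed master secret"))
	cp.Register(VM1ID)
	cp.Register(VM2ID)
	rule, key, err := cp.EstablishSession(VM1ID, VM2ID)
	if err != nil {
		panic(err)
	}
	vm1, vm2 := &Sender{Rule: rule, Key: key}, &Receiver{Rule: rule}
	p := vm1.Sign([]byte("constructed payload"))
	fmt.Println("fresh packet:", vm2.Verify(p))    // nil: both checks pass
	fmt.Println("replayed packet:", vm2.Verify(p)) // first check fails on the counter
}
```

Two design points worth noting. The counter check is strict equality with the next expected value, so a replayed packet is rejected before any signature work is done, but an out-of-order delivery is rejected as well; a deployment over a lossy path would replace the single standard value with a sliding window. Because the receiver only ever holds a public verification key, it cannot forge packets in the sender's name, which is the reason the example uses a signature rather than a shared MAC key even though the patent's "private key" wording would permit either reading.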
In a fourth aspect, the present application further provides a virtual machine communication device configured on a control platform, where the device includes:
the first receiving module is used for receiving a session establishment request sent by the first virtual machine and used for communicating with the second virtual machine; the session establishment request carries a first virtual machine identifier;
the generation module is used for generating a signature verification rule corresponding to the session establishment request and generating a session key based on the first virtual machine identifier;
the first sending module is used for sending the signature verification rule and the session key to the first virtual machine and sending the signature verification rule and the first virtual machine identifier to the second virtual machine;
the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier.
In a fifth aspect, the present application further provides a virtual machine communication apparatus configured to a first virtual machine, where the apparatus includes:
the second sending module is used for sending a session establishment request for requesting to communicate with the second virtual machine to the control platform; the session establishment request carries a first virtual machine identifier;
the second receiving module is used for receiving the session key and the signature verification rule corresponding to the session establishment request, both sent by the control platform; the session key is generated by the control platform based on the first virtual machine identifier;
the signature module is used for signing the data packet based on the signature verification rule and the session key and transmitting the signed data packet to the second virtual machine.
In a sixth aspect, the present application further provides a virtual machine communication apparatus configured in a second virtual machine, where the apparatus includes:
the third receiving module is used for receiving the first virtual machine identifier and the signature verification rule sent by the control platform; the first virtual machine identifier is carried in a session establishment request which is sent to the control platform and used for communicating with the second virtual machine by the first virtual machine;
the fourth receiving module is used for receiving the signed data packet sent by the first virtual machine; the signed data packet is obtained by signing the data packet by the first virtual machine based on a session key and a signature verification rule sent by the control platform, and the session key is generated by the control platform based on the first virtual machine identifier;
the verification module is used for verifying the signed data packet based on the signature verification rule and the first virtual machine identifier.
In a seventh aspect, the present application also provides a computer device comprising a memory storing a computer program and a processor implementing the steps of the method of any one of the first, second and third aspects described above when the computer program is executed by the processor.
In an eighth aspect, the present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of any of the first, second and third aspects described above.
In a ninth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method of any of the first, second and third aspects described above.
The method, the device, the computer equipment and the storage medium for virtual machine communication are characterized in that a control platform receives a session establishment request sent by a first virtual machine and used for communicating with a second virtual machine, further generates a signature verification rule corresponding to the session establishment request, generates a session key based on a first virtual machine identifier, further sends the signature verification rule and the session key to the first virtual machine, and sends the signature verification rule and the first virtual machine identifier to the second virtual machine; the session establishment request carries a first virtual machine identifier; the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier. According to the method and the device, the control platform with the unified signature verification rule management function is newly added and deployed, the specific signature verification rule is provided for each virtual machine, so that the first virtual machine serving as a sender performs data packet signature based on the signature verification rule, and the second virtual machine serving as a receiver performs data packet verification based on the signature verification rule, reliability and safety of data packet transmission among the virtual machines are achieved, and a corresponding relation exists between a session key adopted by the signature and a first virtual machine identifier adopted by the verification, so that safety of virtual machine communication can be further improved.
Drawings
FIG. 1 is an application scenario diagram of a virtual machine communication method in one embodiment;
FIG. 2 is a flow chart of a virtual machine communication method applied to a control platform in one embodiment;
FIG. 3 is a flow diagram of generating signature verification rules and session keys in one embodiment;
FIG. 4 is a flow diagram of generating signature verification rules in one embodiment;
FIG. 5 is a flow diagram of a first virtual machine registration in one embodiment;
FIG. 6 is a flow diagram of second virtual machine registration in one embodiment;
FIG. 7 is a flow chart of a virtual machine communication method applied to a first virtual machine in one embodiment;
FIG. 8 is a flow diagram of data packet signing in one embodiment;
FIG. 9 is a block diagram of a signed data packet in one embodiment;
FIG. 10 is a flow chart of a virtual machine communication method applied to a second virtual machine in one embodiment;
FIG. 11 is a flow diagram of packet verification in one embodiment;
FIG. 12 is a flow chart of a method of virtual machine communication in another embodiment;
FIG. 13 is a block diagram illustrating an exemplary configuration of a virtual machine communication device configured on a control platform;
FIG. 14 is a block diagram illustrating a virtual machine communication device configured on a control platform according to another embodiment;
FIG. 15 is a block diagram illustrating a configuration of a virtual machine communication device configured in a first virtual machine in one embodiment;
FIG. 16 is a block diagram illustrating a configuration of a virtual machine communication device configured in a first virtual machine according to another embodiment;
FIG. 17 is a block diagram of a virtual machine communication device configured in a second virtual machine in one embodiment;
FIG. 18 is a block diagram illustrating a configuration of a virtual machine communication device configured in a second virtual machine according to another embodiment;
FIG. 19 is a block diagram of a computer device implementing a virtual machine communication method in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The virtual machine communication method provided by the embodiment of the application can be applied to the application environment shown in fig. 1. The cloud platform management domain comprises a control platform, a cloud management platform and a PKI (Public Key Infrastructure) module; the cloud platform service domain comprises any number of service nodes, and each service node comprises any number of virtual machines. Specifically, the cloud platform may be a cloud platform such as OpenStack or VMware, and the control platform may be a micro-isolation control platform with the functions of generating and distributing session keys, where a session key may be a private key. Each virtual machine may include a micro-isolation agent, for example one micro-isolation agent installed in each virtual machine; data can be transmitted between different virtual machines through the cloud platform network, the virtual machine acting as data sender signs data packets through its micro-isolation agent, and the virtual machine acting as data receiver verifies data packets through its micro-isolation agent.
At present, virtual machine data packets transmitted among different virtual machines in a cloud platform have risks of being counterfeited, tampered or replay-attacked, and all service systems deployed on the cloud platform are required to independently carry out relevant configuration of rules such as data packet signature verification and the like, so that the reliability and the safety of virtual machine communication are poor.
In order to solve the above problem, in one embodiment, as shown in fig. 2, there is provided a virtual machine communication method applied to a control platform, including the steps of:
S201, receiving a session establishment request sent by the first virtual machine and used for communicating with the second virtual machine.
The first virtual machine and the second virtual machine are any two different virtual machines in the cloud platform, and the control platform is a micro-isolation control platform in the cloud platform. Optionally, each virtual machine includes a micro-isolation agent, and in this embodiment the steps performed by a virtual machine are performed by the micro-isolation agent installed in it.
When the first virtual machine needs to establish communication with the second virtual machine, that is, when the first virtual machine needs to send a data packet to the second virtual machine, the first virtual machine, as the data packet sender, sends a session establishment request to the control platform in the cloud platform, and correspondingly the control platform receives the session establishment request. The session establishment request is used for applying to the control platform for a corresponding session key, and it contains the related information of the corresponding data packet sender and data packet receiver. Specifically, the session establishment request carries the identifier of the first virtual machine, that is, identifier information corresponding to the first virtual machine, such as its IP/MAC address (Internet Protocol/Media Access Control address).
Optionally, the first virtual machine may send a corresponding session establishment request to the control platform only when communication with the second virtual machine needs to be established for the first time, or may send a corresponding session establishment request to the control platform each time communication with the second virtual machine needs to be established.
S202, generating a signature verification rule corresponding to the session establishment request, and generating a session key based on the first virtual machine identifier.
The control platform responds to the session establishment request, and generates a signature verification rule corresponding to the session establishment request based on the related information of the corresponding data packet sender and the data packet receiver contained in the session establishment request. For example, the control platform determines a first virtual machine as a data packet sender and a second virtual machine as a data packet receiver, and generates a corresponding signature verification rule when it is determined that the first virtual machine is allowed to communicate with the second virtual machine.
Optionally, the control platform acquires a signing policy of the first virtual machine and a signing policy of the second virtual machine, and further determines to allow the first virtual machine to communicate with the second virtual machine and generates a corresponding signature verification rule under the condition that the signing policy of the first virtual machine and the signing policy of the second virtual machine both meet communication requirements.
The control platform responds to the session establishment request by generating a session key corresponding to the first virtual machine identifier carried in the session establishment request, where the session key is a private key distributed to the first virtual machine. It will be appreciated that the identifier information of different virtual machines differs, in other words the first virtual machine identifier is unique, so the session key generated based on the first virtual machine identifier is also unique, and the session key is used only by the first virtual machine to sign data packets.
S203, the signature verification rule and the session key are sent to the first virtual machine, and the signature verification rule and the first virtual machine identification are sent to the second virtual machine.
The control platform sends unified signature verification rules to the first virtual machine and the second virtual machine, wherein the signature verification rules are used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine, and the signature verification rules are used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier.
The control platform also sends a session key to the first virtual machine so that the first virtual machine signs a data packet to be sent to the second virtual machine by adopting the session key; the control platform also sends the first virtual machine identifier to the second virtual machine, so that the second virtual machine can verify the data packet signed by the session key by adopting the first virtual machine identifier.
Optionally, the control platform synchronously or asynchronously sends the signature verification rule and the session key to the first virtual machine, and synchronously or asynchronously sends the signature verification rule and the first virtual machine identification to the second virtual machine.
According to the scheme, the control platform receives a session establishment request sent by the first virtual machine and used for communicating with the second virtual machine, further generates a signature verification rule corresponding to the session establishment request, generates a session key based on the first virtual machine identifier, further sends the signature verification rule and the session key to the first virtual machine, and sends the signature verification rule and the first virtual machine identifier to the second virtual machine; the session establishment request carries a first virtual machine identifier; the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier. According to the embodiment, the control platform with the unified signature verification rule management function is newly added and deployed, so that a specific signature verification rule is provided for each virtual machine, a first virtual machine serving as a sender performs data packet signature based on the signature verification rule, and a second virtual machine serving as a receiver performs data packet verification based on the signature verification rule, reliability and safety of data packet transmission among the virtual machines are achieved, and a corresponding relation exists between a session key adopted by the signature and a first virtual machine identifier adopted by verification, so that safety of virtual machine communication can be further improved.
In order to ensure the reliability of virtual machine communication, in one embodiment, whether the virtual machines meet the communication condition may be judged based on their basic information, and the corresponding signature verification rule and session key generated accordingly; as shown in fig. 3, S202 may include:
S301, obtaining the basic information of the first virtual machine and the basic information of the second virtual machine.
The basic information includes life cycle information and a connection relation. The life cycle information of a virtual machine represents its current running state, and the connection relation of a virtual machine may be its access connection relation in the cloud platform, its access relation with physical resources, its connection relation with other virtual machines, and the like. The connection relation can be represented in the form of a view.
Optionally, the basic information of the first virtual machine and the basic information of the second virtual machine are acquired from the cloud management platform through a custom interface. The control platform interfaces with the cloud management platform through this custom interface, so that once the first virtual machine is determined as the data packet sender and the second virtual machine as the data packet receiver, the basic information of both is obtained from the cloud management platform.
For example, the control platform acquires basic information of the first virtual machine and basic information of the second virtual machine from the cloud management platform based on the virtual machine access connection relation module, and further transmits the basic information of the first virtual machine and the basic information of the second virtual machine from the virtual machine access connection relation module to the control engine module through an internal interface of the control platform.
S302, determining whether to allow the first virtual machine to communicate with the second virtual machine based on the basic information of the first virtual machine and the basic information of the second virtual machine.
The basic information further includes an ACL (Access Control List) and the like; the ACL can be used for subscription policy matching and calculation. Based on the basic information of the first virtual machine and the basic information of the second virtual machine, combined with the subscription policy of the first virtual machine and the subscription policy of the second virtual machine, the control platform decides whether to allow the first virtual machine to communicate with the second virtual machine.
For example, the control platform makes this decision in the control engine module and transmits the decision result to the signature verification rule generation module through the internal interface. If the life cycle information of both the first virtual machine and the second virtual machine meets the communication condition, and the connection relation between the first virtual machine and the second virtual machine conforms to the preset subscription policy, the first virtual machine is allowed to communicate with the second virtual machine; if either condition is not met, the first virtual machine and the second virtual machine are not allowed to communicate.
S303, generating a signature verification rule corresponding to the session establishment request and generating a session key based on the first virtual machine identification under the condition that the first virtual machine is allowed to communicate with the second virtual machine.
Specifically, the control platform dynamically generates a signature verification rule based on the basic information of the first virtual machine and the basic information of the second virtual machine. For example, the control platform generates a signature verification rule including both a signature and a verification policy based on the signature verification rule generation module. The signing policy may instruct the first virtual machine to sign the data packet to be sent in what manner, and send the signed data packet to the second virtual machine through what path; the verification policy may indicate how the second virtual machine verifies the signed data packet after receiving the signed data packet sent by the first virtual machine.
The control platform generates, based on the first virtual machine identifier, a session key used only for the first virtual machine's signature, and a data packet signed with that session key can be verified with the first virtual machine identifier. For example, the control platform generates a private key corresponding to the first virtual machine identifier in the identifier key management module, where the private key is used to encrypt (that is, sign) the network-layer data packet; the embodiment does not limit the specific private key type.
In this embodiment, the control platform obtains the basic information of the first virtual machine and the basic information of the second virtual machine, determines on that basis whether to allow the first virtual machine to communicate with the second virtual machine, and only when communication is allowed generates the signature verification rule corresponding to the session establishment request and the session key based on the first virtual machine identifier. This avoids generating a signature verification rule and session key for virtual machines that cannot communicate with each other, improves the reliability of the control platform's dynamic generation of the signature verification rule and session key, and realizes unified management of signature verification rules on the cloud platform, so that the service systems deployed on the cloud platform need not configure signature verification rules on their own.
In order to configure signature verification compatible with virtual machines of different service systems, in an embodiment, access control rules corresponding to the virtual machines may be generated first, and then signature verification rules may be generated based on the access control rules, as shown in fig. 4, S303 may include:
S401, based on the session establishment request, the basic information of the first virtual machine and the basic information of the second virtual machine, a corresponding access control rule is generated.
The service access requirement between the first virtual machine and the second virtual machine can be determined from the session establishment request, while the communication paths that can be realized between the first virtual machine and the second virtual machine can be determined from the connection relation in the basic information of each virtual machine; the corresponding access control rule is generated by combining the service access requirement with the realizable communication paths.
For example, the control engine module of the control platform obtains the basic information of the first virtual machine and the basic information of the second virtual machine from the virtual machine access connection relation module through an internal interface, and dynamically generates the access control rule in combination with the service access requirement indicated by the session establishment request.
S402, generating a signature verification rule corresponding to the session establishment request based on the access control rule.
Further, the signature verification rule generating module of the control platform applies for the access control rule from the control engine module through the internal interface, and generates the signature verification rule based on the access control rule.
Signature verification rules include, but are not limited to, both signature and verification policies. The signing policy may instruct the first virtual machine to sign the data packet to be sent in what manner, and send the signed data packet to the second virtual machine through what path; the verification policy may indicate how the second virtual machine verifies the signed data packet after receiving the signed data packet sent by the first virtual machine.
In this embodiment, the control platform generates the corresponding access control rule based on the session establishment request, the basic information of the first virtual machine and the basic information of the second virtual machine, and generates the signature verification rule corresponding to the session establishment request from the access control rule; this increases the reliability of dynamically generating the signature verification rule and realizes unified, linked management of access control rules and signature verification rules on the cloud platform.
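The control-platform side of steps S301 to S303 and S401 to S402, as an added example that is not part of the patent description: a registry of virtual machine basic information, the admission decision on life cycle, connection relation and ACL, the access control rule, the signature verification rule derived from it, and the session key bound to the first virtual machine identifier. The page does not fix the key type or the encoding of the rule, so the following are assumptions of this example: a virtual machine satisfies the communication condition when its life cycle state is "running", the connection relation is a set of reachable identifiers, the ACL is a set of (peer, protocol, port) tuples, and the session key is HMAC-SHA256 over the first virtual machine identifier and a session id under a platform master secret. All identifiers and registry entries are constructed.

```python
"""Control-platform admission and session setup (S301-S303, S401-S402).

Added example, not the patent's code. Assumed: "running" is the only
lifecycle state meeting the communication condition; the session key is
HMAC-SHA256(master, first_vm_id || session_id); the rule format is ours.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class VmInfo:
    vm_id: str          # identifier carried in requests, e.g. an IP address
    lifecycle: str      # "running", "paused", "stopped", ...
    connections: set    # VM identifiers with an access connection relation
    acl: set            # (peer_vm_id, proto, port) tuples permitted by policy


class ControlPlatform:
    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self._registry = {}   # vm_id -> VmInfo, filled by S501/S601 registration

    def register(self, info: VmInfo) -> None:
        self._registry[info.vm_id] = info

    def decide(self, src_id: str, dst_id: str, proto: str, port: int) -> str:
        """S302: return "allow" or the reason the session is refused."""
        src, dst = self._registry.get(src_id), self._registry.get(dst_id)
        if src is None or dst is None:
            return "unregistered"
        if src.lifecycle != "running" or dst.lifecycle != "running":
            return "lifecycle"
        if dst_id not in src.connections or src_id not in dst.connections:
            return "connection relation"
        if (dst_id, proto, port) not in src.acl or (src_id, proto, port) not in dst.acl:
            return "acl"
        return "allow"

    def session_key(self, src_id: str, session_id: bytes) -> bytes:
        """Session key bound to the first VM identifier (assumed derivation)."""
        msg = b"vm-session|" + src_id.encode() + b"|" + session_id
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def establish(self, request: dict, session_id=None):
        """S303 with S401/S402: access control rule -> signature verification rule -> key.

        Returns (message_to_first_vm, message_to_second_vm), or None when refused.
        """
        src_id, dst_id = request["src"], request["dst"]
        proto, port = request["proto"], request["port"]
        if self.decide(src_id, dst_id, proto, port) != "allow":
            return None
        if session_id is None:
            session_id = secrets.token_bytes(8)
        # S401: access control rule from the request plus both VMs' basic info
        access_rule = {"src": src_id, "dst": dst_id, "proto": proto,
                       "port": port, "action": "permit"}
        # S402: signature verification rule derived from the access control rule
        rule = {
            "session_id": session_id.hex(),
            "access_rule": access_rule,
            "sign": {"algorithm": "hmac-sha256 truncated to 32 bits",  # assumed
                     "counter_bits": 32, "counter_start": 1},
            "verify": {"counter_standard_value": 1,
                       "on_counter_mismatch": "drop",
                       "on_signature_mismatch": "drop and disconnect"},
        }
        key = self.session_key(src_id, session_id)
        to_first = {"rule": rule, "session_key": key}    # sender: rule + session key
        to_second = {"rule": rule, "peer_id": src_id}    # receiver: rule + identifier
        return to_first, to_second


def demo():
    """Constructed registry of three VMs and four session requests."""
    cp = ControlPlatform(master_secret=b"constructed platform master secret")
    cp.register(VmInfo("10.0.1.5", "running", {"10.0.1.9"}, {("10.0.1.9", "tcp", 8443)}))
    cp.register(VmInfo("10.0.1.9", "running", {"10.0.1.5", "10.0.1.7"},
                       {("10.0.1.5", "tcp", 8443), ("10.0.1.7", "tcp", 8443)}))
    cp.register(VmInfo("10.0.1.7", "stopped", {"10.0.1.9"}, {("10.0.1.9", "tcp", 8443)}))
    req = {"src": "10.0.1.5", "dst": "10.0.1.9", "proto": "tcp", "port": 8443}
    return {
        "allowed": cp.establish(req, session_id=bytes(8)),
        "stopped": cp.decide("10.0.1.7", "10.0.1.9", "tcp", 8443),
        "wrong_port": cp.decide("10.0.1.5", "10.0.1.9", "tcp", 22),
        "unregistered": cp.decide("10.0.1.99", "10.0.1.9", "tcp", 8443),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking in any implementation of this flow are visible in the returned messages: the receiver's message carries the rule and the sender's identifier but never the session key, and the same rule object goes to both sides, so the counter standard value the receiver enforces is the one the sender was told to start from.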
In an alternative embodiment, the signature verification rule is further used to instruct the first virtual machine to repackage the data packet, insert a session counter field into the repackaged data packet, and sign the data packet inserted into the session counter field based on the session key.
After the first virtual machine receives the signature verification rule, the data packet to be sent to the second virtual machine is repackaged under the instruction of the signature verification rule, a session counter field is inserted into the data packet, and then a signature field is inserted into the data packet, which completes the signing flow for the data packet to be sent. The session counter field is used to prevent replay attacks, the signature field signs the whole IP data packet, and each of the two fields can be 32 bits.
In an alternative embodiment, the signature verification rule is further configured to instruct the second virtual machine to perform a first verification on the received data packet based on the standard value corresponding to the session counter field, and perform a second verification on the received data packet based on the first virtual machine identifier if the first verification passes.
After the second virtual machine receives the signature verification rule and the signed data packet, under the instruction of the signature verification rule, performing session counter verification and signature verification, namely first verification and second verification, on the signed data packet.
The second virtual machine obtains a standard value corresponding to the session counter field, wherein the standard value can be carried in a signature verification rule, and then the actual value corresponding to the session counter field is compared with the standard value, so that the first verification of the data packet is realized. If the actual value accords with the standard value, judging that the first check passes; if the actual value does not accord with the standard value, the data packet is judged to be intercepted, and the first check is not passed.
Further, under the condition that the first check passes, the second virtual machine adopts the first virtual machine identifier to carry out the second check on the data packet. And if the second verification is not passed, judging that the data packet is tampered, discarding the data packet and disconnecting the communication with the first virtual machine.
Based on the foregoing embodiment, in one embodiment, as shown in fig. 5, the virtual machine communication method further includes:
S501, a first registration request sent by a first virtual machine is received.
Before the control platform receives a session establishment request sent by the first virtual machine, the control platform receives a first registration request sent by the first virtual machine, wherein the first registration request applies to register the information of the first virtual machine. For example, the first virtual machine sends the first registration request to the control platform through its micro-isolation agent, and the control platform receives the first registration request in the virtual machine access connection relation module.
S502, the first virtual machine is registered based on the first registration request.
Further, the control platform registers the first virtual machine, so that the first virtual machine satisfies the precondition for establishing communication with other virtual machines.
Similarly, in one embodiment, as shown in fig. 6, the virtual machine communication method further includes:
S601, receiving a second registration request sent by a second virtual machine.
Before the control platform receives a session establishment request sent by the first virtual machine for communication with the second virtual machine, the control platform receives a second registration request sent by the second virtual machine, wherein the second registration request applies to register the information of the second virtual machine. For example, the second virtual machine sends the second registration request to the control platform through its micro-isolation agent, and the control platform receives the second registration request in the virtual machine access connection relation module.
S602, the second virtual machine is registered based on the second registration request.
Further, the control platform registers the second virtual machine, so that the second virtual machine satisfies the precondition for establishing communication with other virtual machines.
Therefore, the control platform can acquire basic information of the first virtual machine and the second virtual machine from the cloud management platform, and respond to a session establishment request sent by the first virtual machine so as to realize a management flow of virtual machine communication, so that the first virtual machine and the second virtual machine can communicate in a manner with higher reliability and safety.
In one embodiment, as shown in fig. 7, a virtual machine communication method is provided, applied to a first virtual machine, and includes the following steps:
s701, sending a session establishment request for requesting communication with the second virtual machine to the control platform.
The first virtual machine and the second virtual machine are any two different virtual machines in the cloud platform, and the control platform is a micro-isolation control platform in the cloud platform. Optionally, the first virtual machine includes a micro-isolation agent, and the execution body of the method is the micro-isolation agent installed in the first virtual machine.
When the first virtual machine needs to establish communication with the second virtual machine, namely, the first virtual machine needs to send a data packet to the second virtual machine, the first virtual machine serving as a data packet sender sends a session establishment request to a control platform in the cloud platform. The session establishment request is used for applying for a corresponding session key from the control platform, and the session establishment request contains related information of a corresponding data packet sender and a data packet receiver. Specifically, the session establishment request carries the identifier of the first virtual machine, that is, identifier information corresponding to the first virtual machine, such as the identifier information of an IP/MAC address, etc.
Optionally, the first virtual machine may send a corresponding session establishment request to the control platform only when communication with the second virtual machine needs to be established for the first time, or may send a corresponding session establishment request to the control platform each time communication with the second virtual machine needs to be established.
S702, receiving a session key sent by the control platform and a signature verification rule corresponding to the session establishment request.
The control platform responds to the session establishment request, generates a session key corresponding to the first virtual machine identifier based on the first virtual machine identifier carried in the session establishment request, and generates a signature verification rule corresponding to the session establishment request based on the related information of the corresponding data packet sender and the data packet receiver contained in the session establishment request.
Further, the control platform sends the session key and the signature verification rule to the first virtual machine, and correspondingly, the first virtual machine receives the session key and the signature verification rule.
Wherein the session key is generated by the control platform based on the first virtual machine identification, the session key being a private key assigned to the first virtual machine. It will be appreciated that the identification information corresponding to the different virtual machines is different, in other words, the first virtual machine identification is unique, and the session key generated based on the first virtual machine identification is also unique, and the session key is only used by the first virtual machine to sign the data packet.
Optionally, the signature verification rule and the session key are received synchronously or asynchronously.
S703, signing the data packet based on the signature verification rule and the session key, and sending the signed data packet to the second virtual machine.
Under the instruction of a signature verification rule, the first virtual machine signs a data packet to be sent to the second virtual machine by adopting a session key, and sends the signed data packet to the second virtual machine after the signature is completed.
Optionally, the signature verification rule includes a policy of both signature and verification. The policy in the signing aspect may instruct the first virtual machine to sign the data packet to be sent in what manner, and send the signed data packet to the second virtual machine through what path.
According to the scheme, the first virtual machine sends a session establishment request for requesting communication with the second virtual machine to the control platform, receives a session key sent by the control platform and a signature verification rule corresponding to the session establishment request, signs a data packet based on the signature verification rule and the session key, and sends the signed data packet to the second virtual machine, wherein the session key is generated by the control platform based on the first virtual machine identifier. According to the embodiment, the control platform with the unified signature verification rule management function is newly added and deployed, so that a specific signature verification rule is provided for the first virtual machine, the first virtual machine serving as a sender performs data packet signature based on the signature verification rule, reliability and safety of data packet transmission among the virtual machines are achieved, a session key adopted by the signature is generated based on a first virtual machine identifier adopted by verification, and safety of virtual machine communication can be further improved.
In an alternative embodiment, the session key and signature verification rule are generated by the control platform in determining that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine.
The basic information includes life cycle information and connection relations. The life cycle information of the virtual machine can represent the current running state of the virtual machine, and the connection relation of the virtual machine can be the access connection relation of the virtual machine in the cloud platform, the access relation with physical resources, the connection relation with other virtual machines, and the like. Wherein, the connection relation can be represented in a view form.
The basic information also includes ACLs, etc., which can be used for subscription policy matching and calculation. Based on the basic information of the first virtual machine and the basic information of the second virtual machine, the control platform combines the signing policy of the first virtual machine and the signing policy of the second virtual machine, so as to decide whether to allow the first virtual machine to communicate with the second virtual machine.
Further, under the condition that the first virtual machine is determined to be allowed to communicate with the second virtual machine, the control platform dynamically generates a signature verification rule based on the basic information of the first virtual machine and the basic information of the second virtual machine, generates a session key only for signature of the first virtual machine based on the first virtual machine identifier, and the data packet signed by the session key can be verified by the first virtual machine identifier.
Therefore, the generation of the signature verification rule and the session key under the condition that the virtual machines cannot communicate with each other can be avoided, so that the reliability of the dynamic generation of the signature verification rule and the session key by the control platform is increased, unified management of the cloud platform signature verification rule is realized, and the service system deployed on the cloud platform is not required to perform related configuration of the signature verification rule independently.
In order to enhance the security of the data packet transmitted in the communication flow of the virtual machine, in one embodiment, the processing may be performed in combination with the session counter and the data signature, as shown in fig. 8, and S703 may include:
S801, the data packet is repackaged based on the signature verification rule, and a session counter field is inserted into the repackaged data packet.
And after the first virtual machine receives the signature verification rule, the data packet to be sent to the second virtual machine is repackaged under the instruction of the signature verification rule. For example, the original data is converted into binary data, the binary data is divided into data segments, and the TCP header and the IP header are encapsulated to obtain a data packet of the network layer.
Further, a session counter field is inserted into the repackaged data packet, where the session counter field may be 32 bits. In a replay attack, an attacker resends a data packet that the second virtual machine has already received so that it passes communication authentication again, which undermines communication security. The actual value of the session counter field indicates the session count: while the first virtual machine communicates with the second virtual machine, the actual value of the session counter field increases with the number of sessions, so a data packet carrying the session counter field can prevent replay attacks.
S802, signing the data packet inserted into the session counter field by adopting the session key.
At the end of the data packet into which the session counter field has been inserted, a signature field computed with the session key is appended; the signature field signs the whole IP data packet, that is, the network-layer data packet, and can be 32 bits. The embodiment does not limit the specific encryption method used to compute the signature.
Optionally, as shown in fig. 9, the signed packet structure includes: version (4 bits), header length (4 bits), type of service (8 bits), total length (16 bits), identification (16 bits), flags (3 bits), fragment offset (13 bits), time to live TTL (8 bits), protocol (8 bits), header checksum (16 bits), source IP address (32 bits), destination IP address (32 bits), options, user data, session counter field (32 bits) and signature field (32 bits). The value of the 16-bit total length field is updated from its original value so that it also counts the length of the session counter field and the signature field.
In this embodiment, not only is a session counter field inserted into the data packet to realize replay attack prevention, but also a signature field is inserted to allow the second virtual machine to determine whether the data packet is tampered, thereby comprehensively improving the security of virtual machine communication.
In an alternative embodiment, a first registration request is sent to the control platform to instruct the control platform to register the first virtual machine.
Before the first virtual machine sends a session establishment request to the control platform, the first virtual machine sends a first registration request to the control platform, wherein the first registration request applies to register the information of the first virtual machine. For example, the first virtual machine sends the first registration request to the control platform through its micro-isolation agent, so that the control platform receives the first registration request in the virtual machine access connection relation module and registers the first virtual machine.
The first virtual machine is provided with conditions for establishing communication with other virtual machines such that communication between the first virtual machine and the second virtual machine takes place in a more reliable and secure manner.
In one embodiment, as shown in fig. 10, a virtual machine communication method is provided, applied to a second virtual machine, and includes the following steps:
S1001, a first virtual machine identifier and a signature verification rule sent by a control platform are received.
The first virtual machine and the second virtual machine are any two different virtual machines in the cloud platform, and the control platform is a micro-isolation control platform in the cloud platform. Optionally, the second virtual machine includes a micro-isolation agent, and the execution body of the method is the micro-isolation agent installed in the second virtual machine.
The first virtual machine identifier is carried in a session establishment request sent to the control platform by the first virtual machine for communication with the second virtual machine, and the first virtual machine identifier, namely, the identifier information corresponding to the first virtual machine, can be identifier information such as an IP/MAC address.
The control platform generates a signature verification rule and a session key, sends the signature verification rule and the session key to the first virtual machine, and sends the signature verification rule and the first virtual machine identification to the second virtual machine if it is determined that the first virtual machine is allowed to communicate with the second virtual machine. Correspondingly, the second virtual machine receives the first virtual machine identification and the signature verification rule.
Optionally, the signature verification rule and the first virtual machine identification are received synchronously or asynchronously.
S1002, receiving the signed data packet sent by the first virtual machine.
The signed data packet is obtained by signing the data packet by the first virtual machine based on the session key and the signature verification rule sent by the control platform. After receiving the signature verification rule and the session key sent by the control platform, the first virtual machine signs the data packet by adopting the session key under the instruction of the signature verification rule, and sends the signed data packet to the second virtual machine. Correspondingly, the second virtual machine receives the signed data packet.
The session key is generated by the control platform based on the first virtual machine identification. It will be appreciated that the identification information corresponding to the different virtual machines is different, in other words, the first virtual machine identification is unique, and the session key generated based on the first virtual machine identification is also unique, and the session key is only used by the first virtual machine to sign the data packet.
S1003, checking the signed data packet based on the signature checking rule and the first virtual machine identification.
And under the instruction of the signature verification rule, the second virtual machine verifies the received data packet by adopting the first virtual machine identifier. Wherein the verification includes a session counter verification and a signature verification.
Optionally, the signature verification rule includes a policy of both signature and verification. The policy in the verification aspect may instruct the second virtual machine to verify the signed data packet in what manner the second virtual machine receives the signed data packet sent by the first virtual machine.
According to the scheme, the second virtual machine receives the first virtual machine identifier and the signature verification rule sent by the control platform, receives the signed data packet sent by the first virtual machine, and verifies the signed data packet based on the signature verification rule and the first virtual machine identifier. According to the embodiment, the control platform with the unified signature verification rule management function is newly added and deployed, so that a specific signature verification rule is provided for the second virtual machine, and the second virtual machine serving as a receiving party performs data packet verification based on the signature verification rule, so that reliability and safety of data packet transmission among the virtual machines are realized, and a session key adopted by signature is generated based on a first virtual machine identifier adopted by verification, so that the safety of virtual machine communication can be further improved.
In an alternative embodiment, the session key and signature verification rule are generated by the control platform in determining that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine.
The basic information includes life cycle information and connection relations. The life cycle information of the virtual machine can represent the current running state of the virtual machine, and the connection relation of the virtual machine can be the access connection relation of the virtual machine in the cloud platform, the access relation with physical resources, the connection relation with other virtual machines, and the like. Wherein, the connection relation can be represented in a view form.
The basic information also includes ACLs, etc., which can be used for subscription policy matching and calculation. Based on the basic information of the first virtual machine and the basic information of the second virtual machine, the control platform combines the signing policy of the first virtual machine and the signing policy of the second virtual machine, so as to decide whether to allow the first virtual machine to communicate with the second virtual machine.
Further, under the condition that the first virtual machine is determined to be allowed to communicate with the second virtual machine, the control platform dynamically generates a signature verification rule based on the basic information of the first virtual machine and the basic information of the second virtual machine, generates a session key only for signature of the first virtual machine based on the first virtual machine identifier, and the data packet signed by the session key can be verified by the first virtual machine identifier.
Therefore, the generation of the signature verification rule and the session key under the condition that the virtual machines cannot communicate with each other can be avoided, so that the reliability of the dynamic generation of the signature verification rule and the session key by the control platform is increased, unified management of the cloud platform signature verification rule is realized, and the service system deployed on the cloud platform is not required to perform related configuration of the signature verification rule independently.
In order to enhance the security of the data packet transmitted in the communication flow of the virtual machine, in one embodiment, the processing may be performed in combination with the session counter and the data signature, as shown in fig. 11, and S1003 may include:
S1101, performing first verification on the signed data packet based on the standard value corresponding to the session counter field in the signature verification rule.
After receiving the signature verification rule and the signed data packet, the second virtual machine performs session counter verification, namely first verification, on the signed data packet under the instruction of the signature verification rule.
Specifically, the second virtual machine obtains the standard value corresponding to the session counter field, which can be carried in the signature verification rule, locates the session counter field in the signed data packet to obtain its actual value, and then compares the actual value of the session counter field with the standard value; this constitutes the first verification of the data packet.
If an attacker resends a previously captured data packet and the second virtual machine accepts it as authenticated communication, the security of the communication is compromised. The actual value of the session counter field indicates the sequence number of the session, and during the communication between the first virtual machine and the second virtual machine this value increases with each exchange, so a data packet carrying the session counter field can be checked against replay attacks.
In an alternative embodiment, comparing the actual value of the session counter field in the signed data packet with the standard value corresponding to the session counter field in the signature verification rule; if the actual value accords with the standard value, determining that the signed data packet first check passes, and if the actual value does not accord with the standard value, determining that the signed data packet first check does not pass. In other words, when the actual value of the session counter field is equal to the standard value, it is indicated that the current session is not at risk of a session replay attack.
S1102, when the first verification of the signed data packet is determined to pass, performing a second verification on the signed data packet based on the signature verification rule and the first virtual machine identifier.
Under the instruction of the signature verification rule, if the first verification passes, the first virtual machine identifier is used to perform the second verification on the data packet. Specifically, the signature information field produced by signing with the session key is located at the tail end of the data packet and is verified using the first virtual machine identifier. The signature information field signs the whole IP data packet, that is, the network-layer data packet, and may be 32 bits long.
If the second verification does not pass, the data packet is judged to have been tampered with, the data packet is discarded, and the communication with the first virtual machine is disconnected.
In this embodiment, the first verification is performed based on the standard value corresponding to the session counter field, and the second verification is performed based on the first virtual machine identifier, so that not only can replay attack be prevented, but also whether the data packet is tampered can be checked, and the security of virtual machine communication is comprehensively improved.
In an alternative embodiment, a second registration request is sent to the control platform to instruct the control platform to register the second virtual machine.
Before receiving the signature verification rule and the first virtual machine identifier sent by the control platform, the second virtual machine sends a second registration request to the control platform; the second registration request is used to apply for registering the information of the second virtual machine. For example, the second virtual machine sends the second registration request to the control platform through its micro-isolation agent, and the control platform receives the second registration request through the virtual machine access connection relation module and registers the second virtual machine.
This gives the second virtual machine the prerequisites for establishing communication with other virtual machines, so that communication between the first virtual machine and the second virtual machine proceeds with higher reliability and security.
In one embodiment, an alternative example of a virtual machine communication method is provided, as shown in fig. 12, including a micro-isolation client A corresponding to the first virtual machine, a micro-isolation client B corresponding to the second virtual machine, and a micro-isolation controller corresponding to the cloud management platform and the control platform, where the micro-isolation client A is the data transmitting end, the micro-isolation client B is the data receiving end, and the micro-isolation controller includes a virtual machine access connection relation module, a signature verification rule generating module, a control engine module, and an identification key management module.
Specifically, the virtual machine communication method comprises the following steps:
In the first step, a micro-isolation agent is installed on each of micro-isolation client A and micro-isolation client B.
In the second step, micro-isolation client A and micro-isolation client B each send a virtual machine registration request to the virtual machine access connection relation module.
In the third step, the virtual machine access connection relation module completes the registration flow for the first virtual machine and the second virtual machine.
In the fourth step, the cloud management platform sends the life cycle information and connection relation of the virtual machines to the virtual machine access connection relation module.
In the fifth step, the virtual machine access connection relation module sends the virtual machine life cycle information and connection relation to the control engine module through the internal interface.
In the sixth step, the control engine module generates access control rules based on the connection relation and the service access requirements.
In the seventh step, micro-isolation client A sends a session establishment request carrying the first virtual machine identifier to the signature verification rule generation module.
In the eighth step, the signature verification rule generation module sends the session establishment request carrying the first virtual machine identifier to the identification key management module through the internal interface.
In the ninth step, the identification key management module generates a private key based on the first virtual machine identifier.
In the tenth step, the identification key management module sends the private key to the signature verification rule generation module.
In the eleventh step, the signature verification rule generation module sends an access control rule request to the control engine module.
In the twelfth step, the control engine module sends the access control rule to the signature verification rule generation module.
In the thirteenth step, the signature verification rule generation module generates a signature verification rule based on the access control rule.
In the fourteenth step, the signature verification rule generation module sends the signature verification rule and the private key to micro-isolation client A, and sends the signature verification rule and the first virtual machine identifier to micro-isolation client B.
In the fifteenth step, micro-isolation client A repackages the data packet based on the signature verification rule, inserts the session counter field, and signs the data packet with the private key.
In the sixteenth step, micro-isolation client A sends the signed data packet to micro-isolation client B.
In the seventeenth step, micro-isolation client B performs session counter verification on the signed data packet based on the signature verification rule, and after the session counter verification passes, performs signature verification using the first virtual machine identifier.
The specific process of the above steps may refer to the description of the above method embodiments, and its implementation principle and technical effects are similar, and are not repeated herein.
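As an added example (not code from the patent or its applicant), the following Python models the seventeen-step flow above together with the two-stage verification of S1101 and S1102: the controller registers both clients, makes the access decision, derives the session key from the first virtual machine identifier and issues the rule; client A inserts the session counter and signs; client B checks the counter first and the signature second, dropping replays and disconnecting on tampering. The identity-based scheme the page describes (sign with a key derived from the identifier, verify with the identifier) is stood in for by HMAC-SHA256 with a key the controller derives from the identifier and resolves for the receiver; the packet layout, the master secret and all packets are constructed assumptions.

```python
import hmac
import hashlib
import struct

# Constructed layout (the page fixes only the 32-bit signature field):
# payload || session counter (4 bytes, big-endian) || signature information field.
COUNTER_LEN = 4
SIG_LEN = 4


class ControlPlatform:
    """Micro-isolation controller: registration, access decision, rule and key."""

    def __init__(self, master_secret: bytes, allowed_pairs: set):
        self._master = master_secret
        self.allowed = allowed_pairs   # (src, dst) pairs the access control rule permits
        self.registered = set()

    def register(self, *vm_ids: str) -> None:
        self.registered.update(vm_ids)

    def derive_session_key(self, vm_id: str) -> bytes:
        # Stand-in for "generate a session key based on the first VM identifier";
        # a real deployment would use an identity-based signature scheme here.
        return hmac.new(self._master, vm_id.encode(), hashlib.sha256).digest()

    def establish_session(self, src_id: str, dst_id: str):
        # No rule or key unless both VMs are registered and src -> dst is allowed.
        if src_id not in self.registered or dst_id not in self.registered:
            raise PermissionError("virtual machine not registered")
        if (src_id, dst_id) not in self.allowed:
            raise PermissionError("not allowed by access control rule")
        rule = {"counter_start": 0, "sig_len": SIG_LEN}
        return rule, self.derive_session_key(src_id)


class SenderAgent:
    """Micro-isolation client A: repackage, insert session counter, sign."""

    def __init__(self, rule: dict, session_key: bytes):
        self.rule, self.key = rule, session_key
        self.counter = rule["counter_start"]

    def sign_packet(self, ip_packet: bytes) -> bytes:
        body = ip_packet + struct.pack(">I", self.counter)
        # Tag over the whole repackaged packet, truncated to the rule's 32-bit
        # field and appended at the tail (32 bits is a short forgery bound).
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[: self.rule["sig_len"]]
        self.counter += 1
        return body + tag


class ReceiverAgent:
    """Micro-isolation client B: first check (counter), second check (signature)."""

    def __init__(self, first_vm_id: str, rule: dict, resolve_key):
        self.first_vm_id, self.rule = first_vm_id, rule
        self.expected = rule["counter_start"]   # standard value of the counter
        self._resolve_key = resolve_key         # identifier -> verification key
        self.connected = True

    def verify_packet(self, packet: bytes):
        """Return (status, payload); payload is None unless status is 'OK'."""
        sig_len = self.rule["sig_len"]
        if not self.connected:
            return "DISCONNECTED", None
        if len(packet) < COUNTER_LEN + sig_len:
            return "MALFORMED", None
        body, tag = packet[:-sig_len], packet[-sig_len:]
        (actual,) = struct.unpack(">I", body[-COUNTER_LEN:])
        # First verification: counter mismatch means replay; drop, stay connected.
        if actual != self.expected:
            return "REPLAY", None
        # Second verification with the key bound to the first VM identifier;
        # a bad signature means tampering, so drop the packet and disconnect.
        good = hmac.new(self._resolve_key(self.first_vm_id), body,
                        hashlib.sha256).digest()[:sig_len]
        if not hmac.compare_digest(tag, good):
            self.connected = False
            return "TAMPERED", None
        self.expected += 1
        return "OK", body[:-COUNTER_LEN]


def run_flow() -> list:
    """Steps 1-17 with constructed packets; returns verification outcomes then the connection state."""
    cp = ControlPlatform(b"constructed master secret", {("vm-A", "vm-B")})
    cp.register("vm-A", "vm-B")
    rule, key = cp.establish_session("vm-A", "vm-B")
    client_a = SenderAgent(rule, key)
    client_b = ReceiverAgent("vm-A", rule, cp.derive_session_key)
    p1 = client_a.sign_packet(b"constructed IP packet 1")
    p2 = client_a.sign_packet(b"constructed IP packet 2")
    outcomes = [client_b.verify_packet(p)[0] for p in (p1, p1, p2)]  # p1 twice = replay
    tampered = bytearray(client_a.sign_packet(b"constructed IP packet 3"))
    tampered[0] ^= 0x01                                                # flip a payload bit
    outcomes.append(client_b.verify_packet(bytes(tampered))[0])
    outcomes.append(client_b.connected)
    return outcomes
```

Because the counter is compared before the signature, a replayed packet is dropped without tearing down the session, while a packet whose counter matches but whose signature fails is treated as tampering and ends the session.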
It should be understood that, although the steps in the flowcharts related to the above embodiments are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to this order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed sequentially but may be performed alternately or in turn with at least some of the other steps or sub-steps.
Based on the same inventive concept, the embodiment of the application also provides a virtual machine communication device for realizing the above related virtual machine communication method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so the specific limitation in the embodiments of the virtual machine communication device or devices provided below may refer to the limitation of the virtual machine communication method hereinabove, and will not be repeated herein.
In one embodiment, as shown in fig. 13, there is provided a virtual machine communication apparatus 1, configured on a control platform, including a first receiving module 10, a generating module 20, and a first transmitting module 30, where:
The first receiving module 10 is configured to receive a session establishment request sent by the first virtual machine and requesting communication with the second virtual machine.
The session establishment request carries the first virtual machine identifier.
The generating module 20 is configured to generate a signature verification rule corresponding to the session establishment request, and generate a session key based on the first virtual machine identifier.
The first sending module 30 is configured to send the signature verification rule and the session key to the first virtual machine, and send the signature verification rule and the first virtual machine identifier to the second virtual machine.
The signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier.
In one embodiment, on the basis of fig. 13, as shown in fig. 14, the generating module 20 may include:
The obtaining unit 21 is configured to obtain the basic information of the first virtual machine and the basic information of the second virtual machine.
Wherein the basic information includes life cycle information and connection relation.
The determining unit 22 is configured to determine whether to allow the first virtual machine to communicate with the second virtual machine, based on the basic information of the first virtual machine and the basic information of the second virtual machine.
The generating unit 23 is configured to generate a signature verification rule corresponding to the session establishment request, and generate a session key based on the first virtual machine identifier, where it is determined that the first virtual machine is allowed to communicate with the second virtual machine.
In one embodiment, the generating unit 23 may include:
The first generation subunit is used for generating a corresponding access control rule based on the session establishment request, the basic information of the first virtual machine and the basic information of the second virtual machine.
And the second generation subunit is used for generating a signature verification rule corresponding to the session establishment request based on the access control rule.
In one embodiment, the obtaining unit 21 is specifically configured to obtain, through a custom interface, basic information of the first virtual machine and basic information of the second virtual machine from the cloud management platform.
In one embodiment, the signature verification rule is further used for indicating the first virtual machine to repackage the data packet, insert a session counter field into the repackaged data packet, and sign, based on the session key, the data packet into which the session counter field has been inserted; the signature verification rule is further used for indicating the second virtual machine to perform first verification on the received data packet based on the standard value corresponding to the session counter field, and to perform second verification on the received data packet based on the first virtual machine identifier if the first verification passes.
In one embodiment, the virtual machine communication apparatus 1 may further include a first registration module and a second registration module. The first registration module is used for receiving a first registration request sent by the first virtual machine and registering the first virtual machine based on the first registration request; the second registration module is used for receiving a second registration request sent by the second virtual machine and registering the second virtual machine based on the second registration request.
In one embodiment, as shown in fig. 15, there is provided a virtual machine communication apparatus 2 configured in a first virtual machine, including a second sending module 40, a second receiving module 50, and a signature module 60, wherein:
The second sending module 40 is configured to send a session establishment request to the control platform, requesting communication with the second virtual machine.
The session establishment request carries the first virtual machine identifier.
The second receiving module 50 is configured to receive the session key sent by the control platform and a signature verification rule corresponding to the session establishment request.
Wherein the session key is generated by the control platform based on the first virtual machine identification.
The signature module 60 is configured to sign the data packet based on the signature verification rule and the session key, and send the signed data packet to the second virtual machine.
In one embodiment, the session key and the signature verification rule are generated by the control platform when it determines, based on the basic information of the first virtual machine and the basic information of the second virtual machine, that the first virtual machine is allowed to communicate with the second virtual machine; the basic information includes life cycle information and connection relations.
In one embodiment, on the basis of fig. 15, as shown in fig. 16, the signature module 60 may include:
The first signing unit 61 is configured to repackage the data packet based on the signature verification rule, and insert a session counter field into the repackaged data packet.
The second signing unit 62 is configured to sign, with the session key, the data packet into which the session counter field has been inserted.
In one embodiment, the virtual machine communication apparatus 2 may further include a first application registration module, configured to send a first registration request to the control platform to instruct the control platform to register the first virtual machine.
In one embodiment, the first virtual machine includes a micro quarantine agent in which the virtual machine communication device 2 is installed.
In one embodiment, as shown in fig. 17, there is provided a virtual machine communication apparatus 3 configured in a second virtual machine, including a third receiving module 70, a fourth receiving module 80, and a checking module 90, wherein:
The third receiving module 70 is configured to receive the first virtual machine identifier and the signature verification rule sent by the control platform.
The first virtual machine identifier is carried in a session establishment request sent to the control platform and used for communicating with the second virtual machine.
The fourth receiving module 80 is configured to receive the signed data packet sent by the first virtual machine.
The signed data packet is obtained by signing the data packet by the first virtual machine based on a session key and a signature verification rule sent by the control platform, and the session key is generated by the control platform based on the first virtual machine identifier.
The verification module 90 is configured to verify the signed data packet based on the signature verification rule and the first virtual machine identifier.
In one embodiment, the session key and the signature verification rule are generated by the control platform when it determines, based on the basic information of the first virtual machine and the basic information of the second virtual machine, that the first virtual machine is allowed to communicate with the second virtual machine; the basic information includes life cycle information and connection relations.
In one embodiment, based on fig. 17, as shown in fig. 18, the verification module 90 may include:
The first checking unit 91 is configured to perform a first check on the signed data packet based on the standard value corresponding to the session counter field in the signature verification rule.
The second checking unit 92 is configured to, when determining that the first check of the signed data packet passes, perform a second check on the signed data packet based on the signature verification rule and the first virtual machine identifier.
In one embodiment, the first verification unit 91 is specifically configured to compare an actual value of a session counter field included in the signed data packet with a standard value corresponding to the session counter field in the signature verification rule, and determine that the signed data packet passes the first verification when the comparison result is that the actual value meets the standard value.
In one embodiment, the virtual machine communication apparatus 3 may further include a second application registration module, configured to send a second registration request to the control platform to instruct the control platform to register the second virtual machine.
In one embodiment, the second virtual machine comprises a micro quarantine agent in which the virtual machine communication device 3 is installed.
The various modules in the virtual machine communication device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 19. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used for storing virtual machine identification, session key and other data. The network interface of the computer device is used for communicating with an external terminal through a network connection.
It will be appreciated by those skilled in the art that the structure shown in fig. 19 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided that includes a memory having a computer program stored therein and a processor that when executing the computer program performs the steps of the virtual machine communication method described above.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon which, when executed by a processor, implements the steps of the virtual machine communication method described above.
In one embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, implements the steps of the virtual machine communication method described above.
Those skilled in the art will appreciate that implementing all or part of the above-described methods in accordance with the embodiments may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples represent only a few embodiments of the present application, which are described in more detail and are not thereby to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (24)

1. The virtual machine communication method is applied to a control platform and is characterized by comprising the following steps of:
receiving a session establishment request sent by a first virtual machine and used for communication with a second virtual machine; the session establishment request carries a first virtual machine identifier;
generating a signature verification rule corresponding to the session establishment request, and generating a session key based on the first virtual machine identifier;
Transmitting the signature verification rule and the session key to the first virtual machine, and transmitting the signature verification rule and the first virtual machine identification to the second virtual machine;
the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier.
2. The method of claim 1, wherein the generating a signature verification rule corresponding to the session establishment request and generating a session key based on the first virtual machine identifier comprises:
acquiring basic information of the first virtual machine and basic information of the second virtual machine; wherein, the basic information comprises life cycle information and connection relation;
determining whether to allow the first virtual machine to communicate with the second virtual machine based on the basic information of the first virtual machine and the basic information of the second virtual machine;
generating a signature verification rule corresponding to the session establishment request under the condition that the first virtual machine is allowed to communicate with the second virtual machine, and generating a session key based on the first virtual machine identification.
3. The method according to claim 1 or 2, wherein the generating a signature verification rule corresponding to the session establishment request comprises:
generating a corresponding access control rule based on the session establishment request, the basic information of the first virtual machine and the basic information of the second virtual machine;
and generating a signature verification rule corresponding to the session establishment request based on the access control rule.
4. The method of claim 2, wherein the obtaining the base information of the first virtual machine and the base information of the second virtual machine comprises:
and acquiring the basic information of the first virtual machine and the basic information of the second virtual machine from a cloud management platform through a custom interface.
5. The method of claim 1, wherein the signature verification rule is further configured to instruct the first virtual machine to repackage the data packet, insert a session counter field into the repackaged data packet, and sign, based on the session key, the data packet into which the session counter field has been inserted;
the signature verification rule is further used for indicating the second virtual machine to perform first verification on the received data packet based on the standard value corresponding to the session counter field, and performing second verification on the received data packet based on the first virtual machine identifier under the condition that the first verification is passed.
6. The method of claim 1, wherein prior to receiving the session establishment request sent by the first virtual machine requesting communication with the second virtual machine, the method further comprises:
receiving a first registration request sent by a first virtual machine;
and registering the first virtual machine based on the first registration request.
7. The method of claim 1, wherein prior to receiving the session establishment request sent by the first virtual machine requesting communication with the second virtual machine, the method further comprises:
receiving a second registration request sent by a second virtual machine;
and registering the second virtual machine based on the second registration request.
8. A virtual machine communication method applied to a first virtual machine, comprising:
sending a session establishment request for requesting communication with the second virtual machine to the control platform; the session establishment request carries a first virtual machine identifier;
receiving a session key sent by the control platform and a signature verification rule corresponding to the session establishment request; wherein the session key is generated by the control platform based on the first virtual machine identification;
And signing the data packet based on the signature verification rule and the session key, and sending the signed data packet to the second virtual machine.
9. The method of claim 8, wherein the session key and the signature verification rule are generated by the control platform if it is determined that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine; the basic information includes life cycle information and connection relations.
10. The method of claim 8, wherein signing the data packet based on the signature verification rule and the session key comprises:
repackaging the data packet based on the signature verification rule, and inserting a session counter field into the repackaged data packet;
and signing, with the session key, the data packet into which the session counter field has been inserted.
11. The method of claim 8, wherein prior to sending the request to the control platform to establish a session requesting communication with the second virtual machine, the method further comprises:
And sending a first registration request to the control platform to instruct the control platform to register the first virtual machine.
12. The method of any of claims 8-11, wherein the first virtual machine comprises a micro quarantine agent, and wherein the execution subject of the method is a micro quarantine agent installed in the first virtual machine.
13. A virtual machine communication method applied to a second virtual machine, comprising:
receiving a first virtual machine identifier and a signature verification rule sent by a control platform; the first virtual machine identifier is carried in a session establishment request which is sent to the control platform and used for communicating with the second virtual machine by the first virtual machine;
receiving a signed data packet sent by the first virtual machine; the signed data packet is obtained by signing the data packet by the first virtual machine based on a session key and a signature verification rule sent by the control platform, and the session key is generated by the control platform based on the first virtual machine identifier;
and verifying the signed data packet based on the signature verification rule and the first virtual machine identifier.
14. The method of claim 13, wherein the session key and the signature verification rule are generated by the control platform if it is determined that the first virtual machine is allowed to communicate with the second virtual machine based on the base information of the first virtual machine and the base information of the second virtual machine; the basic information includes life cycle information and connection relations.
15. The method of claim 13, wherein verifying the signed data packet based on the signature verification rule and the first virtual machine identifier comprises:
performing a first check on the signed data packet based on a standard value corresponding to a session counter field in the signature verification rule;
and under the condition that the first verification of the signed data packet is confirmed to pass, carrying out second verification on the signed data packet based on the signature verification rule and the first virtual machine identifier.
16. The method of claim 15, wherein the performing a first check on the signed data packet based on the standard value corresponding to the session counter field in the signature verification rule includes:
comparing the actual value of the session counter field in the signed data packet with the standard value corresponding to the session counter field in the signature verification rule;
and if the comparison result shows that the actual value accords with the standard value, determining that the signed data packet passes the first check.
17. The method of claim 13, wherein before receiving the first virtual machine identifier and the signature verification rule sent by the control platform, the method further comprises:
sending a second registration request to the control platform to instruct the control platform to register the second virtual machine.
18. The method of any of claims 13-17, wherein the second virtual machine comprises a micro quarantine agent, and the method is executed by the micro quarantine agent installed in the second virtual machine.
19. A virtual machine communication apparatus configured on a control platform, comprising:
the first receiving module is used for receiving a session establishment request sent by the first virtual machine and used for communicating with the second virtual machine; the session establishment request carries a first virtual machine identifier;
a generation module, configured to generate a signature verification rule corresponding to the session establishment request and to generate a session key based on the first virtual machine identifier;
the first sending module is used for sending the signature verification rule and the session key to the first virtual machine and sending the signature verification rule and the first virtual machine identifier to the second virtual machine;
the signature verification rule is used for indicating the first virtual machine to sign the data packet based on the session key and sending the signed data packet to the second virtual machine; the signature verification rule is further used for indicating the second virtual machine to verify the signed data packet based on the first virtual machine identifier.
20. A virtual machine communication apparatus configured in a first virtual machine, comprising:
the second sending module is used for sending a session establishment request for requesting to communicate with the second virtual machine to the control platform; the session establishment request carries a first virtual machine identifier;
a second receiving module, configured to receive the session key sent by the control platform and the signature verification rule corresponding to the session establishment request; wherein the session key is generated by the control platform based on the first virtual machine identifier;
a signature module, configured to sign the data packet based on the signature verification rule and the session key and to send the signed data packet to the second virtual machine.
21. A virtual machine communication apparatus configured in a second virtual machine, comprising:
a third receiving module, configured to receive the first virtual machine identifier and the signature verification rule sent by the control platform; the first virtual machine identifier is carried in a session establishment request sent by the first virtual machine to the control platform for communicating with the second virtual machine;
a fourth receiving module, configured to receive a signed data packet sent by the first virtual machine; the signed data packet is obtained by signing the data packet by the first virtual machine based on a session key and a signature verification rule sent by the control platform, and the session key is generated by the control platform based on the first virtual machine identifier;
and the verification module is used for verifying the signed data packet based on the signature verification rule and the first virtual machine identifier.
22. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1-18 when the computer program is executed.
23. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1-18.
24. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1-18.
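As an added illustration of the signing step in claim 10 and the two-stage verification in claims 15-16 (example code, not the patent's own): the control platform derives a session key from the first virtual machine identifier, the sender inserts a session counter field and signs, and the receiver checks the counter against the rule's standard value before checking the signature. The HMAC-SHA256 key derivation and signature, the 4-byte counter layout, the rule's field names and the platform secret are all assumptions the claims do not fix.

```python
"""Added example (not the patent's code): session-key derivation, counter insertion,
signing, and counter-then-signature verification between two virtual machines."""
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 output length

# Assumption: the control platform derives the session key from the first VM
# identifier with HMAC-SHA256 under a platform secret; the claims only say the
# key is "generated based on the first virtual machine identifier".
PLATFORM_SECRET = b"constructed-platform-secret-for-demo"


def derive_session_key(first_vm_id: str) -> bytes:
    return hmac.new(PLATFORM_SECRET, first_vm_id.encode(), hashlib.sha256).digest()


def make_rule(counter_start: int = 0) -> dict:
    # "Signature verification rule": algorithm, counter field width, and the
    # standard value the receiver expects in the next packet (field names assumed).
    return {"alg": "hmac-sha256", "counter_bytes": 4, "expected_counter": counter_start}


def sign_packet(payload: bytes, session_key: bytes, counter: int, rule: dict) -> bytes:
    # Repackage: prepend the session counter field, then sign counter || payload.
    counter_field = counter.to_bytes(rule["counter_bytes"], "big")
    tag = hmac.new(session_key, counter_field + payload, hashlib.sha256).digest()
    return counter_field + payload + tag


def verify_packet(packet: bytes, first_vm_id: str, rule: dict):
    n = rule["counter_bytes"]
    if len(packet) < n + TAG_LEN:
        return False, "malformed"
    counter_field, body, tag = packet[:n], packet[n:-TAG_LEN], packet[-TAG_LEN:]
    # First check: actual counter must equal the rule's standard value
    # (rejects replayed or out-of-order packets before any crypto work).
    if int.from_bytes(counter_field, "big") != rule["expected_counter"]:
        return False, "counter mismatch"
    # Second check: recompute the signature with the key derived from the
    # first VM identifier (receiver-side derivation is an assumption).
    key = derive_session_key(first_vm_id)
    expected = hmac.new(key, counter_field + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    rule["expected_counter"] += 1  # advance the standard value for the next packet
    return True, body
```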
CN202311588181.XA 2023-11-24 2023-11-24 Virtual machine communication method, device, computer equipment and storage medium Pending CN117749356A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311588181.XA CN117749356A (en) 2023-11-24 2023-11-24 Virtual machine communication method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117749356A true CN117749356A (en) 2024-03-22

Family

ID=90280262

Country Status (1)

Country Link
CN (1) CN117749356A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination