CN117857191A - TCP secure communication proxy method and system - Google Patents


Info

Publication number: CN117857191A
Authority: CN (China)
Prior art keywords: proxy, tcp, data packet, secure communication, core
Legal status: Pending
Application number: CN202410038938.6A
Other languages: Chinese (zh)
Inventors: 胡晓瑞, 商巍, 董贝, 包明磊, 聂冰清, 袁登厅, 刘庭瑞
Current Assignee: Nanjing SAC Automation Co Ltd
Original Assignee: Nanjing SAC Automation Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of power system communication and network security, and provides a TCP secure communication proxy method and a system, which are applied to a first device with a multi-core processor, wherein the multi-core processor comprises a plurality of cores including a management core; the method comprises the following steps: when a second device sends a first data packet to the first device, the management core establishes a TCP secure communication connection with the second device, and the management core receives the first data packet; the management core polls a communication link configuration file to obtain a target core corresponding to the first data packet; the management core modifies the destination address of the first data packet into an internal address corresponding to the target core, and encapsulates the packet to obtain a second data packet; and the management core sends the second data packet to the target core. The invention meets the current network security function requirements for electric power secondary equipment, and the user can flexibly configure it according to different application scenarios, so it has good expandability and high security.

Description

TCP secure communication proxy method and system
Technical Field
The invention relates to the field of power system communication and network security, in particular to a TCP secure communication proxy method and a system.
Background
In recent years, power system automation technology and communication network security technology have developed rapidly. However, with the increasing frequency of network security incidents at home and abroad, the power system, as national infrastructure, faces serious network security threats, which places higher demands on the communication network security of power secondary equipment. To address this challenge, the national and southern power grids place stringent requirements on the software-level security functions of power networking equipment, including communication network security, data security, and user audit and authentication. For legacy devices already deployed and running on the network, and for newly manufactured devices, the following problems exist:
(1) Limited by the functional requirements at the time they were developed, most legacy devices do not implement communication network security functions;
(2) On the one hand, the original device needs to perform TCP communication with multiple external entities, including a PC host SCADA tool, a background server, other interconnected devices and the like; on the other hand, for devices with multi-core CPUs, different external entities also interact with different CPU cores. The implementation of this TCP communication is scattered across the whole device system, so unified management is inconvenient;
(3) Whether a legacy device is functionally extended or a new device is deployed, extending the security functions of the communication network is technically very difficult.
Disclosure of Invention
The invention aims to solve at least one technical problem in the background art, and provides a TCP secure communication proxy method and a system, which can flexibly configure and expand the communication security functions of legacy and new devices through a software upgrade, without large-scale reconstruction or replacement of the device, thereby saving substantial economic and labor costs.
In order to achieve the above object, the present invention provides a TCP secure communication proxy method, which is applied to a first device with a multi-core processor, wherein the multi-core processor includes a plurality of cores including a management core; the method is characterized in that:
when a second device sends a first data packet to the first device, the management core establishes TCP secure communication connection with the second device, and the management core receives the first data packet;
the management core polls a communication link configuration file to obtain a target core corresponding to the first data packet;
the management core modifies the destination address of the first data packet into an internal address corresponding to the target core, and encapsulates the packet to obtain a second data packet;
the management core sends the second data packet to the target core;
the communication link configuration file is used for describing the basic information of a TCP secure communication link, and comprises the external address information of the first device, the address information of the second device corresponding to the current communication link, and the internal address information of the target core in the first device corresponding to the current communication link.
Preferably, the target core sends a third data packet, generated in response to the second data packet, to the management core;
the management core queries the communication link configuration file and acquires the address information of the second device corresponding to the current communication link;
the management core modifies the destination address of the third data packet into the address of the second device, modifies the source address of the third data packet into the external address of the first device, and encapsulates the packet to obtain a fourth data packet;
the management core sends the fourth data packet to the second device.
Preferably, the management core is provided with a secure communication proxy module;
the secure communication proxy module is used for establishing TCP secure communication connection with an external device comprising the second device;
the secure communication proxy module is further configured to create a virtual proxy endpoint, where the proxy endpoint includes a proxy client and a proxy server, and the proxy endpoint is configured to establish a TCP service connection with a kernel of the first device;
the secure communication proxy module is also used for proxy sending and receiving TCP traffic.
Preferably, the communication link profile further comprises:
address information of the external device, whether the communication link is enabled, the proxy server address or network port name, the proxy server port number, the proxy client address or network port name, the proxy client port number, whether the link between the external device and the proxy endpoint is encrypted, and whether the link between the proxy endpoint and the target core is encrypted.
Preferably, the external device includes: SCADA tools on a PC host, background servers and other interconnected devices.
Preferably, the first device may establish a TCP secure communication connection with a plurality of the external devices; the first device includes at least one multi-core processor.
Preferably, the management core is provided with a service processing and forwarding module;
the service processing and forwarding module is used for processing TCP communication service between an external device including the second device and the management core; the service processing and forwarding module is further configured to forward service traffic between cores of the first device based on NAPT technology.
In order to achieve the above object, the present invention further provides a TCP secure communication proxy system, which is applied to a first device with a multi-core processor, wherein the multi-core processor includes a plurality of cores including a management core; the TCP secure communication proxy system is characterized by comprising:
a communication link configuration module, configured to store a communication link configuration file, where the communication link configuration file is used to describe basic information of a TCP secure communication link, and includes: address information of an external device, whether a communication link is started, a proxy server address or a network port name, a proxy server port number, a proxy client address or a network port name, a proxy client port number, whether a link between the external device and a proxy endpoint is encrypted, and whether a link between the proxy endpoint and a target kernel is encrypted;
the secure communication proxy module is used for establishing a TCP secure communication connection with the external device; the secure communication proxy module is further configured to create a virtual proxy endpoint, where the proxy endpoint includes a proxy client and a proxy server, and the proxy endpoint is configured to establish a TCP service connection with a core of the first device; the secure communication proxy module is also used for proxying the sending and receiving of TCP traffic;
the service processing and forwarding module is used for processing TCP communication service between the external device and the management core; the service processing and forwarding module is further configured to forward service traffic between cores of the first device based on NAPT technology;
the TCP secure communication proxy system realizes the mapping between the TCP secure communication connection and the TCP service connection on the management core by querying the communication link configuration file.
To achieve the above object, the present invention also provides an electronic device including a processor, a memory, and a computer program stored on the memory and executable on the processor, the computer program implementing any one of the TCP secure communication proxy methods described above when executed by the processor.
To achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements any of the TCP secure communication proxy methods described above.
The invention has the following technical effects:
the TCP communication link between the external entity and the first device is uniformly configured and described through the communication link configuration file, which makes management, expansion and customization convenient.
According to the invention, the TCP secure communication connection is established between the unique external IP address of the first device and the external entity, which simplifies the expansion of security functions and reduces the difficulty of modifying and developing modules;
the invention conceals the network details among the CPU cores of the first device through NAPT-based network address and port translation, and further improves communication network security when the first device interacts with an external entity.
The invention meets the current network security function requirements for electric power secondary equipment, and the user can flexibly configure it according to different application scenarios, so it has good expandability and high security.
Drawings
FIG. 1 schematically illustrates a flow chart of a TCP secure communication proxy method according to an embodiment of the invention;
FIG. 2 schematically illustrates an application of a TCP secure communication proxy method in a power system according to an embodiment of the present invention;
FIG. 3 schematically shows a flow chart of TCP communication traffic interaction with the first device core n when the external device acts as a client according to an embodiment of the invention;
FIG. 4 schematically illustrates a flow chart of TCP communication traffic interaction with the first device core n when the external device acts as a server according to an embodiment of the present invention;
FIG. 5 schematically illustrates a flow chart of TCP communication traffic interaction with a first device management core when an external device acts as a client, according to one embodiment of the invention;
FIG. 6 schematically illustrates a flow chart of TCP communication traffic interaction with a first device management core when an external device acts as a server according to an embodiment of the present invention;
FIG. 7 schematically shows a structural diagram of a TCP secure communication proxy system according to an embodiment of the present invention.
Detailed Description
The present disclosure will now be discussed with reference to exemplary embodiments. It should be understood that the embodiments discussed are merely to enable those of ordinary skill in the art to better understand and thus practice the teachings of the present invention and do not imply any limitation on the scope of the invention.
As used herein, the term "comprising" and variants thereof are to be interpreted as open-ended terms meaning "including but not limited to". The term "based on" is to be interpreted as "based at least in part on". The terms "one embodiment" and "an embodiment" are to be interpreted as "at least one embodiment".
Example 1
FIG. 1 schematically illustrates a flow chart of a TCP secure communication proxy method according to an embodiment of the invention; as shown in fig. 1, according to an embodiment of the present invention, a TCP secure communication proxy method is applied to a first device with a multi-core processor including a plurality of cores including a management core; the method is characterized in that:
step S102: when a second device sends a first data packet to a first device, a management core establishes a TCP secure communication connection with the second device, and the management core receives the first data packet;
step S104: the management core polls the communication link configuration file to obtain a target core corresponding to the first data packet;
step S106: the management core modifies the destination address of the first data packet into an internal address corresponding to the target core, and encapsulates the packet to obtain a second data packet;
step S108: the management core sends the second data packet to the target core;
the communication link configuration file is used for describing the basic information of the TCP secure communication link, and comprises the external address information of the first device, the address information of the second device corresponding to the current communication link, and the internal address information of the target core in the first device corresponding to the current communication link.
According to another implementation of this embodiment, the target core sends a third data packet, generated in response to the second data packet, to the management core;
the management core queries the communication link configuration file to acquire the address information of the second device corresponding to the current communication link;
the management core modifies the destination address of the third data packet into the address of the second device, modifies the source address of the third data packet into the external address of the first device, and encapsulates the packet to obtain a fourth data packet;
the management core sends the fourth data packet to the second device.
According to another implementation of this embodiment, a secure communication proxy module is provided on the management core;
the secure communication proxy module is used for establishing TCP secure communication connection with an external device including the second device;
the secure communication proxy module is further configured to create a virtual proxy endpoint, where the proxy endpoint includes a proxy client and a proxy server, and the proxy endpoint is configured to establish a TCP service connection with a kernel of the first device;
the secure communication proxy module is also used for proxy sending and receiving TCP traffic.
According to another implementation of this embodiment, the communication link profile further includes:
address information of the external device, whether the communication link is enabled, a proxy server address or port name, a proxy server port number, a proxy client address or port name, a proxy client port number, whether a link between the external device and the proxy endpoint is encrypted, and whether a link between the proxy endpoint and the target kernel is encrypted.
According to another implementation of the present embodiment, the external device includes: SCADA tools on a PC host, background servers and other interconnected devices.
According to another implementation of the present embodiment, a first device may establish TCP secure communication connections with a plurality of external devices; the first device includes at least one multi-core processor.
According to another implementation manner of the embodiment, a service processing and forwarding module is arranged on the management core;
the service processing and forwarding module is used for processing TCP communication service between the external device including the second device and the management core; the service processing and forwarding module is further configured to forward service traffic between cores of the first device based on NAPT technology.
The TCP communication link between the external entity and the first device is uniformly configured and described through the communication link configuration file, which makes management, expansion and customization convenient; according to the invention, the TCP secure communication connection is established between the unique external IP address of the first device and the external device, which simplifies the expansion of security functions and reduces the difficulty of modifying and developing modules; the invention conceals the network details between the cores of the first device through NAPT-based network address and port translation, and further improves communication network security when the first device interacts with the external device.
Example two
FIG. 2 schematically illustrates an application of a TCP secure communication proxy method in a power system according to an embodiment of the present invention; FIG. 3 schematically shows a flow chart of TCP communication traffic interaction with the first device core n when the external device acts as a client according to an embodiment of the invention; FIG. 4 schematically illustrates a flow chart of TCP communication traffic interaction with the first device core n when the external device acts as a server according to an embodiment of the present invention; FIG. 5 schematically illustrates a flow chart of TCP communication traffic interaction with a first device management core when an external device acts as a client, according to one embodiment of the invention; FIG. 6 schematically illustrates a flow chart of TCP communication traffic interaction with a first device management core when an external device acts as a server according to an embodiment of the present invention. As shown in FIGS. 2 to 6, according to an embodiment of the present invention, a power system includes a host SCADA tool, a background server system, an embedded device with a multi-core CPU, and other devices, and a TCP secure communication proxy method is applied to the embedded device with the multi-core CPU, where the embedded device with the multi-core CPU has a plurality of cores, including core 0, core 1, core 2 … …, core n, where n is a natural number greater than or equal to 1, core 0 is the management core, core 0 runs a Linux operating system instance, and the other cores run real-time or non-real-time operating system instances; the embedded device with the multi-core CPU presents a unique external IP address to the outside, and each core is assigned a corresponding internal IP address;
core 0 also comprises a communication link configuration file, a secure communication proxy module and a service processing and forwarding module;
the communication link configuration file is deployed in the file system of CPU core 0 and is used for describing the basic information of the TCP secure communication link, including: the link owner (IP address information of the external entity), whether the link is enabled, the proxy server IP address or network port name, the proxy server port number, the proxy client IP address or network port name, the proxy client port number, whether the link between the external entity and the proxy is encrypted, whether the link between the proxy endpoint and the actual CPU core is encrypted, etc. The format of the configuration file is not limited; in this embodiment, the configuration file adopts an XML format.
The secure communication proxy module establishes a TCP secure communication connection with an external entity according to the user configuration, where the connection uses a transport layer security protocol based on SSL/TLS. It also creates a virtual proxy endpoint (client or server) for establishing TCP service connections with the service entity (core 0 or another core). The service connection may be either a secure connection or a transparent forwarding connection, depending on the user configuration.
The service processing and forwarding module translates the source address or destination address in the data packet based on NAPT technology according to the user configuration. If interaction with CPU core 0 is needed, the unique external IP address is used directly to establish the corresponding proxy connection; if interaction with another CPU core is needed, the proxy connection is established between core 0 and the other core using the NAT-translated internal IP address.
In this embodiment, the SCADA tool on the PC host acts as a client (IP address: 192.168.0.100) and performs TCP interaction with device core 1 acting as a server (external IP address: 192.168.0.1, internal IP address: 10.0.0.2);
the communication link profile is set to:
<link id="1" owner="SCADA" sAddr="192.168.0.1" sPort="5555" sWithEnc="1" cAddr="10.0.0.2" cPort="6666" cWithEnc="0" enable="1"/>
wherein:
(1) id uniquely identifies the TCP connection configuration.
(2) owner represents the owner of the TCP connection.
(3) sAddr represents the secure communication proxy IP address.
(4) sPort represents the secure communication proxy service port number.
(5) sWithEnc represents whether the secure communication connection is encrypted: 1 represents encrypted, and 0 represents not encrypted.
(6) cAddr represents the IP address of the server that the proxy connection needs to connect to.
(7) cPort represents the service port number that the proxy connection needs to connect to.
(8) cWithEnc represents whether the proxy connection is encrypted: 1 represents encrypted, and 0 represents not encrypted.
(9) enable indicates whether the connection is enabled: 1 indicates enabled, and 0 indicates not enabled.
The secure communication proxy module establishes two TCP service endpoints according to the communication link configuration file, and the specific communication process is as follows:
(1) The 192.168.0.1:5555 server listens for the connection initiated by the SCADA tool client (assumed to be 192.168.0.100:12345); this is referred to as the secure communication connection.
(2) A proxy connection client (assumed to be 192.168.0.1:4444) is created and attempts to establish a connection with 10.0.0.2:6666; this is referred to as the proxy connection.
(3) The secure communication connection and the proxy connection are associated, i.e. TCP traffic of the former connection is forwarded transparently to the latter connection, and vice versa.
(4) When the SCADA tool client 192.168.0.100:12345 on the PC sends a request, 192.168.0.1:5555 receives a TCP packet over the secure communication connection and transparently forwards the packet to 192.168.0.1:4444. The service processing and forwarding module performs NAT address translation based on NAPT technology, modifies the source IP address and port 192.168.0.1:4444 in the packet to 10.0.0.1:4444, and forwards it to 10.0.0.2:6666.
10.0.0.2:6666 replies by sending a packet to 10.0.0.1:4444; the service processing and forwarding module receives the packet and modifies the destination address 10.0.0.1:4444 to 192.168.0.1:4444. The data packet is then transparently forwarded by 192.168.0.1:4444 to 192.168.0.1:5555, which finally forwards it over the secure communication connection to 192.168.0.100:12345, the SCADA tool client on the PC.
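The four-hop exchange just described, as an added Python model that is not part of the patent or the applicant's code; it assumes, as in the example above, that core 0's internal address is 10.0.0.1 and that the proxy client's local port is 4444, and it constructs the SCADA request and core 1's reply inline. Packets that match no enabled link, or replies with no NAPT entry, are dropped.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: the single <link> entry from the page, wrapped in a root element.
CONFIG_XML = """<links>
  <link id="1" owner="SCADA" sAddr="192.168.0.1" sPort="5555" sWithEnc="1"
        cAddr="10.0.0.2" cPort="6666" cWithEnc="0" enable="1"/>
</links>"""

EXTERNAL_IP = "192.168.0.1"     # the device's unique external IP address (from the page)
CORE0_INTERNAL_IP = "10.0.0.1"  # assumed: internal address of management core 0 (page example)


@dataclass(frozen=True)
class Link:
    link_id: str
    owner: str
    s_addr: str        # sAddr: proxy server (secure communication) address
    s_port: int        # sPort
    s_with_enc: bool   # sWithEnc: external leg uses SSL/TLS
    c_addr: str        # cAddr: service address the proxy client connects to
    c_port: int        # cPort
    c_with_enc: bool   # cWithEnc: internal leg encrypted
    enabled: bool      # enable


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


def parse_links(xml_text: str) -> Dict[Endpoint, Link]:
    """Index every <link> by its proxy-server listening endpoint (sAddr, sPort)."""
    links: Dict[Endpoint, Link] = {}
    for el in ET.fromstring(xml_text).findall("link"):
        a = el.attrib
        link = Link(a["id"], a["owner"], a["sAddr"], int(a["sPort"]), a["sWithEnc"] == "1",
                    a["cAddr"], int(a["cPort"]), a["cWithEnc"] == "1", a["enable"] == "1")
        links[(link.s_addr, link.s_port)] = link
    return links


def unencrypted_external_links(links: Dict[Endpoint, Link]):
    """Review check: enabled links whose external leg is configured without encryption."""
    return [l.link_id for l in links.values() if l.enabled and not l.s_with_enc]


class ManagementCore:
    """Core 0: the proxy endpoints plus the NAPT table that hides internal addresses."""

    def __init__(self, links: Dict[Endpoint, Link], proxy_client_port: int = 4444):
        self.links = links
        self.proxy_client_port = proxy_client_port
        # proxy-client endpoint -> (external client endpoint, link); one session per port here
        self.sessions: Dict[Endpoint, Tuple[Endpoint, Link]] = {}
        self.napt: Dict[Endpoint, Endpoint] = {}  # internal endpoint -> external endpoint

    def accept_external(self, pkt: Packet) -> Optional[Packet]:
        """Hop 1: proxy server -> proxy client. Unconfigured or disabled links are dropped."""
        link = self.links.get(pkt.dst)
        if link is None or not link.enabled:
            return None
        proxy_client = (EXTERNAL_IP, self.proxy_client_port)
        self.sessions[proxy_client] = (pkt.src, link)
        return Packet(proxy_client, (link.c_addr, link.c_port), pkt.payload)

    def napt_out(self, pkt: Packet) -> Packet:
        """Hop 2: rewrite the external source to core 0's internal address, keeping the port."""
        internal = (CORE0_INTERNAL_IP, pkt.src[1])
        self.napt[internal] = pkt.src
        return Packet(internal, pkt.dst, pkt.payload)

    def napt_in(self, pkt: Packet) -> Optional[Packet]:
        """Hop 3: reverse translation for a reply from core n; unknown flows are dropped."""
        external = self.napt.get(pkt.dst)
        if external is None:
            return None
        return Packet(pkt.src, external, pkt.payload)

    def return_to_external(self, pkt: Packet) -> Optional[Packet]:
        """Hop 4: proxy client -> proxy server, then out over the secure connection."""
        entry = self.sessions.get(pkt.dst)
        if entry is None:
            return None
        ext_client, link = entry
        return Packet((link.s_addr, link.s_port), ext_client, pkt.payload)


def round_trip(core0: ManagementCore, request: Packet):
    """Drive one request and its reply through all four hops; returns (wire, final) or None."""
    proxied = core0.accept_external(request)
    if proxied is None:
        return None
    wire = core0.napt_out(proxied)
    reply = Packet(wire.dst, wire.src, b"reply to " + wire.payload)  # constructed reply from core 1
    back = core0.napt_in(reply)
    if back is None:
        return None
    return wire, core0.return_to_external(back)
```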
In this embodiment, when the SCADA needs to interact with device core 1, a secure communication connection is established between the SCADA and device core 0, and the security proxy on device core 0 hides the details of internal communication, so that communication between an external entity and the device is always secure.
As shown in FIGS. 3 and 4, according to another implementation of the present embodiment, when an external entity acts as a client, a virtual TCP proxy server and a virtual TCP proxy client are created in core 0; the external entity client sends a data packet to the virtual TCP proxy server, the virtual TCP proxy server forwards the received data packet to the virtual TCP proxy client by proxy, and the virtual TCP proxy client forwards the data packet to the actual TCP server on core n through secure encrypted transmission or transparent forwarding;
when the external entity acts as a server, a virtual TCP proxy client and a virtual TCP proxy server are created in core 0; the external entity server sends the data packet to the virtual TCP proxy client, the virtual TCP proxy client forwards the received data packet to the virtual TCP proxy server by proxy, and the virtual TCP proxy server transmits the data packet to the actual TCP client on core n through secure encrypted transmission or transparent forwarding.
As shown in FIGS. 5 and 6, according to another implementation of the present embodiment, when an external entity acts as a client, a virtual TCP proxy server and a virtual TCP proxy client are created in core 0; the external entity client sends a data packet to the virtual TCP proxy server, the virtual TCP proxy server forwards the received data packet to the virtual TCP proxy client by proxy, and the virtual TCP proxy client forwards the data packet to the actual TCP server on core 0 through secure encrypted transmission or transparent forwarding;
when the external entity acts as a server, a virtual TCP proxy client and a virtual TCP proxy server are created in core 0; the external entity server sends the data packet to the virtual TCP proxy client, the virtual TCP proxy client forwards the received data packet to the virtual TCP proxy server by proxy, and the virtual TCP proxy server transmits the data packet to the actual TCP client on core 0 through secure encrypted transmission or transparent forwarding.
The invention meets the current network security function requirements for electric power secondary equipment, and the user can flexibly configure it according to different application scenarios, so it has good expandability and high security. The invention uniformly configures and describes the TCP communication link between the external entity and the embedded device with the multi-core CPU through the communication link configuration file, which makes management, expansion and customization convenient. The embedded device with the multi-core CPU establishes the TCP secure communication connection with an external entity through its unique external IP address, which simplifies the expansion of security functions and reduces the difficulty of modifying and developing modules; the invention conceals network details among the cores of the embedded device's multi-core CPU through NAPT-based network address and port translation, and further improves communication network security when the device interacts with an external entity.
Example III
FIG. 7 schematically illustrates a structural diagram of a TCP secure communication proxy system according to an embodiment of the present invention. As shown in FIG. 7, according to an embodiment of the present invention, a TCP secure communication proxy system is applied to a first device with a multi-core processor including a plurality of cores including a management core; the TCP secure communication proxy system comprises:
a communication link configuration module 10, configured to store a communication link configuration file, where the communication link configuration file is used to describe basic information of a TCP secure communication link, and includes: address information of the external device, whether the communication link is enabled, a proxy server address or port name, a proxy server port number, a proxy client address or port name, a proxy client port number, whether a link between the external device and the proxy endpoint is encrypted, and whether a link between the proxy endpoint and the target kernel is encrypted;
a secure communication proxy module 20 for establishing a TCP secure communication connection with an external device; the secure communication proxy module 20 is further configured to create a virtual proxy endpoint, where the proxy endpoint includes a proxy client and a proxy server, and the proxy endpoint is configured to establish a TCP service connection with a kernel of the first device; the secure communication proxy module is also used for proxy sending and receiving TCP traffic;
a service processing and forwarding module 30 for processing TCP communication service between the external device and the management core; the service processing and forwarding module is further used for forwarding service traffic between kernels of the first device based on the NAPT technology;
the TCP secure communication proxy system realizes the mapping between the TCP secure communication connection and the TCP service connection on the management core by querying the communication link configuration file.
To achieve the above object, the present invention also provides an electronic device including a processor, a memory, and a computer program stored on the memory and executable on the processor, the computer program implementing any one of the TCP secure communication proxy methods described above when executed by the processor.
To achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements any of the TCP secure communication proxy methods described above.
The TCP communication link between the external entity and the first device is uniformly configured and described through the communication link configuration file, which makes management, expansion and customization convenient. According to the invention, the TCP secure communication connection is established between the single external IP address of the first device and the external device, which simplifies the extension of security functions and reduces the difficulty of modifying and developing the module. The invention conceals the network details between the kernels of the first device through network address and port translation (NAPT), and thereby further improves the security of the communication network when the first device interacts with the external device.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the system, apparatus and storage medium described above may refer to corresponding procedures in the foregoing method embodiments, which are not described in detail herein.
It should be understood that the sequence numbers of the steps in the summary and the embodiments of the present invention do not necessarily indicate the order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not be construed as limiting the implementation of the embodiments of the present invention.

Claims (10)

1. A TCP secure communication proxy method is applied to a first device with a multi-core processor, wherein the multi-core processor comprises a plurality of cores including a management core; the method is characterized in that:
when a second device sends a first data packet to the first device, the management core establishes TCP secure communication connection with the second device, and the management core receives the first data packet;
the management core queries a communication link configuration file to obtain a target kernel corresponding to the first data packet;
the management core modifies the destination address of the first data packet into an internal address corresponding to the target kernel, and encapsulates the internal address to obtain a second data packet;
the management core sends the second data packet to the target kernel;
the communication link configuration file is used for describing basic information of a TCP secure communication link, and comprises external address information of the first device, address information of the second device corresponding to a current communication link and internal address information of the target kernel corresponding to the current communication link in the first device.
2. The TCP secure communication proxy method according to claim 1, wherein:
the target kernel sends a third data packet generated in response to the second data packet to the management core;
the management core inquires the communication link configuration file and acquires address information of a second device corresponding to the current communication link;
the management core modifies the destination address of the third data packet into the address of the second device, modifies the source address of the third data packet into the external address of the first device, and encapsulates the source address of the third data packet to obtain a fourth data packet;
the management core sends the fourth data packet to the second device.
3. The TCP secure communication proxy method according to claim 1, wherein: the management core is provided with a secure communication proxy module;
the secure communication proxy module is used for establishing TCP secure communication connection with an external device comprising the second device;
the secure communication proxy module is further configured to create a virtual proxy endpoint, where the proxy endpoint includes a proxy client and a proxy server, and the proxy endpoint is configured to establish a TCP service connection with a kernel of the first device;
the secure communication proxy module is also used for proxy sending and receiving TCP traffic.
4. A TCP secure communications proxy method according to claim 3 wherein said communications link profile further comprises:
the method comprises the steps of enabling the address information of the external device, enabling the communication link, enabling the proxy server address or the internet access name, enabling the proxy server port number, enabling the proxy client address or the internet access name, enabling the proxy client port number, enabling the link between the external device and the proxy endpoint to be encrypted, and enabling the link between the proxy endpoint and the target kernel to be encrypted.
5. A TCP secure communication proxy method according to claim 3, wherein said external means comprises: SCADA tools, background servers and other connected devices on the PC host.
6. A TCP secure communications proxy method according to claim 3, wherein:
the first device may establish a TCP secure communication connection with a plurality of the external devices; the first device includes at least one multi-core processor.
7. The TCP secure communication proxy method according to claim 1, wherein: the management core is provided with a service processing and forwarding module;
the service processing and forwarding module is used for processing TCP communication service between an external device including the second device and the management core; the service processing and forwarding module is further configured to forward service traffic between cores of the first device based on NAPT technology.
8. A TCP secure communication proxy system is applied to a first device with a multi-core processor, wherein the multi-core processor comprises a plurality of cores including a management core; the TCP secure communication proxy system is characterized by comprising:
a communication link configuration module, configured to store a communication link configuration file, where the communication link configuration file is used to describe basic information of a TCP secure communication link, and includes: address information of an external device, whether a communication link is started, a proxy server address or a network port name, a proxy server port number, a proxy client address or a network port name, a proxy client port number, whether a link between the external device and a proxy endpoint is encrypted, and whether a link between the proxy endpoint and a target kernel is encrypted;
the secure communication proxy module is used for establishing TCP secure communication connection with the external device; the secure communication proxy module is further configured to create a virtual proxy endpoint, where the proxy endpoint includes a proxy client and a proxy server, and the proxy endpoint is configured to establish a TCP service connection with a kernel of the first device; the secure communication proxy module is also used for proxy sending and receiving TCP traffic;
the service processing and forwarding module is used for processing TCP communication service between the external device and the management core; the service processing and forwarding module is further configured to forward service traffic between cores of the first device based on NAPT technology;
and the TCP secure communication proxy system realizes the mapping between the TCP secure communication connection and the TCP service connection on the management core by querying the communication link configuration file.
9. An electronic device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, which when executed by the processor implements the TCP secure communication proxy method according to any one of claims 1 to 8.
10. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which computer program, when executed by a processor, implements the TCP secure communication proxy method according to any one of claims 1 to 8.
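The forwarding path described in the detailed description above and restated in claims 1 and 2 (configuration lookup, destination rewrite toward the target kernel, and the reverse source rewrite back to the first device's external address), as an added Python example that is not part of the patent; the addresses, ports, the link dictionary layout and the NAPT_TABLE/lookup_link names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed communication link configuration file (hypothetical addresses,
# not taken from the patent). One entry per link, keyed by the external device.
LINKS = {
    "10.0.0.5": {
        "enabled": True,
        "proxy_server": ("192.168.100.1", 2404),  # first device's external address
        "proxy_client": ("192.168.200.1", 40001), # proxy endpoint toward the core
        "target_core": ("192.168.200.2", 2404),   # internal address of target kernel
        "encrypt_external": True,                 # external device <-> proxy endpoint
        "encrypt_internal": False,                # proxy endpoint <-> target kernel
    },
}

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# NAPT state: internal 4-tuple -> external (address, port); filled on inbound,
# consulted on the reply path so replies without an inbound mapping are dropped.
NAPT_TABLE = {}

def lookup_link(external_addr):
    """Return the enabled link entry for an external address, else None."""
    link = LINKS.get(external_addr)
    return link if link and link["enabled"] else None

def inbound(pkt):
    """First packet (external -> management core) to second packet (-> target kernel)."""
    link = lookup_link(pkt.src)
    if link is None or (pkt.dst, pkt.dport) != link["proxy_server"]:
        raise PermissionError(f"no enabled link for {pkt.src} -> {pkt.dst}:{pkt.dport}")
    iaddr, iport = link["target_core"]
    caddr, cport = link["proxy_client"]
    NAPT_TABLE[(iaddr, iport, caddr, cport)] = (pkt.src, pkt.sport)
    return Packet(caddr, cport, iaddr, iport, pkt.payload)

def outbound(pkt):
    """Third packet (target kernel -> management core) to fourth packet (-> external)."""
    ext = NAPT_TABLE.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if ext is None or lookup_link(ext[0]) is None:
        raise PermissionError("reply without a matching inbound mapping")
    saddr, sport = lookup_link(ext[0])["proxy_server"]
    return Packet(saddr, sport, ext[0], ext[1], pkt.payload)
```

Packets from an address with no enabled link, or replies with no inbound mapping, are rejected rather than forwarded, which is the check that keeps the internal addresses of the cores hidden from the outside.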
CN202410038938.6A 2024-01-10 2024-01-10 TCP secure communication proxy method and system Pending CN117857191A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410038938.6A CN117857191A (en) 2024-01-10 2024-01-10 TCP secure communication proxy method and system

Publications (1)

Publication Number Publication Date
CN117857191A true CN117857191A (en) 2024-04-09

Family

ID=90531077

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410038938.6A Pending CN117857191A (en) 2024-01-10 2024-01-10 TCP secure communication proxy method and system

Country Status (1)

Country Link
CN (1) CN117857191A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination