WO2023092497A1 - Groupcast message processing method and related apparatus - Google Patents


Info

Publication number
WO2023092497A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
node device
identification information
group
acl
Application number
PCT/CN2021/133694
Other languages
French (fr)
Chinese (zh)
Inventor
吕小强
茹昭
Original Assignee
Oppo广东移动通信有限公司
Application filed by Oppo广东移动通信有限公司
Priority to CN202180100648.4A (CN117643040A)
Priority to PCT/CN2021/133694 (WO2023092497A1)
Publication of WO2023092497A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5069 Address allocation for group communication, multicast communication or broadcast communication

Definitions

  • the present application relates to the technical field of communications, and in particular to a method for processing a multicast message and a related device.
  • a multicast group is a collection of all node devices registered under the same multicast group identifier. After a multicast message is sent to a multicast group, it will be received by all node devices in the group.
  • Each multicast group corresponds to a shared group key, and the group key is managed by the group key management function set of each node device in the multicast group, and is used for encrypting and decrypting message transmission within the group.
  • Each node device in the multicast group does not know the state of the other node devices, and can only ensure the security of communication within the group through the group key. However, if a node device in the multicast group is illegally controlled, that node device can control the other node devices in the group by constructing a group command, and the other node devices cannot distinguish whether the received group command is a legal or an illegal operation, so the security of communication between node devices in the multicast group is poor.
  • the present application provides a multicast message processing method and a related device, which improve the security of communication between node devices in a multicast group.
  • the present application provides a method for processing a multicast message. The method is applied to a target node device and includes: receiving a multicast message, where the multicast message is a group command and includes group identification information and identification information of the source node device; and determining, according to the group identification information, the identification information of the source node device and the topic information in the access control list (ACL) of the target node device, whether to execute the group command.
  • the target node device receives the multicast message, which is a group command including group identification information and the identification information of the source node device, and the target node device uses that information together with the topic information in its ACL to judge whether to execute the group command.
  • the source of the group command is restricted through the topic information in the ACL, so that group commands issued by a control node device are executed by the other devices in the group.
  • After the target node device receives the group command, it checks the topic information in the ACL and combines it with the identification information of the source node device to determine whether the group command from the source node device can be executed. This prevents a node device in the multicast group that has been illegally controlled from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • the method further includes: receiving ACL configuration information from a configurator, where the ACL configuration information includes the group identification information and identification information of at least one control node device; and configuring the ACL according to the group identification information and the identification information of the at least one control node device.
  • configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information in the first information of the first access control entity (ACE) of the ACL; and configuring the identification information of the at least one control node device in at least one topic information of the first ACE, where the identification information of the at least one control node device is in one-to-one correspondence with the at least one topic information.
  • configuring the ACL according to the group identification information and the identification information of the at least one control node device further includes: configuring the number n of identification information of the at least one control node device in the first information.
  • configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information in each of at least one topic information of the first ACE of the ACL; compressing the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of at least one control node device; and configuring the compressed identification information of the at least one control node device in the at least one topic information that includes the group identification information, where the compressed identification information of the at least one control node device corresponds one-to-one to the at least one topic information.
  • configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: compressing the group identification information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one first compressed information; and configuring the at least one first compressed information in at least one topic information of the ACL, where the at least one first compressed information is in one-to-one correspondence with the at least one topic information.
  • judging whether to execute the group command includes: determining the first ACE in the ACL according to the group identification information; searching the first ACE for topic information that matches the identification information of the source node device; and if it is present, executing the group command.
  • judging whether to execute the group command includes: determining the first information in the ACL according to the group identification information; searching the last n topic information of the first information for information that matches the identification information of the source node device; and if it is present, executing the group command.
  • judging whether to execute the group command includes: determining, according to the group identification information, at least one topic information in the ACL that includes the group identification information; compressing the identification information of the source node device to obtain compressed identification information of the source node device; checking whether the at least one topic information containing the group identification information holds information matching the compressed identification information of the source node device; and if so, executing the group command.
  • judging whether to execute the group command includes: determining, according to the group identification information, at least one topic information in the ACL that includes the group identification information; decompressing the at least one topic information including the group identification information to obtain at least one first decompressed information; checking whether the at least one first decompressed information holds information matching the identification information of the source node device; and if so, executing the group command.
  • judging whether to execute the group command includes: compressing the group identification information and the identification information of the source node device to obtain second compressed information; searching the ACL for topic information that matches the second compressed information; and if it is present, executing the group command.
  • judging whether to execute the group command includes: decompressing at least one topic information in the ACL to obtain at least one second decompressed information; checking whether the at least one second decompressed information holds information matching both the group identification information and the identification information of the source node device; and if it exists, executing the group command.
  • judging, according to the group identification information, the identification information of the source node device, and the topic information in the access control list (ACL) of the target node device, whether to execute the group command further includes: if no match exists, not executing the group command.
  • the method further includes: receiving group table configuration information from a configurator, where the group table configuration information includes first indication information, and the first indication information is used to indicate whether the target node device is a control node device; and configuring the first indication information in the group table of the target node device.
  • the ACL configuration information further includes authentication mode configuration information.
  • the method further includes: according to the authentication mode configuration information, configuring the authentication mode of the ACE in the ACL as enhanced group-based secure connection.
  • the present application provides a method for processing a multicast message.
  • the method is applied to a configurator and includes: sending access control list (ACL) configuration information to a target node device, where the ACL configuration information includes group identification information and identification information of at least one control node device, the ACL configuration information is used to instruct the target node device to configure the ACL according to the group identification information and the identification information of the at least one control node device, and the topic information in the ACL is used by the target node device to judge whether to execute the group command.
  • the configurator sends ACL configuration information to the target node device, the ACL configuration information includes group identification information and identification information of at least one control node device, and the target node device configures the ACL according to the group identification information and the identification information of the at least one control node device.
  • the method further includes: sending group table configuration information to multiple node devices in the multicast group, where the group table configuration information includes first indication information, the group table configuration information is used to instruct each of the multiple node devices to configure the first indication information in its group table, and the first indication information is used to indicate whether each node device is a control node device.
  • before sending the access control list (ACL) configuration information to the target node device, the method further includes: determining the ACL configuration information according to the first indication information.
  • the present application provides a communication device, which is applied to a target node device, and includes: a transceiver unit for receiving a multicast message, where the multicast message is a group command and includes group identification information and identification information of the source node device; and a processing unit configured to determine, according to the group identification information, the identification information of the source node device and the topic information in the ACL of the target node device, whether to execute the group command.
  • the transceiver unit is further configured to receive ACL configuration information from a configurator, where the ACL configuration information includes the group identification information and identification information of at least one control node device; and the processing unit is further configured to configure the ACL according to the group identification information and the identification information of the at least one control node device.
  • the processing unit is specifically configured to: configure the group identification information in the first information of the first access control entity (ACE) of the ACL; and configure the identification information of the at least one control node device in at least one topic information of the first ACE, where the identification information of the at least one control node device corresponds one-to-one to the at least one topic information.
  • the processing unit is further configured to: configure the number n of identification information of the at least one control node device in the first information.
  • the processing unit is specifically configured to: configure the group identification information in each of at least one topic information of the first ACE of the ACL; compress the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of at least one control node device; and configure the compressed identification information of the at least one control node device in the at least one topic information that includes the group identification information, where the compressed identification information of the at least one control node device corresponds one-to-one to the at least one topic information.
  • the processing unit is specifically configured to: compress the group identification information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one first compressed information; and configure the at least one first compressed information in the at least one topic information of the ACL, where the at least one first compressed information is in one-to-one correspondence with the at least one topic information.
  • the processing unit is specifically configured to: determine the first ACE in the ACL according to the group identification information; check whether the first ACE holds topic information matching the identification information of the source node device; and if so, execute the group command.
  • the processing unit is specifically configured to: determine the first information in the ACL according to the group identification information; check whether the last n topic information of the first information holds information matching the identification information of the source node device; and if so, execute the group command.
  • the processing unit is specifically configured to: determine, according to the group identification information, at least one topic information in the ACL that includes the group identification information; compress the identification information of the source node device to obtain compressed identification information of the source node device; search the at least one topic information containing the group identification information for information matching the compressed identification information of the source node device; and if it is present, execute the group command.
  • the processing unit is specifically configured to: determine, according to the group identification information, at least one topic information in the ACL that includes the group identification information; decompress the at least one topic information containing the group identification information to obtain at least one first decompressed information; search the at least one first decompressed information for information matching the identification information of the source node device; and if it is present, execute the group command.
  • the processing unit is specifically configured to: compress the group identification information and the identification information of the source node device to obtain second compressed information; check whether the ACL holds topic information matching the second compressed information; and if so, execute the group command.
  • the processing unit is specifically configured to: decompress at least one topic information in the ACL to obtain at least one second decompressed information; check whether the at least one second decompressed information holds information matching the group identification information and the identification information of the source node device; and if so, execute the group command.
  • the processing unit is further configured to: if no match exists, not execute the group command.
  • the transceiver unit is further configured to receive group table configuration information from a configurator, where the group table configuration information includes first indication information, and the first indication information is used to indicate whether the target node device is a control node device; the processing unit is further configured to configure the first indication information in the group table of the target node device.
  • the ACL configuration information further includes authentication mode configuration information.
  • the processing unit is further configured to: according to the authentication mode configuration information, configure the authentication mode of the ACE in the ACL as enhanced group-based secure connection.
  • the present application provides a communication device, which is applied to a configurator, and includes: a transceiver unit configured to send access control list (ACL) configuration information to a target node device, where the ACL configuration information includes group identification information and identification information of at least one control node device, the ACL configuration information is used to instruct the target node device to configure the ACL according to the group identification information and the identification information of the at least one control node device, and the topic information in the ACL is used by the target node device to judge whether to execute the group command.
  • the transceiver unit is further configured to: send group table configuration information to multiple node devices in the multicast group, where the group table configuration information includes first indication information, the group table configuration information is used to instruct each node device among the plurality of node devices to configure the first indication information in its group table, and the first indication information is used to indicate whether each node device is a control node device.
  • the apparatus further includes a processing unit configured to: determine the ACL configuration information according to the first indication information of the plurality of node devices.
  • the present application provides a target node device, including a memory, a processor, and a program stored in the memory and operable on the processor, where the processor, when executing the program, implements the method of the first aspect or of any possible implementation of the first aspect.
  • the present application provides a configurator, including a memory, a processor, and a program stored in the memory and operable on the processor, where the processor, when executing the program, implements the method of the second aspect or of any possible implementation of the second aspect.
  • the present application provides a computer-readable storage medium for storing instructions; when the instructions are executed by a processor, the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect, is performed.
  • the present application provides a computer program product containing instructions; when it runs on a computer, the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect, is carried out.
  • FIG. 1 is a schematic diagram of a method for processing a group command provided in an embodiment of the present application
  • FIG. 2 is a schematic diagram of another group command processing method provided by the embodiment of the present application.
  • FIG. 3 is a schematic diagram of another group command processing method provided by the embodiment of the present application.
  • FIG. 4 is a schematic diagram of another group command processing method provided by the embodiment of the present application.
  • FIG. 5 is a schematic diagram of another group command processing method provided by the embodiment of the present application.
  • FIG. 6 is a schematic diagram of another group command processing method provided by the embodiment of the present application.
  • FIG. 7 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of another communication device provided by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of a target node device provided in an embodiment of the present application.
  • FIG. 10 is a schematic diagram of a configurator provided by an embodiment of the present application.
  • "At least one" in the embodiments of the present application refers to one or more, and "multiple" refers to two or more.
  • "And/or" describes the association relationship of associated objects and indicates that three kinds of relationship may exist; for example, A and/or B can mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B can be singular or plural.
  • the character "/" generally indicates that the contextual objects are in an "or" relationship.
  • "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items.
  • At least one item (piece) of a, b, or c can represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c can be single or multiple.
  • "first" and "second" are used to distinguish multiple objects, and are not used to limit the order, timing, priority or importance of those objects.
  • the first information and the second information are only distinguished as different pieces of information; the terms do not indicate any difference in content, priority, sending order, or degree of importance between the two kinds of information.
  • Matter is an application layer protocol launched by the Connectivity Standards Alliance (CSA); it is a new connection standard based on the Internet protocol (IP).
  • the Matter protocol defines an IPv6-based application layer deployed on devices to achieve its interoperability architecture goals.
  • Multicast group refers to the collection of all node devices registered under the same multicast group identifier (ID). After a multicast message is sent to the multicast group, all node devices in the group receive it.
  • Group session: formed by one or more multicast messages, including the following information:
  • Domain index (fabric index), indicating the fabric domain to which the group session belongs.
  • Group ID (group ID), which is the unique identifier of a multicast group.
  • Source node ID (source node ID), indicating the source node device ID of the group session.
  • Source IP address (source IP address), indicating the source Internet protocol (IP) address of the source node device of the group session message.
  • Source port (source port), indicating the source port of the source node device of the group session message.
  • Operational group key (operational group key), which is the encryption key for group session messages.
  • Group session ID (group session ID).
  • Group table: in a multicast group supporting the Matter protocol, each node device has a group table indicating group membership. One or more endpoints on the node device can belong to the same multicast group, and any endpoint on the node device can also belong to one or more multicast groups.
  • Group key management function set (group key management cluster): in a multicast group that supports the Matter protocol, each node device has a group key management function set for managing group keys, including attributes and methods (commands). The attributes in the group key management function set are shown in Table 1, and the commands in the group key management function set are shown in Table 2.
  • The flags F and A indicate, respectively, that access is distinguished according to the fabric and that administrator privileges are required.
  • the attributes of the group key management function set are used to maintain the group table of the node device, and the information included in the group table is shown in Table 3.
  • FabricIndex indicates the fabric domain to which the group session belongs.
  • GroupID is the unique identifier of a multicast group.
  • GroupKeySetIndex points to the shared group key of the multicast group, which is used to encrypt and decrypt message transmission within the group.
  • Endpoints are endpoints belonging to the multicast group on the node device.
  • GroupName is the name of the multicast group.
  • fabric-idx represents the data type of the fabric index defined by the standard.
  • group-id represents the data type of the group identifier defined by the standard. desc means refer to the detailed description section. all means that all values of the numeric data type are allowed.
  • after receiving a message, the node device checks the group table to determine which endpoints in the group table correspond to the same group ID as the group ID in the multicast message; the endpoints corresponding to that group ID belong to the multicast group of the multicast message. The multicast message is then delivered to each endpoint on the node device that belongs to that multicast group.
  • Access control list (ACL): specifies the access rights of other node devices to this node device.
  • ACL function set (ACL cluster): used to control the access rights of node devices. Each node device has an ACL function set. When a node device receives a request, it first checks whether the requester has permission in the ACL.
  • the ACL function set includes attributes, and the attributes in the ACL function set are shown in Table 4.
  • the information included in the access control entity structure is shown in Table 5.
  • the privileges in the access control entity structure include:
  • View, which means read and subscribe permissions (except for the ACL function set).
  • Proxy view, which means read and subscribe permissions.
  • Operation, which means the right to read and execute the main functions of the device (except for the ACL function set).
  • Administrator, which means management authority together with the authority to subscribe to and modify the ACL function set.
  • the authentication mode (AuthMode) in the access control entity structure includes:
  • PASE (passcode authenticated session)
  • CASE (certificate authenticated session)
  • GROUP (group authenticated session)
  • When a node device in the multicast group receives a multicast message and checks the ACL, the content of the subjects (Subjects) in the ACL is the group ID, which means that after any node device in the multicast group sends a group command, all other node devices that receive the group command must execute it. If a node device in the multicast group is illegally controlled, that node device can control the other node devices in the group by constructing a group command, and the other node devices cannot distinguish whether the received group command is a legal or an illegal operation. The communication security between node devices in the multicast group is therefore poor.
  • FIG. 1 is a schematic diagram of a method for processing group commands provided by an embodiment of the present application. As shown in Figure 1, the processing method for group commands includes:
  • the target node device receives a multicast message, where the multicast message is a group command, and the multicast message includes group identification information and identification information of a source node device.
  • the target node device and the source node device belong to the first multicast group.
  • the source node device sends a multicast message.
  • the multicast message is a group command.
  • the target node device receives the multicast message.
  • the group identification information included in the multicast message is group identification information of the first multicast group.
  • the target node device judges whether to execute the group command according to the group identification information, the identification information of the source node device, and the subject information in the ACL of the target node device.
  • before judging whether to execute the group command according to the group identification information, the identification information of the source node device, and the topic information in the ACL, the method also includes: receiving ACL configuration information from the configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device; and configuring the ACL according to the group identification information and the identification information of the at least one control node device.
  • the target node device receives ACL configuration information from the configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
  • the target node device configures the ACL according to the group identification information and the identification information of the at least one control node device.
  • the ACL configuration information may also include other information, such as a domain index (FabricIndex), authority (Privilege) and authentication mode (AuthMode); the target node device also configures this other information in the ACL.
  • the configurator is used to configure the node devices in the multicast group, and the node devices in the same multicast group are configured by one configurator.
  • the group identification information in the ACL configuration information is group identification information of the first multicast group, and the identification information of at least one control node device is used to indicate at least one control node device in the first multicast group.
  • the configurator determines one or more node devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • configuring the ACL includes: configuring the group identification information in the first information of the first access control entity (ACE) of the ACL; and configuring the identification information of the at least one control node device in at least one subject information of the first ACE, where the identification information of the at least one control node device is in one-to-one correspondence with the at least one subject information.
  • the ACL of the target node device includes one or more access control entities (access control entity, ACE), and each ACE includes a piece of first information and one or more subject information (subject ID).
  • the first information may be subject information in the ACE.
  • after receiving the ACL configuration information, the target node device configures the group identification information in the ACL configuration information in the first information of the first ACE, and configures the identification information of the at least one control node device in the ACL configuration information in the subject information of the first ACE.
  • when the control node devices in the first multicast group include node device 1, node device 2 and node device 3, the group commands sent by node device 1, node device 2 and node device 3 will be executed by the other node devices in the group, and the identification information of node device 1, node device 2 and node device 3 is configured respectively in the three subject information of the first ACE, with one identification information corresponding to one subject information.
  • one ACE corresponds to one multicast group, and group identification information of other multicast groups and identification information of control node devices need to be configured in other ACEs.
  • configuring the ACL according to the group identification information and the identification information of the at least one control node device further includes: configuring the number n of the identification information of the at least one control node device in the first information.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more first information and one or more subject information.
  • the first information may be subject information in the ACE.
  • the target node device configures the group identification information in the ACL configuration information in the first information of the first ACE, and configures the identification information of the at least one control node device in the ACL configuration information in the subject information of the first ACE.
  • the number n of identification information of the at least one control node device is also configured in the first information.
  • when the control node devices in the first multicast group include node device 1, node device 2 and node device 3, the identification information of node device 1, node device 2 and node device 3 is configured respectively in three subject information of the first ACE.
  • one identification information corresponds to one subject information.
  • the number n of identification information is 3, and n = 3 is also configured in the first information.
  • one ACE corresponds to one or more multicast groups, and group identification information of other multicast groups and identification information of control node devices may also be configured in the first ACE.
  • configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information respectively in at least one subject information of the first ACE of the ACL; compressing the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device; and configuring the compressed identification information of the at least one control node device in the at least one subject information containing the group identification information, where the compressed identification information of the at least one control node device is in one-to-one correspondence with the at least one subject information.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more subject information.
  • the target node device configures the group identification information in the ACL configuration information in at least one subject information of the first ACE, compresses the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device, and also configures the compressed identification information of the at least one control node device respectively in the at least one subject information that includes the group identification information.
  • when the control node devices in the first multicast group include node device 1, node device 2 and node device 3, the group identification information is configured respectively in three subject information, and the compressed identification information of node device 1, node device 2 and node device 3 is also configured respectively in the three subject information; that is to say, each of the three subject information includes the group identification information and one piece of compressed identification information.
  • one ACE corresponds to one or more multicast groups, and the group identification information of other multicast groups and the compressed identification information of their control node devices may also be configured in the first ACE.
  • configuring the ACL includes: compressing the group identification information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one first compressed information; and configuring the at least one first compressed information in at least one subject information of the ACL, where the at least one first compressed information corresponds one by one to the at least one subject information.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more subject information.
  • the target node device compresses the group identification information in the ACL configuration information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one first compressed information, and configures the at least one first compressed information in at least one subject information of the ACL.
  • when the control node devices in the first multicast group include node device 1, node device 2 and node device 3, the group identification information is compressed together with the identification information of node device 1, the identification information of node device 2 and the identification information of node device 3 respectively, to obtain three first compressed information.
  • each subject information includes one first compressed information.
  • one first compressed information is obtained by compressing the group identification information together with the identification information of one control node device.
  • one ACE corresponds to one or more multicast groups, and information obtained by compressing the group identification information and the identification information of the control node device for other multicast groups may also be configured in the first ACE.
  • judging whether to execute the group command includes: determining the first ACE in the ACL according to the group identification information; checking whether there is subject information in the first ACE matching the identification information of the source node device; and, if there is, executing the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the first ACE in the ACL of the target node device is determined according to the group identification information; the first ACE also includes at least one subject information, and the subject information is configured with the identification information of the control node devices in the multicast group.
  • in the first ACE, check whether there is subject information matching the identification information of the source node device. If there is, it means that the source node device is a control node device in the multicast group, so the group command sent by the source node device can be executed; the target node device executes the group command, otherwise it does not execute it.
  • judging whether to execute the group command includes: determining the first information in the ACL according to the group identification information; checking whether there is information matching the identification information of the source node device in the last n subject information of the first information; and, if there is, executing the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • according to the group identification information, determine the first information in the ACL of the target node device and obtain the number n of identification information from the first information; the last n subject information of the first information are configured with the identification information of the control node devices in the multicast group. Check whether there is subject information matching the identification information of the source node device in the last n subject information of the first information. If there is, it means that the source node device is a control node device in the multicast group, so the group command sent by the source node device can be executed; the target node device executes the group command, otherwise it does not execute it.
  • judging whether to execute the group command includes: determining, according to the group identification information, at least one subject information in the ACL that contains the group identification information; compressing the identification information of the source node device to obtain compressed identification information of the source node device; checking whether there is information matching the compressed identification information of the source node device in the at least one subject information containing the group identification information; and, if there is, executing the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • according to the group identification information, it is determined that the ACL of the target node device contains at least one subject information with the group identification information; the subject information is configured with the compressed identification information of the control node devices in the multicast group, and the compressed identification information of a control node device is obtained by compressing the identification information of that control node device.
  • the identification information of the source node device is compressed using the same algorithm that was used to compress the identification information of the control node devices, to obtain the compressed identification information of the source node device.
  • judging whether to execute the group command includes: determining, according to the group identification information, at least one subject information in the ACL that contains the group identification information; decompressing the at least one subject information containing the group identification information to obtain at least one first decompressed information; checking whether there is information matching the identification information of the source node device in the at least one first decompressed information; and, if there is, executing the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • according to the group identification information, it is determined that the ACL of the target node device contains at least one subject information with the group identification information; the subject information is configured with the compressed identification information of the control node devices in the multicast group, and the compressed identification information of a control node device is obtained by compressing the identification information of that control node device. The at least one subject information including the group identification information is decompressed to obtain at least one first decompressed information, where the first decompressed information includes the identification information of a control node device.
  • judging whether to execute the group command includes: compressing the group identification information together with the identification information of the source node device to obtain second compressed information; checking whether there is subject information in the ACL matching the second compressed information; and, if there is, executing the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the ACL of the target node device includes at least one subject information.
  • the subject information is configured with first compressed information obtained by compressing the group identification information together with the identification information of a control node device in the multicast group.
  • the second compressed information is obtained by compressing the group identification information together with the identification information of the source node device, using the same algorithm that was used to compress the group identification information and the identification information of the control node devices in the multicast group.
  • check whether there is subject information in the ACL that matches the second compressed information. If there is, it means that the source node device is a control node device in the multicast group, so the group command sent by the source node device can be executed; the target node device executes the group command, otherwise it does not execute it.
  • judging whether to execute the group command includes: decompressing at least one subject information in the ACL to obtain at least one second decompressed information; checking whether there is information matching the group identification information and the identification information of the source node device in the at least one second decompressed information; and, if there is, executing the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the ACL of the target node device includes at least one subject information, and the subject information is configured with first compressed information obtained by compressing the group identification information together with the identification information of a control node device in the multicast group. The at least one subject information is decompressed to obtain at least one second decompressed information, where the second decompressed information includes the group identification information and the identification information of a control node device. Check whether there is information in the at least one second decompressed information matching the group identification information included in the group command and the identification information of the source node device. If there is, it indicates that the source node device is a control node device in the multicast group, so the group command issued by the source node device can be executed; the target node device executes the group command, otherwise it does not execute it.
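  • The ACL layouts and the matching step described above, worked through as an added example. This is not code from the patent or from any product; it is written here to show how a target node device can configure its ACE and then judge a received group command under four of the variants: one subject entry per control node ID, a count n with the control node IDs in the last n subject entries, a subject that packs the group ID together with a compressed node ID, and a subject that is the compression of (group ID, node ID). The patent does not name the compression algorithm, the width of a subject entry or the width of a group ID, so this example assumes a 64-bit subject, a 16-bit group ID and a truncated SHA-256 digest as the compression; the names `ACE`, `configure_*`, `may_execute_*` and the node IDs are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Layout assumptions made for this example (the patent does not fix them):
# a subject entry is a 64-bit integer, a group identifier is 16 bits, and
# "compression" of an identifier is a truncated SHA-256 digest.
SUBJECT_BITS = 64
GROUP_BITS = 16
NODE_HASH_BITS = SUBJECT_BITS - GROUP_BITS


def compress(*parts: int, bits: int) -> int:
    """Shorten one or more identifiers to `bits` bits, deterministically.

    The target node device applies the same function when it configures the
    ACL and when it checks a received group command; the compressed matching
    schemes rely on that.
    """
    data = b"".join(p.to_bytes(8, "big") for p in parts)
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << bits) - 1)


@dataclass
class ACE:
    """One access control entry: first information plus subject entries."""
    first_info: dict
    subjects: list = field(default_factory=list)


# --- configuration by the target node device (one function per variant) ---

def configure_plain(group_id, control_nodes):
    """Group ID in the first information, one subject per control node ID."""
    return ACE({"group_id": group_id}, list(control_nodes))


def configure_counted(group_id, control_nodes, leading_subjects=()):
    """Group ID and count n in the first information; the control node IDs
    occupy the last n subject entries, so other subjects may precede them."""
    subjects = list(leading_subjects) + list(control_nodes)
    return ACE({"group_id": group_id, "n": len(control_nodes)}, subjects)


def configure_prefixed(group_id, control_nodes):
    """Each subject carries the group ID in its top bits and the compressed
    control node ID in the remaining bits."""
    subjects = [(group_id << NODE_HASH_BITS) | compress(n, bits=NODE_HASH_BITS)
                for n in control_nodes]
    return ACE({}, subjects)


def configure_combined(group_id, control_nodes):
    """Each subject is the compression of (group ID, control node ID)."""
    return ACE({}, [compress(group_id, n, bits=SUBJECT_BITS) for n in control_nodes])


# --- judgement on receipt of a group command (IDs taken from the message) ---

def may_execute_plain(acl, group_id, source_node):
    for ace in acl:
        if ace.first_info.get("group_id") == group_id:
            return source_node in ace.subjects
    return False  # no ACE for this group: do not execute


def may_execute_counted(acl, group_id, source_node):
    for ace in acl:
        if ace.first_info.get("group_id") == group_id and "n" in ace.first_info:
            n = ace.first_info["n"]
            return n > 0 and source_node in ace.subjects[-n:]
    return False


def may_execute_prefixed(acl, group_id, source_node):
    wanted = (group_id << NODE_HASH_BITS) | compress(source_node, bits=NODE_HASH_BITS)
    return any(wanted in ace.subjects for ace in acl)


def may_execute_combined(acl, group_id, source_node):
    second = compress(group_id, source_node, bits=SUBJECT_BITS)
    return any(second in ace.subjects for ace in acl)


# Constructed sample: group 0x0101 with three control nodes; 0x4444 is a group
# member that is not a control node, and 0x9999 is a subject of another group.
GROUP = 0x0101
CONTROL = [0x1111, 0x2222, 0x3333]


def demo():
    """Return, per variant, (command from control node, command from non-control node)."""
    acls = {
        "plain": [configure_plain(GROUP, CONTROL)],
        "counted": [configure_counted(GROUP, CONTROL, leading_subjects=[0x9999])],
        "prefixed": [configure_prefixed(GROUP, CONTROL)],
        "combined": [configure_combined(GROUP, CONTROL)],
    }
    checks = {"plain": may_execute_plain, "counted": may_execute_counted,
              "prefixed": may_execute_prefixed, "combined": may_execute_combined}
    return {name: (checks[name](acls[name], GROUP, 0x2222),
                   checks[name](acls[name], GROUP, 0x4444))
            for name in acls}


if __name__ == "__main__":
    for name, (ok, rejected) in demo().items():
        print(f"{name:9s} control node 0x2222 -> {ok}, other node 0x4444 -> {rejected}")
```

  • In every variant the decision is the same: a group command is executed only when the ACE selected by the group ID lists the source node, so a group member that was never configured as a control node (0x4444 in the sample) is refused even though it holds the group key. The counted variant also shows why the count n matters: the subject 0x9999 that precedes the last n entries is not treated as a control node of this group.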
  • the target node device receives group table configuration information from the configurator, where the group table configuration information includes first indication information, and the first indication information is used to indicate whether the target node device is a control node device; the first indication information is configured in the group table of the target node device.
  • the configurator determines one or more devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • the target node device receives the group table configuration information from the configurator, and the group table configuration information includes first indication information. After receiving the group table configuration information, the target node device configures the first indication information in its group table, where the first indication information is used to indicate whether the target node device is a control node device.
  • the group table of each node device in the multicast group has the first indication information, and the configurator obtains the first indication information from the group table of each node device, so that it can determine which node devices in the multicast group are control node devices.
  • when the configurator sends the ACL configuration information to the node devices in the multicast group, it may determine the control node devices in the group according to the first indication information.
  • the ACL configuration information sent by the configurator to a control node device includes the identification information of the other control node devices in the multicast group except that control node device, and the ACL configuration information sent to the other node devices includes the identification information of all control node devices in the multicast group.
  • the ACL configuration information also includes authentication mode configuration information, and the target node device configures the authentication mode of the ACE in the ACL as an enhanced group-based security connection according to the authentication mode configuration information.
  • the target node device receives the multicast message, which is a group command including group identification information and the identification information of the source node device, and the target node device judges according to the group identification information, the identification information of the source node device and the subject information in its ACL whether to execute the group command.
  • the source of the group command is restricted through the subject information in the ACL, so that the group command issued by a control node device can be executed by the other devices in the group.
  • after the target node device receives the group command, it checks the subject information in the ACL in combination with the identification information of the source node device to determine whether the group command from the source node device can be executed. In this way, a node device in the multicast group that has been illegally controlled is prevented from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • FIG. 2 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 2, the group command processing method includes:
  • the configurator sends group table configuration information to a target node device, where the group table configuration information includes first indication information, and correspondingly, the target node device receives the group table configuration information.
  • the configurator is used to configure the node devices in the multicast group, and the node devices in the same multicast group are configured by one configurator.
  • the configurator determines one or more node devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • the configurator sends group table configuration information to multiple node devices in the multicast group; the group table configuration information includes first indication information, and is used to instruct each of the multiple node devices to configure the first indication information.
  • the first indication information is used to indicate whether each node device is a control node device.
  • the group table configuration information also includes other information, such as domain index, group ID, group key index, etc.
  • the target node device also configures the domain index, group ID, group key index, etc. in the group table.
  • the target node device configures first indication information in the group table, where the first indication information is used to indicate whether the target node device is a control node device.
  • the target node device receives the group table configuration information and configures the first indication information included in it in the group table; if the group table configuration information also includes other information, such as a domain index, group identifier and group key index, the target node device also configures the domain index, group identifier and group key index in the group table.
  • the first indication information is added in the group table of the target node device, and the information contained in the group table of the target node device is shown in Table 6.
  • the data type of the first indication information is a boolean (Boolean) data type.
  • the boolean data type indicates that the first indication information is true or false; when the first indication information is true, it indicates that the target node device is a control node device, and when the first indication information is false or default, it indicates that the target node device is not a control node device.
  • the configurator acquires the first indication information in the group table of the target node device, and judges whether the target node device is a control node device.
  • before sending the ACL configuration information to the target node device, the configurator needs to first determine whether the target node device is a control node device in the multicast group. In a possible implementation manner, the configurator obtains the first indication information from the group table of each node device in the multicast group by sending a request message, so as to determine which devices in the multicast group are control node devices.
  • the configurator may also save information about whether each node device is a control node device when adding each node device to the multicast group, and does not need to obtain information from each node device.
  • the configurator sends ACL configuration information to the target node device.
  • the ACL configuration information includes group identification information and identification information of at least one control node device.
  • the target node device receives the ACL configuration information.
  • the group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of at least one control node device indicates at least one control node device in the first multicast group.
  • if the target node device is a control node device in the multicast group, the ACL configuration information includes the identification information of the other control node devices in the multicast group except the target node device. If the target node device is not a control node device in the multicast group, the ACL configuration information includes the identification information of all control node devices in the multicast group.
  • the ACL configuration information may include other information, such as a domain index, authority and authentication mode, in addition to the group identification information and the identification information of the at least one control node device, and the target node device also configures this other information in the ACL.
  • the target node device configures the ACL according to the group identification information and the identification information of at least one control node device.
  • the target node device configures the group identification information in the first information of the first access control entity (ACE) of the ACL, and configures the identification information of the at least one control node device in at least one subject information of the first ACE, where the identification information of the at least one control node device is in one-to-one correspondence with the at least one subject information.
  • the target node device configures the number n of identification information of at least one control node device in the first information.
  • the target node device configures the group identification information in at least one subject information of the first ACE of the ACL, compresses the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device, and configures the compressed identification information of the at least one control node device in the at least one subject information containing the group identification information, where the compressed identification information of the at least one control node device is in one-to-one correspondence with the at least one subject information.
  • the target node device compresses the group identification information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one first compressed information, and configures the at least one first compressed information in at least one subject information of the ACL, where the at least one first compressed information corresponds one by one to the at least one subject information.
  • an authentication mode is added in the access control entity structure of the target node device.
  • the authentication modes in the access control entity structure of the target node device include: key-based security connection, certificate-based security connection, group-based security connection and enhanced group-based security connection.
  • the enhanced group-based secure connection is a newly added authentication mode, which means that the group-based secure connection mode must be inherited, and the content of the subject information in the ACL in the above-mentioned embodiment must be satisfied.
  • the target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
  • the target node device and the source node device belong to the same multicast group, in the multicast group, the source node device sends a group command, and correspondingly, the target node device receives the group command.
  • the target node device judges whether to execute the group command according to the group identification information, the identification information of the source node device, and the subject information in the ACL of the target node device.
  • the target node device determines the first ACE in the ACL according to the group identification information; checks whether there is subject information in the first ACE that matches the identification information of the source node device; and, if there is, executes the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the target node device determines the first information in the ACL according to the group identification information; checks whether there is information matching the identification information of the source node device in the last n subject information of the first information; and, if there is, executes the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the target node device determines, according to the group identification information, at least one subject information in the ACL containing the group identification information; compresses the identification information of the source node device to obtain compressed identification information of the source node device; checks whether there is information matching the compressed identification information of the source node device in the at least one subject information containing the group identification information; and, if there is, executes the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the target node device determines, according to the group identification information, at least one subject information in the ACL containing the group identification information; decompresses the at least one subject information containing the group identification information to obtain at least one first decompressed information; checks whether there is information matching the identification information of the source node device in the at least one first decompressed information; and, if there is, executes the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the target node device compresses the group identification information together with the identification information of the source node device to obtain second compressed information; checks whether there is subject information in the ACL matching the second compressed information; and, if there is, executes the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the target node device decompresses at least one subject information in the ACL to obtain at least one second decompressed information; checks whether there is information matching the group identification information and the identification information of the source node device in the at least one second decompressed information; and, if there is, executes the group command. In a possible implementation manner, if there is not, the group command is not executed.
  • the configurator sends ACL configuration information to the target node device, the ACL configuration information includes group identification information and identification information of at least one control node device, and the target node device configures according to the group identification information and the identification information of at least one control node device ACLs.
  • the source of the group command is restricted through the subject information in the ACL, so that only a group command issued by a control node device is executed by the other node devices in the group.
  • after the target node device receives the group command, it checks the subject information in the ACL together with the identification information of the source node device to determine whether the group command from the source node device may be executed. In this way, a node device in the multicast group that has been illegally taken over is prevented from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • FIG. 3 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 3, the group command processing method includes:
  • the target node device receives ACL configuration information from a configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
  • the configurator is used to configure the node devices in the multicast group, and the node devices in the same multicast group are configured by one configurator.
  • the group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of at least one control node device indicates at least one control node device in the first multicast group.
  • the configurator determines one or more node devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • the ACL configuration information may include other information, such as a domain index, authority, authentication mode, etc., in addition to the group identification information and the identification information of the at least one control node device, and the target node device also configures this other information in the ACL.
  • the target node device configures the group identifier information in the first information of the first access control entity ACE of the ACL.
  • the ACL of the target node device includes one or more access control entities (access control entity, ACE), and each ACE includes a piece of first information and one or more subject information.
  • the first information may be subject information in the ACE.
  • after receiving the ACL configuration information, the target node device configures the group identification information in the ACL configuration information in the first information of the first ACE.
  • the target node device configures the identification information of at least one control node device in at least one subject information of the first ACE.
  • the target node device also configures the identification information of the at least one control node device in the ACL configuration information in at least one piece of subject information of the first ACE, and the identification information of the at least one control node device corresponds one to one with the at least one piece of subject information.
  • the control node devices in the first multicast group include node device 1, node device 2 and node device 3, and the group commands sent by node device 1, node device 2 and node device 3 will be executed by the other node devices in the group.
  • the identification information of node device 1, node device 2 and node device 3 is configured in three pieces of subject information in the first ACE respectively, one piece of identification information per piece of subject information.
  • one ACE corresponds to one multicast group, and group identification information of other multicast groups and identification information of control node devices need to be configured in other ACEs.
  • the subject (Subjects) structure of the first ACE of the target node device is shown in Table 7.
  • the subject information has a length of 64 bits
  • the first information is the subject information in the ACE.
  • the group identification information has a length of 16 bits
  • the identification information of the control node device has a length of 64 bits.
  • the group identification information is configured in the lower 16 bits of the first information
  • the identification information of the control node device is configured in the next 64 bits (i.e., the next piece of subject information).
  • the structure shown in Table 7 is only an example, and the group identification information may also be configured in the upper 16 bits of the first information, or the group identification information may be configured in any 16 bits of the first information. If there is identification information of multiple control node devices, the identification information of multiple control node devices is configured in multiple pieces of subject information following the first information.
  • bits 16-23 of the first information may also carry the number n of pieces of identification information of the at least one control node device. For example, if identification information of 3 control node devices is configured in the first ACE, then n is 3, and n = 3 is configured in the first information.
  • the target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
  • the target node device and the source node device belong to the first multicast group, and in the multicast group, the source node device sends a group command, and correspondingly, the target node device receives the group command.
  • the target node device determines the first ACE in the ACL according to the group identification information.
  • after the target node device receives the group command, it searches the ACL for an ACE that satisfies the following conditions: the authentication mode (AuthMode) in the ACE is GROUP; the target (Targets) in the ACE matches the target resource requested by the group command; the domain index (FabricIndex) in the ACE matches the group identification information in the group command.
  • the ACE that satisfies the foregoing conditions is the first ACE.
  • the target node device searches in the first ACE whether there is subject information matching the identification information of the source node device.
  • the first ACE further includes at least one piece of subject information, and the subject information is configured with the identification information of the control node devices in the multicast group.
  • the target node device checks whether the first ACE holds subject information matching the identification information of the source node device. If it does, the source node device is a control node device in the multicast group, so the group command sent by the source node device may be executed and the target node device executes it; otherwise the target node device does not execute it.
  • the target node device executes the group command.
  • the target node device does not execute the group command.
  • the source of the group command is restricted through the subject information in the ACL, so that only a group command issued by a control node device is executed by the other node devices in the group.
  • after the target node device receives the group command, it checks the subject information in the ACL together with the identification information of the source node device to determine whether the group command from the source node device may be executed. In this way, a node device in the multicast group that has been illegally taken over is prevented from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • FIG. 4 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 4, the group command processing method includes:
  • the target node device receives ACL configuration information from a configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
  • the configurator is used to configure the node devices in the multicast group, and the node devices in the same multicast group are configured by one configurator.
  • the group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of at least one control node device indicates at least one control node device in the first multicast group.
  • the configurator determines one or more node devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • the ACL configuration information may include other information, such as a domain index, authority, authentication mode, etc., in addition to the group identification information and the identification information of the at least one control node device, and the target node device also configures this other information in the ACL.
  • the target node device configures the group identification information in the first information of the first access control entity ACE of the ACL.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more pieces of first information and one or more pieces of subject information. After receiving the ACL configuration information, the target node device configures the group identification information in the ACL configuration information in the first information of the first ACE.
  • the target node device configures the number n of identification information of at least one control node device in the first information.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more first information and one or more second topic information.
  • the first information may be subject information in the ACE.
  • the target node device configures the group identification information in the ACL configuration information in the first information of the first ACE, and also configures the number n of pieces of identification information of the at least one control node device in the first information.
  • the control node devices in the first multicast group include node device 1, node device 2, and node device 3.
  • the number n of pieces of identification information is 3, and the target node device configures n as 3 in the first information.
  • the target node device configures the identification information of at least one control node device in at least one subject information of the first ACE.
  • the target node device also configures the identification information of at least one control node device in the ACL configuration information in at least one subject information of the first ACE.
  • the control node devices in the first multicast group include node device 1, node device 2, and node device 3, and the identification information of node device 1, node device 2, and node device 3 is configured in three pieces of subject information in the first ACE respectively.
  • one piece of identification information corresponds to one piece of subject information.
  • one ACE corresponds to one or more multicast groups, and group identification information of other multicast groups and identification information of control node devices may also be configured in the first ACE.
  • the subject (Subjects) structure of the first ACE of the target node device is shown in Table 8.
  • the subject information has a length of 64 bits
  • the first information is the subject information in the ACE.
  • the group identification information has a length of 16 bits
  • the identification information of the control node device has a length of 64 bits.
  • the group identification information is configured in the lower 16 bits of the first information
  • the 16-23 bits in the first information configure the number of devices corresponding to the identification information of at least one control node device.
  • the structure shown in Table 8 is only an example: the group identification information may be configured in any 16 bits of the first information, and the number n of pieces of identification information of the control node devices may be configured at any position in the first information that does not overlap the group identification information. For example, if 3 pieces of identification information are configured in the first ACE, then n is 3, and n = 3 is configured in the first information.
  • the identification information of the control node device is configured in the 64 bits following the first information (that is, the next piece of subject information). If there is identification information of multiple control node devices, it is configured in multiple pieces of subject information following the first information. In the first ACE, multiple pieces of group identification information may be configured in multiple pieces of first information respectively.
  • the target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
  • the target node device and the source node device belong to the first multicast group, and in the multicast group, the source node device sends a group command, and correspondingly, the target node device receives the group command.
  • the target node device determines first information in the ACL according to the group identification information.
  • the target node device configures the group identification information in the ACL configuration information in the first information of the first ACE, so the target node device can determine the first information according to the group identification information in the group command.
  • the target node device searches whether the n pieces of subject information following the first information hold information matching the identification information of the source node device.
  • the number n of pieces of identification information of control node devices is read from the first information, and the n pieces of subject information following the first information are configured with the identification information of the control node devices in the multicast group.
  • the target node device executes the group command.
  • the target node device does not execute the group command.
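  • As an added example (not code from the patent or from the applicant), the following Python models the ACL layout of Table 7 and Table 8 and the checks of FIG. 3 and FIG. 4 together: a first information carrying the group identification in its lower 16 bits and the count n in bits 16-23, followed by n 64-bit control node identifications, with several groups in one ACE as FIG. 4 allows. The ACE field names AuthMode and Targets come from the page; the sample group and node identifications are constructed, the FabricIndex condition of FIG. 3 is left out, and walking the subject list block by block (skipping the n node identifications after each first information) is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Widths from the page: each subject information is 64 bits; the group
# identification occupies the lower 16 bits of the first information and the
# count n of control node identifications occupies bits 16-23 (Table 8).
SUBJECT_BITS = 64
GROUP_ID_MASK = 0xFFFF
COUNT_SHIFT = 16
COUNT_MASK = 0xFF


@dataclass
class ACE:
    """One access control entity; field names follow the page (AuthMode, Targets)."""
    auth_mode: str                    # "GROUP" for the entries this page describes
    targets: List[str]                # resources the entry applies to (constructed names)
    subjects: List[int] = field(default_factory=list)   # 64-bit subject informations


def pack_first_information(group_id: int, n: int) -> int:
    """Build the first information: n in bits 16-23, group id in bits 0-15."""
    if not 0 <= group_id <= GROUP_ID_MASK:
        raise ValueError("group identification must fit in 16 bits")
    if not 0 <= n <= COUNT_MASK:
        raise ValueError("count n must fit in bits 16-23")
    return (n << COUNT_SHIFT) | group_id


def configure_group(ace: ACE, group_id: int, control_node_ids: List[int]) -> None:
    """Append one first information followed by the n control node identifications."""
    for nid in control_node_ids:
        if not 0 <= nid < (1 << SUBJECT_BITS):
            raise ValueError("node identification must fit in 64 bits")
    ace.subjects.append(pack_first_information(group_id, len(control_node_ids)))
    ace.subjects.extend(control_node_ids)


def find_first_information(ace: ACE, group_id: int) -> Optional[int]:
    """Return the index of the first information carrying group_id, or None.

    Assumption (not stated on the page): the subject list is walked block by
    block, skipping the n node identifications that follow each first
    information, so a node identification whose lower 16 bits happen to equal
    a group id is never mistaken for a first information.
    """
    i = 0
    while i < len(ace.subjects):
        first = ace.subjects[i]
        n = (first >> COUNT_SHIFT) & COUNT_MASK
        if first & GROUP_ID_MASK == group_id:
            return i
        i += 1 + n
    return None


def may_execute(acl: List[ACE], group_id: int, source_node_id: int, target: str) -> bool:
    """Decide whether a group command from source_node_id may be executed.

    ACE selection follows the page: AuthMode must be GROUP and Targets must
    cover the requested resource. The source is then accepted only if it is
    one of the n control node identifications following the first information
    of its group.
    """
    for ace in acl:
        if ace.auth_mode != "GROUP" or target not in ace.targets:
            continue
        idx = find_first_information(ace, group_id)
        if idx is None:
            continue
        n = (ace.subjects[idx] >> COUNT_SHIFT) & COUNT_MASK
        control_ids = ace.subjects[idx + 1: idx + 1 + n]
        if len(control_ids) != n:
            continue   # entry announces more node ids than are present: do not trust it
        if source_node_id in control_ids:
            return True
    return False


# Constructed sample identifications (not from the page).
GROUP_A, GROUP_B = 0x0101, 0x0202
CONTROL_A = [0x1111222233334441, 0x1111222233334442, 0x1111222233334443]
CONTROL_B = [0xAAAABBBBCCCCDDD1]
MEMBER_ONLY = 0x1111222233334449   # belongs to group A but is not a control node device


def build_demo_acl() -> List[ACE]:
    """One ACE holding two groups, each with its own first information (FIG. 4 layout)."""
    ace = ACE(auth_mode="GROUP", targets=["OnOff"])
    configure_group(ace, GROUP_A, CONTROL_A)
    configure_group(ace, GROUP_B, CONTROL_B)
    return [ace]


if __name__ == "__main__":
    acl = build_demo_acl()
    print(may_execute(acl, GROUP_A, CONTROL_A[0], "OnOff"))        # control node of group A: executed
    print(may_execute(acl, GROUP_A, MEMBER_ONLY, "OnOff"))         # member that is not a control node: refused
    print(may_execute(acl, GROUP_B, CONTROL_A[0], "OnOff"))        # control node of another group: refused
    print(may_execute(acl, GROUP_A, CONTROL_A[0], "LevelControl")) # resource not covered by the ACE: refused
```

  • The second and third calls are the cases the page is about: a compromised group member that is not a control node device, and a control node device of a different group, are both refused even though they know the group identification. The length check on the announced count n matters in practice, because a truncated or corrupted ACE would otherwise be interpreted with the next entry's first information read as a node identification.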
  • the source of the group command is restricted through the subject information in the ACL, so that only a group command issued by a control node device is executed by the other node devices in the group.
  • after the target node device receives the group command, it checks the subject information in the ACL together with the identification information of the source node device to determine whether the group command from the source node device may be executed. In this way, a node device in the multicast group that has been illegally taken over is prevented from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • FIG. 5 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 5, the group command processing method includes:
  • the target node device receives ACL configuration information from a configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
  • the configurator is used to configure the node devices in the multicast group, and the node devices in the same multicast group are configured by one configurator.
  • the group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of at least one control node device indicates at least one control node device in the first multicast group.
  • the configurator determines one or more node devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • the ACL configuration information may include other information, such as a domain index, authority, authentication mode, etc., in addition to the group identification information and the identification information of the at least one control node device, and the target node device also configures this other information in the ACL.
  • the target node device respectively configures group identification information in at least one subject information of the first ACE of the ACL.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more pieces of subject information. After receiving the ACL configuration information, the target node device configures the group identification information in the ACL configuration information in at least one piece of subject information of the first ACE respectively.
  • the target node device compresses the identification information of each control node device in the identification information of at least one control node device to obtain the compressed identification information of at least one control node device.
  • the target node device configures the compressed identification information of at least one control node device in at least one subject information including group identification information, and the compressed identification information of at least one control node device corresponds to the at least one subject information one by one.
  • the target node device configures the compressed identification information of the at least one control node device in at least one piece of subject information that includes the group identification information.
  • the control node devices in the first multicast group include node device 1, node device 2 and node device 3; the group identification information is configured in three pieces of subject information respectively, and the compressed identification information of node device 1, node device 2 and node device 3 is also configured in the three pieces of subject information respectively, that is, each of the three pieces of subject information includes the group identification information and one piece of compressed identification information.
  • one ACE corresponds to one or more multicast groups, and the group identification information of other multicast groups and the compressed identification information of their control node devices may also be configured in the first ACE.
  • the subject (Subjects) structure of the first ACE of the target node device is shown in Table 9.
  • the subject information has a length of 64 bits
  • the group identification information has a length of 16 bits
  • the identification information of the control node device has a length of 64 bits.
  • the group identification information is configured in the lower 16 bits of the subject information
  • the 64-bit identification information of the control node device is compressed to 48 bits and configured in the upper 48 bits of the subject information.
  • the structure shown in Table 9 is only an example: the group identification information may also be configured in the upper 16 bits of the subject information, with the 64-bit identification information of the control node device compressed to 48 bits and configured in the lower 48 bits of the subject information.
  • the identification information of each control node device is compressed separately, and the compressed identification information of each control node device together with the group identification information forms the structure shown in Table 9 and is configured in one piece of subject information.
  • multiple pieces of group identification information may be configured in multiple pieces of subject information respectively, that is, group identification information 1 and group identification information 2 may be the same or different.
  • the target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
  • the target node device and the source node device belong to the first multicast group, and in the multicast group, the source node device sends a group command, and correspondingly, the target node device receives the group command.
  • the target node device determines at least one subject information in the ACL according to the group identification information.
  • the target node device configures the group identification information in at least one piece of subject information respectively; therefore, the target node device can determine the subject information that includes the group identification information in the ACL according to the group identification information in the group command.
  • the subject information configures the compressed identification information of the control node device in the multicast group, and the compressed identification information of the control node device is obtained by compressing the identification information of the control node device.
  • the identification information of the source node device is compressed by the same algorithm as that of compressing the identification information of the control node device, to obtain the compressed identification information of the source node device.
  • the target node device searches whether the at least one piece of subject information holds information matching the compressed identification information of the source node device. If it does, the source node device is a control node device in the multicast group, so the group command issued by the source node device may be executed and the target node device executes it; otherwise the target node device does not execute it.
  • the target node device does not execute the group command.
  • the source of the group command is restricted through the subject information in the ACL, so that only a group command issued by a control node device is executed by the other node devices in the group.
  • after the target node device receives the group command, it checks the subject information in the ACL together with the identification information of the source node device to determine whether the group command from the source node device may be executed. In this way, a node device in the multicast group that has been illegally taken over is prevented from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • FIG. 6 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 6, the group command processing method includes:
  • the target node device receives ACL configuration information from a configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
  • the configurator is used to configure the node devices in the multicast group, and the node devices in the same multicast group are configured by one configurator.
  • the group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of at least one control node device indicates at least one control node device in the first multicast group.
  • the configurator determines one or more node devices as control node devices, and the group commands sent by the control node devices will be executed by other node devices in the group.
  • the ACL configuration information may include other information, such as a domain index, authority, authentication mode, etc., in addition to the group identification information and the identification information of the at least one control node device, and the target node device also configures this other information in the ACL.
  • the target node device compresses the group identification information together with the identification information of each control node device among the identification information of the at least one control node device, to obtain at least one piece of first compressed information.
  • the ACL of the target node device includes one or more ACEs, and each ACE includes one or more subject information.
  • the target node device compresses the group identification information in the ACL configuration information together with the identification information of each control node device among the identification information of the at least one control node device, to obtain at least one piece of first compressed information.
  • the control node devices in the first multicast group include node device 1, node device 2, and node device 3; the group identification information is compressed together with the identification information of node device 1, with the identification information of node device 2, and with the identification information of node device 3 respectively, to obtain three pieces of first compressed information.
  • the target node device configures the at least one piece of first compressed information in at least one piece of subject information of the ACL, where the at least one piece of first compressed information corresponds one to one with the at least one piece of subject information.
  • the target node device configures the at least one piece of first compressed information in at least one piece of subject information of the ACL.
  • the control node devices in the first multicast group include node device 1, node device 2, and node device 3; the group identification information is compressed together with the identification information of node device 1, with the identification information of node device 2, and with the identification information of node device 3 respectively, to obtain three pieces of first compressed information.
  • each piece of first compressed information is obtained by compressing the identification information of one control node device.
  • one ACE corresponds to one or more multicast groups, and information obtained by compressing the group identification information and the identification information of the control node device for other multicast groups may also be configured in the first ACE.
  • the subject (Subjects) structure of the first ACE of the target node device is shown in Table 10.
  • the subject information has a length of 64 bits
  • the group identification information has a length of 16 bits
  • the identification information of the control node device has a length of 64 bits.
  • the 64-bit identification information of the control node device and the 16-bit group identification information are compressed into 64-bit first compressed information and configured in the subject information. If there is identification information of multiple control node devices, the identification information of each control node device is compressed together with the group identification information to form the structure shown in Table 9 and configured in the subject information.
  • compressed information obtained by compressing the identification information of the control node devices of other multicast groups together with their group identification information may be configured in different pieces of subject information.
  • the target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
  • the target node device and the source node device belong to the first multicast group, and in the multicast group, the source node device sends a group command, and correspondingly, the target node device receives the group command.
  • the target node device compresses the group identification information and the identification information of the source node device to obtain second compressed information.
  • the ACL of the target node device includes at least one subject information
  • the subject information is configured with first compressed information obtained by compressing the group identification information and the identification information of the control node device in the multicast group.
  • the second compressed information is obtained by compressing the group identification information and the identification information of the source node device by using the same algorithm as compressing the group identification information and the identification information of the control node device in the multicast group.
  • the target node device searches the ACL for whether there is subject information matching the second compressed information.
  • the subject information is configured with first compressed information obtained by compressing the group identification information and the identification information of the control node device in the multicast group.
  • the group identification information and the identification information of the source node device are compressed by using the same compression algorithm to obtain the second compressed information.
  • the target node device checks whether the ACL holds subject information matching the second compressed information. If it does, the source node device is a control node device in the multicast group, so the group command sent by the source node device may be executed and the target node device executes it; otherwise the target node device does not execute it.
  • the target node device does not execute the group command.
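  • As an added example (not code from the patent or from the applicant), the following Python models the compressed subject layouts of FIG. 5 (Table 9: 16-bit group identification in the clear plus a 48-bit compressed node identification) and FIG. 6 (Table 10: group identification and node identification compressed together into 64 bits), and the matching checks on the target node device. The page fixes only the widths, not the compression algorithm, so truncated SHA-256 is used here as an assumed stand-in; the group and node identifications are constructed.

```python
import hashlib
from typing import Callable, List

# Widths from the page.
GROUP_ID_BITS = 16
NODE_ID_BITS = 64
SUBJECT_BITS = 64
COMPRESSED_NODE_BITS = SUBJECT_BITS - GROUP_ID_BITS   # 48, as in Table 9


def _truncated_digest(data: bytes, bits: int) -> int:
    """Assumed compression: SHA-256 truncated to `bits`. Any deterministic
    function shared by the configuring side and the checking side would do;
    the page does not name one."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << bits) - 1)


def _check(group_id: int, node_id: int) -> None:
    if not 0 <= group_id < (1 << GROUP_ID_BITS):
        raise ValueError("group identification must fit in 16 bits")
    if not 0 <= node_id < (1 << NODE_ID_BITS):
        raise ValueError("node identification must fit in 64 bits")


def compress_node_id(node_id: int) -> int:
    """FIG. 5: 64-bit node identification -> 48-bit compressed identification."""
    return _truncated_digest(node_id.to_bytes(8, "big"), COMPRESSED_NODE_BITS)


def subject_table9(group_id: int, node_id: int) -> int:
    """Table 9 layout: compressed node id in the upper 48 bits, group id in the lower 16."""
    _check(group_id, node_id)
    return (compress_node_id(node_id) << GROUP_ID_BITS) | group_id


def subject_table10(group_id: int, node_id: int) -> int:
    """FIG. 6 / Table 10: group id and node id compressed together into 64 bits."""
    _check(group_id, node_id)
    return _truncated_digest(group_id.to_bytes(2, "big") + node_id.to_bytes(8, "big"), SUBJECT_BITS)


def configure_subjects(group_id: int, control_node_ids: List[int],
                       layout: Callable[[int, int], int]) -> List[int]:
    """Configuration side: one piece of subject information per control node device."""
    return [layout(group_id, nid) for nid in control_node_ids]


def may_execute_table9(subjects: List[int], group_id: int, source_node_id: int) -> bool:
    """FIG. 5 check: select the subjects carrying this group id in the clear, then
    compare their upper 48 bits with the source id compressed by the same algorithm."""
    _check(group_id, source_node_id)
    wanted = compress_node_id(source_node_id)
    group_mask = (1 << GROUP_ID_BITS) - 1
    return any(s & group_mask == group_id and s >> GROUP_ID_BITS == wanted for s in subjects)


def may_execute_table10(subjects: List[int], group_id: int, source_node_id: int) -> bool:
    """FIG. 6 check: recompute the second compressed information and look it up."""
    return subject_table10(group_id, source_node_id) in subjects


# Constructed sample identifications (not from the page).
GROUP_A, GROUP_B = 0x0101, 0x0202
CONTROL_A = [0x1111222233334441, 0x1111222233334442, 0x1111222233334443]
CONTROL_B = [0xAAAABBBBCCCCDDD1]
MEMBER_ONLY = 0x1111222233334449   # belongs to group A but is not a control node device


def build_subjects(layout: Callable[[int, int], int]) -> List[int]:
    """Subject informations of one ACE holding both groups, as FIG. 5 and FIG. 6 allow."""
    return configure_subjects(GROUP_A, CONTROL_A, layout) + configure_subjects(GROUP_B, CONTROL_B, layout)


if __name__ == "__main__":
    for name, layout, check in (("Table 9", subject_table9, may_execute_table9),
                                ("Table 10", subject_table10, may_execute_table10)):
        subjects = build_subjects(layout)
        print(name,
              check(subjects, GROUP_A, CONTROL_A[1]),   # control node of group A: executed
              check(subjects, GROUP_A, MEMBER_ONLY),    # member that is not a control node: refused
              check(subjects, GROUP_B, CONTROL_A[1]))   # control node of another group: refused
```

  • The trade-off a practitioner should keep in mind: both compressed layouts fit a group identification and a node identification into one 64-bit subject, but the compression is lossy, so a different node identification that compresses to the same 48 or 64 bits would also be accepted. Table 9 keeps the group identification in the clear, so the group filter is exact and only the node part can collide; Table 10 compresses both, so the whole 64-bit value is the only thing compared. The uncompressed layout of FIG. 3 and FIG. 4 has no such collision risk but costs one extra subject per group for the first information.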
  • the source of the group command is restricted through the subject information in the ACL, so that only a group command issued by a control node device is executed by the other node devices in the group.
  • after the target node device receives the group command, it checks the subject information in the ACL together with the identification information of the source node device to determine whether the group command from the source node device may be executed. In this way, a node device in the multicast group that has been illegally taken over is prevented from controlling the other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
  • FIG. 7 is a schematic diagram of a communication device provided by an embodiment of the present application.
  • the communication device 700 is applied to a target node device and includes a transceiver unit 710 and a processing unit 720 .
  • the communication device 700 may be a target node device, or a chip or an integrated circuit inside the target node device, wherein:
  • the transceiver unit 710 is configured to receive a multicast message, the multicast message is a group command, and the multicast message includes group identification information and source node device identification information.
  • the processing unit 720 is configured to judge whether to execute the group command according to the group identification information, the identification information of the source node device, and the subject information in the access control list ACL of the target node device.
  • the target node device receives a multicast message, the multicast message is a group command that includes group identification information and identification information of the source node device, and the target node device determines, according to the group identification information, the identification information of the source node device and the topic information in the ACL, whether to execute the group command.
  • Within the multicast group, the source of group commands is restricted through the topic information in the ACL, so that only a group command issued by a control node device can be executed by the other devices in the group.
  • After the target node device receives the group command, it checks the topic information in the ACL and, combined with the identification information of the source node device, determines whether the group command from the source node device can be executed. In this way, the situation where a node device in the multicast group is illegally controlled and then controls the other node devices in the group through group commands is avoided, and the security of communication between node devices in the multicast group is improved.
  • the transceiver unit 710 is further configured to receive ACL configuration information from the configurator, where the ACL configuration information includes the group identification information and identification information of at least one control node device; the processing unit 720 is further configured to configure the ACL according to the group identification information and the identification information of the at least one control node device.
  • the processing unit 720 is specifically configured to: configure the group identification information in the first information of the first access control entity ACE of the ACL; and configure the identification information of the at least one control node device in at least one topic information of the first ACE, where the identification information of the at least one control node device is in one-to-one correspondence with the at least one topic information.
  • the processing unit 720 is further configured to: configure the number n of identification information of the at least one control node device in the first information.
  • the processing unit 720 is specifically configured to: configure the group identification information in each of at least one topic information of the first ACE of the ACL; compress the identification information of each control node device among the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device; and configure the compressed identification information of the at least one control node device in the at least one topic information containing the group identification information, where the compressed identification information of the at least one control node device is in one-to-one correspondence with the at least one topic information.
  • the processing unit 720 is specifically configured to: compress the group identification information together with the identification information of each control node device among the identification information of the at least one control node device to obtain at least one first compressed information; and configure the at least one first compressed information in at least one topic information of the ACL, where the at least one first compressed information is in one-to-one correspondence with the at least one topic information.
  • the processing unit 720 is specifically configured to: determine the first ACE in the ACL according to the group identification information; search the first ACE for topic information that matches the identification information of the source node device; and if it exists, execute the group command.
  • the processing unit 720 is specifically configured to: determine the first information in the ACL according to the group identification information; search the n topic information following the first information for information that matches the identification information of the source node device; and if it exists, execute the group command.
  • the processing unit 720 is specifically configured to: determine, according to the group identification information, at least one topic information in the ACL that contains the group identification information; compress the identification information of the source node device to obtain compressed identification information of the source node device; search the at least one topic information containing the group identification information for information that matches the compressed identification information of the source node device; and if it exists, execute the group command.
  • the processing unit 720 is specifically configured to: determine, according to the group identification information, at least one topic information in the ACL that contains the group identification information; decompress the at least one topic information containing the group identification information to obtain at least one first decompressed information; search the at least one first decompressed information for information that matches the identification information of the source node device; and if it exists, execute the group command.
  • the processing unit 720 is specifically configured to: compress the group identification information and the identification information of the source node device to obtain second compressed information; search the ACL for topic information that matches the second compressed information; and if it exists, execute the group command.
  • the processing unit 720 is specifically configured to: decompress at least one topic information in the ACL to obtain at least one second decompressed information; search the at least one second decompressed information for information that matches the group identification information and the identification information of the source node device; and if it exists, execute the group command.
  • the processing unit 720 is further configured to: if no matching information exists, not execute the group command.
  • the transceiver unit 710 is further configured to receive group table configuration information from the configurator, where the group table configuration information includes first indication information, and the first indication information is used to indicate whether the target node device is a control node device; the processing unit 720 is further configured to configure the first indication information in the group table of the target node device.
  • the ACL configuration information further includes authentication mode configuration information, and the processing unit 720 is further configured to: configure, according to the authentication mode configuration information, the authentication mode of the ACE in the ACL as enhanced group-based secure connection.
  • transceiver unit 710 in the embodiment of the present application may be implemented by a transceiver or a transceiver-related circuit component, and the processing unit 720 may be implemented by a processor or a processor-related component.
  • FIG. 8 is a schematic diagram of another communication device provided by an embodiment of the present application.
  • the communication device 800 is applied to a configurator and includes a transceiver unit 810 .
  • the communication device 800 may be a configurator, or a chip or an integrated circuit inside the configurator, wherein:
  • the transceiver unit 810 is configured to send access control list ACL configuration information to the target node device, where the ACL configuration information includes group identification information and identification information of at least one control node device, the ACL configuration information is used to instruct the target node device to configure the ACL according to the group identification information and the identification information of the at least one control node device, and the topic information in the ACL is used by the target node device to determine whether to execute a group command.
  • the configurator sends ACL configuration information to the target node device, the ACL configuration information includes group identification information and identification information of at least one control node device, and the target node device configures the ACL according to the group identification information and the identification information of the at least one control node device.
  • Within the multicast group, the source of group commands is restricted through the topic information in the ACL, so that only a group command issued by a control node device can be executed by the other devices in the group.
  • After the target node device receives the group command, it checks the topic information in the ACL and, combined with the identification information of the source node device, determines whether the group command from the source node device can be executed. In this way, the situation where a node device in the multicast group is illegally controlled and then controls the other node devices in the group through group commands is avoided, and the security of communication between node devices in the multicast group is improved.
  • the transceiver unit 810 is further configured to: send group table configuration information to multiple node devices in the multicast group, where the group table configuration information includes first indication information and is used to instruct each of the multiple node devices to configure the first indication information in its group table, and the first indication information is used to indicate whether each node device is a control node device.
  • the apparatus further includes a processing unit 820, and the processing unit 820 is configured to: determine the ACL configuration information according to the first indication information of the plurality of node devices.
  • transceiver unit 810 in the embodiment of the present application may be implemented by a transceiver or a transceiver-related circuit component, and the processing unit 820 may be implemented by a processor or a processor-related component.
  • FIG. 9 is a schematic diagram of a target node device provided in an embodiment of the present application.
  • the target node device 900 includes a processor 910, a memory 920, and a transceiver 930, wherein the memory 920 stores instructions or programs, and the processor 910 is used to execute instructions or programs stored in memory 920 .
  • the processor 910 is used to perform the operations performed by the processing unit 720 in the above embodiments.
  • the transceiver 930 is used to perform the operations performed by the transceiver unit 710 in the above embodiments.
  • the communication device 700 in the embodiment of the present application may correspond to the target node device in the group command processing method in the embodiment of the present application, and the operations and/or functions of each unit in the communication device 700 or the target node device 900 are respectively for realizing the corresponding flow of the above-mentioned group command processing method; for the sake of brevity, details are not repeated here.
  • FIG. 10 is a schematic diagram of a configurator provided in an embodiment of the present application.
  • the configurator 1000 includes a processor 1010, a memory 1020, and a transceiver 1030, wherein the memory 1020 stores instructions or programs, and the processor 1010 is used to execute the instructions or programs stored in the memory 1020.
  • the processor 1010 is used to perform the operations performed by the processing unit 820 in the above embodiments.
  • the transceiver 1030 is used to perform the operations performed by the transceiver unit 810 in the above embodiments.
  • the communication device 800 in the embodiment of the present application may correspond to the configurator in the group command processing method in the embodiment of the present application, and the operations and/or functions of each unit in the communication device 800 or the configurator 1000 are respectively for realizing the corresponding flow of the above-mentioned group command processing method; for the sake of brevity, details are not repeated here.
  • the embodiment of the present application also provides a computer-readable storage medium, where the computer-readable storage medium is used to store instructions, and when the instructions are executed by a processor, the procedures related to the target node device in the foregoing method embodiments can be implemented.
  • the embodiment of the present application also provides a computer-readable storage medium, where the computer-readable storage medium is used to store instructions, and when the instructions are executed by a processor, the processes related to the configurator in the above method embodiments can be implemented.
  • the embodiment of the present application also provides a computer program product containing instructions, which when run on a computer or a processor, causes the computer or processor to execute one or more steps in the above method embodiments. If each component module of the above-mentioned device is implemented in the form of a software function unit and sold or used as an independent product, it can be stored in the computer-readable storage medium.
  • the sequence numbers of the above-mentioned processes do not imply an order of execution; the execution order of the processes should be determined by their functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in the present application are a groupcast message processing method and a related apparatus. The groupcast message processing method comprises: a target node device receiving a groupcast message, which groupcast message is a group command and comprises group identification information and identification information of a source node device; and according to the group identification information, the identification information of the source node device and topic information in an access control list (ACL) of the target node device, the target node device determining whether to execute the group command. In this way, the source of a group command is limited by means of topic information, such that the situation where a certain node device in a multicast group controls, after being illegally controlled, other node devices in the group by means of the group command is avoided, thereby improving the security of communication between the node devices in the multicast group.

Description

Multicast message processing method and related device

Technical field

The present application relates to the technical field of communications, and in particular to a method for processing a multicast message and a related device.

Background

A multicast group is the set of all node devices registered under the same multicast group identifier. After a multicast message is sent to the multicast group, it is received by all node devices in the group.

Each multicast group corresponds to a shared group key. The group key is managed by the group key management function set of each node device in the multicast group and is used to encrypt and decrypt message transmission within the group. Each node device in the multicast group knows nothing about the other node devices and can only rely on the group key to secure communication within the group. However, if a node device in the multicast group is illegally controlled, that node device can control the other node devices in the group by constructing group commands, and the other node devices cannot distinguish whether a received group command is a legitimate or an illegitimate operation, so the security of communication between node devices in the multicast group is poor.

Summary of the invention

The present application provides a multicast message processing method and a related device, which improve the security of communication between node devices in a multicast group.
In a first aspect, the present application provides a method for processing a multicast message. The method is applied to a target node device and includes: receiving a multicast message, where the multicast message is a group command and includes group identification information and identification information of a source node device; and determining, according to the group identification information, the identification information of the source node device and the topic information in the access control list (ACL) of the target node device, whether to execute the group command.

In the above method, the target node device receives a multicast message, the multicast message being a group command that includes group identification information and identification information of the source node device, and the target node device determines, according to the group identification information, the identification information of the source node device and the topic information in the ACL, whether to execute the group command. Within the multicast group, the source of group commands is restricted through the topic information in the ACL, so that only a group command issued by a control node device can be executed by the other devices in the group. After receiving a group command, the target node device checks the topic information in the ACL and, combined with the identification information of the source node device, can determine whether the group command from the source node device may be executed. In this way, the situation where a node device in the multicast group, after being illegally controlled, controls the other node devices in the group through group commands is avoided, and the security of communication between node devices in the multicast group is improved.
With reference to the first aspect, in a possible implementation of the first aspect, before determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device, the method further includes: receiving ACL configuration information from a configurator, where the ACL configuration information includes the group identification information and identification information of at least one control node device; and configuring the ACL according to the group identification information and the identification information of the at least one control node device.

With reference to the first aspect, in a possible implementation of the first aspect, configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information in the first information of a first access control entity ACE of the ACL; and configuring the identification information of the at least one control node device in at least one topic information of the first ACE, where the identification information of the at least one control node device is in one-to-one correspondence with the at least one topic information.

With reference to the first aspect, in a possible implementation of the first aspect, configuring the ACL according to the group identification information and the identification information of the at least one control node device further includes: configuring the number n of identification information of the at least one control node device in the first information.

With reference to the first aspect, in a possible implementation of the first aspect, configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information in each of at least one topic information of the first ACE of the ACL; compressing the identification information of each control node device among the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device; and configuring the compressed identification information of the at least one control node device in the at least one topic information containing the group identification information, where the compressed identification information of the at least one control node device is in one-to-one correspondence with the at least one topic information.

With reference to the first aspect, in a possible implementation of the first aspect, configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: compressing the group identification information together with the identification information of each control node device among the identification information of the at least one control node device to obtain at least one first compressed information; and configuring the at least one first compressed information in at least one topic information of the ACL, where the at least one first compressed information is in one-to-one correspondence with the at least one topic information.
With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device includes: determining the first ACE in the ACL according to the group identification information; searching the first ACE for topic information that matches the identification information of the source node device; and if it exists, executing the group command.

With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device includes: determining the first information in the ACL according to the group identification information; searching the n topic information following the first information for information that matches the identification information of the source node device; and if it exists, executing the group command.

With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device includes: determining, according to the group identification information, at least one topic information in the ACL that contains the group identification information; compressing the identification information of the source node device to obtain compressed identification information of the source node device; searching the at least one topic information containing the group identification information for information that matches the compressed identification information of the source node device; and if it exists, executing the group command.

With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device includes: determining, according to the group identification information, at least one topic information in the ACL that contains the group identification information; decompressing the at least one topic information containing the group identification information to obtain at least one first decompressed information; searching the at least one first decompressed information for information that matches the identification information of the source node device; and if it exists, executing the group command.

With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device includes: compressing the group identification information and the identification information of the source node device to obtain second compressed information; searching the ACL for topic information that matches the second compressed information; and if it exists, executing the group command.

With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device includes: decompressing at least one topic information in the ACL to obtain at least one second decompressed information; searching the at least one second decompressed information for information that matches the group identification information and the identification information of the source node device; and if it exists, executing the group command.

With reference to the first aspect, in a possible implementation of the first aspect, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the topic information in the access control list ACL of the target node device further includes: if no such information exists, not executing the group command.
结合第一方面,在第一方面的一种可能的实施方式中,所述方法还包括:接收来自配置器的组表配置信息,所述组表配置信息包括第一指示信息,所述第一指示信息用于指示所述目标节点设备是否为控制节点设备;将所述第一指示信息配置在所述目标节点设备的组表中。With reference to the first aspect, in a possible implementation manner of the first aspect, the method further includes: receiving group table configuration information from a configurator, where the group table configuration information includes first indication information, and the first The indication information is used to indicate whether the target node device is a control node device; and the first indication information is configured in the group table of the target node device.
结合第一方面,在第一方面的一种可能的实施方式中,所述ACL配置信息还包括鉴权模式配置信息,所述方法还包括:根据所述鉴权模式配置信息,将所述ACL中ACE的鉴权模式配置为增强型基于组的安全连接。With reference to the first aspect, in a possible implementation manner of the first aspect, the ACL configuration information further includes authentication mode configuration information, and the method further includes: according to the authentication mode configuration information, configuring the ACL The authentication mode of the ACE is configured as enhanced group-based secure connection.
In a second aspect, the present application provides a groupcast message processing method applied to a configurator, including: sending access control list (ACL) configuration information to a target node device, the ACL configuration information including group identification information and identification information of at least one control node device, the ACL configuration information being used to instruct the target node device to configure its ACL according to the group identification information and the identification information of the at least one control node device, where the subject information in the ACL is used by the target node device to determine whether to execute a group command.
In the above method, the configurator sends ACL configuration information to the target node device; the ACL configuration information includes group identification information and identification information of at least one control node device, and the target node device configures its ACL according to them. Within the multicast group, the subject information in the ACL restricts where group commands may come from: only group commands issued by a control node device are executed by the other devices in the group. After receiving a group command, the target node device consults the subject information in its ACL and, together with the identification information of the source node device, determines whether the group command from that source may be executed. This prevents a node device in the multicast group that has been illegitimately taken over from controlling the other node devices in the group through group commands, and improves the security of communication between node devices in the multicast group.
With reference to the second aspect, in a possible implementation of the second aspect, the method further includes: sending group table configuration information to multiple node devices in the multicast group, the group table configuration information including first indication information and instructing each of the multiple node devices to configure the first indication information in its group table, where the first indication information indicates whether that node device is a control node device.
With reference to the second aspect, in a possible implementation of the second aspect, before sending the access control list (ACL) configuration information to the target node device, the method further includes: determining the ACL configuration information according to the first indication information of the multiple node devices.
In a third aspect, the present application provides a communication apparatus applied to a target node device, including: a transceiver unit configured to receive a groupcast message, the groupcast message being a group command and including group identification information and identification information of a source node device; and a processing unit configured to determine, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the transceiver unit is further configured to receive ACL configuration information from a configurator, the ACL configuration information including the group identification information and identification information of at least one control node device; and the processing unit is further configured to configure the ACL according to the group identification information and the identification information of the at least one control node device.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: configure the group identification information in first information of a first access control entity (ACE) of the ACL; and configure the identification information of the at least one control node device in at least one piece of subject information of the first ACE, the identification information of the at least one control node device corresponding one-to-one to the at least one piece of subject information.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is further configured to configure the number n of pieces of identification information of the at least one control node device in the first information.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: configure the group identification information in each of at least one piece of subject information of the first ACE of the ACL; compress the identification information of each control node device among the at least one control node device to obtain compressed identification information of the at least one control node device; and configure the compressed identification information of the at least one control node device in the at least one piece of subject information containing the group identification information, the compressed identification information of the at least one control node device corresponding one-to-one to the at least one piece of subject information.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: compress the group identification information together with the identification information of each control node device among the at least one control node device to obtain at least one piece of first compressed information; and configure the at least one piece of first compressed information in at least one piece of subject information of the ACL, the at least one piece of first compressed information corresponding one-to-one to the at least one piece of subject information.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: determine the first ACE in the ACL according to the group identification information; search the first ACE for subject information matching the identification information of the source node device; and, if it exists, execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: determine the first information in the ACL according to the group identification information; search the last n pieces of subject information following the first information for information matching the identification information of the source node device; and, if it exists, execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: determine, according to the group identification information, the at least one piece of subject information in the ACL that contains the group identification information; compress the identification information of the source node device to obtain compressed identification information of the source node device; search the at least one piece of subject information containing the group identification information for information matching the compressed identification information of the source node device; and, if it exists, execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: determine, according to the group identification information, the at least one piece of subject information in the ACL that contains the group identification information; decompress the at least one piece of subject information containing the group identification information to obtain at least one piece of first decompressed information; search the at least one piece of first decompressed information for information matching the identification information of the source node device; and, if it exists, execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: compress the group identification information together with the identification information of the source node device to obtain second compressed information; search the ACL for subject information matching the second compressed information; and, if it exists, execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is specifically configured to: decompress at least one piece of subject information in the ACL to obtain at least one piece of second decompressed information; search the at least one piece of second decompressed information for information matching both the group identification information and the identification information of the source node device; and, if it exists, execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the processing unit is further configured to: if no such information exists, not execute the group command.
With reference to the third aspect, in a possible implementation of the third aspect, the transceiver unit is further configured to receive group table configuration information from a configurator, the group table configuration information including first indication information that indicates whether the target node device is a control node device; and the processing unit is further configured to configure the first indication information in the group table of the target node device.
With reference to the third aspect, in a possible implementation of the third aspect, the ACL configuration information further includes authentication mode configuration information, and the processing unit is further configured to configure, according to the authentication mode configuration information, the authentication mode of the ACE in the ACL as "enhanced group-based secure connection".
In a fourth aspect, the present application provides a communication apparatus applied to a configurator, including: a transceiver unit configured to send access control list (ACL) configuration information to a target node device, the ACL configuration information including group identification information and identification information of at least one control node device, the ACL configuration information being used to instruct the target node device to configure its ACL according to the group identification information and the identification information of the at least one control node device, where the subject information in the ACL is used by the target node device to determine whether to execute a group command.
With reference to the fourth aspect, in a possible implementation of the fourth aspect, the transceiver unit is further configured to send group table configuration information to multiple node devices in the multicast group, the group table configuration information including first indication information and instructing each of the multiple node devices to configure the first indication information in its group table, where the first indication information indicates whether that node device is a control node device.
With reference to the fourth aspect, in a possible implementation of the fourth aspect, the apparatus further includes a processing unit configured to determine the ACL configuration information according to the first indication information of the multiple node devices.
In a fifth aspect, the present application provides a target node device including a memory, a processor, and a program stored in the memory and executable on the processor, where the processor, when executing the program, implements the method of the first aspect or of any possible implementation of the first aspect.
In a sixth aspect, the present application provides a configurator including a memory, a processor, and a program stored in the memory and executable on the processor, where the processor, when executing the program, implements the method of the second aspect or of any possible implementation of the second aspect.
In a seventh aspect, the present application provides a computer-readable storage medium storing instructions which, when executed by a processor, cause the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect, to be performed.
In an eighth aspect, the present application provides a computer program product containing instructions which, when run on a computer, cause the method of the first aspect or of any possible implementation of the first aspect, or the method of the second aspect or of any possible implementation of the second aspect, to be performed.
Description of drawings
FIG. 1 is a schematic diagram of a group command processing method provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of another group command processing method provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of another group command processing method provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of another group command processing method provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of another group command processing method provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of another group command processing method provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of a communication apparatus provided in an embodiment of the present application;
FIG. 8 is a schematic diagram of another communication apparatus provided in an embodiment of the present application;
FIG. 9 is a schematic diagram of a target node device provided in an embodiment of the present application;
FIG. 10 is a schematic diagram of a configurator provided in an embodiment of the present application.
Detailed description
The technical solution of the present application is described below with reference to the accompanying drawings.
Some of the terms used in the embodiments of the present application are first explained, to aid understanding by those skilled in the art.
In the embodiments of the present application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between objects and covers three cases: for "A and/or B", A alone, both A and B, or B alone, where A and B may each be singular or plural. The character "/" generally indicates an "or" relationship between the objects it joins. "At least one of the following" and similar expressions mean any combination of the listed items, including any single item or any combination of several items. For example, "at least one of a, b or c" may mean a, b, c, a and b, a and c, b and c, or a, b and c, where each of a, b and c may be one item or several.
Unless stated otherwise, ordinal terms such as "first" and "second" in the embodiments of the present application are used to distinguish between multiple objects and do not limit their order, timing, priority or importance. For example, "first information" and "second information" merely distinguish two pieces of information and do not imply any difference in their content, priority, sending order or importance.
To aid understanding of the present application, the concepts it involves are explained first.
Matter protocol: Matter is an application-layer protocol released by the Connectivity Standards Alliance (CSA); it is a new connectivity standard built on the Internet Protocol (IP). The Matter protocol defines an application layer, deployed on devices over IPv6 networks, whose goal is an interoperable architecture.
Multicast group: the set of all node devices registered under the same multicast group identifier (ID). After a groupcast message is sent to a multicast group, it is received by every node device in that group.
Group session: formed by one or more groupcast messages, and comprising the following information:
1. Fabric index: the fabric to which the group session belongs.
2. Group ID: the unique identifier of the multicast group.
3. Source node ID: the node ID of the source node device of the group session.
4. Source Internet Protocol (IP) address: the IP address of the source node device that sent the group session message.
5. Source port: the port on the source node device from which the group session message was sent.
6. Operational group key: the key used to encrypt group session messages.
7. Group session ID.
Group table: in a multicast group using the Matter protocol, every node device holds a group table that records its group memberships. One or more endpoints on a node device may belong to the same multicast group, and any single endpoint on a node device may belong to one or more multicast groups.
Group key management cluster: in a multicast group using the Matter protocol, every node device holds a group key management cluster for managing group keys. It comprises attributes and methods (commands); its attributes are listed in Table 1 and its commands in Table 2.
Table 1 Attributes of the group key management cluster
(Table 1 is reproduced as an image in the original publication and is not available as text.)
Here, desc means: see the detailed description.
Table 2 Commands of the group key management cluster
(Table 2 is reproduced as an image in the original publication and is not available as text.)
Here, F A indicates that access is fabric-scoped (distinguished per fabric) and requires administrator privilege.
The attributes of the group key management cluster are used to maintain the node device's group table; the information contained in the group table is shown in Table 3.
Table 3 Information contained in the group table
(Table 3 is reproduced as an image in the original publication and is not available as text.)
Here, FabricIndex indicates the fabric to which the group session belongs. GroupID is the unique identifier of the multicast group. GroupKeySetIndex points to the shared group key of the multicast group, which is used to encrypt and decrypt messages transmitted within the group. Endpoints are the endpoints on the node device that belong to the multicast group. GroupName is the name of the multicast group. fabric-idx is the data type the standard defines for a fabric index, and group-id is the data type it defines for a group identifier. desc means: see the detailed description. all means that every value of the numeric data type is allowed.
If the message a node device receives is a groupcast message, the node device consults its group table after receiving it to determine which endpoints in the group table are associated with the same group identifier as the one carried in the groupcast message; the endpoints associated with that group identifier belong to the multicast group the groupcast message is addressed to. The groupcast message is then delivered to each endpoint on the node device that belongs to that multicast group.
Access control list (ACL): specifies the access rights that other node devices have on this node device.
ACL cluster: used to control access to a node device. Every node device has an ACL cluster; when a node device receives a request, it first checks in the ACL whether the requester holds the required permission. The ACL cluster comprises attributes, which are shown in Table 4.
Table 4 Attributes of the ACL cluster
(Table 4 is reproduced as an image in the original publication and is not available as text.)
Among the attributes of the ACL cluster, the information contained in the access control entity structure is shown in Table 5.
Table 5 Information contained in the access control entity structure
(Table 5 is reproduced as an image in the original publication and is not available as text.)
The privilege (Privilege) in the access control entity structure is one of:
view: permission to read and subscribe (except for the ACL cluster).
proxy view: permission to read and subscribe.
operate: the view permission plus permission to invoke the device's primary functions (except for the ACL cluster).
manage: the operate permission plus permission to modify configuration data (except for the ACL cluster).
administrator: the manage permission plus permission to subscribe to and modify the ACL cluster.
The authentication mode (AuthMode) in the access control entity structure is one of:
PASE (passcode authenticated session): a secure connection established from a passcode.
CASE (certificate authenticated session): a secure connection established from certificates.
GROUP (group authenticated session): a group-based secure connection.
When a node device in a multicast group receives a groupcast message and checks its ACL, the content of Subjects in the ACL is the group ID. In other words, once any node device in the multicast group sends a group command, every other node device that receives it executes it. If some node device in the multicast group is illegitimately taken over, it can control the other node devices in the group by constructing group commands, and those other node devices have no way to tell a legitimate group command from an illegitimate one: the operational group key is shared by every member, so it proves only that a message came from within the group, not from which member. Communication between node devices in a multicast group is therefore poorly protected.
The background of the present application has been introduced above; the technical features of the embodiments of the present application are introduced below.
参见图1,图1为本申请实施例提供的一种组命令的处理方法的示意图。如图1所示,该组命令的处理方法包括:Referring to FIG. 1 , FIG. 1 is a schematic diagram of a method for processing group commands provided by an embodiment of the present application. As shown in Figure 1, the processing methods of this group of commands include:
S101、目标节点设备接收组播消息,组播消息为组命令,组播消息包括组标识信息和源节点设备的标识信息。S101. The target node device receives a multicast message, where the multicast message is a group command, and the multicast message includes group identification information and identification information of a source node device.
具体的,目标节点设备和源节点设备属于第一多播组,在该多播组内,源节点设备发送组播消息,该组播消息为组命令,相应的,目标节点设备接收组播消息。其中,组播消息包括的组标识信息为第一多播组的组标识信息。Specifically, the target node device and the source node device belong to the first multicast group. In the multicast group, the source node device sends a multicast message, and the multicast message is a group command. Correspondingly, the target node device receives the multicast message . Wherein, the group identification information included in the multicast message is group identification information of the first multicast group.
S102、目标节点设备根据组标识信息、源节点设备的标识信息和目标节点设备的访问控制列表ACL中的主题信息,判断是否执行组命令。S102. The target node device judges whether to execute the group command according to the group identification information, the identification information of the source node device, and the subject information in the ACL of the target node device.
可选的,在根据组标识信息、源节点设备的标识信息和ACL中的主题信息,判断是否执行组命令之前,还包括:接收来自配置器的ACL配置信息,ACL配置信息包括组标识信息和至少一个控制节点设备的标识信息;根据组标识信息和至少一个控制节点设备的标识信息,配置ACL。Optionally, before judging whether to execute the group command according to the group identification information, the identification information of the source node device, and the topic information in the ACL, it also includes: receiving ACL configuration information from the configurator, the ACL configuration information includes group identification information and Identification information of at least one control node device; ACL is configured according to the group identification information and the identification information of at least one control node device.
具体的,目标节点设备接收来自配置器的ACL配置信息,该ACL配置信息包括组标识信息和至少一个控制节点设备的标识信息。目标节点设备根据该组标识信息和该至少一个控制节点设备的标识信息,配置ACL。可选的,该ACL配置信息除了包括该组标识信息和该至少一个控制节点设备的标识信息外,还可能包括其他信息,例如域索引(FabricIndex)、权限(Privilege)、鉴权模式(AuthMode)等,目标节点设备还将其他信息也配置在ACL中。Specifically, the target node device receives ACL configuration information from the configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device. The target node device configures the ACL according to the group identification information and the identification information of the at least one control node device. Optionally, in addition to including the group identification information and the identification information of the at least one control node device, the ACL configuration information may also include other information, such as domain index (FabricIndex), authority (Privilege), authentication mode (AuthMode) etc., the target node device also configures other information in the ACL.
The configurator is used to configure the node devices in a multicast group, and the node devices in the same multicast group are configured by a single configurator. Specifically, the group identification information in the ACL configuration information is the group identification information of the first multicast group, and the identification information of the at least one control node device indicates at least one control node device in the first multicast group. When configuring the node devices in a multicast group, the configurator designates one or more node devices as control node devices; only group commands sent by a control node device are executed by the other node devices in the group.
In a possible implementation, configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information in the first information of a first access control entity (ACE) of the ACL; and configuring the identification information of the at least one control node device in at least one item of subject information of the first ACE, the identification information of the at least one control node device corresponding one-to-one to the at least one item of subject information.
Specifically, the ACL of the target node device includes one or more access control entities (ACEs), and each ACE includes one item of first information and one or more items of subject information (subject IDs). In a possible implementation, the first information may itself be an item of subject information in the ACE. After receiving the ACL configuration information, the target node device configures the group identification information from the ACL configuration information in the first information of the first ACE, and also configures the identification information of the at least one control node device from the ACL configuration information in the first ACE. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, only group commands sent by node device 1, node device 2 and node device 3 are executed by the other node devices in the group; the identification information of node device 1, node device 2 and node device 3 is configured in three items of subject information in the first ACE, one item of identification information per item of subject information. Note that in this implementation one ACE corresponds to one multicast group; the group identification information and control node device identification information of other multicast groups must be configured in other ACEs.
In a possible implementation, configuring the ACL according to the group identification information and the identification information of the at least one control node device further includes: configuring the number n of items of identification information of the at least one control node device in the first information.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more items of first information and one or more items of subject information. In a possible implementation, the first information may be an item of subject information in the ACE. After receiving the ACL configuration information, the target node device configures the group identification information from the ACL configuration information in the first information of the first ACE, configures the identification information of the at least one control node device from the ACL configuration information in the first ACE as well, and also configures the number n of items of control node device identification information in the first information. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, the identification information of node device 1, node device 2 and node device 3 is configured in three items of subject information in the first ACE, one item of identification information per item of subject information. In this case the number n of items of identification information is 3, and n = 3 is also configured in the first information. Note that in this implementation one ACE corresponds to one or more multicast groups; the group identification information and control node device identification information of other multicast groups may also be configured in the first ACE.
In a possible implementation, configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: configuring the group identification information in each of at least one item of subject information of the first ACE of the ACL; compressing the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device; and configuring the compressed identification information of the at least one control node device in the at least one item of subject information containing the group identification information, the compressed identification information of the at least one control node device corresponding one-to-one to the at least one item of subject information.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more items of subject information. After receiving the ACL configuration information, the target node device configures the group identification information from the ACL configuration information in each of at least one item of subject information of the first ACE, compresses the identification information of each control node device in the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device, and configures the compressed identification information of the at least one control node device in the at least one item of subject information that contains the group identification information. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, the group identification information is configured in three items of subject information, and the compressed identification information of node device 1, node device 2 and node device 3 is configured in those same three items; that is, each of the three items of subject information includes the group identification information and one item of compressed identification information. Note that in this implementation one ACE corresponds to one or more multicast groups; the group identification information of other multicast groups and the compressed identification information of their control node devices may also be configured in the first ACE.
In a possible implementation, configuring the ACL according to the group identification information and the identification information of the at least one control node device includes: compressing the group identification information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one item of first compressed information; and configuring the at least one item of first compressed information in at least one item of subject information of the ACL, the at least one item of first compressed information corresponding one-to-one to the at least one item of subject information.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more items of subject information. After receiving the ACL configuration information, the target node device compresses the group identification information from the ACL configuration information together with the identification information of each control node device in the identification information of the at least one control node device to obtain at least one item of first compressed information, and configures the at least one item of first compressed information in at least one item of subject information of the ACL. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, the group identification information is compressed together with the identification information of node device 1, of node device 2 and of node device 3 respectively, giving three items of first compressed information. The three items of first compressed information are then configured in three items of subject information; that is, each of the three items of subject information includes one item of first compressed information, and each item of first compressed information is obtained by compressing the group identification information together with the identification information of one control node device. Note that in this implementation one ACE corresponds to one or more multicast groups; information obtained by compressing the group identification information and control node device identification information of other multicast groups may also be configured in the first ACE.
Optionally, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL of the target node device includes: determining the first ACE in the ACL according to the group identification information; searching the first ACE for subject information matching the identification information of the source node device; and if such subject information exists, executing the group command. In a possible implementation, if it does not exist, the group command is not executed.
Specifically, the first ACE in the ACL of the target node device is determined according to the group identification information; the first ACE also includes at least one item of subject information, in which the identification information of the control node devices of the multicast group is configured. The first ACE is searched for subject information matching the identification information of the source node device. If it exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the target node device does not execute it.
Optionally, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL of the target node device includes: determining the first information in the ACL according to the group identification information; searching the n items of subject information following the first information for information matching the identification information of the source node device; and if it exists, executing the group command. In a possible implementation, if it does not exist, the group command is not executed.
Specifically, the first information in the ACL of the target node device is determined according to the group identification information, and the number n of items of identification information recorded in the first information is obtained; the n items of subject information following the first information hold the identification information of the control node devices of the multicast group. Those n items of subject information are searched for subject information matching the identification information of the source node device. If it exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the target node device does not execute it.
Optionally, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL of the target node device includes: determining, according to the group identification information, at least one item of subject information in the ACL that contains the group identification information; compressing the identification information of the source node device to obtain compressed identification information of the source node device; searching the at least one item of subject information containing the group identification information for information matching the compressed identification information of the source node device; and if it exists, executing the group command. In a possible implementation, if it does not exist, the group command is not executed.
Specifically, according to the group identification information, at least one item of subject information in the ACL of the target node device that contains the group identification information is determined; this subject information holds the compressed identification information of the control node devices of the multicast group, obtained by compressing the identification information of the control node devices. The identification information of the source node device is compressed with the same algorithm that was used to compress the identification information of the control node devices, giving the compressed identification information of the source node device. The at least one item of subject information containing the group identification information is searched for information matching the compressed identification information of the source node device. If it exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the target node device does not execute it.
Optionally, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL of the target node device includes: determining, according to the group identification information, at least one item of subject information in the ACL that contains the group identification information; decompressing the at least one item of subject information containing the group identification information to obtain at least one item of first decompressed information; searching the at least one item of first decompressed information for information matching the identification information of the source node device; and if it exists, executing the group command. In a possible implementation, if it does not exist, the group command is not executed.
Specifically, according to the group identification information, at least one item of subject information in the ACL of the target node device that contains the group identification information is determined; this subject information holds the compressed identification information of the control node devices of the multicast group, obtained by compressing the identification information of the control node devices. The at least one item of subject information containing the group identification information is decompressed to obtain at least one item of first decompressed information, each of which includes the identification information of a control node device. The at least one item of first decompressed information is searched for information matching the identification information of the source node device. If it exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the target node device does not execute it.
Optionally, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL of the target node device includes: compressing the group identification information together with the identification information of the source node device to obtain second compressed information; searching the ACL for subject information matching the second compressed information; and if it exists, executing the group command. In a possible implementation, if it does not exist, the group command is not executed.
Specifically, the ACL of the target node device includes at least one item of subject information, which holds first compressed information obtained by compressing the group identification information together with the identification information of a control node device of the multicast group. The group identification information and the identification information of the source node device are compressed with the same algorithm that was used to compress the group identification information and the identification information of the control node devices, giving the second compressed information. The ACL is searched for subject information matching the second compressed information. If it exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the target node device does not execute it.
Optionally, determining whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL of the target node device includes: decompressing at least one item of subject information in the ACL to obtain at least one item of second decompressed information; searching the at least one item of second decompressed information for information matching the group identification information and the identification information of the source node device; and if it exists, executing the group command. In a possible implementation, if it does not exist, the group command is not executed.
Specifically, the ACL of the target node device includes at least one item of subject information, which holds first compressed information obtained by compressing the group identification information together with the identification information of a control node device of the multicast group. The at least one item of subject information is decompressed to obtain at least one item of second decompressed information, each of which includes group identification information and the identification information of a control node device. The at least one item of second decompressed information is searched for information matching the group identification information and the source node device identification information carried in the group command. If it exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the target node device does not execute it.
Optionally, the target node device receives group table configuration information from the configurator; the group table configuration information includes first indication information, which indicates whether the target node device is a control node device, and the target node device configures the first indication information in its group table.
Specifically, when configuring the node devices in a multicast group, the configurator designates one or more devices as control node devices; only group commands sent by a control node device are executed by the other node devices in the group. The target node device receives group table configuration information from the configurator, which includes first indication information; after receiving it, the target node device configures the first indication information in its group table, where the first indication information indicates whether the target node device is a control node device. In this way, the group table of every node device in the multicast group carries first indication information; the configurator obtains the first indication information from the group table of each node device and can thereby determine which node devices in the multicast group are control node devices. When sending ACL configuration information to the node devices in the multicast group, the configurator may determine the control node devices in the group according to the first indication information. The ACL configuration information sent by the configurator to a control node device includes the identification information of the other control node devices in the multicast group (excluding that control node device itself), while the ACL configuration information sent to the other node devices includes the identification information of all control node devices in the multicast group.
Optionally, the ACL configuration information also includes authentication mode configuration information, and the target node device configures the authentication mode of the ACE in the ACL as an enhanced group-based secure connection according to the authentication mode configuration information.
In the method above, the target node device receives a multicast message that is a group command including group identification information and the identification information of the source node device, and determines whether to execute the group command according to the group identification information, the identification information of the source node device and the subject information in the ACL. Within a multicast group, the subject information in the ACL restricts the origin of group commands, so that only group commands issued by a control node device can be executed by the other devices in the group. After receiving a group command, the target node device consults the subject information in the ACL and, combined with the identification information of the source node device, can determine whether the group command from that source node device may be executed. This prevents a node device in the multicast group that has been illegitimately taken over from controlling the other node devices in the group through group commands, and improves the security of communication between node devices in the multicast group.
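The node-side check of S102, as an added illustration that is not code from the patent or its applicant: an ACL of ACEs is configured from the configurator's ACL configuration information in two of the variants described above (one ACE per group with plain subject IDs, and subjects holding first compressed information), and a received group command is executed only when the (group id, source node id) pair matches a subject. String identifiers, the field values and the `compress` function are assumptions, since the page fixes neither a data format nor a compression algorithm.

```python
"""Target-node ACL configuration and group command check (S102); illustration only."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def compress(*parts: str) -> str:
    """Hypothetical compression of identification information (the page names no
    algorithm): a truncated SHA-256 over the joined parts. The ACL must be configured
    and checked with the same function, as the page requires."""
    return hashlib.sha256("|".join(parts).encode("utf-8")).hexdigest()[:16]


@dataclass
class Ace:
    """One access control entity. `first_info` holds the group identification
    information in the one-ACE-per-group variant, or None in the compressed variant,
    where each subject already encodes (group id, control node id) together."""
    first_info: Optional[str]
    subjects: List[str] = field(default_factory=list)
    fabric_index: int = 1        # other ACE fields the page mentions (FabricIndex,
    privilege: str = "operate"   # Privilege, AuthMode); the values here are constructed
    auth_mode: str = "group"


@dataclass
class Acl:
    entries: List[Ace] = field(default_factory=list)


# ---- configuring the ACL from the configurator's ACL configuration information ----

def configure_plain(acl: Acl, group_id: str, control_node_ids: List[str]) -> Ace:
    """Variant with one ACE per multicast group: the group id goes into the ACE's
    first information and each control node id into its own subject item."""
    ace = Ace(first_info=group_id, subjects=list(control_node_ids))
    acl.entries.append(ace)
    return ace


def configure_compressed(acl: Acl, group_id: str, control_node_ids: List[str]) -> Ace:
    """Variant with first compressed information: the group id and each control node
    id are compressed together into one subject item, so one ACE serves several groups."""
    ace = next((e for e in acl.entries if e.first_info is None), None)
    if ace is None:
        ace = Ace(first_info=None)
        acl.entries.append(ace)
    ace.subjects.extend(compress(group_id, nid) for nid in control_node_ids)
    return ace


# ---- S102: decide whether a received group command is executed ----

def should_execute_plain(acl: Acl, group_id: str, source_id: str) -> bool:
    """Locate the ACE whose first information equals the group id carried by the
    command, then look for a subject equal to the source node id. No matching ACE
    or no matching subject means the command is not executed."""
    for ace in acl.entries:
        if ace.first_info == group_id:
            return source_id in ace.subjects
    return False


def should_execute_compressed(acl: Acl, group_id: str, source_id: str) -> bool:
    """Compress (group id, source id) with the configuration-time algorithm (the
    second compressed information) and search the ACL's subjects for a match."""
    token = compress(group_id, source_id)
    return any(token in ace.subjects for ace in acl.entries)


def demo() -> dict:
    """Constructed scenario: G1 has control nodes N1..N3 and an ordinary member N9;
    G2 and G3 share one compressed ACE, with N7 controlling both and N1 only G3."""
    plain = Acl()
    configure_plain(plain, "G1", ["N1", "N2", "N3"])
    comp = Acl()
    configure_compressed(comp, "G2", ["N7"])
    configure_compressed(comp, "G3", ["N7", "N1"])
    return {
        "plain_control": should_execute_plain(plain, "G1", "N2"),
        "plain_member": should_execute_plain(plain, "G1", "N9"),
        "plain_unknown_group": should_execute_plain(plain, "G2", "N2"),
        "comp_control": should_execute_compressed(comp, "G2", "N7"),
        "comp_wrong_group": should_execute_compressed(comp, "G2", "N1"),
        "comp_shared_ace": should_execute_compressed(comp, "G3", "N1"),
    }
```

A member node that was taken over (N9 above) is refused even though it belongs to the group, and a control node of one group (N1 for G3) gains nothing in another group sharing the same ACE.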
Referring to FIG. 2, FIG. 2 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 2, the group command processing method includes:
S201. The configurator sends group table configuration information to the target node device, the group table configuration information including first indication information; correspondingly, the target node device receives the group table configuration information.
The configurator is used to configure the node devices in a multicast group, and the node devices in the same multicast group are configured by a single configurator.
Specifically, when configuring the node devices in a multicast group, the configurator designates one or more node devices as control node devices; only group commands sent by a control node device are executed by the other node devices in the group. The configurator sends group table configuration information to the multiple node devices in the multicast group; the group table configuration information includes first indication information and instructs each of the node devices to configure the first indication information in its group table, where the first indication information indicates whether that node device is a control node device.
Optionally, the group table configuration information also includes other information, such as a domain index, a group identifier and a group key index, and the target node device configures the domain index, group identifier, group key index and so on in the group table as well.
S202. The target node device configures the first indication information in its group table, where the first indication information indicates whether the target node device is a control node device.
Specifically, the target node device receives the group table configuration information and configures the first indication information it includes in the group table; if the group table configuration information also includes other information, such as a domain index, a group identifier and a group key index, the target node device configures these in the group table as well.
In a possible implementation, the first indication information is newly added to the group table of the target node device; the information contained in the group table of the target node device is shown in Table 6.
Table 6 Information contained in the group table of the target node device (the table is provided as an image in the original and is not reproduced here)
The first indication information has the boolean data type, meaning it is either true or false. When the first indication information is true, the target node device is a control node device; when it is false or absent (default), the target node device is not a control node device.
S203、配置器获取目标节点设备的组表中的第一指示信息,判断目标节点设备是否为控制节点设备。S203. The configurator acquires the first indication information in the group table of the target node device, and judges whether the target node device is a control node device.
具体的,配置器在向目标节点设备发送ACL配置信息之前,需要先判断目标节点设备是否为多播组内的控制节点设备。在一种可能的实施方式中,配置器通过发送请求消息,获取多播组内各个节点设备的组表中的第一指示信息,由此可以判断出多播组中哪些设备为控制节点设备。Specifically, before sending the ACL configuration information to the target node device, the configurator needs to first determine whether the target node device is a control node device in the multicast group. In a possible implementation manner, the configurator obtains the first indication information in the group table of each node device in the multicast group by sending a request message, so as to determine which devices in the multicast group are control node devices.
可选的,配置器还可能在将各个节点设备加入多播组时,保存了各个节点设备是否为控制节点设备的信息,不需要再从各个节点设备获取。Optionally, the configurator may also save information about whether each node device is a control node device when adding each node device to the multicast group, and does not need to obtain information from each node device.
S204、配置器向目标节点设备发送访问控制列表ACL配置信息,ACL配置信息包括组标识信息和至少一个控制节点设备的标识信息,相应的,目标节点设备接收ACL配置信息。S204. The configurator sends ACL configuration information to the target node device. The ACL configuration information includes group identification information and identification information of at least one control node device. Correspondingly, the target node device receives the ACL configuration information.
具体的,ACL配置信息中的组标识信息为目标节点设备归属的第一多播组的组标识信息,至少一个控制节点设备的标识信息指示了第一多播组中的至少一个控制节点设备。Specifically, the group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of at least one control node device indicates at least one control node device in the first multicast group.
若目标节点设备是多播组内的控制节点设备,则该ACL配置信息包括多播组内除了目标节点设备以外其他控制节点设备的标识信息。若目标节点设备不是多播组内的控制节点设备,则该ACL配置信息包括多播组内所有控制节点设备的标识信息。If the target node device is a control node device in the multicast group, the ACL configuration information includes identification information of other control node devices in the multicast group except the target node device. If the target node device is not a control node device in the multicast group, the ACL configuration information includes identification information of all control node devices in the multicast group.
可选的,该ACL配置信息除了包括该组标识信息和该至少一个控制节点设备的标识信息外,还可能包括其他信息,例如域索引、权限、鉴权模式等,目标节点设备还将其他信息也配置在ACL中。Optionally, the ACL configuration information may include other information, such as domain index, authority, authentication mode, etc., in addition to the group identification information and the identification information of the at least one control node device, and the target node device will also include other information Also configured in the ACL.
S205. The target node device configures the ACL according to the group identification information and the identification information of the at least one control node device.
In one possible implementation, the target node device configures the group identification information in the first information of a first access control entity (ACE) of the ACL, and configures the identification information of the at least one control node device in at least one subject information entry of the first ACE, with a one-to-one correspondence between control node device identifiers and subject information entries.
In one possible implementation, the target node device also configures the number n of control node device identifiers in the first information.
In one possible implementation, the target node device configures the group identification information in each of at least one subject information entry of the first ACE of the ACL; compresses the identification information of each control node device among the at least one control node device to obtain compressed identification information for each; and configures the compressed identification information in the subject information entries that carry the group identification information, one compressed identifier per subject information entry.
In one possible implementation, the target node device compresses the group identification information together with the identification information of each control node device to obtain at least one piece of first compressed information, and configures the at least one piece of first compressed information in at least one subject information entry of the ACL, one piece of first compressed information per subject information entry.
In one possible implementation, a new authentication mode is added to the access control entity structure of the target node device. The authentication modes in that structure then include: key-based secure connection, certificate-based secure connection, group-based secure connection, and enhanced group-based secure connection. The enhanced group-based secure connection is the newly added mode; it inherits the group-based secure connection mode and additionally requires the subject information content of the ACL described in the implementations above.
S206. The target node device receives a group command. The group command includes group identification information and the identification information of the source node device.
Specifically, the target node device and the source node device belong to the same multicast group. Within that multicast group, the source node device sends the group command and, correspondingly, the target node device receives it.
S207. The target node device determines whether to execute the group command according to the group identification information, the identification information of the source node device, and the subject information in its ACL.
In one possible implementation, the target node device determines the first ACE in the ACL according to the group identification information, and checks whether the first ACE contains subject information matching the identification information of the source node device. If it does, the target node device executes the group command; in one possible implementation, if it does not, the group command is not executed.
In one possible implementation, the target node device determines the first information in the ACL according to the group identification information, and checks whether any of the n subject information entries following the first information matches the identification information of the source node device. If so, the group command is executed; in one possible implementation, if not, it is not executed.
In one possible implementation, the target node device determines, according to the group identification information, the at least one subject information entry in the ACL that contains the group identification information; compresses the identification information of the source node device to obtain its compressed identification information; and checks whether any of those subject information entries contains information matching the compressed identification information of the source node device. If so, the group command is executed; in one possible implementation, if not, it is not executed.
In one possible implementation, the target node device determines, according to the group identification information, the at least one subject information entry in the ACL that contains the group identification information; decompresses those entries to obtain at least one piece of first decompressed information; and checks whether any piece of first decompressed information matches the identification information of the source node device. If so, the group command is executed; in one possible implementation, if not, it is not executed.
In one possible implementation, the target node device compresses the group identification information together with the identification information of the source node device to obtain second compressed information, and checks whether the ACL contains subject information matching the second compressed information. If so, the group command is executed; in one possible implementation, if not, it is not executed.
In one possible implementation, the target node device decompresses at least one subject information entry in the ACL to obtain at least one piece of second decompressed information, and checks whether any piece of second decompressed information matches both the group identification information and the identification information of the source node device. If so, the group command is executed; in one possible implementation, if not, it is not executed.
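The compressed subject layouts of S205 and the matching checks of S207, as an added example; this is not code from the patent application. The application does not name a compression function, so this example assumes an irreversible one, SHA-256 truncated to the needed width, in two shapes: a 48-bit compressed node id packed above the 16-bit group id in one subject (the layout that keeps the group id in the subject), and a 64-bit digest of group id and node id together (the "first compressed information" layout). The authentication mode name GROUP_ENHANCED, the Ace class, the target resource names and the node ids are this example's own assumptions.

```python
import hashlib

SUBJECT_BITS = 64          # one subject information entry is 64 bits (from the text)
GROUP_BITS = 16            # group identification information is 16 bits (from the text)
GROUP_MASK = (1 << GROUP_BITS) - 1
NODE_ID_BYTES = 8          # a control node identifier is 64 bits (from the text)
AUTH_MODE_GROUP_ENHANCED = "GROUP_ENHANCED"   # assumed name for the added authentication mode


def _truncated_hash(data: bytes, bits: int) -> int:
    """Assumed compression function: the top `bits` bits of SHA-256(data)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def compress_node_id(node_id: int) -> int:
    """48-bit compressed node id, so that it shares one 64-bit subject with a 16-bit group id."""
    return _truncated_hash(node_id.to_bytes(NODE_ID_BYTES, "big"), SUBJECT_BITS - GROUP_BITS)


def compress_pair(group_id: int, node_id: int) -> int:
    """Group id and node id compressed together into one 64-bit subject."""
    data = group_id.to_bytes(2, "big") + node_id.to_bytes(NODE_ID_BYTES, "big")
    return _truncated_hash(data, SUBJECT_BITS)


class Ace:
    """Minimal access control entity: authentication mode, target resources, 64-bit subjects."""

    def __init__(self, fabric_index: int, auth_mode: str, targets, subjects):
        self.fabric_index = fabric_index
        self.auth_mode = auth_mode
        self.targets = frozenset(targets)
        self.subjects = list(subjects)


def build_packed_ace(fabric_index: int, targets, group_id: int, control_nodes) -> Ace:
    """Subject = compressed node id (high 48 bits) | group id (low 16 bits), one per control node."""
    if not 0 <= group_id <= GROUP_MASK:
        raise ValueError("group id must fit in 16 bits")
    subjects = [(compress_node_id(n) << GROUP_BITS) | group_id for n in control_nodes]
    return Ace(fabric_index, AUTH_MODE_GROUP_ENHANCED, targets, subjects)


def build_hashed_ace(fabric_index: int, targets, group_id: int, control_nodes) -> Ace:
    """Subject = compress(group id || node id), one per control node."""
    subjects = [compress_pair(group_id, n) for n in control_nodes]
    return Ace(fabric_index, AUTH_MODE_GROUP_ENHANCED, targets, subjects)


def _candidate_aces(acl, target):
    """Only ACEs in the enhanced group mode whose Targets cover the requested resource count."""
    return [a for a in acl if a.auth_mode == AUTH_MODE_GROUP_ENHANCED and target in a.targets]


def authorize_packed(acl, group_id: int, source_node: int, target) -> bool:
    """Keep subjects whose low 16 bits equal the command's group id, then compare the high
    48 bits with the compressed identifier of the command's source node."""
    want = compress_node_id(source_node)
    for ace in _candidate_aces(acl, target):
        for subject in ace.subjects:
            if (subject & GROUP_MASK) == group_id and (subject >> GROUP_BITS) == want:
                return True
    return False


def authorize_hashed(acl, group_id: int, source_node: int, target) -> bool:
    """Recompute compress(group id || source node id) and look for an equal subject."""
    want = compress_pair(group_id, source_node)
    return any(want in ace.subjects for ace in _candidate_aces(acl, target))


if __name__ == "__main__":
    # Constructed sample data: group 0x0102 with two control nodes; a third node is a plain member.
    n1, n2, n3 = 0x0102030405060708, 0x1112131415161718, 0x2122232425262728
    acl = [build_packed_ace(1, {"OnOff"}, 0x0102, [n1, n2])]
    print(authorize_packed(acl, 0x0102, n1, "OnOff"))   # control node: True
    print(authorize_packed(acl, 0x0102, n3, "OnOff"))   # plain member: False
```

Two points a practitioner should keep in mind. A truncated hash is one-way, so the variants of S207 that decompress the stored subjects and compare the result with the plain identifiers cannot be built on it; they need a reversible encoding of the identifier, which the application leaves open. And with either shape the ACL compares identifiers, it does not authenticate them: the source node identifier carried in the group command has to be protected by the group's own security mechanism, otherwise a compromised member could simply claim a control node's identifier.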
In the above method, the configurator sends ACL configuration information to the target node device, the ACL configuration information including group identification information and the identification information of at least one control node device, and the target node device configures its ACL accordingly. Within the multicast group, the subject information in the ACL restricts the source of group commands, so that only group commands issued by control node devices are executed by the other node devices in the group. After receiving a group command, the target node device consults the subject information in its ACL together with the identification information of the source node device to decide whether the command from that source may be executed. This prevents a node device in the multicast group that has been illegitimately taken over from controlling the other node devices in the group through group commands, and improves the security of communication between node devices in the multicast group.
Referring to FIG. 3, FIG. 3 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 3, the method includes:
S301. The target node device receives ACL configuration information from the configurator. The ACL configuration information includes group identification information and the identification information of at least one control node device.
Specifically, the configurator configures the node devices in the multicast group, and the node devices of one multicast group are configured by a single configurator. The group identification information in the ACL configuration information is that of the first multicast group to which the target node device belongs, and the identification information of the at least one control node device identifies at least one control node device in the first multicast group. When configuring the node devices in the multicast group, the configurator designates one or more node devices as control node devices; only group commands sent by control node devices are executed by the other node devices in the group.
Optionally, in addition to the group identification information and the identification information of the at least one control node device, the ACL configuration information may include other information, such as the fabric index, privilege and authentication mode; the target node device configures this other information in the ACL as well.
S302. The target node device configures the group identification information in the first information of a first access control entity (ACE) of the ACL.
Specifically, the ACL of the target node device includes one or more access control entities (ACEs), and each ACE includes one piece of first information and one or more subject information entries. In one possible implementation, the first information is itself a subject information entry of the ACE. After receiving the ACL configuration information, the target node device configures the group identification information it carries in the first information of the first ACE.
S303. The target node device configures the identification information of the at least one control node device in at least one subject information entry of the first ACE.
Specifically, the target node device also configures the identification information of the at least one control node device carried in the ACL configuration information in at least one subject information entry of the first ACE, one identifier per entry. For example, if the control node devices of the first multicast group are node device 1, node device 2 and node device 3, only group commands issued by those three devices are executed by the other node devices in the group; their identification information is configured in three subject information entries of the first ACE, one identifier per entry. Note that in this implementation one ACE corresponds to one multicast group; the group identification information and control node device identifiers of other multicast groups must be configured in other ACEs.
In one possible implementation, the Subjects structure of the first ACE of the target node device is as shown in Table 7.
Table 7 First Subjects structure of an ACE
(Table 7 is an image in the original, PCTCN2021133694-appb-000008. Its layout as described in the text: Subject 0, the first information, is 64 bits and carries the 16-bit group identifier in its low 16 bits; Subject 1 to Subject n, 64 bits each, each carry the 64-bit identifier of one control node device.)
Specifically, within an ACE each subject information entry is 64 bits long, and the first information is one such entry. The group identification information is 16 bits long and a control node device identifier is 64 bits long. In the structure shown in Table 7, the group identification information occupies the low 16 bits of the first information, and a control node device identifier occupies the next 64 bits, i.e. the next subject information entry. The structure of Table 7 is only an example: the group identification information may instead occupy the high 16 bits of the first information, or any 16 bits of it. If there are identifiers for several control node devices, they are configured in the several subject information entries that follow the first information.
Optionally, bits 16-23 of the first information may also carry the number n of control node device identifiers. For example, if the first ACE carries the identifiers of 3 control node devices, n is 3, and the value 3 is configured in the first information.
S304. The target node device receives a group command. The group command includes group identification information and the identification information of the source node device.
Specifically, the target node device and the source node device belong to the first multicast group. Within that group, the source node device sends the group command and, correspondingly, the target node device receives it.
S305. The target node device determines the first ACE in the ACL according to the group identification information.
Optionally, after receiving the group command, the target node device searches the ACL for an ACE that satisfies all of the following: the authentication mode (AuthMode) of the ACE is GROUP; the targets (Targets) of the ACE match the target resource requested by the group command; and the fabric index (FabricIndex) of the ACE matches the group identification information in the group command. The ACE satisfying these conditions is the first ACE.
S306. The target node device checks whether the first ACE contains subject information matching the identification information of the source node device.
Specifically, the first ACE further includes at least one subject information entry, in which the identification information of the control node devices of the multicast group is configured. The target node device checks whether the first ACE contains subject information matching the identification information of the source node device. If it does, the source node device is a control node device of the multicast group, so its group command may be executed and the target node device executes it; otherwise it does not.
S307. If such subject information exists, the target node device executes the group command.
S308. If it does not exist, the target node device does not execute the group command.
In the above method, within the multicast group, the subject information in the ACL restricts the source of group commands, so that only group commands issued by control node devices are executed by the other node devices in the group. After receiving a group command, the target node device consults the subject information in its ACL together with the identification information of the source node device to decide whether the command may be executed. This prevents a node device in the multicast group that has been illegitimately taken over from controlling the other node devices in the group through group commands, and improves the security of communication between node devices in the multicast group.
Referring to FIG. 4, FIG. 4 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 4, the method includes:
S401. The target node device receives ACL configuration information from the configurator. The ACL configuration information includes group identification information and the identification information of at least one control node device.
Specifically, the configurator configures the node devices in the multicast group, and the node devices of one multicast group are configured by a single configurator. The group identification information in the ACL configuration information is that of the first multicast group to which the target node device belongs, and the identification information of the at least one control node device identifies at least one control node device in the first multicast group. When configuring the node devices in the multicast group, the configurator designates one or more node devices as control node devices; only group commands sent by control node devices are executed by the other node devices in the group.
Optionally, in addition to the group identification information and the identification information of the at least one control node device, the ACL configuration information may include other information, such as the fabric index, privilege and authentication mode; the target node device configures this other information in the ACL as well.
S402. The target node device configures the group identification information in the first information of a first access control entity (ACE) of the ACL.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more pieces of first information and one or more subject information entries. After receiving the ACL configuration information, the target node device configures the group identification information it carries in the first information of the first ACE.
S403. The target node device configures the number n of control node device identifiers in the first information.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more pieces of first information and one or more subject information entries. In one possible implementation, the first information is itself a subject information entry of the ACE. After receiving the ACL configuration information, the target node device configures the group identification information in the first information of the first ACE and also configures the number n of control node device identifiers in the same first information. For example, if the control node devices of the first multicast group are node device 1, node device 2 and node device 3, n is 3, and the target node device configures the value 3 in the first information.
S404. The target node device configures the identification information of the at least one control node device in at least one subject information entry of the first ACE.
Specifically, the target node device also configures the identification information of the at least one control node device carried in the ACL configuration information in at least one subject information entry of the first ACE. For example, if the control node devices of the first multicast group are node device 1, node device 2 and node device 3, their identification information is configured in three subject information entries of the first ACE, one identifier per entry. Note that in this implementation one ACE may correspond to one or more multicast groups; the group identification information and control node device identifiers of other multicast groups may also be configured in the first ACE.
In one possible implementation, the Subjects structure of the first ACE of the target node device is as shown in Table 8.
Table 8 Second Subjects structure of an ACE
(Table 8 is an image in the original, PCTCN2021133694-appb-000009. Its layout as described in the text: bits 0-15 of the first information carry the 16-bit group identifier and bits 16-23 carry the count n; the next n subjects, 64 bits each, carry the identifiers of the control node devices; a further first information entry for another group, with its own n identifiers, may follow in the same ACE.)
具体的,在一个ACE中,主题信息为64bits的长度,第一信息为ACE中的主题信息。组标识信息是16bits的长度,控制节点设备的标识信息是64bits的长度。在表8所示的结构中,组标识信息配置在第一信息的低16bits,第一信息中的16-23bit配置至少一个控制节点设备的标识信息对应的设备数量。需要说明的是,表8所示的结构仅为一种示例,组标识信息可以配置在第一信息的任意16bits,控制节点设备的标识信息的数量n也可以配置在第一信息的与组标识信息不重复的位置。例如,第一ACE中配置了3个标识信息,则n为3,将n为3配置在第一信息中。Specifically, in an ACE, the subject information has a length of 64 bits, and the first information is the subject information in the ACE. The group identification information has a length of 16 bits, and the identification information of the control node device has a length of 64 bits. In the structure shown in Table 8, the group identification information is configured in the lower 16 bits of the first information, and the 16-23 bits in the first information configure the number of devices corresponding to the identification information of at least one control node device. It should be noted that the structure shown in Table 8 is only an example, the group identification information can be configured in any 16 bits of the first information, and the number n of identification information of the control node device can also be configured in the first information and the group identification A location where information is not repeated. For example, if 3 pieces of identification information are configured in the first ACE, then n is 3, and n is 3 configured in the first information.
控制节点设备的标识信息配置在第一信息的下一个64bits(即下一个主题信息)。如果存在多个控制节点设备的标识信息,则将多个控制节点设备的标识信息配置在第一信息之后的多个主题信息中。在第一ACE中,可以将多个组标识信息分别配置在多个第一信息中。The identification information of the control node device is configured in the next 64 bits of the first information (that is, the next topic information). If there is identification information of multiple control node devices, the identification information of multiple control node devices is configured in multiple pieces of subject information following the first information. In the first ACE, multiple pieces of group identification information may be respectively configured in multiple pieces of first information.
S405、目标节点设备接收组命令,组命令包括组标识信息和源节点设备的标识信息。S405. The target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
Specifically, the target node device and the source node device belong to the first multicast group; within that multicast group the source node device sends a group command and, correspondingly, the target node device receives it.
S406. The target node device determines the first information in the ACL according to the group identification information.
Specifically, the target node device has configured the group identification information from the ACL configuration information in the first information of the first ACE, so it can locate the first information according to the group identification information carried in the group command.
S407. The target node device searches the last n subject information entries of the first information for information matching the identification information of the source node device.
Specifically, after the first information has been determined, the number n of control node device identifiers in the first information is obtained; the last n subject information entries of the first information hold the identification information of the control node devices of the multicast group. The target node device searches these last n entries for subject information matching the identification information of the source node device. If a match exists, the source node device is a control node device of the multicast group, so the group command it sent may be executed and the target node device executes it; otherwise the command is not executed.
S408. If a match exists, the target node device executes the group command.
S409. If no match exists, the target node device does not execute the group command.
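The lookup in steps S406 to S409, as an added example in Python; this is not code from the patent or from the applicant. The patent only states that the first information carries the group identification information and the count n, and that the last n subject entries are the control node identifiers, so the `FirstInformation` class, all function names and the sample identifiers are assumptions made for the example. Entries before the last n are simply not consulted by this check.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FirstInformation:
    """Hypothetical model of the 'first information' of the first ACE (assumed layout).

    Per the method: it carries the group identification, the count n of control
    node identifiers, and its LAST n subject entries are the control node ids."""
    group_id: int                                       # 16-bit group identification
    n_control: int                                      # number n of control node ids
    subjects: List[int] = field(default_factory=list)   # 64-bit subject entries


def find_first_information(acl: List[FirstInformation], group_id: int) -> Optional[FirstInformation]:
    """S406: select the first information whose group identification matches."""
    for info in acl:
        if info.group_id == group_id:
            return info
    return None


def control_ids(info: FirstInformation) -> List[int]:
    """The last n subject entries, i.e. the control node identifiers.

    A malformed n (zero, negative, or larger than the subject list) yields an
    empty list, so a bad count can never authorise more senders than intended."""
    n = info.n_control
    if n <= 0 or n > len(info.subjects):
        return []
    return info.subjects[-n:]


def should_execute(acl: List[FirstInformation], group_id: int, source_id: int) -> bool:
    """S406-S409: execute only when the source id is among the last n subjects
    of the first information selected by the group id of the command."""
    info = find_first_information(acl, group_id)
    if info is None:
        return False
    return source_id in control_ids(info)


# Constructed sample ACL (not from the patent): group 0x0A01 has four subject
# entries, of which the last n = 2 are the control node identifiers.
SAMPLE_ACL = [
    FirstInformation(
        group_id=0x0A01,
        n_control=2,
        subjects=[0x1111111111111111, 0x2222222222222222,   # not consulted
                  0xAAAAAAAAAAAAAAAA, 0xBBBBBBBBBBBBBBBB],  # control node ids
    ),
    FirstInformation(group_id=0x0A02, n_control=1,
                     subjects=[0xCCCCCCCCCCCCCCCC]),
]


if __name__ == "__main__":
    print(should_execute(SAMPLE_ACL, 0x0A01, 0xAAAAAAAAAAAAAAAA))  # control node of the group
    print(should_execute(SAMPLE_ACL, 0x0A01, 0x1111111111111111))  # listed, but not in the last n
    print(should_execute(SAMPLE_ACL, 0x0A02, 0xAAAAAAAAAAAAAAAA))  # control node of another group
```

The bounds check in `control_ids` is the part worth copying: if n were taken at face value, a count larger than the entry list would silently select every entry and widen the set of accepted senders.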
In the above method, within a multicast group, the source of group commands is restricted by the subject information in the ACL, so that only group commands issued by a control node device are executed by the other node devices in the group. After receiving a group command, the target node device checks the subject information in the ACL and, together with the identification information of the source node device, determines whether the group command from that source node device may be executed. This prevents a node device in the multicast group that has been illegally taken over from controlling the other node devices in the group through group commands, and improves the security of communication between node devices in the multicast group.
Referring to FIG. 5, FIG. 5 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 5, the group command processing method includes:
S501. The target node device receives ACL configuration information from the configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
Specifically, the configurator is used to configure the node devices in a multicast group, and the node devices in the same multicast group are configured by a single configurator. The group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of the at least one control node device indicates at least one control node device in the first multicast group. When configuring the node devices in a multicast group, the configurator designates one or more node devices as control node devices; only group commands sent by control node devices are executed by the other node devices in the group.
Optionally, in addition to the group identification information and the identification information of the at least one control node device, the ACL configuration information may include other information, such as a domain index, permissions and an authentication mode; the target node device also configures this other information in the ACL.
S502. The target node device configures the group identification information in each of at least one subject information entry of the first ACE of the ACL.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more subject information entries. After receiving the ACL configuration information, the target node device configures the group identification information from the ACL configuration information in each of at least one subject information entry of the first ACE.
S503. The target node device compresses the identification information of each control node device among the identification information of the at least one control node device, obtaining compressed identification information of the at least one control node device.
S504. The target node device configures the compressed identification information of the at least one control node device in the at least one subject information entry that contains the group identification information, with a one-to-one correspondence between the compressed identification information of the at least one control node device and the at least one subject information entry.
Specifically, the target node device also configures the compressed identification information of each control node device in a subject information entry that contains the group identification information. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, the group identification information is configured in three subject information entries, and the compressed identification information of node device 1, node device 2 and node device 3 is configured in those same three entries; that is, each of the three subject information entries contains the group identification information and one piece of compressed identification information. It should be noted that in this embodiment one ACE corresponds to one or more multicast groups, so the group identification information of other multicast groups and the compressed identification information of their control node devices may also be configured in the first ACE.
In a possible implementation, the Subjects structure of the first ACE of the target node device is as shown in Table 9.
Table 9 The third subject structure of the ACE
(The table is an image in the original publication and is not reproduced in the extracted text; its layout is described below.)
Specifically, within an ACE the subject information is 64 bits long, the group identification information is 16 bits long, and the identification information of a control node device is 64 bits long. In the structure shown in Table 9, the group identification information is placed in the low 16 bits of the subject information, and the 64-bit identification information of the control node device is compressed to 48 bits and placed in the high 48 bits of the subject information. It should be noted that the structure shown in Table 9 is only an example: the group identification information may also be placed in the high 16 bits of the subject information, with the 64-bit identification information of the control node device compressed to 48 bits and placed in the low 48 bits. If there is identification information for multiple control node devices, the identification information of each control node device is compressed separately, and the compressed identification information of each control node device together with the group identification information forms the structure shown in Table 9 and is configured in a subject information entry. Optionally, in the first ACE, multiple pieces of group identification information may be configured in multiple subject information entries; that is, group identification information 1 and group identification information 2 may be the same or different.
S505. The target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
Specifically, the target node device and the source node device belong to the first multicast group; within that multicast group the source node device sends a group command and, correspondingly, the target node device receives it.
S506. The target node device determines at least one subject information entry in the ACL according to the group identification information.
Specifically, because the target node device configured the group identification information in each of the at least one subject information entry, it can identify the subject information entries in the ACL that contain the group identification information according to the group identification information carried in the group command.
S507. The identification information of the source node device is compressed to obtain compressed identification information of the source node device.
Specifically, the subject information entries hold the compressed identification information of the control node devices in the multicast group, which was obtained by compressing their identification information. The identification information of the source node device is compressed with the same algorithm used to compress the identification information of the control node devices, yielding the compressed identification information of the source node device.
S508. The at least one subject information entry is searched for information matching the compressed identification information of the source node device.
Specifically, the subject information entries hold the compressed identification information of the control node devices of the multicast group, obtained by compressing their identification information. The at least one subject information entry is searched for information matching the compressed identification information of the source node device. If a match exists, the source node device is a control node device of the multicast group, so the group command it issued may be executed and the target node device executes it; otherwise the command is not executed.
S509. If a match exists, the target node device executes the group command.
S510. If no match exists, the target node device does not execute the group command.
In the above method, within a multicast group, the source of group commands is restricted by the subject information in the ACL, so that only group commands issued by a control node device are executed by the other node devices in the group. After receiving a group command, the target node device checks the subject information in the ACL and, together with the identification information of the source node device, determines whether the group command from that source node device may be executed. This prevents a node device in the multicast group that has been illegally taken over from controlling the other node devices in the group through group commands, and improves the security of communication between node devices in the multicast group.
Referring to FIG. 6, FIG. 6 is a schematic diagram of another group command processing method provided by an embodiment of the present application. As shown in FIG. 6, the group command processing method includes:
S601. The target node device receives ACL configuration information from the configurator, where the ACL configuration information includes group identification information and identification information of at least one control node device.
Specifically, the configurator is used to configure the node devices in a multicast group, and the node devices in the same multicast group are configured by a single configurator. The group identification information in the ACL configuration information is the group identification information of the first multicast group to which the target node device belongs, and the identification information of the at least one control node device indicates at least one control node device in the first multicast group. When configuring the node devices in a multicast group, the configurator designates one or more node devices as control node devices; only group commands sent by control node devices are executed by the other node devices in the group.
Optionally, in addition to the group identification information and the identification information of the at least one control node device, the ACL configuration information may include other information, such as a domain index, permissions and an authentication mode; the target node device also configures this other information in the ACL.
S602. The target node device compresses the group identification information together with the identification information of each control node device among the identification information of the at least one control node device, obtaining at least one piece of first compressed information.
Specifically, the ACL of the target node device includes one or more ACEs, and each ACE includes one or more subject information entries. After receiving the ACL configuration information, the target node device compresses the group identification information from the ACL configuration information together with the identification information of each control node device among the identification information of the at least one control node device, obtaining at least one piece of first compressed information. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, the group identification information is compressed together with the identification information of node device 1, with that of node device 2 and with that of node device 3, respectively, yielding three pieces of first compressed information.
S603. The target node device configures the at least one piece of first compressed information in at least one subject information entry of the ACL, with a one-to-one correspondence between the at least one piece of first compressed information and the at least one subject information entry.
Specifically, the target node device configures the at least one piece of first compressed information in at least one subject information entry of the ACL. For example, if the control node devices in the first multicast group are node device 1, node device 2 and node device 3, the group identification information is compressed together with the identification information of node device 1, with that of node device 2 and with that of node device 3, respectively, yielding three pieces of first compressed information. The three pieces of first compressed information are then configured in three subject information entries respectively; that is, each of the three subject information entries contains one piece of first compressed information, and each piece of first compressed information is obtained by compressing the group identification information together with the identification information of one control node device. It should be noted that in this embodiment one ACE corresponds to one or more multicast groups, so information obtained by compressing the group identification information and control node device identification information of other multicast groups may also be configured in the first ACE.
In a possible implementation, the Subjects structure of the first ACE of the target node device is as shown in Table 10.
Table 10 The fourth subject structure of the ACE

    Subject information
    bits 0-63
    --------------------------------
    first compressed information
    ...
Specifically, within an ACE the subject information is 64 bits long, the group identification information is 16 bits long, and the identification information of a control node device is 64 bits long. In the structure shown in Table 10, the 64-bit identification information of the control node device and the 16-bit group identification information are compressed into 64-bit first compressed information and placed in the subject information. If there is identification information for multiple control node devices, the identification information of each control node device is compressed together with the group identification information, forming the structure shown in Table 10 and configured in a subject information entry. Optionally, in the first ACE, compressed information obtained by compressing the identification information of control node devices of other multicast groups together with their group identification information may be configured in different subject information entries.
S604. The target node device receives a group command, where the group command includes group identification information and identification information of the source node device.
Specifically, the target node device and the source node device belong to the first multicast group; within that multicast group the source node device sends a group command and, correspondingly, the target node device receives it.
S605. The target node device compresses the group identification information together with the identification information of the source node device to obtain second compressed information.
Specifically, the ACL of the target node device includes at least one subject information entry, which holds first compressed information obtained by compressing the group identification information together with the identification information of a control node device in the multicast group. The group identification information and the identification information of the source node device are compressed with the same algorithm used for the group identification information and the identification information of the control node devices, yielding the second compressed information.
S606. The target node device searches the ACL for subject information matching the second compressed information.
Specifically, the subject information entries hold first compressed information obtained by compressing the group identification information together with the identification information of a control node device in the multicast group. The group identification information and the identification information of the source node device are compressed with the same compression algorithm to obtain the second compressed information. The ACL is searched for subject information matching the second compressed information. If a match exists, the source node device is a control node device of the multicast group, so the group command it issued may be executed and the target node device executes it; otherwise the command is not executed.
S607. If a match exists, the target node device executes the group command.
S608. If no match exists, the target node device does not execute the group command.
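The two compressed subject layouts, Table 9 (steps S502 to S508) and Table 10 (steps S602 to S606), as one added, runnable example in Python; this is not code from the patent or from the applicant. The patent fixes no compression algorithm, only that the sender's identifier is compressed with the same algorithm used when the ACL was configured, so the truncated SHA-256 used here is an assumption, as are all function names and the sample group and node identifiers.

```python
import hashlib
from typing import Iterable, List

SUBJECT_BITS = 64   # length of one subject information entry
GROUP_BITS = 16     # length of the group identification information
NODE_ID_BITS = 64   # length of a node device identifier
GROUP_MASK = (1 << GROUP_BITS) - 1


def compress(data: bytes, nbits: int) -> int:
    """Lossy compression of `data` to an nbits-wide integer.

    ASSUMPTION: the patent does not name an algorithm, only that both sides use
    the same one. Here the leading nbits of SHA-256(data) are used."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def _node_bytes(node_id: int) -> bytes:
    if not 0 <= node_id < (1 << NODE_ID_BITS):
        raise ValueError("node identifier must fit in 64 bits")
    return node_id.to_bytes(NODE_ID_BITS // 8, "big")


def _check_group(group_id: int) -> None:
    if not 0 <= group_id < (1 << GROUP_BITS):
        raise ValueError("group identifier must fit in 16 bits")


# ---- Table 9 layout (S502-S504): low 16 bits = group id, high 48 bits = compressed node id

def pack_table9(group_id: int, node_id: int) -> int:
    _check_group(group_id)
    cid = compress(_node_bytes(node_id), SUBJECT_BITS - GROUP_BITS)   # 48-bit compressed id
    return (cid << GROUP_BITS) | group_id


def build_ace_table9(group_id: int, control_ids: Iterable[int]) -> List[int]:
    """One subject entry per control node device, each carrying the group id."""
    return [pack_table9(group_id, nid) for nid in control_ids]


def should_execute_table9(subjects: List[int], group_id: int, source_id: int) -> bool:
    """S506-S510: select the entries for this group, compress the source id with
    the same algorithm, and look for a matching high-48-bit field."""
    candidates = [s for s in subjects if (s & GROUP_MASK) == group_id]           # S506
    source_cid = compress(_node_bytes(source_id), SUBJECT_BITS - GROUP_BITS)    # S507
    return any((s >> GROUP_BITS) == source_cid for s in candidates)              # S508


# ---- Table 10 layout (S602-S603): 64-bit compression of (group id || node id)

def pack_table10(group_id: int, node_id: int) -> int:
    _check_group(group_id)
    data = group_id.to_bytes(GROUP_BITS // 8, "big") + _node_bytes(node_id)
    return compress(data, SUBJECT_BITS)


def build_ace_table10(group_id: int, control_ids: Iterable[int]) -> List[int]:
    return [pack_table10(group_id, nid) for nid in control_ids]


def should_execute_table10(subjects: List[int], group_id: int, source_id: int) -> bool:
    """S605-S608: compress (group id, source id) the same way and compare whole entries."""
    second = pack_table10(group_id, source_id)   # S605: second compressed information
    return second in subjects                     # S606


# Constructed sample data (not from the patent).
GROUP_A, GROUP_B = 0x0A01, 0x0A02
CONTROL_A = [0x1111111111111111, 0x2222222222222222, 0x3333333333333333]
CONTROL_B = [0x4444444444444444]
MEMBER = 0x9999999999999999   # in group A, but not a control node

# A single ACE may carry entries for more than one multicast group.
ACE_T9 = build_ace_table9(GROUP_A, CONTROL_A) + build_ace_table9(GROUP_B, CONTROL_B)
ACE_T10 = build_ace_table10(GROUP_A, CONTROL_A) + build_ace_table10(GROUP_B, CONTROL_B)

if __name__ == "__main__":
    print(should_execute_table9(ACE_T9, GROUP_A, CONTROL_A[0]))   # control node of group A
    print(should_execute_table9(ACE_T9, GROUP_A, MEMBER))         # plain member
    print(should_execute_table10(ACE_T10, GROUP_B, CONTROL_A[0])) # control node of A, not of B
```

Both layouts are lossy: a 64-bit identifier is squeezed into 48 bits in Table 9, and 80 bits of input into 64 bits in Table 10, so distinct identifiers can in principle map to the same compressed value. An implementation should therefore treat the choice of compression function as part of the access check rather than only as a space saving, and the Table 10 variant has the additional property that the group identifier is bound into the compressed value, so an entry for one group cannot be matched by the same sender in another group.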
上述方法中,在多播组内,通过ACL中的主题信息限制组命令的来源,控制节点设备发出的组命令才能被组内其他节点设备执行。目标节点设备收到组命令后,查看ACL中的主题信息,结合源节点设备的标识信息可以判断来自源节点设备的组命令能否被执行。这样,避免了多播组内某个节点设备被非法控制后通过组命令控制组内其他节点设备的情况,提高了多播组内节点设备之间通信的安全性。In the above method, in the multicast group, the source of the group command is restricted through the topic information in the ACL, so that the group command issued by the control node device can be executed by other node devices in the group. After the target node device receives the group command, it checks the topic information in the ACL and combines the identification information of the source node device to determine whether the group command from the source node device can be executed. In this way, it is avoided that a certain node device in the multicast group is illegally controlled and then controls other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
上文描述了本申请实施例提供的组命令的处理方法,下面将描述本申请实施例提供的通信装置。The method for processing the group command provided by the embodiment of the present application is described above, and the communication device provided by the embodiment of the present application will be described below.
参见图7,图7为本申请实施例提供的一种通信装置的示意图,该通信装置700应用于目标节点设备,包括收发单元710和处理单元720。该通信装置700可以为目标节点设备,也可以为目标节点设备内部的芯片或者集成电路,其中:Referring to FIG. 7 , FIG. 7 is a schematic diagram of a communication device provided by an embodiment of the present application. The communication device 700 is applied to a target node device and includes a transceiver unit 710 and a processing unit 720 . The communication device 700 may be a target node device, or a chip or an integrated circuit inside the target node device, wherein:
收发单元710,用于接收组播消息,所述组播消息为组命令,所述组播消息包括组标识信息和源节点设备的标识信息。The transceiver unit 710 is configured to receive a multicast message, the multicast message is a group command, and the multicast message includes group identification information and source node device identification information.
处理单元720,用于根据所述组标识信息、所述源节点设备的标识信息和所述目标节点设备的访问 控制列表ACL中的主题信息,判断是否执行所述组命令。The processing unit 720 is configured to judge whether to execute the group command according to the group identification information, the identification information of the source node device, and the topic information in the access control list ACL of the target node device.
本申请实施例中,目标节点设备接收组播消息,组播消息为组命令,包括组标识信息和源节点设备的标识信息,目标节点设备根据组标识信息、源节点设备的标识信息和ACL中的主题信息判断是否执行组命令。在多播组内,通过ACL中的主题信息限制组命令的来源,控制节点设备发出的组命令才能被组内其他设备执行。目标节点设备收到组命令后,查看ACL中的主题信息,结合源节点设备的标识信息可以判断来自源节点设备的组命令能否被执行。这样,避免了多播组内某个节点设备被非法控制后通过组命令控制组内其他节点设备的情况,提高了多播组内节点设备之间通信的安全性。In the embodiment of this application, the target node device receives a multicast message, and the multicast message is a group command, including group identification information and source node device identification information, and the target node device The topic information determines whether to execute the group command. In the multicast group, the source of the group command is restricted through the topic information in the ACL, so that the group command issued by the control node device can be executed by other devices in the group. After the target node device receives the group command, it checks the topic information in the ACL and combines the identification information of the source node device to determine whether the group command from the source node device can be executed. In this way, it is avoided that a certain node device in the multicast group is illegally controlled and then controls other node devices in the group through group commands, and the security of communication between node devices in the multicast group is improved.
可选的,作为一个实施例,收发单元710还用于接收来自配置器的ACL配置信息,所述ACL配置信息包括所述组标识信息和至少一个控制节点设备的标识信息;处理单元720还用于根据所述组标识信息和所述至少一个控制节点设备的标识信息,配置所述ACL。Optionally, as an embodiment, the transceiver unit 710 is further configured to receive ACL configuration information from the configurator, where the ACL configuration information includes the group identification information and identification information of at least one control node device; the processing unit 720 further uses The ACL is configured according to the group identification information and the identification information of the at least one control node device.
可选的,作为一个实施例,处理单元720具体用于:将所述组标识信息配置在所述ACL的第一访问控制实体ACE的第一信息中;将所述至少一个控制节点设备的标识信息配置在所述第一ACE的至少一个主题信息中,所述至少一个控制节点设备的标识信息与所述至少一个主题信息一一对应。Optionally, as an embodiment, the processing unit 720 is specifically configured to: configure the group identification information in the first information of the first access control entity ACE of the ACL; configure the identification of the at least one control node device The information is configured in at least one topic information of the first ACE, and the identification information of the at least one control node device is in one-to-one correspondence with the at least one topic information.
可选的,作为一个实施例,处理单元720还用于:将所述至少一个控制节点设备的标识信息的数量n配置在所述第一信息中。Optionally, as an embodiment, the processing unit 720 is further configured to: configure the number n of identification information of the at least one control node device in the first information.
可选的,作为一个实施例,处理单元720具体用于:将所述组标识信息分别配置在所述ACL的第一ACE的至少一个主题信息中;将所述至少一个控制节点设备的标识信息中的每个控制节点设备的标识信息进行压缩,得到至少一个控制节点设备的压缩标识信息;将所述至少一个控制节点设备的压缩标识信息配置在包含所述组标识信息的至少一个主题信息中,所述至少一个控制节点设备的压缩标识信息与所述至少一个主题信息一一对应。Optionally, as an embodiment, the processing unit 720 is specifically configured to: respectively configure the group identification information in at least one subject information of the first ACE of the ACL; configure the identification information of the at least one control node device Compress the identification information of each control node device in the group to obtain the compressed identification information of at least one control node device; configure the compressed identification information of the at least one control node device in at least one subject information containing the group identification information , the compressed identification information of the at least one control node device is in one-to-one correspondence with the at least one subject information.
可选的,作为一个实施例,处理单元720具体用于:将所述组标识信息和所述至少一个控制节点设备的标识信息中的每个控制节点设备的标识信息进行压缩,得到至少一个第一压缩信息;将所述至少一个第一压缩信息配置在所述ACL的至少一个主题信息中,所述至少一个第一压缩信息与所述至少一个主题信息一一对应。Optionally, as an embodiment, the processing unit 720 is specifically configured to: compress the identification information of each control node device in the group identification information and the identification information of the at least one control node device, to obtain at least one first Compressed information: configure the at least one first compressed information in at least one subject information of the ACL, where the at least one first compressed information is in one-to-one correspondence with the at least one subject information.
可选的,作为一个实施例,处理单元720具体用于:根据所述组标识信息,确定所述ACL中的所述第一ACE;在所述第一ACE中查找是否存在与所述源节点设备的标识信息匹配的主题信息;若存在,则执行所述组命令。Optionally, as an embodiment, the processing unit 720 is specifically configured to: determine the first ACE in the ACL according to the group identification information; check whether there is an ACE related to the source node in the first ACE The subject information that matches the device's identification information; if present, execute the set of commands.
可选的,作为一个实施例,处理单元720具体用于:根据所述组标识信息,确定所述ACL中的所述第一信息;在所述第一信息的后n个主题信息中查找是否存在与所述源节点设备的标识信息匹配的信息;若存在,则执行所述组命令。Optionally, as an embodiment, the processing unit 720 is specifically configured to: determine the first information in the ACL according to the group identification information; find whether There is information matching the identification information of the source node device; if there is, the set of commands is executed.
可选的,作为一个实施例,处理单元720具体用于:根据所述组标识信息,确定所述ACL中包含所述组标识信息的至少一个主题信息;将所述源节点设备的标识信息进行压缩,得到源节点设备的压缩标识信息;在包含所述组标识信息的至少一个主题信息中查找是否存在与所述源节点设备的压缩标识信息匹配的信息;若存在,则执行所述组命令。Optionally, as an embodiment, the processing unit 720 is specifically configured to: determine at least one subject information in the ACL that includes the group identification information according to the group identification information; Compress to obtain the compressed identification information of the source node device; find whether there is information matching the compressed identification information of the source node device in at least one topic information containing the group identification information; if so, execute the group command .
可选的,作为一个实施例,处理单元720具体用于:根据所述组标识信息,确定所述ACL中包含所述组标识信息的至少一个主题信息;对包含所述组标识信息的至少一个主题信息进行解压缩,得到至少一个第一解压缩信息;在所述至少一个第一解压缩信息中查找是否存在与所述源节点设备的标识信息匹配的信息;若存在,则执行所述组命令。Optionally, as an embodiment, the processing unit 720 is specifically configured to: according to the group identification information, determine at least one subject information in the ACL that includes the group identification information; Decompress the subject information to obtain at least one first decompressed information; find whether there is information matching the identification information of the source node device in the at least one first decompressed information; if so, execute the set Order.
可选的,作为一个实施例,处理单元720具体用于:将所述组标识信息和所述源节点设备的标识信息进行压缩,得到第二压缩信息;在所述ACL中查找是否存在与所述第二压缩信息匹配的主题信息;若存在,则执行所述组命令。Optionally, as an embodiment, the processing unit 720 is specifically configured to: compress the group identification information and the identification information of the source node device to obtain second compressed information; check whether there is an The subject information matching the second compression information; if it exists, execute the set of commands.
可选的,作为一个实施例,处理单元720具体用于:对所述ACL中的至少一个主题信息进行解压缩,得到至少一个第二解压缩信息;在所述至少一个第二解压缩信息中查找是否存在与所述组标识信息和所述源节点设备的标识信息匹配的信息;若存在,则执行所述组命令。Optionally, as an embodiment, the processing unit 720 is specifically configured to: decompress at least one subject information in the ACL to obtain at least one second decompressed information; in the at least one second decompressed information Finding whether there is information matching the group identification information and the identification information of the source node device; if yes, executing the group command.
可选的,作为一个实施例,处理单元720还用于:若不存在,则不执行所述组命令。Optionally, as an embodiment, the processing unit 720 is further configured to: if not exist, not execute the set of commands.
Optionally, as an embodiment, the transceiver unit 710 is further configured to receive group table configuration information from the configurator, the group table configuration information including first indication information, and the first indication information being used to indicate whether the target node device is a control node device; the processing unit 720 is further configured to configure the first indication information in the group table of the target node device.
Optionally, as an embodiment, the ACL configuration information further includes authentication mode configuration information, and the processing unit 720 is further configured to: configure, according to the authentication mode configuration information, the authentication mode of the ACE in the ACL as an enhanced group-based secure connection.
It should be understood that the transceiver unit 710 in the embodiments of the present application may be implemented by a transceiver or transceiver-related circuit components, and the processing unit 720 may be implemented by a processor or processor-related components.
Referring to FIG. 8, FIG. 8 is a schematic diagram of another communication apparatus provided by an embodiment of the present application. The communication apparatus 800 is applied to a configurator and includes a transceiver unit 810. The communication apparatus 800 may be the configurator itself, or a chip or integrated circuit inside the configurator, wherein:
The transceiver unit 810 is configured to send access control list (ACL) configuration information to a target node device, the ACL configuration information including group identification information and identification information of at least one control node device, the ACL configuration information being used to instruct the target node device to configure the ACL according to the group identification information and the identification information of the at least one control node device, and the subject information in the ACL being used by the target node device to determine whether to execute a group command.
In the embodiments of the present application, the configurator sends ACL configuration information to the target node device; the ACL configuration information includes group identification information and identification information of at least one control node device, and the target node device configures the ACL according to the group identification information and the identification information of the at least one control node device. Within the multicast group, the subject information in the ACL restricts the source of group commands, so that only group commands issued by a control node device can be executed by the other devices in the group. After receiving a group command, the target node device checks the subject information in the ACL and, in combination with the identification information of the source node device, can determine whether the group command from the source node device may be executed. This avoids the situation in which a node device in the multicast group, once illegitimately controlled, uses group commands to control the other node devices in the group, and improves the security of communication between node devices in the multicast group.
Optionally, as an embodiment, the transceiver unit 810 is further configured to: send group table configuration information to multiple node devices in the multicast group, the group table configuration information including first indication information, the group table configuration information being used to instruct each of the multiple node devices to configure the first indication information in its group table, and the first indication information being used to indicate whether that node device is a control node device.
Optionally, as an embodiment, the apparatus further includes a processing unit 820, and the processing unit 820 is configured to: determine the ACL configuration information according to the first indication information of the multiple node devices.
It should be understood that the transceiver unit 810 in the embodiments of the present application may be implemented by a transceiver or transceiver-related circuit components, and the processing unit 820 may be implemented by a processor or processor-related components.
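The flow just described, as an added Python example that is not code from the patent: a configurator derives the ACL configuration from which group members are marked as control node devices and pushes it to every member, and a target node device then executes a group command only when the source node device is listed as a subject in the ACE for that group (plain layout of claims 3 and 4, or the compressed-subject layout of claim 5). Identifiers, the message format and the "compression" (modelled as a truncated SHA-256) are assumptions; the patent specifies none of them.

```python
"""Added example (not code from the patent): a model of the group-command
authorisation flow described above. A configurator records which members of a
multicast group are control node devices, derives ACL configuration from that,
and a target node device executes a group command only when the source node
device is listed as a subject in the ACE for that group."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def compress(value: str) -> str:
    """Assumed 'compression' of an identifier: the first 16 hex characters of
    SHA-256; the patent does not specify its compression scheme."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


@dataclass
class ACE:
    first_info: dict[str, object]  # group id, plus n (plain layout) or a layout flag
    subjects: list[str]            # one subject per control node device


@dataclass
class TargetNode:
    node_id: str
    group_table: dict[str, bool] = field(default_factory=dict)  # group id -> is control node
    acl: list[ACE] = field(default_factory=list)
    executed: list[str] = field(default_factory=list)

    def configure_acl(self, group_id: str, controller_ids: list[str], compressed: bool) -> None:
        if compressed:
            # Layout of claim 5: every subject carries the group id and the
            # compressed identifier of one control node device.
            subjects = [f"{group_id}:{compress(c)}" for c in controller_ids]
            self.acl.append(ACE({"group_id": group_id, "compressed": True}, subjects))
        else:
            # Layout of claims 3 and 4: group id and count n in the first
            # information, the n plain controller identifiers as subjects.
            self.acl.append(ACE({"group_id": group_id, "n": len(controller_ids)},
                                list(controller_ids)))

    def is_authorized(self, group_id: str, source_id: str) -> bool:
        """Claims 7 to 9: locate the ACE for the group, then look for the source."""
        for ace in self.acl:
            if ace.first_info.get("group_id") != group_id:
                continue
            if ace.first_info.get("compressed"):
                if f"{group_id}:{compress(source_id)}" in ace.subjects:
                    return True
            elif source_id in ace.subjects[: int(ace.first_info["n"])]:
                return True
        return False  # no matching subject, or no ACE for the group: deny

    def handle_group_command(self, msg: dict[str, str]) -> bool:
        """Returns True when the group command was executed."""
        if self.is_authorized(msg["group_id"], msg["source_id"]):
            self.executed.append(msg["command"])
            return True
        return False


@dataclass
class Configurator:
    members: dict[str, list[tuple[TargetNode, bool]]] = field(default_factory=dict)

    def add_member(self, group_id: str, node: TargetNode, is_controller: bool) -> None:
        # Group table configuration: the first indication information tells the
        # node whether it is a control node device.
        self.members.setdefault(group_id, []).append((node, is_controller))
        node.group_table[group_id] = is_controller

    def push_acl(self, group_id: str, compressed: bool = False) -> list[str]:
        # Claim 18: derive the ACL configuration from the members' first
        # indication information, then send it to every member of the group.
        controller_ids = [n.node_id for n, ctrl in self.members[group_id] if ctrl]
        for node, _ in self.members[group_id]:
            node.configure_acl(group_id, controller_ids, compressed)
        return controller_ids


def demo(compressed: bool = False) -> dict[str, bool]:
    """Constructed scenario: a switch controls two lamps in group 'g1'; a lamp
    that has been taken over tries to issue the same group command."""
    switch, lamp_a, lamp_b = TargetNode("switch-01"), TargetNode("lamp-01"), TargetNode("lamp-02")
    cfg = Configurator()
    cfg.add_member("g1", switch, True)
    cfg.add_member("g1", lamp_a, False)
    cfg.add_member("g1", lamp_b, False)
    cfg.push_acl("g1", compressed)
    from_switch = {"group_id": "g1", "source_id": "switch-01", "command": "off"}
    from_lamp = {"group_id": "g1", "source_id": "lamp-01", "command": "off"}
    other_group = {"group_id": "g2", "source_id": "switch-01", "command": "off"}
    return {
        "switch_accepted": lamp_b.handle_group_command(from_switch),
        "lamp_rejected": not lamp_b.handle_group_command(from_lamp),
        "unknown_group_rejected": not lamp_b.handle_group_command(other_group),
    }
```

The default-deny branch matters: a group command whose group has no ACE, or whose source is not a listed control node, is dropped rather than executed, which is the property the paragraph above claims for the scheme.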
Referring to FIG. 9, FIG. 9 is a schematic diagram of a target node device provided by an embodiment of the present application. The target node device 900 includes a processor 910, a memory 920 and a transceiver 930, where the memory 920 stores instructions or programs and the processor 910 is configured to execute the instructions or programs stored in the memory 920. When the instructions or programs stored in the memory 920 are executed, the processor 910 performs the operations performed by the processing unit 720 in the above embodiments, and the transceiver 930 performs the operations performed by the transceiver unit 710 in the above embodiments.
It should be understood that the communication apparatus 700 of the embodiments of the present application may correspond to the target node device in the group command processing method of the embodiments of the present application, and that the operations and/or functions of the units in the communication apparatus 700 or the target node device 900 serve to implement the corresponding flows of the group command processing method described above; for brevity, they are not repeated here.
Referring to FIG. 10, FIG. 10 is a schematic diagram of a configurator provided by an embodiment of the present application. The configurator 1000 includes a processor 1010, a memory 1020 and a transceiver 1030, where the memory 1020 stores instructions or programs and the processor 1010 is configured to execute the instructions or programs stored in the memory 1020. When the instructions or programs stored in the memory 1020 are executed, the processor 1010 performs the operations performed by the processing unit 820 in the above embodiments, and the transceiver 1030 performs the operations performed by the transceiver unit 810 in the above embodiments.
It should be understood that the communication apparatus 800 of the embodiments of the present application may correspond to the configurator in the group command processing method of the embodiments of the present application, and that the operations and/or functions of the units in the communication apparatus 800 or the configurator 1000 serve to implement the corresponding flows of the group command processing method described above; for brevity, they are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium for storing instructions which, when executed by a processor, implement the flows related to the target node device in the above method embodiments.
An embodiment of the present application further provides a computer-readable storage medium for storing instructions which, when executed by a processor, implement the flows related to the configurator in the above method embodiments.
An embodiment of the present application further provides a computer program product containing instructions which, when run on a computer or processor, cause the computer or processor to perform one or more steps of the above method embodiments. If the component modules of the devices involved above are implemented in the form of software functional units and sold or used as independent products, they may be stored in the computer-readable storage medium.
It should be noted that the memories described herein are intended to include, but are not limited to, these and any other suitable types of memory.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above processes do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or part of the technical solution, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed in the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (40)

  1. A method for processing a multicast message, wherein the method is applied to a target node device and comprises:
    receiving a multicast message, the multicast message being a group command and comprising group identification information and identification information of a source node device;
    determining, according to the group identification information, the identification information of the source node device and subject information in an access control list (ACL) of the target node device, whether to execute the group command.
  2. The method according to claim 1, wherein, before the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command, the method further comprises:
    receiving ACL configuration information from a configurator, the ACL configuration information comprising the group identification information and identification information of at least one control node device;
    configuring the ACL according to the group identification information and the identification information of the at least one control node device.
  3. The method according to claim 2, wherein the configuring the ACL according to the group identification information and the identification information of the at least one control node device comprises:
    configuring the group identification information in first information of a first access control entity (ACE) of the ACL;
    configuring the identification information of the at least one control node device in at least one piece of subject information of the first ACE, the identification information of the at least one control node device corresponding one-to-one with the at least one piece of subject information.
  4. The method according to claim 3, wherein the configuring the ACL according to the group identification information and the identification information of the at least one control node device further comprises:
    configuring the number n of pieces of identification information of the at least one control node device in the first information.
  5. The method according to claim 2, wherein the configuring the ACL according to the group identification information and the identification information of the at least one control node device comprises:
    configuring the group identification information in each of at least one piece of subject information of a first ACE of the ACL;
    compressing the identification information of each control node device among the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device;
    configuring the compressed identification information of the at least one control node device in the at least one piece of subject information containing the group identification information, the compressed identification information of the at least one control node device corresponding one-to-one with the at least one piece of subject information.
  6. The method according to claim 2, wherein the configuring the ACL according to the group identification information and the identification information of the at least one control node device comprises:
    compressing the group identification information together with the identification information of each control node device among the identification information of the at least one control node device to obtain at least one piece of first compressed information;
    configuring the at least one piece of first compressed information in at least one piece of subject information of the ACL, the at least one piece of first compressed information corresponding one-to-one with the at least one piece of subject information.
  7. The method according to claim 3, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command comprises:
    determining the first ACE in the ACL according to the group identification information;
    looking up whether subject information matching the identification information of the source node device exists in the first ACE;
    if so, executing the group command.
  8. The method according to claim 4, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command comprises:
    determining the first information in the ACL according to the group identification information;
    looking up whether information matching the identification information of the source node device exists in the n pieces of subject information following the first information;
    if so, executing the group command.
  9. The method according to claim 5, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command comprises:
    determining, according to the group identification information, at least one piece of subject information in the ACL that contains the group identification information;
    compressing the identification information of the source node device to obtain compressed identification information of the source node device;
    looking up whether information matching the compressed identification information of the source node device exists in the at least one piece of subject information containing the group identification information;
    if so, executing the group command.
  10. The method according to claim 5, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command comprises:
    determining, according to the group identification information, at least one piece of subject information in the ACL that contains the group identification information;
    decompressing the at least one piece of subject information containing the group identification information to obtain at least one piece of first decompressed information;
    looking up whether information matching the identification information of the source node device exists in the at least one piece of first decompressed information;
    if so, executing the group command.
  11. The method according to claim 6, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command comprises:
    compressing the group identification information and the identification information of the source node device to obtain second compressed information;
    looking up whether subject information matching the second compressed information exists in the ACL;
    if so, executing the group command.
  12. The method according to claim 6, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command comprises:
    decompressing at least one piece of subject information in the ACL to obtain at least one piece of second decompressed information;
    looking up whether information matching the group identification information and the identification information of the source node device exists in the at least one piece of second decompressed information;
    if so, executing the group command.
  13. The method according to any one of claims 7 to 12, wherein the determining, according to the group identification information, the identification information of the source node device and the subject information in the access control list (ACL) of the target node device, whether to execute the group command further comprises:
    if not, not executing the group command.
  14. The method according to claim 1, wherein the method further comprises:
    receiving group table configuration information from a configurator, the group table configuration information comprising first indication information, the first indication information being used to indicate whether the target node device is a control node device;
    configuring the first indication information in a group table of the target node device.
  15. The method according to claim 2, wherein the ACL configuration information further comprises authentication mode configuration information, and the method further comprises:
    configuring, according to the authentication mode configuration information, the authentication mode of the ACE in the ACL as an enhanced group-based secure connection.
  16. A method for processing a multicast message, wherein the method is applied to a configurator and comprises:
    sending access control list (ACL) configuration information to a target node device, the ACL configuration information comprising group identification information and identification information of at least one control node device, the ACL configuration information being used to instruct the target node device to configure the ACL according to the group identification information and the identification information of the at least one control node device, and subject information in the ACL being used by the target node device to determine whether to execute a group command.
  17. The method according to claim 16, wherein the method further comprises:
    sending group table configuration information to multiple node devices in a multicast group, the group table configuration information comprising first indication information, the group table configuration information being used to instruct each of the multiple node devices to configure the first indication information in a group table, and the first indication information being used to indicate whether each node device is a control node device.
  18. The method according to claim 17, wherein, before the sending access control list (ACL) configuration information to the target node device, the method further comprises:
    determining the ACL configuration information according to the first indication information of the multiple node devices.
  19. A communication apparatus, wherein the apparatus is applied to a target node device and comprises:
    a transceiver unit, configured to receive a multicast message, the multicast message being a group command and comprising group identification information and identification information of a source node device;
    a processing unit, configured to determine, according to the group identification information, the identification information of the source node device and subject information in an access control list (ACL) of the target node device, whether to execute the group command.
  20. The apparatus according to claim 19, wherein the transceiver unit is further configured to receive ACL configuration information from a configurator, the ACL configuration information comprising the group identification information and identification information of at least one control node device; and the processing unit is further configured to configure the ACL according to the group identification information and the identification information of the at least one control node device.
  21. The apparatus according to claim 20, wherein the processing unit is specifically configured to:
    configure the group identification information in first information of a first access control entity (ACE) of the ACL;
    configure the identification information of the at least one control node device in at least one piece of subject information of the first ACE, the identification information of the at least one control node device corresponding one-to-one with the at least one piece of subject information.
  22. The apparatus according to claim 21, wherein the processing unit is further configured to:
    configure the number n of pieces of identification information of the at least one control node device in the first information.
  23. The apparatus according to claim 20, wherein the processing unit is specifically configured to:
    configure the group identification information in each of at least one piece of subject information of a first ACE of the ACL;
    compress the identification information of each control node device among the identification information of the at least one control node device to obtain compressed identification information of the at least one control node device;
    configure the compressed identification information of the at least one control node device in the at least one piece of subject information containing the group identification information, the compressed identification information of the at least one control node device corresponding one-to-one with the at least one piece of subject information.
  24. The apparatus according to claim 20, wherein the processing unit is specifically configured to:
    compress the group identification information together with the identification information of each control node device among the identification information of the at least one control node device to obtain at least one piece of first compressed information;
    configure the at least one piece of first compressed information in at least one piece of subject information of the ACL, the at least one piece of first compressed information corresponding one-to-one with the at least one piece of subject information.
  25. The apparatus according to claim 21, wherein the processing unit is specifically configured to:
    determine the first ACE in the ACL according to the group identification information;
    look up whether subject information matching the identification information of the source node device exists in the first ACE;
    if so, execute the group command.
  26. The apparatus according to claim 22, wherein the processing unit is specifically configured to:
    determine the first information in the ACL according to the group identification information;
    look up whether information matching the identification information of the source node device exists in the n pieces of subject information following the first information;
    if so, execute the group command.
  27. The apparatus according to claim 23, wherein the processing unit is specifically configured to:
    determine, according to the group identification information, at least one piece of subject information in the ACL that contains the group identification information;
    compress the identification information of the source node device to obtain compressed identification information of the source node device;
    在包含所述组标识信息的至少一个主题信息中查找是否存在与所述源节点设备的压缩标识信息匹配的信息;Finding whether there is information matching the compressed identification information of the source node device in at least one subject information including the group identification information;
    若存在,则执行所述组命令。If present, execute the set of commands.
  28. 根据权利要求23所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 23, wherein the processing unit is specifically used for:
    根据所述组标识信息,确定所述ACL中包含所述组标识信息的至少一个主题信息;According to the group identification information, determine at least one topic information including the group identification information in the ACL;
    对包含所述组标识信息的至少一个主题信息进行解压缩,得到至少一个第一解压缩信息;Decompress at least one topic information including the group identification information to obtain at least one first decompressed information;
    在所述至少一个第一解压缩信息中查找是否存在与所述源节点设备的标识信息匹配的信息;Finding whether there is information matching the identification information of the source node device in the at least one first decompressed information;
    若存在,则执行所述组命令。If present, execute the set of commands.
  29. 根据权利要求24所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 24, wherein the processing unit is specifically used for:
    将所述组标识信息和所述源节点设备的标识信息进行压缩,得到第二压缩信息;Compressing the group identification information and the identification information of the source node device to obtain second compressed information;
    在所述ACL中查找是否存在与所述第二压缩信息匹配的主题信息;Finding whether there is subject information matching the second compressed information in the ACL;
    若存在,则执行所述组命令。If present, execute the set of commands.
  30. 根据权利要求24所述的装置,其特征在于,所述处理单元具体用于:The device according to claim 24, wherein the processing unit is specifically used for:
    对所述ACL中的至少一个主题信息进行解压缩,得到至少一个第二解压缩信息;Decompress at least one subject information in the ACL to obtain at least one second decompressed information;
    在所述至少一个第二解压缩信息中查找是否存在与所述组标识信息和所述源节点设备的标识信息匹配的信息;Finding whether there is information matching the group identification information and the identification information of the source node device in the at least one second decompressed information;
    若存在,则执行所述组命令。If present, execute the set of commands.
  31. 根据权利要求25-30任一项所述的装置,其特征在于,所述处理单元还用于:The device according to any one of claims 25-30, wherein the processing unit is further configured to:
    若不存在,则不执行所述组命令。If not present, the set of commands is not executed.
  32. 根据权利要求19所述的装置,其特征在于,所述收发单元还用于接收来自配置器的组表配置信息,所述组表配置信息包括第一指示信息,所述第一指示信息用于指示所述目标节点设备是否为控制节点设备;所述处理单元还用于将所述第一指示信息配置在所述目标节点设备的组表中。The device according to claim 19, wherein the transceiver unit is further configured to receive group table configuration information from a configurator, the group table configuration information includes first indication information, and the first indication information is used to Indicating whether the target node device is a control node device; the processing unit is further configured to configure the first indication information in a group table of the target node device.
  33. 根据权利要求20所述的装置,其特征在于,所述ACL配置信息还包括鉴权模式配置信息,所述处理单元还用于:The device according to claim 20, wherein the ACL configuration information further includes authentication mode configuration information, and the processing unit is further configured to:
    根据所述鉴权模式配置信息,将所述ACL中ACE的鉴权模式配置为增强型基于组的安全连接。According to the authentication mode configuration information, the authentication mode of the ACE in the ACL is configured as an enhanced group-based security connection.
  34. 一种通信装置,其特征在于,所述装置应用于配置器,包括:A communication device, characterized in that the device is applied to a configurator, comprising:
    收发单元,用于向目标节点设备发送访问控制列表ACL配置信息,所述ACL配置信息包括组标识信息和至少一个控制节点设备的标识信息,所述ACL配置信息用于指示所述目标节点设备根据所述组标识信息和所述至少一个控制节点设备的标识信息,配置所述ACL,所述ACL中的主题信息用于所述目标节点设备判断是否执行组命令。A transceiver unit, configured to send access control list ACL configuration information to the target node device, the ACL configuration information includes group identification information and identification information of at least one control node device, and the ACL configuration information is used to instruct the target node device according to The group identification information and the identification information of the at least one control node device configure the ACL, and the subject information in the ACL is used by the target node device to determine whether to execute a group command.
  35. 根据权利要求34所述的装置,其特征在于,所述收发单元还用于:The device according to claim 34, wherein the transceiver unit is also used for:
    向多播组内的多个节点设备发送组表配置信息,所述组表配置信息包括第一指示信息,所述组表配置信息用于指示所述多个节点设备中的每个节点设备将所述第一指示信息配置在组表中,所述第一指示信息用于指示所述每个节点设备是否为控制节点设备。sending group table configuration information to multiple node devices in the multicast group, where the group table configuration information includes first indication information, and the group table configuration information is used to indicate that each node device in the multiple node devices will The first indication information is configured in a group table, and the first indication information is used to indicate whether each node device is a control node device.
  36. 根据权利要求35所述的装置,其特征在于,所述装置还包括处理单元,所述处理单元用于:The device according to claim 35, wherein the device further comprises a processing unit configured to:
    根据所述多个节点设备的第一指示信息,确定所述ACL配置信息。Determine the ACL configuration information according to the first indication information of the plurality of node devices.
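The ACL layouts of claims 21 to 24, the matching lookups of claims 25 to 31 and the configurator step of claims 34 to 36, worked through as an added Python example. This is not code from the patent or its applicant: the record shapes, the use of zlib as a lossless stand-in for the claims' unspecified "compression", and the sample group and node identifiers are assumptions made for illustration. Two points the claims leave implicit and a practitioner should not: the lookup only authorises, so the source identifier in the message must already be the identity authenticated on the connection (claim 33's authentication mode) before the ACL is consulted; and in the plain layout the count n must be clamped to the entries actually present, so a wrong n cannot make the scan spill into the next ACE.

```python
"""Added example (not the patent's code): the three ACL layouts of claims
21-24, the lookups of claims 25-31 and the configurator step of claims 34-36.
Record shapes, the zlib stand-in for 'compression' and all identifiers are
assumptions made for illustration."""
import zlib
from typing import Dict, List, Tuple

SEP = b"\x00"   # assumed separator between group id and node id


def compress(*parts: str) -> bytes:
    """Assumed stand-in for the claims' unspecified 'compression': a lossless,
    deterministic zlib encoding, so both compress-and-compare (claims 27, 29)
    and decompress-and-compare (claims 28, 30) can be shown."""
    return zlib.compress(SEP.join(p.encode() for p in parts), 9)


def decompress(blob: bytes) -> Tuple[str, ...]:
    return tuple(p.decode() for p in zlib.decompress(blob).split(SEP))


# ---- configurator side (claims 34-36) -----------------------------------

def build_acl_config(group_id: str, group_table: Dict[str, bool]) -> dict:
    """Claim 36: derive the ACL configuration information from each member's
    first indication information (True = control node)."""
    controllers = [nid for nid, is_ctl in group_table.items() if is_ctl]
    return {"group": group_id, "controllers": controllers}


# ---- target node side: the three ACL layouts ----------------------------

def configure_plain(cfg: dict) -> List:
    """Claims 21-22: first information (group id and n) followed by n subject
    entries that hold the raw control node ids."""
    ctl = cfg["controllers"]
    return [{"group": cfg["group"], "n": len(ctl)}, *ctl]


def configure_compressed_ids(cfg: dict) -> List[dict]:
    """Claim 23: every subject carries the group id and one compressed node id."""
    return [{"group": cfg["group"], "cid": compress(c)} for c in cfg["controllers"]]


def configure_compressed_pairs(cfg: dict) -> List[bytes]:
    """Claim 24: every subject is one compressed (group id, node id) pair."""
    return [compress(cfg["group"], c) for c in cfg["controllers"]]


# ---- target node side: is the source allowed to issue this group command?

def allowed_plain(acl: List, group_id: str, source_id: str) -> bool:
    """Claim 26: find the first information for the group, then search only
    the n subject entries that follow it. n is clamped to the entries present
    before the next first information, so a wrong n cannot reach another ACE."""
    for i, entry in enumerate(acl):
        if isinstance(entry, dict) and entry.get("group") == group_id:
            rest = acl[i + 1:]
            span = next((k for k, e in enumerate(rest) if isinstance(e, dict)), len(rest))
            n = min(int(entry.get("n", span)), span)
            return source_id in rest[:n]
    return False


def allowed_compressed_ids(acl: List[dict], group_id: str, source_id: str) -> bool:
    """Claim 27: compress the source id and compare with subjects of this group.
    Needs an encoder byte-identical to the configurator's."""
    cid = compress(source_id)
    return any(s["group"] == group_id and s["cid"] == cid for s in acl)


def allowed_compressed_pairs(acl: List[bytes], group_id: str, source_id: str) -> bool:
    """Claim 30: decompress each subject and compare the recovered pair."""
    return any(decompress(s) == (group_id, source_id) for s in acl)


DECIDERS = {"plain": allowed_plain,
            "cids": allowed_compressed_ids,
            "pairs": allowed_compressed_pairs}


def process_groupcast(layout: str, acl, msg: dict, executed: List[str]) -> bool:
    """Claims 25-31: run the group command only when the ACL admits the source
    node for that group; otherwise do nothing (claim 31). msg["src"] must
    already be the identity authenticated on the connection (claim 33)."""
    if DECIDERS[layout](acl, msg["group"], msg["src"]):
        executed.append(msg["cmd"])
        return True
    return False


if __name__ == "__main__":
    table = {"ctl-1": True, "lamp-1": False, "ctl-2": True}   # constructed group table
    cfg = build_acl_config("grp-lights", table)
    done: List[str] = []
    for layout, build in (("plain", configure_plain),
                          ("cids", configure_compressed_ids),
                          ("pairs", configure_compressed_pairs)):
        acl = build(cfg)
        ok = process_groupcast(layout, acl, {"group": "grp-lights", "src": "ctl-2", "cmd": "on"}, done)
        bad = process_groupcast(layout, acl, {"group": "grp-lights", "src": "lamp-1", "cmd": "on"}, done)
        print(layout, ok, bad)
```

Comparing compressed values (claims 27 and 29) only works when configurator and target node use byte-identical, deterministic encoders; decompressing and comparing the recovered identifiers (claims 28 and 30) removes that dependency, which is why the pair layout above is checked that way. If an implementation used a lossy digest instead of lossless compression, only the compare-compressed paths would remain, and the digest would additionally have to be collision resistant, since any identifier that collides with a control node's would be accepted.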
  37. A target node device, comprising a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the method according to any one of claims 1 to 15.
  38. A configurator, comprising a memory, a processor, and a program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the method according to any one of claims 16 to 18.
  39. A computer-readable storage medium storing instructions which, when executed by a processor, cause the method according to any one of claims 1 to 15, or according to any one of claims 16 to 18, to be performed.
  40. A computer program product comprising instructions which, when run on a computer, cause the method according to any one of claims 1 to 15, or according to any one of claims 16 to 18, to be performed.
PCT/CN2021/133694 2021-11-26 2021-11-26 Groupcast message processing method and related apparatus WO2023092497A1 (en)

Priority Applications (2)
Application Number Priority Date Filing Date Title
CN202180100648.4A CN117643040A (en) 2021-11-26 2021-11-26 Multicast message processing method and related device
PCT/CN2021/133694 WO2023092497A1 (en) 2021-11-26 2021-11-26 Groupcast message processing method and related apparatus

Applications Claiming Priority (1): PCT/CN2021/133694 WO2023092497A1 (en) 2021-11-26 2021-11-26 Groupcast message processing method and related apparatus

Publication (1): WO2023092497A1, published 2023-06-01

Family ID: 86538700
Family Applications (1): PCT/CN2021/133694 WO2023092497A1 (en) 2021-11-26 2021-11-26 Groupcast message processing method and related apparatus

Country Status (2): CN (1) CN117643040A (en); WO (1) WO2023092497A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105791318A (en) * 2016-04-29 2016-07-20 浙江宇视科技有限公司 Multicast safety access apparatus and method thereof
CN107370680A (en) * 2016-05-12 2017-11-21 中兴通讯股份有限公司 A kind of multicast routing entry control method, device and communication system
CN107528781A (en) * 2016-06-22 2017-12-29 中兴通讯股份有限公司 Retransmission method and device, the router of multicast message
CN109495406A (en) * 2017-09-13 2019-03-19 中兴通讯股份有限公司 The retransmission method and forwarding device of multicasting virtual private network network VPN flow
CN110958124A (en) * 2019-12-12 2020-04-03 北京爱奇艺科技有限公司 Multicast group management method, device, readable storage medium and computer

Also Published As

Publication number Publication date
CN117643040A (en) 2024-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21965230; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 202180100648.4; Country of ref document: CN)