WO2023165324A1 - Communication method, network device, terminal, and domain name system server - Google Patents


Info

Publication number
WO2023165324A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
virtual
data packet
terminal
application server
Prior art date
Application number
PCT/CN2023/075817
Other languages
French (fr)
Chinese (zh)
Inventor
程建明
蒋胜
郑秀丽
江伟玉
杨言
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023165324A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2539 Hiding addresses; Keeping addresses anonymous
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Definitions

  • the present application relates to the communication field, in particular to a communication method, network equipment, terminal and domain name system server.
  • IP address hopping can change the IP address and prevent attackers from continuously launching network attacks on the IP address of the attack target.
  • IP address hopping includes real IP address hopping and virtual IP address hopping.
  • when the terminal wants to access the application server, the terminal requests the IP address of the application server from the domain name system (DNS) server through the moving target defense (MTD) gateway proxy.
  • the MTD gateway proxy replaces the IP address of the application server in the response message with a virtual IP address, and then sends the virtual IP address to the terminal.
  • the terminal sends a data message to the MTD gateway agent according to the virtual IP address, and the destination IP address of the data message is the virtual IP address.
  • after the MTD gateway proxy receives the data packet, it changes the destination IP address of the data packet from the virtual IP address to the IP address of the application server according to the mapping table between virtual IP addresses and application server IP addresses, and then sends the data packet carrying the IP address of the application server to the application server.
  • this application provides a communication method that can generate multiple virtual IP addresses for the IP address of each application server, thereby preventing network attackers from using multiple bot devices to launch network attacks on the same virtual IP address, and improving network security.
  • the present application also provides a terminal, a network device, a domain name system server, etc. capable of implementing the above-mentioned communication method.
  • the first aspect provides a communication method, which includes: receiving an uplink data packet sent by a terminal; when it is detected that the uplink data packet carries a high-defense address identifier, obtaining the IP address of the terminal and the first virtual IP address of the application server from the uplink data packet; after obtaining a key, generating an IP address to be processed according to the key, the IP address of the terminal and the first virtual IP address; when the IP address to be processed is not the IP address of the application server, determining that the uplink data packet is illegal; when the IP address to be processed is the IP address of the application server, modifying the destination IP address of the uplink data packet from the first virtual IP address to the IP address to be processed, and sending the uplink data packet carrying the IP address to be processed to the application server.
  • the uplink data packet carries the first virtual IP address of the application server and the IP address of the terminal. Since the first virtual IP address is generated from the key, the IP address of the terminal and the IP address of the application server, one application server IP address corresponds to many virtual IP addresses, which prevents network attackers from using multiple bot devices to launch network attacks on the application server through one virtual IP address.
  • generating the IP address to be processed according to the key, the IP address of the terminal and the first virtual IP address includes: when the uplink data packet further includes a first address generation sequence, generating the IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence. Since the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address, whether the first virtual IP address is legal can be verified according to the first address generation sequence, which improves the security of the virtual IP address.
  • the above method further includes: receiving the downlink data packet sent by the application server, and when it is detected that the downlink data packet carries the high-defense address identifier, generating the first virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the first address generation sequence; determining the address end time of the first virtual IP address according to the first address generation sequence; when the address end time is greater than the verification time, determining that the target time difference is equal to the address end time minus the verification time; when the target time difference is greater than the preset duration, generating a first downlink data packet according to the downlink data packet and the first virtual IP address, and sending the first downlink data packet to the terminal.
  • the downlink data packet carries the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identifier. Converting the IP address of the application server into a virtual IP address hides the IP address of the application server. When the address end time is less than the verification time, it indicates that the first virtual IP address has expired, and the downlink data packet can be discarded; alternatively, the first downlink data packet can be generated according to the downlink data packet and the first virtual IP address and sent to the terminal.
  • when the target time difference is less than or equal to the preset duration, the second address generation sequence is obtained, and a second virtual IP address is generated according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; a second downlink data packet is generated according to the downlink data packet, the first virtual IP address, the second virtual IP address, the second address generation sequence and the address switching identifier, and the second downlink data packet is sent to the terminal.
  • the second downlink data packet carries the first virtual IP address, the second virtual IP address, the second address generation sequence and the address switching identifier.
  • the second address generation sequence includes address generation time of the second virtual IP address and address lifetime of the second virtual IP address. This provides a method for notifying the terminal to perform address switching by using the downlink data packet.
  • when the target time difference is less than or equal to the preset duration, the second address generation sequence is obtained, the second address generation sequence including the address generation time of the second virtual IP address and the address lifetime of the second virtual IP address; a second virtual IP address is generated according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; an address switching notification carrying the second virtual IP address and the second address generation sequence is sent to the terminal; and a first downlink data packet is generated according to the downlink data packet and the first virtual IP address and sent to the terminal.
  • the address switching notification belongs to the control plane message, which provides another method for notifying the terminal to perform address switching.
  • generating the IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence includes: using the key to decrypt the second part of the first virtual IP address; performing a first XOR operation on the second part of the IP address of the terminal and the decryption result; performing a second XOR operation on the first address generation sequence and the result of the first XOR operation; combining the first part of the first virtual IP address and the result of the second XOR operation to form the IP address to be processed.
  • This provides a feasible address decryption method.
  • before obtaining the key, the network device receives from the key management server the IP address of the application server and the key corresponding to the IP address of the application server. There is a one-to-one correspondence between the key and the IP address of the application server. After the key is deployed on the network device, the network device can perform address translation on virtual IP addresses generated with that key.
  • the IP address of the terminal and the key corresponding to the IP address of the terminal are received from the key management server. There is a one-to-one correspondence between the key and the IP address of the terminal. After the key is deployed on the network device, it can perform address translation on the virtual IP address generated by using the key.
  • the key sent by the key management server is received before obtaining the key.
  • This key is used for address translation.
  • the key management server may periodically send new keys to improve the security of the virtual address.
  • the second aspect provides a communication method.
  • the method includes: after sending an address request message including a domain name to a domain name system server, receiving a response message sent by the domain name system server according to the address request message, then generating an uplink data packet and sending the uplink data packet to a network device.
  • the uplink data packet carries the IP address of the terminal, the first virtual IP address and the high-defense address identification. According to this implementation, the real IP address of the application server can be hidden when sending uplink data, thereby improving communication security.
  • the response message further includes the first address generation sequence.
  • the uplink data packet further includes the first address generation sequence.
  • the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual address.
  • the generation moment of the virtual IP address may be a time stamp. Since the address generation time and address lifetime of the virtual IP address are unique, the encryption and decryption of the virtual IP address can reduce the possibility of counterfeiting and have good security.
  • the above method further includes: receiving a first downlink data packet sent by the network device, where the first downlink data packet carries the first virtual IP address.
  • the network device sends a downlink data packet carrying the first virtual IP address.
  • the above method further includes: receiving a second downlink data packet sent by the network device, the second downlink data packet carrying the first virtual IP address, the second virtual IP address, the second address generation sequence and the address switching identifier; generating an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier according to the address switching identifier.
  • the second address generation sequence includes address generation time of the second virtual IP address and address lifetime of the second virtual IP address.
  • the above method further includes: after receiving the first downlink data packet and the address switching notification sent by the network device, generating, according to the address switching notification, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
  • the first downlink data packet carries the first virtual IP address.
  • the address switching notification includes a second virtual IP address and a second address generation sequence.
  • the network device can send the first downlink data packet and the address switching notification to the terminal; the terminal generates an uplink data packet carrying the second virtual IP address and the second address generation sequence according to the address switching notification, and then sends the uplink data packet to the network device.
  • This provides another address switching method, in which a different virtual IP address is used for communication during each address switching period, further improving network security.
  • the third aspect provides a communication method, which includes: receiving an address request message sent by a terminal, and when the domain name included in the address request message is a high-defense domain name, obtaining a key and a high-defense address identifier; then generating a first virtual IP address according to the key, the IP address of the terminal and the IP address of the application server; and sending a response message to the terminal.
  • the response message includes the first virtual IP address and the high-defense address identifier. Accordingly, a virtual IP address can be provided to hide the real IP address of the application server during communication, thereby improving communication security.
  • generating the first virtual IP address according to the key, the IP address of the terminal and the IP address of the application server includes: obtaining the first address generation sequence, and generating the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
  • the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual address. This provides a way to generate a virtual IP address.
  • generating the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence includes: performing a first XOR operation on the second part of the IP address of the terminal and the second part of the IP address of the application server; performing a second XOR operation on the first address generation sequence and the result of the first XOR operation; encrypting the result of the second XOR operation with the key; combining the encryption result with the first part of the IP address of the application server to form the first virtual IP address. This provides a way to generate a virtual IP address.
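The generation procedure just described, its inverse from the first aspect (decrypt the second part, undo both XORs, reattach the first part), and the address-end-time check on downlink packets, carried through as an added worked example that is not part of the patent. It assumes IPv6 addresses split into a 64-bit prefix (first part, pointing to the gateway's domain) and a 64-bit interface identifier (second part), an address generation sequence laid out as a 32-bit generation time followed by a 32-bit lifetime, and a keyed 64-bit Feistel permutation built from HMAC-SHA256 standing in for the cipher the patent leaves unspecified; passing a zero sequence reduces it to the sequence-free variant of step 210.

```python
import hashlib
import hmac
import ipaddress

ROUNDS = 4            # Feistel rounds (assumption; the patent names no cipher)
PRESET_DURATION = 60  # seconds before expiry at which a switch is triggered (assumption)
MASK64 = 0xFFFFFFFFFFFFFFFF
MASK32 = 0xFFFFFFFF


def split64(ip):
    """First part = 64-bit prefix, second part = 64-bit interface identifier (assumed split)."""
    n = int(ipaddress.IPv6Address(ip))
    return n >> 64, n & MASK64


def join64(prefix, iid):
    """Reassemble an address from its first and second parts, in canonical text form."""
    return str(ipaddress.IPv6Address((prefix << 64) | iid))


def make_sequence(gen_time, lifetime):
    """Address generation sequence: 32-bit generation time || 32-bit lifetime (assumed layout)."""
    return ((gen_time & MASK32) << 32) | (lifetime & MASK32)


def sequence_end_time(seq):
    """Address end time = generation time + lifetime."""
    return (seq >> 32) + (seq & MASK32)


def _round_fn(key, i, half):
    """Feistel round function: first 32 bits of HMAC-SHA256(key, round || half)."""
    mac = hmac.new(key, bytes([i]) + half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def encrypt64(key, block):
    """Keyed 64-bit permutation (balanced Feistel); stands in for the patent's 'encrypt with the key'."""
    l, r = block >> 32, block & MASK32
    for i in range(ROUNDS):
        l, r = r, l ^ _round_fn(key, i, r)
    return (l << 32) | r


def decrypt64(key, block):
    """Exact inverse of encrypt64: rounds applied in reverse order."""
    l, r = block >> 32, block & MASK32
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round_fn(key, i, l), l
    return (l << 32) | r


def generate_virtual_ip(key, terminal_ip, server_ip, seq=0):
    """DNS server side (step 205): XOR the second parts, XOR with the sequence, encrypt, keep the server prefix."""
    _, t2 = split64(terminal_ip)
    s1, s2 = split64(server_ip)
    first_xor = t2 ^ s2
    second_xor = first_xor ^ seq
    return join64(s1, encrypt64(key, second_xor))


def recover_server_ip(key, terminal_ip, virtual_ip, seq=0):
    """Network device side (step 210): decrypt the second part, undo both XORs, keep the virtual prefix."""
    _, t2 = split64(terminal_ip)
    v1, v2 = split64(virtual_ip)
    first_xor = t2 ^ decrypt64(key, v2)
    second_xor = first_xor ^ seq
    return join64(v1, second_xor)


def check_uplink(key, terminal_ip, virtual_ip, seq, server_ip):
    """Return the IP address to be processed when it matches the application server, else None (illegal packet)."""
    pending = recover_server_ip(key, terminal_ip, virtual_ip, seq)
    if ipaddress.IPv6Address(pending) == ipaddress.IPv6Address(server_ip):
        return pending
    return None


def downlink_decision(seq, verification_time):
    """Expiry check on a downlink packet: 'expired', 'forward' (first downlink packet) or 'switch' (second address)."""
    end = sequence_end_time(seq)
    if end > verification_time:
        target_diff = end - verification_time
        return "forward" if target_diff > PRESET_DURATION else "switch"
    return "expired"  # end time not after the verification time (equality treated as expired: assumption)


if __name__ == "__main__":
    # Constructed sample values: documentation-range addresses and a throwaway key.
    key = b"constructed-demo-key"
    seq = make_sequence(gen_time=1000, lifetime=300)
    virtual = generate_virtual_ip(key, "2001:db8:2::20", "2001:db8:1::10", seq)
    print("virtual address:", virtual)
    print("recovered:", recover_server_ip(key, "2001:db8:2::20", virtual, seq))
    print("other terminal:", check_uplink(key, "2001:db8:2::21", virtual, seq, "2001:db8:1::10"))
```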
  • the fourth aspect provides a network device, which has the function of implementing the communication method in the first aspect.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • Hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the fifth aspect provides a terminal, which has the function of implementing the communication method in the second aspect.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • Hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the sixth aspect provides a domain name system server, and the domain name system server has the function of implementing the communication method in the third aspect.
  • This function may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
  • the hardware or software includes one or more modules corresponding to the above functions.
  • a seventh aspect provides a network device, which includes a processor and a memory, where the memory is used to store a program; and the processor implements the method of the first aspect by executing the program.
  • An eighth aspect provides a terminal, which includes a processor and a memory, where the memory is used to store a program; and the processor implements the method of the second aspect by executing the program.
  • a ninth aspect provides a domain name system server, which includes a processor and a memory, where the memory is used to store a program; and the processor implements the method of the third aspect by executing the program.
  • a tenth aspect provides a computer-readable storage medium, in which instructions are stored, and when the computer-readable storage medium is run on a computer, it causes the computer to execute the methods in the above aspects.
  • the eleventh aspect provides a computer program product containing instructions, which, when run on a computer, causes the computer to perform the methods of the above aspects.
  • a twelfth aspect provides a chip system, including at least one processor, the processor being coupled to a memory, where the memory is used to store computer programs or instructions, and the processor is used to execute the computer programs or instructions to implement the methods of the above aspects.
  • FIG. 1 is a schematic diagram of an address jumping scenario of the present application
  • Fig. 2 is a signaling diagram of the communication method in the embodiment of the present application.
  • FIG. 3 is another signaling diagram of the communication method in the embodiment of the present application.
  • FIG. 4 is another signaling diagram of the communication method in the embodiment of the present application.
  • FIG. 5A is a schematic diagram of generating a first virtual IP address according to a key, a user IP address, an IP address of an application server, and a first address generation sequence in an embodiment of the present application;
  • FIG. 5B is a schematic diagram of generating an application server IP address according to the key, the first virtual IP address, the user IP address and the first address generation sequence in the embodiment of the present application;
  • FIG. 6 is another signaling diagram of the communication method in the embodiment of the present application.
  • FIG. 7 is another signaling diagram of the communication method in the embodiment of the present application.
  • FIG. 8 is a schematic diagram of the first downlink data packet in the embodiment of the present application.
  • FIG. 9 is a schematic diagram of a second downlink data packet in the embodiment of the present application.
  • FIG. 10 is a structural diagram of a network device in an embodiment of the present application.
  • FIG. 11 is a structural diagram of a terminal in an embodiment of the present application.
  • FIG. 12 is a structural diagram of a domain name system server in an embodiment of the present application.
  • FIG. 13 is another structural diagram of a network device in an embodiment of the present application.
  • FIG. 14 is another structural diagram of a terminal in the embodiment of the present application.
  • FIG. 15 is another structural diagram of the domain name system server in the embodiment of the present application.
  • the communication method of the present application can be applied to an IP network system.
  • the IP network system includes a terminal 10 , a network device 20 , a domain name system server 30 , a key management server 40 and an application server 50 .
  • the data transmission process of the above devices includes:
  • Step S11 the key management server 40 sends the key to the domain name system server 30 .
  • Step S12 the key management server 40 sends the key to the network device 20 .
  • the key management server 40 stores keys.
  • the key management server 40 can periodically send the key to the domain name system server 30 and the network device 20, and the domain name system server 30 and the network device 20 can store the key locally after receiving the key.
  • Step S12 may be performed before step S11, and step S11 and step S12 may also be performed together.
  • Step S13 the terminal 10 sends an address request to the network device 20 .
  • after the user inputs the domain name on the terminal 10, the terminal 10 generates an address request carrying the domain name and sends the address request to the network device 20.
  • Step S14 the network device 20 sends the address request to the domain name system server 30 .
  • the domain name system server 30 determines the virtual IP address and virtual address associated information of the application server 50 according to the domain name carried in the address request.
  • the virtual IP address of the application server 50 is related to the key, the IP address of the terminal 10 and the IP address of the application server 50.
  • the virtual address associated information refers to information related to the virtual IP address of the application server 50.
  • the virtual address associated information includes the high-defense address identifier and the address generation sequence.
  • the address generation sequence includes address generation time and address lifetime of the virtual IP address.
  • the high-defense address identification can also be understood as a virtual address identification.
  • Step S15 the domain name system server 30 sends the virtual IP address of the application server 50 and the associated information of the virtual address to the network device 20 .
  • Step S16 the network device 20 sends the virtual IP address of the application server 50 and the virtual address association information to the terminal 10 .
  • after acquiring the virtual IP address of the application server 50 and the virtual address associated information, the terminal 10 generates a data packet including the virtual IP address of the application server 50 and the virtual address associated information.
  • Step S17 the terminal 10 sends a data packet including the virtual IP address of the application server 50 and information associated with the virtual address to the network device 20 .
  • after receiving the data packet, the network device 20 performs address hopping on the destination address of the data packet, so that the destination address of the data packet is converted from the virtual IP address of the application server 50 to the IP address of the application server 50.
  • Step S18 the network device 20 sends a data packet including the IP address of the application server 50 and the virtual address associated information to the application server 50.
  • Step S19 the application server 50 sends a data packet including the IP address of the application server 50 and the virtual address associated information to the network device 20.
  • Step S20 the network device 20 sends to the terminal 10 a data packet including the virtual IP address of the application server 50 and the virtual address associated information.
  • the network device can perform address hopping between the virtual IP address and the real IP address of the application server 50, so that the real IP address of the application server can be hidden. Since the virtual IP address of the application server 50 is related to the key, the IP address of the terminal 10 and the IP address of the application server 50, when m terminals access the application server 50 at the same time there are m virtual IP addresses corresponding to the application server 50, which prevents network attackers from using multiple bot devices to launch network attacks on the application server 50 through one virtual IP address, thus improving network security. m is a positive integer.
  • Address hopping in this application is a moving target defense (MTD) technology, that is, by dynamically and continuously changing the attack surface (changing IP addresses, network ports, network configuration information, software, etc.), the attacker's surface
  • one application server corresponds to one virtual IP address.
  • network attackers can use multiple bot devices to launch network attacks on the virtual IP address, such as distributed denial of service (DDoS) attacks.
  • this application provides a communication method that enables one application server to correspond to multiple virtual IP addresses, thereby reducing the possibility of network attackers using multiple bot devices to launch network attacks on one virtual IP address.
  • an embodiment of the communication method provided by the present application includes:
  • Step 201 the terminal sends an address request message to the domain name system server.
  • the address request message carries a domain name.
  • Step 202 the domain name system server judges whether the domain name carried in the address request message is a high-defense domain name; if so, step 204 is executed, and if not, step 203 is executed.
  • Step 203 the domain name system server sends the IP address corresponding to the domain name to the terminal.
  • the terminal can access the server corresponding to the domain name according to the IP address corresponding to the domain name.
  • Step 204 the domain name system server obtains the key and the high-defense address identifier.
  • the domain name system server obtains the key from a locally stored key. Before obtaining the key, the domain name system server periodically receives the key from the key management server, and then saves it locally. During a single key period, the domain name system server or network device uses the key for encryption and decryption.
  • the key management server stores the mapping relationship between the IP address of the terminal and the key.
  • the domain name system server periodically receives the IP address of the terminal and the key corresponding to the IP address of the terminal sent by the key management server.
  • the domain name system server sends a key request carrying the IP address of the terminal to the key management server, and the key management server obtains the key according to the IP address of the terminal carried in the key request. In this way, the IP address of each terminal corresponds to a key.
  • the key management server stores the mapping relationship between the IP address of the application server and the key.
  • the domain name system server periodically receives the IP address of the application server and the key corresponding to the IP address of the application server sent by the key management server.
  • the domain name system server sends a key request carrying the IP address of the application server to the key management server, and the key management server obtains the key according to the IP address of the application server carried in the key request. In this way, the IP address of each application server corresponds to a key.
  • Step 205 the domain name system server generates a first virtual IP address according to the key, the IP address of the terminal and the IP address of the application server.
  • Step 206 the domain name system server sends a response message including the first virtual IP address and the high-defense address identifier to the terminal.
  • Step 207 the terminal sends an uplink data packet to the network device.
  • after receiving the response message, the terminal can generate an uplink data packet.
  • the uplink data packet carries the IP address of the terminal, the first virtual IP address and the high-defense address identification.
  • the IP address of the terminal is the source IP address of the uplink data packet, and the first virtual IP address is the destination IP address of the uplink data packet.
  • Step 208 when it is detected that the uplink data packet carries the high-defense address identifier, obtain the IP address of the terminal and the first virtual IP address of the application server from the uplink data packet.
  • after receiving the uplink data packet sent by the terminal, the network device detects whether the uplink data packet includes the high-defense address identifier. When it is detected that the uplink data packet carries the high-defense address identifier, this indicates that the destination IP address of the uplink data packet is a virtual IP address, and the network device obtains the IP address of the terminal and the first virtual IP address of the application server from the uplink data packet. It should be understood that if the data packet sent by the terminal does not carry the high-defense address identifier, this indicates that the server corresponding to the destination IP address of the data packet is not a high-defense server, and the data packet is forwarded directly according to its destination IP address.
  • Step 209 the network device acquires the key.
  • the key obtained by the domain name system server in step 204 and the key obtained by the network device in step 209 are the same.
  • the network device obtains the key from locally stored keys. It should be noted that before the network device obtains the key, the key management server can periodically send the key to the network device, and the network device saves the key locally after receiving it.
  • after the network device sends a key acquisition request to the key management server, it receives the terminal IP address and the key corresponding to the terminal IP address sent by the key management server.
  • after the network device sends a key acquisition request to the key management server, it receives the IP address of the application server and the key corresponding to the IP address of the application server sent by the key management server. It should be noted that the network device and the application server are in the same domain, and the prefix of the virtual IP address is used to point to this domain.
  • the forwarding device (such as a router or switch) in the network can send the uplink data packet to the network device of the domain according to the prefix of the virtual IP address.
  • Step 210 the network device generates an IP address to be processed according to the key, the IP address of the terminal and the first virtual IP address.
  • step 210 includes: using the key to decrypt the second part of the first virtual IP address; performing an XOR operation on the second part of the terminal's IP address and the decryption result; and forming the IP address to be processed from the first part of the first virtual IP address and the XOR operation result.
  • the first part of the IP address of the application server is the same as the first part of the first virtual IP address, and the second part of the IP address of the application server is different from the second part of the first virtual IP address.
  • the first part and the second part can be intercepted from the IP address according to the actual situation, and the length of the first part and the second part can also be set according to the actual situation, which is not limited in this application.
  • the decryption algorithm and the encryption algorithm use the same key.
  • the decryption algorithm can be, but is not limited to, the international data encryption algorithm (IDEA), the data encryption standard (DES) algorithm, the triple DES algorithm, etc.
  • Step 211 the network device judges whether the IP address to be processed is the IP address of the application server; if yes, execute step 213; if not, execute step 212.
  • if the IP address to be processed is the IP address of the application server, this indicates that the second part of the first virtual IP address was obtained by encrypting the second part of the IP address of the application server using the key.
  • if the IP address to be processed is not the IP address of the application server, this indicates that the second part of the first virtual IP address was not obtained by encrypting the second part of the IP address of the application server with the key.
  • Step 212 the network device determines that the uplink data packet is illegal.
  • the network device can forward the uplink data packet to the traffic cleaning center or a honeypot server, or the network device discards the illegal data packet.
  • Step 213 the network device modifies the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server.
  • if the IP address to be processed is the IP address of the application server, this indicates that the uplink data packet is legal, and the destination IP address of the data packet is converted.
  • Step 214 the network device sends the modified uplink data packet to the application server.
  • the destination IP address is the IP address of the application server.
  • the uplink data packets sent by different terminals have different virtual IP addresses, which can prevent network attackers from using multiple bot devices and the same virtual IP address to launch network attacks on the same application server.
  • the application server can send downlink data packets to the terminal, and the downlink data packets can be implemented as shown in Figure 2
  • the downlink data packet may be the response data packet to the modified uplink data packet in the example, or may be a message initiated by the application server, such as a push message.
  • the above method also includes:
  • Step 301 the network device receives the downlink data packet sent by the application server.
  • the downlink data packet carries the IP address of the application server, the IP address of the terminal, and the high-defense address identification.
  • step 302 is executed.
  • Step 302 the network device generates a first virtual IP address according to the key, the IP address of the application server and the IP address of the terminal.
  • the network device encrypts the second part of the IP address of the application server according to the key; performs an XOR operation on the second part of the IP address of the terminal and the encrypted result; and the first part of the IP address of the application server and the XOR operation result form the first virtual IP address. Since the second part of the IP address differs between terminals, different virtual IP addresses will be generated according to the IP addresses of different terminals. Using key encryption can improve the security of the virtual IP address.
  • Step 303 the network device modifies the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address.
  • Step 304 the network device sends the modified downlink data packet to the terminal.
  • the network device can convert the real IP address carried in the downlink data packet into a virtual IP address, so that the real IP address of the application server can be hidden and network security can be improved.
  • when the key changes, the virtual IP address generated by using the key will also change, so the virtual IP address can be updated periodically, which can improve the security of the virtual IP address.
  • the present application can also use the key and time stamp to generate a virtual IP address, which can further improve the security of the virtual IP address.
  • another embodiment of the communication method provided by the present application includes:
  • Step 401 the terminal sends an address request message to the domain name system server.
  • the address request message carries a domain name.
  • Step 402 the domain name system server judges whether the domain name carried in the address request message is a high-defense domain name, if yes, execute step 404, if not, execute step 403.
  • Step 403 the domain name system server sends the IP address corresponding to the domain name to the terminal.
  • the terminal can access the server corresponding to the domain name according to the IP address corresponding to the domain name.
  • Step 404 the domain name system server obtains the key, the first address generation sequence and the high-defense address identification.
  • the domain name system server obtains the key from locally stored keys. Before obtaining the key, the domain name system server periodically receives the key from the key management server, and then saves it locally. During a single key period, the domain name system server or network device uses the key for encryption and decryption.
  • the keys issued in different key periods are different, so the virtual IP addresses carried in data packets sent by the same terminal in different key periods are also different.
  • the key management server stores the mapping relationship between the IP address of the terminal and the key.
  • the domain name system server periodically receives the IP address of the terminal and the key corresponding to the IP address of the terminal sent by the key management server.
  • the domain name system server sends a key request carrying the IP address of the terminal to the key management server, and the key management server obtains the key according to the IP address of the terminal carried in the key request. In this way each IP address of the terminal has a key.
  • the key management server stores the mapping relationship between the IP address of the application server and the key.
  • the domain name system server periodically receives the IP address of the application server and the key corresponding to the IP address of the application server sent by the key management server.
  • the domain name system server sends a key request carrying the IP address of the application server to the key management server, and the key management server obtains the key according to the IP address of the application server carried in the key request. This way there is one key per application server.
  • Step 405 the domain name system server generates a first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server, and the first address generation sequence.
  • $vIP_{ij} = F_{key}(SrcIP_i, DstIP, Seq_j)$
  • $vIP_{ij}$ represents the virtual IP address associated with the IP address of the i-th terminal and the j-th address generation sequence.
  • $SrcIP_i$ is the IP address of the i-th terminal, and $Seq_j$ is the j-th address generation sequence. Both i and j are positive integers.
  • $DstIP$ represents the IP address of the application server.
  • $F_{key}()$ represents the encryption function parameterized by the key, which stands for the IDEA algorithm, the DES algorithm or the triple DES algorithm.
  • Step 406 the domain name system server sends a response message including the first virtual IP address, the first address generation sequence and the high-defense address identifier to the terminal.
  • Step 407 the terminal sends an uplink data packet to the network device.
  • After receiving the response message, the terminal can generate an uplink data packet.
  • the uplink data packet carries the IP address of the terminal, the first virtual IP address, the first address generation sequence and the high-defense address identification.
  • the IP address of the terminal is the source IP address of the uplink data packet, and the first virtual IP address is the destination IP address of the uplink data packet.
  • Step 408 when the network device detects that the uplink data packet carries the high-defense address identifier, it obtains the IP address of the terminal, the first virtual IP address of the application server and the first address generation sequence from the uplink data packet.
  • After receiving the uplink data packet sent by the terminal, the network device detects whether the uplink data packet includes the high-defense address identifier. When it is detected that the uplink data packet carries the high-defense address identifier, this indicates that the destination IP address of the uplink data packet is a virtual IP address, and the IP address of the terminal, the first virtual IP address of the application server and the first address generation sequence are obtained from the uplink data packet. It should be understood that if the data packet sent by the terminal does not carry the high-defense address identifier, this indicates that the server corresponding to the destination IP address of the data packet is not a high-defense server, and the data packet can be forwarded directly according to its destination IP address.
  • Step 409 the network device acquires the key.
  • the key obtained by the domain name system server in step 404 and the key obtained by the network device in step 409 are the same.
  • the network device obtains the key from locally stored keys. It should be noted that before the network device obtains the key, the key management server may periodically send the key to the network device, and the network device stores the key locally after receiving the key.
  • after the network device sends a key acquisition request to the key management server, it receives the IP address of the terminal and the key corresponding to the IP address of the terminal sent by the key management server.
  • after the network device sends a key acquisition request to the key management server, it receives the IP address of the application server and the key corresponding to the IP address of the application server sent by the key management server. It should be noted that the network device and the application server are in the same domain, and the prefix of the virtual IP address is used to point to this domain.
  • the forwarding device (such as a router or switch) in the network can send the uplink data packet to the network device of the domain according to the prefix of the virtual IP address.
  • Step 410 the network device generates an IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence.
  • $IP = F_{key}(SrcIP_i, vIP_{ij}, Seq_j)$
  • $IP$ represents the IP address to be processed.
  • $vIP_{ij}$ represents the virtual IP address associated with the IP address of the i-th terminal and the j-th address generation sequence.
  • $SrcIP_i$ is the IP address of the i-th terminal, and $Seq_j$ is the j-th address generation sequence.
  • $F_{key}()$ represents a function parameterized by the key.
  • step 410 includes: using the key to decrypt the second part of the first virtual IP address; performing a first XOR operation on the second part of the terminal's IP address and the decryption result; performing a second XOR operation on the first address generation sequence and the result of the first XOR operation; and forming the IP address to be processed from the first part of the first virtual IP address and the result of the second XOR operation.
  • the first part of the IP address of the application server is the same as the first part of the first virtual IP address, and the second part of the IP address of the application server is different from the second part of the first virtual IP address.
  • the decryption algorithm and the encryption algorithm use the same key.
  • the decryption algorithm can be, but is not limited to, the international data encryption algorithm (IDEA), the data encryption standard (DES) algorithm, or the triple DES algorithm.
  • Step 411 the network device judges whether the IP address to be processed is the IP address of the application server; if yes, execute step 413; if not, execute step 412.
  • if the IP address to be processed is the IP address of the application server, this indicates that the second part of the first virtual IP address was obtained by encrypting the second part of the IP address of the application server using the key.
  • if the IP address to be processed is not the IP address of the application server, this indicates that the second part of the first virtual IP address was not obtained by encrypting the second part of the IP address of the application server with the key.
  • Step 412 the network device determines that the uplink data packet is illegal.
  • the network device determines that the uplink data packet is illegal, and the network device can forward the uplink data packet to the traffic cleaning center or the honeypot server, or the network device discards the illegal data packet.
  • Step 413 the network device modifies the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server.
  • if the IP address to be processed is the IP address of the application server, this indicates that the uplink data packet is legal, and the destination IP address of the data packet is converted. Address conversion is also called address hopping.
  • Step 414 the network device sends the modified uplink data packet to the application server.
  • the destination IP address is the IP address of the application server.
  • the IP address of the terminal is the same as the IP address of the application server.
  • the uplink data packets sent by different terminals have different virtual IP addresses, which reduces the possibility of network attacks and can further improve network security.
  • since the virtual IP address is related to the address generation time and the address lifetime of the virtual IP address, the security of the virtual IP address can be improved.
  • the lifetime of the virtual IP address can be determined based on the address generation time and the address lifetime.
  • the present application can check the timeliness of the virtual IP address based on the lifetime of the virtual IP address, and judge whether the virtual IP address has expired.
  • the security of data transmission can be improved by automatically changing the virtual IP address.
  • the IP address of the terminal includes a first part 501 of the terminal IP address and a second part 502 of the terminal IP address, and the lengths of the first part 501 of the terminal IP address and the second part 502 of the terminal IP address are the same, namely 64 bits.
  • the IP address of the application server includes the first part 503 of the IP address of the application server and the second part 504 of the IP address of the application server, and the lengths of the first part 503 of the IP address of the application server and the second part 504 of the IP address of the application server are equal, namely 64 bits.
  • the result of the first XOR operation and the first address generation sequence are subjected to a second XOR operation.
  • the result of the second XOR operation is encrypted using the key 506 to obtain the second part 508 of the first virtual IP address.
  • the first part 503 of the IP address of the application server is the same as the first part 507 of the first virtual IP address, and the first part 507 of the first virtual IP address and the second part 508 of the first virtual IP address form the first virtual IP address.
  • the IP address of the terminal includes a first part 501 of the terminal IP address and a second part 502 of the terminal IP address, and the lengths of the first part 501 of the terminal IP address and the second part 502 of the terminal IP address are the same, namely 64 bits.
  • the IP address of the application server includes the first part 503 of the IP address of the application server and the second part 504 of the IP address of the application server, and the lengths of the first part 503 of the IP address of the application server and the second part 504 of the IP address of the application server are equal, namely 64 bits.
  • the second portion 508 of the first virtual IP address is decrypted using the key 506 .
  • the first part 503 of the IP address of the application server is the same as the first part 507 of the first virtual IP address, and the first part 503 of the IP address of the application server and the second part 504 of the IP address of the application server form the IP address of the application server.
  • the first part and the second part can be taken from the IP address according to the actual situation; for example, the first part and the second part can be exchanged, that is, the first part participates in the encryption and XOR operations.
  • the length of the first part and the length of the second part are not limited to 64 bits, which can be set according to actual conditions, and are not limited in this application.
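As an added example (not code from the patent), the address generation of step 405 and the verification of steps 410 and 411, following the Figure 5 order (XOR the second parts and the address generation sequence, then encrypt; decrypt, then XOR to recover), which is the order under which the two directions are exact inverses. IDEA, DES and triple DES are not in the Python standard library, so a small HMAC-based Feistel network stands in for the 64-bit block cipher; the key, addresses and packet dicts are constructed.

```python
import hashlib
import hmac
import ipaddress

# Assumption: a 64-bit keyed, invertible block function stands in for the IDEA/DES/3DES
# named on the page. This is a 4-round Feistel network with an HMAC-SHA256 round
# function; it is keyed and invertible, which is all the scheme needs, but it is an
# illustration, not one of the page's ciphers.
ROUNDS = 4
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def _round_function(key, rnd, half):
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def block_encrypt(key, block):
    """Encrypt a 64-bit integer under key (stand-in for Enc_key)."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_function(key, rnd, right)
    return (left << 32) | right


def block_decrypt(key, block):
    """Inverse of block_encrypt (stand-in for Dec_key)."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, rnd, left), left
    return (left << 32) | right


def split_ipv6(addr):
    """First part = high 64 bits (the prefix), second part = low 64 bits, as in Figure 5."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & MASK64


def join_ipv6(first, second):
    return str(ipaddress.IPv6Address((first << 64) | second))


def generate_vip(key, terminal_ip, server_ip, seq=0):
    """Step 405 / Figure 5, encrypt side: vIP = srv_first || Enc_key(srv_second XOR term_second XOR Seq)."""
    _, term2 = split_ipv6(terminal_ip)
    srv1, srv2 = split_ipv6(server_ip)
    return join_ipv6(srv1, block_encrypt(key, srv2 ^ term2 ^ (seq & MASK64)))


def recover_server_ip(key, terminal_ip, vip, seq=0):
    """Step 410 / Figure 5, decrypt side: IP = vIP_first || (Dec_key(vIP_second) XOR term_second XOR Seq)."""
    _, term2 = split_ipv6(terminal_ip)
    vip1, vip2 = split_ipv6(vip)
    return join_ipv6(vip1, block_decrypt(key, vip2) ^ term2 ^ (seq & MASK64))


def check_uplink(key, packet, server_ip):
    """Steps 408-413 on the network device. Returns (legal, destination to forward to).

    packet is a constructed dict: src (terminal IP), dst (destination IP),
    seq (address generation sequence) and high_defense (the identifier flag)."""
    if not packet.get("high_defense"):
        return True, packet["dst"]      # not a high-defense server: forward unchanged
    candidate = recover_server_ip(key, packet["src"], packet["dst"], packet.get("seq", 0))
    if ipaddress.IPv6Address(candidate) != ipaddress.IPv6Address(server_ip):
        return False, None              # step 412: illegal (drop, or divert to cleaning centre/honeypot)
    return True, server_ip              # step 413: rewrite destination to the real server address


if __name__ == "__main__":
    key = b"constructed demo key"      # constructed; a deployment receives it from the key management server
    server = "2001:db8:ffff::1"
    vip_a = generate_vip(key, "2001:db8:1::a", server, seq=7)
    vip_b = generate_vip(key, "2001:db8:1::b", server, seq=7)
    print("terminal A ->", vip_a)
    print("terminal B ->", vip_b)
    # the same virtual address presented from a different terminal is judged illegal (step 412)
    print(check_uplink(key, {"src": "2001:db8:1::a", "dst": vip_a, "seq": 7, "high_defense": True}, server))
    print(check_uplink(key, {"src": "2001:db8:1::b", "dst": vip_a, "seq": 7, "high_defense": True}, server))
```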
  • the application server may send a downlink data packet to the terminal in response to the modified uplink data packet.
  • the network device can modify the destination address carried in the downlink data from the IP address of the application server to the first virtual IP address, so that the real IP address of the application server can be hidden.
  • the above method also includes:
  • Step 601 the network device receives the downlink data packet sent by the application server.
  • the downlink data packet carries the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identification.
  • step 602 is executed.
  • Step 602 the network device generates a first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
  • the network device encrypts the second part of the IP address of the application server according to the key; performs an XOR operation on the second part of the IP address of the terminal and the encrypted result; and the first part of the IP address of the application server and the XOR operation result form the first virtual IP address. Since the second part of the IP address differs between terminals, different virtual IP addresses will be generated according to the IP addresses of different terminals. Using key encryption can improve the security of the virtual IP address.
  • Step 603 the network device determines the address end time of the first virtual IP address according to the first address generation sequence.
  • Step 604 when the address end time is greater than the verification time, determine that the target time difference is equal to the address end time minus the verification time.
  • otherwise (the address end time is not greater than the verification time), step 608 may be performed or the downlink data packet may be discarded.
  • Step 605 the network device judges whether the target time difference is greater than the preset duration, if yes, execute step 606, if not, execute step 608.
  • the preset duration is related to the data transmission duration T between the terminal and the application server, and can be set according to actual conditions.
  • the preset duration is equal to 2T.
  • if the time difference between the verification time and the address end time is greater than 2T, this indicates that the virtual IP address used for the next data transmission will not expire, so there is no need to replace the virtual IP address.
  • if the time difference between the verification time and the address end time is less than or equal to 2T, this indicates that the virtual IP address would expire during the next data transmission, and the virtual IP address needs to be replaced. In this way, the virtual IP address can be replaced in advance to prevent the virtual IP address of the data packet from expiring.
  • Step 606 the network device generates a first downlink data packet according to the downlink data packet and the first virtual IP address.
  • the network device modifies the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address to obtain the first downlink data packet.
  • the source IP address of the downlink data packet is the IP address of the application server, and the source IP address of the first downlink data packet is the first virtual IP address.
  • Step 607 the network device sends the first downlink data packet to the terminal.
  • Step 608 the network device obtains the second address generation sequence.
  • Step 609 the network device generates a second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal, and the second address generation sequence.
  • Step 610 the network device generates a second downlink data packet according to the downlink data packet, the first virtual IP address, the second virtual IP address and the address switching identifier.
  • the network device modifies the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address, and then adds the second virtual IP address, the second address generation sequence and the address switching identifier to the downlink data packet, obtaining the second downlink data packet.
  • the source IP address of the downlink data packet is the IP address of the application server
  • the source IP address of the second downlink data packet is the first virtual IP address
  • the second downlink data packet also carries virtual address association information of the second virtual IP address, for example a second address generation sequence and an address switch flag.
  • the second address generation sequence includes address generation time and address lifetime of the second virtual IP address.
  • the address switch flag is used to change the destination IP address of the uplink data packet.
  • Step 611 the network device sends the second downlink data packet to the terminal.
  • according to the address switching identifier, the terminal may stop generating uplink data packets carrying the first virtual IP address and the first address generation sequence, and instead generate an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier, and then perform step 612.
  • Step 612 the terminal sends an uplink data packet to the network device.
  • step 613 is executed.
  • Step 613 the network device generates the IP address of the application server according to the key, the IP address of the terminal, the second virtual IP address and the second address generation sequence.
  • Step 614 the network device modifies the destination address of the uplink data packet from the second virtual IP address to the IP address of the application server.
  • Step 615 the network device sends the modified uplink data packet to the application server.
  • the first virtual IP address and the second virtual IP address represent two periods of virtual IP addresses.
  • When the second virtual IP address is about to expire, it can be replaced with another virtual IP address, and the replacement process can refer to the corresponding content recorded above.
  • the network device may modify the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address, thereby hiding the real IP address of the application server.
  • one application server can correspond to multiple virtual IP addresses, which can reduce the risk, present in existing communication methods, of being attacked by a large number of bot devices after the virtual IP address is shared or resold.
  • the network device can change the virtual IP address according to the lifetime of the virtual IP address, which can improve the security of the virtual IP address.
  • This method for replacing the virtual IP address does not require additional management equipment for setting the virtual IP address to manage and maintain the virtual IP address, so it has the advantage of being simple and convenient.
  • the application can replace the virtual IP address in advance to prevent the virtual IP address from expiring during data transmission. This ensures continuity of data flow.
  • the communication method above further includes:
  • Step 701 the network device receives the downlink data packet sent by the application server.
  • the downlink data packet carries the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identification.
  • step 702 is executed.
  • Step 702 the network device generates a first virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the first address generation sequence.
  • the network device encrypts the second part of the IP address of the application server according to the key; performs an XOR operation on the second part of the IP address of the terminal and the encrypted result; and the first part of the IP address of the application server and the XOR operation result form the first virtual IP address. Since the second part of the IP address differs between terminals, different virtual IP addresses will be generated according to the IP addresses of different terminals. Using key encryption can improve the security of the virtual IP address.
  • Step 703 the network device determines the address end time of the first virtual IP address according to the first address generation sequence.
  • Step 704 when the address end time is greater than the verification time, determine that the target time difference is equal to the address end time minus the verification time.
  • otherwise (the address end time is not greater than the verification time), step 708 may be performed or the downlink data packet may be discarded.
  • Step 705 the network device judges whether the target time difference is greater than the preset duration, if yes, execute step 706, if not, execute step 708.
  • the preset duration is related to the data transmission duration T between the terminal and the application server, and can be set according to actual conditions.
  • the preset duration is equal to 2T.
  • if the time difference between the verification time and the address end time is greater than 2T, this indicates that the virtual IP address used for the next data transmission will not expire, so there is no need to replace the virtual IP address.
  • if the time difference between the verification time and the address end time is less than or equal to 2T, this indicates that the virtual IP address would expire during the next data transmission, and the virtual IP address needs to be replaced.
  • Step 706 the network device generates a first downlink data packet according to the downlink data packet and the first virtual IP address.
  • the network device modifies the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address to obtain the first downlink data packet.
  • the source IP address of the downlink data packet is the IP address of the application server, and the source IP address of the first downlink data packet is the first virtual IP address.
  • Step 707 the network device sends the first downlink data packet to the terminal.
  • Step 708 the network device obtains the second address generation sequence.
  • Step 709 the network device generates a second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence.
  • Step 710 the network device generates an address switching notification carrying the second virtual IP address and the second address generation sequence.
  • Step 711 the network device sends an address switching notification to the terminal.
  • the address switching notification is a control plane message. After the terminal receives the address switching notification, it can, according to the notification, stop generating uplink data packets carrying the first virtual IP address and the first address generation sequence, and instead generate an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier, and then execute step 714. In this way, the virtual IP address can be replaced in advance to prevent the virtual IP address of the data packet from expiring.
  • Step 712 the network device generates a first downlink data packet according to the downlink data packet and the first virtual IP address.
  • the network device modifies the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address to obtain the first downlink data packet.
  • Step 713 the network device sends the first downlink data packet to the terminal.
  • steps 712 to 713 are the process of sending the first downlink data packet.
  • steps 708 to 711 are the process of sending the address switching notification. The two processes are independent and there is no fixed sequence.
  • Step 714 the terminal sends an uplink data packet to the network device.
  • step 715 is executed.
  • Step 715 the network device generates the IP address of the application server according to the key, the IP address of the terminal, the second virtual IP address and the second address generation sequence.
  • Step 716 the network device modifies the destination address of the uplink data packet from the second virtual IP address to the IP address of the application server.
  • Step 717 the network device sends the modified uplink data packet to the application server.
  • the network device may modify the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address, thereby hiding the real IP address of the application server.
  • one application server can correspond to multiple virtual IP addresses, which reduces a risk of existing communication methods: once a virtual IP address is shared or resold, the application server can be attacked by a large number of bot devices using that address.
  • the network device can change the virtual IP address according to the lifetime of the virtual IP address, which can improve the security of the virtual IP address.
  • This method for replacing the virtual IP address does not require additional management equipment for setting the virtual IP address to manage and maintain the virtual IP address, so it has the advantage of being simple and convenient.
  • the present application provides a method of notifying the terminal to switch the virtual IP address through a control plane message, which can prevent the virtual IP address from expiring during the communication process, making the implementation of the solution more flexible.
  • the first downlink data packet comprises message header 81 and payload 82
  • message header 81 comprises the first virtual IP address 811, the IP address 812 of the terminal and the virtual address association information 813 of the first virtual address.
  • the virtual address association information 813 of the first virtual address includes a high-defense address identifier, an address generation sequence length, an address generation sequence, an address switching field, and an additional field.
  • the second downlink data packet includes a header 91 and a payload 92
  • the header 91 includes the first virtual IP address 911, the IP address 912 of the terminal and the virtual address association information 913 of the second virtual address.
  • the virtual address association information 913 of the second virtual address includes a high-defense address identifier, an address generation sequence length, an address generation sequence, an address switching identifier, and a second virtual IP address.
  • the type field indicates an address type.
  • a value of 1 in the type field means the high-defense address identifier.
  • a value of 0 in the type field means a non-high-defense address identifier.
  • the value of the RDLENGTH field indicates the length of the address generation sequence, and the length is 2 bytes.
  • the value of the RDATA field represents the address generation sequence, and the length is 128 bytes.
  • the FLAG field represents an address switching field, and the length is 1 byte. A value of 1 in the FLAG field indicates an address switching flag. A value of 0 in the FLAG field indicates that the address is not switched.
  • the Additional Record field represents an additional field with a length of 128 bytes.
  • the value of the FLAG field can be NULL, indicating that there is no additional information.
  • when the value of the FLAG field is 1, the value of the Additional Record field is the second virtual IP address.
  • the present application also provides a device capable of implementing the above communication method.
  • the network device of the present application can implement the steps performed by the network device in the foregoing embodiments.
  • the network device 1000 of the present application includes:
  • a receiving unit 1001 configured to receive an uplink data packet sent by a terminal
  • the processing unit 1002 is configured to obtain the Internet Protocol (IP) address of the terminal and the first virtual IP address of the application server from the uplink data packet when it is detected that the uplink data packet carries the high-defense address identifier; obtain a key; generate the IP address to be processed according to the key, the IP address of the terminal and the first virtual IP address; when the IP address to be processed is not the IP address of the application server, determine that the uplink data packet is illegal; when the IP address to be processed is the IP address of the application server, modify the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server;
  • the sending unit 1003 is configured to send the modified uplink data packet to the application server.
  • the uplink data packet further includes a first address generation sequence, and the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual address;
  • the processing unit 1002 is specifically configured to generate the IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence.
  • the receiving unit 1001 is also used to receive the downlink data packet sent by the application server, the downlink data packet carries the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high defense address identification;
  • the processing unit 1002 is further configured to generate a first virtual IP address according to the IP address of the application server, the IP address of the terminal and the first address generation sequence when it is detected that the downlink data packet carries the high-defense address identifier; determine the address end time according to the address generation time and the address lifetime; when the address end time is greater than the verification time, determine a target time difference equal to the address end time minus the verification time; and when the target time difference is greater than a preset duration, generate the first downlink data packet;
  • the sending unit 1003 is further configured to send the first downlink data packet to the terminal.
  • the processing unit 1002 is further configured to obtain a second address generation sequence when the target time difference is less than or equal to the preset duration, where the second address generation sequence includes the address generation time of the second virtual IP address and the address lifetime of the second virtual IP address; generate the second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; and generate a second downlink data packet according to the downlink data packet, the first virtual IP address, the second virtual IP address and the address switching identifier, where the second downlink data packet carries the first virtual IP address, the second virtual IP address and the address switching identifier, and the address switching identifier is used to change the destination IP address of the uplink data packet;
  • the sending unit 1003 is further configured to send the second downlink data packet to the terminal.
  • the processing unit 1002 is further configured to obtain a second address generation sequence, where the second address generation sequence includes the address generation time of the second virtual IP address and the address lifetime of the second virtual IP address; and generate the second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence;
  • the sending unit 1003 is further configured to send to the terminal an address switch notification carrying a second virtual IP address and a second address generation sequence, where the address switch notification is used to change the destination IP address and address generation sequence of the uplink data packet;
  • the processing unit 1002 is further configured to generate a first downlink data packet according to the downlink data packet and the first virtual IP address when the target time difference is less than or equal to a preset duration;
  • the sending unit 1003 is further configured to send the first downlink data packet to the terminal.
  • the processing unit 1002 is specifically configured to decrypt the second part of the first virtual IP address using the key; perform a first XOR operation on the second part of the IP address of the terminal and the decryption result; perform a second XOR operation on the first address generation sequence and the result of the first XOR operation; and combine the first part of the first virtual IP address with the result of the second XOR operation to form the IP address to be processed.
  • the receiving unit 1001 is also configured to receive the IP address of the application server and the key corresponding to the IP address of the application server sent by the key management server.
  • a terminal 1100 includes a receiving unit 1101 , a processing unit 1102 and a sending unit 1103 .
  • the sending unit 1103 is configured to send an address request message to a domain name system server, where the address request message includes a domain name;
  • the receiving unit 1101 is configured to receive a response message sent by the domain name system server according to the address request message, the response message includes the first virtual Internet Protocol IP address of the application server and the high-defense address identifier;
  • the processing unit 1102 generates an uplink data packet, and the uplink data packet carries the IP address of the terminal, the first virtual IP address and the high-defense address identifier;
  • the sending unit 1103 is also configured to send the uplink data packet to the network device.
  • the response message further includes a first address generation sequence
  • the uplink data packet further includes a first address generation sequence
  • the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual address.
  • the receiving unit 1101 is also configured to receive a first downlink data packet sent by a network device, where the first downlink data packet carries a first virtual IP address.
  • the receiving unit 1101 is further configured to receive a second downlink data packet sent by the network device, where the second downlink data packet carries a first virtual IP address, a second virtual IP address, a second address generation sequence and an address switching identifier;
  • the processing unit 1102 is further configured to generate an uplink data packet carrying a second virtual IP address, a second address generation sequence and a high-defense address identifier according to the address switching identifier.
  • the receiving unit 1101 is also used to receive the first downlink data packet and the address switching notification sent by the network device, the first downlink data packet carries the first virtual IP address, and the address switching notification includes the second virtual IP address and the second address generation sequence ;
  • the processing unit 1102 is further configured to generate an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier according to the address switching notification.
  • domain name system server 1200 includes:
  • the receiving unit 1201 is configured to receive an address request message sent by the terminal, where the address request message includes a domain name;
  • a processing unit 1202 configured to obtain the key and the high-defense address identifier when the domain name is a high-defense domain name;
  • the processing unit 1202 is further configured to generate a first virtual IP address according to the key, the IP address of the terminal, and the IP address of the application server;
  • the sending unit 1203 is configured to send a response message to the terminal, where the response message includes the first virtual IP address and the high-defense address identifier.
  • the processing unit 1202 is specifically configured to obtain a first address generation sequence, where the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual address; and generate the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
  • the processing unit 1202 is specifically configured to perform a first XOR operation on the second part of the IP address of the terminal and the second part of the IP address of the application server; perform a second XOR operation on the first address generation sequence and the result of the first XOR operation; encrypt the result of the second XOR operation using the key; and combine the encrypted result with the first part of the IP address of the application server to form the first virtual IP address.
  • a network device 1300 of the present application includes a processor 1301 , a memory 1302 and a communication interface 1303 .
  • the number of the processor 1301, the memory 1302 and the communication interface 1303 may be one or more.
  • the processor 1301 and the memory 1302 are connected through a bus 1304
  • the processor 1301 and the communication interface 1303 are connected through a bus 1305 .
  • the processor 1301 may be a central processing unit (CPU) or an application specific integrated circuit (ASIC).
  • the processor 1301 may also be another general-purpose processor, a digital signal processor (DSP), an ASIC, a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • the memory 1302 is the main memory of the network device 1300 .
  • a dynamic random access memory (Dynamic Random Access Memory, DRAM) is used as the memory 1302 .
  • the processor 1301 can access the memory 1302 at high speed through the memory controller, and perform read and write operations on any storage unit in the memory 1302 .
  • the memory 1302 may also be other random access memories, such as Static Random Access Memory (Static Random Access Memory, SRAM).
  • the memory 1302 may also be a read-only memory (Read Only Memory, ROM).
  • the read-only memory may be, for example, a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), and the like.
  • This embodiment does not limit the quantity and type of the memory 1302 .
  • the memory 1302 can be configured to have a power protection function.
  • the power protection function means that when the system is powered off and then powered on again, the data stored in the memory is not lost.
  • the memory 1302 with a power protection function is called a nonvolatile memory.
  • the communication interface 1303 is used to communicate with other devices.
  • the communication interface 1303 can receive uplink data or send downlink data.
  • the bus 1304 may be but not limited to a double data rate (DDR) bus, and the bus 1305 may be but not limited to a PCIe bus.
  • the memory 1302 is used to store programs, and the processor 1301 can execute the steps performed by the network device in the foregoing embodiments by calling the programs stored in the memory 1302 .
  • a terminal 1400 of the present application includes a processor 1401 and a memory 1404 .
  • the processor 1401 is connected to the memory 1404 through the DDR bus 1403 .
  • different memories 1404 may communicate with the processor 1401 over different data buses, so the DDR bus 1403 may also be replaced with another type of data bus; the embodiment of the present application does not limit the type of the bus.
  • the terminal 1400 also includes various input and output devices, and the processor 1401 can access these input and output devices 1407 through the PCIe bus 1405 .
  • the processor (Processor) 1401 is the computing core and control core of the computing device 1400 .
  • Processor 1401 may include one or more processing cores (core) 1402 .
  • Processor 1401 may be a VLSI. An operating system and other software programs are installed in the processor 1401, so that the processor 1401 can realize access to the memory 1404 and various PCIe devices.
  • the processing core 1402 in the processor 1401 may be, for example, a CPU or an ASIC.
  • the processor 1401 may also be other general-purpose processors, DSP, ASIC, FPGA or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like.
  • the terminal 1400 may also include multiple processors.
  • the memory controller is a bus circuit controller that controls the memory 1404 inside the terminal 1400 and is used to manage and plan data transmission from the memory 1404 to the processing core 1402. Through the memory controller, data can be exchanged between the memory 1404 and the processing core 1402 .
  • the memory controller can be an independent chip, and is connected with the processing core 1402 through the system bus.
  • the memory controller may also be integrated into the processor 1401, built into the north bridge, or be an independent memory controller chip; the embodiment of the present application does not limit the specific location or form of the memory controller. In practical applications, the memory controller controls the logic needed to write data into the memory 1404 or read data from it.
  • the memory controller 1404 may be a memory controller in processor systems such as general processors, special accelerators, GPUs, FPGAs, and embedded processors.
  • the memory 1404 is the main memory of the terminal 1400 .
  • the memory 1404 is usually used to store various running software in the operating system, input and output data, and information exchanged with external storage. In order to improve the access speed of the processor 1401, the memory 1404 needs to have the advantage of fast access speed.
  • DRAM is usually used as the memory 1404 .
  • the processor 1401 can access the memory 1404 at high speed through the memory controller, and perform read and write operations on any storage unit in the memory 1404 .
  • the memory 1404 may also be other random access memories, such as SRAM.
  • the memory 1404 may also be a ROM. As for the read-only memory, for example, it can be PROM, EPROM and so on.
  • the memory 1404 can be configured to have a power protection function.
  • the power protection function means that when the system is powered off and then powered on again, the data stored in the memory is not lost.
  • the memory 1404 with a power protection function is called a nonvolatile memory.
  • An input/output (I/O) device 1407 refers to hardware capable of data transmission, and may also be understood as a device connected to an I/O interface. Common I/O devices include network cards, printers, keyboards and mice. External storage such as hard disks, floppy disks and CDs can also be used as I/O devices.
  • the processor 1401 can access the various input and output devices 1407 through the PCIe bus 1405. It should be noted that the PCIe bus 1405 is just an example and may be replaced by other buses, such as a unified bus (UB).
  • a baseboard management controller (Baseboard Management Controller, BMC) 1406 can upgrade the firmware of the device, manage the running status of the device, and troubleshoot.
  • the processor 1401 can access the baseboard management controller 1406 through a PCIe bus or a bus such as USB or I2C.
  • the base management controller 1406 can also be connected to at least one sensor.
  • the status data of the terminal is obtained through the sensor, where the status data includes: temperature data, current data, voltage data and so on. In this application, there is no specific limitation on the type of status data.
  • the baseboard management controller 1406 communicates with the processor 1401 via the PCIe bus or another type of bus, for example to transfer the obtained status data to the processor 1401 for processing.
  • the baseboard management controller 1406 can also maintain the program codes in the memory 1404, including upgrading or restoring.
  • the baseboard management controller 1406 may also control a power supply circuit or a clock circuit in the terminal 1400 .
  • the baseboard management controller 1406 can manage the terminal 1400 through the above manner.
  • the baseboard management controller 1406 is only an optional device.
  • the processor 1401 may directly communicate with the sensor, so as to directly manage and maintain the terminal.
  • the memory 1404 is used to store programs.
  • the processor 1401 is configured to execute the steps executed by the terminal in the foregoing embodiments.
  • FIG. 15 is a schematic structural diagram of a domain name system server provided by an embodiment of the present application.
  • the domain name system server 1500 may differ considerably in configuration or performance, and may include one or more central processing units 1522, memory 1532, and one or more storage media 1530 (for example, one or more mass storage devices) storing application programs 1542 or data 1544.
  • the memory 1532 and the storage medium 1530 may be temporary storage or persistent storage.
  • the program stored in the storage medium 1530 may include one or more modules, and each module may include a series of instructions to operate on the domain name system server.
  • the central processing unit 1522 can be configured to communicate with the storage medium 1530 , and execute a series of instruction operations in the storage medium 1530 on the domain name system server 1500 .
  • the domain name system server 1500 can also include one or more power supplies 1526, one or more wired or wireless network interfaces 1550, one or more input and output interfaces 1558, and/or, one or more operating systems 1541, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, etc.
  • the present application provides a computer-readable storage medium.
  • a computer program is stored in the computer-readable storage medium.
  • when the computer program is run on a computer, it causes the computer to execute the communication method in the foregoing embodiment or optional embodiment.
  • the present application also provides a computer program product, which, when run on a computer, causes the computer to execute the communication method in the above-mentioned embodiments or optional embodiments.
  • the present application also provides a chip system, which includes a processor and a memory coupled to each other.
  • the memory is used to store computer programs or instructions, and the processing unit is used to execute the computer programs or instructions stored in the memory, so that the device performs the steps performed by the network device, terminal or domain name system server in the above embodiments.
  • the memory may be an on-chip memory, such as a register or a cache, or a memory located outside the chip, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM), etc.
  • the processor mentioned in any of the above places may be a general-purpose central processing unit, a microprocessor, an application specific integrated circuit (ASIC) or one or more integrated circuits for implementing the above-mentioned communication method.
  • the device embodiments described above are only schematic: the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units. That is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • the connection relationship between the modules indicates that they have communication connections, which can be specifically implemented as one or more communication buses or signal lines.
  • the essence of the technical solution of this application, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, USB flash drive, removable hard disk, ROM, RAM, magnetic disk or optical disk, and includes several instructions that cause a computer device (which may be a personal computer, server, network device, etc.) to execute the method of each embodiment of the present application.
  • all or part of them may be implemented by software, hardware, firmware or any combination thereof.
  • when implemented using software, it may be implemented in whole or in part in the form of a computer program product.
  • a computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part.
  • a computer can be a general purpose computer, special purpose computer, computer network, or other programmable device.
  • Computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another over a wired (e.g. coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g. infrared, radio, microwave) link.
  • A computer-readable storage medium can be any available medium that a computer can store, or a data storage device such as a server or data center that includes one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid state disk (SSD)), etc.
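A worked model of the XOR-and-encrypt construction described for processing unit 1202 above, its inverse in processing unit 1002, and the downlink lifetime check of unit 1002. This is an added example, not Huawei's code; it assumes IPv6 addresses with the "first part" as the upper 64 bits and the "second part" as the lower 64 bits, a constructed packing of the address generation sequence (32-bit generation time and 32-bit lifetime), and an HMAC-SHA256 Feistel permutation standing in for the cipher the page leaves unspecified.

```python
"""Model of the page's virtual-IP binding and lifetime check (added example,
not Huawei's code). Constructed assumptions: IPv6 addresses; 'first part' =
upper 64 bits, 'second part' = lower 64 bits; the address generation sequence
is packed as 32-bit generation time || 32-bit lifetime; the key 'encryption'
is a 4-round HMAC-SHA256 Feistel permutation on 64 bits."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1
ROUNDS = 4


@dataclass(frozen=True)
class AddrSeq:
    """Address generation sequence: generation time and lifetime, in seconds."""
    gen_time: int
    lifetime: int

    def to_int(self) -> int:
        # Constructed packing, not the page's 128-byte RDATA layout.
        return ((self.gen_time & MASK32) << 32) | (self.lifetime & MASK32)

    def end_time(self) -> int:
        return self.gen_time + self.lifetime


def _round(key: bytes, half: int, i: int) -> int:
    mac = hmac.new(key, struct.pack(">BI", i, half), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def encrypt64(key: bytes, block: int) -> int:
    """Keyed permutation of the 64-bit 'second part' (stand-in cipher)."""
    left, right = block >> 32, block & MASK32
    for i in range(ROUNDS):
        left, right = right, left ^ _round(key, right, i)
    return (left << 32) | right


def decrypt64(key: bytes, block: int) -> int:
    """Exact inverse of encrypt64: same round function, reversed order."""
    left, right = block >> 32, block & MASK32
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, left, i), left
    return (left << 32) | right


def _split(ip: str) -> tuple:
    v = int(ipaddress.IPv6Address(ip))
    return v >> 64, v & MASK64


def _join(first: int, second: int) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address((first << 64) | second)


def dns_make_virtual(key: bytes, term_ip: str, app_ip: str,
                     seq: AddrSeq) -> ipaddress.IPv6Address:
    """DNS server side (unit 1202): a virtual IP bound to one terminal."""
    app_first, app_second = _split(app_ip)
    _, term_second = _split(term_ip)
    x1 = term_second ^ app_second        # first XOR: terminal and server second parts
    x2 = x1 ^ seq.to_int()               # second XOR: mix in the generation sequence
    return _join(app_first, encrypt64(key, x2))  # server first part || ciphertext


def gw_recover(key: bytes, term_ip: str, virt_ip: ipaddress.IPv6Address,
               seq: AddrSeq) -> ipaddress.IPv6Address:
    """Network device side (unit 1002): derive the 'IP address to be processed'."""
    virt_first, virt_second = _split(str(virt_ip))
    _, term_second = _split(term_ip)
    x1 = term_second ^ decrypt64(key, virt_second)
    x2 = seq.to_int() ^ x1
    return _join(virt_first, x2)


def gw_check_uplink(key: bytes, app_ip: str, term_ip: str,
                    virt_ip: ipaddress.IPv6Address, seq: AddrSeq):
    """Return the real destination to rewrite to, or None if the packet is illegal.
    A virtual IP reused from another terminal fails here: the recovered address
    no longer equals the application server's address."""
    cand = gw_recover(key, term_ip, virt_ip, seq)
    return cand if cand == ipaddress.IPv6Address(app_ip) else None


def gw_downlink_decision(seq: AddrSeq, verify_time: int, preset: int) -> str:
    """Lifetime check on the downlink path: keep the first virtual IP or switch."""
    end = seq.end_time()
    if end <= verify_time:
        return "expired"   # branch not specified on the page; constructed label
    if end - verify_time > preset:
        return "keep"      # target time difference > preset: first downlink packet
    return "switch"        # otherwise: second virtual IP / switching notification
```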

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A communication method, comprising: receiving an uplink data packet sent by a terminal; upon detecting that the uplink data packet carries a high-defense address identifier, acquiring, from the uplink data packet, an IP address of the terminal and a first virtual IP address of an application server; acquiring a key; generating an IP address to be processed according to the key and the IP address of the terminal and the first virtual IP address carried in the uplink data packet; when the IP address to be processed is not the IP address of the application server, determining that the uplink data packet is illegitimate; and when the IP address to be processed is the IP address of the application server, modifying the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server, and then sending the modified uplink data packet to the application server. In this way, one application server corresponds to a plurality of virtual IP addresses, thereby reducing the risk of the IP address of an application server being subjected to a network attack. The present application further provides a related device capable of implementing the communication method.

Description

A communication method, network device, terminal and domain name system server
This application claims priority to the Chinese patent application with application number 202210210483.2, entitled "A communication method, network device, terminal and domain name system server", filed with the China Patent Office on March 3, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of communications, and in particular to a communication method, a network device, a terminal and a domain name system server.
Background
In a network attack scenario aimed at a specific target, the attacker needs to obtain the Internet Protocol (IP) address of the target and then launch the attack against that address. IP address hopping is a means of defending against network attacks: it changes the IP address so that an attacker cannot keep launching attacks on the target's IP address. IP address hopping includes real IP address hopping and virtual IP address hopping.
An existing virtual IP address hopping method works roughly as follows. When a terminal wants to access an application server, it requests the application server's IP address from the domain name system (DNS) server through a mobile target defense (MTD) gateway proxy. The DNS server sends the application server's IP address to the MTD gateway proxy, which replaces the application server's IP address in the message with a virtual IP address and sends the virtual IP address to the terminal. After obtaining the virtual IP address, the terminal sends data packets to the MTD gateway proxy with the virtual IP address as the destination IP address. On receiving a data packet, the MTD gateway proxy uses the mapping table between virtual IP addresses and application server IP addresses to change the packet's destination IP address from the virtual IP address to the application server's IP address, and then forwards the packet containing the application server's IP address to the application server.
When multiple terminals access the application server, different terminals obtain the same virtual IP address within a single hopping period. Once that virtual IP address is shared or resold, a network attacker can easily use multiple bot devices to carry out a network attack on the application server.
Summary of the invention
In view of this, the present application provides a communication method that generates multiple virtual IP addresses for the IP address of each application server, so that a network attacker cannot launch an attack from many bot devices using the same virtual IP address, which improves network security. The present application also provides a terminal, a network device and a domain name system server capable of implementing this communication method.
A first aspect provides a communication method, which includes: receiving an uplink data packet sent by a terminal; when the uplink data packet is detected to carry a high-defense address identifier, obtaining the terminal's IP address and a first virtual IP address of an application server from the uplink data packet; after obtaining a key, generating an IP address to be processed from the key, the terminal's IP address and the first virtual IP address; when the IP address to be processed is not the IP address of the application server, determining that the uplink data packet is illegal; and when the IP address to be processed is the IP address of the application server, changing the destination IP address of the uplink data packet from the first virtual IP address to the IP address to be processed and sending the uplink data packet carrying that address to the application server. The uplink data packet carries the application server's first virtual IP address and the terminal's IP address. Because the first virtual IP address is generated from the key, the terminal's IP address and the application server's IP address, one application server IP address corresponds to many virtual IP addresses, which prevents a network attacker from using multiple bot devices to attack the application server behind a single virtual IP address.
In a possible implementation, generating the IP address to be processed from the key, the terminal's IP address and the first virtual IP address includes: when the uplink data packet further includes a first address generation sequence, generating the IP address to be processed from the key, the terminal's IP address, the first virtual IP address and the first address generation sequence. Because the first address generation sequence includes the generation time and the lifetime of the first virtual IP address, the first address generation sequence can be used to verify whether the first virtual IP address is legal, which improves the security of the virtual IP address.
In another possible implementation, the method further includes: receiving a downlink data packet sent by the application server; when the downlink data packet is detected to carry the high-defense address identifier, generating the first virtual IP address from the key, the application server's IP address, the terminal's IP address and the first address generation sequence; determining the address end time of the first virtual IP address from the first address generation sequence; when the address end time is later than the verification time, determining a target time difference equal to the address end time minus the verification time; and when the target time difference is greater than a preset duration, generating a first downlink data packet from the downlink data packet and the first virtual IP address and sending the first downlink data packet to the terminal. The downlink data packet carries the application server's IP address, the terminal's IP address, the first address generation sequence and the high-defense address identifier. Converting the application server's IP address into a virtual IP address hides the application server's IP address.
When the address end time is earlier than the verification time, the first virtual IP address has expired; the downlink data packet may then be discarded, or a first downlink data packet may be generated from the downlink data packet and the first virtual IP address and sent to the terminal.
In another possible implementation, when the target time difference is less than or equal to the preset duration, a second address generation sequence is obtained and a second virtual IP address is generated from the key, the application server's IP address, the terminal's IP address and the second address generation sequence; a second downlink data packet is generated from the downlink data packet, the first virtual IP address, the second virtual IP address, the second address generation sequence and an address switching identifier, and the second downlink data packet is sent to the terminal. The second downlink data packet carries the first virtual IP address, the second virtual IP address, the second address generation sequence and the address switching identifier. The second address generation sequence includes the generation time and the lifetime of the second virtual IP address. This provides a way of using a downlink data packet to notify the terminal to switch addresses.
In another possible implementation, when the target time difference is less than or equal to the preset duration, a second address generation sequence is obtained, which includes the generation time and the lifetime of the second virtual IP address; a second virtual IP address is generated from the key, the application server's IP address, the terminal's IP address and the second address generation sequence; an address switching notification carrying the second virtual IP address and the second address generation sequence is sent to the terminal; and a first downlink data packet is generated from the downlink data packet and the first virtual IP address and sent to the terminal. The address switching notification is a control plane message, which provides another way of notifying the terminal to switch addresses.
In another possible implementation, generating the IP address to be processed from the key, the terminal's IP address, the first virtual IP address and the first address generation sequence includes: decrypting the second part of the first virtual IP address with the key; performing a first XOR operation between the second part of the terminal's IP address and the decryption result; performing a second XOR operation between the first address generation sequence and the result of the first XOR operation; and combining the first part of the first virtual IP address with the result of the second XOR operation to form the IP address to be processed. This provides a feasible address decryption method.
In another possible implementation, before the key is obtained, the application server's IP address and the key corresponding to that IP address are received from a key management server. The key corresponds one-to-one with the application server's IP address. Once the key is deployed on the network device, the network device can translate virtual IP addresses generated with that key.
In another possible implementation, before the key is obtained, the terminal's IP address and the key corresponding to that IP address are received from the key management server. The key corresponds one-to-one with the terminal's IP address. Once the key is deployed on the network device, the network device can translate virtual IP addresses generated with that key.
In another possible implementation, before the key is obtained, the key is received from the key management server. The key is used for address translation. In the above possible implementations, the key management server may periodically send a new key to improve the security of the virtual addresses.
A second aspect provides a communication method, which includes: sending an address request message including a domain name to a domain name system server; receiving a response message sent by the domain name system server in reply to the address request message; and then generating an uplink data packet and sending it to a network device. The uplink data packet carries the terminal's IP address, the first virtual IP address and the high-defense address identifier. Implemented this way, the real IP address of the application server is hidden when uplink data is sent, which improves communication security.
In a possible implementation, the response message further includes the first address generation sequence, and the uplink data packet also includes the first address generation sequence. The first address generation sequence includes the generation time and the lifetime of the first virtual IP address. The generation time of the virtual IP address may be a timestamp. Because the generation time and lifetime of a virtual IP address are unique, encrypting and decrypting the virtual IP address with them reduces the possibility of forgery and provides good security.
In another possible implementation, the method further includes: receiving a first downlink data packet sent by the network device, the first downlink data packet carrying the first virtual IP address. When the first virtual IP address has not expired, the network device sends a downlink data packet carrying the first virtual IP address.
In another possible implementation, the method further includes: receiving a second downlink data packet sent by the network device, which carries the first virtual IP address, a second virtual IP address, a second address generation sequence and an address switching identifier; and, according to the address switching identifier, generating an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier. The second address generation sequence includes the generation time and the lifetime of the second virtual IP address. When the first virtual IP address is about to expire, the network device may send the second downlink data packet to the terminal; the terminal generates an uplink data packet carrying the second virtual IP address and the second address generation sequence and sends it to the network device. A different virtual IP address is used for communication in each address hopping period, which further improves network security.
In another possible implementation, the method further includes: after receiving a first downlink data packet and an address switching notification sent by the network device, generating, according to the address switching notification, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier. The first downlink data packet carries the first virtual IP address. The address switching notification includes the second virtual IP address and the second address generation sequence. When the first virtual IP address is about to expire, the network device may send the first downlink data packet and the address switching notification to the terminal; the terminal generates an uplink data packet carrying the second virtual IP address and the second address generation sequence according to the notification and may then send it to the network device. This provides another address switching method in which a different virtual IP address is used in each address hopping period, further improving network security.
A third aspect provides a communication method, which includes: receiving an address request message sent by a terminal; when the domain name included in the address request message is a high-defense domain name, obtaining a key and a high-defense address identifier; generating a first virtual IP address from the key, the terminal's IP address and the application server's IP address; and sending a response message to the terminal. The response message includes the first virtual IP address and the high-defense address identifier. This provides a virtual IP address that hides the real IP address of the application server during communication and improves communication security.
In a possible implementation, generating the first virtual IP address from the key, the terminal's IP address and the application server's IP address includes: obtaining a first address generation sequence, and generating the first virtual IP address from the key, the terminal's IP address, the application server's IP address and the first address generation sequence. The first address generation sequence includes the generation time and the lifetime of the first virtual IP address. This provides a method of generating a virtual IP address.
In another possible implementation, generating the first virtual IP address from the key, the terminal's IP address, the application server's IP address and the first address generation sequence includes: performing a first XOR operation between the second part of the terminal's IP address and the second part of the application server's IP address; performing a second XOR operation between the first address generation sequence and the result of the first XOR operation; encrypting the result of the second XOR operation with the key; and combining the encryption result with the first part of the application server's IP address to form the first virtual IP address. This provides a method of generating a virtual IP address.
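The following is an added example, not code from the patent or its applicant, that puts the two address constructions above (the DNS server's XOR-then-encrypt generation and the network device's decrypt-then-XOR recovery) together with the network device's uplink legality check and its downlink expiry/switch decision from the first aspect. The patent leaves several details open, so the example assumes them: IPv4 addresses; the "first part" of an address is its high 16 bits and the "second part" its low 16 bits; the address generation sequence (generation time, lifetime) is folded into a 16-bit value before the XOR; and "encrypt with the key" is a 4-round Feistel permutation over the 16-bit second part with an HMAC-SHA256 round function. The names `AddrSeq`, `generate_virtual_ip`, `recover_server_ip`, `verify_uplink` and `downlink_action` are this example's own.

```python
"""Virtual IP generation/recovery plus the gateway's uplink and downlink checks.

Added example, not the patent's own code. Assumptions (left open by the patent):
IPv4; first part = high 16 bits, second part = low 16 bits; the address
generation sequence is hashed down to 16 bits before the XOR; "encrypt with
the key" is a keyed Feistel permutation over the 16-bit second part.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

ROUNDS = 4


@dataclass(frozen=True)
class AddrSeq:
    """Address generation sequence: generation time and lifetime, in seconds."""
    gen_time: int
    lifetime: int

    def end_time(self) -> int:
        return self.gen_time + self.lifetime

    def fold16(self) -> int:
        # Assumption: hash the sequence down to the width of the second part.
        digest = hashlib.sha256(f"{self.gen_time}:{self.lifetime}".encode()).digest()
        return int.from_bytes(digest[:2], "big")


def _round(key: bytes, half: int, i: int) -> int:
    # Round function: one byte of HMAC-SHA256(key, round index || half).
    return hmac.new(key, bytes([i, half]), hashlib.sha256).digest()[0]


def _encrypt16(key: bytes, block: int) -> int:
    # Balanced Feistel network over two 8-bit halves (a keyed bijection).
    left, right = block >> 8, block & 0xFF
    for i in range(ROUNDS):
        left, right = right, left ^ _round(key, right, i)
    return (left << 8) | right


def _decrypt16(key: bytes, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, left, i), left
    return (left << 8) | right


def _split(ip: str) -> tuple[int, int]:
    n = int(ipaddress.IPv4Address(ip))
    return n >> 16, n & 0xFFFF


def _join(first: int, second: int) -> str:
    return str(ipaddress.IPv4Address((first << 16) | second))


def generate_virtual_ip(key: bytes, terminal_ip: str, server_ip: str, seq: AddrSeq) -> str:
    """DNS-server side: first XOR, second XOR, encrypt, keep the server's first part."""
    _, t2 = _split(terminal_ip)
    s1, s2 = _split(server_ip)
    x = (t2 ^ s2) ^ seq.fold16()
    return _join(s1, _encrypt16(key, x))


def recover_server_ip(key: bytes, terminal_ip: str, virtual_ip: str, seq: AddrSeq) -> str:
    """Network-device side: decrypt, first XOR, second XOR, keep the virtual address's first part."""
    _, t2 = _split(terminal_ip)
    v1, v2 = _split(virtual_ip)
    x = _decrypt16(key, v2)
    return _join(v1, (t2 ^ x) ^ seq.fold16())


def verify_uplink(key: bytes, terminal_ip: str, virtual_ip: str, seq: AddrSeq, server_ip: str) -> bool:
    """Uplink legality check: the recovered address must equal the real server address."""
    return recover_server_ip(key, terminal_ip, virtual_ip, seq) == server_ip


def downlink_action(seq: AddrSeq, verification_time: int, preset: int) -> str:
    """Downlink decision: 'expired' (drop or forward), 'switch' (issue a second
    virtual address, the remaining lifetime is within the preset duration) or
    'forward' (keep the first virtual address)."""
    end = seq.end_time()
    if end < verification_time:
        return "expired"
    if end - verification_time <= preset:
        return "switch"
    return "forward"


if __name__ == "__main__":
    key = b"example-key-0"                      # constructed sample key
    seq = AddrSeq(gen_time=1_700_000_000, lifetime=600)
    vip = generate_virtual_ip(key, "10.1.2.3", "203.0.113.7", seq)
    print(vip, recover_server_ip(key, "10.1.2.3", vip, seq))
    print(downlink_action(seq, 1_700_000_550, 60))
```

Two terminals never share a virtual address for the same server and sequence, because their second parts differ before a bijective permutation. Note that, with the 16-bit second part assumed here, the only thing distinguishing a legal uplink packet from a forged one is whether the recovered address equals the server's address, so a forged second part has a 1 in 65536 chance of passing; widening the transformed part (for example on IPv6) and enforcing the lifetime check are what make guessing impractical.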
A fourth aspect provides a network device having the function of implementing the communication method of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
A fifth aspect provides a terminal having the function of implementing the communication method of the second aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
A sixth aspect provides a domain name system server having the function of implementing the communication method of the third aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above function.
A seventh aspect provides a network device including a processor and a memory, the memory storing a program, and the processor implementing the method of the first aspect by executing the program.
An eighth aspect provides a terminal including a processor and a memory, the memory storing a program, and the processor implementing the method of the second aspect by executing the program.
A ninth aspect provides a domain name system server including a processor and a memory, the memory storing a program, and the processor implementing the method of the third aspect by executing the program.
A tenth aspect provides a computer-readable storage medium storing instructions that, when run on a computer, cause the computer to perform the methods of the above aspects.
An eleventh aspect provides a computer program product containing instructions that, when run on a computer, cause the computer to perform the methods of the above aspects.
A twelfth aspect provides a chip system including at least one processor coupled to a memory, the memory storing a computer program or instructions, and the processor executing the computer program or instructions to implement the methods of the above aspects.
Brief description of the drawings
FIG. 1 is a schematic diagram of an address hopping scenario of the present application;
FIG. 2 is a signaling diagram of the communication method in an embodiment of the present application;
FIG. 3 is another signaling diagram of the communication method in an embodiment of the present application;
FIG. 4 is another signaling diagram of the communication method in an embodiment of the present application;
FIG. 5A is a schematic diagram of generating the first virtual IP address from the key, the user IP address, the application server's IP address and the first address generation sequence in an embodiment of the present application;
FIG. 5B is a schematic diagram of generating the application server's IP address from the key, the first virtual IP address, the user IP address and the first address generation sequence in an embodiment of the present application;
FIG. 6 is another signaling diagram of the communication method in an embodiment of the present application;
FIG. 7 is another signaling diagram of the communication method in an embodiment of the present application;
FIG. 8 is a schematic diagram of the first downlink data packet in an embodiment of the present application;
FIG. 9 is a schematic diagram of the second downlink data packet in an embodiment of the present application;
FIG. 10 is a structural diagram of a network device in an embodiment of the present application;
FIG. 11 is a structural diagram of a terminal in an embodiment of the present application;
FIG. 12 is a structural diagram of a domain name system server in an embodiment of the present application;
FIG. 13 is another structural diagram of a network device in an embodiment of the present application;
FIG. 14 is another structural diagram of a terminal in an embodiment of the present application;
FIG. 15 is another structural diagram of a domain name system server in an embodiment of the present application.
Detailed description
The communication method of the present application can be applied to an IP network system. In one example, the IP network system includes a terminal 10, a network device 20, a domain name system server 30, a key management server 40 and an application server 50. Data transmission among these devices proceeds as follows:
Step S11: the key management server 40 sends the key to the domain name system server 30.
Step S12: the key management server 40 sends the key to the network device 20.
The key management server 40 stores the key. It may periodically send the key to the domain name system server 30 and the network device 20, which store the key locally after receiving it. Step S12 may be performed before step S11, and steps S11 and S12 may also be performed together.
Step S13: the terminal 10 sends an address request to the network device 20.
After the user enters a domain name on the terminal 10, the terminal 10 generates an address request carrying the domain name and sends the address request to the network device.
Step S14: the network device 20 forwards the address request to the domain name system server 30.
After receiving the address request, the domain name system server 30 determines the virtual IP address of the application server 50 and the virtual address association information according to the domain name carried in the address request. The virtual IP address of the application server 50 depends on the key, the IP address of the terminal 10 and the IP address of the application server 50.
The virtual address association information is information related to the virtual IP address of the application server 50, for example the high-defense address identifier and the address generation sequence. The address generation sequence includes the generation time and the lifetime of the virtual IP address. The high-defense address identifier can also be understood as a virtual address identifier.
Step S15: the domain name system server 30 sends the virtual IP address of the application server 50 and the virtual address association information to the network device 20.
Step S16: the network device 20 sends the virtual IP address of the application server 50 and the virtual address association information to the terminal 10.
After obtaining the virtual IP address of the application server 50 and the virtual address association information, the terminal 10 generates a data packet that includes the virtual IP address of the application server 50 and the virtual address association information.
Step S17: the terminal 10 sends the data packet including the virtual IP address of the application server 50 and the virtual address association information to the network device 20.
After receiving the data packet, the network device 20 performs address hopping on the destination address of the data packet, converting it from the virtual IP address of the application server 50 to the IP address of the application server 50.
Step S18: the network device 20 sends a data packet including the IP address of the application server 50 and the virtual address association information to the application server 50.
Step S19: the application server 50 sends a data packet including the IP address of the application server 50 and the virtual address association information to the network device 20.
Step S20: the network device 20 sends a data packet including the virtual IP address of the application server 50 and the virtual address association information to the terminal 10.
The network device can hop between the virtual IP address and the real IP address of the application server 50, which hides the real IP address of the application server. Because the virtual IP address of the application server 50 depends on the key, the IP address of the terminal 10 and the IP address of the application server 50, when m terminals access the application server 50 at the same time there are m virtual IP addresses corresponding to the application server 50. This prevents a network attacker from using multiple bot devices to attack the application server 50 behind a single virtual IP address, and therefore improves network security. m is a positive integer.
本申请中的地址跳变是一种移动目标防御技术(Moving Target Defense,MTD),即通过动态持续地改变攻击面(改变IP地址、网络端口、网络配置信息、软件等),使攻击者面对很大的不确定性,难以预测和探索,从而提高网络安全性。现有的虚拟IP地址跳变方法中,单个地址跳变周期内,一个应用服务器对应一个虚拟IP地址。当虚拟IP地址被公开或倒卖后,网络攻击者可以利用多个肉鸡设备对该虚拟IP地址发动网络攻击,例如分布式拒绝服务攻击(distributed denial of service,DDOS)。对于该问题,本申请提供一种通信方法能够对使得一个应用服务器可以对应多个虚拟IP地址,从而降低网络攻击者利用多个肉鸡设备对一个虚拟IP地址发动网络攻击的可能性。Address hopping in this application is a moving target defense technology (Moving Target Defense, MTD), that is, by dynamically and continuously changing the attack surface (changing IP addresses, network ports, network configuration information, software, etc.), the attacker's surface For large uncertainties, it is difficult to predict and explore, thereby improving network security. In the existing virtual IP address hopping method, within a single address hopping period, one application server corresponds to one virtual IP address. When the virtual IP address is disclosed or resold, network attackers can use multiple bot devices to launch network attacks on the virtual IP address, such as distributed denial of service attacks (distributed denial of service, DDOS). For this problem, this application provides a communication method that enables one application server to correspond to multiple virtual IP addresses, thereby reducing the possibility of network attackers using multiple bot devices to launch network attacks on one virtual IP address.
The communication method of this application is introduced below. Referring to FIG. 2, one embodiment of the communication method provided by this application includes:
Step 201: The terminal sends an address request message to the domain name system server. The address request message carries a domain name.
Step 202: The domain name system server judges whether the domain name carried in the address request message is a high-defense domain name; if so, step 204 is executed, otherwise step 203 is executed.
Step 203: The domain name system server sends the IP address corresponding to the domain name to the terminal.
The terminal can then access the server corresponding to the domain name using that IP address.
Step 204: The domain name system server obtains the key and the high-defense address identifier.
There are several ways to obtain the key.
In one optional embodiment, the domain name system server obtains the key from the keys it stores locally. Beforehand, the domain name system server periodically receives the key from the key management server and saves it locally. Within a single key period, both the domain name system server and the network device use this key for encryption and decryption.
In another optional embodiment, the key management server stores a mapping between terminal IP addresses and keys. The domain name system server periodically receives from the key management server a terminal's IP address and the key corresponding to that address. Alternatively, the domain name system server sends the key management server a key request carrying the terminal's IP address, and the key management server looks up the key by the terminal IP address carried in the request. In this way, each terminal IP address corresponds to one key.
In another optional embodiment, the key management server stores a mapping between application server IP addresses and keys. The domain name system server periodically receives from the key management server an application server's IP address and the key corresponding to that address. Alternatively, the domain name system server sends the key management server a key request carrying the application server's IP address, and the key management server looks up the key by the application server IP address carried in the request. In this way, each application server IP address corresponds to one key.
Step 205: The domain name system server generates the first virtual IP address from the key, the terminal's IP address and the application server's IP address.
Step 206: The domain name system server sends the terminal a response message including the first virtual IP address and the high-defense address identifier.
Step 207: The terminal sends an uplink data packet to the network device.
After receiving the response message, the terminal can generate an uplink data packet. The uplink data packet carries the terminal's IP address, the first virtual IP address and the high-defense address identifier. The terminal's IP address is the source IP address of the uplink data packet, and the first virtual IP address is its destination IP address.
Step 208: When the network device detects that the uplink data packet carries the high-defense address identifier, it obtains the terminal's IP address and the application server's first virtual IP address from the uplink data packet.
After receiving the uplink data packet sent by the terminal, the network device checks whether the packet includes the high-defense address identifier. If it does, the destination IP address of the uplink data packet is a virtual IP address, and the network device obtains the terminal's IP address and the application server's first virtual IP address from the packet. It should be understood that if a data packet sent by the terminal does not carry the high-defense address identifier, the server corresponding to its destination IP address is not a high-defense server, and the packet is forwarded directly according to its destination IP address.
Step 209: The network device obtains the key.
The key obtained by the domain name system server in step 204 and the key obtained by the network device in step 209 are the same.
In one optional embodiment, the network device obtains the key from the keys it stores locally. It should be noted that, before the network device obtains the key, the key management server can periodically send the key to the network device, which saves the key locally on receipt.
In another optional embodiment, after sending a key acquisition request to the key management server, the network device receives from it the terminal's IP address and the key corresponding to that address.
In another optional embodiment, after sending a key acquisition request to the key management server, the network device receives from it the application server's IP address and the key corresponding to that address. It should be noted that the network device and the application server are in the same domain, and the prefix of the virtual IP address points to that domain. Forwarding devices in the network (such as routers or switches) can deliver the uplink data packet to the network device of the domain according to the prefix of the virtual IP address.
Step 210: The network device generates an IP address to be processed from the key, the terminal's IP address and the first virtual IP address.
In one optional embodiment, step 210 includes: decrypting the second part of the first virtual IP address with the key; XORing the second part of the terminal's IP address with the decryption result; and concatenating the first part of the first virtual IP address with the XOR result to form the IP address to be processed. In this embodiment, the first part of the application server's IP address is the same as the first part of the first virtual IP address, while the second part of the application server's IP address differs from the second part of the first virtual IP address. In this application, the first part and the second part can be cut from the IP address as appropriate, and their lengths can also be set as appropriate; this application places no limit on them. The decryption algorithm and the encryption algorithm use the same key. The decryption algorithm may be, but is not limited to, the International Data Encryption Algorithm (IDEA), the Data Encryption Standard (DES), triple DES, and so on.
Step 211: The network device judges whether the IP address to be processed is the application server's IP address; if so, step 213 is executed, otherwise step 212 is executed.
If the IP address to be processed is the application server's IP address, the second part of the first virtual IP address was obtained by encrypting the second part of the application server's IP address with the key. If it is not, the second part of the first virtual IP address was not obtained by encrypting the second part of the application server's IP address with the key.
Step 212: The network device determines that the uplink data packet is illegal.
When the uplink data packet is illegal, the network can forward it to a traffic scrubbing center or a honeypot server, or the network device can drop the illegal packet.
Step 213: The network device changes the destination IP address of the uplink data packet from the first virtual IP address to the application server's IP address. When the IP address to be processed is the application server's IP address, the uplink data packet is legitimate, and its destination IP address is translated.
Step 214: The network device sends the modified uplink data packet to the application server. In the modified uplink data packet, the destination IP address is the application server's IP address.
In this embodiment, because the first virtual IP address depends on the key, the terminal's IP address and the application server's IP address, when multiple terminals send uplink data packets to the same application server, the packets sent by different terminals carry different virtual IP addresses. This prevents a network attacker from using multiple bot devices and the same virtual IP address to attack the same application server.
In this application, the application server can send downlink data packets to the terminal. A downlink data packet may be the response to the modified uplink data packet of the embodiment shown in FIG. 2, or a message initiated by the application server, such as a push message. Referring to FIG. 3, in one optional embodiment the above method further includes:
Step 301: The network device receives a downlink data packet sent by the application server. The downlink data packet carries the application server's IP address, the terminal's IP address and the high-defense address identifier. When the network device detects that the downlink data packet carries the high-defense address identifier, step 302 is executed.
Step 302: The network device generates the first virtual IP address from the key, the application server's IP address and the terminal's IP address.
Specifically, the network device encrypts the second part of the application server's IP address with the key, XORs the second part of the terminal's IP address with the encryption result, and concatenates the first part of the application server's IP address with the XOR result to form the first virtual IP address. Because the second parts of different terminals' IP addresses differ, different terminal IP addresses yield different virtual IP addresses. Encrypting with the key improves the security of the virtual IP address.
Step 303: The network device changes the source IP address of the downlink data packet from the application server's IP address to the first virtual IP address.
Step 304: The network device sends the modified downlink data packet to the terminal.
In this embodiment, the network device converts the real IP address carried in the downlink data packet into a virtual IP address, which hides the application server's real IP address and improves network security.
In the above embodiments, when the key management server changes the key periodically, the virtual IP addresses generated with the key change as well, so the virtual IP address can be updated periodically, which improves its security. In addition, this application can also generate the virtual IP address from the key together with a timestamp, which further improves the security of the virtual IP address. Referring to FIG. 4, another embodiment of the communication method provided by this application includes:
Step 401: The terminal sends an address request message to the domain name system server. The address request message carries a domain name.
Step 402: The domain name system server judges whether the domain name carried in the address request message is a high-defense domain name; if so, step 404 is executed, otherwise step 403 is executed.
Step 403: The domain name system server sends the IP address corresponding to the domain name to the terminal. The terminal can then access the server corresponding to the domain name using that IP address.
Step 404: The domain name system server obtains the key, the first address generation sequence and the high-defense address identifier.
There are several ways to obtain the key.
In one optional embodiment, the domain name system server obtains the key from the keys it stores locally. Beforehand, the domain name system server periodically receives the key from the key management server and saves it locally. Within a single key period, both the domain name system server and the network device use this key for encryption and decryption. The keys issued in different key periods differ, so the virtual IP addresses carried in data packets sent by the same terminal in different key periods also differ.
In another optional embodiment, the key management server stores a mapping between terminal IP addresses and keys. The domain name system server periodically receives from the key management server a terminal's IP address and the key corresponding to that address. Alternatively, the domain name system server sends the key management server a key request carrying the terminal's IP address, and the key management server looks up the key by the terminal IP address carried in the request. In this way, each terminal IP address has one key.
In another optional embodiment, the key management server stores a mapping between application server IP addresses and keys. The domain name system server periodically receives from the key management server an application server's IP address and the key corresponding to that address. Alternatively, the domain name system server sends the key management server a key request carrying the application server's IP address, and the key management server looks up the key by the application server IP address carried in the request. In this way, each application server has one key.
Step 405: The domain name system server generates the first virtual IP address from the key, the terminal's IP address, the application server's IP address and the first address generation sequence.
It should be noted that the relationship between the key, the terminal's IP address, the application server's IP address, the address generation sequence and the virtual IP address can be described by the following formula:
$vIP_{ij} = F_{key}(SrcIP_i, DstIP, Seq_j)$
$vIP_{ij}$ denotes the virtual IP address associated with the IP address of the $i$-th terminal and the $j$-th address generation sequence. $SrcIP_i$ is the IP address of the $i$-th terminal, and $Seq_j$ is the $j$-th address generation sequence; $i$ and $j$ are positive integers. $DstIP$ denotes the application server's IP address. $F_{key}()$ denotes the encryption function parameterised by the key, which represents the IDEA, DES or triple DES algorithm.
Step 406: The domain name system server sends the terminal a response message including the first virtual IP address, the first address generation sequence and the high-defense address identifier.
Step 407: The terminal sends an uplink data packet to the network device.
After receiving the response message, the terminal can generate an uplink data packet. The uplink data packet carries the terminal's IP address, the first virtual IP address, the first address generation sequence and the high-defense address identifier. The terminal's IP address is the source IP address of the uplink data packet, and the first virtual IP address is its destination IP address.
Step 408: When the network device detects that the uplink data packet carries the high-defense address identifier, it obtains the terminal's IP address, the application server's first virtual IP address and the first address generation sequence from the uplink data packet.
After receiving the uplink data packet sent by the terminal, the network device checks whether the packet includes the high-defense address identifier. If it does, the destination IP address of the uplink data packet is a virtual IP address, and the network device obtains the terminal's IP address, the application server's first virtual IP address and the first address generation sequence from the packet. It should be understood that if a data packet sent by the terminal does not carry the high-defense address identifier, the server corresponding to its destination IP address is not a high-defense server, and the packet can be forwarded directly according to its destination IP address.
Step 409: The network device obtains the key. The key obtained by the domain name system server in step 404 and the key obtained by the network device in step 409 are the same.
In one optional embodiment, the network device obtains the key from the keys it stores locally. It should be noted that, before the network device obtains the key, the key management server can periodically send the key to the network device, which saves the key locally on receipt.
In another optional embodiment, after sending a key acquisition request to the key management server, the network device receives from it the terminal's IP address and the key corresponding to that address.
In another optional embodiment, after sending a key acquisition request to the key management server, the network device receives from it the application server's IP address and the key corresponding to that address. It should be noted that the network device and the application server are in the same domain, and the prefix of the virtual IP address points to that domain. Forwarding devices in the network (such as routers or switches) can deliver the uplink data packet to the network device of the domain according to the prefix of the virtual IP address.
Step 410: The network device generates an IP address to be processed from the key, the terminal's IP address, the first virtual IP address and the first address generation sequence.
The relationship between the key, the terminal's IP address, the first virtual IP address, the first address generation sequence and the IP address to be processed can be expressed by the following formula:
$IP = F_{key}(SrcIP_i, vIP_{ij}, Seq_j)$
$IP$ denotes the IP address to be processed. $vIP_{ij}$ denotes the virtual IP address associated with the IP address of the $i$-th terminal and the $j$-th address generation sequence. $SrcIP_i$ is the IP address of the $i$-th terminal, and $Seq_j$ is the $j$-th address generation sequence. $F_{key}()$ denotes a function parameterised by the key.
In one optional embodiment, step 410 includes: decrypting the second part of the first virtual IP address with the key; performing a first XOR of the second part of the terminal's IP address with the decryption result; performing a second XOR of the first address generation sequence with the result of the first XOR; and concatenating the first part of the first virtual IP address with the result of the second XOR to form the IP address to be processed. In this embodiment, the first part of the application server's IP address is the same as the first part of the first virtual IP address, while the second part of the application server's IP address differs from the second part of the first virtual IP address. The decryption algorithm and the encryption algorithm use the same key. The decryption algorithm may be, but is not limited to, the International Data Encryption Algorithm (IDEA), the Data Encryption Standard (DES) or triple DES.
Step 411: The network device judges whether the IP address to be processed is the application server's IP address; if so, step 413 is executed, otherwise step 412 is executed.
If the IP address to be processed is the application server's IP address, the second part of the first virtual IP address was obtained by encrypting the second part of the application server's IP address with the key. If it is not, the second part of the first virtual IP address was not obtained by encrypting the second part of the application server's IP address with the key.
Step 412: The network device determines that the uplink data packet is illegal.
When the IP address to be processed is not the application server's IP address, the network device determines that the uplink data packet is illegal; it can forward the packet to a traffic scrubbing center or a honeypot server, or drop the illegal packet.
Step 413: The network device changes the destination IP address of the uplink data packet from the first virtual IP address to the application server's IP address. When the IP address to be processed is the application server's IP address, the uplink data packet is legitimate, and its destination IP address is translated; this address translation is also called address hopping.
Step 414: The network device sends the modified uplink data packet to the application server.
In the modified uplink data packet, the destination IP address is the application server's IP address.
In this embodiment, because the first virtual IP address depends on the key, the terminal's IP address and the application server's IP address, when multiple terminals send uplink data packets to the same application server, the packets sent by different terminals carry different virtual IP addresses. This reduces the likelihood that multiple bot devices can use the same virtual IP address to attack the same application server, which further improves network security.
Secondly, because the virtual IP address is related to its generation time and its lifetime, the security of the virtual IP address is improved.
Thirdly, the validity period of the virtual IP address can be determined from its generation time and lifetime. Based on that validity period, this application can check the timeliness of a virtual IP address and judge whether it has expired. Automatically replacing virtual IP addresses improves the security of data transmission.
The process of generating a virtual IP address from the key, the terminal's IP address, the application server's IP address and the first address generation sequence is described below with reference to FIG. 5A. Referring to FIG. 5A, in one example the terminal's IP address consists of a first part 501 and a second part 502, each 64 bits long. The application server's IP address consists of a first part 503 and a second part 504, each 64 bits long.
Two of the three items (the second part 502 of the terminal's IP address, the second part 504 of the application server's IP address and the first address generation sequence 505) are XORed first, and the remaining item is then XORed with that result. The result of the second XOR is encrypted with key 506 to obtain the second part 508 of the first virtual IP address. The first part 503 of the application server's IP address is the same as the first part 507 of the first virtual IP address; first part 507 and second part 508 together form the first virtual IP address.
The process of recovering the application server's IP address from the key, the terminal's IP address, the first virtual IP address and the first address generation sequence is described below with reference to FIG. 5B. Referring to FIG. 5B, in one example the terminal's IP address consists of a first part 501 and a second part 502, each 64 bits long. The application server's IP address consists of a first part 503 and a second part 504, each 64 bits long.
The second part 508 of the first virtual IP address is decrypted with key 506. Two of the three items (the decryption result, the first address generation sequence 505 and the second part 502 of the terminal's IP address) are XORed first, and the result is XORed with the remaining item to obtain the second part 504 of the application server's IP address. The first part 503 of the application server's IP address is the same as the first part 507 of the first virtual IP address; first part 503 and second part 504 together form the application server's IP address.
It should be understood that for three binary values A, B and C, A⊕B⊕C = B⊕C⊕A = A⊕C⊕B, where ⊕ is the XOR operator.
It should be noted that the first part and the second part can be cut from the IP address as appropriate; for example, the two parts can be swapped so that the first part participates in the encryption and XOR operations. Neither the length of the first part nor that of the second part is limited to 64 bits; the lengths can be set according to actual conditions and are not limited in this application.
在步骤414之后,应用服务器可以响应修改后的上行数据包,向终端发送下行数据包。 网络设备可以将下行数据携带的目的地址从应用服务器的IP地址修改为第一虚拟IP地址,这样可以隐藏应用服务器的真实IP地址。After step 414, the application server may send a downlink data packet to the terminal in response to the modified uplink data packet. The network device can modify the destination address carried in the downlink data from the IP address of the application server to the first virtual IP address, so that the real IP address of the application server can be hidden.
Referring to FIG. 6, in an optional embodiment, the above method further includes:
Step 601: the network device receives a downlink data packet sent by the application server. The downlink data packet carries the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identifier. When the network device detects that the downlink data packet carries the high-defense address identifier, step 602 is executed.
Step 602: the network device generates a first virtual IP address from the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
Specifically, the network device encrypts the second part of the IP address of the application server with the key, XORs the second part of the IP address of the terminal with the encryption result, and combines the first part of the IP address of the application server with the XOR result to form the first virtual IP address. Because the second parts of the IP addresses of different terminals differ, different virtual IP addresses are produced for different terminals. Encrypting with the key improves the security of the virtual IP address.
Step 603: the network device determines the address end time of the first virtual IP address from the first address generation sequence.
Step 604: when the address end time is later than the verification time, the target time difference is determined as the address end time minus the verification time.
An address end time later than the verification time indicates that the first virtual IP address has not expired. An address end time earlier than the verification time indicates that the first virtual IP address has expired; step 608 can then be executed, or the downlink data packet can be discarded.
Step 605: the network device judges whether the target time difference is greater than the preset duration; if so, step 606 is executed, otherwise step 608 is executed.
The preset duration is related to the data transmission duration T between the terminal and the application server and can be set according to the actual situation.
In one example, the preset duration equals 2T. When the time difference between the verification time and the address end time is greater than 2T, the virtual IP address will not expire during the next data transmission either, so there is no need to replace it. When the time difference is less than or equal to 2T, the virtual IP address would expire during the next data transmission and needs to be replaced. In this way the virtual IP address can be replaced in advance, preventing the virtual IP address of a data packet from expiring.
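The following is an added example, not code from the patent, modelling the address derivation of FIG. 5B together with the generation of step 602 and the expiry decision of steps 603 to 605. It assumes IPv6 addresses split into upper and lower 64 bits, uses a small HMAC-based Feistel permutation as a stand-in for the unspecified keyed encryption, folds the address generation sequence to 64 bits by hashing, and takes generation to be the exact inverse of the FIG. 5B recovery; all of these are assumptions, since the patent leaves them open.

```python
"""Added example, not from the patent: a runnable model of the address scheme
in FIG. 5B and steps 602-605. Assumptions (the patent leaves these open):
- IPv6 addresses; "first part" = upper 64 bits, "second part" = lower 64 bits
- "encrypt with the key" is a 64-bit Feistel permutation built on HMAC-SHA256,
  a stand-in for whatever block cipher the network device actually uses
- the address generation sequence enters the XOR as 64 bits derived by
  hashing its (generation time, lifetime) fields
- generation is the exact inverse of the FIG. 5B recovery:
    virt_low = Enc_k(server_low ^ term_low ^ seq64)
    server_low = Dec_k(virt_low) ^ term_low ^ seq64
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1
ROUNDS = 4


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def encrypt64(key: bytes, block: int) -> int:
    """Keyed 64-bit permutation (Feistel network): the 'encryption' of FIG. 5B."""
    left, right = block >> 32, block & MASK32
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 32) | right


def decrypt64(key: bytes, block: int) -> int:
    """Inverse of encrypt64: run the rounds backwards."""
    left, right = block >> 32, block & MASK32
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << 32) | right


@dataclass(frozen=True)
class AddressGenerationSequence:
    generation_time: int  # seconds since epoch when the virtual address was generated
    lifetime: int         # address lifetime in seconds

    def end_time(self) -> int:
        """Step 603: address end time = generation time + lifetime."""
        return self.generation_time + self.lifetime

    def as_64bit(self) -> int:
        # Assumption: fold the sequence to 64 bits so it can be XORed with an address half.
        raw = self.generation_time.to_bytes(8, "big") + self.lifetime.to_bytes(8, "big")
        return int.from_bytes(hashlib.sha256(raw).digest()[:8], "big")


def _split(addr: str) -> tuple[int, int]:
    value = int(ipaddress.IPv6Address(addr))
    return value >> 64, value & MASK64


def _join(high: int, low: int) -> str:
    return str(ipaddress.IPv6Address((high << 64) | low))


def generate_virtual_ip(key: bytes, server_ip: str, terminal_ip: str,
                        seq: AddressGenerationSequence) -> str:
    """Step 602: the virtual IP keeps the server's first part; its second part is
    keyed to this terminal, so the same server gets a different address per terminal."""
    server_high, server_low = _split(server_ip)
    _, term_low = _split(terminal_ip)
    virt_low = encrypt64(key, server_low ^ term_low ^ seq.as_64bit())
    return _join(server_high, virt_low)


def recover_server_ip(key: bytes, virtual_ip: str, terminal_ip: str,
                      seq: AddressGenerationSequence) -> str:
    """FIG. 5B: decrypt, then XOR the two remaining items (A^B^C = C^B^A, any order).
    Step 414 compares the result with the real server address; a virtual address
    presented from a different terminal recovers to the wrong address and is illegal."""
    virt_high, virt_low = _split(virtual_ip)
    _, term_low = _split(terminal_ip)
    server_low = decrypt64(key, virt_low) ^ term_low ^ seq.as_64bit()
    return _join(virt_high, server_low)


def downlink_decision(seq: AddressGenerationSequence, verify_time: int,
                      transmission_time: int) -> str:
    """Steps 603-605 with preset duration 2T.
    'keep'    -> step 606, rewrite the source to the first virtual IP
    'renew'   -> step 608, derive a second virtual IP before this one expires
    'expired' -> step 608 or drop (equality treated as expired: an assumption)"""
    end_time = seq.end_time()
    if end_time <= verify_time:
        return "expired"
    target_diff = end_time - verify_time
    return "keep" if target_diff > 2 * transmission_time else "renew"
```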
Step 606: the network device generates a first downlink data packet from the downlink data packet and the first virtual IP address.
Specifically, the network device changes the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address to obtain the first downlink data packet. The source IP address of the downlink data packet is the IP address of the application server; the source IP address of the first downlink data packet is the first virtual IP address.
Step 607: the network device sends the first downlink data packet to the terminal.
Step 608: the network device obtains a second address generation sequence.
Step 609: the network device generates a second virtual IP address from the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence.
Step 610: the network device generates a second downlink data packet from the downlink data packet, the first virtual IP address, the second virtual IP address and the address switching identifier.
Specifically, the network device changes the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address, and then adds the second virtual IP address, the second address generation sequence and the address switching identifier to the downlink data packet to obtain the second downlink data packet. The source IP address of the downlink data packet is the IP address of the application server; the source IP address of the second downlink data packet is the first virtual IP address, and the second downlink data packet additionally carries virtual address association information of the second virtual IP address, for example the second address generation sequence and the address switching identifier. The second address generation sequence includes the address generation time and the address lifetime of the second virtual IP address. The address switching identifier is used to change the destination IP address of the uplink data packet.
Step 611: the network device sends the second downlink data packet to the terminal.
After receiving the second downlink data packet, the terminal can, in accordance with the address switching identifier, stop generating uplink data packets that carry the first virtual IP address and the first address generation sequence and instead generate an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier, then execute step 612.
Step 612: the terminal sends the uplink data packet to the network device.
After the network device receives the uplink data packet and detects the high-defense address identifier, step 613 is executed.
Step 613: the network device generates the IP address of the application server from the key, the IP address of the terminal, the second virtual IP address and the second address generation sequence.
Step 614: the network device changes the destination address of the uplink data packet from the second virtual IP address to the IP address of the application server.
Step 615: the network device sends the modified uplink data packet to the application server.
The first virtual IP address and the second virtual IP address are the virtual IP addresses of two successive periods. When the second virtual IP address is about to expire, it can be replaced with a further virtual IP address; the replacement process is as described above.
In this embodiment, when the application server sends a downlink data packet to the network device, the network device can change the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address, thereby hiding the real IP address of the application server.
Secondly, because the first virtual IP address depends on the key, the IP address of the terminal, the IP address of the application server and the address generation sequence, one application server can correspond to multiple virtual IP addresses. This reduces the risk, present in existing communication methods, of a virtual IP address being attacked by large numbers of bot (zombie) devices after it has been shared or resold.
Thirdly, the network device can replace the virtual IP address according to the lifetime of the virtual IP address, which improves the security of the virtual IP address. This way of replacing virtual IP addresses requires no separate virtual IP address management device to manage and maintain the virtual IP addresses, and so has the advantage of being simple and convenient.
In addition, this application can replace the virtual IP address in advance, preventing the virtual IP address from expiring during data transmission. This guarantees the continuity of the data flow.
Referring to FIG. 7, in another optional embodiment, the above communication method further includes:
Step 701: the network device receives a downlink data packet sent by the application server. The downlink data packet carries the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identifier. When the network device detects that the downlink data packet carries the high-defense address identifier, step 702 is executed.
Step 702: the network device generates a first virtual IP address from the key, the IP address of the application server, the IP address of the terminal and the first address generation sequence.
Specifically, the network device encrypts the second part of the IP address of the application server with the key, XORs the second part of the IP address of the terminal with the encryption result, and combines the first part of the IP address of the application server with the XOR result to form the first virtual IP address. Because the second parts of the IP addresses of different terminals differ, different virtual IP addresses are produced for different terminals. Encrypting with the key improves the security of the virtual IP address.
Step 703: the network device determines the address end time of the first virtual IP address from the first address generation sequence.
Step 704: when the address end time is later than the verification time, the target time difference is determined as the address end time minus the verification time.
An address end time later than the verification time indicates that the first virtual IP address has not expired. An address end time earlier than the verification time indicates that the first virtual IP address has expired; step 708 can then be executed, or the downlink data packet can be discarded.
Step 705: the network device judges whether the target time difference is greater than the preset duration; if so, step 706 is executed, otherwise step 708 is executed.
The preset duration is related to the data transmission duration T between the terminal and the application server and can be set according to the actual situation.
In one example, the preset duration equals 2T. When the time difference between the verification time and the address end time is greater than 2T, the virtual IP address will not expire during the next data transmission either, so there is no need to replace it. When the time difference is less than or equal to 2T, the virtual IP address would expire during the next data transmission and needs to be replaced.
Step 706: the network device generates a first downlink data packet from the downlink data packet and the first virtual IP address.
Specifically, the network device changes the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address to obtain the first downlink data packet. The source IP address of the downlink data packet is the IP address of the application server; the source IP address of the first downlink data packet is the first virtual IP address.
Step 707: the network device sends the first downlink data packet to the terminal.
Step 708: the network device obtains a second address generation sequence.
Step 709: the network device generates a second virtual IP address from the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence.
Step 710: the network device generates an address switching notification carrying the second virtual IP address and the second address generation sequence.
Step 711: the network device sends the address switching notification to the terminal.
The address switching notification is a control plane message. After receiving the address switching notification, the terminal can, in accordance with it, stop generating uplink data packets that carry the first virtual IP address and the first address generation sequence and instead generate an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier, then execute step 714. In this way the virtual IP address can be replaced in advance, preventing the virtual IP address of a data packet from expiring.
Step 712: the network device generates a first downlink data packet from the downlink data packet and the first virtual IP address.
Specifically, the network device changes the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address to obtain the first downlink data packet.
Step 713: the network device sends the first downlink data packet to the terminal.
It should be noted that steps 712 to 713 are the process of sending the first downlink data packet and steps 708 to 711 are the process of sending the address switching notification; the two processes are independent and have no fixed order.
Step 714: the terminal sends the uplink data packet to the network device.
After the network device receives the uplink data packet and detects the high-defense address identifier, step 715 is executed.
Step 715: the network device generates the IP address of the application server from the key, the IP address of the terminal, the second virtual IP address and the second address generation sequence.
Step 716: the network device changes the destination address of the uplink data packet from the second virtual IP address to the IP address of the application server.
Step 717: the network device sends the modified uplink data packet to the application server.
In this embodiment, when the application server sends a downlink data packet to the network device, the network device can change the source IP address of the downlink data packet from the IP address of the application server to the first virtual IP address, thereby hiding the real IP address of the application server.
Secondly, because the virtual IP address depends on the key, the IP address of the terminal, the IP address of the application server and the address generation sequence, one application server can correspond to multiple virtual IP addresses. This reduces the risk, present in existing communication methods, of a virtual IP address being attacked by large numbers of bot (zombie) devices after it has been shared or resold.
Thirdly, the network device can replace the virtual IP address according to the lifetime of the virtual IP address, which improves the security of the virtual IP address. This way of replacing virtual IP addresses requires no separate virtual IP address management device to manage and maintain the virtual IP addresses, and so has the advantage of being simple and convenient.
In addition, this application provides a method of notifying the terminal through a control plane message to switch virtual IP addresses, which can prevent the virtual IP address from expiring during communication and makes the scheme more flexible to implement.
The first downlink data packet and the second downlink data packet of this application are described below. Referring to FIG. 8, in one example, the first downlink data packet includes a header 81 and a payload 82; the header 81 includes the first virtual IP address 811, the IP address 812 of the terminal and the virtual address association information 813 of the first virtual address. The virtual address association information 813 of the first virtual address includes a high-defense address identifier, an address generation sequence length, an address generation sequence, an address switching field and an additional field.
Referring to FIG. 9, in one example, the second downlink data packet includes a header 91 and a payload 92; the header 91 includes the first virtual IP address 911, the IP address 912 of the terminal and the virtual address association information 913 of the second virtual address. The virtual address association information 913 of the second virtual address includes a high-defense address identifier, an address generation sequence length, an address generation sequence, an address switching identifier and the second virtual IP address.
In one example of this application, the type field indicates the address type. A type field value of 1 is the high-defense address identifier; a type field value of 0 indicates a non-high-defense address.
The value of the RDLENGTH field indicates the length of the address generation sequence; the field is 2 bytes long.
The value of the RDATA field is the address generation sequence; the field is 128 bytes long.
The FLAG field is the address switching field and is 1 byte long. A FLAG value of 1 is the address switching identifier; a FLAG value of 0 indicates that the address is not switched.
The Additional Record field is the additional field and is 128 bytes long. When the FLAG field is 0, the Additional Record field can be NULL, indicating that there is no additional information. When the FLAG field is 1, the Additional Record field holds the second virtual IP address.
It should be understood that the content of the virtual address association information and the lengths of its fields are not limited to the above examples.
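The following is an added example, not code from the patent, that builds and parses the virtual address association information of FIG. 8 and FIG. 9 using the field sizes the text gives and validates RDLENGTH, FLAG and the total length before the fields are acted on. It assumes a 1-byte type field, the field order type, RDLENGTH, RDATA, FLAG, Additional Record, zero padding of unused bytes, and the second virtual IP stored in the first 16 bytes of the Additional Record; the patent does not fix any of these.

```python
"""Added example, not from the patent: build and parse the virtual address
association information of FIG. 8 / FIG. 9 with the field sizes the text gives
(RDLENGTH 2 bytes, RDATA 128 bytes, FLAG 1 byte, Additional Record 128 bytes).
Assumptions: the type field is 1 byte, the fields are packed in the order
type, RDLENGTH, RDATA, FLAG, Additional Record, unused bytes are zero, and the
second virtual IP occupies the first 16 bytes of the Additional Record."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_HIGH_DEFENSE = 1   # type = 1: high-defense address identifier
TYPE_NORMAL = 0         # type = 0: non-high-defense address
FLAG_SWITCH = 1         # FLAG = 1: address switching identifier
FLAG_KEEP = 0           # FLAG = 0: address is not switched
RDATA_LEN = 128
ADDITIONAL_LEN = 128
TOTAL_LEN = 1 + 2 + RDATA_LEN + 1 + ADDITIONAL_LEN   # 260 bytes


@dataclass(frozen=True)
class AssociationInfo:
    high_defense: bool
    address_generation_sequence: bytes
    second_virtual_ip: Optional[str]   # present only when FLAG == 1


def encode(info: AssociationInfo) -> bytes:
    """Network device side: serialise the fields carried in header 81 / 91."""
    seq = info.address_generation_sequence
    if len(seq) > RDATA_LEN:
        raise ValueError("address generation sequence longer than RDATA")
    addr_type = TYPE_HIGH_DEFENSE if info.high_defense else TYPE_NORMAL
    if info.second_virtual_ip is None:
        flag, additional = FLAG_KEEP, b""            # NULL additional record
    else:
        flag = FLAG_SWITCH
        additional = ipaddress.IPv6Address(info.second_virtual_ip).packed
    return (struct.pack("!BH", addr_type, len(seq))
            + seq.ljust(RDATA_LEN, b"\x00")
            + bytes([flag])
            + additional.ljust(ADDITIONAL_LEN, b"\x00"))


def decode(buf: bytes) -> AssociationInfo:
    """Terminal side: parse with the checks a receiver should make before acting
    on the fields: fixed total length, RDLENGTH bounded by RDATA, known type and
    FLAG values, and an Additional Record honoured only when FLAG says it is set."""
    if len(buf) != TOTAL_LEN:
        raise ValueError(f"expected {TOTAL_LEN} bytes, got {len(buf)}")
    addr_type, rdlength = struct.unpack_from("!BH", buf, 0)
    if addr_type not in (TYPE_HIGH_DEFENSE, TYPE_NORMAL):
        raise ValueError(f"unknown type {addr_type}")
    if rdlength > RDATA_LEN:
        raise ValueError("RDLENGTH exceeds RDATA")
    rdata_start = 3
    seq = buf[rdata_start:rdata_start + rdlength]
    flag = buf[rdata_start + RDATA_LEN]
    if flag not in (FLAG_SWITCH, FLAG_KEEP):
        raise ValueError(f"unknown FLAG {flag}")
    additional = buf[rdata_start + RDATA_LEN + 1:]
    second_ip = None
    if flag == FLAG_SWITCH:
        second_ip = str(ipaddress.IPv6Address(additional[:16]))
    return AssociationInfo(addr_type == TYPE_HIGH_DEFENSE, seq, second_ip)


def next_uplink_destination(current_virtual_ip: str, info: AssociationInfo) -> str:
    """Steps 611 -> 612: after a second downlink packet carrying the address
    switching identifier, later uplink packets are addressed to the second virtual IP."""
    return info.second_virtual_ip if info.second_virtual_ip else current_virtual_ip
```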
This application also provides devices capable of implementing the above communication method. The network device of this application can perform the steps executed by the network device in the above embodiments. Referring to FIG. 10, in one embodiment, the network device 1000 of this application includes:
a receiving unit 1001, configured to receive an uplink data packet sent by a terminal;
a processing unit 1002, configured to: when it detects that the uplink data packet carries the high-defense address identifier, obtain the Internet Protocol (IP) address of the terminal and the first virtual IP address of the application server from the uplink data packet; obtain a key; generate an IP address to be processed from the key, the IP address of the terminal and the first virtual IP address; when the IP address to be processed is not the IP address of the application server, determine that the uplink data packet is illegal; and when the IP address to be processed is the IP address of the application server, change the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server;
a sending unit 1003, configured to send the modified uplink data packet to the application server.
In an optional embodiment, the uplink data packet further includes a first address generation sequence, which includes the address generation time of the first virtual IP address and the address lifetime of the first virtual address;
the processing unit 1002 is specifically configured to generate the IP address to be processed from the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence.
In another optional embodiment,
the receiving unit 1001 is further configured to receive a downlink data packet sent by the application server, the downlink data packet carrying the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identifier;
the processing unit 1002 is further configured to: when it detects that the downlink data packet carries the high-defense address identifier, generate the first virtual IP address from the IP address of the application server, the IP address of the terminal and the first address generation sequence; determine the address end time from the address generation time and the address lifetime; when the address end time is later than the verification time, determine the target time difference as the address end time minus the verification time; and when the target time difference is greater than the preset duration, generate a first downlink data packet from the downlink data packet and the first virtual IP address;
the sending unit 1003 is further configured to send the first downlink data packet to the terminal.
In another optional embodiment, the processing unit 1002 is further configured to: when the target time difference is less than or equal to the preset duration, obtain a second address generation sequence, which includes the address generation time and the address lifetime of the second virtual IP address; generate the second virtual IP address from the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; and generate a second downlink data packet from the downlink data packet, the first virtual IP address, the second virtual IP address and the address switching identifier, the second downlink data packet carrying the first virtual IP address, the second virtual IP address and the address switching identifier, where the address switching identifier is used to change the destination IP address of the uplink data packet;
the sending unit 1003 is further configured to send the second downlink data packet to the terminal.
In another optional embodiment,
the processing unit 1002 is further configured to obtain a second address generation sequence, which includes the address generation time and the address lifetime of the second virtual IP address, and to generate the second virtual IP address from the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence;
the sending unit 1003 is further configured to send to the terminal an address switching notification carrying the second virtual IP address and the second address generation sequence, the address switching notification being used to change the destination IP address and the address generation sequence of the uplink data packet;
the processing unit 1002 is further configured to generate a first downlink data packet from the downlink data packet and the first virtual IP address when the target time difference is less than or equal to the preset duration;
the sending unit 1003 is further configured to send the first downlink data packet to the terminal.
In another optional embodiment, the processing unit 1002 is specifically configured to: decrypt the second part of the first virtual IP address with the key; perform a first XOR operation on the second part of the IP address of the terminal and the decryption result; perform a second XOR operation on the first address generation sequence and the result of the first XOR operation; and combine the first part of the first virtual IP address with the result of the second XOR operation to form the IP address to be processed.
In another optional embodiment,
the receiving unit 1001 is further configured to receive the IP address of the application server, and the key corresponding to the IP address of the application server, sent by the key management server.
本申请的终端能够实现上述实施例中由终端执行的步骤。参阅图11,在一个实施例中,终端1100包括接收单元1101,处理单元1102和发送单元1103。The terminal of the present application can implement the steps performed by the terminal in the foregoing embodiments. Referring to FIG. 11 , in an embodiment, a terminal 1100 includes a receiving unit 1101 , a processing unit 1102 and a sending unit 1103 .
发送单元1103用于向域名系统服务器发送地址请求消息,地址请求消息包括域名;The sending unit 1103 is configured to send an address request message to a domain name system server, where the address request message includes a domain name;
接收单元1101用于接收域名系统服务器根据地址请求消息发送的响应消息,响应消息包括应用服务器的第一虚拟因特网协议IP地址和高防地址标识;The receiving unit 1101 is configured to receive a response message sent by the domain name system server according to the address request message, the response message includes the first virtual Internet Protocol IP address of the application server and the high-defense address identifier;
处理单元1102生成上行数据包,上行数据包携带终端的IP地址,第一虚拟IP地址和高防地址标识;The processing unit 1102 generates an uplink data packet, and the uplink data packet carries the IP address of the terminal, the first virtual IP address and the high-defense address identifier;
the sending unit 1103 is further configured to send the uplink data packet to the network device.
In an optional embodiment, the response message further includes a first address generation sequence, and the uplink data packet also includes the first address generation sequence; the first address generation sequence includes the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address.
In another optional embodiment, the receiving unit 1101 is further configured to receive a first downlink data packet sent by the network device, the first downlink data packet carrying the first virtual IP address.
In another optional embodiment, the receiving unit 1101 is further configured to receive a second downlink data packet sent by the network device, the second downlink data packet carrying the first virtual IP address, a second virtual IP address, a second address generation sequence and an address switching identifier; and the processing unit 1102 is further configured to generate, according to the address switching identifier, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
In another optional embodiment, the receiving unit 1101 is further configured to receive a first downlink data packet and an address switching notification sent by the network device, the first downlink data packet carrying the first virtual IP address and the address switching notification including a second virtual IP address and a second address generation sequence; and the processing unit 1102 is further configured to generate, according to the address switching notification, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
The domain name system server of this application can perform the steps performed by the domain name system server in the above embodiments. Referring to FIG. 12, in one embodiment, a domain name system server 1200 includes:
a receiving unit 1201, configured to receive an address request message sent by the terminal, the address request message including a domain name;
a processing unit 1202, configured to obtain a key and a high-defense address identifier when the domain name is a high-defense domain name;
the processing unit 1202 being further configured to generate a first virtual IP address according to the key, the IP address of the terminal and the IP address of the application server;
a sending unit 1203, configured to send a response message to the terminal, the response message including the first virtual IP address and the high-defense address identifier.
In an optional embodiment, the processing unit 1202 is specifically configured to obtain a first address generation sequence, the first address generation sequence including the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address, and to generate the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
In another optional embodiment, the processing unit 1202 is specifically configured to: perform a first XOR operation on the second part of the terminal's IP address and the second part of the application server's IP address; perform a second XOR operation on the first address generation sequence and the result of the first XOR operation; encrypt the result of the second XOR operation using the key; and combine the encryption result with the first part of the application server's IP address to form the first virtual IP address.
The network device, terminal and domain name resolution server of this application are now described from a hardware perspective. Referring to FIG. 13, in one embodiment, a network device 1300 of this application includes a processor 1301, a memory 1302 and a communication interface 1303. There may be one or more of each of the processor 1301, the memory 1302 and the communication interface 1303. The processor 1301 and the memory 1302 are connected through a bus 1304, and the processor 1301 and the communication interface 1303 are connected through a bus 1305.
In the embodiments of this application, the processor 1301 may be a central processing unit (CPU) or another application-specific integrated circuit (ASIC). The processor 1301 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
The memory 1302 is the main memory of the network device 1300. Dynamic random access memory (DRAM) is usually used as the memory 1302. The processor 1301 can access the memory 1302 at high speed through a memory controller and perform read and write operations on any storage unit in the memory 1302. Besides DRAM, the memory 1302 may also be another random access memory, such as static random access memory (SRAM). The memory 1302 may also be a read-only memory (ROM), for example a programmable read-only memory (PROM) or an erasable programmable read-only memory (EPROM). This embodiment does not limit the number or type of the memory 1302. In addition, the memory 1302 may be configured with a power-retention function, meaning that the data stored in the memory is not lost when the system loses power and is powered on again. Memory 1302 with a power-retention function is called non-volatile memory.
The communication interface 1303 is used to communicate with other devices; it can receive uplink data or send downlink data. The bus 1304 may be, but is not limited to, a double data rate (DDR) bus, and the bus 1305 may be, but is not limited to, a PCIe bus.
In this embodiment, the memory 1302 is used to store a program, and by invoking the program stored in the memory 1302 the processor 1301 can perform the steps performed by the network device in the above embodiments.
Referring to FIG. 14, in another embodiment, a terminal 1400 of this application includes a processor 1401 and a memory 1404. The processor 1401 is connected to the memory 1404 through a DDR bus 1403. Different memories 1404 may communicate with the processor 1401 over different data buses, so the DDR bus 1403 may be replaced by another type of data bus; the embodiments of this application do not limit the bus type. The terminal 1400 also includes various input/output devices 1407, which the processor 1401 can access through a PCIe bus 1405.
The processor 1401 is the computing core and control core of the computing device 1400. The processor 1401 may include one or more processing cores 1402 and may be a very large-scale integrated circuit. An operating system and other software programs are installed on the processor 1401, so that the processor 1401 can access the memory 1404 and various PCIe devices. In the embodiments of this application, the processing core 1402 in the processor 1401 may be, for example, a CPU or an ASIC. The processor 1401 may also be another general-purpose processor, DSP, ASIC, FPGA or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. In practice, the terminal 1400 may also include multiple processors.
The memory controller is the bus circuit controller inside the terminal 1400 that controls the memory 1404 and manages and schedules data transfers between the memory 1404 and the processing core 1402. Through the memory controller, data can be exchanged between the memory 1404 and the processing core 1402. The memory controller may be a separate chip connected to the processing core 1402 through the system bus. Those skilled in the art will know that the memory controller may also be integrated into the processor 1401, built into the north bridge, or be an independent memory controller chip; the embodiments of this application do not limit the specific location or form of the memory controller. In practice, the memory controller can control the logic needed to write data into or read data from the memory 1404. The memory controller 1404 may be the memory controller in a processor system such as a general-purpose processor, a dedicated accelerator, a GPU, an FPGA or an embedded processor.
The memory 1404 is the main memory of the terminal 1400. The memory 1404 is usually used to hold the various software running in the operating system, input and output data, and information exchanged with external storage. To increase the access speed of the processor 1401, the memory 1404 needs to offer fast access. In a traditional computer system architecture, DRAM is usually used as the memory 1404. The processor 1401 can access the memory 1404 at high speed through the memory controller and perform read and write operations on any storage unit in the memory 1404. Besides DRAM, the memory 1404 may also be another random access memory such as SRAM, or a ROM, for example a PROM or an EPROM. This embodiment does not limit the number or type of the memory 1404. In addition, the memory 1404 may be configured with a power-retention function, meaning that the data stored in the memory is not lost when the system loses power and is powered on again. Memory 1404 with a power-retention function is called non-volatile memory.
An input/output (I/O) device 1407 refers to hardware capable of data transmission, and may also be understood as a device attached to an I/O interface. Common I/O devices include network cards, printers, keyboards and mice. All external storage, such as hard disks, floppy disks and optical discs, can also serve as I/O devices. The processor 1401 can access each I/O device 1407 through the PCIe bus 1405. Note that the PCIe bus 1405 is only one example and may be replaced by another bus, such as a unified bus (UB).
A baseboard management controller (BMC) 1406 can upgrade the firmware of the device, manage its running state, and troubleshoot faults. The processor 1401 can access the baseboard management controller 1406 through a PCIe bus or a bus such as USB or I2C. The baseboard management controller 1406 may also be connected to at least one sensor, through which status data of the terminal is obtained; the status data includes temperature data, current data, voltage data and so on, and this application does not specifically limit the type of status data. The baseboard management controller 1406 communicates with the processor 1401 through a PCIe bus or another type of bus, for example passing the obtained status data to the processor 1401 for processing. The baseboard management controller 1406 may also maintain the program code in the memory 1404, including upgrading or restoring it, and may control the power supply circuit or clock circuit in the terminal 1400. In short, the baseboard management controller 1406 can manage the terminal 1400 in the above ways. However, the baseboard management controller 1406 is only an optional device; in some implementations the processor 1401 can communicate directly with the sensors and thus manage and maintain the terminal directly.
In this embodiment, the memory 1404 is used to store a program. By invoking the program stored in the memory 1404, the processor 1401 performs the steps performed by the terminal in the above embodiments.
This application provides a domain name system server 1500 capable of performing the steps performed by the domain name system server in the above embodiments. FIG. 15 is a schematic structural diagram of a domain name system server provided by an embodiment of this application. Referring to FIG. 15, the domain name system server 1500 may vary considerably in configuration or performance, and may include one or more central processing units 1522 and memories 1532, and one or more storage media 1530 (for example, one or more mass storage devices) storing application programs 1542 or data 1544. The memory 1532 and the storage medium 1530 may be transient or persistent storage. The program stored in the storage medium 1530 may include one or more modules, each of which may include a series of instruction operations on the domain name system server. Further, the central processing unit 1522 may be configured to communicate with the storage medium 1530 and execute the series of instruction operations in the storage medium 1530 on the domain name system server 1500.
The domain name system server 1500 may also include one or more power supplies 1526, one or more wired or wireless network interfaces 1550, one or more input/output interfaces 1558, and/or one or more operating systems 1541, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ and so on.
Note that the information exchange and execution processes between the modules/units of the above apparatus are based on the same concept as the method embodiments of this application and bring the same technical effects; for details, refer to the description in the foregoing method embodiments, which is not repeated here.
This application provides a computer-readable storage medium storing a computer program which, when run on a computer, causes the computer to perform the communication method of the above embodiments or optional embodiments.
This application also provides a computer program product which, when run on a computer, causes the computer to perform the communication method of the above embodiments or optional embodiments.
This application also provides a chip system, which includes a processor and a memory coupled to each other. The memory is used to store a computer program or instructions, and the processing unit is used to execute the computer program or instructions stored in the memory, so that the device performs the steps performed by the network device, the terminal or the domain name system server in the above embodiments. Optionally, the memory is an on-chip memory such as a register or a cache; it may also be a memory located outside the chip within the station, such as a read-only memory (ROM) or another type of static storage device that can store static information and instructions, or a random access memory (RAM). Any processor mentioned above may be a general-purpose central processing unit, a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for implementing the above communication method.
It should further be noted that the apparatus embodiments described above are only illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided by this application, a connection between modules indicates a communication connection between them, which may be implemented as one or more communication buses or signal lines.
From the description of the above embodiments, those skilled in the art will clearly understand that this application can be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware including application-specific integrated circuits, dedicated CPUs, dedicated memories, dedicated components and the like. In general, any function performed by a computer program can easily be implemented by corresponding hardware, and the specific hardware structure used to implement the same function can take many forms, such as analog circuits, digital circuits or dedicated circuits. However, for this application, a software implementation is in most cases the better embodiment. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a readable storage medium, such as a computer floppy disk, USB flash drive, removable hard disk, ROM, RAM, magnetic disk or optical disc, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods of the embodiments of this application.
The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
A computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (such as a floppy disk, hard disk or magnetic tape), an optical medium (such as a DVD), or a semiconductor medium (such as a solid-state disk (SSD)).

Claims (31)

  1. A communication method, characterized by comprising:
    receiving an uplink data packet sent by a terminal;
    when it is detected that the uplink data packet carries a high-defense address identifier, obtaining the Internet Protocol (IP) address of the terminal and a first virtual IP address of an application server from the uplink data packet;
    obtaining a key;
    generating an IP address to be processed according to the key, the IP address of the terminal carried in the uplink data packet and the first virtual IP address;
    when the IP address to be processed is not the IP address of the application server, determining that the uplink data packet is illegal;
    when the IP address to be processed is the IP address of the application server, modifying the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server, and sending the modified uplink data packet to the application server.
  2. The method according to claim 1, characterized in that the uplink data packet further comprises a first address generation sequence, the first address generation sequence comprising the address generation time of the first virtual IP address and the address lifetime of the first virtual address;
    the generating an IP address to be processed according to the key, the IP address of the terminal and the first virtual IP address comprises:
    generating the IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence.
  3. The method according to claim 2, characterized in that the method further comprises:
    receiving a downlink data packet sent by the application server, the downlink data packet carrying the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identifier;
    when it is detected that the downlink data packet carries the high-defense address identifier, generating the first virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the first address generation sequence;
    determining the address end time of the first virtual IP address according to the first address generation sequence;
    when the address end time is greater than the verification time, determining that a target time difference is equal to the address end time minus the verification time;
    when the target time difference is greater than a preset duration, generating a first downlink data packet according to the downlink data packet and the first virtual IP address, and sending the first downlink data packet to the terminal.
  4. The method according to claim 3, characterized in that the method further comprises:
    when the target time difference is less than or equal to the preset duration, obtaining a second address generation sequence, the second address generation sequence comprising the address generation time of a second virtual IP address and the address lifetime of the second virtual IP address; generating the second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; generating a second downlink data packet according to the downlink data packet, the first virtual IP address, the second virtual IP address, the second address generation sequence and an address switching identifier; and sending the second downlink data packet to the terminal.
  5. The method according to claim 3, characterized in that the method further comprises:
    when the target time difference is less than or equal to the preset duration, obtaining a second address generation sequence, the second address generation sequence comprising the address generation time of a second virtual IP address and the address lifetime of the second virtual IP address; generating the second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; sending to the terminal an address switching notification carrying the second virtual IP address and the second address generation sequence;
    generating a first downlink data packet according to the downlink data packet and the first virtual IP address, and sending the first downlink data packet to the terminal.
  6. The method according to any one of claims 2 to 5, characterized in that the generating the IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence comprises:
    decrypting the second part of the first virtual IP address using the key;
    performing a first XOR operation on the second part of the IP address of the terminal and the decryption result;
    performing a second XOR operation on the first address generation sequence and the result of the first XOR operation;
    combining the first part of the first virtual IP address with the result of the second XOR operation to form the IP address to be processed.
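The virtual-IP construction performed by processing unit 1202 (first XOR, second XOR, encrypt, prepend the server's first part), its inverse performed by processing unit 1002 and recited in claim 6, and the lifetime check of claims 3 to 5, as an added worked example in Python. This is not code from the patent or its assignee. The page does not fix the address family, how an address is split into its "first part" and "second part", how the address generation sequence is encoded, or which cipher "encrypt using the key" denotes, so the example assumes IPv6 with the upper 64 bits as the first part and the lower 64 bits as the second part, packs the sequence as a 32-bit generation time followed by a 32-bit lifetime in seconds, and stands in for the unspecified cipher with a 64-bit keyed Feistel permutation built from HMAC-SHA256. The key, addresses and times below are constructed sample values.

```python
"""Virtual IP generation (DNS server side) and verification (network device side).

Added example, not the patent's code. Assumptions not stated on the page:
IPv6; first part = upper 64 bits, second part = lower 64 bits; the address
generation sequence is 32-bit generation time || 32-bit lifetime (seconds);
"encrypt with the key" is modelled by a 64-bit HMAC-SHA256 Feistel permutation.
"""
import hashlib
import hmac
import ipaddress

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1
ROUNDS = 4  # four Feistel rounds give an invertible keyed 64-bit permutation


def _round(key: bytes, r: int, half: int) -> int:
    """Round function: 32-bit keyed PRF over (round index, 32-bit half block)."""
    msg = r.to_bytes(1, "big") + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def encrypt64(key: bytes, block: int) -> int:
    """Stand-in for the unspecified cipher: encrypt one 64-bit block."""
    left, right = block >> 32, block & MASK32
    for r in range(ROUNDS):
        left, right = right, left ^ _round(key, r, right)
    return (left << 32) | right


def decrypt64(key: bytes, block: int) -> int:
    """Inverse of encrypt64: run the rounds backwards."""
    left, right = block >> 32, block & MASK32
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, r, left), left
    return (left << 32) | right


def pack_sequence(gen_time: int, lifetime: int) -> int:
    """Address generation sequence = generation time || lifetime (assumed layout)."""
    return ((gen_time & MASK32) << 32) | (lifetime & MASK32)


def _split(ip: str) -> tuple[int, int]:
    """(first part, second part) of an IPv6 address as two 64-bit integers."""
    n = int(ipaddress.IPv6Address(ip))
    return n >> 64, n & MASK64


def _join(first: int, second: int) -> str:
    return str(ipaddress.IPv6Address((first << 64) | second))


def generate_virtual_ip(key: bytes, terminal_ip: str, server_ip: str, seq: int) -> str:
    """DNS server (unit 1202): XOR suffixes, XOR with sequence, encrypt, keep prefix."""
    server_first, server_second = _split(server_ip)
    _, term_second = _split(terminal_ip)
    x1 = term_second ^ server_second          # first XOR
    x2 = seq ^ x1                             # second XOR
    return _join(server_first, encrypt64(key, x2))


def recover_server_ip(key: bytes, terminal_ip: str, virtual_ip: str, seq: int) -> str:
    """Network device (unit 1002 / claim 6): invert the steps to get the address to be processed."""
    v_first, v_second = _split(virtual_ip)
    _, term_second = _split(terminal_ip)
    dec = decrypt64(key, v_second)            # decrypt second part
    x1 = term_second ^ dec                    # first XOR
    x2 = seq ^ x1                             # second XOR
    return _join(v_first, x2)


def uplink_is_legal(key: bytes, terminal_ip: str, virtual_ip: str, seq: int,
                    server_ip: str) -> bool:
    """Claim 1: the packet is legal only if the recovered address is the real server address."""
    recovered = ipaddress.IPv6Address(recover_server_ip(key, terminal_ip, virtual_ip, seq))
    return recovered == ipaddress.IPv6Address(server_ip)


def downlink_decision(seq: int, verify_time: int, preset: int) -> str:
    """Claims 3-5: end time = generation time + lifetime; forward while the
    remaining time exceeds the preset, otherwise switch to a fresh virtual IP.
    The page only covers end time > verification time; "expired" is an assumption."""
    gen_time, lifetime = seq >> 32, seq & MASK32
    end_time = gen_time + lifetime
    if end_time <= verify_time:
        return "expired"
    return "forward" if end_time - verify_time > preset else "switch"


if __name__ == "__main__":
    key = b"constructed-sample-key"
    seq = pack_sequence(1700000000, 3600)
    v = generate_virtual_ip(key, "2001:db8:1::10", "2001:db8:2::80", seq)
    print("virtual IP:", v)
    print("legal from owner:", uplink_is_legal(key, "2001:db8:1::10", v, seq, "2001:db8:2::80"))
    print("legal from other source:", uplink_is_legal(key, "2001:db8:1::11", v, seq, "2001:db8:2::80"))
```

The check in `uplink_is_legal` is what gives the scheme its value against address spoofing and replay: because the terminal's own suffix is folded into the virtual address, the same virtual address presented from a different source IP decrypts to a different address and is rejected, so a virtual address learned from one terminal cannot be reused from elsewhere. Rotating the address once the remaining lifetime drops below the preset (claims 4 and 5) bounds how long any leaked virtual address stays usable.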
7. The method according to any one of claims 1 to 5, characterized in that, before obtaining the key, the method further comprises:
    receiving, from a key management server, the IP address of the application server and the key corresponding to the IP address of the application server.
8. A communication method, characterized by comprising:
    sending an address request message to a domain name system server, the address request message comprising a domain name;
    receiving a response message sent by the domain name system server according to the address request message, the response message comprising a first virtual Internet Protocol (IP) address of the application server and a high-defense address identifier;
    generating an uplink data packet, the uplink data packet carrying the IP address of the terminal, the first virtual IP address of the application server and the high-defense address identifier;
    sending the uplink data packet to a network device.
9. The method according to claim 8, characterized in that the response message further comprises a first address generation sequence and the uplink data packet further comprises the first address generation sequence, the first address generation sequence comprising the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address.
10. The method according to claim 8 or 9, characterized in that the method further comprises:
    receiving a first downlink data packet sent by the network device, the first downlink data packet carrying the first virtual IP address.
11. The method according to claim 9, characterized in that the method further comprises:
    receiving a second downlink data packet sent by the network device, the second downlink data packet carrying the first virtual IP address, a second virtual IP address, a second address generation sequence and an address switching identifier, the second address generation sequence comprising the address generation time and the address lifetime of the second virtual IP address;
    generating, according to the address switching identifier, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
12. The method according to claim 9, characterized in that the method further comprises:
    receiving a first downlink data packet and an address switching notification sent by the network device, the first downlink data packet carrying the first virtual IP address, and the address switching notification comprising a second virtual IP address and a second address generation sequence;
    generating, according to the address switching notification, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
13. A communication method, characterized by comprising:
    receiving an address request message sent by a terminal, the address request message comprising a domain name;
    when the domain name is a high-defense domain name, obtaining a key and a high-defense address identifier;
    generating a first virtual Internet Protocol (IP) address according to the key, the IP address of the terminal and the IP address of the application server;
    sending a response message to the terminal, the response message comprising the first virtual IP address and the high-defense address identifier.
14. The method according to claim 13, characterized in that generating the first virtual IP address according to the key, the IP address of the terminal and the IP address of the application server comprises:
    obtaining a first address generation sequence, the first address generation sequence comprising the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address;
    generating the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
15. The method according to claim 14, characterized in that generating the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence comprises:
    performing a first XOR operation on the second part of the IP address of the terminal and the second part of the IP address of the application server;
    performing a second XOR operation on the first address generation sequence and the result of the first XOR operation;
    encrypting the result of the second XOR operation using the key;
    combining the encryption result with the first part of the IP address of the application server to form the first virtual IP address.
16. A network device, characterized by comprising:
    a receiving unit, configured to receive an uplink data packet sent by a terminal;
    a processing unit, configured to obtain, when it is detected that the uplink data packet carries a high-defense address identifier, the Internet Protocol (IP) address of the terminal and a first virtual IP address of an application server from the uplink data packet;
    the processing unit being further configured to obtain a key;
    the processing unit being further configured to generate an IP address to be processed according to the key, the IP address of the terminal and the first virtual IP address;
    the processing unit being further configured to determine that the uplink data packet is illegal when the IP address to be processed is not the IP address of the application server, and, when the IP address to be processed is the IP address of the application server, to modify the destination IP address of the uplink data packet from the first virtual IP address to the IP address of the application server;
    a sending unit, configured to send the modified uplink data packet to the application server.
17. The network device according to claim 16, characterized in that the uplink data packet further comprises a first address generation sequence, the first address generation sequence comprising the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address;
    the processing unit being specifically configured to generate the IP address to be processed according to the key, the IP address of the terminal, the first virtual IP address and the first address generation sequence.
18. The network device according to claim 17, characterized in that:
    the receiving unit is further configured to receive a downlink data packet sent by the application server, the downlink data packet carrying the IP address of the application server, the IP address of the terminal, the first address generation sequence and the high-defense address identifier;
    the processing unit is further configured to generate, when it is detected that the downlink data packet carries the high-defense address identifier, the first virtual IP address according to the IP address of the application server, the IP address of the terminal and the first address generation sequence;
    the processing unit is further configured to determine an address end time according to the address generation time and the address lifetime, and, when the address end time is greater than a verification time, to determine that a target time difference equals the address end time minus the verification time;
    the processing unit is further configured to generate, when the target time difference is greater than a preset duration, a first downlink data packet according to the downlink data packet and the first virtual IP address;
    the sending unit is further configured to send the first downlink data packet to the terminal.
19. The network device according to claim 18, characterized in that:
    the processing unit is further configured to obtain, when the target time difference is less than or equal to the preset duration, a second address generation sequence, the second address generation sequence comprising the address generation time of a second virtual IP address and the address lifetime of the second virtual IP address; to generate the second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence; and to generate a second downlink data packet according to the downlink data packet, the first virtual IP address, the second virtual IP address and an address switching identifier;
    the sending unit is further configured to send the second downlink data packet to the terminal.
20. The network device according to claim 18, characterized in that:
    the processing unit is further configured to obtain, when the target time difference is less than or equal to the preset duration, a second address generation sequence, the second address generation sequence comprising the address generation time of a second virtual IP address and the address lifetime of the second virtual IP address, and to generate the second virtual IP address according to the key, the IP address of the application server, the IP address of the terminal and the second address generation sequence;
    the sending unit is further configured to send to the terminal an address switching notification carrying the second virtual IP address and the second address generation sequence;
    the processing unit is further configured to generate a first downlink data packet according to the downlink data packet and the first virtual IP address;
    the sending unit is further configured to send the first downlink data packet to the terminal.
21. The network device according to any one of claims 17 to 20, characterized in that the processing unit is specifically configured to decrypt the second part of the first virtual IP address using the key; perform a first XOR operation on the second part of the IP address of the terminal and the decryption result; perform a second XOR operation on the first address generation sequence and the result of the first XOR operation; and combine the first part of the first virtual IP address with the result of the second XOR operation to form the IP address to be processed.
22. The network device according to any one of claims 16 to 20, characterized in that:
    the receiving unit is further configured to receive, from a key management server, the IP address of the application server and the key corresponding to the IP address of the application server.
23. A terminal, characterized by comprising:
    a sending unit, configured to send an address request message to a domain name system server, the address request message comprising a domain name;
    a receiving unit, configured to receive a response message sent by the domain name system server according to the address request message, the response message comprising a first virtual Internet Protocol (IP) address of the application server and a high-defense address identifier;
    a processing unit, configured to generate an uplink data packet, the uplink data packet carrying the IP address of the terminal, the first virtual IP address of the application server and the high-defense address identifier;
    the sending unit being further configured to send the uplink data packet to a network device.
24. The terminal according to claim 23, characterized in that the response message further comprises a first address generation sequence and the uplink data packet further comprises the first address generation sequence, the first address generation sequence comprising the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address.
25. The terminal according to claim 23 or 24, characterized in that:
    the receiving unit is further configured to receive a first downlink data packet sent by the network device, the first downlink data packet carrying the first virtual IP address.
26. The terminal according to claim 24, characterized in that:
    the receiving unit is further configured to receive a second downlink data packet sent by the network device, the second downlink data packet carrying the first virtual IP address, a second virtual IP address, a second address generation sequence and an address switching identifier;
    the processing unit is further configured to generate, according to the address switching identifier, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
27. The terminal according to claim 24, characterized in that:
    the receiving unit is further configured to receive a first downlink data packet and an address switching notification sent by the network device, the first downlink data packet carrying the first virtual IP address, and the address switching notification comprising a second virtual IP address and a second address generation sequence;
    the processing unit is further configured to generate, according to the address switching notification, an uplink data packet carrying the second virtual IP address, the second address generation sequence and the high-defense address identifier.
28. A domain name system server, characterized by comprising:
    a receiving unit, configured to receive an address request message sent by a terminal, the address request message comprising a domain name;
    a processing unit, configured to obtain a key and a high-defense address identifier when the domain name is a high-defense domain name;
    the processing unit being further configured to generate a first virtual IP address according to the key, the IP address of the terminal and the Internet Protocol (IP) address of the application server;
    a sending unit, configured to send a response message to the terminal, the response message comprising the first virtual IP address and the high-defense address identifier.
29. The domain name system server according to claim 28, characterized in that:
    the processing unit is specifically configured to obtain a first address generation sequence, the first address generation sequence comprising the address generation time of the first virtual IP address and the address lifetime of the first virtual IP address, and to generate the first virtual IP address according to the key, the IP address of the terminal, the IP address of the application server and the first address generation sequence.
30. The domain name system server according to claim 29, characterized in that:
    the processing unit is specifically configured to perform a first XOR operation on the second part of the IP address of the terminal and the second part of the IP address of the application server; perform a second XOR operation on the first address generation sequence and the result of the first XOR operation; encrypt the result of the second XOR operation using the key; and combine the encryption result with the first part of the IP address of the application server to form the first virtual IP address.
31. A computer-readable storage medium storing instructions, characterized in that, when the instructions are run on a computer, they cause the computer to perform the method according to any one of claims 1 to 15.
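
The Python module below is an added worked example, not code from the patent or from Huawei. It implements the virtual-address generation of claims 15 and 30, the recovery and legality check of claims 6, 16 and 21, and the lifetime check and address-switch decision of claims 18 to 20 on the network device, so that the XOR/encrypt steps can be traced end to end. The claims leave several details open, and the example fixes them as labelled assumptions: addresses are IPv6 with a 64-bit "first part" (routing prefix) and a 64-bit "second part" (interface identifier); the address generation sequence is packed as a 32-bit generation time followed by a 32-bit lifetime so that it can be XORed with the 64-bit second part; "encrypt with the key" is realised as a 4-round HMAC-SHA256 Feistel permutation standing in for whatever block cipher a deployment would use; and a downlink packet whose address end time is not later than the verification time is reported as expired, a case the claims do not specify. The key, addresses and timestamps in the demo are constructed sample values.

```python
"""Virtual IP generation, verification and lifetime-based switching.

Added worked example following the XOR/encrypt steps of the claims; the
cipher, the address split and the sequence packing are constructed
assumptions, not part of the patent.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

HALF_BITS = 64                     # assumption: first part / second part are 64 bits each
HALF_MASK = (1 << HALF_BITS) - 1
WORD_MASK = 0xFFFFFFFF
ROUNDS = 4                         # Feistel rounds of the stand-in cipher


def split(addr: str) -> tuple[int, int]:
    """Split an IPv6 address into its first (prefix) and second (IID) parts."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> HALF_BITS, n & HALF_MASK


def join(first: int, second: int) -> str:
    """Reassemble a canonical IPv6 address string from its two 64-bit parts."""
    return str(ipaddress.IPv6Address((first << HALF_BITS) | second))


@dataclass(frozen=True)
class AddrGenSeq:
    """Address generation sequence: generation time and lifetime, in seconds."""
    gen_time: int
    lifetime: int

    def as_int(self) -> int:
        # Assumption: packed as 32-bit time || 32-bit lifetime so that it is
        # XOR-able with the 64-bit second part; the claims fix no encoding.
        return ((self.gen_time & WORD_MASK) << 32) | (self.lifetime & WORD_MASK)

    def end_time(self) -> int:
        """Address end time = generation time + lifetime (claim 18)."""
        return self.gen_time + self.lifetime


def _round(key: bytes, i: int, half: int) -> int:
    """Keyed round function: 32 bits of HMAC-SHA256 over (round index, half)."""
    mac = hmac.new(key, bytes([i]) + half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def encrypt64(key: bytes, x: int) -> int:
    """Keyed invertible 64-bit permutation (4-round HMAC Feistel).

    Assumption: stands in for the unspecified cipher of "encrypt with the key".
    """
    left, right = x >> 32, x & WORD_MASK
    for i in range(ROUNDS):
        left, right = right, left ^ _round(key, i, right)
    return (left << 32) | right


def decrypt64(key: bytes, y: int) -> int:
    """Inverse of encrypt64: undo the Feistel rounds in reverse order."""
    left, right = y >> 32, y & WORD_MASK
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, i, left), left
    return (left << 32) | right


def make_virtual_ip(key: bytes, terminal_ip: str, server_ip: str, seq: AddrGenSeq) -> str:
    """Claims 15/30: XOR the second parts, XOR with the sequence, encrypt, keep the server prefix."""
    _, t2 = split(terminal_ip)
    s1, s2 = split(server_ip)
    first_xor = t2 ^ s2
    second_xor = seq.as_int() ^ first_xor
    return join(s1, encrypt64(key, second_xor))


def recover_server_ip(key: bytes, terminal_ip: str, virtual_ip: str, seq: AddrGenSeq) -> str:
    """Claims 6/21: decrypt the second part, XOR with the terminal's second part, XOR with the sequence."""
    v1, v2 = split(virtual_ip)
    _, t2 = split(terminal_ip)
    first_xor = t2 ^ decrypt64(key, v2)
    second_xor = seq.as_int() ^ first_xor
    return join(v1, second_xor)


def uplink_is_legal(key: bytes, terminal_ip: str, virtual_ip: str, seq: AddrGenSeq, server_ip: str) -> bool:
    """Claim 16: the packet is legal only if the recovered address is the real server address."""
    recovered = ipaddress.IPv6Address(recover_server_ip(key, terminal_ip, virtual_ip, seq))
    return recovered == ipaddress.IPv6Address(server_ip)


def downlink_decision(seq: AddrGenSeq, verify_time: int, preset: int) -> str:
    """Claims 18-20: 'forward' with the current address, 'switch' to a fresh one,
    or 'expired' (assumption) when the end time is not later than verify_time."""
    end = seq.end_time()
    if end <= verify_time:
        return "expired"
    target_diff = end - verify_time
    return "forward" if target_diff > preset else "switch"


def rotate_address(key: bytes, terminal_ip: str, server_ip: str, now: int, lifetime: int) -> tuple[str, AddrGenSeq]:
    """Claims 19/20: mint the second address generation sequence and second virtual IP."""
    seq2 = AddrGenSeq(gen_time=now, lifetime=lifetime)
    return make_virtual_ip(key, terminal_ip, server_ip, seq2), seq2


if __name__ == "__main__":
    # Constructed sample values (not from the patent).
    key = hashlib.sha256(b"constructed demo key").digest()
    terminal, server = "2001:db8:1::10", "2001:db8:2::50"
    seq = AddrGenSeq(gen_time=1_700_000_000, lifetime=600)
    vip = make_virtual_ip(key, terminal, server, seq)
    print("virtual:", vip, "legal:", uplink_is_legal(key, terminal, vip, seq, server))
    print("spoofed source legal:", uplink_is_legal(key, "2001:db8:1::11", vip, seq, server))
    print("decision at +570s:", downlink_decision(seq, 1_700_000_570, 60))
```

Two properties of the construction are worth noting for anyone evaluating it as an anti-DDoS measure. Because the terminal's own address is mixed into the second part before encryption, a packet carrying the same virtual address from a different source address recovers a different "address to be processed" and is classed as illegal, so a harvested virtual address is only usable from the terminal it was minted for; and because the address generation sequence is mixed in as well, the same check fails once the terminal presents a sequence that does not match, which is what lets the network device retire addresses at the end of their lifetime rather than relying on the terminal to stop using them.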
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210210483.2 2022-03-03
CN202210210483.2A CN116743410A (en) 2022-03-03 2022-03-03 Communication method, network equipment, terminal and domain name system server
PCT/CN2023/075817 WO2023165324A1 (en) 2022-03-03 2023-02-14 Communication method, network device, terminal, and domain name system server

Publications (1)

Publication Number Publication Date
WO2023165324A1 true WO2023165324A1 (en) 2023-09-07

Family

ID=87882888

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/075817 WO2023165324A1 (en) 2022-03-03 2023-02-14 Communication method, network device, terminal, and domain name system server

Country Status (2)

Country Link
CN (1) CN116743410A (en)
WO (1) WO2023165324A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105429957A (en) * 2015-11-02 2016-03-23 芦斌 IP address jump safety communication method based on SDN framework
US20170374088A1 (en) * 2016-06-22 2017-12-28 Sable Networks, Inc. Individually assigned server alias address for contacting a server
CN110611723A (en) * 2018-06-15 2019-12-24 华为技术有限公司 Scheduling method and device of service resources
CN114124381A (en) * 2021-11-30 2022-03-01 中国人民解放军国防科技大学 Multi-party address hopping pattern generation method and device based on quantum key distribution

Also Published As

Publication number Publication date
CN116743410A (en) 2023-09-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23762725

Country of ref document: EP

Kind code of ref document: A1