[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN107809366B - Method and system for safely sharing UNP tunnel - Google Patents

Method and system for safely sharing UNP tunnel Download PDF

Info

Publication number
CN107809366B
CN107809366B CN201711027044.3A CN201711027044A CN107809366B CN 107809366 B CN107809366 B CN 107809366B CN 201711027044 A CN201711027044 A CN 201711027044A CN 107809366 B CN107809366 B CN 107809366B
Authority
CN
China
Prior art keywords
message
unp
social resource
virtual address
address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711027044.3A
Other languages
Chinese (zh)
Other versions
CN107809366A (en
Inventor
周迪
周欣如
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Uniview Technologies Co Ltd
Original Assignee
Zhejiang Uniview Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Uniview Technologies Co Ltd filed Critical Zhejiang Uniview Technologies Co Ltd
Priority to CN201711027044.3A priority Critical patent/CN107809366B/en
Publication of CN107809366A publication Critical patent/CN107809366A/en
Application granted granted Critical
Publication of CN107809366B publication Critical patent/CN107809366B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2592Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N7/00Television systems
    • H04N7/18Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method and a system for safely sharing a UNP tunnel.A safety supervision box receives a message sent by social resources, encapsulates the message into the UNP message and then sends the UNP message through the established UNP tunnel, wherein the UNP message carries a label of a VLAN to which the social resources belong; the access server allocates a virtual address for the social resource, replaces the actual IP address of the social resource in the message by the virtual address and sends the actual IP address to the destination device; the access server receives a message sent to a target social resource, replaces a virtual address with an actual IP address of the target social resource according to a recorded social resource table item, packages the message into a UNP message and sends the UNP message to a security supervision box, wherein the UNP message carries a label of a VLAN to which the target social resource belongs; and the safety supervision box receives the UNP message and sends the UNP message to social resources from the corresponding VLAN port according to the VLAN label and the target MAC of the message. The invention shares the UNP tunnel, thereby saving resources; and IP isolation is carried out through the VLAN, so that the safety is improved.

Description

Method and system for safely sharing UNP tunnel
Technical Field
The invention belongs to the technical field of network communication, and particularly relates to a method and a system for safely sharing a UNP tunnel.
Background
As the application range of video monitoring services is wider and wider, the security problem is more and more emphasized by users, and the user's demand for secure transmission of audio and video information in a monitoring system is also increased. Meanwhile, the government needs to uniformly monitor the video monitoring systems of the enterprises and public institutions, and uniformly connects video sources accessed by various social resources to a public security network for monitoring.
The access of various social resources to the public security network is beneficial to fighting criminal suspects of various criminal and public security cases, wherein the internet bar is used as a high-incidence place of the criminal cases and is listed as a priority supervision object. The social resources are generally accessed to a public security network through a security supervision box, the security supervision box is arranged on one side of the social resources to serve as a UNP client, a UNP server is arranged on one side of the public security network, and the social resources are accessed through a UNP tunnel.
However, the internal network of the internet cafe is highly independent and random, and the scale of the internet cafe is large or small, so that the configuration of the intranet IP network segments of a plurality of different internet cafes is always the same, and if the network cameras IPCs of several internet cafes are connected to the public security network through one security supervision box, conflicts are easily caused due to repeated configuration of IP addresses, and a respective un tunnel needs to be established for each IPC. In this case, the configuration is complicated and network resources are wasted.
Disclosure of Invention
The invention aims to provide a method and a system for safely sharing a UNP tunnel, which are used for solving the problem of safe access under the condition of repeated IP address configuration.
In order to achieve the purpose, the technical scheme of the invention is as follows:
a UNP tunnel security sharing method is used for accessing social resources to a public platform, a security supervision box serving as a UNP client is arranged on a social resource side, an access server serving as a UNP server is arranged on a public platform side, ports of the security supervision box are divided into a plurality of different VLANs, different VLAN ports access to social resources of different units, and the UNP tunnel security sharing method comprises the following steps:
the security supervision box initiates registration to an access server at the public platform side and establishes a UNP tunnel;
the safety supervision box receives a message sent by social resources, packages the message into a UNP message and then sends the UNP message through an established UNP tunnel, wherein the UNP message carries a label of a VLAN to which the social resources belong;
the access server receives the UNP message from the safety supervision box, allocates a virtual address for the social resource, replaces the actual IP address of the social resource in the message with the virtual address, sends the actual IP address to the destination device, and records the social resource table entry comprising the virtual address, the VLAN tag and the MAC address of the social resource;
the access server receives a message sent to a target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, packages the virtual address into an UNP message and sends the UNP message to a security supervision box, wherein the UNP message carries a label of a VLAN to which the target social resource belongs;
and the safety supervision box receives the UNP message and sends the UNP message to social resources from the corresponding VLAN port according to the VLAN label and the target MAC of the message.
Further, a management server is arranged in the public platform, a destination device of the message sent by the social resource is the management server, the access server receives the UNP message from the security supervision box, allocates a virtual address to the social resource, replaces an actual IP address of the social resource in the message with the virtual address, and sends the actual IP address to the destination device, and the method comprises the following steps:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the social resource, and sending the virtual address to the management server.
Further, the access server receives a message sent to a target social resource, replaces a virtual address with an actual IP address of the target social resource according to a recorded social resource table entry and the virtual address of the target social resource carried in the message, encapsulates the virtual address into an un message, and sends the un message to the security supervision box, including:
and setting the target IP of the outer-layer UNP tunnel message of the UNP message as the actual IP address of the target social resource.
Further, the destination device of the packet sent by the social resource is another social resource, the social resource sending the packet is a first social resource, the destination device is a second social resource, the access server receives the un packet from the security supervision box, allocates a virtual address for the social resource, replaces an actual IP address of the social resource in the packet with the virtual address, and sends the packet to the destination device, including:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the first social resource, modifying the target IP into a virtual address corresponding to the second social resource, and sending the virtual address to the second social resource.
Further, the access server receives a message sent to a target social resource, replaces a virtual address with an actual IP address of the target social resource according to a recorded social resource table entry and the virtual address of the target social resource carried in the message, encapsulates the virtual address into an un message, and sends the un message to the security supervision box, including:
and setting the target IP of the outer-layer UNP tunnel message of the UNP message as the actual IP address of the second social resource.
The invention also provides a system for safely sharing the UNP tunnel, which is used for accessing social resources to a public platform, and comprises a safety supervision box which is arranged at the social resource side and is used as a UNP client side, and an access server which is arranged at the public platform side and is used as a UNP server, wherein the port of the safety supervision box is divided into a plurality of different VLANs, and the different VLAN ports are accessed to the social resources of different units, wherein:
the safety supervision box is used for initiating registration to an access server at the public platform side and establishing a UNP tunnel; receiving a message sent by social resources, packaging the message into a UNP message, and sending the UNP message through an established UNP tunnel, wherein the UNP message carries a label of a VLAN to which the social resources belong; and receiving the UNP message sent by the access server, and sending the UNP message to the social resource from the corresponding VLAN port according to the VLAN label and the target MAC of the message.
The access server is used for receiving the UNP message from the safety supervision box, distributing a virtual address for the social resource, replacing the actual IP address of the social resource in the message by the virtual address, sending the virtual address to the destination equipment, and recording the social resource table entry comprising the virtual address, the VLAN label and the MAC address of the social resource; receiving a message sent to a target social resource, replacing the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, packaging the message into a UNP message, and sending the UNP message to a security supervision box, wherein the UNP message carries the label of the VLAN to which the target social resource belongs.
The invention provides a method and a system for safely sharing UNP tunnel, which divides VLAN on a safety supervision box, marks a corresponding VLAN label when forwarding the message of the accessed social resource, and sends the VLAN label to an access server. The access server distributes different virtual addresses to the actual IP addresses under different VLAN labels, and forwards the virtual addresses after address conversion. Therefore, social resources can share the UNP tunnel, and equipment with the same IP address can transmit data through the same UNP tunnel, so that resources are saved; the accessed IPC performs IP isolation through the VLAN, so that data isolation is realized, and the security is improved; and mutual communication between social resources can be realized.
Drawings
FIG. 1 is a flow chart of a method for safely sharing UNP tunnels according to the present invention;
fig. 2 is a network networking structure diagram according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention are further described in detail below with reference to the drawings and examples, which should not be construed as limiting the present invention.
The invention is realized based on universal Network passport UNP (universal Network passport) technology, the universal Network passport UNP technology is that a UNP server (UNPS) is established in an upper-level domain of a video monitoring system, a UNP client (UNPC) is established in a lower-level domain of the video monitoring system, a UNP channel is established between the UNP server and the UNP client, and all signaling and data of the video monitoring system pass through address conversion equipment such as NAT equipment, a firewall, a security isolation gateway and the like through the UNP channel. In the traditional technology for accessing social resources to a public platform, a security supervision box is arranged on one side of the social resources to serve as a UNP client, an access server is arranged on one side of the public platform to serve as a UNP server, and the social resources are accessed through a UNP tunnel. But for social resources with the same actual IP address, access needs to be realized through different un tunnels.
The technical scheme of the invention is a method for safely sharing a UNP tunnel, which realizes that social resources with the same actual IP address safely share the same UNP tunnel, and is explained by a specific embodiment below.
As shown in fig. 1, a method for safely sharing an un p tunnel is used for accessing social resources to a public platform, a security supervision box serving as an un p client is arranged at the social resource side, an access server serving as an un p server is arranged at the public platform side, a port of the security supervision box is divided into a plurality of different VLANs, and different VLAN ports access social resources of different units. The method for safely sharing the UNP tunnel comprises the following steps:
and step S1, the security supervision box initiates registration to the access server of the public platform side and establishes the UNP tunnel.
The security supervision box of the embodiment accesses social resources to a public platform (such as a public security network), and the social resources belong to different units. As shown in fig. 2, taking the internet cafe as an example, the social resource IPC1 of the internet cafe 1 and the social resource IPC2 of the internet cafe 2 are connected to the security supervision box, and access to the public platform:
IPC1 of Internet Bar 1's own actual IP Address: IP1(192.168.1.10), MAC address MAC1 (48: EA: 63: 00: 11: 01);
IPC2 of internet cafe 2 itself actual IP address: IP2(192.168.1.10), MAC address: MAC2 (48: EA: 63: 00: 22: 01);
the actual IP address of the access server: IP0(202.5.1.1), MAC address: MAC0 (48: EA: 63: 85: 85: 85), with a virtual gateway address: vIP0 (10.10.10.1).
And the safety supervision box arranged at the social resource side is used as an UNP client, initiates registration to an access server (used as an UNP server) of the public platform, and establishes an UNP tunnel.
For example: IP address of security supervision box: IP15(15.15.15.1), after establishing the hop tunnel, the hop server assigns it a virtual address, and the security administration box obtains the virtual address: vIP15 (10.10.10.2).
In this embodiment, the social resources IPC1 and IPC2 have the same actual IP address, belong to social resources of different units, and share the established un p tunnel between the security supervision box and the access server.
And step S2, the security supervision box receives the message sent by the social resource, encapsulates the message into a UNP message and then sends the UNP message to the access server through the established UNP tunnel, wherein the UNP message carries the label of the VLAN to which the social resource belongs.
The security supervision box of the embodiment accesses the social resources to a public platform (such as a public security network), and the social resources IPC1 and IPC2 belong to different units, but the actual IP addresses of the social resources are the same and are 192.168.1.10. In order to perform IP isolation on them, implement data isolation, and improve security, the present embodiment divides different VLANs into its ports on the security supervision box.
For example: and carrying out port VLAN division in the security supervision box to divide a plurality of VLANs. IPC1 of Internet Bar 1 is assigned VLAN10, and MAC address of VLAN10 is (48: EA: 63: 10: 10: 10); IPC2 of Internet cafe 2 is assigned VLAN20 and the MAC address of VLAN20 is (48: EA: 63: 20: 20: 20).
In actual networking, IPC1 of internet bar 1 is connected to VLAN10 port of security supervision box, and IPC2 of internet bar 2 is connected to VLAN20 port of security supervision box. It will be readily appreciated that when there are more social resources in the internet cafe (e.g., IPC3 in internet cafe 3) to access the security administration box, the security administration box needs to be divided into more VLANs, such as VLAN30, to access the social resources in internet cafe 3. Meanwhile, in the same internet bar, there may be more social resources, for example, IPC4 is also in the internet bar 1, and the IPC4 and IPC1 have different actual IP addresses, are all connected to the VLAN10 port, and belong to the same VLAN.
When the IPC of the Internet bar needs to interact with a management server in a public platform, the IPC1 or the IPC2 sends a message to the management server, and at the moment, the message sent by the IPC1 or the IPC2 is packaged into a UNP message when passing through a security supervision box, and is labeled by a VLAN10 or a VLAN 20. Taking IPC1 as an example, the details are as follows:
in this embodiment, the management server IP address within the common platform: IP100(202.5.1.100), MAC address: MAC100 (48: EA: 63: 88: 88: 88).
After the message sent by IPC1 is encapsulated by UNP:
the inner layer source MAC is MAC address MAC1 (48: EA: 63: 00: 11: 01) of IPC1, the destination MAC is MAC address MAC0 (48: EA: 63: 85: 85: 85) of the access server, and VLAN label VLAN10 is carried on the destination MAC;
the inner source IP is the virtual address vIP15(10.10.10.2) of the security supervision box, and the inner destination IP is the virtual address vIP0(10.10.10.1) of the access server;
the source IP of the outer layer UNP tunnel message is the actual IP address IP1(192.168.1.10) of IPC1, and the destination IP is the actual IP address IP0(202.5.1.1) of the access server;
the source MAC address of the outer UNP tunnel message is the actual MAC address MAC1 (48: EA: 63: 00: 11: 01) of IPC1, and the destination MAC address is the MAC address MAC0 (48: EA: 63: 85: 85: 85) of the access server.
In this embodiment, the security supervision box serves as an un client, and performs un packet encapsulation on a packet sent by IPC1, which does two things during encapsulation:
1 is a VLAN tag on tape;
2 is the virtual address vIP15(10.10.10.2) that sets the inner source IP to the security administration box and the inner destination IP is the virtual address vIP0(10.10.10.1) of the access server.
It should be noted that, in the above-mentioned UNP message, both the destination MAC address and the destination IP address point to the access server. At this time, the received messages can be set on the access server and all transferred to the management server of the public platform, so that the IPC-sent messages can reach the management server. Particularly, the access server and the management server are the same device and are used as the UNP server and the management server, and the management server can receive the access message of the IPC after directly receiving the UNP message and decapsulating the UNP message.
In addition, the destination MAC of the two-layer message sent by the IPC can also be set as a broadcast address, the access server sends the two-layer message through the broadcast address after receiving the two-layer message sent by the IPC, and the management server can receive the two-layer message sent by the IPC and respond because the management server and the access server are in the same private network; the access server sends the response message to the IPC through the UNP tunnel to obtain the MAC address and the IP address of the management server; therefore, when sending the message to the management server again, the two-layer message is directly sent and encapsulated as an un p message, the destination MAC address is the MAC address of the management server, and the destination IP is the IP address of the management server (described in detail in another patent application with application number 201710547283.5 of the present applicant). How to send the two-layer message sent by the IPC to the management server after the two-layer message is sent to the access server through UNP encapsulation is not limited in the invention, and the details are not repeated herein.
It is easy to understand that IPC1 is located in the private network, the IP address is the private network IP address, when the sent message is a two-layer message, the source MAC address is the MAC of IPC1 itself, and the destination MAC of the two-layer message is the MAC address of the destination device. For example, when IPC1 sends a message to a management server of a public platform and sets that all received messages are forwarded to the management server of the public platform on an access server, the MAC address of the destination of the two-layer message may be the MAC address of the access server; when the MAC address of the management server is known, the MAC of the destination of the two-layer packet may also be the MAC address of the management server, and at this time, the access server unicast forwards the packet to the management server. When the IPC1 sends a message to other destination devices (such as IPC2), the destination MAC of the two-layer message is the MAC address of the destination device.
And step S3, the access server receives the UNP message from the safety supervision box, allocates a virtual address for the social resource, replaces the actual IP address of the social resource in the message with the virtual address, sends the actual IP address to the destination device, and records the social resource table entry comprising the virtual address, the VLAN label and the MAC address of the social resource.
In this embodiment, after receiving the un message, the access server allocates a virtual address vIP1(10.10.10.3) to IPC1, and replaces the actual IP address of the social resource in the un message with the virtual address.
The following is a detailed explanation through two embodiments, wherein embodiment 1 is a message sent by social resources to a management server of a public platform, and embodiment 2 is communication between social resources.
Embodiment 1, the social resource IPC sends a message to a management server of the public platform.
The access server decapsulates the UNP message from the security supervision box, restores a two-layer message, performs address conversion, namely modifies a source IP in the two-layer message into a virtual address corresponding to social resources, and sends the virtual address to the management server.
The fields of the message sent to the management server after address translation are:
the source MAC is MAC address MAC1 (48: EA: 63: 00: 11: 01) of IPC1, and the destination MAC is MAC address MAC100 (48: EA: 63: 88: 88) of the management server;
the source IP is the virtual address vIP1(10.10.10.3) of IPC1, and the destination IP is the management server IP address IP100 (202.5.1.100).
Wherein the source IP is modified to the virtual address vIP1 of IPC1 after address translation (10.10.10.3).
Embodiment 2 and this embodiment also support communication between social resources, and the social resource that sends the packet is referred to as a first social resource, and the destination device is referred to as a second social resource. For example, IPC1 and IPC2 communicate, IPC1 sends a message to IPC2, IPC1 is a first social resource, and IPC2 is a second social resource.
The IPC1 message is sent to an access server after being carried on a VLAN10 label by a security supervision box, and the access server allocates a virtual address vIP1(10.10.10.3) for the IPC 1; similarly, the message sent by IPC2 is sent to the access server after the security supervision box carries the VLAN20 tag, and the access server allocates a virtual address vIP2 to IPC2 (10.10.10.4).
When the message sent by IPC1 to IPC2 passes through the access server, the following address conversion is carried out:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the first social resource, modifying the target IP into a virtual address corresponding to the second social resource, and sending the virtual address to the second social resource.
The fields of the message sent to IPC2 after address translation are:
the source MAC is MAC address MAC1 (48: EA: 63: 00: 11: 01) of IPC1, and the destination MAC is MAC address MAC2 (48: EA: 63: 00: 22: 01) of IPC 2;
the source IP is the virtual address vIP1(10.10.10.3) of IPC1, and the destination IP is the virtual address (10.10.10.4) of IPC 2.
Wherein both the source IP and the destination IP are modified to virtual addresses.
Therefore, the virtual address obtained by IPC1 at the access server is 10.10.10.3, the address obtained by IPC2 at the access server is 10.10.10.4 in a virtual manner, the two social resource virtual addresses are different, so that the two IPCs can exchange data normally, and the returned message is sent to different VLANs and ports according to the VLAN tag and the MAC address, so that data communication between the two devices is realized. It is easy to understand that communication between social resources is realized, and the social resources can also be other devices in the internet bar, such as a Network Video Recorder (NVR) and the like.
In this embodiment, the access server further records a social resource table entry, which includes a virtual address, a VLAN tag, and an MAC address of the social resource, and may further include an actual IP address and a device ID of the social resource. When receiving the message sent to the social resource, the method can find the actual IP address and the corresponding VLAN label according to the destination MAC address and the destination virtual address of the message, and the UNP message carries the corresponding VLAN label.
And step S4, the access server receives the message sent to the target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, packages the virtual address into an UNP message and sends the UNP message to the safety supervision box, wherein the UNP message carries the VLAN label of the target social resource.
When receiving the message sent to the target social resource, the embodiment performs address conversion according to the recorded virtual address, actual IP address, VLAN tag and MAC address of the social resource, performs un encapsulation, and sends the message to the security supervision box.
In the case of embodiment 1, the message comes from the management server of the public platform, the source MAC address of the message is the MAC address of the management server, the source IP is the IP address of the management server, the destination MAC address is the MAC address of the access server, and the destination IP is the virtual address of the social resource.
When UNP encapsulation is carried out, address conversion is carried out on a target IP address, an UNP virtual address is converted into an actual IP address of IPC, and the two-layer frame head is provided with a VLAN label and then sent to a safety supervision box.
Taking the message sent to the IPC1 by the management server as an example, and the IPC1 is a target social resource, the message after the access server is encapsulated by the UNP is as follows:
the inner layer source MAC is MAC address MAC100 (48: EA: 63: 88: 88: 88) of the management server, the destination MAC is MAC address MAC1 (48: EA: 63: 00: 11: 01) of IPC1, and VLAN tag VLAN10 is carried on;
the inner source IP is the virtual address vIP0(10.10.10.1) of the access server, and the inner destination IP is the virtual address vIP15(10.10.10.2) of the security supervision box;
the source IP of the outer layer UNP tunnel message is the actual IP address IP0(202.5.1.1) of the access server, and the destination IP is the actual IP address IP1(192.168.1.10) of IPC 1;
the source MAC address of the outer UNP tunnel message is MAC address MAC0 of the access server, and the destination MAC address is MAC address MAC1 of IPC1 (48: EA: 63: 00: 11: 01).
In the case of embodiment 2, for a message sent from IPC1 to IPC2, IPC2 is a target social resource, and is sent out after being encapsulated by an UNP, a target IP address is subjected to address translation, a target virtual address is translated into an actual IP address of IPC2, and a two-layer frame header is provided with a VLAN tag and then sent to a security supervision box. The specific packaging is as follows:
the inner layer source MAC is MAC address MAC1 (48: EA: 63: 00: 11: 01) of IPC1, the destination MAC is MAC address MAC2 (48: EA: 63: 00: 22: 01) of IPC2, and VLAN label VLAN20 is carried at the same time;
the inner source IP is the virtual address vIP0(10.10.10.1) of the access server, and the inner destination IP is the virtual address vIP15(10.10.10.2) of the security supervision box;
the source IP of the outer layer UNP tunnel message is the actual IP address IP0(202.5.1.1) of the access server, and the destination IP is the actual IP address IP1(192.168.1.10) of IPC 2;
the source MAC address of the outer UNP tunnel message is MAC address MAC0 of the access server, and the destination MAC address is MAC address MAC2 of IPC2 (48: EA: 63: 00: 22: 01).
Note that the VLAN tag carried at this time is the VLAN tag VLAN20 of the destination device, IPC 2.
And step S5, the security supervision box receives the UNP message and sends the UNP message to the social resource from the corresponding VLAN port according to the VLAN label and the target MAC of the message.
After receiving the un p message, the security supervision box in this embodiment decapsulates the un p message, and sends the un p message to a corresponding VLAN port according to a VLAN tag attached to the un p message, where the un p message can be received and processed according to an MAC address and an actual IP address of an IPC at the VLAN port.
For the case of embodiment 1, after receiving the un p packet, the security supervision box sends the decapsulated two-layer packet to a VLAN10 port according to the VLAN tag carried by the un p packet, for example, VLAN10, and finally sends the decapsulated two-layer packet to IPC1 according to the destination IP address 192.168.1.10.
For the case of embodiment 2, after receiving the un p packet, the security supervision box sends the decapsulated two-layer packet to a VLAN20 port according to the VLAN tag carried by the un p packet, for example, VLAN20, and finally sends the decapsulated two-layer packet to IPC2 according to the destination IP address 192.168.1.10.
According to the technical scheme, the VLAN is divided on the safety monitoring box, and when the message of the accessed social resource is forwarded, the corresponding VLAN label is marked and sent to the access server. The access server distributes different virtual addresses to the actual IP addresses under different VLAN labels, and forwards the virtual addresses after address conversion. Therefore, social resources share the UNP tunnel, mutual communication among the social resources can be realized, the resources are saved, the social resources are isolated through the VLAN, and the safety is improved.
Correspondingly to the method, the technical scheme also provides an embodiment of a system for safely sharing the UNP tunnel, which is used for accessing social resources to a public platform and comprises a security supervision box which is arranged on the social resource side and is used as a UNP client, and an access server which is arranged on the public platform side and is used as a UNP server. The ports of the safety supervision box are divided into a plurality of different VLANs, and the different VLAN ports are accessed to social resources of different units.
The security supervision box of the embodiment is used for initiating registration to an access server at a public platform side and establishing a UNP tunnel; receiving a message sent by social resources, packaging the message into a UNP message, and sending the UNP message through an established UNP tunnel, wherein the UNP message carries a label of a VLAN to which the social resources belong; and receiving the UNP message sent by the access server, and sending the UNP message to the social resource from the corresponding VLAN port according to the VLAN label and the target MAC of the message.
The access server of the embodiment is used for receiving the UNP message from the security supervision box, allocating a virtual address for social resources, replacing an actual IP address of the social resources in the message with the virtual address, sending the actual IP address to a target device, and recording social resource table entries comprising the virtual address, the VLAN tag and the MAC address of the social resources; receiving a message sent to a target social resource, replacing the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, packaging the message into a UNP message, and sending the UNP message to a security supervision box, wherein the UNP message carries the label of the VLAN to which the target social resource belongs.
The message interaction between the devices in the system for safely sharing an UNP tunnel in this embodiment has been described in detail in the foregoing method description, and is not described here again.
The above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and those skilled in the art can make various corresponding changes and modifications according to the present invention without departing from the spirit and the essence of the present invention, but these corresponding changes and modifications should fall within the protection scope of the appended claims.

Claims (10)

1. A method for safely sharing a UNP tunnel, which is used for accessing social resources into a public platform through a universal network passport UNP tunnel, wherein a security supervision box serving as a UNP client is arranged on a social resource side, and an access server serving as a UNP server is arranged on a public platform side, and the port of the security supervision box is divided into a plurality of different VLANs, and the different VLAN ports access the social resources of different units, and the method for safely sharing the UNP tunnel comprises the following steps:
the security supervision box initiates registration to an access server at the public platform side and establishes a UNP tunnel;
the safety supervision box receives a message sent by social resources, packages the message into a UNP message and then sends the UNP message through an established UNP tunnel, wherein the UNP message carries a label of a VLAN to which the social resources belong;
the access server receives the UNP message from the safety supervision box, allocates a virtual address for the social resource, replaces the actual IP address of the social resource in the message with the virtual address, sends the actual IP address to the destination device, and records the social resource table entry comprising the virtual address, the VLAN tag and the MAC address of the social resource;
the access server receives a message sent to a target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, packages the virtual address into an UNP message and sends the UNP message to a security supervision box, wherein the UNP message carries a label of a VLAN to which the target social resource belongs;
and the safety supervision box receives the UNP message and sends the UNP message to social resources from the corresponding VLAN port according to the VLAN label and the target MAC of the message.
2. The method for safely sharing the UNP tunnel according to claim 1, wherein a management server is disposed in the public platform, the destination device of the message sent by the social resource is the management server, the access server receives the UNP message from the security supervision box, allocates a virtual address to the social resource, replaces an actual IP address of the social resource in the message with the virtual address, and sends the message to the destination device, and the method comprises:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the social resource, and sending the virtual address to the management server.
3. The method according to claim 2, wherein the access server receives a message addressed to the target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, encapsulates the virtual address into an un p message, and then sends the un p message to the security supervision box, and the method comprises:
and setting the target IP of the outer-layer UNP tunnel message of the UNP message as the actual IP address of the target social resource.
4. The method of UNP tunnel secure sharing according to claim 1, wherein the destination device of the message sent by the social resource is another social resource, the social resource sending the message is a first social resource, the destination device is a second social resource, the access server receives the UNP message from the security supervision box, assigns a virtual address to the social resource, replaces an actual IP address of the social resource in the message with the virtual address, and sends the message to the destination device, comprising:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the first social resource, modifying the target IP into a virtual address corresponding to the second social resource, and sending the virtual address to the second social resource.
5. The method according to claim 4, wherein the access server receives a message addressed to the target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, encapsulates the virtual address into an un p message, and then sends the un p message to the security supervision box, and the method comprises:
and setting the target IP of the outer-layer UNP tunnel message of the UNP message as the actual IP address of the second social resource.
6. A system for secure sharing of a UNP tunnel for accessing social resources to a public platform through a universal network passport, the system comprising a security supervision box as a UNP client provided at a social resource side, and an access server as a UNP server provided at a public platform side, wherein ports of the security supervision box are divided into a plurality of different VLANs, and different VLAN ports access social resources of different units, wherein:
the safety supervision box is used for initiating registration to an access server at the public platform side and establishing a UNP tunnel; receiving a message sent by social resources, packaging the message into a UNP message, and sending the UNP message through an established UNP tunnel, wherein the UNP message carries a label of a VLAN to which the social resources belong; receiving an UNP message sent by an access server, and sending the UNP message to social resources from a corresponding VLAN port according to a VLAN label and a target MAC of the message;
the access server is used for receiving the UNP message from the safety supervision box, distributing a virtual address for the social resource, replacing the actual IP address of the social resource in the message by the virtual address, sending the virtual address to the destination equipment, and recording the social resource table entry comprising the virtual address, the VLAN label and the MAC address of the social resource; receiving a message sent to a target social resource, replacing the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, packaging the message into a UNP message, and sending the UNP message to a security supervision box, wherein the UNP message carries the label of the VLAN to which the target social resource belongs.
7. The UNP tunnel security sharing system according to claim 6, wherein a management server is disposed in the public platform, the destination device of the message sent by the social resource is the management server, the access server receives the UNP message from the security supervision box, allocates a virtual address to the social resource, replaces an actual IP address of the social resource in the message with the virtual address, and sends the message to the destination device, and the following operations are performed:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the social resource, and sending the virtual address to the management server.
8. The UNP tunnel security sharing system of claim 7, wherein the access server receives a message addressed to the target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, encapsulates the virtual address into the UNP message, and then sends the UNP message to the security supervision box, and performs the following operations:
and setting the target IP of the outer-layer UNP tunnel message of the UNP message as the actual IP address of the target social resource.
9. The UNP tunnel secure sharing system according to claim 6, wherein the destination device of the message sent by the social resource is another social resource, the social resource sending the message is a first social resource, the destination device is a second social resource, the access server receives the UNP message from the security supervision box, allocates a virtual address to the social resource, replaces an actual IP address of the social resource in the message with the virtual address, and sends the message to the destination device, and the following operations are performed:
the access server decapsulates the UNP message from the security supervision box to restore a two-layer message;
and modifying the source IP in the two-layer message into a virtual address corresponding to the first social resource, modifying the target IP into a virtual address corresponding to the second social resource, and sending the virtual address to the second social resource.
10. The UNP tunnel security sharing system according to claim 9, wherein the access server receives a message addressed to the target social resource, replaces the virtual address with the actual IP address of the target social resource according to the recorded social resource table entry and the virtual address of the target social resource carried in the message, encapsulates the virtual address into the UNP message, and then sends the UNP message to the security supervision box, and performs the following operations:
and setting the target IP of the outer-layer UNP tunnel message of the UNP message as the actual IP address of the second social resource.
CN201711027044.3A 2017-10-27 2017-10-27 Method and system for safely sharing UNP tunnel Active CN107809366B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711027044.3A CN107809366B (en) 2017-10-27 2017-10-27 Method and system for safely sharing UNP tunnel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711027044.3A CN107809366B (en) 2017-10-27 2017-10-27 Method and system for safely sharing UNP tunnel

Publications (2)

Publication Number Publication Date
CN107809366A CN107809366A (en) 2018-03-16
CN107809366B true CN107809366B (en) 2020-10-20

Family

ID=61582974

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711027044.3A Active CN107809366B (en) 2017-10-27 2017-10-27 Method and system for safely sharing UNP tunnel

Country Status (1)

Country Link
CN (1) CN107809366B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109861959B (en) * 2018-11-22 2022-04-08 新华三技术有限公司 Data transmission method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883158A (en) * 2010-06-28 2010-11-10 中兴通讯股份有限公司 Method and client for acquiring VLAN (Virtual Local Area Network) IDs (Identifiers) and network protocol addresses
CN103391256A (en) * 2013-07-25 2013-11-13 武汉邮电科学研究院 Base station user plane data processing and optimizing method based on Linux system
CN105163062A (en) * 2015-06-16 2015-12-16 浙江宇视科技有限公司 System and method for accessing social resources to public platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8885634B2 (en) * 2007-11-30 2014-11-11 Ciena Corporation Systems and methods for carrier ethernet using referential tables for forwarding decisions

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101883158A (en) * 2010-06-28 2010-11-10 中兴通讯股份有限公司 Method and client for acquiring VLAN (Virtual Local Area Network) IDs (Identifiers) and network protocol addresses
CN103391256A (en) * 2013-07-25 2013-11-13 武汉邮电科学研究院 Base station user plane data processing and optimizing method based on Linux system
CN105163062A (en) * 2015-06-16 2015-12-16 浙江宇视科技有限公司 System and method for accessing social resources to public platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
《云计算数据中心网络设计综述》;王斌锋等;《计算机研究与发展》;20160915;第2085-2106页 *

Also Published As

Publication number Publication date
CN107809366A (en) 2018-03-16

Similar Documents

Publication Publication Date Title
EP2253123B1 (en) Method and apparatus for communication of data packets between local networks
EP3001609B1 (en) Method and device for processing multicast message in nvo3 network, and nvo3 network
WO2017054757A1 (en) Broadband access
CA3071801C (en) Virtualized network functions through address space aggregation
CN105591971B (en) A kind of implementation method and device of QoS
CN104704778A (en) Method and system for virtual and physical network integration
US20130182651A1 (en) Virtual Private Network Client Internet Protocol Conflict Detection
CN106101617B (en) Message transmission method, device and system
CN102447752A (en) Service access method, system and device based on layer2 tunnel protocol (L2TP)
WO2016054956A1 (en) Load sharing method and device
US20150288651A1 (en) Ip packet processing method and apparatus, and network system
WO2015113410A1 (en) Data packet processing method and apparatus
CN107094110B (en) DHCP message forwarding method and device
CN109639552B (en) Three-layer forwarding method and device
CN102821165B (en) Ip address conversion method and device
WO2021089169A1 (en) Private sub-networks for virtual private networks (vpn) clients
CN108259298A (en) A kind of message forwarding method and device
CN116418632A (en) Message processing method, device, equipment and machine-readable storage medium
CN105897542B (en) Tunnel establishment method and video monitoring system
CN107809366B (en) Method and system for safely sharing UNP tunnel
CN107426346B (en) Method and system for two-layer message to safely pass through three-layer network
JP3491828B2 (en) Closed network connection system, closed network connection method, recording medium storing a processing program therefor, and hosting service system
CN109246016B (en) Cross-VXLAN message processing method and device
CN107508811B (en) UNP-based secure registration query method and system
CN103036761A (en) Tunnel server and client device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant